Snort IDS tips for VARs a

Installing Snort: Intrusion detection mode

Our final test shows Snort running in its third mode, which is considered an inspection or intrusion detection mode. Activating this mode requires creating a configuration file, which we will call snortconf.test. That file contains the following:

Now we activate Snort in IDS mode using the -c switch, and send a single ICMP packet (not shown). Notice in the output that Snort recognizes the single rule contained in our snortconf.test file.

The action statistics section reports generating five alerts. A look in the tests directory shows an alert file with interesting contents.

The single ICMP echo and single ICMP echo reply produced five separate alerts. Four of the alerts were generated by Snort's packet decoder, as indicated by "(snort decoder)". These are not related to any rules. The only alert created by a rule is the LOCAL ICMP echo test alert.

These alerts are self-explanatory, mainly describing traffic involving the same source and destination IP addresses (127.0.0.1) and loopback traffic. Our custom rule fired simply because we told it to look for ICMP type 8 (echo) messages.

Inspecting the snort.log.1164036844 file shows the packets corresponding to each Snort alert. Notice that the first three are identical and the second two are identical.

IDS mode is the most common mode, and this section demonstrates how to simply validate that Snort is working as one expects.

Snort may also operate in an inline mode, where it makes pass or drop decisions based on certain actions. We will save that functionality for a future article.


Snort: Fundamentals and installation tips for the channel

 Introduction
 Installation
 Sniffer mode
 Packet logger mode
 Intrusion detection mode
 Conclusion

About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog (taosecurity.blogspot.com).


This was first published in December 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: