Installing Snort: Intrusion detection mode

In this installment of Snort Report, learn how to run the open source IDS/IPS in intrusion detection mode.

Our final test shows Snort running in its third mode, which is considered an inspection or intrusion detection mode. Activating this mode requires creating a configuration file, which we will call snortconf.test. That file contains the following:

Now we activate Snort in IDS mode using the -c switch, and send a single ICMP packet (not shown). Notice in the output that Snort recognizes the single rule contained in our snortconf.test file.

The action statistics section reports generating five alerts. A look in the tests directory shows an alert file with interesting contents.

The single ICMP echo and single ICMP echo reply produced five separate alerts. Four of the alerts were generated by Snort's packet decoder, as indicated by "(snort decoder)". These are not related to any rules. The only alert created by a rule is the LOCAL ICMP echo test alert.

These alerts are self-explanatory, mainly describing traffic involving the same source and destination IP addresses (127.0.0.1) and loopback traffic. Our custom rule fired simply because we told it to look for ICMP type 8 (echo) messages.

Inspecting the snort.log.1164036844 file shows the packets corresponding to each Snort alert. Notice that the first three are identical and the second two are identical.

IDS mode is the most common mode, and this section demonstrates how to simply validate that Snort is working as one expects.

Snort may also operate in an inline mode, where it makes pass or drop decisions based on certain actions. We will save that functionality for a future article.


Snort: Fundamentals and installation tips for the channel

  Introduction
  Installation
  Sniffer mode
  Packet logger mode
 Intrusion detection mode
  Conclusion

About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog (taosecurity.blogspot.com).

This was first published in December 2006
This Content Component encountered an error

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

MicroscopeUK

SearchCloudProvider

SearchSecurity

SearchStorage

SearchNetworking

SearchCloudComputing

SearchConsumerization

SearchDataManagement

SearchBusinessAnalytics

Close