I spoke about IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems) a few days ago in a question posted by a user. So I thought I would dive a little deeper into the subject with a specific application that I have personally used: Snort. Snort is a very powerful IDS that, in later versions, can also act as an IPS. Snort is free to download and use both in a personal environment and in a business environment. In fact, Snort is used by many enterprises as a very effective option, because not only is it free, it is one of the most powerful IDSs out there if you know what you are doing when you configure it. Snort can be run as a program that you launch whenever you want on a personal computer, or it can be set up to start with your OS and protect every computer on your network from attacks.
If you want to use Snort to protect your entire network, it will need to be placed in line with your Internet connection. So, as an example, let's say that you have a business Internet account with your local cable company and you want to protect it with a computer running Snort. The computer running Snort needs to be placed between the cable modem and the router; this way Snort is able to monitor every piece of traffic that comes into your network and is in the best place to discover possible attacks.
We are going to be installing Snort on a computer running Ubuntu 9.04, which at the time of this article is the newest version of Ubuntu. Ubuntu is also a free OS that is available to download, making this IDS a totally free appliance for you, except for the cost of the computer. There are two ways to install Snort on an Ubuntu distribution, and the easiest is to do it through the command line. If your computer is up to date you can simply type:
sudo apt-get install snort
This will download and install the newest packaged version of Snort on your computer from the command line. As soon as it is done you will be ready to use Snort. If you run into an error or cannot install Snort through the command line, you can always go to the Snort website and download the newest version; make sure that you download the tar.gz file and follow their installation guide to completely set up Snort.
Once installed, you can run Snort as just a sniffer and have all packets captured and logged, but that will create an enormous log file that you would then have to read through. Snort works so well because of its use of rules to decide which traffic to log and which traffic to ignore. Rules are beyond the scope of this article, but I plan on writing an article in the near future on creating rules for Snort.
How Snort runs depends on the flags that you specify when you launch Snort from the command line:
-v View packet headers at the console.
-d View application data with IP headers.
-D Run Snort as a daemon.
-e Show data-link layer headers.
-l Run in packet logger mode.
-h Log information relative to the home network.
-b Log information to a single binary file in the logging directory.
-r Read packets contained in a log file.
-N Disable packet logging.
-c Specifies which file will be used to provide a rule-set for intrusion detection.
-i Specifies which network interface (such as eth0 or wlan0) Snort should listen on when running.
As you can see from the list above, we have a few different options when it comes to flags used with Snort. Let's start with just viewing IP packet headers by using the command sudo snort -v. Be sure to put sudo before snort so that it runs with administrative privileges; this is needed to capture packets from the network interface. Since we did not specify an interface for Snort to listen on, it is going to use eth0 by default. However, I am not using eth0 as I write this article; I am using wlan0, which is my wireless card. We will need to use the -i flag to tell Snort to use the wireless card to check for traffic: sudo snort -v -i wlan0. Now Snort will run and display on the screen every packet header that comes across wlan0, my wireless card. As you can see, this is very useful if you want to monitor all traffic across your network, but very impractical if you want to protect your network. To end the application once it has started, simply hit CTRL+C to stop the program and return to a command prompt.
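The flags above are easy to mix up, so here is an added example (not from the original article, and not part of the Snort project) of a small launcher script that composes the Snort command line for three common modes and, when no interface is given, picks the interface carrying the default route instead of falling back to Snort's eth0 default. The paths /var/log/snort and /etc/snort/snort.conf and the home network 192.168.1.0/24 are assumed placeholder defaults, not values from the article; the script only prints the command so you can check it before running it with sudo.

```shell
#!/bin/sh
# Added example, not from the original article: compose a Snort command line
# from the flags discussed above. Default paths and home network below are
# assumptions for illustration, not values taken from the article.

# Extract the interface name from an `ip route` default-route line, e.g.
# "default via 192.168.1.1 dev wlan0 proto dhcp" -> "wlan0".
iface_from_route_line() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Ask the kernel for the interface that carries the default route
# (empty string if there is none or `ip` is unavailable).
default_iface() {
    iface_from_route_line "$(ip route show default 2>/dev/null | head -n 1)"
}

# Compose the snort command line for one of three modes:
#   sniff <iface>                          -> headers, payload and link-layer
#                                             headers on the console (-v -d -e)
#   log   <iface> <logdir>                 -> binary packet log in <logdir> (-l -b)
#   ids   <iface> <logdir> <rules> <homenet> -> daemon using a rule set (-D -c -l -h)
# The command is printed rather than executed (dry run); run it with sudo.
build_snort_cmd() {
    mode=$1
    iface=${2:-$(default_iface)}
    iface=${iface:-eth0}   # Snort's own default when nothing better is known
    case $mode in
        sniff)
            printf 'snort -v -d -e -i %s\n' "$iface" ;;
        log)
            logdir=${3:-/var/log/snort}   # assumed default
            printf 'snort -l %s -b -i %s\n' "$logdir" "$iface" ;;
        ids)
            logdir=${3:-/var/log/snort}          # assumed default
            rules=${4:-/etc/snort/snort.conf}    # assumed default
            homenet=${5:-192.168.1.0/24}         # assumed placeholder network
            printf 'snort -D -c %s -l %s -h %s -i %s\n' \
                "$rules" "$logdir" "$homenet" "$iface" ;;
        *)
            echo "usage: build_snort_cmd sniff|log|ids [iface] [logdir] [rules] [homenet]" >&2
            return 1 ;;
    esac
}

# Example use from a shell that has sourced this file:
#   build_snort_cmd sniff wlan0            # prints: snort -v -d -e -i wlan0
#   sudo sh -c "$(build_snort_cmd log wlan0 /var/log/snort)"
```

Sourcing the file and calling build_snort_cmd lets you inspect the exact flags before handing the command to sudo; the ids mode is the shape the next article's rule-based setup will take, with -c pointing at the rule set and -h describing the network Snort is protecting.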
We have quickly discussed installing Snort and then running some basic Snort commands to get some output from the program onto our screen. Stay tuned for the next article on configuring Snort rules and running Snort as a true IDS with alerting.