How to create basic Snort IDS rules
This post follows up to Install Snort in Kali Linux, the easy way.
I am going to create some basic rules to use Snort as an IDS.
The first thing to do is defining what Snort has to protect as the Home network.
You need to edit its configuration file (/etc/snort/snort.conf) as follows:
- Change the value of the line ipvar HOME_NET from any to your home network range (in my case, 192.168.2.0/24)
- Change the value of the line ipvar EXTERNAL_NET from any to !$HOME_NET (in other words, uncomment the last line shown in the first below screenshot). The value of the EXTERNAL_NET variable will have to be defined as any network other than the Home network.
- Apply customized rules by editing the file /etc/snort/rules/local.rules, as shown below.
- Edit /etc/snort/snort.conf by adding a line that includes your customized rule file.
The rules I created above, by editing the /etc/snort/rules/local.rules file, detect any access to Facebook and to two potentially malicious websites over my home network.
Validate your configuration by running the following command: snort -c /etc/snort/snort.conf -T.
If all looks good, you'll receive a successful confirmation message, as shown below.
At this point, you're good to go.
In order to run Snort in IDS mode, I used the following command: snort –A console –i eth0 –c /etc/snort/snort.conf –l /var/log/snort –K ascii, which shows alerts on screen, while at the same time saving them to a log file (/var/log/snort).
In order to run Snort in IDS mode, I used the following command: snort –A console –i eth0 –c /etc/snort/snort.conf –l /var/log/snort –K ascii, which shows alerts on screen, while at the same time saving them to a log file (/var/log/snort).
I visited the restricted websites with another virtual machine on my same network, in order to trigger the alerts, and the rules I had set up worked like a charm (see below screenshot).
Wrap up
Snort is a very powerful open-source IDS.
Though being a free software, Snort allows to handle pretty sophisticated rules and works with OS X, Windows and Linux.
It's used both in small and large corporate environments, allowing for customized rules to be easily deployed.
Snort is a tool that both system administrators and security professionals need to have in their bag of tricks.
Comments
Post a Comment