
Snort Cheatsheet

Snort is an open-source network intrusion detection and prevention system (IDS/IPS) capable of performing real-time traffic analysis and packet logging. Developed by Sourcefire (now Cisco), Snort can detect various attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts.

Installation

Linux Installation

bash
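# Ubuntu/Debian
sudo apt update
sudo apt install snort

# CentOS/RHEL
sudo yum install epel-release
sudo yum install snort

# Fedora
sudo dnf install snort

# From source. Use EITHER a distribution package OR the source build: doing both leaves
# two snort binaries on the host (/usr/sbin from the package, /usr/local/bin from
# `make install`) and it is easy to start the wrong one.
#
# DAQ must be built and installed BEFORE Snort: Snort 2.9's ./configure looks for
# libdaq and aborts when it is absent, so the original order (Snort first, DAQ after)
# fails at the configure step.
# Before unpacking either tarball, compare `sha256sum <file>` with the checksum
# published on the snort.org download page; an unverified download is the weakest link
# of a source install.
wget https://www.snort.org/downloads/snortplus/daq-2.0.7.tar.gz
tar -xzf daq-2.0.7.tar.gz
cd daq-2.0.7
./configure
make
sudo make install
# Refresh the shared-library cache so the Snort build below can find libdaq.
sudo ldconfig
cd ..

wget https://www.snort.org/downloads/snort/snort-2.9.20.tar.gz
tar -xzf snort-2.9.20.tar.gz
cd snort-2.9.20
./configure --enable-sourcefire
make
sudo make install
cd ..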

Dependencies

bash
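# Required libraries
sudo apt install libpcap-dev libpcre3-dev libdumbnet-dev
sudo apt install zlib1g-dev liblzma-dev openssl libssl-dev
sudo apt install libnghttp2-dev
# libdaq is not optional: Snort 2.9's ./configure fails without the DAQ headers and
# library. Install the distribution package, or build DAQ from source (see Installation)
# before building Snort.
sudo apt install libdaq-dev

# Optional libraries
sudo apt install libluajit-5.1-dev   # only needed when OpenAppID is enabled
sudo apt install flex bison          # only needed to build DAQ from source (its bundled BPF parser is generated with them)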

Basic Configuration

Main Configuration File

bash
# /etc/snort/snort.conf
#
# Site variables that rules and preprocessors reference as $NAME.
# HOME_NET must be the address space actually being protected: every rule scoped to
# $HOME_NET / $EXTERNAL_NET is silently neutered when it is wrong.
# NOTE(review): the snort.conf shipped with 2.9 declares address lists with `ipvar`
# and port lists with `portvar`; plain `var` is used throughout here — confirm your
# build accepts it for the list values below.

# Network variables
var HOME_NET 192.168.1.0/24
# Negation of HOME_NET. If HOME_NET is ever set to "any" this becomes "!any" and
# matches nothing, so the two must be changed together.
var EXTERNAL_NET !$HOME_NET
# Service host lists default to all of HOME_NET; narrowing them to the real servers
# cuts both load and false positives for the protocol-specific rule sets.
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SSH_SERVERS $HOME_NET

# Port variables
# HTTP_PORTS feeds the web rules; http_inspect_server carries the same list
# literally, so keep the two in sync when adding a port.
var HTTP_PORTS [80,81,311,383,591,593,901,1220,1414,1741,1830,2301,2381,2809,3037,3128,3702,4343,4848,5250,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8243,8280,8300,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,11371,34443,34444,41080,50002,55555]

# Shellcode rules run on every port except 80.
var SHELLCODE_PORTS !80
# "1024:" is an open range: 1024 and above.
var ORACLE_PORTS 1024:
var SSH_PORTS 22
var FTP_PORTS 21
var SIP_PORTS [5060,5061,5600]
var FILE_DATA_PORTS [$HTTP_PORTS,110,143]
var GTP_PORTS [2123,2152,3386]

# Paths
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
# Read by the reputation preprocessor (white_list.rules / black_list.rules).
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

Preprocessor Configuration

bash
# Preprocessors in snort.conf

# Normalize TCP traffic
# Normalizers only act in inline mode (-Q); in passive IDS mode they are no-ops.
preprocessor normalize_tcp: ips ecn stream

# Normalize IP traffic
preprocessor normalize_ip4
preprocessor normalize_icmp4

# Fragment reassembly
preprocessor frag3_global: max_frags 65536
# "policy windows" is target-based reassembly: it must match the OS of the hosts being
# protected. A mismatched policy resolves overlapping fragments differently from the
# end host, which is exactly the gap evasion tools use.
preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180

# Stream reassembly
# max_tcp / max_udp bound the session tables (memory); max_active_responses and
# min_response_seconds rate-limit the RSTs sent for reject rules and responses.
preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no, max_tcp 262144, max_udp 131072, max_active_responses 2, min_response_seconds 5
# Same target-based caveat as frag3: "policy windows" should reflect the protected hosts.
# require_3whs 180 ignores sessions not seen from the handshake for the first 180 s after
# start-up (midstream pickup), so rules with flow:established miss those early sessions.
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, overlap_limit 10, small_segments 3 bytes 150, timeout 180, ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 161 445 513 514 587 593 691 1433 1521 1741 2100 3306 6070 6665 6666 6667 6668 6669, ports both 80 81 311 383 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555

# HTTP inspection
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
# server_flow_depth / client_flow_depth 0 = inspect the whole body (thorough, costly).
# NOTE(review): oversize_dir_length appears twice below (500, then 300); which value
# wins is not obvious from the config — remove one so the intent is unambiguous.
# NOTE(review): the "<option> yes|no" pairs (ascii, utf_8, iis_unicode, ...) control
# whether an ALERT is raised for that encoding, not whether it is decoded — confirm
# against the manual before reading "no" as "decoding disabled".
preprocessor http_inspect_server: server default \
    http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
    chunk_length 500000 \
    server_flow_depth 0 \
    client_flow_depth 0 \
    post_depth 65495 \
    oversize_dir_length 500 \
    max_header_length 750 \
    max_headers 100 \
    max_spaces 200 \
    small_chunk_length { 10 5 } \
    ports { 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555 } \
    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
    enable_cookie \
    extended_response_inspection \
    inspect_gzip \
    normalize_utf \
    unlimited_decompress \
    normalize_javascript \
    apache_whitespace no \
    ascii no \
    bare_byte no \
    base36 no \
    directory no \
    double_decode no \
    iis_backslash no \
    iis_delimiter no \
    iis_unicode no \
    multi_slash no \
    non_strict \
    oversize_dir_length 300 \
    plus_to_space no \
    simplify_path no \
    u_encode yes \
    utf_8 no \
    webroot no

Output Configuration

bash
# Output modules in snort.conf
# Several outputs can be active at once; each alert is written to all of them.

# Alert to syslog (facility auth, level alert): the simplest route to a remote collector.
output alert_syslog: LOG_AUTH LOG_ALERT

# Alert to file: one line per alert, the format the shell one-liners later on this page parse.
output alert_fast: /var/log/snort/alert

# Full packet logging (pcap format, readable with tcpdump/wireshark). Contains payloads —
# restrict access to the log directory.
output log_tcpdump: /var/log/snort/snort.log

# Unified2 output (for Barnyard2): binary, rolled over every 128 MB.
output unified2: filename snort.u2, limit 128

# Database output
# Cleartext DB credential in the config: keep snort.conf readable only by root and the
# snort account, and give this DB user insert-only rights on the snort schema.
# NOTE(review): the database output plugin was dropped from Snort in later 2.9.x
# releases (Barnyard2 reading unified2 replaced it) — confirm it exists in your build.
output database: log, mysql, user=snort password=password dbname=snort host=localhost

# CSV output ("default" selects the standard column set)
output alert_csv: /var/log/snort/alert.csv default

# XML output
# NOTE(review): an XML alert plugin is not part of current 2.9 builds — confirm before relying on it.
output alert_XML: /var/log/snort/alert.xml

Rule Management

Rule Syntax

bash
# Basic rule structure
# The header (everything before the parentheses) selects packets; the options refine the
# match, carry the message and identify the rule. direction is -> or <>; addresses and
# ports accept a literal, a $VAR, a [list], "any" or a ! negation.
action protocol src_ip src_port direction dst_ip dst_port (rule_options)

# Rule actions
alert    # Generate alert and log packet
log      # Log packet
pass     # Ignore packet
drop     # Drop packet and log (IPS mode)
reject   # Drop packet and send reset (IPS mode)
sdrop    # Drop packet silently (IPS mode)
# drop / reject / sdrop only block when Snort runs inline (-Q); in passive mode they
# cannot block — check the start-up output for how your build treats them there.

# Rule examples
# sid 1000000 and above is reserved for local rules; bump rev on every edit.
# No flow: qualifier here, so this fires on every packet to port 22, not once per session.
alert tcp any any -> $HOME_NET 22 (msg:"SSH connection attempt"; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP Ping"; sid:1000002; rev:1;)
# Raw-payload match: "GET" anywhere in the client data, not limited to the request line.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"HTTP GET request"; content:"GET"; sid:1000003; rev:1;)

Rule Options

bash
# Message and metadata
msg:"Alert message"
sid:1000001                     # unique rule id; 1000000+ is the local range
rev:1                           # revision, bumped on every change to the rule
classtype:trojan-activity       # must exist in classification.config; supplies the default priority
priority:1                      # overrides the classtype priority (1 = highest)
reference:url,www.example.com

# Content matching
content:"GET"
content:"|41 41 41 41|"  # Hex content
content:"admin"; nocase
# offset/depth are absolute (from the start of the payload): search for "password"
# starting at byte 10, within the following 20 bytes.
content:"password"; offset:10; depth:20
# distance/within are relative to the end of the previous content match.
content:"user"; distance:5; within:10

# Flow options
# Requiring an established session discards matches on stray packets and cuts per-packet
# work; to_server / from_server fix the direction.
flow:established,to_server
flow:established,from_server
flow:stateless

# Byte test and jump
# Read 4 bytes at offset 0 (big-endian unless told otherwise) and test for > 1000.
byte_test:4,>,1000,0
# Read a 4-byte length at offset 0 and move the detection cursor that far forward.
byte_jump:4,0

# PCRE (Perl Compatible Regular Expressions)
# A regex is evaluated on every packet that reaches it; put a cheap content: match in
# front so the PCRE only runs on candidates.
pcre:"/^GET\s+\/admin/i"
pcre:"/password\s*=\s*['\"]?(\w+)/i"

# Threshold
# NOTE(review): the threshold rule option is deprecated in 2.9 in favour of
# detection_filter (in the rule) plus event_filter / suppress in threshold.conf — confirm
# for your version before writing new rules with it.
# limit: alert on the first 5 events per source per 60 s; threshold: alert once per 10
# events per destination; both: alert once per 60 s window once 5 events were seen.
threshold:type limit, track by_src, count 5, seconds 60
threshold:type threshold, track by_dst, count 10, seconds 60
threshold:type both, track by_src, count 5, seconds 60

# Detection filters
# Holds the alert back until the rule has matched 5 times from one source within 60 s.
detection_filter:track by_src, count 5, seconds 60

Custom Rules

bash
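# /etc/snort/rules/local.rules
#
# Site-local rules. SIDs 1000000 and above are reserved for local use so they never
# collide with vendor rule sets; bump rev: whenever a rule is edited.

# Detect SSH brute force
# Fires once a source has opened 5 SSH sessions to HOME_NET within 60 s. content:"SSH"
# only matches the version banner, so every client that completes a handshake counts;
# expect noise from legitimate automation and tune count/seconds per site.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH Brute Force Attack"; flow:established,to_server; content:"SSH"; threshold:type threshold, track by_src, count 5, seconds 60; sid:1000100; rev:1;)

# Detect SQL injection
# "union" followed by "select" (case-insensitive) within 100 bytes, anywhere in the raw
# client payload. Restricting it to http_uri / http_client_body would cut false
# positives from ordinary text at the cost of depending on http_inspect.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL Injection Attempt"; flow:established,to_server; content:"union"; nocase; content:"select"; nocase; distance:0; within:100; sid:1000101; rev:1;)

# Detect XSS attempts
# Matches the raw payload, so only the literal "<script" is seen; URL-encoded probes
# (%3Cscript) pass. http_uri would match against the normalized URI instead.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"XSS Attempt"; flow:established,to_server; content:"<script"; nocase; sid:1000102; rev:1;)

# Detect port scanning
# Counts bare SYNs per source: 10 within 5 s. Any busy client (a browser opening parallel
# connections) trips it; the sfportscan preprocessor is the purpose-built alternative.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Port Scan Detected"; flags:S; threshold:type threshold, track by_src, count 10, seconds 5; sid:1000103; rev:1;)

# Detect malware communication
# Uses the http_inspect buffers: a POST whose normalized URI contains /gate.php.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Malware Communication"; flow:established,to_server; content:"POST"; http_method; content:"/gate.php"; http_uri; sid:1000104; rev:1;)

# Detect DNS tunneling
# A standard recursive query (flags 0x0100, qdcount 1, no answer/authority/additional
# records) whose first label is longer than 50 bytes. The DNS transaction ID occupies
# bytes 0-1 and is random, so the header pattern has to start at offset 2: with
# depth:10 alone (as originally written) the 10-byte pattern was pinned to offset 0 and
# could only match packets whose ID happened to be 0x0100 — i.e. effectively never.
# NOTE(review): arcount 0 excludes EDNS queries (an OPT record in the additional
# section), which most modern resolvers send; consider dropping the last two bytes of
# the pattern to cover them.
alert udp $HOME_NET any -> any 53 (msg:"DNS Tunneling Detected"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; byte_test:1,>,50,12; sid:1000105; rev:2;)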

Running Snort

Command Line Options

bash
# Basic IDS mode: alerts to the console; -q suppresses the banner and start-up statistics
sudo snort -A console -q -c /etc/snort/snort.conf -i eth0

# Packet logging mode: no config and no rules — every packet is written under -l (fills disks fast)
sudo snort -dev -l /var/log/snort -i eth0

# Read from pcap file: offline, no privileges needed, same config and rules as the live sensor
snort -r capture.pcap -c /etc/snort/snort.conf

# Test configuration: parses snort.conf and every included rule file, then exits — run after each change
snort -T -c /etc/snort/snort.conf

# Verbose mode (sniffer: packet headers to stdout)
snort -v -i eth0

# Dump application data
snort -vd -i eth0

# Dump link layer headers
snort -vde -i eth0

# IPS mode (inline): -Q with the afpacket DAQ bridging eth0<->eth1; drop/reject verdicts only take effect here
sudo snort -Q --daq afpacket -i eth0:eth1 -c /etc/snort/snort.conf

# Daemon mode. -u/-g make Snort drop root once the capture interface is open, so a bug in
# a rule or preprocessor runs as the snort account, not root — use them on every long-running instance.
sudo snort -D -c /etc/snort/snort.conf -i eth0 -u snort -g snort

Common Parameters

bash
# Interface options
-i eth0              # Specify interface
-r file.pcap         # Read from pcap file
-s                   # Log alerts to syslog

# Configuration
-c snort.conf        # Configuration file
-T                   # Test configuration (parse config and rules, then exit)
-v                   # Verbose
-d                   # Dump application data
-e                   # Dump link layer headers

# Logging
-l /var/log/snort    # Log directory
-A console           # Alert mode (console, fast, full, none)
-b                   # Log in binary tcpdump format
-K ascii             # Log in ASCII format

# Performance
-q                   # Quiet mode
-D                   # Daemon mode
-u snort             # Run as user (privilege drop after start-up; use on every long-running sensor)
-g snort             # Run as group

# Filtering
-F bpf_file          # BPF filter file
host 192.168.1.1     # BPF filter expression — not a flag: it is passed as trailing arguments, e.g. snort -i eth0 host 192.168.1.1

Rule File Management

Enabling/Disabling Rules

bash
# Enable all rules in a file
# include paths are resolved relative to the config file unless absolute; every file
# named in an include must exist or `snort -T` fails.
include $RULE_PATH/emerging-threats.rules

# Disable specific rules
# Comment out or remove from configuration
# Editing vendor rule files by hand is undone by the next rule update. Durable
# alternatives: suppress / event_filter entries in threshold.conf keyed by gid:sid, or
# PulledPork's disablesid.conf, both of which survive updates.

# Modify rule files
sudo nano /etc/snort/rules/local.rules

# Rule categories
# NOTE(review): these file names follow the classic (older 2.x) category layout;
# current registered/subscriber sets ship under different names — include only files
# that exist in $RULE_PATH.
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/blacklist.rules
include $RULE_PATH/botnet-cnc.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/content-replace.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/file-identify.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/info.rules
include $RULE_PATH/malware-cnc.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/scada.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/voip.rules
include $RULE_PATH/web-activex.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/x11.rules

Rule Updates

bash
# PulledPork (rule management tool)
# NOTE(review): PulledPork is normally installed from its GitHub release archive; check
# that your distribution actually packages it before relying on this line.
sudo apt install pulledpork

# Configure PulledPork
# The config holds the oinkcode used for registered/subscriber rule sets — keep the
# file readable by root only.
sudo nano /etc/pulledpork/pulledpork.conf

# Update rules
sudo pulledpork.pl -c /etc/pulledpork/pulledpork.conf

# Manual rule download
# The path component (snort-2.9.0 here) selects the rule-set version; pick the one
# matching the installed Snort.
wget https://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz
# This unpacks a network download straight into the live rule directory. Compare it with
# the checksum published next to the archive first, and check the layout (tar -tzf):
# the ET archive normally carries a rules/ subdirectory, so the files land in
# /etc/snort/rules/rules/ where the include lines above will not find them. Writing into
# /etc/snort/rules also needs root (sudo).
tar -xzf emerging.rules.tar.gz -C /etc/snort/rules/

# Oinkmaster (alternative rule management)
sudo apt install oinkmaster
sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/snort/rules

Performance Tuning

Configuration Optimization

bash
# Stream5 tuning
# Session-table sizes: every tracked session costs memory, so scale these with the
# sensor's RAM rather than copying them blindly. Only one stream5_global line may be
# active per config — this replaces, not supplements, the one in the preprocessor section.
preprocessor stream5_global: \
    track_tcp yes, \
    max_tcp 262144, \
    max_udp 131072, \
    max_active_responses 2, \
    min_response_seconds 5

# HTTP inspect tuning
# A flow depth of 0 means "inspect the whole body" — the most thorough and the most
# expensive setting. A positive byte count caps the work spent per request/response.
preprocessor http_inspect_server: server default \
    server_flow_depth 0 \
    client_flow_depth 0 \
    post_depth 65495 \
    chunk_length 500000

# Performance statistics
# Only available when Snort was built with --enable-perfprofiling; the per-rule and
# per-preprocessor timings are reported when Snort exits (or as configured).
config profile_rules
config profile_preprocs

# Memory optimization
# Bound the events queued per packet, and log only the top 3 of at most 8 queued
# events, ordered by longest content match.
config detection: max_queue_events 5
config event_queue: max_queue 8 log 3 order_events content_length

System Optimization

bash
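# Increase receive buffer.
# A drop-in under /etc/sysctl.d/ (the file name is ours to choose) avoids appending a
# duplicate pair of lines to /etc/sysctl.conf on every run, and `sysctl -p` applies the
# values now instead of at the next boot. Note that `sudo echo ... >> file` cannot work:
# the redirection is opened by the unprivileged shell, not by sudo, hence tee.
printf '%s\n' 'net.core.rmem_max = 134217728' 'net.core.rmem_default = 134217728' \
  | sudo tee /etc/sysctl.d/90-snort.conf >/dev/null
sudo sysctl -p /etc/sysctl.d/90-snort.conf

# Disable TCP offloading: with GRO/LRO/TSO/GSO on, the NIC hands Snort coalesced
# super-frames that do not match what was on the wire. One -K call sets all four.
sudo ethtool -K eth0 gro off lro off tso off gso off

# CPU affinity: pin the sensor to core 0 (capture needs the same privileges as elsewhere)
sudo taskset -c 0 snort -c /etc/snort/snort.conf -i eth0

# Multiple Snort instances, one per interface.
# --pid-path names a DIRECTORY; Snort writes a per-interface pid file inside it, so the
# two instances do not collide. --create-pidfile is needed because neither runs with -D.
# Both are backgrounded; nothing here notices if one of them dies — a `wait` or a
# supervisor (systemd units) is needed for that.
sudo snort -c /etc/snort/snort.conf -i eth0 --pid-path /var/run --create-pidfile &
sudo snort -c /etc/snort/snort.conf -i eth1 --pid-path /var/run --create-pidfile &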

Monitoring and Analysis

Log Analysis

bash
# Alert log locations
# Not commands: these are the files written by alert_fast, log_tcpdump and unified2.
# They contain payload data — restrict read access to the directory.
/var/log/snort/alert
/var/log/snort/snort.log
/var/log/snort/*.u2

# View alerts
tail -f /var/log/snort/alert
grep "SQL Injection" /var/log/snort/alert

# Analyze unified2 logs with u2spewfoo (prints the binary unified2 records as text)
u2spewfoo /var/log/snort/snort.log.1234567890

# Analyze with Barnyard2. -w names the bookmark ("waldo") file that records how far the
# spool has been read, so a restart neither re-processes nor skips alerts.
barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo

# Statistics
# NOTE(review): --pcap-show and --pcap-list are pcap-reading options (show the file being
# read / supply a list of files); they do not print runtime statistics. A running sensor
# dumps its counters when sent SIGUSR1 — confirm for your version.
snort --pcap-show
snort --pcap-list

Real-time Monitoring

bash
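# Console alerts
snort -A console -q -c /etc/snort/snort.conf -i eth0

# Syslog monitoring
tail -f /var/log/syslog | grep snort

# Custom monitoring script
#!/bin/bash
# Follow the alert_fast file and prefix every alert with the time it was seen.
# IFS= and -r keep leading whitespace and backslashes in the alert text intact, and
# printf (not echo) prints a line that starts with "-" or contains escapes verbatim.
# Alert lines carry attacker-influenced data (addresses, ports, payload-derived text),
# so anything added at the "take action" spot must treat $line strictly as data —
# never hand it to eval or an unquoted command.
tail -f -- /var/log/snort/alert | while IFS= read -r line; do
    printf '%s: %s\n' "$(date)" "$line"
    # Send notification or take action
done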

Integration with SIEM

bash
# Syslog configuration
output alert_syslog: LOG_AUTH LOG_ALERT

# JSON output for ELK stack
output alert_json: /var/log/snort/alert.json

# Database integration
output database: alert, mysql, user=snort password=password dbname=snort host=localhost sensor_name=sensor1

# Splunk integration
# Configure Splunk Universal Forwarder to monitor /var/log/snort/

Advanced Features

Inline Mode (IPS)

bash
# Configure bridge interface
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig br0 up

# Run Snort in inline mode
snort -Q --daq afpacket -i eth0:eth1 -c /etc/snort/snort.conf

# IPS rules (drop instead of alert)
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH Brute Force - Blocking"; flow:established,to_server; threshold:type threshold, track by_src, count 5, seconds 60; sid:2000001; rev:1;)

# Reject rules
reject tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Malicious HTTP Request - Rejecting"; content:"../../../"; sid:2000002; rev:1;)

Custom Preprocessors

bash
# Reputation preprocessor
preprocessor reputation: \
    memcap 500, \
    priority whitelist, \
    nested_ip inner, \
    whitelist $WHITE_LIST_PATH/white_list.rules, \
    blacklist $BLACK_LIST_PATH/black_list.rules

# File preprocessor
preprocessor file_inspect: \
    type_id, \
    signature, \
    capture_memcap 100, \
    capture_max_size 1048576, \
    capture_min_size 0, \
    capture_block_size 32768

# SSL/TLS preprocessor
preprocessor ssl: \
    ports { 443 465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902 7903 7904 7905 }, \
    trustservers, \
    noinspect_encrypted

Snort3 (Next Generation)

bash
# Install Snort3
# Cloning the default branch builds whatever is at HEAD; check out a tagged release
# (git checkout <release-tag>) for a reproducible, reviewed build.
# NOTE(review): Snort 3 needs libdaq 3.x (the snort3/libdaq project) installed first —
# that step is not shown here.
git clone https://github.com/snort3/snort3.git
cd snort3
./configure_cmake.sh --prefix=/usr/local/snort
cd build
make -j$(nproc)
sudo make install

# Snort3 configuration (Lua-based)
# /usr/local/snort/etc/snort/snort.lua

-- Basic configuration
HOME_NET = '192.168.1.0/24'
-- Repeats the HOME_NET literal; EXTERNAL_NET = '!' .. HOME_NET keeps the two in step.
EXTERNAL_NET = '!192.168.1.0/24'

-- Stream configuration
-- Session-cache sizes, the counterpart of stream5_global's max_tcp / max_udp.
stream = {
    tcp_cache = {
        max_sessions = 262144,
    },
    udp_cache = {
        max_sessions = 131072,
    }
}

-- HTTP inspection
-- NOTE(review): Snort 3 depth semantics differ from 2.9's flow_depth: per the
-- http_inspect module help, -1 means "no limit" and 0 examines no message-body bytes
-- at all — confirm before carrying a 0 over from a 2.9 config.
http_inspect = {
    request_depth = 0,
    response_depth = 0,
    unzip = true,
    normalize_utf = true,
}

-- Rule files
-- The rules string is parsed like a rules file, so include lines and inline rules go here.
ips = {
    rules = [[
        include /usr/local/snort/etc/rules/snort3-community.rules
        include /usr/local/snort/etc/rules/local.rules
    ]]
}

Troubleshooting

Common Issues

bash
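# Permission issues: the log directory must be writable by the account given to -u/-g.
sudo chown -R snort:snort /var/log/snort
# 750 rather than 755: alert and packet logs contain payload data, and other local
# accounts have no business reading them.
sudo chmod 750 /var/log/snort

# Interface issues: capture needs promiscuous mode and offloading disabled.
# ip(8) replaces the deprecated ifconfig; both features can be set in one ethtool call.
sudo ip link set dev eth0 promisc on
sudo ethtool -K eth0 gro off lro off

# Configuration errors
snort -T -c /etc/snort/snort.conf

# Rule syntax errors: -T validates the rules too; 2>&1 keeps the stderr ERROR lines
snort -T -c /etc/snort/snort.conf 2>&1 | grep "ERROR"

# Performance issues
# Check CPU usage. pgrep -d, joins several PIDs with commas, the form top -p expects;
# a bare $(pgrep snort) breaks as soon as two instances run.
top -p "$(pgrep -d, -x snort)"

# Check memory usage (one line per running instance)
while read -r pid; do
    grep VmRSS "/proc/$pid/status"
done < <(pgrep -x snort)

# Check dropped packets: the rx drop column of /proc/net/dev, plus the NIC's own counters
grep eth0 /proc/net/dev
sudo ethtool -S eth0 | grep -i drop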

Debugging

bash
# Debug mode: sniffer output with payload (-d) and link-layer headers (-e); no rules are loaded without -c
snort -v -d -e -i eth0

# Packet capture for analysis: record with tcpdump, then replay through the full rule set
# offline — reproducible, and the pcap can be handed to whoever writes the fix.
tcpdump -i eth0 -w debug.pcap
snort -r debug.pcap -c /etc/snort/snort.conf

# Rule debugging: alerts for a crafted test pcap straight to the console
snort -A console -q -c /etc/snort/snort.conf -r test.pcap

# Performance profiling
# NOTE(review): --enable-inline-test runs Snort in inline-test mode (verdicts computed,
# nothing dropped); it is not a profiler. Rule/preprocessor profiling is the
# `config profile_rules` / `config profile_preprocs` pair in snort.conf on a build
# configured with --enable-perfprofiling.
snort --enable-inline-test -c /etc/snort/snort.conf -r test.pcap

# Memory debugging: valgrind slows Snort by an order of magnitude — use it with a pcap, never on a live interface
valgrind --tool=memcheck snort -c /etc/snort/snort.conf -r test.pcap

Log Analysis Tools

bash
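# Snorby (web-based analysis)
# Ruby on Rails application for Snort log analysis

# BASE (Basic Analysis and Security Engine)
# PHP-based web interface for Snort

# Sguil (Analyst Console)
# Real-time network security monitoring

# ELSA (Enterprise Log Search and Archive)
# Centralized syslog framework

# Custom analysis scripts
#!/bin/bash
# Daily summaries over the alert_fast file (`output alert_fast`), whose lines look like
#   MM/DD-HH:MM:SS.uuuuuu [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} SRC:SPORT -> DST:DPORT
# Three fixes against the earlier one-liners: they grepped for `date +%b\ %d` ("Jan 15"),
# the syslog date form, which never matches alert_fast's MM/DD- prefix; "top attackers"
# printed $NF, the DESTINATION, instead of the source in front of "->"; and the port
# report grepped every ":digits", including the minutes and seconds of the timestamp.
# Assumes the msg text contains no "->" token. An IPv6 source keeps its final ":port"
# stripped the same way as IPv4.

alert_log=${ALERT_LOG:-/var/log/snort/alert}
today=$(date +%m/%d)

# Top attackers: "count source_ip" for the ten busiest sources on the given day.
# Arguments: $1 - alert_fast file, $2 - date prefix in MM/DD form
top_attackers() {
  local file=$1 day=$2
  grep -- "^${day}-" "$file" \
    | awk '{ for (i = 2; i <= NF; i++) if ($i == "->") { src = $(i - 1); sub(/:[0-9]+$/, "", src); print src } }' \
    | sort | uniq -c | sort -nr | head -10
}

# Top attacked ports: "count dst_port" for the ten most-hit destination ports.
# Arguments: $1 - alert_fast file, $2 - date prefix in MM/DD form
top_attacked_ports() {
  local file=$1 day=$2
  grep -- "^${day}-" "$file" \
    | awk '{ for (i = 1; i < NF; i++) if ($i == "->") { dst = $(i + 1); if (sub(/.*:/, "", dst)) print dst } }' \
    | sort | uniq -c | sort -nr | head -10
}

top_attackers "$alert_log" "$today"
top_attacked_ports "$alert_log" "$today"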

Best Practices

Security Best Practices

bash
# Regular rule updates
# Automated rule management with PulledPork
# Custom rule development for environment-specific threats
# Regular tuning to reduce false positives

# Secure Snort installation
# Run as non-root user
# Restrict file permissions
# Use dedicated monitoring network

# Network segmentation
# Deploy sensors at network boundaries
# Monitor internal network segments
# Implement network access controls

Operational Best Practices

bash
# Monitoring and alerting
# Set up log rotation
# Implement alert correlation
# Configure SIEM integration
# Regular performance monitoring

# Documentation
# Document rule customizations
# Maintain change logs
# Document tuning decisions
# Keep network diagrams updated

# Testing and validation
# Test rule changes in lab environment
# Validate detection capabilities
# Regular penetration testing
# Performance benchmarking

Deployment Considerations

bash
# Capacity planning
# Estimate traffic volumes
# Plan for peak usage
# Monitor resource utilization
# Scale horizontally when needed

# High availability
# Deploy redundant sensors
# Implement failover mechanisms
# Regular backup procedures
# Disaster recovery planning

# Compliance
# Meet regulatory requirements
# Implement audit logging
# Document security controls
# Regular compliance assessments

Resources