Zum Inhalt

Snort Cheatsheet

generieren

Snort ist ein Open-Source-Netzwerk-Intrusionserkennungs- und Präventionssystem (IDS/IPS), das Echtzeit-Verkehrsanalysen und Paketprotokollierung durchführen kann. Entwickelt von Sourcefire (heute Cisco), kann Snort verschiedene Angriffe und Sonden erkennen, wie Pufferüberläufe, Stealth Port Scans, CGI-Angriffe, SMB-Sonden und OS Fingerabdruckversuche.

Installation

Linux Installation

```bash

Ubuntu/Debian

sudo apt update sudo apt install snort

CentOS/RHEL

sudo yum install epel-release sudo yum install snort

Fedora

sudo dnf install snort

From source

wget https://www.snort.org/downloads/snort/snort-2.9.20.tar.gz tar -xzf snort-2.9.20.tar.gz cd snort-2.9.20 ./configure --enable-sourcefire make sudo make install

Install DAQ (Data Acquisition library)

wget https://www.snort.org/downloads/snortplus/daq-2.0.7.tar.gz tar -xzf daq-2.0.7.tar.gz cd daq-2.0.7 ./configure make sudo make install ```_

Abhängigkeiten

```bash

Required libraries

sudo apt install libpcap-dev libpcre3-dev libdumbnet-dev sudo apt install zlib1g-dev liblzma-dev openssl libssl-dev sudo apt install libnghttp2-dev

Optional libraries

sudo apt install libluajit-5.1-dev sudo apt install libdaq-dev sudo apt install flex bison ```_

Grundkonfiguration

Hauptkonfigurationsdatei

```bash

/etc/snort/snort.conf

Network variables

var HOME_NET 192.168.1.0/24 var EXTERNAL_NET !$HOME_NET var DNS_SERVERS $HOME_NET var SMTP_SERVERS $HOME_NET var HTTP_SERVERS $HOME_NET var SQL_SERVERS $HOME_NET var TELNET_SERVERS $HOME_NET var SSH_SERVERS $HOME_NET

Port variables

var HTTP_PORTS [80,81,311,383,591,593,901,1220,1414,1741,1830,2301,2381,2809,3037,3128,3702,4343,4848,5250,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8243,8280,8300,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,11371,34443,34444,41080,50002,55555]

var SHELLCODE_PORTS !80 var ORACLE_PORTS 1024: var SSH_PORTS 22 var FTP_PORTS 21 var SIP_PORTS [5060,5061,5600] var FILE_DATA_PORTS [$HTTP_PORTS,110,143] var GTP_PORTS [2123,2152,3386]

Paths

var RULE_PATH /etc/snort/rules var SO_RULE_PATH /etc/snort/so_rules var PREPROC_RULE_PATH /etc/snort/preproc_rules var WHITE_LIST_PATH /etc/snort/rules var BLACK_LIST_PATH /etc/snort/rules ```_

Preprozessor Konfiguration

```bash

Preprocessors in snort.conf

Normalize TCP traffic

preprocessor normalize_tcp: ips ecn stream

Normalize IP traffic

preprocessor normalize_ip4 preprocessor normalize_icmp4

Fragment reassembly

preprocessor frag3_global: max_frags 65536 preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180

Stream reassembly

preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no, max_tcp 262144, max_udp 131072, max_active_responses 2, min_response_seconds 5 preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, overlap_limit 10, small_segments 3 bytes 150, timeout 180, ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 161 445 513 514 587 593 691 1433 1521 1741 2100 3306 6070 6665 6666 6667 6668 6669, ports both 80 81 311 383 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555

HTTP inspection

preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 preprocessor http_inspect_server: server default \ http_methods \\{ GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA \\} \ chunk_length 500000 \ server_flow_depth 0 \ client_flow_depth 0 \ post_depth 65495 \ oversize_dir_length 500 \ max_header_length 750 \ max_headers 100 \ max_spaces 200 \ small_chunk_length \\{ 10 5 \\} \ ports \\{ 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555 \\} \ non_rfc_char \\{ 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 \\} \ enable_cookie \ extended_response_inspection \ inspect_gzip \ normalize_utf \ unlimited_decompress \ normalize_javascript \ apache_whitespace no \ ascii no \ bare_byte no \ base36 no \ directory no \ double_decode no \ iis_backslash no \ iis_delimiter no \ iis_unicode no \ multi_slash no \ non_strict \ oversize_dir_length 300 \ plus_to_space no \ simplify_path no \ u_encode yes \ utf_8 no \ webroot no ```_

Ausgabekonfiguration

```bash

Output modules in snort.conf

Alert to syslog

output alert_syslog: LOG_AUTH LOG_ALERT

Alert to file

output alert_fast: /var/log/snort/alert

Full packet logging

output log_tcpdump: /var/log/snort/snort.log

Unified2 output (for Barnyard2)

output unified2: filename snort.u2, limit 128

Database output

output database: log, mysql, user=snort password=password dbname=snort host=localhost

CSV output

output alert_csv: /var/log/snort/alert.csv default

XML output

output alert_XML: /var/log/snort/alert.xml ```_

Regelverwaltung

Artikel Syntax

```bash

Basic rule structure

action protocol src_ip src_port direction dst_ip dst_port (rule_options)

Rule actions

alert # Generate alert and log packet log # Log packet pass # Ignore packet drop # Drop packet and log (IPS mode) reject # Drop packet and send reset (IPS mode) sdrop # Drop packet silently (IPS mode)

Rule examples

alert tcp any any -> $HOME_NET 22 (msg:"SSH connection attempt"; sid:1000001; rev:1;) alert icmp any any -> $HOME_NET any (msg:"ICMP Ping"; sid:1000002; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"HTTP GET request"; content:"GET"; sid:1000003; rev:1;) ```_

Regeloptionen

```bash

Message and metadata

msg:"Alert message" sid:1000001 rev:1 classtype:trojan-activity priority:1 reference:url,www.example.com

Content matching

content:"GET" content:"|41 41 41 41|" # Hex content content:"admin"; nocase content:"password"; offset:10; depth:20 content:"user"; distance:5; within:10

Flow options

flow:established,to_server flow:established,from_server flow:stateless

Byte test and jump

byte_test:4,>,1000,0 byte_jump:4,0

PCRE (Perl Compatible Regular Expressions)

pcre:"/^GET\s+\/admin/i" pcre:"/password\s*=\s*['\"]?(\w+)/i"

Threshold

threshold:type limit, track by_src, count 5, seconds 60 threshold:type threshold, track by_dst, count 10, seconds 60 threshold:type both, track by_src, count 5, seconds 60

Detection filters

detection_filter:track by_src, count 5, seconds 60 ```_

Zollvorschriften

```bash

/etc/snort/rules/local.rules

Detect SSH brute force

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH Brute Force Attack"; flow:established,to_server; content:"SSH"; threshold:type threshold, track by_src, count 5, seconds 60; sid:1000100; rev:1;)

Detect SQL injection

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL Injection Attempt"; flow:established,to_server; content:"union"; nocase; content:"select"; nocase; distance:0; within:100; sid:1000101; rev:1;)

Detect XSS attempts

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"XSS Attempt"; flow:established,to_server; content:"<script"; nocase; sid:1000102; rev:1;)

Detect port scanning

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Port Scan Detected"; flags:S; threshold:type threshold, track by_src, count 10, seconds 5; sid:1000103; rev:1;)

Detect malware communication

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Malware Communication"; flow:established,to_server; content:"POST"; http_method; content:"/gate.php"; http_uri; sid:1000104; rev:1;)

Detect DNS tunneling

alert udp $HOME_NET any -> any 53 (msg:"DNS Tunneling Detected"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; byte_test:1,>,50,12; sid:1000105; rev:1;) ```_

Laufende Snort

Kommandozeilenoptionen

```bash

Basic IDS mode

sudo snort -A console -q -c /etc/snort/snort.conf -i eth0

Packet logging mode

sudo snort -dev -l /var/log/snort -i eth0

Read from pcap file

snort -r capture.pcap -c /etc/snort/snort.conf

Test configuration

snort -T -c /etc/snort/snort.conf

Verbose mode

snort -v -i eth0

Dump application data

snort -vd -i eth0

Dump link layer headers

snort -vde -i eth0

IPS mode (inline)

sudo snort -Q --daq afpacket -i eth0:eth1 -c /etc/snort/snort.conf

Daemon mode

sudo snort -D -c /etc/snort/snort.conf -i eth0 -u snort -g snort ```_

Gemeinsame Parameter

```bash

Interface options

-i eth0 # Specify interface -r file.pcap # Read from pcap file -s # Log to syslog

Configuration

-c snort.conf # Configuration file -T # Test configuration -v # Verbose -d # Dump application data -e # Dump link layer headers

Logging

-l /var/log/snort # Log directory -A console # Alert mode (console, fast, full, none) -b # Log in binary tcpdump format -K ascii # Log in ASCII format

Performance

-q # Quiet mode -D # Daemon mode -u snort # Run as user -g snort # Run as group

Filtering

-F bpf_file # BPF filter file host 192.168.1.1 # BPF filter expression ```_

Regelverwaltung

Absetzen/Entwürfe

```bash

Enable all rules in a file

include $RULE_PATH/emerging-threats.rules

Disable specific rules

Comment out or remove from configuration

Modify rule files

sudo nano /etc/snort/rules/local.rules

Rule categories

include $RULE_PATH/app-detect.rules include $RULE_PATH/attack-responses.rules include $RULE_PATH/backdoor.rules include $RULE_PATH/bad-traffic.rules include $RULE_PATH/blacklist.rules include $RULE_PATH/botnet-cnc.rules include $RULE_PATH/chat.rules include $RULE_PATH/content-replace.rules include $RULE_PATH/ddos.rules include $RULE_PATH/dns.rules include $RULE_PATH/dos.rules include $RULE_PATH/experimental.rules include $RULE_PATH/exploit.rules include $RULE_PATH/file-identify.rules include $RULE_PATH/finger.rules include $RULE_PATH/ftp.rules include $RULE_PATH/icmp.rules include $RULE_PATH/imap.rules include $RULE_PATH/info.rules include $RULE_PATH/malware-cnc.rules include $RULE_PATH/misc.rules include $RULE_PATH/multimedia.rules include $RULE_PATH/mysql.rules include $RULE_PATH/netbios.rules include $RULE_PATH/nntp.rules include $RULE_PATH/oracle.rules include $RULE_PATH/other-ids.rules include $RULE_PATH/p2p.rules include $RULE_PATH/policy.rules include $RULE_PATH/pop2.rules include $RULE_PATH/pop3.rules include $RULE_PATH/rpc.rules include $RULE_PATH/rservices.rules include $RULE_PATH/scada.rules include $RULE_PATH/scan.rules include $RULE_PATH/shellcode.rules include $RULE_PATH/smtp.rules include $RULE_PATH/snmp.rules include $RULE_PATH/sql.rules include $RULE_PATH/telnet.rules include $RULE_PATH/tftp.rules include $RULE_PATH/virus.rules include $RULE_PATH/voip.rules include $RULE_PATH/web-activex.rules include $RULE_PATH/web-attacks.rules include $RULE_PATH/web-cgi.rules include $RULE_PATH/web-client.rules include $RULE_PATH/web-coldfusion.rules include $RULE_PATH/web-frontpage.rules include $RULE_PATH/web-iis.rules include $RULE_PATH/web-misc.rules include $RULE_PATH/web-php.rules include $RULE_PATH/x11.rules ```_

Artikel-Updates

```bash

PulledPork (rule management tool)

sudo apt install pulledpork

Configure PulledPork

sudo nano /etc/pulledpork/pulledpork.conf

Update rules

sudo pulledpork.pl -c /etc/pulledpork/pulledpork.conf

Manual rule download

wget https://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz tar -xzf emerging.rules.tar.gz -C /etc/snort/rules/

Oinkmaster (alternative rule management)

sudo apt install oinkmaster sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/snort/rules ```_

Leistung Tuning

Konfigurationsoptimierung

```bash

Stream5 tuning

preprocessor stream5_global: \ track_tcp yes, \ max_tcp 262144, \ max_udp 131072, \ max_active_responses 2, \ min_response_seconds 5

HTTP inspect tuning

preprocessor http_inspect_server: server default \ server_flow_depth 0 \ client_flow_depth 0 \ post_depth 65495 \ chunk_length 500000

Performance statistics

config profile_rules config profile_preprocs

Memory optimization

config detection: max_queue_events 5 config event_queue: max_queue 8 log 3 order_events content_length ```_

Systemoptimierung

```bash

Increase receive buffer

echo 'net.core.rmem_max = 134217728' >> /etc/sysctl.conf echo 'net.core.rmem_default = 134217728' >> /etc/sysctl.conf

Disable TCP offloading

ethtool -K eth0 gro off ethtool -K eth0 lro off ethtool -K eth0 tso off ethtool -K eth0 gso off

CPU affinity

taskset -c 0 snort -c /etc/snort/snort.conf -i eth0

Multiple Snort instances

snort -c /etc/snort/snort.conf -i eth0 --pid-path /var/run/snort1.pid & snort -c /etc/snort/snort.conf -i eth1 --pid-path /var/run/snort2.pid & ```_

Überwachung und Analyse

Analyse der Ergebnisse

```bash

Alert log locations

/var/log/snort/alert /var/log/snort/snort.log /var/log/snort/*.u2

View alerts

tail -f /var/log/snort/alert grep "SQL Injection" /var/log/snort/alert

Analyze unified2 logs with u2spewfoo

u2spewfoo /var/log/snort/snort.log.1234567890

Analyze with Barnyard2

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo

Statistics

snort --pcap-show snort --pcap-list ```_

Echtzeitüberwachung

```bash

Console alerts

snort -A console -q -c /etc/snort/snort.conf -i eth0

Syslog monitoring

tail -f /var/log/syslog|grep snort

Custom monitoring script

!/bin/bash

tail -f /var/log/snort/alert|while read line; do echo "$(date): $line" # Send notification or take action done ```_

Integration mit SIEM

```bash

Syslog configuration

output alert_syslog: LOG_AUTH LOG_ALERT

JSON output for ELK stack

output alert_json: /var/log/snort/alert.json

Database integration

output database: alert, mysql, user=snort password=password dbname=snort host=localhost sensor_name=sensor1

Splunk integration

Configure Splunk Universal Forwarder to monitor /var/log/snort/

```_

Erweiterte Funktionen

Inline-Modus (IPS)

```bash

Configure bridge interface

brctl addbr br0 brctl addif br0 eth0 brctl addif br0 eth1 ifconfig br0 up

Run Snort in inline mode

snort -Q --daq afpacket -i eth0:eth1 -c /etc/snort/snort.conf

IPS rules (drop instead of alert)

drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH Brute Force - Blocking"; flow:established,to_server; threshold:type threshold, track by_src, count 5, seconds 60; sid:2000001; rev:1;)

Reject rules

reject tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Malicious HTTP Request - Rejecting"; content:"../../../"; sid:2000002; rev:1;) ```_

Benutzerdefinierte Preprozessoren

```bash

Reputation preprocessor

preprocessor reputation: \ memcap 500, \ priority whitelist, \ nested_ip inner, \ whitelist $WHITE_LIST_PATH/white_list.rules, \ blacklist $BLACK_LIST_PATH/black_list.rules

File preprocessor

preprocessor file_inspect: \ type_id, \ signature, \ capture_memcap 100, \ capture_max_size 1048576, \ capture_min_size 0, \ capture_block_size 32768

SSL/TLS preprocessor

preprocessor ssl: \ ports \\{ 443 465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902 7903 7904 7905 \\}, \ trustservers, \ noinspect_encrypted ```_

Snort3 (Nächste Generation)

```bash

Install Snort3

git clone https://github.com/snort3/snort3.git cd snort3 ./configure_cmake.sh --prefix=/usr/local/snort cd build make -j$(nproc) sudo make install

Snort3 configuration (Lua-based)

/usr/local/snort/etc/snort/snort.lua

-- Basic configuration HOME_NET = '192.168.1.0/24' EXTERNAL_NET = '!192.168.1.0/24'

-- Stream configuration stream = \\{ tcp_cache = \\{ max_sessions = 262144, \\}, udp_cache = \\{ max_sessions = 131072, \\} \\}

-- HTTP inspection http_inspect = \\{ request_depth = 0, response_depth = 0, unzip = true, normalize_utf = true, \\}

-- Rule files ips = \\{ rules = [[ include /usr/local/snort/etc/rules/snort3-community.rules include /usr/local/snort/etc/rules/local.rules ]] \\} ```_

Fehlerbehebung

Gemeinsame Themen

```bash

Permission issues

sudo chown -R snort:snort /var/log/snort sudo chmod 755 /var/log/snort

Interface issues

sudo ifconfig eth0 promisc sudo ethtool -K eth0 gro off lro off

Configuration errors

snort -T -c /etc/snort/snort.conf

Rule syntax errors

snort -T -c /etc/snort/snort.conf 2>&1|grep "ERROR"

Performance issues

Check CPU usage

top -p $(pgrep snort)

Check memory usage

cat /proc/$(pgrep snort)/status|grep VmRSS

Check dropped packets

cat /proc/net/dev|grep eth0 ```_

Debugging

```bash

Debug mode

snort -v -d -e -i eth0

Packet capture for analysis

tcpdump -i eth0 -w debug.pcap snort -r debug.pcap -c /etc/snort/snort.conf

Rule debugging

snort -A console -q -c /etc/snort/snort.conf -r test.pcap

Performance profiling

snort --enable-inline-test -c /etc/snort/snort.conf -r test.pcap

Memory debugging

valgrind --tool=memcheck snort -c /etc/snort/snort.conf -r test.pcap ```_

Tools für die Analyse

```bash

Snorby (web-based analysis)

Ruby on Rails application for Snort log analysis

BASE (Basic Analysis and Security Engine)

PHP-based web interface for Snort

Sguil (Analyst Console)

Real-time network security monitoring

ELSA (Enterprise Log Search and Archive)

Centralized syslog framework

Custom analysis scripts

!/bin/bash

Top attackers

grep "$(date +%b %d)" /var/log/snort/alert|\ awk '\\{print $NF\\}'|sort|uniq -c|sort -nr|head -10

Top attacked ports

grep "$(date +%b %d)" /var/log/snort/alert|\ grep -o ":[0-9]*"|sort|uniq -c|sort -nr|head -10 ```_

Best Practices

Sicherheit Best Practices

```bash

Regular rule updates

Automated rule management with PulledPork

Custom rule development for environment-specific threats

Regular tuning to reduce false positives

Secure Snort installation

Run as non-root user

Restrict file permissions

Use dedicated monitoring network

Network segmentation

Deploy sensors at network boundaries

Monitor internal network segments

Implement network access controls

```_

Operationelle Best Practices

```bash

Monitoring and alerting

Set up log rotation

Implement alert correlation

Configure SIEM integration

Regular performance monitoring

Documentation

Document rule customizations

Maintain change logs

Document tuning decisions

Keep network diagrams updated

Testing and validation

Test rule changes in lab environment

Validate detection capabilities

Regular penetration testing

Performance benchmarking

```_

Beschäftigung Erwägungen

```bash

Capacity planning

Estimate traffic volumes

Plan for peak usage

Monitor resource utilization

Scale horizontally when needed

High availability

Deploy redundant sensors

Implement failover mechanisms

Regular backup procedures

Disaster recovery planning

Compliance

Meet regulatory requirements

Implement audit logging

Document security controls

Regular compliance assessments

```_

Ressourcen