June 2004

Sniff with Snort

Be pig-headed when protecting your network against malicious attacks

Step 1. Install WinPcap
Because Snort is essentially a promiscuous-mode network sniffer, it needs a driver that can hand it raw frames from the network interface. On Windows, WinPcap provides that support. Loris Degioanni created WinPcap as a port of libpcap, the packet-capture library commonly used in the UNIX world. WinPcap consists of a kernel-level packet filter driver, a low-level DLL (packet.dll), and a high-level, system-independent library (wpcap.dll, based on libpcap 0.6.2).

WinPcap, which is available for download at http://winpcap.polito.it, supports Windows Server 2003, XP, Win2K, Windows NT, Windows Me, and Windows 9x. WinPcap is also the capture driver used by Ethereal, an open-source packet sniffer available at http://www.ethereal.com. You might find Ethereal useful when you're testing your Snort setup, because it lets you confirm that the test traffic actually reached the interface Snort is listening on.

After you've downloaded the WinPcap installer, simply walk through the few installation screens it provides you. The most involved screen you'll see is the one in which you must agree to the license agreement.

Step 2. Install Snort
The next step is to install Snort. You can find the latest version at the CodeCraft Consultants Web site (http://www.codecraftconsultants.com/snort.aspx) or the Snort.org Web site (http://www.snort.org). I recommend that you download Snort from CodeCraft Consultants because that Web site provides a self-installing executable. The installation program even walks you through the basic setup of Snort on your system. For this article, I used Snort 2.1.1, build 18, which was the most current version at the time. Since that time, later versions have been released.

When you run the installation program, the first dialog box in which you need to make a selection is Installation Options, which lets you configure the database to log to. If you intend to use a MySQL or ODBC-compliant database, you can leave the default selection, which Figure 1 shows. However, if you intend to log to a Microsoft SQL Server or Oracle database, you need to select the appropriate option and make sure you have the requisite client software installed on your system. For the purposes of this article, let's stick with the default selection.

Next, you need to choose the Snort components you want to install. The default selections, which Figure 2 shows, are fine, so I recommend that you leave those components selected and click Next. In the Choose Install Location dialog box, you must specify the directory in which you want to install Snort. After you enter the directory, you just need to click Next to finish the installation process.

Step 3. Test the Snort Installation
After the installation process completes, you need to test Snort to see whether it's working. At a minimum, the Snort executable needs two pieces of information to run: where to write its logs and where to find the configuration file (i.e., snort.conf). You provide this information when you launch Snort from the command line by using the -l and -c switches, respectively. For example, the Snort command

snort -l F:\snort\log
  -c F:\snort\etc\snort.conf
  -A console

tells Snort that it should write its logs to the F:\snort\log directory and that it can find snort.conf in the F:\snort\etc directory. The -A switch tells Snort how to handle the alerts that it generates. In this instance, you're telling Snort to display the alerts on the console screen so that you can determine whether Snort is working properly. Note that, although this command appears on several lines here, you would enter it on one line in the command-shell window. (The same holds true for the other multiline commands in this article.) Also note that many of the Snort command-line switches are case sensitive, so you need to enter the switches exactly as they appear here.

If you have multiple network interfaces on your system, Snort listens by default on the first one it finds, which on a multihomed sensor might not be the one that carries the traffic you want to watch. If you're uncertain about the order of your network interfaces, you can execute the Snort command with just the -W switch. Snort will then list the names and numbers of the network interfaces in the order in which it finds them. To instruct Snort to use a specific network interface, add the -i switch followed by the interface number to the command that launches Snort. After you execute Snort, you should see a screen similar to the one that Figure 3 shows.

Assuming Snort is running, you can throw some interesting traffic past the network intrusion detection system (NIDS) to test the Snort sensor. One of the easiest ways to intentionally trip an alert is to request the command interpreter (cmd.exe) on a remote Web server as part of an HTTP URL, a common element of the Code Red and Nimda attacks. You can simulate this part of the attack by requesting any URL with /cmd.exe appended to it. For example, browsing to http://www.a-website-that-I-can-trust.com/cmd.exe should cause your Snort sensor to log alerts in the command-shell window, as the first three alerts in Figure 4 show. These alerts also appear in F:\snort\log.

Please be careful about the Web sites you target with this test. Technically, most Web site administrators would consider this type of activity a hacking attempt. Although that approach shouldn't be exploitable (unless the server is horribly misconfigured), I recommend running this test only against your own server or a server that you can trust and whose administrators are aware that you'll be doing this type of test.

If this test doesn't work or isn't an option, another way you can test your Snort installation is to send an abnormally large ping request to a server across your network or to the computer on which you're running Snort. For example, you might execute the Ping command

ping -l 32767 ip_address

where ip_address is the IP address of the server or Snort computer you're targeting. This command sends an abnormally large ping, with 32,767 bytes of payload (just under 32KB), which the IP stack fragments into many packets and which is definitely not routine behavior for the Ping command. Snort should pick up this packet activity, as the bottom eight alerts in Figure 4 show.

If you're seeing such alerts, you can start tuning Snort for your specific environment. If not, you need to go back and check your installation to see whether you've missed a step.
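Rather than eyeballing the console for the alerts that the two tests above should produce, you can script the check. The script below is an added example written for this article, not part of the original text or of the Snort distribution. It parses the one-line alert format that Snort 2.x prints with -A console (the same format -A fast writes to the alert file in the log directory), counts alerts per signature and per source address, and reports whether both smoke tests fired. The sample alert lines embedded in it are constructed: the timestamps and addresses are made up, and the signature IDs and messages follow the classic Snort rule set only as illustrative input. The file name check_alerts.py in the usage note is likewise an assumption.

```python
import re
from collections import Counter, namedtuple

# Constructed sample of the one-line alerts Snort 2.x prints with "-A console".
# Timestamps and addresses are made up; the signature IDs and messages follow the
# classic Snort rule set (SID 1002 "WEB-IIS cmd.exe access", SID 499 "ICMP Large
# ICMP Packet") but serve only as illustrative input. The trailing statistics
# line shows that non-alert output shares the same stream and must be skipped.
SAMPLE_ALERTS = """\
06/15-14:02:11.120334  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.20:1573 -> 192.168.1.10:80
06/15-14:02:11.120961  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.20:1574 -> 192.168.1.10:80
06/15-14:02:11.121502  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.20:1575 -> 192.168.1.10:80
06/15-14:05:42.001200  [**] [1:499:3] ICMP Large ICMP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 192.168.1.20 -> 192.168.1.10
06/15-14:05:42.001310  [**] [1:499:3] ICMP Large ICMP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 192.168.1.10 -> 192.168.1.20
Snort analyzed 1234 out of 1234 packets, dropping 0(0.000%) packets
"""

Alert = namedtuple("Alert", "ts gid sid rev msg cls prio proto src sport dst dport")

# One alert per line: timestamp, [**] [gid:sid:rev] message [**], optional
# classification, priority, {PROTO}, then "src[:port] -> dst[:port]" (IPv4).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+?)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+?)(?::(?P<dport>\d+))?\s*$"
)


def parse_alerts(lines):
    """Parse console/fast-format alert lines; skip banner and statistics lines."""
    alerts = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        alerts.append(Alert(
            ts=d["ts"], gid=int(d["gid"]), sid=int(d["sid"]), rev=int(d["rev"]),
            msg=d["msg"], cls=d["cls"], prio=int(d["prio"]), proto=d["proto"],
            src=d["src"], sport=int(d["sport"]) if d["sport"] else None,
            dst=d["dst"], dport=int(d["dport"]) if d["dport"] else None,
        ))
    return alerts


def count_by_signature(alerts):
    """How many times each (sid, message) pair fired."""
    return Counter((a.sid, a.msg) for a in alerts)


def count_by_source(alerts):
    """Alerts per source address, useful for spotting a noisy host when tuning."""
    return Counter(a.src for a in alerts)


# The two smoke tests from the article: the /cmd.exe request should trip an IIS
# cmd.exe rule over TCP, the oversized ping a large-ICMP rule. Matching on the
# message text rather than a hard-coded SID keeps the check valid across rule
# set versions.
EXPECTED_TEST_SIGNATURES = {
    "cmd.exe": lambda a: a.proto == "TCP" and "cmd.exe" in a.msg.lower(),
    "large ICMP": lambda a: a.proto == "ICMP" and "large" in a.msg.lower(),
}


def sensor_checks(alerts):
    """Return {test_name: number of matching alerts} so a silent test stands out."""
    return {name: sum(1 for a in alerts if pred(a))
            for name, pred in EXPECTED_TEST_SIGNATURES.items()}


def sensor_ok(alerts):
    """True only if every smoke test produced at least one alert."""
    return all(n > 0 for n in sensor_checks(alerts).values())


def main(path=None):
    """Summarize a captured console file (or the built-in sample) and return sensor_ok."""
    if path:
        with open(path, encoding="utf-8", errors="replace") as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE_ALERTS.splitlines()
    alerts = parse_alerts(lines)
    print(f"{len(alerts)} alerts parsed")
    for (sid, msg), n in count_by_signature(alerts).most_common():
        print(f"  {n:4d}  [sid {sid}] {msg}")
    for src, n in count_by_source(alerts).most_common(5):
        print(f"  {n:4d}  from {src}")
    for name, n in sensor_checks(alerts).items():
        print(f"  {name:10s} test: {'OK' if n else 'NO ALERT'} ({n})")
    return sensor_ok(alerts)


if __name__ == "__main__":
    import sys
    sys.exit(0 if main(sys.argv[1] if len(sys.argv) > 1 else None) else 1)
```

Run Snort with its console output redirected to a file (for example, append "> F:\snort\log\console.txt" to the snort command), run the two tests, stop Snort, and then run "python check_alerts.py F:\snort\log\console.txt". A nonzero exit status means at least one of the tests produced no alert, which points back to a missed step in the installation or to Snort listening on the wrong interface.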



Windows IT Pro is a Division of Penton Media Inc. © 2009 Penton Media, Inc.