Thursday, May 6, 2010

Configuring and using SNORT (IDS)

Disclaimer: This tutorials is just an assistance to get a start with snort, in no case I will be held responsible for anything happening to anyones' system.

SNORT is and Intrusion Detection System (IDS). We are given a problem statement as
"Study, Install and Configure any Intrusion Detection System (IDS)" in our lab manual.
I have just played with Snort for about 4 hours and now I am able to detect network traffic from internet to my computer and able to raise alert as specified in the rule file.

I wont talk much about anything else now, we will just begin with the tutorial for configuring snort and writing a very basic 'rule file' for snort.

1)I assume that all of you have snort installed on our systems.(if not just type 'sudo apt-get install snort'). first of all I will teach you how to write a rule file for detecting a specific type of intrusion from a certain host.

1.1create a plain document named 'rule' at the path /home/your_username
e.g. /home/jayz/rule

1.2 Now I will explain you the syntax of writing a rule file.
rule_header (rule_options)
e.g alert tcp any any -> any (msg:"JaysComp anyTCP intrusion detected ...!!";sid:1000984;)
A. rule_header consists of following fields

(rule action) (protocol) (src address & port)->(destination address & port)

  • rule action= this is an 'alert' that is raised when some intrusion occurs
  • protocol= this may be tcp, udp, icmp, vlan etc. I have used tcp for pinging GOOGLE.
  • src address and port= address and port number of intruder. you can take this value to be 'any any'
  • dest address & port=this is usually your address. I have used my LAN address( you can take this value to be 'any any'
B.rule_options consists of following pattern
keyword:argument; keyword:argument; ...

The keywords that I have used in my rule file are msg and sid.

e.g. msg:"Hey Intrusion detected"
sid:1000983 (I think this can be anything but I am not sure.)

2) Now we are ready to run snort and detect tcp intrusion on any of our port from internet.

open a terminal and type
'sudo snort -d -h -N -c /home/jayz/rule -i eth0'


sudo= super user previledges.
snort= command to run snort
-d= Dump the Appication layer
-h= home network address
-N=Turn off logging (alerts still work)
-c=Use Rules File at this location
-i= Monitor the given network interface

for most wired connections the value for -i=eth0 for rest it may change.
When you run this command, you will see an output like this

now open up the web browser and
just surf for few seconds.
Now again switch back to your
terminal and press 'Ctrl+C'
Now the terminal looks pretty mcuh like this

Now just open the path /var/log/snort

here you will find an 'alert file'

To this alert file all the alerts, as specified
in the 'rule file' are logged.

Now you can play with Snort to try out
different protocols' and hosts' intrusion
into your system.

May be there are some spelling mistakes here but just ignore them.


  1. for in case you want to detect intrusion from
    1. loopback
    2. your own computer(in case you ping!

    try this command in the terminal without the quotes
    "sudo snort -d -h -N -c /home/jayz/rule -i lo"

  2. My problem is the msg and sid is not displayed on the screen when I ping.
    What to do now??
    can we themselves create the rules for snort?

    Please reply me soon, i'll be very much thankful to you.



Related Posts Plugin for WordPress, Blogger...

Share This

Share |