Exploring the latest version of Snort
Improved Features
One of the problems that has plagued Snort is that, when it crashes, it can lose significant amounts of data. As a penetration tester, I've known for years that one of the first things you consider is how to crash a network's intrusion detection system. I'm not saying that Snort is now harder to crash, but Snort now has enhanced programming that allows it to lose less data – or even no data at all – when it actually does crash. So, if Snort receives a SIGABRT (abort) or, worse, a SIGBUS (bus error) signal, it will lose less data.
Another important improvement is that Snort can now read and parse the SSL/TLS handshake that follows the STARTTLS command in an SMTP authentication sequence. SMTP is one of the most frequently attacked protocols, and Snort can now identify whether an attacker is trying to manipulate the SSL session. Many times, an attacker will try to inject part of the SSL handshake out of sequence; the resulting out-of-order error can crash some email servers or, even worse, cause the authentication sequence to fail, leaving the attacker in control of the SMTP server. Snort can now identify this form of attack.
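The STARTTLS exchange described above, as an added Python example that is not Snort's own code: a small tracker follows the SMTP session through the states cleartext, STARTTLS sent, TLS expected and encrypted, and raises an alert when a TLS ClientHello shows up before the server has accepted STARTTLS, or when cleartext shows up where the handshake should be. The four sessions, the truncated ClientHello bytes and the alert strings are constructed for this example; the state names and the inspect() function are this example's own design, not the logic of Snort's SMTP preprocessor.

```python
"""Added example, not Snort's own code: a minimal tracker for the SMTP STARTTLS
exchange that flags TLS handshake bytes arriving out of sequence."""

from dataclasses import dataclass, field


def is_client_hello(data: bytes) -> bool:
    """A TLS record begins with content type 0x16 (handshake), version 0x03 0x0X
    and two length bytes; byte 5 is the handshake type, 0x01 for ClientHello."""
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01)


@dataclass
class SmtpStartTlsTracker:
    # cleartext -> starttls_sent -> tls_expected -> encrypted
    state: str = "cleartext"
    alerts: list = field(default_factory=list)

    def client(self, data: bytes) -> None:
        if self.state == "encrypted":
            return                                  # TLS is up; nothing left to inspect here
        if self.state == "tls_expected":
            if is_client_hello(data):
                self.state = "encrypted"            # handshake starts where it should
            else:
                self.alerts.append("non-TLS data after STARTTLS was accepted")
                self.state = "cleartext"
            return
        if is_client_hello(data):                   # handshake injected too early
            self.alerts.append(f"TLS handshake before STARTTLS accepted (state={self.state})")
            return
        if self.state == "starttls_sent":           # client must wait for the server's reply
            self.alerts.append("client sent data before the server answered STARTTLS")
            return
        if data.strip().upper() == b"STARTTLS":
            self.state = "starttls_sent"

    def server(self, data: bytes) -> None:
        if self.state == "starttls_sent":
            # 220 means the server will start TLS; any other reply keeps the session in cleartext
            self.state = "tls_expected" if data.startswith(b"220") else "cleartext"


def inspect(session):
    """session: list of (direction, bytes) with direction "C" or "S"; returns the alerts."""
    tracker = SmtpStartTlsTracker()
    for direction, data in session:
        (tracker.client if direction == "C" else tracker.server)(data)
    return tracker.alerts


# Constructed, truncated ClientHello: record header + handshake type 0x01 + version.
CLIENT_HELLO = bytes.fromhex("1603010005010000010303")

GREETING = [
    ("S", b"220 mail.example.test ESMTP\r\n"),
    ("C", b"EHLO client.example.test\r\n"),
    ("S", b"250-mail.example.test\r\n250 STARTTLS\r\n"),
]
NORMAL = GREETING + [
    ("C", b"STARTTLS\r\n"),
    ("S", b"220 Ready to start TLS\r\n"),
    ("C", CLIENT_HELLO),
]
EARLY_TLS = GREETING + [
    ("C", CLIENT_HELLO),                            # handshake before STARTTLS was even sent
]
PLAIN_AFTER_220 = GREETING + [
    ("C", b"STARTTLS\r\n"),
    ("S", b"220 Go ahead\r\n"),
    ("C", b"AUTH PLAIN AGFsaWNlAHNlY3JldA==\r\n"),  # cleartext where a ClientHello belongs
]
REFUSED = GREETING + [
    ("C", b"STARTTLS\r\n"),
    ("S", b"454 TLS not available\r\n"),
    ("C", b"MAIL FROM:<alice@example.test>\r\n"),  # legitimate fallback, no alert
]

if __name__ == "__main__":
    for name, session in [("normal", NORMAL), ("early_tls", EARLY_TLS),
                          ("plain_after_220", PLAIN_AFTER_220), ("refused", REFUSED)]:
        print(f"{name:16} -> {inspect(session)}")
```

The refused session is included on purpose: a server that declines STARTTLS with a 4xx/5xx reply and a client that carries on in cleartext is legitimate, so the tracker returns to the cleartext state without alerting.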
Third, Snort's SMTP, POP3, and IMAP preprocessors have been improved. They can now decode Multipurpose Internet Mail Extensions (MIME) message bodies and attachments (base64, quoted-printable, and similar transfer encodings) and inspect the decoded content, so rules match on the real bytes and Snort can identify whether an attacker is manipulating the encoding or hiding a payload behind it.
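To show why decoding MIME matters, here is an added Python example (not Snort's code) that parses a constructed multipart message with the standard library, decodes each part, and matches executable magic bytes against the decoded content. The depth parameter is modelled on the decode-depth idea of Snort's mail preprocessors (negative for unlimited, 0 for no decoding, a positive number for a byte budget); the message, the SIGNATURES table and the scan() function are this example's own.

```python
"""Added example, not Snort's own code: decode MIME parts before matching
signatures, modelled on the decode-depth idea of Snort's mail preprocessors."""

import base64
from email import message_from_bytes

# Magic bytes to look for once a part has been decoded (constructed table).
SIGNATURES = {
    "PE executable (MZ header)": b"MZ",
    "ELF executable": b"\x7fELF",
}


def decoded_parts(raw: bytes, depth: int):
    """Yield (name, data) for every leaf MIME part of a raw message.

    depth < 0: decode the whole part; depth == 0: do not decode, hand back the
    transfer-encoded text as it appears on the wire; depth > 0: decode and keep
    only the first `depth` bytes (an approximation of a decode byte budget)."""
    msg = message_from_bytes(raw)
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or part.get_content_type()
        if depth == 0:
            data = part.get_payload(decode=False).encode("utf-8", "replace")
        else:
            data = part.get_payload(decode=True) or b""   # handles base64, QP, 7/8bit
            if depth > 0:
                data = data[:depth]
        yield name, data


def scan(raw: bytes, depth: int):
    """Return [(part_name, signature_name)] for each part that starts with a known magic."""
    return [(name, sig) for name, data in decoded_parts(raw, depth)
            for sig, magic in SIGNATURES.items() if data.startswith(magic)]


# Constructed sample: a quoted-printable text part plus a base64 attachment
# whose decoded bytes begin with a fake PE header.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 12
RAW_MESSAGE = (
    b"From: alice@example.test\r\n"
    b"To: bob@example.test\r\n"
    b"Subject: invoice\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
    b"\r\n"
    b"--XYZ\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"Please open the attached invoice =E2=80=93 thanks\r\n"
    b"--XYZ\r\n"
    b'Content-Type: application/octet-stream; name="invoice.pdf.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="invoice.pdf.exe"\r\n'
    b"\r\n" + base64.b64encode(FAKE_PE) + b"\r\n"
    b"--XYZ--\r\n"
)

if __name__ == "__main__":
    for depth in (0, 1, 2, -1):
        print(f"decode depth {depth:>2}: {scan(RAW_MESSAGE, depth)}")
```

With depth 0 the base64 text (TVqQ...) is all the matcher sees and the MZ signature never fires; once the attachment is decoded, the same message matches. A budget of one byte also misses it, which is the practical reason decode depths should be generous enough to cover the file headers you care about.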
Until this latest version, Snort would try to inject active responses (such as TCP resets) for various types of traffic, including UDP and other connectionless protocols, where a reset has no meaning. The developers have now resolved this issue: Snort only injects packets when it identifies anomalies in TCP sessions.
Getting Snort Up and Sniffing
Snort can operate in three separate modes:
- Packet Logging – Snort puts the interface into promiscuous mode and logs each packet to disk. This mode is useful for long-term analysis of captured traffic. If you're worried that someone or some entity is slowly scanning your network devices, and you want to identify that pattern, this is the mode for you. Imagine being able to do a Hadoop-style analysis of packets to look for patterns over a period of months and see who is stealthily, slowly mapping your network.
- Sniffer – The simplest mode: Snort prints the packets from your sensor straight to the screen. This mode is useful for setting up and troubleshooting your system and for making sure Snort is working. It is also useful when creating or editing Snort rules, to help identify false positives and other potential problems.
- Intrusion Detection – The most common mode, used for normal operations: Snort matches traffic against its rule set and generates alerts.
Following are some simple examples for putting Snort into each mode. In these commands, -v prints packets to the console, -d dumps application-layer data, -e shows link-layer headers, -l sets the log directory, -h defines the home network, and -c points Snort at its configuration file.
Running Snort at the command line in packet sniffing mode:
./snort -vde
Running Snort in packet logging mode:
./snort -dev -l /snort/logs/packetlog -h 10.49.50.0/8
Running Snort in intrusion detection mode:
./snort -dev -l ./log -h 10.49.50.0/8 -c snort.conf
Installing Foundational Libraries
Before you get going with configuring Snort, you first need to install some foundational libraries and applications. Setting up these prerequisites is particularly important if you install Snort from source.
First, you will need both Flex and Bison, which you can install using RPM, apt-get, or whatever package installation tool your system prefers.
You will also need Libdnet, a low-level networking library that Snort and DAQ use for packet injection (packet capture itself comes from libpcap). As with Snort and DAQ, I prefer using tarballs rather than pre-created packages. If your Linux system doesn't have the proper version of Libdnet installed, you can obtain it from several resources [3] [4].