Exploring the latest version of Snort
Improved Features
One of the problems that has plagued Snort is that, when it crashes, it can lose significant amounts of data. As a penetration tester, I've known for years that one of the first things you consider is how to crash a network's intrusion detection system. I'm not saying that Snort is now harder to crash, but Snort's crash handling has been improved so that it loses less data, or even no data at all, when it actually does crash. So, if Snort receives a SIGABRT (abort) signal or, worse, a SIGBUS (bus error) signal, it will lose less data.
Another important improvement is that Snort can now read and parse the SSL handshake during SMTP authentication sequences. SMTP is one of the most often-attacked protocols today, and Snort can identify whether an attacker is trying to manipulate the SSL session. Often, an attacker will try to insert part of the SSL sequence, which creates an out-of-order error that can cause some email servers to crash or, even worse, cause the authentication sequence to fail, with the result that the attacker gains control of the SMTP server. Snort can now identify this form of attack.
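To make the out-of-order condition concrete, here is an added example (my own code, not from the article or the Snort project) of a minimal SMTP STARTTLS state tracker that flags a TLS record arriving before the server has accepted STARTTLS, and a cleartext AUTH, over two constructed session transcripts.

```python
# Added example (not from the article or the Snort project): a minimal SMTP
# STARTTLS state tracker that flags TLS records arriving out of order, the
# anomaly the article describes. Both session transcripts are constructed.
TLS_HANDSHAKE = 0x16  # TLS record content type for handshake messages
def is_tls_record(data: bytes) -> bool:
    # a TLS record header rather than SMTP text: type 0x16, version 0x03xx
    return len(data) >= 3 and data[0] == TLS_HANDSHAKE and data[1] == 0x03
def check_smtp_session(events):
    """events: list of (side, bytes), side 'C' for client or 'S' for server.
    Returns anomaly strings; an empty list means the sequence was in order."""
    state = "plain"  # plain -> awaiting_220 -> starttls_ok -> tls
    anomalies = []
    for idx, (side, data) in enumerate(events):
        if state == "tls":
            break  # everything after the handshake is encrypted
        if is_tls_record(data):
            # a ClientHello is legitimate only right after the server's 220
            if side == "C" and state == "starttls_ok":
                state = "tls"
            else:
                anomalies.append(f"#{idx}: TLS record from {side} in state {state}")
            continue
        line = data.decode("ascii", "replace").strip()
        cmd = line.split(" ", 1)[0].upper()
        if side == "C":
            if cmd == "STARTTLS":
                if state != "plain":
                    anomalies.append(f"#{idx}: repeated STARTTLS in state {state}")
                state = "awaiting_220"
            elif state == "awaiting_220":
                anomalies.append(f"#{idx}: {cmd} sent while awaiting 220 Ready")
            elif cmd == "AUTH":
                anomalies.append(f"#{idx}: AUTH attempted over cleartext")
        elif state == "awaiting_220":
            # server answers STARTTLS: 220 means go ahead, anything else refuses
            state = "starttls_ok" if line.startswith("220") else "plain"
    return anomalies

GOOD_SESSION = [
    ("S", b"220 mail.example.test ESMTP\r\n"),
    ("C", b"EHLO client.example.test\r\n"),
    ("S", b"250-mail.example.test\r\n250 STARTTLS\r\n"),
    ("C", b"STARTTLS\r\n"),
    ("S", b"220 Ready to start TLS\r\n"),
    ("C", b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),  # fake ClientHello
]
BAD_SESSION = GOOD_SESSION[:3] + [
    ("C", b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),  # TLS before STARTTLS
    ("C", b"AUTH LOGIN\r\n"),  # credentials offered in the clear
]
```

Running `check_smtp_session(BAD_SESSION)` returns two anomalies (the premature TLS record and the cleartext AUTH), while the good session returns none.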
Third, Snort has improved SMTP, POP3, and IMAP features. These features include the ability to inspect the Multipurpose Internet Mail Extensions (MIME) protocol to identify whether an attacker is manipulating the protocol.
Up until this latest version, Snort would try to inject active responses for various types of traffic, including UDP and other connectionless protocols. The developers have now resolved this issue. Snort now only injects packets when it identifies anomalies associated with TCP.
Getting Snort Up and Sniffing?
Snort can operate in three separate modes:
- Packet Logging – Snort goes into promiscuous mode and logs each individual packet to disk. This mode is useful if you wish to do long-term analysis of packets captured over an extended period. If you're worried that someone or some entity is scanning your network devices, and you want to identify that pattern, this is the mode for you. Imagine being able to do a Hadoop-style analysis of packets to look for patterns over a period of months and see who is stealthily, slowly mapping your network.
- Sniffer – This simplest mode causes Snort to print the packets from your sensor right onto your screen. This mode is useful for setting up and troubleshooting your system, and for making sure Snort is working. It is also useful when creating or editing Snort rules, to help identify false positives and other potential problems.
- Intrusion Detection – The most common Snort mode, used for normal operations.
Following are some simple examples for putting Snort into each mode.
Running Snort at the command line in packet sniffing mode:
./snort -vde
Running Snort in packet logging mode:
./snort -dev -l /snort/logs/packetlog -h 10.49.50.0/8
Running Snort in intrusion detection mode:
./snort -dev -l ./log -h 10.49.50.0/8 -c snort.conf
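The packet-logging mode described above is meant to feed exactly the kind of long-term pattern analysis that reveals slow network mapping. As an added example (my own code, not from the article or Snort), the following script groups constructed packet-log records by source address and reports sources that touched many distinct targets spread over weeks, while leaving a normal client and a fast sweep (already the portscan preprocessor's job) unflagged.

```python
# Added example (not from the article or the Snort project): offline analysis of
# packet-log records to surface slow, stealthy network mapping, the use case the
# article gives for packet-logging mode. Records are constructed; a real run
# would load them from the directory passed to snort -l.
from collections import defaultdict
from datetime import datetime

# (timestamp, source IP, destination IP, destination port), constructed
RECORDS = [
    # one new internal host every week or two from the same outside address
    ("2024-01-03 02:11:09", "203.0.113.7", "10.49.50.12", 22),
    ("2024-01-14 03:02:44", "203.0.113.7", "10.49.50.13", 22),
    ("2024-01-27 01:55:10", "203.0.113.7", "10.49.50.14", 445),
    ("2024-02-08 04:20:31", "203.0.113.7", "10.49.50.15", 22),
    ("2024-02-19 02:47:58", "203.0.113.7", "10.49.50.16", 3389),
    ("2024-03-01 23:40:02", "203.0.113.7", "10.49.50.17", 22),
    # a normal client talking to one service for months: one target, long span
    ("2024-01-05 09:00:00", "10.49.50.200", "10.49.50.5", 443),
    ("2024-02-05 09:00:00", "10.49.50.200", "10.49.50.5", 443),
    ("2024-03-05 09:00:00", "10.49.50.200", "10.49.50.5", 443),
    # a fast sweep: many targets in seconds, which the portscan preprocessor
    # catches live, so it is not what this long-term pass is after
    ("2024-02-10 10:00:01", "198.51.100.9", "10.49.50.12", 80),
    ("2024-02-10 10:00:02", "198.51.100.9", "10.49.50.13", 80),
    ("2024-02-10 10:00:03", "198.51.100.9", "10.49.50.14", 80),
    ("2024-02-10 10:00:04", "198.51.100.9", "10.49.50.15", 80),
    ("2024-02-10 10:00:05", "198.51.100.9", "10.49.50.16", 80),
]

def find_slow_scanners(records, min_targets=5, min_span_days=14):
    """Return {src: (distinct_targets, span_days)} for sources that touched at
    least min_targets distinct (dst, port) pairs spread over min_span_days."""
    targets = defaultdict(set)
    first, last = {}, {}
    for ts, src, dst, dport in records:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        targets[src].add((dst, dport))
        first[src] = min(first.get(src, when), when)
        last[src] = max(last.get(src, when), when)
    found = {}
    for src, tset in targets.items():
        span_days = (last[src] - first[src]).days
        if len(tset) >= min_targets and span_days >= min_span_days:
            found[src] = (len(tset), span_days)
    return found

if __name__ == "__main__":
    for src, (n, days) in find_slow_scanners(RECORDS).items():
        print(f"{src}: {n} distinct targets over {days} days")
```

With the defaults only 203.0.113.7 is reported (6 distinct targets over 58 days); lowering min_span_days to 0 also surfaces the fast sweep, which shows why the time-span threshold is what separates this pass from live portscan detection.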
Installing Foundational Libraries
Before you get going with configuring Snort, you first need to install some foundational libraries and applications. It is particularly important to set up these prerequisite components if you install Snort from source.
First, you will need both Flex and Bison, which you can install using RPM, apt-get, or whatever package installation tool your system prefers.
You will also need Libdnet, which provides necessary support for packet capture. As with Snort and DAQ, I prefer using tarballs rather than pre-built packages. If your Linux system doesn't have the proper version of Libdnet installed, you can obtain it from several resources [3] [4].