What is SNORT? And Snort Rules 🐷

Hatice Zehra Kamanlı
3 min read · Feb 20, 2024

SNORT is an open-source, rule-based Network Intrusion Detection and Prevention System.

Capabilities of Snort: live traffic analysis, attack and probe detection, packet logging, protocol analysis, real-time alerting, modules and plugins, pre-processors, and cross-platform support (Linux and Windows).

Snort has three main use modes:

  • Sniffer Mode: read IP packets and print them to the console.
  • Packet Logger Mode: log all IP packets (inbound and outbound) that traverse the network.
  • NIDS (Network Intrusion Detection System) and NIPS (Network Intrusion Prevention System) Modes: log/drop the packets that are deemed malicious according to the user-defined rules.

- Generating Alerts

Snort provides a few different "alert mode" options that can be set on the command line to tweak the way alerts are displayed. Below are several different 'alert' modules:

The alert_talos is another useful mode that displays alerts in a format that is simple and easy-to-understand.

$ snort -c $my_path/lua/snort.lua -q -r get.pcap -R local.rules -A alert_talos

- Testing Rules

To protect networks, it's also important to make sure that our rules are blocking attacks appropriately, and the dump DAQ enables us to do just that.

Specifying the -Q option to enable inline mode and then setting --daq to dump will "dump" the traffic that would have been passed through, emulating real inline operation without touching a live interface.

$ snort3 -Q --daq dump -q -r get.pcap -R local.rules

Snort Rule Structure

Snort rules consist of two main sections:

The rule header defines the action to take upon any matching traffic, as well as the protocols, network addresses, port numbers, and direction of traffic that the rule should apply to.

The rule option section defines the message associated with a given rule, and most importantly the payload and non-payload criteria that need to be met in order for a rule to match.

The action defined in a given Snort rule's header is not taken unless all of the rule's individual options evaluate to true.

Rule Header

The rule header consists of five main components:

  • The rule action tells Snort what to do when a rule "fires" (alert)
  • The protocol tells Snort which protocol applies (tcp)
  • IP addresses tell Snort which networks to evaluate the rule against ($EXTERNAL_NET and $HOME_NET)
  • Ports tell Snort which ports to evaluate the rule against (80 and any)
  • The direction operator tells Snort which traffic direction to look for (->)

The values in parentheses are the example used to highlight what these five parts are.

For more header samples, see https://docs.snort.org/rules/headers/actions

General Rule Options

General rule options provide information about a rule, but they do not change at all what a given rule looks for in a packet.

  • msg sets the message to be printed out when a rule matches
  • reference is used to provide additional context to rules in the form of links to relevant attack identification systems
  • gid identifies the specific Snort component that generates a given event
  • sid identifies the unique signature number assigned to a given Snort rule
  • rev identifies the particular revision number of a given Snort rule
  • classtype assigns a classification to the rule to indicate the type of attack associated with an event
  • priority sets a severity level for appropriate event prioritizing
  • metadata adds additional and arbitrary information to a rule in the form of name-value pairs
  • service sets the list of services to be associated with a given rule
  • rem is used to convey an arbitrary comment in the rule body
  • file_meta is used to set the file metadata for a given file identification rule
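To make the header and general-option structure concrete, here is an added Python example (not code from the post or from the Snort project) that splits a single-line rule into the five header components and its option list, separates the general options listed above from the detection criteria, and reports the omissions a practitioner checks before loading a local rule. The sample rule, the function names, and the sid threshold (Snort reserves sids of 1,000,000 and above for local rules) are assumptions made for the example.

```python
import re

# Constructed sample rule (not from the post); it uses all five header
# components and several of the general options described above.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"Example HTTP GET to internal web server"; '
    'flow:to_server,established; content:"GET"; '
    'reference:url,docs.snort.org/rules; '
    'classtype:web-application-activity; priority:3; '
    'sid:1000001; rev:2; metadata:author example, created 2024_02_20;)'
)

# Rule header: action, protocol, source, source port, direction, destination,
# destination port, followed by the parenthesised option section.
HEADER_RE = re.compile(
    r'^\s*(?P<action>alert|block|drop|log|pass|react|reject|rewrite)\s+'
    r'(?P<protocol>ip|icmp|tcp|udp)\s+'
    r'(?P<src>\S+)\s+(?P<src_port>\S+)\s+'
    r'(?P<direction><>|->)\s+'
    r'(?P<dst>\S+)\s+(?P<dst_port>\S+)\s*'
    r'\((?P<options>.*)\)\s*$', re.S)

# The general options from the list above; everything else is treated as a
# payload or non-payload detection criterion.
GENERAL_OPTIONS = {"msg", "reference", "gid", "sid", "rev", "classtype",
                   "priority", "metadata", "service", "rem", "file_meta"}

def split_options(body):
    """Split the option body on ';' while ignoring semicolons inside quotes."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == '\\' and in_quote and i + 1 < len(body):
            cur.append(body[i:i + 2]); i += 2; continue   # keep escaped char
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(''.join(cur).strip()); cur = []
        else:
            cur.append(ch)
        i += 1
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]

def parse_rule(text):
    """Return {'header': {...five components...}, 'options': [(name, value), ...]}."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a valid single-line Snort rule")
    header = {k: m.group(k) for k in
              ("action", "protocol", "src", "src_port", "direction", "dst", "dst_port")}
    options = []
    for opt in split_options(m.group("options")):
        name, _, value = opt.partition(':')
        name, value = name.strip(), value.strip()
        if name == "msg":
            value = value.strip('"')
        options.append((name, value))
    return {"header": header, "options": options}

def general_options(rule):
    return {n: v for n, v in rule["options"] if n in GENERAL_OPTIONS}

def detection_options(rule):
    return [(n, v) for n, v in rule["options"] if n not in GENERAL_OPTIONS]

def check_rule(rule):
    """List the problems to fix before loading the rule into local.rules."""
    problems = []
    gen = general_options(rule)
    for required in ("msg", "sid", "rev"):
        if required not in gen:
            problems.append("missing " + required)
    if "sid" in gen and int(gen["sid"]) < 1000000:
        problems.append("sid below 1000000 (local rules should use 1000000+)")
    if not detection_options(rule):
        problems.append("no detection criteria: rule fires on every packet the header selects")
    return problems

if __name__ == "__main__":
    rule = parse_rule(SAMPLE_RULE)
    print(rule["header"])
    print("general:", general_options(rule))
    print("detection:", detection_options(rule))
    print("problems:", check_rule(rule))
```

The split on semicolons is quote-aware because `msg` strings and `content` matches may legitimately contain `;`. The header regex accepts only the action keywords and the two direction operators, so a typo in either part fails fast instead of producing a rule that silently never matches.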

Thank you for reading. Have a nice day.
