SNORT Cheat sheet

Snort has three modes of operation: Sniffer Mode Sniffs all packets and dumps them to stdout. o v (verbose): tells snort to dump output to the screen. o d : dumps packet payload (application data) o x: dumps entire packet in Hex (Including frame headers) o e: display link layer data EX: snort -dve Packet Logger Mode - This mode is used to output file to a log file. These are used to read aback through snort using the r switch o l (log directory): log to a directory in tcpdump (binary) format o k (ASCII): Dump packets in ASCII o h Home subnet (/ notation) EX: snort v l /var/log/snort/ -h 10.0.1.0/24 snort v k ascii -l /var/log/snort To read that saved packet: The stuff after the logfile name are Berkly Packet Filter(BPF) statements. These are similar to tcpdump filters. Snort dve r /var/log/snort [tcp|udp|icmp] Snort dve r /var/log/snort host NDIS Mode This mode processes the config file and applies snort rules to the collected traffic. o c : path to the configuration file o T : Test the configuration and rules. NOTE: ALWAYS test first whenever you have altered the config file or modified the rules files in any way. EX: snort Tc /etc/snort/snort.conf snort c /etc/snort/snort.conf

Default output: **** NOTE: The directory that snort wants to use if running chrooted is /var/snort/log. It is best practice to specify this output directory. EX: snort c /etc/snort/snort.conf l /var/snort/log/ Creates an alert file in /var/log/snort/ by default. This can be viewed using less, cat, tail, etc Creates a snort.log.<timestamp> file in /var/log/snort by default. This can be viewed using tcpdump n r /var/log/snort/snort.log.<timestamp>

===============================================================

Snort Rules:
There are two parts to a Rule: Rule Header (required) 1. NOTE: The rule header MUST match the traffic for the Options part of the rule to ever be tested. If the header does not find a match the Options part of the rule is never used. Rule Options (Not required)

Rule Header:
Format: Alert tcp !192.168.100.0/24 any 192.168.100.0/24 any The Header is used to identify Action (What to do if rule is matched) Protocol Source/Destination IP's Source/Destination Port's Direction of the flow

Action:
alert - generate an alert using the selected alert method, and then log the packet (in the unified snort.alert)

log - log the packet (This writes pcap format of the traffic that caused the alert) pass - ignore the packet

activate - alert and then turn on another dynamic rule

dynamic - remain idle until activated by an activate rule , then act as a log rule drop (inline mode) - make iptables drop the packet and log the packet reject (inline mode) - make iptables drop the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP. sdrop (inline mode) - make iptables drop the packet but do not log it.

Protocol:

TCP UDP ICMP IP

Source/Destination IP's:

Indicate subnet mask to apply using CIDR notation x.x.x.x/24 Use the 'any' keyword to match any address use the logical not operator '!' to match all addresses but the one you enter.(Note: do not use this with the 'any' key word ;)~ ) Don't forget your snort.config variables! $HOME_NET $EXTERNAL_NET $DNS_SERVERS $SMTP_SERVERS $HTTP_SERVERS $SQL_SERVERS $TELNET_SERVERS $SNMP_SERVERS You can also add your own variables to snort.conf EX: ipvar MY_IP_ADDRESSES NOTE: the use of the 'var' keyword is deprecated, use 'ipvar'. DO NOT USE FQDN's, there is no DNS lookup available.

Source/Destination Port numbers:

Use the 'any' keyword to match any ports

Don't forget your snort.config variables! $HTTP_PORTS $SHELLCODE_PORTS $ORACLE_PORTS You can also add your own variables to snort.conf EX: portvar MY_PORTS [5000,6000:7000] use the logical not operator '!' to match all ports but the one you enter.(Note: do not use this with the 'any' key word ;)~ ) EX: Single port 80 All ports any All ports except 21 !21 Range of ports (port 1 threw port 1024) 1:1024 Ports less than or equal to 6000 :6000 Ports greater than or equal to 500 500:

Direction of the flow:

Coming from source going to destination -> Traveling in either direction <> NOTE: There is no < - operator!!!! <-

Rule Options:
Rule options are driven by detection plugins Enclosed in parenthesis: ( ) Keyword:Value pairs Each packet attribute is separated by a semicolon (;) NOTE: this semicolon needs to be included even at the end of the options string. EX: (keyword:value;) There are Four categories of rule options: General Payload Non-Payload Post Detection

1. General - These options provide information about the rule but do not have any affect during detection
Keyword Description

The msg keyword tells the logging and alerting engine the message to print with the packet dump or alert. reference The reference keyword allows rules to include references to external attack identification systems. The gid keyword (generator id) is used to identify what part of Snort gid generates the event when a particular rule fires. The sid keyword is used to uniquely identify Snort rules. sid The rev keyword is used to uniquely identify revisions of Snort rules. rev classtype The classtype keyword is used to categorize a rule as detecting an attack that is part of a more general type of attack class. The priority keyword assigns a severity level to rules. priority metadata The metadata keyword allows a rule writer to embed additional information about the rule, typically in a key-value format. msg

2. Payload Detection - These options all look for data inside the packet
Keyword Description

The content keyword allows the user to set rules that search for specific content in the packet payload and trigger response based on that data. (NOTE: Rules without content (or uricontent) slow the entire system down!!!! If at all possible, try and have at least one content (or uricontent) option in your rule) The rawbytes keyword allows rules to look at the raw packet data, rawbytes ignoring any decoding that was done by preprocessors. The depth keyword allows the rule writer to specify how far into a depth packet Snort should search for the specified pattern. The offset keyword allows the rule writer to specify where to start offset searching for a pattern within a packet. The distance keyword allows the rule writer to specify how far into a distance packet Snort should ignore before starting to search for the specified pattern relative to the end of the previous pattern match. The within keyword is a content modifier that makes sure that at most within N bytes are between pattern matches using the content keyword. uricontent The uricontent keyword in the Snort rule language searches the normalized request URI field. (NOTE: Rules without content (or uricontent) slow the entire system down!!!! If at all possible, try and have at least one content (or uricontent) option in your rule) The isdataat keyword verifies that the payload has data at a specified isdataat location. The pcre keyword allows rules to be written using perl compatible pcre regular expressions. The byte_test keyword tests a byte field against a specific value (with byte_test operator). byte_jump The byte_jump keyword allows rules to read the length of a portion of data, then skip that far forward in the packet. ftpbounce The ftpbounce keyword detects FTP bounce attacks. content

3. Non-Payload Detection - These options look for non-payload data (NOTE: These options are discrete and should generally be placed at the begining of any rule, before content (or uricontent) matching. [See Optimizing Rules in the Snort manual])!!!!!!
Keyword Description

fragoffset ttl tos id ipopts fragbits dsize flags flow flowbits seq ack window itype icode icmp_id icmp_seq rpc ip_proto sameip

The fragoffset keyword allows one to compare the IP fragment offset field against a decimal value. The ttl keyword is used to check the IP time-to-live value. The tos keyword is used to check the IP TOS field for a specific value. The id keyword is used to check the IP ID field for a specific value. The ipopts keyword is used to check if a specific IP option is present. The fragbits keyword is used to check if fragmentation and reserved bits are set in the IP header. The dsize keyword is used to test the packet payload size The flags keyword is used to check if specific TCP flag bits are present. The flow keyword allows rules to only apply to certain directions of the traffic flow (This is important!!!!!!!) The flowbits keyword allows rules to track states across transport protocol sessions. The seq keyword is used to check for a specific TCP sequence number. The ack keyword is used to check for a specific TCP acknowledge number. The window keyword is used to check for a specific TCP window size. The itype keyword is used to check for a specific ICMP type value. The icode keyword is used to check for a specific ICMP code value. The icmp_id keyword is used to check for a specific ICMP ID value. The icmp_seq keyword is used to check for a specific ICMP sequence value. The rpc keyword is used to check for a RPC application, version, and procedure numbers in SUNRPC CALL requests. The ip_proto keyword allows checks against the IP protocol header. The sameip keyword allows rules to check if the source ip is the same as the destination IP.

4. post-detection - These options are rule specific triggers that happen after a rule has fired.
Keyword Description

The logto keyword tells Snort to log all packets that trigger this rule to a special output log file. The session keyword is built to extract user data from TCP Sessions. session The resp keyword is used attempt to close sessions when an alert is resp triggered. This keyword implements an ability for users to react to traffic that react matches a Snort rule by closing connection and sending a notice. The tag keyword allow rules to log more than just the single packet tag that triggered the rule. This keyword allows the rule writer to specify a rule to add when a activates specific network event occurs. activated_by This keyword allows the rule writer to dynamically enable a rule when a specific activate rule is triggered. This keyword must be used in combination with the activated_by count keyword. It allows the rule writer to specify how many packets to leave the rule enabled for after it is activated. logto

Flow: (flow: established;) Flow states: established (must have three way hand shake) stateless (Any packet) Flow direction: to_server from_server to_client from_client no_stream only_stream EX: Look for the string test string only if a handshake has occured: alert tcp any any -> any 5000 \ (content:test string; \ flow:established; \ msg:test string flow established; \ sid:50000;)

Examining packet payload:

Rule Option (Content): Content can consist of o Text o Hex data (Surround hex with pipes | 90 90|) o Combination of text and hex You can also match for the exception by using the ! character. You can use multiple content options. ***The content option is case sensitive (override with nocase) *** Some applications like Telnet send the characters one at a time in the connection. You must enable the stream4 preprocessor to reassemble the stream to find this type of application layer data.

EX: Look for anonymous ftp traffic: alert tcp any any -> any 21 \ (content: anonymous; \ msg:Anonymous FTP Login;) Look for non-anonymous ftp traffic: alert tcp any any -> any 21 \ (content: !anonymous; \ msg:Anonymous FTP Login;) Look for a specific set of Hex bits (NoOP sled) alert tcp any any -> any any \ (content: |9090 9090 9090|; \ msg:NoOp sled;)

Offset: Defines offset from beginning of the payload. (default is zero, first byte of the payload)

EX: (This will cause the pattern matcher to start looking at byte 6 in the payload) alert tcp any any -> any 21 \ (content: anonymous; \ offset:5; \ msg:Anonymous FTP Login;)

Depth: Limits the depth, number of bytes from the offset (default offset 0) that the pattern matcher will search. EX: (This will search the first 13 bytes of the packet looking for the word anonymous. alert tcp any any -> any 21 \ (content: anonymous; \ depth:14;\ msg:Anonymous FTP Login;) nocase: Deactivates the case sensitivity of a text search . EX: alert tcp any any -> any 21 \ (content: anonymous; \ nocase;\ msg:Anonymous FTP Login;) urlcontent: This normalizes URI buffers. It removes things like Unicode and other encoding methods. EX: Search for Win2000 web directory traversal alert tcp any any -> any 80 \ flow:to_server,established; \ nocase;\ uricontent:/C+?dir; \ msg:Anonymous FTP Login;)