snort_manual.tex

This is the snapshot of Snot Latest Rules

QUEUE is to use the rc.firewall script created and maintained by the 
Honeynet Project (\url{http://www.honeynet.org/papers/honeynet/tools/})
This script is well-documented and allows you to direct packets
to \texttt{Snort Inline} by simply changing the QUEUE variable to yes.

Finally, start Snort Inline:

\begin{verbatim}
snort_inline -QDc ../etc/drop.conf -l /var/log/snort
\end{verbatim}

You can use the following command line options:
\begin{itemize}
\item \texttt{-Q} - Gets packets from iptables.
\item \texttt{-D} - Runs \texttt{Snort Inline} in daemon mode.  The process ID is stored
                    at \texttt{/var/run/snort\_inline.pid}
\item \texttt{-c} - Reads the following configuration file.
\item \texttt{-l} - Logs to the following directory.

\end{itemize}

Ideally, Snort Inline will be run using only its own drop.rules.  If
you want to use Snort for just alerting, a separate process should be
running with its own rule set.

\subsection{Using the Honeynet Snort Inline Toolkit}

The Honeynet Snort Inline Toolkit is a statically compiled \texttt{Snort Inline} 
binary put together by the
Honeynet Project for the Linux operating system.  It comes with a set
of drop.rules, the \texttt{Snort Inline} binary, a snort-inline rotation shell
script, and a good README.  It can be found at:

\url{http://www.honeynet.org/papers/honeynet/tools/}

\subsection{Troubleshooting Snort Inline}

If you run Snort Inline and see something like this:
\begin{verbatim}
Initializing Output Plugins!
Reading from iptables
Log directory = /var/log/snort
Initializing Inline mode
InlineInit: : Failed to send netlink message: Connection refused
\end{verbatim}
More than likely, the ip\_queue module is not loaded or ip\_queue 
support is not compiled into your kernel.  Either recompile
your kernel to support ip\_queue, or load the module.

The ip\_queue module is loaded by executing:
\begin{verbatim}
insmod ip_queue
\end{verbatim}
Also, if you want to ensure Snort Inline is getting packets, you can 
start it in the following manner:
\begin{verbatim}
snort_inline -Qvc <configuration file>
\end{verbatim}
This will display the header of every packet that Snort Inline sees. 

\section{Miscellaneous}

\subsection{Running in Daemon Mode}

If you want to run Snort in daemon mode, you can the add -D switch to any
combination described in the previous sections. Please notice that if you want to be able to restart Snort
by sending a SIGHUP signal to the daemon, you {\em must} specify the full path to the Snort
binary when you start it, for example:

\begin{center}
\begin{verbatim}
/usr/local/bin/snort -d -h 192.168.1.0/24 \
    -l /var/log/snortlogs -c /usr/local/etc/snort.conf -s -D
\end{verbatim}
\end{center}

Relative paths are not supported due to security concerns.

\subsubsection{Snort PID File}

When Snort is run in daemon mode, the daemon creates a PID file in
the log directory.  In Snort 2.6, the \texttt{--pid-path} command line
switch causes Snort to write the PID file in the directory specified.

Additionally, the \texttt{--create-pidfile} switch can be used to
force creation of a PID file even when not running in daemon mode.

The PID file will be locked so that other snort processes cannot
start.  Use the \texttt{--nolock-pidfile} switch to not lock the
PID file.

\subsection{Obfuscating IP Address Printouts}

If you need to post packet logs to public mailing lists, you might
want to use the -O switch. This switch obfuscates your IP addresses in
packet printouts. This is handy if you don't want people on the mailing
list to know the IP addresses involved. You can also combine the -O switch with
the -h switch to only obfuscate the IP addresses of hosts on the home network.
This is useful if you don't care who sees the address of the attacking host.
For example, you could use the following command to read the packets from a log 
file and dump them to the screen, obfuscating only the addresses from the 
192.168.1.0/24 class C network:
 
\begin{center}
\begin{verbatim}
./snort -d -v -r snort.log -O -h 192.168.1.0/24
\end{verbatim}
\end{center}

\subsection{Specifying Multiple-Instance Identifiers}

In Snort v2.4, the \texttt{-G} command line option was added that specifies
an instance identifier for the event logs.  This option can be used when
running multiple instances of snort, either on different CPUs, or on the same
CPU but a different interface.  Each Snort instance will use the value
specified to generate unique event IDs.  Users can specify either a
decimal value (\texttt{-G 1}) or hex value preceded by 0x (\texttt{-G 0x11}).
This is also supported via a long option \texttt{--logid}.

\section{More Information}

Chapter \ref{Configuring Snort} contains much information about many
configuration options available in the configuration file.  The Snort manual
page and the output of \texttt{snort -?} or \texttt{snort --help} contain
information that can help you get Snort running in several different modes.

\begin{note}
In many shells, a backslash (\textbackslash{}) is needed to escape the ?, so you may have to type 
\texttt{snort -\textbackslash{}?} instead of \texttt{snort -?} for a list of Snort command line options.
\end{note}

The Snort web page (\url{http://www.snort.org}) and the Snort Users mailing
list (\url{http://marc.theaimsgroup.com/?l=snort-users} at
\verb?snort-users@lists.sourceforge.net? provide informative announcements as
well as a venue for community discussion and support. There's a lot to Snort, so
sit back with a beverage of your choosing and read the documentation and
mailing list archives.

\newpage
\chapter{Configuring Snort \label{Configuring Snort}}

\subsection{Includes}

The {\tt include} keyword allows other rules files to be included within the rules
file indicated on the Snort command line. It works much like an \#include from
the C programming language, reading the contents of the named file and adding the contents
in the place where the include statement appears in the file.

\subsubsection{Format}
\begin{verbatim}
include <include file path/name>
\end{verbatim}

\begin{note}
Note that there is no semicolon at the end of this line. 
\end{note}

Included files will
substitute any predefined variable values into their own variable references.
See Section \ref{variables} for more information on defining and
using variables in Snort rules files.

\subsection{Variables \label{variables}}

Variables may be defined in Snort. These are simple substitution variables
set with the {\tt var} keyword as shown in Figure \ref{variable definition}.

\subsubsection{Format}

\begin{verbatim}
var <name> <value>
\end{verbatim}

\begin{figure}[!hbpt]
\begin{verbatim}
var MY_NET [192.168.1.0/24,10.1.1.0/24]
alert tcp any any -> $MY_NET any (flags:S; msg:"SYN packet";)
\end{verbatim}

\caption{Example of Variable Definition and Usage\label{variable definition}}
\end{figure}

Rule variable names can be modified in several ways. You can define
meta-variables using the \$ operator. These can be used with the variable
modifier operators {\tt ?}  and {\tt -}, as described in the following table: 

\begin{tabular}{| l | p{5in} |}
\hline
\textbf{Variable Syntax} & \textbf{Description}\\
\hline
\hline
\texttt{var} & Defines a meta-variable.\\
\hline
\texttt{\$(var) or \$var} & Replaces with the contents of variable \texttt{var}.\\
\hline
\texttt{\$(var:-default)} & Replaces the contents of the variable \texttt{var} with ``default'' if 
   \texttt{var} is undefined.\\
\hline
\texttt{\$(var:?message)} & Replaces with the contents of variable \texttt{var} or prints out the
error message and exits.\\
\hline
\end{tabular}


See Figure \ref{advanced variable usage} for an example of advanced variable usage in action.

\begin{figure}[!hbpt]
\begin{verbatim}
var MY_NET 192.168.1.0/24
log tcp any any -> $(MY_NET:?MY_NET is undefined!) 23
\end{verbatim}

\caption{Figure Advanced Variable Usage Example\label{advanced variable usage}}
\end{figure}

\subsection{Config\label{Config}}

Many configuration and command line options of Snort can be specified
in the configuration file. 

\subsubsection{Format}

\begin{center}
\begin{verbatim}
config <directive> [: <value>]
\end{verbatim}
\end{center}


\subsubsection{Directives}
\begin{center}
\begin{longtable}{| p{2in} | p{2.25in} | p{2.25in} |}
\caption{Config Directives} \\
\hline
{\bf Command} & {\bf Example} & {\bf Description}\\
\hline
\hline
\texttt{alert\_with\_interface\_name} & \texttt{config alert\_with\_interface\_name} & Appends interface name to alert (\texttt{snort -I}). \\
\hline
\texttt{alertfile} & \texttt{config alertfile: alerts} & Sets the alerts output file. \\
\hline
\texttt{asn1} & \texttt{config asn1:256} & Specifies the maximum number of nodes to 
track when doing ASN1 decoding. See Section \ref{asn1} for more information and examples.\\
\hline
\texttt{bpf\_file} & \texttt{config bpf\_file: filters.bpf} & Specifies BPF filters (\texttt{snort -F}). \\
\hline
\texttt{checksum\_drop} & \texttt{config checksum\_drop : all} & Types of packets 
to drop if invalid checksums. Values: \texttt{none}, \texttt{noip}, \texttt{notcp}, 
\texttt{noicmp}, \texttt{noudp}, \texttt{ip}, \texttt{tcp}, \texttt{udp}, \texttt{icmp} or \texttt{all} (only applicable in inline mode and for packets checked per \texttt{checksum\_mode} config option). \\
\hline
\texttt{checksum\_mode} & \texttt{config checksum\_mode : all} & Types of packets 
to calculate checksums. Values: \texttt{none}, \texttt{noip}, \texttt{notcp}, 
\texttt{noicmp}, \texttt{noudp}, \texttt{ip}, \texttt{tcp}, \texttt{udp}, \texttt{icmp} or \texttt{all}. \\
\hline
\texttt{chroot} & \texttt{config chroot: /home/snort} & Chroots to specified dir (\texttt{snort -t}). \\
\hline
\texttt{classification} & \texttt{config classification: misc-activity,Misc activity,3} & See Table \ref{Snort Default Classifications} for a list of
  classifications.\\
\hline
\texttt{daemon} & \texttt{config daemon} & Forks as a daemon (\texttt{snort -D}). \\
% yeah, this should go away...
% reference\_net]Set home network (snort -h). Example: config reference\_net: 192.168.1.0/24
\hline
\texttt{decode\_data\_link} & \texttt{config decode\_data\_link} & Decodes Layer2 headers (\texttt{snort -e}). \\
\hline
\texttt{default\_rule\_state} & \texttt{config default\_rule\_state: disabled} & Global configuration directive to enable or disable the loading of rules into the detection engine.  Default (with or without directive) is enabled.  Specify \texttt{disabled} to disable loading rules. \\
\hline
\texttt{detection} & \texttt{config detection: search-method ac no\_stream\_inserts max\_queue\_events 128} & Makes changes to the detection engine. 
The following options can be used:\begin{itemize}\item \texttt{search-method $<$ac $|$ ac-std $|$ ac-bnfa $|$ acs $|$ ac-banded $|$ ac-sparsebands $|$ lowmem $>$}
\begin{itemize}
\item \texttt{ac} Aho-Corasick Full (high memory, best performance)
\item \texttt{ac-std} Aho-Corasick Standard (moderate memory, high performance)
\item \texttt{ac-bnfa} Aho-Corasick NFA (low memory, high performance)
\item \texttt{acs} Aho-Corasick Sparse (small memory, moderate performance)
\item \texttt{ac-banded} Aho-Corasick Banded (small memory, moderate performance)
\item \texttt{ac-sparsebands} Aho-Corasick Sparse-Banded (small memory, high performance)
\item \texttt{lowmem} Low Memory Keyword Trie (small memory, low performance)
%\item \texttt{mwm} Wu-Manber (small memory, low performance)
\end{itemize}
\item \texttt{no\_stream\_inserts}
\item \texttt{max\_queue\_events$<$integer$>$}\end{itemize}\\
\hline
\texttt{disable\_decode\_alerts} & \texttt{config disable\_decode\_alerts} & Turns off the alerts generated by the decode phase of Snort. \\
\hline
\texttt{disable\_inline\_init\_failopen} & \texttt{config disable\_inline\_init\_\linebreak failopen} & Disables failopen thread that allows inline traffic to pass while Snort is starting up.  Only useful if Snort was configured with --enable-inline-init-failopen. (\texttt{snort --disable-inline-init-failopen}) \\
\hline
\texttt{disable\_ipopt\_alerts} & \texttt{config disable\_ipopt\_alerts} & Disables IP option length validation alerts. \\
\hline
\texttt{disable\_tcpopt\_alerts} & \texttt{config disable\_tcpopt\_alerts} & Disables option length validation alerts. \\
\hline
\texttt{disable\_tcpopt\_experimental\_\linebreak alerts} & \texttt{config disable\_tcpopt\_experiment\linebreak al\_alerts} & Turns off alerts generated by experimental TCP options. \\