Snort Intrusion Detection System Cheatsheet
A comprehensive cheat sheet for Snort, covering installation, configuration, rule writing, and usage for network intrusion detection and prevention.
Installation and Basic Configuration
Installation
Ubuntu/Debian: install the distribution's snort package with the system package manager.
CentOS/RHEL: install from the packages or the source tarball published on Snort.org.
Download from Snort.org: source code and prebuilt packages for other platforms are available from Snort.org, together with the official rule sets.
Basic Configuration File
The main configuration file is snort.conf. Key configurations include defining network variables, setting up preprocessors, and specifying the rule files to load.
Important variables to configure:
HOME_NET: the address ranges Snort protects; rules use it as the destination for inbound attacks.
EXTERNAL_NET: everything outside HOME_NET, usually written as !$HOME_NET or any.
RULE_PATH: the directory from which rule files are included, so that rule file paths in the configuration stay short.
Running Snort
Basic command: snort takes the configuration file with -c and the interface to listen on with -i; without -c it behaves as a packet sniffer or logger rather than an intrusion detection system.
Test Configuration: snort -T -c <config file> parses the configuration and every included rule file, reports syntax errors and variable problems, and exits without inspecting traffic. Run this after every change to the configuration or rules before restarting the sensor.
Run in NIDS mode: snort -c <config file> -i <interface> -A <alert mode> (for example console for testing, fast for the one-line alert log) starts inspection with the loaded rules; add -l <log directory> to choose where alerts and packet logs are written.
Snort Rule Structure
Rule Header
The rule header defines the action, protocol, source, and destination information. Everything after it, in parentheses, is the option list.
Syntax: action protocol source_address source_port direction destination_address destination_port (options)
The direction is -> for one-way traffic or <> for either direction; addresses and ports accept variables such as $HOME_NET, the keyword any, lists in square brackets, and negation with !.
Example: an alert on TCP traffic from any external address and port to port 80 on the home network, written as alert tcp $EXTERNAL_NET any -> $HOME_NET 80 followed by the options in parentheses.
Rule Actions
alert: Generates an alert using the selected method, then logs the packet.
log: Logs the packet.
pass: Ignores the packet.
drop: Drops the packet and logs it (inline mode only).
reject: Drops the packet, logs it, and sends a TCP reset (for TCP) or an ICMP port unreachable (for UDP) (inline mode only).
sdrop: Drops the packet but does not log it (inline mode only).
Rule Options
Rule options provide detailed inspection and action parameters within the rule. They are enclosed in parentheses after the header; each option is written as keyword:value; and options without a value (such as nocase) as keyword; with a semicolon terminating every option.
Key options include content matching (content and its modifiers), flow control (flow), and metadata (msg, classtype, sid, rev). Order matters for content modifiers: a modifier applies to the content keyword immediately before it.
Common Rule Options
Content Matching
content: Matches the specified string in the packet payload. Printable text is written as-is; binary bytes are written as hexadecimal between pipe characters, for example |90 90|.
nocase: Makes the preceding content match case-insensitive.
depth: Specifies the maximum number of bytes to search within the payload, counted from the start of the payload or from offset when one is given.
offset: Specifies the starting byte to begin the search, counted from the start of the payload.
distance: Specifies the minimum distance from the end of the previous content match at which the search for this content begins.
within: Specifies the number of bytes after the previous match within which this content must be found.
Flow Control
flow:to_server,established: Checks for established connections and matches only traffic from client to server, so the rule is not evaluated against unsolicited packets or replies.
flow:stateless: Ignores the flow state and matches regardless of whether the stream preprocessor has tracked a connection.
Metadata and Classifications
msg: Specifies the message to display when the rule is triggered.
classtype: Categorizes the type of attack or activity; each class carries a default priority used in the alert output.
sid: Specifies the Snort ID of the rule. It must be unique across the loaded rule set, and locally written rules use values of 1000000 and above so that they do not collide with distributed rules.
rev: Specifies the revision number of the rule; increment it whenever the rule is changed so that alerts can be tied to the exact rule version.
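The header and option syntax from the Rule Header and Rule Options sections, and the sid/rev/msg conventions just described, as an added example that is not part of Snort or the original cheat sheet: a small parser that splits a rule into its header fields and its ordered option list, plus a linter that flags duplicate sids, sids below the local range, and missing rev or msg. The sample rules are constructed for this example, and the parser only covers the common rule shape shown on this page (no sticky buffers, no parentheses inside option values).

```python
"""Minimal Snort 2 rule parser and metadata linter (added example, not Snort code)."""
from __future__ import annotations

import re
from collections import Counter

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
LOCAL_SID_MIN = 1_000_000  # local rules start here; lower sids belong to distributed sets

# header: action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.DOTALL,
)


def split_options(opts: str) -> list[tuple[str, str | None]]:
    """Split 'k:v; flag; k2:"v;2";' into ordered (keyword, value) pairs.

    A value-less option such as nocase yields value None. Semicolons inside
    double quotes belong to the value (e.g. content:"a;b").
    """
    pairs: list[tuple[str, str | None]] = []
    buf: list[str] = []
    in_quotes = False
    for ch in opts:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            token = "".join(buf).strip()
            buf = []
            if token:
                key, _, val = token.partition(":")
                pairs.append((key.strip(), val.strip() or None))
            continue
        buf.append(ch)
    if "".join(buf).strip():
        raise ValueError("every option must be terminated by ';'")
    return pairs


def parse_rule(text: str) -> dict:
    """Return header fields plus the option list; raise ValueError on bad input."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError(f"not a rule: {text[:40]!r}")
    if m["action"] not in ACTIONS:
        raise ValueError(f"unknown action {m['action']!r}")
    rule = {k: m[k] for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    rule["options"] = split_options(m["opts"])
    return rule


def option(rule: dict, key: str) -> str | None:
    """First value of an option keyword, or None when absent or value-less."""
    for k, v in rule["options"]:
        if k == key:
            return v
    return None


def lint_rules(rules: list[dict]) -> list[str]:
    """Findings for the metadata conventions: unique sid, local range, rev and msg."""
    findings: list[str] = []
    sid_counts = Counter(option(r, "sid") for r in rules if option(r, "sid") is not None)
    for sid, n in sid_counts.items():
        if n > 1:
            findings.append(f"sid {sid}: used by {n} rules (sid must be unique)")
    for r in rules:
        sid, rev, msg = (option(r, k) for k in ("sid", "rev", "msg"))
        label = msg or f"{r['action']} {r['proto']} {r['dst']} {r['dport']}"
        if sid is None or not sid.isdigit():
            findings.append(f"{label}: missing or non-numeric sid")
            continue
        if int(sid) < LOCAL_SID_MIN:
            findings.append(f"sid {sid}: below {LOCAL_SID_MIN}, the range reserved for local rules starts there")
        if rev is None:
            findings.append(f"sid {sid}: missing rev")
        if msg is None:
            findings.append(f"sid {sid}: missing msg")
    return findings


# Constructed sample rule set: one well-formed rule, one reusing its sid, one with a low sid and no rev.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Example admin path request"; '
    'flow:to_server,established; content:"/admin"; nocase; classtype:web-application-activity; sid:1000001; rev:2;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Duplicate sid"; content:"x;y"; sid:1000001; rev:1;)',
    'drop udp any any -> $HOME_NET 53 (msg:"Low sid"; sid:42;)',
]

if __name__ == "__main__":
    for finding in lint_rules([parse_rule(t) for t in SAMPLE_RULES]):
        print(finding)
```

Running the module prints three findings for the sample set: the shared sid 1000001, sid 42 being below the local range, and sid 42 lacking a rev. The same checks are worth running in a pre-commit hook for a local rules file, since snort -T reports syntax errors but does not object to a duplicate sid until alerts become ambiguous.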
Advanced Rule Examples
Detecting Shellcode
A content match on a run of NOP bytes (0x90 on x86, written in hex between pipes) detects the presence of No Operation (NOP) sleds, which are commonly used in shellcode.
Detecting SQL Injection
A rule on HTTP traffic to web server ports that matches common SQL keywords in the request, such as UNION followed closely by SELECT, with nocase so that mixed-case variants are caught, detects SQL injection attempts. Keyword rules of this kind also fire on benign text that happens to contain the words, so they are usually tightened with flow and the HTTP URI buffer.
Detecting Specific User-Agent
A rule that matches the User-Agent: header name and then the specific agent string within a few bytes of it detects a specific user agent string in HTTP requests.
File Integrity Monitoring
Snort inspects network traffic only; it does not watch files on disk. File integrity monitoring is added by pairing Snort with a host-based tool such as OSSEC.
This typically involves integrating Snort alerts with OSSEC, which performs the file integrity checks itself, so that real-time monitoring and alerting of file changes and the network alerts from Snort are correlated in one place.