Installing Snort on Windows
You would need the Snort installation file, WinPcaP and Snort rules to make use of Snort in a Windows environment. Snort makes the Snort rules available of free of charge in the Snort community website. These rules file can be downloaded and saved onto the Snort rules folder after installing Snort.
Snort rules
When you specify in the “snort.conf” file (located in C:\Snort\etc) of the snort installation how and which rules to be used, you can easily use these rules to detect intrusions. You also need to specify your local network address in snort.conf file to configure snort to work on your local network.
You can specify your local rules in the “local.rules” file in the Snort installation. Which is located in C:\Snort\rules folder.
The general structure of Snort rules
A basic Snort rule is as below, this rule consists of a rule header that defines who, where and what of a packet.
log tcp any any -> 192.168.1.0/24 77
The left side of the rule from the arrow (- and >) specifies the source and the right side is the destination. The above rule records all the TCP traffic from any network and from any port, to the network 192.168.1.0/24 and the port 77.
A rule can specify traffic to,
pass - let the packet go through
log - log the packet
alert - generate an alert, and log the packet
drop - block the packet and log it
reject - block data packet, log the data packet, send TCP reset request if its protocol is TCP or if the protocol is UDP send ICMP port unreachable message
sdrop - block the packet but do not log
PCRE matching
PCRE stands for Pearl Compatible Regular Expressions. PCRE matching provides Snort with a method to match content in a payload of a data packet that we know very little about.
In the below rule we specify the data type we are looking for (ip) and the section
pcre:"/Hello\s+world/" specify the regex pattern we are looking for which is Hello\s+world. Which means look for “Hello world” phrase with one or more spaces in between the two words.
alert ip any any -> any any (sid:1000008;msg:"Hello world phrase found";pcre:"/Hello\s+world/";)
PCRE matching can be used to detect web application attacks such as SQL injection attacks.
Use below rule to detect a SQL injection attack.
alert tcp any any -> 10.18.20.201 any (msg:”SQL Injection attack”; pcre:”/\w*((\%27)|(\’))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix”; sid:1000011; rev:1;)
Below are examples of snort rules that will detect packets of data which:
- Contain the phrase Hello world with the words Hello and world separated by one or more space characters.
alert ip any any -> any any (sid:1000008;msg:"Hello world phrase found";pcre:"/Hello\s+world/";)
- Are sent by any computer to a mail server and which contain a single word of text enclosed in double quotes, that starts with a capital letter and is between four and seven letters long.
alert ip any any -> any smtp (sid:1000009;msg:"Text enclosed in double quotes sent to mail server found";pcre:"/\"[A-Z][a-zA-Z]{3,6}\"/";)
