Snort (Intrusion Prevention System)

From Bauman National Library
This page was last modified on 24 June 2016, at 09:18.
Developer(s) Sourcefire, Cisco
Written in C
Operating system UNIX-like, Windows

Snort is a freely distributed, open-source program released under the GPL license. Snort was originally created by Martin Roesch in 1998. The main reason for creating this IDS was the absence at that time of a sufficiently effective, free tool for alerting on attacks.

Nowadays Snort is the most common IDS (and IPS) in the world, mostly due to its openness and the work of its author.


This IPS detects the following:

  • Bad Traffic
  • The use of exploits (shellcode detection)
  • System scans (ports, operating systems, users, etc.)
  • Attacks on services such as Telnet, FTP, DNS, etc.
  • DoS/DDoS attacks
  • Attacks associated with the Web server (cgi, php, frontpage, iis etc.)
  • Attacks on SQL, Oracle and other databases.
  • Attacks on the SNMP, NetBIOS and ICMP protocols
  • Attacks on SMTP, IMAP, pop2, pop3
  • Various Backdoors
  • Web-filters (pornography)
  • Viruses

In addition Snort has:

  • The ability to write your own rules
  • Extended functionality through pluggable modules
  • A flexible system of attack notification (log files, output devices, the database ID)

Snort supports listening on the following interfaces:

  • Ethernet
  • SLIP
  • PPP

IPS Snort can run on many operating systems: Linux, Windows, IRIX, SunOS, *BSD, and others.

There is also an extension of Snort's functionality called inline, which makes it possible to link actions with firewall rules. For example, you can pass the firewall the IP address of the host from which a suspicious packet came and instruct it to ignore all traffic from that IP. This is often used against DDoS attacks. In this mode Snort receives packets not from the libpcap library but from iptables. But there is a downside. Consider a situation where an attacker understands how the blocking works and takes advantage of it by forging packets and sending them to mission-critical servers, thereby causing a denial-of-service condition. Therefore security experts do not recommend using this capability, or recommend using it only in exceptional cases.
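One way to limit the downside described above is to put a guard between the alerts and the firewall, so that protected addresses are never blocked automatically. The sketch below is an added example, not part of Snort or of the original page: the allowlist, the threshold and the sample alert lines are constructed, and it assumes alerts written in the fast alert format and TCP rules that match established connections only.

```python
import ipaddress
import re
from collections import Counter

# Assumed policy values for this sketch (not Snort settings).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "203.0.113.53/32")]
THRESHOLD = 3                    # alerts per source before a block is proposed
UNVERIFIED = {"UDP", "ICMP"}     # no handshake confirms the source address

# "{PROTO} src[:port] ->" at the end of a fast-format alert line
ALERT_SRC = re.compile(r"\{(\w+)\}\s+(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->")

def plan_blocks(alert_lines, never_block=NEVER_BLOCK, threshold=THRESHOLD):
    """Return (to_block, refused): sources to pass to the firewall, and sources
    that crossed the threshold but are protected and need a human decision."""
    hits = Counter()
    for line in alert_lines:
        m = ALERT_SRC.search(line)
        if not m or m.group(1).upper() in UNVERIFIED:
            continue
        try:
            hits[ipaddress.ip_address(m.group(2))] += 1
        except ValueError:       # damaged line, e.g. an octet above 255
            continue
    to_block, refused = [], []
    for src in sorted(hits):
        if hits[src] < threshold:
            continue
        protected = any(src in net for net in never_block)
        (refused if protected else to_block).append(str(src))
    return to_block, refused

def _alert(proto, src, n):
    """Build n constructed alert lines in fast format (not real traffic)."""
    return [f"06/24-09:18:0{i}.000000  [**] [1:1000001:1] constructed alert [**] "
            f"[Priority: 2] {{{proto}}} {src} -> 192.168.1.10:80" for i in range(n)]

SAMPLE = (_alert("TCP", "198.51.100.7:40112", 3)     # repeated offender
          + _alert("TCP", "203.0.113.53:4444", 3)    # source claims a protected address
          + _alert("UDP", "198.51.100.8:5353", 5)    # connectionless: never counted
          + _alert("TCP", "198.51.100.9:1025", 1))   # below threshold

if __name__ == "__main__":
    print(plan_blocks(SAMPLE))
```

Sources returned in the second list are the ones a forged packet could otherwise have cut off; they are reported for manual review instead of being blocked.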

Installing Snort

Where to download

The latest version of Snort can always be found on the website of the developers:

Where best to place Snort

  • Where in the network should Snort be placed? If the network has access to the Internet, the IPS can be installed before or after the firewall. If Snort runs before the firewall, it is possible to obtain all warnings about break-in attempts and take appropriate action; if it runs after, the firewall may discard interesting packets, and there will be less opportunity to analyze the interesting traffic.

  • Many network security experts advise installing Snort on two machines at once, before and after the firewall, since this gives the most reliable way of obtaining the necessary information. Snort can also be used to detect intrusions effectively with routers that support traffic mirroring: for example, by configuring the IPS on a machine and mirroring all traffic from the router to that machine. For smaller networks a hub can be used in order to listen to all traffic.

Configuration of the installation program

The installation of Snort version 2.4.3 on Linux is considered here.

  • Run:
 $ ./configure && make && make install
  • It is important to note that configure has many quite interesting options. Here are some of them:

  • Installation directories:
 --prefix=PREFIX                 prefix for architecture-independent files [/usr/local]
 --exec-prefix=EPREFIX           prefix for architecture-dependent files [PREFIX]
  • Options to specify the installation directories:
 --bindir=DIR                    user executables (PREFIX/bin)
 --sbindir=DIR                   system administrator executables (PREFIX/sbin)
 --libexecdir=DIR                program executables (PREFIX/lib)
 --datadir=DIR                   read-only architecture-independent directory (PREFIX/share)
 --sysconfdir=DIR                read-only configuration directory (PREFIX/etc)
 --sharedstatedir=DIR            modifiable architecture-independent directory (PREFIX/com)
 --localstatedir=DIR             variable data directory (PREFIX/var)
 --includedir=DIR                C header files (PREFIX/include)
 --oldincludedir=DIR             C header files for non-gcc (/usr/include)
 --infodir=DIR                   info documentation (PREFIX/info)
 --mandir=DIR                    man documentation (PREFIX/man)
  • Package options:
 --with-PACKAGE[=ARG]            use PACKAGE [ARG=yes]
 --without-PACKAGE               do not use PACKAGE (same as --with-PACKAGE=no)
 --with-libpcap-includes=DIR     libpcap include directory
 --with-libpcap-libraries=DIR    libpcap library directory
 --with-libpcre-includes=DIR     libpcre include directory
 --with-libpcre-libraries=DIR    libpcre library directory
 --with-libnet-includes=DIR      libnet include directory
 --with-libnet-libraries=DIR     libnet library directory
 --with-mysql=DIR                support for mysql
 --with-odbc=DIR                 support for odbc
 --with-postgresql=DIR           support for postgresql
 --with-pgsql-includes=DIR       postgresql include directory
 --with-oracle=DIR               support for oracle
 --with-libprelude-prefix=PFX    prefix where the library is installed
 --with-libipq-includes=DIR      libipq include directory
 --with-libipq-libraries=DIR     libipq library directory
 --enable-perfmonitor            include the PerfMonitor preprocessor
 --enable-inline                 use the libipq interface for Snort inline
 --enable-ipfw                   use ipfw for Snort inline
 --enable-debug                  debugging options (for developers only)
  • After installation is complete, make sure that all dependencies are satisfied and that Snort is working (run it in sniffer mode):

 $ snort -dev

  • Run any network application and check whether Snort displays the packets. The launch must of course be done as root, since Snort is built on the libpcap library, which listens to all traffic. The library lets Snort see packets before they are received by other applications, and this level of access requires superuser rights. The latest version of the library can be found at:

If Snort is used under Windows, an analog of the libpcap library is needed; it is called WinPcap.

Setting snort.conf

  • Next, you must configure the file "snort.conf". An example of this file can be found in the "etc/" directory, which in turn is located in the directory where Snort was unpacked.

The options in the file can be divided into 5 main parts:

  1) Setting values for your network
  2) Configuring preprocessors
  3) Configuring plugins
  4) Adding directives
  5) The rules used

Its options are described in detail on the official website.


After configuration is complete, consider the run-time options. (Note: the command line options have a higher priority than snort.conf)

 -A     Alert mode. Can take the values fast, full, console, or none.
             fast is intended for generating alerts quickly; this mode is
             recommended not only by the developers but also by
             information security experts. full is the slowest
             method and is used when necessary.
 -b     Log the packets in tcpdump format. (This is the fastest and
              most efficient option)
 -c     Specifies the name of the configuration file.
 -C     Remove the hex values of the packet from the dump.
 -D     Run Snort in daemon mode.
 -e     Log the information on the packet header.
 -f     Disable fflush() calls after writing binary logs.
 -g     Run the IPS with the rights of the given group.
 -h     Home network.
 -i     Listen on the named interface.
 -I     Add the interface name to generated alerts.
 -k     Checksum mode. It may be:
              (all, noip, notcp, noudp, noicmp, none).
 -K     Logging mode. Values: pcap, ascii, none. The default
              is pcap.
 -l     Write logs into the given directory.
 -L     Write logs to the named tcpdump file.
 -m     Set the mask.
 -n     Exit after receiving the given number of packets.
 -N     Disable logging (alerts still work).
 -o     Select the rule testing order Log | Alert | Pass
 -O     Hide IP addresses.
 -p     Disable promiscuous mode.
 -q     Do not display the Snort banner.
 -r     Write the log in decoded form, i.e. in a more
              readable form than the binary tcpdump log.
 -R     Insert 'id' in the name of the file
 -s     Log to syslogd. To use this option, the following must be
              written in the syslog.conf file:
 -S     Set the rules-file variable n to the value v.
 -T     Test and report on the current configuration of Snort.
 -u     Run the IPS with the rights of the given user.
 -U     Use UTC.
 -v     Verbose mode.
 -V     Show the version of Snort.
 -w     Dump 802.11 control frames.
 -X     Dump the contents of the packet.
 -y     Put the year in the date of logs and alerts.
 -Z     Set the file path and name for the performonitor
              preprocessor (statistics).
 -z     Use assurance mode, which matches on established
              connections. With this option noise generators can be
              recognized and successfully blocked using the
              stream4 preprocessor.
 -?     Display help.

Example of usage

  • Ignore all packets from
 $ snort <bash_options> not host

by device:

 $ snort <bash_options> 'not ((icmp[0] = 8 or icmp[0] = 0) and host)'