Snort
Snort is an open source network intrusion detection system (NIDS) created by Martin Roesch. Snort is a packet sniffer that monitors network traffic in real time, scrutinizing each packet closely to detect a dangerous payload or suspicious anomalies.
Snort is a free lightweight network intrusion detection system for both UNIX and Windows.
In this article, let us review how to install snort from source, write rules, and perform basic testing.
Snort is an open-source security software product that looks at network traffic in real time and logs packets to perform detailed analysis used to facilitate security and authentication efforts. Snort was released by Martin Roesch in 1998.
1. Download and Extract Snort
Download the latest snort free version from snort website. Extract the snort source code to the /usr/src directory as shown below.
Note: We also discussed Tripwire (a Linux host-based intrusion detection system) and Fail2ban (an intrusion prevention framework) in earlier articles.
2. Install Snort
Before installing snort, make sure you have dev packages of libpcap and libpcre.
Follow the steps below to install snort.
3. Verify the Snort Installation
Verify the installation as shown below.
4. Create the required files and directory
You have to create the configuration file, rule file and the log directory.
Create the following directories:
Create the following snort.conf and icmp.rules files:
The basic rule above raises an alert whenever an ICMP packet (for example, a ping) is seen.
Following is the structure of the alert rule:
| Structure | Example |
|---|---|
| Rule Action | alert |
| Protocol | icmp |
| Source IP Address | any |
| Source Port | any |
| Direction Operator | -> |
| Destination IP Address | any |
| Destination Port | any |
| (rule options) | (msg:"ICMP Packet"; sid:477; rev:3;) |
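The following is an added example, not part of the original article: a small parser that splits a single-line Snort rule into exactly the header fields listed in the table above plus its options, and rejects rules with an unknown action or no sid. The sample rule is the ICMP rule from the table; the action and protocol sets are the ones I assume a checker would accept.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the ICMP alert rule whose fields are listed in the table above.
SAMPLE_RULE = 'alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)'

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

# header: action proto src_ip src_port direction dst_ip dst_port (options)
HEADER_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)
# one option: keyword, optional ':' value (quoted values may contain ';'), ended by ';'
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


@dataclass
class SnortRule:
    action: str
    protocol: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    options: dict = field(default_factory=dict)


def parse_rule(text: str) -> SnortRule:
    """Split a single-line Snort rule into its header fields and options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("expected '<action> <proto> <src> <sport> <dir> <dst> <dport> (...)'")
    action, proto, sip, sport, direction, dip, dport, body = m.groups()
    if action not in ACTIONS:
        raise ValueError(f"unknown rule action: {action}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol: {proto}")
    options = {}
    for key, value in OPTION_RE.findall(body):
        # strip the quotes around string values such as msg:"ICMP Packet";
        # flag options like nocase; carry no value and are stored as None
        options[key] = value.strip().strip('"') if value else None
    if "sid" not in options or not str(options["sid"]).isdigit():
        raise ValueError("every rule needs a numeric sid option")
    return SnortRule(action, proto, sip, sport, direction, dip, dport, options)
```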
5. Execute snort
Execute snort from the command line as shown below.
Try pinging some IP address from your machine to test the ping rule. Following is an example of a snort alert for this ICMP rule.
Alert Explanation
A couple of lines are added for each alert, which include the following:
- Message is printed in the first line.
- Source IP
- Destination IP
- Type of packet, and header information.
If you use a different interface for the network connection, then pass it with the -dev -i option. In this example my network interface is ppp0.
Execute snort as Daemon
Add -D option to run snort as a daemon.
Additional Snort information
- Default config file will be available at snort-2.8.6.1/etc/snort.conf
- Default rules can be downloaded from: http://www.snort.org/snort-rules
Snort is an intrusion detection and prevention system. It can be configured to simply log detected network events, or to both log and block them. Thanks to OpenAppID detectors and rules, the Snort package enables application detection and filtering. The package is available to install in the pfSense® webGUI from System > Package Manager. Snort operates using detection signatures called rules. Snort rules can be custom created by the user, or any of several pre-packaged rule sets can be enabled and downloaded.
The Snort package currently offers support for these pre-packaged rules:
Snort VRT (Vulnerability Research Team) rules
Snort GPLv2 Community Rules
Emerging Threats Open Rules
Emerging Threats Pro Rules
OpenAppID Open detectors and rules for application detection
The Snort GPLv2 Community Rules and the Emerging Threats Open Rules are both available for free with no registration required. The Snort VRT rules are offered in two forms. One is a registered-user version which is free, but requires registration at http://www.snort.org. The registered-user free version only provides access to rules that are 30 days old or more in age. A Snort VRT paid subscription can be purchased, and it offers twice-weekly (and sometimes more frequent) updates to the rules. The Emerging Threats Pro rules are offered to paid subscribers only and offer almost daily updates to address fast-changing threats.
We strongly suggest obtaining a paid subscription from Snort or Emerging Threats in order to download the most current rules. This is highly recommended for commercial applications.
Launching Snort configuration GUI
To launch the Snort configuration application, navigate to Services > Snort from the menu in the pfSense webGUI.
Setting up Snort package for the first time
Click the Global Settings tab and enable the rule set downloads to use. If either the Snort VRT or the Emerging Threats Pro rules are checked, a text box will be displayed to enter the unique subscriber code obtained with the subscription or registration.
More than one rule set may be enabled for download, but note the following caveats. If a paid subscription is available for the Snort VRT rules, then all of the Snort GPLv2 Community rules are automatically included within the file downloaded with the Snort VRT rules; therefore, do not enable the GPLv2 Community rules if a paid-subscriber account is used for the Snort VRT rules. All of the Emerging Threats Open rules are included within the paid subscription for the Emerging Threats Pro rules. If the Emerging Threats Pro rules are enabled, the Emerging Threats Open rules are automatically disabled.
Once the desired rule sets are enabled, next set the interval for Snort to check for updates to the enabled rule packages. Use the Update Interval drop-down selector to choose a rule update interval. In most cases every 12 hours is a good choice. The update start time may be customized if desired. Enter the time as hours and minutes in 24-hour time format. The default start time is 3 minutes past midnight local time. So with a 12-hour update interval selected, Snort will check the Snort VRT or Emerging Threats web sites at 3 minutes past midnight and 3 minutes past noon each day for any posted rule package updates.
Update the rules
The Updates tab is used to check the status of downloaded rules packages and to download new updates. The table shows the available rule packages and their current status (not enabled, not downloaded, or a valid MD5 checksum and date).
Click on the Update Rules button to download the latest rule package updates. If there is a newer set of packaged rules on the vendor web site, it will be downloaded and installed. The determination is made by comparing the MD5 of the local file with that of the remote file on the vendor web site. If there is a mismatch, a new file is downloaded. The FORCE button can be used to force download of the rule packages from the vendor web site no matter how the MD5 hash tests out.
In the screenshot below, the Snort VRT and Emerging Threats Open rule packages have been successfully downloaded. The calculated MD5 hash and the file download date and time are shown. Also note the last update time and result are shown in the center of the page.
Add Snort to an interface
Click the Snort Interfaces tab and then the icon to add a new Snort interface.
A new Interface Settings tab will open with the next available interface automatically selected. The interface selection may be changed using the Interface drop-down if desired. A descriptive name may also be provided for the interface. Other interface parameters may also be set on this page. Be sure to click the SAVE button down at the bottom of the page when finished.
After saving, the browser will be returned to the Snort Interfaces tab. Note the warning icons in the image below showing no rules have been selected for the new Snort interface. Those rules will be configured next. Click the icon (shown highlighted with a red box in the image below) to edit the new Snort interface again.
Select which types of rules will protect the network
Click the Categories tab for the new interface.
If a Snort VRT Oinkmaster code was obtained (either the free registered-user code or the paid subscription), the Snort VRT rules were enabled, and the Oinkmaster code was entered on the Global Settings tab, then the option of choosing from among three pre-configured IPS policies is available. These greatly simplify the process of choosing enforcing rules for Snort to use when inspecting traffic. The IPS policies are only available when the Snort VRT rules are enabled.
The three Snort VRT IPS Policies are: (1) Connectivity, (2) Balanced and (3) Security. These are listed in order of increasing security. However, resist the temptation to immediately jump to the most secure Security policy if Snort is unfamiliar. False positives can frequently occur with the more secure policies, and careful tuning by an experienced administrator may be required.
Tip
If Snort is unfamiliar, then using the less restrictive Connectivity policy in non-blocking mode (the default setting) is recommended as a starting point to identify and whitelist false positives. Once experience with Snort has been gained in this network environment, blocking mode may be enabled (via the Block Offenders option in the Snort Interface Settings tab) and a more restrictive IPS policy may be chosen.
If the Snort VRT rules were not enabled, or if any of the other rule packages are to be used, then make the rule category selections by checking the checkboxes beside the rule categories to use.
Be sure to click SAVE when finished to save the selection and build the rules file for Snort to use.
Starting Snort on an interface
Click the Snort Interfaces tab to display the configured Snort interfaces. Click the icon (shown highlighted with a red box in the image below) to start Snort on an interface.
It will take several seconds for Snort to start. Once it has started, the icon will change to as shown below. To stop a running Snort instance on an interface, click the icon.
Select which types of signatures will protect the network
Click the Rules tab for the interface to configure individual rules in the enabled categories. Generally this page is only used to disable particular rules that may be generating too many false positives in a particular network environment. Be sure they are in fact truly false positives before taking the step of disabling a Snort rule!
Select a rules category from the Category drop-down to view all the assigned rules. Click the or icon at the far left of a row to toggle the rule's state from enabled to disabled, or click or to toggle from disabled to enabled. The icon will change to indicate the state of the rule. At the top of the rule list is a legend showing the icons used to indicate the current state of a rule.
Define servers to protect and improve performance
Managing blocked hosts
The Blocked tab shows what hosts are currently being blocked by Snort (when the block offenders option is selected on the Interface Settings tab). Blocked hosts can be automatically cleared by Snort at one of several pre-defined intervals. The blocking options for an interface are configured on the Snort Interface Settings tab for the interface.
Managing Pass Lists
Pass Lists are lists of IP addresses that Snort should never block. These may be created and managed on the Pass Lists tab. When an IP address is listed on a Pass List, Snort will never insert a block on that address even when malicious traffic is detected.
To create a new Pass List, click . To edit an existing Pass List, click the . To delete a Pass List, click . Note that a Pass List may not be deleted if it is currently assigned to one or more Snort interfaces.
A default Pass List is automatically generated by Snort for every interface, and this default list is used when no other list is specified. Pass Lists are assigned to an interface on the Interface Settings tab.
A customized Pass List may be created and assigned to an interface. This might be done when trusted external hosts exist that are not located on networks directly connected to the firewall. To add external hosts in this manner, first create an Alias under Firewall > Aliases and then assign that alias to the Assigned Aliases field. In the example shown below, the alias "Friendly_ext_hosts" has been assigned. This alias would contain the IP addresses of the trusted external hosts.
When creating a custom Pass List, leave all the auto-generated IP addresses checked in the Add auto-generated IP addresses section. Not selecting the checkboxes in this section can lead to blocking of critical addresses including the firewall interfaces themselves. This could result in being locked out of the firewall over the network! Only uncheck boxes in this section when absolutely necessary.
Click the ALIASES button to open a window showing previously defined aliases for selection. Remember to click SAVE to save changes.
Note
Remember that simply creating a Pass List is only the first step! It must be selected by going to the Interface Settings tab for the Snort interface and assigning the newly created Pass List as shown below. After assigning and saving the new Pass List, restart Snort on the affected interface to pick up the change.
Alert Thresholding and Suppression
Suppression Lists allow control over the alerts generated by Snort rules. When an alert is suppressed, Snort no longer logs an alert entry (or blocks the IP address if block offenders is enabled) when a particular rule fires. Snort still inspects all network traffic against the rule, but even when traffic matches the rule signature, no alert will be generated. This is different from disabling a rule. When a rule is disabled, Snort no longer tries to match it to any network traffic. Suppressing a rule might be done in lieu of disabling the rule when alerts should only be stopped based on either the source or destination IP. For example, to suppress the alert when traffic from a particular trusted IP address is the source. If any other IP is the source or destination of the traffic, the rule would still fire. To eliminate all alerts from the rule, it is more efficient to simply disable the rule rather than to suppress it. Disabling the rule will remove it from Snort's list of match rules and therefore makes for less work Snort has to do.
On the Suppress List Edit page, a new suppress list entry may be manually added or edited. It is usually easier and faster to add suppress list entries by clicking shown with the alert entries on the Alerts tab. Remember to click the SAVE button to save changes when manually editing Suppress List entries.
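The following is an added example, not part of the pfSense documentation or the package's own code. It renders suppress entries in the threshold.conf syntax Snort reads (gen_id 1 is the rules engine) and walks a constructed batch of alerts through the two semantics described above: a suppressed rule still matches but is not logged or blocked for the tracked address, while a disabled rule is never evaluated at all. Alert data and the second sid are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    sid: int
    src: str
    dst: str
    msg: str


# Constructed alerts: three firings of the tutorial's ICMP rule (sid 477) and one of a
# hypothetical rule (sid 1000001). Addresses come from documentation ranges, not real hosts.
SAMPLE_ALERTS = [
    Alert(477, "192.0.2.10", "198.51.100.5", "ICMP Packet"),
    Alert(477, "192.0.2.10", "198.51.100.9", "ICMP Packet"),
    Alert(477, "203.0.113.7", "198.51.100.5", "ICMP Packet"),
    Alert(1000001, "203.0.113.7", "198.51.100.5", "hypothetical rule"),
]


def suppress_line(sid: int, track: str, ip: str) -> str:
    """Render one suppress entry in Snort's threshold.conf syntax."""
    if track not in ("by_src", "by_dst"):
        raise ValueError("track must be by_src or by_dst")
    return f"suppress gen_id 1, sig_id {sid}, track {track}, ip {ip}"


def evaluate(alerts, suppress_entries, disabled_sids):
    """Return (logged alerts, count matched-but-suppressed, count never evaluated).

    suppress_entries is a set of (sid, track, ip) tuples; disabled_sids a set of sids.
    """
    logged, suppressed, skipped = [], 0, 0
    for a in alerts:
        if a.sid in disabled_sids:
            skipped += 1        # disabled: the rule is not in Snort's match set at all
            continue
        keys = {(a.sid, "by_src", a.src), (a.sid, "by_dst", a.dst)}
        if keys & suppress_entries:
            suppressed += 1     # suppressed: rule matched, but no alert/block is recorded
            continue
        logged.append(a)
    return logged, suppressed, skipped
```

Suppressing sid 477 by source for one trusted host still leaves the rule firing for every other source, which is the case the text gives for preferring suppression over disabling.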
Getting to know the alerts
The Alerts tab is where alerts generated by Snort are viewed. If Snort is running on more than one interface, choose the interface whose alerts should be viewed in the drop-down selector.
Use the DOWNLOAD button to download a gzip tar file containing all of the logged alerts to a local machine. The CLEAR button is used to erase the current alerts log. Destination IPs have been redacted from the screenshot.
Alert Details
The Date column shows the date and time the alert was generated. The remaining columns show data from the rule that generated the alert.
In the Source and Destination columns are icons for performing reverse DNS lookups on the IP addresses as well as a icon used to add an automatic Suppress List entry for the alert using the IP address and SID (signature ID). This will prevent future alerts from being generated by the rule for that specific IP address only. If either of the Source or Destination addresses are currently being blocked by Snort, then a icon will also be shown. Clicking that icon will remove the block for the IP address.
The SID column contains two icons. The icon will automatically add that SID to the Suppress List for the interface and suppress future alerts from the signature for all IP addresses. The icon in the SID column will disable the rule and remove it from the enforcing rule set. When a rule is manually disabled, the icon in the SID column changes to .
Application ID detection with OpenAppID
OpenAppID is an application-layer network security plugin for the open source intrusion detection system Snort. Learn more about it here.
Enabling OpenAppID and its rules is done from Snort Global Settings. Select both checkboxes to enable detectors and rules download. Save the page.
After enabling the detectors and rules, go to the Snort Updates tab and click on Update Rules. Wait for all the rules to update. Once done, the page will show that the OpenAppID detectors and rules have been updated.
The following steps assume the firewall already has a Snort interface for LAN. Edit the LAN interface and navigate to the LAN Categories tab. When there, make sure the Snort OPENAPPID Rules from the right column are all selected and click Save.
Lastly, while still editing the Snort interface, navigate to the LAN Preprocessor tab.
Scroll down to the Application ID Detection section and select both the Enable and AppID Stats Logging checkboxes. Save the page and OpenAppID will be activated on the Snort interface.
Viewing detected applications can be done from the Alerts tab. The following screenshots are examples of identified services and applications:
Netflix
Amazon Web Services
iCloud
Known issues
See also
The pfSense bug tracker contains a list of known issues with this package.
Package Support
This package is currently supported by Netgate TAC to those with an active support subscription.