Working with Snort Rules

• By Rafeeq Ur Rehman
• Sep 19, 2003
• Sample Chapter is provided courtesy of Prentice Hall Professional

This chapter is from the book
Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID

Like viruses, most intruder activity has some sort of signature. Information about these signatures is used to create Snort rules. As mentioned in Chapter 1, you can use honey pots to find out what intruders are doing and information about their tools and techniques. In addition to that, there are databases of known vulnerabilities that intruders want to exploit. These known attacks are also used as signatures to find out if someone is trying to exploit them. These signatures may be present in the header parts of a packet or in the payload. Snort's detection system is based on rules. These rules in turn are based on intruder signatures. Snort rules can be used to check various parts of a data packet. Snort 1.x versions can analyze layer 3 and 4 headers but are not able to analyze application layer protocols. Upcoming Snort version 2 is expected to add support of application layer headers as well. Rules are applied in an orderly fashion to all packets depending on their types.

A rule may be used to generate an alert message, log a message, or, in terms of Snort, pass the data packet, i.e., drop it silently. The word pass here is not equivalent to the traditional meaning of pass as used in firewalls and routers. In firewalls and routers, pass and drop are opposite to each other. Snort rules are written in an easy to understand syntax. Most of the rules are written in a single line. However you can also extend rules to multiple lines by using a backslash character at the end of lines. Rules are usually placed in a configuration file, typically snort.conf. You can also use multiple files by including them in a main configuration file.

This chapter provides information about different types of rules as well as the basic structure of a rule. You will find many examples of common rules for intrusion detection activity at the end of this chapter. After reading this chapter, along with the two preceding chapters, you should have enough information to set up Snort as a basic intrusion detection system.

3.1 TCP/IP Network Layers

Before you move to writing rules, let us have a brief discussion about TCP/IP layers. This is important because Snort rules are applied on different protocols in these layers.

TCP/IP is a five layer protocol. These layers interact with each other to make the communication process work. The names of these layers are:

1. The physical layer.

2. The data link layer. In some literature this is also called the network interface layer. The physical and data link layers consist of physical media, the network interface adapter, and the driver for the network interface adapter. Ethernet addresses are assigned in the data link layer.

3. The network layer, which is actually IP (Internet Protocol) layer. This layer is responsible for point-to-point data communication and data integrity. All hosts on this layer are distinguished by IP addresses. In addition to IP protocol, ICMP (Internet Control Message Protocol) is another major protocol in this layer. Information about IP protocol is available in RFC 791 available at http://www.rfc-editor.org/rfc/rfc791.txt. Information about ICMP protocol is available at http://www.rfc-editor.org/rfc/rfc792.txt.

4. The transport layer, which is actually TCP/UDP layer in the TCP/IP protocol. TCP (Transmission Control Protocol) is used for connection-oriented and reliable data transfer from source to destination. UDP (User Datagram Protocol), on the other hand, is used for connectionless data transfer. There is no assurance that data sent through UDP protocol will actually reach its destination. UDP is used where data loss can be tolerated. Information about UDP protocol is available in RFC 768 at http://www.rfc-editor.org/rfc/rfc768.txt. Information about TCP protocol is available in RFC 793 at http://www.rfc-editor.org/rfc/rfc793.txt.

5. The application layer consists of applications to provide user interface to the network. Examples of network applications are Telnet, Web browsers, and FTP clients. These applications usually have their own application layer protocol for data communication.

Snort rules operate on network (IP) layer and transport (TCP/UDP) layer protocols. However there are methods to detect anomalies in data link layer and application layer protocols. The second part of each Snort rule shows the protocol and you will learn shortly how to write these rules.