Using IDS rules to test Snort


JP Vossen, CISSP
05.05.2005



What you will learn from this tip: Several methods for testing Snort over the wire to ensure the intrusion-detection system is working properly.

Is your new Snort system running too quietly? Whether you're new to using Snort or you've deployed it on a new platform -- a low-noise level may have you worried. It could be a tightly-tuned (or too tightly-tuned) system, or you may have the IDS residing on a quiet network segment. Fortunately, several methods exist for testing Snort over the wire to ensure it's working properly in your environment.

To start, you can run it in sniffer mode from the command line, which will confirm that the network card is working properly, that a span port is enabled (see How to deal with switches and segments) and that Snort is actually seeing traffic. If you're using more than one network interface card (NIC) (see How to determine how many interfaces a sensor needs), you'll need to tell Snort exactly which one to use. To find the name of the interface in Linux/Unix, use ifconfig; in Windows, use snort -W. Then use snort -vi (interface name), for example snort -vi eth1 in Linux or snort -vi 2 in Windows, to tell Snort which NIC to sniff. If everything is working you'll get a stream of packet header information (similar to tcpdump/windump) scrolling up the screen faster than you can read it. Press CTRL-C to stop the capture and review packet statistics such as the number of packets analyzed, a breakdown by protocol, fragmentation and more. Also experiment with the -d (dump) and -q (quiet) switches to see how they affect the output.

You can manually check Snort using some simple test rules. In order for this test to work, you'll need to add one or more of these rules to your setup. The easiest way to do that is to add them to the bottom of your snort.conf file, though you could also create a test.rules file and 'include' that in snort.conf. You must also have the ability to send packets from a network defined as $EXTERNAL_NET into the network defined as $HOME_NET (see your snort.conf file and How to define Snort's configuration variables).

The first two Snort rules should generate an alert upon seeing any IP or ICMP packet, respectively. Since they will trigger on almost every single packet on the network, these aren't rules you want to run on a heavily loaded production segment! Run them on a smaller or test segment if necessary. The last rule is a copy of SID (rule) 499 (note that Snort.org reserves SIDs 1-1,000,000 for "official" rules; see the Snort User's Manual at Snort.org), modified to make it much looser so that it generates more alerts for our testing purposes. Normally you'll want to avoid loose rules, since they lead to false positives. Also, the original rule has been deprecated and now lives in the deleted.rules file. To exercise the modified rule above, run ping -s 1024 {target host} (Linux) or ping -l 1024 {target host} (Windows). If none of these tests work, then Snort likely isn't working and/or packets aren't getting through. Don't forget to remove your test rules when you are finished.

Finally, Snort has a test switch (-T), which allows you to easily test proposed changes to your configuration. You can run a command like snort -c /etc/snort/snort.conf -T and read the output to see if the configuration works. Snort will also set a return code of 0 if it worked and anything else (usually 1) if it failed. This can be illustrated by running one of these two commands: snort -c /etc/snort/snort.conf -T ; echo "Return code: $?" (Linux; note that a single & would background Snort and always print 0) or snort -c ./Snort.conf -T & echo Return code: %ERRORLEVEL% (Windows). Since you can always run more than one copy of Snort, you can keep one instance running, make and test configuration changes using another, and then stop the production process and immediately restart it to implement your changes once they are tested.
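The test-rule and -T procedure above, as an added shell example that is not part of the original tip. The three rules, their SIDs (1000001-1000003, chosen from the local range above Snort.org's reserved block), the 64-byte dsize threshold used to loosen the large-ICMP rule, and the snort.conf path are all this example's own assumptions, not the author's rules.

```bash
#!/bin/sh
# Added example: write temporary Snort test rules to their own file, include that
# file from snort.conf exactly once, and validate the result with 'snort -T'.
# Assumptions: SIDs 1000001-1000003 are unused locally, snort.conf is at
# $SNORT_CONF, and the 64-byte dsize threshold is our own loosened choice.

SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"

# Write the three test rules to the file named by $1 (quoted heredoc, so the
# $HOME_NET / $EXTERNAL_NET variables reach Snort unexpanded).
write_test_rules() {
    cat > "$1" <<'EOF'
# TEMPORARY TEST RULES: remove this file and its include when finished.
# Fires on every IP packet entering $HOME_NET - far too noisy for production.
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"TEST any IP packet"; sid:1000001; rev:1;)
# Fires on every ICMP packet entering $HOME_NET.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"TEST any ICMP packet"; sid:1000002; rev:1;)
# Loosened large-ICMP rule: any ICMP payload over 64 bytes, so
# 'ping -s 1024 <host>' (Linux) or 'ping -l 1024 <host>' (Windows) triggers it.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"TEST large ICMP packet"; dsize:>64; sid:1000003; rev:1;)
EOF
}

# Count the active (non-comment) rules in a rules file, to confirm the write.
count_rules() {
    grep -c '^alert ' "$1"
}

# Append 'include <rules file>' ($1) to a snort.conf ($2) only if absent.
include_rules() {
    grep -qxF "include $1" "$2" || printf 'include %s\n' "$1" >> "$2"
}

# Run the configuration test and report Snort's return code (0 means OK).
# Uses ';' rather than '&': a lone '&' would background snort and print 0.
validate_config() {
    snort -c "$1" -T >/dev/null 2>&1 ; rc=$?
    echo "Return code: $rc"
    return $rc
}

# Run end to end only when asked, so sourcing this file stays side-effect free.
if [ "${1:-}" = "run" ]; then
    write_test_rules /etc/snort/rules/test.rules
    echo "Wrote $(count_rules /etc/snort/rules/test.rules) test rules"
    include_rules /etc/snort/rules/test.rules "$SNORT_CONF"
    validate_config "$SNORT_CONF"
fi
```

Run it as `sh test_snort.sh run` on the sensor; once validate_config reports 0, the alerts from a ping described above confirm Snort is seeing traffic, after which the test.rules include should be removed again.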

One other note on testing Snort over the wire: Some older rules use TCP header flags to see if packets are part of an established TCP session. Newer rules use the established keyword (see Where to find Snort rules). In either case, you can't simply use Netcat to put the expected TCP packet payload out on the wire and expect Snort to "see" it -- the payload must appear as part of an established TCP session, in the appropriate direction, before Snort will trigger an alert. The "established" keyword is great for reducing false positives, but can be very confusing when trying to test Snort, which is why we used ICMP or custom rules above.
