Snort, part 1: Sniffer & Logger Modes (TryHackMe)

I initially wanted to do a single article on TryHackMe’s first Snort room but halfway through it, I realized how long it was – so I decided to split it into two (or three) parts. Here’s the first one!
Introduction
In my previous article, when discussing Network security, we talked about Intrusion Detection and Prevention as key elements of threat control. Today, we’ll go deeper into IDS/IPS as we’ll have our first look at Snort. Snort is both a NIDS/NIPS and is open-source. Its IPS “uses a series of rules that help define malicious network activity and uses those rules to find packets that match against them and generate alerts for users."
Snort is based on three main detection and prevention techniques:
Signature-based: identifies patterns (signatures) of known malicious behaviour. This is the classic way of detecting a threat and is what most antivirus solutions do; because the patterns are known, today’s attackers try to avoid reproducing them.
Behaviour-based: after a training period (baselining), this model learns what normal, known behaviour looks like on a given network and compares new traffic against it to spot abnormal or unknown behaviour. This is useful for detecting previously unknown/new threats.
Policy-based: aims to identify security policy violations through system configuration.
Snort has three main use models: Sniffer mode (reads IP packets), Packet Logger mode (logs inbound and outbound packets), and IDS and IPS modes.
To give Snort more power, you can use a configuration file, that is, a management file with all the plugins, rules, detection mechanisms, default actions, and settings. You can use different configuration files for different situations: but note that you can use only one file at a time. You can find Snort’s original base files in the /etc/snort folder.
1.1 Running the virtual machine
Once the virtual machine loads, you’ll have to run two terminal windows: one for snort and one for the traffic generator (the VM is offline so you’ll have to run a script called traffic-generator.sh). I recommend becoming root in the first window (with “sudo su”) to avoid running as sudo every time. To run the traffic generator, you have to navigate to /Desktop/Task-Exercises.
1.2 First parameters
You can test the configuration before you start. This means you need a parameter for the test and another for the configuration – quite easy, isn’t it? In practice: run Snort, give it the configuration parameter followed by the path to the configuration file, and then add the test parameter! Because you’re already root, you won’t need to type sudo to do so.
snort -c /etc/snort/snort.conf -T
Running this command will give you the build number, as well as the number of rules it loaded. You can then test it again, but with /etc/snort/snortv2.conf:
snort -c /etc/snort/snortv2.conf -T
You can then scroll and check the number of rules within this second build.
Make sure your configuration file works – especially if you’ve edited it and you’re still getting comfortable with Snort (like me). Otherwise, you may have to reinstall Snort and… running just one command is easier and faster!
Not working for you? Make sure:
Snort is case sensitive – make sure you’ve got every letter right
Respect the spaces between the parameters
Make sure you’re root – if not, make sure you enter “sudo” every time
Sniffer mode
You can view various data about the packets you’ve captured by using different parameters: “-v”, “-d”, “-e” and “-X”, each explained in the sections below.
You can also combine these parameters:
snort -v
snort -vd
snort -de
snort -v -d -e
snort -X
2.1 Verbose mode
First, run Snort with the verbose parameter:
snort -v
Then go to the second terminal and run the traffic generator as sudo (navigate to the corresponding folder first):
sudo ./traffic-generator.sh
From there, choose ICMP traffic (or HTTP traffic). A window will open – let it load until it closes itself. Now go back to the first terminal (where you ran Snort) and interrupt the sniffing (with CTRL+C).
What’s cool about Snort is that you’ll get a little summary of everything found once you interrupt the process, unlike with tcpdump. However, to understand the data, you need knowledge about network protocols and how packets are built.
2.2 Now let’s try the “-i” parameter.
It’s used to define a specific interface to listen to, unless you have only one interface – in this case, Snort will use it by default. Here, we will go for the “eth0” interface and start Snort in verbose mode:
snort -v -i eth0
You still have to generate traffic so you can follow the steps described in the section above about the verbose mode.
2.3 Another parameter to try is “-d”:
This is the packet data dumping mode, which means you’ll get the actual content of the packet – this is something we can also see when using Wireshark.
snort -d
You can also go for the “-de” parameter: dump (-d) and link-layer header grabbing (-e) mode:
snort -de
To make those modes work, you still have to run the traffic generator in the second terminal window.
2.4 The “-X” parameter
It will give you even more information (a full hex and ASCII dump of each packet): it’s very useful if you know what you’re looking for. But then again, you need to know how to read packets. This is also similar to Wireshark.
snort -X
(don’t forget the traffic generator to test the -X parameter)
With all that being said, it’s worth noting that if you capture packets with Snort, you’ll be able to open them with Wireshark as well!
Logger mode
This mode allows packets to be stored. However, it is worth noting that if you log everything blindly from your network (without having a strategy about it), you’ll end up with an incredible amount of data that will be impossible to process.
When it comes to logfile ownership, the user who created the file owns it. Snort needs superuser rights (sudo) to sniff packets, and since that is how you run it, the root account will own the logfile: this is why I preferred becoming root from the beginning (out of laziness). You can also change the ownership of a file with sudo chown username file, or of a whole directory with sudo chown -R username directory.
Now let’s play with this mode!
3.1 “-l” parameter:
TryHackMe goes for running Snort as sudo – but we’re already root, so let’s just run the command:
snort -dev -l .
Breaking it down:
“-dev”: “-d” + “-e” + “-v”
“-l .”: log in the current directory. You can also configure the default output directory in the snort.conf file, or use “-l” to override it with the directory of your choice (here: the current directory).
Once you run the command above, run the traffic generator (ICMP/HTTP) in the second terminal. When the new window closes itself, go back to the first terminal and press CTRL+C. Because we decided to log the packets in the current directory, you can directly run the ls command. You’ll find the log file there. You can open it with tcpdump or Wireshark as well, and they will present the file in a human-readable style.
3.2 “-K ASCII” parameter:
This will save the data in a “human-readable way”. However, the quantity of data will be incredible, especially given that you’ll get a different folder per IP, which can lead to an overwhelming number of folders. Sticking with the plain “-l” (binary) log and then opening it, for example, with Wireshark is a great alternative.
snort -dev -K ASCII -l .
You should also keep in mind that while Snort can read its own binary logs back (see the “-r” parameter below), it can’t read the “-K ASCII” output back in the same way.
3.3 “-r” parameter:
This parameter reads a binary log file and presents it in a human-readable way. You’ll just have to add the logfile name after the parameter, in my case: snort.log.1755532856.
snort -r snort.log.1755532856
With this parameter, you can also limit the number of packets, for example, to the first 10 packets.
snort -dvr logname.log -n 10
You can also combine it with other parameters, such as “-X”, or with Berkeley Packet Filters (BPF) to keep only the packets you care about:
snort -r logname.log -X
snort -r logname.log icmp
snort -r logname.log tcp
snort -r logname.log 'udp and port 53'
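To show what “-r”, “-n” and a BPF filter actually do to a snort.log.* file, here is an added example (my own code, not from the TryHackMe room or the Snort project) that parses such a log and applies the same filters used above. It assumes the log is a standard little-endian libpcap file with Ethernet frames, supports only a tiny subset of BPF (protocol names and “port N”), and applies the “-n” limit after the filter, which is my assumption about how libpcap delivers filtered packets; the sample log at the bottom is constructed inline.

```python
import struct

# snort.log.<epoch> files are plain libpcap captures; the sample log below is constructed.
def parse_pcap(blob):  # one dict per packet from a little-endian libpcap blob
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", blob[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet frames")
    off, pkts = 24, []
    while off + 16 <= len(blob):
        _sec, _usec, incl, _orig = struct.unpack("<IIII", blob[off:off + 16])
        pkts.append(decode_frame(blob[off + 16:off + 16 + incl]))
        off += 16 + incl
    return pkts
def decode_frame(frame):  # Ethernet -> IPv4 -> ICMP/TCP/UDP: only what the filters need
    if frame[12:14] != b"\x08\x00":  # EtherType other than IPv4
        return {"proto": "other"}
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    pkt = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
           "proto": {1: "icmp", 6: "tcp", 17: "udp"}.get(proto, str(proto))}
    if pkt["proto"] in ("tcp", "udp"):  # ports are the first 4 bytes of both headers
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return pkt

def matches(pkt, bpf):
    """Tiny BPF subset: '', 'icmp', 'tcp', 'udp', 'tcp port 80', 'udp and port 53'."""
    toks = bpf.replace(" and ", " ").split()
    protos = [t for t in toks if t in ("icmp", "tcp", "udp")]
    ports = [int(n) for t, n in zip(toks, toks[1:]) if t == "port"]
    if len(protos) + 2 * len(ports) != len(toks):
        raise ValueError("unsupported filter: " + bpf)
    return all(pkt["proto"] == p for p in protos) and \
        all(n in (pkt.get("sport"), pkt.get("dport")) for n in ports)
def read_log(blob, bpf="", limit=None):  # like `snort -r log [-n N] ['bpf']`; -n after filter
    hits = [p for p in parse_pcap(blob) if matches(p, bpf)]
    return hits if limit is None else hits[:limit]

def _frame(proto, src, dst, payload):  # constructed Ethernet+IPv4 frame, zero MACs/checksum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload
def _pcap(frames):  # little-endian pcap global header + one 16-byte record header per frame
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
        struct.pack("<IIII", 1755532856 + n, 0, len(f), len(f)) + f for n, f in enumerate(frames))
SAMPLE_LOG = _pcap([  # ICMP echo request, DNS query, HTTP SYN and the SYN/ACK coming back
    _frame(1, "10.0.0.5", "10.0.0.1", b"\x08\x00\xf7\xff\x00\x01\x00\x01"),
    _frame(17, "10.0.0.5", "10.0.0.53", struct.pack("!HHHH", 40123, 53, 8, 0)),
    _frame(6, "10.0.0.5", "10.0.0.80", struct.pack("!HHIIBBHHH", 51234, 80, 1, 0, 0x50, 2, 8192, 0, 0)),
    _frame(6, "10.0.0.80", "10.0.0.5", struct.pack("!HHIIBBHHH", 80, 51234, 7, 2, 0x50, 0x12, 8192, 0, 0)),
])
```

Running read_log(SAMPLE_LOG, "tcp port 80") returns both HTTP packets because BPF’s “port” matches either the source or the destination port, which is exactly why the summary count in the last exercise includes replies as well as requests.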
3.4 Exercises
Now let’s jump to the questions! Navigate to /Task-Exercises/Exercise-Files/TASK-6/ in the first terminal window.
Question 1: start Snort, then the traffic generator and choose TASK-6. Once the file closes, terminate the process in the first terminal window and navigate to folder 145.254.160.237. You’ll find the source port connected to port 53.
Question 2: from there, you can just run the “snort -r snort.log.1640048004 -n 10” command. Scroll up to the 10th packet and search for the ID number.
Question 3: the next question is about the referrer of the 4th packet – so you’ll need more information about the content of the packet. To save you some headache, you can directly run “snort -dvr snort.log.1640048004 -n 4” or “snort -r snort.log.1640048004 -n 4 -X”. Either way, from there, scroll up to the 4th packet and search for the referrer.
Question 4: to get the Ack number of the 8th packet, just run “snort -r snort.log.1640048004 -n 8” and scroll up to the 8th packet.
Question 5: you just need to run “snort -r snort.log.1640048004 'tcp port 80'”. As Snort gives you a summary of the process, you’ll find the number of TCP port 80 packets at the bottom of the summary.
See you soon for part 2!
