#155 Linux  07.01.2008

How to test SNORT




After a successful SNORT installation, some prepared TCP/IP packets should be sent to the system to make sure SNORT generates alerts as expected. I use the hping3 program to generate the packets and send them to the machine on which the SNORT sensor runs. Each packet must trigger an alert according to the SNORT rule involved. This article describes a basic test for one SNORT rule; the goal is simply to make sure that SNORT is working at all.

First we edit the main configuration file. The changes below are only for the test, so save the edited copy as /etc/snort/snorttest.conf (the file we start SNORT with later) rather than overwriting snort.conf.
vi /etc/snort/snort.conf

I want to test the SNORT installation from within my LAN, so I temporarily change the following two variables to "any". Otherwise some alerts may not be generated during the test: each SNORT rule carries its own source and destination network, and most rules expect the malicious data to arrive from $EXTERNAL_NET, which means from outside the LAN if that variable is defined as !$HOME_NET.
var HOME_NET  any
var EXTERNAL_NET  any

As you can see at the end of /etc/snort/snort.conf, many of the rule sets are disabled by default, e.g. shellcode.rules. In this test I want to trigger an alert for a shellcode rule, so we have to include that rule file in the test configuration ($RULE_PATH must point at the directory that contains it):
include $RULE_PATH/shellcode.rules

Finally we start SNORT with the test configuration as a daemon (-D), running under the group snort (-g), and let it log into /var/log/snorttest. The log directory must already exist and be writable, otherwise SNORT refuses to start. In a second terminal we follow the alert file:
snort -c /etc/snort/snorttest.conf -l /var/log/snorttest -g snort -D
tail -f /var/log/snorttest/alert


On the "attacking" host we will run hping3 to generate the packets. But first I want to see whether a port scan is recognized. This is very simple to test and should wake up SNORT in any case: an nmap port scan is detected by the sfPortscan preprocessor. Preprocessors analyse or prepare the data before the detection engine applies any rules.
nmap 192.168.1.37

On the target host the output of "tail -f /var/log/snorttest/alert" should look like this:
[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
01/30-12:04:19.987193 192.168.1.34 -> 192.168.1.37
PROTO:255 TTL:0 TOS:0x0 ID:15626 IpLen:20 DgmLen:162

The next step is to test the following rule from shellcode.rules:
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 NOOP"; \
 content:"AAAAAAAAAAAAAAAAAAAAAAAAA"; classtype:shellcode-detect; sid:1394; rev:8;)

This rule triggers an alert for IP packets that come from the network $EXTERNAL_NET (any in our test) with any source port and go to the network $HOME_NET (any in our test) with any destination port, and whose payload contains the string "AAAAAAAAAAAAAAAAAAAAAAAAA" (25 bytes of 0x41, the x86 "inc ecx" instruction commonly used as NOOP-sled filler). Note that the rule has no flow option, so it also matches a single packet that does not belong to an established TCP connection, which is exactly what hping3 will send.

On the attacking host we create such a packet by first putting the desired payload into a text file. The editor adds a trailing newline, so the file is 26 bytes long: 25 bytes of "A" plus the newline.
vi payload.txt
AAAAAAAAAAAAAAAAAAAAAAAAA

Then we create a packet with the following properties and send it to 192.168.1.37:
TCP PUSH flag set, interface eth0, source port 3434, destination port 81, payload size 26 bytes, payload data taken from payload.txt
hping3 -P -I eth0 -s 3434 -p 81 -d 26 -E ./payload.txt 192.168.1.37

Two things to keep in mind about hping3: -I (capital i) selects the interface, whereas -i sets the interval between packets; and without -c hping3 keeps sending one packet per second until it is interrupted, incrementing the source port for every packet unless -k is given, so each packet produces its own alert.


On the SNORT host, "tail -f /var/log/snorttest/alert" shows that SNORT raised the alert for sid 1394 (generator 1, revision 8), which is exactly the rule we wanted to test:
[**] [1:1394:8] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
01/30-12:58:06.080786 192.168.1.34:3424 -> 192.168.1.37:81
TCP TTL:64 TOS:0x0 ID:10170 IpLen:20 DgmLen:66
****P*** Seq: 0x55AD333C  Ack: 0x39FD9F2B  Win: 0x200  TcpLen: 20
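Reading the alert file by eye is fine for one rule, but the same check is easy to script. The following Python program is an added example written for this article (it is not part of Snort or hping3): on the attacking host it writes payload.txt and runs the hping3 command from above, and on the SNORT host it parses the full alert format shown above and reports whether sid 1394 fired against port 81. It assumes the file name payload.txt and the alert layout exactly as printed in this article, and it adds two hping3 options the article does not use, -c 1 (send a single packet) and -k (keep the source port fixed). The embedded sample alert log is a constructed copy of the two records shown above.

```python
#!/usr/bin/env python3
"""Driver for the SNORT/hping3 test: build the payload and hping3 command on the
attacking host, parse the alert file on the SNORT host and confirm the expected sid.
Added example for this article, not part of Snort or hping3."""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional

# 25 x 0x41 ('A', x86 "inc ecx") plus the newline vi appends: 26 bytes, the value for hping3 -d.
PAYLOAD = b"A" * 25 + b"\n"


@dataclass
class Alert:
    """One record of Snort's full alert log."""
    gid: int
    sid: int
    rev: int
    msg: str
    priority: Optional[int] = None
    src: str = ""
    dst: str = ""
    sport: Optional[int] = None   # None for sfPortscan pseudo packets
    dport: Optional[int] = None
    proto: str = ""


# [**] [1:1394:8] SHELLCODE x86 NOOP [**]
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
# 01/30-12:58:06.080786 192.168.1.34:3424 -> 192.168.1.37:81  (ports are absent for portscan events)
ADDR_RE = re.compile(r"^\d\d/\d\d-[\d:.]+ (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")
# "TCP TTL:64 ..." for real packets, "PROTO:255 TTL:0 ..." for the sfPortscan pseudo packet
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP|PROTO:\d+)\b")


def parse_alerts(text: str) -> List[Alert]:
    """Split the alert file into records; each record starts with a [**] header line."""
    alerts: List[Alert] = []
    cur: Optional[Alert] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = Alert(int(m[1]), int(m[2]), int(m[3]), m[4])
            alerts.append(cur)
            continue
        if cur is None:
            continue
        m = PRIORITY_RE.search(line)
        if m:
            cur.priority = int(m[1])
            continue
        m = ADDR_RE.match(line)
        if m:
            cur.src, cur.dst = m[1], m[3]
            cur.sport = int(m[2]) if m[2] else None
            cur.dport = int(m[4]) if m[4] else None
            continue
        m = PROTO_RE.match(line)
        if m:
            cur.proto = m[1]
    return alerts


def find_alerts(alerts: List[Alert], sid: int, src=None, dst=None, dport=None) -> List[Alert]:
    """Alerts for a sid, optionally restricted to source host, target host and target port."""
    return [a for a in alerts
            if a.sid == sid
            and (src is None or a.src == src)
            and (dst is None or a.dst == dst)
            and (dport is None or a.dport == dport)]


def payload_size() -> int:
    """Size to pass to hping3 -d: 26 bytes."""
    return len(PAYLOAD)


def write_payload(path: str) -> int:
    """Write payload.txt exactly as the vi session in the article does; returns its size."""
    with open(path, "wb") as f:
        f.write(PAYLOAD)
    return payload_size()


def hping3_argv(target: str, payload_path: str, size: int,
                sport: int = 3434, dport: int = 81, iface: str = "eth0") -> List[str]:
    """The article's hping3 command plus -c 1 (one packet) and -k (fixed source port)."""
    return ["hping3", "-P", "-c", "1", "-k", "-I", iface, "-s", str(sport),
            "-p", str(dport), "-d", str(size), "-E", payload_path, target]


# Constructed sample: the two alert records shown in the article.
SAMPLE_ALERT_LOG = """\
[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
01/30-12:04:19.987193 192.168.1.34 -> 192.168.1.37
PROTO:255 TTL:0 TOS:0x0 ID:15626 IpLen:20 DgmLen:162

[**] [1:1394:8] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
01/30-12:58:06.080786 192.168.1.34:3424 -> 192.168.1.37:81
TCP TTL:64 TOS:0x0 ID:10170 IpLen:20 DgmLen:66
****P*** Seq: 0x55AD333C  Ack: 0x39FD9F2B  Win: 0x200  TcpLen: 20
"""


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "send":      # on the attacking host, needs root
        size = write_payload("payload.txt")
        subprocess.run(hping3_argv(sys.argv[2], "./payload.txt", size), check=True)
    elif len(sys.argv) == 3 and sys.argv[1] == "check":   # on the SNORT host
        with open(sys.argv[2]) as f:
            hits = find_alerts(parse_alerts(f.read()), sid=1394, dport=81)
        for a in hits:
            print(f"sid {a.sid} rev {a.rev}: {a.src}:{a.sport} -> {a.dst}:{a.dport} ({a.msg})")
        sys.exit(0 if hits else 1)
    else:
        sys.exit("usage: snorttest.py send <target-ip> | check <alert-file>")
```

Run `snorttest.py send 192.168.1.37` on the attacking host and `snorttest.py check /var/log/snorttest/alert` on the SNORT host; the exit status of the check is 0 only if the expected alert is present, so the script can be dropped into a post-installation test suite. The parser also copes with the sfPortscan pseudo-packet record, which has no ports and a PROTO:255 line instead of a TCP line.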

