What is SNORT
Snort is the most widely used open-source Intrusion Prevention System (IPS). It loads a set of rules that describe malicious or unwanted network activity, compares every packet it sees against those rules, and generates an alert for each match (and, when running inline, can drop the packet).
Martin Roesch created Snort in 1998; it is now maintained by Cisco, which acquired Roesch's company Sourcefire in 2013. Snort 2 is written in C and is free, open-source software (Snort 3 was rewritten in C++). Besides IDS/IPS use it can run as a plain packet sniffer or packet logger, showing network traffic in real time.
How does Snort work?
Snort reads packets from a network interface or a capture file, decodes them, passes them through preprocessors that reassemble TCP streams and normalize protocols such as HTTP, and then matches the result against its loaded rules. Each rule has a header (action, protocol, source and destination addresses and ports) and a set of options: the payload content to look for, flow and rate conditions, a human-readable message and a unique signature ID (sid). A match produces an alert in real time; when Snort runs inline as an IPS it can also drop the offending packet before it reaches the target. Because rules are plain text, they can describe anything from a denial-of-service flood, to a SQL injection string in a web request, to the SMB traffic used by an exploit such as ETERNALBLUE, and operators add local rules for conditions specific to their own network.
Installing Snort
To get started quickly we recommend Snort 2.9, which is packaged in the Ubuntu 22.04 repositories, so installation is a plain apt-get install. The package asks for the interface to listen on and for the HOME_NET address range during installation; the configuration lands in /etc/snort/snort.conf.
Practical Examples
Here are some practical examples of how Snort can be used:
1. Detecting and blocking network attacks: with suitable rules Snort detects denial-of-service floods, SQL injection attempts against web servers, and exploitation of network services such as the SMBv1 traffic used by the well-known ETERNALBLUE exploit. As a passive IDS it alerts; running inline as an IPS it can drop the packets and stop the attack from succeeding.
2. Monitoring network traffic for suspicious activity: rate- and threshold-based rules flag anomalies such as an unusually high volume of connections from a single host, giving the network administrator an early signal to assess a potential incident.
3. Detecting and blocking malware: rulesets such as the Snort community rules and Emerging Threats carry signatures for known implants and their command-and-control traffic, for example Cobalt Strike (stager and C2 traffic) and Metasploit's Meterpreter. When traffic matches, Snort alerts the administrator or, inline, blocks the connection to limit the damage.
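The script below is an added example, not code from the original page or from the Snort project. It ties together the installation step above, the rule structure described under "How does Snort work?", and the three use cases just listed: it installs the Ubuntu 22.04 snort package, writes a small local.rules file (the three rules are constructed for illustration and are not vendor signatures), checks that the local sids are unique and in the range Snort reserves for local rules (1000000 and above), validates the configuration with `snort -T`, and replays a capture through it. The paths /etc/snort/snort.conf and /etc/snort/rules/local.rules are the Ubuntu package defaults and are an assumption about your layout.

```shell
# Added example: install Snort 2.9 on Ubuntu 22.04, add local rules for the
# three use cases above, sanity-check them and run them. Paths assume the
# Ubuntu snort package; the rules are constructed for illustration only.

SNORT_CONF=/etc/snort/snort.conf
LOCAL_RULES=/etc/snort/rules/local.rules

install_snort() {
  # The package prompts for the sniffing interface and HOME_NET range.
  sudo apt-get update && sudo apt-get install -y snort
}

write_local_rules() {
  # $1 = rules file to (over)write. Local rules use sids >= 1000000; lower
  # values are reserved for the official rulesets, and sids must be unique.
  cat > "$1" <<'EOF'
# 1. Flood from one source: fire once when a single host sends more than 200
#    TCP SYNs to HOME_NET within 10 seconds (rate-based, not content-based).
alert tcp any any -> $HOME_NET any (msg:"LOCAL SYN flood from single source"; flags:S; flow:stateless; detection_filter:track by_src, count 200, seconds 10; classtype:attempted-dos; sid:1000001; rev:1;)
# 2. Crude SQL injection probe in a request URI (real rulesets carry many
#    variants; this only shows the content/nocase/http_uri mechanism).
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL SQLi probe in URI"; flow:to_server,established; content:"' OR 1=1"; nocase; http_uri; classtype:web-application-attack; sid:1000002; rev:1;)
# 3. SMBv1 Negotiate request from outside to port 445: bytes 4-8 after the
#    NetBIOS session header are FF 'S' 'M' 'B' 0x72. ETERNALBLUE rides on
#    SMBv1, but this is an exposure indicator, not the MS17-010 signature.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"LOCAL SMBv1 negotiate from external host"; flow:to_server,established; content:"|FF|SMB|72|"; offset:4; depth:5; classtype:protocol-command-decode; sid:1000003; rev:1;)
EOF
}

count_rules() {
  # Number of active (non-comment) rules in $1.
  grep -c '^alert' "$1"
}

check_sids() {
  # Reject reserved (< 1000000) or duplicate sids in $1; returns 1 on failure.
  sids=$(sed -n 's/.*sid:\([0-9][0-9]*\);.*/\1/p' "$1")
  [ -n "$sids" ] || { echo "no sid found in $1" >&2; return 1; }
  for s in $sids; do
    [ "$s" -ge 1000000 ] || { echo "sid $s is in the reserved range" >&2; return 1; }
  done
  dups=$(printf '%s\n' $sids | sort | uniq -d)
  [ -z "$dups" ] || { echo "duplicate sid(s): $dups" >&2; return 1; }
}

validate_config() {
  # snort -T parses the config and every included rule file without sniffing;
  # run it after each rule change. Also confirm local.rules is included,
  # otherwise new local rules silently never load.
  grep -q 'include \$RULE_PATH/local.rules' "$SNORT_CONF" \
    || { echo "add 'include \$RULE_PATH/local.rules' to $SNORT_CONF" >&2; return 1; }
  sudo snort -T -c "$SNORT_CONF"
}

run_on_pcap() {
  # Replay capture $1 through the ruleset, printing alerts to the console.
  sudo snort -q -A console -c "$SNORT_CONF" -r "$1"
}

run_live() {
  # Passive IDS on interface $1 (default eth0). Inline IPS needs a DAQ in the
  # traffic path instead, e.g. "snort -Q --daq afpacket -i eth0:eth1".
  sudo snort -q -A console -c "$SNORT_CONF" -i "${1:-eth0}"
}

# Usage, as root on the sensor:
#   install_snort
#   write_local_rules "$LOCAL_RULES" && check_sids "$LOCAL_RULES"
#   validate_config && run_on_pcap suspicious.pcap
```

Replaying a pcap with `run_on_pcap` is the fastest way to confirm a new rule fires before putting it on a live interface: the same `-c` configuration is used, so what alerts offline will alert on the wire.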
Conclusion
Snort is widely used by blue teams protecting networks of all sizes and is a robust part of many network security infrastructures. The core Snort software remains open source under the GPLv2. Because you can write your own rules, what Snort can monitor and alert on is limited only by what you can describe in a rule. I hope this introduction to Snort was helpful. If you have any further questions, feel free to ask.