How To: Sniffing the Air

Snort 101

Snort is a very complex program. There are HOWTOs, books, and even lectures that all deal with how to set up and operate it. I will not get into the nitty-gritty details about Snort in this article, since that is best left to the more elaborate introductory materials and courses. But I will provide you with some fundamentals that will help you set the software up and then learn as you go.Snort works by loading preset malicious traffic patterns called rules (Figure 2) that help it to identify which traffic on a network will be harmful. This is similar to anti-virus programs, and the similarity extends to keeping rules updated. Snort can only look for what it knows about, so diligence in updating the program on the part of the system administrator is a must.

A set of Snort rules just waiting to be broken

Figure 2: A set of Snort rules just waiting to be broken
(Click image to enlarge)

Rules follow a fairly simple syntax, outlined below:

<action> <protocol> <first host> <first port> <direction>  <second host> <second port> (<rule options>;) 

The actions can include alert, which generates an alert to the IDS which can then be acted upon, log, which simply logs the packet, or pass, which ignores the packet completely. Rule options include options pertaining to the content of a packet (such as a certain Byte content or size) as well as the message to include when logging it. Here is an example rule, which tells Snort to generate an alert if a machine is pinged:

 alert icmp any any -> any (msg: "Oh snap it's a ping";)

This rule listens for a ping from any host directed towards the router (in this case, and creates an alert with the message "Oh snap it's a ping". More complicated rules can include variables (such as for a range of IP addresses comprising a home network or an external network) or even other files to use. For a good introduction to the different facets of Snort rule writing, check out How to Write Snort Rules and Keep Your Sanity in the Snort manual.

In addition to rules, Snort can be configured with several pre-defined rules called preprocessors that scan traffic before the rules set in. Preprocessors are especially useful for routine or expected traffic such as portscans and pings that would cause a significant slowdown if they were passed to the more resource-intensive rules.