Snort Rules: An Introduction
According to cyber security experts, small businesses face the following types of attack: web-based attacks, phishing, general malware, SQL injection, and DDoS. Research shows that 43% of cyber attacks target small businesses.
In one survey, the average cost per stolen record containing sensitive information was $141 in 2017. The same researchers found that companies that lost more than 50K records faced an average data breach cost of $6.3 million.
Small businesses need to protect their data and prevent information loss. To do so, they should work with experts familiar with cyber attacks and Snort rules.
Using powerful applications, experts can identify all malicious activities in your network.
In this article, you will learn what Snort is as well as how to create Snort rules.
What Is Snort?
Snort is a network intrusion detection and prevention application that detects malicious activity on a network. Such activity includes buffer overflows, DDoS attacks, CGI attacks, and OS fingerprinting attempts.
Snort Rules Explained
The Snort rule language is flexible. It lets users write new rules to detect newly observed malicious activity, and it helps them distinguish normal internet traffic from malicious traffic.
To write Snort rules, you have to combine the following segments:
- The Header
- The Options
The header tells Snort which traffic a rule applies to and what to do with it. It specifies the action, the protocol, the source and destination IP addresses and ports, and the direction of the traffic. The action tells Snort what to do when a packet matches. There are five actions Snort can perform.
After the action come the protocol, the source IP, the source port, the direction operator (-> or <>), and the destination IP and port.
The options are everything that follows the destination port, enclosed in parentheses. They are made up of keywords, each followed by its value and terminated by a semicolon.
Here are examples of keywords:
- sid – short for ‘Snort ID,’ it uniquely identifies a rule
- msg – short for ‘message,’ it gives the text Snort includes in the alert or log entry
- reference – links the rule to information available on the internet, for instance a CVE database entry
- gid – the generator ID, which identifies which component of Snort generated the event
- rev – short for ‘revision,’ it tracks the revision number of a rule
- priority – assigns a severity rank
- classtype – assigns the rule a classification, which in turn sets a default priority
Snort Rule Examples and Format
Following the format in this section, you can create your own Snort rules to analyze packets in a network.
Here is an example rule in that format:
alert ip any any -> any any (msg:"IP Packet found"; sid:10000001;)
Reading the rule from left to right, it starts with an action (alert), followed by the protocol (ip), then the source IP and source port (any, any).
After the direction operator (->) come the destination IP and port (any, any), and finally the rule options. The keyword msg carries the message we want included in the alert, “IP Packet found”, and sid gives the Snort ID.
Note that neither the destination IP nor the destination port is specific: with any for both, the rule matches traffic to every host. Specific values are only needed when targeting a particular host or service.
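To make the header/options split concrete, here is an added example (not code from the article or from the Snort project) that parses single-line Snort rules into their seven header fields and their keyword options, and rejects rules with an unknown action, a bad direction operator or no sid. The set of accepted actions and the second sample rule are assumptions taken from the Snort 2.x rule syntax, not from this article.

```python
import re
from dataclasses import dataclass, field

# Five default actions per the Snort 2.x manual, plus the three that need inline mode.
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
DIRECTIONS = {"->", "<>"}
# One option: keyword, optional ':value' (quoted strings may contain ';'), then ';'.
OPTION_RE = re.compile(r'\s*([a-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


@dataclass
class SnortRule:
    action: str
    protocol: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    options: list = field(default_factory=list)  # (keyword, value) pairs in rule order

    def option(self, keyword):
        """Value of the first option using this keyword, or None if absent."""
        return next((v for k, v in self.options if k == keyword), None)


def parse_rule(text):
    """Split one single-line Snort rule into its 7 header fields and its options."""
    m = re.match(r'^(?P<header>[^(]+)\((?P<opts>.*)\)\s*$', text.strip())
    if not m:
        raise ValueError("rule must end with a parenthesised options section")
    header = m.group("header").split()
    if len(header) != 7:
        raise ValueError("header needs: action proto src_ip src_port direction dst_ip dst_port")
    action, proto, src, sport, direction, dst, dport = header
    if action not in ACTIONS:                 # catches e.g. 'Alert': actions are lowercase
        raise ValueError("unknown action %r" % action)
    if direction not in DIRECTIONS:
        raise ValueError("direction must be -> or <>")
    options = []
    for om in OPTION_RE.finditer(m.group("opts")):
        key, val = om.group(1), om.group(2)
        if val is not None:
            val = val.strip()
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]               # drop the quotes around msg-style strings
        options.append((key, val))
    rule = SnortRule(action, proto, src, sport, direction, dst, dport, options)
    if rule.option("sid") is None:
        raise ValueError("every rule needs a sid so alerts can be traced back to it")
    return rule
```

Feeding it the article's rule returns action "alert", protocol "ip" and the msg and sid values; feeding it the rule written as "Alert IP ..." raises ValueError, which is the same reason Snort itself would reject that spelling.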
If we let Snort run the rule above, the application will generate an alert for every matching packet. To have Snort load the rule, open the file local.rules and add it there. If you want to start over with a new rule, first empty the file, then display it with cat to confirm it is empty:
- echo "" > local.rules
- cat local.rules
Now, you are ready to create another Snort rule following the earlier format.
Keeping Track of CPU Usage
High CPU usage by Snort usually indicates a high volume of traffic or too many rules. To keep it down, enable only the Snort rules you need; if you enable every rule, your system will suffer performance-wise. Also, the best format for logging alerts is the unified2 binary format, not ASCII.
If you want to boost the security of your IT infrastructure, we can help. Contact us today to avoid becoming a victim of cyber attacks.