Snort OpenAppID Introduction And Configuration Guide
Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol, and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and nearly 400,000 registered users, Snort has become the de facto standard for IPS.
Snort is a very powerful IDS that in later versions can act like an IPS. Snort is free to download and use in the personal environment as was as in the business environment. In fact Snort is used by many Enterprises as a very effective option for their business because not only is it free but it is one of the most powerful IDS’s out there is you know what you are doing when you configure it.
Snort can be created as a program that you run when you want on a personal computer or it can be setup to run when your OS starts and protect all computers on your network from attacks.
If you want to use Snort to protect your entire network it will need to be placed in line with your internet connection. So as an example lets say that you have a business internet account with your local cable company and you want to protect it with a computer running Snort. The computer running Snort needs to be placed between the cable modem and the router, this way Snort is able to monitor every piece of traffic that comes into your network and is in the best place to discover possible attacks.
OpenAppID: How does it work?
effectively enables a business to create its own application firewall. With a set of application identifiers — essentially signatures for identifying traffic from specific applications — network and security admins can create, share and implement custom application detection rules within Snort systems. OpenAppID can be used to alert, block, perform contextual analysis and report what’s truly happening with application usage on the network.
These robust features put the admin in the driver’s seat for responding to existing and emerging threats by identifying rogue applications and malicious usage. Additionally, it removes the dependence on Layer 7 security vendors. Until now, enterprises needing the ability to detect and potentially block application-layer traffic have had no choice but to purchase a commercial product. With OpenAppID, enterprises can now use Snort — a tool many security pros are quite familiar with — as the basis to essentially build a customized, open source application firewall that alerts or blocks application traffic based on the organization’s needs.
OpenAppID currently supports more than 1,500 applications. Admins can write their own application detectors as well.
OpenAppID: Can it work for you?
One thing I’ve learned about open source is that you usually get what you pay for. Snort is a proven tool and OpenAppID seems to be a beneficial feature, so this freebie could have some substance. But that doesn’t mean it’s automatically going to work as well as commercial alternatives (e.g., next-generation firewalls). As good as Snort is and as good as OpenAppID sounds, it’s still new, so be prepared for the bumps in the road that are inevitable for any new software, as well as new features and changes in the coming months.
I learned a lot about Sourcefire’s application-aware offerings. It’s a worthy set of technologies that can benefit the complex enterprise networks. However, I don’t believe Cisco is looking to cannibalize its commercial line with open source products such as Snort and OpenAppID. Hopefully the company will build out both so enterprises can choose which path to go down.
But with that said, should an enterprise experiment with OpenAppID to gain better control of network security at Layer 7? Here are some things to consider before jumping on the OpenAppID bandwagon:
- First and foremost, ask: What is your enterprise security program trying to accomplish? What are its current business risks? Surprisingly, many organizations don’t know the answers to these questions. The last thing you need to do is implement a new technology to fix a new problem associated with a risk you don’t yet know about that may or may not be a big deal in your enterprise environment.
- What existing security controls does your company have in place that may already provide the capabilities of OpenAppID (e.g., next-generation firewalls, content filtering, endpoint protection)? How is OpenAppID different? Better?
- Does your organization have the in-house expertise to implement and oversee such a tool? With OpenAppID, you’re in control; are you up for the challenge? Even if you are from a technical perspective, what about time? Whenever an enterprise takes on a new network security function, it has to give something else up or it’ll wind up not doing anything effectively. What are you willing to give up in order to create more time for OpenAppID and network application protection?
If none of these questions raise concerns, then chances are OpenAppID is a good fit for the business. Try it out in a test environment, or at least in a subset of your production network that won’t be adversely affected, until you get it configured properly. There’s nothing like selling management on a proof-of-concept that ends up creating more problems than it solves.
When it comes to Layer 7 security, criminal hackers are highly innovative with application and malware-related attacks. Though enterprises might be a few steps behind, there’s no reason they can’t be on the same playing field.Just like how most street fights end up on the ground, most network security challenges end up at Layer 7; that’s where enterprise security teams need to focus. The free network application controls offered by OpenAppID just might provide that level of protection and visibility you need in order to advance your network security to the next level.
# apt-get update
# apt-get install snort
Verify the Snort Installation
Verify the installation as shown below.
# snort --version
,,_ -*> Snort! <*-
o" )~ Version 220.127.116.11 IPv6 GRE (Build 121)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2012 Sourcefire, Inc., et al.
Using libpcap version 1.3.0
Using PCRE version: 8.30 2012-02-04
Using ZLIB version: 1.2.7
Create the following snort.conf and icmp.rules files:
Open the configuration file of snort
# leafpad /etc/snort/snort.conf
Check the configuration file and check whether the icmp rules is included or not. If not, include the line below.
Open icmp rules file and include a rule mentioned below.
# leafpad /etc/snort/rules/icmp.rules
Include the below mentioned line into icmp.rule file.
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)
The above basic rule does alerting when there is an ICMP packet (ping).
Following is the structure of the alert:
<Rule Actions> <Protocol> <Source IP Address> <Source Port> <Direction Operator> <Destination IP Address> <Destination > (rule options)
|Source IP Address||any|
|Destination IP Address||any|
|(rule options)||(msg:”ICMP Packet”; sid:477; rev:3;)|
Execute snort from command line, as mentioned below.
# snort -c /etc/snort/snort.conf -l /var/log/snort/
here, -c for rules file and -l for log directory
Show log alert
Try pinging some IP from your machine, to check our ping rule. Following is the example of a snort alert for this ICMP rule.
root@vishnu:~# head /var/log/snort/alert
[**] [1:2925:3] INFO web bug 0x0 gif attempt [**]
[Classification: Misc activity] [Priority: 3]
12/02-12:08:40.479756 18.104.22.168:80 -> 192.168.1.64:55747
TCP TTL:42 TOS:0x0 ID:14611 IpLen:20 DgmLen:265 DF
***AP*** Seq: 0x6C1242F9 Ack: 0x74B1A5FE Win: 0x2E TcpLen: 32
TCP Options (3) => NOP NOP TS: 1050377198 1186998
[**] [1:368:6] ICMP PING BSDtype [**]
[Classification: Misc activity] [Priority: 3]
12/02-12:09:01.112440 192.168.1.14 -> 192.168.1.64
A couple of lines are added for each alert, which includes the following:
Message is printed in the first line.
Type of packet, and header information.
If you have a different interface for the network connection, then use -dev -i option. In this example my network interface is eth0.
# snort -dev -i eth0 -c /etc/snort/snort.conf -l /var/log/snort/
Execute snort as Daemon
Add -D option to run snort as a daemon.
# snort -D -c /etc/snort/snort.conf -l /var/log/snort/
Default rules can be downloaded from: