Snort Setup and Alerts

Snort

1. Download the source code from snort.org/dl
2. Build the source code with "tar xzvf snort-2.4.3.tar.gz; cd snort-2.4.3; ./configure; make; sudo make install"
3. Copy the configure directory to a secure place, like /etc: "sudo cp snort-2.4.3/etc /etc/snort"
4. Edit the "/etc/snort/snort.conf" config file, at least to set the HOME_NET address.
5. Download snort rules from http://www.snort.org/pub-bin/downloads.cgi.  Free registration is required for the latest rules.
6. Unpack snort rules using "cd /etc/snort; tar xzvf ~/snortrules*".
7. Run snort as root "snort -de  -K ascii -c /etc/snort/snort.conf"

• The syslog (see /etc/syslog.conf to figure out where, often it's /var/log/warn)
• The snort log directory, normally /var/log/snort/<IP ADDRESS>/<PROTOCOL>:<SOURCE PORT>-<DEST PORT>
  

Interpreting Snort Alerts

• 127.0.0.1 is the "loopback" IP address.  Packets sent to this address immediately go back to the sending machine.
  
• UAF's public subnet is 137.229....
  
• 10..., 168... are non-routed "private" IP addresses. UAF has a private subnet using 172... addresses.
  
• 224..., 232..., and 239... IP addresses are multicast addresses.  Addresses ending in .255 are usually subnet broadcast addresses.
• Low numbers can be looked up from the first digit and the IANA IP allocation table.  Higher numbers are usually listed as "various entities".
• Addresses can also be tracked down to a geographic location using one of the many IP to location searches on the web.
• A "traceroute" can show you the network hops that take you to a particular IP:

  # /usr/sbin/traceroute target.cs.uaf.edu
  traceroute to target.cs.uaf.edu (137.229.25.200), 30 hops max, 40 byte packets
   1  48-1.wireless.uaf.edu (137.229.48.1)  1.453 ms   0.869 ms   0.965 ms
   2  * * *
   3  * * *
  # /usr/sbin/traceroute finesse.cs.uiuc.edu
  traceroute to finesse.cs.uiuc.edu (128.174.241.207), 30 hops max, 40 byte packets
   1  48-1.wireless.uaf.edu (137.229.48.1)  1.531 ms   1.454 ms   0.962 ms
   2  137.229.95.3  1.287 ms   1.357 ms   1.698 ms
   3  swf-6506-1 (137.229.254.145)  4.192 ms   1.591 ms   2.040 ms
   4  swf-m10-1 (137.229.254.209)  4.060 ms   3.088 ms   1.985 ms
   5  core1-ua-GE0-0-0-0.pnw-gigapop.net (209.124.177.129)  3.781 ms   2.983 ms   4.114 ms
   6  core1-wes-so0-2-0-0.pnw-gigapop.net (209.124.179.37)  43.039 ms   43.824 ms   44.104 ms
   7  hnsp2-wes-ge-0-0-0-0.pnw-gigapop.net (209.124.176.12)  42.826 ms   43.579 ms   41.697 ms
   8  abilene-pnw.pnw-gigapop.net (209.124.179.2)  41.180 ms   41.525 ms   43.449 ms
   9  dnvrng-sttlng.abilene.ucaid.edu (198.32.8.50)  69.073 ms   67.277 ms   66.149 ms
  10  kscyng-dnvrng.abilene.ucaid.edu (198.32.8.14)  78.379 ms   77.868 ms   77.004 ms
  11  iplsng-kscyng.abilene.ucaid.edu (198.32.8.80)  358.250 ms   366.737 ms   365.043 ms
  12  chinng-iplsng.abilene.ucaid.edu (198.32.8.76)  93.672 ms   101.860 ms   102.063 ms
  13  mren-chin-ge.abilene.ucaid.edu (198.32.11.98)  95.943 ms   96.129 ms   95.261 ms
  

• The official IANA port number list, or the much better hyperlinked networksourcery port list.  This does mix TCP and UDP.
  
•  Standard ports include:
• TCP port 20 & 21, FTP File Transfer Protocol.
• TCP port 22, SSH secure shell file & terminal transfer.
• TCP port 25, SMTP insecure email.
• UDP port 53, DNS domain name system traffic.
• UDP ports 67 & 68, DHCP/BOOTP machine startup configuration.
• TCP port 80, HTTP web traffic.
• TCP port 109 & 110, POP insecure email.
• TCP port 443, HTTPS secure web traffic (via SSL).
• Windows-specific ports include:
• TCP port 137, 138, 139, NETBIOS name, datagram, and session traffic.
• UDP port 1026+, network announcements.
  
• UNIX-specific ports include:
• TCP port 23, telnet insecure terminal protocol.
• Chatty broadcasting ports include:
• UDP port 427, SLP Service Location Protocol. (Macs, Novell)
• UDP port 631, IPP, Internet Printing Protocol. (CUPS, other printers)