Snort Basics for Hackers, Part 5: Testing your Snort IDS Against Known Exploits

Hacking

Welcome back, my greenhorn cyber warriors!

In my previous posts in this series, we installed Snort, configured Snort, set up Snort to send alerts to a database (MySQL) and wrote Snort rules.

In this post, we will test our new Snort installation to see whether it can detect and alert us on well-known attacks before putting it into operation in our production environment to protect us from attacks.

Step #1: Fire up Kali

Although you probably want to install Snort on another Linux distribution in a production environment, in this article I will be using my trusty Kali Linux. Kali is built upon the Debian distribution, which is an excellent choice for using as a Snort host.

If Snort is not already installed on your Kali, you can do so by entering;

kali > apt-get install snort

Step #2: Download Attack .pcap’s

Like Wireshark and other sniffing tools, Snort uses the .pcap format for analyzing packets. To test our Snort installation, we can use live captures from Wireshark or tcpdump or we can use captures available online that others have gathered from intrusions and other attacks. There are numerous resources online, but two that are notable are;

1. Wireshark’s Sample Captures

2. Netresec

Both of resources have numerous sample files for testing your IDS or for use with Wireshark in analysis.

Step #3: Start Snort

To test our Snort installation, we will start Snort like we have in the previous tutorials, but instead of using a live capture as a data source, we will use these .pcap’s as our data source. Second, instead of sending the alert output to our database, we will instead send it in ASCII format to our logs for quick and easy analysis.

To do this we will need to alter our Snort command slightly.

kali > snort -vde -c /etc/snort/snort.conf -l /var/log/snort -r <pcap file> -K ascii

Where:

snort is our binary

-vde tells snort to be verbose and inclide the data link layer (layer 2) and application layer (layer 7)

-c /etc/snort/snort.conf directs snort to use our configuration file at this location

-r directs snort to use a input file rather than live capture

-l /var/log/snort directs snort to send the logs to /var/log/snort directory

-K ascii directs snort to send the alerts in human readable ASCII form

Step #4: Testing Snort on Known Intrusion Files

Now that we understand how to test known intrusions on our Snort installation, let’s try a couple to see how well Snort is able to detect and alert us of malicious traffic.

A teardrop attack is a denial-of-service (DoS) attack that involves sending fragmented packets to a target machine. Since the machine receiving such packets cannot reassemble them due to a bug in TCP/IP fragmentation reassembly, the packets overlap one another, crashing the target network device. This attack is about 20 years old, so Snort should detect it and alert us.

Let’s try running this teardrop.pcap file through Snort and see whether it detects and alerts us.

We can do this by entering;

kali > snort -vde -c /etc/snort/snort.conf -l /var/log/snort -r /media/root/USB20FD/teardrop.cap -K ascii

Note that I have downloaded the .pcap’s to my USB device and I am using the absolute path to that file. Make certain to use the path to your .pcap file.

When we run this pcap capture file through Snort, we will see near the end of the output statistics the number of alerts. As you can see below, this particular set of malicious .pcap files generated 5 alerts.

To view the detail of the alerts, we can display the end or “tail” of the alert file.

In this case, I viewed the last 100 lines of the alert file at /var/log/snort/alert.

kali > tail -100 /var/log/snort/alert

As you can see above, Snort detected the attack and identified it as the a DoS Attack of the Teardrop variety.

Step #5: Test the EternalBlue Attack

Now, let’s test Snort on a more contemporary attack, the EternalBlue attack of 2017. This was the malware developed by NSA that would enable them to take command of any computer they directed it to. This attack and a few others were stolen from NSA by the Shadowbrokers and then released to the public in March 2017 (for more on EternalBlue see my Packet-Level analysis in the Network Forensics series). This attack then became apart of numerous other malicious attacks such as Petya and WannaCry.

Let’s see whether Snort will detect it. Enter the following command.

kali> snort -vde /etc/snort/snort.conf -l /var/log/snort -r /media/root/USB20FD/eternalblue-success-unpatched-win7.pcap -K ascii

Once the pcap has completed running, we can navigate to near the end of the Snort statistics and observe whether Snort generated any alerts on this malicious file.

As you see above, Snort generated 7 alerts on the EternalBlue malware. Great!

Like above, we can view the details of these alerts by viewing the tail of the alerts file.

kali > tail -100 /var/log/snort/alert

Of the 7 alerts generated by Snort, we can see 4 of those above.

Conclusion

Snort is an excellent IDS for protecting your network from malicious activity. After setting up Snort, configuring it and its database, here we tested Snort on one old and one relatively new attack. In both cases, it was able to detect and alert us of an ongoing attack.

You are now ready to use Snort to protect your precious resources online!