<!DOCTYPE html><html lang="en-US"><head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<link rel="profile" href="http://gmpg.org/xfn/11">
<meta name="robots" content="index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1">
<title>Snort Tutorial and Practical Examples | HackerTarget.com</title>
<meta name="description" content="In this Snort tutorial you will not only get started with this powerful tool but also find practical examples and immediate use cases.">
<link rel="canonical" href="https://hackertarget.com/snort-tutorial-practical-examples/">
<meta property="og:locale" content="en_US">
<meta property="og:type" content="article">
<meta property="og:title" content="Snort Tutorial and Practical Examples | HackerTarget.com">
<meta property="og:description" content="In this Snort tutorial you will not only get started with this powerful tool but also find practical examples and immediate use cases.">
<meta property="og:url" content="https://hackertarget.com/snort-tutorial-practical-examples/">
<meta property="og:site_name" content="HackerTarget.com">
<meta property="article:published_time" content="2023-05-26T02:10:19+00:00">
<meta property="article:modified_time" content="2024-05-27T02:25:53+00:00">
<meta property="og:image" content="https://hackertarget.com/images/snort-tutorial-examples.png">
<meta name="author" content="the admin">
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:creator" content="@hackertarget">
<meta name="twitter:site" content="@hackertarget">
<meta name="twitter:label1" content="Written by">
<meta name="twitter:data1" content="the admin">
<meta name="twitter:label2" content="Est. reading time">
<meta name="twitter:data2" content="7 minutes">
</head>
<body class="cookies-not-set">
<main class="page-wrapper">
<div id="content" class="site-content" style="margin-top: 49px;">
<div class="container">
<div class="row">
<section id="primary" class="content-area col-sm-12 col-lg-8 mx-auto">
<div id="main" class="site-main" role="main">
<article id="post-16836" class="post-16836 post type-post status-publish format-standard hentry category-security-research category-tools category-tutorial">
<header class="entry-header mt-3 pt-3 mb-6">
<div class="pt-4">
<span class="post-categories fs-xs mt-5 pt-5 fw-medium"><a href="https://hackertarget.com/category/security-research/">SECURITY RESEARCH</a>, <a href="https://hackertarget.com/category/tools/">TOOLS</a>, <a href="https://hackertarget.com/category/tutorial/">TUTORIAL</a></span> | <span class="post-date fs-xs text-uppercase">May 26, 2023</span>
<h1 class="entry-title pt-3 pb-4">Snort Tutorial and Practical Examples</h1> </div>
</header><!-- .entry-header -->
<div class="entry-content">
<div class="row">
<div class="col-md-7">
<span class="fs-lg">Snort is a powerful open source <strong>network intrusion detection</strong> and <strong>prevention system</strong>. Use this <strong>tutorial</strong> not only to get started with Snort but also to understand its capabilities through a series of <strong>practical examples</strong>.</span>
<p class="fs-lg">
Snort uses <strong>rules</strong> to analyze network traffic and discover <strong>potential threats</strong> or network anomalies. <strong>Alerts</strong> can be dispatched to an analyst or can trigger remediation scripts or other actions.</p>
</div>
<div class="col-md-5 d-md-block d-none">
<img decoding="async" src="https://hackertarget.com/images/snort-tutorial-examples.png" alt="snort tutorial and examples find the threat"> </div>
</div>
<div class="alert alert-dark dark-mid-bg toc-links">
<div class="row">
<div class="col-md-6">
<h3 class="text-light">Getting Started with Snort</h3>
<p><a href="#intro">Introduction to Snort</a><br>
<a href="#use-cases">Common Use Cases</a><br>
<a href="#detect-attacks">Detecting Network Attacks</a><br>
<a href="#identify-traffic">Identify Suspicious Network Traffic</a><br>
<a href="#find-malware">Detect Malware in Network Traffic</a><br>
<a href="#install-snort-29">Installing Snort 2.9 on Ubuntu</a><br>
<a href="#snort3-docker">Snort 3 on Docker</a><br>
<a href="#snort3-ubuntu">Installing Snort 3 on Ubuntu</a><br>
<a href="#get-rules">Getting the Rules</a>
</p></div>
<div class="col-md-6">
<h3 class="text-light">Practical Examples</h3>
<p><a href="#capture-local">1. Capture on Local Interface</a><br>
<a href="#read-pcap">2. Analyse Packets from a PCAP</a><br>
<a href="#test-config">3. Test Snort Configuration</a><br>
<a href="#log-to-pcap">4. Log traffic to a PCAP</a><br>
<a href="#test-rule">5. Simple Test Rule (ICMP)</a><br>
<a href="#reject-drop">6. Reject and Drop Rules</a><br>
<a href="#bpf-filter">7. Filter on Command Line with BPF</a><br>
<a href="#enable-rules">8. Enable app-detect.rules</a><br>
<a href="#enable-malware-rules">9. Enable malware rules</a>
</p></div>
</div>
</div>
<h2 id="intro" class="mt-4">Introduction to Snort</h2>
<p>Snort is widely used by <strong>Blue Teams</strong> protecting networks of all sizes and is considered a robust part of network security infrastructure. Cisco purchased the Snort project in 2013 and incorporated it in its Sourcefire line of products. The core Snort software remains open source with a GPL2+ license.</p>
<h2 id="use-cases" class="mt-2">Common Use Cases for Snort</h2>
<p>Snort can be used in a variety of scenarios to protect networks from <strong>cyber threats</strong>. Some practical use cases for Snort include:</p>
<h4 id="detect-attacks">Detecting and blocking network attacks</h4>
<p>Snort can be used to detect and block network-based attacks, such as <strong>denial of service</strong> (DoS) attacks, <strong>SQL injection</strong> or network service attacks such as the well known <strong>ETERNALBLUE</strong> exploit. Snort will analyze network traffic in real-time, alerting and potentially taking action to prevent the attack from succeeding.</p>
<h4 id="identify-traffic">Monitoring network traffic for suspicious activity</h4>
<p>Snort can be used to monitor network traffic for any suspicious activity, such as an unusually high amount of traffic; think multiple <strong>Microsoft Remote Desktop (RDP) logins</strong> or a <strong>high number of HTTP POST requests</strong>. This can help identify potential security threats, allowing the network administrator to assess a potential incident.</p>
<h4 id="find-malware">Detecting and blocking malware</h4>
<p>Snort can be configured to use a set of rules that are designed to <strong>detect known implants</strong> or malware signatures. Common examples would be <strong>Cobalt Strike</strong> (installer / C2 traffic) and the <strong>Metasploit</strong> based <strong>Meterpreter</strong>. When malware is detected, Snort can alert the network administrator or trigger actions to mitigate damage from the malware.</p>
<p>These are the most common use cases for a Snort deployment. Keep in mind that because custom rules can be created, the possibilities for what Snort can monitor and alert on are endless.</p>
<h2 id="install-snort-29">Installing Snort 2.9 on Ubuntu</h2>
<p>In order to get started with Snort easily, we recommend starting with <strong>Snort 2.9</strong> which is available in the Ubuntu 22.04 repositories. Installation is a simple matter of the standard <code>apt-get install</code>.</p>
<pre>:-$ sudo apt install snort</pre>
<p>Using this method ensures you have a production ready version that is easy to maintain and update when required through the standard update processes.</p>
<pre>:-$ snort --version
,,_ -*> Snort! <*-
o" )~ Version 2.9.15.1 GRE (Build 15125)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.10.1 (with TPACKET_V3)
Using PCRE version: 8.39 2016-06-14
Using ZLIB version: 1.2.11
</pre>
<h2 id="snort3-docker">Snort 3 with Docker</h2>
<p>Using the Cisco Talos docker container is the fastest way to get Snort 3 up and running. Primarily suited for initial testing, the docker container has a full snort installation and can be used to quickly process a network capture (pcap) within a few minutes.</p>
<p>Snort 3 comes with a number of new capabilities and features. Jump in with the following docker commands.</p>
<pre>:-$ sudo docker pull ciscotalos/snort3
:-$ sudo docker run --name snort3 -h snort3 -u snorty -w /home/snorty -d -it ciscotalos/snort3 bash
:-$ sudo docker exec -it snort3 bash</pre>
<h2 id="snort3-ubuntu">Installing Snort 3 on Ubuntu</h2>
<p>As Snort 3 is not available as a packaged binary, it is necessary to install it from source to deploy on Ubuntu.</p>
<p>The full installation guide is available from the <a href="https://docs.snort.org/start/installation">snort.org website</a>. Specifically for Ubuntu deployments you will need the following required packages.</p>
<pre>:-$ sudo apt install build-essential libpcap-dev libpcre3-dev libnet1-dev zlib1g-dev luajit hwloc libdnet-dev \
libdumbnet-dev bison flex liblzma-dev openssl libssl-dev pkg-config libhwloc-dev cmake cpputest libsqlite3-dev uuid-dev \
libcmocka-dev libnetfilter-queue-dev libmnl-dev autotools-dev libluajit-5.1-dev libunwind-dev libfl-dev</pre>
<h2 id="get-rules">Getting the Rules</h2>
<p>The rules can be downloaded from <a href="https://www.snort.org/downloads">snort.org</a> and are available as the <strong>Community Rule set</strong>, as well as the official Cisco rules. The <strong>official rules</strong> require a free registration (30 day delay) or a paid subscription for immediate access to newly released rules.</p>
<p>While the community rules are an excellent resource, the official rules are essential for getting good coverage, so registration or a subscription is recommended.</p>
<p>In addition there are excellent rules available from <strong>Emerging Threats</strong> (Proofpoint) with the option of a <a href="https://rules.emergingthreatspro.com/OPEN_download_instructions.html">Free</a> or a <a href="https://www.proofpoint.com/au/products/et-pro-ruleset">Paid</a> offering.</p>
<h4>Oinkcodes - Automate Rule Downloads</h4>
<p>The <strong>Oinkcode</strong> is an API key associated with a registered account. Using the oinkcode you are able to access the rule updates programmatically using a tool such as <a href="https://www.snort.org/oinkcodes">Pulled Pork</a>.</p>
<h2>Working Snort 3 Installation</h2>
<p>Whichever version or method you are using, running the following confirms that Snort is installed and ready to go:</p>
<pre>snorty@snort3:~$ snort --version
,,_ -*> Snort++ <*-
o" )~ Version 3.0.0 (Build 267)
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using DAQ version 3.0.0
Using LuaJIT version 2.1.0-beta3
Using OpenSSL 1.1.1d 10 Sep 2019
Using libpcap version 1.8.1
Using PCRE version 8.39 2016-06-14
Using ZLIB version 1.2.11
Using Hyperscan version 5.1.0 2019-01-31
Using LZMA version 5.2.4
snorty@snort3:~$ </pre>
<h2>Practical Examples</h2>
<p>These examples show a number of practical uses for Snort as a command line tool and demonstrate how the system works in a hands-on capacity.</p>
<h3 id="capture-local">1. Capture on Local Interface with Snort</h3>
<p>In this mode, Snort reads packets from the network interface and compares them to the set of rules specified in the configuration file.</p>
<pre>:~$ snort -c /etc/snort/snort.conf -i eth0</pre>
<h3 id="read-pcap">2. Analyse Packets from a PCAP File</h3>
<p>You can use Snort to read packets from a PCAP file.</p>
<pre>:~$ snort -r file.pcap -c /etc/snort/snort.conf</pre>
<h3 id="test-config">3. Test Snort Configuration File</h3>
<p>This command tests your Snort configuration and rules for errors.</p>
<pre>:~$ snort -T -c /etc/snort/snort.conf</pre>
<h3 id="log-to-pcap">4. Log Traffic to a pcap File</h3>
<p>Output options are configured in the <code>snort.conf</code> file. Logging to <code>pcap</code> can be configured in the file or we can use the command line option below to write the pcap.</p>
<p>Read packets from the configured network interface and write to a pcap file. </p>
<pre>:~$ snort -b -L packets.pcap</pre>
<h3 id="test-rule">5. A simple test rule to ensure Snort is working as expected</h3>
<p>To test that everything is working and to understand how the alerting / logging works, let's create a simple rule that we can trigger at any time.</p>
<p>Edit the file <code>/etc/snort/rules/local.rules</code> and put the following line at the end.</p>
<pre>alert icmp any any -> any any (msg:"ICMP connection attempt"; sid:1000010; rev:1;)</pre>
<p>This rule matches any use of the <code>icmp</code> protocol (the second entry in the rule) between any source and any destination (the <code>any -> any</code> fields), and uses the <code>msg:</code> text as the alert message.</p>
<p>The following example is a bit different from the previous ones. It prints the alerts to the console (<code>-A console</code>) and uses the <code>-q</code> parameter to be quiet, suppressing the debugging and startup information so that the output is clean. We can specify the <code>local.rules</code> file as the config, or the <code>snort.conf</code> (which should include the <code>local.rules</code> file).</p>
<pre>:~$ snort -q -A console -c /etc/snort/local.rules</pre>
<p>If you ping the host or network that is listening you should see the alerts printed to the console.</p>
<pre>05/25-10:50:00.887913 [**] [1:1000002:1] ICMP connection attempt [**] [Priority: 0] {ICMP} 10.1.1.33 -> 10.1.1.44
05/25-10:50:00.888003 [**] [1:1000002:1] ICMP connection attempt [**] [Priority: 0] {ICMP} 10.1.1.44 -> 10.1.1.33</pre>
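<p>As an added example (not code from the tutorial or the Snort project), the following Python parses console alert lines like the ones above into structured records and answers the two questions an analyst asks first: which signatures fired and which hosts were involved. It also handles the fuller fast-format line with a classification and TCP ports, which the test rule above does not produce; the third sample line is constructed for that purpose.</p>

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Snort "fast" alert line (the -A console / -A fast format shown above). Layout:
#   MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] [Classification: x] [Priority: n] {PROTO} src[:port] -> dst[:port]
# The Classification block is absent for rules without a classtype (like the ICMP test rule);
# ports appear for TCP/UDP only. IPv4 only, matching the tutorial's output.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str            # the fast format carries no year, so it is kept as text
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_fast_alert(line: str) -> Optional[Alert]:
    """Parse one fast-format alert line; returns None for lines that are not alerts."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(
        timestamp=m.group("ts"),
        gid=int(m.group("gid")), sid=int(m.group("sid")), rev=int(m.group("rev")),
        msg=m.group("msg"),
        classification=m.group("classification"),
        priority=int(m.group("priority")),
        proto=m.group("proto"),
        src=m.group("src"), sport=int(m.group("sport")) if m.group("sport") else None,
        dst=m.group("dst"), dport=int(m.group("dport")) if m.group("dport") else None,
    )


def parse_alert_log(text: str) -> List[Alert]:
    """Parse a whole console/fast log, skipping startup banners and blank lines."""
    alerts = []
    for line in text.splitlines():
        a = parse_fast_alert(line)
        if a:
            alerts.append(a)
    return alerts


def count_by_signature(alerts: List[Alert]) -> Dict[Tuple[int, str], int]:
    """How often each (sid, msg) fired: the first thing to look at in a noisy log."""
    return dict(Counter((a.sid, a.msg) for a in alerts))


def involving_host(alerts: List[Alert], ip: str) -> List[Alert]:
    """Alerts where the host is source or destination (same idea as the BPF 'host' filter in section 7)."""
    return [a for a in alerts if ip in (a.src, a.dst)]


# Constructed sample log: the two ICMP lines from the tutorial plus one constructed TCP alert
# for the app-detect VNC rule (sid 560) in the fuller format with classification and ports.
SAMPLE_ALERT_LOG = """\
05/25-10:50:00.887913 [**] [1:1000002:1] ICMP connection attempt [**] [Priority: 0] {ICMP} 10.1.1.33 -> 10.1.1.44
05/25-10:50:00.888003 [**] [1:1000002:1] ICMP connection attempt [**] [Priority: 0] {ICMP} 10.1.1.44 -> 10.1.1.33
05/25-10:51:12.123456 [**] [1:560:9] APP-DETECT VNC server response [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.1.1.44:5900 -> 10.1.1.33:51234
"""

ALERTS = parse_alert_log(SAMPLE_ALERT_LOG)

if __name__ == "__main__":
    for (sid, msg), n in sorted(count_by_signature(ALERTS).items()):
        print(f"sid {sid:>8}  x{n}  {msg}")
    for a in involving_host(ALERTS, "10.1.1.44"):
        print(a.timestamp, a.proto, a.src, "->", a.dst, a.msg)
```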
<h3 id="reject-drop">6. Reject and Drop Rules</h3>
<p>Using our previous test rule for <code>icmp</code> we are able to demonstrate the <code>drop</code> and <code>reject</code> options for rules. To demonstrate we will simply replace the <b>alert</b> with <b>reject</b>. The <b>sid</b> will also be incremented, otherwise there will be an error when starting with two rules with the same <b>sid</b>.</p>
<pre>reject icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000011; rev:1;)</pre>
<p>Restarting <b>snort</b> and running the same <code>ping -c 2 10.1.1.44</code> we will receive the following output:</p>
<pre>:~$ ping -c 2 10.1.1.44
PING 10.1.1.44 (10.1.1.44) 56(84) bytes of data.
64 bytes from 10.1.1.44: icmp_seq=1 ttl=64 time=1.25 ms
From 10.1.1.44 icmp_seq=1 Destination Port Unreachable</pre>
<p>The first packet gets a response, however the subsequent packet is rejected with an <b>icmp port unreachable</b>.</p>
<p>The rule options are available here -> http://manual.snort.org/node29.html</p>
<p>Using the <b>reject</b> action causes Snort to send a TCP reset or an ICMP port unreachable packet, which breaks the session. The <b>drop</b> and <b>sdrop</b> actions only work when <b>Snort</b> is running inline; in that mode they do what the name suggests and simply drop the packets.</p>
<h3 id="bpf-filter">7. Filtering on the Command Line with BPF</h3>
<p>Similar to <code>tcpdump</code> we can provide <b>BPF filters</b> on the command line to limit the traffic we are inspecting and capturing. The following example limits captured traffic to a single host, that can be the source or destination.</p>
<pre>:~$ snort -q -A console -c /etc/snort/snort.conf host 10.1.1.33</pre>
<h3 id="enable-rules">8. Enable app-detect.rules and Know the Network</h3>
<p>After copying the official rules into <code>/etc/snort/rules/</code> you will find that quite a lot of the rules are disabled. The default configuration is trying to balance alert noise against coverage, and it is left to the administrator to enable many of the rules.</p>
<p>An interesting set of rules to look at when getting started is <code>app-detect.rules</code>. These detect many types of application on the network, including many with remote control features that are often used by attackers but also legitimately by administrators.</p>
<pre>:~$ sudo grep app-detect /etc/snort/snort.conf
#include $RULE_PATH/app-detect.rules</pre>
<p>Firstly, the configuration file has the rule file disabled (the <code>include</code> line is commented out). Furthermore, the individual rules inside <code>app-detect.rules</code> are themselves disabled by default, so both need to be enabled.</p>
<pre># alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"APP-DETECT VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; metadata:ruleset community; classtype:misc-activity; sid:560; rev:9;)</pre>
<p>This is an interesting rule. VNC is an application that gives remote GUI access to a desktop session. While VNC is used by administrators, it is also used by attackers; Metasploit, for example, ships VNC injection payloads.</p>
<p>So this is an example of an <code>app-detect.rules</code> rule that we want to enable by removing the '#' from the start of the line. After editing the rule file and the <code>include</code> line, check the configuration parses with <code>snort -T -c /etc/snort/snort.conf</code> before restarting Snort.</p>
<h3 id="enable-malware-rules">9. Enable malware rules</h3>
<p>Another set of rules that is disabled by default in the Ubuntu package is the malware rule files. We want to enable these as they provide coverage of attacker favourites such as Cobalt Strike beacons and installers.</p>
<pre>:~$ sudo grep malware /etc/snort/snort.conf
#include $RULE_PATH/malware-backdoor.rules
#include $RULE_PATH/malware-cnc.rules
#include $RULE_PATH/malware-other.rules
#include $RULE_PATH/malware-tools.rules</pre>
<p>Remove the comment from the start of these lines to enable the use of the malware rules.</p>
<p>These rules contain detections for interesting tools such as <b>Cobalt Strike</b> and <b>Meterpreter</b>. If these are triggering on the internal network you will certainly want to know about it.</p>
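<p>Enabling rule files and individual rules by hand, as sections 8 and 9 describe, means editing commented-out lines across thousands of rules, and a duplicate <b>sid</b> (section 6) will stop Snort at start-up. The following helper is an added example written for this tutorial, not part of Snort or its rule packs: it uncomments the <code>include $RULE_PATH/...</code> lines for named rule files, uncomments rules by sid, and reports sids that are enabled more than once. It works on file contents as text so you can run it on copies before touching <code>/etc/snort</code>. The configuration and rule snippets below are constructed for the example (the second app-detect rule and its sid are made up).</p>

```python
"""Enable Snort rule files and individual rules, and catch duplicate sids.

Added example for this tutorial, not part of Snort or its rule packs. All
functions take and return text so they can be tried on copies of
snort.conf and the rule files before editing the live configuration.
"""
import re
from collections import Counter
from typing import Iterable

# A commented-out include line in snort.conf: '#include $RULE_PATH/file.rules'
INCLUDE_RE = re.compile(r"^(\s*)#\s*(include\s+\$RULE_PATH/(\S+))\s*$")
# A rule starts with an action keyword; a disabled rule has '#' in front of it.
RULE_RE = re.compile(r"^(\s*)(#\s*)?(alert|log|pass|drop|reject|sdrop)\s")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def enable_includes(conf_text: str, rule_files: Iterable[str]) -> str:
    """Uncomment `include $RULE_PATH/<file>` lines for the named rule files."""
    wanted = set(rule_files)
    out = []
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m and m.group(3) in wanted:
            line = m.group(1) + m.group(2)
        out.append(line)
    return "\n".join(out) + "\n"


def enable_sids(rules_text: str, sids: Iterable[int]) -> str:
    """Uncomment every rule whose sid is in `sids`; leave all other lines alone."""
    wanted = {int(s) for s in sids}
    out = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        s = SID_RE.search(line)
        if m and m.group(2) and s and int(s.group(1)) in wanted:
            line = m.group(1) + line[m.end(2):]   # drop the '#' and following spaces
        out.append(line)
    return "\n".join(out) + "\n"


def duplicate_sids(*rule_texts: str) -> dict:
    """Map sid -> count for enabled rules sharing a sid across the given files.

    Snort refuses to start on a duplicate sid; commented-out rules do not count.
    """
    seen = Counter()
    for text in rule_texts:
        for line in text.splitlines():
            m = RULE_RE.match(line)
            if not m or m.group(2):      # not a rule, or commented out
                continue
            s = SID_RE.search(line)
            if s:
                seen[int(s.group(1))] += 1
    return {sid: n for sid, n in seen.items() if n > 1}


# Constructed snippets in the shape of the files discussed in the tutorial.
SNORT_CONF = """\
include $RULE_PATH/local.rules
#include $RULE_PATH/app-detect.rules
#include $RULE_PATH/malware-backdoor.rules
#include $RULE_PATH/malware-cnc.rules
#include $RULE_PATH/malware-other.rules
#include $RULE_PATH/malware-tools.rules
#include $RULE_PATH/x11.rules
"""

# First line is the community VNC rule from the tutorial; the second is made up.
APP_DETECT = """\
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"APP-DETECT VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; metadata:ruleset community; classtype:misc-activity; sid:560; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT made-up example left disabled"; sid:1999999; rev:1;)
"""

# The mistake from section 6: the reject rule reusing the alert rule's sid.
LOCAL_RULES = """\
alert icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;)
reject icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;)
"""

MALWARE_FILES = ["malware-backdoor.rules", "malware-cnc.rules",
                 "malware-other.rules", "malware-tools.rules"]

if __name__ == "__main__":
    print(enable_includes(SNORT_CONF, ["app-detect.rules"] + MALWARE_FILES))
    print(enable_sids(APP_DETECT, [560]))
    print("duplicate sids:", duplicate_sids(LOCAL_RULES))
```

<p>In practice you would read <code>/etc/snort/snort.conf</code> and the rule files, pass the text through these functions, write the result to a staging copy and run <code>snort -T</code> against it; only sids that are already present are touched, and nothing is added or reordered, so a diff of the before and after files shows exactly what was enabled.</p>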
<h2>Conclusion</h2>
<p>Snort has been around for 25 years and is still a powerful and effective tool for those who defend networks from threats. The above tutorial and examples are not intended to cover everything but to give you a practical starting point from which to build up your Snort skillset and build some key knowledge for when planning a deployment.</p>
<p>Even if you do not plan on putting it on a network immediately, being able to quickly spin up a Docker container or an install can be very helpful. Run it over some pcaps from the network or an incident and you may just find some breadcrumbs to follow.</p>
<p>In recent years the trend has moved from Network Intrusion Detection (NIDS) to Endpoint Detection and Response (EDR). This makes sense with increasingly encrypted network traffic. However, Snort and other network tools still give visibility into a great deal of interesting activity on the wire, and not everything runs an EDR client.</p>
</div><!-- .entry-content -->
</article><!-- #post-## -->
</div><!-- #main -->
</section><!-- #primary -->
</div></div></div></main>
</body></html>