Snort

Cisco / Snort Team

Signature-based network IDS/IPS with a large community rule set.

Tags: Network Recon & Monitoring · Free & Open Source · Platform / Suite · Learning · Cross-platform


Description

Snort is the original open-source network intrusion detection/prevention system. Maintained today by Cisco/Talos, it is the reference platform for signature-based NIDS, and its rule syntax has become the de facto standard format reused by many other products.

Key concepts a CySA+ candidate must know:

  • Rule anatomy: a header (action proto src_ip src_port -> dst_ip dst_port) followed by the option list in parentheses (msg:""; sid:; rev:; content:""; pcre:"";), each option terminated by a semicolon.
  • Modes: sniffer, packet logger, NIDS, inline IPS.
  • Rule sources: Snort VRT (commercial), Snort community, Emerging Threats Open.
  • Snort 3 brings multi-threading and HTTP/2 inspection.

Use cases

  • Perimeter NIDS at internet egress
  • Inline IPS on critical segments
  • Detection-as-code shared via SID lists

Example

# Example rule in community-rule style (sid 1000001 sits in the 1000000+ range
# reserved for local rules). Snort 2 syntax: options inside parentheses, a
# trailing '\' continues the rule on the next line, and $EXTERNAL_NET /
# $HOME_NET are variables defined in snort.conf.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( \
    msg:"INDICATOR-SCAN SMB AUTH brute force attempt"; \
    flow:to_server,established; \
    sid:1000001; rev:1; )
# Note: with only a flow match this fires on every established client session to
# 445; a real brute-force rule adds content/pcre matches plus a detection_filter
# (track by_src, count N, seconds M) so it only alerts above a rate threshold.
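To make the rule anatomy from the Key concepts list concrete, here is an added Python parser (example code, not part of Snort or of this page) that joins backslash-continued lines, splits the header into its seven fields, splits the option list on semicolons that are not inside quoted strings, and lints for the msg/sid/rev options and the local sid range; the page's own example rule is embedded as sample input.

```python
import re

# Rule header: action proto src_ip src_port direction dst_ip dst_port ( options )
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<body>.*)\)\s*$",
    re.S,
)
HEADER_FIELDS = ("action", "proto", "src_ip", "src_port", "direction", "dst_ip", "dst_port")


def _split_options(body):
    """Split the option body on ';' but not inside "..." (honouring backslash escapes)."""
    opts, cur, in_str, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if in_str and ch == "\\" and i + 1 < len(body):  # escaped char, e.g. content:"a\;b"
            cur += [ch, body[i + 1]]
            i += 2
            continue
        if ch == '"':
            in_str = not in_str
        if ch == ";" and not in_str:  # option terminator outside a string
            if "".join(cur).strip():
                opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    if in_str:
        raise ValueError("unterminated string in rule options")
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    return opts


def parse_rule(text):
    """Parse one rule (possibly '\\'-continued and '#'-commented) into header fields + options."""
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    joined = " ".join(l[:-1].rstrip() if l.endswith("\\") else l for l in lines)
    m = HEADER_RE.match(joined)
    if not m:
        raise ValueError("not a Snort rule: " + joined[:60])
    rule = {k: m.group(k) for k in HEADER_FIELDS}
    # Each option becomes (name, value); value keeps its quotes, flag options get None.
    rule["options"] = [(o.partition(":")[0].strip(), o.partition(":")[2].strip() or None)
                       for o in _split_options(m.group("body"))]
    return rule


def lint_rule(rule):
    """Return problems a rule author should fix before loading the rule into Snort."""
    names = {n for n, _ in rule["options"]}
    problems = [f"missing required option '{n}'" for n in ("msg", "sid", "rev") if n not in names]
    sid = dict(rule["options"]).get("sid")
    if sid and sid.isdigit() and int(sid) < 1_000_000:
        problems.append("sid below 1000000 collides with the range reserved for distributed rules")
    return problems


# The page's example rule, pasted verbatim as constructed sample input.
EXAMPLE_RULE = '''# Example community rule
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( \\
    msg:"INDICATOR-SCAN SMB AUTH brute force attempt"; \\
    flow:to_server,established; \\
    sid:1000001; rev:1; )'''

if __name__ == "__main__":
    parsed = parse_rule(EXAMPLE_RULE)
    print(parsed, lint_rule(parsed))
```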