Sheet 1 - SNORT
📘 Sheet 1: SNORT​
MCQ Answers​
| # | Question | Answer |
|---|---|---|
| Q1 | Main purpose of Snort? | C) Network intrusion detection and real-time traffic analysis |
| Q2 | Which is NOT a valid Snort rule action? | D) Delete |
| Q3 | What does sdrop do? | B) Blocks, logs, and sends TCP reset/ICMP unreachable |
| Q4 | Key advantage of Snort? | B) Flexible, customizable, strong community |
| Q5 | Rule option to inspect normalized HTTP URIs? | D) uricontent |
| Q6 | Command to test a local rule against a pcap file? | C) snort -c local-rules.conf -A full -l . -r task9.pcap |
| Q7 | What does 22 mean in: alert tcp $EXTERNAL_NET any -> $HOME_NET 22? | C) Destination port (SSH) |
| Q8 | Which IDPS monitors a single endpoint? | B) HIDS |
| Q9 | Which alert mode gives minimal details? | B) Fast |
| Q10 | Optimization technique to reduce CPU in Snort? | A) Rule optimization |
Essay Answers​
Q1. How does Snort work as an expert system?
- Rules files = knowledge base (stores known attack patterns)
- Detection engine = inference engine (matches packets against rules)
- When a packet matches a rule → an alert is fired
- Cannot learn on its own — all rules must be added manually
Q2. Key components of Snort?
- Packet Decoder — captures and decodes raw packets
- Preprocessors — normalize traffic to prevent evasion
- Detection Engine — matches packets against rules (most CPU-heavy)
- Rules Files — the stored attack signatures
- Output Modules — write alerts to files, console, or database
Q3. Map expert system components to Snort
| Expert System Component | Snort Equivalent |
|---|---|
| Knowledge Base | Rules files |
| Inference Engine | Preprocessors + Detection Engine |
| Database | Alert logs / backend DB |
| User Interface | Console, alert files, GUI tools |
| Explanation System | Alert msg, sid, and classtype fields |
Q4. Signature-based (Snort) vs Behavioral-based NIPS?
- Snort (signature): Accurate for known attacks, fast, low false positives — but cannot detect new or polymorphic attacks
- Behavioral NIPS: Can detect unknown/zero-day attacks — but higher false-positive rate
- Best practice: use both together
Q5. How to write a Snort rule from a new vulnerability?
- Analyze the exploit to find the attack's unique pattern
- Write the rule header: action, protocol, source/dest IP and port
- Add options: content match, flow, sid, classtype
- Test against malicious and normal traffic
- Deploy and tune to remove false positives
Q6. Difficulties in creating effective rules?
- False positives — rules too broad fire on normal traffic
- Evasion — attackers use encoding or polymorphism to bypass signatures
- Performance — too many/complex rules slow Snort down
- Maintenance — rules go outdated as attacks evolve
Q7. Knowledge engineering in Snort?
- Experts study exploits and capture attack traffic
- Extract the unique pattern (string, byte, protocol condition)
- Encode it as a Snort rule with header + options
- Test and validate, then deploy with a
sid/revnumber - Update rules as new threats appear
Q8. Three Snort use modes?
| Mode | Description | Use Case |
|---|---|---|
| Packet Sniffer | Shows live traffic on screen | Quick inspection |
| Packet Logger | Saves all packets to disk | Forensics |
| NIDS/IPS Mode | Loads rules, detects & alerts in real time | Main production use |
Q9. How to optimize Snort rules?
- Use rule profiling to find slow rules
- Add
fast_patternto the most unique keyword - Disable rules not relevant to your environment
- Use
threshold/suppressto avoid alert floods - Test regularly with known attack pcap files
Q10. Purpose of NIDS + Snort implementation proposal?
- NIDS monitors traffic to detect intrusions without blocking flow
- Deploy Snort on SPAN ports at the perimeter and internal switches
- Use community rules, disable irrelevant ones, add local rules
- Integrate with a SIEM for centralized alerting and correlation
- Update rules weekly and test monthly
Q11. Limitations of Snort?
- Cannot detect new attacks — rules must be written manually
- No learning — fully dependent on human-written rules
- Polymorphic attacks can bypass signature matching
- High CPU usage as rule count grows (80% on string matching)
- No situational awareness — cannot explain attack scope or intent
Q12. Explain a Snort rule's components
alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"..."; flow:from_server,established; content:"to su root"; nocase; sid:715; rev:6;)
| Component | Meaning |
|---|---|
alert | Action — generate alert + log |
tcp | Protocol |
$TELNET_SERVERS 23 | Source IP variable and port |
-> $EXTERNAL_NET any | Direction and destination |
msg | Human-readable alert description |
flow:from_server,established | Only match established sessions |
content:"to su root" | Payload must contain this string |
nocase | Case-insensitive match |
sid:715; rev:6 | Unique rule ID and version |