Blog | G5 Cyber Security

Snort: Blocking Packets

TL;DR

This guide shows you how to block unwanted network packets using Snort rules. We’ll cover writing a drop rule, loading it into Snort, and verifying that the blocking is working. One point to keep in mind throughout: a drop rule only discards packets when Snort runs inline; a passive (IDS) sensor can alert on the traffic but cannot stop it.

Blocking Packets with Snort: A Step-by-Step Guide

  1. Understand Snort Rules
    • Snort rules define what traffic to look for and what action to take.
    • A rule has a header (action, protocol, source address, source port, direction, destination address, destination port) followed by options in parentheses: alert tcp any any -> any 80 (msg:"HTTP Traffic"; content:"GET"; sid:1000000; rev:1;) This example alerts on TCP traffic to port 80 whose payload contains "GET". Note that msg takes double quotes and that every rule needs a sid; values of 1000000 and above are reserved for local rules so they do not clash with distributed rule sets.
  2. Create a Blocking Rule

    Let’s block all incoming TCP packets from IP address 192.168.1.100. Snort address fields take a bare IP address or CIDR block; the BPF-style keyword host is not valid Snort syntax.

    drop tcp 192.168.1.100 any -> any any (msg:"Blocked Incoming Traffic"; sid:1000001; rev:1;)
    • drop: This action tells Snort to discard the packet and log an alert. It only takes effect when Snort runs inline (started with -Q and an inline-capable DAQ such as afpacket or nfq); a passive sensor cannot drop anything.
    • tcp: Specifies the protocol. Use ip instead to match every IP protocol from that host, including ICMP and UDP.
    • 192.168.1.100 any: The source IP address to block, followed by the source port (any port).
    • -> any any: The direction, then any destination address and any destination port.
    • msg:"Blocked Incoming Traffic": A descriptive message for the alert log.
    • sid:1000001; rev:1: A unique rule ID and its revision. Choose a sid of 1000000 or higher that is not already used.
  3. Save the Rule

    Save the rule in a file, for example, block_rule.rules, in your Snort rules directory (/etc/snort/rules on many installations).

  4. Load the Rule into Snort

    Rules are loaded through the snort.conf configuration file, which Snort reads when started with the -c option.

    • Using snort.conf: Edit your snort.conf file and add a line like this:
      include $RULE_PATH/block_rule.rules

      $RULE_PATH is a variable defined earlier in snort.conf (for example var RULE_PATH /etc/snort/rules). Either save block_rule.rules in that directory or give the include line an absolute path.

    • Test the configuration before restarting, so a syntax error in the new rule does not take the sensor down:
      snort -T -c /etc/snort/snort.conf

      (Adjust the path to your snort.conf if needed. -T parses the configuration and all included rules, reports any errors, and exits.)

  5. Start or Restart Snort

    If Snort is already running, restart it for the new rule to take effect. For the drop action to discard packets, the service must run Snort inline, for example snort -Q --daq afpacket -i eth0:eth1 -c /etc/snort/snort.conf with traffic bridged between the two interfaces; check the options in your unit file or startup script.

    sudo systemctl restart snort

    (This command may vary depending on your operating system.)

  6. Verify the Blocking
    • Check the Alert Log: Look for alerts carrying sid 1000001 in the Snort alert log (usually /var/log/snort/alert when the alert_fast output is configured; the location depends on your output settings).
    • Test Connectivity: Try a TCP connection to a service on the blocked host through the sensor. The SYN-ACK coming back from 192.168.1.100 matches the rule and is dropped, so the connection should time out rather than succeed.
      nc -vz -w 3 192.168.1.100 22
      A ping is not a valid test for this rule: ping uses ICMP, which a tcp rule never matches, so echo replies will still arrive. If the TCP connection succeeds while the alert log shows the rule firing, Snort is running passive rather than inline.
  7. Troubleshooting
    • Rule Syntax Errors: Snort reports problems with your rule syntax during startup, or immediately when run with -T. Check the logs for error messages.
    • Permissions Issues: Ensure that Snort has read access to the rule file.
    • Incorrect Rule Path: Double-check the path specified in snort.conf, and that $RULE_PATH points where you saved the file.
    • Rule Alerts but Does Not Block: Snort is not running inline. Without -Q and an inline DAQ the drop action cannot discard packets.
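To make the header matching concrete, here is a small Python model of how Snort decides a packet's fate from a rule header. It is an added example, not code from this page or from Snort: it parses one rule, rejects the page's original host form, and runs constructed packets through the tcp rule above and an ip variant, both inline and passive. The host 10.0.0.5 and the packets are assumptions made up for the demonstration; only "any", bare IP/CIDR addresses, "!" negation and single ports are supported, and payload options such as content: are not modelled.

```python
"""Minimal Snort 2 rule-header matcher (added example; not code from Snort or this page).
Supports "any", a bare IP/CIDR, "!" negation and single ports only: no [a,b] lists,
$VAR names, port ranges or payload options such as content:."""
import ipaddress
import re
from collections import namedtuple

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOS = {"tcp", "udp", "icmp", "ip"}
HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPTION_RE = re.compile(r'(\w+)\s*:\s*("[^"]*"|[^;]*)\s*;')
Rule = namedtuple("Rule", "action proto src sport direction dst dport msg sid")
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))  # ports 0 for ICMP

def _split_neg(field):
    return (True, field[1:]) if field.startswith("!") else (False, field)

def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("header must be: action proto src sport -> dst dport (options)")
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    if action not in ACTIONS or proto not in PROTOS:
        raise ValueError(f"bad action/protocol {action!r} {proto!r}")
    for field in (src, dst):  # bare IP or CIDR; a BPF-style "host" keyword fails here
        bare = _split_neg(field)[1]
        if bare != "any":
            ipaddress.ip_network(bare, strict=False)
    for field in (sport, dport):
        bare = _split_neg(field)[1]
        if bare != "any" and not bare.isdigit():
            raise ValueError(f"bad port {field!r}")
    options = {k: v.strip() for k, v in OPTION_RE.findall(opts)}
    msg = options.get("msg", "")
    if not (msg.startswith('"') and msg.endswith('"')):  # Snort requires double quotes
        raise ValueError("msg must be a double-quoted string")
    if not options.get("sid", "").isdigit():
        raise ValueError("sid is required and must be numeric")
    return Rule(action, proto, src, sport, direction, dst, dport, msg[1:-1], int(options["sid"]))

def rule_is_valid(text):
    try:
        parse_rule(text)
        return True
    except ValueError:
        return False

def _field_match(field, value, is_addr):
    neg, bare = _split_neg(field)
    if bare == "any":
        hit = True
    elif is_addr:
        hit = ipaddress.ip_address(value) in ipaddress.ip_network(bare, strict=False)
    else:
        hit = int(bare) == value
    return hit != neg

def matches(rule, pkt):
    """Header match only. 'ip' matches every protocol; '<>' matches either direction."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False

    def one_way(s, sp, d, dp):
        return (_field_match(rule.src, s, True) and _field_match(rule.sport, sp, False)
                and _field_match(rule.dst, d, True) and _field_match(rule.dport, dp, False))

    fwd = one_way(pkt.src, pkt.sport, pkt.dst, pkt.dport)
    return fwd or (rule.direction == "<>" and one_way(pkt.dst, pkt.dport, pkt.src, pkt.sport))

def verdict(rule, pkt, inline):
    """'pass', 'log', 'alert' or 'drop'. Only an inline sensor can drop; a passive one just alerts."""
    if not matches(rule, pkt) or rule.action == "pass":
        return "pass"
    if rule.action == "log":
        return "log"
    if rule.action in ("drop", "reject", "sdrop") and inline:
        return "drop"
    return "alert"

# The page's rule in valid syntax, plus an ip-protocol variant that also covers ICMP.
BLOCK_TCP = 'drop tcp 192.168.1.100 any -> any any (msg:"Blocked Incoming Traffic"; sid:1000001; rev:1;)'
BLOCK_IP = 'drop ip 192.168.1.100 any -> any any (msg:"Blocked Incoming Traffic"; sid:1000002; rev:1;)'
PACKETS = {  # constructed packets; 10.0.0.5 is an assumed host on the other side of the sensor
    "tcp from blocked host": Packet("tcp", "192.168.1.100", "10.0.0.5", 51000, 80),
    "icmp from blocked host": Packet("icmp", "192.168.1.100", "10.0.0.5"),  # what a ping test yields
    "syn to blocked host": Packet("tcp", "10.0.0.5", "192.168.1.100", 51001, 22),
    "syn-ack from blocked host": Packet("tcp", "192.168.1.100", "10.0.0.5", 22, 51001),
}

def demo():
    """packet name -> (tcp rule inline, ip rule inline, tcp rule passive)."""
    tcp_rule, ip_rule = parse_rule(BLOCK_TCP), parse_rule(BLOCK_IP)
    return {n: (verdict(tcp_rule, p, True), verdict(ip_rule, p, True), verdict(tcp_rule, p, False))
            for n, p in PACKETS.items()}

if __name__ == "__main__":
    for name, (t_in, i_in, t_pas) in demo().items():
        print(f"{name:26} tcp/inline={t_in:5} ip/inline={i_in:5} tcp/passive={t_pas}")
    print("page's 'host' form valid:", rule_is_valid('drop tcp host 192.168.1.100 any -> any any (msg:"x"; sid:1;)'))
```

The output shows why the verification step is worded as it is: the SYN to the blocked host passes but the SYN-ACK from it is dropped, so a TCP connection times out, while the ICMP echo from the same host sails through the tcp rule and would only be caught by the ip variant. With inline set to False every matched packet comes back as alert, never drop.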