Snort from scratch (Part I)

An IDS is a security tool, that allow us to monitor our network events searching attempts to compromise the security of our systems. It’s possible matching predefinied rules emulating the behaviour of an attack and it’s possible to deny the package or simply alert us to an email or sending messages to log. Basically we can find two types of IDS:
  • HIDS: Host based IDS, monitors the activity of a single machine, searching anomaling behaviors.
  • NID: Network IDS, capture and analyze network packages to search attack patterns.
Generally an IDS can be located in each network segment, for example front of the firewall or back of the firewall or also can be implemented in the same firewall if we have a small network traffic, with this way we can analyze all input and output traffic.
SNORT
Snort is a NIDS, implements real time scanning of attack detection and port scanning detecting. The basic architecture of snort:
  • Packet capture module: Used to capture network traffic using libpcap library.
  • Decoder: It ensures to form the data structures of the packages captured and identify the network protocol.
  • Preprocessor: prepocessors are plugins developed generally in C and process the packets provided by the decoder and ensambles the packets received. This preprocessors are configured in snort.conf file configuration. Some preprocessor examples may be:
    - sfPortscan
    - Frag3
    - HTTP
    - SSH
    - To see a complete list visit: http://manual.snort.org/node17.html
  •  Detection engine: Analyze the packets based in our rules configued.
  •  Detection plugins: Used to modify the behaviour of the detection engine.
  • Output plugins: Defines how and where saves the alters and the packages generated.

For this post I’ll explain how to install and configure snort from the source code in CentOS 6 and download free ruleset for snort and configure for be used.
Installing dependencies and preparing the environment
- Installing rpmforge repository:
- Install prerequisites packages:

# yum -y install libdnet libdnet-devel libpcap libpcap-devel daq gcc make flex bison pcre pcre-devel zlib zlib-devel
- Downloading and installing daq:

# cd /tmp ; wget http://www.snort.org/downloads/1850 -O daq-1.1.1.tar.gz
# tar -xzvf daq-1.1.1.tar.gz
# cd daq-1.1.1/
# ./configure
# make && make install
# ldconfig -v
- Creating snort user and tree directories:

# groupadd snort
# useradd -g snort snort
# mkdir /usr/local/snort
# mkdir /etc/snort
# mkdir /var/log/snort
# mkdir /var/run/snort
# chown snort:snort /var/log/snort
# chown snort:snort /var/run/snort
Installing Snort and configuring the ruleset
- Downloading and installing snort:

# cd /tmp ; wget http://www.snort.org/downloads/1862 -O snort-2.9.3.1.tar.gz
# tar -xzvf snort-2.9.3.1.tar.gz
# cd snort-2.9.3.1/
# ./configure --prefix /usr/local/snort --enable-sourcefire --enable-ipv6
# make && make install
# ln -s /usr/local/snort/bin/snort /usr/bin/snort
# cp /tmp/snort-2.9.3.1/etc/snort.conf /etc/snort/
# cp /tmp/snort-2.9.3.1/etc/unicode.map /etc/snort/
# cp /tmp/snort-2.9.3.1/etc/classification.config /etc/snort/
# cp -r /usr/local/snort/lib/snort_dynamicpreprocessor/ /usr/local/lib/
# cp -r /usr/local/snort/lib/snort_dynamicengine /usr/local/lib/
- Downloading open source ruleset from emerging:

# cd /etc/snort ; wget http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz && wget http://rules.emergingthreats.net/open/snort-2.9.0/reference.config
# tar -xzvf emerging.rules.tar.gz
# touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
# chown -R snort:snort /etc/snort/
- Edit snort configuration:

# vi /etc/snort/snort.conf

ipvar HOME_NET 192.168.1.0/24
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
include $RULE_PATH/emerging.conf
output alert_full /var/log/snort/alert
Configuring the init script for Snort
- Create sysconfig snort configuration:

# vi /etc/sysconfig/snort

#### General Configuration
INTERFACE=eth0
CONF=/etc/snort/snort.conf
USER=snort
GROUP=snort
PASS_FIRST=0
#### Logging & Alerting
LOGDIR=/var/log/snort
ALERTMODE=fast
DUMP_APP=1
BINARY_LOG=1
NO_PACKET_LOG=0
PRINT_INTERFACE=0
- Adding the init script:


# vi /etc/init.d/snortd

#!/bin/bash
#
# snort Start up the Snort Intrusion Detection System daemon #
# chkconfig: 2345 55 25
# description: Snort is a Open Source Intrusion Detection System
# This service starts up the snort daemon. #
# processname: snort
# pidfile: /var/run/snort_eth0.pid
### BEGIN INIT INFO
# Provides: snort
# Required-Start: $local_fs $network $syslog
# Required-Stop: $local_fs $syslog
# Should-Start: $syslog
# Should-Stop: $network $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start up the Snort Intrusion Detection System daemon
# Description: Snort is an application for Open Source Intrusion Detection.
# This service starts up the Snort IDS daemon.
### END INIT INFO
# source function library
. /etc/rc.d/init.d/functions
# pull in sysconfig settings
[ -f /etc/sysconfig/snort ] && . /etc/sysconfig/snort
RETVAL=0
prog="snort"
lockfile=/var/lock/subsys/$prog
# Some functions to make the below more readable
SNORTD=/usr/bin/snort
#OPTIONS="-A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort"
#PID_FILE=/var/run/snort_eth0.pid
# Convert the /etc/sysconfig/snort settings to something snort can
# use on the startup line.
if [ "$ALERTMODE"X = "X" ]; then
ALERTMODE=""
else
ALERTMODE="-A $ALERTMODE"
fi
if [ "$USER"X = "X" ]; then
USER="snort"
fi
if [ "$GROUP"X = "X" ]; then
GROUP="snort"
fi
if [ "$BINARY_LOG"X = "1X" ]; then
BINARY_LOG="-b"
else
BINARY_LOG=""
fi
if [ "$LINK_LAYER"X = "1X" ]; then
LINK_LAYER="-e"
else
LINK_LAYER=""
fi
if [ "$CONF"X = "X" ]; then
CONF="-c /etc/snort/snort.conf"
else
CONF="-c $CONF"
fi
if [ "$INTERFACE"X = "X" ]; then
INTERFACE="-i eth0"
PID_FILE="/var/run/snort_eth0.pid"
else
PID_FILE="/var/run/snort_$INTERFACE.pid"
INTERFACE="-i $INTERFACE"
fi
if [ "$DUMP_APP"X = "1X" ]; then
DUMP_APP="-d"
else
DUMP_APP=""
fi
if [ "$NO_PACKET_LOG"X = "1X" ]; then
NO_PACKET_LOG="-N"
else
NO_PACKET_LOG=""
fi
if [ "$PRINT_INTERFACE"X = "1X" ]; then
PRINT_INTERFACE="-I"
else
PRINT_INTERFACE=""
fi
if [ "$PASS_FIRST"X = "1X" ]; then
PASS_FIRST="-o"
else
PASS_FIRST=""
fi
if [ "$LOGDIR"X = "X" ]; then
LOGDIR=/var/log/snort
fi
# These are used by the 'stats' option
if [ "$SYSLOG"X = "X" ]; then
SYSLOG=/var/log/messages
fi
if [ "$SECS"X = "X" ]; then
SECS=5
fi
if [ ! "$BPFFILE"X = "X" ]; then
BPFFILE="-F $BPFFILE"
fi
runlevel=$(set -- $(runlevel); eval "echo $$#" )
start()
{
[ -x $SNORTD ] || exit 5
echo -n $"Starting $prog: "
daemon --pidfile=$PID_FILE $SNORTD $ALERTMODE $BINARY_LOG $LINK_LAYER $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST $BPFFILE $BPF && success || failure
RETVAL=$?
[ $RETVAL -eq 0 ] && touch $lockfile
echo
return $RETVAL
}
stop()
{
echo -n $"Stopping $prog: "
killproc $SNORTD
if [ -e $PID_FILE ]; then
chown -R $USER:$GROUP /var/run/snort_eth0.* && rm -f /var/run/snort_eth0.pi*
fi
RETVAL=$?
# if we are in halt or reboot runlevel kill all running sessions
# so the TCP connections are closed cleanly
if [ "x$runlevel" = x0 -o "x$runlevel" = x6 ] ; then
trap TERM
killall $prog 2> /dev/null
trap TERM
fi
[ $RETVAL -eq 0 ] && rm -f $lockfile
echo
return $RETVAL
}
restart() {
stop
start
}
rh_status() {
status -p $PID_FILE $SNORTD
}
rh_status_q() {
rh_status > /dev/null 2>&;1
}
case "$1" in
start)
rh_status_q && exit 0
start
;;
stop)
if ! rh_status_q; then
rm -f $lockfile
exit 0
fi
stop
;;
restart)
restart
;;
status)
rh_status
RETVAL=$?
if [ $RETVAL -eq 3 -a -f $lockfile ] ; then
RETVAL=2
fi
;;
*)
echo $"Usage: $0 {start|stop|restart|status}"
RETVAL=2
esac
exit $RETVAL
- Start snort at system boot time:


# chmod +x /etc/init.d/snortd
# chkconfig --levels 235 snortd on
- Starting snort:


# /etc/init.d/snortd start
Testing the basic functionality of port scanning detection with nmap

# tail -f /var/log/snort/alert

Nhận xét

Đăng nhận xét

Bài đăng phổ biến từ blog này

CLEANING UP THE ZABBIX DATABASE

My Zabbix database size increased a lot in the last few months and since my disk was running out space, I decided to clean up the old events from the database. Looking at the database tables, the biggest one was  history_uint , which holds the items history data – over 400 millions of records and over 30 Gb of disk space before the clean up. Since deleting the old records from this table directly would be a very slow process, I decided to create a new table and insert the latest records from the  history_uint  table and then just replace the old table with a new one. Since this is not an offical procedure, use it at your own risk. Environment: Zabbix v2.2 MySql 5.1 – InnoDB with  innodb_file_per_table=ON Step 1 – Stop the Zabbix server Step 2 – Open your favourite MySQL client and create a new table CREATE TABLE  history_uint_new  LIKE  history_uint; Step 3 – Insert the latest records from the  history_uint  table to the...
Đọc thêm

Connect to a different port with SQL Server Management Studio

Hình ảnh
Microsoft's SQL Server Management Studio will connect by default to port 1433 and there's nowhere in the connect dialog to specify a different port from the default. To connect using a different port specify the servername, a comma, and then the port number as shown in this post. Connect using a different port using a comma The connection dialog in the SQL Server Management Studio client is shown in the screenshot below. Normally you would just type the server name into field but to specify a different port use a comma then the port number. The example screenshot above shows " 192.168.50.166\SQLSERVER2012 " as the instance name and "port" where the port would be. 192.168.50.166\SQLSERVER2012,1343 Then specify the login credentials, click the connect button, and assuming everything is correct it should then connect to the SQL Server. Setup specific port for SQL Server: Link: http://msdn.microsoft.com/en-us/library/ms177440.aspx
Đọc thêm

[Resolved] Amazon EC2 Redhat 7 using 6GB for the root space

Hình ảnh
I create new server with 10GB of HDD, but when i check on the command line, the root space only show 6GB. I'm using t2.micto and Redhat 7.0, disk type: XFS. - xvda1: boot partition - xvda2: root partition Fix Step: We have instance A with the volume VA. 1) Stop the current instace A 2) Snapshot the current volume VA of the instance A 3) Start the instance A 4) Create new volume with 25GB by using the snapshot of volume VA then we have new volume VB 5) Attach the new volume VB to the instance A as default (/dev/sdf) 6) From the ssh console, i use the lsblk command to list the disk. # lsblk 7) Using the xfs_repair to repair the /dev/xvdf2 ( yum install xfsprogs) # xfs_repair /dev/xvdf2 8) Continue as the image below 9) Remove the /dev/xvdf2, remember the start of this disk then we will create the new one with the same. 10) Using XFS command to repair the /dev/xvdf2 again. # xfs_repair /dev/xvdf2 11) Use the lsblk co...
Đọc thêm