11 January 2014, 15:43

We'll see here the easiest way to quickly install SNORT® on Debian 7, using the snort-mysql package.

The install will be : SNORT-MySQL / MySQL / APACHE2 / BASE

Here is the network topology used :

[ network topology diagram : I4a.gif ]

The IDS uses the port-mirroring capability of Router 1 ( a Cisco RV110W in this case ) so as to be able to sniff and monitor all of the Protected Network traffic.

As seen before, this direct SNORT-to-MySQL output method rates very low performance-wise and reliability-wise, and should never be used in a production environment ( the database output plugin was in fact removed from Snort 2.9.3 onwards, in favour of unified2 output read by Barnyard2 ). Nevertheless, it's an interesting first step for a SNORT newcomer, as it only uses apt-get software installation and thus doesn't require any software compilation.

 

We'll be using 3 passwords, that I'll name secret1, secret2 and secret3 here :

 

MySQL root password                   secret1

SNORT MySQL database user password    secret2

BASE GUI admin password               secret3

 

Tested under Debian 7.5 / Edited May 3 2014

 

( Ubuntu users : the snort-mysql package has been removed since Ubuntu 14.04. Ubuntu 13.10 was the last release to provide it ).

 

SNORT-MYSQL Installation

We first do a little network interface tuning, disabling generic and large receive offload so that Snort sees the packets as they were on the wire rather than segments merged by the NIC ( eth0 being the sniffing interface ) :

( some of the commands may fail if your NIC does not support the option. That's ok )

 

sudo ethtool -K eth0 gro off

sudo ethtool -K eth0 lro off

We install SNORT-MYSQL :

sudo apt-get update

sudo apt-get install snort-mysql

 

answers to the questions asked during the installation :

 

    192.168.1.0/24        ( net to protect )
    set database : yes

 

we perform a little cleanup ( the package leaves /etc/snort/db-pending-config as a marker until the database is configured, and the Snort init script refuses to start while it exists ; we remove it and let dpkg finish the pending configuration ) :

 

sudo rm /etc/snort/db-pending-config

sudo dpkg --configure --pending

 

 

MySQL/Apache2/Dependencies installation :

We then install the packages Apache2, MySQL and some dependencies :

sudo apt-get install apache2
sudo apt-get install libapache2-mod-php5

sudo apt-get install mysql-server

    [ enter Mysql-server root password = secret1 ]

sudo apt-get install libphp-adodb
( the informational message is ok )

We edit /etc/php5/apache2/php.ini :

 

sudo leafpad /etc/php5/apache2/php.ini

 

to look for the line "error_reporting" and change it to :

error_reporting = E_ALL & ~E_NOTICE

sudo service apache2 restart

sudo apt-get install php-pear
sudo apt-get install libwww-perl    ( probably already installed )
sudo apt-get install php5-gd

sudo pear config-set preferred_state alpha        ( needed because Image_Graph is only available as an alpha release on PEAR )
sudo pear channel-update pear.php.net
sudo pear install --alldeps Image_Color Image_Canvas Image_Graph

 

 

MySQL database setup

We set up the MySQL databases. The snort database user gets the password chosen above, secret2.




sudo mysql -u root -p

    ( Enter Mysql-server root password secret1 here )

create database snort;
create database archive;

grant usage on snort.* to snort@localhost;
grant usage on archive.* to snort@localhost;

set password for snort@localhost=PASSWORD('secret2');

grant all privileges on snort.* to snort@localhost;
grant all privileges on archive.* to snort@localhost;

flush privileges;

show tables;        ( we get a 'No database selected' error here, since no USE statement was issued. It's ok )
exit


We then load the SNORT DB schema shipped with the package :

cd /usr/share/doc/snort-mysql

sudo zcat create_mysql.gz | mysql -u snort -D snort -psecret2

( do note the -psecret2 option. There is no typo here, just append your user password directly to -p, without a space. Be aware that a password given on the command line is visible to every local user through the process list and ends up in your shell history ; acceptable for this one-off lab step, but prefer the interactive -p prompt or a ~/.my.cnf elsewhere. Once the schema is loaded, show tables in the snort database lists its tables, event and signature among them )

SNORT Configuration

We reconfigure Snort with the command:

sudo dpkg-reconfigure snort-mysql

 

here are the answers to the reconfiguration queries :

"Snort start method" : boot

( Informational screen on interfaces )

Listening interface : ethX ( choose the listening interface, i.e. the one connected to the mirrored port )

Protected network : 192.168.1.0/24

Disable promiscuous mode : no

Additional options : [ empty ]

Send e-mail : No

Set database : yes

    localhost        ( database host )

    snort            ( database name )

    snort            ( database user )

    secret2          ( database user password )


a few notes about the SNORT configuration

The configuration options entered here ( Protected network, ... ) are recorded in /etc/snort/snort.debian.conf. This file overrides the /etc/snort/snort.conf settings at boot-time.
Be aware of this.

Nevertheless, the regular and other snort settings live in /etc/snort/snort.conf. You need to be aware of them, and they need to be taken care of :

We quickly edit /etc/snort/snort.conf :

 

sudo leafpad /etc/snort/snort.conf

 

At the beginning of the file, we set up the network addresses we are protecting and the external net by modifying / uncommenting these lines :

ipvar HOME_NET 192.168.1.0/24
#ipvar EXTERNAL_NET any
ipvar EXTERNAL_NET !$HOME_NET

Doing this declares the protected net ( HOME_NET ) as well as EXTERNAL_NET : ipvar EXTERNAL_NET !$HOME_NET states that anything not in HOME_NET is considered external. This may seem trivial, but other setups are possible. As an example, EXTERNAL_NET any can be an interesting choice too : it tells the detection engine to consider ANY IP as external, so rules written as $EXTERNAL_NET -> $HOME_NET also fire on traffic between HOME_NET nodes. This is a more suspicious mode, as it further monitors the HOME_NET nodes themselves.

Again, remember that the HOME_NET value here is overridden by the one in /etc/snort/snort.debian.conf.


BASE installation and setup

We finally install the BASE GUI frontend ( the archive is fetched over plain HTTP ; compare it with the checksum published on the project page before extracting it ) :

cd /usr/src
sudo wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
sudo tar -zxf base-1.4.5.tar.gz
sudo cp -r base-1.4.5 /var/www/base
sudo chown -R www-data:www-data /var/www/base

sudo service apache2 restart

we set up the BASE GUI by pointing a web browser at the NIDS ( 192.168.1.240 here ) :

http://192.168.1.240/base

 

we answer the setup queries as follows :

 

A) path to ADOdb : /usr/share/php/adodb

B) alert database :
        snort            ( database name )
        localhost        ( database host )

        snort            ( database user )
        secret2          ( database user password )

   ( tick 'use archive' )

   archive database :
        archive          ( database name )
        localhost        ( database host )

        snort            ( database user )
        secret2          ( database user password )


C)    [BASE GUI admin name]
        secret3

        [BASE GUI admin full name]

nb : here, you set up the BASE GUI admin access. Ticking ' use authentication system ' locks GUI access behind a login / password. You can later add non-admin users, using the BASE GUI administration page.


D)    Click ' Create baseAG'
   

 

 

Limiting the GUI access to registered IPs

Optionally, you may want to limit BASE GUI access to certain IPs only. Besides limiting access with the network firewalls and the NIDS host firewall ( iptables ), we can also limit it at the Apache web server level. Here we allow only the local machine ( localhost ) and the 192.168.1.0/24 subnet, by editing /etc/apache2/sites-available/default ( Debian 7 ships Apache 2.2 ; on Apache 2.4, Debian 8 and later, the Order/allow directives below are replaced by a single Require ip 192.168.1.0/24 127.0.0.0/8 line ) :

sudo leafpad /etc/apache2/sites-available/default

we just have to add before the closing </VirtualHost> tag ( before the last line ) :

 

-----------------------------------------------------------------------------------
<Directory /var/www/base>
        Order allow,deny
        allow from 192.168.1.0/24
        allow from 127.0.0.0/8
</Directory>
-------------------------------------------------------------------------------------

sudo service apache2 restart



Writing some test rules

sudo leafpad /etc/snort/rules/local.rules

alert icmp any any -> $HOME_NET any (msg:"ICMP Test NOW!!!"; classtype:not-suspicious; sid:10000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP Test NOW!!!"; classtype:not-suspicious; sid:10000002; rev:1;)

sudo service snort restart

 

We can now ping or HTTP-browse the NIDS, and see the alerts recorded in the BASE GUI ( note that local rules use SIDs of 1,000,000 and above, the lower range being reserved for the official rulesets ).

 

Do note that BASE has a default 3-minute page refresh rate. Refresh manually if needed.
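As an added example ( not from the original post, nor part of Snort ) : the following shell script checks a local.rules file before Snort is restarted. It flags SIDs below 1,000,000 ( the range reserved for the official rulesets ), duplicate SIDs and rules without a sid or a rev, the mistakes that make the ruleset loading test fail and leave the sensor stopped after a restart. The script, its function name and the one-rule-per-line assumption are mine ; run it as sh check_local_rules.sh /etc/snort/rules/local.rules.

```sh
#!/bin/sh
# Added example, not part of the original post: a sanity check for
# /etc/snort/rules/local.rules before "service snort restart".
# Snort reserves SIDs below 1000000 for the official rulesets, so local rules
# should use 1000000 and up, every SID must be unique, and each rule needs a
# rev. A rule that breaks these constraints makes "snort -T" fail and leaves
# the sensor stopped after a restart. One rule per line is assumed (backslash
# continuation lines are not handled).

# Prints "line N: problem" for each issue found in the rules file given as
# argument; returns 0 when the file is clean, 1 otherwise.
check_local_rules() {
    awk '
        /^[ \t]*#/ { next }            # comment line
        /^[ \t]*$/ { next }            # blank line
        {
            if (match($0, /sid:[ \t]*[0-9]+/)) {
                sid = substr($0, RSTART, RLENGTH)
                sub(/sid:[ \t]*/, "", sid)
                if (sid + 0 < 1000000) {
                    printf "line %d: sid %s is in the range reserved for official rules\n", NR, sid
                    problems++
                }
                if (sid in seen) {
                    printf "line %d: sid %s already used on line %d\n", NR, sid, seen[sid]
                    problems++
                } else {
                    seen[sid] = NR
                }
            } else {
                printf "line %d: rule has no sid\n", NR
                problems++
            }
            if ($0 !~ /rev:[ \t]*[0-9]+/) {
                printf "line %d: rule has no rev\n", NR
                problems++
            }
        }
        END { exit (problems > 0) }
    ' "$1"
}

# Usage: sh check_local_rules.sh /etc/snort/rules/local.rules
if [ $# -gt 0 ]; then
    check_local_rules "$1"
fi
```

Run it right after editing local.rules and before the restart ; a non-zero exit means the file is not worth loading yet.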

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
nb: The SNORT version installed here is SNORT 2.9.2.2.

It comes prefilled with a very basic ruleset :

the free (GPLv2) ruleset that was provided with Snort back in 2005, extended with the rules provided in the "Community" ruleset later on (in 2007).
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 

Manual snort commands for testing / troubleshooting :

sudo /usr/sbin/snort -v -i eth0
( raw sniffing test, no ruleset engaged )

sudo /usr/sbin/snort -A console -u snort -g snort -c /etc/snort/snort.conf -i eth0 -T
( only performs a configuration and ruleset loading test, then exits )

sudo /usr/sbin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
( full ruleset loaded / live console snorting )

Rules update using Pulledpork

The real golden tool for rules management / updating is Pulledpork ; we'll quickly see here how to update rules with it.

Pulledpork installation

At the time of this writing, the latest version is pulledpork 0.7.0.

First we need to install two libraries, to enable HTTPS download of the rules :

sudo apt-get install libssl-dev
sudo apt-get install libcrypt-ssleay-perl

We then download and install pulledpork :

cd /usr/src
sudo wget http://pulledpork.googlecode.com/files/pulledpork-0.7.0.tar.gz
sudo tar -zxf pulledpork-0.7.0.tar.gz
cd pulledpork-0.7.0
sudo cp pulledpork.pl /usr/local/bin
sudo cp etc/*.conf /etc/snort
sudo chmod +x /usr/local/bin/pulledpork.pl


here is a basic, stripped-down pulledpork.conf file :

sudo leafpad /etc/snort/pulledpork.conf
---------------------------------------------------------------------------------------------------------------------------------------------------
#rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot-2940.tar.gz|[oinkcode]
rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
#rule_url=http://rules.emergingthreats.net/open/snort-2.9.0/|emerging.rules.tar.gz|open-nogpl

ignore=deleted.rules,experimental.rules
temp_path=/tmp

rule_path=/etc/snort/rules/snort.rules
local_rules=/etc/snort/rules/local.rules
sid_msg=/etc/snort/sid-msg.map
sid_msg_version=1
sid_changelog=/var/log/sid_changes.log

# path of the snort binary ( the Debian package installs it at /usr/sbin/snort, the path used in the manual commands above, not /usr/local/bin )
snort_path=/usr/sbin/snort

#enablesid=/etc/snort/enablesid.conf
#dropsid=/etc/snort/dropsid.conf
#disablesid=/etc/snort/disablesid.conf
#modifysid=/etc/snort/modifysid.conf

version=0.7.0
----------------------------------------------------------------------------------------------------------------------------------------------------

 

Be careful, as pulledpork.conf is very 'space character' sensitive.

 

Do notice the first 3 lines, which are the URLs for the VRT registered rulefile, the VRT Community rulefile and the ETOpen rulefile. Uncomment them as you wish ( the registered one needs your oinkcode in place of [oinkcode] ).
Here, we will just try to pull the VRT community ruleset.
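As an added example ( not from the original post, nor part of pulledpork ) : a small lint for pulledpork.conf that turns the whitespace warning above into a check. It rejects any non-comment line that isn't a strict key=value ( spaces around =, or trailing whitespace ), and verifies that snort_path is an executable and that temp_path and the directories behind rule_path, local_rules, sid_msg and sid_changelog exist on the host ; a snort_path pointing at a binary that isn't there is exactly the kind of mistake it is meant to catch. The meaning of those options as paths follows the conf file above ; the function name and the checks are mine.

```sh
#!/bin/sh
# Added example, not part of the original post or of pulledpork: lint a
# pulledpork.conf before running pulledpork. The post warns that the file is
# whitespace sensitive, so every non-comment line must be a strict "key=value"
# (no spaces around "=", no trailing whitespace). The path options are also
# checked against the filesystem: snort_path must be an executable, temp_path
# a directory, and the parent directory of rule_path, local_rules, sid_msg and
# sid_changelog must exist. Prints "line N: problem" per issue; returns 0 when
# the file is clean, 1 otherwise.
lint_pulledpork_conf() {
    conf="$1"
    n=0
    problems=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;                      # blank line or comment
            *[[:space:]])
                echo "line $n: trailing whitespace"
                problems=$((problems + 1))
                continue ;;
        esac
        case $line in
            *=*) ;;
            *)  echo "line $n: not a key=value line"
                problems=$((problems + 1))
                continue ;;
        esac
        key=${line%%=*}
        value=${line#*=}
        case $key in
            ''|*[!A-Za-z0-9_]*)
                echo "line $n: key '$key' is empty or contains whitespace / odd characters"
                problems=$((problems + 1))
                continue ;;
        esac
        case $key in
            snort_path)
                [ -x "$value" ] || { echo "line $n: snort_path '$value' is not an executable"; problems=$((problems + 1)); } ;;
            temp_path)
                [ -d "$value" ] || { echo "line $n: temp_path '$value' is not a directory"; problems=$((problems + 1)); } ;;
            rule_path|local_rules|sid_msg|sid_changelog)
                [ -d "$(dirname "$value")" ] || { echo "line $n: directory for $key '$value' does not exist"; problems=$((problems + 1)); } ;;
        esac
    done < "$conf"
    [ "$problems" -eq 0 ]
}

# Usage: sh lint_pulledpork_conf.sh /etc/snort/pulledpork.conf
if [ $# -gt 0 ]; then
    lint_pulledpork_conf "$1"
fi
```

Run it as root ( the path checks need to see /etc/snort and the snort binary the way pulledpork will ) each time the conf is edited.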

SNORT .conf file :

 

As Pulledpork writes all rules ( including decoder/preprocessor rules and so_rules ) into a single consolidated file,

here is all that is needed in sections #7, #8 and #9 of snort.conf :

 

include $RULE_PATH/local.rules
include $RULE_PATH/snort.rules

All the rest needs to be commented-out or deleted.

Thus the end of snort.conf should look like this :

------------------------------------------------------------------------------------------------------------------------

###################################################
# Step #7: Customize your rule set
# For more information, see Snort Manual, Writing Snort Rules
#
# NOTE: All categories are enabled in this conf file
###################################################

# site specific rules
include $RULE_PATH/local.rules
include $RULE_PATH/snort.rules

 

# Event thresholding or suppression commands. See threshold.conf
include threshold.conf
---------------------------------------------------------------------------------------------------------------------------

 

 

To update the rules set :

sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -T -l

sudo service snort restart

nb :    -T limits the update to text-based rules ( no shared-object rules )
           -l logs the result of the update to syslog

If all goes ok, there shouldn't be any error message. Before restarting, it is worth running the ruleset loading test from the manual commands above ( snort -T ) : a rule that fails to parse would otherwise stop Snort at restart, leaving the network unmonitored.


To force the rule update ( process the rules even if the downloaded tarball is unchanged : pulledpork otherwise skips a tarball already sitting in /tmp, which only gets emptied at reboot ) :

sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -T -l -P
sudo service snort restart


To clean up all rules

sudo rm /etc/snort/rules/*.*
sudo touch /etc/snort/rules/local.rules

sudo touch /etc/snort/rules/snort.rules



Portscan detection setup


To enable basic portscan detection, we edit /etc/snort/snort.conf :

sudo leafpad /etc/snort/snort.conf

 

to uncomment this line :

preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { low } logfile { /var/log/snort/portscan.log }

( notice the space between { and /var/log ... and the same at the end )

sudo service snort restart

we can run a regular portscan against a protected host ( nmap 192.168.1.210 ) and then check the portscan.log file :

sudo cat /var/log/snort/portscan.log

 

nb : some scans get classified as attempted-recon or bad-unknown.

 

To have the BASE GUI display some portscan data

( this won't make the portscan bar fill up, which requires so_rules, but it allows some BASE GUI 'portscan' queries ) :

 

We edit /var/www/base/base_conf.php :

sudo leafpad /var/www/base/base_conf.php

 

to uncomment and complete this line :

$portscan_file = '/var/log/snort/portscan.log';        ( use an absolute path )

sudo service apache2 restart

sudo chmod a+r /var/log/snort/portscan.log

sudo chmod 755 /var/log/snort

( this makes the log readable by every local user so that www-data can read it ; a tighter option is to give only the www-data group read access to the file )


Some BASE GUI interesting options :

sudo leafpad /var/www/base/base_conf.php

To resolve IP to FQDN :

/* Resolve IP to FQDN (on certain queries?)
     *    1 : yes
     *    0 : no
     */
    $resolve_IP = 1;
   

To have alert-priority coloring :

 

    /* This option is used to set if BASE will use colored results
     * based on the priority of alerts
     * 0 : no
     * 1 : yes
     */
    $colored_alerts = 1;



To empty the alerts database

We can do this using the BASE GUI :

Cache & Status > Clear Data Tables

then :

sudo service snort restart

( the SNORT restart is mandatory for new alerts to get displayed again )

 

- SNORT® is a registered trademark  of Sourcefire, Inc. -

 

 

Published by Computer Outlines, in NIDS