12 January 2014, 20:32

We'll set up here a more robust SNORT® design, using the Barnyard2 spooler. The full software chain will be:

SNORT / Barnyard2 / Mysql / Apache2 / BASE


This configuration is a little more complicated to set up and troubleshoot, and requires some software compilation. But only then do we get a really robust and reliable SNORT setup. Furthermore, SNORT's direct MySQL output has been removed since SNORT 2.9.3.0.

 

 

We'll be using three passwords here:

MySQL Server root password             secret1
SNORT MySQL database user password     secret2
BASE GUI access                        secret3

I'll be using secret1, secret2 and secret3 as example passwords throughout this post.

I assume eth0 is the sniffing interface throughout this post.

 

Tested under Debian 7.5 / Edited June 03 2014

( Ubuntu users, see here. There are differences )

 

 

1. SNORT Install and Setup

We do the usual update/upgrade :

 

sudo apt-get update

sudo apt-get upgrade

 

We set the SNORT machine with a static IP (192.168.1.240) and reboot.

 

 

We apply some network fine-tuning (not all options may be available on your NIC). GRO and LRO let the NIC merge received segments into larger packets before the kernel sees them, so with them on, SNORT would inspect traffic that differs from what was actually on the wire:

sudo ethtool -K eth0 gro off

sudo ethtool -K eth0 lro off

 

and begin the snort installation:

 

sudo apt-get install snort


We answer the question about the protected subnet, here:

    192.168.1.0/24


We edit snort.conf:

sudo leafpad /etc/snort/snort.conf



Line #45 :

ipvar HOME_NET 192.168.1.0/24

Line #48 :

ipvar EXTERNAL_NET !$HOME_NET

Line #298 - add this to the end after “decompress_depth 65535” :

max_gzip_mem 104857600

Line #526: uncomment and modify the line into:

output unified2: filename snort.log, limit 128, mpls_event_types, vlan_event_types

 

Line #536: we comment out the line (we don't want snort to log tcpdumps):
# pcap
#output log_tcpdump: tcpdump.log

 

We edit /etc/snort/rules/local.rules to include those two test rules :

 

alert icmp any any -> $HOME_NET any (msg:"ICMP Test NOW!!!"; classtype:not-suspicious; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP Test NOW!!!"; classtype:not-suspicious; sid:1000002;  rev:1;)

 

We restart snort :

 

sudo service snort restart

 

We delete previous log entries if any (we changed the log format to use time-stamps, and we don't want snort to perform tcpdumps):

 

sudo rm /var/log/snort/snort.log

sudo rm /var/log/snort/tcpdump.log.*

sudo rm /var/log/snort/alert

(nb: line #45 is not really needed, as it's overridden by /etc/snort/snort.debian.conf. I do it for coherency.

Likewise, edit /etc/snort/snort.debian.conf to choose the sniffing interface if several NICs are present.)

 

2. First test of Snort

sudo snort -i eth0 -v

(normally we get live snort sniffing output). CTRL+C to stop.

 

We do a config loading test :

sudo snort -A console -u snort -g snort -c /etc/snort/snort.conf -i eth0 -T

 

 

Let's finally launch SNORT in live alert console mode :

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

If we ping our SNORT IDS or try to browse it from another computer, alerts should be displayed.


CTRL+C to exit

3. Barnyard2 Setup

We first install the compile dependencies and the barnyard2 dependencies:

 sudo apt-get install autoconf

 sudo apt-get install libtool                                                               (##check number )

 sudo apt-get install libpcap-dev

 sudo apt-get install libmysqlclient-dev

 

We get and install barnyard2:

 cd /usr/src

 sudo wget https://github.com/firnsy/barnyard2/tarball/master

 sudo tar -zxf master

 cd firnsy-barnyard2*

 sudo autoreconf -fvi -I ./m4

 sudo ./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu

 ( on a 64-bit Debian, the MySQL client libraries live under /usr/lib/x86_64-linux-gnu instead; adjust the path accordingly )

 sudo make

 sudo make install

 sudo cp /usr/local/etc/barnyard2.conf /etc/snort

 sudo cp schemas/create_mysql /usr/src

 sudo mkdir /var/log/barnyard2

 

 

We edit barnyard2.conf:

sudo leafpad /etc/snort/barnyard2.conf


Line #227 change to :
output alert_fast                                      ( instead of output alert_fast: stdout )


Near the end, line #348, uncomment and complete:

output database: log, mysql, user=snort password=secret2 dbname=snort host=localhost

4. MySQL setup

sudo apt-get install mysql-server

    [ enter Mysql-server root password here : secret1 ]

 

We set up our database:

 

sudo mysql -u root -p

    [ secret1 ]

 

We enter these lines at the mysql> prompt:

 

create database snort;

create database archive;

grant usage on snort.* to snort@localhost;

grant usage on archive.* to snort@localhost;

set password for snort@localhost=PASSWORD('secret2');

grant all privileges on snort.* to snort@localhost;

grant all privileges on archive.* to snort@localhost;

flush privileges;

exit

 

 

We populate the MySQL database with the Snort table structure:

sudo mysql -u root -p

 

              [ secret1 ]

 

mysql>

use snort;

source /usr/src/create_mysql;

show tables;                                                 # you should see the list of new tables you just imported.

exit



5. Snort and Barnyard2 testing

We check the SNORT service is started :

sudo service snort restart

 
We manually launch Barnyard2 :

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/barnyard2/bylog.waldo -C /etc/snort/classification.config


Barnyard2 will probably fatally exit due to a missing sid-msg.map file. This file is no longer included in the Snort source but is required by Barnyard2.

To solve this problem, we will use an oinkmaster script named create-sidmap.pl to generate the sid-msg.map
( we will later install and configure PulledPork, which manages the sid-msg.map file )

sid-msg.map creation :

cd /usr/share/oinkmaster

sudo bash -c "./create-sidmap.pl /etc/snort/rules > /etc/snort/sid-msg.map"
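To see what the sid-msg.map should contain, here is an added example (not part of the original post, and not oinkmaster's create-sidmap.pl): a minimal POSIX sh + awk builder that emits the "sid || msg" lines Barnyard2 expects from a set of rules files. The function names build_sidmap and write_sample_rules are chosen here, and the sample rules file is constructed from the two local.rules test rules above plus a commented-out rule that must be ignored.

```shell
#!/bin/sh
# Added example, not from the original post and not oinkmaster's
# create-sidmap.pl: a minimal sid-msg.map builder in POSIX sh + awk.
# It emits the "sid || msg" format that Barnyard2 reads, so you can
# check what the real script should produce from /etc/snort/rules.
# Caveat: it does not handle msg strings containing escaped quotes
# and does not append reference: fields as create-sidmap.pl does.

# build_sidmap FILE... : print one "sid || msg" line per active rule, sorted by sid.
build_sidmap() {
    awk '
        # only real rule lines (commented-out rules start with #)
        $1 ~ /^(alert|log|pass|drop|reject|sdrop)$/ {
            sid = ""; msg = ""
            if (match($0, /sid:[ \t]*[0-9]+/)) {
                sid = substr($0, RSTART, RLENGTH)
                sub(/sid:[ \t]*/, "", sid)
            }
            if (match($0, /msg:[ \t]*"[^"]*"/)) {
                msg = substr($0, RSTART, RLENGTH)
                sub(/msg:[ \t]*"/, "", msg)
                sub(/"$/, "", msg)
            }
            if (sid != "" && msg != "") print sid " || " msg
        }' "$@" | sort -n
}

# Constructed sample rules file (the two test rules from local.rules above,
# plus a commented-out one that must be ignored).
write_sample_rules() {
    cat > "$1" <<'EOF'
# local.rules - constructed sample
alert icmp any any -> $HOME_NET any (msg:"ICMP Test NOW!!!"; classtype:not-suspicious; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP Test NOW!!!"; classtype:not-suspicious; sid:1000002; rev:1;)
# alert tcp any any -> $HOME_NET 22 (msg:"disabled rule"; sid:1000003; rev:1;)
EOF
}

# Usage on the real rules: build_sidmap /etc/snort/rules/*.rules > /etc/snort/sid-msg.map
if [ "$#" -gt 0 ]; then
    build_sidmap "$@"
fi
```

Comparing this output with the file produced by create-sidmap.pl is a quick way to confirm that every rule Barnyard2 will see has a matching entry; a sid missing from the map is what produces the "fatally exit" behaviour described above.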


We launch barnyard2, and this time we should get no error:

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/barnyard2/bylog.waldo -C /etc/snort/classification.config

CTRL+C to exit barnyard2

 

6. Barnyard2 boot-time autorun

( note : this startup script is very sensitive to the script name. It works using runbarnyard2, but fails with autobarnyard2, autobarn, barn, barnyard2, by2, ... Under investigation )


We need Barnyard2 to be automatically started at boot-time. Let's make a quick and easy boot-time script.

( This is a very light and easy script, not to use in a production environment ).

 

sudo touch /etc/init.d/runbarnyard2

sudo leafpad /etc/init.d/runbarnyard2

-----------------------------------------------------------------------------------------------
#!/bin/sh
### BEGIN INIT INFO
# Provides:          runbarnyard2
# Required-Start:    $remote_fs $syslog mysql snort
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Barnyard2 unified2 spooler for Snort
### END INIT INFO
# The LSB header above is what update-rc.d / insserv expects on Debian 7;
# the script runs as root at boot, so no sudo is needed inside it.

case "$1" in
    start)
        echo "Starting Barnyard2"
        # -D : daemon mode, -n : only process new records
        barnyard2 -D -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -n
        echo 'Barnyard2 started.'
    ;;
    stop)
        echo "Stopping Barnyard2"
        killall barnyard2
        echo 'Barnyard2 stopped.'
    ;;
    restart)
        "$0" stop
        sleep 4
        "$0" start
    ;;
    *)
        echo "usage: $0 (start|stop|restart)"
    ;;
esac

exit 0
-----------------------------------------------------------------------------------------------

 
sudo chmod 700 /etc/init.d/runbarnyard2

sudo update-rc.d runbarnyard2 defaults

 

We modify Barnyard2 to launch as a daemon, by uncommenting the daemon line:

sudo leafpad /etc/snort/barnyard2.conf
------------------------------------------------------------

# enable daemon mode
#
config daemon
-------------------------------------------------------------

 

Usage :

sudo /etc/init.d/runbarnyard2 start/stop/restart

 

( Do note Barnyard2 is launched with the -n switch: only new records are processed. )

 

For more ideas about Barnyard2 boot-time run, see here

 

 
7. Apache2 / BASE GUI frontend setup

Apache2 setup :

sudo apt-get install apache2

sudo apt-get install libapache2-mod-php5

sudo apt-get install libphp-adodb

( the info message is OK )


Edit "/etc/php5/apache2/php.ini", look for the line #463 "error_reporting" and change it to:

error_reporting = E_ALL & ~E_NOTICE

 

 

We restart apache2 :

sudo service apache2 restart

We install the BASE dependencies :

sudo apt-get install php-pear

sudo apt-get install libwww-perl                                                       ( normally already installed )

sudo apt-get install php5-gd



sudo pear config-set preferred_state alpha

sudo pear channel-update pear.php.net

sudo pear install --alldeps Image_Color Image_Canvas Image_Graph


BASE install :

cd /usr/src

sudo wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz

sudo tar -zxf base-1.4.5.tar.gz

sudo cp -r base-1.4.5 /var/www/base

sudo chown -R www-data:www-data /var/www/base

sudo service apache2 restart


BASE setup :

We launch a local web browser:

http://localhost/base

Step 1)  ADODB path:                      /usr/share/php/adodb

Step 2)  Database Name:                   snort
         Database Host:                   localhost
         Database User Name:              snort
         Database Password:               secret2

         ( tick 'Use Archive Database' )

         Archive Database Name:           archive
         Archive Database Host:           localhost
         Archive Database User Name:      snort
         Archive Database Password:       secret2

Step 3)  tick 'Use Authentication System' ( it enables the BASE login screen lock )

         Admin User Name:                 john
         Password:                        secret3
         Full Admin Name:                 John Doe

Step 4)  Click 'Create BASE AG'

Step 5)  Click 'Now continue to step 5' and log in ( john / secret3 )

 
A few ping and HTTP alerts should be displayed ( red bar ). The web page is automatically refreshed every 3 minutes.

 

8. syslog logging

 

Snort syslog logging:

To set up snort syslog logging ( useful for debugging snort ), we uncomment line #533 in snort.conf:

 

sudo leafpad /etc/snort/snort.conf

------------------------------------------------------------
output alert_syslog: LOG_AUTH LOG_ALERT

------------------------------------------------------------

 

 

and restart snort :

 

sudo service snort restart

 


The log can be viewed using:

sudo grep snort /var/log/auth.log


nb :      LOG_AUTH is the logging facility ( configurable )

            LOG_ALERT is the severity level ( configurable )

 

Example using the local0 facility:

output alert_syslog: LOG_LOCAL0 LOG_ALERT


sudo grep snort /var/log/syslog

 

Except for debugging purposes, logging should be performed at the Barnyard2 level.

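As an added example (not part of the original post), here is a small POSIX sh + awk script that goes one step further than the grep above: it summarises the snort alerts found in auth.log per signature id, with the number of distinct source addresses that triggered each one. The sample log lines are constructed, modelled on the line shape alert_syslog produces ("[gid:sid:rev] msg [Classification: ...] [Priority: N] {proto} src -> dst"); the names write_sample_auth_log and summarize_snort_syslog are chosen here.

```shell
#!/bin/sh
# Added example (not part of the original post): count the alerts Snort's
# alert_syslog output wrote to auth.log, per signature id, and how many
# distinct source addresses triggered each one.
# Each alert line has the shape
#   snort[PID]: [gid:sid:rev] msg [Classification: ...] [Priority: N] {proto} src -> dst

# Constructed sample, modelled on that format (not a real capture):
# two ICMP test hits and one HTTP test hit from the same host, plus an
# unrelated sshd line that must be ignored.
write_sample_auth_log() {
    cat > "$1" <<'EOF'
Jan 12 20:32:10 ids snort[2345]: [1:1000001:1] ICMP Test NOW!!! [Classification: Not Suspicious Traffic] [Priority: 3] {ICMP} 192.168.1.50 -> 192.168.1.240
Jan 12 20:32:11 ids snort[2345]: [1:1000001:1] ICMP Test NOW!!! [Classification: Not Suspicious Traffic] [Priority: 3] {ICMP} 192.168.1.50 -> 192.168.1.240
Jan 12 20:32:15 ids snort[2345]: [1:1000002:1] HTTP Test NOW!!! [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.50:51234 -> 192.168.1.240:80
Jan 12 20:32:20 ids sshd[2400]: Accepted publickey for admin from 192.168.1.50 port 50000 ssh2
EOF
}

# summarize_snort_syslog FILE : print "count [gid:sid:rev] distinct_sources", busiest first.
summarize_snort_syslog() {
    grep 'snort\[' "$1" | awk '
        {
            # the signature id is the first [gid:sid:rev] token
            if (!match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/)) next
            id = substr($0, RSTART, RLENGTH)
            # the source address is the token just before "->" (strip a :port suffix)
            src = ""
            for (i = 2; i <= NF; i++) if ($i == "->") src = $(i - 1)
            sub(/:[0-9]+$/, "", src)
            count[id]++
            if (!((id, src) in seen)) { seen[id, src] = 1; nsrc[id]++ }
        }
        END { for (id in count) print count[id], id, nsrc[id] }' | sort -rn
}

# Usage on the real log: summarize_snort_syslog /var/log/auth.log
if [ "$#" -gt 0 ]; then
    summarize_snort_syslog "$1"
fi
```

With the LOG_LOCAL0 variant above, point it at /var/log/syslog instead; the grep on "snort[" is what keeps unrelated auth.log entries (sshd, sudo) out of the count.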
Barnyard2 Syslog logging :

 

The syntax is the same. We edit barnyard2.conf, line #265:

sudo leafpad /etc/snort/barnyard2.conf

--------------------------------------------------------------------------
output alert_syslog: LOG_AUTH LOG_ALERT

--------------------------------------------------------------------------

 

or

 

--------------------------------------------------------------------------

output alert_syslog: LOG_LOCAL0 LOG_ALERT

--------------------------------------------------------------------------

 

We then restart barnyard2 to apply the changes :

 

sudo /etc/init.d/runbarnyard2 restart

 

Besides the regular security-oriented syslog or tcpdump tasks, which are Barnyard2's role, using syslog is useful for Barnyard2 debugging too.

 

9. Basic Portscan detection

Complete portscan detection requires SNORT Shared Objects / Shared Object Rules, which we'll see later. Still, we can implement a basic version:

sudo leafpad /etc/snort/snort.conf

We uncomment and modify the portscan line ( line #418 ) :

# Portscan detection.  For more information, see README.sfportscan

preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { medium } logfile { /var/log/snort/portscan.log }

We restart snort :

 

sudo service snort restart

 

A regular Nmap/Zenmap scan ( nmap 192.168.1.240) on the SNORT IDS will trigger alerts.

Portscans can be checked using:

sudo cat /var/log/snort/portscan.log


We then enable portscan.log lookups by BASE:

We edit base_conf.php, line #290:

 

sudo leafpad /var/www/base/base_conf.php

$portscan_file = '/var/log/snort/portscan.log';                                                  ###using an absolute path

sudo service apache2 restart

sudo chmod a+r /var/log/snort/portscan.log

sudo chmod 755 /var/log/snort


To empty the portscan log :

sudo bash -c "cat /dev/null > /var/log/snort/portscan.log"

 

( just deleting it would remove our custom file permissions )

10. DNS resolution, Alert coloring and Database Emptying


Some interesting BASE GUI options:

sudo leafpad /var/www/base/base_conf.php

To resolve IP to FQDN :

/* Resolve IP to FQDN (on certain queries?)
     *    1 : yes
     *    0 : no
     */
    $resolve_IP = 1;
  

 

Note: to have local hosts registered, edit /etc/hosts to add them, e.g.:

192.168.1.120              PC1.local

Then update the BASE GUI IP caches: Cache & Status > Update IP Caches / Rebuild IP Caches

 

To have alert-priority coloring:

/* This option is used to set if BASE will use colored results
     * based on the priority of alerts
     * 0 : no
     * 1 : yes
     */
    $colored_alerts = 1;



To empty the alerts database:

We can do this using the BASE GUI: Cache & Status > Clear Data Tables, then restart Barnyard2:

sudo /etc/init.d/runbarnyard2 restart

( The Barnyard2 restart is mandatory for alerts to get displayed again. )
Do note that logs and alerts may need to be deleted too. Read next.

 
11. To delete all alerts and logs

Emptying the MySQL database is enough to clear the BASE GUI display, but the next Barnyard2 launch will go through the recorded snort alert files again, skipping the old ones. Furthermore, emptying via the BASE GUI keeps the portscan logs.

To avoid this, here is what is needed to empty all the logged alerts:

sudo service snort stop
sudo /etc/init.d/runbarnyard2 stop

sudo rm /var/log/snort/snort.log.*

sudo bash -c "cat /dev/null > /var/log/snort/portscan.log"
sudo rm /var/log/barnyard2/*

Then, empty the Snort MySQL database using the BASE GUI.

Then, either reboot or restart Snort and Barnyard2.

 

This cleanup may be integrated as a fourth option in your /etc/init.d/runbarnyard2 script.

See here for some examples.
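As an added example (not part of the original post), here is how that fourth option could look: the cleanup above wrapped in POSIX sh functions, with the directories taken from variables so that the file-level part can be exercised on a scratch directory before it is wired into the init script. The names clean_logs, remaining_spool_files, full_clean, SNORT_LOG_DIR, BY2_LOG_DIR and PORTSCAN_LOG are chosen here; the paths default to the ones used in this post.

```shell
#!/bin/sh
# Added example (not part of the original post): the section 11 cleanup
# as shell functions, ready to become a "clean" option of
# /etc/init.d/runbarnyard2. Directory names default to the ones used in
# this post and can be overridden through the environment.

SNORT_LOG_DIR="${SNORT_LOG_DIR:-/var/log/snort}"
BY2_LOG_DIR="${BY2_LOG_DIR:-/var/log/barnyard2}"
PORTSCAN_LOG="${PORTSCAN_LOG:-$SNORT_LOG_DIR/portscan.log}"

# Remove the unified2 spool files and the barnyard2 waldo, and truncate
# portscan.log instead of deleting it: deleting would drop the a+r
# permission set in section 9 and BASE could no longer read it.
clean_logs() {
    rm -f "$SNORT_LOG_DIR"/snort.log.*
    rm -f "$BY2_LOG_DIR"/*
    if [ -f "$PORTSCAN_LOG" ]; then
        : > "$PORTSCAN_LOG"
    fi
}

# Count the spool/waldo files still present (0 after a successful clean).
remaining_spool_files() {
    n=0
    for f in "$SNORT_LOG_DIR"/snort.log.* "$BY2_LOG_DIR"/*; do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Full sequence: stop both daemons, clean, restart. The MySQL tables still
# have to be emptied from the BASE GUI (Cache & Status > Clear Data Tables).
full_clean() {
    service snort stop
    /etc/init.d/runbarnyard2 stop
    clean_logs
    service snort start
    /etc/init.d/runbarnyard2 start
}

# As a "clean" case of the init script: ./runbarnyard2 clean
if [ "${1:-}" = "clean" ]; then
    full_clean
fi
```

Stopping both daemons first matters: Snort keeps its current unified2 file open, and Barnyard2 rewrites the waldo as it reads, so deleting either while they run leaves the spooler pointing at a file that no longer exists.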

 

- SNORT® is a registered trademark  of Sourcefire, Inc. -

 

Published by computer outlines - in NIDS