2 February 2014, 19:42

Ubuntu 14.04 LTS is here; let's see how to set up our SNORT® IDS for this new LTS.

 

We'll build a basic setup here, using the Barnyard2 spooler. The full software chain will be :

SNORT / Barnyard2 / MySQL / Apache2 / BASE


 

This configuration is a little more complicated to set up and troubleshoot than the now deprecated SNORT-MySQL setup, and requires some software compilation. But only then do we get a really robust and reliable SNORT. Furthermore, direct SNORT MySQL output has been removed since SNORT 2.9.3.0.

I assume eth0 is the SNORT IDS sniffing interface throughout this post.

 

We'll be using three passwords here :

MySQL Server root password             secret1
SNORT MySQL databases user password    secret2
BASE GUI access                        secret3

I'll be using secret1, secret2 and secret3 as example passwords throughout this post.

Tested under Ubuntu 14.04 LTS / Edited May 30 2014

 

Debian users : see here for the equivalent Debian config ( there are differences ).

 

1. SNORT Install and Setup

We first do the usual apt-get update / upgrade :

 

sudo apt-get update

sudo apt-get upgrade

 

We give the SNORT machine a static IP ( 192.168.1.240 ) and reboot.

We apply some networking fine-tuning ( not all options may be available on your NIC ) :

 

sudo apt-get install ethtool

 

sudo ethtool -K eth0 gro off
sudo ethtool -K eth0 lro off

and begin the snort installation :

sudo apt-get install snort


During the snort install, we answer the question about the protected subnet, here :

    192.168.1.0/24


We edit snort.conf :

sudo gedit /etc/snort/snort.conf


Line #51 :

ipvar HOME_NET 192.168.1.0/24

Line #536, we modify the line into :

output unified2: filename snort.log, limit 128, mpls_event_types, vlan_event_types

 

We restart SNORT :

 

sudo service snort restart

 

We delete the previous log entries ( we changed the log format, which now uses time-stamps ) :

 

sudo rm /var/log/snort/snort.log

 

 

( nb: line #51 is not really needed, as it's overridden by /etc/snort/snort.debian.conf. I do it for consistency.

Likewise, edit /etc/snort/snort.debian.conf to choose the sniffing interface if several NICs are present. )

 

We edit /etc/snort/rules/local.rules to include these two test rules :

sudo gedit /etc/snort/rules/local.rules

alert icmp any any -> $HOME_NET any (msg:"ICMP Test NOW!!!"; classtype:not-suspicious; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP Test NOW!!!"; classtype:not-suspicious; sid:1000002; rev:1;)

 

 

 

2. First test of Snort

sudo snort -i eth0 -v

( normally we get live packet sniffing ). CTRL+C to stop.

We do a config loading test :

sudo snort -A console -u snort -g snort -c /etc/snort/snort.conf -i eth0 -T

Let's finally launch SNORT in live alert console mode :

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

If we ping our SNORT IDS or try to browse it from another computer, alerts should be displayed.

CTRL+C to stop


3. Barnyard2 Setup

We first install the compilation dependencies and the barnyard2 dependencies :

sudo apt-get install autoconf

sudo apt-get install libtool

sudo apt-get install libpcap-dev

sudo apt-get install libmysqlclient-dev

 

We get and install barnyard2 :

cd /usr/src

sudo wget https://github.com/firnsy/barnyard2/tarball/master

sudo tar -zxf master

cd firnsy-barnyard2*

sudo autoreconf -fvi -I ./m4

sudo ./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu

sudo make

sudo make install

sudo cp /usr/local/etc/barnyard2.conf /etc/snort

sudo cp schemas/create_mysql /usr/src

sudo mkdir /var/log/barnyard2

 

We edit barnyard2.conf :

sudo gedit /etc/snort/barnyard2.conf


Line #227, change to :

output alert_fast        ( instead of output alert_fast: stdout )


Near the end, line #348, uncomment and complete :

output database: log, mysql, user=snort password=secret2 dbname=snort host=localhost

( Replace secret2 with your chosen MySQL user password. )


4. MySQL setup

sudo apt-get install mysql-server

    [ enter Mysql-server root password here : secret1 ]

We setup our database :

sudo mysql -u root -p

    [ Enter Mysql-server root password : secret1 ]

We enter these lines in the mysql> console :

create database snort;
create database archive;

grant usage on snort.* to snort@localhost;
grant usage on archive.* to snort@localhost;

set password for snort@localhost=PASSWORD('secret2');

grant all privileges on snort.* to snort@localhost;
grant all privileges on archive.* to snort@localhost;

flush privileges;

exit

 

 

We populate the MySQL database with the Snort table structure :

sudo mysql -u root -p

    [ enter mysql root-password here : secret1 ]

mysql>

use snort;

source /usr/src/create_mysql;

show tables;        # you should see the list of new tables you just imported.

exit



5. Snort and Barnyard testing

We check the SNORT service is started :

 

sudo service snort restart

 

We manually launch Barnyard2 :

sudo /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/barnyard2/bylog.waldo -C /etc/snort/classification.config



Barnyard2 will probably fatally exit due to a missing sid-msg.map file. This file is no longer included in the Snort source but is required by Barnyard2.

To solve this problem, we will use an oinkmaster script named create-sidmap.pl to generate the sid-msg.map
( we will later install and configure PulledPork, which manages the sid-msg.map file )

sid-msg.map creation :

cd /usr/share/oinkmaster

sudo bash -c "./create-sidmap.pl /etc/snort/rules > /etc/snort/sid-msg.map"


we launch barnyard2, and this time we should get no error :

sudo /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/barnyard2/bylog.waldo -C /etc/snort/classification.config

CTRL+C to exit barnyard2
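As an added example ( not from the original post ), here is a small POSIX sh / awk function that produces the same " sid || msg || reference ... " map format that Barnyard2 reads, straight from a rules directory. It is handy to compare against the create-sidmap.pl output, or to check that the local.rules test sids made it into /etc/snort/sid-msg.map ; the command above assumes the oinkmaster package is installed, since that package provides the create-sidmap.pl script. The same function applies to the create-sidmap.pl note in the third post below.

```shell
#!/bin/sh
# gen_sidmap RULES_DIR
# Print a sid-msg.map ( "sid || msg" plus one " || reference" per reference
# keyword ) from every *.rules file in RULES_DIR, sorted and deduplicated by sid.
# Added example, not part of the original post: it only parses the fields
# Barnyard2 needs ( sid, msg, reference ), which is what create-sidmap.pl emits.
gen_sidmap() {
    rulesdir=$1
    cat "$rulesdir"/*.rules 2>/dev/null | awk '
        # only real rule lines, not comments or variable definitions
        /^[ \t]*(alert|log|pass|drop|reject|sdrop)[ \t]/ {
            sid = ""; msg = ""; refs = ""
            # sid:1000001;  or  sid: 1000001;
            if (match($0, /sid:[ \t]*[0-9]+/)) {
                sid = substr($0, RSTART + 4, RLENGTH - 4)
                gsub(/[ \t]/, "", sid)
            }
            # msg:"text";  ( the quotes are stripped in the map )
            if (match($0, /msg:[ \t]*"[^"]*"/)) {
                msg = substr($0, RSTART, RLENGTH)
                sub(/^msg:[ \t]*"/, "", msg)
                sub(/"$/, "", msg)
            }
            # zero or more reference:<system>,<id>; keywords
            line = $0
            while (match(line, /reference:[ \t]*[^;]+;/)) {
                ref = substr(line, RSTART + 10, RLENGTH - 11)
                gsub(/^[ \t]+|[ \t]+$/, "", ref)
                refs = refs " || " ref
                line = substr(line, RSTART + RLENGTH)
            }
            if (sid != "" && msg != "") print sid " || " msg refs
        }' | sort -n -u
}

# usage example ( as root, to write the file Barnyard2 reads ):
#   gen_sidmap /etc/snort/rules > /etc/snort/sid-msg.map
```

Running `gen_sidmap /etc/snort/rules | grep '^100000'` after the local.rules edit of section 1 should list the two test rules.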

 

 

6. Barnyard2 boot-time autorun

 

We need Barnyard2 to be automatically started at boot-time. Let's make a quick and easy boot-time script.

( This is a very light and easy script, not to use in a production environment ).

This script is very sensitive to the name you use. I advise you to stick with runbarnyard2.

 

sudo touch /etc/init.d/runbarnyard2

sudo gedit /etc/init.d/runbarnyard2

-----------------------------------------------------------------------------------------------

#!/bin/sh

case $1 in
    start)
        echo "Starting Barnyard2"
        sudo bash -c "barnyard2 -D -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -n"
        echo 'Barnyard2 started.'
    ;;
    stop)
        echo "Stopping Barnyard2"
        sudo killall barnyard2
        echo 'Barnyard2 stopped.'
    ;;
    restart)
        $0 stop

        sleep 4
        $0 start
    ;;
    *)
        echo "usage: $0 (start|stop|restart)"
    ;;
esac

exit 0
-----------------------------------------------------------------------------------------------

 

sudo chmod 700 /etc/init.d/runbarnyard2

sudo update-rc.d runbarnyard2 defaults 21 00

 

We modify Barnyard2 to launch as a daemon, by uncommenting the daemon line:

sudo gedit /etc/snort/barnyard2.conf
------------------------------------------------------------

# enable daemon mode
#
config daemon
-------------------------------------------------------------

 

Usage :

sudo /etc/init.d/runbarnyard2 start/stop/restart

 

( Do note Barnyard2 is launched with the -n switch : only new records are processed ).

 

For more ideas about running Barnyard2 at boot time, see here.

 

 

7. Apache2 / BASE GUI frontend setup

Apache2 setup :

sudo apt-get install apache2

sudo apt-get install libapache2-mod-php5

sudo apt-get install libphp-adodb

( info message is OK )


Edit "/etc/php5/apache2/php.ini", look for the line "error_reporting" and change it to:

error_reporting = E_ALL & ~E_NOTICE

We edit /etc/apache2/apache2.conf to add access permissions for /var/www/html/base :

 

-----------------------------------------------------------------------------------------------------

<Directory /var/www/html/base>
    AllowOverride All
    Require all granted
</Directory>
-----------------------------------------------------------------------------------------------------

 

 

We restart apache2 :


sudo service apache2 restart

 

We install the BASE dependencies :

sudo apt-get install php-pear

sudo apt-get install libwww-perl        ( usually already installed )

sudo apt-get install php5-gd



sudo pear config-set preferred_state alpha

sudo pear channel-update pear.php.net

sudo pear install --alldeps Image_Color Image_Canvas Image_Graph

 

At this point you will get an error, facing the very annoying ' could not extract the package.xml file ' bug. This is due to a change in pear that broke something. Let's dodge this problem :

 

Dodging the PEAR invalid package.xml bug

 

We have to go into the pear download directory and manually install the 6 pear packages ( 3 requested + 3 dependencies ).

Here's how :

 

cd /build/buildd/php5-5.5.9+dfsg/pear-build-download

ls

 

The 6 .tgz packages should be there. Let's install them manually :

 

sudo tar zxf Image_Color*.tgz

sudo cp package.xml ./Image_Color*/

cd Image_Color*

sudo pear install package.xml

cd ..

 

Do this for the 6 packages, in this order :

Image_Color
Image_Canvas
Numbers_Roman
Math_BigInteger
Numbers_Words
Image_Graph
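The six manual steps above, as one loop ( an added example, not from the original post ). The download directory defaults to the one given on this page ; the package order is the one listed above, and the optional dry-run argument only prints the pear command, so the unpacking logic can be checked on any machine without PEAR.

```shell
#!/bin/sh
# Manual PEAR install loop for the "could not extract the package.xml file" bug.
# Added example, not part of the original post. Run as root ( sudo sh ) for a
# real install, since the download directory is owned by root.
PEAR_DOWNLOAD_DIR="${PEAR_DOWNLOAD_DIR:-/build/buildd/php5-5.5.9+dfsg/pear-build-download}"
# install order from the post: the 3 requested packages and their 3 dependencies
PEAR_PACKAGE_ORDER="Image_Color Image_Canvas Numbers_Roman Math_BigInteger Numbers_Words Image_Graph"

# install_pear_pkg DIR NAME [DRYRUN]
# Unpack NAME-<version>.tgz found in DIR, copy the top-level package.xml into the
# unpacked NAME-<version>/ directory and run "pear install package.xml" there,
# exactly as the manual steps do.
install_pear_pkg() {
    pkg_dir=$1; pkg_name=$2; dry_run=${3:-0}
    tgz=$(ls "$pkg_dir"/"$pkg_name"-*.tgz 2>/dev/null | head -n 1)
    if [ -z "$tgz" ]; then
        echo "missing tarball for $pkg_name in $pkg_dir" >&2
        return 1
    fi
    # each .tgz holds package.xml at top level plus a NAME-<version>/ tree; the
    # top-level package.xml is overwritten by the next extraction, hence copy it now
    tar zxf "$tgz" -C "$pkg_dir" || return 1
    unpacked=$(ls -d "$pkg_dir"/"$pkg_name"-*/ 2>/dev/null | head -n 1)
    unpacked=${unpacked%/}
    if [ ! -d "$unpacked" ]; then
        echo "no unpacked directory for $pkg_name" >&2
        return 1
    fi
    cp "$pkg_dir/package.xml" "$unpacked/" || return 1
    if [ "$dry_run" = 1 ]; then
        echo "pear install $unpacked/package.xml"
    else
        ( cd "$unpacked" && pear install package.xml )
    fi
}

# install_all_pear_pkgs [DIR] [DRYRUN]
# Stop at the first failure: the order matters because of the dependencies.
install_all_pear_pkgs() {
    all_dir=${1:-$PEAR_DOWNLOAD_DIR}; all_dry=${2:-0}
    for name in $PEAR_PACKAGE_ORDER; do
        install_pear_pkg "$all_dir" "$name" "$all_dry" || return 1
    done
}

# usage:  install_all_pear_pkgs                 ( real install, as root )
#         install_all_pear_pkgs /some/dir 1     ( dry run, prints the pear commands )
```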

 

 

 

 

BASE install :

cd /usr/src

sudo wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz

sudo tar -zxf base-1.4.5.tar.gz

sudo cp -r base-1.4.5 /var/www/html/base

sudo chown -R www-data:www-data /var/www/html/base

sudo service apache2 restart


BASE setup :

we launch a local web browser :

http://localhost/base

 

Step 1) path : /usr/share/php/adodb

Step 2) Database Name : snort
        Database Host : localhost
        Database User Name : snort
        Database Password : secret2

        ( tick 'Use Archive Database' )
        Archive Database Name : archive
        Archive Database Host : localhost
        Archive Database User Name : snort
        Archive Database Password : secret2

Step 3) tick 'use authentication system' ( it enables the BASE login screen lock )
        Full admin name ( john )
        [GUI password] ( secret3 )
        Full admin name ( John Doe )

Step 4) Click ' Create baseAG'

Step 5) Click ' Now continue to Step 5 ' and login ( john / secret3 )

 

 

A few ping and http alerts should be displayed ( red bar ). The web page is refreshed every 3 minutes.

 

Note : there is a problem with Ubuntu 14.04 LTS : in the BASE GUI, Graph Alert Data seems broken.

 

8. syslog logging


To set up snort syslog logging ( useful for debugging snort ) :

We uncomment this line in snort.conf :

output alert_syslog: LOG_AUTH LOG_ALERT

+ restart snort ( sudo service snort restart, or use your /etc/init.d/ script )

The log can be viewed using :

sudo grep snort /var/log/auth.log

nb :     LOG_AUTH is the logging facility ( configurable )

            LOG_ALERT is the severity level ( configurable )

 

Except for debugging purpose, logging should be performed at Barnyard2 level. The syntax is the same :

 

sudo gedit /etc/snort/barnyard2.conf

--------------------------------------------------------------------------

output alert_syslog: LOG_AUTH LOG_ALERT

--------------------------------------------------------------------------

 

+ restart barnyard2 ( using your /etc/init.d script )

It is useful for Barnyard2 debugging too.

 

9. Basic Portscan detection

Complete Portscan detection requires SNORT Shared Objects / Shared Object Rules, which we'll be seeing later. Still, we can implement a basic function :

sudo gedit /etc/snort/snort.conf

We uncomment and modify this line ( #428 usually ) :

# Portscan detection.  For more information, see README.sfportscan

preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { medium } logfile { /var/log/snort/portscan.log }

 

 

We restart snort :

 

sudo service snort restart

 

 

A regular Nmap/Zenmap scan ( nmap 192.168.1.240) on the SNORT IDS will trigger alerts.

 

Portscans can be checked using :

sudo cat /var/log/snort/portscan.log

( check the permissions of /var/log/snort/portscan.log : a chown snort:snort portscan.log is necessary )


We then enable portscan.log lookups by BASE :

sudo gedit /var/www/html/base/base_conf.php

 

line 290 :

$portscan_file = '/var/log/snort/portscan.log';

( use an absolute path )

sudo service apache2 restart

sudo chmod a+r /var/log/snort/portscan.log

sudo chmod 755 /var/log/snort



10. DNS resolution, Alert coloring and Database Emptying


Some interesting BASE GUI options :

sudo gedit /var/www/html/base/base_conf.php

To resolve IP to FQDN :

/* Resolve IP to FQDN (on certain queries?)
     *    1 : yes
     *    0 : no
     */
    $resolve_IP = 1;
 

To have alert-priority coloring :

/* This option is used to set if BASE will use colored results
     * based on the priority of alerts
     * 0 : no
     * 1 : yes
     */
    $colored_alerts = 1;



To empty the SNORT MySQL alerts database :

We can do this using the BASE GUI :

Cache & Status > Clear Data Tables

then restart Barnyard2 :

sudo /etc/init.d/runbarnyard2 restart

( The Barnyard2 restart is mandatory for alerts to get displayed again )

Do note that logs and alerts may need to be deleted too. Read on.

 

11. To delete all alerts and logs

 

Emptying the MySQL database is enough to clear the BASE GUI display, but the next Barnyard2 launch will go through the recorded snort alerts again, skipping only the old ones. Furthermore, portscan.log won't get deleted. To avoid this, here is what is needed to empty all the logged alerts :

 

sudo service snort stop
sudo /etc/init.d/runbarnyard2 stop


sudo rm /var/log/snort/snort.log.*

sudo bash -c "cat /dev/null > /var/log/snort/portscan.log"
sudo rm /var/log/barnyard2/*

Then cleanup the MySQL database using the BASE GUI.

 

Then, either reboot or restart Snort and Barnyard2.

 

This cleanup may be integrated as a fourth option in your /etc/init.d/runbarnyard2 script.

 

See here for some examples.

 

 

- SNORT® is a registered trademark of Sourcefire, Inc. -

 

Published by computer outlines - in NIDS
14 January 2014, 22:09


When compiled from sources, SNORT doesn't seem to provide an /etc/init.d script.
Besides this, Barnyard2 needs to be started too.

Let's see some autostart scripts for SNORT and Barnyard2.

 


 

Tested on Ubuntu 14.04 LTS and Debian 7.5/ Edited June 03 2014

 

Beware of the sniffing interface in the scripts. If you are not using eth0, change it accordingly.

 

Notes : These scripts are provided as examples, for experimentation and learning. They are not fit for a production environment, where a certified Linux system admin is needed.

 

1. Quick easy way

 

sudo gedit /etc/init.d/snortautorun

------------------------------------------------------------------------------------------------
#!/bin/bash

sudo snort -D -u snort -g snort -c /etc/snort/snort.conf -i eth0

exit 0
---------------------------------------------------------------------------------------------------

sudo chmod +x /etc/init.d/snortautorun

sudo update-rc.d snortautorun defaults




2. A Cleaner way

This script is a little more structured, and compliant with good practice.

sudo gedit /etc/init.d/snortautorun

---------------------------------------------------------------------------------------------------
#!/bin/bash
### BEGIN INIT INFO
# Provides:          snortautorun
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start daemon at boot time
# Description:       Enable service provided by daemon.
### END INIT INFO


case "$1" in
  start)
    sudo snort -D -u snort -g snort -c /etc/snort/snort.conf -i eth0

    echo "SNORT is ON"
    ;;
  stop)

    echo "trying to stop Snort"
    sudo killall snort
    sleep 4
    echo "  "
    echo "try this command to verify SNORT is stopped :"
    echo "ps -A | grep snort"
    ;;
  *)
    echo "Usage: /etc/init.d/snortautorun {start|stop}"
    exit 1
    ;;
esac

exit 0
-------------------------------------------------------------------------------------------------------------------------

sudo chmod +x /etc/init.d/snortautorun

sudo update-rc.d snortautorun defaults


Nb : snort is running before login.



3. Complete Start / Stop Script with run-autodetect

This script provides start / stop capabilities, and can detect whether snort is already running.

This script is a little more structured, and compliant with good practice.

sudo gedit /etc/init.d/snortautorun

---------------------------------------------------------------------------------------------------------------------------------
#!/bin/bash
### BEGIN INIT INFO
# Provides:          snortautorun
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start daemon at boot time
# Description:       Enable service provided by daemon.
### END INIT INFO


case "$1" in
  start)
    if ps -C snort > /dev/null; then
      echo "SNORT is already running"
    else
      sudo snort -D -u snort -g snort -c /etc/snort/snort.conf -i eth0
      echo "SNORT is ON"
    fi
    ;;
  stop)
    if ps -C snort > /dev/null; then
      # remove snort's pid and lock files ( named after the sniffing interface ), then stop it
      sudo rm /var/run/snort_eth0.pid
      sudo rm /var/run/snort_eth0.pid.lck
      echo "Stopping SNORT"
      sudo pkill snort
    else
      echo "SNORT is already OFF"
    fi
    ;;
  *)
    echo "Usage: /etc/init.d/snortautorun {start|stop}"
    exit 1
    ;;
esac

exit 0
------------------------------------------------------------------------------------------------------------------------------------------------

sudo chmod +x /etc/init.d/snortautorun

sudo update-rc.d snortautorun defaults


Nb : snort is running before login.


4. SNORT Reference Script

For comparison, you may want to have a look at the init.d script installed by apt-get install snort.
I'll copy it here asap.



5. Barnyard2 Startup Script

A basic Barnyard2 script

 

 

sudo touch /etc/init.d/runbarnyard2
sudo gedit /etc/init.d/runbarnyard2
-----------------------------------------------------------------------------------------------
#!/bin/sh

case $1 in
    start)
        echo "Starting Barnyard2"
        sudo bash -c "barnyard2 -D -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -n"
        echo 'Barnyard2 started.'
    ;;
    stop)
        echo "Stopping Barnyard2"
        sudo killall barnyard2
        echo 'Barnyard2 stopped.'
    ;;
    restart)
        $0 stop

        sleep 4
        $0 start
    ;;
    *)
        echo "usage: $0 (start|stop|restart)"
    ;;
esac

exit 0
-----------------------------------------------------------------------------------------------

sudo chmod 700 /etc/init.d/runbarnyard2
sudo update-rc.d runbarnyard2 defaults


( note : Ubuntu users might get better results using : sudo update-rc.d runbarnyard2 defaults 21 00 )

( note2 : to remove a record, use : sudo update-rc.d -f runbarnyard2 remove )


We modify Barnyard2 to launch as a daemon, by uncommenting the daemon line:

gedit /etc/snort/barnyard2.conf :
------------------------------------------------------------
# enable daemon mode
#
config daemon
-------------------------------------------------------------

 

Usage :

sudo /etc/init.d/runbarnyard2 start/stop/restart

 

A Barnyard2/Data Cleanup script

 

Here is a script that adds a clean option, which stops SNORT and Barnyard2 and cleans all the logs ( /var/log/snort, /var/log/barnyard2 ). Do note how slack it is ( 2> /dev/null suppresses the error display. Really not to use in a production environment ! )

 

( note : if using a custom snort script, change 'sudo service snort stop' into the relevant line, ex : sudo /etc/init.d/snortautorun stop )

 

sudo touch /etc/init.d/runbarnyard2
sudo gedit /etc/init.d/runbarnyard2
-----------------------------------------------------------------------------------------------
#!/bin/sh

case $1 in
    start)
        echo " * Starting Barnyard2"
        sudo barnyard2 -D -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -n
    ;;
    stop)
        echo " * Stopping Barnyard2"
        sudo killall barnyard2
    ;;
    restart)
        $0 stop
        sleep 4
        $0 start
    ;;
    clean)
        echo "  "
        sudo service snort stop
        echo "  "
        $0 stop
        echo "  "
        sudo rm /var/log/snort/snort.log.* 2> /dev/null
        # the truncation must run as root : with "sudo cat ... > file" the file
        # would be opened by the calling user's shell, not by root
        sudo sh -c 'cat /dev/null > /var/log/snort/portscan.log'
        sudo rm /var/log/barnyard2/* 2> /dev/null
        echo "Snort and Barnyard2 Data Cleaned"
        echo "  "
        #echo "Snort and Barnyard2 Stopped / Data Cleaned"
        echo "Don't forget to empty the SNORT MySQL Database"
        echo "  "
    ;;
    *)
        echo "usage: $0 (start|stop|restart|clean)"
    ;;
esac

exit 0


-----------------------------------------------------------------------------------------------

sudo chmod 700 /etc/init.d/runbarnyard2
sudo update-rc.d runbarnyard2 defaults


( note : Ubuntu users might get better results using : sudo update-rc.d runbarnyard2 defaults 21 00 )

( note2 : to remove a record, use : sudo update-rc.d -f runbarnyard2 remove )

 

We modify Barnyard2 to launch as a daemon, by uncommenting the daemon line:

gedit /etc/snort/barnyard2.conf :
------------------------------------------------------------

# enable daemon mode
#
config daemon
-------------------------------------------------------------

 

Usage :

sudo /etc/init.d/runbarnyard2 start/stop/restart/clean

 

6. A Clever Barnyard2 Start/Stop/Restart/Cleanup Script

 

This script is a little more clever, as it detects whether barnyard2 is already running or stopped :

( note : if using a custom snort script, change 'sudo service snort stop' into the relevant line, ex : sudo /etc/init.d/snortautorun stop )

 

--------------------------------------------------------------------------------------------------------------------

#!/bin/sh

case $1 in
    start)
        echo " * Starting the Barnyard2 Spooler"
        sudo barnyard2 -D -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -n
        echo ' * Barnyard2 started.'
    ;;
    stop)
        echo " * Stopping the Barnyard2 Spooler"
        PIDFILE=/var/run/barnyard2_NULL.pid

        if [ ! -f "$PIDFILE" ]; then
            echo " * Barnyard2 is Not Running" >&2
            # 'return' is only valid inside a function : leave the script instead
            exit 1
        fi

        sudo kill -15 $(cat "$PIDFILE")
        sudo rm -f "$PIDFILE"
        sudo rm -f /var/run/barnyard2_NULL.pid.lck
        #sudo pkill barnyard2
        sleep 4
        echo ' * Barnyard2 stopped.'
    ;;
    restart)
        $0 stop
        $0 start
    ;;
    clean)
        echo "  "
        echo "Stopping SNORT"
        sudo service snort stop
        echo "SNORT is stopped"
        echo "  "

        echo "Stopping Barnyard2"
        $0 stop
        echo "Barnyard2 is stopped"
        echo "  "

        echo "Cleaning logs"
        # [ -f glob ] fails with "too many arguments" as soon as several
        # snort.log.* files exist, so test the glob with ls instead
        if ls /var/log/snort/snort.log.* > /dev/null 2>&1; then
            sudo rm /var/log/snort/snort.log.*
        else
            echo " * No Snort.log present"
        fi

        if [ "$(ls -A /var/log/barnyard2)" ]; then
            sudo rm /var/log/barnyard2/*.*
        else
            echo " * No Barnyard2 logs present"
        fi

        if [ -s /var/log/snort/portscan.log ]; then
            # the truncation must run as root, not in the calling user's shell
            sudo sh -c 'cat /dev/null > /var/log/snort/portscan.log'
            echo " * Portscan.log cleaned"
        else
            echo " * portscan.log is already empty"
        fi
        echo "  "

        echo "Logs Cleaned"
        echo "  "

        echo "Don't forget to empty the SNORT MySQL Database"
        echo "  "
        echo "  "
    ;;
    *)
        echo "usage: $0 (start|stop|restart|clean)"
    ;;
esac

exit 0


-------------------------------------------------------------------------------------------------------------------- 

 

 

7. Notes

 

 

The script shipped with the sources :

When compiling from sources, there is an rpm-family init script, but no Debian-family script.

The rpm script is of course not compatible with Debian / Ubuntu.

 

 

 


14 January 2014, 20:37

It is sometimes handy to be able to have the latest build. We'll see here how to install SNORT from sources for Debian 7.5 and Ubuntu 14.04 LTS, as well as some basic issues ( autostart, log, syslog ).

 


 

 

We'll see two ways to install from sources, either using checkinstall/dpkg or using make install.

We'll only see SNORT install here. The rest of the software chain ( Barnyard2 - MySQL - Apache2 - BASE ) is the same as in the previous parts.

 

All commands are implicitly run as root ( either with sudo -s, or sudo [ command ] ). The SNORT IDS interface is assumed to be eth0.


The SNORT IDS has all its IP addresses set static.

SNORT has two dependencies : DAQ and Libdnet. The install is done using the latest versions of the three pieces of software. As time moves on, check for the latest links/versions and adjust the version numbers.

 

Tested with Debian 7.5 and Ubuntu 14.04 LTS / Edited June 05 2014



1. SNORT install using checkinstall/dpkg

The checkinstall/dpkg method is useful as it creates a package file that is maintained by the package manager, can be cleanly removed, and has its dependencies tracked. Do note that it is not fit for package distribution.


sudo -s

 

networking fine-tuning :

 

apt-get install ethtool

 

ethtool -K eth0 gro off

ethtool -K eth0 lro off

 

( some commands might not be supported by your NIC. It's OK )

 

 

 

Data Acquisition library ( DAQ ) :
 

checkinstall will ask questions during the package creation process.

---------------------------------------------------------------------------------------------

default set ? : y

comments ? : Data-Acquisition API 2.0.2 + ENTER, then ENTER

any change ? : 5 + ENTER, then GPLv2
----------------------------------------------------------------------------------------------

 

apt-get install flex bison build-essential checkinstall libpcap0.8-dev libnet1-dev
wget http://www.snort.org/downloads/2778
tar zxf 2778
cd daq-2.0.2/
./configure
make
checkinstall

 

to remove the package : dpkg -r daq

to reinstall the package : dpkg -i daq_2.0.2-1_i386.deb

----
cd ..
-----

Libdnet :
 

---------------------------------------------------------------------------------------------

default set ? : y

comments ? : Libdnet API 1.11 + ENTER, then ENTER

any change ? : 5 + ENTER, then : Copyright (c) 2000-2006 Dug Song <dugsong@monkey.org> All rights reserved, all wrongs reversed.
----------------------------------------------------------------------------------------------

 

wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
tar zxf libdnet-1.12.tgz
cd libdnet-1.12/
./configure
make
checkinstall
ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1


( be careful with the version number of the symbolic link. Check /usr/local/lib to see the libdnet version )

 

to remove the package : dpkg -r libdnet

to reinstall the package : dpkg -i libdnet_1.12-1_i386.deb

 

----
cd ..
----

SNORT :
 

Debian users : some extra steps are needed at the end of the process. See Note 1.

---------------------------------------------------------------------------------------------

default set ? : y

comments ? : SNORT 2.9.6.0 + ENTER, then ENTER

any change ? : 5 + ENTER, then GPLv2

              10 + ENTER, then daq,libdnet

Some files are inside the home directory.
should I list them ? : n
should I exclude them ? : y
----------------------------------------------------------------------------------------------

 

 

apt-get install libpcre3-dev zlib1g-dev
wget http://www.snort.org/downloads/2787
tar zxf 2787
cd snort-2.9.6.0
./configure --enable-sourcefire
make
checkinstall
ldconfig
 

to remove the package : dpkg -r snort

to reinstall the package : dpkg -i snort_2.9.6.0-1_i386.deb

 

 

note 1 : Debian specific

 

checkinstall will fail due to some write permission problems. Message :

ranlib: could not create temporary file whilst writing archive: No more archived files

There are two solutions :

 

a. Easy and lazy :

 

make install

checkinstall

 

b. Manual folders creation :

 

sudo mkdir /usr/local/lib/snort_dynamicengine
sudo mkdir /usr/local/include/snort
sudo mkdir /usr/local/lib/snort
sudo mkdir /usr/local/lib/snort/dynamic_preproc
sudo mkdir /usr/local/lib/snort_dynamicpreprocessor/
sudo mkdir /usr/local/lib/snort/dynamic_output/
sudo mkdir /usr/local/share/doc
checkinstall

 

 

nb2 : since Snort 2.9.3.0, direct SNORT output to MySQL is removed, thus the ./configure --with-mysql option is no longer supported ( configure: WARNING: unrecognized options: --with-mysql )

nb3 : Thus libmysqlclient15-dev is unneeded

nb4 : There's a problem with libdnet getting upgraded ( the Debian libdnet package is the DECnet library of the same name ) which breaks snort.
To prevent the libdnet upgrade :
sudo apt-mark hold libdnet

To restore libdnet upgrade :
sudo apt-mark unhold libdnet

nb5 : The package can be found in the Ubuntu Software Center ( Ubuntu Software Center > Installed > Show technical items > System category ) :

. tick ' show technical items... '
. search for the package's true name or given name ( snort, or the comment name )



2. SNORT Install using Make Install

Another way to install SNORT and its two dependencies is to use the regular make install.

sudo -s

 

networking fine-tuning :

 

apt-get install ethtool

 

ethtool -K eth0 gro off

ethtool -K eth0 lro off

 

( some commands might not be supported by the NIC. It's OK )

 

 

Data Acquisition library ( DAQ ) :

apt-get install flex bison build-essential checkinstall libpcap0.8-dev libnet1-dev
wget http://www.snort.org/downloads/2778
tar zxf 2778
cd daq-2.0.2/
./configure
make
make install

----
cd ..
-----

Libdnet :

wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
tar zxf libdnet-1.12.tgz
cd libdnet-1.12/
./configure
make
make install
ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1


( be careful with the version number of the symbolic link. Check /usr/local/lib to see the libdnet version )


----
cd ..
----

SNORT :

apt-get install libpcre3-dev zlib1g-dev
wget http://www.snort.org/downloads/2787
tar zxf 2787
cd snort-2.9.6.0
./configure --enable-sourcefire
make
make install
ldconfig


nb : since Snort 2.9.3.0, direct SNORT output to MySQL is removed, thus the ./configure --with-mysql option is no longer supported ( configure: WARNING: unrecognized options: --with-mysql )

nb2 : Thus libmysqlclient15-dev is unneeded
 

 

 

3. SNORT Setup

Snort needs some folders, config files, and user/group setup :

sudo -s

mkdir /etc/snort
mkdir /etc/snort/rules
mkdir /var/log/snort
mkdir /usr/local/lib/snort_dynamicrules


Moving the Snort config files from the compilation folder :

Make sure that you are in the directory where you downloaded all the files.

cd /home/[user]

cd snort-2.9.6.0/etc

cp * /etc/snort

sudo touch /etc/snort/rules/local.rules
sudo touch /etc/snort/rules/white_list.rules
sudo touch /etc/snort/rules/black_list.rules

finally some group / user / permission setup :

sudo groupadd snort
sudo useradd -g snort snort
sudo chown snort:snort /var/log/snort


4. Quick Rules download

To perform quick tests, we'll download the community rules. Let's quickly get them :

cd /tmp

wget https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz

tar -zxf community-rules.tar.gz

rm community-rules.tar.gz

cd community-rules

now we copy all files into /etc/snort/rules :

cp * /etc/snort/rules

Let's finally edit the local.rules file to put four test rules in it :

gedit /etc/snort/rules/local.rules

alert icmp any any -> $HOME_NET any (msg:"ICMP IN Test NOW!!!"; sid: 1000001; classtype:not-suspicious; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP IN Test NOW!!!"; sid: 1000002; classtype:not-suspicious; rev:1;)
 

alert icmp $HOME_NET any -> any any (msg:"ICMP OUT Test NOW!!!"; sid: 1000003; classtype:not-suspicious; rev:1;)
alert tcp $HOME_NET any -> any 80 (msg:"HTTP OUT Test NOW!!!"; sid: 1000004; classtype:not-suspicious; rev:1;)

 

5. SNORT.conf Setup

We'll finally setup the SNORT config file :

gedit /etc/snort/snort.conf

change "ipvar HOME_NET any" to "ipvar HOME_NET [192.168.1.0/24,2001:db8:0:1:0:0:0:0/64]"
change "ipvar EXTERNAL_NET any" to "ipvar EXTERNAL_NET !$HOME_NET"
change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules"
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

we add these words at the end of the line, after decompress_depth 65535 ( near line #298 ) :

max_gzip_mem 104857600

we setup the output plugin in the output section ( line #520 ) :

output unified2: filename snort.log, limit 128, mpls_event_types, vlan_event_types

we comment out all the .rules include lines, except local.rules and community.rules

create-sidmap.pl script

The create-sidmap.pl script may be useful for sid-msg.map creation. Let's quickly get it :

cd /usr/src

sudo wget http://prdownloads.sourceforge.net/oinkmaster/oinkmaster-2.0.tar.gz

sudo tar -zxf oinkmaster-2.0.tar.gz

cd oinkmaster-2.0

cd contrib

sudo mkdir /usr/share/oinkmaster

cp create-sidmap.pl /usr/share/oinkmaster/
 


6. SNORT test

snort --help                                   ( snort help )

we do a config loading test :

snort -c /etc/snort/snort.conf -i eth0 -T

we launch a live sniffing ( CTRL+C to exit ) :

snort -i eth0 -v

we launch in alert console output mode ( CTRL+C to exit ) :

snort -A console -u snort -g snort -q -c /etc/snort/snort.conf -i eth0

Pinging or web browsing to the SNORT IDS IP should trigger alerts.

CTRL+C to exit

Do notice the use of -u snort -g snort, for proper permissions management. It is to be remembered.

 

7. SNORT logging

Let's quickly see how to have SNORT perform HDD or Syslog logging itself, even though it's Barnyard2's role to perform these tasks. It still may be useful for debugging purposes, or for some special-case installations.

Local log file :

Let's add a log file by adding to /etc/snort/snort.conf, in the output plugin section :

output alert_fast

the alerts will be logged in the file /var/log/snort/alert
( default setup )

Do not use -A console, or file logging won't be performed. Ie use :

sudo snort -u snort -g snort -q -c /etc/snort/snort.conf -i eth0
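As an added example, not part of the original post, here is a small POSIX shell script that summarizes the /var/log/snort/alert file written by the alert_fast plugin above : alerts per signature ( gid:sid and message ) and alerts per source IP. The SAMPLE_ALERTS lines are constructed by hand to mirror the alert_fast layout ( they use the post's own test sids 1000001 and 1000002 plus an sfportscan 122:1 event ) ; they were not captured from a real sensor, and the IPv4-only source extraction is an assumption of the example.

```shell
#!/bin/sh
# Added example (not from the blog post): summarize a Snort alert_fast file.
# SAMPLE_ALERTS is constructed by hand to mirror the alert_fast layout; the
# sids 1000001/1000002 are the post's own test rules, 122:1 is sfportscan.
SAMPLE_ALERTS='01/12-20:32:11.123456  [**] [1:1000001:1] ICMP Test NOW!!! [**] [Classification: Not Suspicious Traffic] [Priority: 3] {ICMP} 192.168.1.10 -> 192.168.1.240
01/12-20:32:12.654321  [**] [1:1000001:1] ICMP Test NOW!!! [**] [Classification: Not Suspicious Traffic] [Priority: 3] {ICMP} 192.168.1.10 -> 192.168.1.240
01/12-20:32:15.000001  [**] [1:1000002:1] HTTP Test NOW!!! [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.10:51234 -> 192.168.1.240:80
01/12-20:33:40.111111  [**] [122:1:1] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 192.168.1.10 -> 192.168.1.240'

# alert_counts: read alert_fast lines on stdin, print "count|gid:sid|msg",
# most frequent signature first.
alert_counts() {
    # sed keeps "gid:sid" and the message text between the two [**] markers
    sed -n 's/^[^[]*\[\*\*\] \[\([0-9]*:[0-9]*\):[0-9]*\] \(.*\) \[\*\*\].*$/\1|\2/p' |
    awk -F'|' '{ n[$1]++; msg[$1] = $2 }
               END { for (k in n) printf "%d|%s|%s\n", n[k], k, msg[k] }' |
    sort -t'|' -k1,1rn
}

# alerts_by_source: count alerts per IPv4 source address (the address before
# " -> "), stripping a TCP/UDP port if present.
alerts_by_source() {
    sed -n 's/.*} \([0-9.]*\)[:0-9]* -> .*/\1/p' | sort | uniq -c | sort -rn
}

# Stand-alone use: the post's default log file is /var/log/snort/alert;
# fall back to the constructed sample when it is not readable.
if [ -r /var/log/snort/alert ]; then
    alert_counts < /var/log/snort/alert
else
    printf '%s\n' "$SAMPLE_ALERTS" | alert_counts
fi
```

Run it as the snort user or with sudo so the alert file is readable ; the per-source count is a quick way to spot one noisy host behind a burst of test alerts before the data reaches Barnyard2 and BASE.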

 

Remote Syslogging capability :

leafpad /etc/snort/snort.conf

# syslog
output alert_syslog: LOG_LOCAL3 LOG_NOTICE

we edit the rsyslog conf file to forward the local3 facility to the remote syslog server ( IPv4 and IPv6 examples ) :

gedit /etc/rsyslog.conf

LOCAL3.NOTICE    @192.168.1.10:514
LOCAL3.NOTICE    @[2001:db8:0:1::10]:514

sudo service rsyslog restart

Do not use -A console, or syslog logging won't be performed. Ie use :

sudo snort -u snort -g snort -q -c /etc/snort/snort.conf -i eth0

 

 

 

8. SNORT Boot-time Autostart

We wish for SNORT to automatically start. Let's see a quick and easy way, as the next blog post will explore this issue more extensively.

A quick easy way :

sudo gedit /etc/init.d/snortautorun

-------------------------------------------------------------------
#!/bin/bash

sudo snort -D -u snort -g snort -c /etc/snort/snort.conf -i eth0

exit 0
--------------------------------------------------------------------

sudo chmod +x /etc/init.d/snortautorun

sudo update-rc.d snortautorun defaults

Nb : snort is then running before login.



9. Barnyard2 Integration

Let's quickly review how to integrate the Barnyard2 Spooler.

/etc/snort/snort.conf modifications :

We modify the output plugins by removing any :

output alert_fast

output alert_syslog

And make sure we have the unified2 output setup ( line #520 ) :

output unified2: filename snort.log, limit 128, mpls_event_types, vlan_event_types

The rest of the setup ( Barnyard2 / MySQL / Apache2 / BASE ) is documented here :

For Debian 7.5 / Get to Part 3 : Barnyard2 Setup

For Ubuntu 14.04 LTS / Get to Part 3 : Barnyard2 Setup

- SNORT® is a registered trademark of Sourcefire, Inc. -

Published by computer outlines - in NIDS
12 January 2014, 21:36

We'll see here how to have B.A.S.E. display the Alert World Map, which really does add some glitter to BASE.

( Screenshot S6a : nothing is implied by the choice of the countries displayed on this map. Actually countries I like ;-) )

This is tested on Debian 7.5 / Edited June 03 2014

( Does not seem to work with Ubuntu 14.04 LTS )

 

1. BASE WORLDMAP install

World Pictures Install :

We first have to find the PEAR directory :

pear config-show

we go to the PEAR directory ( usually /usr/share/php )
and to the subdir :

Image/Graph/Images/Maps/

we need to copy these two files there :

world_map6.png
world_map6.txt

they are located in /var/www/base/ and /usr/src/base-1.4.5/

ie :

sudo cp /var/www/base/world*.* /usr/share/php/Image/Graph/Images/Maps

binaries install :

sudo apt-get install geoip-bin
sudo apt-get install libgeo-ip-perl
sudo apt-get install libgeo-ipfree-perl

sudo find / -name "GeoIP.dat"
( note : case sensitive )
here it's at : /usr/share/GeoIP/GeoIP.dat

we cd in :

cd /usr/share/GeoIP/

sudo perl -MCPAN -e 'install Geography::Countries'

( Answer to the questions : yes / yes )

sudo perl -MCPAN -e 'install IP::Country'

sudo leafpad /var/www/base/base_conf.php

near the end of the .conf file, uncomment " $IP2CC..." and correct the ip2cc path ( if needed ) :

//$IP2CC = "/usr/bin/ip2cc";         becomes     $IP2CC = "/usr/local/bin/ip2cc";

cd /usr/lib/perl5/Geo

( explore the website http://cpansearch.perl.org/src/BRICAS/ to find the right version )

sudo wget http://cpansearch.perl.org/src/BRICAS/Geo-IPfree-1.140470/misc/ipct2txt.pl
sudo cp /usr/share/perl5/Geo/ipscountry.dat ./

sudo perl ipct2txt.pl ./ipscountry.dat /var/www/base/ips-ascii.txt

fix font problem :

There is a font display problem in BASE. The easiest way to fix it is this :

sudo leafpad /var/www/base/base_conf.php

comment all font names and uncomment $graph_font_name = "", ie :

font choice :
           // $graph_font_name = "Verdana";
           // $graph_font_name = "DejaVuSans";
           // $graph_font_name = "Image_Graph_Font";
           $graph_font_name = "";



2. World Map Display Test

The Worldmap alert display will fail if there are ONLY private IPs in the recorded alerts... We will use local.rules to trigger some alerts with public IPs. Ex :

--------------------------------------------------------------------------------------------------------------------------------------------------------------------
alert tcp any any -> $EXTERNAL_NET 80 (msg:"HTTP Request Outbound NOW!!!"; classtype:not-suspicious; sid:1000003; rev:1;)
alert tcp any 80 -> $HOME_NET any (msg:"HTTP Reply Inbound NOW!!!"; classtype:not-suspicious; sid:1000004; rev:1;)
---------------------------------------------------------------------------------------------------------------------------------------------------------------------

( We update the sid-msg.map if needed )

We restart SNORT :

sudo service snort restart

and browse the web to trigger many alerts with public IPs.

Using the Worldmap Display

We use the BASE menu Graph Alert Data ( screenshot S6c ) :

What do you want to know : source countries vs number of alerts on a world map ( screenshot S6b )

We hit the 'Graph Alerts' button ( screenshot S6d ) :

And voila ! ( screenshot S6a )

NB : The World Map Display won't autorefresh.
12 January 2014, 20:32

We'll setup here a more robust SNORT® design, using the Barnyard2 Spooler. The full software chain will be :

SNORT / Barnyard2 / Mysql / Apache2 / BASE

This configuration is a little more complicated to setup and troubleshoot, and requires some software compilation. But only then do we have a really robust and reliable SNORT running. Furthermore, SNORT MySQL direct output has been removed since SNORT 2.9.3.0

We'll be using three passwords here :

MySQL Server root password                   secret1
SNORT MySQL database user password           secret2
BASE GUI access                              secret3

I'll be using secret1, secret2 and secret3 as example passwords through this post.

I assume eth0 is the sniffing interface throughout this post.

Tested under Debian 7.5 / Edited June 03 2014

( Ubuntu users, see here. There are differences )

 

 

1. SNORT Install and Setup

We do the usual update/upgrade :

sudo apt-get update

sudo apt-get upgrade

We set the SNORT machine with a static IP : 192.168.1.240
and reboot.

we apply some networking fine tunings ( not all options may be available to your NIC ) :

sudo ethtool -K eth0 gro off

sudo ethtool -K eth0 lro off

and begin snort installation :

sudo apt-get install snort

we answer the question about the protected subnet, here :

    192.168.1.0/24

we edit snort.conf :

sudo leafpad /etc/snort/snort.conf



Line #45 :

ipvar HOME_NET 192.168.1.0/24

Line #48 :

ipvar EXTERNAL_NET !$HOME_NET

Line #298 - add this to the end of the line, after "decompress_depth 65535" :

max_gzip_mem 104857600

Line #526 uncomment and modify the line into :

output unified2: filename snort.log, limit 128, mpls_event_types, vlan_event_types

Line #536 we comment out the line ( we don't want snort to log tcpdumps ) :
# pcap
#output log_tcpdump: tcpdump.log

We edit /etc/snort/rules/local.rules to include these two test rules :

alert icmp any any -> $HOME_NET any (msg:"ICMP Test NOW!!!"; classtype:not-suspicious; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP Test NOW!!!"; classtype:not-suspicious; sid:1000002; rev:1;)

We restart snort :

sudo service snort restart

we delete previous log entries if any ( we changed the log format to use time-stamped files, and we don't want snort to perform tcpdumps ) :

sudo rm /var/log/snort/snort.log

sudo rm /var/log/snort/tcpdump.log.*

sudo rm /var/log/snort/alert

( nb: line #45 is not really needed, as it's overridden by /etc/snort/snort.debian.conf. I do it for coherency.
Likewise, edit /etc/snort/snort.debian.conf for the sniffing interface choice if several NICs are present. )

 

2. First test of Snort

sudo snort -i eth0 -v

( normally we get live snort sniffing ). CTRL+C to stop.

We do a config loading test :

sudo snort -A console -u snort -g snort -c /etc/snort/snort.conf -i eth0 -T

Let's finally launch SNORT in live alert console mode :

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

If we ping our SNORT IDS or try to browse it from another computer, alerts should be displayed.

CTRL+C to exit

3. Barnyard2 Setup

We first install the compile dependencies, and barnyard2 dependencies :

 sudo apt-get install autoconf

 sudo apt-get install libtool                                                               ( ##check number )

 sudo apt-get install libpcap-dev

 sudo apt-get install libmysqlclient-dev

we get and install barnyard2 :

 cd /usr/src

 sudo wget https://github.com/firnsy/barnyard2/tarball/master

 sudo tar -zxf master

 cd firnsy-barnyard2*

 sudo autoreconf -fvi -I ./m4

 sudo ./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu

 ( on a 64-bit Debian, the MySQL client libraries live in /usr/lib/x86_64-linux-gnu instead ; point --with-mysql-libraries there )

 sudo make

 sudo make install

 sudo cp /usr/local/etc/barnyard2.conf /etc/snort

 sudo cp schemas/create_mysql /usr/src

 sudo mkdir /var/log/barnyard2

We edit barnyard2.conf :

sudo leafpad /etc/snort/barnyard2.conf

Line #227 change to :
output alert_fast                                      ( instead of output alert_fast: stdout )

near the end, line #348, uncomment and complete :

output database: log, mysql, user=snort password=secret2 dbname=snort host=localhost

 

 

 

4. MySQL setup

sudo apt-get install mysql-server

    [ enter Mysql-server root password here : secret1 ]

We setup our database :

sudo mysql -u root -p

    [ secret1 ]

We enter these lines in the mysql> console :

create database snort;
create database archive;

grant usage on snort.* to snort@localhost;
grant usage on archive.* to snort@localhost;

set password for snort@localhost=PASSWORD('secret2');

grant all privileges on snort.* to snort@localhost;
grant all privileges on archive.* to snort@localhost;

flush privileges;

exit

We populate the MySQL database with the Snort table structure :

sudo mysql -u root -p

    [ secret1 ]

mysql>

use snort;

source /usr/src/create_mysql;

show tables;                                                 # you should see the list of new tables you just imported.

exit



5. Snort and Barnyard2 testing

We check the SNORT service is started :

sudo service snort restart

We manually launch Barnyard2 :

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/barnyard2/bylog.waldo -C /etc/snort/classification.config

Barnyard2 will probably fatally exit due to a missing sid-msg.map file. This file is no longer included in the Snort source but is required by Barnyard2.

To solve this problem, we will use an oinkmaster script named create-sidmap.pl to generate the sid-msg.map
( we will later install and configure PulledPork, which manages the sid-msg.map file )

sid-msg.map creation :

( create-sidmap.pl comes from the oinkmaster 2.0 contrib directory, copied to /usr/share/oinkmaster as shown in the Ubuntu post above )

cd /usr/share/oinkmaster

sudo bash -c "sudo ./create-sidmap.pl /etc/snort/rules > /etc/snort/sid-msg.map"

we launch barnyard2, and this time we should get no error :

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/barnyard2/bylog.waldo -C /etc/snort/classification.config

CTRL+C to exit barnyard2
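Both the Ubuntu post's "create-sidmap.pl script" paragraph and the "sid-msg.map creation" step above depend on a sid-msg.map that Barnyard2 can read. The following added example, which is not the oinkmaster script and not part of the original post, shows what that file contains by generating the v1 layout ( "sid || msg || reference ..." , the one Barnyard2 reads with sid_msg_version=1 ) from rule text with awk. SAMPLE_RULES is constructed from the post's local.rules test rules plus one commented-out rule and one rule carrying a reference ; the URL in it is a placeholder.

```shell
#!/bin/sh
# Added example (not the oinkmaster script itself): build a v1 sid-msg.map
# ("sid || msg || reference ...") from Snort rule text, the format Barnyard2
# reads when sid_msg_version=1. SAMPLE_RULES is constructed from the post's
# local.rules test rules plus one commented-out rule and one with a reference
# (example.invalid is a placeholder, not a real reference).
SAMPLE_RULES='alert icmp any any -> $HOME_NET any (msg:"ICMP Test NOW!!!"; classtype:not-suspicious; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP Test NOW!!!"; classtype:not-suspicious; sid: 1000002; rev:1;)
#alert tcp any any -> $HOME_NET 22 (msg:"disabled rule"; sid:1000009; rev:1;)
alert tcp any any -> $EXTERNAL_NET 80 (msg:"HTTP Request Outbound NOW!!!"; reference:url,example.invalid/doc; classtype:not-suspicious; sid:1000003; rev:1;)'

# make_sidmap: rules on stdin, sid-msg.map lines on stdout, sorted by sid.
make_sidmap() {
    awk '
        /^[ \t]*#/ { next }                      # commented-out rule: no entry
        match($0, /msg:"[^"]*"/) {
            msg = substr($0, RSTART + 5, RLENGTH - 6)
            if (!match($0, /sid:[ \t]*[0-9]+/)) next
            sid = substr($0, RSTART + 4, RLENGTH - 4)
            gsub(/[ \t]/, "", sid)
            line = sid " || " msg
            rest = $0
            # every reference:type,value becomes a trailing "|| type,value"
            while (match(rest, /reference:[^;]*;/)) {
                ref = substr(rest, RSTART + 10, RLENGTH - 11)
                gsub(/[ \t]/, "", ref)
                line = line " || " ref
                rest = substr(rest, RSTART + RLENGTH)
            }
            print line
        }' | sort -n
}

# Stand-alone use: all rule files of the sensor into one map; the
# constructed sample is used when /etc/snort/rules is absent.
if [ -d /etc/snort/rules ]; then
    cat /etc/snort/rules/*.rules | make_sidmap
else
    printf '%s\n' "$SAMPLE_RULES" | make_sidmap
fi
```

On the sensor, `cat /etc/snort/rules/*.rules | make_sidmap > /etc/snort/sid-msg.map` ( run as root ) produces the same kind of file as the create-sidmap.pl call above ; a rule whose sid is missing from the map shows up in Barnyard2 and BASE with an empty signature name, which is the symptom to look for when the map is stale.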

 

6. Barnyard2 boot-time autorun

( note : this startup script is very sensitive to the script name. It works using runbarnyard2, but fails with autobarnyard2, autobarn, barn, barnyard2, by2, ... Under investigation )

We need Barnyard2 to be automatically started at boot-time. Let's make a quick and easy boot-time script.

( This is a very light and easy script, not to be used in a production environment ).

sudo touch /etc/init.d/runbarnyard2

sudo leafpad /etc/init.d/runbarnyard2

-----------------------------------------------------------------------------------------------
#!/bin/sh

case $1 in
    start)
        echo "Starting Barnyard2"
        sudo barnyard2 -D -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -n
        echo 'Barnyard2 started.'
    ;;
    stop)
        echo "Stopping Barnyard2"
        sudo killall barnyard2
        echo 'Barnyard2 stopped.'
    ;;
    restart)
        $0 stop
        sleep 4
        $0 start
    ;;
    *)
        echo "usage: $0 (start|stop|restart)"
    ;;
esac

exit 0
-----------------------------------------------------------------------------------------------

sudo chmod 700 /etc/init.d/runbarnyard2

sudo update-rc.d runbarnyard2 defaults

We modify Barnyard2 to launch as a daemon, by uncommenting the daemon line :

sudo leafpad /etc/snort/barnyard2.conf
------------------------------------------------------------
# enable daemon mode
#
config daemon
-------------------------------------------------------------

Usage :

sudo /etc/init.d/runbarnyard2 start/stop/restart

( Do note Barnyard2 is launched with the -n switch : only new records are processed ).

For more ideas about Barnyard2 boot-time run, see here

 

 
7. Apache2 / BASE GUI frontend setup

Apache2 setup :

sudo apt-get install apache2

sudo apt-get install libapache2-mod-php5

sudo apt-get install libphp-adodb

( info message is OK )

Edit "/etc/php5/apache2/php.ini", look for the line #463 "error_reporting" and change it to :

error_reporting = E_ALL & ~E_NOTICE

We restart apache2 :

sudo service apache2 restart

We install the BASE dependencies :

sudo apt-get install php-pear

sudo apt-get install libwww-perl                                                       ( normally already installed )

sudo apt-get install php5-gd

sudo pear config-set preferred_state alpha

sudo pear channel-update pear.php.net

sudo pear install --alldeps Image_Color Image_Canvas Image_Graph

BASE install :

cd /usr/src

sudo wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz

sudo tar -zxf base-1.4.5.tar.gz

sudo cp -r base-1.4.5 /var/www/base

sudo chown -R www-data:www-data /var/www/base

sudo service apache2 restart

BASE setup :

we launch a local web browser :

http://localhost/base

Step 1) path : /usr/share/php/adodb

Step 2)  Database Name :                  snort
         Database Host :                  localhost
         Database User Name :             snort
         Database Password :              secret2

       ( tick 'Use Archive Database' )

         Archive Database Name :          archive
         Archive Database Host :          localhost
         Archive Database User Name :     snort
         Archive Database Password :      secret2

Step 3)    tick 'use authentication system' ( it enables the BASE login screen lock )

    Admin user name ( john )

    [GUI password]    ( secret3 )

    Full admin name ( John Doe )

Step 4)    Click ' Create baseAG'

Step 5)    Click ' Now continue to Step 5 ' and login ( john / secret3 )

A few ping and http alerts should be displayed ( red bar ). The web page is automatically refreshed every 3 minutes.

 

8. syslog logging

Snort Syslog logging :

To setup snort syslog logging ( useful for debugging snort ) :

we uncomment line #533 in snort.conf :

sudo leafpad /etc/snort/snort.conf

------------------------------------------------------------
output alert_syslog: LOG_AUTH LOG_ALERT
------------------------------------------------------------

and restart snort :

sudo service snort restart

the log can be viewed using :

sudo grep snort /var/log/auth.log

nb :      LOG_AUTH is the logging facility ( configurable )
            LOG_ALERT is the severity level ( configurable )

ex using the local0 facility :

output alert_syslog: LOG_LOCAL0 LOG_ALERT

sudo grep snort /var/log/syslog

Except for debugging purposes, logging should be performed at Barnyard2 level.

Barnyard2 Syslog logging :

The syntax is the same. We edit barnyard2.conf line #265 :

sudo leafpad /etc/snort/barnyard2.conf

--------------------------------------------------------------------------
output alert_syslog: LOG_AUTH LOG_ALERT
--------------------------------------------------------------------------

or

--------------------------------------------------------------------------
output alert_syslog: LOG_LOCAL0 LOG_ALERT
--------------------------------------------------------------------------

We then restart barnyard2 to apply the changes :

sudo /etc/init.d/runbarnyard2 restart

Besides the regular, security-aimed syslog or tcpdump tasks, which are Barnyard2's role, using syslog is useful for Barnyard2 debugging too.

 

9. Basic Portscan detection

Complete Portscan detection requires SNORT Shared Objects / Shared Object Rules, which we'll be seeing later. Still, we can implement a basic function :

sudo leafpad /etc/snort/snort.conf

We uncomment and modify the portscan line ( line #418 ) :

# Portscan detection.  For more information, see README.sfportscan
preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { medium } logfile { /var/log/snort/portscan.log }

We restart snort :

sudo service snort restart

A regular Nmap/Zenmap scan ( nmap 192.168.1.240 ) on the SNORT IDS will trigger alerts.

portscans can be checked using :

sudo cat /var/log/snort/portscan.log

we then enable portscan.log lookups by BASE :

we edit base_conf.php line # 290 :

sudo leafpad /var/www/base/base_conf.php

$portscan_file = '/var/log/snort/portscan.log';                                                  ### using an absolute path

sudo service apache2 restart

sudo chmod a+r /var/log/snort/portscan.log

sudo chmod 755 /var/log/snort

To empty the portscan log :

sudo bash -c "cat /dev/null > /var/log/snort/portscan.log"

( just deleting it would remove our custom file permissions )

 

 

10. DNS resolution, Alert coloring and Database Emptying

Some interesting BASE GUI options :

sudo leafpad /var/www/base/base_conf.php

To resolve IP to FQDN :

    /* Resolve IP to FQDN (on certain queries?)
     *    1 : yes
     *    0 : no
     */
    $resolve_IP = 1;

note : to have local hosts registered, do edit /etc/hosts to add them. ex :

192.168.1.120              PC1.local

Then, update the BASE GUI IP Caches : Cache and Status : Update IP Caches / Rebuild IP Caches

To have alert-priority coloring :

    /* This option is used to set if BASE will use colored results
     * based on the priority of alerts
     * 0 : no
     * 1 : yes
     */
    $colored_alerts = 1;

To empty the alerts database

We can do this using the BASE GUI :

Cache & Status ) Clear Data Tables

sudo /etc/init.d/runbarnyard2 restart

( The Barnyard2 restart is mandatory for alerts to get displayed again )
Do note that logs and alerts may need to be deleted too. Read next.

 
11. To delete all alerts and logs

Emptying the MySQL database is enough to clear the BASE GUI display ; still, the next Barnyard2 launch will review the recorded snort alerts, skipping old ones. Furthermore, emptying using the BASE GUI keeps the portscan logs.

To avoid this, here is what is needed to empty all the logged alerts :

sudo service snort stop
sudo /etc/init.d/runbarnyard2 stop

sudo rm /var/log/snort/snort.log.*

sudo bash -c "cat /dev/null > /var/log/snort/portscan.log"
sudo rm /var/log/barnyard2/*

then, empty the Snort MySQL database using the BASE GUI.

Then, either reboot or restart Snort and Barnyard2.

This cleanup may be integrated as a fourth option in your /etc/init.d/runbarnyard2 script.

See here for some examples.
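As an added example, not part of the original post, here are the log-clearing steps of section 11 gathered into one POSIX shell function, of the kind that could back a fourth option of the runbarnyard2 script. It truncates portscan.log rather than deleting it, so the a+r mode set for BASE in section 9 survives, and it takes the two log directories as parameters so it can be exercised on a scratch tree ( on the sensor they are /var/log/snort and /var/log/barnyard2, and it must run as root ). The file names in demo_reset are constructed.

```shell
#!/bin/sh
# Added example (not from the post): the "delete all alerts and logs" steps of
# section 11 as one function, suitable as a fourth option of runbarnyard2.
# Directories are parameters so it can be exercised on a scratch tree; on the
# sensor they are /var/log/snort and /var/log/barnyard2 and it runs as root.
reset_ids_logs() {
    snort_dir=$1
    by2_dir=$2
    # unified2 spool files snort.log.<timestamp>: remove them all
    for f in "$snort_dir"/snort.log.*; do
        if [ -e "$f" ]; then rm -f -- "$f"; fi
    done
    # portscan.log is truncated, not deleted, so the a+r mode set for
    # BASE survives (deleting it would lose the custom permissions)
    if [ -e "$snort_dir/portscan.log" ]; then
        : > "$snort_dir/portscan.log"
    fi
    # Barnyard2 waldo bookmark and its other files: remove them, otherwise the
    # next launch only processes records newer than the bookmark
    for f in "$by2_dir"/*; do
        if [ -e "$f" ]; then rm -f -- "$f"; fi
    done
    return 0
}

# count_entries: number of directory entries, used to verify the result
count_entries() {
    ls -1 "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Stand-alone demonstration on a scratch tree (no real log is touched);
# prints "<snort entries left> <portscan.log size> <barnyard2 entries left>"
demo_reset() {
    tmp=$(mktemp -d)
    mkdir "$tmp/snort" "$tmp/by2"
    echo unified2 > "$tmp/snort/snort.log.1389558731"    # constructed names
    echo unified2 > "$tmp/snort/snort.log.1389558800"
    printf 'Time: 01/12-20:32:11.123456\n' > "$tmp/snort/portscan.log"
    chmod 644 "$tmp/snort/portscan.log"
    echo bookmark > "$tmp/by2/bylog.waldo"
    reset_ids_logs "$tmp/snort" "$tmp/by2"
    printf '%s %s %s\n' "$(count_entries "$tmp/snort")" \
        "$(wc -c < "$tmp/snort/portscan.log" | tr -d ' ')" \
        "$(count_entries "$tmp/by2")"
    rm -rf "$tmp"
}

demo_reset
```

Stop Snort and Barnyard2 before calling reset_ids_logs, as section 11 does, then clear the database from the BASE GUI and restart both ; the expected demo output is "1 0 0" ( only the truncated portscan.log is left ).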

 

11 January 2014, 15:43

We'll see here the easiest way to quickly install SNORT® on Debian 7 using SNORT-MySQL.

The install will be : SNORT-MySQL / MySQL / APACHE2 / BASE

Here is the network topology used ( figure I4a ) :

The IDS uses the port-mirroring capabilities of Router 1 ( a Cisco RV110W in this case ) so as to be able to sniff and monitor all of the Protected Network traffic.

As seen before, this SNORT direct MySQL output method is very low-rated performance-wise and reliability-wise, and should never be used in a production environment. Nevertheless, it's an interesting first step for a SNORT newcomer, as it only uses apt-get software installation and thus doesn't require any software compilation.

We'll be using 3 passwords, that I'll name secret1, secret2 and secret3 here :

MySQL root password                                 secret1
SNORT MySQL user databases password                 secret2
BASE GUI admin password                             secret3

Tested under Debian 7.5 / Edited May 3 2014

( Ubuntu users : the SNORT MySQL package has been removed since Ubuntu 14.04. Ubuntu 13.10 was the last to provide it ).

SNORT-MYSQL Installation

We first do a little networking optimization :

( some of the commands may fail if unsupported by your NIC. It's ok )

sudo ethtool -K eth0 gro off

sudo ethtool -K eth0 lro off

We install SNORT-MYSQL :

sudo apt-get update

sudo apt-get install snort-mysql

replies to the questions asked during the installation :

    192.168.1.0/24        ( net to protect )
    set database : yes

we perform a little cleanup :

sudo rm /etc/snort/db-pending-config

sudo dpkg --configure --pending

MySQL/Apache2/Dependencies installation :

We then install the packages Apache2, MySQL and some dependencies :

sudo apt-get install apache2
sudo apt-get install libapache2-mod-php5

sudo apt-get install mysql-server

    [ enter Mysql-server root password = secret1 ]

sudo apt-get install libphp-adodb
( informational message is ok )

We edit /etc/php5/apache2/php.ini :

sudo leafpad /etc/php5/apache2/php.ini

to look for the line "error_reporting" and change it into :

error_reporting = E_ALL & ~E_NOTICE

sudo service apache2 restart

sudo apt-get install php-pear
sudo apt-get install libwww-perl    ( probably already installed )
sudo apt-get install php5-gd

sudo pear config-set preferred_state alpha
sudo pear channel-update pear.php.net
sudo pear install --alldeps Image_Color Image_Canvas Image_Graph

 

 

MySQL database setup

We setup the MySQL database. We first choose the password for the snort databases : secret2.

sudo mysql -u root -p

    ( Enter Mysql-server root password secret1 here )

create database snort;
create database archive;

grant usage on snort.* to snort@localhost;
grant usage on archive.* to snort@localhost;

set password for snort@localhost=PASSWORD('secret2');

grant all privileges on snort.* to snort@localhost;
grant all privileges on archive.* to snort@localhost;

flush privileges;

show tables;        ( we get an error here. It's ok : no database has been selected yet )
exit

We then load the SNORT DB blueprint :

cd /usr/share/doc/snort-mysql

sudo zcat create_mysql.gz | mysql -u snort -D snort -psecret2

( do note the -psecret2 option. There is no typo here : the user password is appended directly to -p, without a space )

SNORT Configuration

We reconfigure Snort with the command :

sudo dpkg-reconfigure snort-mysql

here are the answers to the reconfiguration queries :

"Snort start method" : boot

( Informational screen on interfaces )

Listening interface : ethx ( choose the listening interface )

Protected network : 192.168.1.0/24

Disable promiscuous : no

Additional : [ empty ]

Send e-mail : No

Set database : yes

    localhost

    snort

    snort

    secret2

a few notes about the SNORT configuration

The configuration options entered here ( Protected network, ... ) are recorded in /etc/snort/snort.debian.conf. This file overrides the /etc/snort/snort.conf settings at boot-time.
Be aware of this.

Nevertheless, the regular and other snort settings are located in /etc/snort/snort.conf. You need to be aware of them, and they need to be taken care of :

We quickly edit /etc/snort/snort.conf :

sudo leafpad /etc/snort/snort.conf

At the beginning, we setup the network addresses we are protecting and the external net by modifying / uncommenting these lines :

ipvar HOME_NET 192.168.1.0/24
#ipvar EXTERNAL_NET any
ipvar EXTERNAL_NET !$HOME_NET

doing this states the protected net ( HOME_NET ) as well as the EXTERNAL_NET ( ipvar EXTERNAL_NET !$HOME_NET states that anything not in the HOME_NET is considered to be in the EXTERNAL_NET. This may seem trivial, but other setups are possible. As an example, EXTERNAL_NET any can be an interesting choice too : it tells the detection engine to consider ANY IP as EXTERNAL. This is a more suspicious mode, as it also monitors traffic between HOME_NET nodes. )

again, remember that the HOME_NET value here is overridden by /etc/snort/snort.debian.conf.


BASE installation and setup

We finally install the BASE GUI frontend :

cd /usr/src
sudo wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
sudo tar -zxf base-1.4.5.tar.gz
sudo cp -r base-1.4.5 /var/www/base
sudo chown -R www-data:www-data /var/www/base

sudo service apache2 restart

we setup the BASE GUI by launching a web browser :

http://192.168.1.240/base

we respond these to the queries :

A) path : /usr/share/php/adodb

B)    snort
        localhost

        snort
        secret2

( tick 'use archive' )

        archive
        localhost

        snort
        secret2

C)    [BASE GUI admin name]
        secret3

        [BASE GUI admin full name]

nb : here, you setup the BASE GUI admin access. Clicking ' use authentication system ' locks the GUI access with a login / password. You can later add non-admin users, using the BASE GUI administration page.

D)    Click ' Create baseAG'

Limiting the GUI access to registered IPs

Optionally, you may want to limit the BASE GUI access to certain IPs only. Besides limiting access using the network firewalls and the NIDS host firewall ( iptables ), we can limit access at the Apache web server level too. Here we limit it to the local machine ( localhost ) and the 192.168.1.0/24 subnet by editing /etc/apache2/sites-available/default :

sudo leafpad /etc/apache2/sites-available/default

we just have to add this before the closing VirtualHost tag ( before the last line ) :

-----------------------------------------------------------------------------------
<Directory /var/www/base>
        Order allow,deny
        allow from 192.168.1.0/24
        allow from 127.0.0.0/8
</Directory>
-------------------------------------------------------------------------------------

sudo service apache2 restart



Writing some test rules

sudo leafpad /etc/snort/rules/local.rules

alert icmp any any -> $HOME_NET any (msg:"ICMP Test NOW!!!"; classtype:not-suspicious; sid:10000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP Test NOW!!!"; classtype:not-suspicious; sid:10000002; rev:1;)

sudo service snort restart

We can now ping or try to HTTP browse the NIDS, and see the alerts recorded in the BASE GUI.

Do note that BASE has a default 3 minute page refresh rate. Do manually refresh if needed.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
nb: The SNORT version installed here is SNORT 2.9.2.2.

It comes prefilled with a very basic ruleset :

The free (GPLv2) ruleset that was provided with Snort back in 2005, increased with the rules provided in the "Community" ruleset later on (in 2007).
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Manual snort commands for testing / troubleshooting :

sudo /usr/sbin/snort -v -i eth0
( raw sniffing test, no ruleset engaged )

sudo /usr/sbin/snort -A console -u snort -g snort -c /etc/snort/snort.conf -i eth0 -T
( only performs a ruleset loading test )

sudo /usr/sbin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
( full ruleset loaded / live console snorting )

Ruleset update using Pulledpork

The real golden tool for rules management and updating is Pulledpork; we'll quickly see here how to update the rules with it.

Pulledpork installation

At the time of this writing, the latest version is pulledpork 0.7.0.

First we need to install two libraries, to enable HTTPS download of the rules :

sudo apt-get install libssl-dev
sudo apt-get install libcrypt-ssleay-perl

We then download and install pulledpork ( /usr/src is root-owned, hence the sudo on every step ) :

cd /usr/src
sudo wget http://pulledpork.googlecode.com/files/pulledpork-0.7.0.tar.gz
sudo tar -zxf pulledpork-0.7.0.tar.gz
cd pulledpork-0.7.0
sudo cp pulledpork.pl /usr/local/bin
sudo cp etc/*.conf /etc/snort
sudo chmod +x /usr/local/bin/pulledpork.pl


Here is a basic, stripped-down pulledpork.conf file :

sudo leafpad /etc/snort/pulledpork.conf
---------------------------------------------------------------------------------------------------------------------------------------------------
#rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot-2940.tar.gz|[oinkcode]
rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
#rule_url=http://rules.emergingthreats.net/open/snort-2.9.0/|emerging.rules.tar.gz|open-nogpl

ignore=deleted.rules,experimental.rules
temp_path=/tmp

rule_path=/etc/snort/rules/snort.rules
local_rules=/etc/snort/rules/local.rules
sid_msg=/etc/snort/sid-msg.map
sid_msg_version=1
sid_changelog=/var/log/sid_changes.log

# path of the snort binary installed by apt-get ( the one used in the manual commands above )
snort_path=/usr/sbin/snort

#enablesid=/etc/snort/enablesid.conf
#dropsid=/etc/snort/dropsid.conf
#disablesid=/etc/snort/disablesid.conf
#modifysid=/etc/snort/modifysid.conf

version=0.7.0
----------------------------------------------------------------------------------------------------------------------------------------------------

 

Be careful : pulledpork.conf is very sensitive to stray space characters.

 

Note the first 3 lines, which are the URLs of the VRT registered rulefile, the VRT Community rulefile and the ETOpen rulefile. Uncomment them as you see fit.
Here, we will just try to pull the VRT Community ruleset.

SNORT .conf file :

As Pulledpork produces a single, consolidated rule file for all rules ( including the decoder/preprocessor rules and the so_rules ), this is all that is needed in sections #7, #8 and #9 of snort.conf :

 

include $RULE_PATH/local.rules
include $RULE_PATH/snort.rules

All the rest needs to be commented-out or deleted.

Thus the end of snort.conf should look like this :

------------------------------------------------------------------------------------------------------------------------

###################################################
# Step #7: Customize your rule set
# For more information, see Snort Manual, Writing Snort Rules
#
# NOTE: All categories are enabled in this conf file
###################################################

# site specific rules
include $RULE_PATH/local.rules
include $RULE_PATH/snort.rules

 

# Event thresholding or suppression commands. See threshold.conf
include threshold.conf
---------------------------------------------------------------------------------------------------------------------------

 

 

To update the ruleset :

sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -T -l

sudo service snort restart

nb : -T limits the update to text-based rules ( no shared-object so_rules )
     -l logs the result of the update to syslog

If all goes well, there shouldn't be any error message.


To force the rule update ( process the rules even if no new rules were downloaded; useful to avoid rebooting just to empty the /tmp directory ) :

sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -T -l -P
sudo service snort restart


To clean up all rules :

sudo rm /etc/snort/rules/*.*
sudo touch /etc/snort/rules/local.rules
sudo touch /etc/snort/rules/snort.rules



Portscan detection setup


To enable basic portscan detection, we edit /etc/snort/snort.conf :

sudo leafpad /etc/snort/snort.conf

 

to uncomment this line :

preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { low } logfile { /var/log/snort/portscan.log }

( note the space between { and /var/log, and likewise before the closing } )

sudo service snort restart

We can then run a regular portscan ( nmap 192.168.1.210 ) and check the portscan.log file :

sudo cat /var/log/snort/portscan.log

 

nb : some scans are classified as attempted-recon or bad-unknown.
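To look at portscan.log without the BASE GUI, here is an added Python example ( not from the original post ) that parses the sfportscan text log and ranks the scanning sources by their summed Connection Count. The layout assumed is sfportscan's own ( a 'Time:' line, 'Key: value' counters and one 'src -> dst (portscan) type' line per event ); the sample log embedded in it is constructed.

```python
import re
from collections import defaultdict

# Added example, not part of the original post: parse the portscan.log that
# the sfportscan preprocessor writes and rank the scanning sources. An event
# is a "Time:" line, "Key: value" lines and one "src -> dst (portscan) type" line.
EVENT_RE = re.compile(
    r'^(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+)\s+\(portscan\)\s+(?P<type>.+)$')

def parse_portscan_log(text):
    """One dict per event: time, src, dst, type, open_ports, plus the
    sfportscan counters (Connection Count, Priority Count, ...) as ints."""
    events, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith('Time:'):
            cur = {'time': line[5:].strip(), 'open_ports': []}
            events.append(cur)
        elif not line or cur is None:
            continue  # blank separator, or junk before the first event
        elif EVENT_RE.match(line):
            cur.update(EVENT_RE.match(line).groupdict())
        else:
            key, _, value = (s.strip() for s in line.partition(':'))
            if key == 'Open Port':
                cur['open_ports'].append(int(value))
            else:
                cur[key] = int(value) if value.isdigit() else value
    return events

def rank_scanners(events):
    """Per source IP: summed Connection Count, distinct targets and scan
    types; noisiest source first."""
    agg = defaultdict(lambda: {'connections': 0, 'targets': set(), 'types': set()})
    for ev in events:
        if 'src' in ev:  # skip a truncated block with no event line
            a = agg[ev['src']]
            a['connections'] += ev.get('Connection Count', 0)
            a['targets'].add(ev['dst'])
            a['types'].add(ev['type'])
    return sorted(agg.items(), key=lambda kv: kv[1]['connections'], reverse=True)

# Constructed sample in the sfportscan layout; the addresses are made up.
SAMPLE_LOG = """\
Time: 01/26-14:38:01.123456
event_id: 1
192.168.1.50 -> 192.168.1.210 (portscan) TCP Portscan
Priority Count: 5
Connection Count: 25
Port/Proto Range: 21:443

Time: 01/26-14:39:12.654321
192.168.1.50 -> 192.168.1.240 (portscan) TCP Portsweep
Connection Count: 12
Open Port: 22
"""
```

On a real box, feed it open('/var/log/snort/portscan.log').read() instead of SAMPLE_LOG.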

 

To have the BASE GUI display some portscan data

( This won't make the portscan bar fill up, which requires the so_rules; but it enables some 'portscan' queries in the BASE GUI ) :

 

We edit /var/www/base/base_conf.php :

sudo leafpad /var/www/base/base_conf.php

 

to uncomment and complete this line ( using an absolute path ) :

$portscan_file = '/var/log/snort/portscan.log';

sudo service apache2 restart

sudo chmod a+r /var/log/snort/portscan.log

sudo chmod 755 /var/log/snort


Some interesting BASE GUI options :

sudo leafpad /var/www/base/base_conf.php

To resolve IP to FQDN :

/* Resolve IP to FQDN (on certain queries?)
 *    1 : yes
 *    0 : no
 */
$resolve_IP = 1;

To have alert-priority coloring :

 

/* This option is used to set if BASE will use colored results
 * based on the priority of alerts
 * 0 : no
 * 1 : yes
 */
$colored_alerts = 1;



To empty the alerts database

We can do this using the BASE GUI :

 

Cache & Status > Clear Data Tables

sudo service snort restart

( The SNORT restart is mandatory for alerts to get displayed again )

 

- SNORT® is a registered trademark of Sourcefire, Inc. -

 

 

Published by computer outlines - in NIDS
11 January 2014 15:12


We'll see here the inner components of SNORT® and how they work together, as well as SNORT performance sizing and tuning.

 

 

SNORT Inner Components

 

When you start using SNORT, you begin hearing words like Packet Decoder, Pre-processors and Detection Engine. Let's see what they are, and what role they play.

Here is the SNORT inner layout :

[ figure: SNORT inner layout ]


Packet Decoder

The Packet Decoder takes the raw libpcap data and rebuilds the protocol data structures from layer 2 to layer 4, much like Wireshark's decoding; it identifies the network protocols in use.
The Packet Decoder can also raise alerts when it sees suspiciously malformed packets ( protocol-wise ).

 

 

Pre-processors

The Pre-processors are compiled plugins. They perform two tasks : detections that go beyond simple packet signature matching, and further data structure reformation for the Detection Engine. Here are some examples :

. Detection of anomalies that go beyond single packet analysis : the portscan detector

. Further data structure reformation : de-fragmentation, stream reassembly, HTTP special character decoding, ...

As an example, it is common for an attacker to use fragmentation to split an attack across multiple packets in order to elude signature-based detection engines. The de-fragmentation pre-processor reassembles the fragmented packets so that such attacks can be spotted.

 

 

Detection Engine

 

The Detection Engine is the core detection component : it performs signature-based detection using the ruleset.

 

 

 

Alert Generation

Alert Generation is responsible for handling the various alert modes : database, unified2 ( the binary format used by Barnyard2 ), syslog and console, as well as packet recording.

 

 

 

 

SNORT Performance

Good sizing and tuning of SNORT's performance is very important, as the real goal is a NIDS that drops no packets.

We don't want our IDS to drop packets, and thus miss possibly suspicious activity, or to become a bottleneck.

Since version 2.0, SNORT is capable of handling Gigabit traffic.

 

 

The basic SNORT performance is determined by :

    . The Traffic being monitored

    . The Hardware/Software platform

   
The Traffic being monitored

Obviously, high-bandwidth traffic will require more power. Besides this, certain types of traffic may be more power-consuming ( if they require extra decoding, more reassembly, ... ).

 

 

The Hardware/Software performance


Hardware performance :

CPU power ( more on this later )
Amount of memory ( e.g. stream reassembly consumes memory )
HDD performance ( to avoid a database logging bottleneck )
The type of NICs used

 

 

Software performance :

Using barnyard2 instead of direct network or database logging improves software performance; Gigabit handling is only possible in Unified2 / Barnyard2 mode.

Lighter ruleset : the lighter the ruleset, the easier the analysis task is for the CPU.

Fewer preprocessor rules : preprocessor rules are CPU-intensive.

Usually, the SNORT bottleneck is either at the detection stage or at the output stage.


SNORT and multithreading / multi CPU

SNORT is not multithreaded. While at first this may look like a weakness, it actually isn't : SNORT analysis is very linear, so it would benefit little from multithreading while paying the full MT penalties. Faster cores here are better than more cores.

While SNORT itself is not multithreaded, several approaches may be used to enhance and optimize its performance :

1. pin the companion software to other cores ( i.e. lock barnyard2 / mysql to another core )
2. run several instances of snort locked on different cores, using different rulesets ( same stream analyzed, different rulesets )
3. run a load-balancing frontend, with several snort instances locked on different cores ( different streams analyzed, same ruleset used )

 

 

Published by computer outlines - in NIDS
11 January 2014 14:53

SNORT® is probably the most widely used IDS worldwide; it is free and open source, and is run by Sourcefire.

We'll see here the basic possible architectures for putting the SNORT IDS in place, as it is always run together with companion software.

Although it can run standalone, it is usually combined with other software to increase reliability, usability and performance. We'll see here these combinations.

 

 

 

1. Presentation of the SNORT NIDS

Here is the basic SNORT NIDS structure :

[ figure: basic SNORT NIDS structure ]

SNORT can output alerts to a database, to a syslog server, or simply display them in console mode; it can of course use any combination of these three.
Besides, it can log suspicious packets in raw mode ( PCAP format ) for further analysis later on.


2. SNORT / MYSQL / APACHE / BASE

Although the SNORT IDS can output alerts in console mode or send them to a syslog server, a MySQL database is almost always used, as it makes consulting and sorting the data easy.
Likewise, a web GUI is handy for easy access to the MySQL database, as well as for data display, consulting and analysis.

[ figure: SNORT / MySQL / Apache / BASE chain ]

Here, SNORT logs alerts to a MySQL database. With the help of an Apache web server, a web-based GUI ( BASE ) is used to monitor the SNORT alerts. Although other SNORT GUIs do exist ( SGUIL, OSSIM, Snorby, ... ), BASE is very easy to set up and ideal for newcomers.

This is the simplest SNORT NIDS setup, great for beginners as it has an easy learning curve, although it has some performance / reliability issues compared to a more robust setup.

We'll just add an update tool : Pulledpork is the official ruleset updater for SNORT :

[ figure: SNORT / MySQL / Apache / BASE with Pulledpork ]

We'll see in a following post how to practically implement this easy setup.



3. SNORT / BARNYARD2 / APACHE / BASE

Here, a spooler is added to the software chain. Barnyard2 is a spooler specially designed for SNORT :

[ figure: SNORT / Barnyard2 / MySQL / Apache / BASE chain ]

Here SNORT can concentrate on its main duty, sniffing network traffic, and just logs raw binary data to the HDD. Barnyard2 gathers this data and handles the task of sending it to the MySQL database. Barnyard2 is very clever : when it starts, it looks for any data SNORT may have left behind and processes it. Likewise, it is able to notice that the MySQL database is offline, and then pauses sending data to it; when it sees that the MySQL database is up again, it resumes sending.

Using Barnyard2 adds some complexity to the overall software chain, makes troubleshooting harder, and requires a manual build ( there is no apt-get package for barnyard2 in the Debian repository ).
This spooling job, handled by Barnyard2, brings full efficiency, reliability and performance to SNORT.

Of course, here too the Pulledpork updater is added to the picture, for ruleset updating :

[ figure: the same chain with Pulledpork ]

We'll see in a following post how to practically implement this more robust setup too.

 

Published by computer outlines - in NIDS
11 January 2014 14:20

We'll see what is a NIDS, and where to place it on the network topology.


What is a NIDS

A NIDS is a Network Intrusion Detection System : a piece of software that monitors network traffic. Using a database of network signatures and patterns, it issues alerts and records suspicious traffic for later analysis.

Here is a basic NIDS in a private network :

[ figure: a basic NIDS in a private network ]

A NIDS differs from a NIPS ( Network Intrusion Prevention System ) in that the NIDS does pure, passive monitoring, whereas the NIPS is placed inline and actively blocks suspicious connections.
Here is a NIPS placement :

[ figure: NIPS placement ]

NIDS and NIPS may in some way be thought of as the network antivirus : they have an updatable signature and pattern database, and perform detection, alerting, logging and, in the case of a NIPS, blocking.


NIDS placement in the topology

One first thing to note is that if the NIDS is to monitor a whole subnet, port mirroring on the switch is mandatory, as an Ethernet switch creates a separate collision domain for each switch port ( i.e. port 1 can't listen to the network traffic going over port 2, etc. ). Some entry-level professional routers do provide port mirroring ( e.g. Cisco RV 110W, at a 70 €/$ price tag ).
Here's a basic port mirroring for a NIDS :

[ figure: basic port mirroring for a NIDS ]

Another solution, for experimentation only, would be to use a network hub, or a WiFi WEP/WPA network, as they don't create separate collision domains ( yes, that's why you want to use public WiFi networks with extra care ).


There are basically three places where a NIDS may be placed.

On the WAN side :

[ figure: NIDS on the WAN side ]

    . pros : any suspicious attempt is detected

    . cons : too much noise encumbers the NIDS performance and floods the alert system, for a limited benefit.

On the DMZ/EDGE network :

[ figure: NIDS on the DMZ/EDGE network ]

    . pros : better NIDS performance, less unwanted noise to burden the performance and flood the alert system

    . cons : only traffic that has been allowed past the firewall is analyzed. Firewall-blocked attempts are not seen.

On the inner network :

[ figure: NIDS on the inner network ]

    . same pros and cons as the DMZ/EDGE placement, in a different area strategy-wise.

A good NIDS placement should include both DMZ/EDGE and inner network positioning, for multi-zone monitoring :

[ figure: multi-sensor NIDS placement ]

This last approach is called the multi-sensor approach, as there are multiple NIDS sensors positioned on the network topology, monitored from a single unified GUI frontend.

 

 

Published by computer outlines - in NIDS