Whether meaning to be mischievous or malicious, hackers can wreak
havoc on your network. Fortunately, Snort makes it easy to spot them and
set up protection
Snort is an intrusion detection system (IDS). It works by monitoring
network activity and raising an alert in the case of suspicious
activity. What constitutes suspicious activity is definable by rules,
and it comes with a massive selection. It can protect a single machine
from attacks or even an entire network. This guide will show you how to
set up and use Snort and also take you through some typical security
scenarios in which Snort will prove useful.
As you get to know Snort, you might consider setting up a testing
environment using virtual machines. A simple approach would be to use a
virtual machine that has its network adaptor configured to be visible on
your network (the setting is called ‘bridged adaptor’ in VirtualBox,
for example). The techniques outlined here are not dangerous, but they
can be considerably easier to get working within a controllable
environment. Snort runs on a single machine, but can monitor an entire network
Install Snort
Install Snort with ‘sudo apt-get install snort’. If you need the very
latest version, visit the website and fetch, build and install it.
Step 02
Set Up a ‘quiet’ network environment
When first setting up Snort, it helps to have as little activity on
the network as possible. Disconnect other computers or even set up a VM
with a bridged adaptor which you can operate upon from the host machine.
Step 03
Test Snort installation
Nearly all Snort operations need to be carried out by the root user.
On Ubuntu, it’s probably worth using ‘sudo -i’ to avoid password
prompts. Use ‘su’ on other distros. As root, type ‘snort -v’. This puts
Snort into packet sniffer mode.
Step 04
Create network activity
Presuming that the network you are on is reasonably quiet, you can
generate some network activity by pinging the server. Open another
terminal and type ‘ping [IP address of server]’, and cancel after a
couple of successful pings. Now, go back to the terminal with Snort
running.
Step 05
Interpreting the data
In this example, the ping activity is reported in entries
that end with lines ‘ECHO’ and ‘ECHO REPLY’. You may have to scroll back
in the terminal to see these entries. Notice that the entries contain
the time that the activity occurred and the source and destination of
the traffic.
Step 06
Exiting Snort
Exit Snort by hitting Ctrl+C. When you exit Snort, it prints a
statistical summary of the traffic that it observed. In this example,
there should have been some ICMP traffic from the ping operation. Exiting Snort
Step 07
More detail
Here’s a more extensive command line: ‘snort -vde’. This produces
more output due to the d (display packet data) and e (application
layer). For example, if you fetch POP email without SSL selected, you’ll
be able to see the username and password scroll past.
Step 08
log packet data
Make a directory called ‘snort_logs’. Now run ‘snort -d -l
./snort_logs’ and Snort will log all recorded traffic into the log
directory with a separate file for each interface. We’ll skip the
verbose flag (-v), as all of the screen output eats into Snort’s
throughput.
Step 09
Back up Snort configuration file
Snort comes with a default configuration file which we will back up.
Type ‘locate snort.conf’ to find the file and then make a copy of it.
‘cp /etc/ snort/snort.conf /etc/snort/snort.conf_old’ should work for
Ubuntu, for example.
Step 10
Initial configuration
Open the config file in a text editor. For now, make sure that the
variable ‘HOME_NET’ accurately describes your network. For example, if
your computers have IP addresses that begin at 192.168.0.1, set it to
192.168.0.1/24.
Step 11
Create launch script
Make a startup script to save time. Create an empty file with ‘nano
start_snort’, then add the line ‘snort -de -l [full path to
script]/snort_logs -c /etc/snort/snort.conf’ to it, and then save. Now
type “chmod +x start_ snort”. This will launch snort in IDS mode, with
reasonable defaults.
Step 12
Intrusion detection mode
First, find the IP address of the machine running Snort by using
‘ifconfig’ and make a note of it. Now run ‘./start_snort’. Some extra
startup information scrolls past as we are now using the Snort
configuration file and the rules files that it references.
Step 13
Simulate an attack (Nmap)
We’ll begin by carrying out a port scan on the machine running Snort
using Nmap, a common first step in a typical intrusion attempt. From a
different machine on your network, type ‘nmap [IP address of Snort
machine]’. A file called ‘alert’ should have appeared in the log folder.
Examine it. Simulate an attack
Step 14
Automatically start Snort
The method to launch a script at startup varies between
distributions. On Ubuntu, simply add our ‘start_snort’ script to
‘/etc/init’ by typing ‘ln start_snort /etc/init/’. Remember to use fully
qualified path names in the script.
Step 15
Protect the network
Protecting an entire network requires either a dedicated Snort
machine or a dedicated network adaptor on your server. This is because
the network card must be put into promiscuous mode to capture all
traffic being transmitted, and this is the scenario we will work with
here. Once you have installed the second card and rebooted the machine,
determine the naming of the two network interfaces by typing ‘ifconfig’.
In this example, the second network card is called ‘eth1’. Now open
‘/etc/networking/interfaces’ in a text editor.
Step 16
Configure promiscuous mode
Add the following lines to the file: ‘iface eth1 inet manual’, ‘up
ifconfig $IFACE 0.0.0.0 up’, ‘up ip link set $IFACE promisc on’, ‘down
ip link set $IFACE promisc off’, ‘down ifconfig $IFACE down’. Type ‘sudo
ifup eth1’ to start up the second Ethernet adaptor and physically plug
it into your router, hub or spanning switch.
Step 17
Test promiscuous mode
Type ‘ifconfig’ and eth1 should be listed without an IP address. Now
add ‘sudo ifup eth1’ to your Snort startup script along with the flag
‘-i eth1’ on the Snort launch command. When launched, Snort will now
monitor all traffic on your network.
Step 18
Create a simple Snort rule
For the sake of simplicity, we are going to add a rule to
the configuration file rather than create a new rule file. As root, open
up snort.conf in a text editor. On the final line of the configuration
file, add the following line: ‘alert tcp any any -> any 23 ( msg:
“telnet alert!”; sid: 1; )’.
Step 19
Test simple rule
Launch Snort with ‘snort -dev -l ./snort_logs -c /etc/snort.conf’.
From another machine, type ‘telnet [IP address of Snort machine]’. If
everything has worked, you should now have an update in the alert file.
See the Snort manual for a full breakdown, but open the file and check
that source IP and destination IP look correct.
Step 20
Fetch extra rules
Get extra rules from the Snort website (free sign-up required). They
belong in ‘/etc/ snort/rules’ and should be enabled using the ‘include’
directive in snort.conf. The comprehensive selection is an excellent
starting point for creating your own rules for dealing with, for
example, application-specific exploits.
Step 21
Add CSV output module
Unless you know that you are going to have to use Snort alert logs as
input for another networking utility, consider switching it to CSV
output so that you can view the data in a spreadsheet. Simply add the
line ‘output alert_csv: alert.csv default’ to the end of the
configuration file. Add CSV output module
Step 22
Interpreting an attack
When an attack is logged, begin by looking up the IP address with the
‘whois’ command or by using an online geographic IP lookup address.
Note the port number of the attack to try to figure out the service or
application that is the focus of the attack.
Step 23
Block an attack (part 1)
Block the IP address of the attacker as reported in the alert file.
Obviously, the address can change, but they tend to be fairly static
from the most common type of automated attacks. Use the command
‘iptables -A INPUT -s [attacker IP address] -j DROP’.
Step 24
Block an attack (part 2)
It’s possible that an attack is targeting an unused or unimportant
port on your network. Use ‘/iptables -A INPUT -p tcp –destination- port
80 -j DROP’ to block a port, if you have determined that it will not
harm the normal function of your system. To unblock a port or IP
address, use the ‘-D’ switch instead of ‘-A’.
No comments:
Post a Comment