{"id":132,"date":"2010-01-14T17:29:08","date_gmt":"2010-01-15T00:29:08","guid":{"rendered":"http:\/\/www.analogrithems.com\/rant\/?p=132"},"modified":"2010-01-14T21:55:52","modified_gmt":"2010-01-15T04:55:52","slug":"132","status":"publish","type":"post","link":"https:\/\/www.analogrithems.com\/rant\/132\/","title":{"rendered":"Snort + Mysql on RHEL 5.4"},"content":{"rendered":"<p>This document describes the steps for installing and setting up Snort, the open-source intrusion detection system. It also describes the process for updating the signature definitions.<\/p>\n<p><a title=\"http:\/\/www.snort.org\/\" rel=\"nofollow\" href=\"http:\/\/www.snort.org\/\">Snort<\/a> is an open-source IDS (Intrusion Detection System) written and maintained by a company called <a title=\"http:\/\/www.sourcefire.com\/\" rel=\"nofollow\" href=\"http:\/\/www.sourcefire.com\/\">Sourcefire<\/a>. It is one of the best IDS available and is free (kinda).<\/p>\n<h3>Downloading Snort<\/h3>\n<p>Since we use Red Hat Enterprise Linux 5 here, go to the Snort <a title=\"http:\/\/www.snort.org\/downloads\/\" rel=\"nofollow\" href=\"http:\/\/www.snort.org\/downloads\/\">download<\/a> page and select <strong>snort-2.8.5.2-1.RH5.i386.rpm<\/strong>. Since we will also be using the BASE web interface to view the alerts, also download the <strong>snort-mysql-2.8.5.2-1.RH5.i386.rpm<\/strong> add-on, which allows Snort to log its alerts to a MySQL database.<\/p>\n<h3>Installing Snort<\/h3>\n<p>Installing Snort via the RPMs is very easy. Just use the rpm command as follows.<\/p>\n<pre>[root@mytest src]# rpm -Uvh snort-2.8.5.2-1.RH5.i386.rpm snort-mysql-2.8.5.2-1.RH5.i386.rpm\r\nPreparing...                
########################################### [100%]\r\n  1:snort                    ########################################### [ 50%]\r\n  2:snort-mysql          ########################################### [100%]\r\n<\/pre>\n<p>That&#8217;s it, Snort is installed, and the rpm install script already configures Snort to start at boot.<\/p>\n<pre>[root@mytest src]# chkconfig --list |grep snort\r\nsnortd          0:off   1:off   2:on    3:on    4:on    5:on    6:off\r\n<\/pre>\n<h3>Configuring Snort<\/h3>\n<p>Here is where the real magic happens. We now need to configure Snort for use. Typically your server will have two NICs: one for remote administration and one dedicated to Snort. In our case I will use eth0 for remote administration and logging into the computer, and I&#8217;ll use eth1 for Snort. We want to dedicate the whole interface to Snort because we will be placing it in promiscuous mode, which makes the network interface sniff all the traffic crossing its segment.<\/p>\n<h4>Configure Dedicated Network Interface<\/h4>\n<p>You don&#8217;t actually need a real IP for the Snort interface, so when you configure the ifcfg file just leave out the IP info. In Red Hat the network config files are located under <strong>\/etc\/sysconfig\/network-scripts\/<\/strong>, so I&#8217;ll place the following in <strong>\/etc\/sysconfig\/network-scripts\/ifcfg-eth1<\/strong> (DEVICE must match the interface name in the file name).<\/p>\n<pre>DEVICE=eth1\r\nBOOTPROTO=none\r\nONBOOT=yes\r\nTYPE=Ethernet\r\n<\/pre>\n<p>Then recycle the network service with the <strong>service network restart<\/strong> command.<\/p>\n<pre>[root@mytest network-scripts]# service network restart\r\nShutting down interface eth0:                              [  OK  ]\r\nShutting down interface eth1:                              [  OK  ]\r\nShutting down loopback interface:                        [  OK  ]\r\nBringing up loopback interface:                            [  OK  ]\r\nBringing up interface eth0:                 
                 [  OK  ]\r\nBringing up interface eth1:                                 [  OK  ]\r\n<\/pre>\n<p>This will bring up your network interface. You can verify that the interface is up with the ifconfig command.<\/p>\n<pre>[root@mytest network-scripts]# ifconfig eth1\r\neth1      Link encap:Ethernet  HWaddr 00:C0:F2:01:16:73\r\n         UP BROADCAST MULTICAST  MTU:1500  Metric:1\r\n         RX packets:0 errors:0 dropped:0 overruns:0 frame:0\r\n         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0\r\n         collisions:0 txqueuelen:1000\r\n         RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)\r\n         Interrupt:193 Base address:0xdde0\r\n<\/pre>\n<h4>Snort Sysconfig file<\/h4>\n<p>Now that we have our network up, it&#8217;s time to configure Snort to use the new network interface we just created. You can tell Snort to use either a specific NIC or ALL. In our case we only want it to use eth1, so edit <strong>\/etc\/sysconfig\/snort<\/strong>, find the line that has <strong>INTERFACE=eth0<\/strong> and change it to <strong>INTERFACE=eth1<\/strong><\/p>\n<pre># What interface should snort listen on?  [Pick only 1 of the next 3!]\r\n# This is -i {interface} on the command line\r\n# This is the snort.conf config interface: {interface} directive\r\nINTERFACE=eth1\r\n<\/pre>\n<p>Next, since we will be logging to MySQL, we need to shut off the standard flat-file output by commenting out the <strong>ALERTMODE<\/strong> option. This step is actually really important: without it, no matter what you tell the snort config file, Snort will not send any logs to the MySQL database.<\/p>\n<pre># How should Snort alert? Valid alert modes include fast, full, none, and\r\n# unsock.  Fast writes alerts to the default \"alert\" file in a single-line,\r\n# syslog style alert message.  Full writes the alert to the \"alert\" file\r\n# with the full decoded header as well as the alert message.  None turns off\r\n# alerting. 
Unsock is an experimental mode that sends the alert information\r\n# out over a UNIX socket to another process that attaches to that socket.\r\n# -A {alert-mode}\r\n# output alert_{type}: {options}\r\n#ALERTMODE=fast\r\n<\/pre>\n<h4>Create and Configure the Database<\/h4>\n<p>We now need to create and configure the MySQL database and tables where Snort&#8217;s events will be logged. The snort rpm you installed earlier placed a MySQL database schema at <strong>\/usr\/share\/snort-2.8.5.2\/schemas\/create_mysql<\/strong>, so first we need to manually create the MySQL database.<\/p>\n<pre>[root@mytest ~]# mysql\r\nmysql&gt; create database snort;\r\nQuery OK, 1 row affected (0.09 sec)\r\nmysql&gt; exit\r\nBye\r\n<\/pre>\n<p>Next we will import the database schema into the snort database we just created with the following command.<\/p>\n<pre>[root@mytest ~]# mysql snort &lt; \/usr\/share\/snort-2.8.5.2\/schemas\/create_mysql\r\n<\/pre>\n<p>Last, we need to create a snort user in MySQL with full access to the database and tables we just created. In the following example replace <strong>secret password<\/strong> with an actual password.<\/p>\n<pre>[root@mytest ~]# mysql snort\r\nmysql&gt; grant all on snort.* to 'snort'@'%' identified by 'secret password';\r\nQuery OK, 0 rows affected (0.04 sec)\r\nmysql&gt; exit\r\nBye\r\n<\/pre>\n<h4>Snort Configuration File<\/h4>\n<p>The actual Snort config file is located in <strong>\/etc\/snort<\/strong> and is called <strong>snort.conf<\/strong>. Really the only things we should edit in this file are the var options that are specific to our network and the output line that defines our database connection.<\/p>\n<pre># This should reflect all the subnets we have on our network.\r\nvar HOME_NET [10.0.0.0\/24,10.0.10.0\/24,10.0.23.0\/24]\r\nvar EXTERNAL_NET any\r\n# Configure your server lists.  This allows snort to only look for attacks to\r\n# systems that have a service up.  Why look for HTTP attacks if you are not\r\n# running a web server?  
This allows quick filtering based on IP addresses\r\n# These configurations MUST follow the same configuration scheme as defined\r\n# above for $HOME_NET.\r\nvar DNS_SERVERS [10.0.0.42,10.0.23.42]\r\nvar SMTP_SERVERS $HOME_NET\r\n# Any computer that is running a web server should be in this list\r\nvar HTTP_SERVERS [10.0.0.23,10.0.23.42]\r\n# Any machine that is running any type of SQL server should be listed here\r\nvar SQL_SERVERS [10.0.0.60,10.0.0.61]\r\nvar TELNET_SERVERS $HOME_NET\r\nvar FTP_SERVERS $HOME_NET\r\nvar SNMP_SERVERS $HOME_NET\r\n# Now we define our database config\r\noutput database: log, mysql, user=snort password=secretpassword dbname=snort host=localhost\r\n<\/pre>\n<p>That&#8217;s it. After that you can start Snort with a simple <strong>service snortd start<\/strong><\/p>\n<h3>Configuring Switches for Snort<\/h3>\n<p>In the old days of hubs every packet was always sent out every port. This was inefficient and a huge security risk, so switches came along to make sure only the port that needed the data got the packet. A switch does this by keeping an internal list of which MAC address is on which port, and then only sends out packets destined for the MAC associated with each port. This is much more efficient and secure, but for Snort it actually causes a problem: in order to inspect every packet, Snort needs the switch to treat its port like a hub. Luckily, managed Cisco switches give you the ability to mirror ports or VLANs to another port or VLAN.<\/p>\n<p>For our example we will assume that we have two VLANs. 
In reality we probably have many more, but for our example it doesn&#8217;t matter. We will also assume that our dedicated network interface is plugged into port GigabitEthernet0\/5.<\/p>\n<pre>Switch# conf t\r\nSwitch(config)# monitor session 1 source vlan 1 - 2 rx\r\nSwitch(config)# monitor session 1 destination interface gigabitEthernet0\/5\r\n<\/pre>\n<p>This will tell your switch to take all traffic on VLANs 1 &amp; 2 and mirror it to GigabitEthernet port 0\/5.<\/p>\n<p>After that, write and save your config. Now Snort should be getting all the traffic from your VLANs. As stated above, if you have multiple VLANs then add more <strong>monitor session 1 source<\/strong> statements. You can combine all sorts of interfaces and VLANs.<\/p>\n<h3>Updating Scanning Signatures<\/h3>\n<p>Unfortunately updating Snort rules requires an account on the snort.org website. There are free and paid subscription accounts; the free account gets new signatures 30 days after the paid account. For our purposes we will be using the free version for now. So create your free account via the <a title=\"https:\/\/www.snort.org\/signup\" rel=\"nofollow\" href=\"https:\/\/www.snort.org\/signup\">Signup Page<\/a> and, after you do the whole email confirm thing, log in to the website at the <a title=\"https:\/\/www.snort.org\/login\" rel=\"nofollow\" href=\"https:\/\/www.snort.org\/login\">Login Page<\/a>. When you log in, click on the <strong>Get Rules<\/strong> button; this will take you to a download page and show you two sections, one for VRT Subscription users and one for Registered users (free, 30 days late). Select the <strong>snortrules-snapshot-CURRENT.tar.gz<\/strong> from the registered users section; this file is usually about 25-30MB so be patient. 
Once you have downloaded this tar archive to your Snort machine, create a temp dir and unpack all the files with the tar command.<\/p>\n<pre>[root@mytest src]# mkdir snort-rules-temp\r\n[root@mytest src]# cd snort-rules-temp\r\n[root@mytest snort-rules-temp]# tar -zxf ..\/snortrules-snapshot-CURRENT.tar.gz\r\n<\/pre>\n<p>Once you have unpacked the archive, you only need the normal rules. Copy them to the <strong>\/etc\/snort\/rules<\/strong> directory.<\/p>\n<pre>[root@mytest snort-rules-temp]# cp rules\/* \/etc\/snort\/rules\/\r\n<\/pre>\n<p>Test the new rules with<\/p>\n<pre>[root@mytest src]# snort -c \/etc\/snort\/snort.conf -T\r\n<\/pre>\n<p>If everything looks good, recycle Snort with <strong>service snortd restart<\/strong>. For best results you should update your Snort rules every week.<\/p>\n<h2>References<\/h2>\n<ul>\n<li> <a title=\"https:\/\/forums.snort.org\/forums\" rel=\"nofollow\" href=\"https:\/\/forums.snort.org\/forums\">https:\/\/forums.snort.org\/forums<\/a><\/li>\n<li> <a title=\"http:\/\/snort.org\/\" rel=\"nofollow\" href=\"http:\/\/snort.org\/\">http:\/\/snort.org\/<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>This document describes the steps for installing and setting up Snort, the open-source intrusion detection system. It also describes the process for updating the signature definitions. Snort is an open-source IDS (Intrusion Detection System) written and maintained by a company called Sourcefire. It is one of the best IDS available and is free (kinda). 
Downloading [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12,4,13],"tags":[173,14,174],"class_list":["post-132","post","type-post","status-publish","format-standard","hentry","category-ids","category-linux","category-snort","tag-ids","tag-redhat-el5","tag-snort"],"_links":{"self":[{"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/posts\/132","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/comments?post=132"}],"version-history":[{"count":6,"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/posts\/132\/revisions"}],"predecessor-version":[{"id":136,"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/posts\/132\/revisions\/136"}],"wp:attachment":[{"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/media?parent=132"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/categories?post=132"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/tags?post=132"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}