Difference between revisions of "Install Snort Intrusion Detection System"

From BubbaWiki
Jump to navigation Jump to search
 
(35 intermediate revisions by the same user not shown)
Line 1: Line 1:
Installing Snort Intrusion Detection System.  
Installing Snort Intrusion Detection System.  


Snort is an intrusion detection system that can monitor network traffic and alert on malicious traffic or just monitor what users are doing on the network.  
Author: Asad
 
Snort is an intrusion detection system that can monitor network traffic and alert on malicious traffic or just monitor what users are doing on the network, in case they breach the policy.  
<pre>apt-get install snort</pre>  
<pre>apt-get install snort</pre>  
When snort asks for the interface, enter: br0<br>When snort asks for the network mask, enter: 192.168.0.0/16 (This includes the Bubba LAN&nbsp;network, and any additional networks you may create later for VPN, as long as they start on 192.168.*.*)<br>Do not select yes to disable promiscious mode.<br>You may enter an email address to e-mail alerts to.<br>Enable missing rules (In this case we enable the the porn, chat and p2p rules)  
When snort asks for the interface, enter: br0. (You will be able to see more traffic if you place the IDS&nbsp;on the LAN interface, however you may place it on eth0 instead if you want)<br>When snort asks for the network mask, enter: 192.168.0.0/16 (This includes the Bubba LAN&nbsp;network, and any additional networks you may create later for VPN, as long as they start on 192.168.*.*)<br>Do not select yes to disable promiscious mode.<br>You may enter an email address to e-mail alerts to.<br>Enable missing rules (In this case we enable the the porn, chat and p2p rules)  
<pre>nano /etc/snort/snort.conf</pre>  
<pre>nano /etc/snort/snort.conf</pre>  
Uncomment the lines below and save the file.  
Uncomment the lines below and save the file.  
Line 16: Line 18:
# include $RULE_PATH/community-game.rules
# include $RULE_PATH/community-game.rules
# include $RULE_PATH/community-misc.rules</pre>  
# include $RULE_PATH/community-misc.rules</pre>  
Example: Change the chat.rules file to get the complete MSN Message:  
Example: Edit the rules file:<br>
<pre>nano /etc/snort/rules/chat.rules</pre>  
<pre>nano /etc/snort/rules/chat.rules</pre>  
Edit the actual rule:  
Install Bleeding Edge Rules:
<pre>alert tcp $HOME_NET any &lt;&gt; $EXTERNAL_NET 1863 (msg:"CHAT MSN message"; flow:established; content:"MSG "; depth:100; content:"Content-Type|3A|"; nocase;
 
Create the following file with nano:  
<pre>url = http://www.bleedingsnort.com/downloads/bleeding.rules.tar.gz
path = /bin:/usr/bin:/usr/local/bin
tmpdir = /tmp
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
skipfile local.rules</pre>
Run oinkmaster and add the new rules to load in snort.conf. Some rules have not been included below as they contain syntax errors which cause snort to fail. <br>You have to analyse those and fix any such error yourself and report them to Snort Bleeding Edge community.<br>
<pre>oinkmaster -q -C Oinkmaster-bleedingsnort.conf -o ./rules</pre><pre>nano /etc/snort/snort.conf


content:"text/plain"; distance:1; classtype:policy-violation; sid:540; rev:11;)</pre>
include rules/bleeding-virus.rules
Here we change depth:1 to 100 which means, display the first 100 bytes from the match. (depth is modifier for the content option which sets the maximum search depth for a pattern match attempt).
include rules/bleeding_attack-response.rules
include rules/bleeding-policy.rules
include rules/bleeding-dos.rules
include rules/bleeding-exploit.rules
include rules/bleeding-inappropriate.rules
include rules/bleeding-malware.rules
include rules/bleeding-p2p.rules
include rules/bleeding-scan.rules
include rules/bleeding-web.rules


</pre>
Restart snort  
Restart snort  
<pre>service snort restart</pre>  
<pre>service snort restart</pre>  
Line 32: Line 51:
To check snort status  
To check snort status  
<pre>service snort status</pre>  
<pre>service snort status</pre>  
&nbsp; Change snort parameters later:  
Change snort parameters later:  
<pre>dpkg-reconfigure snort</pre>  
<pre>dpkg-reconfigure snort</pre>  
Check snort alerts: (For example filter all MSN traffic)  
Check snort alerts: (For example filter all MSN traffic)  
<pre>cat /var/log/snort/alert | grep -B5 MSN
<pre>cat /var/log/snort/alert | grep -B5 MSN
</pre>  
</pre>  
Tutotial not finished yet and is pending updating.<br>
Example 1: Create a sctipt to parse snort alerts that can be scheduled using cron:<br>
 
Create a script to automatically parse snort alerts to one readable file.
<pre>mkdir /home/web/logs
</pre>
Now create the script, for example snortscript.sh and save it into your home directory.<br>
<pre>/usr/sbin/snort -Cdv --pcap-filter="*log*" --pcap-dir=/var/log/snort/ &gt; /home/web/logs/latest_alerts.txt
</pre>
This will create one file called "latest_alerts.txt" which will always contain all the latest alerts including packet dump of each. This is not realtime, if you want you can schedule it to run every minute.<br>
 
You can also password protect it with htaccess, logs will then be available to http://yourbubba.dynamicip.com/snort/<br>
 
To view latest alerts in snorts own format without parsing the packet captures:
<pre>less /var/log/snort/alert
</pre>
Make the script run every day at night at 04.00 AM:<br>
 
crontab -e and add the following line:
<pre>0 4 * * * /home/asqu/snortscript.sh &gt;&gt; /var/log/syslog 2&gt;&amp;1
</pre>
Example 2: To read snort alerts in readable format from just one file:<br>
<pre>snort -dvr /var/log/snort/tcpdump.log.1293238522
 
Example output (truncated):
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/25-01:59:54.555605 195.68.245.131:6667 -&gt; 192.168.206.250:3470
TCP TTL:51 TOS:0x0 ID:62256 IpLen:20 DgmLen:536 DF
***AP*** Seq: 0xCDD80D8E Ack: 0xFE98A508 Win: 0xB68 TcpLen: 20
3A 47 6C 6F 62 61 6C 21 47 6C 6F 62 61 6C 40 53&nbsp;:Global!Global@S
65 72 76 69 63 65 73 2E 47 61 6D 65 53 75 72 67 ervices.GameSurg
65 2E 6E 65 74 20 4E 4F 54 49 43 45 20 73 64 66 e.net NOTICE sdf
20 3A 5B 02 75 73 65 72 73 02 5D 20 4E 6F 74 69&nbsp;:[.users.] Noti
63 65 20 66 72 6F 6D 20 47 61 6D 65 53 75 72 67 ce from GameSurg
65 2C 20 70 6F 73 74 65 64 20 30 39 3A 32 37 20 e, posted 09:27
41 4D 2C 20 30 31 2F 32 30 2F 32 30 30 37 3A 0D AM, 01/20/2007:.
0A 3A 47 6C 6F 62 61 6C 21 47 6C 6F 62 61 6C 40 .:Global!Global@
53 65 72 76 69 63 65 73 2E 47 61 6D 65 53 75 72 Services.GameSur
67 65 2E 6E 65 74 20 4E 4F 54 49 43 45 20 73 64 ge.net NOTICE sd
66 20 3A 50 6C 65 61 73 65 20 62 65 20 66 61 6D f&nbsp;:Please be fam
69 6C 69 61 72 20 77 69 74 68 20 74 68 65 20 47 iliar with the G
61 6D 65 53 75 72 67 65 20 41 63 63 65 70 74 61 ameSurge Accepta
62 6C 65 20 55 73 65 20 50 6F 6C 69 63 79 2E 20 ble Use Policy.
41 6C 6C 20 75 73 65 72 73 20 6F 6E 20 74 68 65 All users on the
20 6E 65 74 77 6F 72 6B 20 61 72 65 20 72 65 71 network are req
75 69 72 65 64 20 74 6F 20 61 62 69 64 65 20 62 uired to abide b
79 20 69 74 2E 20 68 74 74 70 3A 2F 2F 77 77 77 y it. http://www
2E 67 61 6D 65 73 75 72 67 65 2E 6E 65 74 2F 61 .gamesurge.net/a
75 70 2F 0D 0A 3A 47 6C 6F 62 61 6C 21 47 6C 6F up/..:Global!Glo
62 61 6C 40 53 65 72 76 69 63 65 73 2E 47 61 6D bal@Services.Gam
65 53 75 72 67 65 2E 6E 65 74 20 4E 4F 54 49 43 eSurge.net NOTIC
45 20 73 64 66 20 3A 02 2D 2D 2D 2D 2D 2D 2D 2D E sdf&nbsp;:.--------
2D 2D 20 45 4E 44 20 4F 46 20 4D 45 53 53 41 47 -- END OF MESSAG
45 28 53 29 20 4F 46 20 54 48 45 20 44 41 59 20 E(S) OF THE DAY
2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 02 0D 0A 3A 42 75 ----------...:Bu
72 73 74 66 69 72 65 2E 55 4B 2E 45 55 2E 47 61 rstfire.UK.EU.Ga
6D 65 53 75 72 67 65 2E 6E 65 74 20 33 30 32 20 meSurge.net 302
73 64 66 20 3A 73 64 66 3D 2B 7E 73 64 66 40 63 sdf&nbsp;:sdf=+~sdf@c
6D 2D 38 34 2E 32 30 39 2E 34 33 2E 31 32 36 2E m-xx.xxx.xx.xxx.
67 65 74 69 6E 74 65 72 6E 65 74 2E 6E 6F 0D 0A isp.com..
 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
 
12/25-02:01:41.046608 192.168.63.246:3470 -&gt; 195.68.10.68:6667
TCP TTL:128 TOS:0x0 ID:23951 IpLen:20 DgmLen:71 DF
***AP*** Seq: 0xFE981A0B Ack: 0xCDD8EF7A Win: 0xFFD0 TcpLen: 20
50 52 49 56 4D 53 47 20 77 61 65 65 6C 20 3A 68 PRIVMSG waeel&nbsp;:
 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
</pre>
The setting up of a web based GUI to view alerts such as BASE (Basic Analysis and Security Engine) is not part of this tutorial.<br>

Latest revision as of 10:15, 13 January 2011

Installing Snort Intrusion Detection System.

Author: Asad

Snort is an intrusion detection system that can monitor network traffic and alert on malicious traffic or just monitor what users are doing on the network, in case they breach the policy.

apt-get install snort

When snort asks for the interface, enter: br0. (You will be able to see more traffic if you place the IDS on the LAN interface, however you may place it on eth0 instead if you want)
When snort asks for the network mask, enter: 192.168.0.0/16 (This includes the Bubba LAN network, and any additional networks you may create later for VPN, as long as they start on 192.168.*.*)
Do not select yes to disable promiscious mode.
You may enter an email address to e-mail alerts to.
Enable missing rules (In this case we enable the the porn, chat and p2p rules)

nano /etc/snort/snort.conf

Uncomment the lines below and save the file.

# Policy related rules:
# include $RULE_PATH/policy.rules
# include $RULE_PATH/community-policy.rules
include $RULE_PATH/porn.rules
# include $RULE_PATH/community-inappropriate.rules
include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
# include $RULE_PATH/community-game.rules
# include $RULE_PATH/community-misc.rules

Example: Edit the rules file:

nano /etc/snort/rules/chat.rules

Install Bleeding Edge Rules:

Create the following file with nano:

url = http://www.bleedingsnort.com/downloads/bleeding.rules.tar.gz
path = /bin:/usr/bin:/usr/local/bin
tmpdir = /tmp
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
skipfile local.rules

Run oinkmaster and add the new rules to load in snort.conf. Some rules have not been included below as they contain syntax errors which cause snort to fail.
You have to analyse those and fix any such error yourself and report them to Snort Bleeding Edge community.

oinkmaster -q -C Oinkmaster-bleedingsnort.conf -o ./rules
nano /etc/snort/snort.conf

include rules/bleeding-virus.rules include rules/bleeding_attack-response.rules include rules/bleeding-policy.rules include rules/bleeding-dos.rules include rules/bleeding-exploit.rules include rules/bleeding-inappropriate.rules include rules/bleeding-malware.rules include rules/bleeding-p2p.rules include rules/bleeding-scan.rules include rules/bleeding-web.rules

Restart snort

service snort restart

To start snort

service snort start

To stop snort

service snort stop

To check snort status

service snort status

Change snort parameters later:

dpkg-reconfigure snort

Check snort alerts: (For example filter all MSN traffic)

cat /var/log/snort/alert | grep -B5 MSN

Example 1: Create a sctipt to parse snort alerts that can be scheduled using cron:

Create a script to automatically parse snort alerts to one readable file.

mkdir /home/web/logs

Now create the script, for example snortscript.sh and save it into your home directory.

/usr/sbin/snort -Cdv --pcap-filter="*log*" --pcap-dir=/var/log/snort/ > /home/web/logs/latest_alerts.txt

This will create one file called "latest_alerts.txt" which will always contain all the latest alerts including packet dump of each. This is not realtime, if you want you can schedule it to run every minute.

You can also password protect it with htaccess, logs will then be available to http://yourbubba.dynamicip.com/snort/

To view latest alerts in snorts own format without parsing the packet captures:

less /var/log/snort/alert

Make the script run every day at night at 04.00 AM:

crontab -e and add the following line:

0 4 * * * /home/asqu/snortscript.sh >> /var/log/syslog 2>&1

Example 2: To read snort alerts in readable format from just one file:

snort -dvr /var/log/snort/tcpdump.log.1293238522

Example output (truncated):
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/25-01:59:54.555605 195.68.245.131:6667 -> 192.168.206.250:3470
TCP TTL:51 TOS:0x0 ID:62256 IpLen:20 DgmLen:536 DF
***AP*** Seq: 0xCDD80D8E Ack: 0xFE98A508 Win: 0xB68 TcpLen: 20
3A 47 6C 6F 62 61 6C 21 47 6C 6F 62 61 6C 40 53 :Global!Global@S
65 72 76 69 63 65 73 2E 47 61 6D 65 53 75 72 67 ervices.GameSurg
65 2E 6E 65 74 20 4E 4F 54 49 43 45 20 73 64 66 e.net NOTICE sdf
20 3A 5B 02 75 73 65 72 73 02 5D 20 4E 6F 74 69 :[.users.] Noti
63 65 20 66 72 6F 6D 20 47 61 6D 65 53 75 72 67 ce from GameSurg
65 2C 20 70 6F 73 74 65 64 20 30 39 3A 32 37 20 e, posted 09:27
41 4D 2C 20 30 31 2F 32 30 2F 32 30 30 37 3A 0D AM, 01/20/2007:.
0A 3A 47 6C 6F 62 61 6C 21 47 6C 6F 62 61 6C 40 .:Global!Global@
53 65 72 76 69 63 65 73 2E 47 61 6D 65 53 75 72 Services.GameSur
67 65 2E 6E 65 74 20 4E 4F 54 49 43 45 20 73 64 ge.net NOTICE sd
66 20 3A 50 6C 65 61 73 65 20 62 65 20 66 61 6D f :Please be fam
69 6C 69 61 72 20 77 69 74 68 20 74 68 65 20 47 iliar with the G
61 6D 65 53 75 72 67 65 20 41 63 63 65 70 74 61 ameSurge Accepta
62 6C 65 20 55 73 65 20 50 6F 6C 69 63 79 2E 20 ble Use Policy.
41 6C 6C 20 75 73 65 72 73 20 6F 6E 20 74 68 65 All users on the
20 6E 65 74 77 6F 72 6B 20 61 72 65 20 72 65 71 network are req
75 69 72 65 64 20 74 6F 20 61 62 69 64 65 20 62 uired to abide b
79 20 69 74 2E 20 68 74 74 70 3A 2F 2F 77 77 77 y it. http://www
2E 67 61 6D 65 73 75 72 67 65 2E 6E 65 74 2F 61 .gamesurge.net/a
75 70 2F 0D 0A 3A 47 6C 6F 62 61 6C 21 47 6C 6F up/..:Global!Glo
62 61 6C 40 53 65 72 76 69 63 65 73 2E 47 61 6D bal@Services.Gam
65 53 75 72 67 65 2E 6E 65 74 20 4E 4F 54 49 43 eSurge.net NOTIC
45 20 73 64 66 20 3A 02 2D 2D 2D 2D 2D 2D 2D 2D E sdf :.--------
2D 2D 20 45 4E 44 20 4F 46 20 4D 45 53 53 41 47 -- END OF MESSAG
45 28 53 29 20 4F 46 20 54 48 45 20 44 41 59 20 E(S) OF THE DAY
2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 02 0D 0A 3A 42 75 ----------...:Bu
72 73 74 66 69 72 65 2E 55 4B 2E 45 55 2E 47 61 rstfire.UK.EU.Ga
6D 65 53 75 72 67 65 2E 6E 65 74 20 33 30 32 20 meSurge.net 302
73 64 66 20 3A 73 64 66 3D 2B 7E 73 64 66 40 63 sdf :sdf=+~sdf@c
6D 2D 38 34 2E 32 30 39 2E 34 33 2E 31 32 36 2E m-xx.xxx.xx.xxx.
67 65 74 69 6E 74 65 72 6E 65 74 2E 6E 6F 0D 0A isp.com..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/25-02:01:41.046608 192.168.63.246:3470 -> 195.68.10.68:6667
TCP TTL:128 TOS:0x0 ID:23951 IpLen:20 DgmLen:71 DF
***AP*** Seq: 0xFE981A0B Ack: 0xCDD8EF7A Win: 0xFFD0 TcpLen: 20
50 52 49 56 4D 53 47 20 77 61 65 65 6C 20 3A 68 PRIVMSG waeel :

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The setting up of a web based GUI to view alerts such as BASE (Basic Analysis and Security Engine) is not part of this tutorial.