Install Snort Intrusion Detection System

From BubbaWiki
Latest revision as of 10:15, 13 January 2011

Installing Snort Intrusion Detection System.

Author: Asad

Snort is an intrusion detection system that can monitor network traffic and alert on malicious traffic, or simply record what users are doing on the network so that policy breaches can be spotted.

apt-get install snort

When snort asks for the interface, enter: br0. (You will see more traffic with the IDS on the LAN bridge interface; you may place it on eth0 instead if you want.)
When snort asks for the network mask, enter: 192.168.0.0/16 (This covers the Bubba LAN network and any additional networks you may create later for VPN, as long as they lie within 192.168.*.*)
Do not select yes to disable promiscuous mode.
You may enter an email address to e-mail alerts to.
Enable missing rules (in this case we enable the porn, chat and p2p rules).

nano /etc/snort/snort.conf

Uncomment the lines below and save the file.

# Policy related rules:
# include $RULE_PATH/policy.rules
# include $RULE_PATH/community-policy.rules
include $RULE_PATH/porn.rules
# include $RULE_PATH/community-inappropriate.rules
include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
# include $RULE_PATH/community-game.rules
# include $RULE_PATH/community-misc.rules

Example: Edit the rules file:

nano /etc/snort/rules/chat.rules

Install Bleeding Edge Rules:

Create the following Oinkmaster configuration file with nano (it is referenced below as Oinkmaster-bleedingsnort.conf):

url = http://www.bleedingsnort.com/downloads/bleeding.rules.tar.gz
path = /bin:/usr/bin:/usr/local/bin
tmpdir = /tmp
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
skipfile local.rules

Run oinkmaster and add the new rules to load in snort.conf. Some rule files have been left out of the include list below because they contain syntax errors that make snort fail to start.
You have to analyse those and fix any such error yourself, and report them to the Snort Bleeding Edge community.

oinkmaster -q -C Oinkmaster-bleedingsnort.conf -o ./rules
nano /etc/snort/snort.conf

include rules/bleeding-virus.rules
include rules/bleeding_attack-response.rules
include rules/bleeding-policy.rules
include rules/bleeding-dos.rules
include rules/bleeding-exploit.rules
include rules/bleeding-inappropriate.rules
include rules/bleeding-malware.rules
include rules/bleeding-p2p.rules
include rules/bleeding-scan.rules
include rules/bleeding-web.rules

Restart snort

service snort restart
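Because a single missing or broken rule file stops snort from starting, it pays to check the include lines before the restart. The following Python script is an added example for this page (not the wiki author's code): it reads a snort.conf, expands `var RULE_PATH`, resolves relative `include rules/...` paths against the config's directory, and reports for every include whether it is active or commented out, whether the file exists, and how many rule lines it carries. The snort.conf and rules files it builds in a temporary directory are constructed sample data; the sids 999001 to 999003 are placeholders, not real rule ids.

```python
"""Sanity-check the include lines in a snort.conf before restarting Snort.

Added example, not part of the original wiki page. It understands the plain
snort.conf syntax shown on this page: `var RULE_PATH <dir>`,
`include $RULE_PATH/<file>` and `include rules/<file>` (relative paths are
resolved against the directory holding snort.conf).
"""
import os
import re
import sys
import tempfile

INCLUDE_RE = re.compile(r"^\s*(#\s*)?include\s+(\S+)")
VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")
RULE_RE = re.compile(r"^\s*(alert|log|pass|drop|reject|sdrop)\s")


def expand_vars(path, variables):
    """Substitute $NAME occurrences with values from earlier `var` lines."""
    for name, value in variables.items():
        path = path.replace("$" + name, value)
    return path


def count_rules(path):
    """Number of uncommented rule lines (alert/log/pass/...) in a rules file."""
    with open(path) as f:
        return sum(1 for line in f if RULE_RE.match(line))


def check_includes(conf_path):
    """Return a list of (include_as_written, status, rule_count) tuples.

    status is "active", "commented" or "missing" (active include, no such file).
    """
    base_dir = os.path.dirname(os.path.abspath(conf_path))
    variables = {}
    results = []
    with open(conf_path) as f:
        for line in f:
            m = VAR_RE.match(line)
            if m:
                variables[m.group(1)] = m.group(2)
                continue
            m = INCLUDE_RE.match(line)
            if not m:
                continue
            commented = m.group(1) is not None
            target = expand_vars(m.group(2), variables)
            if not os.path.isabs(target):
                target = os.path.join(base_dir, target)
            exists = os.path.isfile(target)
            if commented:
                status = "commented"
            elif not exists:
                status = "missing"
            else:
                status = "active"
            results.append((m.group(2), status, count_rules(target) if exists else 0))
    return results


def build_demo():
    """Constructed sample: a throwaway snort.conf plus a rules/ directory."""
    root = tempfile.mkdtemp()
    rules = os.path.join(root, "rules")
    os.mkdir(rules)
    with open(os.path.join(rules, "chat.rules"), "w") as f:
        f.write("# constructed sample rules; sids 999001/999002 are placeholders\n"
                'alert tcp $HOME_NET any -> any 6667 (msg:"CHAT IRC (sample)"; sid:999001; rev:1;)\n'
                'alert tcp $HOME_NET any -> any 1863 (msg:"CHAT MSN (sample)"; sid:999002; rev:1;)\n')
    with open(os.path.join(rules, "p2p.rules"), "w") as f:
        f.write("# every rule in this file is commented out\n"
                '# alert tcp any any -> any 6881 (msg:"P2P (sample)"; sid:999003; rev:1;)\n')
    with open(os.path.join(root, "snort.conf"), "w") as f:
        f.write("var RULE_PATH %s\n" % rules)  # absolute dir, like /etc/snort/rules
        f.write("include $RULE_PATH/chat.rules\n"
                "# include $RULE_PATH/multimedia.rules\n"
                "include $RULE_PATH/p2p.rules\n"
                "include rules/bleeding-scan.rules\n")  # deliberately absent file
    return os.path.join(root, "snort.conf")


if __name__ == "__main__":
    conf = sys.argv[1] if len(sys.argv) > 1 else build_demo()
    for name, status, n in check_includes(conf):
        print("%-9s %3d rules  %s" % (status, n, name))
```

Run it as `python3 check_includes.py /etc/snort/snort.conf` against the real config; with no argument it checks the constructed sample, where the absent bleeding-scan.rules shows up as "missing" and the fully commented p2p.rules as "0 rules". An active include that points at a missing file is exactly the kind of thing that makes `service snort restart` fail silently from cron's point of view.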

To start snort

service snort start

To stop snort

service snort stop

To check snort status

service snort status

Change snort parameters later:

dpkg-reconfigure snort

Check snort alerts: (For example filter all MSN traffic)

cat /var/log/snort/alert | grep -B5 MSN
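grep gives you the matching alert headers, but the full alert file has a regular block structure that is easy to parse properly. The Python script below is an added example for this page (not the wiki author's code): it splits /var/log/snort/alert into blocks, pulls out signature id, message, classification, priority, timestamp and the two endpoints, lets you filter by message text (the MSN case above) and summarises alerts per signature and per 192.168.x.x host, which matches the HOME_NET chosen during installation. It assumes Snort's default "full" alert output. The embedded sample alert file is constructed: its IP addresses and timestamps are copied from the example output further down this page, but the sids 999001/999002, the messages and the 203.0.113.10 address are placeholders.

```python
"""Summarise Snort's full-format alert file (e.g. /var/log/snort/alert).

Added example, not part of the original wiki page. Assumes Snort's default
"full" alert output, one block per alert separated by a blank line:

    [**] [gid:sid:rev] message [**]
    [Classification: ...] [Priority: N]
    MM/DD-HH:MM:SS.uuuuuu src[:port] -> dst[:port]
    PROTO TTL:... TOS:... ID:... IpLen:... DgmLen:...
"""
import re
import sys
from collections import Counter

# Constructed sample alert file. IPs and timestamps are copied from the example
# output on this page; sids 999001/999002 and the messages are placeholders.
SAMPLE_ALERT_FILE = """\
[**] [1:999001:1] CHAT IRC message (sample) [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
12/25-01:59:54.555605 195.68.245.131:6667 -> 192.168.206.250:3470
TCP TTL:51 TOS:0x0 ID:62256 IpLen:20 DgmLen:536 DF
***AP*** Seq: 0xCDD80D8E Ack: 0xFE98A508 Win: 0xB68 TcpLen: 20

[**] [1:999001:1] CHAT IRC message (sample) [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
12/25-02:01:41.046608 192.168.63.246:3470 -> 195.68.10.68:6667
TCP TTL:128 TOS:0x0 ID:23951 IpLen:20 DgmLen:71 DF
***AP*** Seq: 0xFE981A0B Ack: 0xCDD8EF7A Win: 0xFFD0 TcpLen: 20

[**] [1:999002:1] CHAT MSN login (sample) [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 2]
12/25-02:05:10.000001 192.168.63.246:1863 -> 203.0.113.10:1863
TCP TTL:128 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")
# src/dst may carry a :port (TCP/UDP) or not (ICMP); ports are optional here.
FLOW_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")


def parse_alerts(text):
    """Split the alert file into blank-line separated blocks; one dict each."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        hdr = HEADER_RE.match(lines[0])
        if not hdr:  # not an alert block (e.g. a stray line); skip it
            continue
        alert = {"gid": int(hdr.group(1)), "sid": int(hdr.group(2)),
                 "rev": int(hdr.group(3)), "msg": hdr.group(4),
                 "classification": None, "priority": None, "time": None,
                 "src": None, "sport": None, "dst": None, "dport": None}
        for line in lines[1:]:
            m = CLASS_RE.match(line)
            if m:
                alert["classification"] = m.group(1)
                alert["priority"] = int(m.group(2))
                continue
            m = FLOW_RE.match(line)
            if m:
                alert["time"] = m.group(1)
                alert["src"], alert["dst"] = m.group(2), m.group(4)
                alert["sport"] = int(m.group(3)) if m.group(3) else None
                alert["dport"] = int(m.group(5)) if m.group(5) else None
        alerts.append(alert)
    return alerts


def filter_by_message(alerts, keyword):
    """Case-insensitive equivalent of `grep MSN` on the alert headers."""
    return [a for a in alerts if keyword.lower() in a["msg"].lower()]


def summarise(alerts, local_prefix="192.168."):
    """Counts per signature message and per local host (HOME_NET 192.168.0.0/16)."""
    by_msg = Counter(a["msg"] for a in alerts)
    by_local_host = Counter()
    for a in alerts:
        for ip in (a["src"], a["dst"]):
            if ip and ip.startswith(local_prefix):
                by_local_host[ip] += 1
    return {"by_msg": by_msg, "by_local_host": by_local_host}


def render_report(alerts):
    """Plain-text report suitable for writing to one readable file."""
    s = summarise(alerts)
    out = ["%d alerts" % len(alerts), "By signature:"]
    out += ["  %5d  %s" % (n, msg) for msg, n in s["by_msg"].most_common()]
    out.append("By local host:")
    out += ["  %5d  %s" % (n, ip) for ip, n in s["by_local_host"].most_common()]
    return "\n".join(out)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERT_FILE
    alerts = parse_alerts(text)
    print(render_report(alerts))
    for a in filter_by_message(alerts, "MSN"):
        print("%s %s:%s -> %s:%s  %s" % (a["time"], a["src"], a["sport"],
                                        a["dst"], a["dport"], a["msg"]))
```

Run it as `python3 snort_alerts.py /var/log/snort/alert`; with no argument it parses the embedded sample. The per-host counter is the useful part on a home LAN: it tells you which 192.168.x.x machine is generating the chat or p2p alerts, which the raw alert file does not show at a glance.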

Example 1: Create a script to parse snort alerts that can be scheduled using cron:

Create a script to automatically parse snort alerts to one readable file.

mkdir /home/web/logs

Now create the script, for example snortscript.sh and save it into your home directory.

#!/bin/sh
# snortscript.sh: re-read every tcpdump log under /var/log/snort with snort
# (-C payload as text only, -d dump the application layer, -v verbose)
# and write all alerts with their packet dumps to one readable file.
/usr/sbin/snort -Cdv --pcap-filter="*log*" --pcap-dir=/var/log/snort/ > /home/web/logs/latest_alerts.txt

This will create one file called "latest_alerts.txt" which will always contain all the latest alerts, including the packet dump of each. This is not real-time; if you want, you can schedule it to run every minute.

You can also password protect it with htaccess; the logs will then be available at http://yourbubba.dynamicip.com/snort/

To view the latest alerts in Snort's own format without parsing the packet captures:

less /var/log/snort/alert

Make the script run every night at 04:00 AM:

Run crontab -e and add the following line:

0 4 * * * /home/asqu/snortscript.sh >> /var/log/syslog 2>&1

Example 2: To read snort alerts in readable format from just one file:

snort -dvr /var/log/snort/tcpdump.log.1293238522

Example output (truncated):
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/25-01:59:54.555605 195.68.245.131:6667 -> 192.168.206.250:3470
TCP TTL:51 TOS:0x0 ID:62256 IpLen:20 DgmLen:536 DF
***AP*** Seq: 0xCDD80D8E Ack: 0xFE98A508 Win: 0xB68 TcpLen: 20
3A 47 6C 6F 62 61 6C 21 47 6C 6F 62 61 6C 40 53 :Global!Global@S
65 72 76 69 63 65 73 2E 47 61 6D 65 53 75 72 67 ervices.GameSurg
65 2E 6E 65 74 20 4E 4F 54 49 43 45 20 73 64 66 e.net NOTICE sdf
20 3A 5B 02 75 73 65 72 73 02 5D 20 4E 6F 74 69 :[.users.] Noti
63 65 20 66 72 6F 6D 20 47 61 6D 65 53 75 72 67 ce from GameSurg
65 2C 20 70 6F 73 74 65 64 20 30 39 3A 32 37 20 e, posted 09:27
41 4D 2C 20 30 31 2F 32 30 2F 32 30 30 37 3A 0D AM, 01/20/2007:.
0A 3A 47 6C 6F 62 61 6C 21 47 6C 6F 62 61 6C 40 .:Global!Global@
53 65 72 76 69 63 65 73 2E 47 61 6D 65 53 75 72 Services.GameSur
67 65 2E 6E 65 74 20 4E 4F 54 49 43 45 20 73 64 ge.net NOTICE sd
66 20 3A 50 6C 65 61 73 65 20 62 65 20 66 61 6D f :Please be fam
69 6C 69 61 72 20 77 69 74 68 20 74 68 65 20 47 iliar with the G
61 6D 65 53 75 72 67 65 20 41 63 63 65 70 74 61 ameSurge Accepta
62 6C 65 20 55 73 65 20 50 6F 6C 69 63 79 2E 20 ble Use Policy.
41 6C 6C 20 75 73 65 72 73 20 6F 6E 20 74 68 65 All users on the
20 6E 65 74 77 6F 72 6B 20 61 72 65 20 72 65 71 network are req
75 69 72 65 64 20 74 6F 20 61 62 69 64 65 20 62 uired to abide b
79 20 69 74 2E 20 68 74 74 70 3A 2F 2F 77 77 77 y it. http://www
2E 67 61 6D 65 73 75 72 67 65 2E 6E 65 74 2F 61 .gamesurge.net/a
75 70 2F 0D 0A 3A 47 6C 6F 62 61 6C 21 47 6C 6F up/..:Global!Glo
62 61 6C 40 53 65 72 76 69 63 65 73 2E 47 61 6D bal@Services.Gam
65 53 75 72 67 65 2E 6E 65 74 20 4E 4F 54 49 43 eSurge.net NOTIC
45 20 73 64 66 20 3A 02 2D 2D 2D 2D 2D 2D 2D 2D E sdf :.--------
2D 2D 20 45 4E 44 20 4F 46 20 4D 45 53 53 41 47 -- END OF MESSAG
45 28 53 29 20 4F 46 20 54 48 45 20 44 41 59 20 E(S) OF THE DAY
2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 02 0D 0A 3A 42 75 ----------...:Bu
72 73 74 66 69 72 65 2E 55 4B 2E 45 55 2E 47 61 rstfire.UK.EU.Ga
6D 65 53 75 72 67 65 2E 6E 65 74 20 33 30 32 20 meSurge.net 302
73 64 66 20 3A 73 64 66 3D 2B 7E 73 64 66 40 63 sdf :sdf=+~sdf@c
6D 2D 38 34 2E 32 30 39 2E 34 33 2E 31 32 36 2E m-xx.xxx.xx.xxx.
67 65 74 69 6E 74 65 72 6E 65 74 2E 6E 6F 0D 0A isp.com..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/25-02:01:41.046608 192.168.63.246:3470 -> 195.68.10.68:6667
TCP TTL:128 TOS:0x0 ID:23951 IpLen:20 DgmLen:71 DF
***AP*** Seq: 0xFE981A0B Ack: 0xCDD8EF7A Win: 0xFFD0 TcpLen: 20
50 52 49 56 4D 53 47 20 77 61 65 65 6C 20 3A 68 PRIVMSG waeel :

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The setting up of a web based GUI to view alerts such as BASE (Basic Analysis and Security Engine) is not part of this tutorial.