Difference between revisions of "Install Snort Intrusion Detection System"
Jump to navigation
Jump to search
| (20 intermediate revisions by the same user not shown) | |||
| Line 5: | Line 5: | ||
Snort is an intrusion detection system that can monitor network traffic and alert on malicious traffic or just monitor what users are doing on the network, in case they breach the policy. | Snort is an intrusion detection system that can monitor network traffic and alert on malicious traffic or just monitor what users are doing on the network, in case they breach the policy. | ||
<pre>apt-get install snort</pre> | <pre>apt-get install snort</pre> | ||
When snort asks for the interface, enter: br0<br>When snort asks for the network mask, enter: 192.168.0.0/16 (This includes the Bubba LAN network, and any additional networks you may create later for VPN, as long as they start on 192.168.*.*)<br>Do not select yes to disable promiscious mode.<br>You may enter an email address to e-mail alerts to.<br>Enable missing rules (In this case we enable the the porn, chat and p2p rules) | When snort asks for the interface, enter: br0. (You will be able to see more traffic if you place the IDS on the LAN interface, however you may place it on eth0 instead if you want)<br>When snort asks for the network mask, enter: 192.168.0.0/16 (This includes the Bubba LAN network, and any additional networks you may create later for VPN, as long as they start on 192.168.*.*)<br>Do not select yes to disable promiscious mode.<br>You may enter an email address to e-mail alerts to.<br>Enable missing rules (In this case we enable the the porn, chat and p2p rules) | ||
<pre>nano /etc/snort/snort.conf</pre> | <pre>nano /etc/snort/snort.conf</pre> | ||
Uncomment the lines below and save the file. | Uncomment the lines below and save the file. | ||
| Line 28: | Line 28: | ||
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$ | update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$ | ||
skipfile local.rules</pre> | skipfile local.rules</pre> | ||
Run oinkmaster and add the new rules to load in snort.conf<br> | Run oinkmaster and add the new rules to load in snort.conf. Some rules have not been included below as they contain syntax errors which cause snort to fail. <br>You have to analyse those and fix any such error yourself and report them to Snort Bleeding Edge community.<br> | ||
<pre>oinkmaster -q -C Oinkmaster-bleedingsnort.conf -o ./rules</pre><pre>nano /etc/snort/snort.conf | <pre>oinkmaster -q -C Oinkmaster-bleedingsnort.conf -o ./rules</pre><pre>nano /etc/snort/snort.conf | ||
| Line 41: | Line 41: | ||
include rules/bleeding-scan.rules | include rules/bleeding-scan.rules | ||
include rules/bleeding-web.rules | include rules/bleeding-web.rules | ||
</pre> | </pre> | ||
| Line 59: | Line 56: | ||
<pre>cat /var/log/snort/alert | grep -B5 MSN | <pre>cat /var/log/snort/alert | grep -B5 MSN | ||
</pre> | </pre> | ||
Example 1: Create a sctipt to parse snort alerts that can be scheduled using cron:<br> | |||
Create a script to automatically parse snort alerts to one readable file. | Create a script to automatically parse snort alerts to one readable file. | ||
<pre>mkdir / | <pre>mkdir /home/web/logs | ||
</pre> | |||
Now create the script, for example snortscript.sh and save it into your home directory.<br> | Now create the script, for example snortscript.sh and save it into your home directory.<br> | ||
<pre> | <pre>/usr/sbin/snort -Cdv --pcap-filter="*log*" --pcap-dir=/var/log/snort/ > /home/web/logs/latest_alerts.txt | ||
</pre> | </pre> | ||
This will create one file called "latest_alerts.txt" | This will create one file called "latest_alerts.txt" which will always contain all the latest alerts including packet dump of each. This is not realtime, if you want you can schedule it to run every minute.<br> | ||
You can also password protect it with htaccess, logs will then be available to http://yourbubba.dynamicip.com/snort/<br> | |||
Make the script run every day at night at 04.00 | To view latest alerts in snorts own format without parsing the packet captures: | ||
<pre>less /var/log/snort/alert | |||
</pre> | |||
Make the script run every day at night at 04.00 AM:<br> | |||
crontab -e and add the following line: | crontab -e and add the following line: | ||
<pre>0 4 * * * /home/asqu/snortscript.sh >> /var/log/syslog 2>&1 | <pre>0 4 * * * /home/asqu/snortscript.sh >> /var/log/syslog 2>&1 | ||
</pre> | </pre> | ||
Example 2: To read snort alerts in readable format from just one file:<br> | |||
<pre>snort -dvr /var/log/snort/tcpdump.log.1293238522 | <pre>snort -dvr /var/log/snort/tcpdump.log.1293238522 | ||
| Line 81: | Line 83: | ||
12/25-01:59:54.555605 195.68.245.131:6667 -> 192.168.206.250:3470 | 12/25-01:59:54.555605 195.68.245.131:6667 -> 192.168.206.250:3470 | ||
TCP TTL:51 TOS:0x0 ID:62256 IpLen:20 DgmLen:536 DF | TCP TTL:51 TOS:0x0 ID:62256 IpLen:20 DgmLen:536 DF | ||
***AP*** Seq: 0xCDD80D8E | ***AP*** Seq: 0xCDD80D8E Ack: 0xFE98A508 Win: 0xB68 TcpLen: 20 | ||
3A 47 6C 6F 62 61 6C 21 47 6C 6F 62 61 6C 40 53 :Global!Global@S | 3A 47 6C 6F 62 61 6C 21 47 6C 6F 62 61 6C 40 53 :Global!Global@S | ||
65 72 76 69 63 65 73 2E 47 61 6D 65 53 75 72 67 | 65 72 76 69 63 65 73 2E 47 61 6D 65 53 75 72 67 ervices.GameSurg | ||
65 2E 6E 65 74 20 4E 4F 54 49 43 45 20 73 64 66 | 65 2E 6E 65 74 20 4E 4F 54 49 43 45 20 73 64 66 e.net NOTICE sdf | ||
20 3A 5B 02 75 73 65 72 73 02 5D 20 4E 6F 74 69 | 20 3A 5B 02 75 73 65 72 73 02 5D 20 4E 6F 74 69 :[.users.] Noti | ||
63 65 20 66 72 6F 6D 20 47 61 6D 65 53 75 72 67 | 63 65 20 66 72 6F 6D 20 47 61 6D 65 53 75 72 67 ce from GameSurg | ||
65 2C 20 70 6F 73 74 65 64 20 30 39 3A 32 37 20 | 65 2C 20 70 6F 73 74 65 64 20 30 39 3A 32 37 20 e, posted 09:27 | ||
41 4D 2C 20 30 31 2F 32 30 2F 32 30 30 37 3A 0D | 41 4D 2C 20 30 31 2F 32 30 2F 32 30 30 37 3A 0D AM, 01/20/2007:. | ||
0A 3A 47 6C 6F 62 61 6C 21 47 6C 6F 62 61 6C 40 | 0A 3A 47 6C 6F 62 61 6C 21 47 6C 6F 62 61 6C 40 .:Global!Global@ | ||
53 65 72 76 69 63 65 73 2E 47 61 6D 65 53 75 72 | 53 65 72 76 69 63 65 73 2E 47 61 6D 65 53 75 72 Services.GameSur | ||
67 65 2E 6E 65 74 20 4E 4F 54 49 43 45 20 73 64 | 67 65 2E 6E 65 74 20 4E 4F 54 49 43 45 20 73 64 ge.net NOTICE sd | ||
66 20 3A 50 6C 65 61 73 65 20 62 65 20 66 61 6D | 66 20 3A 50 6C 65 61 73 65 20 62 65 20 66 61 6D f :Please be fam | ||
69 6C 69 61 72 20 77 69 74 68 20 74 68 65 20 47 | 69 6C 69 61 72 20 77 69 74 68 20 74 68 65 20 47 iliar with the G | ||
61 6D 65 53 75 72 67 65 20 41 63 63 65 70 74 61 | 61 6D 65 53 75 72 67 65 20 41 63 63 65 70 74 61 ameSurge Accepta | ||
62 6C 65 20 55 73 65 20 50 6F 6C 69 63 79 2E 20 | 62 6C 65 20 55 73 65 20 50 6F 6C 69 63 79 2E 20 ble Use Policy. | ||
41 6C 6C 20 75 73 65 72 73 20 6F 6E 20 74 68 65 | 41 6C 6C 20 75 73 65 72 73 20 6F 6E 20 74 68 65 All users on the | ||
20 6E 65 74 77 6F 72 6B 20 61 72 65 20 72 65 71 | 20 6E 65 74 77 6F 72 6B 20 61 72 65 20 72 65 71 network are req | ||
75 69 72 65 64 20 74 6F 20 61 62 69 64 65 20 62 | 75 69 72 65 64 20 74 6F 20 61 62 69 64 65 20 62 uired to abide b | ||
79 20 69 74 2E 20 68 74 74 70 3A 2F 2F 77 77 77 | 79 20 69 74 2E 20 68 74 74 70 3A 2F 2F 77 77 77 y it. http://www | ||
2E 67 61 6D 65 73 75 72 67 65 2E 6E 65 74 2F 61 | 2E 67 61 6D 65 73 75 72 67 65 2E 6E 65 74 2F 61 .gamesurge.net/a | ||
75 70 2F 0D 0A 3A 47 6C 6F 62 61 6C 21 47 6C 6F | 75 70 2F 0D 0A 3A 47 6C 6F 62 61 6C 21 47 6C 6F up/..:Global!Glo | ||
62 61 6C 40 53 65 72 76 69 63 65 73 2E 47 61 6D | 62 61 6C 40 53 65 72 76 69 63 65 73 2E 47 61 6D bal@Services.Gam | ||
65 53 75 72 67 65 2E 6E 65 74 20 4E 4F 54 49 43 | 65 53 75 72 67 65 2E 6E 65 74 20 4E 4F 54 49 43 eSurge.net NOTIC | ||
45 20 73 64 66 20 3A 02 2D 2D 2D 2D 2D 2D 2D 2D | 45 20 73 64 66 20 3A 02 2D 2D 2D 2D 2D 2D 2D 2D E sdf :.-------- | ||
2D 2D 20 45 4E 44 20 4F 46 20 4D 45 53 53 41 47 | 2D 2D 20 45 4E 44 20 4F 46 20 4D 45 53 53 41 47 -- END OF MESSAG | ||
45 28 53 29 20 4F 46 20 54 48 45 20 44 41 59 20 | 45 28 53 29 20 4F 46 20 54 48 45 20 44 41 59 20 E(S) OF THE DAY | ||
2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 02 0D 0A 3A 42 75 | 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 02 0D 0A 3A 42 75 ----------...:Bu | ||
72 73 74 66 69 72 65 2E 55 4B 2E 45 55 2E 47 61 | 72 73 74 66 69 72 65 2E 55 4B 2E 45 55 2E 47 61 rstfire.UK.EU.Ga | ||
6D 65 53 75 72 67 65 2E 6E 65 74 20 33 30 32 20 | 6D 65 53 75 72 67 65 2E 6E 65 74 20 33 30 32 20 meSurge.net 302 | ||
73 64 66 20 3A 73 64 66 3D 2B 7E 73 64 66 40 63 | 73 64 66 20 3A 73 64 66 3D 2B 7E 73 64 66 40 63 sdf :sdf=+~sdf@c | ||
6D 2D 38 34 2E 32 30 39 2E 34 33 2E 31 32 36 2E | 6D 2D 38 34 2E 32 30 39 2E 34 33 2E 31 32 36 2E m-xx.xxx.xx.xxx. | ||
67 65 74 69 6E 74 65 72 6E 65 74 2E 6E 6F 0D 0A | 67 65 74 69 6E 74 65 72 6E 65 74 2E 6E 6F 0D 0A isp.com.. | ||
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ | =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ | ||
| Line 118: | Line 120: | ||
12/25-02:01:41.046608 192.168.63.246:3470 -> 195.68.10.68:6667 | 12/25-02:01:41.046608 192.168.63.246:3470 -> 195.68.10.68:6667 | ||
TCP TTL:128 TOS:0x0 ID:23951 IpLen:20 DgmLen:71 DF | TCP TTL:128 TOS:0x0 ID:23951 IpLen:20 DgmLen:71 DF | ||
***AP*** Seq: 0xFE981A0B | ***AP*** Seq: 0xFE981A0B Ack: 0xCDD8EF7A Win: 0xFFD0 TcpLen: 20 | ||
50 52 49 56 4D 53 47 20 77 61 65 65 6C 20 3A 68 | 50 52 49 56 4D 53 47 20 77 61 65 65 6C 20 3A 68 PRIVMSG waeel : | ||
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ | =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ | ||
</pre> | |||
</pre> | The setting up of a web based GUI to view alerts such as BASE (Basic Analysis and Security Engine) is not part of this tutorial.<br> | ||
Latest revision as of 10:15, 13 January 2011
Installing Snort Intrusion Detection System.
Author: Asad
Snort is an intrusion detection system that can monitor network traffic and alert on malicious traffic or just monitor what users are doing on the network, in case they breach the policy.
apt-get install snort
When snort asks for the interface, enter: br0. (You will be able to see more traffic if you place the IDS on the LAN interface, however you may place it on eth0 instead if you want)
When snort asks for the network mask, enter: 192.168.0.0/16 (This includes the Bubba LAN network, and any additional networks you may create later for VPN, as long as they start on 192.168.*.*)
Do not select yes to disable promiscious mode.
You may enter an email address to e-mail alerts to.
Enable missing rules (In this case we enable the the porn, chat and p2p rules)
nano /etc/snort/snort.conf
Uncomment the lines below and save the file.
# Policy related rules: # include $RULE_PATH/policy.rules # include $RULE_PATH/community-policy.rules include $RULE_PATH/porn.rules # include $RULE_PATH/community-inappropriate.rules include $RULE_PATH/chat.rules # include $RULE_PATH/multimedia.rules include $RULE_PATH/p2p.rules # include $RULE_PATH/community-game.rules # include $RULE_PATH/community-misc.rules
Example: Edit the rules file:
nano /etc/snort/rules/chat.rules
Install Bleeding Edge Rules:
Create the following file with nano:
url = http://www.bleedingsnort.com/downloads/bleeding.rules.tar.gz path = /bin:/usr/bin:/usr/local/bin tmpdir = /tmp update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$ skipfile local.rules
Run oinkmaster and add the new rules to load in snort.conf. Some rules have not been included below as they contain syntax errors which cause snort to fail.
You have to analyse those and fix any such error yourself and report them to Snort Bleeding Edge community.
oinkmaster -q -C Oinkmaster-bleedingsnort.conf -o ./rules
nano /etc/snort/snort.confinclude rules/bleeding-virus.rules include rules/bleeding_attack-response.rules include rules/bleeding-policy.rules include rules/bleeding-dos.rules include rules/bleeding-exploit.rules include rules/bleeding-inappropriate.rules include rules/bleeding-malware.rules include rules/bleeding-p2p.rules include rules/bleeding-scan.rules include rules/bleeding-web.rules
Restart snort
service snort restart
To start snort
service snort start
To stop snort
service snort stop
To check snort status
service snort status
Change snort parameters later:
dpkg-reconfigure snort
Check snort alerts: (For example filter all MSN traffic)
cat /var/log/snort/alert | grep -B5 MSN
Example 1: Create a sctipt to parse snort alerts that can be scheduled using cron:
Create a script to automatically parse snort alerts to one readable file.
mkdir /home/web/logs
Now create the script, for example snortscript.sh and save it into your home directory.
/usr/sbin/snort -Cdv --pcap-filter="*log*" --pcap-dir=/var/log/snort/ > /home/web/logs/latest_alerts.txt
This will create one file called "latest_alerts.txt" which will always contain all the latest alerts including packet dump of each. This is not realtime, if you want you can schedule it to run every minute.
You can also password protect it with htaccess, logs will then be available to http://yourbubba.dynamicip.com/snort/
To view latest alerts in snorts own format without parsing the packet captures:
less /var/log/snort/alert
Make the script run every day at night at 04.00 AM:
crontab -e and add the following line:
0 4 * * * /home/asqu/snortscript.sh >> /var/log/syslog 2>&1
Example 2: To read snort alerts in readable format from just one file:
snort -dvr /var/log/snort/tcpdump.log.1293238522 Example output (truncated): =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 12/25-01:59:54.555605 195.68.245.131:6667 -> 192.168.206.250:3470 TCP TTL:51 TOS:0x0 ID:62256 IpLen:20 DgmLen:536 DF ***AP*** Seq: 0xCDD80D8E Ack: 0xFE98A508 Win: 0xB68 TcpLen: 20 3A 47 6C 6F 62 61 6C 21 47 6C 6F 62 61 6C 40 53 :Global!Global@S 65 72 76 69 63 65 73 2E 47 61 6D 65 53 75 72 67 ervices.GameSurg 65 2E 6E 65 74 20 4E 4F 54 49 43 45 20 73 64 66 e.net NOTICE sdf 20 3A 5B 02 75 73 65 72 73 02 5D 20 4E 6F 74 69 :[.users.] Noti 63 65 20 66 72 6F 6D 20 47 61 6D 65 53 75 72 67 ce from GameSurg 65 2C 20 70 6F 73 74 65 64 20 30 39 3A 32 37 20 e, posted 09:27 41 4D 2C 20 30 31 2F 32 30 2F 32 30 30 37 3A 0D AM, 01/20/2007:. 0A 3A 47 6C 6F 62 61 6C 21 47 6C 6F 62 61 6C 40 .:Global!Global@ 53 65 72 76 69 63 65 73 2E 47 61 6D 65 53 75 72 Services.GameSur 67 65 2E 6E 65 74 20 4E 4F 54 49 43 45 20 73 64 ge.net NOTICE sd 66 20 3A 50 6C 65 61 73 65 20 62 65 20 66 61 6D f :Please be fam 69 6C 69 61 72 20 77 69 74 68 20 74 68 65 20 47 iliar with the G 61 6D 65 53 75 72 67 65 20 41 63 63 65 70 74 61 ameSurge Accepta 62 6C 65 20 55 73 65 20 50 6F 6C 69 63 79 2E 20 ble Use Policy. 41 6C 6C 20 75 73 65 72 73 20 6F 6E 20 74 68 65 All users on the 20 6E 65 74 77 6F 72 6B 20 61 72 65 20 72 65 71 network are req 75 69 72 65 64 20 74 6F 20 61 62 69 64 65 20 62 uired to abide b 79 20 69 74 2E 20 68 74 74 70 3A 2F 2F 77 77 77 y it. http://www 2E 67 61 6D 65 73 75 72 67 65 2E 6E 65 74 2F 61 .gamesurge.net/a 75 70 2F 0D 0A 3A 47 6C 6F 62 61 6C 21 47 6C 6F up/..:Global!Glo 62 61 6C 40 53 65 72 76 69 63 65 73 2E 47 61 6D bal@Services.Gam 65 53 75 72 67 65 2E 6E 65 74 20 4E 4F 54 49 43 eSurge.net NOTIC 45 20 73 64 66 20 3A 02 2D 2D 2D 2D 2D 2D 2D 2D E sdf :.-------- 2D 2D 20 45 4E 44 20 4F 46 20 4D 45 53 53 41 47 -- END OF MESSAG 45 28 53 29 20 4F 46 20 54 48 45 20 44 41 59 20 E(S) OF THE DAY 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 02 0D 0A 3A 42 75 ----------...:Bu 72 73 74 66 69 72 65 2E 55 4B 2E 45 55 2E 47 61 rstfire.UK.EU.Ga 6D 65 53 75 72 67 65 2E 6E 65 74 20 33 30 32 20 meSurge.net 302 73 64 66 20 3A 73 64 66 3D 2B 7E 73 64 66 40 63 sdf :sdf=+~sdf@c 6D 2D 38 34 2E 32 30 39 2E 34 33 2E 31 32 36 2E m-xx.xxx.xx.xxx. 67 65 74 69 6E 74 65 72 6E 65 74 2E 6E 6F 0D 0A isp.com.. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 12/25-02:01:41.046608 192.168.63.246:3470 -> 195.68.10.68:6667 TCP TTL:128 TOS:0x0 ID:23951 IpLen:20 DgmLen:71 DF ***AP*** Seq: 0xFE981A0B Ack: 0xCDD8EF7A Win: 0xFFD0 TcpLen: 20 50 52 49 56 4D 53 47 20 77 61 65 65 6C 20 3A 68 PRIVMSG waeel : =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
The setting up of a web based GUI to view alerts such as BASE (Basic Analysis and Security Engine) is not part of this tutorial.