Using Snort in Network Intrusion Detection System (NIDS) mode - on a home system (Part I)
Part I : Introduction to Snort and getting a basic installation up and running on Debian
NOTE: I am writing this while (re)learning about Snort, so there will likely be several revisions to this and further documents in this series. Make sure you have the latest version from the CyberArmy library!
Introduction:
If you've had a look at the Snort site, you will notice that the latest sources available are significantly newer than the packages available through Debian. In Part II of this series, I will go through the installation of the latest release available from the Snort site.
Before reading this, you should have an understanding of what a NIDS is used for and how it works. It would also be beneficial to have a good understanding of the TCP/IP suite, although this article will only cover basic installation without analysis of Snort's output.
I am using a basic home setup, with a PC connected to a router modem over wifi, which is only really useful for educational purposes. You could set Snort up this way in a larger environment, but it would be of very limited use - but then so would this article! I plan to install openwrt on my router in the near future, so I will write another article on that when I get to that stage.
You can run Snort in four modes: sniffer mode, packet logger mode, NIDS mode and inline mode. This article covers only NIDS mode, so if you want to know what the others are and how to set them up, check out the Snort Manual referenced at the end of this article.
Installation:
Debian system/packages:
- Debian lenny/sid
- Standard Debian kernel 2.6.22-2-686
- snort 2.3.3-14
First, fire up your favourite package management interface. For the purposes of this article, I installed the vanilla snort package with no database support. You may like to include the snort-mysql and/or snort-pgsql packages. Install snort, letting your package manager handle the dependencies and ensuring oinkmaster and snort-doc are also installed. The package configuration utility should start after downloading the required packages. Enter "any" as we want it all! I can't remember if I entirely purged my Snort installation before writing this, so if you are prompted with more questions, refer to the configuration section below. We should now have the relevant binaries, scripts, configuration files and documentation installed and ready for us to break.
Configuration:
Have a quick look in /usr/share/doc and you will notice a few Snort* directories containing documentation.
Now, let's move on and configure snort. As root, type the command below which will walk us through some basic configuration steps.
tirthrax:/# dpkg-reconfigure snort
If you have a permanent connection to the internet, choose "boot" so snort is started at boot time. Select whichever option suits your circumstances.
Have a quick read through the next screen (which is fairly self-explanatory). For now, I will choose to listen on my eth1 interface, which is my wifi connection to my router. If you have a wired connection, this will usually be eth0. If you have a wifi connection to a router, it will be whatever the driver you are using names the interface. If you run either
# ip link show
or
# ifconfig
as root, you will see which interfaces are configured on your system. Enter the interface(s) you wish Snort to listen on and continue.
The next screen should already have the correct setting. We set it earlier when snort was installed.
Leave promiscuous mode enabled and continue.
Change Snort's logging order to Pass|Alert|Log and then leave the defaults for the rest of the questions.
Snort has now been configured to send daily reports to your root account's mailbox. Have a look at your /etc/aliases file. If this contains a line like root: goltor (goltor being my user name), you should be able to read root's email from your user account (which you are logged in with, right?). If it does not, read the sendmail man page (newaliases).
Before moving on to the next section, let's see if snort runs.
You will notice that Debian has created a script for you to run snort as a service. Execute the following for usage information.
tirthrax:/# /etc/init.d/snort
Usage: /etc/init.d/snort {start|stop|restart|force-restart|reload|force-reload|status|config-check}
First off, let's run a config-check. This is similar to running # snort -T but will include Debian's configuration modifications which we are using. You can specify an interface here also, or leave it off to check all.
tirthrax:/# /etc/init.d/snort config-check eth1
checking config: (eth1).ok.
Not terribly informative...
Load up /etc/init.d/snort in your favourite editor, and we'll modify it so we can actually see some output. Find the config-check case and then remove >/dev/null 2>&1 from the statement below.
$DAEMON -T $COMMON $DEBIAN_SNORT_OPTIONS \
-c $CONFIGFILE \
-S "HOME_NET=[$DEBIAN_SNORT_HOME_NET]" \
-i $interface >/dev/null 2>&1
Save and exit the file and rerun the check. Have a read through the output to make sure everything is OK.
tirthrax:/# /etc/init.d/snort config-check
checking config: (eth1)Running in IDS mode
Initializing Network Interface eth1
--== Initializing Snort ==--
Rule application order changed to Pass->Alert->Log
...
It looks good, so let's start snort and have a look at the Oinkmaster!
tirthrax:/# /etc/init.d/snort start
Rules / Sigs and Oinkmaster:
Everything we've done to this point is not really much use if we don't have anything to check traffic against.
Sourcefire, the developers of Snort, provide four ways of obtaining rules from their site. The first three below are certified by Sourcefire's Vulnerability Research Team (VRT); the community rules are only put through basic testing to ensure they won't break Snort. Subscribers (those who pay $$$) receive rules as soon as they are available, registered users receive them five days later, unregistered users can get a static set of rules released with every major release of Snort, and there is also a community set of rules distributed "as is" under the GPL.
Head on over to http://www.snort.org and register. You can skip this step if you would like to use the community rules, but to get full access to the forums you need to be a member anyway. We are going to use the free VRT certified rules provided by Sourcefire. There are also rules provided by external entities, such as http://www.bleedingthreats.net/, but they won't be covered here.
We are going to use Oinkmaster (http://oinkmaster.sourceforge.net/) to update our rules to the latest VRT certified set for registered users. Oinkmaster should be installed, but if you didn't do this earlier, do so now.
Usually, Oinkmaster should not be run as root, but the default Debian configuration requires that you do so. See /usr/share/doc/oinkmaster/README.Debian if you have concerns. If you are implementing the process in this article, however, you probably shouldn't be too concerned about this right now.
Before running Oinkmaster, we have to configure it to make sure we download the correct rules for the version of Snort installed. Head on over to http://www.snort.org and log in (if you haven't already). After logging in you should be taken to the "Account Settings" page. Towards the bottom of this page you will find your "Oink Code" and also an example URL to put in your oinkmaster.conf file to point to the correct rules. If the Oink Code area is empty, click on "Get Code" to generate one.
Now, let's have a look at the config file.
tirthrax:/# vim /etc/oinkmaster.conf
Have a quick look through the file. The first thing we need to do is edit the first uncommented line of the file (the first line not starting with #). Currently it should say something like: url = http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz
Change this to url = http://www.snort.org/pub-bin/oinkmaster.cgi/your oink code goes here/snortrules-snapshot-2.3.tar.gz and leave the rest of the file as is. Obviously substitute "your oink code goes here" in the URL with the Oink Code you generated on the Snort site. Note that the snapshot name must match the installed Snort version (2.3 here), and that the Oink Code identifies your snort.org account, so don't paste the file anywhere public.
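The edit above done as a script, as an added example that is not part of the original article: it rewrites the first uncommented url line of a copy of oinkmaster.conf to the registered-user snapshot URL and then restricts the file's permissions, since the Oink Code inside it is tied to your snort.org account. The function names, the placeholder code YOUR_OINK_CODE_HERE and the demo excerpt are my own; the URL form is the one given in the article.

```shell
#!/bin/sh
# Added example, not from the article: point a copy of oinkmaster.conf at the
# registered-user VRT snapshot for Snort 2.3 and lock the file down. Function
# names and the placeholder Oink Code are assumptions of this example.
set -eu

SNAPSHOT="snortrules-snapshot-2.3.tar.gz"   # must match the installed Snort (2.3.3 here)

# set_oinkmaster_url CONF OINKCODE
# Rewrites the first uncommented "url =" line (the one the article tells you to
# edit), leaves every other line alone and fails if no such line exists.
set_oinkmaster_url() {
    conf="$1"
    code="$2"
    tmp="$conf.tmp.$$"
    awk -v code="$code" -v snap="$SNAPSHOT" '
        !done && /^url[ \t]*=/ {
            print "url = http://www.snort.org/pub-bin/oinkmaster.cgi/" code "/" snap
            done = 1
            next
        }
        { print }
        END { if (!done) exit 1 }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$conf"
    chmod 600 "$conf"   # the Oink Code is a credential: readable by root only
}

# current_oinkmaster_url CONF
# Prints the url line Oinkmaster will actually use (the first uncommented one).
current_oinkmaster_url() {
    grep '^url *=' "$1" | head -n 1
}

# Demo on a constructed copy of the stock Debian line, never on /etc directly.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    printf '# oinkmaster.conf (constructed excerpt)\nurl = http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz\n' > "$demo"
    set_oinkmaster_url "$demo" "YOUR_OINK_CODE_HERE"   # placeholder, not a real code
    current_oinkmaster_url "$demo"
    rm -f "$demo"
fi
```

Run it with --demo to see the rewritten line on a throwaway copy; to apply it to the real file, call set_oinkmaster_url /etc/oinkmaster.conf with your own code as root. The function refuses to touch a file that has no url line at all, so a typo in the path does not silently produce a config Oinkmaster will ignore.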
Now, we can run Oinkmaster to update our rules. We need to specify the directory where our rules are located, which is /etc/snort/rules. After Oinkmaster downloads the rules tarball to /var/run/oinkmaster, it will unpack the file, then apply any changes. Let's create a directory to back up our current rules before the update.
tirthrax:/# mkdir /etc/snort/rules/old
Now, let's update.
tirthrax:~# oinkmaster -o /etc/snort/rules/ -b /etc/snort/rules/old/
You may like to choose quiet mode by using the "-q" switch in the future.
Before we restart Snort, let's check the config. You should do this every time you run Oinkmaster or make any configuration changes in the future before restarting Snort. You can run the test while Snort is running.
tirthrax:~# /etc/init.d/snort config-check
Hopefully everything went well, now we can restart Snort with our new rules.
tirthrax:~# /etc/init.d/snort restart
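The update sequence above (back up, run Oinkmaster, config-check, restart) as one script, added here as an example that is not part of the original article. The point it adds is the gate: the restart only happens when config-check passes, so a rules update that Snort rejects leaves the running process alone instead of taking the sensor down. Paths default to the Debian layout used in this article; the OINKMASTER and SNORT_INIT variables and the function name are my own so the logic can be pointed at stub commands.

```shell
#!/bin/sh
# Added example, not part of the article: the update procedure with the restart
# gated on config-check. RULES_DIR, BACKUP_DIR, OINKMASTER and SNORT_INIT are
# override hooks of this example, defaulting to the article's Debian paths.
set -u

RULES_DIR="${RULES_DIR:-/etc/snort/rules}"
BACKUP_DIR="${BACKUP_DIR:-$RULES_DIR/old}"
OINKMASTER="${OINKMASTER:-oinkmaster}"
SNORT_INIT="${SNORT_INIT:-/etc/init.d/snort}"

# update_rules
# Returns 0 when the new rules are loaded, 1 when Oinkmaster failed and 2 when
# config-check rejected the new rule set. In the last two cases the running
# Snort is left alone; it keeps the rules it loaded at its last start.
update_rules() {
    mkdir -p "$BACKUP_DIR" || return 1
    # -q is the quiet switch mentioned in the article; -b keeps a backup of the
    # old rules so a bad update can be rolled back by hand.
    if ! "$OINKMASTER" -q -o "$RULES_DIR" -b "$BACKUP_DIR"; then
        echo "update_rules: oinkmaster failed, not touching the running Snort" >&2
        return 1
    fi
    # Same check the article recommends after every Oinkmaster run; it is safe
    # to run while Snort is up.
    if ! "$SNORT_INIT" config-check; then
        echo "update_rules: config-check failed, not restarting; old rules are in $BACKUP_DIR" >&2
        return 2
    fi
    "$SNORT_INIT" restart
}

# Only act when asked to explicitly, so sourcing this file for the function is harmless.
case "${1:-}" in
    --run) update_rules ;;
esac
```

Run it as root with --run, or drop a call to update_rules into a cron job; the exit code tells you which stage failed, and a status of 2 means the rule set on disk is now different from what the running Snort loaded, which is worth an alert of its own.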
Now all you have to do is sit back and wait for your first report to come through (see /etc/cron.daily/snort).
This is only a very quick and dirty guide, but hopefully someone finds this useful. As stated earlier, I am planning to turn this into a series, so stay tuned!
Useful links:
http://www.snort.org/
http://www.snort.org/docs/faq/3Q06/
http://oinkmaster.sourceforge.net/
http://oinkmaster.cvs.sourceforge.net/*checkout*/oinkmaster/oinkmaster/FAQ?revision=1.48
http://oinkmaster.sourceforge.net/avoiding_snort_alerts.txt
http://www.bleedingthreats.net/
References:
As well as the reference below, most of the information came from the snort and oinkmaster man pages, along with the documentation contained in the directories mentioned above.
Snort Users Manual 2.3.3, The Snort Project, January 2, 2007, Sourcefire, Inc. http://www.snort.org/
This article was originally published by CyberArmy.net in the CyberArmy Library.