LinuxCBT NIDS Edition - Snort:
1. Snort is a network-based IDS/IPS (NIDS/NIPS): it inspects traffic on the wire, not the activity of a single host (HIDS)
2. Confirm the MD5 checksum of the download - md5sum snort*.gz, compared against the value the project publishes
3. Verify the PGP/GPG signature - gpg --verify snort*.sig snort*.gz (the signature proves origin; the MD5 only catches a corrupted transfer, so also confirm the signing key's fingerprint out of band)
4. pcre* - Perl-Compatible Regular Expressions library; Snort's pcre rule option uses it to match packet payloads
5. libpcap - packet-capture library; grabs frames at the data-link layer (low in the OSI model), below the IP stack
OSI Model contains 7-Layers:
7 - Application
6 - Presentation
5 - Session
4 - Transport (TCP/UDP ports, e.g. sport:3100 - dport:80)
3 - Network (IP routing, e.g. source_ip:192.168.1.20 - destination_ip:192.168.1.1)
2 - Data-Link (MAC addressing, Ethernet framing) - where libpcap hands frames to Snort
1 - Physical - Switch/NIC/Hub/etc.
Snort's Modes of Operation:
1. there are 3 modes: packet sniffer, packet logger, NIDS/NIPS
Sniffing Mode - behaves like TCPDUMP - packet sniffer
Sniffing mode writes to the console, which is VERY slow
Consequently Snort is liable to drop a high percentage of packets in this mode; use it for spot checks, not for monitoring
Note: Snort needs root privileges to put the NIC into promiscuous mode (drop them afterwards with -u <user> -g <group>)
Note: Snort binds to the first non-loopback interface by default ('eth0' here); pick another with -i
snort -v - verbose: prints IP and TCP/UDP/ICMP headers to the console
snort -vd - adds the application-layer payload (-d = dump packet data)
snort -ve - adds the data-link (layer 2) header, i.e. source/destination MAC addresses
snort -vde - dumps full packet information (layer-2 header, IP/TCP/UDP/ICMP headers and payload)
Summary: -e is layer-2-related (MAC addresses); -d is application-layer (layer 7) information
2. Snort as a Packet Logger
a. default packet-logger mode writes ASCII files
b. only the information selected with the -v/-d/-e options is captured (ASCII)
c. logging mode uses the same -vde switches plus -l <dir> to indicate the output location (the directory must already exist)
snort -v -K ascii -l ./log - logs layers 3,4
snort -ve -K ascii -l ./log - logs layers 2,3,4 of the OSI model
snort -vde -K ascii -l ./log - logs layers 2,3,4,5,6,7
Tip: Use managed switches and restrict port capabilities (port security, no unneeded trunks) to lessen eavesdropping/passive attacks such as sniffing.
d. Binary Logging Mode - snort -b (tcpdump/pcap format; much faster than ASCII because nothing is decoded at capture time)
Snort logs layers 2-7 when using binary mode (the whole frame, regardless of -v/-d/-e)
Default log directory is /var/log/snort
Default nomenclature for the binary output file: snort.log.<Unix epoch timestamp>
snort -b -L test.snort.binary.1 - -L names the binary file: /var/log/snort/test.snort.binary.1
Use fast disks for logging - 7200RPM or better; RAID 0 (striping) raises write throughput but has no redundancy, so one failed disk loses every capture on the array (use RAID 10 where the logs are evidence)
Berkeley Packet Filters (BPF) - by cutting down what is captured, they make logging to the screen (sniffing mode) feasible
1. Snort supports filtering captured traffic using BPF expressions (the same syntax tcpdump uses)
2. An expression is one or more qualifiers followed by a value (address, network or port number)
3. 3 major categories of qualifiers:
a. Type qualifiers: host (default), net, port
b. Directional qualifiers: src, dst, src or dst (default), src and dst
c. Protocol qualifiers: tcp, udp, ether, ip, arp (ip->mac), rarp (mac->ip)
BPF supports the logical operators and, or and not (not binds tightest, then and, then or; use parentheses to group)
Note: the BPF expression is specified AFTER the normal snort options
Syslog BPF: snort -vde port 514
When combining qualifiers you usually don't need to repeat the qualifier: a bare value inherits the previous one, i.e.
snort -vde port 514 or 123   (read as: port 514 or port 123)
snort -vde not port 5901
snort -vdeC src 192.168.1.30 and not dst port 32790   (-C prints the payload as characters only, no hex)
Logging with BPFs - snort -b -l ./log not port 5901
Note: write the filter from the perspective of the Snort box (src and dst are as seen on the sensor's wire, not as the end hosts see them)
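How a BPF expression selects packets, as an added worked example (not Snort or libpcap code): a small evaluator for the host/net/port qualifiers and the tcp/udp/icmp keywords that reproduces pcap's rules for default qualifiers, inherited qualifiers and operator precedence. The packet records are constructed for this example; the ether, arp and rarp qualifiers are not modelled.

```python
"""Evaluate a subset of BPF (tcpdump/Snort capture-filter) syntax against packet records.
Added example, not Snort or libpcap code: default type host, default direction "src or dst",
bare values inherit the previous qualifiers, precedence not > and > or."""
import ipaddress
import re

TOKEN = re.compile(r"\(|\)|[^\s()]+")
# Constructed packets, as the Snort box would see them on its SPAN interface.
SAMPLE_PACKETS = [
    {"proto": "udp", "src": "192.168.1.20", "sport": 3100, "dst": "192.168.1.1", "dport": 514},
    {"proto": "udp", "src": "192.168.1.1", "sport": 123, "dst": "192.168.1.20", "dport": 123},
    {"proto": "tcp", "src": "192.168.1.30", "sport": 40001, "dst": "192.168.1.1", "dport": 5901},
    {"proto": "tcp", "src": "192.168.1.30", "sport": 40002, "dst": "192.168.1.1", "dport": 32790},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40003, "dst": "192.168.1.30", "dport": 22},
]

class BPF:
    def __init__(self, expr):
        self.toks, self.pos = TOKEN.findall(expr), 0
        self.dir, self.typ = "src or dst", "host"          # pcap defaults
        self.tree = self._or()
        if self.pos != len(self.toks):
            raise SyntaxError(f"unexpected token {self.toks[self.pos]!r}")
    def _peek(self, n=0):
        i = self.pos + n
        return self.toks[i] if i < len(self.toks) else None
    def _next(self):
        if self.pos >= len(self.toks):
            raise SyntaxError("unexpected end of filter")
        self.pos += 1
        return self.toks[self.pos - 1]
    def _or(self):                                         # lowest precedence
        node = self._and()
        while self._peek() == "or":
            self._next()
            node = ("or", node, self._and())
        return node
    def _and(self):
        node = self._not()
        while self._peek() == "and":
            self._next()
            node = ("and", node, self._not())
        return node
    def _not(self):                                        # highest precedence
        if self._peek() == "not":
            self._next()
            return ("not", self._not())
        return self._primary()
    def _primary(self):
        tok = self._next()
        if tok == "(":
            node = self._or()
            if self._next() != ")":
                raise SyntaxError("missing ')'")
            return node
        if tok in ("tcp", "udp", "icmp"):
            return ("proto", tok)
        direction = typ = None
        if tok in ("src", "dst"):
            # two-word direction qualifiers: "src or dst", "src and dst"
            if tok == "src" and self._peek() in ("or", "and") and self._peek(1) == "dst":
                tok = f"src {self._next()} {self._next()}"
            direction, tok = tok, self._next()
        if tok in ("host", "net", "port"):
            typ, tok = tok, self._next()
        if direction is not None or typ is not None:
            # an explicit qualifier starts a new head; omitted parts take the defaults
            self.dir, self.typ = direction or "src or dst", typ or "host"
        return ("match", self.dir, self.typ, tok)          # a bare value inherits the last head
    def matches(self, pkt, node=None):
        node = node or self.tree
        kind = node[0]
        if kind == "or":
            return self.matches(pkt, node[1]) or self.matches(pkt, node[2])
        if kind == "and":
            return self.matches(pkt, node[1]) and self.matches(pkt, node[2])
        if kind == "not":
            return not self.matches(pkt, node[1])
        if kind == "proto":
            return pkt["proto"] == node[1]
        _, direction, typ, value = node
        if typ == "port":
            s, d = pkt["sport"] == int(value), pkt["dport"] == int(value)
        elif typ == "net":
            net = ipaddress.ip_network(value, strict=False)
            s, d = ipaddress.ip_address(pkt["src"]) in net, ipaddress.ip_address(pkt["dst"]) in net
        else:                                              # host
            s, d = pkt["src"] == value, pkt["dst"] == value
        return {"src": s, "dst": d, "src or dst": s or d, "src and dst": s and d}[direction]

def select(expr, packets=SAMPLE_PACKETS):
    """Indexes of the packets a filter keeps, i.e. what 'snort -vde <expr>' would print."""
    bpf = BPF(expr)
    return [i for i, p in enumerate(packets) if bpf.matches(p)]
```

select("port 514 or 123") keeps the syslog and NTP packets because the bare 123 inherits "port"; select("src 192.168.1.30 and not dst port 32790") keeps only the VNC packet, since the explicit "dst port" head replaces the inherited one rather than adding to it.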
Snort can read tcpdump/pcap-format binary files (-r) and apply a BPF to them:
1. snort -vder snort.log.1134955365 <BPF>   (useful for re-examining a capture offline)
Use Snort in daemon mode (-D) to log interesting traffic in the background:
snort -b -l ./log -D port 21
Configure the Cisco switch with appropriate VLANs and security
1. VLAN 1 - 192.168.1.0/24 - management subnet
2. VLAN 2 - represents the External (Internet) VLAN (PIX firewall/ISP device)
3. VLAN 3 - for all unused ports
Cisco 3500-48 Switch Management IP: 192.168.1.253
4. Disable (shutdown) all unused ports and assign them to VLAN 3, so a stray cable cannot land on the management or external VLAN
5. Secure access to the vty (telnet) lines with an access-list applied as an access-class; telnet is clear text, so prefer SSH where the IOS image supports it
6. Configure Network Time Protocol (NTP) so switch and sensor clocks agree; alert correlation depends on consistent timestamps
Common terms for the same feature (copying one port's or VLAN's traffic to the sensor port):
1. Port Mirroring
2. SPAN (Switched Port Analyzer, Cisco's name for it)
3. Port Monitoring
Applying Packet Sniffing and logging modes to SPAN traffic - External
snort -vde -i eth1
snort -b -l ./log -i eth1
Note: Stealth Snort interfaces should NOT have a layer-3 address!
1. Disable the layer-3 address - bring the NIC up with no IP so it can only listen; nothing on the monitored segment can then address, scan or attack the sensor through it
Configure Secondary Snort NIDS/NIPS Sensor - Sensor #2 (linuxcbtserv3)
1. configured the Cisco switch port (SPAN destination)
2. ensured that the NIC was configured with static settings and no IP address
Note: Sensor #2 should only see the following traffic:
a. Traffic from internal hosts to the Internet
b. Return traffic from the Internet
c. Inbound traffic permitted by holes configured in the external firewall
Prepare Snort to be an NIDS/NIPS (inline via IPTables)
Note: NIDS/NIPS mode differs from the sniffing/packet-logging modes in that Snort compares traffic against pre-defined rules (and in NIPS/inline mode can drop what matches).
1. prepare /etc/snort (snort.conf, rules, associated files)
Snort's traffic flow:
a. Capture (NIC in promiscuous mode / SPAN enabled) ->
b. Decode (parse the protocol headers into a normalized packet structure) ->
c. Preprocessors (pluggable modules: fragment/stream reassembly, portscan detection, protocol normalizers) ->
d. Detection engine (matches the traffic against rule signatures) ->
e. Output plugins (tcpdump/pcap, DBMS, CSV, syslog, unified, etc.)
TCP 3-Way Handshake (the stream preprocessor tracks these states to tell real sessions from probes):
1. attacker (client) -> SYN -> host (server)
2. host -> SYN|ACK -> attacker
3. attacker -> ACK -> host
Stage 1 attacks (Reconnaissance Attacks) - gather information about targets
a. the attacker tends to use stealth means (slow scans, decoy sources, fragmented probes), so detection has to correlate across many packets rather than match a single one
frag2/frag3 preprocessor notes:
a. IP packets larger than a link's MTU are fragmented during transmission across the Internet
1. 1500 bytes - Ethernet Maximum Transmission Unit (MTU)
i.e. a 3000-byte datagram is split into MTU-sized fragments (three on Ethernet, since each fragment carries its own 20-byte IP header and so holds at most 1480 bytes of data)
- the defragmentation preprocessor (frag3 in current Snort 2.x, frag2 in older releases) reassembles the fragments so the detection engine sees the whole 3000-byte datagram; without it a signature split across two fragments would never match
Preprocessors are designed to pick up reconnaissance attacks (e.g. NMAP scans) whose evidence is spread over many packets
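What the defragmentation preprocessor has to do, as an added worked example (not Snort's frag3 code): fragment a datagram's data for a given MTU the way a sending IP stack does, reassemble the pieces, and show that a signature straddling a fragment boundary is invisible to per-fragment matching. The payload and the signature are constructed for the example; the 20-byte header and the 8-byte offset units are IPv4 facts.

```python
IP_HDR = 20      # IPv4 header length without options
IDENT = 0x1234   # constructed IP identification value shared by one datagram's fragments


def fragment(payload, mtu=1500, ident=IDENT):
    """Split a datagram's data as a sending stack would: (ident, offset/8, more_fragments, data)."""
    max_data = (mtu - IP_HDR) // 8 * 8        # all but the last fragment carry a multiple of 8 bytes
    frags, off = [], 0
    while off < len(payload):
        chunk = payload[off:off + max_data]
        more = off + len(chunk) < len(payload)
        frags.append((ident, off // 8, more, chunk))
        off += len(chunk)
    return frags


def reassemble(frags):
    """Rebuild complete datagrams keyed by ident; a gap, overlap or missing tail leaves it out."""
    by_id = {}
    for ident, off8, more, data in frags:
        by_id.setdefault(ident, []).append((off8 * 8, more, data))
    done = {}
    for ident, pieces in by_id.items():
        pieces.sort()
        buf, expected, saw_last = bytearray(), 0, False
        for off, more, data in pieces:
            if off != expected:                # gap or overlap: frag3 applies a target-based policy here
                break
            buf += data
            expected += len(data)
            saw_last = not more
        else:
            if saw_last:
                done[ident] = bytes(buf)
    return done


def signature_visible(sig, frags):
    """(seen inside some single fragment?, seen after reassembly?)"""
    per_fragment = any(sig in data for _, _, _, data in frags)
    whole = any(sig in p for p in reassemble(frags).values())
    return per_fragment, whole


def demo():
    """A 3000-byte payload with 'bad string' laid across the first fragment boundary."""
    sig = b"bad string"
    payload = bytearray(b"A" * 3000)           # constructed, not a real capture
    payload[1475:1475 + len(sig)] = sig        # bytes 1475..1484 straddle offset 1480
    frags = fragment(bytes(payload))
    return len(frags), [len(f[3]) for f in frags], signature_visible(sig, frags)
```

demo() yields three fragments of 1480, 1480 and 40 bytes, and the signature is found only after reassembly; dropping any fragment makes reassemble() return nothing for that ident, which is why a sensor that misses one fragment of a stream is blind to the whole datagram.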
Preprocessor - sfPortScan
scan_type { portscan portsweep decoy_portscan distributed_portscan all }
a. portscan - vertical - one source scans 1 host for many/all open ports
b. portsweep - horizontal - one source scans many hosts (IP block) for 1 or more common open ports
c. decoy_portscan - IP spoofing - the real scanner's probes are interspersed with probes from forged source IPs to hide which one is real
d. distributed_portscan - one target scanned from multiple source hosts (a distributed scan, not a DDoS)
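The scan shapes above as detection logic, an added example rather than sfPortScan's own code: it slides a time window over constructed connection records and raises portscan (one source, one host, many ports), portsweep (one source, one port, many hosts) and distributed_portscan (one target, many sources, many ports) alerts. Decoy scans cannot be separated from these records alone; sfPortScan uses response-based heuristics for that, which are out of scope here. The window and threshold values are this example's assumptions, not sfPortScan's defaults.

```python
from collections import defaultdict, deque

# Constructed connection attempts (time_s, src, dst, dport), as a sensor might derive
# them from SYNs or from the stream preprocessor; not real traffic.
SAMPLE_EVENTS = (
    # vertical: 192.168.1.30 walks ports 20..35 on one host
    [(1.0 + i * 0.2, "192.168.1.30", "192.168.1.1", 20 + i) for i in range(16)]
    # horizontal: 10.0.0.5 tries port 22 on 12 hosts
    + [(10.0 + i * 0.3, "10.0.0.5", f"192.168.1.{1 + i}", 22) for i in range(12)]
    # benign: one client, three services, spread over a minute
    + [(20.0, "192.168.1.20", "192.168.1.1", 80), (21.0, "192.168.1.20", "192.168.1.1", 443),
       (70.0, "192.168.1.20", "192.168.1.1", 25)]
    # distributed: 10 sources each probe a different port on one target
    + [(30.0 + i * 0.3, f"172.16.0.{i + 1}", "192.168.1.40", 1000 + i) for i in range(10)]
)


def _expire(q, now, window):
    while q and q[0][0] < now - window:
        q.popleft()


def detect_scans(events, window=60.0, threshold=10):
    """Return sorted (scan_type, actor, target) alerts found within a sliding time window."""
    per_src = defaultdict(deque)    # src -> recent (t, dst, port) it initiated
    per_dst = defaultdict(deque)    # dst -> recent (t, src, port) it received
    alerts = set()
    for t, src, dst, port in sorted(events):
        q = per_src[src]
        q.append((t, dst, port))
        _expire(q, t, window)
        ports_by_dst, dsts_by_port = defaultdict(set), defaultdict(set)
        for _, d, p in q:
            ports_by_dst[d].add(p)
            dsts_by_port[p].add(d)
        for d, ports in ports_by_dst.items():          # one host, many ports
            if len(ports) >= threshold:
                alerts.add(("portscan", src, d))
        for p, dsts in dsts_by_port.items():           # many hosts, one port
            if len(dsts) >= threshold:
                alerts.add(("portsweep", src, str(p)))
        r = per_dst[dst]
        r.append((t, src, port))
        _expire(r, t, window)
        srcs, ports = {s for _, s, _ in r}, {p for _, _, p in r}
        if len(srcs) >= threshold and len(ports) >= threshold:   # one target, many sources and ports
            alerts.add(("distributed_portscan", "*", dst))
    return sorted(alerts)
```

With the defaults the benign client never trips a threshold, while each of the three scanners produces exactly one alert; raising the threshold to 20 silences all of them, which is the trade-off sfPortScan's sense_level setting makes between missed slow scans and false positives.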
Implementing latest Community rules:
Note: if you start Snort in NIDS/NIPS modes without rules, it will fail
Snort's Outputs:
Separate Alerts(rule has been matched) from Logs(packets captured)
Default log location is a TCPDump compliant binary file in /var/log/snort
Default Alert location is an ASCII file in /var/log/snort
SYSLOG:
output alert_syslog: <facility> <priority> <options>
Unified Logging:
1. Snort's core competencies include the following:
a. Capturing traffic from stealth/non-stealth interfaces
b. Analyzing captured data
Note: Unified logging lets Snort focus on its core competencies by handing output formatting and database writes to a separate process
2. Unified logging does the following:
a. Outputs both log and alert data in a binary (tcpdump-like) format
b. Lets a separate program process the log and alert data, so slow outputs (DBMS inserts) never stall capture
c. Snort becomes a 2-process (Snort, Barnyard) environment
3. Steps to configuring Unified Logging:
a. reconfigure snort.conf - set up the unified output plugins
b. Download and configure the Barnyard post-processor
4. Installation steps for Barnyard
a. ./configure
b. make
c. make install - perform as root - copies the binary to /usr/local/bin
5. Barnyard operates in 3 modes
a. one-shot -o - processes the specified binary file in one pass and exits
b. Continual -f - default mode - follows the file as Snort appends to it
c. Continual with checkpoint -w - also writes a checkpoint (waldo) file so Barnyard resumes where it left off after a restart, with no re-processed or lost events
Note: Barnyard relies upon /etc/snort/barnyard.conf
Configuring BASE for web-based analysis requires:
1. ADODB
2. BASE
3. php-gd*
Securing BASE Console:
1. Configure Apache for basic authentication (credentials travel base64-encoded, i.e. effectively clear text, so serve the console over HTTPS only and restrict it to the management subnet)
Output Database section of snort.conf - make sensors distinguishable in the shared database by giving each a unique sensor_name:
sensor_name=sensor1
sensor_name=sensor2
Configuring Startup Environment for NIDS Framework:
1. Configure each sensor to load Snort @ startup
2. Configure DBMS/HTTP(BASE) to start MySQL & HTTPD @ startup
#Initialize Snort Sensor
#Enable sensor Stealth - External - Internet-facing Interface
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -D
#Enable sensor Management - Non-Stealth - Intranet-facing Interface
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -D
Understand Snort Rules:
Rules contain 2 sections:
a. Rule Header
b. Rule Body
Rule Header:
alert|pass|drop|etc. tcp|udp|icmp|ip $EXTERNAL_NET any ->|<> 192.168.1.0/24 80
Rule Body (Snort's documentation calls these the rule options):
(msg:"Hack Attempt"; content:"bad string"; sid:1000001; rev:1;)
Note: each option is keyword:value and ends with a semicolon (including the last); msg and content values are quoted; every rule needs a unique sid (1,000,000 and up are reserved for local rules) and rev records edits to it.
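A parser and linter for the rule format above, as an added example (not Snort's own rule loader): it splits the header into its fields, splits the options on unquoted, unescaped semicolons, and flags the problems Snort would reject at start-up or a reviewer would catch, including an unquoted msg, an unterminated last option and a missing sid. The 1,000,000 floor for local sids is the Snort convention; the remaining checks are this example's choices, and bracketed address lists containing spaces are not handled.

```python
import re

# Header: action proto src sport direction dst dport. Variables such as $EXTERNAL_NET are
# kept verbatim; bracketed lists work only when they contain no spaces.
HEADER = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop|activate|dynamic)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)$"
)


def split_options(body):
    """Split 'k:v; k2:"v;v"; flag;' into ordered (key, value) pairs.

    Semicolons inside double quotes or escaped with a backslash do not end an option,
    and every option, including the last, must end with ';' (as Snort requires).
    """
    opts, cur, quoted, i = [], "", False, 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):          # keep escape pairs such as \; or \"
            cur += body[i:i + 2]
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c == ";" and not quoted:
            key, _, val = cur.strip().partition(":")
            if key:
                opts.append((key.strip(), val.strip()))
            cur = ""
        else:
            cur += c
        i += 1
    if quoted:
        raise ValueError("unbalanced quotes in rule options")
    if cur.strip():
        raise ValueError("last option is not terminated by ';'")
    return opts


def parse_rule(text):
    text = text.strip()
    if "(" not in text or not text.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    head, _, body = text[:-1].partition("(")
    m = HEADER.match(head.strip())
    if not m:
        raise ValueError(f"bad rule header: {head.strip()!r}")
    rule = m.groupdict()
    rule["options"] = split_options(body)
    return rule


def _quoted(v):
    v = v.lstrip("!")                                 # content:!"..." negation is allowed
    return len(v) >= 2 and v[0] == '"' and v[-1] == '"'


def validate(rule, local_sid_floor=1_000_000):
    """List the problems a reviewer (or Snort at start-up) would raise; empty means OK."""
    opts = dict(rule["options"])
    problems = []
    if "sid" not in opts:
        problems.append("missing sid")
    elif not opts["sid"].isdigit():
        problems.append("sid must be numeric")
    elif int(opts["sid"]) < local_sid_floor:
        problems.append(f"local rules should use sid >= {local_sid_floor}")
    if "msg" not in opts:
        problems.append("missing msg")
    elif not _quoted(opts["msg"]):
        problems.append("msg must be quoted")
    for key, val in rule["options"]:
        if key == "content" and not _quoted(val):
            problems.append("content must be quoted")
    if "rev" not in opts:
        problems.append("missing rev")
    return problems


def check(text):
    """Parse then validate; parse failures are reported as problems too."""
    try:
        return validate(parse_rule(text))
    except ValueError as e:
        return [str(e)]
```

check() on the corrected rule above returns an empty list, while the earlier sketch with an unquoted msg and no trailing semicolon fails at the option splitter before the linter even runs, which is also where Snort itself would stop.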
Auto-Rules Update:
Download and use oinkmaster from oinkmaster.sourceforge.net; it fetches the rules archive, reapplies your local modifications and reports which rules changed