Snort Installation PDF
MODULE 3
Snort Installation
Module Objectives:
- Installing from ...
http://it4training.com
The platform on which your Snort installation resides is as critical as any component of the installation. It is good practice to have the operating system on which you will install Snort and its components prepared and in a secure state. While a precise step-by-step how-to tutorial on building a secure OS is beyond the scope of this class, we will present the fundamentals of building a secure OS. There are many techniques that can be employed and an equally large number of opinions on how to deploy a secure OS, so it is critical that you do some research to come up with a secure configuration that makes sense for the environment in which you will deploy your Snort sensors.
- Remove or disable unnecessary services
- Review the installation, including the OS and installed ...
- Obtain and install the latest security patches
- If applicable, a local firewall is a good idea to block access to ports other than those you intend to use
- Continuously monitor newsgroups and mailing lists for security information that might affect your installation
- Check your organization's security policy for guidelines on password usage and account ...
Slide 35
The OS platform that has been provided is based on CentOS. It was installed with a minimal set of applications: basically, there is enough to boot the system and compile and install the software packages we will need to complete our Snort deployment. The local firewall has been enabled. It has been configured to only allow incoming connections on ports 22 (ssh), 80 (http) and 443 (ssl). From a security perspective, it makes sense to disable access to port 80 once your installation is up and running. This leaves remote access to your sensor available only via secure, encrypted protocols.
Slide 36
The Base OS
The base operating system was prepared to facilitate the installation of Snort and the tools you will install alongside Snort for alert analysis and storage. If you build your own from scratch, use the following guidelines:
Since the CentOS Linux distribution is largely RPM based, you can take advantage of tools such as 'yum' to install and update packages as needed.
yum is a straightforward, command line application for managing RPMs. Without any configuration of the tool, it is preconfigured to point to some default RPM repositories, so it can be used right away. You can configure yum to point to specific repositories, but that discussion goes beyond the scope of this class.
yum also has the ability to resolve and fetch package dependencies. This feature will save a lot of time and effort over manual package management. To use yum, see the following examples:
- yum install <package name> - This syntax fetches the package and its dependencies, if any exist, from the package repository. Note that only the base package name is necessary; yum will pull down the most up-to-date version.
- yum list installed <package name> - This command lets you see what packages are already installed on your system. It also accepts wild card characters, whereas the previous examples do not.
- yum list available <package name> - This queries the yum repositories for packages available for download. It too accepts wildcards to facilitate your searches.
The base OS was initially configured with the following pre-installed:
- The MySQL database development libraries - The package listed below was installed with the following command: yum install <mysql package>
  - mysql-devel
- The PHP scripting language - The packages listed below were installed with the following command: yum install <php package>
  - php
  - php-gd
Note that these package installations, in some cases, may contain dependencies. The yum tool will attempt to resolve any dependencies and include them with the package installation or update.
Snort Pre-installation
Slide 37
The Snort installation will include components above and beyond the Snort core. For the purposes of this class, these components will be installed from source code rather than RPM. This gives you the greatest amount of control over the binary that is produced in terms of the features and functionality you want to compile into it.
Snort:
- snort-2.9.1 - The Snort core. Currently, the lab is configured with version 2.9.1
- snortrules-snapshot-2900.tar.gz
- daq-0.6.1 - The data acquisition module.
- libdnet-1.11 - Libraries to provide the flex response capability in Snort.
- Barnyard2-1.9 - This package will be installed and discussed in detail in a subsequent module. It is a Snort output processing package designed to off-load computationally expensive output processing from the Snort process.
Slide 38
There are several open source interface options for managing alerts you can choose from. For class purposes, BASE is the interface that will be used. The items below represent the packages needed to run BASE in addition to other graphical tools presented in this module.
- Image_Canvas
- Image_Color
- Image_Graph
Pre-installation
Slide 39
Prior to performing the Snort installation for this module you should familiarize yourself with the network environment.
- Verify that all the devices and services you expect are up and running
- Review the diagram on the following page for details of the virtual network topology and the devices in your environment.
(Diagram: virtual network topology of the class environment)
Slide 40
The virtual network for the class consists of five separate zones. The zones are described below in addition to the hosts located in each:
General Network Environment - This environment consists of the devices connected to VMNet1 (192.168.133.0/24).
Management Network - This environment consists of the devices connected to VMNet4 (192.168.111.0/24). This network segment is used for the management interfaces of your Snort sensor and DMZ hosts.
- snortbox - Your Snort sensor. This host also has a second interface facing the General Network zone. This interface has no IP address and will be used as the sensing interface for your sensor.
- ... the sfsnort.com domain. It has 4 interfaces and serves as the central point of ingress and egress between the virtual network and the classroom network.
The entire infrastructure has been given the domain name sfsnort.com. Since there is a DNS server servicing the network, all of the hosts are reachable by name.
The student desktop host can be used as your primary desktop. It contains tools to allow you to remotely shell into snortbox for the installation labs. Alternatively, you can work directly in the snortbox virtual machine, which has a graphical environment installed so you can use the GUI tools that are available.
1. Double click the VMWare application icon on your desktop.
2. From the File menu, select Open.
3. In the Open dialog box, navigate to the desktop and open the folder called "3D_xxxx_Infrastructure". In that folder, double click the icon called "3D_xxxx_Infrastructure.vmtm".
4. Right click on the 3D2500 virtual machine and select "Remove from Team". Close the tab containing the 3D2500 VM.
5. Right click on the DC1000 virtual machine and select "Remove from Team". Close the tab containing the DC1000 VM.
6. From the File menu, select Open. From the "3D_xxxx_Infrastructure" folder open the sub-folder "Snortbox_4.0". Double click on "Snortbox_3.0.vmx".
7. Click the green triangular icon to start the virtual machines (be sure to start the team and Snortbox). Allow at least three minutes for them to initialize. You will note that a tile bar displays in the VMWare application window where each tile represents one of the virtual machines in the infrastructure. One way to tell that the virtual hosts have initialized is to watch for the login prompt in the last tile.
- User: root
- Password: password
The virtual infrastructure consists of a variety of hosts running the following operating systems:
- CentOS 5.5
  - attila
  - snortbox
- Ubuntu Server 10.04 LTS - Note that the initial login screens of the Ubuntu-based hosts may not render properly. You can press the [Enter] key to obtain a login prompt when needed.
  - rugila
  - router
  - lamp
  - bleda
You must click in the virtual machine's window to control it. If at any time you need to release the mouse or release control of the virtual machine so you can use your host OS desktop, you can press [Ctrl] + [Alt] on your keyboard. When you want to control the OS in the virtual machine again, just click in the VMWare window as you did before or press [Ctrl] + [g].
At this point your virtual network environment is ready. In the remainder of this section, you
Snort Installation
Slide 42
The local firewall on snortbox allows access to the following services:
- Port 22 - SSH
- Port 80 - HTTP
- Port 443 - SSL
It is highly recommended that you disable external access to port 80 once the installation is up and running. This allows only secure access to the Snort host from remote locations.
[root@snortbox ~]# netstat -ltn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:841                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 :::80                       :::*                        LISTEN
tcp        0      0 :::22                       :::*                        LISTEN
The listening services of interest here are:
- 22 - SSH
- 80 - HTTP
- 3306 - MySQL
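The firewall policy above only covers 22, 80 and 443, yet netstat shows more sockets bound to all interfaces (MySQL on 3306, portmap on 111). The following Python script is an added example, not part of the course material: it parses netstat -ltn output and reports every non-loopback listener whose port the firewall policy does not mention, so the list of running services can be compared with the list of allowed ports after each change to the sensor. The sample output is constructed to match the shape of the listing above; the allowed-port set is the one stated in the text.

```python
# Constructed sample of `netstat -ltn` output in the shape shown above. The
# ports are the ones visible on the lab host; the column widths are approximated.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 :::80                       :::*                        LISTEN
tcp        0      0 :::22                       :::*                        LISTEN
"""

# Ports the local firewall is configured to accept from outside.
ALLOWED_PORTS = {22, 80, 443}
# Addresses that only processes on the host itself can reach.
LOOPBACK = {"127.0.0.1", "::1"}


def parse_listeners(netstat_output):
    """Return (proto, address, port) for every LISTEN socket in netstat -ltn output."""
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Header lines end in 'State' or 'Address'; socket lines end in 'LISTEN'.
        if len(fields) < 6 or fields[-1] != "LISTEN":
            continue
        proto, local = fields[0], fields[3]
        # rpartition copes with both '0.0.0.0:3306' and the IPv6 wildcard ':::80'.
        address, _, port = local.rpartition(":")
        listeners.append((proto, address, int(port)))
    return listeners


def unexpected_listeners(netstat_output, allowed=ALLOWED_PORTS):
    """Listeners bound to a non-loopback address whose port the firewall policy
    does not mention. The host firewall hides them from the network, but a
    service the sensor does not need should not be running at all."""
    return [
        (address, port)
        for _proto, address, port in parse_listeners(netstat_output)
        if address not in LOOPBACK and port not in allowed
    ]


if __name__ == "__main__":
    for address, port in unexpected_listeners(SAMPLE_NETSTAT):
        print("port %d is listening on %s but is not in the allowed set" % (port, address))
```

Run against the sample, the script reports 3306 and 111; the two loopback-only sockets (631 and 25) are not reported because nothing off the host can reach them. On the lab sensor the output of the real `netstat -ltn` can be piped into the same function.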
1. Install the PCRE libraries. This package is required so that Snort's Perl Compatible Regular Expression capability is enabled. With these libraries, you can use PCRE in the rules that you create, and the rules that ship with the Snort distribution that rely on PCRE will work properly. From the /usr/local directory:
[root@snortbox local]# tar zxvf src/pcre-7.9.tar.gz
[root@snortbox local]# cd pcre-7.9
[root@snortbox pcre-7.9]# ./configure
[root@snortbox pcre-7.9]# make
[root@snortbox pcre-7.9]# make install
[root@snortbox pcre-7.9]# cd ..
[root@snortbox local]#
2. Install libpcap. This is the package that allows the DAQ to read packets off the network. From the /usr/local directory:
[root@snortbox local]# tar zxvf src/libpcap-1.1.1.tar.gz
[root@snortbox local]# cd libpcap-1.1.1
[root@snortbox libpcap-1.1.1]# ./configure
[root@snortbox libpcap-1.1.1]# make
[root@snortbox libpcap-1.1.1]# make install
[root@snortbox libpcap-1.1.1]# cd ..
[root@snortbox local]#
3. Install libdnet. This package allows the DAQ to be used in the NFQ and IPQ modes as well as for active responses. From the /usr/local directory:
[root@snortbox local]# tar zxvf src/libdnet-1.11.tar.gz
[root@snortbox local]# cd libdnet-1.11
[root@snortbox libdnet-1.11]# ./configure
[root@snortbox libdnet-1.11]# make
[root@snortbox libdnet-1.11]# make install
[root@snortbox libdnet-1.11]# cd ../lib
[root@snortbox lib]# ln -s libdnet.1 libdnet.so.1
[root@snortbox lib]# ldconfig
[root@snortbox lib]# cd ..
[root@snortbox local]#
4. Install DAQ. The Data Acquisition library is the component that allows Snort to read packet data off the wire. From the /usr/local directory:
[root@snortbox local]# tar zxvf src/daq-0.6.1.tar.gz
[root@snortbox local]# cd daq-0.6.1
[root@snortbox daq-0.6.1]# ./configure
[root@snortbox daq-0.6.1]# make
[root@snortbox daq-0.6.1]# make install
[root@snortbox daq-0.6.1]# ldconfig
[root@snortbox daq-0.6.1]# cd ..
[root@snortbox local]#
5. Install Snort. From the /usr/local directory:
[root@snortbox local]# tar zxvf src/snort-2.9.1.tar.gz
[root@snortbox local]# cd snort-2.9.1
[root@snortbox snort-2.9.1]# ./configure --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3
[root@snortbox snort-2.9.1]# make
[root@snortbox snort-2.9.1]# make install
[root@snortbox snort-2.9.1]#
Note that the configuration options used to build your Snort binary determine which features of Snort you will enable. The options used in class are the Sourcefire recommended compile options. In the example above, the compile-time options do the following:
- IPv6 - gives Snort the ability to decode IPv6 traffic
- GRE - allows Snort to read GRE data
- ...
- react - see the react rule option
6. Create an /etc directory entry for Snort and for Snort rules. Then, copy the configuration files and unpack the rules distribution into it. From the Snort installation directory /usr/local/snort-2.9.1, do the following:
[root@snortbox snort-2.9.1]# mkdir /etc/snort
[root@snortbox snort-2.9.1]# mkdir /var/log/snort
[root@snortbox snort-2.9.1]# mkdir /usr/local/lib/snort_dynamicrules
[root@snortbox snort-2.9.1]# tar zxvf /usr/local/etc/snortrules-snapshot-2910.tar.gz -C /etc/snort
[root@snortbox snort-2.9.1]# tar zxvf /usr/local/src/opensource.gz -C /etc/snort
[root@snortbox snort-2.9.1]# cp /etc/snort/etc/*.conf* /etc/snort
[root@snortbox snort-2.9.1]# cp /etc/snort/etc/*.map /etc/snort
[root@snortbox snort-2.9.1]# cp /etc/snort/so_rules/precompiled/Centos-5-4/i386/2.9.1.*/* /usr/local/lib/snort_dynamicrules
[root@snortbox snort-2.9.1]# ln -s /usr/local/bin/snort /usr/sbin/snort
7. From the directory you are currently in, issue the following commands:
[root@snortbox snort-2.9.1]# groupadd snort
[root@snortbox snort-2.9.1]# useradd -g snort snort
[root@snortbox snort-2.9.1]# chown snort:snort /var/log/snort
8. In order to get the Snort system running in a state where it can be tested to ensure it's working properly, you must make some initial configuration settings in the snort.conf file. This file will be covered in much greater detail in the modules that follow.
The steps that follow will assume that you are using the VI editor. However, you can use any editor you are comfortable with.
Open the /etc/snort/snort.conf file in VI.
Note that in VI, when you type the slash character as instructed, the information is displayed at the bottom of the terminal window. You may also jump to a line number in VI by typing in a number and pressing [Shift] + [g].
Search for the following string in the file: var RULE_PATH. If you are using the VI editor, you can type the slash character followed by the search string as shown below:
/RULE_PATH
Press Enter to execute the search. The cursor will land at the first occurrence of the string. The RULE_PATH variable can be found at approximately line 98. The value for this variable may already be set to the ../rules relative directory.
To move to the next occurrence of a search term, press the letter 'n', and to move to the previous occurrence, you can press 'N'.
In the VI editor, you can move the cursor to the line you wish to edit and press the letter 'i' to enter insert mode. Edit the lines that follow as in the example below:
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
- Press ESC to exit insert mode after you make your edits.
- Comment out the lines that follow (approximately lines 479 through 484) as in the example below:
# preprocessor reputation: \
#    memcap 500, \
#    priority whitelist, \
#    nested_ip inner, \
#    whitelist $WHITE_LIST_PATH/white_list.rules, \
#    blacklist $BLACK_LIST_PATH/black_list.rules
Next, look for the three lines that include the following files (approximately line 587):
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
Uncomment these lines by removing the # symbol at the beginning of each line. You can move the cursor to the beginning of the line and press the [Del] key. Write these changes to the file. In VI use the command :wq to write the changes and quit the editor. Since VI is not the most friendly application to use, one handy trick in case you mess things up is to exit without saving:
- First, make sure you are in command mode by pressing the Esc key (if you hear a beep, you were already in command mode).
- Then, type the following command: :q!
Start Snort
1. Test Snort. Run a test of your Snort installation to make sure it starts with no errors as follows:
[root@snortbox ~]# snort -i eth1 -c /etc/snort/snort.conf -A console
Upon entering this command, you will see a series of messages scroll off the screen. Eventually it will stop with a screen similar to that which is depicted below.
Rules Object: pop3 Version 1.0 <Build 1>
Rules Object: web-misc Version 1.0 <Build 1>
Rules Object: chat Version 1.0 <Build 1>
Rules Object: icmp Version 1.0 <Build 1>
Rules Object: misc Version 1.0 <Build 1>
Rules Object: web-activex Version 1.0 <Build 1>
Rules Object: exploit Version 1.0 <Build 1>
Rules Object: multimedia Version 1.0 <Build 1>
Rules Object: p2p Version 1.0 <Build 1>
Rules Object: netbios Version 1.0 <Build 1>
Rules Object: imap Version 1.0 <Build 1>
Rules Object: dos Version 1.0 <Build 1>
Rules Object: web-client Version 1.0 <Build 1>
Rules Object: sql Version 1.0 <Build 1>
Rules Object: web-iis Version 1.0 <Build 1>
Rules Object: specific-threats Version 1.0 <Build 1>
Preprocessor Object: SF_SSH (IPV6) Version 1.1 <Build 3>
Preprocessor Object: SF_SMTP (IPV6) Version 1.1 <Build 9>
Preprocessor Object: SF_DNS (IPV6) Version 1.1 <Build 4>
Preprocessor Object: SF_DCERPC2 (IPV6) Version 1.0 <Build 3>
Preprocessor Object: SF_REPUTATION (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_SDF (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_POP (IPV6) Version 1.0 <Build 1>
Preprocessor Object: SF_FTPTELNET (IPV6) Version 1.2 <Build 13>
Preprocessor Object: SF_SIP (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_IMAP (IPV6) Version 1.0 <Build 1>
Preprocessor Object: SF_SSLPP (IPV6) Version 1.1 <Build 4>
Commencing packet processing (pid=31187)
2. To generate some alerts, log on to attila. You can access attila's console by SSH using PuTTY on the student desktop. Once you have signed in, you can do the following to generate alerts.
Run an NMap scan - From attila's command line, issue the following command:
[root@attila ~]# nmap -sS -O 192.168.133.253
After performing these actions, the alerts should be generated in the snortbox console window, indicating that your installation is functioning. The display will show alerts similar to the following example.
08/24-10:01:37.615798 [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.133.50 -> 192.168.133.1
08/24-10:01:37.615987 [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.133.1 -> 192.168.133.50
08/24-10:01:37.615988 [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.133.50 -> 192.168.133.253
On snortbox press [Ctrl] + c to regain control of the command line.
Right now we have a functional install of Snort. In a future module we will have Snort log its information into a database via Barnyard2.
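The console lines above are Snort's "fast" alert format: timestamp, [gid:sid:rev], message, classification, priority, protocol and the source -> destination pair. Until Barnyard2 and the database are in place, this text is the only record of what the sensor saw, so it is worth being able to parse it. The Python script below is an added example and not part of the course material; it parses that format, tolerates the non-alert status lines Snort prints around the alerts, and summarises alerts per signature and per source address. The sample input is constructed from the three lines shown above plus one status line; the TCP line in the test is also constructed.

```python
import re
from collections import Counter

# Snort "fast"/console alert line, e.g.
# 08/24-10:01:37.615798 [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.133.50 -> 192.168.133.1
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]+)\]\s+)?"  # absent for unclassified rules
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample: the three alert lines from the lab output plus a status
# line, to show that the parser skips what it cannot parse.
SAMPLE_CONSOLE = """\
Commencing packet processing (pid=31187)
08/24-10:01:37.615798 [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.133.50 -> 192.168.133.1
08/24-10:01:37.615987 [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.133.1 -> 192.168.133.50
08/24-10:01:37.615988 [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.133.50 -> 192.168.133.253
"""


def parse_alert(line):
    """Parse one console alert line into a dict, or return None for other output."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "priority"):
        alert[key] = int(alert[key])
    # TCP/UDP alerts carry 'host:port'; ICMP alerts carry a bare address.
    for end in ("src", "dst"):
        host, sep, port = alert[end].rpartition(":")
        if sep and port.isdigit():
            alert[end] = host
            alert[end + "_port"] = int(port)
        else:
            alert[end + "_port"] = None
    return alert


def parse_console(text):
    """All alerts in a block of console output, in order of appearance."""
    return [a for a in map(parse_alert, text.splitlines()) if a]


def summarize(alerts):
    """Count alerts per signature, keyed by (gid, sid, rev, message)."""
    return Counter((a["gid"], a["sid"], a["rev"], a["msg"]) for a in alerts)


def sources_by_volume(alerts):
    """Source addresses ordered by how many alerts they triggered."""
    return Counter(a["src"] for a in alerts).most_common()


if __name__ == "__main__":
    found = parse_console(SAMPLE_CONSOLE)
    for sig, count in summarize(found).items():
        print("%d x [%d:%d:%d] %s" % ((count,) + sig))
    for src, count in sources_by_volume(found):
        print("%s triggered %d alert(s)" % (src, count))
```

On the sample, the summary shows two ICMP PING (sid 384) alerts and one ICMP Echo Reply (sid 408), with 192.168.133.50 (attila) as the busiest source, which is what a host scan from attila should look like. The same parser works on the fast-format alert file Snort writes when started with -A fast.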
[root@snortbox ~]# cp /usr/local/snort-2.9.1/rpm/snortd /etc/init.d
[root@snortbox ~]# cp /usr/local/snort-2.9.1/rpm/snort.sysconfig /etc/sysconfig/snort
[root@snortbox ~]# chmod 755 /etc/init.d/snortd
[root@snortbox ~]#
The chkconfig portion of the snortd file needs to be modified so that Snort starts after the network and MySQL. It can be found around line 6. Edit the file /etc/init.d/snortd and modify the following line:
# chkconfig: 2345 40 50
to
# chkconfig: 2345 99 99
The file you copied into /etc/init.d called snortd is the startup script. However, it is controlled by a file called /etc/sysconfig/snort. In its default state, this file contains some settings that may cause Snort to not start properly.
Open the /etc/sysconfig/snort file in vi.
Make the following change to the Interface option in the General Configuration section near the top of the file (approximately line 15):
INTERFACE=eth1
Also, comment out the following lines (69, 75 and 81 approx.). These values need to be commented out, otherwise they will override the output portion of the snort.conf:
- ALERTMODE=fast
- DUMP_APP=1
- BINARY_LOG=1
Note: these settings, if left enabled, will override the output settings of the snort.conf. The result would be that no events would be logged to the database.
Once this file is configured, Snort will start automatically on system restart. You can also stop and start Snort from the command line as follows:
/etc/init.d/snortd start
or
/etc/init.d/snortd stop
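Two files now decide whether the sensor starts and where its events go: the snort.conf edits from step 8 (absolute rule paths, the reputation preprocessor commented out, the preprocessor rule includes enabled) and the /etc/sysconfig/snort edits above (INTERFACE, and the three output settings that silently override snort.conf). The Python script below is an added example, not part of the course material: it checks a snort.conf and a sysconfig text for exactly those conditions and returns a list of problems, so the check can be run before each restart. All four configuration excerpts are constructed to show the "before" and "after" state of the edits; the eth0 default in the "before" sysconfig is a placeholder, and the reputation block is written as the lab's approximate lines.

```python
import re

# Constructed excerpt of /etc/snort/snort.conf before the step 8 edits: relative
# rule paths, reputation preprocessor active, preprocessor rule includes commented out.
SNORT_CONF_BEFORE = """\
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
preprocessor reputation: \\
   memcap 500, \\
   priority whitelist, \\
   nested_ip inner, \\
   whitelist $WHITE_LIST_PATH/white_list.rules, \\
   blacklist $BLACK_LIST_PATH/black_list.rules
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
"""

# The same excerpt after the edits.
SNORT_CONF_AFTER = """\
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
# preprocessor reputation: \\
#    memcap 500, \\
#    priority whitelist, \\
#    nested_ip inner, \\
#    whitelist $WHITE_LIST_PATH/white_list.rules, \\
#    blacklist $BLACK_LIST_PATH/black_list.rules
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules
"""

# Constructed /etc/sysconfig/snort excerpts; 'eth0' is a placeholder default.
SYSCONFIG_BEFORE = """\
INTERFACE=eth0
ALERTMODE=fast
DUMP_APP=1
BINARY_LOG=1
"""

SYSCONFIG_AFTER = """\
INTERFACE=eth1
# ALERTMODE=fast
# DUMP_APP=1
# BINARY_LOG=1
"""

RULE_PATH_VARS = ("RULE_PATH", "SO_RULE_PATH", "PREPROC_RULE_PATH")
PREPROC_INCLUDES = ("preprocessor.rules", "decoder.rules", "sensitive-data.rules")
OVERRIDING_SETTINGS = ("ALERTMODE", "DUMP_APP", "BINARY_LOG")


def check_snort_conf(text):
    """Return a list of problems with the step 8 settings (empty list = OK)."""
    problems = []
    variables = dict(re.findall(r"^\s*var\s+(\w+)\s+(\S+)", text, re.M))
    for name in RULE_PATH_VARS:
        value = variables.get(name)
        if value is None:
            problems.append("%s is not defined" % name)
        elif not value.startswith("/"):
            # A relative path is resolved against the working directory of the
            # snort process, so the rules are only found when started from /etc/snort.
            problems.append("%s is relative: %s" % (name, value))
    if re.search(r"^\s*preprocessor\s+reputation\b", text, re.M):
        problems.append("reputation preprocessor is active but its list files are not installed")
    for rules in PREPROC_INCLUDES:
        pattern = r"^\s*include\s+\$PREPROC_RULE_PATH/%s\s*$" % re.escape(rules)
        if not re.search(pattern, text, re.M):
            problems.append("include of %s is missing or commented out" % rules)
    return problems


def check_sysconfig(text, expected_interface="eth1"):
    """Return problems with /etc/sysconfig/snort: wrong sniffing interface, or
    output settings left active that override the output section of snort.conf."""
    problems = []
    # Only uncommented NAME=value lines count; '# NAME=value' does not match.
    settings = dict(re.findall(r"^\s*([A-Z_]+)=(\S*)", text, re.M))
    if settings.get("INTERFACE") != expected_interface:
        problems.append("INTERFACE is %s, expected %s" % (settings.get("INTERFACE"), expected_interface))
    for name in OVERRIDING_SETTINGS:
        if name in settings:
            problems.append("%s=%s overrides the snort.conf output settings" % (name, settings[name]))
    return problems


if __name__ == "__main__":
    for label, conf in (("before", SNORT_CONF_BEFORE), ("after", SNORT_CONF_AFTER)):
        print("snort.conf %s: %s" % (label, check_snort_conf(conf) or "OK"))
    for label, conf in (("before", SYSCONFIG_BEFORE), ("after", SYSCONFIG_AFTER)):
        print("sysconfig %s: %s" % (label, check_sysconfig(conf) or "OK"))
```

The "before" excerpts produce seven and four findings respectively; the "after" excerpts produce none. On the sensor itself, read the two real files and pass their contents to the same functions.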
Module Summary
Slide 43
This module stepped through the process of constructing a Snort system with all of its supporting components. This included installation and configuration of the following:
- Supporting libraries
- ...
While there are many components to this lab, the end result yielded a Snort system ready for deployment.