SNORT - IDS
Snort is one of the best Open Source Network Intrusion Detection Systems. An IDS is a network monitor that keeps track of intrusion attempts, signs of possible 'bad' behavior or hacking exploits.
I quote Dave Wreski and Christopher Pallack on
A Network Intrusion Detection System (NIDS) is a system that is responsible for detecting anomalous, inappropriate, or other data that may be considered unauthorized occurring on a network. This is unlike a firewall, which is configured to allow or deny access to a particular service or host based on a set of rules: if the traffic matches an acceptable pattern, it is permitted regardless of what the packet contains. However, an NIDS captures and inspects all traffic, regardless of whether it's permitted or not. Based on the contents, at either the IP or application level, an alert is generated.
Snort is a "lightweight" NIDS in that it is non-intrusive, easily configured, utilizes familiar methods for
rule development, and takes only a few minutes to install. Snort currently includes the ability to detect more than
1100 potential vulnerabilities. Keep in mind that Intrusion Detection devices work in conjunction with other security measures, and are
not a replacement for other good security practices.
Before you can install Snort, you should have the pcap-library. It is available for download from http://www.tcpdump.org/ (yes... those that have written tcpdump). Installation of libpcap is straightforward:
tar zxvf libpcap.tar.gz
This will install the library in /usr/local/lib. To get everything right, you need to edit the file /etc/ld.so.conf and check if it contains a line with /usr/local/lib. When all's OK enter
That's for the installation of libpcap.
Now, follow the same procedure for Snort.
tar zxvf snort.tar.gz
By default (when you install from source) there's no /etc/snort directory and no snort-init-script. I like both! For this, I've included my init-script for download. You can manually make the directory and copy my configuration file, the classification file and the local-rules to this location. Both classification and local.rules can be found in the Snort-sourcetree.
The initscript should be placed in
Open up the configuration file with your favorite editor and change the variable for HOME_NET. Beware, there's no 'equal-sign =' between var and the setting. I guess most of the settings are self-explanatory. If not, consult the snort-website.
(One thing: for the portscan-preprocessor there's also a portscan-ignore setting; consult snort.org for this.)
Also make sure you get the RULE_PATH-variable right. I create one directory (IDS) where I put all the new and old rules so
that it is easy to check what's changed, when and how. There's a great tool that could assist you in retrieving
the latest rule-set from Snort : Oinkmaster.
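The missing equal sign is the classic mistake in this file, so here is an added sanity check, written for this page and not part of Snort or the original text: a small POSIX shell script that flags var lines with a stray '=' or a missing value and pulls HOME_NET and RULE_PATH out of a snort.conf. The function names (check_snort_vars, get_snort_var) are my own, and the two sample configuration files are constructed for the demonstration; the ipvar/portvar forms are the Snort 2.x variants of the same syntax.

```shell
#!/bin/sh
# Added example (not part of the original page): sanity-check the variable
# definitions in a snort.conf before starting Snort. Snort's syntax is
#     var NAME value
# with NO '=' between the name and the value, so a stray '=' ends up as the
# value itself. Snort 2.x's ipvar and portvar use the same shape.

# check_snort_vars FILE : print every malformed var/ipvar/portvar line,
# return 1 if any were found, 0 when the file is clean.
check_snort_vars() {
    awk '
        BEGIN { bad = 0 }
        ($1 == "var" || $1 == "ipvar" || $1 == "portvar") && (NF < 3 || $3 == "=") {
            printf "line %d: malformed definition: %s\n", NR, $0
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# get_snort_var FILE NAME : print the value assigned to NAME ("" if unset).
get_snort_var() {
    awk -v name="$2" '($1 == "var" || $1 == "ipvar") && $2 == name { print $3; exit }' "$1"
}

# Constructed sample configurations for the demo, written to a scratch dir.
CONF_DIR=$(mktemp -d)
GOOD_CONF="$CONF_DIR/snort.conf"
BAD_CONF="$CONF_DIR/snort-bad.conf"

cat > "$GOOD_CONF" <<'EOF'
# correct form: no equal sign between the name and the value
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var RULE_PATH /IDS
include $RULE_PATH/local.rules
EOF

cat > "$BAD_CONF" <<'EOF'
var HOME_NET = 192.168.1.0/24
var RULE_PATH
var EXTERNAL_NET any
EOF

if check_snort_vars "$GOOD_CONF"; then
    echo "$GOOD_CONF: ok, HOME_NET is $(get_snort_var "$GOOD_CONF" HOME_NET)"
fi
if ! check_snort_vars "$BAD_CONF"; then
    echo "$BAD_CONF: fix the lines above before starting snort"
fi
```

Run it against /etc/snort/snort.conf as the snort user (not root) and you also get a free check that the file is readable by the account Snort will run under.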
After you have changed the configuration file, add one group called snort and a user snort with the group snort as his primary group.
Do not forget to edit the
/etc/passwd file so that snort has no home-dir and no shell.
Create the directory /var/log/snort and make snort both owner and group:
chown snort.snort /var/log/snort
I also remove the world-read from /etc/snort, make snort the group for /IDS and also remove world-read from this directory.
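As an added example (mine, not from the original page), the account and directory setup above as a script, followed by unprivileged checks you can re-run later to confirm nothing has drifted back to world-readable or to an interactive shell. It assumes a Linux box with shadow-utils (groupadd/useradd) and the paths the page uses (/var/log/snort, /etc/snort, /IDS); the function names and the sample passwd lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: privileged setup of the snort
# account and directories, plus checks that can run without root.

# setup_snort_account : run once as root. Defined here, not executed.
setup_snort_account() {
    groupadd snort
    # -M: no home directory is created; nologin: no interactive shell
    useradd -g snort -M -d /nonexistent -s /sbin/nologin snort
    mkdir -p /var/log/snort
    chown snort:snort /var/log/snort
    chmod o-rwx /var/log/snort          # drop world access to the alert logs
    chgrp snort /etc/snort /IDS
    chmod o-r /etc/snort /IDS           # config and rules: no world-read
}

# passwd_entry_is_locked "name:x:uid:gid:gecos:home:shell"
# 0 when the shell is non-interactive and the home dir is unusable.
passwd_entry_is_locked() {
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case "$shell" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) ;;
        *) return 1 ;;
    esac
    case "$home" in
        ''|/nonexistent|/dev/null) return 0 ;;
        *) return 1 ;;
    esac
}

# dir_not_world_readable DIR : 0 when the "other" read bit is clear.
dir_not_world_readable() {
    perms=$(ls -ld "$1" | cut -c1-10)   # e.g. drwxr-x---
    case "$perms" in
        d??????-??) return 0 ;;          # 8th character is other-read
        *) return 1 ;;
    esac
}

# dir_owned_by DIR UID GID : 0 when the numeric owner and group match.
# On a real system call it with "$(id -u snort)" "$(id -g snort)".
dir_owned_by() {
    owner=$(ls -ldn "$1" | awk '{ print $3 ":" $4 }')
    [ "$owner" = "$2:$3" ]
}

# Constructed sample passwd lines and a scratch directory for the demo.
SNORT_LOCKED='snort:x:1001:1001:Snort IDS:/nonexistent:/sbin/nologin'
SNORT_SLOPPY='snort:x:1001:1001::/home/snort:/bin/bash'
PERM_DIR=$(mktemp -d)
chmod 750 "$PERM_DIR"

if passwd_entry_is_locked "$SNORT_LOCKED"; then echo "locked account: ok"; fi
if ! passwd_entry_is_locked "$SNORT_SLOPPY"; then echo "interactive account: fix it"; fi
if dir_not_world_readable "$PERM_DIR"; then echo "$PERM_DIR: not world-readable"; fi
if dir_owned_by "$PERM_DIR" "$(id -u)" "$(id -g)"; then echo "$PERM_DIR: owner ok"; fi
```

The check functions read the passwd line you hand them (for example `getent passwd snort`) and the directory listing, so they need no privileges; the logs in /var/log/snort hold internal addresses and alert details, which is why the world-read bit matters there as much as on the rules.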
You could have a perfect IDS but without a decent rule-set it's of almost no use. For this, you should get your hands on either the Snort-ruleset
or the Vision-ruleset.
Together with the Oinkmaster it's very easy
to keep your rule-set up-to-date.
You can start the Oinkmaster like this (note : don't run this as root)
./oinkmaster.pl -o $RULE_PATH 2>&1 | logger -t oinkmaster
This will download the rules in
$RULE_PATH. Whenever you run the script afterwards, it will check if one of the rules has changed
and if so, it will download it. Open up the Oinkmaster config file to discard some files. Oh yeah, don't forget to check
if the user or group snort has read access to the rules directory.
After a while your logs will be unmanageably big. If you want to have some form of automatic review, you can use SnortSnarf. The
main download page is at http://www.silicondefense.com/software/snortsnarf/.
You need to have Perl installed before you can use it. SnortSnarf comes with a load of options, I use it this way :
./snortsnarf.pl -d /var/www/snort/ \
    -homenet 192.168.1.0/24 \
    -rulesfile /etc/snort/snort.conf \
    -rulesdir /usr/local/etc/snort/rules \
    /var/log/messages /var/log/snort/portscan.log