SNORT - IDS

Contents

1. Introduction

2. Useful resources

3. Packages and installation

4. Configuration

5. Rules

6. Misc

7. Links





1. Introduction

Snort is one of the best Open Source Network Intrusion Detection Systems. An IDS is a network monitor that keeps track of intrusion attempts, signs of possible 'bad' behavior or hacking exploits.

I quote Dave Wreski and Christopher Pallack on Linuxsecurity.com:
A Network Intrusion Detection System (NIDS) is a system that is responsible for detecting anomalous, inappropriate, or other data that may be considered unauthorized occurring on a network. Unlike a firewall, which is configured to allow or deny access to a particular service or host based on a set of rules: if the traffic matches an acceptable pattern, it is permitted regardless of what the packet contains. However, an NIDS captures and inspects all traffic, regardless of whether it's permitted or not. Based on the contents, at either the IP or application level, an alert is generated.

Snort is a "lightweight" NIDS in that it is non-intrusive, easily configured, utilizes familiar methods for rule development, and takes only a few minutes to install. Snort currently includes the ability to detect more than 1100 potential vulnerabilities. Keep in mind that Intrusion Detection devices work in conjunction with other security measures, and are not a replacement for other good security practices.

2. Useful resources

http://www.snort.org
http://www.linuxsecurity.com/feature_stories/feature_story-49.html

3. Packages and installation

Before you can install Snort, you need the pcap library (libpcap). It is available for download from http://www.tcpdump.org/ (yes, the people who wrote tcpdump). Installation of libpcap is straightforward:
tar zxvf libpcap.tar.gz
cd libpcap
./configure
make
make install
This installs the library in /usr/local/lib. For the dynamic linker to find it, edit /etc/ld.so.conf and check that it contains a line with /usr/local/lib (add one if it does not). Once that is in place, run
ldconfig
That completes the installation of libpcap.

Now, follow the same procedure for Snort.
tar zxvf snort.tar.gz
cd snort
./configure
make
make install
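An added helper for the ld.so.conf step in the libpcap installation above (my own example, not part of the original page): it adds the library directory to the linker configuration without creating duplicate lines, rebuilds the cache and checks that libpcap is actually in it. It assumes the GNU/Linux /etc/ld.so.conf and ldconfig mechanism.

```shell
#!/bin/sh
# Added helper for the libpcap step above (not from the original page): make sure the
# dynamic linker searches the directory libpcap was installed into, then rebuild the
# cache and confirm libpcap is in it. Assumes the GNU/Linux ld.so.conf + ldconfig setup.

# Append the library directory $2 to the ld.so.conf-style file $1 unless that exact
# line is already present, so repeated runs never produce duplicate entries.
ensure_ld_path() {
    conf=$1
    dir=$2
    [ -f "$conf" ] || : > "$conf"
    if grep -qxF "$dir" "$conf"; then
        return 0
    fi
    echo "$dir" >> "$conf"
}

# Run as root: register the directory, rebuild the cache and check the result.
# snort's ./configure links against -lpcap, so it must show up in `ldconfig -p`.
register_libpcap() {
    libdir=${1:-/usr/local/lib}
    ensure_ld_path /etc/ld.so.conf "$libdir"
    ldconfig
    if ! ldconfig -p | grep -q 'libpcap\.so'; then
        echo "libpcap.so is not in the ldconfig cache; check $libdir" >&2
        return 1
    fi
    echo "libpcap registered from $libdir"
}
```

Call register_libpcap as root after "make install" of libpcap; a non-zero exit means Snort's ./configure will not find the library either.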

4. Configuration

By default (when you install from source) there's no /etc/snort directory and no snort-init-script. I like both! For this, I've included my init-script for download.

You can manually make the directory /etc/snort, and copy my configuration file, the classification file and the local-rules to this location.

Both the classification file and local.rules can be found in the Snort source tree.

The initscript should be placed in /etc/init.d/.

Open the configuration file with your favorite editor and change the HOME_NET variable. Beware: there is no equal sign (=) between the variable name and its value. I guess most of the settings are self-explanatory; if not, consult the Snort website. (One more thing: for the portscan preprocessor there is also a portscan-ignore setting; consult snort.org for this.)

Also make sure you get the RULE_PATH variable right. I create one directory (IDS) where I put all the new and old rules, so that it is easy to check what has changed, when and how. There is a great tool that can assist you in retrieving the latest rule set from Snort: Oinkmaster.

After you have changed the configuration file, add a group called snort and a user snort with snort as its primary group. Do not forget to edit /etc/passwd so that snort has no home directory and no shell.

Create the directory /var/log/snort and make snort both its owner and group:
mkdir /var/log/snort
chown snort:snort /var/log/snort
I also remove world-read from /etc/snort, make snort the group of /IDS and remove world-read from that directory as well.
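Since the init script itself is only available as a download, here is an added example of what a SysV-style /etc/init.d/snort looks like (my example, not the script described above). It assumes snort in /usr/local/bin, the configuration in /etc/snort/snort.conf, logs in /var/log/snort, sniffing on eth0, the snort user and group created as described, and a PID file named snort_<interface>.pid in /var/run.

```shell
#!/bin/sh
# Added example of a SysV-style /etc/init.d/snort script; it is not the author's
# downloadable init script. Assumptions: snort lives in /usr/local/bin, the config
# is /etc/snort/snort.conf, logs go to /var/log/snort, the sniffing interface is
# eth0 and the unprivileged account is user/group "snort" (created as described).
SNORT=/usr/local/bin/snort
CONF=/etc/snort/snort.conf
LOGDIR=/var/log/snort
IFACE=eth0
SNORT_USER=snort
SNORT_GROUP=snort
# Assumed PID file location (Snort names it snort_<interface>.pid); adjust if needed.
PIDFILE=/var/run/snort_$IFACE.pid

# -D daemonise, -c config file, -u/-g drop root to snort:snort after the capture
# interface has been opened, -l log directory, -i interface to sniff on.
snort_cmdline() {
    echo "$SNORT -D -c $CONF -u $SNORT_USER -g $SNORT_GROUP -l $LOGDIR -i $IFACE"
}

running() {
    [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

start() {
    if running; then echo "snort is already running"; return 0; fi
    # Once privileges are dropped, snort can only write alerts if the log
    # directory exists and is owned by the snort user (mkdir/chown step above).
    if [ ! -d "$LOGDIR" ] || [ "$(stat -c %U "$LOGDIR")" != "$SNORT_USER" ]; then
        echo "$LOGDIR is missing or not owned by $SNORT_USER" >&2
        return 1
    fi
    echo "Starting snort on $IFACE"
    eval "$(snort_cmdline)"
}

stop() {
    if ! running; then echo "snort is not running"; return 0; fi
    echo "Stopping snort"
    kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
}

case "${1:-}" in
    start)   start ;;
    stop)    stop ;;
    restart) stop; sleep 1; start ;;
    status)  if running; then echo "snort is running"; else echo "snort is stopped"; fi ;;
    '')      ;;   # no action given (e.g. file sourced for its functions): do nothing
    *)       echo "Usage: $0 {start|stop|restart|status}" >&2; exit 1 ;;
esac
```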

5. Rules

You could have a perfect IDS, but without a decent rule set it is of almost no use. For this, you should get your hands on either the Snort ruleset or the Vision ruleset.

Together with Oinkmaster it is very easy to keep your rule set up to date.

You can start Oinkmaster like this (note: don't run this as root):
./oinkmaster.pl -o $RULE_PATH 2>&1 | logger -t oinkmaster
This downloads the rules into $RULE_PATH. Whenever you run the script afterwards, it checks whether any of the rules have changed and, if so, downloads them. Open the Oinkmaster config file if you want to skip (discard) certain files. Oh yeah, don't forget to check that the user or group snort has read access to the rules directory.
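An added wrapper around the Oinkmaster command above (my example, not part of the original page) that also performs the check just mentioned: after the update it walks the rules directory and reports anything the snort group cannot read. It assumes RULE_PATH is /IDS/rules, oinkmaster.pl is in PATH, and the script runs as the unprivileged owner of /IDS, not as root.

```shell
#!/bin/sh
# Added wrapper around the Oinkmaster call above (not from the original page): fetch
# the rules, then check the thing the note warns about, that the snort group can
# actually read every file in the rules directory. Assumptions: RULE_PATH is
# /IDS/rules, oinkmaster.pl is in PATH, and this runs as the unprivileged owner of
# /IDS (not root), for instance from that user's crontab.
RULE_PATH=${RULE_PATH:-/IDS/rules}

# Print everything under $1 that the group cannot read: files without g+r
# (mode bit 040) and directories without g+rx (050, needed to traverse them).
# Returns 0 when nothing is printed, 1 otherwise.
check_group_readable() {
    bad=$(find "$1" \( -type d ! -perm -050 \) -o \( -type f ! -perm -040 \))
    if [ -z "$bad" ]; then
        return 0
    fi
    printf '%s\n' "$bad"
    return 1
}

update_rules() {
    oinkmaster.pl -o "$RULE_PATH" 2>&1 | logger -t oinkmaster
    if ! bad=$(check_group_readable "$RULE_PATH"); then
        printf 'not readable by group snort:\n%s\n' "$bad" | logger -t oinkmaster
        return 1
    fi
    # Snort reads its rules at start-up only, so the running daemon must be
    # restarted (e.g. via the init script) before the new set is active.
    logger -t oinkmaster "rules in $RULE_PATH updated and readable; restart snort"
}
```

Call update_rules from the rules owner's crontab; like the command on the page, everything ends up in syslog under the oinkmaster tag.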

6. Misc

After a while your logs will become unmanageably big. If you want some form of automatic review, you can use SnortSnarf. The main download page is at http://www.silicondefense.com/software/snortsnarf/. You need to have Perl installed before you can use it. SnortSnarf comes with a load of options; I use it this way (options first, then the log files to process):
  ./snortsnarf.pl -d /var/www/snort/ \
    -homenet 192.168.1.0/24 \
    -rulesfile /etc/snort/snort.conf \
    -rulesdir /usr/local/etc/snort/rules \
    /var/log/messages /var/log/snort/portscan.log

7. Links

Writing SNORT rules
Basic guide to SNORT
SecurityDocs
http://www.securitydocs.com/links/381
Copyleft 2002-2007 - cudeso.be - webmaster@cudeso.be