COIT13146 - System and Network Administration
Installing Snort
From the Snort website (www.snort.org, accessed 17-01-2013):
"Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol, and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and nearly 400,000 registered users, Snort has become the de facto standard for IPS."
We will be installing Snort on our internal server, userv1.
Assumptions
We have an up-to-date Ubuntu Server connected to the Internet. Remember that our Ubuntu Server, userv1, requires our gateway server to provide access to the Internet. So for all of this week's tasks, we will need the gateway server running and the firewall rules we developed previously applied.
We have a basic understanding of what Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are.
We know the difference between a Network IDS and a Host IDS.
Snort
Before we install
As always, we should ensure our system is up-to-date before installing new software.
We should take a minute to remember what we have installed on our userv1 Ubuntu Server. We should by now have an up-to-date document with this information recorded (good System Administrators keep good documentation). userv1 should have ssh, lighttpd and mail installed and working. Test that we can email ourselves from userv1 and that we can still access the lighttpd web server from the external side of our gateway using our host web browser. This must be working before we proceed with installing Snort.
Installation
Installing snort is a very easy process as we've seen before:
ubuntu@userv1:~$ sudo apt-get install snort
The Snort install provides us with a configuration screen.
We only want to work with our internal network which has the network address 192.168.12.0/24.
So change the address range and select to complete the installation.
We need to modify the default Snort configuration file /etc/snort/snort.conf. First take a 'backup' copy of the original:
ubuntu@userv1:~$ sudo cp /etc/snort/snort.conf /etc/snort/snort.conf.orig
so we will always have the original to compare back to.
Read through the first part of the configuration file to get an understanding of what we are doing. We are only interested in setting the variables for our network - Step #1. We will use all default libraries, rule sets etc.
The only change we need to make is to the HOME_NET variable. Our network is connected to eth0 on userv1, so we will set the value to read the IP address of eth0. To do this we change line 45 (check this; the line number may be different in your copy of the file):
ipvar HOME_NET any
to
ipvar HOME_NET $eth0_ADDRESS
and save the file.
Now we need to restart snort for changes to take effect:
ubuntu@userv1:~$ sudo service snort restart
* Stopping Network Intrusion Detection System snort
...done.
* Starting Network Intrusion Detection System snort
...done.
We should receive the positive feedback '...done.'. If '...fail!' is returned, we will need to look at the end of the /var/log/syslog file to work out the cause of the problem. Raise an issue on the course website if problems occur.
As a double check that Snort is running correctly - review the snort process that is started:
ubuntu@userv1:~$ ps ax|grep snort
14170 ? Ss 0:01 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -S HOME_NET=[192.168.12.0/24] -i eth0
Check that the HOME_NET network address and interface match our server.
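The three steps above (back up snort.conf, change the HOME_NET line, restart and confirm the running process) can be done as one script. The script below is an added example for this handout, not part of the Snort package: it finds the HOME_NET line by content rather than by line number, refuses to edit a file that does not contain exactly one such line, and then checks the snort command line reported by ps for the -S HOME_NET and -i values we expect. The paths, the $eth0_ADDRESS placeholder and the 192.168.12.0/24 network come from the handout; the main() section assumes it is run as root on userv1.

```python
import os
import re
import shutil
import subprocess
import sys

# Paths and values from the handout.  $eth0_ADDRESS is the placeholder the
# Ubuntu snort package expands to the address of eth0 when snort starts.
SNORT_CONF = "/etc/snort/snort.conf"
SNORT_CONF_BACKUP = "/etc/snort/snort.conf.orig"
HOME_NET_VALUE = "$eth0_ADDRESS"
EXPECTED_NET = "192.168.12.0/24"   # what the init script should pass via -S
EXPECTED_IFACE = "eth0"

# Match the 'ipvar HOME_NET ...' line by content, not by line number, since
# the handout notes that 'line 45' may differ between versions of the file.
HOME_NET_LINE = re.compile(r"^ipvar[ \t]+HOME_NET[ \t]+(\S.*?)[ \t]*$", re.MULTILINE)
PS_HOME_NET = re.compile(r"(?:^|\s)-S\s+HOME_NET=(\S+)")
PS_IFACE = re.compile(r"(?:^|\s)-i\s+(\S+)")


def set_home_net(conf_text, value):
    """Return conf_text with its single 'ipvar HOME_NET' line set to value.

    Zero or several HOME_NET lines means the file is not the stock
    configuration we expect, so refuse rather than guess which one to edit.
    """
    found = HOME_NET_LINE.findall(conf_text)
    if len(found) != 1:
        raise ValueError("expected exactly one 'ipvar HOME_NET' line, found %d" % len(found))
    # lambda keeps '$' in the value literal (re.sub would otherwise parse escapes)
    return HOME_NET_LINE.sub(lambda m: "ipvar HOME_NET " + value, conf_text)


def snort_args_from_ps(ps_line):
    """Pull HOME_NET and the capture interface out of a running snort command
    line, such as the 'ps ax | grep snort' output shown in the handout.
    Returns None if either argument is missing."""
    net = PS_HOME_NET.search(ps_line)
    iface = PS_IFACE.search(ps_line)
    if not net or not iface:
        return None
    # the init script wraps the network in [] (a Snort IP list); drop them
    return {"home_net": net.group(1).strip("[]"), "interface": iface.group(1)}


def check_running(ps_line, expected_net, expected_iface):
    """True when the running snort watches the network and interface we expect."""
    args = snort_args_from_ps(ps_line)
    return (args is not None and args["home_net"] == expected_net
            and args["interface"] == expected_iface)


def main():
    # Live run on userv1: needs root, edits the real config and restarts snort.
    if not os.path.exists(SNORT_CONF_BACKUP):      # never overwrite the original copy
        shutil.copyfile(SNORT_CONF, SNORT_CONF_BACKUP)
    with open(SNORT_CONF) as f:
        conf = f.read()
    with open(SNORT_CONF, "w") as f:
        f.write(set_home_net(conf, HOME_NET_VALUE))
    subprocess.check_call(["service", "snort", "restart"])
    ps = subprocess.check_output(["ps", "ax"]).decode("utf-8", "replace")
    snort_lines = [l for l in ps.splitlines() if "/usr/sbin/snort" in l]
    ok = any(check_running(l, EXPECTED_NET, EXPECTED_IFACE) for l in snort_lines)
    print("snort running with HOME_NET=%s on %s: %s" % (EXPECTED_NET, EXPECTED_IFACE, ok))
    sys.exit(0 if ok else 1)


if __name__ == "__main__":
    main()
```

Run it as sudo python snort_homenet.py on userv1; a non-zero exit means the restarted snort is not watching the network or interface we configured, which is the same condition the manual ps check above is looking for.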
The Snort alert file is located at /var/log/snort/alert. If we 'watch' the end of the file using the tail command ('man tail' for details):
ubuntu@userv1:~$ tail -f /var/log/snort/alert
and do a basic nmap scan of our entire network in another PuTTY window:
ubuntu@userv1:~$ sudo nmap -v -sU 192.168.12.0/24
we should see that Snort detects the scan and reports a number of alerts. Note that Snort is 'watching' our entire network, not just the single server.
Spend some time reading through the alerts and the documentation for Snort.
Now that Snort is generating these alerts, what will we do with them?
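One answer to that question is to summarise the alert file rather than read it record by record. The script below is an added example for this handout (not Snort's own tooling): it parses the multi-line records Snort writes to /var/log/snort/alert in its 'full' alert format, counts them by signature and by source host, and pulls out the priority 1 alerts (in Snort, priority 1 is the most severe). It assumes the alert file is in that full format; the records embedded in it are constructed samples with made-up rule ids and messages, not output captured on userv1.

```python
import re
import sys
from collections import Counter

ALERT_FILE = "/var/log/snort/alert"

# Constructed sample in Snort's 'full' alert format.  The rule ids (1:10000x)
# and messages are made up for this example; they are not real Snort rules.
SAMPLE_ALERTS = """\
[**] [1:100001:1] SCAN constructed UDP probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/17-10:12:34.123456 192.168.12.1:40123 -> 192.168.12.10:161
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:28

[**] [1:100001:1] SCAN constructed UDP probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/17-10:12:34.223456 192.168.12.1:40123 -> 192.168.12.10:162
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:28

[**] [1:100002:1] ICMP constructed ping sweep [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/17-10:12:35.000001 192.168.12.1 -> 192.168.12.20
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:28
Type:8  Code:0  ID:0   Seq:0  ECHO

[**] [1:100003:1] Constructed high priority alert [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
01/17-10:13:00.000001 192.168.12.50:51000 -> 192.168.12.10:22
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 40

[**] [1:100004:1] Constructed alert without classification [**]
01/17-10:13:01.000001 192.168.12.60:123 -> 192.168.12.10:123
UDP TTL:64 TOS:0x0 ID:3 IpLen:20 DgmLen:76
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
CLASS = re.compile(r"^(?:\[Classification: (.*?)\] )?\[Priority: (\d+)\]")
PACKET = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)")


def parse_alerts(text):
    """Split the alert file into records (blank-line separated) and return a
    list of dicts.  Records without a header line, e.g. a partial record at
    the start of a rotated or tailed file, are skipped rather than crashing."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER.match(lines[0]) if lines else None
        if not head:
            continue
        alert = {"gid": int(head.group(1)), "sid": int(head.group(2)),
                 "rev": int(head.group(3)), "msg": head.group(4),
                 "classification": None, "priority": None,
                 "time": None, "src": None, "dst": None}
        for line in lines[1:]:
            c = CLASS.match(line)
            if c:
                alert["classification"] = c.group(1)
                alert["priority"] = int(c.group(2))
                continue
            p = PACKET.match(line)
            if p:
                alert["time"], alert["src"], alert["dst"] = p.groups()
        alerts.append(alert)
    return alerts


def host(addr):
    """Strip the :port suffix Snort appends for TCP/UDP (IPv4 addresses only)."""
    return addr.rsplit(":", 1)[0] if addr and addr.count(":") == 1 else addr


def summarize(alerts, max_priority=1):
    """Counts by signature and by source host, plus the alerts at or above
    the given severity (priority 1 is Snort's most severe)."""
    by_sig = Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)
    by_src = Counter(host(a["src"]) for a in alerts)
    urgent = [a for a in alerts
              if a["priority"] is not None and a["priority"] <= max_priority]
    return {"by_signature": by_sig, "by_source": by_src, "urgent": urgent}


def report(text):
    s = summarize(parse_alerts(text))
    print("Alerts by signature:")
    for (gid, sid, msg), n in s["by_signature"].most_common():
        print("  %5d  [%d:%d] %s" % (n, gid, sid, msg))
    print("Alerts by source host:")
    for src, n in s["by_source"].most_common():
        print("  %5d  %s" % (n, src))
    print("Priority 1 alerts:")
    for a in s["urgent"]:
        print("  %s %s -> %s  %s" % (a["time"], a["src"], a["dst"], a["msg"]))


if __name__ == "__main__":
    # With no argument, run over the constructed sample; on userv1 pass the
    # real alert file: sudo python snort_alerts.py /var/log/snort/alert
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            report(f.read())
    else:
        report(SAMPLE_ALERTS)
```

The per-source count is what makes an nmap scan like the one above obvious: one internal host accounts for almost every alert. The per-signature count tells us which rules are noisy on our network and may need tuning, and the priority 1 list is the short list worth reading in full.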
Snort captures network traffic in tcpdump format files that can be found in the /var/log/snort directory. Install tcpdump and use man to determine how to use tcpdump (the '-r' flag would be a good start). Review one of the snort tcpdump.log files. This gives us the ability to 'replay' an event.
There is a huge amount of configuration and additional components that can be added to snort. For now we will be happy with the default configuration. We will soon see that OSSEC can 'hook' into Snort and provide additional services.
Summary
[Sourced and modified from help.ubuntu.com/community/SnortIDS, kat-amsterdam, accessed 24-02-2012]
Our intrusion detection system (IDS) inspects all network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise our systems.
An IDS differs from a firewall in that a firewall inspects the traffic and stops it based on user specified rules (iptables rules). An IDS on the other hand, inspects and evaluates the traffic to determine if it is suspicious. The IDS may raise alerts based upon the analysis.
There are multiple places an IDS can be located. Our example places the IDS behind the firewall. The interface on our IDS (userv1) is in promiscuous mode, allowing it to inspect all traffic on the internal local network.
The switch in the diagram is a good representation of the Internal Network provided by VirtualBox connecting userv1 to our gateway (firewall). We don't have user workstations on our internal network, but we do have userv2. Internal workstations are something we may need to think more about later.