Snort

From ImageStream Router Documentation


Revision as of 00:59, 12 May 2009

Overview

Snort is an Intrusion Detection System add-on package for ImageStream Linux. Routers running Snort can detect, log and provide alerts for network-based intrusion attempts.
A complete IDS setup consists of:
  • Snort sensor running on an ImageStream Router
  • Alert and Logging Collector
  • Front-end for reporting on alerts.

Snort add-on package installation

Setting up the add-on hard drive service

Enter the following commands from the command prompt (Main menu option 3 Advanced -> option 1 Bash shell)
  • addon_hd configure
  • addon_hd partition
  • addon_hd format
  • Enable addon_hd
  • Start addon_hd

The addon_hd service uses two partitions: a read-only partition for program installation, mounted by default on /opt, and a read-write partition for data storage, mounted on /data. Because /opt is mounted read-only, add-on programs installed there cannot be written to without first remounting the partition read-write (the Snort restart script does this briefly, as the restart log further down shows).

The addon_hd service can run on the built-in flash if it is 128 MB or larger. Otherwise an extra flash drive or hard drive is required.

Partitioning schemes

Device                                         RO partition  RO size  RO mount  RW partition  RW size                                       RW mount
Built-in flash, 128 MB                         hda3          32 MB    /opt      hda4          Remainder of drive (24 MB on a 128 MB flash)  /data
Add-on flash or hard drive, less than 8 GB     hdc1          512 MB   /opt      hdc2          Remainder of drive                            /data
Add-on flash or hard drive, greater than 8 GB  hdc1          4 GB     /opt      hdc2          Remainder of drive                            /data

Primary Flash as Add-On HDD

Use the following procedure to use the add-on hard drive feature with available storage on the primary flash (intended for routers with a primary flash that is 4 GB or larger).
- Ensure a DNS server is configured and the router has access to the Internet.
- Drop to a bash shell command line (Main menu option 3 Advanced -> option 1 Bash shell).
- Update the router OS.
 update 4.4.0
- Reboot the router after the OS update completes successfully.
- Drop to a bash shell command line (3. Advanced, 1. Bash shell).
- Run fdisk on the primary flash device (normally /dev/hda).
 fdisk /dev/hda
- Document the existing partition scheme (option 'p' in fdisk) which will look similar to the output below.
 Command (m for help): p
 Disk /dev/hda: 16 heads, 63 sectors, 15538 cylinders
 Units = cylinders of 1008 * 512 bytes
    Device Boot    Start       End    Blocks   Id  System
 /dev/hda1   *         1       131     65992+  83  Linux
 /dev/hda2           132       148      8568   83  Linux
 /dev/hda3           149       214     33264   83  Linux
 /dev/hda4           215     15538   7723296   83  Linux
- Delete the hda3 and hda4 partitions. Anything stored on them is lost; leave hda1 (the boot partition) and hda2 untouched.
 Command (m for help): d
 Partition number (1-4): 3
 Command (m for help): d
 Partition number (1-4): 4
- Write the changes to disk by using the 'w' command.
 Command (m for help): w
 The partition table has been altered!
 Calling ioctl() to re-read partition table.
 WARNING: If you have created or modified any DOS 6.x
 partitions, please see the fdisk manual page for additional
 information.
 Syncing disks.
- Run fdisk on the primary flash device (normally /dev/hda) again.
 fdisk /dev/hda
- Confirm the partition table only shows hda1 and hda2 by using the 'p' command.
 Command (m for help): p
 Disk /dev/hda: 16 heads, 63 sectors, 15538 cylinders
 Units = cylinders of 1008 * 512 bytes
    Device Boot    Start       End    Blocks   Id  System
 /dev/hda1   *         1       131     65992+  83  Linux
 /dev/hda2           132       148      8568   83  Linux
- Create a new 3rd partition by using the following options:
  • n (add new partition)
  • p (primary partition)
  • 3 (partition number)
  • <enter> (accept the default first cylinder, which should be 149, the cylinder after hda2)
  • +1000M (make it a 1 GB partition)
- The sequence should look similar to the following.
 Command (m for help): n
 Command action
    e   extended
    p   primary partition (1-4)
 p
 Partition number (1-4): 3
 First cylinder (149-15538, default 149):
 Using default value 149
 Last cylinder or +size or +sizeM or +sizeK (149-15538, default 15538): +1000M
- Create a new 4th partition by using the following options:
  • n (add new partition)
  • p (primary partition)
  • 4 (partition number)
  • <enter> (accept the default first cylinder, which should be around 2181, the cylinder after the new hda3)
  • <enter> (accept the default last cylinder so the partition uses the remaining space)
- The sequence should look similar to the following.
 Command (m for help): n
 Command action
    e   extended
    p   primary partition (1-4)
 p
 Partition number (1-4): 4
 First cylinder (2181-15538, default 2181):
 Using default value 2181
 Last cylinder or +size or +sizeM or +sizeK (2181-15538, default 15538):
 Using default value 15538
- Confirm the partitions and sizes by using the 'p' command.
 Command (m for help): p
 Disk /dev/hda: 16 heads, 63 sectors, 15538 cylinders
 Units = cylinders of 1008 * 512 bytes
    Device Boot    Start       End    Blocks   Id  System
 /dev/hda1   *         1       131     65992+  83  Linux
 /dev/hda2           132       148      8568   83  Linux
 /dev/hda3           149      2180   1024128   83  Linux
 /dev/hda4          2181     15538   6732432   83  Linux
- Write the changes to disk by using the 'w' command.
 Command (m for help): w
 The partition table has been altered!
 Calling ioctl() to re-read partition table.
 WARNING: If you have created or modified any DOS 6.x
 partitions, please see the fdisk manual page for additional
 information.
 Syncing disks.
- Reboot the router after completing the partition changes.
- Run the addon_hd configuration script (addon_hd configure).
 # addon_hd configure
 Creating a default add-on hard drive configuration...
 Checking for a hard drive or flash drive...
   Probing hdb... not found.
   Probing hdc... not found.
   Probing hdd... not found.
 Using the 3rd and 4th partitions on the primary flash drive.
- Format the partitions by using addon_hd format script (addon_hd format).
 # addon_hd format
 WARNING: All data and programs on the add-on drive will be lost!
 Are you sure you want to format the add-on drive (y/N)? y
   Formatting program partition... done.
   Formatting data partition... done.
 Starting the add-on hard drive service...
   Mounting add-on program partition read-only...  done.
   Mounting add-on data partition read-write...  done.
 done.
- Enable the addon_hd (Enable addon_hd) so that it starts at boot.
 # Enable addon_hd
 addon_hd enabled on boot.
- Start the addon_hd feature (Start addon_hd) to make it available for use (most likely it is already started from the previous command).
 # Start addon_hd
 Add-on hard drive service is already started.
- Run "df -h" to confirm the addon_hd feature is working: a roughly 1 GB /dev/hda3 partition should be mounted on /opt and a larger /dev/hda4 partition (its size depends on the size of the flash) on /data.
 # df -h
 Filesystem                Size      Used Available Use% Mounted on
 rootfs                   63.3M     47.6M     12.7M  79% /
 /dev/root.old            63.3M     47.6M     12.7M  79% /
 /dev/hda3               984.4M     16.0M    918.3M   2% /opt
 /dev/hda4                 6.3G     32.1M      6.0G   1% /data
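Once the service is up, the two mounts are what to verify: the program partition must stay read-only and the data partition read-write, and since the Snort restart script remounts /opt read-write and back again, the check is worth repeating after a restart. The following shell check is an added example, not part of the ImageStream documentation or the addon_hd scripts. It reads /proc/mounts-style lines on stdin (the path /proc/mounts is assumed to exist as on any Linux kernel) and reports whether /opt is mounted read-only, /data read-write, and both on the same drive. The sample mount tables are constructed for the example, modelled on the df output above; the ext2 filesystem type in them is an assumption.

```sh
#!/bin/sh
# Added example (not part of the ImageStream documentation or the addon_hd
# scripts): verify the add-on drive is mounted as the procedure expects,
# i.e. the program partition read-only on /opt and the data partition
# read-write on /data. Input is /proc/mounts-style lines on stdin:
#   device mountpoint fstype options 0 0
# On the router: check_addon_mounts < /proc/mounts

check_addon_mounts() {
    opt_dev="" opt_ro=no data_dev="" data_rw=no rc=0
    while read -r dev mnt _fstype opts _rest; do
        case "$mnt" in
            /opt)
                opt_dev=$dev
                # Options are comma separated; look for a whole "ro" token.
                case ",$opts," in *,ro,*) opt_ro=yes ;; esac ;;
            /data)
                data_dev=$dev
                case ",$opts," in *,rw,*) data_rw=yes ;; esac ;;
        esac
    done

    if [ -z "$opt_dev" ]; then
        echo "FAIL: nothing mounted on /opt (addon_hd not configured or not started)"
        rc=1
    elif [ "$opt_ro" != yes ]; then
        echo "FAIL: $opt_dev on /opt is writable; the program partition should be read-only"
        rc=1
    else
        echo "ok: $opt_dev on /opt is read-only"
    fi

    if [ -z "$data_dev" ]; then
        echo "FAIL: nothing mounted on /data"
        rc=1
    elif [ "$data_rw" != yes ]; then
        echo "FAIL: $data_dev on /data is not read-write; Snort cannot log there"
        rc=1
    else
        echo "ok: $data_dev on /data is read-write"
    fi

    # Both partitions come from one drive (hda3/hda4 or hdc1/hdc2 per the
    # partitioning table); different drives suggest a stale or manual mount.
    if [ -n "$opt_dev" ] && [ -n "$data_dev" ]; then
        opt_disk=$(printf '%s' "$opt_dev" | sed 's/[0-9]*$//')
        data_disk=$(printf '%s' "$data_dev" | sed 's/[0-9]*$//')
        [ "$opt_disk" = "$data_disk" ] ||
            echo "WARN: /opt ($opt_dev) and /data ($data_dev) are on different drives"
    fi
    return "$rc"
}

# Constructed sample mount tables, modelled on the df output above (the
# ext2 filesystem type is an assumption).
GOOD_MOUNTS='rootfs / rootfs rw 0 0
/dev/hda3 /opt ext2 ro 0 0
/dev/hda4 /data ext2 rw,noatime 0 0'

# /opt left read-write, as it would be if a remount back to read-only failed.
BAD_MOUNTS='rootfs / rootfs rw 0 0
/dev/hda3 /opt ext2 rw 0 0
/dev/hda4 /data ext2 rw,noatime 0 0'

printf '%s\n' "$GOOD_MOUNTS" | check_addon_mounts
printf '%s\n' "$BAD_MOUNTS" | check_addon_mounts || echo "(expected: writable /opt rejected)"
```

The function returns non-zero on any failure, so it can be dropped into a cron job or a post-restart hook on the router and its exit status used directly.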

Install the Snort add-on

Enter the following commands from the command prompt (Main menu option 3 Advanced -> option 1 Bash shell)
  • Install snort
  • Enable snort

Windows-based configuration and rules management

Installation

  • Download and install the IDS Policy Manager software from www.activeworx.org/programs/idspm

Configure Settings

  • Select Options => Settings from the menu.
  • Enter your Oink Code. An Oink Code requires a snort.org account (https://www.snort.org/reg-bin/userprefs.cgi); it authorises rule downloads for that account, so treat it like a password.
  • Initialize Update Locations and select the Snort v2.8 checkbox.


Add a new policy

  • Double-click on Snort Policies in the left-hand tree view.
  • Right-click on Snort Policies and select Add Policy.
  • Enter a name for the policy.
  • Select Snort Version Snort 2.8
  • Make sure the Initialize Policy checkbox is checked.
  • Click OK


Edit the new policy

ImageStream Variables
  • Click on the new policy to expand the tree view.
  • Click on Variables
  • Right-click on the right-hand pane with the list of variables and select Add Item
  • Enter SGUIL_HOST for the Name and the Sguil server's name or IP address for the Value.
  • Right-click the new SGUIL_HOST variable and select Enable Item
  • Other variables recognised by ImageStream's Snort package are listed on the Snort ImageStream Variables page.
Output Modules
Enable unified logging to barnyard/sguil (barnyard reads the unified log and forwards the events to the Sguil server):
  • Double-click on the log_unified line
  • Click the Enabled checkbox
  • Filename: Leave default snort.log
Force alert logging to /dev/null, so that Snort does not also write a full-text copy of every alert to the router's storage:
  • Right-click on the log_unified line and select Add Item
  • Output Module: Select Alert Full
  • Click the Enabled checkbox
  • Filename: Enter /dev/null

Add a new sensor

  • Double-click on Snort Sensors in the left-hand tree view.
  • Right-click on Snort Sensors and select Add Sensor.
  • Name: Enter the router's name.
  • Description: Enter a description for the router.
Sensor Settings Tab
  • Sensor Host: Enter the router's hostname or IP address.
  • Policy: Select the policy you created earlier from the dropdown.
  • Snort Version: Select 2.8.
Upload Settings Tab
  • Upload Protocol: Select SFTP from the dropdown. Leave the default SSH port (22). Enable Use Compression.
  • Upload Directory: Enter /data/snort/etc
  • Configuration File: Leave default snort.conf
  • Test Connectivity Command: Leave default uname -a;id
Authentication Tab
  • Username: Enter root
  • Authentication Mode: Leave default Password from the dropdown.
  • Password Settings: Enter and confirm the router's password for root.
IDS Policy Manager stores this password and uses it to log in to the router as root over SSH whenever it uploads a policy or restarts Snort, so the workstation running it effectively holds root on every sensor it manages; keep it on a trusted, access-controlled host.
Restart Settings Tab
  • Restart after Upload: Enable
  • Restart method: Select Script via SSH from the dropdown.
  • Restart script: Enter Restart snort
  • Run Test Snort Before Restart: If the router has 512 MB of RAM or more you may enable this option.
  • Test Command: If Run Test Snort Before Restart is enabled, enter Checkconf snort
  • Test Fails if Output Contains: Enter Failure
Variables Tab
  • Add SNORT_IFACE and set it to a space-delimited list of interfaces to monitor. WARNING: Snort requires about 200 MB of memory per monitored interface.

Update Rules

  • Click on Snort Sensors in the left-hand tree view.
  • Click on the Update Policies icon above the left-hand menu.
  • Click the Start button to download rules files from snort.org.

Update Sensors


  • Click on Snort Sensors in the left-hand tree view.
  • Click on the Upload Policies to Sensors icon above the left-hand menu.
  • Enable the Update checkbox.
  • Click the Start button to upload rules and configuration files to the router. This step may take a minute.
  • Click the View Log button to ensure Snort was restarted properly.
Done Uploading to Sensor Scott home.

Restart Log
-----------

Restarting Sensor lab1.
Stopping the Snort service...
Stopping the Snort service...
Shutting down sancp:
SANCP for sensor lab1-eth0 is DOWN
Shutting down PADS:
PADS for sensor lab1-eth0 is DOWN
Shutting down barnyard:
Barnyard for sensor lab1-eth0 is DOWN
Shutting down pads_agent-lab1-eth0:
SANCP agent for sensor lab1-eth0 is DOWN
Shutting down sancp_agent-lab1-eth0:
SANCP agent for sensor lab1-eth0 is DOWN
Shutting down snort_agent-lab1-eth0:
SANCP agent for sensor lab1-eth0 is DOWN
Starting the Snort service...
  Mounting add-on program partition read-write... done.
  Mounting add-on program partition read-only... done.
Starting PADS:
pads - Passive Asset Detection System
v1.2 - 06/17/05
Matt Shelton <matt@mattshelton.com>
[-] Daemonizing...
pads - Passive Asset Detection System
v1.2 - 06/17/05
Matt Shelton <matt@mattshelton.com>
[-] Daemonizing...
PADS for sensor lab1-eth0 is UP (pid 4849)
Starting pads_agent-lab1-eth0:
SANCP agent for sensor lab1-eth0 is UP (pid 4872)
Starting sancp:
SANCP for sensor lab1-eth0 is UP (pid 4900)
Starting sancp_agent-lab1-eth0:
SANCP agent for sensor lab1-eth0 is UP (pid 4924)
Starting snort_agent-lab1-eth0:
SANCP agent for sensor lab1-eth0 is UP (pid 4948)
Starting barnyard:
Barnyard Version 0.2.0 (Build 32)
Barnyard for sensor lab1-eth0 is UP (pid 4974)
Successfully started the Snort service.
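The restart log is the only evidence that the sensor actually came back, and one failed component is easy to miss between the banners. The following shell function is an added example, not part of IDS Policy Manager or of the ImageStream start/stop scripts: it reads a restart log on stdin and reports whether every component named by a "Starting ...:" line after "Starting the Snort service..." came back UP, and whether the closing "Successfully started the Snort service." line is present. Note that in the log above the status messages say "SANCP agent" for the pads and snort agents as well, so the check takes each component's name from its "Starting" line rather than from the status text. Both sample logs are constructed for the example, abbreviated from the log above; the second one has barnyard failing to start.

```sh
#!/bin/sh
# Added example (not part of IDS Policy Manager or the ImageStream scripts):
# read a "Restart snort" log on stdin and decide whether the restart
# succeeded. Every component named by a "Starting <name>:" line after
# "Starting the Snort service..." must report "is UP (pid N)", and the
# final "Successfully started the Snort service." line must be present.
# Usage: check_restart_log < restart.log

check_restart_log() {
    phase=stop pending="" failed="" started=0 up=0 success=no rc=0
    while IFS= read -r line; do
        case "$line" in
            "Starting the Snort service..."*)
                phase=start ;;
            "Successfully started the Snort service."*)
                success=yes ;;
            "Starting "*:*)
                # Only the start phase matters; the stop phase reports DOWN
                # for everything by design.
                [ "$phase" = start ] || continue
                # A component that never reported a status is a failure too.
                [ -z "$pending" ] || failed="$failed $pending"
                # "Starting barnyard: " -> "barnyard"
                pending=${line#Starting }
                pending=${pending%%:*}
                started=$((started + 1)) ;;
            *" is UP (pid "*)
                [ "$phase" = start ] || continue
                pid=${line##*"(pid "}
                pid=${pid%%)*}
                echo "ok: $pending is up (pid $pid)"
                up=$((up + 1))
                pending="" ;;
            *" is DOWN"*)
                [ "$phase" = start ] || continue
                failed="$failed $pending"
                pending="" ;;
        esac
    done
    [ -z "$pending" ] || failed="$failed $pending"
    for name in $failed; do
        echo "FAIL: $name did not come up"
        rc=1
    done
    if [ "$success" != yes ]; then
        echo "FAIL: log does not end with 'Successfully started the Snort service.'"
        rc=1
    fi
    echo "$up of $started components up"
    return "$rc"
}

# Constructed logs for the example, abbreviated from the restart log above.
GOOD_LOG='Restarting Sensor lab1.
Stopping the Snort service...
Shutting down barnyard:
Barnyard for sensor lab1-eth0 is DOWN
Starting the Snort service...
Starting PADS:
PADS for sensor lab1-eth0 is UP (pid 4849)
Starting pads_agent-lab1-eth0:
SANCP agent for sensor lab1-eth0 is UP (pid 4872)
Starting sancp:
SANCP for sensor lab1-eth0 is UP (pid 4900)
Starting sancp_agent-lab1-eth0:
SANCP agent for sensor lab1-eth0 is UP (pid 4924)
Starting snort_agent-lab1-eth0:
SANCP agent for sensor lab1-eth0 is UP (pid 4948)
Starting barnyard:
Barnyard Version 0.2.0 (Build 32)
Barnyard for sensor lab1-eth0 is UP (pid 4974)
Successfully started the Snort service.'

# Same restart, but barnyard fails and the script never reports success.
BAD_LOG='Starting the Snort service...
Starting PADS:
PADS for sensor lab1-eth0 is UP (pid 4849)
Starting barnyard:
Barnyard Version 0.2.0 (Build 32)
Barnyard for sensor lab1-eth0 is DOWN'

printf '%s\n' "$GOOD_LOG" | check_restart_log
printf '%s\n' "$BAD_LOG" | check_restart_log || echo "(expected: failed restart detected)"
```

Because barnyard is what carries events to the Sguil server, a sensor whose barnyard did not come up keeps capturing but reports nothing; that is exactly the case the second sample exercises.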

Sguil server installation for Linux

A complete step-by-step guide for installing Sguil Server on RedHat Linux is available at http://nsmwiki.org/Sguil_on_RedHat_HOWTO#Configuration

Obtaining Sguil Server Software

Download the latest Sguil server archive from http://sguil.sourceforge.net.

The tested version is http://internap.dl.sourceforge.net/sourceforge/sguil/sguil-server-0.7.0.tar.gz

Extract the archive to /usr/local/sguild

sguild needs a Tcl interpreter built without thread support. If your Linux distribution ships a threaded Tcl binary, ImageStream provides a source RPM and a CentOS 5.3 32-bit binary RPM of a non-threaded Tcl at ftp://ftp.imagestream.com/pub/sguil

To install (--force lets rpm replace the distribution's own tcl package of the same version):

rpm -Uvh --force tcl-8.4.13-3nothreads.i386.rpm

Setting up the MySQL Databases

root@dev1:/usr/local/sguild/server/sql_scripts# mysql -e "create database sguildb"
root@dev1:/usr/local/sguild/server/sql_scripts# mysql -D sguildb < ./create_sguildb.sql
root@dev1:/usr/local/sguild/server/sql_scripts# mysql -D sguildb -e "show tables"
+-------------------+
| Tables_in_sguildb |
+-------------------+
| history           |
| nessus            |
| nessus_data       |
| pads              |
| portscan          |
| sensor            |
| status            |
| user_info         |
| version           |
+-------------------+
root@dev1:/usr/local/sguild/server/sql_scripts#

Setting up sguild

Create the SSL certificate:

TODO: Add a guide to create the cert from the router.


Sguil client installation for Windows

Sguil is an open source Snort analyst console written in Tcl/Tk and requires additional software to run on Windows. A Windows Tcl/Tk interpreter can be downloaded from http://www.activestate.com/activetcl/downloads.

Note: ActiveTcl 8.5 appears unable to run the Sguil client as of version 8.5.7.0. ImageStream has tested version 8.4.19.1 and found it to work.

The latest version of the Sguil client can be obtained from SourceForge.

Tested Software Downloads

ActiveTCL 8.4.19.1
Sguil Client 0.7.0

After installing ActiveTCL and extracting the Sguil client, associate the .tk extension with the wish.exe application in the ActiveTCL directory. A step-by-step installation guide for ActiveTCL and the Sguil client is available at TaoSecurity.


Manual configuration

Edit the Snort configuration file from the command prompt:
  • /etc/editor /data/snort/etc/snort.conf
  • Uncomment and change the output methods as needed.
  • Start snort
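Whether the policy arrives from IDS Policy Manager (the Output Modules and Variables steps earlier on this page) or is edited by hand as above, what the sensor runs is the resulting /data/snort/etc/snort.conf: SGUIL_HOST must be set, log_unified must be enabled so barnyard has something to forward, and the alert_full output should point at /dev/null rather than at a file on the router. The following shell check is an added example, not part of the ImageStream documentation, of Snort or of IDS Policy Manager. It reads a snort.conf on stdin and verifies those three points, warning about any other enabled output module; the conf fragments are constructed for the example, and the directive syntax assumed is that of Snort 2.8 (`var NAME value`, `output module: args`).

```sh
#!/bin/sh
# Added example: sanity-check the output section of a Snort 2.8 snort.conf
# as this page configures it (SGUIL_HOST set, log_unified enabled,
# alert_full sent to /dev/null). Not part of Snort or IDS Policy Manager.
# Usage on the router: check_snort_outputs < /data/snort/etc/snort.conf

check_snort_outputs() {
    have_unified=no sguil_host="" extra="" rc=0
    while IFS= read -r line; do
        # Drop leading whitespace, then skip blank lines and comments
        # (a commented-out "# output ..." line is not an enabled module).
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$line" in
            ''|'#'*) continue ;;
            "var SGUIL_HOST "*)
                sguil_host=${line#var SGUIL_HOST } ;;
            "output log_unified:"*)
                have_unified=yes ;;
            "output alert_full:"*)
                # Acceptable only when it discards the alerts.
                case "$line" in
                    *" /dev/null"*) ;;
                    *) extra="$extra alert_full" ;;
                esac ;;
            "output "*)
                # Any other enabled output module writes somewhere on the
                # router or to a network target; report it.
                mod=${line#output }
                mod=${mod%%:*}
                mod=${mod%% *}
                extra="$extra $mod" ;;
        esac
    done
    if [ "$have_unified" != yes ]; then
        echo "FAIL: no enabled 'output log_unified:' line; barnyard/sguil receive nothing"
        rc=1
    fi
    if [ -z "$sguil_host" ]; then
        echo "FAIL: 'var SGUIL_HOST' is not set"
        rc=1
    fi
    [ -z "$extra" ] || echo "WARN: other output modules enabled:$extra"
    [ "$rc" -eq 0 ] && echo "ok: unified logging enabled, SGUIL_HOST=$sguil_host"
    return "$rc"
}

# Constructed snort.conf fragments (not the page's file).
GOOD_CONF='var HOME_NET any
var SGUIL_HOST 192.0.2.10
# output alert_syslog: LOG_AUTH LOG_ALERT
output log_unified: filename snort.log, limit 128
output alert_full: /dev/null'

# Hand-edited and broken: SGUIL_HOST missing, unified logging commented out,
# and alert files left enabled that would fill the router's storage.
BAD_CONF='var HOME_NET any
# output log_unified: filename snort.log, limit 128
output alert_fast: alert.fast
output alert_full: alert.full'

printf '%s\n' "$GOOD_CONF" | check_snort_outputs
printf '%s\n' "$BAD_CONF" | check_snort_outputs || echo "(expected: broken fragment rejected)"
```

Run it before "Start snort" (or as the Checkconf step's companion) so that a configuration that silently logs to the router instead of to the console is caught before the sensor goes live.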

Documentation and Further reading

  • (Coming soon) Troubleshooting - Tips to help track down common problems
  • (Coming soon) FAQ - ImageStream Snort FAQ
  • (Coming soon) Glossary - Glossary of Snort terms
  • http://www.snort.org/docs/ - Official Snort documentation
