Monday, February 21, 2005

Snort Documentation for Creating a Distributed Intrusion Detection System on Fedora

Tested on Fedora Core 2 and Core 3.

Central Console Setup

MySQL Database

Based on Patrick Harper's guide to Snort/Acid installation (http://www.snort.org/docs/Snort_SSL_FC2.pdf)


DATABASE INSTALLATION

If necessary, install the database package and start the service.

 yum install mysql
service mysqld start

Download the latest SNORT package (http://www.snort.org/dl/snort-2.3.0.tar.gz) and version 2.2.0 (http://www.snort.org/dl/snort-2.2.0.tar.gz). Both will be needed to get the extra features of the database loaded.

 cd /usr/local/src
wget http://www.snort.org/dl/snort-2.3.0.tar.gz
wget http://www.snort.org/dl/snort-2.2.0.tar.gz
tar xvfz snort-2.3.0.tar.gz
tar xvfz snort-2.2.0.tar.gz

Time to make the database. If this is your first installation of MySQL, be sure to set the root password. Create a database 'snort', a user for it, and grant the appropriate permissions. NOTE: This is lifted almost verbatim from Patrick's doc at http://www.snort.org/docs/Snort_SSL_FC2.pdf. I've modified some of the content slightly to fit this example.


 mysql
mysql> SET PASSWORD FOR root@localhost=PASSWORD('password');
>Query OK, 0 rows affected (0.25 sec)
mysql> create database snort;
>Query OK, 1 row affected (0.01 sec)
mysql> grant INSERT,SELECT on snort.* to snort@localhost;
>Query OK, 0 rows affected (0.02 sec)
mysql> SET PASSWORD FOR snort@localhost=PASSWORD('password_from_snort.conf');
>Query OK, 0 rows affected (0.25 sec)
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
>Query OK, 0 rows affected (0.02 sec)
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort IDENTIFIED BY 'password_from_snort.conf';
>Query OK, 0 rows affected (0.02 sec)
mysql> exit
>Bye

Execute the following commands to create the tables

 mysql -u root -p < /usr/local/src/snort-2.3.0/contrib/create_mysql snort
Enter password: the mysql root password

Then install the extra DB tables using the following command

 zcat /usr/local/src/snort-2.2.0/contrib/snortdb-extra.gz |mysql -p snort
Enter password: the mysql root password

Now you need to check and make sure that the Snort DB was created correctly

 mysql -p
>Enter password:
mysql> SHOW DATABASES;

(You should see the following)

+----------+
| Database |
+----------+
| mysql    |
| snort    |
| test     |
+----------+
3 rows in set (0.00 sec)

 mysql> use snort
>Database changed
mysql> SHOW TABLES;

+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| flags            |
| icmphdr          |
| iphdr            |
| opt              |
| protocols        |
| reference        |
| reference_system |
| schema           |
| sensor           |
| services         |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
19 rows in set (0.00 sec)

 mysql> exit

BASE Analytics

Based on Patrick Harper's guide to Snort/Acid installation (http://www.snort.org/docs/Snort_SSL_FC2.pdf)


BASE INSTALLATION

If necessary, install the web server package and start the service.

 yum install httpd
service httpd start

Download the latest JPGraph (http://www.aditus.nu/jpgraph/jpdownload.php) and ADODB (http://phplens.com/lens/dl/adodb453.tgz) packages. Unpack and install them. This example assumes a default web root at /var/www/html.

 cd /usr/local/src
wget http://phplens.com/lens/dl/adodb453.tgz
wget http://members.chello.se/jpgraph/jpgdownloads/jpgraph-1.17.tar.gz
tar xvfz adodb453.tgz
tar xvfz jpgraph-1.17.tar.gz
mv adodb /var/www/
mv jpgraph-1.17 /var/www/
ln -s /var/www/jpgraph-1.17 /var/www/jpgraph

Download BASE (http://www.snort.org/dl/contrib/data_analysis/BASE/) from the snort website and unpack it.

 wget http://www.snort.org/dl/contrib/data_analysis/BASE/base-1.0.tar.gz
tar xvfz base-1.0.tar.gz
mv base /var/www/html/

Create the BASE configuration file and define the variables.

 cd /var/www/html/base
cp base_conf.php.dist base_conf.php
vi base_conf.php
Set $BASE_urlpath to the web path used to access BASE
$BASE_urlpath = "http:///base";
Set $DBlib_path to the ADODB path
$DBlib_path = "/var/www/adodb";
Set $DBtype to mysql
$DBtype = "mysql";
Set the alert and archive database names, hosts, users and passwords to match the snort database created above.
Set $ChartLib_path to the JPGraph path
$ChartLib_path = "/var/www/jpgraph/src";
Save and exit

Open a browser and navigate to your site. On first access, BASE will ask to install the requisite tables and alert data into the database. Press the Setup button. On successive accesses, this will already exist and BASE will go straight to the analytics page.

 http:///base 

Centralized Rule & Configuration Distribution

CREATE A CENTRALIZED DISTRIBUTION WEB SERVER

This is a very insecure setup and is not intended for a public-facing server. Only use this for an internal server. Please use appropriate security precautions.

These examples assume a default webroot installation at /var/www/html.

If necessary, install the web package and start the service.

 yum install httpd
service httpd start

Create a 'snort' directory and subdirectories.

 cd /var/www/html
mkdir -p snort/rules
mkdir -p snort/bleedingedge
mkdir -p snort/oinkmaster
mkdir -p snort/rpm
mkdir -p snort/config
cd snort

Get the basic packages needed to create a drone. This snort_mirror.sh sample script will pull mirrors of the relevant rule files from snort.org and bleedingsnort.org.

 /usr/local/bin/snort_mirror.sh 

Schedule the mirror script to be run with cron.

 crontab -e
0 5 * * * /usr/local/bin/snort_mirror.sh

Fill in the config and rpm directories. These are the master files. Use the RPMS from the Sensor Installation process.

 cd /var/www/html/snort/rpm
cp /usr/src/redhat/RPMS/i386/snort-2.3.0-0.fdr.1.i386.rpm .
cp /usr/src/redhat/RPMS/i386/snort-debuginfo-2.3.0-0.fdr.1.i386.rpm .
cp /usr/src/redhat/RPMS/i386/snort-mysql-2.3.0-0.fdr.1.i386.rpm .
cd ../config
cp /etc/oinkmaster.conf .

Change oinkmaster.conf to point to http:///snort/rules/snort-snapshot-2_3.tar.gz.

Note: this file contains passwords that grant access to the snort database. Perhaps an encrypted transport would be better.

 cp /etc/snort/snort.conf . 

Populate oinkmaster for distribution. Use the oinkmaster files from the Oinkmaster Rule Updates process.

 cd /var/www/html/snort/oinkmaster
cp /usr/local/src/oinkmaster/oinkmaster.pl .
cp /usr/local/bin/oinkmaster.sh .

Change the oinkmaster.sh file to point to http:///snort/bleedingedge/bleeding.rules.tar.gz.

USING THE CENTRAL SERVER

From the sensor machine, get the files needed to install the snort drone and install. Or just run this drone_install.sh script for all of the below steps.

 cd /usr/local/src
wget http:///snort/rpm/snort-2.3.0-0.fdr.1.i386.rpm
wget http:///snort/rpm/snort-debuginfo-2.3.0-0.fdr.1.i386.rpm
wget http:///snort/rpm/snort-mysql-2.3.0-0.fdr.1.i386.rpm
rpm -ivh snort-2.3.0-0.fdr.1.i386.rpm snort-mysql-2.3.0-0.fdr.1.i386.rpm snort-debuginfo-2.3.0-0.fdr.1.i386.rpm

On the drone, set up oinkmaster.

 cd /etc
wget http:///snort/config/oinkmaster.conf
cd /usr/local/bin
wget http:///snort/oinkmaster/oinkmaster.pl
wget http:///snort/oinkmaster/oinkmaster.sh

Set up the snort files.

 cd /etc/rc.d/init.d
wget http:///snort/config/snortd
cd /etc/snort
wget http:///snort/config/snort.conf
cd /etc/sysconfig
wget http:///snort/config/snort

Set it up for boot and run it.

 chkconfig snortd on
service snortd start

Check the log for errors.

 grep snort /var/log/messages

UPDATING THE DRONES

A cron job will need to be set up to automatically update the configuration files, rules, and restart snort. The job will need to retrieve oinkmaster and snort configuration changes and update the rules. It will then need to restart snort for the changes to take effect. A cron job like this drone_update.sh script should do the trick. This will be run as root because of the service restart at the end, which needs root privileges. Only make changes to the master server if you've thoroughly tested the effect in a comparably configured test drone or you'll run the risk of killing all of the sensors!

 crontab -e
15 2 * * * /usr/local/bin/drone_update.sh
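As an added example (not the page's own drone_update.sh, which is not reproduced here), a drone update script that does what this step describes: fetch the configuration files from the central server, run oinkmaster, and restart snort only when something actually changed and the new configuration passes `snort -T`, so a bad push from the master cannot take every sensor down. The CENTRAL hostname, the log file /var/log/drone_update.log and the `.prev` rollback copies are assumptions; the file locations follow the earlier sections of this page.

```bash
#!/bin/bash
# drone_update.sh (added example): pull configuration and rules from the
# central server and restart snort only if the new config passes "snort -T".
# CENTRAL is a placeholder; the page elides the central server's hostname.
CENTRAL="http://central.example.internal/snort"
LOG="/var/log/drone_update.log"
log() { echo "$(date '+%F %T') $*" >> "$LOG"; }

# install_if_changed NEWFILE DEST: replace DEST with NEWFILE only when the
# contents differ. Returns 0 if a change was installed, 1 if DEST was already
# identical (NEWFILE is consumed either way).
install_if_changed() {
    new="$1"; dest="$2"
    if [ -f "$dest" ] && cmp -s "$new" "$dest"; then
        rm -f "$new"
        return 1
    fi
    [ -f "$dest" ] && cp -p "$dest" "$dest.prev"   # keep one rollback copy
    mv "$new" "$dest"
    return 0
}

# fetch URL DEST: download to a temp file, then install it if it differs.
fetch() {
    tmp=$(mktemp) || return 1
    if ! wget -q -O "$tmp" "$1"; then
        log "fetch failed: $1"; rm -f "$tmp"; return 1
    fi
    install_if_changed "$tmp" "$2"
}

main() {
    changed=0
    fetch "$CENTRAL/config/oinkmaster.conf"   /etc/oinkmaster.conf         && changed=1
    fetch "$CENTRAL/oinkmaster/oinkmaster.sh" /usr/local/bin/oinkmaster.sh && changed=1
    fetch "$CENTRAL/config/snort.conf"        /etc/snort/snort.conf        && changed=1
    fetch "$CENTRAL/config/snortd"            /etc/rc.d/init.d/snortd      && changed=1
    # oinkmaster.sh (Oinkmaster section) refreshes the rules; hash them
    # before and after so a rules-only update also triggers a restart.
    before=$(cat /etc/snort/rules/*.rules 2>/dev/null | md5sum)
    /usr/local/bin/oinkmaster.sh
    after=$(cat /etc/snort/rules/*.rules 2>/dev/null | md5sum)
    [ "$before" != "$after" ] && changed=1
    if [ "$changed" -eq 0 ]; then log "no changes"; return 0; fi
    # The check the warning above calls for: a config that fails snort's own
    # test must never be pushed into a restart, or every sensor dies at once.
    if snort -T -c /etc/snort/snort.conf > /dev/null 2>&1; then
        service snortd restart && log "restarted snort after update"
    else
        log "ERROR: new snort.conf failed 'snort -T'; snort NOT restarted"
    fi
}
# Run main only when invoked as the installed script, so the functions can be
# sourced (for example by a test) without touching the system.
case "${0##*/}" in drone_update.sh) main "$@" ;; esac
```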

Sensor Installation

SENSOR INSTALLATION

Install these packages to satisfy dependencies.

 yum install mysql
yum install mysql-devel
yum install pcre
yum install pcre-devel

Download the latest PCRE package from http://www.pcre.org. This will provide the libpcre.h file required for the RPM build. Current version tested with is version 5.0.

 cd /usr/local/src
wget http:///sourceforge/pcre/pcre-5.0.tar.gz

Untar, build and install.

 tar xvfz /usr/local/src/pcre-5.0.tar.gz
cd pcre-5.0
./configure
make
make check
make install

Download the snort source from http://www.snort.org. Current version tested with is version 2.3.0.

 wget http://www.snort.org/dl/snort-2.3.0.tar.gz 

Untar the archive and enter the directory.

 tar xvfz /usr/local/src/snort-2.3.0.tar.gz
cd snort-2.3.0

Configure and make the source files.

 ./configure
make
make check

Change to the 'rpm' directory. Create the RPMS for install.

 cd rpm
rpmbuild --with fedora --with mysql -ta /usr/local/src/snort-2.3.0.tar.gz

Install the RPMS.

 rpm -ivh /usr/src/redhat/RPMS/i386/snort-2.3.0-0.fdr.1.i386.rpm /usr/src/redhat/RPMS/i386/snort-debuginfo-2.3.0-0.fdr.1.i386.rpm /usr/src/redhat/RPMS/i386/snort-mysql-2.3.0-0.fdr.1.i386.rpm 

The RedHat-compliant setup makes some assumptions that need to be fixed. Edit the daemon startup script in /etc/rc.d/init.d and remove the $ALERTMODE variable from each start line.

 cd /etc/rc.d/init.d
vi snortd
Remove $ALERTMODE from the start() function calls and save.

Edit the snort configuration file. Add an output for the database.

 cd /etc/snort
vi snort.conf
Change the HOME_NET variable to your public IP address
Add the line "output database: log, mysql, user=snort password= dbname=snort host=" to section 3.
OPTIONAL (DShield): You may want to add "output alert_syslog: LOG_AUTH LOG_ALERT" for use with DShield parsing scripts.
Save and exit.

Test snort.

 snort -T -c /etc/snort/snort.conf 

If all is well, change the ownership to the snort user. This will make life easier later.

 chown -R snort:snort /var/log/snort /etc/snort 

Add snort to the startup regimen and start the service.

 chkconfig --add snortd
chkconfig snortd on
service snortd start

Final check: check syslog for successful startup messages.

 grep snort /var/log/messages

Oinkmaster Rule Updates

OINKMASTER INSTALLATION

Get the latest script from the snort website (http://www.snort.org/dl/contrib/rule_management/oinkmaster/). Untar it.

 cd /usr/local/src
wget http://www.snort.org/dl/contrib/rule_management/oinkmaster/oinkmaster-1.1.tar.gz
tar xvfz oinkmaster-1.1.tar.gz
ln -s oinkmaster-1.1 oinkmaster
cd oinkmaster

Install the script into one of the local binary directories. I prefer /usr/local/bin.

 cp oinkmaster.pl /usr/local/bin 

Modify and install the configuration file.

 vi oinkmaster.conf
Set url to the path of your snort version
url = http://www.snort.org/dl/rules/snortrules-snapshot-2_3.tar.gz
Save and exit.
cp oinkmaster.conf /etc/

To add some additional functionality to oinkmaster, you might want to write a script. This would allow for updates from multiple sites (say Bleeding Edge and Snort.org), mail notification, logging and so forth. Here's my sample oinkmaster.sh script.

 wget http://www.hunt-family.net/oinkmaster.sh
vi oinkmaster.sh
Change the email address to your own.
Save and exit.
cp oinkmaster.sh /usr/local/bin

Schedule the script to run at a time of your choosing with cron, preferably as the 'snort' user.

 crontab -e -u snort
07 01 * * * /usr/local/bin/oinkmaster.sh
Save and exit.

D-Shield Integration

Integrating Snort with DShield for Automated Reporting of Violators to ISPs.

OVERVIEW

DShield is an organization dedicated to monitoring Internet threats from the same folks that update the Internet Storm Center (http://isc.sans.org). In fact, much of the data presented on the Internet Storm Center is from the DShield collaborative. For more information or reasons why you should contribute to DShield, visit their site at http://dshield.org.

GET THE SCRIPTS

Navigate to http://www.dshield.org/howto.php and download the client of choice. For this example, I've used the "Linux 2.4x iptables," "Snort 1.8," and "Snort Portscan" clients.

 cd /usr/local/src
wget http://www.dshield.org/clients/framework/iptables.tar.gz
wget http://www.dshield.org/clients/framework/snort_portscan.tar.gz
wget http://www.dshield.org/clients/framework/snort_18_syslog.tar.gz

REGISTER ON THE SITE

Click the "Signup" link on the home page. This allows you to receive a nicely formatted daily report on the attacks/scans you have submitted. Registration for the Fightback program is optional, but recommended. This gives the DShield organization permission to submit abuse complaints to ISPs on your behalf.

CONFIGURE AND TEST

Untar the archives.

 tar xvfz iptables.tar.gz
tar xvfz snort_18_syslog.tar.gz
tar xvfz snort_portscan.tar.gz

Enter the iptables directory and edit the test.cnf file to fit your environment. Change the "whereto=" line to "whereto=./output.txt". To test the mail delivery of the output, uncomment and enter your email address and local sendmail command. The default is usually sufficient. NOTE: An MTA must be running on the host running the script. Run the test wrapper and review the results in output.txt and debug.txt.

 cd iptables
vi test.cnf
Change 'whereto=' to a local output file.
Change the email information and enable the sendmail command.
Save and exit.
./test_wrapper.sh

The script should run and deliver output to the local 'output.txt' file. Check it to see if the iptables denials were dumped correctly. To see how the process worked, look at the debug.txt file as well.

 cat output.txt
cat debug.txt

If satisfactory, repeat for the snort and snort portscan scripts. Each of these should read from the /var/log/messages file for different lines. Check your email to see if the email messages delivered properly.

SETTING UP A COMMON CONFIGURATION SET FOR MULTIPLE SCRIPTS

Create a configuration directory under /etc. Populate it with the source and target exclude files. Also copy the production configuration file.

 cd /usr/local/src/iptables
mkdir /etc/dshield
cp *.lst dshield.cnf /etc/dshield/

Now modify the exclude files. The source-exclude file should include your private network ranges and any testing Internet servers you may use. The other exclude files are typically fine as they are.

 cd /etc/dshield
mv dshield.cnf dshield_iptables.cnf
vi dshield-source-exclude.lst
I added GRC Shields Up! scanner to my exclude list since I use it to do most of my Internet-based port scanning.
Save and exit.

Edit the configuration file for production script use. Enter your email and the user id you received when you registered at the DShield site. Leave the 'to=' field as it is. If you would like to receive a copy of what the script submits, add your email to the 'cc=' line. Set 'whereto=' to 'whereto=MAIL'. Change the path in the 'source_exclude=', 'source_port_exclude=', 'target_exclude=' and 'target_port_exclude=' variables to /etc/dshield/(filename). Make sure 'obfus=N' to use the Fightback service. Set 'verbose=N', but set 'debug=Y' so the script writes a transcript file that is used in a later step.

 vi dshield_iptables.cnf
Edit the variables as described above:
from=
userid=
to=report@dshield.org
log=/var/log/messages
sendmail=/usr/sbin/sendmail -oi -t
whereto=MAIL
source_exclude=/etc/dshield/dshield-source-exclude.lst
target_exclude=/etc/dshield/dshield-target-exclude.lst
source_port_exclude=/etc/dshield/dshield-source-port-exclude.lst
target_port_exclude=/etc/dshield/dshield-target-port-exclude.lst
obfus=N
linecnt=/tmp/dshield.cnt
verbose=N
debug=Y
rotate=N
Save and exit.

Copy the snort and snort portscan config files into the /etc/dshield directory as dshield_snort.cnf and dshield_snort_portscan.cnf files. Perform the same procedure on them, only use dshield_snort.cnt or dshield_portscan.cnt for the linecnt variable. When complete, the /etc/dshield directory should contain the following:

   root@www bin# ls -1 /etc/dshield
dshield_iptables.cnf
dshield_snort.cnf
dshield-source-exclude.lst
dshield-source-port-exclude.lst
dshield-target-exclude.lst
dshield-target-port-exclude.lst
dshield_snort_portscan.cnf

CREATING THE PRODUCTION SCRIPTS

Install the perl scripts into the /usr/bin directory.

   cd /usr/local/src
cp iptables/iptables.pl /usr/bin
cp snort_18_syslog/snort_18_syslog.pl /usr/bin
cp snort_portscan/snort_portscan.pl /usr/bin

Once you have test scripts that work when executed manually, copy the launching scripts into the /usr/local/bin folder.

   cd /usr/local/src
cp iptables/test_wrapper.sh /usr/local/bin/dshield_iptables
cp snort_portscan/test_wrapper.sh /usr/local/bin/dshield_snort_portscan
cp snort_18_syslog/test_wrapper.sh /usr/local/bin/dshield_snort

When done, the folder should look similar to this:

   root@www bin# ls
dshield_iptables dshield_snort dshield_snort_portscan

Create a script to launch all of the others at /usr/local/bin/dshield.

   root@www bin# cat /usr/local/bin/dshield
#!/bin/bash
/usr/local/bin/dshield_iptables
/usr/local/bin/dshield_snort_portscan
/usr/local/bin/dshield_snort

Create the /var/log directory for dshield.

   mkdir /var/log/dshield 

Edit the scripts for production use.

   cd /usr/local/bin
vi dshield_iptables
Comment out the "echo "20021201000000" > dshield.cnt" line.
Change the executable line to read "/usr/bin/iptables.pl -config=/etc/dshield/dshield_iptables.cnf > /var/log/dshield/iptables_debug.txt"
Save and exit.
   vi dshield_snort
Comment out the "echo "20021201000000" > dshield.cnt" line.
Change the executable line to read "/usr/bin/snort_18_syslog.pl -config=/etc/dshield/dshield_snort.cnf > /var/log/dshield/snort_syslog_debug.txt"
Save and exit.
   vi dshield_snort_portscan
Comment out the "echo "20021201000000" > dshield.cnt" line.
Change the executable line to read "/usr/bin/snort_portscan.pl -config=/etc/dshield/dshield_snort_portscan.cnf > /var/log/dshield/snort_portscan_debug.txt"
Save and exit.

AUTOMATING SUBMISSIONS

Edit the root crontab file to execute the scripts.

   crontab -e
Add a line with "20 * * * * /usr/local/bin/dshield". This will execute the script on the :20 minute every hour.
Save and exit.

FINAL TESTING

Execute the dshield script manually to test it. Make sure the three submission emails are received.

   /usr/local/bin/dshield 

WRAPPING UP

Once running well, the submission emails can be curtailed by editing the /etc/dshield/*.cnf files and blanking out the "cc=" email addresses.
