Thursday, April 1, 2010

"Snort RPM Based Installation with SnortSnarf and Snort Rule Creation Methods"

RPM Based Installation of Snort with SnortSnarf and Snort Rule Creation Methods:
===============================================================================
written by: Muhammad Farrukh Siddique


Snort is an open source Network Intrusion Detection System (NIDS).
Snort can also act as a packet sniffer and a packet logger.
In this section we will discuss the most useful mode of Snort, the Intrusion Detection System (IDS) mode.

Snort can also be installed on the Windows platform, which will be covered later.
The operating system used here is CentOS-5.3.


Snort Installation and Configuration:
------------------------------------

First of all, download and install the following required packages:


# snort and snort-mysql RPMs (downloadable from http://www.snort.org/downloads)
# mysql and mysql-server-5.0 with all of their dependencies
# libpcap
# Apache (httpd)
# php5
# php-cli
# php-common
# php-devel
# php-ldap
# php5-mysql

You can check which of these RPMs are already installed with the rpm -qa command.
Missing packages can be installed either from the source DVD or with yum.

After downloading the Snort RPMs, check their GPG signatures with rpm --checksig, then install them:

[root@snortserver tmp]# rpm -ivh snort-2.8.5.3-1.RH5.i386.rpm

[root@snortserver tmp]# rpm -ivh snort-mysql-2.8.5.3-1.RH5.i386.rpm


Now configure some basic settings for Snort:

# vim /etc/snort/snort.conf

Change "var HOME_NET any" to "var HOME_NET 192.168.2.0/24". HOME_NET can be a single IP address, a list of addresses written as [192.168.2.1,192.168.2.10], or several networks written as [192.168.1.0/24,192.168.2.0/24].

Change "var EXTERNAL_NET any" to "var EXTERNAL_NET !$HOME_NET" (everything that is not in HOME_NET is external).

The rule path should be

var RULE_PATH /etc/snort/rules

save and exit


Now add rules to the /etc/snort/rules directory.

You can download every .rules file from http://cvs.snort.org/viewcvs.cgi/snort/rules/ one by one,

or follow the simpler way: I have collected all the links below for your convenience, to save time.


# cd /tmp

# mkdir rules

# cd rules

# vim download-rules.txt

http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/attack-responses.rules?rev=1.23.2.7
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/backdoor.rules?rev=1.50
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/bad-traffic.rules?rev=1.22.2.5
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/chat.rules?rev=1.27
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/ddos.rules?rev=1.14.2.7
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/deleted.rules?rev=1.39
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/dns.rules?rev=1.42
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/dos.rules?rev=1.43
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/experimental.rules?rev=1.80
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/finger.rules?rev=1.29
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/ftp.rules?rev=1.63
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/icmp-info.rules?rev=1.25
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/icmp.rules?rev=1.27
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/imap.rules?rev=1.13.2.13
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/info.rules?rev=1.31
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/misc.rules?rev=1.59
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/local.rules?rev=1.13
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/multimedia.rules?rev=1.15
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/mysql.rules?rev=1.13
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/netbios.rules?rev=1.54
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/nntp.rules?rev=1.16
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/oracle.rules?rev=1.21
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/other-ids.rules?rev=1.12
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/p2p.rules?rev=1.20
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/pop2.rules?rev=1.14
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/pop3.rules?rev=1.26
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/porn.rules?rev=1.12
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/rservices.rules?rev=1.24
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/scan.rules?rev=1.19.2.6
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/shellcode.rules?rev=1.27
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/smtp.rules?rev=1.48
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/snmp.rules?rev=1.19
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/sql.rules?rev=1.32
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/telnet.rules?rev=1.40
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/tftp.rules?rev=1.21
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/web-attacks.rules?rev=1.21
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/web-cgi.rules?rev=1.63.2.15
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/web-client.rules?rev=1.27
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/web-coldfusion.rules?rev=1.30
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/web-frontpage.rules?rev=1.35
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/web-iis.rules?rev=1.84
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/web-misc.rules?rev=1.102.2.15
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/web-php.rules?rev=1.23
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/x11.rules?rev=1.20

save and exit


# wget -i download-rules.txt

This downloads all the rule files at once and saves a lot of time.


[You can start Snort with nothing but empty .rules files, but remember that with empty rule files Snort will not detect anything.]

wget keeps the "?rev=..." query string in the saved file names (for example attack-responses.rules?rev=1.23.2.7), and the include lines in snort.conf refer to plain names such as $RULE_PATH/attack-responses.rules, so the files would not be found as they are. Keep a copy of the downloaded directory, rename each file to plain <name>.rules, and put the renamed files in the /etc/snort/rules directory.

Change the ownership of the newly created rule files:

# chown snort:root /etc/snort/rules/*

Keep the original downloaded directory and compare the revision number of each rule file against the site weekly, so that you can incorporate changes.

Additional rule sets (the Bleeding Edge Threats rules) can be downloaded from http://openmaniak.com/snort_bleeding.php and copied into the rules directory.
Then append a line like the following to the include section of /etc/snort/snort.conf for each new rule file:

include $RULE_PATH/bleeding.rules
include $RULE_PATH/bleeding-attack_response.rules
include $RULE_PATH/bleeding-dos.rules
include $RULE_PATH/bleeding-drop.rules
include $RULE_PATH/bleeding-dshield.rules
include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/bleeding-game.rules
include $RULE_PATH/bleeding-inappropriate.rules
include $RULE_PATH/bleeding-malware.rules
include $RULE_PATH/bleeding-p2p.rules
include $RULE_PATH/bleeding-scan.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/bleeding-web.rules
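As an added example (not from the original post), the following bash script automates the two manual steps above: it strips the "?rev=..." suffix that wget leaves on downloaded rule files, and it prints an include line for every .rules file in the rules directory that snort.conf does not include yet, so the list can be reviewed and appended to the include section. The directory and file names are assumptions for illustration.

```bash
#!/bin/bash
# Added example, not from the original post. Paths below are assumptions.
#
# rename_rule_files DIR
#   Renames every "<name>.rules?rev=<revision>" that wget left in DIR to
#   plain "<name>.rules" and prints how many files were renamed.
rename_rule_files() {
    local dir=$1 f n=0
    for f in "$dir"/*.rules'?rev='*; do
        [ -e "$f" ] || continue          # no such files: the glob stayed literal
        mv -- "$f" "${f%%\?rev=*}"       # drop everything from "?rev=" onward
        n=$((n + 1))
    done
    echo "$n"
}

# missing_includes RULES_DIR SNORT_CONF
#   Prints "include $RULE_PATH/<file>" for every .rules file in RULES_DIR
#   that SNORT_CONF does not already include. A line commented out with a
#   leading "#" does not count as an include.
missing_includes() {
    local rules_dir=$1 conf=$2 f name
    for f in "$rules_dir"/*.rules; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        if ! awk -v want="\$RULE_PATH/$name" \
                '$1 == "include" && $2 == want { found = 1 }
                 END { exit found ? 0 : 1 }' "$conf"; then
            echo "include \$RULE_PATH/$name"
        fi
    done
}

# Typical use (assumed paths):
#   rename_rule_files /tmp/rules
#   cp /tmp/rules/*.rules /etc/snort/rules/ && chown snort:root /etc/snort/rules/*
#   missing_includes /etc/snort/rules /etc/snort/snort.conf > /tmp/new-includes.txt
```

Run rename_rule_files on the download directory, copy the renamed files into /etc/snort/rules, then write the output of missing_includes to a scratch file, review it, and append it to snort.conf. Writing the list to a separate file first avoids appending rules you did not intend to enable.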

Now it is time to start Snort:

# /etc/init.d/snortd start

Snort writes its alerts to /var/log/snort/alert itself; the syslogd daemon only needs to be running if you also send alerts to syslog (output alert_syslog in snort.conf).

The log file named 'alert' will be created in the /var/log/snort directory.

Now run a port scan and check the alerts in the /var/log/snort/alert file. If you defined a whole subnet in HOME_NET you can scan any host in it, but the scan traffic must cross the interface Snort is listening on (INTERFACE in /etc/sysconfig/snort, eth0 by default), so that host must be reachable through that interface.
If you have network problems, try stopping iptables and SELinux for the duration of the test, and turn them back on afterwards.

If you have nmap installed, simply run it from another host in HOME_NET against the Snort server's address (192.168.2.5 here):

# nmap 192.168.2.5

Scanning localhost from the Snort server itself only generates traffic on the loopback interface, which Snort is not watching, and 127.0.0.1 is not in HOME_NET, so such a scan produces no alerts.

You can watch the alerts in real time with

# tailf /var/log/snort/alert

At this point Snort is running fine and generating alerts.
Now let's move on to a more interesting section.


Creating your own Snort Rules:
----------------------------

You can also use a Snort rule generator or similar utilities, but it is better to write the rule in a file yourself. Let's do it.

We are going to create a rule that generates an alert whenever someone tries to open youtube.com.

# vim /etc/snort/rules/youtube.rules

alert tcp any any -> any any (msg:"someone is accessing youtube"; content:"www.youtube.com"; nocase; sid:1000003; rev:1;)

Save and exit.

Now add the rule file to snort.conf:

# vim /etc/snort/snort.conf

Append this line to the include section:

include $RULE_PATH/youtube.rules

Save and exit.

Check the configuration for errors with snort -T -c /etc/snort/snort.conf, then restart the Snort daemon so the change takes effect:

# /etc/init.d/snortd restart



Let's describe the rule:


alert tcp any any -> any any (msg:"someone is accessing youtube"; content:"www.youtube.com"; nocase; sid:1000003; rev:1;)


alert = rule action: log the packet and generate an alert
tcp = protocol
1st any = source IP address (any address; in our test it is your local host)
2nd any = source port (any port)
-> = direction operator, from source to destination
3rd any = destination IP address (any address; in our test it is a YouTube server)
4th any = destination port (any port; for HTTP it would be 80)
msg = the text shown in the alert
content = byte string to search for in the packet payload; nocase makes the match case-insensitive, since host names are case-insensitive
sid = Snort rule ID, which Snort uses to tell alerts and their descriptions apart; IDs from 1000000 upward are reserved for local rules, so use those for your own
rev = revision number of the rule; increase it whenever you change the rule

Because source, destination and ports are all "any", this rule fires on any TCP payload in either direction that contains the string, including web pages that merely link to www.youtube.com. Restricting it to $HOME_NET any -> $EXTERNAL_NET 80 would narrow it to outbound HTTP requests.

Now that the rule is created and the Snort daemon restarted, let's check that the new rule works.


Just type

# elinks www.youtube.com

and wait for YouTube to load,

or open a browser and type www.youtube.com

Then view the alerts:

# cat /var/log/snort/alert

You will see alerts like these:

[**] [1:1000003:1] someone is accessing youtube [**] [Priority: 0] {TCP} 192.168.2.5:48401 -> 64.233.169.139:80
[**] [1:1000003:1] someone is accessing youtube [**] [Priority: 0] {TCP} 192.168.2.5:38510 -> 110.93.194.23:80

1:1000003:1 is gid:sid:rev, and "Priority: 0" appears because the rule has no classtype or priority option.
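As an added example that is not part of the original post, here is a small bash script that parses alert lines in the fast format shown above and summarises them per signature and per source/destination pair, a quick way to confirm that a new rule fires and to see which hosts trigger the most alerts. The lines in SAMPLE_ALERTS are constructed for this example (the sid 469 entries imitate the "ICMP PING NMAP" alerts a port scan can trigger); the function names are my own.

```bash
#!/bin/bash
# Added example, not from the original post: summarise Snort "fast" alert
# lines like the ones shown above. The lines in SAMPLE_ALERTS are constructed
# for this example; the sid 469 entries imitate the "ICMP PING NMAP" alerts
# that a port scan of a HOME_NET host can trigger.
SAMPLE_ALERTS='[**] [1:1000003:1] someone is accessing youtube [**] [Priority: 0] {TCP} 192.168.2.5:48401 -> 64.233.169.139:80
[**] [1:1000003:1] someone is accessing youtube [**] [Priority: 0] {TCP} 192.168.2.5:38510 -> 110.93.194.23:80
[**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.2.9 -> 192.168.2.5
[**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.2.9 -> 192.168.2.5
[**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.2.9 -> 192.168.2.5'

# count_by_signature < alertfile
#   One line per signature, "<count> <gid:sid:rev> <msg>", most frequent first.
#   The leading ".*" skips the timestamp that alert_fast normally writes in
#   front of "[**]".
count_by_signature() {
    sed -n 's/.*\[\*\*\] \[\([0-9:]*\)\] \(.*\) \[\*\*\].*/\1 \2/p' \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# count_by_pair < alertfile
#   One line per "<src> -> <dst>" with ports stripped, most frequent first.
#   The last "->" on the line is used so that a rule msg containing "->"
#   cannot confuse the parser.
count_by_pair() {
    awk '{ j = 0
           for (i = 2; i < NF; i++) if ($i == "->") j = i
           if (j) { split($(j-1), s, ":"); split($(j+1), d, ":")
                    print s[1] " -> " d[1] } }' \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# alerts_for_sid SID < alertfile
#   Number of alerts generated by rule SID (generator 1), e.g. to confirm
#   that a newly written rule actually fires. Prints 0 when there are none.
alerts_for_sid() {
    grep -c "\[\*\*\] \[1:$1:" || true
}

# Typical use against the real file:  count_by_signature < /var/log/snort/alert
```

To check the youtube rule from above, run alerts_for_sid 1000003 < /var/log/snort/alert after loading the page; a result of 0 means the rule never matched, which usually points at the include line, the HOME_NET setting or the interface Snort is listening on.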



SnortSnarf:
----------

To get more out of the alerts, we need to see them in a more descriptive form.

So let's install and configure SnortSnarf, an HTML report generator for Snort alerts.

Make sure that Apache is installed and running:

[root@snortserver ~]# /etc/init.d/httpd status
httpd (pid 2992 2991 2990 2989 2988 2987 2986 2985 2983) is running...
[root@snortserver ~]#

Otherwise, start it:

# /etc/init.d/httpd start

Make sure the perl5 packages are installed, because SnortSnarf depends on the Perl Time modules.

Let's start.

Download SnortSnarf from http://sourceforge.net/projects/snortsnarf/ (the -O option keeps wget from adding the "?use_mirror=space" query string to the saved file name):

# cd /etc

# wget -O SnortSnarf-1.0.tar.gz 'http://downloads.sourceforge.net/project/snortsnarf/snortsnarf/Initial%20Release%201.0/SnortSnarf-1.0.tar.gz?use_mirror=space'

# tar -zxvf SnortSnarf-1.0.tar.gz

Now download and install the Time modules that SnortSnarf needs, from http://search.cpan.org/~muir/Time-modules-2006.0814/

# wget http://search.cpan.org/CPAN/authors/id/M/MU/MUIR/modules/Time-modules-2006.0814.tar.gz

# tar -zxvf Time-modules-2006.0814.tar.gz

# cd Time-modules-2006.0814

Install the modules with the following commands (the file is Makefile.PL, with an upper-case PL):

# perl Makefile.PL

# make

# make test

# make install

After successful installation of the Time modules, create a destination directory where SnortSnarf will write its HTML pages:

# mkdir /var/www/html/ids

Now run SnortSnarf:

# cd /etc/SnortSnarf-1.0

# ./snortsnarf.pl -d /var/www/html/ids/ /var/log/snort/alert

where -d gives the output directory and /var/log/snort/alert is the input file.

The above command prints output similar to this on the console:

[root@snortserver SnortSnarf-1.0]# ./snortsnarf.pl -d /var/www/html/ids/ /var/log/snort/alert
Using an array as a reference is deprecated at include/SnortSnarf/HTMLMemStorage.pm line 290.
Using an array as a reference is deprecated at include/SnortSnarf/HTMLAnomMemStorage.pm line 266.
SnortFileInput: input file /var/log/snort/alert exists but is length 0; skipping it
[root@snortserver SnortSnarf-1.0]#

If your /var/log/snort/alert file is not empty, the last line will not appear. The two "deprecated" warnings come from newer Perl versions and do not affect the generated pages.


Cron Job for SnortSnarf:
-----------------------

Create a cron job that runs the SnortSnarf script automatically, so that the HTML pages are regenerated from the alert file at regular intervals.

First of all, make a simple script:

# cd /etc

# touch snortsnarf

# vim snortsnarf

#!/bin/sh
# Regenerate the SnortSnarf HTML pages from the current alert file.
cd /etc/SnortSnarf-1.0 || exit 1
./snortsnarf.pl -d /var/www/html/ids /var/log/snort/alert

Save and exit.

Make the script executable:

# chmod +x snortsnarf

Now define a new cron job that runs snortsnarf every 5 minutes:

# crontab -e

*/5 * * * * /etc/snortsnarf

Save and exit.

*/5 means that snortsnarf runs every 5 minutes; adjust the interval as needed. Each run parses the whole alert file again, so runs take longer as the file grows.

crontab -e installs the job immediately, so restarting crond is not required, and Apache does not need a restart either; doing so is harmless:

# /etc/init.d/crond restart

# /etc/init.d/httpd restart

Now generate some alerts in /var/log/snort/alert with a simple port scan, wait for the next cron run, then open your browser and go to http://localhost/ids

You will see the alerts; click on an alert to drill down into more details, and go on from there. Keep in mind that the pages in /var/www/html/ids are served by Apache without any access control, so for now only expose them on a trusted network.

Snort IDS with SnortSnarf has now been configured successfully, Alhamdulillah.

In the next session we will discuss some advanced functionality: how alerts can be stored in a database and managed with Basic Analysis and Security Engine (BASE), an enhanced version of ACID with graphing facilities, and how SnortSnarf and other web-based utilities can be secured.