The other side of Intrusion detection on Linux: Snort
You may wonder why the title contains the words " the other side". In our Tripwire article we've shown that there are two major types of Intrusion Detection Systems: network-based and host-based. While Tripwire is host-based, this time we will show you how to install and configure Snort, a network-based IDS/IPS. We will not repeat the theoretical introduction, because we already exposed it in the previous article. We'll go directly to installing and configuring snort for your needs. What we expect from you in terms of knowledge is thorough understanding of networks, security and system administration. Without these, you're likely better off without a NIDS, because it's a complex beast with lots of options. Also, some Perl knowledge would be useful, because Snort uses the PCRE for matching. If you need an additional help, feel free to ask on our new Linux forum.
2. Installing Snort
Debian offers you a good start when installing Snort, because it presents a nice dialog to help you set up the address range for your LAN.
In terms of installation per se, all you have to do is
# aptitude install snort
After some research, it seems that Fedora doesn't offer Snort, probably because although the software is GPL2-licensed, the rules require registration. But one can always install snort from source on Fedora systems and even package it and put it in a custom repository, because it's less likely Snort will be in an official Fedora repo anytime soon.
If you already have the server:monitoring repository enabled, you'll find snort ready to be installed. If not, enable the repository and install snort like this:
# zypper ar http://download.opensuse.org/repositories/server:/monitoring/ servermonitoring # zypper ref # zypper in snort
2.4. Arch Linux
# pacman -S snort
You can find a slackbuild in the network category for Slackware.
# emerge snort
3. Configuring Snort
Before we begin, you must be aware of the way Snort works. It offers three modes in which it can be run, those being sniffer mode (Snort runs as a packet sniffer), packet logger mode (logs to disk) and NIDS mode, what we're more interested in, for which you will need some ruleset and some configuration, depending on what you want to accomplish. So, we will talk a bit about the first two modes, then teach you how to configure Snort to work as a NIDS.
3.1. Sniffer mode
Remember that you will have to run Snort as root, for the same reasons Wireshark or similar tools must be run as root. So the most basic usage would be using -v for printing TCP/UDP/ICMP headers on your screen, and maybe -i $interface to tell Snort what interface it should listen on:
# snort -v -i eth0
On a machine on the LAN with no browser, server, torrent client, etc. started, we saw nothing, obviously. To test, we tried to ping that machine from another one in the LAN. Here's some sample output:
What you see here is basic ICMP packet exchange, also known as ping-pong. Now if you want to see the data traveling between the hosts, you will use the -d flag:
# snort -i eth0 -vde
The -e flag here is used for data link header sniffing and the output with these flags would look like this:
3.2. Packet logger mode
OK, let's go to the next mode, since Snort's main purpose isn't to be a sniffer. So, if you want to log your output to disk, you will use the same options as above, plus -l $location, like this:
# snort -i eth0 -vde -l ./snortlogs
You will notice that the output file isn't quite useful for reading with a text editor, and that's because Snort writes its' logs in tcpdump format. Speaking of which, you can use tcpdump or any other sniffer that "speaks" tcpdump to read the logs, or you can use the -r flag:
# snort -dve -r ./snortlogs/snort.log.8732687341
If you have lots of traffic to record/log, lose the -dve flags and use -b (binary format). You will still be able to read the logs in the same manner. Please refer to the manual page for details.
3.3. NIDS mode
Before you can use Snort as a NIDS, you must edit its' snort.conf file, located in /etc/snort. It is a very well-commented file that will explain what each option does and how to alter it to fit your security policy. Speaking of security policy, we will offer you examples on how to configure Snort, but you must realize every security scenario is different from site to site. We will presume that you know exactly what you want to achieve before editing the file, because it depends on what services your network offers (HTTP, database, etc.) and what your security settings are. Parts of this file will depend on Snort's build flags, so you may want to compile it yourself and repackage it before use.
The file begins, as you will see, with the steps necessary to get to a custom snort.conf. We don't want to repeat what the comments say, because that wouldn't offer much value to this article. Instead we'll just comment on some important configuration options for a better understanding. First and foremost, change HOME_NET to a value that reflects what's on your network. On the other hand, EXTERNAL_NET has a pretty obvious name too, so set that up as well. Next part deals with what exactly you want to protect: in our example we run a database server and a HTTP server, for the sake of simplicity. So we would have two lines like this:
var HTTP_SERVERS $HOME_NET var SQL_SERVERS $HOME_NET
Now to configure the ports the servers are listening on:
var HTTP_PORTS 80 var SQL_PORTS 5432 # This is the default port Postgres listens on
Next let's tell Snort where to find its' rules. Please have in mind that if you want to write your own rules and not use the default ones, that's fine. However, since we assume a more beginner-level and we only want to get your feet wet, we'll roll with the default rules for now. So, writing a line like this (this value is probably there already, and if it is, don't change it without good reason)
var RULE_PATH $IDS_BASE/rules
We get to section two, which deals with decoders. For now, we will leave that section as it is, and we invite you to read README.decode and README.daq so you can get the big picture, because at one moment, if you continue using Snort, you'll need the information contained therein. Even if you installed from your distribution's repositories, it's a good idea to download the latest tarball and take a peek inside /etc from the unpacked directory.
Moving further, we get to the preprocessors section. For a small LAN with a HTTP and a SQL server to monitor, one needs not alter the defaults for now. Just remember to comment out the preprocessors you do not use, like SMTP or Telnet.
We get to the rules part, which is somewhat problematic. You will need an account on the Snort website (at least) in order to download the rulesets. Or you can use Debian, which seems to offer the rules in the "snort-rules-default" package. We tested and installed Snort on Debian, OpenSUSE and Arch and only Debian offers a start-up ruleset, offered by the community, as the package description tells us. We said "at least" earlier, regarding registration on the website because there is a difference between registered and subscribed. The difference being money and how actual the offered ruleset will be. Of course, if you intend to use Snort in a corporate environment talk to your manager so you can pay, because old rulesets are as bad as old virus definitions on Windows machines.
Anyway, we presume for the rest of this article that your rules are in place and that place is reflected in your RULE_PATH variable (the default is /etc/snort/rules). Same goes with SO_RULE_PATH and PREPROC_RULE_PATH. In the vanilla snort.conf you will find lots of include directives for a lot of rules. Do you need them all? By reading the snort.conf file you gan guess by the filenames what you want and what you don't, so comment out what you don't need.
3.3.2. Running in NIDS mode
After you have written your file, you can start Snort as follows:
# snort -dve -l ./snortlogs -c /etc/snort/snort.conf
Now, is there are no problems, snort will start in NIDS mode. Use this to check your snort.conf for issues. Remember that if you don't use -l, all logging will be done via /var/log. If your distribution doesn't supply some kind of init script, use -D to start Snort as a daemon and write your own script. You can use PostgreSQL or MySQL to store the data that Snort captures and BASE for analysis of said data (you'll need a webserver with PHP).
As you can see, you must have some knowledge to get Snort up and running, but once you do, you will sleep better knowing that your network is more secure. Although you are required to read the manual (repeatedly) in order to get to a working, fine-tuned configuration, the results will be rewarding.