How to install a program (Snort) on your PC
- Maan Bayya
- Dec 28, 2018
- 23 min read
Before talking about how to install the Snort program, we will give a simple explanation of the program. Since the subject is long and has its own databases, it will be divided into several parts.
* What is the Snort program - Snort IDS?
Snort is real-time analysis software for network packets (Packet). Its working principle is the prevention of types of attack such as exploitation of vulnerabilities (Buffer OverFlow), port scans (Scan Port), CGI attacks, SMB probes and OS fingerprinting attempts.
* Installing Snort
In this section you will learn how to install a precompiled version of Snort as well as how to compile and install it yourself.
Installation of the pre-compiled RPM package is very easy and requires only a few steps.
However, if you get Snort in source code format, the installation process takes more time and some understanding of the build process.
* Installing Snort from the RPM Package
The installation procedure of Snort from the RPM package involves the following steps.
* Download
Download the latest version from the Snort web site (http://www.snort.org). At the time of writing, the latest binary file is snort-1.9.0-1snort.i386.rpm.
* Install
Run the following command to install Snort binaries:
rpm --install snort-1.9.0-1snort.i386.rpm
This command will perform the following actions:
• Create a directory /etc/snort where all Snort rule files and configuration files are stored.
• Create a directory /var/log/snort where Snort log files will be stored.
• Create a directory /usr/share/doc/snort-1.9.0 and store Snort documentation files in that directory. You will see files like FAQ (Frequently Asked Questions), README and other files in this directory.
• Create a file snort-plain in the /usr/sbin directory. This is the Snort daemon.
• Create a file /etc/rc.d/init.d/snortd, which is the startup and shutdown script. On RedHat Linux, this is equivalent to /etc/init.d/snortd.
Basic installation is complete at this point and you can start using Snort.
The version of Snort installed this way is not compiled with database support, so you can use it only for logging to files in the /var/log/snort directory.

* Starting, Stopping and Restarting Snort
To run Snort manually, use the following command:
/etc/init.d/snortd start
This command will start Snort, and you can check that the Snort daemon is running using the “ps -ef” command. You should see a line like the following in the output of this command:
root 15999 1 0 18:31 ? 00:00:01 /usr/sbin/snort -A fast -b -l /var/log/snort -d -D -i eth0 -c /etc/snort/snort.conf
Note that you have to start Snort manually each time you reboot the machine. You can automate this process by creating links to this file, which will be explained later.
To stop Snort, use the following command:
/etc/init.d/snortd stop
To restart Snort, use this command:
/etc/init.d/snortd restart
* Installing Snort from Source Code
To install Snort from the source code, you have to build it first. You can build the executable snort file using the procedure explained in this section. First, download the latest version of Snort from its web site (http://www.snort.org/). Just look for the “download” link and grab the latest version of the software.
The latest version was 1.9.0. The downloadable file name is snort-1.9.0.tar.gz, which can be saved in the /opt directory on the Linux box.
Note that the installation method is similar for other versions which may be available by the time you read this.
Note: you must have libpcap installed on your UNIX machine, or WinPcap if you are using Microsoft Windows. You can get WinPcap from http://winpcap.polito.it/ and libpcap from http://www-nrg.ee.lbl.gov/
-------------------------
Installing the Snort program
* Unpacking Snort
The first step after downloading is unpacking the source code. Use the following command to unpack it:
tar zxvf snort-1.9.0.tar.gz
This will create a directory /opt/snort-1.9.0, assuming that you have downloaded the file into the /opt directory and have run the tar command in this directory. In case of other versions of Snort, the directory name will be different and will reflect the version number.
After unpacking you can see the directory tree created by the tar command using the tree command. The following is a snapshot of the directories present under the /opt/snort-1.9.0 directory.
[root@conformix opt]# tree -d snort-1.9.0
snort-1.9.0
|-- contrib
|-- doc
|-- etc
|-- rules
|-- src
|   |-- detection-plugins
|   |-- output-plugins
|   |-- preprocessors
|   `-- win32
|       |-- WIN32-Code
|       |-- WIN32-Includes
|       |   |-- NET
|       |   |-- NETINET
|       |   |-- libnet
|       |   |-- mysql
|       |   `-- rpc
|       |-- WIN32-Libraries
|       |   |-- libnet
|       |   `-- mysql
|       `-- WIN32-Prj
`-- templates

21 directories
[root@conformix opt]#
A brief list of the contents of these directories is listed below:
• The contrib directory contains utilities which are not strictly part of Snort itself. These utilities include ACID, MySQL database creation scripts and other things.
• The doc directory contains documentation files, as is evident from the name of the directory.
• The etc directory contains configuration files.
• The rules directory contains predefined rule files.
• All source code is present under the src directory.
• The templates directory is useful only for people who want to write their own plug-ins. It has no significance for general Snort users.
* Compiling and Installation
The compilation and installation process consists of three steps as listed below:
1. Running the configure script.
2. Running the make command.
3. Running the make install command.
To start the compilation process of Snort, go to the /opt/snort-1.9.0 directory and run the configure script. If you are new to GNU style software, the configure script is a common utility with open source packages. It is used to set some parameters, create makefiles, and detect the development tools and libraries available on your system.
Many command line options can be used with the configure script. These options determine which Snort components will be compiled with Snort. For example, using these options, you can build support for SNMP, MySQL or SMB alerts, in addition to many other things. You can also determine the directory in which the final Snort files will be installed.
The available command line options for the configure script can be listed using the “./configure --help” command, as shown below:
[root@conformix snort-1.9.0]# ./configure --help
Usage: configure [options] [host]
Options: [defaults in brackets after descriptions]
Configuration:
  --cache-file=FILE       cache test results in FILE
  --help                  print this message
  --no-create             do not create output files
  --quiet, --silent       do not print `checking...' messages
  --version               print the version of autoconf that created configure
Directory and file names:
  --prefix=PREFIX         install architecture-independent files in PREFIX [/usr/local]
  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX [same as prefix]
  --bindir=DIR            user executables in DIR [EPREFIX/bin]
  --sbindir=DIR           system admin executables in DIR [EPREFIX/sbin]
  --libexecdir=DIR        program executables in DIR [EPREFIX/libexec]
  --datadir=DIR           read-only architecture-independent data in DIR [PREFIX/share]
  --sysconfdir=DIR        read-only single-machine data in DIR [PREFIX/etc]
  --sharedstatedir=DIR    modifiable architecture-independent data in DIR [PREFIX/com]
  --localstatedir=DIR     modifiable single-machine data in DIR [PREFIX/var]
  --libdir=DIR            object code libraries in DIR [EPREFIX/lib]
  --includedir=DIR        C header files in DIR [PREFIX/include]
  --oldincludedir=DIR     C header files for non-gcc in DIR [/usr/include]
  --infodir=DIR           info documentation in DIR [PREFIX/info]
  --mandir=DIR            man documentation in DIR [PREFIX/man]
  --srcdir=DIR            find the sources in DIR [configure dir or ..]
  --program-prefix=PREFIX prepend PREFIX to installed program names
  --program-suffix=SUFFIX append SUFFIX to installed program names
  --program-transform-name=PROGRAM
                          run sed PROGRAM on installed program names
Host type:
  --build=BUILD           configure for building on BUILD [BUILD=HOST]
  --host=HOST             configure for HOST [guessed]
  --target=TARGET         configure for TARGET [TARGET=HOST]
Features and packages:
  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
  --x-includes=DIR        X include files are in DIR
  --x-libraries=DIR       X library files are in DIR
--enable and --with options recognized:
  --enable-debug          enable debugging options (bugreports and developers only)
  --enable-profile        enable profiling options (developers only)
  --with-libpcap-includes=DIR   libcap include directory
  --with-libpcap-libraries=DIR  libcap library directory
  --with-mysql=DIR        support for mysql
  --with-odbc=DIR         support for odbc
  --with-postgresql=DIR   support for postgresql
  --with-oracle=DIR       support for oracle
  --with-snmp             support for snmp
  --with-openssl=DIR      support for openssl
  --enable-sourcefire     Enable Sourcefire specific build options
  --enable-perfmonitor    Enable perfmonitor preprocessor
  --enable-smbalerts      SMB alerting capaility via Samba
  --enable-flexresp       Flexible Responses on hostile connection attempts
[root@conformix snort-1.9.0]#
Option values listed in square brackets indicate that if that particular option is not selected, the value mentioned in the square brackets will be used by default. For example, the following line shows that if the --prefix option is not used on the command line for the configure script, the value /usr/local will be used as PREFIX by default.
Note: PREFIX is the directory under which Snort files are installed when you use the “make install” command.
  --prefix=PREFIX         install architecture-independent files in PREFIX [/usr/local]
A typical session with the configure script may be as follows. Output is truncated after displaying the initial output lines to save space. Note the options that have been enabled on the command line.
[root@conformix snort-1.9.0]# ./configure --prefix=/opt/snort --enable-smbalerts --enable-flexresp --with-mysql --with-snmp --with-openssl
loading cache ./config.cache
checking for a BSD compatible install... (cached) /usr/bin/install -c
checking whether build environment is sane... yes
checking whether make sets ${MAKE}... (cached) yes
checking for working aclocal... found
checking for working autoconf... found
checking for working automake... found
checking for working autoheader... found
checking for working makeinfo... found
checking for gcc... (cached) gcc
checking whether the C compiler (gcc ) works... yes
checking whether the C compiler (gcc ) is a cross-compiler... no
checking whether we are using GNU C... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking for gcc option to accept ANSI C... (cached) none needed
checking for ranlib... (cached) ranlib
Output is truncated at the end because the configure script may create a lot of information. The --prefix option on the command line is used to tell the configure script the location of the final installation directory. The other options are used to enable the following components of Snort:
• Support for the MySQL database.
• Support for SNMP traps.
• Support for SMB alerts. SMB alerts are used to send pop-up windows to Microsoft Windows machines.
• Support for flex response. Flex response is used to terminate network sessions in real time. More information about flex response will be provided. Note that to enable support for this option, you must have libnet installed. You can download libnet from http://www.securityfocus.net. I have used version 1.0.2a for this installation.
After running the configure script, you can run the following two commands to compile and install the Snort files.
make
make install
The first command may take some time to complete depending upon how powerful your machine is. When you run the second command, files are installed in the appropriate directories. The make install command installs the Snort binaries in the /opt/snort directory, as you selected --prefix=/opt/snort on the command line for the configure script.
Useful command line parameters that can be used with the configure script are shown in the table below.
Command line parameters used with the configure script
Parameter            Description
--with-mysql         Build support for MySQL into Snort.
--with-snmp          Build support for SNMP while compiling Snort. You have to use --with-openssl if you use this option.
--with-openssl       Enable OpenSSL support. You may need to use this when you use the SNMP option.
--with-oracle        Enable support for the Oracle database.
--with-odbc          Build support for ODBC into Snort.
--enable-flexresp    Enables use of Flex Response, which allows canceling hostile connections. This is still experimental (see the README.FLEXRESP file in the Snort distribution).
--enable-smbalerts   Enable SMB alerts. Be careful using this, as it invokes the smbclient user space process every time it sends an alert.
--prefix=DIR         Set the directory for installing Snort files.
The installation procedure for libnet basically consists of four steps:
• Untar the file using tar zxvf libnet-1.0.2a.tar.gz
• Change to the directory Libnet-1.0.2a and run the ./configure command.
• Run the make command.
• Run the make install command.
----------------------------------------
General definitions for the Snort program
Intrusion Detection Systems with Snort: Advanced IDS Techniques Using Snort, Apache, MySQL, PHP, and ACID
Security is a big issue for all networks in today’s enterprise environment. Hackers and intruders have made many successful attempts to bring down high-profile company networks and web services. Many methods have been developed to secure the network infrastructure and communication over the Internet, among them the use of firewalls, encryption, and virtual private networks. Intrusion detection is a relatively new addition to such techniques. Intrusion detection methods started appearing in the last few years. Using intrusion detection methods, you can collect and use information from known types of attacks and find out if someone is trying to attack your network or particular hosts. The information collected this way can be used to harden your network security, as well as for legal purposes. Both commercial and open source products are now available for this purpose. Many vulnerability assessment tools are also available in the market that can be used to assess different types of security holes present in your network.
A comprehensive security system consists of multiple tools, including:
• Firewalls […] (http://www.netscreen.com). The most popular Open Source firewall is the Netfilter/Iptables (http://www.netfilter.org)-based firewall.
• Intrusion detection systems (IDS) that are used to find out if someone has gotten into or is trying to get into your network. The most popular IDS is Snort, which is available at http://www.snort.org.
• Vulnerability assessment tools that are used to find and plug security holes present in your network. Information collected from vulnerability assessment tools is used to set rules on firewalls so that these security holes are safeguarded from malicious Internet users. There are many vulnerability assessment tools including Nmap (http://www.nmap.org) and Nessus (http://www.nessus.org).
These tools can work together and exchange information with each other. Some products provide complete systems consisting of all of these products bundled together.
Snort is an open source Network Intrusion Detection System (NIDS) which is available free of cost. NIDS is the type of Intrusion Detection System (IDS) that is used for scanning data flowing on the network. There are also host-based intrusion detection systems, which are installed on a particular host and detect attacks targeted to that host only. Although all intrusion detection methods are still new, Snort is ranked among the top quality systems available today.
This guide starts with an introduction to intrusion detection and related terminology. You will learn installation and management of Snort as well as other products that work with Snort. These products include the MySQL database (http://www.mysql.org) and Analysis Control for Intrusion Database (ACID) (http://www.cert.org/kb/acid).
Snort has the capability to log collected data (such as alerts and other log messages) to a database. MySQL is used as the database engine where all of this data is stored. Using the Apache web server (http://www.apache.org) and ACID, you can analyze this data. A combination of Snort, Apache, MySQL, and ACID makes it possible to log the intrusion detection data into a database and then view and analyze it later, using a web interface.
This guide is organized in such a way that the reader will be able to build a complete intrusion detection system by going through the following parts in a step-by-step manner. All steps of installing and integrating the different tools are explained in the parts outlined below:
• Basic information about how to build and install Snort itself. Using the basic installation and default rules, you will be able to get a working IDS and to create log files that show intrusion activity.
• Snort rules: the different parts of a Snort rule and how to write your own rules according to your environment and needs. This is very important, as writing good rules is the key to building a detection system. The different rules that are part of the Snort distribution are also explained.
• Input and output plug-ins. Plug-ins are parts of the software that are compiled with Snort and are used to modify the input or output of the Snort detection engine. Input plug-ins prepare captured data packets before the actual detection process is applied to these packets. Output plug-ins format output to be used for a particular purpose; for example, an output plug-in can convert the detection data to a Simple Network Management Protocol (SNMP) trap. Another output plug-in is used to log Snort output data into databases. This part provides a comprehensive overview of how these plug-ins are configured and used.
• Using the MySQL database with Snort. The MySQL plug-in enables Snort to log data into the database to be used in the analysis later on. You will find information about how to create a database in MySQL, configure a database plug-in, and log data to the database.
• ACID: how to use it to get data from the database you configured and how to display it using the Apache web server. ACID is a very important tool that provides rich data analysis capabilities. You can find the frequency of attacks, classify different attacks, view the source of these attacks and so on. ACID uses the PHP (Pretty Home Page) scripting language, the graphic display library (GD library) and PHPLOT, which is a tool to draw graphs. A combination of all of these results in web pages that display, analyze and graph data stored in the MySQL database.
• Some other useful tools that can be used with Snort.
In the system that you will build, data is captured and analyzed by Snort. Snort then stores this data in the MySQL database using the database output plug-in. The Apache web server takes help from ACID, PHP, the GD library and the PHPLOT package to display this data in a browser window when a user connects to Apache. A user can then make different types of queries on the forms displayed in the web pages to analyze, archive, graph and delete data.
In essence, you can build a single computer with Snort, the MySQL database, Apache, PHP, ACID, the GD library and PHPLOT. A figure gives a more realistic picture of the system that you will be able to build with Snort. In the enterprise, usually people have multiple Snort sensors behind every router or firewall. In that case you can use a single centralized database to collect data from all of the sensors. You can run the Apache web server on this centralized database server, as shown in the figure.
* Some Definitions
Before we go into details of intrusion detection and Snort, you need to learn some definitions related to security. These definitions will be used in this book repeatedly in the coming chapters. A basic understanding of these terms is necessary to digest other complicated security concepts.
* IDS
Intrusion Detection System or IDS is software, hardware or a combination of both used to detect intruder activity. Snort is an open source IDS available to the general public. An IDS may have different capabilities depending upon how complex and sophisticated the components are. IDS appliances that are a combination of hardware and software are available from many companies. As mentioned earlier, an IDS may use signatures, anomaly-based techniques or both.
* Network IDS or NIDS
NIDS are intrusion detection systems that capture data packets traveling on the network media (cables, wireless) and match them to a database of signatures. Depending upon whether a packet is matched with an intruder signature, an alert is generated or the packet is logged to a file or database.
One major use of Snort is as a NIDS.
* Host IDS or HIDS
Host-based intrusion detection systems or HIDS are installed as agents on a host. These intrusion detection systems can look into system and application log files to detect any intruder activity. Some of these systems are reactive, meaning that they inform you only when something has happened. Some HIDS are proactive; they can sniff the network traffic coming to the particular host on which the HIDS is installed and alert you in real time.
* Signatures
Signature is the pattern that you look for inside a data packet. A signature is used to detect one or multiple types of attacks. For example, the presence of “scripts/iisadmin” in a packet going to your web server may indicate an intruder activity.
Signatures may be present in different parts of a data packet depending upon the nature of the attack. For example, you can find signatures in the IP header, transport layer header (TCP or UDP header) and/or application layer header or payload. You will learn more about signatures later.
Usually an IDS depends upon signatures to find out about intruder activity. Some vendor-specific IDS need updates from the vendor to add new signatures when a new type of attack is discovered. In other IDS, like Snort, you can update signatures yourself.
* Alerts
Alerts are any sort of user notification of an intruder activity. When an IDS detects an intruder, it has to inform security administrator about this using alerts. Alerts may be in the form of pop-up windows, logging to a console, sending e-mail and so on. Alerts are also stored in log files or databases where they can be viewed later on by security experts. You will find detailed information about alerts later in this book.
Snort can generate alerts in many forms; they are controlled by output plug-ins.
Snort can also send the same alert to multiple destinations. For example, it is possible to log alerts into a database and generate SNMP traps simultaneously. Some plug-ins can also modify firewall configuration so that offending hosts are blocked at the firewall or router level.
* Logs
The log messages are usually saved in a file. By default Snort saves these messages under the /var/log/snort directory. However, the location of log messages can be changed using a command line switch when starting Snort.
Log messages can be saved either in text or binary format. The binary files can be viewed later on using Snort or tcpdump program. A new tool called Barnyard is also available now to analyze binary log files generated by Snort. Logging in binary format is faster because it saves some formatting overhead. In high-speed Snort implementations, logging in binary mode is necessary.
You will also learn how to tune the different default rules. In some cases you may need to disable some of the rules to avoid false alarms.
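As an added example, not part of the original post or of Snort itself, the following Python script parses the one-line “fast” alert format that Snort writes when started with -A fast (as in the ps output earlier) and counts alerts by priority and by source host. The alert lines are constructed for this example (private 192.168.1.x addresses and local-rule SIDs); the regular expression treats the Classification and Priority fields as optional, since older rule sets may omit them.

```python
"""Added example for this page (not code from the original post or from
Snort): a parser and summarizer for Snort's text "fast" alert format.
The SAMPLE_ALERTS lines are constructed for this example."""

import re
from collections import Counter

# One fast-format alert per line, e.g.
# 12/28-18:31:05.123456  [**] [1:1000001:1] MSG [**] [Classification: X] [Priority: 1] {TCP} SRC:PORT -> DST:PORT
_FAST = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"   # optional
    r"(?:\[Priority:\s+(?P<prio>\d+)\]\s+)?"            # optional
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample log: three alerts plus one line that is not an alert.
SAMPLE_ALERTS = """\
12/28-18:31:05.123456  [**] [1:1000001:1] WEB-MISC /scripts/iisadmin access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.50:34567 -> 192.168.1.2:80
12/28-18:31:07.000100  [**] [1:1000002:1] SCAN nmap fingerprint attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:34570 -> 192.168.1.2:22
12/28-18:31:09.555000  [**] [1:1000003:2] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.77 -> 192.168.1.2
this line is not an alert and must be reported as unparsed
"""


def _split_addr(addr):
    """'ip:port' -> (ip, port); a bare IP (ICMP alerts) -> (ip, None). IPv4 only."""
    if ":" in addr:
        ip, port = addr.rsplit(":", 1)
        return ip, int(port)
    return addr, None


def parse_fast_alert(line):
    """Return a dict of the alert's fields, or None if the line is not a fast-format alert."""
    m = _FAST.match(line.strip())
    if not m:
        return None
    src_ip, src_port = _split_addr(m["src"])
    dst_ip, dst_port = _split_addr(m["dst"])
    return {
        "timestamp": m["ts"],
        "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
        "msg": m["msg"],
        "classification": m["cls"],
        "priority": int(m["prio"]) if m["prio"] else None,
        "proto": m["proto"],
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
    }


def summarize(text):
    """Count alerts by priority and by source host; lines that do not parse are counted, not dropped."""
    by_priority, by_source = Counter(), Counter()
    parsed = unparsed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = parse_fast_alert(line)
        if alert is None:
            unparsed += 1
            continue
        parsed += 1
        by_priority[alert["priority"]] += 1
        by_source[alert["src_ip"]] += 1
    return {"parsed": parsed, "unparsed": unparsed,
            "by_priority": dict(by_priority), "by_source": dict(by_source)}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_ALERTS), indent=2))
```

Run it directly to see the summary of the embedded sample, or pass the text of a real alert file to summarize(). Lines that do not parse are counted rather than silently skipped, so a corrupted log or a changed output format shows up in the summary instead of hiding alerts.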
* Sensor
The machine on which an intrusion detection system is running is also called the sensor in the literature because it is used to “sense” the network. Wherever the word sensor is used here, it refers to a computer or other device where Snort is running.
* Components of Snort
Snort is logically divided into multiple components. These components work together to detect particular attacks and to generate output in a required format from the detection system.
A Snort-based IDS consists of the following major components:
• Packet Decoder
• Preprocessors
• Detection Engine
• Logging and Alerting System
• Output Modules
The figure shows how these components are arranged. Any data packet coming from the Internet enters the packet decoder. On its way towards the output modules, it is either dropped, logged or an alert is generated.
A brief introduction to these components is presented in this section. You will become more familiar with these components and how they interact with each other later on.
* Packet Decoder
The packet decoder takes packets from different types of network interfaces and prepares the packets to be preprocessed or to be sent to the detection engine.
The interfaces may be Ethernet, SLIP, PPP and so on.
* Preprocessors
Preprocessors are components or plug-ins that can be used with Snort to arrange or modify data packets before the detection engine does some operation to find out if the packet is being used by an intruder. Some preprocessors also perform detection by finding anomalies in packet headers and generating alerts. Preprocessors are very important for any IDS to prepare data packets to be analyzed against rules in the detection engine.
Hackers use different techniques to fool an IDS in different ways.
For example, you may have created a rule to find a signature “scripts/iisadmin” in HTTP packets.
If you are matching this string exactly, you can easily be fooled by a hacker who makes slight modifications to this string.
For example:
• “scripts/./iisadmin”
• “scripts/examples/../iisadmin”
• “scripts\iisadmin”
• “scripts/.\iisadmin”
To complicate the situation, hackers can also insert hexadecimal characters or Unicode characters into the web Uniform Resource Identifier (URI), which are perfectly legal as far as the web server is concerned.
Note that web servers usually understand all of these strings and are able to preprocess them to extract the intended string “scripts/iisadmin”. However, if the IDS is looking for an exact match, it is not able to detect this attack. A preprocessor can rearrange the string so that it is detectable by the IDS.
Preprocessors are also used for packet defragmentation. When a large data chunk is transferred to a host, the packet is usually fragmented. For example, default maximum length of any data packet on an Ethernet network is usually 1500 bytes.
This value is controlled by the Maximum Transfer Unit (MTU) value for the network interface.
This means that if you send data which is more than 1500 bytes, it will be split into multiple data packets so that each packet fragment is less than or equal to 1500 bytes.
The receiving systems are capable of reassembling these smaller units again to form the original data packet. On IDS, before you can apply any rules or try to find a signature, you have to reassemble the packet.
For example, half of the signature may be present in one segment and the other half in another segment. To detect the signature correctly you have to combine all packet segments. Hackers use fragmentation to defeat intrusion detection systems.
The preprocessors are used to safeguard against these attacks. Preprocessors in Snort can defragment packets, decode HTTP URIs, re-assemble TCP streams and so on. These functions are a very important part of the intrusion detection system.
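The following Python program is an added example written for this page, not code from the original post or from Snort. It models the two preprocessor jobs just described: reassembling a request that arrived as several out-of-order fragments, and normalizing the HTTP URI so that the evasion variants listed above (“./”, “../”, backslashes, %XX hex and %uXXXX encodings) all collapse to the signature “scripts/iisadmin”. The (offset, bytes) fragment representation, the sample request and the exact normalization steps are simplifications chosen for the example.

```python
"""Added example for this page (not code from the original post or from
Snort): a toy preprocessor pipeline, reassembly followed by URI
normalization, in front of an exact-match signature check."""

import posixpath
import re

SIGNATURE = "scripts/iisadmin"

# Constructed sample request: the signature is broken up by an evasion
# ("examples/..") AND, once cut into 7-byte pieces, across fragment boundaries.
SAMPLE_REQUEST = b"GET /scripts/examples/../iisadmin HTTP/1.0\r\nHost: www.example.com\r\n\r\n"


def split_into_fragments(payload, size):
    """Constructed input: cut payload into fixed-size (offset, chunk) pieces, delivered out of order."""
    frags = [(i, payload[i:i + size]) for i in range(0, len(payload), size)]
    return frags[::-1]


def reassemble(fragments):
    """Order fragments by offset and glue them together.
    Gaps and overlaps are rejected rather than guessed at: a real preprocessor
    must resolve overlaps exactly the way the destination host would."""
    data = bytearray()
    for offset, chunk in sorted(fragments, key=lambda f: f[0]):
        if offset != len(data):
            raise ValueError(f"gap or overlap at offset {offset}")
        data += chunk
    return bytes(data)


_ENCODED = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def percent_decode(s):
    """Decode %XX hex escapes and IIS-style %uXXXX Unicode escapes (single pass)."""
    return _ENCODED.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def normalize_uri(uri):
    """Canonical form of a URI path, the way the web server will interpret it."""
    uri = percent_decode(uri)
    uri = uri.replace("\\", "/")        # IIS accepts '\' as a path separator
    uri = re.sub(r"/{2,}", "/", uri)    # collapse repeated slashes
    return posixpath.normpath(uri)      # resolve "." and ".." segments


def extract_uri(request):
    """Request-target from the HTTP request line, e.g. b'GET /x HTTP/1.0' -> '/x'."""
    request_line = request.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return parts[1]


def inspect(fragments, signature=SIGNATURE):
    """Pipeline: reassemble -> extract URI -> normalize -> exact substring match.
    'naive_match' is what an IDS without the preprocessor would have seen."""
    raw = extract_uri(reassemble(fragments))
    canonical = normalize_uri(raw)
    return {"raw": raw, "normalized": canonical,
            "naive_match": signature in raw,
            "match": signature in canonical}


if __name__ == "__main__":
    print(inspect(split_into_fragments(SAMPLE_REQUEST, 7)))
    for variant in ["/scripts/./iisadmin", "/scripts/examples/../iisadmin",
                    "/scripts\\iisadmin", "/scripts/.\\iisadmin",
                    "/scripts/%69%69sadmin", "/scripts/%u0069isadmin"]:
        print(f"{variant:35} -> {normalize_uri(variant)}")
```

The inspect() result shows both verdicts side by side: naive_match is what a signature check on the raw bytes sees, match is what it sees after the preprocessor has done its work. Gaps and overlapping fragments raise an error instead of being silently patched over, since a reassembly that differs from what the destination host builds is exactly what an attacker relies on.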
* The Detection Engine
The detection engine is the most important part of Snort. Its responsibility is to detect if any intrusion activity exists in a packet. The detection engine employs Snort rules for this purpose. The rules are read into internal data structures or chains where they are matched against all packets. If a packet matches any rule, appropriate action is taken; otherwise the packet is dropped. Appropriate actions may be logging the packet or generating alerts.
The detection engine is the time-critical part of Snort. Depending upon how powerful your machine is and how many rules you have defined, it may take different amounts of time to respond to different packets.
If traffic on your network is too high when Snort is working in NIDS mode, you may drop some packets and may not get a true real-time response.
The load on the detection engine depends upon the following factors:
• Number of rules
• Power of the machine on which Snort is running
• Speed of internal bus used in the Snort machine
• Load on the network
When designing a Network Intrusion Detection System, you should keep all of these factors in mind.
Note that the detection system can dissect a packet and apply rules on different parts of the packet. These parts may be:
• The IP header of the packet.
• The Transport layer header. This header includes TCP, UDP or other transport layer headers. It may also work on the ICMP header.
• The application layer level header. Application layer headers include, but are not limited to, DNS header, FTP header, SNMP header, and SMTP header. You may have to use some indirect methods for application layer headers, like the offset of the data to be looked for.
• Packet payload. This means that you can create a rule that is used by the detection engine to find a string inside the data that is present inside the packet.
The detection engine works in different ways for different versions of Snort. In all 1.x versions of Snort, the detection engine stops further processing of a packet when a rule is matched. Depending upon the rule, the detection engine takes appropriate action by logging the packet or generating an alert. This means that if a packet matches criteria defined in multiple rules, only the first rule is applied to the packet without looking for other matches.
This is fine except for one problem: a low priority rule generates a low priority alert, even if a high priority rule meriting a high priority alert is located later in the rule chain. This problem is rectified in Snort version 2, where all rules are matched against a packet before generating an alert. After matching all rules, the highest priority rule is selected to generate the alert.
The detection engine in Snort version 2.0 is completely rewritten so that it is a lot faster compared to detection in earlier versions of Snort. While Snort 2.0 is still new, early analysis shows that the new detection engine may be up to eighteen times faster.
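To make the difference between the two strategies concrete, here is an added example (not from the original post or from Snort) in Python: a toy rule chain in which a broad, low-priority rule precedes a narrow, high-priority one, evaluated once with first-match semantics (Snort 1.x) and once with evaluate-all, highest-priority-wins semantics (Snort 2.x). The rules, the packets and the priority scale (1 = highest, following Snort's convention) are constructed for the example.

```python
"""Added example for this page (not code from the original post or from
Snort): first-match versus evaluate-all rule selection. Rules, packets and
the priority numbering are constructed for this example."""

from typing import Callable, List, NamedTuple, Optional


class Rule(NamedTuple):
    name: str
    priority: int                      # 1 = high, 2 = medium, 3 = low (assumed convention)
    matches: Callable[[dict], bool]


def first_match(rules: List[Rule], packet: dict) -> Optional[Rule]:
    """Snort 1.x behaviour: walk the chain in order and stop at the first hit."""
    for rule in rules:
        if rule.matches(packet):
            return rule
    return None


def best_match(rules: List[Rule], packet: dict) -> Optional[Rule]:
    """Snort 2.x behaviour: evaluate every rule, then alert on the most severe hit.
    Ties keep chain order, because min() returns the first minimal element."""
    hits = [rule for rule in rules if rule.matches(packet)]
    return min(hits, key=lambda rule: rule.priority) if hits else None


def compare(rules: List[Rule], packet: dict):
    """(name chosen by first-match, name chosen by best-match); None where nothing matched."""
    first, best = first_match(rules, packet), best_match(rules, packet)
    return (first.name if first else None, best.name if best else None)


# Constructed rule chain: a broad, low-priority rule sits BEFORE a narrow,
# high-priority one, which is exactly the ordering problem discussed above.
RULES = [
    Rule("WEB-MISC cgi-bin access", 3,
         lambda p: p["dst_port"] == 80 and p["uri"].startswith("/cgi-bin/")),
    Rule("WEB-ATTACKS shell in URI", 1,
         lambda p: p["dst_port"] == 80 and "/bin/sh" in p["uri"]),
    Rule("WEB-MISC cgi-bin script", 3,
         lambda p: p["dst_port"] == 80 and p["uri"].endswith(".cgi")),
]

# Constructed packets (only the fields the rules look at).
SUSPICIOUS = {"dst_port": 80, "uri": "/cgi-bin/lookup.cgi?cmd=/bin/sh"}
ORDINARY = {"dst_port": 80, "uri": "/cgi-bin/lookup.cgi"}
UNRELATED = {"dst_port": 22, "uri": ""}

if __name__ == "__main__":
    for label, pkt in [("suspicious", SUSPICIOUS), ("ordinary", ORDINARY), ("unrelated", UNRELATED)]:
        print(f"{label:10} first-match={compare(RULES, pkt)[0]!r}  best-match={compare(RULES, pkt)[1]!r}")
```

For the SUSPICIOUS packet the first-match engine reports only the low-priority “cgi-bin access” rule and never reaches the high-priority one; the evaluate-all engine reports the high-priority rule. For ORDINARY both strategies agree, and the tie between the two priority-3 hits is broken by chain order.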
* Logging and Alerting System and Output Modules
The logging and alerting system generates the alert and log messages; the output modules process these alerts and logs and generate the final output, which can be:
• Simply logging to the /var/log/snort/alerts file or some other file
• Sending SNMP traps
• Sending messages to the syslog facility
• Logging to a database like MySQL or Oracle. You will learn more about using MySQL later.
• Generating eXtensible Markup Language (XML) output
• Modifying configuration on routers and firewalls.
• Sending Server Message Block (SMB) messages to Microsoft Windows-based machines.
Other tools can also be used to send alerts in other formats such as e-mail messages, or to view alerts using a web interface.
* Components of an IDS
Name                               Description
1. Packet Decoder                  Prepares packets for processing.
2. Preprocessors or Input Plugins  Used to normalize protocol headers, detect anomalies, reassemble packets and re-assemble TCP streams.
3. Detection Engine                Applies rules to packets.
4. Logging and Alerting System     Generates alert and log messages.
5. Output Modules                  Process alerts and logs and generate the final output.
* IDS Policy Manager
IDS Policy Manager is a Microsoft Windows based GUI. It is used to manage the Snort configuration file and Snort rules on a sensor. It is available from its web site http://activeworx.com/idspm/. Beta version 1.3 is available
from this web site and it supports Snort versions up to 1.9.0. You can download the software and install it using normal Windows installation procedures.
When you start the software, a window like the one shown in the image is displayed.
As you can see, this window is initially empty. It has three tabs at the bottom, as
explained below:
• The “Sensor Manager” tab shows the sensors that you are managing with this
tool. Initially there is no sensor listed in the window because you have to add
sensors after installing IDS Manager. This is the default tab when you start the
Policy Manager.
• The “Policy Manager” tab shows configured policies. A policy includes
snort.conf file parameters (variables, input and output plug-ins, include
files) as well as a list of rules that belong to that policy.
• The “Logging” tab shows log messages.
You can click on any of these tabs to switch to a particular window. To add a new
sensor, you can click on the “Sensor” menu and choose the “Add Sensor” option. A popup
window like the one shown in the image appears where you fill out information about the sensor.
The screen shot shown in image is taken after filling out information in blank
fields. You have to enter the following information about a sensor:
• Sensor name, which is “MyHome Sensor” in this example.
• IP address of sensor which is 192.168.1.2. You have to fill out the IP address of
your sensor in this box.
• The “IDS System” box is used to specify which version of Snort is being used
on the sensor. Different Snort versions have slightly different parameters for
input and output plug-ins as well as keywords used in rules. It’s important to
use correct information in this option.
• The policy name is “Official”. You can use a different name for the policy. The
sensor policy is downloaded and stored on the machine where IDS Policy
Manager is being installed.
• The “Upload Information” section includes parameters that are needed to
transfer files from and to the sensor.
• The SCP method uses SSH server running on the sensor. User name and
password are used to log in to the Snort sensor to upload and download files. The
“Upload Directory” shows the location of the snort.conf file on the Snort
sensor. Since the location of other rule files is mentioned in the snort.conf
file, you don’t need to specify names and locations of other rule files.
After entering this information, you can click “OK” to add the sensor. After adding
the sensor, the first task is to download policy from the sensor you added in the previous step.
For this purpose, you can use the “Download Policy from Sensor” option in the “Sensor” menu.
After downloading the policy, you can click on the “Policy Manager” tab at the bottom of the screen to edit the policy.
When you click here, you will see the screen with a list of currently
available policies. Since you used “Official” as the name of the policy while adding the sensor, this policy must be present in the list.
To edit the policy, double click the policy name and a Policy Editor window will appear, as shown in image.
On the left hand side of the window shown in image is a list of different classes of rules used on the sensor.
The right hand side of the window shows a description of the class and individual rules included in that class.
To modify a rule, you can double click that rule and a window like the one shown in image will appear where you can modify different parts of a rule.
The pull-down menus in the right side of the window shown in image make it very easy to modify rules.
For example, to modify protocol used in the rule, you can click the pull-down menu button and a list of supported protocols will appear.
To modify other parts of the snort.conf file, you can click the “Settings” tab on the top left side of the window.
A window like the one shown in image appears where you can modify input and output plug-ins and values of different variables.
As you can see in the screen shot in the image, the database user name and passwords are displayed. These are the same ones we used in Chapter 5 while configuring the MySQL database.
After making changes to the policy, close this window and upload the policy to the sensor using options in the “Sensor” menu of the main menu.
IDS Policy Manager makes it very easy to modify sensor policies; it handles almost all of the tasks involved.
* Using a Private Network
There are different ways to make ACID secure. One way is to use a private network
for all Snort sensors and the centralized database server where ACID and Apache
are installed so that their IP addresses are not visible from the Internet. This scheme is
still vulnerable to the internal users who have access to this private network.
* Blocking Access to the Web Server on the Firewall
Another method is to block access to your web server from the firewall so that
nobody from the Internet can access the web server. Again this scheme is still vulnerable
to internal users.
* Using iptables
Another way is to use iptables to allow only your own computer to access port
80 on the web server. This is the most secure method because it protects your web
server and ACID from both internal and external users. You can use a simple command
to block all incoming connections except your own workstation, which has an IP
address 192.168.1.100.
iptables -A INPUT -s ! 192.168.1.100 -j DROP
The command is case sensitive. This command blocks all connections except ones
from host 192.168.1.100, which is your own workstation where you use the web
browser. This is not a comprehensive tutorial on how to use the iptables command.
You can either use the “man iptables” command to get more information about iptables-based
firewalls or read Rusty’s guide for iptables at
http://www.netfilter.org/unreliable-guides/packet-filtering-HOWTO/index.html.
Once you use the above command, nobody from any other host will be able to
access ANY service on the machine where you used this command. All existing connections
will be dropped.
You are warned!
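As an added example (not from the original post and not part of Snort or ACID), the POSIX shell script below expresses the same intent as the one-line rule above, only the workstation 192.168.1.100 may reach the web server on port 80, without the side effect the warning describes: loopback traffic and replies to connections the server itself opened are still accepted. The workstation address and the port are parameters, the IPT variable and the apply_rules function name are this example's own, and the script assumes the iptables state match (-m state) is available.

```shell
#!/bin/sh
# Added example: restrict access to the ACID web server with iptables.
# The page's one-liner ("iptables -A INPUT -s ! 192.168.1.100 -j DROP")
# drops every packet from every other host, including replies to
# connections the server itself opened (DNS lookups, sensor database
# writes). The rules below keep the same intent, only the workstation
# may reach port 80, without cutting the server off from everything else.
# IPT is the command to run; set IPT=echo to preview the rules instead.
IPT="${IPT:-iptables}"

# apply_rules WORKSTATION_IP [PORT]
apply_rules() {
    ws="$1"          # workstation allowed to use the web interface
    port="${2:-80}"  # web server port (80 unless given)

    # Flush the INPUT chain so the script can be re-run safely.
    "$IPT" -F INPUT
    # Local processes (ACID talking to MySQL on localhost) need loopback.
    "$IPT" -A INPUT -i lo -j ACCEPT
    # Replies to connections this host initiated must still get in.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the workstation may open new connections to the web server.
    "$IPT" -A INPUT -p tcp -s "$ws" --dport "$port" -j ACCEPT
    # Everything else is dropped; this must remain the last rule.
    "$IPT" -A INPUT -j DROP
}

# Run directly as root: ./acid_fw.sh 192.168.1.100 [port]
if [ $# -gt 0 ]; then
    apply_rules "$@"
fi
```

Run it with IPT=echo first to read the rules it would install. If you also administer the server over SSH from the same workstation, add one more ACCEPT rule for that port before the final DROP; otherwise the same caveat as above applies and you lock yourself out.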
* Easy IDS
Easy IDS is an integrated system available from http://www.argusnetsec.com for the
Linux operating system. It has all of the necessary components to build a complete IDS
quickly. These components are precompiled and configured for easy installation. The package includes:
• Snort
• Apache Web server
• MySQL server
• ACID
• PHPLOT
• ADODB
The installation script installs all of these components and creates startup and
shutdown script links. This is a good choice for people who want to get something running quickly.
It may be available for free download from the company web site in the future.
* IDS Policy
Before you install the intrusion detection system on your network, you must have a policy to detect intruders and take action when you find such activity.
A policy must dictate IDS rules and how they will be applied.
The IDS policy should contain the following components; you can add more depending upon your requirements.
• Who will monitor the IDS? Depending on the IDS, you may have alerting
mechanisms that provide information about intruder activity. These alerting
systems may be in the form of simple text files, or they may be more
complicated, perhaps integrated to centralized network management systems
like HP OpenView or MySQL database. Someone is needed to monitor the
intruder activity and the policy must define the responsible person(s). The
intruder activity may also be monitored in real time using pop-up windows or
web interfaces. In this case operators must have knowledge of alerts and their
meaning in terms of severity levels.
• Who will administer the IDS, rotate logs and so on? As with all systems, you
need to establish routine maintenance of the IDS.
• Who will handle incidents and how? If there is no incident handling, there is no
point in installing an IDS. Depending upon the severity of the incident, you
may need to get some government agencies involved.
• What will be the escalation process (level 1, level 2 and so on)? The escalation
process is basically an incident response strategy. The policy should clearly
describe which incidents should be escalated to higher management.
• Reporting. Reports may be generated showing what happened during the last
day, week or month.
• Signature updates. Hackers are continuously creating new types of attacks.
These attacks are detected by the IDS if it knows about the attack in the form of
signatures. Attack signatures are used in Snort rules to detect attacks. Because
of the continuously changing nature of attacks, you must update signatures and
rules on your IDS. You can update signatures directly from the Snort web site
on a periodic basis or on your own when a new threat is discovered.
• Documentation is required for every project. The IDS policy should describe
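To make the signature-update item concrete, here is an added shell example (not code from the original post or from the Snort project) that installs a newly downloaded rules file only if the sensor's configuration still passes Snort's self-test (snort -T -c snort.conf) and rolls back to the previous file otherwise. The SNORT variable, the update_rules function and the paths used are assumptions of this example; how the new rules file is fetched from the Snort web site is left out.

```shell
#!/bin/sh
# Added example: replace a Snort rules file only if Snort's configuration
# test still passes, keeping a backup of the previous rules for rollback.
# SNORT is the snort binary to use (override for testing).
SNORT="${SNORT:-snort}"

# update_rules NEW_RULES TARGET_RULES SNORT_CONF
#   NEW_RULES    freshly downloaded rules file, already on disk
#   TARGET_RULES rules file included by SNORT_CONF (e.g. /etc/snort/local.rules)
#   SNORT_CONF   the snort.conf that includes TARGET_RULES
# Returns 0 after installing NEW_RULES (old copy kept as TARGET_RULES.bak),
# or 1 with TARGET_RULES left unchanged.
update_rules() {
    new="$1"; target="$2"; conf="$3"
    backup="$target.bak"

    if [ ! -s "$new" ]; then
        echo "update_rules: $new is missing or empty" >&2
        return 1
    fi

    # Stage: keep the old file, put the new one in place, then test.
    # Snort reads rule files at start-up, so swapping the file on disk
    # does not change the running sensor until it is restarted.
    cp -p "$target" "$backup"
    cp "$new" "$target"

    # snort -T parses the configuration and every included rules file
    # and exits non-zero on an error, without starting detection.
    if "$SNORT" -T -c "$conf" >/dev/null 2>&1; then
        return 0
    fi

    # Roll back so the sensor keeps a known-good rule set.
    mv "$backup" "$target"
    echo "update_rules: new rules failed 'snort -T', rolled back" >&2
    return 1
}

# Run directly: ./update_rules.sh new.rules /etc/snort/local.rules /etc/snort/snort.conf
if [ $# -eq 3 ]; then
    update_rules "$1" "$2" "$3"
fi
```

Restart the sensor only after update_rules returns 0; the .bak file is what you restore if the new signatures turn out to be too noisy in practice.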
* Where IDS Should be Placed in Network Topology
Depending upon your network topology, you may want to position intrusion
detection systems at one or more places. It also depends upon what type of intrusion activities you want to detect: internal, external or both. For example, if you want to detect only external intrusion activities, and you have only one router connecting to the Internet, the best place for an intrusion detection system may be just inside the router or a firewall. If you have multiple paths to the Internet, you may want to place one IDS box at every entry point.
However if you want to detect internal threats as well, you may want to place a box in every network segment.
In many cases you don’t need to have intrusion detection activity in all network
segments and you may want to limit it only to sensitive network areas. Note that more intrusion detection systems mean more work and more maintenance costs. Your decision really depends upon your security policy, which defines what you really want to protect from hackers.
The image shows typical locations where you can place an intrusion detection system.
As you can see from the image, typically you should place an IDS behind each of
your firewalls and routers. In case your network contains a demilitarized zone (DMZ), an IDS may be placed in that zone as well. However, the alert generation policy should not be as strict in a DMZ compared to private parts of the network.