1. Introduction

Intrusion detection and incident response are key components in securing any organization's assets. What actually is an intrusion? How do you detect an intrusion? And how do you respond to an intrusion? These are the key areas of this article.

In order to detect intrusions you must know the normal behavior of your network infrastructure, so that any abnormal behavior stands out like a drop of blue ink in a glass of water; and you have to act on that intrusion promptly, or its trace will vanish just as the ink does. There are many systems and scenarios by which you can detect intrusions in your network infrastructure.

An Intrusion Detection System (IDS) can detect intrusions for a single host or for a complete subnet in a switched environment; where you deploy an IDS depends on the design of your network infrastructure. To keep this article practical, let me explain how an IDS works in a switched environment. There are two types:

a. Host based IDS (HIDS)
b. Network based IDS (NIDS)

Let's discuss the NIDS. Say you have a DMZ where your FTP, HTTP and database servers are placed, and you are worried about intrusions coming in through the internet-facing interface of your perimeter device.

To monitor intrusions in a switched environment you need a packet-level intrusion detection system, and the choice I would recommend is the de-facto standard for intrusion detection, Snort! Keep in mind that in a switched environment a sensor only sees the traffic for its own switch port, so the DMZ traffic has to be copied to the sensor with a mirror (SPAN) port or a network tap.

2. Packet Analysis

Scenario: a security analyst needs to monitor intrusions directed at the servers. The answer is to place an intrusion detection system in the DMZ.

Preparing the Snort Box:

Snort is the de-facto standard for intrusion detection, and I would say for intrusion prevention as well. You can download Snort from snort.org; it is freely available. At this stage I am assuming you have downloaded Snort. To be clear, Snort is an open source intrusion detection system that runs on Linux and Unix platforms.

I would also recommend that you prepare a dedicated Linux machine (CentOS Server is recommended), stop all unnecessary services, make sure MySQL server, PHP and Apache are installed (the --with-mysql build below logs alerts to MySQL), and harden this Linux box first. When you are done hardening your CentOS server, it's time for snorting.

Untar the Snort source you have just downloaded into /usr/snort and use the following commands to install Snort.

Configure Snort accordingly (from the top of the source tree):
# ./configure --with-mysql --enable-dynamicplugin

Once configure finishes without errors, build Snort with the make command:
# make

If that shows no errors, install your freshly configured Snort with make install:
# make install

Once Snort is installed you need to add a snort group and user; use the following commands:
# groupadd snort
# useradd -g snort snort -s /sbin/nologin

Now create the following directories:
# mkdir /etc/snort
# mkdir /etc/snort/rules
# mkdir /var/log/snort

Then copy the configuration files from the source tree (note that this is not /etc; it is the etc directory under the Snort source code):
# cd etc/
# cp * /etc/snort

In the source code directory there is also a rules directory; copy all of the rules into /etc/snort/rules.

At this stage your IDS is installed; now you need to learn how to use it effectively in order to detect intrusions coming into your DMZ.

This is a high-level overview; if you would like to learn more about installing and configuring Snort, please read the Snort user manual available on snort.org.

Snort runs in four different modes, which are as follows.
o Sniffer mode, which simply reads the packets off of the network and displays them for you in a continuous stream on the console (screen).
o Packet Logger mode, which logs the packets to disk.
o Network Intrusion Detection System (NIDS) mode, the most complex and configurable mode, which allows Snort to analyze network traffic for matches against a user-defined rule set and perform several actions based upon what it sees.
o Inline mode, which obtains packets from iptables instead of from libpcap and then causes iptables to drop or pass packets based on Snort rules that use inline-specific rule types.

Let me explain the modes of Snort one by one.

First, let's start with the basics. If you just want to print out the TCP/IP packet headers to the screen (i.e. sniffer mode), try this:
# snort -v
This command will run Snort and show just the IP and TCP/UDP/ICMP headers, nothing else. If you want to see the application data in transit, try the following:
# snort -vd
This instructs Snort to display the packet data as well as the headers. If you want an even more descriptive display, showing the data link layer headers, do this:
# snort -vde
(As an aside, these switches may be divided up or smashed together in any combination. The last command could also be typed out as the following, and it would do the same thing.)
# snort -d -v -e

As we want to detect intrusions in our DMZ we will run Snort as an intrusion detection system. To enable network intrusion detection (NIDS) mode, so that we don't need to record every single packet sent down the wire, try this command:
# snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
Here snort.conf is the name of your configuration file (which in turn includes your rules files), -h 192.168.1.0/24 is your home network (the DMZ subnet you want to protect) and -l ./log is the log directory, which must already exist. Snort will apply the rules loaded through snort.conf to each packet to decide whether an action based upon the rule type should be taken. If you don't specify an output directory for the program, it will default to /var/log/snort.

One thing to note about the last command line is that if Snort is going to be used in a long term way as an IDS, the -v switch should be left off the command line for the sake of speed. The screen is a slow place to write data to, and packets can be dropped while writing to the display.

It's also not necessary to record the data link headers for most applications, so you can usually omit the -e switch, too:
# snort -d -h 192.168.1.0/24 -l ./log -c snort.conf
This will configure Snort to run in its most basic NIDS form, logging packets that trigger rules specified in snort.conf in plain ASCII to disk using a hierarchical directory structure (just like packet logger mode). Since we created a snort user and group above, add -u snort -g snort to this command line for long-term use, so that Snort drops its root privileges once it has opened the capture interface.

Now that I have covered enough about Snort, let me explain how Snort alerts when it detects an intrusion. As I mentioned at the beginning of this document, you can only detect intrusions when you know the normal behavior of your network.

When Snort generates an alert message, it will usually look like the following:
[**] [116:56:1] (snort_decoder): T/TCP Detected [**]

The first number is the Generator ID (GID); this tells the user what component of Snort generated this alert. For a list of GIDs, please read etc/generators in the Snort source. In this case, we know that this event came from the "decode" (116) component of Snort.

The second number is the Snort ID (SID, sometimes referred to as the Signature ID). For a list of preprocessor SIDs, please see etc/gen-msg.map. Rule-based SIDs are written directly into the rules with the sid option. In this case, 56 represents a T/TCP event.

The third number is the revision ID. This number is primarily used when writing signatures, as each revision of the rule should increment this number with the rev option.