LinuxCBT NIDS Edition - Snort:

1. Snort is considered to be an NIDS/NIPS solution NOT IDS/IPS solution

2. Confirm MD5SUM - using md5sum
3. Verify the PGP/GPG signature - gpg --verify snort*.sig snort*.gz
4. pcre* - performs parsing of traffic using Perl-compatible Regular Expressions
5. libpcap - facilitates packet capturing @ a low-level in OSI-model
OSI Model contains 7-Layers:
7 - Application
6 - Presentation
5 - Session
4 - Transport(sport:3100 - dport:80)
3 - IP routing(source_ip:192.168.1.20 - destination_ip:192.168.1.1)
2 - Data-Link(MAC) - Framing(Ethernet) - LIBPCAP(Snort)
1 - Physical - Switch/NIC/Hub/etc.
Snort's Modes of Operation:
1. there are 3 modes
Sniffing Mode - TCPDUMP - Packet Sniffer
Sniffing mode logs to the console, which is VERY slow
Consequently, Snort is subject to dropping a high-percentage of packets
Note: Snort needs root privileges to change NIC into promiscuous mode
Note: Snort binds to 'eth0' by default
snort -v - dumps TCP/IP packet headers
snort -vd - dumps to the output location TCP/UDP/ICMP headers
snort -vde - dumps full packet information (TCP/UDP/ICMP/IP headers and payload)
snor -vd(e) - layer 2 - related - MAC addresses
snort -v(d) - application layer(Layer 7) information
2. Snort as a Packet Logger
a. default packet mode logs using ASCII files
b. only information specified using -vde options will be captured (ASCII)
c. logging mode utilizes same -vde switches to log information plus -l switch to indication location of output
snort -v -K ascii -l ./log - operates @ layers 3,4
snort -ve -K ascii -l ./log - operates @ layers 2,3,4 in OSI model
snort -vde -K ascii -l ./log - operates @ layers 2,3,4,5,6,7
Tip: Use managed-switches and restrict port-capabilities to lessen eavesdropping/passive attacks; sniffing.
d. Binary Logging Mode - snort -b
Snort logs layers 2-7 when using binary mode
Default log directory is /var/log/snort
Default nomenclature for binary output file: snort.log.Unix Epoch Timestamp
snort -b -L test.snort.binary.1 - /var/log/snort/test.snort.binary.1
Use fast disks for logging - 7200RPM or better/RAID 0
Berkeley Packet Filters (BPF) - feasible to log to screen (Sniffing mode)
1. Snort supports filtering captured traffic using BPFs
2. We need to use one or more qualifiers
3. 3 major categories of qualifiers:
a. Type qualifiers: host(default), net, port
b. Directional qualifiers: src, dst, src or dst(default), src and dst
c. Protocol qualifiers: tcp, udp, ether, ip, arp(ip-mac), rarp(mac-ip)
BPF supports logical and AND or
Note: BPF rules are specified AFTER normal snort options
Syslog BPF: snort -vde port 514
When combining qualifier you usually don't need to specify the qualifier twice. i.e.

snort -vde port 514 or 123

snort -vde not port 5901
snort -vdeC src 192.168.1.30 and not dst port 32790
Logging with BPFs - snort -b -l ./log not 5901
Note: consider perspective of Snort box when writing rules
Snort can read TCPDUMP-compliant binary files using BPFs
1. snort -vder snort.log.1134955365 <BPF>
Use Snort in Daemon Mode to log interesting traffic.
snort -b -l ./log -D port 21
Configure Cisco Switch with appropriate VLANs and security
1. VLAN 1 - 192.168.1.0/24 - management subnet
2. VLAN 2 - represents External(Internet) VLAN (PIX Firewall/ISP Device)
3. VLAN 3 - for all unused ports
Cisco 3500-48 Switch Management IP: 192.168.1.253
4. Disable all unused ports and assign them to VLAN 3
5. Secure access to the vty (telnet) ports using an access-list
6. Configure Network Time Protocol (NTP)
Common terms related to SPAN:
1. Port Mirroring
2. SPAN
3. Port Monitoring
Applying Packet Sniffing and logging modes to SPAN traffic - External
snort -vde -i eth1
snort -b -l ./log -i eth1
Note: Stealth Snort Interfaces should NOT have a layer-3 address!
1. Disable layer-3 address
Configure Secondary Snort NIDS/NIPS Sensor - Sensor #2 (linuxcbtserv3)
1. configured the Cisco Switch port
2. ensured that the NIC was configured to static settings with no IP address
Note: We should only see the following traffic on Sensor #2:
a. Traffic from internal hosts to the Internet
b. Return traffic from the Internet
c. holes configured on the external firewall permitting inbound traffic
Prepare Snort to be an NIDS/NIPS(IPTables)
Note: NIDS/NIPS mode differs from Sniffing/Packet-logging modes in that, in NIDS/NIPS mode, Snort compares traffic to
pre-defined rules.
1. prepare /etc/snort (snort.conf, rules, associated files)
Snort's traffic flow:
a. Capture (NIC is in promiscuous mode/SPAN is enabled) ->
b. decode(normalization) ->
c. preprocessor(third-party modules)
d. detection engine (pattern-matching of traffic to signatures)
e. output logging (TCPDump, DBMS, CSV, etc.)
TCP 3-Way Handshake
1. attacker(client) -> SYN host(server)
2. host -> ACK attacker
3. attacker -> SYN|ACK
Stage 1 attacks (Reconnaissance Attacks) - Gather information

a. the attacker tends to use stealth means

frag2/frag3 preprocessor notes:
a. packets are fragmented during transmission across the Internet
1. 1500 bytes - Message/Maximum Transfer Unit (MTU)
i.e. file = 3000 bytes gets fragmented into 2 1500-byte packets
- defragmentation preprocessors reassemble the 3000-byte file
Preprocessors are defined to pickup reconnaissance attacks (NMAP)
Preprocessor - sfPortScan
scan_type { portscan portsweep decoy_portscan distributed_portscan all }
a. portscan - is vertical - scans 1 host for all open ports
b. portsweep - is horizontal - scans many hosts(IP block) for 1 or more common open ports
c. decoy_portscan - ip spoofing - intersperse fake IPs with real ip
d. distributed_portscan - DDOS, scan from multiple hosts
Implementing latest Community rules:
Note: if you start Snort in NIDS/NIPS modes without rules, it will fail
Snort's Outputs:
Separate Alerts(rule has been matched) from Logs(packets captured)
Default log location is a TCPDump compliant binary file in /var/log/snort
Default Alert location is an ASCII file in /var/log/snort
SYSLOG:
output alert_syslog: <facility> <priority> <options>
Unified Logging:
1. Snort's core-comptencies include the following:
a. Capturing traffic from stealth/non-stealth interfaces
b. Analyzing captured data
Note: Unified logging allows Snort to focus on its core competencies
2. Unified logging does the following:
a. Outputs both Log and Alert data to binary(TCPDump) format
b. Snort allows a separate program to process the logs & alert data
c. Snort becomes a 2-process (Snort, Barnyard) environment
3. Steps to configuring Unified Logging:
a. reconfigure snort.conf - setup Unified output plugins
b. Download and configure Barnyard post-processor
4. Installation steps for Barnyard
a. ./configure
b. make
c. make install - perform as root - allows copy of binary to /usr/local/bin
5. Barnyard operates in 3 modes
a. One-shot -o - process in one-pass the specifed binary file
b. Continual -f - Default Mode
c. Continual with checkpoint -w - Writes checkpoint file for easy
Note: Barnyard relies upon /etc/snort/barnyard.conf
Configuring BASE for web-based analysis:
1. ADODB
2. BASE
3. php-gd*
Securing BASE Console:

recovery

1. Configure Apache for basic authentication (clear text)

Output Database section of snort.conf - make sensors unique by:
sensor_name=sensor1
sensor_name=sensor2
Configuring Startup Environment for NIDS Framework:
1. Configure each sensor to load Snort @ startup
2. Configure DBMS/HTTP(BASE) to start MySQL & HTTPD @ startup
#Initialize Snort Sensor
#Enable sensor on Stealth - External - Internet-facing Interface
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -D
#Ensable sensor on Management - Non-Stealth - Intranet-facing Interface
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -D
Understand Snort Rules:
Rules contain 2 sections:
a. Rule Header
b. Rule Body
Rule Header:
alert|pass|drop|etc. tcp|udp|icmp|ip $EXTERNAL_NET any ->|<> 192.168.1.0/24 80
Rule Body:
(content: "bad string"; msg: Hack Attempt)
Auto-Rules Update:
Download and use oinkmaster from oinkmaster.sourceforge.net