1. Snort is considered to be an NIDS/NIPS solution NOT IDS/IPS solution
2. Confirm MD5SUM - using md5sum
3. Verify the PGP/GPG signature - gpg --verify snort*.sig snort*.gz
4. pcre* - performs parsing of traffic using Perl-compatible Regular Expressions
5. libpcap - facilitates packet capturing @ a low level in the OSI model

OSI Model contains 7 Layers:
7 - Application
6 - Presentation
5 - Session
4 - Transport (sport:3100 - dport:80)
3 - IP routing (source_ip:192.168.1.20 - destination_ip:192.168.1.1)
2 - Data-Link (MAC) - Framing (Ethernet) - LIBPCAP (Snort)
1 - Physical - Switch/NIC/Hub/etc.

Snort's Modes of Operation:
1. there are 3 modes

Sniffing Mode - TCPDUMP - Packet Sniffer
Sniffing mode logs to the console, which is VERY slow
Consequently, Snort is subject to dropping a high percentage of packets
Note: Snort needs root privileges to change the NIC into promiscuous mode
Note: Snort binds to 'eth0' by default
snort -v - dumps TCP/IP packet headers
snort -vd - dumps TCP/UDP/ICMP headers to the output location
snort -vde - dumps full packet information (TCP/UDP/ICMP/IP headers and payload)
snort -vd(e) - the e switch adds layer 2-related information - MAC addresses
snort -v(d) - the d switch adds application-layer (Layer 7) information

2. Snort as a Packet Logger
a. default packet mode logs using ASCII files
b. only information specified using the -vde options will be captured (ASCII)
c. logging mode utilizes the same -vde switches to log information, plus the -l switch to indicate the location of output
snort -v -K ascii -l ./log - operates @ layers 3,4
snort -ve -K ascii -l ./log - operates @ layers 2,3,4 in the OSI model
snort -vde -K ascii -l ./log - operates @ layers 2,3,4,5,6,7
Tip: Use managed switches and restrict port capabilities to lessen eavesdropping/passive attacks (sniffing).
d. Binary Logging Mode - snort -b
Snort logs layers 2-7 when using binary mode
Default log directory is /var/log/snort
Default nomenclature for the binary output file: snort.log.<Unix Epoch Timestamp>
snort -b -L test.snort.binary.1 - writes /var/log/snort/test.snort.binary.1
Use fast disks for logging - 7200RPM or better / RAID 0

Berkeley Packet Filters (BPF) - feasible to log to screen (Sniffing mode)
1. Snort supports filtering captured traffic using BPFs
2. We need to use one or more qualifiers
3. 3 major categories of qualifiers:
a. Type qualifiers: host (default), net, port
b. Directional qualifiers: src, dst, src or dst (default), src and dst
c. Protocol qualifiers: tcp, udp, ether, ip, arp (ip->mac), rarp (mac->ip)
BPF supports the logical operators and / or (and negation with not, as in the examples below)
Note: BPF rules are specified AFTER the normal snort options
Syslog BPF: snort -vde port 514
When combining qualifiers you usually don't need to specify the qualifier twice, i.e.
snort -vde port 514 or 123
snort -vde not port 5901
snort -vdeC src 192.168.1.30 and not dst port 32790
Logging with BPFs - snort -b -l ./log not port 5901
Note: consider the perspective of the Snort box when writing rules
Snort can read TCPDUMP-compliant binary files using BPFs
1. snort -vder snort.log.1134955365 <BPF>
Use Snort in Daemon Mode to log interesting traffic:
snort -b -l ./log -D port 21

Configure Cisco Switch with appropriate VLANs and security
1. VLAN 1 - 192.168.1.0/24 - management subnet
2. VLAN 2 - represents the External (Internet) VLAN (PIX Firewall/ISP Device)
3. VLAN 3 - for all unused ports
Cisco 3500-48 Switch Management IP: 192.168.1.253
4. Disable all unused ports and assign them to VLAN 3
5. Secure access to the vty (telnet) ports using an access-list
6. Configure Network Time Protocol (NTP)

Common terms related to SPAN:
1. Port Mirroring
2. SPAN
3. Port Monitoring

Applying Packet Sniffing and logging modes to SPAN traffic - External
snort -vde -i eth1
snort -b -l ./log -i eth1
Note: Stealth Snort Interfaces should NOT have a layer-3 address!
1. Disable the layer-3 address

Configure Secondary Snort NIDS/NIPS Sensor - Sensor #2 (linuxcbtserv3)
1. configured the Cisco Switch port
2. ensured that the NIC was configured with static settings and no IP address
Note: We should only see the following traffic on Sensor #2:
a. Traffic from internal hosts to the Internet
b. Return traffic from the Internet
c. holes configured on the external firewall permitting inbound traffic

Prepare Snort to be an NIDS/NIPS (IPTables)
Note: NIDS/NIPS mode differs from the Sniffing/Packet-logging modes in that, in NIDS/NIPS mode, Snort compares traffic to pre-defined rules.
1. prepare /etc/snort (snort.conf, rules, associated files)
Snort's traffic flow:
a. Capture (NIC is in promiscuous mode / SPAN is enabled) ->
b. decode (normalization) ->
c. preprocessor (third-party modules) ->
d. detection engine (pattern-matching of traffic to signatures) ->
e. output logging (TCPDump, DBMS, CSV, etc.)

TCP 3-Way Handshake
1. attacker (client) -> SYN host (server)
2. host -> ACK attacker
3. attacker -> SYN|ACK

Stage 1 attacks (Reconnaissance Attacks) - Gather information
a. the attacker tends to use stealth means
frag2/frag3 preprocessor notes:
a. packets are fragmented during transmission across the Internet
1. 1500 bytes - Message/Maximum Transfer Unit (MTU), i.e. a 3000-byte file gets fragmented into 2 1500-byte packets - the defragmentation preprocessors reassemble the 3000-byte file
Preprocessors are defined to pick up reconnaissance attacks (NMAP)

Preprocessor - sfPortScan
scan_type { portscan portsweep decoy_portscan distributed_portscan all }
a. portscan - is vertical - scans 1 host for all open ports
b. portsweep - is horizontal - scans many hosts (IP block) for 1 or more common open ports
c. decoy_portscan - IP spoofing - intersperses fake IPs with the real IP
d. distributed_portscan - DDOS-style, scan from multiple hosts

Implementing the latest Community rules:
Note: if you start Snort in NIDS/NIPS mode without rules, it will fail

Snort's Outputs: Separate Alerts (a rule has been matched) from Logs (packets captured)
Default log location is a TCPDump-compliant binary file in /var/log/snort
Default Alert location is an ASCII file in /var/log/snort
SYSLOG: output alert_syslog: <facility> <priority> <options>

Unified Logging:
1. Snort's core competencies include the following:
a. Capturing traffic from stealth/non-stealth interfaces
b. Analyzing captured data
Note: Unified logging allows Snort to focus on its core competencies
2. Unified logging does the following:
a. Outputs both Log and Alert data to binary (TCPDump) format
b. Snort allows a separate program to process the log & alert data
c. Snort becomes a 2-process (Snort, Barnyard) environment
3. Steps to configuring Unified Logging:
a. reconfigure snort.conf - set up the Unified output plugins
b. Download and configure the Barnyard post-processor
4. Installation steps for Barnyard
a. ./configure
b. make
c. make install - perform as root - allows the binary to be copied to /usr/local/bin
5. Barnyard operates in 3 modes
a. One-shot -o - processes the specified binary file in one pass
b. Continual -f - Default Mode
c. Continual with checkpoint -w - writes a checkpoint file for easy recovery
Note: Barnyard relies upon /etc/snort/barnyard.conf

Configuring BASE for web-based analysis:
1. ADODB
2. BASE
3. php-gd*

Securing BASE Console:
1. Configure Apache for basic authentication (clear text)
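The frag2/frag3 notes above say why a defragmentation preprocessor sits in front of the detection engine: a signature that straddles a fragment boundary is invisible to per-packet matching. The following is an added example (not code from these notes or from the Snort project) that fragments a constructed 3000-byte payload at a 1500-byte MTU, reassembles the fragments out of order, rejects gaps and overlaps, and shows the signature is only found after reassembly. Byte offsets instead of IP's 8-byte units, the `SIGNATURE` constant and the sample payload are all simplifications and constructed values.

```python
"""Added example: fragment reassembly and why it matters for signature matching."""

SIGNATURE = b"bad string"  # constructed pattern, stands in for a rule's content: value

def fragment(payload, mtu):
    """Split payload into (offset, more_fragments, data) tuples of at most mtu bytes.
    Simplified: offsets are plain byte counts, not IP's 8-byte units."""
    frags = []
    for off in range(0, len(payload), mtu):
        chunk = payload[off:off + mtu]
        frags.append((off, off + mtu < len(payload), chunk))
    return frags

def reassemble(frags):
    """Rebuild the datagram from fragments in any order.
    Raises ValueError on a gap, an overlap, or a missing final (MF=0) fragment,
    which is the behaviour a preprocessor should flag rather than silently accept."""
    expected = 0
    out = bytearray()
    last_seen = False
    for off, more, data in sorted(frags, key=lambda f: f[0]):
        if off < expected:
            raise ValueError("overlapping fragment at offset %d" % off)
        if off > expected:
            raise ValueError("gap before offset %d" % off)
        out += data
        expected = off + len(data)
        last_seen = not more
    if not last_seen:
        raise ValueError("last fragment (MF=0) never arrived")
    return bytes(out)

def signature_seen(frags, signature=SIGNATURE):
    """Return (hit_in_any_single_fragment, hit_after_reassembly)."""
    per_fragment = any(signature in data for _, _, data in frags)
    reassembled = signature in reassemble(frags)
    return per_fragment, reassembled

# Constructed 3000-byte payload with the signature placed across the 1500-byte boundary.
PAYLOAD = b"A" * 1495 + SIGNATURE + b"B" * (3000 - 1495 - len(SIGNATURE))
FRAGS = fragment(PAYLOAD, 1500)

if __name__ == "__main__":
    print("fragments:", [(off, more, len(d)) for off, more, d in FRAGS])
    print("signature in any single fragment / after reassembly:", signature_seen(FRAGS))
```

Running it shows two fragments, `(False, True)` for the signature check, and reassembling only the second fragment raises the gap error.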
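The sfPortScan scan types listed above (vertical portscan, horizontal portsweep, distributed portscan) can be told apart by counting distinct targets and ports per source, and distinct sources per target. This is an added example written for these notes, not sfPortScan's own algorithm or code: it classifies constructed connection records with hypothetical thresholds (`port_threshold`, `host_threshold`, `source_threshold`). A decoy_portscan is not distinguishable from these records alone, because the decoy addresses look like independent sources.

```python
"""Added example: classifying sfPortScan-style scan types from connection records."""
from collections import defaultdict

# Constructed connection attempts as (src_ip, dst_ip, dst_port); not captured traffic.
RECORDS = (
    # vertical portscan: one source, one host, many ports
    [("10.0.0.5", "192.168.1.20", p) for p in (21, 22, 23, 25, 80, 110, 143, 443, 3306, 3389)]
    # horizontal portsweep: one source, one port, many hosts
    + [("10.0.0.9", "192.168.1.%d" % h, 22) for h in range(1, 13)]
    # distributed portscan: several sources that together cover many ports on one host
    + [("10.0.1.%d" % s, "192.168.1.30", p)
       for s, p in zip(range(1, 9), (21, 22, 25, 80, 110, 143, 443, 8080))]
    # ordinary traffic that must not be flagged
    + [("192.168.1.40", "192.168.1.1", 53), ("192.168.1.40", "192.168.1.1", 53)]
)

def classify_scans(records, port_threshold=5, host_threshold=5, source_threshold=4):
    """Return {ip: scan_type}.
    Keys are the scanning source for portscan/portsweep, and the scanned target for
    distributed_portscan (where no single source crosses a threshold on its own).
    Thresholds are hypothetical tuning knobs, not sfPortScan's defaults."""
    by_src = defaultdict(lambda: {"hosts": set(), "ports": set()})
    by_dst = defaultdict(lambda: {"sources": set(), "ports": set()})
    for src, dst, port in records:
        by_src[src]["hosts"].add(dst)
        by_src[src]["ports"].add(port)
        by_dst[dst]["sources"].add(src)
        by_dst[dst]["ports"].add(port)

    findings = {}
    for src, seen in by_src.items():
        if len(seen["hosts"]) == 1 and len(seen["ports"]) >= port_threshold:
            findings[src] = "portscan"        # vertical: 1 host, many ports
        elif len(seen["hosts"]) >= host_threshold and len(seen["ports"]) < port_threshold:
            findings[src] = "portsweep"       # horizontal: many hosts, few ports
    for dst, seen in by_dst.items():
        individually_flagged = any(s in findings for s in seen["sources"])
        if (not individually_flagged
                and len(seen["sources"]) >= source_threshold
                and len(seen["ports"]) >= port_threshold):
            findings[dst] = "distributed_portscan"  # many sources, many ports, one target
    return findings

if __name__ == "__main__":
    for ip, kind in sorted(classify_scans(RECORDS).items()):
        print("%-15s %s" % (ip, kind))
```

On the constructed records this reports 10.0.0.5 as a portscan, 10.0.0.9 as a portsweep and 192.168.1.30 as the target of a distributed portscan, while the DNS traffic from 192.168.1.40 is left alone.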
Output Database section of snort.conf - make sensors unique by:
sensor_name=sensor1
sensor_name=sensor2

Configuring Startup Environment for NIDS Framework:
1. Configure each sensor to load Snort @ startup
2. Configure DBMS/HTTP (BASE) to start MySQL & HTTPD @ startup
#Initialize Snort Sensor
#Enable sensor on Stealth - External - Internet-facing Interface
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -D
#Enable sensor on Management - Non-Stealth - Intranet-facing Interface
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -D

Understand Snort Rules:
Rules contain 2 sections:
a. Rule Header
b. Rule Body
Rule Header: alert|pass|drop|etc. tcp|udp|icmp|ip $EXTERNAL_NET any ->|<> 192.168.1.0/24 80
Rule Body: (content:"bad string"; msg:"Hack Attempt";)
Auto-Rules Update: Download and use oinkmaster from oinkmaster.sourceforge.net
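To make the header/body split concrete, here is an added example (not part of these notes and not Snort's own parser) that parses a rule of the shape shown above into its header fields and body options, resolves `$EXTERNAL_NET` from a hypothetical variable table, and checks a constructed packet against it. The rule text, the `VARS` table, the sid value and the packet fields are all constructed sample values.

```python
"""Added example: parsing a Snort rule header/body and matching it against a packet."""
import ipaddress
import re

# Constructed rule and variable table (sample values, not from a real ruleset).
RULE = ('alert tcp $EXTERNAL_NET any -> 192.168.1.0/24 80 '
        '(content:"bad string"; msg:"Hack Attempt"; sid:1000001; rev:1;)')
VARS = {"EXTERNAL_NET": "!192.168.1.0/24", "HOME_NET": "192.168.1.0/24"}

# Header: action proto src sport direction dst dport, then the body in parentheses.
HEADER_RE = re.compile(
    r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S)
# Body: key:value; pairs; a quoted value may itself contain ';'.
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = [(k, v.strip().strip('"')) for k, v in OPTION_RE.findall(body)]
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}

def _addr_matches(spec, ip, variables):
    """Handle any, $VAR, CIDR, and ! negation."""
    if spec.startswith("$"):
        spec = variables[spec[1:]]
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate

def _port_matches(spec, port):
    """Handle any, a single port, a lo:hi range, and ! negation."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, hi = spec.split(":")
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = int(spec) == port
    return hit != negate

def rule_matches(rule, pkt, variables=VARS):
    """pkt is a dict with proto, src, sport, dst, dport and payload (bytes).
    Every content: option must appear in the payload for the rule to fire."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    forward = (_addr_matches(rule["src"], pkt["src"], variables)
               and _port_matches(rule["sport"], pkt["sport"])
               and _addr_matches(rule["dst"], pkt["dst"], variables)
               and _port_matches(rule["dport"], pkt["dport"]))
    if rule["direction"] == "<>":  # bidirectional: also try the swapped endpoints
        forward = forward or (_addr_matches(rule["src"], pkt["dst"], variables)
                              and _port_matches(rule["sport"], pkt["dport"])
                              and _addr_matches(rule["dst"], pkt["src"], variables)
                              and _port_matches(rule["dport"], pkt["sport"]))
    if not forward:
        return False
    contents = [v.encode() for k, v in rule["options"] if k == "content"]
    return all(c in pkt["payload"] for c in contents)

# Constructed packet from an external host to a web server on the home network.
SAMPLE_PKT = {"proto": "tcp", "src": "10.20.30.40", "sport": 51515,
              "dst": "192.168.1.20", "dport": 80, "payload": b"GET /?q=bad string HTTP/1.0"}

if __name__ == "__main__":
    r = parse_rule(RULE)
    print(r["action"], r["proto"], r["src"], "->", r["dst"], r["dport"], r["options"])
    print("matches:", rule_matches(r, SAMPLE_PKT))
```

The same packet from a source inside 192.168.1.0/24 does not match, because `$EXTERNAL_NET` resolves to the negated home network; that is the "perspective of the Snort box" point from the BPF notes applied to rule variables.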