Installation of an
08/05/06 – 07/07/06
Year 2005-2006
Høgskolen I Sør-Trøndelag
Telecom-Lille
Telecommunication placement
Table of contents
Introduction
I. Presentation
    A. Norway
    B. Trondheim
    C. The Sør-Trøndelag University College
    D. The Faculty of Informatics and e-Learning
    E. The network of the school
II. Before using Snort
    A. Introducing Snort
        What is an IDS?
        What is Snort?
    B. Discover Debian Linux
        Windows mode
        Shell mode
    C. Install Snort
III. Snort
    A. Before using Snort as an IDS
        First uses of Snort
        Snort as sniffer and logger
    B. Snort as an IDS
    C. User's quick manual
Conclusion
Glossary
Bibliography and links
    Books:
    Websites:
Appendix
Introduction
I. Presentation
A. Norway
Norway is not a part of the European Union but the country takes part in active cooperation with it. The government held two referendums on joining the EU but the result was always "no". Norwegian foreign policy is based on active international cooperation. The country is a member of the United Nations and the North Atlantic Treaty Organisation.
B. Trondheim
Trondheim takes up around 350 km² (for comparison, Lille takes up 40 km² and has 230,000 inhabitants). So it has all the charm of a small town (with low density) but the facilities of a city. Crime is fortunately rare and the social atmosphere is friendly. You can find a lot of quiet places in the city, especially along the well-preserved coast of the fjord, and, as in most parts of Norway, mountains, forests and fjords are close at hand.
Work, Nursing, Teacher Education and Deaf Studies, Technology, Food Science and Medical Technology, Business Administration and, the one we are interested in, Informatics and e-Learning.
The bachelor in IT-supported Business Administration focuses on how to use IT to improve business. To do so, this programme gives students the necessary background in economics and business. In brief, it covers three areas: business development (economics, product development, etc.), organisation (cooperation, project management, etc.) and informatics (lighter subjects such as web publishing and basic security).
E. The network of the school
All of Norway's colleges and universities are connected, and any non-commercial research or educational institution such as libraries, archives and schools may be connected for a yearly fee. You can find the map of this network in the appendix.
[Figure: diagram of the school network; labelled nodes Kaluskinnet-gsw.hist.no, br280-sw.hist.no, Other Networks, Test Network]
This network is made up of optical fibre between buildings and floors, and the connections on the same floor are made with Ethernet cables.
II. Before using Snort
A. Introducing Snort
What is an IDS?
There are two main, distinct families of IDS: the Network Intrusion Detection System (NIDS) and the Host Intrusion Detection System (HIDS).
even be staged from inside the monitored network or network segment, and are therefore not regarded as incoming traffic at all.
What is Snort?
B. Discover Debian Linux
The servers on which Snort had to be installed run Linux, the Debian distribution, and for me that was the first difficulty I encountered.
Windows mode
Something I had to understand was the directory structure. The root folder is / and inside it you can find /home for personal documents (a folder subdivided into one directory per user: /home/root, /home/david, etc.), /tmp for temporary files, and so on.
To install software, you have two choices. The first way (the simplest) consists of using the package manager (KPackage with the KDE interface, or the aptitude command in the shell). But most Linux users prefer the second way: download the source code as a tar.gz archive, compile it and install it themselves. This is harder and you need to know how your computer operates, but it is more configurable and flexible.
Shell mode
As I said, the biggest difficulty for me was the shell. To make it easier to use, I always used the terminal program in window mode, which lets me use the shell more safely and also lets me use several shells at the same time (helpful for keeping an eye on the help file while running a program). I also used a small program running under Windows®, called PuTTY, which let me take control of the Linux machine from my laptop over a secured SSH connection.
• cd: the command to browse the different directories. cd directory puts you in the directory specified, cd - changes to the previous directory and cd .. changes to the parent directory.
C. Install Snort
When I had got used to the shell, I installed Snort from its source code. It was not so easy and I spent many hours on it. I will sum up here the main steps to install Snort, with some of the main problems I encountered.
To begin, I needed to download the source code. For Linux, the code is downloadable as a tar.gz archive. So I went to the Snort website with a web browser and downloaded it to /usr/local/src/gz. After this, I unpacked it with the command tar zxf. tar is a command for archives, z is the option for gz compression, x for extract and f to create a new directory before unpacking.
In the new folder where the files had been extracted, a file was very
useful: INSTALL. This file explained how to install snort and its first
warning was about the libpcap library. I needed it but I didn’t manage to
find it on the computer. In the website Debian.org, there is a search
engine to know in which packages we can find a file. So, I installed a
package with the libpcap library.
you if you want to uninstall the software (which I did several times), but it involves building some links yourself.
The second step uses the command make. This command reads the Makefile (generated by configure) and compiles the source code to build the executable program.
The third step, make install, again invokes make, which finds the target install in the Makefile and follows its directions to install the program.
These three steps, "configure, make, make install", are common to most software under Linux and are very well known, even though I discovered them for the first time during this placement.
It was only after all this that I could start to use Snort, and I will explain this in the third main part of this report.
III. Snort
The first of them was the network definition: where the internal network (defined by the variable HOME_NET) and the external network (defined by EXTERNAL_NET) are. To create an internal and an external network for the tests, we installed a second network card in the computer (with some hardware difficulties) and configured the computer as a gateway between my personal laptop and the school network. In this way, the Linux machine was like a server, with my laptop as the internal network and the school network as the external network. To define the networks, I chose the easiest and most complete solution: all the traffic through each card was treated as one network (it is also possible to analyse traffic coming from a list of IP addresses).
The USAGE file is a very well written help for beginners which explains step by step how to use Snort, from the simplest way to the most complete functions.
The simplest mode in Snort is the sniffer mode, which just prints the TCP/IP packet headers to the screen. The simplest command in this mode is snort -v: this runs Snort and just shows the IP addresses and the TCP/IP packet headers on the screen, nothing else. If you want to see the payload data in transit, you can type snort -vd (or snort -v -d, it is the same). This prints out the packet data as well as the headers. And if you want an even more descriptive display, showing the data link layer headers, type snort -vde. The option -e displays the layer 2 packet header data. To stop Snort, just press Ctrl+C.
If you want to record the packets to disk, you need to specify a logging directory and Snort will automatically go into packet logger mode. For example, create a directory log in your current directory (using the command mkdir log) and then run Snort with these options: snort -vde -l ./log. The -vde option still does the same thing and the -l option tells Snort where it has to store the logs. If you are on a high speed network, or if you want to log the packets in a more compact form for later analysis, you can log in "binary mode". Binary mode logs the packets in tcpdump format to a single binary file in the logging directory specified. To use binary mode, type snort -l ./log -b (-b for binary). Here we don't use the -vde option because it is not useful and, on a high speed network, it is even a little dangerous because of the slowness of verbose mode, which will drop packets (not many, but some).
In reality, I didn't use the logger mode. I used the sniffer mode to see whether there were any bugs and, as soon as all the bugs were fixed, I used the IDS mode.
B. Snort as an IDS
Networks, my laptop working as the internal network, communicating
with the Internet through the Debian machine.
To enable the NIDS mode in Snort, you just have to use the option -c followed by the name of the rules file. As I already said, I used the snort.conf file. It is very useful because it contains all the variable definitions and, moreover, it lets you load several rules files at the same time.
To do this, you have to place all the rules files in the same directory. By default, some common rules files are in /etc/snort/rules (these are just some common rules, but you can download or write many rules files yourself). Because it is more convenient, I copied the rules directory to /usr/local/snort, with all the other Snort files. After this, you have to define in snort.conf what the rule path is (not necessary but highly advisable) and, at the end of snort.conf, you will find some lines like include $RULE_PATH/rules.rules where rules is the name of the rules file. To decide which rules must be applied and which must not, just put a # at the beginning of the lines you do not want to apply (that comments the line out, so it won't be applied).
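An added example (not code from the report or from Snort itself) that reads a snort.conf fragment and lists which include lines are active and which are commented out with #, expanding $RULE_PATH on the way and flagging includes whose variable was never defined; the sample configuration and rule file names are constructed.

```python
# Added example (not from the report): list which rules files a snort.conf
# fragment actually loads. Snort 2 syntax is assumed: "var NAME value" lines,
# "include $RULE_PATH/file.rules" lines, and a leading "#" disabling a line.
import re

# Constructed sample of the relevant snort.conf lines, not the report's real file.
SAMPLE_CONF = """\
var HOME_NET 10.0.0.0/24
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /usr/local/snort/rules
include $RULE_PATH/local.rules
include $RULE_PATH/scan.rules
#include $RULE_PATH/web-iis.rules
# include $RULE_PATH/oracle.rules
include $RULES/old.rules
"""

VAR_RE = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\w+)\s+(.+?)\s*$")
INCLUDE_RE = re.compile(r"^\s*(#\s*)?include\s+(\S+)")

def expand(value, variables):
    """Replace $NAME references with their definitions (a few passes, for nesting)."""
    for _ in range(8):
        new = re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)
        if new == value:
            break
        value = new
    return value

def parse_conf(text):
    """Return (variables, active_rule_files, disabled_rule_files) for a snort.conf."""
    variables, active, disabled = {}, [], []
    for line in text.splitlines():
        var = VAR_RE.match(line)
        if var:
            variables[var.group(1)] = expand(var.group(2), variables)
            continue
        inc = INCLUDE_RE.match(line)
        if inc:
            (disabled if inc.group(1) else active).append(expand(inc.group(2), variables))
    return variables, active, disabled

def unresolved(active):
    """Rule files still containing a $NAME: a typo in a var name or a missing definition."""
    return [path for path in active if "$" in path]
```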
When you have chosen your rules files, type snort -c snort.conf. This runs Snort with the configuration chosen in snort.conf and logs the alerts in /var/log/snort. If you want to store them in another folder, say so with the option -l (the same as in logger mode). When Snort runs like this, it logs the packets in a directory hierarchy based on the IP address of one of the hosts in the datagram, and it logs the alerts in a single file named alert. If you want to print the alerts to the screen (not the whole packet, just the alerts), use the option -A console. You can also run Snort in daemon mode, using the option -D.
When you quit Snort by typing Ctrl+C, a statistics table appears which tells you the number of packets sniffed, their type and ratio, and the number of alerts (logged or passed).
To test the rules and see whether Snort really did its work, the idea was simple: I ran Snort on the Debian machine and, with my laptop, I did something wrong. Then I just had to see whether Snort logged my outlaw packets. I did this for most of the rules.
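As an added example, not code from the report: a small parser for the single alert file, summarising how many times each rule fired and from which host, so you can check that the test traffic from the laptop was actually logged. It assumes Snort's full alert layout and uses constructed sample alerts.

```python
# Added example (not from the report): summarise Snort's "alert" file. The Snort 2
# full alert layout is assumed: records separated by a blank line, a
# "[**] [gid:sid:rev] message [**]" header, a priority line, a "timestamp src -> dst"
# line and a protocol line. The sample below is constructed (laptop -> gateway).
import re
from collections import Counter, namedtuple

SAMPLE_ALERTS = """\
[**] [1:1000001:1] LOCAL SSH connection to gateway [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/12-14:03:21.118322 10.0.0.5:49152 -> 10.0.0.1:22
TCP TTL:64 TOS:0x0 ID:4213 IpLen:20 DgmLen:60 DF

[**] [1:1000002:1] LOCAL ICMP ping from laptop [**]
[Classification: Misc activity] [Priority: 3]
06/12-14:03:25.002211 10.0.0.5 -> 10.0.0.1
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF

[**] [1:1000001:1] LOCAL SSH connection to gateway [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/12-14:05:02.770010 10.0.0.5:49160 -> 10.0.0.1:22
TCP TTL:64 TOS:0x0 ID:4290 IpLen:20 DgmLen:60 DF
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
PRIO_RE = re.compile(r"\[Priority: (\d+)\]")
FLOW_RE = re.compile(r"^(\S+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")
Alert = namedtuple("Alert", "sid msg priority timestamp proto src dst")

def parse_alert_file(text):
    """Turn the text of a Snort full-format alert file into Alert records."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        head = HEADER_RE.match(lines[0]) if lines else None
        if not head:
            continue  # not an alert record: skip it
        priority, ts, proto, src, dst = 0, "", "", "", ""
        for line in lines[1:]:
            prio, flow = PRIO_RE.search(line), FLOW_RE.match(line)
            if prio:
                priority = int(prio.group(1))
            elif flow:
                ts, src, dst = flow.group(1), flow.group(2), flow.group(4)
            elif not proto and line[:1].isalpha():
                proto = line.split()[0]  # "TCP TTL:64 ..." -> "TCP"
        alerts.append(Alert(int(head.group(2)), head.group(4), priority, ts, proto, src, dst))
    return alerts

def summarize(alerts):
    # Count alerts per signature (sid, message) and per source host.
    return Counter((a.sid, a.msg) for a in alerts), Counter(a.src for a in alerts)
```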
When I understood how to run Snort, I could write a manual for the next users. I asked Øyvind how I should write it (text document, Microsoft Word document, etc.) and he answered that he would like an HTML document, very basic, with no graphics and just the necessary.
I decided to split the tutorial into three parts: first, how to install and configure Snort; then, how to run Snort; and finally, I chose to explain the rules system.
Conclusion
I would like to thank Øyvind again for his help, his patience and his presence during this entire placement, in the everyday work as much as in the discovery of Norwegian life.
I am sure this placement will be helpful to me and will have a great impact on my future.
Glossary
• IDS: Intrusion Detection System. There exist two types of IDS: NIDS, Network Intrusion Detection System, and HIDS, Host Intrusion Detection System.
Bibliography and links
Books:
The Debian System, Concepts and Techniques; Martin F. Krafft
Websites:
www.hist.no
www.aitel.hist.no
www.uninett.no
www.debian.org
www.snort.org
www.wikipedia.org
Appendix
The manual I wrote for AITeL users was supposed to be reachable only by authorized people on an internal webpage, but it is finally available to everybody and you can reach it at this address: http://aitel.hist.no/labben/snort/.
David Férot 08/05 – 07/07/2006 FI 2009
Placement at the faculty of informatics
and e-learning in Trondheim
A lifetime experience
This training period was my first real stay abroad. I had the opportunity to discover an unknown country, its way of life, culture and language, and I discovered what Norway is, beyond the stereotypes. Norway is a welcoming country with open-minded people and it was easy to meet them.
IDS
An intrusion detection system inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. It is a good complement to a firewall.
In a network-based system (NIDS), the individual packets flowing through a network are analyzed. The NIDS can detect malicious packets that are designed to be overlooked by a firewall's simplistic filtering rules. In a host-based system (HIDS), the IDS examines the activity on each individual computer or host.
[Figure: External Network - NIDS - Internal Network]
Snort at AITeL