A Brief Tutorial in Snort Jaland Worley CT312-900 12/10/2011 Ralph DeFrangesco

Page 1 of 31

Table of Contents Introduction to the Project System Configuration Virtualization Description of Snort Background System Requirements Installation Using Snort Configuration Writing Rules Violations Summary Advantages/Disadvantages Future Implications End Notes 3 4 4 5 5 5 6 10 10 17 18 26 26 30 31

Page 2 of 31

Introduction to the Project This project is designed to give a basic overview and tutorial of how to install, configure, and use the Snort intrusion detection system. In the first section of this document, the system configuration of the server will be described in detail to provide the reader with a walkthrough of how to configure a similar laboratory. Section two will provide a detailed description of Snort, its history, system requirements, and how it is best installed. Section three will provide full instructions on how to interact, configure, and make use of Snort. Section four will summarize the entire document and provide insight on advantages and disadvantages of Snort, as well as future implications.

Page 3 of 31

System Configuration For this project, the laboratory will consist of a gigabit LAN, containing a workstation, virtual server, and several mobile devices. The workstation is custom built. It contains an AMD Phenom II chip with six cores running at 3.2GHz per core. It is also hyper threaded, providing twelve threads for data processing. It also has 16GB of DDR3 1333 RAM and a 150GB Raptor hard drive. The virtual server is an Ubuntu Linux distribution. It has been installed on Oracles Virtual Box software. It shares resources with the custom workstation. Ubuntu will host our Snort installation, and it will be where most of the projects work will be performed. The mobile devices used in this project will be two Apple iPhone 4S smartphones. Virtualization is an amazing concept. For the purpose of this project, it provides a means for students to have multiple systems running off a single set of hardware components. It is required that CPUs and motherboards support virtualization in order to run software such as Virtual Box. However, most new computers are capable of virtualization. Virtual Box allows a user to configure the parameters of the machine they wish to create. From a single hardware resource pool, the user selects how much disk space, processing power, and memory is used to run the virtual machine. After these parameters are set, the user provides an image of whatever operating system they wish to use and it is installed as if the image were being fed to another machine made of real hardware. It is possible for a virtual machine to share one network interface card with the host it is sharing other resources with. This is called bridging. Bridging allows the laboratory in this project to function by binding a second IP address to the NIC.

Page 4 of 31

Description of Snort Snort was released in 1998 by Martin Roesch. It is a completely free of charge network intrusion detection system. Snort works by capturing packets as they pass through a network that Snort monitors. The software matches characteristics and payloads of packets against a detailed, and customizable, set of rules. When a packet or stream of packets sets meets the criterion of a rule, then an alert is logged and/or the packet is dropped. These alerts are also customizable to help network administrators categorize and manage their networks. Snort is the most widely deployed intrusion prevention technology in the world. Snort detects many types of attacks such as denial-of-service, buffer overflows, port scans, smb probes, fingerprinting, etc.; Snort also reacts in real time to traffic. Snort is open-source and much of its success and usefulness comes from the community that collaborates to make Snort a dynamic, living application. Snort has several requirements that must be fulfilled before it can be used properly. These requirements are software packages called libpcap, PCRE, libdnet, Barnyard2, and DAQ. Libpcap is a packet capture software that allows Snort to inspect packets. PCRE is the perl comptabile regular expression library that allows for special programming during the installation and use of Snort. Libdnet is a network API that allows Snort to use various networking protocols. Barnyard2 is an out put mechanism for Snort. This is used to output the data Snort collects to various databases. In order to make viewing the output easier, there are many frontend web interfaces that make Snort easier to use. In this tutorial mysql will be the back-end with Snorby on the front-end. However, this tutorial will also show raw output from the command line. There are no specific hardware requirements for Snort, but it should be understood that in order for Snort to process a large amount of packets, much processing power will be required.

Page 5 of 31

Snort can be installed from binaries and source code. In this tutorial, Ubuntu Linux is the platform being used for Snort. Other versions of Linux have been known to put a user into, dependency hell, where packages cannot be installed without installing pre requisite packages first. To avoid this, Ubuntu has a method of retrieving and installing software packages called APT-GET. APT-GET allows users to download a certain applications and all of its dependencies in one simple command. When APT-GET is used, Snort is installed in a matter of one to two minutes. The following screenshots show APT-GET in action.

Page 6 of 31

Page 7 of 31

Snort has already been installed on the server, but the process can be explained by the output. APT-GET INSTALL SNORT looks at the lists of packages it has available, builds the dependencies that Snort needs, and then it downloads everything and installs it for the user. If there is a need to update Snort to a newer version, APT-GET can handle this for the user as well. The command APT-GET UPGRADE looks for updates of all the packages installed on the server. Packages can also be removed with APT-GET REMOVE [package name]. Packages that are outdated can be removed with APT-GET AUTOREMOVE.

Page 8 of 31

The packages Libpcap, PCRE, and Libdnet are automatically found by APT-GET and installed. It is important to install the database that will be used in the installation. MySQL will be used in this project, but sqlite and Postgre SQL can be used as well. These can be installed through APT-GET, source code, binaries, and in the initial installation of the Linux server. The remaining package Barnyard2 needs to be installed separately. Unfortunately, there is not a APT-GET method to find Barnyard, so the binaries will have to be downloaded and run separately. The original host of Barnyard2 no longer hosts the file. The method used in this installation is called, git. Git is similar to WGET, which is used to download FTP files. GIT CLONE https://github.com/firnsy/barnyard2.git is the command to retrieve the file. Once the file has been downloaded, the source code can be compiled and run. Barnyard2 requires dhautoreconf packages to be installed in this manner.

Page 9 of 31

Using Snort Snort runs off of a configuration file. This file tells Snort where to look for its parameters, rules, and methods of operating.

Page 10 of 31

Variables are edited to customize Snort to use on the home network.

Page 11 of 31

Variables are also used to describe external networks.

Page 12 of 31

Page 13 of 31

Page 14 of 31

There are many rule sets to use in Snort. For this tutorial, custom rules were written in order to better explain and discover how Snort handles rule violations. The real power of Snort is in the ability to write customized rules. For this tutorial, five rules have been written to demonstrate different attacks. The first rule is a rule that looks for ICMP traffic from a certain host, the next rule is a rule that looks for ICMP traffic from any host, next is a telnet alert, an ssh alert, and a rule that alerts when a specific port is scanned.

Page 15 of 31

Page 16 of 31

The five rules that will be used in this tutorial. The rules are stored in a special rules file. All other files have been commented out of the configuration file so they are not used while Snort is running. Each rule has a special sid number that allows for further customization and organization of alerts. Also, each rule has a message field that allows the user to customize what the alert actually says.

Page 17 of 31

Once the rules are written and the rest of the configuration is complete. Snort can be started. Snort is started automatically as a daemon once it is installed. If Snort needs to be started manually, then it can be done with one of two commands snort c /etc/snort/snort.conf D l /var/log/snort will run Snort as a daemon. Also, /etc/init.d/snort start will run Snort with the basic configuration file, and as a daemon. The first rule looks for an ICMP packet coming from a particular host. The following screenshots shows the creation of the traffic and the alert that Snort creates.

Page 18 of 31

The alert log was tailed in the screenshot above, but in the log file there are four entries to match the four packets sent. The next alerts are generated by an application on an iPhone called Scany. It is a combination port scanner, OS fingerprinter, service probe multi-tool.

Page 19 of 31

Page 20 of 31

These three alerts were generated after the iPhone application was executed. The application sent many ICMP packets and probed around the operating system looks for open ports and services that were running . Snort alerted on three of the rules loaded into the Snort configuration. The TCP PortScan seems to be a rule that is loaded all the time, it was not specified in the experimental rules file. The next type of traffic is a telnet request. Telnet is not used very much these days. It transmits data in clear text, ant it is just inherently insecure, but it is often turned on by default in some systems.

Page 21 of 31

Page 22 of 31

Telnets successor, SSH, is used commonly in most organizations for remote access. It is often left open, and attackers can brute force passwords to gain access to the system. The following screenshots show an alert for an SSH attempt. SSH connections should only be allowed from trusted networks.

Page 23 of 31

Page 24 of 31

If Snort ever needs to be stopped, it can be stopped with the command killall snort or /etc/init.d/snort stop.

Page 25 of 31

Summary Snort is a great application. It is easy to install and configure, but it does have some disadvantages. The next section breaks down the advantages and disadvantages of Snort. Advantages Free Easy to install and configure (on certain platforms) Plentiful support through Snort Community Fully customizable Efficient with system resources Downloadable rule sets (with paid subscription)

y y y y y y

Disadvantages Difficult to install and configure (on certain platforms) Steep learning curve when writing rules Difficult to test rules in a production environment Limited Windows support Alerts can be overwhelming

y y y y y

The last disadvantage is the biggest flaw in Snort. If the default rule sets are used, even with customization. The amounts of alerts are almost too much to handle. The following screenshots demonstrate this.

Page 26 of 31

The configuration file is modified to allow all rule sets to be parsed. After running the application Scany, from the iPhone, this is what a portion of the alert file looks like.

Page 27 of 31

Page 28 of 31

In order to effectively use Snort, the time needed for testing and rule configuration is substantial. If an organization has the time, resources, and employee talent, Snort can be a useful tool to protect the organizations network from intrusion and attack.

Page 29 of 31

Future Implications Snort is only going to get better with time. The open source community is growing at a high rate, and the amount of support and rules are growing at a similar rate. With time, the Snort rules should become more streamlined to work in production environments, but the need for interaction and modification of these rules is never going to go away. Therefore, if one can become proficient with Snort, one can increase their marketability when searching for jobs. Due to its cost effectiveness, ease to obtain, and continued growth, Snort will remain the top open-source IDS for years to come.

Page 30 of 31

End Notes

Works Cited Peters, E. (n.d.). Snorby eBook. Retrieved 12 10, 201, from github: https://github.com/Snorby/snorby/wiki/Snorby-E-Book Snorby.org. (n.d.). Snorby. Retrieved 12 10, 2011, from Snorby - All About Simplicity: http://www.snorby.org Snort.org. (n.d.). Snort. Retrieved 12 10, 2011, from Snort.org: http://www.snort.org Ubuntu.com. (n.d.). dh-autoreconf. Retrieved 12 10, 2011, from Ubuntu.com: http://packages.ubuntu.com/maverick/all/dh-autoreconf/download

Page 31 of 31