2.16.2010 - 1
This document assumes that you are already familiar with Snort and IDS as well as the supporting applications mentioned above. The Snort website provides detailed documentation about the supporting applications that will help you set up and maintain your Sourcefire Snort for Amazon EC2 deployment.
The Amazon EC2 cloud does not give the IDS image visibility into the network it needs to monitor. To solve this challenge, additional applications were installed on the Sourcefire Snort for Amazon EC2 image. You need to install those applications on the AMI in order to allow your IDS image to protect your cloud. The following applications are needed:
- VTun-3.0.1
- Daemonlogger
VTun is the easiest way to create virtual tunnels over TCP/IP networks. It supports various tunnel types and provides many useful features:
- Encryption
- Compression
- Traffic shaping
VTun is easily and highly configurable. It can be used for various network tasks:
- VPN
- Mobile IP
- etc.
On a Linux-based AMI, the easiest way to obtain VTun is to use the yum or apt-get command, depending on your Linux distribution.
Daemonlogger is a libpcap-based program. It has two runtime modes:
- It sniffs packets and spools them straight to disk, and can daemonize itself for background packet logging. By default the file rolls over when 1 GB of data has been logged.
- It sniffs packets and rewrites them to a second interface, essentially acting as a soft tap. It can also do this in daemon mode.
These two runtime modes are mutually exclusive: if the program is placed in tap mode (using the -I switch), logging to disk is disabled.
The Sourcefire Snort for Amazon EC2 image uses Daemonlogger as a soft tap to sniff packets from your client AMI, rewrite them to a second interface and tunnel the traffic to your Sourcefire Snort for Amazon EC2 image using VTun.
Requirements for installing Daemonlogger:
- A recent version of libpcap.
- A recent version of libdnet.
You can install both required libraries using the yum or apt-get command, depending on your Linux distribution. You will need to compile and install Daemonlogger from source. To obtain the source code, use the following link: http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html
Compiling and installing Daemonlogger from source is very simple. Follow the instructions in the README file within the Daemonlogger directory.
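The tunnel-plus-soft-tap arrangement described above is only outlined in the guide, so the following script is an added example (it is not part of the Sourcefire guide or of the VTun/Daemonlogger projects) showing what the client AMI side of it looks like. It generates a vtund client configuration for an Ethernet-level tunnel, builds the Daemonlogger tap command, and refuses to go further if the configuration would carry the mirrored traffic unencrypted, over an IP-only (tun) device, or with a placeholder secret. The session name idstap, the tunnel device tap0, the monitored interface eth0, the IDS_TUNNEL_SECRET variable and the IDS address argument are all assumptions; the daemonlogger switches used are -i (input interface), -I (tap output interface, as the text mentions) and -d (daemonize).

```shell
#!/bin/sh
# Added example, not from the Sourcefire guide: client-AMI side of the
# VTun tunnel + Daemonlogger soft tap. Assumed names: session "idstap",
# tunnel device tap0, monitored interface eth0. The IDS address is a
# placeholder passed as $1; the shared secret comes from IDS_TUNNEL_SECRET.

# Emit a vtund.conf for the client AMI. "type ether" gives a tap device so
# the mirrored frames reach the IDS with their Ethernet headers intact;
# encrypt/compress apply to the whole tunnel.
vtund_client_conf() {
    session="$1"; dev="$2"; secret="$3"
    cat <<EOF
options {
    port 5000;
    timeout 60;
    ifconfig /sbin/ifconfig;
}
default {
    proto tcp;
    encrypt yes;
    compress yes;
    keepalive yes;
}
$session {
    passwd $secret;
    type ether;
    device $dev;
    up   { ifconfig "%% up"; };
    down { ifconfig "%% down"; };
}
EOF
}

# Daemonlogger in tap mode: read from the monitored interface (-i),
# rewrite every packet onto the tunnel device (-I), run as a daemon (-d).
daemonlogger_tap_cmd() {
    printf 'daemonlogger -d -i %s -I %s\n' "$1" "$2"
}

# Sanity checks before anything is started: mirrored traffic is a copy of
# every packet the client sees, so it must not cross the cloud network in
# the clear, must keep Ethernet framing, and must not use a dummy secret.
check_conf() {
    grep -q '^[[:space:]]*encrypt[[:space:]]*yes;' "$1" \
        || { echo "check_conf: tunnel encryption is off" >&2; return 1; }
    grep -q '^[[:space:]]*type[[:space:]]*ether;' "$1" \
        || { echo "check_conf: not an ether (tap) tunnel" >&2; return 1; }
    if grep -q 'CHANGE_ME' "$1"; then
        echo "check_conf: placeholder secret still in config" >&2; return 1
    fi
    return 0
}

main() {
    ids_host="${1:-IDS_INSTANCE_PRIVATE_IP}"   # placeholder address
    conf="${TMPDIR:-/tmp}/vtund-client.conf"
    # Use the operator-supplied secret, or a random one for this run.
    secret="${IDS_TUNNEL_SECRET:-$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')}"
    vtund_client_conf idstap tap0 "$secret" > "$conf"
    check_conf "$conf" || return 1
    echo "# client AMI: bring up the tunnel, then mirror eth0 into it"
    echo "vtund -f $conf idstap $ids_host"
    daemonlogger_tap_cmd eth0 tap0
    echo "# IDS AMI: vtund -s with the matching session, then snort -i tap0"
}

main "$@"
```

The script only prints the two commands it builds rather than executing them, since both need root and a running IDS instance; the IDS side needs the same session block (same secret, same type ether) in its own vtund.conf and is started with vtund -s.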
Starting and Configuring an Initial Sourcefire Snort AMI for Amazon EC2
Before you start, you must get a license from Amazon Web Services for your account: https://aws-portal.amazon.com/gp/aws/user/subscription/index.html?offeringCode=3955FE73
To configure an initial Endpoint Protection AMI for Amazon EC2:
1. Navigate your browser to http://aws.amazon.com, and under the Developers tab, click on AWS Management Console.
2. At the AWS Management Console, click Sign in to the AWS Console, and enter your AWS username and password. The Amazon EC2 Console Dashboard appears.
3. Before launching an instance, create a new key-pair if one does not already exist by clicking on the Key-Pairs button under the Navigation tab.
4. Click on Create Key Pair, and provide a new key-pair name in the Create Key Pair popup window, and then click Create.
5. Click on AMIs under the Navigation tab, and look for the Sourcefire AMI, using the Instance-Store Images from the Viewing Tab.
7. In the pop-up window, enter the number of instances (1 preferred), and select the key-pair that was created from the drop-down box. Add or change a security group if required, as described in step 8.
8. Click the Create button in the Launch Instance Wizard window, to the right of the Security Groups drop-down menu, to create a new Security Group.
You can change an existing security group, but this needs to be done prior to clicking on the Launch button. For more information about security groups, see the Amazon Elastic Compute Cloud User Guide at: http://awsdocs.s3.amazonaws.com/EC2/latest/ec2-ug.pdf.
9. Click Launch to start the Amazon EC2 instance.
10. Click on the Instances button under the Navigation tab.
11. Identify the instance that was started using your key-pair, and wait for the Status column to change to running. This should take a couple of minutes.
12. Once the instance is running, select the instance, and then copy the Public DNS.
13. Run the ssh command, or PuTTY from a Windows machine.
14. Paste the Public DNS obtained in step 12 into the Computer field, and click Connect.
15. At the AWS Management Console, click Instance Actions, and then click Get Certificate to obtain the certificate to include in your ssh command.
16. From the command prompt, run ssh -i <your_certificate.pem> to log in to your instance.
Additional Resources
For additional resources and references, refer to the following links:
Additional Applications
- BASE for Snort: http://base.secureideas.net/
- Daemonlogger: http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html
- VTun application: http://vtun.sourceforge.net/