Protect your network with Snort
Selasa, 16 April 2013
0
komentar
http://www.linuxuser.co.uk/tutorials/protect-your-network-with-snort
Snort is an intrusion detection system (IDS). It works by monitoring network activity and raising an alert in the case of suspicious activity. What constitutes suspicious activity is definable by rules, and it comes with a massive selection. It can protect a single machine from attacks or even an entire network. This guide will show you how to set up and use Snort and also take you through some typical security scenarios in which Snort will prove useful.
As you get to know Snort, you might consider setting up a testing environment using virtual machines. A simple approach would be to use a virtual machine that has its network adaptor configured to be visible on your network (the setting is called ‘bridged adaptor’ in VirtualBox, for example). The techniques outlined here are not dangerous, but they can be considerably easier to get working within a controllable environment.
The Snort manual
A second network card (optional)
Install Snort with ‘sudo apt-get install snort’. If you need the very latest version, visit the website and fetch, build and install it.
When first setting up Snort, it helps to have as little activity on the network as possible. Disconnect other computers or even set up a VM with a bridged adaptor which you can operate upon from the host machine.
Nearly all Snort operations need to be carried out by the root user. On Ubuntu, it’s probably worth using ‘sudo -i’ to avoid password prompts. Use ‘su’ on other distros. As root, type ‘snort -v’. This puts Snort into packet sniffer mode.
Presuming that the network you are on is reasonably quiet, you can generate some network activity by pinging the server. Open another terminal and type ‘ping [IP address of server]’, and cancel after a couple of successful pings. Now, go back to the terminal with Snort running.
In this example, the ping activity is reported in entries that end with lines ‘ECHO’ and ‘ECHO REPLY’. You may have to scroll back in the terminal to see these entries. Notice that the entries contain the time that the activity occurred and the source and destination of the traffic.
Exit Snort by hitting Ctrl+C. When you exit Snort, it prints a statistical summary of the traffic that it observed. In this example, there should have been some ICMP traffic from the ping operation.
Here’s a more extensive command line: ‘snort -vde’. This produces more output due to the d (display packet data) and e (application layer). For example, if you fetch POP email without SSL selected, you’ll be able to see the username and password scroll past.
Make a directory called ‘snort_logs’. Now run ‘snort -d -l ./snort_logs’ and Snort will log all recorded traffic into the log directory with a separate file for each interface. We’ll skip the verbose flag (-v), as all of the screen output eats into Snort’s throughput.
Snort comes with a default configuration file which we will back up. Type ‘locate snort.conf’ to find the file and then make a copy of it. ‘cp /etc/ snort/snort.conf /etc/snort/snort.conf_old’ should work for Ubuntu, for example.
Open the config file in a text editor. For now, make sure that the variable ‘HOME_NET’ accurately describes your network. For example, if your computers have IP addresses that begin at 192.168.0.1, set it to 192.168.0.1/24.
Make a startup script to save time. Create an empty file with ‘nano start_snort’, then add the line ‘snort -de -l [full path to script]/snort_logs -c /etc/snort/snort.conf’ to it, and then save. Now type “chmod +x start_ snort”. This will launch snort in IDS mode, with reasonable defaults.
First, find the IP address of the machine running Snort by using ‘ifconfig’ and make a note of it. Now run ‘./start_snort’. Some extra startup information scrolls past as we are now using the Snort configuration file and the rules files that it references.
We’ll begin by carrying out a port scan on the machine running Snort using Nmap, a common first step in a typical intrusion attempt. From a different machine on your network, type ‘nmap [IP address of Snort machine]’. A file called ‘alert’ should have appeared in the log folder. Examine it.
The method to launch a script at startup varies between distributions. On Ubuntu, simply add our ‘start_snort’ script to ‘/etc/init’ by typing ‘ln start_snort /etc/init/’. Remember to use fully qualified path names in the script.
Protecting an entire network requires either a dedicated Snort machine or a dedicated network adaptor on your server. This is because the network card must be put into promiscuous mode to capture all traffic being transmitted, and this is the scenario we will work with here. Once you have installed the second card and rebooted the machine, determine the naming of the two network interfaces by typing ‘ifconfig’. In this example, the second network card is called ‘eth1’. Now open ‘/etc/networking/interfaces’ in a text editor.
Add the following lines to the file: ‘iface eth1 inet manual’, ‘up ifconfig $IFACE 0.0.0.0 up’, ‘up ip link set $IFACE promisc on’, ‘down ip link set $IFACE promisc off’, ‘down ifconfig $IFACE down’. Type ‘sudo ifup eth1’ to start up the second Ethernet adaptor and physically plug it into your router, hub or spanning switch.
Type ‘ifconfig’ and eth1 should be listed without an IP address. Now add ‘sudo ifup eth1’ to your Snort startup script along with the flag ‘-i eth1’ on the Snort launch command. When launched, Snort will now monitor all traffic on your network.
For the sake of simplicity, we are going to add a rule to the configuration file rather than create a new rule file. As root, open up snort.conf in a text editor. On the final line of the configuration file, add the following line: ‘alert tcp any any -> any 23 ( msg: “telnet alert!”; sid: 1; )’.
Launch Snort with ‘snort -dev -l ./snort_logs -c /etc/snort.conf’. From another machine, type ‘telnet [IP address of Snort machine]’. If everything has worked, you should now have an update in the alert file. See the Snort manual for a full breakdown, but open the file and check that source IP and destination IP look correct.
Get extra rules from the Snort website (free sign-up required). They belong in ‘/etc/ snort/rules’ and should be enabled using the ‘include’ directive in snort.conf. The comprehensive selection is an excellent starting point for creating your own rules for dealing with, for example, application-specific exploits.
Unless you know that you are going to have to use Snort alert logs as input for another networking utility, consider switching it to CSV output so that you can view the data in a spreadsheet. Simply add the line ‘output alert_csv: alert.csv default’ to the end of the configuration file.
When an attack is logged, begin by looking up the IP address with the ‘whois’ command or by using an online geographic IP lookup address. Note the port number of the attack to try to figure out the service or application that is the focus of the attack.
Block the IP address of the attacker as reported in the alert file. Obviously, the address can change, but they tend to be fairly static from the most common type of automated attacks. Use the command ‘iptables -A INPUT -s [attacker IP address] -j DROP’.
It’s possible that an attack is targeting an unused or unimportant port on your network. Use ‘/iptables -A INPUT -p tcp –destination- port 80 -j DROP’ to block a port, if you have determined that it will not harm the normal function of your system. To unblock a port or IP address, use the ‘-D’ switch instead of ‘-A’.
Whether meaning to be mischievous or malicious, hackers can wreak havoc on your network. Fortunately, Snort makes it easy to spot them and set up protection
Snort is an intrusion detection system (IDS). It works by monitoring network activity and raising an alert in the case of suspicious activity. What constitutes suspicious activity is definable by rules, and it comes with a massive selection. It can protect a single machine from attacks or even an entire network. This guide will show you how to set up and use Snort and also take you through some typical security scenarios in which Snort will prove useful.
As you get to know Snort, you might consider setting up a testing environment using virtual machines. A simple approach would be to use a virtual machine that has its network adaptor configured to be visible on your network (the setting is called ‘bridged adaptor’ in VirtualBox, for example). The techniques outlined here are not dangerous, but they can be considerably easier to get working within a controllable environment.
Resources
SnortThe Snort manual
A second network card (optional)
Step by Step
Step 01
Install SnortInstall Snort with ‘sudo apt-get install snort’. If you need the very latest version, visit the website and fetch, build and install it.
Step 02
Set Up a ‘quiet’ network environmentWhen first setting up Snort, it helps to have as little activity on the network as possible. Disconnect other computers or even set up a VM with a bridged adaptor which you can operate upon from the host machine.
Step 03
Test Snort installationNearly all Snort operations need to be carried out by the root user. On Ubuntu, it’s probably worth using ‘sudo -i’ to avoid password prompts. Use ‘su’ on other distros. As root, type ‘snort -v’. This puts Snort into packet sniffer mode.
Step 04
Create network activityPresuming that the network you are on is reasonably quiet, you can generate some network activity by pinging the server. Open another terminal and type ‘ping [IP address of server]’, and cancel after a couple of successful pings. Now, go back to the terminal with Snort running.
Step 05
Interpreting the dataStep 06
Exiting SnortExit Snort by hitting Ctrl+C. When you exit Snort, it prints a statistical summary of the traffic that it observed. In this example, there should have been some ICMP traffic from the ping operation.
Step 07
More detailHere’s a more extensive command line: ‘snort -vde’. This produces more output due to the d (display packet data) and e (application layer). For example, if you fetch POP email without SSL selected, you’ll be able to see the username and password scroll past.
Step 08
log packet dataMake a directory called ‘snort_logs’. Now run ‘snort -d -l ./snort_logs’ and Snort will log all recorded traffic into the log directory with a separate file for each interface. We’ll skip the verbose flag (-v), as all of the screen output eats into Snort’s throughput.
Step 09
Back up Snort configuration fileSnort comes with a default configuration file which we will back up. Type ‘locate snort.conf’ to find the file and then make a copy of it. ‘cp /etc/ snort/snort.conf /etc/snort/snort.conf_old’ should work for Ubuntu, for example.
Step 10
Initial configurationOpen the config file in a text editor. For now, make sure that the variable ‘HOME_NET’ accurately describes your network. For example, if your computers have IP addresses that begin at 192.168.0.1, set it to 192.168.0.1/24.
Step 11
Create launch scriptMake a startup script to save time. Create an empty file with ‘nano start_snort’, then add the line ‘snort -de -l [full path to script]/snort_logs -c /etc/snort/snort.conf’ to it, and then save. Now type “chmod +x start_ snort”. This will launch snort in IDS mode, with reasonable defaults.
Step 12
Intrusion detection modeFirst, find the IP address of the machine running Snort by using ‘ifconfig’ and make a note of it. Now run ‘./start_snort’. Some extra startup information scrolls past as we are now using the Snort configuration file and the rules files that it references.
Step 13
Simulate an attack (Nmap)We’ll begin by carrying out a port scan on the machine running Snort using Nmap, a common first step in a typical intrusion attempt. From a different machine on your network, type ‘nmap [IP address of Snort machine]’. A file called ‘alert’ should have appeared in the log folder. Examine it.
Step 14
Automatically start SnortThe method to launch a script at startup varies between distributions. On Ubuntu, simply add our ‘start_snort’ script to ‘/etc/init’ by typing ‘ln start_snort /etc/init/’. Remember to use fully qualified path names in the script.
Step 15
Protect the networkProtecting an entire network requires either a dedicated Snort machine or a dedicated network adaptor on your server. This is because the network card must be put into promiscuous mode to capture all traffic being transmitted, and this is the scenario we will work with here. Once you have installed the second card and rebooted the machine, determine the naming of the two network interfaces by typing ‘ifconfig’. In this example, the second network card is called ‘eth1’. Now open ‘/etc/networking/interfaces’ in a text editor.
Step 16
Configure promiscuous modeAdd the following lines to the file: ‘iface eth1 inet manual’, ‘up ifconfig $IFACE 0.0.0.0 up’, ‘up ip link set $IFACE promisc on’, ‘down ip link set $IFACE promisc off’, ‘down ifconfig $IFACE down’. Type ‘sudo ifup eth1’ to start up the second Ethernet adaptor and physically plug it into your router, hub or spanning switch.
Step 17
Test promiscuous modeType ‘ifconfig’ and eth1 should be listed without an IP address. Now add ‘sudo ifup eth1’ to your Snort startup script along with the flag ‘-i eth1’ on the Snort launch command. When launched, Snort will now monitor all traffic on your network.
Step 18
Create a simple Snort ruleStep 19
Test simple ruleLaunch Snort with ‘snort -dev -l ./snort_logs -c /etc/snort.conf’. From another machine, type ‘telnet [IP address of Snort machine]’. If everything has worked, you should now have an update in the alert file. See the Snort manual for a full breakdown, but open the file and check that source IP and destination IP look correct.
Step 20
Fetch extra rulesGet extra rules from the Snort website (free sign-up required). They belong in ‘/etc/ snort/rules’ and should be enabled using the ‘include’ directive in snort.conf. The comprehensive selection is an excellent starting point for creating your own rules for dealing with, for example, application-specific exploits.
Step 21
Add CSV output moduleUnless you know that you are going to have to use Snort alert logs as input for another networking utility, consider switching it to CSV output so that you can view the data in a spreadsheet. Simply add the line ‘output alert_csv: alert.csv default’ to the end of the configuration file.
Step 22
Interpreting an attackWhen an attack is logged, begin by looking up the IP address with the ‘whois’ command or by using an online geographic IP lookup address. Note the port number of the attack to try to figure out the service or application that is the focus of the attack.
Step 23
Block an attack (part 1)Block the IP address of the attacker as reported in the alert file. Obviously, the address can change, but they tend to be fairly static from the most common type of automated attacks. Use the command ‘iptables -A INPUT -s [attacker IP address] -j DROP’.
Step 24
Block an attack (part 2)It’s possible that an attack is targeting an unused or unimportant port on your network. Use ‘/iptables -A INPUT -p tcp –destination- port 80 -j DROP’ to block a port, if you have determined that it will not harm the normal function of your system. To unblock a port or IP address, use the ‘-D’ switch instead of ‘-A’.
TERIMA KASIH ATAS KUNJUNGAN SAUDARA
Judul: Protect your network with Snort
Ditulis oleh Unknown
Rating Blog 5 dari 5
Semoga artikel ini bermanfaat bagi saudara. Jika ingin mengutip, baik itu sebagian atau keseluruhan dari isi artikel ini harap menyertakan link dofollow ke https://androidblackberries.blogspot.com/2013/04/protect-your-network-with-snort.html. Terima kasih sudah singgah membaca artikel ini.Ditulis oleh Unknown
Rating Blog 5 dari 5
0 komentar:
Posting Komentar