Cluster-Handbook/SnortIDS
SnortIDS
editWhat is Snort?
editSnort is a network intrusion detection system and a network intrusion prevention system. It is a free and open source system created by Martin Roesch in 1998. Snort was developed by Sourcefire and in 2009, Snort entered InfoWorld’s Open Source Hall of Fame as one of the “greatest open source software of all time“.
Usage
editSnort has the ability to perform real-time traffic analysis and packet logging on Internet Protocol networks and performs protocol analysis, content searching, and content matching. Snort can also be used to detect probes or attacks, including operating system fingerprinting attempts, common gateway interface, buffer overflows, server message block probes and stealth port scans.
Snort has three main configuration modes: sniffer, packet logger and network intrusion detection. In sniffer mode, Snort will read the network packets and display them on the console. Snort will log packets to the disk in the packet logger mode and in the intrusion detection mode, Snort will monitor the network traffic and analyze it against a rule set the user has defined. Snort will then alarm the user or it will perform a specific action based on what has happened.
Packages
editLAMP-Server
editLAMP is a combination of free, open source software, LAMP refers to Linux, Apache HTTP Server, MySQL and PHP, Perl or Python. The exact Software may vary in the LAMP-Package and it is not designed by its original authors as one Package. But it is developed in close conjunction, therefore it is easy adaptable. When used together, they support web application servers.
BASE
editBASE is the Basic Analysis and Security Engine. It is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts coming from a SNORT IDS system.
BASE is a web interface to perform analysis of intrusions that snort has detected on your network. It uses a user authentication and role-base system, so that you as the security admin can decide what and how much information each user can see. It also has a simple to use, web-based setup program for people not comfortable with editing files directly.
Setup
editFor SnortIDS you will use the LAMP Server. It will serve as a HTTP server for ACID, your Webinterface, and will also serve as a MySQL backend for Snort. Ubuntu 12.04 LTS was used for this Setup.
LAMP-Server
editroot@master:/# sudo tasksel install lamp-server
tasksel: Starts a simple Interface for the user to select general tasks for the installation.
You will be prompted to select a MySQL root password. This will be needed further in the installation.
Snort-Mysql
editFirst you create a database.
root@master:/# mysql -u root -p
mysql> create database snort;
mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES ON snort.* TO 'masterusername'@'localhost' IDENTIFIED BY 'password';
mysql> FLUSH PRIVILEGES;
mysql> quit
root@master:/# _
Further on you can now install SNORT
root@master:/# sudo apt-get -y install snort-mysql
You will be prompted to enter the IP address for your local network. It is your cluster-network, that you want to protect. The Classless Inter-Domain Routing (CIDR) format have to be used. 10.0.x.0/24
You will be asked, if you wish to set up a database for use with Snort.
Choose no. You already created the database, you only need to configure it. With this you will update the Snort table structure.
root@master:/# pushd /usr/share/doc/snort-mysql
root@master:/# sudo zcat create_mysql.gz | mysql -u snort -p snort
# The syntax is: mysql -u <username> -p <prompt for password> <database>
root@master:/# popd
Now modify the Snort configuration file to include your MySQL specific information.
root@master:/# sudo sed -i "s/output\ log_tcpdump:\ tcpdump.log/#output\ log_tcpdump:\ tcpdump.log\noutput\ database:\ log,\ mysql, user=snort password=password dbname=snort host=localhost/" /etc/snort/snort.conf
The above line was located at line number 786 /etc/snort/snort.conf. The snippet simply places a comment in front of the output for the log, and appends the output line for our database.
Now remove the pending Snort database configuration file.
root@master:/# sudo rm -rf /etc/snort/db-pending-config
Start Snort.
root@master:/# sudo /etc/init.d/snort start
To check the status of the Snort daemons use:
root@master:/# sudo /etc/init.d/snort status
Acidbase
editTo check the output of Snort, you will use ACID, a web front-end.
root@master:/# sudo apt-get -y install acidbase
You will be asked to configure a database for acidbase. Choose yes and use MySQL.
You will be prompted for the password of the database administrator. This is the same password you used when MySQL was initially installed with LAMP.
To get access for the acidbase web front-end, you have to edit the apache.conf
root@master:/# sudo sed -i "s#allow\ from\ 127.0.0.0/255.0.0.0#allow\ from\ 127.0.0.0/255.0.0.0\ 'your IP'/255.255.255.0#" /etc/acidbase/apache.conf
This will allow your and the machine to get access to the front-end.
You can also allow access for all
To take affect, you have to restart Apache.
root@master:/# sudo /etc/init.d/apache2 restart
Browse to: http://’IP of the machine with SNORT’/acidbase
For testing purpose perform a portscan of the Snort host. You will need the nmap-package for this.
root@master:/# sudo nmap -p1-65535 -sV -sS -O 'IP of your SNORT-machine'
If something is not working properly, try to reconfigure SNORT. With the following command, you can reset the IP´s.
root@master:/# sudo dpkg-reconfigure snort-mysql