SNORT

I was speaking with a SIEM vendor a while back and a thought struck me: a SIEM can’t report on what it can’t see…. I know, that sounds so obvious, but it wasn’t – at least to me initially. A server can use syslog to report multiple failed attempts at password brute forcing, but the server cannot report a failed (or successful) exploit because it doesn’t know how to identify an exploit.

Clearly this would be a problem for any SIEM. So the next question was this: how do I “see” exploits while still operating on a shoestring budget? (Or at least a budget that didn’t include lots of IPS sensors around my network.) Answer: SNORT.

I couldn’t have SNORT maintenance take all of my time. I needed a robust, reliable and stupidly simple setup that would grant me visibility into my network. I’ve developed that setup and am sharing it to save you the pain of solving the problem yourself.

My goal was to drop headless boxes on span ports of the various switches around the organization (generally switches connecting directly to clients not backbone switches). So I would have a general SNORT setup that I could shove onto a box modify the IP addresses for this new box and go. Simple and reliable. If a box dies, just configure another and shove it in place.

(If you are wanting a VM setup with wireless, you will need a few changes that I will detail at the bottom. The next series of setup are designed for a distributed environment where you are shipping syslogs to a SIEM.)

Hardware (your mileage may vary):

  • 12GB HD
  • 1GB NIC (connected to the span port)
  • 100MB NIC (or better for reporting/connected to a management VLAN)
  • 2GB RAM

I used Ubuntu server 9.10 as it has the SNORT packages in apt-get. I said I wanted simple….

Step 1:

  • Install the OS; select no packages (the fewer packages the lower the risk of a vulnerability)
  • Configure /etc/network/interfaces
  • Download my config here.
  • Your management NIC will have a static IP
  • Your sniffing NIC will be “up” but will not have an IP. Get the config above; this is the critical piece.
  • Run: apt-get update; apt-get dist-upgrade; apt-get install openssh-server ntp
  • Modify /etc/ntp.conf to point to your corp time server

Step 2

Now run:

  • apt-get install snort build-essential libpcap0.8-dev (you will need to configure the /etc/snort/snort.debian.conf).

Obtain barnyard-0.2 from snort.org and install. Barnyard handles the processing of the Snort logs so that snort can focus on it’s job. Snort should be outputting binary/unified logs for barnyard. This is a speed issue.

  • tar -zxvf barnyard.tar.gz; cd barnyard
  • ./configure; make; make install
  • cp barnyard.conf /etc/snort/barnyard.conf (and configure in a manner similar to this)

Edit /etc/rc.local

  • above the ‘exit 0’ line, add: /usr/local/bin/barnyard -d /var/log/snort -f snort.alert -D

Step 3

Now run:

  • apt-get remove build-essential libpcap0.8-dev
  • apt-get autoremove
  • Remove the barnyard .tar.gz and directory
  • Modify the /etc/oinkmaster.conf to point to your latest ruleset

Run the following commands

  • #sudo vi /etc/cron.daily/oinkmaster (and add the next three lines):
  • #!/bin/sh -e
  • #update snort rules
  • oinkmaster -o /etc/snort/rules

Run:

  • #sudo chmod +x /etc/cron.daily/oinkmaster

Step 4

Configure firewall with the following commands

  • #sudo ufw allow proto tcp from to any port 22
  • #sudo ufw default deny
  • #sudo ufw enable

This prevents anyone from connecting to your box except approved machines using SSH.

Wireless

If you are creating a VM on this setup for Wireless auditing, you need to change a few things. I will detail more at a future date, but in the short term, you need to install the following packages:

  • snort-mysql
  • mysql-server
  • mysql-client
  • apache2
  • php5
  • php5-pear
  • base
  • adodb
  • The idea here is that Snort will output to MySQL (not as fast as using barnyard, but simple enough and this is a VM, won’t be running for long). BASE will use adodb to connect to MySQL and process the alerts. That goes: Snort -> MySQL -> Base -> to your browser. You will load Base in your browser and see the alerts.

    Your sniffing interface should be your ALFA wireless card. Your localhost only interface hosts the Base page. This prevents attackers from seeing your machine.

This is round one of the page. Email me or leave a comment as I will be updating it in the future. I’d be glad to help you out further if you have questions.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s