Hack65.Detect Network Intruders with snort
Hack 65. Detect Network Intruders with snort
Let snort watch for network intruders and log attacksand alert you when problems arise. Security is a big deal in today's connected world. Every school and company of any decent size has an internal network and a web site, and they are often directly connected to the Internet. Many connected sites use dedicated firewall hardware to allow only certain types of access through certain network ports or from certain network sites, networks, and subnets. However, when you're traveling and using random Internet connections from hotels, cafes, or trade shows, you can't necessarily bank on the security that your academic or work environment traditionally provides. Your machine may actually be on the Net, and therefore a potential target for script kiddies and dedicated hackers anywhere. Similarly, if your school or business has machines that are directly on the Net with no intervening hardware, you may as well paint a big red bull's-eye on yourself. Most Linux distributions nowadays come with built-in firewalls based on the in-kernel packet-filtering rules that are supported by the most excellent iptables package. However, these can be complex even to iptables devotees, and they can also be irritating if you need to use standard old-school transfer and connectivity protocols such as TFTP or telnet, since these are often blocked by firewall rule sets. Unfortunately, this leads many people to disable the firewall rules, which is the conceptual equivalent of dropping your pants on the Internet. You're exposed! This hack explores the snort package, an open source software intrusion detection system (IDS) that monitors incoming network requests to your system, alerts you to activity that appears to be spurious, and captures an evidence trail. While there are a number of other popular open source packages that help you detect and react to network intruders, none is as powerful, flexible, and actively supported as snort. 7.4.1. Installing snortThe source code for snort is freely available from its home page at http://www.snort.org. At the time this book was written, the current version was 2.4. Because snort needs to be able to capture and interpret raw Ethernet packets, it requires that you have the Packet Capture library and headers (libpcap) installed on your system. libpcap is installed as a part of most modern Linux distributions, but it is also available in source form from http://www.tcpdump.org. You can configure and build snort with the standard configuration, build, and install commands used by any software package that uses autoconf: $ tar zxf snort-2.4.0.tar.gz $ cd snort-2.4.0 $ ./configure [much output removed] $ make [much output removed] As with most open source software, installing into /usr/local is the default. You can change this behavior by specifying a new location, using the configure command's --prefix option. To install snort, su to root or use sudo to install the software to the appropriate subdirectories of /usr/local using the standard make install command: # make install At this point, you can begin using snort in various simple packet capture modes, but to take advantage of its full capabilities, you'll want to create a snort configuration file and install a number of default rule sets, as explained in the next section. 7.4.2. Configuring snortsnort is a highly customizable IDS that is driven by a combination of configuration statements and loadable rule sets. The default snort configuration file is the file /etc/snort.conf, though you can use a configuration file in any location by specifying the full path to and name of the configuration file using the snort command's -c option. The snort source package includes a generic configuration file that is preconfigured to load many sets of rules, which are also available from the snort web site at http://www.snort.org/pub-bin/downloads.cgi.
It's perfectly fine to create your own configuration file, but since the template provided with the snort source is quite complete and shows how to take advantage of many of the capabilities of snort, we'll focus on adapting the template configuration file to your system. To begin customizing snort, su to root and create two directories that we'll use to hold information produced by and about snort: # mkdir -p /var/log/snort # mkdir -p /etc/snort/rules The /var/log/snort directory is required by snort; this is where alerts are recorded and packet captures are archived. The /etc/snort directory and its subdirectories are where I like to centralize snort configuration information and rules. You can select any location that you want, but the instructions in this hack will assume that you're putting everything in /etc/snort. Next, cd to /etc/snort and copy the files snort.conf and unicode.map to the parent directory (/etc). The /etc directory is the default location specified in the source code for these core snort configuration files. As we'll see in the rest of this hack, we'll put everything else in our own /etc/snort directory. Now you can bring up the file /etc/snort.conf in your favorite text editor (which should be emacs, by the way), and start making changes. First, set the value of the HOME_NET variable to the base value of your home or business network. This prevents snort from logging outbound and generic intermachine communication on your network unless it triggers an IDS rule.
Next, set the variable EXTERNAL_NET to identify the hosts/networks from which you want to monitor traffic. To avoid logging local traffic between hosts on the network, the most convenient setting is !$HOME_NET: var EXTERNAL_NET !$HOME_NET
If your network runs various servers, the next step is to update the configuration file to identify the hosts on which they are running. This enables snort to focus on looking for certain types of attacks on systems that are actually running those services. snort provides a number of variables for various services, all of which are set to the value of the HOME_NET variable by default: # List of DNS servers on your network var DNS_SERVERS $HOME_NET # List of SMTP servers on your network var SMTP_SERVERS $HOME_NET # List of web servers on your network var HTTP_SERVERS $HOME_NET # List of sql servers on your network var SQL_SERVERS $HOME_NET # List of telnet servers on your network var TELNET_SERVERS $HOME_NET # List of snmp servers on your network var SNMP_SERVERS $HOME_NET Next, copy the classification.config and reference.config files to /etc/snort and set the include statements for these in snort.conf to point to the full path to these files: include /etc/snort/classification.config include /etc/snort/reference.config Now set the value of the RULE_PATH variable in the snort configuration file to /etc/snort/rules (this variable can point anywhere, of course, but I prefer to centralize as much of the snort configuration information in /etc/snort as possible): var RULE_PATH /etc/snort/rules Finally, configure snort's output plug-ins to log rule transgressions (known as alerts) however you'd like. By default, snort enables you to log alerts to the system log and various databases, and also makes it easy for you to define custom alert mechanisms. I'll focus on using the system log, since that's the most common (and generic) logging mechanism. To enable logging alerts to the system log (/var/log/messages), simply uncomment the following line in /etc/snort.conf: output alert_syslog: LOG_AUTH LOG_ALERT Almost there! You're now ready to download and install the rules files that are referenced in your snort configuration file. As mentioned previously, you should seriously consider subscribing to these if you're using snort in an enterprise environment, both in order to support further development of snort and because it's simply the right thing to do. For the purposes of this hack, you can retrieve and install the free (unregistered user) rules files from http://www.snort.org/pub-bin/downloads.cgi by searching the page for the "unregistered user release" section and retrieving a gzipped tarball of the rules that match the version of snort you've built. To install these rules, change directory to your /etc/snort directory and su to root or use sudo to extract the contents of the tarball with a standard tar incantation: $ cd /etc/snort $ sudo tar zxvf /home/wvh/snortrules-pr-2.4.tar.gz This will create /rules and /doc subdirectories in /etc/snort. (Again, these rules can actually live anywhere on your system since their location is identified by the RULE_PATH variable in the snort configuration file. We set this variable to /etc/snort/rules earlier.) 7.4.3. Starting snortAt this point, you're ready to run snort. Though snort offers a daemon mode, it's generally useful to run it in interactive mode from the command line until you're sure you've made the correct modifications to your /etc/snort.conf file. To do this, execute the following command: # snort -A full You'll see a lot of output as snort parses your configuration file and rule sets. If you've done everything right and not made any typos, this output will conclude with the following block of output: --== Initialization Complete ==-- ,,_ -*> Snort! <*- o" )~ Version 2.4.0 (Build 18) x86_64 '''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html (C) Copyright 1998-2005 Sourcefire Inc., et al. If you see this, all is well and snort is running correctly. If not, correct the problems identified by the snort error messages (which are usually quite good), and try the snort command again until snort starts correctly. One especially common and irritating message when getting started using snort is the following: socket: Address family not supported by protocol You will see this message if your system's kernel is not configured to support the CONFIG_PACKET option, which enables applications (the packet capture library, in this case) to read directly from network interfaces. This capability can be compiled directly into the kernel, but it's more commonly built as a loadable kernel module (LKM) with the name af_packet.ko (af_packet.o if you're still running a pre-2.6 Linux kernel). If this capability is provided as an LKM on your system, you can generally load it by executing the modprobe af_packet.ko command as root or via sudo. If modprobe doesn't work for some reason, you can load the module directly using the insmod command. The name of the appropriate /lib/modules subdirectory where the module is located is contingent on the version of the kernel you're running, which you can determine by executing the uname -r command. For example: # uname -r 2.6.11.4-21.8-default # insmod /lib/modules/2.6.11.4-21.8-default/kernel/net/packet/af_packet.ko Testing Snort The fact that snort is running without complaints is all well and good, but executing correctly isn't the same thing as doing what you want it to do. It's therefore useful to actually test snort by triggering one of its rules. The easiest of these to trigger are the port scan rules. To test these, connect to a machine outside your network and issue the nmap command, identifying the machine on which you're running snort as the target, as in the following example: $ nmap -P0 24.3.53.235 Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ ) Warning: You are not root -- using TCP pingscan rather than ICMP Nmap run completed -- 1 IP address (0 hosts up) scanned in 60 seconds You can now check /var/log/snort, in which you should see a filenames alert with contents like the following: a[**] [122:17:0] (portscan) UDP Portscan [**] 09/14-20:53:16.024463 24.3.53.235 -> 192.168.6.64 RAW TTL:0 TOS:0xC0 ID:29863 IpLen:20 DgmLen:163 You will also see a directory with the name 24.3.53.235. This directory contains logs of the offending packets that triggered the alert. Congratulations! snort is working correctly.
Once you're satisfied that snort is working correctly, you'll probably want to terminate the interactive snort session we started earlier and restart snort in daemon mode, using the following command: # snort -A full -D This starts snort in the background and sends its initialization messages to /var/log/messages. To add this command to your system's startup mechanisms, either append it to a startup script such as /etc/rc.local or integrate it into the standard system startup process by creating a start/stop script in /etc/init.d and adding the appropriate symbolic links to the /etc/rc.runlevel directory that corresponds to the default runlevel for the system on which you're running snort. 7.4.4. Advanced snortYou can extend snort in an infinite number of ways. One of the easiest is to take advantage of more of its default capabilities by activating additional rule sets that are provided in the bundle that you downloaded but are commented out of the default snort configuration file template. Some of my favorites to uncomment are the following: include $RULE_PATH/web-attacks.rules include $RULE_PATH/backdoor.rules include $RULE_PATH/shellcode.rules include $RULE_PATH/virus.rules Once you uncomment these and restart snort, you'll probably start to see additional snort alerts such as the following: [**] [1:651:8] SHELLCODE x86 stealth NOOP [**] [Classification: Executable code was detected] [Priority: 1] 09/15-04:49:32.299135 70.48.80.189:6881 -> 192.168.6.64:52757 TCP TTL:109 TOS:0x0 ID:53803 IpLen:20 DgmLen:1432 DF ***AP*** Seq: 0x1869E9D1 Ack: 0x18F60ED8 Win: 0xFFFF TcpLen: 32 TCP Options (3) => NOP NOP TS: 719694 594700245 [Xref => http://www.whitehats.com/info/IDS291] Better to know about attempted attacks than to be blissfully unaware! Of course, whether or not you want to monitor your network for these types of attacks is entirely dependent on your site's network policieswhich is why they're commented out of the snort configuration file template. Your mileage may vary, but I find these quite useful. 7.4.5. Summarysnort is an extremely powerful, flexible, and configurable intrusion detection system. This hack focused on getting it up and running in a standard fashionexplaining how to create your own rules and take advantage of all of its capabilities would require its own book. Actually, a number of books on snort are available, as well as extensive discussions in more general networking texts such as O'Reilly's own Network Security Hacks, by Andrew Lockhart. If you're interested in a simpler network-monitoring package, PortSentry (http://sourceforge.net/projects/sentrytools/) is one of the best known, though it hasn't been updated for quite a while now. However, snort is a much more powerful tool and is actively under development. Newer snort developments include the ability to actively respond to certain types of attacks by sending certain types of packages (known as flexresp, or flexible response) and increasing integration with dynamic notification tools on both the Linux and Windows platforms. In today's connected world, you can't really afford not to firewall your hosts and scan for clever folks that can still punch through your defenses. In the open source world, there's no better tool for the latter task than snort. 7.4.6. See Also
|
EAN: 2147483647
Pages: 162