Recipe 7.13. Snort as Evidence in the U.K.
You run a network, and you want to ensure that you can
Take all reasonable steps to ensure that your evidence can't be contaminated. Ensure that you have documented your system, policies, and procedures adequately, and also in cases of breach, ensure that you document the steps you take to resolve the situation.
This is a difficult area and can be substantially different depending upon where you are. In the United Kingdom, prosecutions are most likely to be brought under the Computer Misuse Act (1990), which creates the following
Each offense has specific criteria defining guilt, which, like most U.K. law, require that the offender intentionally commit the offense or intend to commit the offense. To help
To prosecute, you must show that:
Snort is capable of logging all network traffic, so you can show that a message indicating the authorization requirements has been sent to the offender and that she has
You must, however, ensure that there is no way that your logging system can be altered. This
Once you have determined that an event has taken place, it is
The key point to remember is that at any point in the process you must be able to account for what has
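One practical way to show that logs have not been altered since collection is to seal the Snort log directory with a hash-chained manifest at the time of capture and re-verify it whenever the evidence is handled. The following is an added example, not part of the original recipe; the directory layout, file names and the choice of SHA-256 are assumptions, and the manifest (or at least its final chain value) is meant to be stored off the sensor, on write-once media or with a dated signature.

```python
import hashlib
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large Snort logs are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def seal_logs(log_dir: Path) -> list[dict]:
    """Build a hash-chained manifest of every file under log_dir.

    Each entry's 'chain' value covers the previous chain value and this
    file's digest, so deleting or reordering an entry breaks the chain.
    Record the last 'chain' value off the sensor; an attacker who can
    rewrite both logs and manifest still cannot match that value."""
    prev = "0" * 64
    manifest = []
    for path in sorted(p for p in log_dir.rglob("*") if p.is_file()):
        digest = file_digest(path)
        prev = hashlib.sha256((prev + digest).encode()).hexdigest()
        manifest.append({"file": str(path.relative_to(log_dir)),
                         "size": path.stat().st_size,
                         "sha256": digest, "chain": prev})
    return manifest


def verify_logs(log_dir: Path, manifest: list[dict]) -> list[str]:
    """Return the problems found; an empty list means the evidence is intact."""
    problems = []
    prev = "0" * 64
    for entry in manifest:
        path = log_dir / entry["file"]
        if not path.is_file():
            problems.append(f"missing: {entry['file']}")
            continue
        if file_digest(path) != entry["sha256"]:
            problems.append(f"modified: {entry['file']}")
        # Recompute the chain from the manifest's own digests: a manifest
        # edited to cover a changed file no longer chains correctly.
        prev = hashlib.sha256((prev + entry["sha256"]).encode()).hexdigest()
        if prev != entry["chain"]:
            problems.append(f"manifest tampered at: {entry['file']}")
    listed = {e["file"] for e in manifest}
    for path in log_dir.rglob("*"):  # files added after sealing
        if path.is_file() and str(path.relative_to(log_dir)) not in listed:
            problems.append(f"unexpected: {path.relative_to(log_dir)}")
    return problems
```

Run seal_logs once when the logs are collected and verify_logs before every examination; the returned list is what you record in the case notes.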
Computer Misuse Act, 1990
Recipe 7.14. Snort as a Virus Detection Tool
Can Snort be used to help us document and detect viruses traveling across our network?
Using the ClamAV engine (http://www.clamav.net), several Snort developers from the
For example, if you have a RAS connection that connects directly to your network
Another reason to run this preprocessor is that AV
To enable this preprocessor, you have to patch Snort and first get the file from:
This patch has been
Once the ClamAV source code is downloaded from http://www.clamav.net, it needs to be installed. At the time of writing, the most current version is 0.80, which will successfully detect the jpeg exploit found in MS04-028! This tool runs as its own user, so you'll have to create an account as well before installing. This account is also specified at install time to make sure the tool is compiled correctly.
root# adduser clamav
root# ./configure --with-user=clamav && make
If no errors are displayed after the make is complete, install the tool to the default location of /usr/local/share/clamav. Then make a test run to make sure the executables compiled correctly, using the following example.
root# /usr/local/bin/clamscan /home/<username>
If the summary doesn't look something like the following (minus the actual exploit code, of course), the install failed.
root# /usr/local/bin/clamscan /home/<username>/
/home/<username>//.bash_logout: OK
/home/<username>//.bash_profile: OK
/home/<username>//.bashrc: OK
/home/<username>//.bash_history: OK
/home/<username>//.viminfo: OK
/home/<username>//virus-jpeg.zip: Exploit.JPEG.Comment.4 FOUND
/home/<username>//.pinerc: OK
/home/<username>//p0f_db-0.3.tar: OK
/home/<username>//snort-2.2.0.tar.gz: OK

----------- SCAN SUMMARY -----------
Known viruses: 24618
Scanned directories: 1
Scanned files: 12
Infected files: 1
Data scanned: 28.71 MB
I/O buffer size: 131072 bytes
Time: 51.797 sec (0 m 51 s)
Now that ClamAV is installed and working, it is time to update the ClamAV database files with the most recent virus datafiles from http://www.clamAV.net. You can probably script the following example to pull the files daily, if your sensors aren't out of
root# cd /usr/local/share/clamav
root# wget http://db.local.clamav.net/main.cvd
root# wget http://db.local.clamav.net/daily.cvd
Now that ClamAV is working on the sensor, it is time to build Snort 2.2.x to use the ClamAV preprocessor. Using the patch found at the following link:
The Snort source code will have to be patched to use the preprocessor. (A very special thanks to William Metcalf for his help in getting this preprocessor to compile.) Once the patching is done, Snort will have to be resourced to make the changes before compile time.
root# patch -p0 < clamav-snortv-2.2.0.diff
# Either run
root# autoreconf -f
# OR
root# libtoolize -f && aclocal && autoheader && automake && autoconf
Now compile Snort with the ClamAV preprocessor enabled. You must pass all of the ClamAV options to the configure command; if any are missing, Snort does not compile the preprocessor correctly! Once configure has completed with no errors, build Snort as normal with make and make install.
root# ./configure --enable-clamav --with-clamav-includes=/usr/local/includes \
    --with-clamav-defdir=/usr/local/share/clamav --with-mysql
# --enable-debug is optional
Finally, edit the snort.conf file to use the ClamAV preprocessor. The preprocessor has to be placed in the snort.conf file immediately after the stream4_reassemble preprocessor but before the http_inspect preprocessor, unless you want the preprocessor to detect test viruses such as EICAR only! One last suggestion would be to test the build in the local snort-2.2.x directory first, as in the following:
# line to add to snort.conf:
preprocessor clamav

# test run from the local source directory:
root# ./src/snort -c etc/snort.conf -i eth0 -l log -T
If you don't get any errors such as "unknown preprocessor: ClamAV," your build was successful. Simply install and change as necessary to start detecting viruses and Trojans on your network(s).
Unfortunately, there aren't many hard stats yet on the load this places on Snort and the sensor. As a safe bet, either deploy a new sensor with this enabled or use it on a slow link for staging until you are comfortable using the patch.
Another thought is this will detect only the viruses passing by your sensor. If your organization is considering venturing down the
Finally, there are several applications for this as seen earlier; the best to start out with is to demonstrate the risks exposed to your network(s) by remote/RAS/VPN users. This can help an organization weigh the risks of having those connections and the level of protection and assurance that needs to be applied to those connections. Another example would be to place it in front of a heavy-load mail server to
Snort-inline patches (http://www.sourceforge.net)