Snort

From ArchWiki
Latest revision as of 01:33, 26 March 2016

This article or section needs language, wiki syntax or style improvements.

The factual accuracy of this article or section is disputed.

From the project home page:

Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol, and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and nearly 400,000 registered users, Snort has become the de facto standard for IPS.

General Setup and Notes

  • A Snort setup that sniffs WAN <-> LAN is more difficult to use. It does not show you which computer triggered the alert, and it requires you to set HOME_NET to your WAN IP address, which can change if your modem uses DHCP.
  • Snort will bridge the two interfaces for you; you will not need to configure this.

You can use Snort to sniff wireless traffic with two routers. For simplicity, the router with DHCP on and wireless off will be called "router A" and the router with wireless on and DHCP off "router B".

  • Ensure the routers do not have the same IP address, but are on the same subnet.
  • If the machine running Snort is configured for inline mode, you will need 3 network interface cards: one for management, one for incoming traffic, and one for outgoing traffic.
  • Connect an Ethernet cable from router B to a spare NIC on the Snort machine.
  • Connect another Ethernet cable from router A to a spare NIC on the Snort machine.
  • Once Snort is running, traffic should flow from router B <-> Snort machine <-> router A <-> internet.
  • If you are not using inline mode, then the traffic will need to be forwarded to the Snort machine; see Port Mirroring.

Installation

Install snort from the AUR.

Configuration

The main configuration file is located at /etc/snort/snort.conf.

Let Snort know what network (or networks) you want to monitor.

ipvar HOME_NET [10.8.0.0/24,192.168.1.0/24]   

At the bottom of the file, there is a list of includes. If you are going to use Pulledpork to download your rule set, then comment out all of the includes except for:

include $RULE_PATH/snort.rules

Inline mode

If you are planning on using Snort in inline mode add these lines to the bottom of the configuration:

config policy_mode:inline
config daq: afpacket
config daq_mode: inline
config daq_var:  buffer_size_mb=1024

A working example of inline mode in snort.conf is also available on pastebin (http://pastebin.com/xNuVtni3).

Then ensure your service file /usr/lib/systemd/system/snort@.service has the correct arguments for inline mode; this means adding -Q. Snort also advises turning off LRO and GRO on the inspected interfaces (see http://manual.snort.org/node7.html). Note that the unit below only disables GRO with ethtool; if your NIC supports LRO, disable it the same way with ethtool -K %I lro off.

[Unit]
Description=Snort IDS system listening on '%I'

[Service]
Type=simple
ExecStartPre=/usr/sbin/ip link set up dev %I
ExecStartPre=/usr/bin/ethtool -K %I gro off
ExecStart=/usr/bin/snort --daq-dir /usr/lib/daq/ -A fast -b -p -u snort -g snort -c /etc/snort/snort.conf -i %I -Q

[Install]
Alias=multi-user.target.wants/snort@%i.service

To start Snort configured for inline mode, run (your interface names may vary):

systemctl start snort@ens1:ens4

IDS mode

To start Snort in IDS mode run:

systemctl start snort@ens1

Updating the rules with Pulledpork

Install pulledpork from the AUR.

Configuration

The configuration files are located in /etc/pulledpork.

Edit /etc/pulledpork/pulledpork.conf and uncomment the rules you want to use. You will need an "oinkcode" to download some of the rules.

  • dropsid.conf: any rule matched in this file will have its traffic dropped instead of only alerted on.
  • enablesid.conf is used to enable signatures. All signatures seem to be enabled by default, so there is no need to edit this file.
  • disablesid.conf is used to completely remove a signature from Snort.

The current categories within your rule set can be found by running the following. The second command lists the rule tarball that Pulledpork downloaded to /var/tmp with tar tvzf (the non-standard lz helper used previously did the same; the verbose owner/group column is what makes cut -d'/' -f3 yield the file name) and writes the category names to a dated file:

pulledpork.pl -c /etc/pulledpork/pulledpork.conf -Pw
tar tvzf /var/tmp/*.gz | grep -E '\.rules' | cut -d'/' -f3 | sort -u | perl -lne '/(.*)\.rules/ && print $1' > rules.`date +%F`

Drop traffic with Pulledpork

If you want to drop all traffic that matches a Snort signature instead of just alerting, add the following to your dropsid.conf:

pcre:.

Or if you want to drop all traffic matching an entire category:

policy-social
policy-other
file-other

If you only want to drop a single rule:

118:7

Disabling rules with Pulledpork

If you want to disable a single signature, add its gen_id and sig_id to /etc/pulledpork/disablesid.conf:

118:22

If you want to disable an entire category:

deleted
protocol-icmp
policy-social
policy-other
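Pulledpork applies these modifier files when it writes snort.rules. The Python below is added here as an illustration of what the dropsid.conf and disablesid.conf entries above do; it is not part of the ArchWiki article or of Pulledpork, and the rule files it works on are constructed samples named like the downloaded category files. Entries are gid:sid pairs (118:7), category names (policy-social) or pcre: patterns (pcre:. matches every rule); dropsid matches have their action rewritten to drop, disablesid matches are commented out.

```python
import re

# Constructed sample rule files, named as Pulledpork downloads them (the
# category is the file name without ".rules"). These are not real Snort rules.
RULE_FILES = {
    "policy-social.rules": 'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"chat client"; sid:2000001; rev:1;)\n',
    "protocol-icmp.rules": 'alert icmp any any -> $HOME_NET any (msg:"ping sweep"; sid:2000002; rev:1;)\n',
    "preproc.rules": ('alert ( msg:"stream anomaly"; gid:118; sid:7; rev:1; )\n'
                      'alert ( msg:"stream other"; gid:118; sid:22; rev:1; )\n'),
}

SID_RE = re.compile(r"\bsid:\s*(\d+)")
GID_RE = re.compile(r"\bgid:\s*(\d+)")

def rule_id(rule):
    """Return (gid, sid) of one rule line; gid defaults to 1 when the rule has none."""
    sid = SID_RE.search(rule)
    if sid is None:
        return None
    gid = GID_RE.search(rule)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))

def matches(entry, category, rule):
    """Test one dropsid/disablesid line against a rule: 'gid:sid', 'pcre:<regex>' or a category."""
    entry = entry.strip()
    if entry.startswith("pcre:"):                 # pcre:. matches every rule
        return re.search(entry[len("pcre:"):], rule) is not None
    if re.fullmatch(r"\d+:\d+", entry):           # e.g. 118:7
        gid, sid = (int(x) for x in entry.split(":"))
        return rule_id(rule) == (gid, sid)
    return entry == category                      # e.g. policy-social

def apply_modifiers(rule_files, dropsid, disablesid):
    """Merge the rule files into one snort.rules text: disablesid matches are commented
    out, dropsid matches have their action rewritten from alert to drop."""
    merged = []
    for fname, text in rule_files.items():
        category = fname[:-len(".rules")] if fname.endswith(".rules") else fname
        for rule in text.splitlines():
            if not rule.strip() or rule.lstrip().startswith("#"):
                continue                          # skip blanks and already-disabled rules
            if any(matches(e, category, rule) for e in disablesid):
                merged.append("# " + rule)
            elif any(matches(e, category, rule) for e in dropsid):
                merged.append(re.sub(r"^alert\b", "drop", rule))
            else:
                merged.append(rule)
    return "\n".join(merged) + "\n"
```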

Running Pulledpork

This will pull the new rules and write them to /etc/snort/rules/snort.rules:

pulledpork.pl -c /etc/pulledpork/pulledpork.conf  -P

Update the rules: Oinkmaster

If you want to be able to download Snort's latest rules, you will need a subscription. This costs money. If you are happy enough with 5-day-old rules, you just need to register for free. If you do not, the only updates you will get are the new rules distributed with a new Snort release. Go ahead and register at Snort. If you really do not want to register, you can use the rules from BleedingSnort.com. They are bleeding edge, meaning they have not been tested thoroughly.

oinkmaster is available as an AUR package.

Oinkmaster setup

Edit /etc/oinkmaster.conf and look for the URL section and uncomment the 2.4 line. Make sure to replace <oinkcode> by the Oink code you generated after logging into your Snort account. For Bleeding Snort rules, uncomment the appropriate line.

When you log into your new account, create an "Oink code". Another thing to change is

use_external_bins=1 # 1 uses wget, tar, gzip instead of Perl modules

The rest of the configuration file is fine.

Oinkmaster usage

oinkmaster.pl -o /etc/snort/rules

Create an executable script with the exact command and place it in /etc/cron.daily to update the rules daily automatically.

See also

  • Simple stateful firewall
  • Router