Snort Installation.pdf


Transcript of Snort Installation.pdf (dated 7/22/2019)

MODULE 3 Snort Installation

About This Module

This module covers the entire installation process, including some of the additional components that help manage, store and receive alert feedback. To make this work properly, several additional supporting packages will be installed as well. The installation will be performed on a Linux platform, since all of the tools required for an installation are freely available there.

Module Objectives:

- Build a secure OS foundation
- Understand the basic installation process
- Install from a combination of RPM packages and source code
- Discuss RPM package update tools
- Perform installation and initial configuration
- Test the installation


Slide 34

Building a Secure OS Foundation

The platform on which your Snort installation resides is as critical as any other component of the installation. It is good practice to have the operating system on which you will install Snort and its components prepared and in a secure state before you begin. A precise step-by-step tutorial on building a secure OS is beyond the scope of this class, but the fundamentals are presented here. There are many techniques that can be employed and an equally large number of opinions on how to deploy a secure OS, so it is critical that you do some research and come up with a secure configuration that makes sense for the environment in which you will deploy your Snort sensors.

Major Issues to Consider

The list below contains some of the most prominent issues that should be addressed when constructing a secure OS platform:

- Unnecessary services
- Default accounts and settings
- Review the installation, including the OS and installed packages, for security issues
- Obtain and install the latest security patches
- Continuously monitor newsgroups and mailing lists for security information that might affect your installation
- If applicable, a local firewall is a good idea to block access to ports other than those you intend to use
- Check your organization's security policy for guidelines on password usage and account privilege administration

Class OS Installation

The OS platform that has been provided is based on CentOS. It was installed with a minimal set of applications: basically, enough to boot the system and to compile and install the software packages we will need to complete our Snort deployment. The local firewall has been enabled and configured to allow incoming connections only on ports 22 (ssh), 80 (http) and 443 (ssl). From a security perspective it makes sense to disable access to port 80 once your installation is up and running, which leaves remote access to your sensor available only via secure, encrypted protocols.

Slide 35


Slide 36

Pre-installation Items

The Base OS

The base operating system was prepared to facilitate the installation of Snort and the tools you will install alongside Snort for alert analysis and storage. If you are building an installation from scratch, use the following guidelines:

Since the CentOS Linux distribution is largely RPM based, you can take advantage of tools such as yum to install and update packages as needed. yum is a straightforward command-line application for managing RPMs. Without any configuration, it is preconfigured to point to some default RPM repositories, so it can be used right away. You can configure yum to point to specific repositories, but that discussion goes beyond the scope of this class. yum also has the ability to resolve and fetch package dependencies, which saves a lot of time and effort over manual package management. To use yum, see the following examples:

yum install <package> - Fetches the package and its dependencies, if any exist, from the package repository. Only the base package name is necessary; yum will pull down the most up-to-date version.

yum update <package> - Updates a previously installed package.

yum list installed - Lists the packages already installed on your system. It also accepts wildcard characters, whereas the previous two examples do not.

yum list available - Queries the yum repositories for packages available for download. It too accepts wildcards to facilitate your searches.

The base OS was initially configured with the following pre-installed:

- The Apache web server
- MySQL Server - MySQL database server
- Development Tools - compilers and other packages needed for building Snort


Applications added after initial OS configuration:

- The MySQL database development libraries - the package listed below was installed with the following command: yum install


Slide 38

Graphical Interface and Alert Analysis Tools

There are several open source interface options for managing alerts that you can choose from. For class purposes, BASE is the interface that will be used. The items below are the packages needed to run BASE, in addition to other graphical tools presented in this module:

- base-1.4.5
- adodb - database abstraction libraries for PHP
- Packages to support the charting capabilities of BASE:
  - Image_Canvas
  - Image_Color
  - Image_Graph

Pre-installation

Prior to performing the Snort installation for this module, you should familiarize yourself with the network environment:

- Network settings and virtual network topology
- The login credentials for all the devices
- Verify that all the devices and services you expect are up and running

Review the diagram on the following page for details of the virtual network topology and the devices in your environment.

Slide 39


Slide 40

About The Virtual Network

The virtual network for the class consists of five separate zones. The zones are described below, along with the hosts located in each:

- General Network Environment - This environment consists of the devices connected to VMNet1 (192.168.133.0/24):
  - Student Desktop - the student host OS, running a variety of tools
  - Rugila - Linux server running SMTP & IMAP services
  - Attila - Linux host with scanners and attack tools
- DMZ - This environment consists of the devices connected to VMNet2 (192.168.10.0/24):
  - Bleda - Linux server running HTTP & FTP services
  - Lamp - Linux server with MySQL & HTTP services
- Management Network - This environment consists of the devices connected to VMNet4 (192.168.111.0/24). This network segment is used for the management interfaces of your Snort sensor and DMZ hosts:
  - snortbox - your Snort sensor. This host also has a second interface facing the General Network zone. This interface has no IP address and will be used as the sensing interface for your sensor.
- Gateway Zone - This environment consists of the devices connected to VMNet5 (192.168.222.0/24):
  - router - This device is running the DNS server for the sfsnort.com domain. It has 4 interfaces and serves as the central point of ingress and egress between the virtual network and the classroom network.
- Classroom Network - This environment consists of everything external to VMNet5.

The entire infrastructure has been given the domain name sfsnort.com. Since there is a DNS server servicing the network, all of the hosts are reachable by name.

The host student desktop can be used as your primary desktop. It contains tools to allow you to remotely shell into snortbox for the installation labs. Alternatively, you can work directly in the snortbox virtual machine, which has a graphical environment installed so you can use the GUI tools that are available.


Slide 41

Initializing The Virtual Network Infrastructure

The virtual machines in the training infrastructure are configured as members of a VMware team. This allows you to initialize the devices in tandem rather than as individual virtual machines. Use the following instructions to start the virtual infrastructure:

1. Double click the VMware application icon on your desktop.
2. From the File menu, select Open.
3. In the Open dialog box, navigate to the desktop and open the folder called "3D_xxxx_Infrastructure". In that folder, double click the icon called "3D_xxxx_Infrastructure.vmtm".
4. Right click on the 3D2500 virtual machine and select "Remove from Team". Close the tab containing the 3D2500 VM.
5. Right click on the DC1000 virtual machine and select "Remove from Team". Close the tab containing the DC1000 VM.
6. From the File menu, select Open. From the "3D_xxxx_Infrastructure" folder open the sub-folder "Snortbox_4.0". Double click on "Snortbox_3.0.vmx".
7. Click the green triangular icon to start the virtual machines (be sure to start both the team and Snortbox). Allow at least three minutes for them to initialize. You will note that a tile bar displays in the VMware application window where each tile represents one of the virtual machines in the infrastructure. One way to tell that the virtual hosts have initialized is to watch for the login prompt in the last tile.

Exploring The Virtual Infrastructure

The initialization process for the hosts in your virtual infrastructure should now be complete. You should take some time to log in to the various hosts and familiarize yourself with the environment. Also, use the diagram at the beginning of this module as a reference to get a feel for the zones in which the hosts reside. You should be able to ping the various hosts to test the connectivity between them, with the exception of the DMZ hosts, which will not be available until you get the IPS installed and operating properly.

The login credentials for the virtual hosts are as follows:

- User: root
- Password: password


The virtual infrastructure consists of a variety of hosts running the following operating systems:

- CentOS 5.5
  - attila
  - snortbox
- Ubuntu Server 10.04 LTS - Note that the initial login screens of the Ubuntu-based hosts may not render properly. You can press the [Enter] key to obtain a login prompt when needed.
  - rugila
  - router
  - lamp
  - bleda

Other Items to Consider in The Virtual Environment

- You must click in the virtual machine's window to control it. If at any time you need to release the mouse or release control of the virtual machine so you can use your host OS desktop, you can press [Ctrl] + [Alt] on your keyboard. When you want to control the OS in the virtual machine again, just click in the VMware window as you did before or press [Ctrl] + [G].

At this point your virtual network environment is ready. In the remainder of this section, you will perform the installation of Snort and its supporting applications. Remember that you can use the snortbox console, or do everything from the student desktop system, which has a browser and remote access tools such as PuTTY so you can SSH into snortbox to perform the installation. Just open the classfiles folder on the student desktop system and double click the PuTTY icon. Enter snortbox's name or IP address in the Host Name field and click the Open button. When the terminal window opens, enter snortbox's login credentials and begin the installation process from there.


Snort Installation

Slide 42

The local firewall is configured on snortbox to allow remote access to the following services:

- Port 22 - SSH
- Port 80 - HTTP
- Port 443 - SSL

It is highly recommended that you disable external access to port 80 once the installation is up and running. This allows only secure access to the Snort host from remote locations.

Perform a Service Check

Before beginning the installation process, you should check to see that the services you expect are up and running. Use the following command to perform this check:

[root@snortbox ~]# netstat -ltn

The screen should return results similar to the following:

[root@snortbox ~]# netstat -ltn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 :::80                       :::*                        LISTEN
tcp        0      0 :::22                       :::*                        LISTEN

You are looking for the presence of the following ports:

- 22 - SSH
- 80 - HTTP
- 3306 - MySQL
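As an added check that is not part of the course materials, the shell functions below parse `netstat -ltn` output, report which of the expected ports (22, 80, 3306) are listening, and list the sockets bound to all interfaces so you can confirm nothing beyond the intended services is reachable from the network. The sample output is constructed to resemble the one above.

```shell
#!/bin/sh
# Added example (not from the course): check `netstat -ltn` output for the
# ports this module expects on snortbox. Pipe real output in, or use the
# constructed sample below.

# Constructed sample of `netstat -ltn` output, shaped like the module's.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 :::80                       :::*                        LISTEN
tcp        0      0 :::22                       :::*                        LISTEN'

# listening_ports: read netstat output on stdin and print one port per line
# for every TCP socket in LISTEN state. The port is the text after the last
# ':' of the Local Address column, which handles both 0.0.0.0:22 and :::22.
listening_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -n -u
}

# port_is_listening PORT NETSTAT_TEXT: return 0 if PORT is in LISTEN state.
port_is_listening() {
    printf '%s\n' "$2" | listening_ports | grep -qx "$1"
}

# missing_ports NETSTAT_TEXT PORT...: print each expected port that is not
# listening; return 0 if none are missing, 1 otherwise.
missing_ports() {
    text=$1; shift
    rc=0
    for p in "$@"; do
        if ! port_is_listening "$p" "$text"; then
            echo "$p"
            rc=1
        fi
    done
    return $rc
}

# exposed_ports NETSTAT_TEXT: ports bound to all interfaces (0.0.0.0 or ::),
# i.e. reachable from the network if the local firewall permits them.
exposed_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^tcp/ && $NF == "LISTEN" && ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::/) { n = split($4, a, ":"); print a[n] }' | sort -n -u
}

# Run against the constructed sample when executed directly.
if missing_ports "$SAMPLE_NETSTAT" 22 80 3306 >/dev/null; then
    echo "all expected ports are listening"
else
    echo "missing: $(missing_ports "$SAMPLE_NETSTAT" 22 80 3306 | tr '\n' ' ')"
fi
echo "bound to all interfaces: $(exposed_ports "$SAMPLE_NETSTAT" | tr '\n' ' ')"
```

On the sensor itself, replace the sample with `"$(netstat -ltn)"`; port 111 (portmap) showing up as exposed is the kind of service the "Unnecessary services" item earlier in this module is about.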


Install Snort and Its Components

In this portion of the lab, you will install several components required to run Snort, the Snort core and the Snort rules. Then you will configure the MySQL database to receive Snort alerts.

1. Install the PCRE libraries.

This package is required so that Snort's Perl Compatible Regular Expression capability is enabled. With these libraries, you can use PCRE in the rules that you create, and the rules that ship with the Snort distribution that rely on PCRE will work properly. From the /usr/local directory enter the following commands:

[root@snortbox local]# tar zxvf src/pcre-7.9.tar.gz
[root@snortbox local]# cd pcre-7.9
[root@snortbox pcre-7.9]# ./configure
[root@snortbox pcre-7.9]# make
[root@snortbox pcre-7.9]# make install
[root@snortbox pcre-7.9]# cd ..
[root@snortbox local]#

2. Install libpcap.

This is the package that allows the DAQ to read packets off the network. From the /usr/local directory enter the following commands:

[root@snortbox local]# tar zxvf src/libpcap-1.1.1.tar.gz
[root@snortbox local]# cd libpcap-1.1.1
[root@snortbox libpcap-1.1.1]# ./configure
[root@snortbox libpcap-1.1.1]# make
[root@snortbox libpcap-1.1.1]# make install
[root@snortbox libpcap-1.1.1]# cd ..
[root@snortbox local]#


3. Install libdnet.

This package allows the DAQ to be used in the NFQ and IPQ modes as well as for active responses. From the /usr/local directory enter the following commands:

[root@snortbox local]# tar zxvf src/libdnet-1.11.tar.gz
[root@snortbox local]# cd libdnet-1.11
[root@snortbox libdnet-1.11]# ./configure
[root@snortbox libdnet-1.11]# make
[root@snortbox libdnet-1.11]# make install
[root@snortbox libdnet-1.11]# cd ../lib
[root@snortbox lib]# ln -s libdnet.1 libdnet.so.1
[root@snortbox lib]# ldconfig
[root@snortbox lib]# cd ..
[root@snortbox local]#

4. Install DAQ.

The Data Acquisition library is the component that allows Snort to read packet data off the wire. From the /usr/local directory enter the following commands:

[root@snortbox local]# tar zxvf src/daq-0.6.1.tar.gz
[root@snortbox local]# cd daq-0.6.1
[root@snortbox daq-0.6.1]# ./configure
[root@snortbox daq-0.6.1]# make
[root@snortbox daq-0.6.1]# make install
[root@snortbox daq-0.6.1]# ldconfig
[root@snortbox daq-0.6.1]# cd ..
[root@snortbox local]#


5. Install Snort.

From the /usr/local directory enter the following commands:

[root@snortbox local]# tar zxvf src/snort-2.9.1.tar.gz
[root@snortbox local]# cd snort-2.9.1
[root@snortbox snort-2.9.1]# ./configure --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3
[root@snortbox snort-2.9.1]# make
[root@snortbox snort-2.9.1]# make install
[root@snortbox snort-2.9.1]#

Note that the configuration options used to build your Snort binary determine which features of Snort you will enable. The options used in class are the Sourcefire recommended compile options. In the example above, the compile-time options do the following:

- IPv6 - gives Snort the ability to decode IPv6 traffic
- GRE - allows Snort to read GRE data
- MPLS - allows Snort to read MPLS information
- Targetbased - target-based support in the stream and frag preprocessors and rules
- Decoder-preprocessor-rules - allows you to apply rule action types to decoder and preprocessor alerts
- PPM - enables the packet and rule performance monitoring capability
- Perfprofiling - turns on Snort's performance profiling capability, which lets you see statistics related to rule and preprocessor usage
- Zlib - allows the HTTP_inspect preprocessor to uncompress compressed data (gzip/deflate)
- Active-response - allows configuration and customization of responses in Snort
- Normalizer - when in inline mode, allows Snort to normalize traffic to minimize chances of evasion
- Reload - allows configurations to be reloaded without stopping Snort
- React - allows the use of the react rule option
- Flexresp3 - enables flex-response, or the ability to use Snort to reset connections


6. Create an /etc directory entry for Snort and for Snort rules. Then, copy the configuration files and unpack the rules distribution into it. From the Snort installation directory /usr/local/snort-2.9.1, do the following:

[root@snortbox snort-2.9.1]# mkdir /etc/snort
[root@snortbox snort-2.9.1]# mkdir /var/log/snort
[root@snortbox snort-2.9.1]# mkdir /usr/local/lib/snort_dynamicrules
[root@snortbox snort-2.9.1]# tar zxvf /usr/local/etc/snortrules-snapshot-2910.tar.gz -C /etc/snort
[root@snortbox snort-2.9.1]# tar zxvf /usr/local/src/opensource.gz -C /etc/snort
[root@snortbox snort-2.9.1]# cp /etc/snort/etc/*.conf* /etc/snort
[root@snortbox snort-2.9.1]# cp /etc/snort/etc/*.map /etc/snort
[root@snortbox snort-2.9.1]# cp /etc/snort/so_rules/precompiled/Centos-5-4/i386/2.9.1.0/* /usr/local/lib/snort_dynamicrules
[root@snortbox snort-2.9.1]# ln -s /usr/local/bin/snort /usr/sbin/snort

7. Create a Snort user and user group.

From the directory you are currently in, issue the following commands:

[root@snortbox snort-2.9.1]# groupadd snort
[root@snortbox snort-2.9.1]# useradd -g snort snort
[root@snortbox snort-2.9.1]# chown snort:snort /var/log/snort


The steps that follow assume that you are using the VI editor. However, you can use any editor you are comfortable with. Note that in VI, when you type the slash character as instructed, the information is displayed at the bottom of the terminal window. You may also jump to a line number in VI by typing in a number and pressing


If you are using the VI editor, use the search procedure described on the previous page with the slash character.


- Next, look for the three lines that include the following files (approximately line 587):

# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules

Uncomment these lines by removing the # symbol at the beginning of each line. You can move the cursor to the beginning of the line and press the [Del] key.

- Write these changes to the file. In VI use the command :wq to write the changes and quit the editor.

Since VI is not the most friendly application to use, one handy trick in case you mess things up is to exit without saving:

- First, make sure you are in command mode by pressing the Esc key (if you hear a beep, you were already in command mode).
- Then, type the following command: :q!

Start Snort

1. Test Snort.

Run a test of your Snort installation to make sure it starts with no errors, as follows:

[root@snortbox ~]# snort -i eth1 -c /etc/snort/snort.conf -A console

Upon entering this command, you will see a series of messages scroll off the screen. Eventually it will stop with a screen similar to that depicted below.


Rules Object: pop3 Version 1.0
Rules Object: web-misc Version 1.0
Rules Object: chat Version 1.0
Rules Object: icmp Version 1.0
Rules Object: misc Version 1.0
Rules Object: web-activex Version 1.0
Rules Object: exploit Version 1.0
Rules Object: multimedia Version 1.0
Rules Object: p2p Version 1.0
Rules Object: netbios Version 1.0
Rules Object: imap Version 1.0
Rules Object: dos Version 1.0
Rules Object: web-client Version 1.0
Rules Object: sql Version 1.0
Rules Object: web-iis Version 1.0
Rules Object: specific-threats Version 1.0
Preprocessor Object: SF_SSH (IPV6) Version 1.1
Preprocessor Object: SF_SMTP (IPV6) Version 1.1
Preprocessor Object: SF_DNS (IPV6) Version 1.1
Preprocessor Object: SF_DCERPC2 (IPV6) Version 1.0
Preprocessor Object: SF_REPUTATION (IPV6) Version 1.1
Preprocessor Object: SF_SDF (IPV6) Version 1.1
Preprocessor Object: SF_POP (IPV6) Version 1.0
Preprocessor Object: SF_FTPTELNET (IPV6) Version 1.2
Preprocessor Object: SF_SIP (IPV6) Version 1.1
Preprocessor Object: SF_IMAP (IPV6) Version 1.0
Preprocessor Object: SF_SSLPP (IPV6) Version 1.1
Commencing packet processing (pid=31187)


Configure Snort to Start Automatically

Up to this point, all of the individual components of your installation should be up and running. The next step is to automate the process of starting Snort on system initialization. Use this procedure to configure Snort to start automatically:

[root@snortbox ~]# cp /usr/local/snort-2.9.1/rpm/snortd /etc/init.d
[root@snortbox ~]# cp /usr/local/snort-2.9.1/rpm/snort.sysconfig /etc/sysconfig/snort
[root@snortbox ~]# chmod 755 /etc/init.d/snortd
[root@snortbox ~]#

The chkconfig portion of the snortd file needs to be modified so that Snort starts after the network and MySQL. It can be found around line 6. Edit the file /etc/init.d/snortd and modify the following line:

# chkconfig: 2345 40 50

to

# chkconfig: 2345 99 99

Then execute the following command:

[root@snortbox ~]# chkconfig --add snortd
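The two file edits this module asks for, uncommenting the three preprocessor include lines in snort.conf (the VI step earlier in this section) and changing the chkconfig priorities in /etc/init.d/snortd (above), are done below with sed and then verified, so a slip in the editor does not silently leave Snort without its preprocessor rules or starting before MySQL. This is an added example, not part of the course materials; the snort.conf and snortd fragments are constructed stand-ins, and each function takes a file path so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example (not from the course): scripted versions of the two manual
# edits in this module, each followed by a check of the result.

# enable_preproc_includes FILE: drop the leading '#' from the three
# preprocessor/decoder/sensitive-data include lines of a snort.conf.
enable_preproc_includes() {
    sed -e 's|^# *\(include \$PREPROC_RULE_PATH/preprocessor\.rules\)|\1|' \
        -e 's|^# *\(include \$PREPROC_RULE_PATH/decoder\.rules\)|\1|' \
        -e 's|^# *\(include \$PREPROC_RULE_PATH/sensitive-data\.rules\)|\1|' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# count_active_preproc_includes FILE: how many of the three include lines
# are active (not commented). Expect 3 after the edit.
count_active_preproc_includes() {
    grep -c -E '^include \$PREPROC_RULE_PATH/(preprocessor|decoder|sensitive-data)\.rules' "$1" || true
}

# set_chkconfig_priority FILE: rewrite '# chkconfig: 2345 40 50' as
# '# chkconfig: 2345 99 99' so Snort starts after the network and MySQL.
set_chkconfig_priority() {
    sed 's|^# chkconfig: 2345 40 50$|# chkconfig: 2345 99 99|' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# chkconfig_line FILE: print the chkconfig header line for verification.
chkconfig_line() {
    grep '^# chkconfig:' "$1"
}

# make_sample_files: write constructed fragments standing in for
# snort.conf and /etc/init.d/snortd into a temp dir and print its path.
make_sample_files() {
    dir=$(mktemp -d)
    cat > "$dir/snort.conf" <<'EOF'
# decoder and preprocessor event rules
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
include $RULE_PATH/local.rules
EOF
    cat > "$dir/snortd" <<'EOF'
#!/bin/sh
# snortd: start/stop the snort IDS daemon
# chkconfig: 2345 40 50
# description: snort is a lightweight network intrusion detection tool
EOF
    echo "$dir"
}

# Demonstration on the constructed files.
SAMPLE_DIR=$(make_sample_files)
enable_preproc_includes "$SAMPLE_DIR/snort.conf"
set_chkconfig_priority "$SAMPLE_DIR/snortd"
echo "active preprocessor includes: $(count_active_preproc_includes "$SAMPLE_DIR/snort.conf")"
chkconfig_line "$SAMPLE_DIR/snortd"
```

On snortbox the same functions apply to /etc/snort/snort.conf and /etc/init.d/snortd; run the count and chkconfig_line checks afterwards before `chkconfig --add snortd`.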


Slide 43

Module Summary

This module stepped through the process of constructing a Snort system with all of its supporting components. This included installation and configuration of the following:

- The Snort core
- Supporting libraries

While there are many components to this lab, the end result is a Snort system ready for deployment.
