Snort is a network Intrusion Detection System (IDS) application that analyzes network traffic for matches against user defined rule sets and performs several actions based upon its network analysis. Snort decodes application-layer packet contents, allowing it to detect thousands of network attack signatures, including such things as buffer overflows, fragmentation bombs, denial-of-service activity, and stealth scans.
I was inspired by the book INTRUSION DETECTION with SNORT, written by Rafeeq UR Rehman, and scripted an Enterprise snort solution based on this book. A federation of NST probe sensors can be quickly set up for IDS using snort throughout an enterprise network computing environment as shown in Figure 6.5, “Network Enterprise Diagram”. Most of the advanced IDS techniques and the integration with the network applications Rafeeq recommends (Apache, MySQL, php, and BASE) are automatically set up and configured for use with a single script.
The setup_snort script found in the "/usr/local/snort" directory is the primary means to run snort on a NST probe system. NST's Web User Interface found in Chapter 2, The Web User Interface (WUI) can also be used to launch this script. Information on how to start snort via a Web user interface can be found in the section called “Snort In Two Clicks”.
There are 6 operational "setup_snort" modes that one can choose with this script:

1. This mode ("-r") sets up a standalone Snort instance with a local MySQL database and BASE (Basic Analysis and Security Engine) support.
2. This mode ("-r" and "-d") sets up a standalone Snort instance and uses a remote MySQL database engine for archiving and requesting Snort IDS events.
3. This mode ("-c") creates a "collector" for remote Snort security and alert incident archiving. An enterprise configuration of remote Snort sensors can be deployed with the "collector" serving as a backend Snort database engine and as console access to security incidents for the network security administrator using BASE. Permanent storage for Snort incidents can be sent to a local hard disk or a networked file system.
4. This mode ("-k") is used to stop (kill) a snort instance or all snort instances running on the probe system. Optionally one can choose to delete (erase: "-e") the associated runtime directory and snort configuration file for the snort instance specified by the interface parameter: "-i <interface>".
5. This mode ("-l") is used to list the status of one or more snort instances configured on the NST probe system.
6. This mode ("-sig") is used to either reload the snort configuration for one or more snort instances ("reload") or dump stats ("dump") for all or a single snort instance.

If a NST probe was originally configured as a Snort "collector" only, one can add Snort IDS capability to the probe by running the "setup_snort" script a second time with the operational mode setting (1.) described above. The MySQL database engine associated with the Snort "collector" operation will be automatically detected and used.
The help information for the Snort setup script, /usr/local/snort/setup_snort, is shown below:

[root@probe root]# /usr/local/snort/setup_snort -h

Usage: setup_snort -r <local | remote [-rs <URL: rules site]> [-i <interface>]
                   [-d <database hostname>] [-p <database port>] [-s <sensor name>]
                   [-a <full | fast>] [-rd <RAM device>] [-rds <RAM disk size (MB)>]
                   [-rmp <RAM mount point>] [-rdir <runtime directory>]
                   [-x] [-e] [-v] [-h]

       setup_snort -c [-x] [-rd <RAM device>] [-rds <RAM disk size (MB)>]
                   [-rmp <RAM mount point>] [-rdir <runtime directory>] [-v]

       setup_snort -k [-e] [-i <interface>] [-v]

       setup_snort -l [-i <interface>]

       setup_snort -sig <reload | dump> [-i <interface>] [-v]

The first form of this script: "-r" is used to setup an instance of the Snort
Network Intrusion Detection System (IDS) on a NST probe system. A Snort session
can be used with any configured interface [-i <interface>]. All associated alert
and log events will be redirected to a MySQL database server on host
[-d <database name>]. The default setting is to create a 64MB RAM Disk at mount
point: "/mnt/ram4" for MySQL and Snort data files. If the database hostname
[-d <database name>] is "localhost" (i.e. the default value), a MySQL database
server will be configured and started on this NST probe system for immediate
Snort usage.

A PHP-based analysis engine: BASE (Basic Analysis and Security Engine) will also
be configured to search and process all security incidents generated by Snort
that are stored within the MySQL database. End user access to BASE is via the
Apache Web Server. One needs to make sure that an instance of Apache is up and
running on the NST probe system for proper access to BASE generated Web pages.

The following 2 examples demonstrate how one accesses BASE's Web interface:

  Example 1: Local Access (IP Address "localhost": 127.0.0.1)
             NST probe running Snort, MySQL, and BASE
    Interface: "Firefox" browser using X Windows or VNC client, or the
               "elinks" browser using the console or a SSH session.
    URL:       http://127.0.0.1/base

  Example 2: Remote Access (IP Address of NST Probe running Snort, MySQL,
             and BASE: 10.21.33.44)
    Interface: Any Web browser that supports SSL
    URL:       https://10.21.33.44/base

The second form of this script: "-c" can also be used to setup and run a
backend MySQL database server engine tailored with the BASE analysis engine for
the collection of remote Snort security incidents and log information (see the
[-c] parameter below). A federation of remote Snort IDS probes can be populated
throughout an Enterprise network computing evironment and be configured to send
any security incidents and log information to this database server.

The third form of this script: "-k" is used to stop (kill) a snort instance or
all snort instances running on the probe system. Optionally one can choose to
delete (erase: "-e") the associated runtime directory and snort configuration
file for the snort instance specified by the interface parameter:
"-i <interface>".

The forth form of this script: "-l" is used to list the status of one or more
snort instances configured on the NST probe system.

The fifth form of the script: "-sig" is used to either reload one or more snort
instances ("reload") or dump stats ("dump") for all or a single snort instance.

-r <local | remote> | --rules <local | remote>
    This option specifies the first form of the "setup_snort" script. The rules
    parameter is require for determining which Snort rule set source to use:
      local  - a copy of the rules that came with the NST distribution will be
               transferred to read/write Snort runtime directory. Use these
               method if one does not have access to the internet.
      remote - use "wget" to update the latest Snort rules from default site:
               http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz

-rs <URL: rules site> | --rules-site <URL: rules site>
    Optional setting to change the default location of the remote "-r" rule
    site. Use a URL formatted site name for the alternate Snort rules site.

-i <interface name> | --interface <interface name>
    Interface name for which Snort will perform intrusion detection: Ex: "eth1".
    This is the associated network interface for a snort instance.
    Default: "eth0"

-d <database hostname> | --db_hostname <database hostname>
    This parameter sets the MySQL database hostname for alert events and log
    information collection. It can be either an IP address or a name resolved
    through the naming service "/etc/hosts" file or DNS.
    ** Note: If the name of the database hostname is resolved to a remote host,
             a MySQL database instance will not be started on this NST probe
             system.
    Default: "localhost"

-p <database port> | --db_port <database port>
    This sets the database port number that the MySQL server is listening on.
    Default: "3306"

-c | --collector_mode
    This option specifies the second form of the "setup_snort" script. It is
    used to setup a MySQL database for the collection of remote Snort IDS
    probe's security alert events and log information. This parameter is useful
    when setting up an IDS architecture consisting of a federation of Snort
    probe sensors with a backend MySQL server and BASE analysis engine.

-s <sensor name> | --sensor_name <sensor name>
    Use this parameter to identify the sensor name used by this Snort instance.
    This is useful when many Snort sensors are logging to the same MySQL
    database. It will be easier to distinguish between multiple sensors when
    using the BASE tool for viewing alert and logged events.
    ** Note: Do not use spaces within the <sensor name>
             Ex: "Sensor 1" => "Sensor_1"
    Default: "IP address of probe interface: eth0"

-a <full | fast> | --alert_detail <full | fast>
    Used to set the detail of Snort alert and log events to the data base.
      full - All alert information for an event will be logged.
      fast - An abbreviated version of the alert event will be logged.
    Default: "full"

-rd <RAM device> | --ram-device <RAM device>
    Use this optional parameter to change the default RAM device that will be
    used for this instance of Snort and the associated MySQL database files.
    Available RAM device names on NST: "/dev/ram0 - /dev/ram9". A cooresponding
    mount point: "/mnt/ram0 - /mnt/ram9" will be automatically selected for the
    RAM device. One can use the following optional parameter:
    "-rmp <mount point>" to change mount point location for the selected RAM
    device.
    Default: "/dev/ram4"

-rds <RAM dsk size (MB)> | --ram-disk-size <RAM disk size (MB)>
    Use this optional parameter to change the default RAM disk size in
    MegaBytes (MB) that will be used for this instance of Snort and the
    associated MySQL database data files.
    Default: "64"
    ** Note: Use a reasonable value and make sure you to not exceed your
             available system RAM. The system memory utility: "free" can be
             used to help make your determination.

-rmp <mount point> | --ram-mount-point <mount point>
    Use this optional parameter to change the selected RAM device's:
    "-rd <RAM device>" mount point for this instance of Snort and the associated
    MySQL database data files.
    Default: "/mnt/ram4"

-rdir <runtime directory> | --runtime-directory <runtime directory>
    One can use this optional parameter to force the "setup_snort" script to use
    an existing runtime directory on a locally attached disk drive or a mounted
    network file system and bypass the creation of a RAM disk. To do this, make
    sure the directory initially exists prior to running this script.
    Example:
      Mount Point: "/dev/hdc1" mount at: "/probe1" type ext3 (rw)
      Directory:   "/probe1/snort"
      Use: "-rdir /probe1/snort" to create the top level runtime directory
      structure for this instance of Snort and the associated MySQL database
      (if needed).
      Directory Structure:
        Snort => /probe1/snort/snort
        mysql => /probe1/snort/var/lib/mysql (if needed)

-k | --kill
    This option specifies the third form of the "setup_snort" script. If no
    interface parameter ("-i <interface>") is specified, then all running snort
    instances will be stopped ("killed"). If an interface parameter
    ("-i <interface>") is specified, then only the running snort instance for
    that associated interface will be stopped.

-x | --extra-servies
    This option installs the extra network services mapping values (protocols,
    services and flags) into the Snort MySQL database. These tables are intended
    to supplement the base tables required for database support in snort in
    order to make data more human readable.

-e | --erase
    One can specify this parameter to erase the runtime directory and snort
    configuration file for a prior configured snort instance. If used with the
    first form, the setup script will try to erase any prior existing runtime
    snort setup directory and configuration file. If used with the third form,
    the setup script will try to erase either one or more snort runtime
    directories and configuration files depending on whether or not the
    interface parameter ("-i <interface>") is specified.
    ** Note: A particular snort runtime directory will not be erased if it is
             being shared with another snort instance using a different network
             interface. The snort configuration file will always be removed.
             Only the directory structure for snort will be erased. The MySQL
             directory structure will not be erased.

-l | --list-status
    This option specifies the forth form of the "setup_snort" script. The status
    for all snort instances including processes, configuration directories,
    runtime directories and configured network interfaces are listed. If an
    interface parameter ("-i <interface>") is specified, then only the status
    pertaining to the selected interface is displayed.

-sig <reload | dump> | --signal <reload | dump>
    This option specifies the fifth form of the "setup_snort" script. The
    "-sig reload" option will cause one of more running snort instances to
    reload their associated configuration file. A "SIGHUP" signal is sent to one
    or more running snort processes resulting in closure of all opened files and
    restarting the snort process. If no ("<-i interface>") parameter was
    specified, then all running snort instances will be sent the "SIGHUP" signal
    for reloading.
    The "-sig dump" option will cause one of more running snort instances to
    dump their current statistics. The output of the statistics is controlled by
    how a snort process was initially executed. A "SIGUSR1" signal is sent to
    one of more snort instances to dump their current packet statistical
    information to the current shell, console or syslogd(8) if in daemon mode
    ("-D" option to snort). If no ("<-i interface>") parameter was specified,
    then all running snort instances will be sent the "SIGUSR1" signal to dump
    their statistics. If the snort process is run in daemon mode, the statistics
    will be typically dumped to the syslog file: "/var/log/messages".

-v | --verbose
    This optional switch will enable verbose output. Without this switch set,
    minimal output from the execution of this script will be displayed.

-h | --help
    Displays this help information.
We will now demonstrate a standalone snort configuration using this script with NST. It will be based upon the small business network configuration shown in Figure 6.4, “Small Business Diagram”. We will be using network interface "eth2" in stealth mode (i.e. no IP address bound to the network interface) as the probe monitor sensor interface. In this example network interface "eth2" is attached to a network "Hub", so all traffic on the "dirty side" of the Internet connection (i.e. the Internet side of the firewall with respect to the small business network) will be seen. This particular NST probe is configured with three 10/100 NICs. The "ifconfig -a" command reveals the following:
[root@probe root]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:50:FC:9C:D0:A7
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::250:fcff:fe9c:d0a7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:20437 errors:0 dropped:0 overruns:0 frame:0
          TX packets:789 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:2756634 (2.6 Mb)  TX bytes:139064 (135.8 Kb)
          Interrupt:10 Base address:0x7800

eth1      Link encap:Ethernet  HWaddr 00:30:BD:1E:98:1E
          inet6 addr: fe80::230:bdff:fe1e:981e/64 Scope:Link
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:3 Base address:0x9c00

eth2      Link encap:Ethernet  HWaddr 00:04:75:A1:EF:AB
          inet6 addr: fe80::204:75ff:fea1:efab/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:80106 errors:0 dropped:0 overruns:1 frame:0
          TX packets:1 errors:0 dropped:0 overruns:0 carrier:1
          collisions:0 txqueuelen:100
          RX bytes:4831006 (4.6 Mb)  TX bytes:60 (60.0 b)
          Interrupt:9 Base address:0xdc00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:30 errors:0 dropped:0 overruns:0 frame:0
          TX packets:30 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:10680 (10.4 Kb)  TX bytes:10680 (10.4 Kb)
The setup_snort script will be started by obtaining up-to-date remote rules from the "www.snort.org" site (this implies internet connectivity to the NST probe system). The NST probe system will be labeled with the sensor name "FW-Dirty" and full snort details will be generated. A 128MB RAM disk will be created using the default RAM device "/dev/ram4" at mount point "/mnt/ram4". Since this is a standalone setup, a MySQL database engine will also be configured and started for this snort instance. Below is the command-line script execution for this IDS snort example:
[root@probe root]# /usr/local/snort/setup_snort -r remote -i eth2 -s "FW-Dirty" -a full -rds 128 -v

*** Creating a 128MByte RAM disk at mount point: "/mnt/ram4"...
/root/bin/create_ramdisk -s 128 -d /dev/ram4 -m /mnt/ram4 -v
============================================================
= Creating a 131072KB RAM disk at mount point: /mnt/ram4... =
============================================================
*** Zeroing out RAM device: "/dev/ram4"...
/bin/dd if=/dev/zero of=/dev/ram4 bs=1k count=131072
131072+0 records in
131072+0 records out
*** Creating a 131072KB Linux ext2 file system on RAM device: "/dev/ram4"...
/sbin/mke2fs -vm 0 /dev/ram4 131072
mke2fs 1.32 (09-Nov-2002)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
32768 inodes, 131072 blocks
0 blocks (0.00%) reserved for the super user
First data block=1
16 block groups
8192 blocks per group, 8192 fragments per group
2048 inodes per group
Superblock backups stored on blocks:
        8193, 24577, 40961, 57345, 73729

Writing inode tables: done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 26 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
*** Mounting RAM disk device: "/dev/ram4" at mount point: "/mnt/ram4"...
/bin/mount -t ext2 /dev/ram4 /mnt/ram4
*** Show all current mounts...
/bin/df -k
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/ram                 63461     31218     32243  50% /
none                    256892         0    256892   0% /dev/shm
/dev/cdrom              493888    493888         0 100% /mnt/cdrom
/dev/ram4               126931        13    126918   1% /mnt/ram4
*** Successfully created a 131072KB RAM Disk: "/dev/ram4" at mount point: "/mnt/ram4"...
*** Using remote Snort rules definitions...
*** Fetching the latest Snort rule definitions from: "http://www.snort.org/dl/rules/snortrules-snapshot-CURRENT.tar.gz"
/usr/local/bin/wget http://www.snort.org/dl/rules/snortrules-snapshot-CURRENT.tar.gz
--01:39:13--  http://www.snort.org/dl/rules/snortrules-snapshot-CURRENT.tar.gz
           => `snortrules-snapshot-CURRENT.tar.gz'
Resolving www.snort.org... done.
Connecting to www.snort.org[199.107.65.177]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 166,475 [application/x-gzip]

100%[==================================================================>] 166,475      312.21K/s    ETA 00:00

01:39:15 (312.21 KB/s) - `snortrules-snapshot-CURRENT.tar.gz' saved [166,475/166,475]

rules/
rules/classification.config
rules/generators
rules/gen-msg.map
rules/reference.config
rules/sid
rules/sid-msg.map
rules/snort.conf
rules/threshold.conf
rules/unicode.map
rules/attack-responses.rules
rules/backdoor.rules
rules/bad-traffic.rules
rules/cgi-bin.list
rules/chat.rules
rules/ddos.rules
rules/deleted.rules
rules/dns.rules
rules/dos.rules
rules/experimental.rules
rules/exploit.rules
rules/finger.rules
rules/ftp.rules
rules/icmp-info.rules
rules/icmp.rules
rules/imap.rules
rules/info.rules
rules/local.rules
rules/misc.rules
rules/multimedia.rules
rules/mysql.rules
rules/netbios.rules
rules/nntp.rules
rules/oracle.rules
rules/other-ids.rules
rules/p2p.rules
rules/policy.rules
rules/pop2.rules
rules/pop3.rules
rules/porn.rules
rules/rpc.rules
rules/rservices.rules
rules/scan.rules
rules/shellcode.rules
rules/smtp.rules
rules/snmp.rules
rules/sql.rules
rules/telnet.rules
rules/tftp.rules
rules/virus.rules
rules/web-attacks.rules
rules/web-cgi.rules
rules/web-client.rules
rules/web-coldfusion.rules
rules/web-frontpage.rules
rules/web-iis.rules
rules/web-misc.rules
rules/web-php.rules
rules/x11.rules
*** Setup the MySQL Server...
/root/bin/setup_mysql -rd /dev/ram4 -rds 128 -rmp /mnt/ram4 -v
*** Creating a 128MByte RAM disk at mount point: "/mnt/ram4"...
/root/bin/create_ramdisk -s 128 -d /dev/ram4 -m /mnt/ram4 -v
*** Mount point: "/mnt/ram4" is already in use, script: "create_ramdisk" is exiting normally...
*** (mount): /dev/ram4 on /mnt/ram4 type ext2 (rw)
*** (df -k):
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/ram                 63461     31477     31984  50% /
none                    256892         0    256892   0% /dev/shm
/dev/cdrom              493888    493888         0 100% /mnt/cdrom
/dev/ram4               126931      1335    125596   2% /mnt/ram4
*** Creating a new MySQL database file structure at: "/mnt/ram4/var/lib/mysql"...
*** Starting up the MySQL database server...
Initializing MySQL database:                               [  OK  ]
Starting MySQL:                                            [  OK  ]
*** Assigning a password for database user: "root"...
*** Successfully started up a MySQL database server...
*** List MySQL Database Directory...
/mnt/ram4/var/lib:
total 3
drwxr-xr-x    3 root     root         1024 Dec  1 01:39 .
drwxr-xr-x    3 root     root         1024 Dec  1 01:39 ..
drwxr-xr-x    4 mysql    mysql        1024 Dec  1 01:39 mysql

/mnt/ram4/var/lib/mysql:
total 4
drwxr-xr-x    4 mysql    mysql        1024 Dec  1 01:39 .
drwxr-xr-x    3 root     root         1024 Dec  1 01:39 ..
drwx------    2 mysql    mysql        1024 Dec  1 01:39 mysql
srwxrwxrwx    1 mysql    mysql           0 Dec  1 01:39 mysql.sock
drwx------    2 mysql    mysql        1024 Dec  1 01:39 test

/mnt/ram4/var/lib/mysql/mysql:
total 67
drwx------    2 mysql    mysql        1024 Dec  1 01:39 .
drwxr-xr-x    4 mysql    mysql        1024 Dec  1 01:39 ..
-rw-rw----    1 mysql    mysql        8778 Dec  1 01:39 columns_priv.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 01:39 columns_priv.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 01:39 columns_priv.MYI
-rw-rw----    1 mysql    mysql        8982 Dec  1 01:39 db.frm
-rw-rw----    1 mysql    mysql         302 Dec  1 01:39 db.MYD
-rw-rw----    1 mysql    mysql        3072 Dec  1 01:39 db.MYI
-rw-rw----    1 mysql    mysql        8641 Dec  1 01:39 func.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 01:39 func.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 01:39 func.MYI
-rw-rw----    1 mysql    mysql        8958 Dec  1 01:39 host.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 01:39 host.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 01:39 host.MYI
-rw-rw----    1 mysql    mysql        8877 Dec  1 01:39 tables_priv.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 01:39 tables_priv.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 01:39 tables_priv.MYI
-rw-rw----    1 mysql    mysql        9148 Dec  1 01:39 user.frm
-rw-rw----    1 mysql    mysql         428 Dec  1 01:39 user.MYD
-rw-rw----    1 mysql    mysql        2048 Dec  1 01:39 user.MYI

/mnt/ram4/var/lib/mysql/test:
total 2
drwx------    2 mysql    mysql        1024 Dec  1 01:39 .
drwxr-xr-x    4 mysql    mysql        1024 Dec  1 01:39 ..
*** List MySQL Processes...
root      2826  2825  1 01:39 ttyp0    00:00:00 /bin/bash /root/bin/setup_mysql -rd /dev/ram4 -rds 128 -rmp /mnt/ram4 -v
root      2908     1  0 01:39 ttyp0    00:00:00 /bin/sh /usr/bin/safe_mysqld --defaults-file=/etc/my.cnf
mysql     2930  2908  0 01:39 ttyp0    00:00:00 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/mnt/ram4/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking
*** Try to initialize the Snort MySQL databases...
--------------
/usr/local/bin/mysql  Ver 11.18 Distrib 3.23.58, for redhat-linux-gnu (i386)

Connection id:          5
Current database:       snort
Current user:           root@localhost
Current pager:          stdout
Using outfile:          ''
Server version:         3.23.58
Protocol version:       10
Connection:             Localhost via UNIX socket
Client characterset:    latin1
Server characterset:    latin1
UNIX socket:            /var/lib/mysql/mysql.sock
Uptime:                 4 sec

Threads: 1  Questions: 7  Slow queries: 0  Opens: 7  Flush tables: 1  Open tables: 1  Queries per second avg: 1.750
--------------

--------------
/usr/local/bin/mysql  Ver 11.18 Distrib 3.23.58, for redhat-linux-gnu (i386)

Connection id:          5
Current database:       snort_archive
Current user:           root@localhost
Current pager:          stdout
Using outfile:          ''
Server version:         3.23.58
Protocol version:       10
Connection:             Localhost via UNIX socket
Client characterset:    latin1
Server characterset:    latin1
UNIX socket:            /var/lib/mysql/mysql.sock
Uptime:                 4 sec

Threads: 1  Questions: 13  Slow queries: 0  Opens: 8  Flush tables: 1  Open tables: 2  Queries per second avg: 3.250
--------------

*** Initialize the base Snort MySQL database tables...
/usr/local/bin/mysql -u snort -p****** snort < /usr/local/snort/contrib/create_mysql
*** Initialize the Snort archive database tables...
/usr/local/bin/mysql -u snort -p****** snort_archive < /usr/local/snort/contrib/create_mysql
*** Test for proper MySQL database setup for Snort...
List Snort database status and table entries...
-and-
List Snort Archive database status and table entries...
--------------
/usr/local/bin/mysql  Ver 11.18 Distrib 3.23.58, for redhat-linux-gnu (i386)

Connection id:          9
Current database:       snort
Current user:           snort@localhost
Current pager:          stdout
Using outfile:          ''
Server version:         3.23.58
Protocol version:       10
Connection:             Localhost via UNIX socket
Client characterset:    latin1
Server characterset:    latin1
UNIX socket:            /var/lib/mysql/mysql.sock
Uptime:                 17 sec

Threads: 1  Questions: 131657  Slow queries: 0  Opens: 52  Flush tables: 1  Open tables: 11  Queries per second avg: 7744.529
--------------

--------------
/usr/local/bin/mysql  Ver 11.18 Distrib 3.23.58, for redhat-linux-gnu (i386)

Connection id:          9
Current database:       snort_archive
Current user:           snort@localhost
Current pager:          stdout
Using outfile:          ''
Server version:         3.23.58
Protocol version:       10
Connection:             Localhost via UNIX socket
Client characterset:    latin1
Server characterset:    latin1
UNIX socket:            /var/lib/mysql/mysql.sock
Uptime:                 17 sec

Threads: 1  Questions: 131660  Slow queries: 0  Opens: 52  Flush tables: 1  Open tables: 11  Queries per second avg: 7744.706
--------------

Tables_in_snort_archive
data
detail
encoding
event
icmphdr
iphdr
opt
reference
reference_system
schema
sensor
sig_class
sig_reference
signature
tcphdr
udphdr
*** Create BASE config file: "/etc/base_conf.php"...
*** Create BASE MySQL database tables...
/usr/local/bin/mysql -u snort -p****** snort < /usr/local/var/www/base/sql/create_base_tbls_mysql.sql
*** Snort config files: "/etc/snort_eth2"...
total 262
drwxr-xr-x    2 root     root         1024 Dec  1 01:39 .
drwxr-xr-x   45 root     root         3072 Dec  1 01:39 ..
-rw-r--r--    1 root     root         3521 Dec  1 13:15 classification.config
-rw-r--r--    1 root     root         1622 Dec  1 13:15 generators
-rw-r--r--    1 root     root         6799 Dec  1 13:15 gen-msg.map
-rw-r--r--    1 root     root          608 Dec  1 13:15 reference.config
-rw-rw-r--    1 root     root           59 Dec  1 13:15 sid
-rw-rw-r--    1 root     root       167674 Dec  1 13:15 sid-msg.map
-rw-rw-r--    1 root     root        22834 Dec  1 01:39 snort.conf
-rw-r--r--    1 root     root        53841 Dec  1 13:15 unicode.map
*** Setup Snort complete...

... A SNORT CONFIGURATION INSTANCE FOR INTERFACE: eth2 ...
**************************************************************
**************************************************************
***                   Snort Version: 2.3.0
***             Snort MySQL Version: 2.3.0
***                    BASE Version: 1.0.1
***                   ADODB Version: 4.52
***                 JPGraph Version: 1.16
***         Snort Runtime Directory: /mnt/ram4/snort
***        Snort Configuration File: /etc/snort_eth2/snort.conf
***           Snort Rules Directory: /mnt/ram4/snort/rules
*** Snort Configuration Rules Version: Snort current Ruleset
***          MySQL Database Hostname: localhost
***              MySQL Database Port: 3306
***              Snort IDS Interface: eth2
***            Snort IDS Sensor Name: FW-Dirty
***   Snort Alert Event Logging Mode: full
**************************************************************
**************************************************************
--- To run this snort instance on network interface: eth2 ---
# Startup using: "snort":
#   ifconfig eth2 up
#   /usr/local/bin/snort -c /etc/snort_eth2/snort.conf &
# Startup using: "/etc/init.d/snortd":
#   export SNORTINTERFACES="eth2"; /etc/init.d/snortd start
Each step in the setup process for the NST snort implementation is described in the captured output above. One can see the following:

- Creation of a 128MB RAM disk for snort data files, the MySQL database directory structure, and ACID related data files.
- Remote rule set download from "http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz".
- Creation of a MySQL database instance for logging snort security incident alerts, events, extra tables, and the archiving database.
- Basic Analysis and Security Engine (BASE) setup.
- A summary section with commands to execute for running the configured snort setup.
- Active Data Objects Data Base (ADODB).
- Object-Oriented (OO) graphics class library (JPGRAPH).
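Before running setup_snort as shown above, the preconditions the help text leaves to the operator can be checked in a small POSIX shell script. This is an added example, not part of NST or of the setup_snort script: it verifies that the sensor interface has no IPv4 address bound (stealth mode), that the "-rds" size fits in the memory "free" reports, and that the sensor name contains no spaces. The 64MB headroom figure and the classic "Link encap" ifconfig layout are assumptions taken from this page's era.

```shell
#!/bin/sh
# Pre-flight checks before running setup_snort (added example; not part of NST
# or of the setup_snort script). Each check takes the command output as an
# argument so it can be exercised against a captured sample as well as live.

# iface_is_stealth IFACE IFCONFIG_OUTPUT
# Succeeds when IFACE has a stanza in classic "ifconfig -a" output (the
# "Link encap" layout shown on this page; an assumption) and that stanza has
# no "inet addr:" line. An IPv6 link-local "inet6 addr:" does not count.
# Returns 2 when the interface does not appear at all.
iface_is_stealth() {
    stanza=$(printf '%s\n' "$2" | awk -v want="$1" '
        /^[A-Za-z0-9]+ +Link encap/ { cur = $1 }   # header line names the interface
        cur == want { print }')
    [ -n "$stanza" ] || return 2
    ! printf '%s\n' "$stanza" | grep -q 'inet addr:'
}

# ramdisk_fits SIZE_MB FREE_OUTPUT [HEADROOM_MB]
# Succeeds when SIZE_MB plus HEADROOM_MB (default 64, an assumed allowance for
# snort, mysqld and apache) is no larger than the "free" column of the "Mem:"
# line of "free -m". A RAM disk cannot be paged out, so only genuinely free
# memory is counted; cached pages are deliberately ignored.
ramdisk_fits() {
    headroom_mb=${3:-64}
    free_mb=$(printf '%s\n' "$2" | awk '/^Mem:/ { print $4; exit }')
    [ -n "$free_mb" ] || return 2
    [ "$(( $1 + headroom_mb ))" -le "$free_mb" ]
}

# sanitize_sensor_name NAME
# The help text forbids spaces in "-s <sensor name>" ("Sensor 1" => "Sensor_1");
# every run of whitespace becomes a single underscore.
sanitize_sensor_name() {
    printf '%s' "$1" | tr -s '[:space:]' '_'
}

# setup_snort_cmd IFACE SENSOR SIZE_MB
# Prints the standalone invocation used on this page (remote rules, full alert
# detail, verbose) for the given interface, sensor name and RAM disk size.
setup_snort_cmd() {
    printf '/usr/local/snort/setup_snort -r remote -i %s -s "%s" -a full -rds %s -v\n' \
        "$1" "$(sanitize_sensor_name "$2")" "$3"
}

# preflight IFACE SENSOR SIZE_MB IFCONFIG_OUTPUT FREE_OUTPUT
# Runs both checks and prints the setup_snort command line only if they pass.
preflight() {
    if ! iface_is_stealth "$1" "$4"; then
        echo "refusing: $1 is missing or has an IPv4 address bound (not stealth)" >&2
        return 1
    fi
    if ! ramdisk_fits "$3" "$5"; then
        echo "refusing: a ${3}MB RAM disk does not fit in free memory; lower -rds" >&2
        return 1
    fi
    setup_snort_cmd "$1" "$2" "$3"
}

# Constructed sample, trimmed from the ifconfig output shown above: eth0 has
# an IPv4 address, eth2 only an IPv6 link-local one.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:50:FC:9C:D0:A7
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::250:fcff:fe9c:d0a7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth2      Link encap:Ethernet  HWaddr 00:04:75:A1:EF:AB
          inet6 addr: fe80::204:75ff:fea1:efab/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Constructed "free -m" sample in the classic procps layout: 314 MB free.
SAMPLE_FREE='             total       used       free     shared    buffers     cached
Mem:           503        189        314          0         21         98
-/+ buffers/cache:         70        433
Swap:            0          0          0'

# Stand-alone demonstration on the samples; pass "--live IFACE SENSOR SIZE_MB"
# to use the probe's real "ifconfig -a" and "free -m" output instead.
if [ "${1:-}" = "--live" ]; then
    preflight "${2:-eth2}" "${3:-FW-Dirty}" "${4:-128}" "$(ifconfig -a)" "$(free -m)"
else
    preflight eth2 "FW-Dirty" 128 "$SAMPLE_IFCONFIG" "$SAMPLE_FREE"
    preflight eth0 "FW-Dirty" 128 "$SAMPLE_IFCONFIG" "$SAMPLE_FREE" || :
    preflight eth2 "FW-Dirty" 512 "$SAMPLE_IFCONFIG" "$SAMPLE_FREE" || :
fi
```

On the samples the first call prints the exact command line used in this section, while the eth0 and 512MB calls are refused.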
The next captured output shows the results of starting up a snort instance on network interface "eth2". One should edit the snort configuration file /etc/snort_eth2/snort.conf for this interface prior to starting up a snort instance if there are any changes to be made from the snort default values. The commands to start up a snort instance on network interface "eth2" are shown below:
[root@probe snort]# ifconfig eth2 up
[root@probe snort]# /usr/local/snort/snort -c /etc/snort_eth2/snort.conf &
[1] 3033
[root@probe snort]# Running in IDS mode
Log directory = /var/log/snort
Initializing Network Interface eth0

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort_eth2/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Found logdir config directive (/mnt/ram4/snort/logs)
Initializing Network Interface eth2
OpenPcap() device eth2 network lookup:
        eth2: no IPv4 address assigned
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort_eth2/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: YES
      IIS Delimiter: YES alert: YES
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = localhost
database:          port = 3306
database:   sensor name = FW-Dirty
database:  detail level = full
database:     sensor id = 1
database: schema version = 106
database: using the "alert" facility
2180 Snort rules read...
2180 Option Chains linked into 176 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Warning: flowbits key 'realplayer.playlist' is checked but not ever set.

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1      sig-id=2923       type=Threshold tracking=src count=10  seconds=60
| gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5   seconds=60
| gen-id=1      sig-id=2523       type=Both      tracking=dst count=10  seconds=10
| gen-id=1      sig-id=2924       type=Threshold tracking=src count=10  seconds=60
| gen-id=1      sig-id=2494       type=Both      tracking=dst count=20  seconds=60
| gen-id=1      sig-id=2495       type=Both      tracking=dst count=20  seconds=60
| gen-id=1      sig-id=2496       type=Both      tracking=dst count=20  seconds=60
+-----------------------[suppression]------------------------------------------
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.3.0 (Build 10)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2004 Sourcefire Inc., et al.
At this point snort is up and running on stealth network interface "eth2". Proceed to the section called “Examining Snort Results” and use BASE to monitor any network intrusion traffic activity.
There is an alternate way to start up one or more snort instances. NST comes with a start/stop script, /etc/init.d/snortd, that can start up one or more instances of snort. The environment variable "SNORTINTERFACES" controls which snort instances are started by naming the network interface of each configured snort instance. Network interface names assigned to this variable are space delimited. The example below starts up two previously configured snort instances associated with network interfaces "eth0" and "eth1". If the environment variable "SNORTINTERFACES" is not set, all configured snort instances that are not already running will be started.
[root@probe snort]# export SNORTINTERFACES="eth0 eth1"; /etc/init.d/snortd start
Starting The "Intrusion Detection System" (IDS) Snort:     [  OK  ]
  Configuration instance: /etc/snort_eth0:                 [  OK  ]
  Configuration instance: /etc/snort_eth1:                 [  OK  ]
At any time, one can view the state of all snort instances configured on the NST probe system with the setup_snort script's "-l" command line option.
[root@probe snort]# /usr/local/snort/setup_snort -l

*** Snort Configuration Directories: ***
===== ============= ============
eth0: /etc/snort_eth0
eth1: /etc/snort_eth1

*** Snort Database Connectivity Information: ***
===== ======== ============ ============
eth0: host=localhost port=3306 sensor_name=Intranet detail=full
eth1: host=localhost port=3306 sensor_name=Internet detail=full

*** Snort Runtime Directories: ***
===== ======= ============
eth0: /mnt/ram4/snort
eth1: /mnt/ram4/snort

*** Running Snort Processes: ***
======= ===== ==========
root      2360     1  0 18:30 ?        00:00:02 /usr/local/snort/snort -c /etc/snort_eth0/snort.conf -D
root      2371     1  0 18:30 ?        00:00:14 /usr/local/snort/snort -c /etc/snort_eth1/snort.conf -D

*** ifconfig For Configured Snort Instances: ***
======== === ========== ===== ==========
eth0      Link encap:Ethernet  HWaddr 00:50:FC:9C:D0:A7
          inet addr:10.222.18.103  Bcast:10.222.18.255  Mask:255.255.255.0
          inet6 addr: fe80::250:fcff:fe9c:d0a7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:35766 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16538 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6439984 (6.1 Mb)  TX bytes:6772800 (6.4 Mb)
          Interrupt:10 Base address:0xd400

eth1      Link encap:Ethernet  HWaddr 00:30:BD:1E:98:1E
          inet6 addr: fe80::230:bdff:fe1e:981e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:330306 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:23268146 (22.1 Mb)  TX bytes:378 (378.0 b)
          Interrupt:3 Base address:0xd800

*** MySQL Running Process Information: ***
===== ======= ======= ============
root      2114     1  0 18:17 pts/0    00:00:00 /bin/sh /usr/bin/safe_mysqld --defaults-file=/etc/my.cnf
mysql     2137  2114  0 18:17 pts/0    00:00:00 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/mnt/ram4/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking
The output above lists the status of all configured snort instances on the NST probe system.
At any time, one can kill one or more running instances of snort with the setup_snort script's "-k" command line option. The configuration and runtime directories can also be erased with the "-e" option. A particular snort instance can be selected with the "-i <interface>" option.
[root@probe snort]# /usr/local/snort/setup_snort -k -e -v

Current Running Snort Processes:
======= ======= ===== ==========
root      2360     1  0 18:30 ?        00:00:02 /usr/local/snort/snort -c /etc/snort_eth0/snort.conf -D
root      2371     1  0 18:30 ?        00:00:18 /usr/local/snort/snort -c /etc/snort_eth1/snort.conf -D
/usr/bin/killall -v snort
Killed snort(2360) with signal 15
Killed snort(2371) with signal 15
*** All snort instances killed...

List Of Snort Runtime Directories To Erase:
==== == ===== ======= =========== == ======
Erasing directory: "/mnt/ram4/snort"

List Of Snort Configuration Directories To Erase:
==== == ===== ============= =========== == ======
Erasing directory: "/etc/snort_eth0"
Erasing directory: "/etc/snort_eth1"
The output above shows the result of killing all running snort instances on the NST probe system and erasing the configuration and runtime directories of every configured instance. The output is displayed in verbose mode ("-v").
The snort configuration file can be modified and new snort rules added to update a configured snort instance. Once all updates have been completed, the running snort instance must be sent a "SIGHUP" signal, which causes the snort process to reload its configuration file. The setup_snort "-sig reload" option sends the proper "reload" signal sequence to a running snort process. A particular snort instance can be selected with the "-i <interface>" option.
[root@probe snort]# /usr/local/snort/setup_snort -sig reload -i eth1 -v
*** Try to reload snort instance associated with network interface: "eth1"...
/bin/kill -s HUP 2710
*** Snort instance on network interface: "eth1", process: "2710" reloaded...
The output above demonstrates how to selectively choose the snort instance associated with network interface "eth1" for a configuration file "reload". If the snort process was running as a daemon ("-D"), then all "reload" output resulting from the "SIGHUP" signal can be found in the syslog file /var/log/messages.
The statistical information collected so far by a particular snort instance can be dumped by sending a "SIGUSR1" signal to the snort process. The setup_snort "-sig dump" option is used to "dump" the stats. If the snort process was running as a daemon ("-D"), then the dumped stats will be found in the syslog file /var/log/messages.
[root@probe snort]# /usr/local/snort/setup_snort -sig dump -i eth1 -v
*** Try to dump statistics for snort instance associated with network interface: "eth1"...
/bin/kill -s USR1 2710
*** Snort instance on network interface: "eth1", process: "2710" dumped statistics...
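The interface-to-process lookup and signal choice that "-sig reload" and "-sig dump" perform above, written out as an added shell example (this is not NST's setup_snort code): it reads a ps listing, accepts only a single snort process whose command line carries /etc/snort_<interface>/snort.conf, and maps the action to HUP or USR1. The ps lines are constructed from the "-l" output shown earlier.

```shell
#!/bin/sh
# Added example, not NST's setup_snort itself: resolve the snort process bound
# to a network interface and map the "reload"/"dump" actions to the signals
# the text describes (SIGHUP reloads the configuration, SIGUSR1 dumps stats).

# Constructed "ps -ef" style listing, modelled on the setup_snort -l output.
SAMPLE_PS='root      2360     1  0 18:30 ?        00:00:02 /usr/local/snort/snort -c /etc/snort_eth0/snort.conf -D
root      2371     1  0 18:30 ?        00:00:14 /usr/local/snort/snort -c /etc/snort_eth1/snort.conf -D
mysql     2137  2114  0 18:17 pts/0    00:00:00 /usr/libexec/mysqld --defaults-file=/etc/my.cnf'

# snort_pid_for_iface IFACE - read a ps -ef listing on stdin and print the PID
# of the snort instance whose config is /etc/snort_IFACE/snort.conf.  Prints
# nothing and returns 1 unless exactly one such process exists, so a caller
# never signals the wrong process (or several) by accident.
snort_pid_for_iface() {
    awk -v cfg="/etc/snort_$1/snort.conf" '
    {
        # Look for "<...>/snort -c <cfg>" anywhere in the command columns.
        for (i = 2; i < NF; i++)
            if ($(i-1) ~ /snort$/ && $i == "-c" && $(i+1) == cfg) {
                pids = pids " " $2; n++; break
            }
    }
    END {
        if (n == 1) { sub(/^ /, "", pids); print pids; exit 0 }
        exit 1
    }'
}

# snort_signal_name ACTION - the signal sent for each "-sig" action.
snort_signal_name() {
    case "$1" in
        reload) echo HUP ;;
        dump)   echo USR1 ;;
        *)      echo "unknown action: $1" >&2; return 1 ;;
    esac
}

# snort_sig ACTION IFACE - driver: look the PID up from the live process
# table and deliver the signal, echoing the kill command as "-v" mode does.
snort_sig() {
    sig=$(snort_signal_name "$1") || return 1
    pid=$(ps -ef | snort_pid_for_iface "$2") || {
        echo "no unique snort instance for interface $2" >&2
        return 1
    }
    echo "/bin/kill -s $sig $pid"
    /bin/kill -s "$sig" "$pid"
}
```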
Below is a section of text taken from the syslog file /var/log/messages showing the results of a stat dump for the snort instance associated with network interface "eth1".
Dec 18 08:40:13 localhost snort: ###SNORT DUMP### was sent to snort process: "2710", interface: "eth1"...
Dec 18 08:40:13 localhost snort: Snort received 857983 packets
Dec 18 08:40:13 localhost snort:     Analyzed: 857983(100.000%)
Dec 18 08:40:13 localhost snort:     Dropped: 0(0.000%)
Dec 18 08:40:13 localhost snort: ===============================================================================
Dec 18 08:40:13 localhost snort: Breakdown by protocol:
Dec 18 08:40:13 localhost snort:     TCP: 6507       (0.758%)
Dec 18 08:40:13 localhost snort:     UDP: 989        (0.115%)
Dec 18 08:40:13 localhost snort:    ICMP: 11         (0.001%)
Dec 18 08:40:13 localhost snort:     ARP: 843806     (98.348%)
Dec 18 08:40:13 localhost snort:   EAPOL: 0          (0.000%)
Dec 18 08:40:13 localhost snort:    IPv6: 0          (0.000%)
Dec 18 08:40:13 localhost snort:     IPX: 0          (0.000%)
Dec 18 08:40:13 localhost snort:   OTHER: 6666       (0.777%)
Dec 18 08:40:13 localhost snort: DISCARD: 0          (0.000%)
Dec 18 08:40:13 localhost snort: ===============================================================================
Dec 18 08:40:13 localhost snort: Action Stats:
Dec 18 08:40:13 localhost snort: ALERTS: 14
Dec 18 08:40:13 localhost snort: LOGGED: 14
Dec 18 08:40:13 localhost snort: PASSED: 0
Dec 18 08:40:13 localhost snort: ===============================================================================
Dec 18 08:40:13 localhost snort: Fragmentation Stats:
Dec 18 08:40:13 localhost snort: Fragmented IP Packets: 8          (0.001%)
Dec 18 08:40:13 localhost snort:     Fragment Trackers: 4
Dec 18 08:40:13 localhost snort:    Rebuilt IP Packets: 4
Dec 18 08:40:13 localhost snort:    Frag elements used: 8
Dec 18 08:40:13 localhost snort: Discarded(incomplete): 0
Dec 18 08:40:13 localhost snort:    Discarded(timeout): 3
Dec 18 08:40:13 localhost snort:   Frag2 memory faults: 0
Dec 18 08:40:13 localhost snort: ===============================================================================
Dec 18 08:40:13 localhost snort: TCP Stream Reassembly Stats:
Dec 18 08:40:13 localhost snort:         TCP Packets Used: 6507       (0.758%)
Dec 18 08:40:13 localhost snort:          Stream Trackers: 684
Dec 18 08:40:13 localhost snort:           Stream flushes: 148
Dec 18 08:40:13 localhost snort:            Segments used: 427
Dec 18 08:40:13 localhost snort:    Stream4 Memory Faults: 0
Dec 18 08:40:13 localhost snort: ===============================================================================
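The counter a sensor operator should watch in such a dump is "Dropped": packets libpcap could not hand to snort were never inspected, so a rising drop rate means blind spots rather than a quiet network. The following shell functions, an added example rather than NST code, extract counters from the syslog form of the dump and check the drop rate; the first sample is built from the lines above, and the second, overloaded dump is invented.

```shell
#!/bin/sh
# Added example (not NST's own code): pull counters out of a SIGUSR1 statistics
# dump as syslog records it, and check the figure that matters most on a
# sensor: dropped packets, i.e. traffic the IDS never inspected.

# Constructed sample, copied from the dump format shown above.
SAMPLE_DUMP='Dec 18 08:40:13 localhost snort: Snort received 857983 packets
Dec 18 08:40:13 localhost snort:     Analyzed: 857983(100.000%)
Dec 18 08:40:13 localhost snort:     Dropped: 0(0.000%)
Dec 18 08:40:13 localhost snort: Breakdown by protocol:
Dec 18 08:40:13 localhost snort:     TCP: 6507       (0.758%)
Dec 18 08:40:13 localhost snort:     UDP: 989        (0.115%)
Dec 18 08:40:13 localhost snort:     ARP: 843806     (98.348%)
Dec 18 08:40:13 localhost snort: Action Stats:
Dec 18 08:40:13 localhost snort: ALERTS: 14
Dec 18 08:40:13 localhost snort: LOGGED: 14
Dec 18 08:40:13 localhost snort: TCP Stream Reassembly Stats:
Dec 18 08:40:13 localhost snort:         TCP Packets Used: 6507       (0.758%)'

# Second constructed dump from an overloaded sensor (values invented).
SAMPLE_OVERLOADED='Dec 18 09:10:01 localhost snort: Snort received 1000 packets
Dec 18 09:10:01 localhost snort:     Analyzed: 750(75.000%)
Dec 18 09:10:01 localhost snort:     Dropped: 250(25.000%)'

# snort_stat FIELD - print the integer counter for FIELD from a dump on stdin.
# FIELD is "received" or the label before the colon ("Dropped", "ARP", "ALERTS").
snort_stat() {
    awk -v f="$1" '
    {
        i = index($0, "snort: "); if (i == 0) next
        line = substr($0, i + 7); sub(/^[ \t]+/, "", line)
        if (f == "received") {
            if (line ~ /^Snort received [0-9]+ packets/) {
                split(line, a, " "); print a[3]; exit
            }
            next
        }
        # Only an exact "FIELD:" prefix counts, so "TCP" matches the protocol
        # breakdown line but not "TCP Packets Used:" or "TCP Stream ...".
        if (index(line, f ":") == 1) {
            rest = substr(line, length(f) + 2); sub(/^[ \t]+/, "", rest)
            if (match(rest, /^[0-9]+/)) { print substr(rest, RSTART, RLENGTH); exit }
        }
    }'
}

# snort_drop_pct - percentage of received packets reported as dropped, computed
# from the raw counters rather than trusting the percentage snort printed.
snort_drop_pct() {
    dump=$(cat)
    recv=$(printf '%s\n' "$dump" | snort_stat received)
    drop=$(printf '%s\n' "$dump" | snort_stat Dropped)
    awk -v r="${recv:-0}" -v d="${drop:-0}" 'BEGIN {
        if (r + 0 == 0) { print "0.000"; exit }
        printf "%.3f\n", 100 * d / r
    }'
}

# snort_drop_check [THRESHOLD] - return 0 when the drop rate is at or below
# THRESHOLD percent (default 1), otherwise warn on stderr and return 1.
snort_drop_check() {
    pct=$(snort_drop_pct)
    if awk -v p="$pct" -v t="${1:-1}" 'BEGIN { exit !(p + 0 <= t + 0) }'; then
        return 0
    fi
    echo "WARNING: snort dropped ${pct}% of received packets (threshold ${1:-1}%)" >&2
    return 1
}
```

Run against a live system with something like `grep 'snort:' /var/log/messages | tail -n 40 | snort_drop_check 1` after a "-sig dump".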
In this example we will set up and configure a backend MySQL database that is snort ready. A federation of remote IDS snort probes strategically placed throughout an enterprise network computing environment, as shown in Figure 6.5, “Network Enterprise Diagram”, can then forward any detected security incidents to this database engine. Typically an IDS snort probe is positioned at the ingress/egress point of a particular security zone. The setup_snort script will be run with the "collector" mode option to initialize the backend MySQL database.
The backend MySQL database will run on NST "Probe7": 10.222.222.107:3306. This NST system has a locally attached disk drive formatted with a Linux Ext3 file system. The runtime MySQL database file structure will be located on this disk at mount point "/mnt/ext3/mysql". The "collector" configuration is shown below with the options passed to the setup_snort script. In this case no prior MySQL setup had occurred; this is the initial setup.
[root@probe snort]# /usr/local/snort/setup_snort -c -rdir /mnt/ext3/mysql -v
*** Setup the MySQL Server...
/root/bin/setup_mysql -rdir /mnt/ext3/mysql -v
*** Creating a new MySQL database file structure at: "/mnt/ext3/mysql/var/lib/mysql"...
*** Starting up the MySQL database server...
Initializing MySQL database:                               [  OK  ]
Starting MySQL:                                            [  OK  ]
*** Assigning a password for database user: "root"...
*** Successfully started up a MySQL database server...
*** List MySQL Database Directory...
/mnt/ext3/mysql/var/lib:
total 12
drwxr-xr-x    3 root     root         4096 Dec  1 21:24 .
drwxr-xr-x    3 root     root         4096 Dec  1 21:24 ..
drwxr-xr-x    4 mysql    mysql        4096 Dec  1 21:24 mysql

/mnt/ext3/mysql/var/lib/mysql:
total 16
drwxr-xr-x    4 mysql    mysql        4096 Dec  1 21:24 .
drwxr-xr-x    3 root     root         4096 Dec  1 21:24 ..
drwx------    2 mysql    mysql        4096 Dec  1 21:24 mysql
srwxrwxrwx    1 mysql    mysql           0 Dec  1 21:24 mysql.sock
drwx------    2 mysql    mysql        4096 Dec  1 21:24 test

/mnt/ext3/mysql/var/lib/mysql/mysql:
total 112
drwx------    2 mysql    mysql        4096 Dec  1 21:24 .
drwxr-xr-x    4 mysql    mysql        4096 Dec  1 21:24 ..
-rw-rw----    1 mysql    mysql        8778 Dec  1 21:24 columns_priv.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 21:24 columns_priv.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 21:24 columns_priv.MYI
-rw-rw----    1 mysql    mysql        8982 Dec  1 21:24 db.frm
-rw-rw----    1 mysql    mysql         302 Dec  1 21:24 db.MYD
-rw-rw----    1 mysql    mysql        3072 Dec  1 21:24 db.MYI
-rw-rw----    1 mysql    mysql        8641 Dec  1 21:24 func.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 21:24 func.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 21:24 func.MYI
-rw-rw----    1 mysql    mysql        8958 Dec  1 21:24 host.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 21:24 host.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 21:24 host.MYI
-rw-rw----    1 mysql    mysql        8877 Dec  1 21:24 tables_priv.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 21:24 tables_priv.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 21:24 tables_priv.MYI
-rw-rw----    1 mysql    mysql        9148 Dec  1 21:24 user.frm
-rw-rw----    1 mysql    mysql         428 Dec  1 21:24 user.MYD
-rw-rw----    1 mysql    mysql        2048 Dec  1 21:24 user.MYI

/mnt/ext3/mysql/var/lib/mysql/test:
total 8
drwx------    2 mysql    mysql        4096 Dec  1 21:24 .
drwxr-xr-x    4 mysql    mysql        4096 Dec  1 21:24 ..
*** List MySQL Processes...
root      1330   697  1 21:24 ttyp0    00:00:00 /bin/bash ./setup_snort -c -rdir /mnt/ext3/mysql -v
root      1339  1338  2 21:24 ttyp0    00:00:00 /bin/bash /root/bin/setup_mysql -rdir /mnt/ext3/mysql -v
root      1402     1  1 21:24 ttyp0    00:00:00 /bin/sh /usr/bin/safe_mysqld --defaults-file=/etc/my.cnf
mysql     1428  1402  1 21:24 ttyp0    00:00:00 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/mnt/ext3/mysql/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking
*** Try to initialize the Snort MySQL databases...
--------------
/usr/local/bin/mysql  Ver 11.18 Distrib 3.23.58, for redhat-linux-gnu (i386)

Connection id:          5
Current database:       snort
Current user:           root@localhost
Current pager:          stdout
Using outfile:          ''
Server version:         3.23.58
Protocol version:       10
Connection:             Localhost via UNIX socket
Client characterset:    latin1
Server characterset:    latin1
UNIX socket:            /var/lib/mysql/mysql.sock
Uptime:                 5 sec

Threads: 1  Questions: 7  Slow queries: 0  Opens: 7  Flush tables: 1  Open tables: 1  Queries per second avg: 1.400
--------------

--------------
/usr/local/bin/mysql  Ver 11.18 Distrib 3.23.58, for redhat-linux-gnu (i386)

Connection id:          5
Current database:       snort_archive
Current user:           root@localhost
Current pager:          stdout
Using outfile:          ''
Server version:         3.23.58
Protocol version:       10
Connection:             Localhost via UNIX socket
Client characterset:    latin1
Server characterset:    latin1
UNIX socket:            /var/lib/mysql/mysql.sock
Uptime:                 5 sec

Threads: 1  Questions: 13  Slow queries: 0  Opens: 8  Flush tables: 1  Open tables: 2  Queries per second avg: 2.600
--------------

*** Initialize the base Snort MySQL database tables...
/usr/local/bin/mysql -u snort -p****** snort < /usr/local/snort/contrib/create_mysql
*** Create the extra Snort MySQL database tables and entries...
/bin/zcat /usr/local/snort/contrib/snortdb-extra.gz | /usr/local/bin/mysql -u snort -p****** snort
*** Initialize the Snort archive database tables...
/usr/local/bin/mysql -u snort -p****** snort_archive < /usr/local/snort/contrib/create_mysql
*** Test for proper MySQL database setup for Snort...
List Snort database status and service entries: (ports: between 20 and 30)...
--------------
/usr/local/bin/mysql  Ver 11.18 Distrib 3.23.58, for redhat-linux-gnu (i386)

Connection id:          9
Current database:       snort
Current user:           snort@localhost
Current pager:          stdout
Using outfile:          ''
Server version:         3.23.58
Protocol version:       10
Connection:             Localhost via UNIX socket
Client characterset:    latin1
Server characterset:    latin1
UNIX socket:            /var/lib/mysql/mysql.sock
Uptime:                 58 sec

Threads: 1  Questions: 131657  Slow queries: 0  Opens: 52  Flush tables: 1  Open tables: 11  Queries per second avg: 2269.948
--------------

port    protocol        name    description
21      6       ftp     File Transfer [Control]
21      17      ftp     File Transfer [Control]
22      6       -       Unassigned
22      17      -       Unassigned
23      6       telnet  Telnet
23      17      telnet  Telnet
24      6       -       Unassigned
24      17      -       Unassigned
25      6       smtp    Simple Mail Transfer
25      17      smtp    Simple Mail Transfer
26      6       -       Unassigned
26      17      -       Unassigned
27      6       nsw-fe  NSW User System FE
27      17      nsw-fe  NSW User System FE
28      6       -       Unassigned
28      17      -       Unassigned
29      6       msg-icp MSG ICP
29      17      msg-icp MSG ICP
--------------
/usr/local/bin/mysql  Ver 11.18 Distrib 3.23.58, for redhat-linux-gnu (i386)

Connection id:          9
Current database:       snort_archive
Current user:           snort@localhost
Current pager:          stdout
Using outfile:          ''
Server version:         3.23.58
Protocol version:       10
Connection:             Localhost via UNIX socket
Client characterset:    latin1
Server characterset:    latin1
UNIX socket:            /var/lib/mysql/mysql.sock
Uptime:                 58 sec

Threads: 1  Questions: 131660  Slow queries: 0  Opens: 52  Flush tables: 1  Open tables: 11  Queries per second avg: 2270.000
--------------

Tables_in_snort_archive
data
detail
encoding
event
icmphdr
iphdr
opt
reference
reference_system
schema
sensor
sig_class
sig_reference
signature
tcphdr
udphdr
*** Creating config file: "/etc/base_conf.php"...
****************************************************
****************************************************
*** A MySQL database is running on this probe at
*** IP:Port: 10.222.222.107:3306 for the collection
*** of remote Snort security incidents.
****************************************************
****************************************************
Another setup example is shown where a prior MySQL instance existed and was configured for snort. The -rdir DIR option is used to attach to the existing MySQL file structure at directory location /mnt/ext3/mysql.
[root@probe root]# fdisk -l

Disk /dev/hdc: 20.0 GB, 20060135424 bytes
255 heads, 63 sectors/track, 2438 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot    Start       End    Blocks   Id  System
/dev/hdc1             1      2438  19583203+  83  Linux
[root@probe root]# mount -t ext3 /dev/hdc1 /mnt/ext3
[root@probe root]# df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/ram                 63461     31143     32318  50% /
none                    127024         0    127024   0% /dev/shm
/dev/cdrom              492928    492928         0 100% /mnt/cdrom
/dev/hdc1             19275868     65160  18231548   1% /mnt/ext3
[root@probe root]# ls -al /mnt/ext3
total 29
drwxr-xr-x    5 root     root         4096 Dec  1 21:23 .
drwxr-xr-x   28 root     root         1024 Jun 25 23:05 ..
drwx------    2 root     root        16384 May 30 19:31 lost+found
drwxr-xr-x    3 root     root         4096 Dec  1 21:24 mysql
drwxr-xr-x    3 root     root         4096 Jun 19 09:34 var
[root@probe root]# cd /usr/local/snort
[root@probe snort]# ./setup_snort -c -rdir /mnt/ext3/mysql -v
*** Setup the MySQL Server...
/root/bin/setup_mysql -rdir /mnt/ext3/mysql -v
*** Using existing MySQL database file structure at: "/mnt/ext3/mysql/var/lib/mysql"...
*** Starting up the MySQL database server...
Starting MySQL:                                            [  OK  ]
*** A password for database user: "root" was already set...
*** Successfully started up a MySQL database server...
*** List MySQL Database Directory...
/mnt/ext3/mysql/var/lib:
total 12
drwxr-xr-x    3 root     root         4096 Dec  1 08:15 .
drwxr-xr-x    3 root     root         4096 Dec  1 08:15 ..
drwxr-xr-x    6 mysql    mysql        4096 Dec  1 08:27 mysql

/mnt/ext3/mysql/var/lib/mysql:
total 24
drwxr-xr-x    6 mysql    mysql        4096 Dec  1 08:27 .
drwxr-xr-x    3 root     root         4096 Dec  1 08:15 ..
drwx------    2 mysql    mysql        4096 Dec  1 08:15 mysql
srwxrwxrwx    1 mysql    mysql           0 Dec  1 08:27 mysql.sock
drwx------    2 mysql    mysql        4096 Dec  1 08:15 snort
drwx------    2 mysql    mysql        4096 Dec  1 08:17 snort_archive
drwx------    2 mysql    mysql        4096 Dec  1 08:15 test

/mnt/ext3/mysql/var/lib/mysql/mysql:
total 112
drwx------    2 mysql    mysql        4096 Dec  1 08:15 .
drwxr-xr-x    6 mysql    mysql        4096 Dec  1 08:27 ..
-rw-rw----    1 mysql    mysql        8778 Dec  1 08:15 columns_priv.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 08:15 columns_priv.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:15 columns_priv.MYI
-rw-rw----    1 mysql    mysql        8982 Dec  1 08:15 db.frm
-rw-rw----    1 mysql    mysql         906 Dec  1 08:15 db.MYD
-rw-rw----    1 mysql    mysql        3072 Dec  1 08:27 db.MYI
-rw-rw----    1 mysql    mysql        8641 Dec  1 08:15 func.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 08:15 func.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:15 func.MYI
-rw-rw----    1 mysql    mysql        8958 Dec  1 08:15 host.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 08:15 host.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:15 host.MYI
-rw-rw----    1 mysql    mysql        8877 Dec  1 08:15 tables_priv.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 08:15 tables_priv.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:15 tables_priv.MYI
-rw-rw----    1 mysql    mysql        9148 Dec  1 08:15 user.frm
-rw-rw----    1 mysql    mysql         642 Dec  1 08:15 user.MYD
-rw-rw----    1 mysql    mysql        2048 Dec  1 08:27 user.MYI

/mnt/ext3/mysql/var/lib/mysql/snort:
total 3960
drwx------    2 mysql    mysql        4096 Dec  1 08:15 .
drwxr-xr-x    6 mysql    mysql        4096 Dec  1 08:27 ..
-rw-rw----    1 mysql    mysql        8614 Dec  1 08:15 data.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 08:15 data.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:15 data.MYI
-rw-rw----    1 mysql    mysql        8606 Dec  1 08:15 detail.frm
-rw-rw----    1 mysql    mysql          40 Dec  1 08:15 detail.MYD
-rw-rw----    1 mysql    mysql        2048 Dec  1 08:27 detail.MYI
-rw-rw----    1 mysql    mysql        8614 Dec  1 08:15 encoding.frm
-rw-rw----    1 mysql    mysql          60 Dec  1 08:15 encoding.MYD
-rw-rw----    1 mysql    mysql        2048 Dec  1 08:27 encoding.MYI
-rw-rw----    1 mysql    mysql        8642 Dec  1 08:15 event.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 08:15 event.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:15 event.MYI
-rw-rw----    1 mysql    mysql        8802 Dec  1 08:15 flags.frm
-rw-rw----    1 mysql    mysql       17476 Dec  1 08:17 flags.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:27 flags.MYI
-rw-rw----    1 mysql    mysql        8738 Dec  1 08:15 icmphdr.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 08:15 icmphdr.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:15 icmphdr.MYI
-rw-rw----    1 mysql    mysql        8920 Dec  1 08:15 iphdr.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 08:15 iphdr.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:15 iphdr.MYI
-rw-rw----    1 mysql    mysql        8728 Dec  1 08:15 opt.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 08:15 opt.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:15 opt.MYI
-rw-rw----    1 mysql    mysql        8624 Dec  1 08:15 protocols.frm
-rw-rw----    1 mysql    mysql        6248 Dec  1 08:15 protocols.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:27 protocols.MYI
-rw-rw----    1 mysql    mysql        8630 Dec  1 08:15 reference.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 08:15 reference.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:15 reference.MYI
-rw-rw----    1 mysql    mysql        8618 Dec  1 08:15 reference_system.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 08:15 reference_system.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:15 reference_system.MYI
-rw-rw----    1 mysql    mysql        8580 Dec  1 08:15 schema.frm
-rw-rw----    1 mysql    mysql          13 Dec  1 08:15 schema.MYD
-rw-rw----    1 mysql    mysql        2048 Dec  1 08:27 schema.MYI
-rw-rw----    1 mysql    mysql        8738 Dec  1 08:15 sensor.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 08:15 sensor.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:15 sensor.MYI
-rw-rw----    1 mysql    mysql        8648 Dec  1 08:15 services.frm
-rw-rw----    1 mysql    mysql     3686536 Dec  1 08:17 services.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:27 services.MYI
-rw-rw----    1 mysql    mysql        8614 Dec  1 08:15 sig_class.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 08:15 sig_class.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:15 sig_class.MYI
-rw-rw----    1 mysql    mysql        8730 Dec  1 08:15 signature.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 08:15 signature.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:15 signature.MYI
-rw-rw----    1 mysql    mysql        8616 Dec  1 08:15 sig_reference.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 08:15 sig_reference.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:15 sig_reference.MYI
-rw-rw----    1 mysql    mysql        8888 Dec  1 08:15 tcphdr.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 08:15 tcphdr.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:15 tcphdr.MYI
-rw-rw----    1 mysql    mysql        8704 Dec  1 08:15 udphdr.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 08:15 udphdr.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:15 udphdr.MYI

/mnt/ext3/mysql/var/lib/mysql/snort_archive:
total 276
drwx------    2 mysql    mysql        4096 Dec  1 08:17 .
drwxr-xr-x    6 mysql    mysql        4096 Dec  1 08:27 ..
-rw-rw----    1 mysql    mysql        8614 Dec  1 08:17 data.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 08:17 data.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:17 data.MYI
-rw-rw----    1 mysql    mysql        8606 Dec  1 08:17 detail.frm
-rw-rw----    1 mysql    mysql          40 Dec  1 08:17 detail.MYD
-rw-rw----    1 mysql    mysql        2048 Dec  1 08:27 detail.MYI
-rw-rw----    1 mysql    mysql        8614 Dec  1 08:17 encoding.frm
-rw-rw----    1 mysql    mysql          60 Dec  1 08:17 encoding.MYD
-rw-rw----    1 mysql    mysql        2048 Dec  1 08:27 encoding.MYI
-rw-rw----    1 mysql    mysql        8642 Dec  1 08:17 event.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 08:17 event.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:17 event.MYI
-rw-rw----    1 mysql    mysql        8738 Dec  1 08:17 icmphdr.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 08:17 icmphdr.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:17 icmphdr.MYI
-rw-rw----    1 mysql    mysql        8920 Dec  1 08:17 iphdr.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 08:17 iphdr.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:17 iphdr.MYI
-rw-rw----    1 mysql    mysql        8728 Dec  1 08:17 opt.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 08:17 opt.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:17 opt.MYI
-rw-rw----    1 mysql    mysql        8630 Dec  1 08:17 reference.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 08:17 reference.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:17 reference.MYI
-rw-rw----    1 mysql    mysql        8618 Dec  1 08:17 reference_system.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 08:17 reference_system.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:17 reference_system.MYI
-rw-rw----    1 mysql    mysql        8580 Dec  1 08:17 schema.frm
-rw-rw----    1 mysql    mysql          13 Dec  1 08:17 schema.MYD
-rw-rw----    1 mysql    mysql        2048 Dec  1 08:27 schema.MYI
-rw-rw----    1 mysql    mysql        8738 Dec  1 08:17 sensor.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 08:17 sensor.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:17 sensor.MYI
-rw-rw----    1 mysql    mysql        8614 Dec  1 08:17 sig_class.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 08:17 sig_class.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:17 sig_class.MYI
-rw-rw----    1 mysql    mysql        8730 Dec  1 08:17 signature.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 08:17 signature.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:17 signature.MYI
-rw-rw----    1 mysql    mysql        8616 Dec  1 08:17 sig_reference.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 08:17 sig_reference.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:17 sig_reference.MYI
-rw-rw----    1 mysql    mysql        8888 Dec  1 08:17 tcphdr.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 08:17 tcphdr.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:17 tcphdr.MYI
-rw-rw----    1 mysql    mysql        8704 Dec  1 08:17 udphdr.frm
-rw-rw----    1 mysql    mysql           0 Dec  1 08:17 udphdr.MYD
-rw-rw----    1 mysql    mysql        1024 Dec  1 08:17 udphdr.MYI

/mnt/ext3/mysql/var/lib/mysql/test:
total 8
drwx------    2 mysql    mysql        4096 Dec  1 08:15 .
drwxr-xr-x    6 mysql    mysql        4096 Dec  1 08:27 ..
*** List MySQL Processes...
root      2732  1406  1 08:27 pts/0    00:00:00 /bin/bash ./setup_snort -c -rdir /mnt/ext3/mysql -v
root      2741  2732  0 08:27 pts/0    00:00:00 /bin/bash ./setup_snort -c -rdir /mnt/ext3/mysql -v
root      2742  2741  1 08:27 pts/0    00:00:00 /bin/bash /root/bin/setup_mysql -rdir /mnt/ext3/mysql -v
root      2787     1  0 08:27 pts/0    00:00:00 /bin/sh /usr/bin/safe_mysqld --defaults-file=/etc/my.cnf
mysql     2811  2787  1 08:27 pts/0    00:00:00 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/mnt/ext3/mysql/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking
*** Try to initialize the Snort MySQL databases...
*** Prior MySQL databases for Snort detected...
*** Test for proper MySQL database setup for Snort...
List Snort database status and service entries: (ports: between 20 and 30)
-and- List Snort Archive database status and table entries...
--------------
/usr/local/bin/mysql  Ver 11.18 Distrib 3.23.58, for redhat-linux-gnu (i386)

Connection id:          7
Current database:       snort
Current user:           snort@localhost
Current pager:          stdout
Using outfile:          ''
Server version:         3.23.58
Protocol version:       10
Connection:             Localhost via UNIX socket
Client characterset:    latin1
Server characterset:    latin1
UNIX socket:            /var/lib/mysql/mysql.sock
Uptime:                 5 sec

Threads: 1  Questions: 10  Slow queries: 0  Opens: 6  Flush tables: 1  Open tables: 0  Queries per second avg: 2.000
--------------

port    protocol        name    description
21      6       ftp     File Transfer [Control]
21      17      ftp     File Transfer [Control]
22      6       -       Unassigned
22      17      -       Unassigned
23      6       telnet  Telnet
23      17      telnet  Telnet
24      6       -       Unassigned
24      17      -       Unassigned
25      6       smtp    Simple Mail Transfer
25      17      smtp    Simple Mail Transfer
26      6       -       Unassigned
26      17      -       Unassigned
27      6       nsw-fe  NSW User System FE
27      17      nsw-fe  NSW User System FE
28      6       -       Unassigned
28      17      -       Unassigned
29      6       msg-icp MSG ICP
29      17      msg-icp MSG ICP
--------------
/usr/local/bin/mysql  Ver 11.18 Distrib 3.23.58, for redhat-linux-gnu (i386)

Connection id:          7
Current database:       snort_archive
Current user:           snort@localhost
Current pager:          stdout
Using outfile:          ''
Server version:         3.23.58
Protocol version:       10
Connection:             Localhost via UNIX socket
Client characterset:    latin1
Server characterset:    latin1
UNIX socket:            /var/lib/mysql/mysql.sock
Uptime:                 6 sec

Threads: 1  Questions: 13  Slow queries: 0  Opens: 7  Flush tables: 1  Open tables: 1  Queries per second avg: 2.167
--------------

Tables_in_snort_archive
data
detail
encoding
event
icmphdr
iphdr
opt
reference
reference_system
schema
sensor
sig_class
sig_reference
signature
tcphdr
udphdr
*** Creating config file: "/etc/base_conf.php"...
****************************************************
****************************************************
*** A MySQL database is running on this probe at
*** IP:Port: 10.222.222.107:3306 for the collection
*** of remote Snort security incidents.
****************************************************
****************************************************
Steps in the session above:
1. List the partition table found in the Kernel proc file.
2. Mount the Linux Ext3 file system found on partition /dev/hdc1.
3. Display all mounted file systems with command: df.
4. Display a long directory listing at the mount point /mnt/ext3.
5. Setup the Snort "Collector" using the existing MySQL at directory location /mnt/ext3/mysql.
At this point a backend MySQL snort database collector is configured, running, and waiting for remote snort security incidents. The collector mode also configures BASE to be used with this snort database.
The collector mode does not set up the NST probe as an IDS snort sensor. The "IP address:port" of the MySQL listening TCP/IP connection in this example is 10.222.222.107:3306.
We will now set up a remote snort IDS probe, 10.222.200.106 (Security Zone 1 "DMZ", NST "Probe2"), and log all security incidents detected on stealth interface "eth1" to the backend MySQL snort database collector at 10.222.222.107:3306 (Security Zone 5 "Security Management", NST "Probe7"). Stealth interface "eth1" monitors all traffic entering and leaving Security Zone 1 "DMZ", as shown in Figure 6.5, “Network Enterprise Diagram”.
It is best practice to secure all network communications between the IDS probe and the snort database collector. This can be done over a separate out-of-band security network or with a VPN.
[root@probe snort]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:90:27:0A:A9:3A
          inet addr:10.222.200.106  Bcast:10.222.222.255  Mask:255.255.255.0
          inet6 addr: fe80::290:27ff:fe0a:a93a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:123193 errors:0 dropped:0 overruns:0 frame:0
          TX packets:163564 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10724840 (10.2 Mb)  TX bytes:177310400 (169.0 Mb)

[root@probe snort]# /usr/local/snort/setup_snort -r remote -i eth1 -d 10.222.222.107 -s DMZ -a full -v
*** Creating a 64MByte RAM disk at mount point: "/mnt/ram4"...
/root/bin/create_ramdisk -s 64 -d /dev/ram4 -m /mnt/ram4 -v
============================================================
= Creating a 65536KB RAM disk at mount point: /mnt/ram4... =
============================================================
*** Zeroing out RAM device: "/dev/ram4"...
/bin/dd if=/dev/zero of=/dev/ram4 bs=1k count=65536
65536+0 records in
65536+0 records out
*** Creating a 65536KB Linux ext2 file system on RAM device: "/dev/ram4"...
/sbin/mke2fs -vm 0 /dev/ram4 65536
mke2fs 1.32 (09-Nov-2002)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
16384 inodes, 65536 blocks
0 blocks (0.00%) reserved for the super user
First data block=1
8 block groups
8192 blocks per group, 8192 fragments per group
2048 inodes per group
Superblock backups stored on blocks:
        8193, 24577, 40961, 57345

Writing inode tables: done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 23 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
*** Mounting RAM disk device: "/dev/ram4" at mount point: "/mnt/ram4"...
/bin/mount -t ext2 /dev/ram4 /mnt/ram4
*** Show all current mounts...
/bin/df -k
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/ram                 63461     31255     32206  50% /
none                    256892         0    256892   0% /dev/shm
/dev/cdrom              494048    494048         0 100% /mnt/cdrom
/dev/ram4                63461        13     63448   1% /mnt/ram4
*** Successfully created a 65536KB RAM Disk: "/dev/ram4" at mount point: "/mnt/ram4"...
*** Using remote Snort rules definitions...
*** Fetching the latest Snort rule definitions from: "http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz"
/usr/local/bin/wget http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz
--10:35:53--  http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz
           => `snortrules-snapshot-2_2.tar.gz'
Resolving www.snort.org... 199.107.65.177
Connecting to www.snort.org[199.107.65.177]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 166,457 [application/x-gzip]

100%[==================================================================>] 166,457      297.54K/s

10:35:54 (296.26 KB/s) - `snortrules-snapshot-2_2.tar.gz' saved [166,457/166,457]

rules/
rules/classification.config
rules/generators
rules/gen-msg.map
rules/reference.config
rules/sid
rules/sid-msg.map
rules/snort.conf
rules/threshold.conf
rules/unicode.map
rules/attack-responses.rules
rules/backdoor.rules
rules/bad-traffic.rules
rules/cgi-bin.list
rules/chat.rules
rules/ddos.rules
rules/deleted.rules
rules/dns.rules
rules/dos.rules
rules/experimental.rules
rules/exploit.rules
rules/finger.rules
rules/ftp.rules
rules/icmp-info.rules
rules/icmp.rules
rules/imap.rules
rules/info.rules
rules/local.rules
rules/misc.rules
rules/multimedia.rules
rules/mysql.rules
rules/netbios.rules
rules/nntp.rules
rules/oracle.rules
rules/other-ids.rules
rules/p2p.rules
rules/policy.rules
rules/pop2.rules
rules/pop3.rules
rules/porn.rules
rules/rpc.rules
rules/rservices.rules
rules/scan.rules
rules/shellcode.rules
rules/smtp.rules
rules/snmp.rules
rules/sql.rules
rules/telnet.rules
rules/tftp.rules
rules/virus.rules
rules/web-attacks.rules
rules/web-cgi.rules
rules/web-client.rules
rules/web-coldfusion.rules
rules/web-frontpage.rules
rules/web-iis.rules
rules/web-misc.rules
rules/web-php.rules
rules/x11.rules
*** Snort config files: "/etc/snort_eth0"...
total 326
drwxr-xr-x    2 root     root         1024 Dec  1 10:35 .
drwxr-xr-x   48 root     root         4096 Dec  1 10:35 ..
-rw-r--r--    1 root     root         3521 Dec  1 10:15 classification.config
-rw-r--r--    1 root     root         1622 Dec  1 10:15 generators
-rw-r--r--    1 root     root         6800 Dec  1 10:15 gen-msg.map
-rw-r--r--    1 root     root          608 Dec  1 10:15 reference.config
-rw-r--r--    1 root     root           58 Dec  1 10:15 sid
-rw-r--r--    1 root     root       231902 Dec  1 10:15 sid-msg.map
-rw-r--r--    1 root     root        23332 Dec  1 10:35 snort.conf
-rw-r--r--    1 root     root        53841 Dec  1 10:15 unicode.map
*** Setup Snort complete...
... A SNORT CONFIGURATION INSTANCE FOR INTERFACE: eth0 ...
*****************************************************************
*****************************************************************
*** Snort Version: 2.2.0
*** Snort Execution Directory: /mnt/ram4/snort
*** Snort Configuration File: /etc/snort_eth0/snort.conf
*** Snort Rules Directory: /mnt/ram4/snort/rules
*** Snort Rules Definitions: http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz
*** Snort Configuration Rules Version: Snort 2.2.0 Ruleset
*** MySQL Database Hostname: 10.222.222.107
*** MySQL Database Port: 3306
*** Snort IDS Interface: eth1
*** Snort IDS Sensor Name: DMZ
*** Snort Alert Event Logging Mode: full
*****************************************************************
*****************************************************************
---- To run Snort on interface: eth1 ----
# ifconfig eth1 up
# /usr/local/snort/snort -c /etc/snort_eth1/snort.conf &
The remote Snort setup is now complete. Before starting the IDS Snort sensor, bring up the stealth interface "eth1" and make any changes you need to the default Snort rule set in the configuration file /etc/snort_eth1/snort.conf.

The results of starting this remote IDS Snort sensor (NST "Probe2") are now presented:
[root@probe snort]# ifconfig eth1 up
[root@probe snort]# /usr/local/snort/snort -c /etc/snort_eth1/snort.conf &
[1] 1335
[root@probe snort]# Running in IDS mode
Log directory = /var/log/snort
Initializing Network Interface eth0

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort_eth1/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Found logdir config directive (/mnt/ram4/snort/logs)
Initializing Network Interface eth1
OpenPcap() device eth1 network lookup:
        eth1: no IPv4 address assigned
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort_eth0/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: YES
      IIS Delimiter: YES alert: YES
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
database: compiled support for ( mysql )
database: configured to use mysql
database: user = snort
database: password is set
database: database name = snort
database: host = 10.222.222.107
database: port = 3306
database: sensor name = DMZ
database: detail level = full
database: sensor id = 1
database: schema version = 106
database: using the "alert" facility
2180 Snort rules read...
2180 Option Chains linked into 176 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1 sig-id=2495 type=Both tracking=dst count=20 seconds=60
| gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
| gen-id=1 sig-id=2494 type=Both tracking=dst count=20 seconds=60
| gen-id=1 sig-id=2496 type=Both tracking=dst count=20 seconds=60
| gen-id=1 sig-id=2924 type=Threshold tracking=src count=10 seconds=60
| gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
| gen-id=1 sig-id=2923 type=Threshold tracking=src count=10 seconds=60
+-----------------------[suppression]------------------------------------------
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.2.0 (Build 30)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)
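The startup banner above is the only confirmation that the sensor is really logging to the intended collector. As an added example (not part of NST, setup_snort or Snort), the script below parses that banner and checks the database host, sensor name, sniffing interface and loaded rule count against the values setup_snort was given; the "eth1: no IPv4 address assigned" message is expected on a stealth interface and is deliberately not reported as a problem.

```python
import re

# Excerpt of the Snort 2.2.0 startup output shown on this page, one message
# per line (the page's copy has the newlines collapsed), used as sample input.
SAMPLE_BANNER = """\
Initializing Network Interface eth1
OpenPcap() device eth1 network lookup:
        eth1: no IPv4 address assigned
database: configured to use mysql
database: host = 10.222.222.107
database: port = 3306
database: sensor name = DMZ
2180 Snort rules read...
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
--== Initialization Complete ==--
"""

DB_LINE = re.compile(r"^database: ([\w ]+?) = (.+)$")      # "database: key = value"
RULES_LINE = re.compile(r"^(\d+) Snort rules read")

def parse_banner(text):
    """Collect database settings, rule count, warnings and interfaces from the banner."""
    info = {"database": {}, "rules_read": 0, "warnings": [], "interfaces": [], "complete": False}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := DB_LINE.match(line):
            info["database"][m.group(1)] = m.group(2)
        elif m := RULES_LINE.match(line):
            info["rules_read"] = int(m.group(1))
        elif line.startswith("Warning:"):
            info["warnings"].append(line[len("Warning:"):].strip())
        elif line.startswith("Initializing Network Interface "):
            info["interfaces"].append(line.rsplit(" ", 1)[1])
        elif line == "--== Initialization Complete ==--":
            info["complete"] = True
    return info

def check_sensor(info, host, sensor, iface, min_rules=1):
    """Return mismatches between the banner and the intended sensor config (empty = OK)."""
    db = info["database"]
    problems = []
    for what, got, want in (("database host", db.get("host"), host),
                            ("sensor name", db.get("sensor name"), sensor)):
        if got != want:
            problems.append(f"{what} is {got!r}, expected {want!r}")
    if iface not in info["interfaces"]:
        problems.append(f"interface {iface!r} was not initialized")
    if info["rules_read"] < min_rules:
        problems.append(f"only {info['rules_read']} rules read")
    return problems
```

Run it against the saved stdout of the snort command (`snort ... > /mnt/ram4/snort/startup.log 2>&1 &`, a constructed path) with the same host, sensor name and interface passed to setup_snort; a non-empty result means the sensor is not reporting where the collector expects it.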