<h1 id="introduction">Introduction</h1>
<p>In this exercise we will set up Snort, a popular Intrusion Detection System, in order to demonstrate how to monitor traffic and receive alarms for network traffic patterns that could be related to an intrusion.</p>
<h2 id="notes">Notes</h2>
<ul>
<li>Commands preceded with "$" imply that you should execute the command as a general user - not as root.</li>
<li>Commands preceded with "#" imply that you should be working as root.</li>
<li>Commands with more specific prompts (e.g. "RTR-GW>" or "mysql>") imply that you are executing commands on remote equipment, or within another program.</li>
</ul>
<h2 id="goals">Goals</h2>
<ul>
<li>Learn how to install the Snort package on Ubuntu</li>
<li>Learn the locations of the different configuration files and logs</li>
<li>Learn how to read alerts and identify rules that triggered them</li>
<li>Learn how to disable rules and suppress alerts</li>
<li>Use a port scanning tool to generate alerts on other PCs in the classroom</li>
</ul>
<h1 id="installation">Installation</h1>
<p>Log in to the PC assigned to you, and install the Snort package:</p>
<pre><code>$ sudo apt-get install snort</code></pre>
<p>You will see a window prompting you to provide the "Address range for the local network". Type the network address of your particular group.</p>
<p>For example, for the first group, the network block is:</p>
<pre><code>10.10.1.0/24</code></pre>
<p>For the second group, the network block is:</p>
<pre><code>10.10.2.0/24</code></pre>
<p>and so on.</p>
<p>Check that the snort daemon is running:</p>
<pre><code>$ ps -ef | grep snort</code></pre>
<p>You should see something like this:</p>
<pre><code>snort     1523     1  0 16:22 ?        00:00:01 /usr/sbin/snort -m 027 -D -d \
-l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf \
-S HOME_NET=[10.10.1.0/24] -i eth0</code></pre>
<p>The configuration is read from the file /etc/snort/snort.conf, which we discuss below.</p>
<p>Notice the variable "HOME_NET". It should reflect the value you used for your network during the installation.</p>
<p>Also, notice that the logs are sent to "/var/log/snort".</p>
<p>The Ubuntu package creates an additional configuration file that you should know of:</p>
<pre><code>$ cat /etc/snort/snort.debian.conf
# This file is used for options that are changed by Debian to leave
# the original lib files untouched.
# You have to use "dpkg-reconfigure snort" to change them.

DEBIAN_SNORT_STARTUP="boot"
DEBIAN_SNORT_HOME_NET="10.10.1.0/24"
DEBIAN_SNORT_OPTIONS=""
DEBIAN_SNORT_INTERFACE="eth0"
DEBIAN_SNORT_SEND_STATS="true"
DEBIAN_SNORT_STATS_RCPT="root"
DEBIAN_SNORT_STATS_THRESHOLD="1"</code></pre>
<h1 id="operation">Operation</h1>
<h2 id="overview">Overview</h2>
<p>Let's take a look at the logs directory:</p>
<pre><code>$ ls -l /var/log/snort
total 8
-rw-r--r-- 1 root  adm 371 2012-03-12 16:39 alert
-rw-r----- 1 snort adm 106 2012-03-12 16:39 tcpdump.log.1331569367</code></pre>
<p>The file "alert" is where Snort will write its alert messages when the traffic on eth0 matches patterns in one of the configured rules.</p>
<p>The other file "tcpdump.log.*" is a binary file in tcpdump capture format. Let's see what is in that file. We need to install tcpdump first.</p>
<p>NOTE: YOU MAY NOT HAVE ANY ALERTS YET. This is just an example. Keep reading!</p>
<pre><code>$ sudo apt-get install tcpdump</code></pre>
<p>If you do have a tcpdump.log.* file under /var/log/snort/, you can use tcpdump to read the packets stored in it:</p>
<pre><code>$ sudo tcpdump -nv -r /var/log/snort/tcpdump.log.1331569367</code></pre>
<p>Result:</p>
<pre><code>reading from file /var/log/snort/tcpdump.log.1331569367, link-type EN10MB \
(Ethernet)
16:39:33.296390 IP (tos 0x0, ttl 64, id 39949, offset 0, flags [DF], proto \
TCP (6), length 52)
10.10.1.1.33154 > 10.10.0.250.3142: Flags [.], cksum 0x1b59 (correct), \
ack 1505459219, win 5208, options [nop,nop,TS val 1533593 ecr 20155833], length 0</code></pre>
<p>This is telling us that Snort found some traffic that matched one of its rules. In particular, TCP traffic from IP 10.10.1.1 going to 10.10.0.250, towards port 3142.</p>
<p>Let's see what is in the alert file:</p>
<pre><code>$ less /var/log/snort/alert</code></pre>
<p>You might see:</p>
<pre><code>[**] [1:100000160:2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**]
[Classification: Attempted Denial of Service] [Priority: 2]
03/12-16:39:33.296390 10.10.1.1:33154 -> 10.10.0.250:3142
TCP TTL:64 TOS:0x0 ID:39949 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xA6FCD5A  Ack: 0x59BB7C13  Win: 0x1458  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1533593 20155833</code></pre>
<p>The first line is important. It reveals information about the Snort rule that caused this alert. The numbers [1:100000160:2] represent [gid:sid:rev] where:</p>
<ul>
<li>gid = Generator ID: indicates what part of Snort generated the event</li>
<li>sid = Signature ID: uniquely identifies a Snort rule</li>
<li>rev = Revision: the version number of this rule</li>
</ul>
<p>We can quickly determine the location of this particular rule by grepping for that sid number in the directory where Snort stores its rules:</p>
<pre><code>$ grep -r sid:100000160 /etc/snort/rules/*</code></pre>
<pre><code>/etc/snort/rules/community-sip.rules:alert ip any any -> any 5060 \
(msg:"COMMUNITY SIP TCP/IP message flooding directed to SIP proxy"; \
threshold: type both, track by_src, count 300, seconds 60; \
classtype:attempted-dos; sid:100000160; rev:2;)</code></pre>
<p>There's a problem with this rule. It says "alert ip any any -> any 5060". The problem is that it should be looking for TCP or UDP traffic destined to port 5060, not just "ip" traffic.</p>
<p>NOTE: This rule exists in the Snort package for Ubuntu 12.04. It has been removed in more recent versions of the package.</p>
<h2 id="supressing-alerts">Suppressing alerts</h2>
<p>You will notice that Snort will initially generate lots of invalid alerts like the one above (false positives). If your alerts file gets filled up with junk, it won't be very useful, so you'll need to fine-tune Snort to suit your needs.</p>
<h3 id="method-1-disable-the-rules-file.">Method 1: Disable the rules file.</h3>
<p>In the example shown above, all the rules in the file community-sip.rules are incorrect. In that case, the easiest thing is to just not include that file when loading Snort. For that, do the following:</p>
<pre><code>$ sudo editor /etc/snort/snort.conf</code></pre>
<p>find this line:</p>
<pre><code>include $RULE_PATH/community-sip.rules</code></pre>
<p>and comment it out like this:</p>
<pre><code>#include $RULE_PATH/community-sip.rules</code></pre>
<p>then, save and restart Snort:</p>
<pre><code>$ sudo service snort restart</code></pre>
<h3 id="method-2-supress-the-specific-rule-in-the-configuration-file">Method 2: Suppress the specific rule in the configuration file</h3>
<ul>
<li>To suppress the above rule so that it doesn't match traffic from/to any hosts, the configuration syntax is:</li>
</ul>
<pre><code>suppress gen_id &lt;gid&gt;, sig_id &lt;sid&gt;</code></pre>
<ul>
<li>If, on the other hand, you wanted to suppress events from this rule that match a specific origin or destination host, the syntax is:</li>
</ul>
<pre><code>suppress gen_id &lt;gid&gt;, sig_id &lt;sid&gt;, track &lt;by_src|by_dst&gt;, ip &lt;ip-list&gt;</code></pre>
<p>Let's suppress events from our broken rule using the first option:</p>
<pre><code>$ sudo editor /etc/snort/threshold.conf</code></pre>
<p>At the end of the file, add the following line:</p>
<pre><code>suppress gen_id 1, sig_id 100000160</code></pre>
<p>then, save and exit. Restart Snort:</p>
<pre><code>$ sudo service snort restart</code></pre>
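<p>The two steps above (reading a rule found with grep, spotting the "ip" protocol with a port, and writing a suppress line into threshold.conf) can be done mechanically. The following Python script is an added example written for this page; it is not part of Snort or of the Ubuntu package. The function names (parse_rule, lint_rule, suppress_line, already_suppressed) are our own, and SAMPLE_RULES is constructed from the two rules printed on this page, each joined back onto one line as it appears in the rules file.</p>

```python
import re
import ipaddress

# Constructed sample input: the two rules shown on this page, each joined back
# onto a single line as they appear in /etc/snort/rules/*.rules.
SAMPLE_RULES = [
    'alert ip any any -> any 5060 (msg:"COMMUNITY SIP TCP/IP message flooding '
    'directed to SIP proxy"; threshold: type both, track by_src, count 300, '
    'seconds 60; classtype:attempted-dos; sid:100000160; rev:2;)',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; '
    'dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; '
    'sid:469; rev:3;)',
]

# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def parse_rule(line):
    """Split one Snort rule into its header fields and an options dict."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % line)
    rule = m.groupdict()
    opts = {}
    # Options are "keyword:value;" pairs. Values may contain ':' or ',',
    # so split only on the first ':'; msg values lose their quotes.
    for item in rule.pop("opts").split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, val = item.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    rule["options"] = opts
    # A rule with no explicit gid belongs to generator 1, the rule engine.
    rule["gid"] = int(opts.get("gid", 1))
    rule["sid"] = int(opts["sid"])
    rule["rev"] = int(opts.get("rev", 0))
    return rule


def lint_rule(rule):
    """Return a list of problems; an empty list means the header looks sane."""
    problems = []
    # The page's broken rule: "ip" protocol combined with a port number.
    if rule["proto"] == "ip" and (rule["sport"] != "any" or rule["dport"] != "any"):
        problems.append("protocol 'ip' with a port restriction: use tcp or udp")
    if "msg" not in rule["options"]:
        problems.append("missing msg option, alert will be hard to identify")
    return problems


def suppress_line(gid, sid, track=None, ips=None):
    """Build a threshold.conf suppress directive for event (gid, sid).

    track/ips are optional; when given, the suppression applies only to the
    listed source (by_src) or destination (by_dst) addresses.
    """
    line = "suppress gen_id %d, sig_id %d" % (gid, sid)
    if track is None:
        return line
    if track not in ("by_src", "by_dst"):
        raise ValueError("track must be by_src or by_dst")
    if not ips:
        raise ValueError("track requires at least one address")
    # Reject typos before they reach Snort: each entry must be an IP or CIDR.
    for ip in ips:
        ipaddress.ip_network(ip, strict=False)
    # Several addresses are written as a bracketed list, one is written bare.
    ip_list = ips[0] if len(ips) == 1 else "[" + ",".join(ips) + "]"
    return "%s, track %s, ip %s" % (line, track, ip_list)


def already_suppressed(threshold_conf, gid, sid):
    """True if the threshold.conf text already carries a suppress line for (gid, sid)."""
    pat = re.compile(r'^\s*suppress\s+gen_id\s+%d\s*,\s*sig_id\s+%d\b' % (gid, sid))
    return any(pat.match(l) for l in threshold_conf.splitlines())


if __name__ == "__main__":
    for text in SAMPLE_RULES:
        rule = parse_rule(text)
        print("[%d:%d:%d] %s" % (rule["gid"], rule["sid"], rule["rev"], rule["options"]["msg"]))
        for problem in lint_rule(rule):
            print("  problem:", problem)
            print("  suggested threshold.conf line:", suppress_line(rule["gid"], rule["sid"]))
```

<p>Run as-is it reports the SIP rule as faulty and prints the same suppress line the page adds to /etc/snort/threshold.conf, while the ICMP PING NMAP rule passes the check. Validating the ip list with the ipaddress module before editing threshold.conf matters because a malformed entry is only discovered when Snort is restarted and fails to start.</p>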
<h2 id="simulate-intrusion-attempts">Simulate intrusion attempts</h2>
<p>Let's generate some traffic towards your classmates' networks in other groups.</p>
<p>First, install the nmap package:</p>
<pre><code>$ sudo apt-get install nmap</code></pre>
<p>Now we are going to scan all the TCP ports on another machine to see what could be potentially vulnerable.</p>
<p>NOTE: Change "X" to the number of a group in a network <em>other</em> than your own. Otherwise, the alerts will not trigger because Snort is looking at traffic coming from EXTERNAL networks.</p>
<pre><code>$ sudo nmap -sS 10.10.X.10
$ sudo nmap -sS 10.10.X.253</code></pre>
<p>Repeat the above commands for as many hosts as you can (in other groups).</p>
<p>Wait a little bit, and check your alerts:</p>
<pre><code>$ less /var/log/snort/alert</code></pre>
<p>If someone is scanning your PC, you should start seeing some entries.</p>
<p>If not, ask a person from another group to scan your PC: remember that other people in the class may not yet be ready with the Snort part of their labs, so just ask them to scan you instead.</p>
<p>For example, you might find:</p>
<pre><code>[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/12-18:30:21.185863 10.10.4.13 -> 10.10.1.1
ICMP TTL:55 TOS:0x0 ID:44605 IpLen:20 DgmLen:28
Type:8  Code:0  ID:3517   Seq:0  ECHO
[Xref => http://www.whitehats.com/info/IDS162]</code></pre>
<p>Let's see where that came from:</p>
<pre><code>$ grep 'sid:469' /etc/snort/rules/*</code></pre>
<p>You should see something like this:</p>
<pre><code>/etc/snort/rules/icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any \
(msg:"ICMP PING NMAP"; dsize:0; itype:8; reference:arachnids,162; \
classtype:attempted-recon; sid:469; rev:3;)</code></pre>
<p>Here, the interesting information is "dsize:0". This alert is triggered when the size of the data in the ping packet is zero (0). The tool nmap typically pings the host via ICMP if the user has root privileges.</p>
<p>Also, you may see this in your alerts:</p>
<pre><code>[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
03/12-18:30:21.305881 10.10.4.13 -> 10.10.1.1
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:155 DF</code></pre>
<p>If you try searching for this rule (122:1) in /etc/snort/rules, you will not find it. The reason is that this alert is not triggered by a standard rule but by a Snort "preprocessor". In these cases, you may find it easier to learn more about the mechanism that triggered this alert by searching for the gid and sid in the Snort search engine:</p>
<pre><code>http://www.snort.org/search/</code></pre>
<p>For example, you will find details about this alert by searching for "sid:122-1".</p>
<h1 id="more-information">More information</h1>
<p>The Snort website contains lots of useful information:</p>
<pre><code>http://www.snort.org</code></pre>