- Introduction
- Prerequisites
- Selection and Installation of the Snort Package
- Basic Snort configuration
- Installing the redBorder package
Introduction
Security is a vital element in many environments, regardless of their size.
Snort is a free software project that leads its field and is widely used to reinforce network security. It is a NIDPS (Network Intrusion Detection and Prevention System) found in many professional, academic, and laboratory installations.
This guide aims to ease the integration of such installations into the new redborder cloud environment, redborder Live.
This way, the user can easily and effectively configure multiple rule policies, and can store and analyze the alerts generated by Snort quickly and productively.
By following these simple steps, the system can be registered in Live as if it were a redborder sensor.
Prerequisites
The procedure described here uses a fully updated installation of a CentOS 7 system as its reference.
To begin with the integration, the following requirements must be met:
- Access to repositories:
- EPEL
- redBorder (publicrepo)
- cert-forensics-tools
- Have an account and organization created in redborder Live.
To install the repositories, simply execute the following command:
[root@snortstd-centos7 ~]# rpm -ivh \
https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm \
https://forensics.cert.org/cert-forensics-tools-release-el7.rpm \
http://publicrepo.redborder.com/redBorder-release-6-5.noarch.rpm
Retrieving https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
Retrieving https://forensics.cert.org/cert-forensics-tools-release-el7.rpm
Retrieving http://publicrepo.redborder.com/redBorder-release-6-5.noarch.rpm
Preparing...                ########################################### [100%]
   1:redBorder-release      ########################################### [ 33%]
   2:cert-forensics-tools-re########################################### [ 67%]
   3:epel-release           ########################################### [100%]
Selection and Installation of the Snort Package
You can skip this chapter if you already have Snort properly installed and running.
The cert-forensics-tools repository contains various versions of Snort compiled for CentOS 7:
[root@snortstd-centos7 ~]# yum search snort --showduplicates
Loaded plugins: fastestmirror
epel/x86_64/metalink | 19 kB 00:00:00
epel | 4.3 kB 00:00:00
forensics | 2.9 kB 00:00:00
forensics-splunk | 2.9 kB 00:00:00
redBorder | 3.0 kB 00:00:00
(1/6): epel/x86_64/group_gz | 170 kB 00:00:00
(2/6): epel/x86_64/updateinfo | 566 kB 00:00:00
(3/6): redBorder/primary_db | 4.7 kB 00:00:00
(4/6): forensics-splunk/7/x86_64/primary_db | 11 kB 00:00:01
(5/6): forensics/7/x86_64/primary_db | 243 kB 00:00:01
(6/6): epel/x86_64/primary_db | 4.1 MB 00:00:03
Loading mirror speeds from cached hostfile
* base: mirror.tedra.es
* epel: ftp.uma.es
* extras: mirror.tedra.es
* updates: mirror.tedra.es
============================================================================================================= N/S matched: snort ==============================================================================================================
snort-sample-rules-2.9.8.0-1.el7.noarch : Sample rules for snort
1:snort-2.9.8.0-1.el7.x86_64 : An open source Network Intrusion Detection System (NIDS)
1:snort-openappid-2.9.8.0-1.el7.x86_64 : An open source Network Intrusion Detection System (NIDS) with open AppId support
Name and summary matches only, use "search all" for everything.
In this case, Snort version 2.9.8.0-1 is selected as the package to be installed (the procedure is valid for all versions).
[root@snortstd-centos7 ~]# yum install snort-2.9.8.0-1.el7.x86_64
This guide is focused on performing a basic configuration that allows the Snort service to function, such that it serves as a starting point for a more complex configuration.
The specific Snort configuration to adapt to the inspection needs of your particular environment is outside the scope of this document.
Basic Snort configuration
You can skip this chapter if you already have Snort properly installed and running.
Let's assume the following configuration parameters:
- Management interface: eno16780032
- Inspected interface: eno33559296
- Snort operation mode: IDS
- Snort output format: unified2
Based on these parameters, we are going to slightly modify the default configuration files to make it work. This is far from a properly-secured configuration. The idea is to make it work easily as a proof of concept.
- Disable the ALERTMODE and BINARY_LOG options in /etc/sysconfig/snort. For example:
# /etc/sysconfig/snort
# $Id: snort.sysconfig,v 1.3 2005/05/05 18:23:45 jhewlett Exp $

# All of these options with the exception of -c, which tells Snort where
# the configuration file is, may be specified in that configuration file as
# well as the command line. Both the command line and config file options
# are listed here for reference.

#### General Configuration

# What interface should snort listen on?  [Pick only 1 of the next 3!]
# This is -i {interface} on the command line
# This is the snort.conf config interface: {interface} directive
INTERFACE=eth1
#
# The following two options are not directly supported on the command line
# or in the conf file and assume the same Snort configuration for all
# instances
#
# To listen on all interfaces use this:
#INTERFACE=ALL
#
# To listen only on given interfaces use this:
#INTERFACE="eth1 eth2 eth3 eth4 eth5"

# Where is Snort's configuration file?
# -c {/path/to/snort.conf}
CONF=/etc/snort/snort.conf

# What user and group should Snort drop to after starting? This user and
# group should have very few privileges.
# -u {user} -g {group}
# config set_uid: user
# config set_gid: group
USER=snort
GROUP=snort

# Should Snort change the order in which the rules are applied to packets.
# Instead of being applied in the standard Alert->Pass->Log order, this will
# apply them in Pass->Alert->Log order.
# -o
# config order: {actions in order}
# e.g. config order: log alert pass activation dynamic suspicious redalert
PASS_FIRST=0

#### Logging & Alerting

# NOTE: NO_PACKET_LOG and BINARY_LOG, ALERTMODE, etc. are mutually
# exclusive. Use either NO_PACKET_LOG or any/all of the other logging
# options. But the more logging options use you, the slower Snort will run.

# Where should Snort log?
# -l {/path/to/logdir}
# config logdir: {/path/to/logdir}
LOGDIR=/var/log/snort

# How should Snort alert? Valid alert modes include fast, full, none, and
# unsock. Fast writes alerts to the default "alert" file in a single-line,
# syslog style alert message. Full writes the alert to the "alert" file
# with the full decoded header as well as the alert message. None turns off
# alerting. Unsock is an experimental mode that sends the alert information
# out over a UNIX socket to another process that attaches to that socket.
# -A {alert-mode}
# output alert_{type}: {options}
#ALERTMODE=fast

# Should Snort dump the application layer data when displaying packets in
# verbose or packet logging mode.
# -d
# config dump_payload
DUMP_APP=1

# Should Snort keep binary (AKA pcap, AKA tcpdump) logs also? This is
# recommended as it provides very useful information for investigations.
# -b
# output log_tcpdump: {log name}
#BINARY_LOG=1

# Should Snort turn off packet logging?  The program still generates
# alerts normally.
# -N
# config nolog
NO_PACKET_LOG=0

# Print out the receiving interface name in alerts.
# -I
# config alert_with_interface_name
PRINT_INTERFACE=0

# When dumping the stats, what log file should we look in
SYSLOG=/var/log/messages

# When dumping the stats, how long to wait to make sure that syslog can
# flush data to disk
SECS=5

# To add a BPF filter to the command line uncomment the following variable
# syntax corresponds to tcpdump(8)
#BPF="not host 192.168.1.1"

# To use an external BPF filter file uncomment the following variable
# syntax corresponds to tcpdump(8)
# -F {/path/to/bpf_file}
# config bpf_file: /path/to/bpf_file
#BPFFILE=/etc/snort/bpf_file
- Configure the HOME_NET and EXTERNAL_NET variables in /etc/snort/snort.conf. To avoid conflicts with some rules, do not set these variables to "any". If you are not sure which values to use, you can set HOME_NET to the private networks (192.168.0.0/16,10.0.0.0/8,172.16.0.0/12) and EXTERNAL_NET to !$HOME_NET.
...
###################################################
# Step #1: Set the network variables.  For more information, see README.variables
###################################################

# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET
...
- Configure the output in unified2 format. Example:
output unified2: filename snort.log, limit 128, mpls_event_types, vlan_event_types
- Disable all the references to rule files (include $RULE_PATH/*.rules) except the one that points to local.rules (include $RULE_PATH/local.rules) in /etc/snort/snort.conf.
...
###################################################
# Step #7: Customize your rule set
# For more information, see Snort Manual, Writing Snort Rules
#
# NOTE: All categories are enabled in this conf file
###################################################

# site specific rules
include $RULE_PATH/local.rules

#include $RULE_PATH/app-detect.rules
#include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/backdoor.rules
#include $RULE_PATH/bad-traffic.rules
#include $RULE_PATH/blacklist.rules
#include $RULE_PATH/botnet-cnc.rules
...
- Enable the perfmonitor preprocessor to gather statistics on Snort usage. These values will be sent to redBorder Live, where you can view them in an understandable format (note the proposed path for the stats file).
...
# performance statistics.  For more information, see the Snort Manual,
# Configuring Snort - Preprocessors - Performance Monitor
preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000
...
- Disable the reputation preprocessor, which is not used in this basic configuration, in /etc/snort/snort.conf.
...
# Reputation preprocessor. For more information see README.reputation
#preprocessor reputation: \
#   memcap 500, \
#   priority whitelist, \
#   nested_ip inner, \
#   whitelist $WHITE_LIST_PATH/white_list.rules, \
#   blacklist $BLACK_LIST_PATH/black_list.rules
...
To finish this basic configuration and thus enable the service to run in very basic mode, two more steps are still pending:
1. Create the dynamic rules directory:
[root@snortstd-centos7 ~]# mkdir /usr/local/lib/snort_dynamicrules
2. Create the local.rules file, initially empty:
[root@snortstd-centos7 ~]# touch /etc/snort/rules/local.rules
Now we should be able to start the basic service:
[root@snortstd-centos7 ~]# /etc/init.d/snortd start
Starting snortd (via systemctl): [ OK ]
Installing the redBorder package
Once Snort is properly installed and running (or if you already had it running), you need to proceed to install the redBorder-IPS-generic package. This package allows you to bind the Snort instance to the redBorder Live service, to enable rule management, and to configure barnyard2 to securely send the events to the cloud.
redBorder-IPS-generic requires the following additional packages in order to work:
- ruby
- GeoIP
- net-snmp
- sharutils
- Additional gems installed as part of the dependencies
[root@snortstd-centos7 ~]# yum install bc sharutils net-snmp net-snmp-utils net-snmp-libs GeoIP
The /etc/init directory needs to be created:
[root@snortstd-centos7 ~]# mkdir /etc/init
Download the package from the redborder repository:
[root@snortstd-centos7 ~]# yum install --downloadonly --downloaddir=~/ redBorder-IPS-generic
Some lines must be included in the snmpd.conf file of the net-snmp package; the package installation prints the following notice about them:
...
INFO: Please, add these lines to your snmpd.conf file in order to allow get basic statistics:
>>> /etc/snmp/snmpd.conf
disk /
com2sec redBorderUser localhost redBorder
group redBorderGroup v1 redBorderUser
group redBorderGroup v2c redBorderUser
view all included .1 80
access redBorderGroup "" any noauth exact all none none
These lines allow the installed redBorder agent to send basic system information, obtained through local SNMP queries with the redBorder community, to the redBorder Live service.
Two more messages appear that you need to take into account:
...
INFO: You must enable perfmonitor preprocessor to enable statistics. To enable it add the folowing line:
preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000
This first message references the configuration of the Snort perfmonitor preprocessor.
... Claim this IPS with the UUID: bd93699b-ff15-4d07-a0f2-f07da1a9ca81 ...
The second message reports the unique UUID reserved for this installation, which will be used to identify the system in the redBorder Live environment.
You will be asked to enter this UUID when registering the system in redBorder Live; you can view it at any time in the /opt/rb/etc/rb-uuid file:
[root@snortstd-centos6 ~]# cat /opt/rb/etc/rb-uuid
bd93699b-ff15-4d07-a0f2-f07da1a9ca81
Now we add the proposed changes into the snmpd.conf file:
[root@snortstd-centos6 ~]# cat >> /etc/snmp/snmpd.conf <<EOF
com2sec redBorderUser localhost redBorder
group redBorderGroup v1 redBorderUser
group redBorderGroup v2c redBorderUser
view all included .1 80
access redBorderGroup "" any noauth exact all none none
EOF
To monitor the state of the file system (state, usage, mounting point, etc.) add the following line:
[root@snortstd-centos6 ~]# cat >> /etc/snmp/snmpd.conf <<EOF
disk /
EOF
Finally, restart the snmpd service:
[root@snortstd-centos6 ~]# /etc/init.d/snmpd restart
Stopping snmpd: [ OK ]
Starting snmpd: [ OK ]
Check that the configuration is correct by executing the following basic queries:
[root@snortstd-centos6 ~]# snmpwalk -v2c -c redBorder localhost \
UCD-SNMP-MIB::systemStats
UCD-SNMP-MIB::ssIndex.0 = INTEGER: 1
UCD-SNMP-MIB::ssErrorName.0 = STRING: systemStats
UCD-SNMP-MIB::ssSwapIn.0 = INTEGER: 0 kB
UCD-SNMP-MIB::ssSwapOut.0 = INTEGER: 0 kB
UCD-SNMP-MIB::ssIOSent.0 = INTEGER: 4 blocks/s
UCD-SNMP-MIB::ssIOReceive.0 = INTEGER: 0 blocks/s
UCD-SNMP-MIB::ssSysInterrupts.0 = INTEGER: 17 interrupts/s
UCD-SNMP-MIB::ssSysContext.0 = INTEGER: 58 switches/s
UCD-SNMP-MIB::ssCpuUser.0 = INTEGER: 0
UCD-SNMP-MIB::ssCpuSystem.0 = INTEGER: 0
UCD-SNMP-MIB::ssCpuIdle.0 = INTEGER: 99
UCD-SNMP-MIB::ssCpuRawUser.0 = Counter32: 6379
UCD-SNMP-MIB::ssCpuRawNice.0 = Counter32: 1545
UCD-SNMP-MIB::ssCpuRawSystem.0 = Counter32: 4131
UCD-SNMP-MIB::ssCpuRawIdle.0 = Counter32: 8684393
UCD-SNMP-MIB::ssCpuRawWait.0 = Counter32: 27199
UCD-SNMP-MIB::ssCpuRawKernel.0 = Counter32: 0
UCD-SNMP-MIB::ssCpuRawInterrupt.0 = Counter32: 1
UCD-SNMP-MIB::ssIORawSent.0 = Counter32: 1720732
UCD-SNMP-MIB::ssIORawReceived.0 = Counter32: 770644
UCD-SNMP-MIB::ssRawInterrupts.0 = Counter32: 625495
UCD-SNMP-MIB::ssRawContexts.0 = Counter32: 875982
UCD-SNMP-MIB::ssCpuRawSoftIRQ.0 = Counter32: 73
UCD-SNMP-MIB::ssRawSwapIn.0 = Counter32: 0
UCD-SNMP-MIB::ssRawSwapOut.0 = Counter32: 0
[root@snortstd-centos6 ~]# snmpwalk -v2c -c redBorder localhost \
UCD-SNMP-MIB::dskEntry
UCD-SNMP-MIB::dskIndex.1 = INTEGER: 1
UCD-SNMP-MIB::dskPath.1 = STRING: /
UCD-SNMP-MIB::dskDevice.1 = STRING: /dev/mapper/vg_snortstd-lv_root
UCD-SNMP-MIB::dskMinimum.1 = INTEGER: 100000
UCD-SNMP-MIB::dskMinPercent.1 = INTEGER: -1
UCD-SNMP-MIB::dskTotal.1 = INTEGER: 14225776
UCD-SNMP-MIB::dskAvail.1 = INTEGER: 11303996
UCD-SNMP-MIB::dskUsed.1 = INTEGER: 2192488
UCD-SNMP-MIB::dskPercent.1 = INTEGER: 16
UCD-SNMP-MIB::dskPercentNode.1 = INTEGER: 6
UCD-SNMP-MIB::dskTotalLow.1 = Gauge32: 14225776
UCD-SNMP-MIB::dskTotalHigh.1 = Gauge32: 0
UCD-SNMP-MIB::dskAvailLow.1 = Gauge32: 11303996
UCD-SNMP-MIB::dskAvailHigh.1 = Gauge32: 0
UCD-SNMP-MIB::dskUsedLow.1 = Gauge32: 2192488
UCD-SNMP-MIB::dskUsedHigh.1 = Gauge32: 0
UCD-SNMP-MIB::dskErrorFlag.1 = INTEGER: noError(0)
UCD-SNMP-MIB::dskErrorMsg.1 = STRING:
From here, you can continue with the registration and configuration process.