- Introduction
- Previous Requirements
- Choice and Installation of the Snort Package
- Elements to Analyze and Mode of Operation of the Service
- Installing the redBorder Package
- Sensor Registration in redBorder Live
- Sensor Registered in redBorder Live
- Necessary Configuration of the System
Introduction
Security is a key element in many environments, whatever their size.
One of the leading free software projects in its field, widely used to reinforce network security, is Snort: a NIDPS (Network Intrusion Detection and Prevention System) present in many professional, academic and laboratory installations.
This guide was written to ease the integration of such installations into redBorder's cloud environment, redBorder Live.
Once integrated, the user can configure multiple rule policies easily and effectively, and store and analyze the alerts generated by Snort in a clean, fast and productive way.
Following these simple steps, a system running Snort can be registered in redBorder Live as if it were a native redBorder sensor.
Previous Requirements
The procedure described here takes as reference an installation on a fully updated CentOS 6 system.
Before beginning the integration, the requirements detailed below must be met.
- Access to repositories:
- EPEL
- redBorder (publicrepo)
- cert-forensics-tools
- Have an account and an organization created in redBorder Live.
To install the repository definitions, just run the following command (note that the redBorder release package is fetched over plain HTTP, so it is worth checking the repository definition and signing key it drops under /etc/yum.repos.d and /etc/pki/rpm-gpg before installing packages from that repository):
[root@snortstd-centos6 ~]# rpm -ivh \
    https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm \
    https://forensics.cert.org/cert-forensics-tools-release-el6.rpm \
    http://publicrepo.redborder.com/redBorder-release-6-5.noarch.rpm
Retrieving https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
Retrieving https://forensics.cert.org/cert-forensics-tools-release-el6.rpm
Retrieving http://publicrepo.redborder.com/redBorder-release-6-5.noarch.rpm
Preparing...                ########################################### [100%]
   1:redBorder-release      ########################################### [ 33%]
   2:cert-forensics-tools-re########################################### [ 67%]
   3:epel-release           ########################################### [100%]
Choice and Installation of the Snort Package
The cert-forensics-tools repository contains several versions of Snort compiled for CentOS 6:
[root@snortstd-centos6 ~]# yum search snort --showduplicates
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
 * base: mirror.tedra.es
 * epel: ftp.cica.es
 * extras: mirror.tedra.es
 * updates: mirror.tedra.es
============================== N/S Matched: snort ==============================
fwsnort-1.6.4-1.el6.noarch : Translates snort rules into equivalent iptables rules
1:snort-mysql-2.9.1.1-1.el6.x86_64 : snort with MySQL support
1:snort-postgresql-2.9.1.1-1.el6.x86_64 : snort with PostgreSQL support
snort-sample-rules-2.9.7.5-1.el6.noarch : Sample rules for snort
snort-sample-rules-2.9.7.6-1.el6.noarch : Sample rules for snort
snort-sample-rules-2.9.8.0-1.el6.noarch : Sample rules for snort
1:snort-unixODBC-2.9.1.1-1.el6.x86_64 : snort with unixODBC support
1:snort-2.9.7.5-1.el6.x86_64 : An open source Network Intrusion Detection System (NIDS)
1:snort-2.9.7.5-1.el6.x86_64 : An open source Network Intrusion Detection System (NIDS)
1:snort-2.9.7.6-1.el6.x86_64 : An open source Network Intrusion Detection System (NIDS)
1:snort-2.9.8.0-1.el6.x86_64 : An open source Network Intrusion Detection System (NIDS)
1:snort-openappid-2.9.7.5-1.el6.x86_64 : An open source Network Intrusion Detection System (NIDS) with open AppId support
1:snort-openappid-2.9.7.6-1.el6.x86_64 : An open source Network Intrusion Detection System (NIDS) with open AppId support
1:snort-openappid-2.9.8.0-1.el6.x86_64 : An open source Network Intrusion Detection System (NIDS) with open AppId support

  Name and summary matches only, use "search all" for everything.
In this case the snort-2.9.7.5-1 package is chosen; the procedure is equally valid for the other versions.
[root@snortstd-centos6 ~]# yum install snort-2.9.7.5-1.el6.x86_64
Loaded plugins: fastestmirror, security
Setting up Install Process
Loading mirror speeds from cached hostfile
 * base: mirror.tedra.es
 * epel: ftp.cica.es
 * extras: mirror.tedra.es
 * updates: mirror.tedra.es
Resolving Dependencies
--> Running transaction check
---> Package snort.x86_64 1:2.9.7.5-1.el6 will be installed
--> Processing Dependency: libsfbpf.so.0()(64bit) for package: 1:snort-2.9.7.5-1.el6.x86_64
--> Processing Dependency: libdnet.so.1()(64bit) for package: 1:snort-2.9.7.5-1.el6.x86_64
--> Running transaction check
---> Package daq.x86_64 0:2.0.6-1.el6 will be installed
---> Package libdnet.x86_64 0:1.12-6.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package        Arch        Version                Repository           Size
================================================================================
Installing:
 snort          x86_64      1:2.9.7.5-1.el6        forensics           5.1 M
Installing for dependencies:
 daq            x86_64      2.0.6-1.el6            forensics           252 k
 libdnet        x86_64      1.12-6.el6             epel                 28 k

Transaction Summary
================================================================================
Install       3 Package(s)

Total download size: 5.4 M
Installed size: 19 M
Is this ok [y/N]: y
Downloading Packages:
(1/3): daq-2.0.6-1.el6.x86_64.rpm                        | 252 kB     00:00
(2/3): libdnet-1.12-6.el6.x86_64.rpm                     |  28 kB     00:00
(3/3): snort-2.9.7.5-1.el6.x86_64.rpm                    | 5.1 MB     00:02
--------------------------------------------------------------------------------
Total                                           1.0 MB/s | 5.4 MB     00:05
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : libdnet-1.12-6.el6.x86_64                                    1/3
  Installing : daq-2.0.6-1.el6.x86_64                                       2/3
  Installing : 1:snort-2.9.7.5-1.el6.x86_64                                 3/3
  Verifying  : daq-2.0.6-1.el6.x86_64                                       1/3
  Verifying  : 1:snort-2.9.7.5-1.el6.x86_64                                 2/3
  Verifying  : libdnet-1.12-6.el6.x86_64                                    3/3

Installed:
  snort.x86_64 1:2.9.7.5-1.el6

Dependency Installed:
  daq.x86_64 0:2.0.6-1.el6              libdnet.x86_64 0:1.12-6.el6

Complete!
This guide focuses on a basic configuration that gets the Snort service running, as a starting point for a more complex setup.
Tuning Snort to the inspection needs of a particular environment is beyond the scope of this document.
Elements to Analyze and Mode of Operation of the Service
- Interface to analyze: eth0
- Mode of operation of the service: IDS
- Output of snort: unified2
Starting from these parameters, the default configuration files are used with a few changes:
- Disable the ALERTMODE and BINARY_LOG options in /etc/sysconfig/snort by commenting them out, so that snortd does not pass -A and -b and unified2 remains the only output. For example:
# /etc/sysconfig/snort
# $Id: snort.sysconfig,v 1.3 2005/05/05 18:23:45 jhewlett Exp $

# All of these options with the exception of -c, which tells Snort where
# the configuration file is, may be specified in that configuration file as
# well as the command line. Both the command line and config file options
# are listed here for reference.

#### General Configuration

# What interface should snort listen on?  [Pick only 1 of the next 3!]
# This is -i {interface} on the command line
# This is the snort.conf config interface: {interface} directive
INTERFACE=eth0
#
# The following two options are not directly supported on the command line
# or in the conf file and assume the same Snort configuration for all
# instances
#
# To listen on all interfaces use this:
#INTERFACE=ALL
#
# To listen only on given interfaces use this:
#INTERFACE="eth1 eth2 eth3 eth4 eth5"

# Where is Snort's configuration file?
# -c {/path/to/snort.conf}
CONF=/etc/snort/snort.conf

# What user and group should Snort drop to after starting? This user and
# group should have very few privileges.
# -u {user} -g {group}
# config set_uid: user
# config set_gid: group
USER=snort
GROUP=snort

# Should Snort change the order in which the rules are applied to packets.
# Instead of being applied in the standard Alert->Pass->Log order, this will
# apply them in Pass->Alert->Log order.
# -o
# config order: {actions in order}
# e.g. config order: log alert pass activation dynamic suspicious redalert
PASS_FIRST=0

#### Logging & Alerting

# NOTE: NO_PACKET_LOG and BINARY_LOG, ALERTMODE, etc. are mutually
# exclusive. Use either NO_PACKET_LOG or any/all of the other logging
# options. But the more logging options use you, the slower Snort will run.

# Where should Snort log?
# -l {/path/to/logdir}
# config logdir: {/path/to/logdir}
LOGDIR=/var/log/snort

# How should Snort alert? Valid alert modes include fast, full, none, and
# unsock.  Fast writes alerts to the default "alert" file in a single-line,
# syslog style alert message.  Full writes the alert to the "alert" file
# with the full decoded header as well as the alert message.  None turns off
# alerting. Unsock is an experimental mode that sends the alert information
# out over a UNIX socket to another process that attaches to that socket.
# -A {alert-mode}
# output alert_{type}: {options}
#ALERTMODE=fast

# Should Snort dump the application layer data when displaying packets in
# verbose or packet logging mode.
# -d
# config dump_payload
DUMP_APP=1

# Should Snort keep binary (AKA pcap, AKA tcpdump) logs also? This is
# recommended as it provides very useful information for investigations.
# -b
# output log_tcpdump: {log name}
#BINARY_LOG=1

# Should Snort turn off packet logging?  The program still generates
# alerts normally.
# -N
# config nolog
NO_PACKET_LOG=0

# Print out the receiving interface name in alerts.
# -I
# config alert_with_interface_name
PRINT_INTERFACE=0

# When dumping the stats, what log file should we look in
SYSLOG=/var/log/messages

# When dumping the stats, how long to wait to make sure that syslog can
# flush data to disk
SECS=5

# To add a BPF filter to the command line uncomment the following variable
# syntax corresponds to tcpdump(8)
#BPF="not host 192.168.1.1"

# To use an external BPF filter file uncomment the following variable
# syntax corresponds to tcpdump(8)
# -F {/path/to/bpf_file}
# config bpf_file: /path/to/bpf_file
#BPFFILE=/etc/snort/bpf_file
- In /etc/snort/snort.conf, comment out or delete all rule file includes (include $RULE_PATH/*.rules) except the one for local.rules (include $RULE_PATH/local.rules):
...
###################################################
# Step #7: Customize your rule set
# For more information, see Snort Manual, Writing Snort Rules
#
# NOTE: All categories are enabled in this conf file
###################################################

# site specific rules
include $RULE_PATH/local.rules

#include $RULE_PATH/app-detect.rules
#include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/backdoor.rules
#include $RULE_PATH/bad-traffic.rules
#include $RULE_PATH/blacklist.rules
#include $RULE_PATH/botnet-cnc.rules
...
- Enable the perfmonitor preprocessor, which records Snort's performance statistics. These are sent to redBorder Live, where they can be consulted easily (pay attention to the proposed file path, which is the one the redBorder agent reads):
...
# performance statistics. For more information, see the Snort Manual,
# Configuring Snort - Preprocessors - Performance Monitor
preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 1000
...
- Disable the reputation preprocessor, which is not used in this basic configuration:
...
# Reputation preprocessor. For more information see README.reputation
#preprocessor reputation: \
#   memcap 500, \
#   priority whitelist, \
#   nested_ip inner, \
#   whitelist $WHITE_LIST_PATH/white_list.rules, \
#   blacklist $BLACK_LIST_PATH/black_list.rules
...
To complete the configuration so that the service is operational at a basic level, two more steps are needed:
1. Create the dynamic rules directory:
[root@snortstd-centos6 ~]# mkdir /usr/local/lib/snort_dynamicrules
2. Create the rules file local.rules, initially empty:
[root@snortstd-centos6 ~]# touch /etc/snort/rules/local.rules
Once these steps are done, the service can be started:
[root@snortstd-centos6 ~]# /etc/init.d/snortd start
Starting snort: Spawning daemon child...
My daemon child 31590 lives...
Daemon parent exiting (0)
                                                           [  OK  ]
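The four configuration edits above can be applied mechanically and checked before touching the live files. The script below is an added example, not part of the original guide or of the redBorder package: it takes a sysconfig file and a snort.conf as arguments (so it can be run on copies and the result diffed), comments ALERTMODE and BINARY_LOG, leaves only the local.rules include active, enables perfmonitor with the path shown above and comments the multi-line reputation block. It is idempotent, so running it twice changes nothing. The function names and the sample fragments it builds for its dry run are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original redBorder guide: applies the four edits
# described above to a sysconfig file and a snort.conf given as arguments, so they
# can be run against copies first and the result diffed before touching
# /etc/sysconfig/snort and /etc/snort/snort.conf. Function names are this example's own.
set -e

# Rewrite FILE in place with a sed script (portable, no GNU "sed -i").
sed_inplace() {
  sed "$1" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# 1. /etc/sysconfig/snort: comment out ALERTMODE and BINARY_LOG so snortd does
#    not add -A/-b; unified2 stays the only output.
disable_sysconfig_outputs() {
  sed_inplace 's/^ALERTMODE=/#&/; s/^BINARY_LOG=/#&/' "$1"
}

# 2. snort.conf: comment every "include $RULE_PATH/..." line except local.rules.
keep_only_local_rules() {
  sed_inplace '\|^include [$]RULE_PATH/local\.rules|!s|^include [$]RULE_PATH/|#&|' "$1"
}

# 3. snort.conf: enable perfmonitor with the stats path redBorder reads; replaces the
#    stock (commented) line if present, otherwise appends.
enable_perfmonitor() {
  line='preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 1000'
  if grep -q '^#* *preprocessor perfmonitor:' "$1"; then
    sed_inplace "s|^#* *preprocessor perfmonitor:.*|$line|" "$1"
  else
    printf '%s\n' "$line" >> "$1"
  fi
}

# 4. snort.conf: comment the reputation preprocessor, including its "\"-continued lines
#    (a single-line form is handled by the first expression, the block by the range).
disable_reputation() {
  sed_inplace 's/^preprocessor reputation:[^\\]*$/#&/; /^preprocessor reputation:.*\\$/,/[^\\]$/s/^/#/' "$1"
}

apply_basic_config() {  # $1 = sysconfig file, $2 = snort.conf
  disable_sysconfig_outputs "$1"
  keep_only_local_rules "$2"
  enable_perfmonitor "$2"
  disable_reputation "$2"
}

# Number of rule includes still active (should be 1: local.rules).
active_rule_includes() {
  grep -c '^include [$]RULE_PATH/' "$1" || true
}

# Constructed fragments of the stock files (not the full originals) for a dry run.
write_sample_confs() {
  cat > "$1/snort.sysconfig" <<'EOF'
INTERFACE=eth0
ALERTMODE=fast
DUMP_APP=1
BINARY_LOG=1
NO_PACKET_LOG=0
EOF
  cat > "$1/snort.conf" <<'EOF'
# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/backdoor.rules
EOF
}

# Dry run on the constructed samples in a temporary directory.
demo_dir=$(mktemp -d)
write_sample_confs "$demo_dir"
apply_basic_config "$demo_dir/snort.sysconfig" "$demo_dir/snort.conf"
echo "active rule includes: $(active_rule_includes "$demo_dir/snort.conf")"
grep -n -e perfmonitor -e reputation "$demo_dir/snort.conf"
rm -rf "$demo_dir"
```

To use it on the real system, copy /etc/sysconfig/snort and /etc/snort/snort.conf somewhere, call apply_basic_config on the copies, diff them against the originals and only then move them into place; snort -T -c /etc/snort/snort.conf will still tell you whether the resulting configuration parses.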
Installing the redBorder Package
Once Snort is installed and has been checked to work, install the redBorder-IPS-generic package. It integrates the Snort installation with redBorder Live and manages both the rules applied to the sensor (in the form of policies) and the events it generates.
The redBorder-IPS-generic package requires other packages for its operation:
- ruby
- GeoIP
- net-snmp
- sharutils
- Some gems that will be installed as dependencies
[root@snortstd-centos6 ~]# yum install redBorder-IPS-generic
Loaded plugins: fastestmirror, security
Setting up Install Process
Loading mirror speeds from cached hostfile
 * base: mirror.tedra.es
 * epel: ftp.cica.es
 * extras: mirror.tedra.es
 * updates: mirror.tedra.es
Resolving Dependencies
--> Running transaction check
---> Package redBorder-IPS-generic.x86_64 0:3.1.65-1 will be installed
--> Processing Dependency: sharutils for package: redBorder-IPS-generic-3.1.65-1.x86_64
--> Processing Dependency: rubygems for package: redBorder-IPS-generic-3.1.65-1.x86_64
--> Processing Dependency: rubygem-mixlib-config for package: redBorder-IPS-generic-3.1.65-1.x86_64
--> Processing Dependency: rubygem-mixlib-authentication for package: redBorder-IPS-generic-3.1.65-1.x86_64
--> Processing Dependency: ruby for package: redBorder-IPS-generic-3.1.65-1.x86_64
--> Processing Dependency: net-snmp-utils for package: redBorder-IPS-generic-3.1.65-1.x86_64
--> Processing Dependency: net-snmp-libs for package: redBorder-IPS-generic-3.1.65-1.x86_64
--> Processing Dependency: net-snmp for package: redBorder-IPS-generic-3.1.65-1.x86_64
--> Processing Dependency: GeoIP for package: redBorder-IPS-generic-3.1.65-1.x86_64
--> Running transaction check
---> Package GeoIP.x86_64 0:1.6.5-1.el6 will be installed
--> Processing Dependency: geoipupdate for package: GeoIP-1.6.5-1.el6.x86_64
--> Processing Dependency: GeoIP-data for package: GeoIP-1.6.5-1.el6.x86_64
---> Package net-snmp.x86_64 1:5.5-54.el6_7.1 will be installed
--> Processing Dependency: libsensors.so.4()(64bit) for package: 1:net-snmp-5.5-54.el6_7.1.x86_64
---> Package net-snmp-libs.x86_64 1:5.5-54.el6_7.1 will be installed
---> Package net-snmp-utils.x86_64 1:5.5-54.el6_7.1 will be installed
---> Package ruby.x86_64 0:1.8.7.374-4.el6_6 will be installed
--> Processing Dependency: ruby-libs = 1.8.7.374-4.el6_6 for package: ruby-1.8.7.374-4.el6_6.x86_64
--> Processing Dependency: libruby.so.1.8()(64bit) for package: ruby-1.8.7.374-4.el6_6.x86_64
---> Package rubygem-mixlib-authentication.noarch 0:1.3.0-6.el6 will be installed
--> Processing Dependency: rubygem(mixlib-log) for package: rubygem-mixlib-authentication-1.3.0-6.el6.noarch
---> Package rubygem-mixlib-config.noarch 0:2.1.0-3.el6 will be installed
---> Package rubygems.noarch 0:1.3.7-5.el6 will be installed
--> Processing Dependency: ruby-rdoc for package: rubygems-1.3.7-5.el6.noarch
---> Package sharutils.x86_64 0:4.7-6.1.el6 will be installed
--> Running transaction check
---> Package GeoIP-GeoLite-data.noarch 0:2015.12-1.el6 will be installed
--> Processing Dependency: GeoIP-GeoLite-data-extra = 2015.12-1.el6 for package: GeoIP-GeoLite-data-2015.12-1.el6.noarch
---> Package geoipupdate.x86_64 0:2.2.1-2.el6 will be installed
---> Package lm_sensors-libs.x86_64 0:3.1.1-17.el6 will be installed
---> Package ruby-libs.x86_64 0:1.8.7.374-4.el6_6 will be installed
--> Processing Dependency: libreadline.so.5()(64bit) for package: ruby-libs-1.8.7.374-4.el6_6.x86_64
---> Package ruby-rdoc.x86_64 0:1.8.7.374-4.el6_6 will be installed
--> Processing Dependency: ruby-irb = 1.8.7.374-4.el6_6 for package: ruby-rdoc-1.8.7.374-4.el6_6.x86_64
---> Package rubygem-mixlib-log.noarch 0:1.6.0-1.el6 will be installed
--> Running transaction check
---> Package GeoIP-GeoLite-data-extra.noarch 0:2015.12-1.el6 will be installed
---> Package compat-readline5.x86_64 0:5.2-17.1.el6 will be installed
---> Package ruby-irb.x86_64 0:1.8.7.374-4.el6_6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                        Arch    Version            Repository     Size
================================================================================
Installing:
 redBorder-IPS-generic          x86_64  3.1.65-1           redBorder      46 M
Installing for dependencies:
 GeoIP                          x86_64  1.6.5-1.el6        epel          113 k
 GeoIP-GeoLite-data             noarch  2015.12-1.el6      epel          363 k
 GeoIP-GeoLite-data-extra       noarch  2015.12-1.el6      epel           23 M
 compat-readline5               x86_64  5.2-17.1.el6       base          130 k
 geoipupdate                    x86_64  2.2.1-2.el6        epel           28 k
 lm_sensors-libs                x86_64  3.1.1-17.el6       base           38 k
 net-snmp                       x86_64  1:5.5-54.el6_7.1   updates       308 k
 net-snmp-libs                  x86_64  1:5.5-54.el6_7.1   updates       1.5 M
 net-snmp-utils                 x86_64  1:5.5-54.el6_7.1   updates       176 k
 ruby                           x86_64  1.8.7.374-4.el6_6  base          538 k
 ruby-irb                       x86_64  1.8.7.374-4.el6_6  base          317 k
 ruby-libs                      x86_64  1.8.7.374-4.el6_6  base          1.7 M
 ruby-rdoc                      x86_64  1.8.7.374-4.el6_6  base          381 k
 rubygem-mixlib-authentication  noarch  1.3.0-6.el6        redBorder      14 k
 rubygem-mixlib-config          noarch  2.1.0-3.el6        redBorder      14 k
 rubygem-mixlib-log             noarch  1.6.0-1.el6        epel           12 k
 rubygems                       noarch  1.3.7-5.el6        base          207 k
 sharutils                      x86_64  4.7-6.1.el6        base          187 k

Transaction Summary
================================================================================
Install      19 Package(s)

Total download size: 75 M
Installed size: 149 M
Is this ok [y/N]: y
Downloading Packages:
(1/19): GeoIP-1.6.5-1.el6.x86_64.rpm                     | 113 kB     00:00
(2/19): GeoIP-GeoLite-data-2015.12-1.el6.noarch.rpm      | 363 kB     00:00
(3/19): GeoIP-GeoLite-data-extra-2015.12-1.el6.noarch.rp |  23 MB     00:01
(4/19): compat-readline5-5.2-17.1.el6.x86_64.rpm         | 130 kB     00:00
(5/19): geoipupdate-2.2.1-2.el6.x86_64.rpm               |  28 kB     00:00
(6/19): lm_sensors-libs-3.1.1-17.el6.x86_64.rpm          |  38 kB     00:00
(7/19): net-snmp-5.5-54.el6_7.1.x86_64.rpm               | 308 kB     00:00
(8/19): net-snmp-libs-5.5-54.el6_7.1.x86_64.rpm          | 1.5 MB     00:00
(9/19): net-snmp-utils-5.5-54.el6_7.1.x86_64.rpm         | 176 kB     00:00
(10/19): redBorder-IPS-generic-3.1.65-1.x86_64.rpm       |  46 MB     00:05
(11/19): ruby-1.8.7.374-4.el6_6.x86_64.rpm               | 538 kB     00:00
(12/19): ruby-irb-1.8.7.374-4.el6_6.x86_64.rpm           | 317 kB     00:00
(13/19): ruby-libs-1.8.7.374-4.el6_6.x86_64.rpm          | 1.7 MB     00:00
(14/19): ruby-rdoc-1.8.7.374-4.el6_6.x86_64.rpm          | 381 kB     00:00
(15/19): rubygem-mixlib-authentication-1.3.0-6.el6.noarc |  14 kB     00:00
(16/19): rubygem-mixlib-config-2.1.0-3.el6.noarch.rpm    |  14 kB     00:00
(17/19): rubygem-mixlib-log-1.6.0-1.el6.noarch.rpm       |  12 kB     00:00
(18/19): rubygems-1.3.7-5.el6.noarch.rpm                 | 207 kB     00:00
(19/19): sharutils-4.7-6.1.el6.x86_64.rpm                | 187 kB     00:00
--------------------------------------------------------------------------------
Total                                           6.3 MB/s |  75 MB     00:11
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID c105b9de: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Importing GPG key 0xC105B9DE:
 Userid : CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key@centos.org>
 Package: centos-release-6-6.el6.centos.12.2.x86_64 (@anaconda-CentOS-201410241409.x86_64/6.6)
 From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Is this ok [y/N]: y
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : lm_sensors-libs-3.1.1-17.el6.x86_64                         1/19
  Installing : 1:net-snmp-libs-5.5-54.el6_7.1.x86_64                       2/19
  Installing : 1:net-snmp-utils-5.5-54.el6_7.1.x86_64                      3/19
  Installing : 1:net-snmp-5.5-54.el6_7.1.x86_64                            4/19
  Installing : GeoIP-GeoLite-data-2015.12-1.el6.noarch                     5/19
  Installing : GeoIP-GeoLite-data-extra-2015.12-1.el6.noarch               6/19
  Installing : geoipupdate-2.2.1-2.el6.x86_64                              7/19
  Installing : GeoIP-1.6.5-1.el6.x86_64                                    8/19
  Installing : sharutils-4.7-6.1.el6.x86_64                                9/19
  Installing : compat-readline5-5.2-17.1.el6.x86_64                       10/19
  Installing : ruby-libs-1.8.7.374-4.el6_6.x86_64                         11/19
  Installing : ruby-1.8.7.374-4.el6_6.x86_64                              12/19
  Installing : ruby-irb-1.8.7.374-4.el6_6.x86_64                          13/19
  Installing : ruby-rdoc-1.8.7.374-4.el6_6.x86_64                         14/19
  Installing : rubygems-1.3.7-5.el6.noarch                                15/19
  Installing : rubygem-mixlib-log-1.6.0-1.el6.noarch                      16/19
  Installing : rubygem-mixlib-authentication-1.3.0-6.el6.noarch           17/19
  Installing : rubygem-mixlib-config-2.1.0-3.el6.noarch                   18/19
  Installing : redBorder-IPS-generic-3.1.65-1.x86_64                      19/19
Claim this IPS with the UUID: bd93699b-ff15-4d07-a0f2-f07da1a9ca81
INFO: Please, add this lines to your snmpd.conf file in order to allow get basic statistics:
>>> /etc/snmp/snmpd.conf
disk /
com2sec redBorderUser localhost redBorder
group redBorderGroup v1 redBorderUser
group redBorderGroup v2c redBorderUser
view all included .1 80
access redBorderGroup "" any noauth exact all none none
INFO: You must enable perfmonitor preprocessor to enable statistics. To enable it add the folowing line:
preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000
  Verifying  : redBorder-IPS-generic-3.1.65-1.x86_64                       1/19
  Verifying  : compat-readline5-5.2-17.1.el6.x86_64                        2/19
  Verifying  : GeoIP-GeoLite-data-extra-2015.12-1.el6.noarch               3/19
  Verifying  : GeoIP-1.6.5-1.el6.x86_64                                    4/19
  Verifying  : ruby-libs-1.8.7.374-4.el6_6.x86_64                          5/19
  Verifying  : lm_sensors-libs-3.1.1-17.el6.x86_64                         6/19
  Verifying  : ruby-rdoc-1.8.7.374-4.el6_6.x86_64                          7/19
  Verifying  : 1:net-snmp-libs-5.5-54.el6_7.1.x86_64                       8/19
  Verifying  : sharutils-4.7-6.1.el6.x86_64                                9/19
  Verifying  : ruby-1.8.7.374-4.el6_6.x86_64                              10/19
  Verifying  : GeoIP-GeoLite-data-2015.12-1.el6.noarch                    11/19
  Verifying  : rubygem-mixlib-log-1.6.0-1.el6.noarch                      12/19
  Verifying  : geoipupdate-2.2.1-2.el6.x86_64                             13/19
  Verifying  : 1:net-snmp-utils-5.5-54.el6_7.1.x86_64                     14/19
  Verifying  : rubygem-mixlib-authentication-1.3.0-6.el6.noarch           15/19
  Verifying  : rubygems-1.3.7-5.el6.noarch                                16/19
  Verifying  : 1:net-snmp-5.5-54.el6_7.1.x86_64                           17/19
  Verifying  : rubygem-mixlib-config-2.1.0-3.el6.noarch                   18/19
  Verifying  : ruby-irb-1.8.7.374-4.el6_6.x86_64                          19/19

Installed:
  redBorder-IPS-generic.x86_64 0:3.1.65-1

Dependency Installed:
  GeoIP.x86_64 0:1.6.5-1.el6
  GeoIP-GeoLite-data.noarch 0:2015.12-1.el6
  GeoIP-GeoLite-data-extra.noarch 0:2015.12-1.el6
  compat-readline5.x86_64 0:5.2-17.1.el6
  geoipupdate.x86_64 0:2.2.1-2.el6
  lm_sensors-libs.x86_64 0:3.1.1-17.el6
  net-snmp.x86_64 1:5.5-54.el6_7.1
  net-snmp-libs.x86_64 1:5.5-54.el6_7.1
  net-snmp-utils.x86_64 1:5.5-54.el6_7.1
  ruby.x86_64 0:1.8.7.374-4.el6_6
  ruby-irb.x86_64 0:1.8.7.374-4.el6_6
  ruby-libs.x86_64 0:1.8.7.374-4.el6_6
  ruby-rdoc.x86_64 0:1.8.7.374-4.el6_6
  rubygem-mixlib-authentication.noarch 0:1.3.0-6.el6
  rubygem-mixlib-config.noarch 0:2.1.0-3.el6
  rubygem-mixlib-log.noarch 0:1.6.0-1.el6
  rubygems.noarch 0:1.3.7-5.el6
  sharutils.x86_64 0:4.7-6.1.el6

Complete!
During the installation, a message asks for some lines to be added to snmpd.conf, the configuration of the net-snmp package:
...
INFO: Please, add this lines to your snmpd.conf file in order to allow get basic statistics:
>>> /etc/snmp/snmpd.conf
disk /
com2sec redBorderUser localhost redBorder
group redBorderGroup v1 redBorderUser
group redBorderGroup v2c redBorderUser
view all included .1 80
access redBorderGroup "" any noauth exact all none none
These lines allow the installed redBorder agent to obtain basic system information through local SNMP requests with the redBorder community and send it to redBorder Live. Note that the com2sec line binds the community to localhost and the access line grants a read view only (the write view is none), so this SNMPv1/v2c community, which travels in clear text, is neither reachable from the network nor able to change anything on the host.
Besides the message above, two other messages must be taken into account:
...
INFO: You must enable perfmonitor preprocessor to enable statistics. To enable it add the folowing line:
preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000
This message refers to the perfmonitor preprocessor configured earlier; the statistics file path must match.
...
Claim this IPS with the UUID: bd93699b-ff15-4d07-a0f2-f07da1a9ca81
...
This last message gives the UUID reserved for this installation, by which the system will be identified in redBorder Live.
The value can be checked at any time in the file /opt/rb/etc/rb-uuid:
[root@snortstd-centos6 ~]# cat /opt/rb/etc/rb-uuid
bd93699b-ff15-4d07-a0f2-f07da1a9ca81
Next, add the recommended configuration to snmpd.conf:
[root@snortstd-centos6 ~]# cat >> /etc/snmp/snmpd.conf <<EOF
com2sec redBorderUser localhost redBorder
group redBorderGroup v1 redBorderUser
group redBorderGroup v2c redBorderUser
view all included .1 80
access redBorderGroup "" any noauth exact all none none
EOF
To monitor the state of the file system (usage, mount point, etc.) add the following line:
[root@snortstd-centos6 ~]# cat >> /etc/snmp/snmpd.conf <<EOF
disk /
EOF
Finally, restart the snmpd service:
[root@snortstd-centos6 ~]# /etc/init.d/snmpd restart
Stopping snmpd:                                            [  OK  ]
Starting snmpd:                                            [  OK  ]
The configuration can be checked with a simple query from the host itself (the community is only accepted from localhost):
[root@snortstd-centos6 ~]# snmpwalk -v2c -c redBorder localhost UCD-SNMP-MIB::systemStats
UCD-SNMP-MIB::ssIndex.0 = INTEGER: 1
UCD-SNMP-MIB::ssErrorName.0 = STRING: systemStats
UCD-SNMP-MIB::ssSwapIn.0 = INTEGER: 0 kB
UCD-SNMP-MIB::ssSwapOut.0 = INTEGER: 0 kB
UCD-SNMP-MIB::ssIOSent.0 = INTEGER: 4 blocks/s
UCD-SNMP-MIB::ssIOReceive.0 = INTEGER: 0 blocks/s
UCD-SNMP-MIB::ssSysInterrupts.0 = INTEGER: 17 interrupts/s
UCD-SNMP-MIB::ssSysContext.0 = INTEGER: 58 switches/s
UCD-SNMP-MIB::ssCpuUser.0 = INTEGER: 0
UCD-SNMP-MIB::ssCpuSystem.0 = INTEGER: 0
UCD-SNMP-MIB::ssCpuIdle.0 = INTEGER: 99
UCD-SNMP-MIB::ssCpuRawUser.0 = Counter32: 6379
UCD-SNMP-MIB::ssCpuRawNice.0 = Counter32: 1545
UCD-SNMP-MIB::ssCpuRawSystem.0 = Counter32: 4131
UCD-SNMP-MIB::ssCpuRawIdle.0 = Counter32: 8684393
UCD-SNMP-MIB::ssCpuRawWait.0 = Counter32: 27199
UCD-SNMP-MIB::ssCpuRawKernel.0 = Counter32: 0
UCD-SNMP-MIB::ssCpuRawInterrupt.0 = Counter32: 1
UCD-SNMP-MIB::ssIORawSent.0 = Counter32: 1720732
UCD-SNMP-MIB::ssIORawReceived.0 = Counter32: 770644
UCD-SNMP-MIB::ssRawInterrupts.0 = Counter32: 625495
UCD-SNMP-MIB::ssRawContexts.0 = Counter32: 875982
UCD-SNMP-MIB::ssCpuRawSoftIRQ.0 = Counter32: 73
UCD-SNMP-MIB::ssRawSwapIn.0 = Counter32: 0
UCD-SNMP-MIB::ssRawSwapOut.0 = Counter32: 0
[root@snortstd-centos6 ~]# snmpwalk -v2c -c redBorder localhost UCD-SNMP-MIB::dskEntry
UCD-SNMP-MIB::dskIndex.1 = INTEGER: 1
UCD-SNMP-MIB::dskPath.1 = STRING: /
UCD-SNMP-MIB::dskDevice.1 = STRING: /dev/mapper/vg_snortstd-lv_root
UCD-SNMP-MIB::dskMinimum.1 = INTEGER: 100000
UCD-SNMP-MIB::dskMinPercent.1 = INTEGER: -1
UCD-SNMP-MIB::dskTotal.1 = INTEGER: 14225776
UCD-SNMP-MIB::dskAvail.1 = INTEGER: 11303996
UCD-SNMP-MIB::dskUsed.1 = INTEGER: 2192488
UCD-SNMP-MIB::dskPercent.1 = INTEGER: 16
UCD-SNMP-MIB::dskPercentNode.1 = INTEGER: 6
UCD-SNMP-MIB::dskTotalLow.1 = Gauge32: 14225776
UCD-SNMP-MIB::dskTotalHigh.1 = Gauge32: 0
UCD-SNMP-MIB::dskAvailLow.1 = Gauge32: 11303996
UCD-SNMP-MIB::dskAvailHigh.1 = Gauge32: 0
UCD-SNMP-MIB::dskUsedLow.1 = Gauge32: 2192488
UCD-SNMP-MIB::dskUsedHigh.1 = Gauge32: 0
UCD-SNMP-MIB::dskErrorFlag.1 = INTEGER: noError(0)
UCD-SNMP-MIB::dskErrorMsg.1 = STRING:
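The snmpwalk above proves the community works; it does not prove that nothing broader was left in snmpd.conf. The following lint is an added example, not part of the original guide or of the redBorder package: it walks a snmpd.conf and flags every com2sec or rocommunity entry whose source is not the local host, and every access entry (or rwcommunity shorthand) that grants a write view, which is exactly what the recommended redBorder lines avoid. The function names and the sample file it builds are this example's own; the rocommunity/rwcommunity handling goes beyond the lines shown on this page.

```shell
#!/bin/sh
# Added example, not part of the original guide: a lint for the SNMP access an
# snmpd.conf grants, meant to be run on /etc/snmp/snmpd.conf after the redBorder
# lines are added. Function names are this example's own.
set -e

# com2sec NAME SOURCE COMMUNITY / rocommunity COMMUNITY [SOURCE]: report entries whose
# source is not the local host ("default" or an unset source means any address).
network_reachable_communities() {
  awk '$1 == "com2sec" && $3 != "localhost" && $3 != "127.0.0.1" {
         print "EXPOSED community " $4 " reachable from " $3 }
       $1 == "rocommunity" && $3 != "localhost" && $3 != "127.0.0.1" {
         print "EXPOSED community " $2 " reachable from " ($3 == "" ? "default" : $3) }' "$1"
}

# access GROUP CONTEXT MODEL LEVEL PREFIX READ WRITE NOTIFY: the 8th field is the
# write view, "none" in the redBorder line. rwcommunity always grants write access.
writable_entries() {
  awk '$1 == "access" && $8 != "none" { print "WRITABLE group " $2 " (write view " $8 ")" }
       $1 == "rwcommunity" { print "WRITABLE community " $2 " (rwcommunity)" }' "$1"
}

# Prints the findings and returns 1 if there are any, otherwise prints OK and returns 0.
lint_snmpd_conf() {
  findings=$(network_reachable_communities "$1"; writable_entries "$1")
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
  echo "OK: every community is localhost-only and read-only"
}

# Constructed sample: the recommended redBorder lines plus three entries a default
# or careless configuration might contain.
write_sample_snmpd_conf() {
  cat > "$1" <<'EOF'
disk /
com2sec redBorderUser localhost redBorder
group redBorderGroup v1 redBorderUser
group redBorderGroup v2c redBorderUser
view all included .1 80
access redBorderGroup "" any noauth exact all none none
com2sec anyoneUser default public
group anyoneGroup v2c anyoneUser
access anyoneGroup "" any noauth exact all all none
rwcommunity admin 10.0.150.0/24
EOF
}

sample=$(mktemp)
write_sample_snmpd_conf "$sample"
lint_snmpd_conf "$sample" || echo "snmpd.conf needs attention"
rm -f "$sample"
```

Run lint_snmpd_conf /etc/snmp/snmpd.conf after editing; on the configuration described in this guide it should print the OK line. The stock CentOS snmpd.conf ships its own com2sec/access examples, which is why checking the whole file matters rather than only the lines appended.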
Sensor Registration in redBorder Live
First, verify that the rb_register service is stopped:
[root@snortstd-centos6 ~]# /etc/init.d/rb-register status
rb_register is stopped
Then start it so that the first phase of the registration takes place:
[root@snortstd-centos6 ~]# /etc/init.d/rb-register start
Starting rb_register:                                      [  OK  ]
Domain to connect: https://live.redborder.com
Verify remote certificate: enabled
Claim this IPS with the UUID: bd93699b-ff15-4d07-a0f2-f07da1a9ca81
At this point the host has registered its UUID in the cloud and is waiting for it to be claimed. This can be verified in the system logs:
[root@snortstd-centos6 ~]# tail -f /var/log/messages
Feb  2 12:03:30 snortstd rb_register[31958]: Registering sensor -- URL: https://live.redborder.com/api/v1/sensors
Feb  2 12:03:30 snortstd rb_register[31958]: STATUS: REGISTERING
Feb  2 12:03:31 snortstd rb_register[31958]: STATUS: REGISTERED -- UUID: 1226748192552511968
Feb  2 12:04:31 snortstd rb_register[31958]: STATUS: VERIFYING
At any time a new UUID can be forced by disassociating the sensor with the following script (it stops rb_register, removes the sensor's local state, including the client certificate and barnyard2 configuration, and registers again):
[root@snortstd-centos6 ~]# /opt/rb/bin/rb_disassociate_sensor.sh
Are you sure you want to disassociate this sensor from the manager? (y/N) y
Stopping rb_register:                                      [  OK  ]
Deleting /opt/rb/etc/chef/client.pem
Deleting /opt/rb/etc/chef/client.rb
Deleting /etc/cron.d/redborder
Deleting /opt/rb/etc/sysconfig/barnyard2
Deleting /opt/rb/etc/sid-msg.map
Deleting /opt/rb/etc/barnyard2.conf
Deleting /opt/rb/etc/rb-conf
Deleting /opt/rb/etc/rb-conf-final.sh
Starting rb_register:                                      [  OK  ]
Sensor UUID to claim: 28e4df0f-4fd5-4fe2-9142-d4b92ea96e9d
This script should only be used in the following cases:
- When an error is suspected and the sensor cannot be claimed for any reason.
- To obtain a new UUID.
In that case the logs look like this:
[root@snortstd-centos6 ~]# tail -f /var/log/messages
Feb  2 12:03:30 snortstd rb_register[31958]: Registering sensor -- URL: https://10.0.150.73/api/v1/sensors
Feb  2 12:03:30 snortstd rb_register[31958]: STATUS: REGISTERING
Feb  2 12:03:31 snortstd rb_register[31958]: STATUS: REGISTERED -- UUID: 1226748192552511968
Feb  2 12:04:31 snortstd rb_register[31958]: STATUS: VERIFYING
Feb  2 12:05:32 snortstd rb_register[31958]: STATUS: VERIFYING
Feb  2 12:06:05 snortstd rb_disassociate_sensor: Deleting sensor
Feb  2 12:06:08 snortstd rb_register[32025]: Registering sensor -- URL: https://10.0.150.73/api/v1/sensors
Feb  2 12:06:08 snortstd rb_register[32025]: STATUS: REGISTERING
Feb  2 12:06:09 snortstd rb_register[32025]: STATUS: REGISTERED -- UUID: 5031124327583811291
To claim the sensor, log in to redBorder Live with the account credentials, open the Sensors section and select the + Claim sensor option.
Enter a name for the sensor and its UUID (the value in /opt/rb/etc/rb-uuid).
Clicking Save links that sensor permanently to the current account.
Sensor Registered in redBorder Live
The user can check in the system logs that the sensor has received the registration confirmation:
[root@snortstd-centos6 ~]# tail -f /var/log/messages
Feb  2 16:43:51 snortstd rb_register[32025]: STATUS: VERIFYING
Feb  2 16:44:51 snortstd rb_register[32025]: STATUS: VERIFYING
Feb  2 16:45:51 snortstd rb_register[32025]: STATUS: CLAIMED
Feb  2 16:45:51 snortstd rb_register[32025]: Saved certificate in: /opt/rb/etc/chef/client.pem
Feb  2 16:45:53 snortstd snort[31590]: *** Caught Term-Signal
Feb  2 16:45:53 snortstd kernel: device eth0 left promiscuous mode
Feb  2 16:45:53 snortstd snort[31590]: ===============================================================================
Feb  2 16:45:53 snortstd snort[31590]: Run time for packet processing was 22705.930140 seconds
Feb  2 16:45:53 snortstd snort[31590]: snort processed 117312 packets.
The rb_register service passes from the VERIFYING state to the CLAIMED state and stores the client certificate (/opt/rb/etc/chef/client.pem) with which it will authenticate its communications with redBorder Live from then on. Note that the Snort instance started by hand earlier is terminated at that moment (the Caught Term-Signal lines), since the sensor's Snort configuration is managed from redBorder Live from this point on.
The sensor's entry in redBorder Live also shows the elapsed time since the sensor last checked in.
From this moment on, the Snort-type sensor can be configured and a policy assigned to it.
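Rather than watching tail -f, the registration state can be read back from the log. The script below is an added example, not part of the original guide or of the redBorder package: it extracts the last STATUS that rb_register logged, counts how many VERIFYING polls have passed since the most recent REGISTERED (the log lines above show one poll per minute), and, while the sensor is not yet CLAIMED, prints the UUID from the rb-uuid file so it can be claimed. The function names and the sample log it builds from the lines on this page are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original guide: summarises rb_register progress from
# syslog lines like those shown above. Takes the log file (normally /var/log/messages)
# and the rb-uuid file (normally /opt/rb/etc/rb-uuid). Function names are this example's own.
set -e

# Prints "STATUS POLLS": the last rb_register STATUS and the number of VERIFYING lines
# logged since the most recent REGISTERED (a fresh registration resets the count).
# Prints nothing when the file holds no rb_register STATUS line at all.
last_rb_register_status() {
  awk '/ rb_register\[[0-9]+\]: STATUS: / {
         s = $0; sub(/.*STATUS: /, "", s); sub(/ --.*/, "", s)
         if (s == "REGISTERED") polls = 0
         if (s == "VERIFYING") polls++
         status = s }
       END { if (status != "") print status, polls + 0 }' "$1"
}

# Returns 0 when CLAIMED, 1 while registering or verifying (and prints the UUID to
# claim), 2 when the log holds no rb_register activity.
rb_register_check() {  # $1 = log file, $2 = rb-uuid file
  summary=$(last_rb_register_status "$1")
  status=${summary%% *}
  polls=${summary#* }
  case "$status" in
    "")
      echo "no rb_register STATUS lines found in $1"; return 2 ;;
    CLAIMED)
      echo "sensor claimed; client certificate should be in /opt/rb/etc/chef/client.pem"; return 0 ;;
    *)
      echo "last status $status after $polls VERIFYING polls; claim UUID $(cat "$2") in redBorder Live"
      return 1 ;;
  esac
}

# Constructed sample log assembled from the lines shown in this guide.
write_sample_log() {
  cat > "$1" <<'EOF'
Feb  2 12:03:30 snortstd rb_register[31958]: Registering sensor -- URL: https://live.redborder.com/api/v1/sensors
Feb  2 12:03:30 snortstd rb_register[31958]: STATUS: REGISTERING
Feb  2 12:03:31 snortstd rb_register[31958]: STATUS: REGISTERED -- UUID: 1226748192552511968
Feb  2 12:04:31 snortstd rb_register[31958]: STATUS: VERIFYING
Feb  2 12:05:32 snortstd rb_register[31958]: STATUS: VERIFYING
Feb  2 12:06:05 snortstd rb_disassociate_sensor: Deleting sensor
Feb  2 12:06:08 snortstd rb_register[32025]: STATUS: REGISTERING
Feb  2 12:06:09 snortstd rb_register[32025]: STATUS: REGISTERED -- UUID: 5031124327583811291
Feb  2 12:07:09 snortstd rb_register[32025]: STATUS: VERIFYING
EOF
}

# Dry run: before and after the CLAIMED line arrives.
log=$(mktemp); uuid=$(mktemp)
write_sample_log "$log"
echo 28e4df0f-4fd5-4fe2-9142-d4b92ea96e9d > "$uuid"   # constructed rb-uuid contents
rb_register_check "$log" "$uuid" || true
echo 'Feb  2 16:45:51 snortstd rb_register[32025]: STATUS: CLAIMED' >> "$log"
rb_register_check "$log" "$uuid"
rm -f "$log" "$uuid"
```

On the real host, rb_register_check /var/log/messages /opt/rb/etc/rb-uuid returns 1 with the UUID to claim until the sensor is claimed, which makes it usable from a provisioning script that has to wait for the claim before continuing.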
Necessary Configuration of the System
To edit the sensor configuration, click the Configuration icon on the right margin and select Edit from the submenu.
This opens the screen where the general parameters of the Snort sensor can be modified.
The system offers a series of default values that are suitable for the installation described in this guide, so it is not necessary for the user to make any changes.
If the installation is for a different environment, enter the corresponding values in whichever fields need changing.
The next step is to apply a rules policy. Return to the Sensors view and, in the submenu under the edit icon, select Signature Policies.
Select the policy to apply by clicking its Assign icon. Finally, click Apply Conf in the upper right of the screen to push the policy to the sensor; the policy assigned to the sensor is shaded green.