Linux security measures Intrusion detection by Snort
Introduction
This article describes Snort intrusion detection as a Linux security measure.
Snort is an open source network IDS. It can be used free of charge under the GPL (GNU General Public License).
It's still under development, so you can download and use the latest ruleset for free.
Building Snort
Snort is provided as a source, so you need to download and maik the source.
Therefore, if a library that is highly environment-dependent is not installed, an error will occur in configure and you will have to check the dependency and install it yourself.
In this article, I will explain how to build Snort using CentOS 7 as an example. The version of Snort etc. is the version at the time of writing this article.
Environment of this article: CentOS Linux release 7.7.1908 (Core)
Snort
--Move directory
# cd /usr/local/src/
--Download Snort
# wget https://www.snort.org/downloads/snort/snort-2.9.16.tar.gz
--Unzip
# tar xzvf snort-2.9.16.tar.gz
--Move directory
# cd snort-2.9.16
- configure
# ./coonfigure
** I get an error when I run configure on CentOS 7 installed with minimal configuration.
The following describes how to install the required libraries for errors that occur after executing configure in the Snort directory. ** **
Libpcap
checking for pcap_datalink in -lpcap... no
checking pfring.h usability... no
checking pfring.h presence... no
checking for pfring.h... no
checking for pfring_open in -lpfring... no
checking for pfring_open in -lpcap... no
ERROR! Libpcap library/headers (libpcap.a (or .so)/pcap.h)
not found, go get it from http://www.tcpdump.org
or use the --with-libpcap-* options, if you have it installed
in unusual place. Also check if your libpcap depends on another
shared library that may be installed in an unusual place
--Download libpcap
# wget http://www.tcpdump.org/release/libpcap-1.9.1.tar.gz
--Unzip
# tar xzvf libpcap-1.9.1.tar.gz
--Move directory
# cd libpcap-1.9.1
- configure
# ./configure - make
# make
# make install
Libpcre
./configure: line 15614: pcre-config: command not found
./configure: line 15620: pcre-config: command not found
checking pcre.h usability... no
checking pcre.h presence... no
checking for pcre.h... no
ERROR! Libpcre header not found.
Get it from http://www.pcre.org
--download pcre
# wget ftp://ftp.pcre.org/pub/pcre/pcre2-10.34.tar.gz
--Unzip
# tar xzvf pcre2-10.34.tar.gz
--Move directory
# cd pcre2-10.34
- configure
# ./configure - make
# make
# make install
pcre-devel
./configure: line 15614: pcre-config: command not found
./configure: line 15620: pcre-config: command not found
checking pcre.h usability... no
checking pcre.h presence... no
checking for pcre.h... no
ERROR! Libpcre header not found.
Get it from http://www.pcre.org
--Installing pcre-devel
# yum install -y pcre-devel
dnet header
checking for SHA256_Init in -lcrypto... no
checking for MD5_Init in -lcrypto... no
checking dnet.h usability... no
checking dnet.h presence... no
checking for dnet.h... no
checking dumbnet.h usability... no
checking dumbnet.h presence... no
checking for dumbnet.h... no
ERROR! dnet header not found, go get it from
http://code.google.com/p/libdnet/ or use the --with-dnet-*
options, if you have it installed in an unusual place
--Installing libdnet and libdnet-devel
# yum install -y libdnet libdnet-devel
daq
./configure: line 16267: daq-modules-config: command not found
checking for daq_load_modules in -ldaq_static... no
ERROR! daq_static library not found, go get it from
http://www.snort.org/.
--download daq
# wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz
--Unzip
# tar xzvf daq-2.0.7.tar.gz
--Move directory
# cd daq-2.0.7
- configure
# ./configure - make
# make
An error occurred in make, so execute ʻautoreconf` and build again
CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/sh /usr/local/src/daq-2.0.7/missing aclocal-1.15 -I m4
/usr/local/src/daq-2.0.7/missing:Line 81: aclocal-1.15:Command not found
WARNING: 'aclocal-1.15' is missing on your system.
You should only need it if you modified 'acinclude.m4' or
'configure.ac' or m4 files included by 'configure.ac'.
The 'aclocal' program is part of the GNU Automake package:
<http://www.gnu.org/software/automake>
It also requires GNU Autoconf, GNU m4 and Perl in order to run:
<http://www.gnu.org/software/autoconf>
<http://www.gnu.org/software/m4/>
<http://www.perl.org/>
make: *** [aclocal.m4]Error 127
- autoconf
# autoreconf - configure
# ./configure - make
# make
# make install
zlib
checking zlib.h usability... no
checking zlib.h presence... no
checking for zlib.h... no
ERROR! zlib header not found, go get it from
http://www.zlib.net
--installing zlib
# yum install -y zlib zlib-devel
LuaJIT
checking for luajit... no
ERROR! LuaJIT library not found. Go get it from http://www.luajit.org/ (or)
Try compiling without openAppId using '--disable-open-appid'
configure: error: "Fatal!"
--Installing LuaJIT-devel
# yum install -y luajit-devel.x86_64
openssl-devel
checking openssl/x509.h usability... no
checking openssl/x509.h presence... no
checking for openssl/x509.h... no
ERROR! openssl/x509.h or openssl library not found.
Try compiling without openAppId using '--disable-open-appid'
configure: error: "Fatal!"
--Installing openssl-devel
# yum install openssl-devel.x86_64
In the environment of this article, after the installation of openssl-devel is completed, Snort's configure is finally completed normally. The following is running in the Snort directory.
- configure
# ./configure - make
# make
# make install
Snort settings
After installing Snort, some settings are required to use Snort.
After that, when using the cp command, it is executed in the directory / usr / local / src / snort-2.9.16.
User created
--User created
# useradd snort
Editing / etc / sysconfig / snort
The / etc / sysconfig / snort file configures the service.
--Copy of snort.sysconfig
# cp rpm/snort.sysconfig /etc/sysconfig/snort
--Edit snort.sysconfig
# vi /etc/sysconfig/snort
Change the value of INTERFACE to the value of the interface you are using.
< INTERFACE=eth0
---
> INTERFACE=enp0s8
Creating a startup script
The default startup script execution path is / usr / sbin / snort. Create a symbolic link because it is different from the installed path.
--Creating a startup script
# cp rpm/snortd /etc/init.d/
# chmod 755 /etc/init.d/snortd
--Creating a symbolic link
# ln -s /usr/local/bin/snort /usr/sbin/snort
Rule set
Generally, in security software and IDS, the characteristic access pattern of an attacker is called a signature. Snort detects malicious packets by referring to the signature described in the ruleset (rule file). The community version of the ruleset on the official website is free to use.
--Download rule set
# cd /tmp
# wget https://www.snort.org/downloads/community/community-rules.tar.gz
--Unzip
# tar xzvf community-rules.tar.gz
--Move directory
# cd community-rules
--Creating a directory
# mkdir -p /etc/snort/rules
--Copy of sid-msg.map
# cp sid-msg.map /etc/snort/
--Copy of community.rules
# cp community.rules /etc/snort/rules/
--Permission change
# chown -R snort.snort /etc/snort
Log settings
--Creating a directory
# mkdir /var/log/snor
--Permission change
# chown -R snort.snort /var/log/snort
--Copy of snort.logrotate
# cd /usr/local/src/snort-2.9.16
# cp rpm/snort.logrotate /etc/logrotate.d/snort
Editing /etc/snort/snort.conf
The /etc/snort/snort.conf file is the operation setting file.
--Editing snort.conf
# vi /etc/snort/snort.conf
Change the value of ** ipvar HOME_NET ** to specify the network to monitor.
< ipvar HOME_NET any
---
> ipvar HOME_NET 192.168.1.0/24
Set the external network address. Basically, specify the default "any".
ipvar EXTERNAL_NET any
Modify the relative path of the following variables to the current path.
< var RULE_PATH ../rules
< var SO_RULE_PATH ../so_rules
< var PREPROC_RULE_PATH ../preproc_rules
---
> var RULE_PATH ./rules
> var SO_RULE_PATH ./so_rules
> var PREPROC_RULE_PATH ./preproc_rules
113,114c113,114
< var WHITE_LIST_PATH ../rules
< var BLACK_LIST_PATH ../rules
---
> var WHITE_LIST_PATH ./rules
> var BLACK_LIST_PATH ./rules
510,512c510,513
Comment out unused settings and add community.rules.
< nested_ip inner, \
< whitelist $WHITE_LIST_PATH/white_list.rules, \
< blacklist $BLACK_LIST_PATH/black_list.rules
---
> # nested_ip inner, \
> nested_ip inner
> # whitelist $WHITE_LIST_PATH/white_list.rules, \
> # blacklist $BLACK_LIST_PATH/black_list.rules
< include $RULE_PATH/app-detect.rules
< include $RULE_PATH/attack-responses.rules
< include $RULE_PATH/backdoor.rules
< include $RULE_PATH/bad-traffic.rules
< include $RULE_PATH/blacklist.rules
< include $RULE_PATH/botnet-cnc.rules
< include $RULE_PATH/browser-chrome.rules
< include $RULE_PATH/browser-firefox.rules
< include $RULE_PATH/browser-ie.rules
< include $RULE_PATH/browser-other.rules
< include $RULE_PATH/browser-plugins.rules
< include $RULE_PATH/browser-webkit.rules
< include $RULE_PATH/chat.rules
< include $RULE_PATH/content-replace.rules
< include $RULE_PATH/ddos.rules
< include $RULE_PATH/dns.rules
< include $RULE_PATH/dos.rules
< include $RULE_PATH/experimental.rules
< include $RULE_PATH/exploit-kit.rules
< include $RULE_PATH/exploit.rules
< include $RULE_PATH/file-executable.rules
< include $RULE_PATH/file-flash.rules
< include $RULE_PATH/file-identify.rules
< include $RULE_PATH/file-image.rules
< include $RULE_PATH/file-multimedia.rules
< include $RULE_PATH/file-office.rules
< include $RULE_PATH/file-other.rules
< include $RULE_PATH/file-pdf.rules
< include $RULE_PATH/finger.rules
< include $RULE_PATH/ftp.rules
< include $RULE_PATH/icmp-info.rules
< include $RULE_PATH/icmp.rules
< include $RULE_PATH/imap.rules
< include $RULE_PATH/indicator-compromise.rules
< include $RULE_PATH/indicator-obfuscation.rules
< include $RULE_PATH/indicator-shellcode.rules
< include $RULE_PATH/info.rules
< include $RULE_PATH/malware-backdoor.rules
< include $RULE_PATH/malware-cnc.rules
< include $RULE_PATH/malware-other.rules
< include $RULE_PATH/malware-tools.rules
< include $RULE_PATH/misc.rules
< include $RULE_PATH/multimedia.rules
< include $RULE_PATH/mysql.rules
< include $RULE_PATH/netbios.rules
< include $RULE_PATH/nntp.rules
< include $RULE_PATH/oracle.rules
< include $RULE_PATH/os-linux.rules
< include $RULE_PATH/os-other.rules
< include $RULE_PATH/os-solaris.rules
< include $RULE_PATH/os-windows.rules
< include $RULE_PATH/other-ids.rules
< include $RULE_PATH/p2p.rules
< include $RULE_PATH/phishing-spam.rules
< include $RULE_PATH/policy-multimedia.rules
< include $RULE_PATH/policy-other.rules
< include $RULE_PATH/policy.rules
< include $RULE_PATH/policy-social.rules
< include $RULE_PATH/policy-spam.rules
< include $RULE_PATH/pop2.rules
< include $RULE_PATH/pop3.rules
< include $RULE_PATH/protocol-finger.rules
< include $RULE_PATH/protocol-ftp.rules
< include $RULE_PATH/protocol-icmp.rules
< include $RULE_PATH/protocol-imap.rules
< include $RULE_PATH/protocol-pop.rules
< include $RULE_PATH/protocol-services.rules
< include $RULE_PATH/protocol-voip.rules
< include $RULE_PATH/pua-adware.rules
< include $RULE_PATH/pua-other.rules
< include $RULE_PATH/pua-p2p.rules
< include $RULE_PATH/pua-toolbars.rules
< include $RULE_PATH/rpc.rules
< include $RULE_PATH/rservices.rules
< include $RULE_PATH/scada.rules
< include $RULE_PATH/scan.rules
< include $RULE_PATH/server-apache.rules
< include $RULE_PATH/server-iis.rules
< include $RULE_PATH/server-mail.rules
< include $RULE_PATH/server-mssql.rules
< include $RULE_PATH/server-mysql.rules
< include $RULE_PATH/server-oracle.rules
< include $RULE_PATH/server-other.rules
< include $RULE_PATH/server-webapp.rules
< include $RULE_PATH/shellcode.rules
< include $RULE_PATH/smtp.rules
< include $RULE_PATH/snmp.rules
< include $RULE_PATH/specific-threats.rules
< include $RULE_PATH/spyware-put.rules
< include $RULE_PATH/sql.rules
< include $RULE_PATH/telnet.rules
< include $RULE_PATH/tftp.rules
< include $RULE_PATH/virus.rules
< include $RULE_PATH/voip.rules
< include $RULE_PATH/web-activex.rules
< include $RULE_PATH/web-attacks.rules
< include $RULE_PATH/web-cgi.rules
< include $RULE_PATH/web-client.rules
< include $RULE_PATH/web-coldfusion.rules
< include $RULE_PATH/web-frontpage.rules
< include $RULE_PATH/web-iis.rules
< include $RULE_PATH/web-misc.rules
< include $RULE_PATH/web-php.rules
< include $RULE_PATH/x11.rules
---
> include $RULE_PATH/community.rules
Set the promiscuous mode to receive packets destined for other hosts. Add the ** PROMISC ** settings to the interface file.
--Network settings
# vi /etc/sysconfig/network-scripts/ifcfg-enp0s8
PROMISC=yes
Operation check of Snort
Create a rule for verification and check the operation. In this article, we will use ping detection as an example.
Edit rule file
The rule file is stored under / etc / snort / rules.
Describes the rule file.
The rule file signature consists of a rule header and a rule body.
Rule Header: Rule Accession/protocol/IP address/port/Direction operator/IP address/port/
Rule body: Optional
There are the following types of rule actions.
| Type | Overview |
|---|---|
| alert | Outputs packets that match the rules to the log and outputs a warning |
| log | Output packets that match the rules to the log |
| pass | Ignore packets that match the rule |
| acitive | Outputs a warning for packets that match the rule and executes the action of the corresponding dynamic rule |
| dynamic | Output the corresponding packet to the log |
--Edit local.rules
# vi /etc/snort/rules/local.rules
alert icmp any any -> any any (msg: "ICMP Packet detected"; sid:999999;)
You will need to restart snort after editing the rule.
Snort startup confirmation
The option -D is specified in the default startup script, so if you run the startup script, it will start in daemon mode.
- Start-up
# /etc/init.d/snortd start
** Check the syslog to make sure there are no errors at startup. ** **
If it is started normally, you can check the following process.
[root@localhost snort-2.9.16]# ps aux | grep snort | grep -v grep
snort 11481 0.0 6.3 164828 64456 ? Ssl 03:03 0:07 /usr/sbin/snort -A fast -b -d -D -i enp0s8 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
You can also start it as a sniffer as shown below. If you start it as a sniffer, it will take time to process, so basically you will not use it for anything other than checking the operation.
# snort -v
Running in packet dump mode
--== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "enp0s3".
Decoding Ethernet
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.16 GRE (Build 118)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.9.1 (with TPACKET_V3)
Using PCRE version: 8.32 2012-11-30
Using ZLIB version: 1.2.7
Commencing packet processing (pid=17768)
Validation of rules file (local.rules)
Ping from another terminal. If you look at the log below, you can see that the ICMP packet was detected.
--Log check
# tail -f /var/log/snort/alert
04/22-03:04:27.545270 [**] [1:999999:0] ICMP Packet detected [**] [Priority: 0] {ICMP} 192.168.1.10 -> 192.168.1.16
in conclusion
Installation of Snot is difficult, but in actual operation, tuning of the ruleset occurs and work such as checking abnormalities from a huge log is required.
There is a tool called Oinkmaster that can automatically update the rule file, and SnortSnarf that can convert the log file output by Snort into an HTML file so that it can be checked on a Web browser.
As an aside, Snort means snorting.