Linux security measures Intrusion detection by Snort

Introduction

This article describes Snort intrusion detection as a Linux security measure.

Snort is an open source network IDS. It can be used free of charge under the GPL (GNU General Public License).

スクリーンショット 2020-04-23 12.32.37.png

It's still under development, so you can download and use the latest ruleset for free.

Building Snort

Snort is provided as a source, so you need to download and maik the source.

Therefore, if a library that is highly environment-dependent is not installed, an error will occur in configure and you will have to check the dependency and install it yourself.

In this article, I will explain how to build Snort using CentOS 7 as an example. The version of Snort etc. is the version at the time of writing this article.

Environment of this article: CentOS Linux release 7.7.1908 (Core)

Snort

--Move directory # cd /usr/local/src/ --Download Snort # wget https://www.snort.org/downloads/snort/snort-2.9.16.tar.gz --Unzip # tar xzvf snort-2.9.16.tar.gz --Move directory # cd snort-2.9.16

** I get an error when I run configure on CentOS 7 installed with minimal configuration. The following describes how to install the required libraries for errors that occur after executing configure in the Snort directory. ** **

Libpcap

checking for pcap_datalink in -lpcap... no
checking pfring.h usability... no
checking pfring.h presence... no
checking for pfring.h... no
checking for pfring_open in -lpfring... no
checking for pfring_open in -lpcap... no

   ERROR!  Libpcap library/headers (libpcap.a (or .so)/pcap.h)
   not found, go get it from http://www.tcpdump.org
   or use the --with-libpcap-* options, if you have it installed
   in unusual place.  Also check if your libpcap depends on another
   shared library that may be installed in an unusual place

--Download libpcap # wget http://www.tcpdump.org/release/libpcap-1.9.1.tar.gz --Unzip # tar xzvf libpcap-1.9.1.tar.gz --Move directory # cd libpcap-1.9.1

Libpcre

./configure: line 15614: pcre-config: command not found
./configure: line 15620: pcre-config: command not found
checking pcre.h usability... no
checking pcre.h presence... no
checking for pcre.h... no

   ERROR!  Libpcre header not found.
   Get it from http://www.pcre.org

--download pcre # wget ftp://ftp.pcre.org/pub/pcre/pcre2-10.34.tar.gz --Unzip # tar xzvf pcre2-10.34.tar.gz --Move directory # cd pcre2-10.34

pcre-devel

./configure: line 15614: pcre-config: command not found
./configure: line 15620: pcre-config: command not found
checking pcre.h usability... no
checking pcre.h presence... no
checking for pcre.h... no

   ERROR!  Libpcre header not found.
   Get it from http://www.pcre.org

--Installing pcre-devel # yum install -y pcre-devel

dnet header

checking for SHA256_Init in -lcrypto... no
checking for MD5_Init in -lcrypto... no
checking dnet.h usability... no
checking dnet.h presence... no
checking for dnet.h... no
checking dumbnet.h usability... no
checking dumbnet.h presence... no
checking for dumbnet.h... no

   ERROR!  dnet header not found, go get it from
   http://code.google.com/p/libdnet/ or use the --with-dnet-*
   options, if you have it installed in an unusual place

--Installing libdnet and libdnet-devel # yum install -y libdnet libdnet-devel

daq

./configure: line 16267: daq-modules-config: command not found
checking for daq_load_modules in -ldaq_static... no

   ERROR!  daq_static library not found, go get it from
   http://www.snort.org/.

--download daq # wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz --Unzip # tar xzvf daq-2.0.7.tar.gz --Move directory # cd daq-2.0.7

An error occurred in make, so execute ʻautoreconf` and build again

CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/sh /usr/local/src/daq-2.0.7/missing aclocal-1.15 -I m4
/usr/local/src/daq-2.0.7/missing:Line 81: aclocal-1.15:Command not found
WARNING: 'aclocal-1.15' is missing on your system.
         You should only need it if you modified 'acinclude.m4' or
         'configure.ac' or m4 files included by 'configure.ac'.
         The 'aclocal' program is part of the GNU Automake package:
         <http://www.gnu.org/software/automake>
         It also requires GNU Autoconf, GNU m4 and Perl in order to run:
         <http://www.gnu.org/software/autoconf>
         <http://www.gnu.org/software/m4/>
         <http://www.perl.org/>
make: *** [aclocal.m4]Error 127

zlib

checking zlib.h usability... no
checking zlib.h presence... no
checking for zlib.h... no

   ERROR!  zlib header not found, go get it from
   http://www.zlib.net

--installing zlib # yum install -y zlib zlib-devel

LuaJIT

checking for luajit... no

   ERROR!  LuaJIT library not found. Go get it from http://www.luajit.org/ (or)
   Try compiling without openAppId using '--disable-open-appid'
configure: error: "Fatal!"

--Installing LuaJIT-devel # yum install -y luajit-devel.x86_64

openssl-devel

checking openssl/x509.h usability... no
checking openssl/x509.h presence... no
checking for openssl/x509.h... no

   ERROR!  openssl/x509.h or openssl library not found.
   Try compiling without openAppId using '--disable-open-appid'
configure: error: "Fatal!"

--Installing openssl-devel # yum install openssl-devel.x86_64

In the environment of this article, after the installation of openssl-devel is completed, Snort's configure is finally completed normally. The following is running in the Snort directory.

Snort settings

After installing Snort, some settings are required to use Snort.

After that, when using the cp command, it is executed in the directory / usr / local / src / snort-2.9.16.

User created

--User created # useradd snort

Editing / etc / sysconfig / snort

The / etc / sysconfig / snort file configures the service.

--Copy of snort.sysconfig # cp rpm/snort.sysconfig /etc/sysconfig/snort

--Edit snort.sysconfig # vi /etc/sysconfig/snort

Change the value of INTERFACE to the value of the interface you are using.

< INTERFACE=eth0
---
> INTERFACE=enp0s8

Creating a startup script

The default startup script execution path is / usr / sbin / snort. Create a symbolic link because it is different from the installed path.

--Creating a startup script # cp rpm/snortd /etc/init.d/
# chmod 755 /etc/init.d/snortd --Creating a symbolic link # ln -s /usr/local/bin/snort /usr/sbin/snort

Rule set

Generally, in security software and IDS, the characteristic access pattern of an attacker is called a signature. Snort detects malicious packets by referring to the signature described in the ruleset (rule file). The community version of the ruleset on the official website is free to use.

--Download rule set # cd /tmp
# wget https://www.snort.org/downloads/community/community-rules.tar.gz --Unzip # tar xzvf community-rules.tar.gz --Move directory # cd community-rules --Creating a directory # mkdir -p /etc/snort/rules --Copy of sid-msg.map # cp sid-msg.map /etc/snort/ --Copy of community.rules # cp community.rules /etc/snort/rules/ --Permission change # chown -R snort.snort /etc/snort

Log settings

--Creating a directory # mkdir /var/log/snor --Permission change # chown -R snort.snort /var/log/snort --Copy of snort.logrotate # cd /usr/local/src/snort-2.9.16
# cp rpm/snort.logrotate /etc/logrotate.d/snort

Editing /etc/snort/snort.conf

The /etc/snort/snort.conf file is the operation setting file.

--Editing snort.conf # vi /etc/snort/snort.conf

Change the value of ** ipvar HOME_NET ** to specify the network to monitor.

< ipvar HOME_NET any
---
> ipvar HOME_NET 192.168.1.0/24

Set the external network address. Basically, specify the default "any".

ipvar EXTERNAL_NET any

Modify the relative path of the following variables to the current path.

< var RULE_PATH ../rules
< var SO_RULE_PATH ../so_rules
< var PREPROC_RULE_PATH ../preproc_rules
---
> var RULE_PATH ./rules
> var SO_RULE_PATH ./so_rules
> var PREPROC_RULE_PATH ./preproc_rules
113,114c113,114
< var WHITE_LIST_PATH ../rules
< var BLACK_LIST_PATH ../rules
---
> var WHITE_LIST_PATH ./rules
> var BLACK_LIST_PATH ./rules
510,512c510,513

Comment out unused settings and add community.rules.

<    nested_ip inner, \
<    whitelist $WHITE_LIST_PATH/white_list.rules, \
<    blacklist $BLACK_LIST_PATH/black_list.rules 
---
> #   nested_ip inner, \
>    nested_ip inner
> #   whitelist $WHITE_LIST_PATH/white_list.rules, \
> #   blacklist $BLACK_LIST_PATH/black_list.rules 

< include $RULE_PATH/app-detect.rules
< include $RULE_PATH/attack-responses.rules
< include $RULE_PATH/backdoor.rules
< include $RULE_PATH/bad-traffic.rules
< include $RULE_PATH/blacklist.rules
< include $RULE_PATH/botnet-cnc.rules
< include $RULE_PATH/browser-chrome.rules
< include $RULE_PATH/browser-firefox.rules
< include $RULE_PATH/browser-ie.rules
< include $RULE_PATH/browser-other.rules
< include $RULE_PATH/browser-plugins.rules
< include $RULE_PATH/browser-webkit.rules
< include $RULE_PATH/chat.rules
< include $RULE_PATH/content-replace.rules
< include $RULE_PATH/ddos.rules
< include $RULE_PATH/dns.rules
< include $RULE_PATH/dos.rules
< include $RULE_PATH/experimental.rules
< include $RULE_PATH/exploit-kit.rules
< include $RULE_PATH/exploit.rules
< include $RULE_PATH/file-executable.rules
< include $RULE_PATH/file-flash.rules
< include $RULE_PATH/file-identify.rules
< include $RULE_PATH/file-image.rules
< include $RULE_PATH/file-multimedia.rules
< include $RULE_PATH/file-office.rules
< include $RULE_PATH/file-other.rules
< include $RULE_PATH/file-pdf.rules
< include $RULE_PATH/finger.rules
< include $RULE_PATH/ftp.rules
< include $RULE_PATH/icmp-info.rules
< include $RULE_PATH/icmp.rules
< include $RULE_PATH/imap.rules
< include $RULE_PATH/indicator-compromise.rules
< include $RULE_PATH/indicator-obfuscation.rules
< include $RULE_PATH/indicator-shellcode.rules
< include $RULE_PATH/info.rules
< include $RULE_PATH/malware-backdoor.rules
< include $RULE_PATH/malware-cnc.rules
< include $RULE_PATH/malware-other.rules
< include $RULE_PATH/malware-tools.rules
< include $RULE_PATH/misc.rules
< include $RULE_PATH/multimedia.rules
< include $RULE_PATH/mysql.rules
< include $RULE_PATH/netbios.rules
< include $RULE_PATH/nntp.rules
< include $RULE_PATH/oracle.rules
< include $RULE_PATH/os-linux.rules
< include $RULE_PATH/os-other.rules
< include $RULE_PATH/os-solaris.rules
< include $RULE_PATH/os-windows.rules
< include $RULE_PATH/other-ids.rules
< include $RULE_PATH/p2p.rules
< include $RULE_PATH/phishing-spam.rules
< include $RULE_PATH/policy-multimedia.rules
< include $RULE_PATH/policy-other.rules
< include $RULE_PATH/policy.rules
< include $RULE_PATH/policy-social.rules
< include $RULE_PATH/policy-spam.rules
< include $RULE_PATH/pop2.rules
< include $RULE_PATH/pop3.rules
< include $RULE_PATH/protocol-finger.rules
< include $RULE_PATH/protocol-ftp.rules
< include $RULE_PATH/protocol-icmp.rules
< include $RULE_PATH/protocol-imap.rules
< include $RULE_PATH/protocol-pop.rules
< include $RULE_PATH/protocol-services.rules
< include $RULE_PATH/protocol-voip.rules
< include $RULE_PATH/pua-adware.rules
< include $RULE_PATH/pua-other.rules
< include $RULE_PATH/pua-p2p.rules
< include $RULE_PATH/pua-toolbars.rules
< include $RULE_PATH/rpc.rules
< include $RULE_PATH/rservices.rules
< include $RULE_PATH/scada.rules
< include $RULE_PATH/scan.rules
< include $RULE_PATH/server-apache.rules
< include $RULE_PATH/server-iis.rules
< include $RULE_PATH/server-mail.rules
< include $RULE_PATH/server-mssql.rules
< include $RULE_PATH/server-mysql.rules
< include $RULE_PATH/server-oracle.rules
< include $RULE_PATH/server-other.rules
< include $RULE_PATH/server-webapp.rules
< include $RULE_PATH/shellcode.rules
< include $RULE_PATH/smtp.rules
< include $RULE_PATH/snmp.rules
< include $RULE_PATH/specific-threats.rules
< include $RULE_PATH/spyware-put.rules
< include $RULE_PATH/sql.rules
< include $RULE_PATH/telnet.rules
< include $RULE_PATH/tftp.rules
< include $RULE_PATH/virus.rules
< include $RULE_PATH/voip.rules
< include $RULE_PATH/web-activex.rules
< include $RULE_PATH/web-attacks.rules
< include $RULE_PATH/web-cgi.rules
< include $RULE_PATH/web-client.rules
< include $RULE_PATH/web-coldfusion.rules
< include $RULE_PATH/web-frontpage.rules
< include $RULE_PATH/web-iis.rules
< include $RULE_PATH/web-misc.rules
< include $RULE_PATH/web-php.rules
< include $RULE_PATH/x11.rules
---
> include $RULE_PATH/community.rules

Set the promiscuous mode to receive packets destined for other hosts. Add the ** PROMISC ** settings to the interface file.

--Network settings # vi /etc/sysconfig/network-scripts/ifcfg-enp0s8

PROMISC=yes

Operation check of Snort

Create a rule for verification and check the operation. In this article, we will use ping detection as an example.

Edit rule file

The rule file is stored under / etc / snort / rules. Describes the rule file.

The rule file signature consists of a rule header and a rule body.

Rule Header: Rule Accession/protocol/IP address/port/Direction operator/IP address/port/
Rule body: Optional

There are the following types of rule actions.

Type Overview
alert Outputs packets that match the rules to the log and outputs a warning
log Output packets that match the rules to the log
pass Ignore packets that match the rule
acitive Outputs a warning for packets that match the rule and executes the action of the corresponding dynamic rule
dynamic Output the corresponding packet to the log

--Edit local.rules # vi /etc/snort/rules/local.rules

alert icmp any any -> any any (msg: "ICMP Packet detected"; sid:999999;)

You will need to restart snort after editing the rule.

Snort startup confirmation

The option -D is specified in the default startup script, so if you run the startup script, it will start in daemon mode.

** Check the syslog to make sure there are no errors at startup. ** **

If it is started normally, you can check the following process.

[[email protected] snort-2.9.16]# ps aux | grep snort | grep -v grep
snort    11481  0.0  6.3 164828 64456 ?        Ssl  03:03   0:07 /usr/sbin/snort -A fast -b -d -D -i enp0s8 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

You can also start it as a sniffer as shown below. If you start it as a sniffer, it will take time to process, so basically you will not use it for anything other than checking the operation.

# snort -v

Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "enp0s3".
Decoding Ethernet

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.16 GRE (Build 118) 
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.9.1 (with TPACKET_V3)
           Using PCRE version: 8.32 2012-11-30
           Using ZLIB version: 1.2.7

Commencing packet processing (pid=17768)

Validation of rules file (local.rules)

Ping from another terminal. If you look at the log below, you can see that the ICMP packet was detected.

--Log check # tail -f /var/log/snort/alert

04/22-03:04:27.545270  [**] [1:999999:0] ICMP Packet detected [**] [Priority: 0] {ICMP} 192.168.1.10 -> 192.168.1.16

in conclusion

Installation of Snot is difficult, but in actual operation, tuning of the ruleset occurs and work such as checking abnormalities from a huge log is required.

There is a tool called Oinkmaster that can automatically update the rule file, and SnortSnarf that can convert the log file output by Snort into an HTML file so that it can be checked on a Web browser.

As an aside, Snort means snorting.

Recommended Posts

Linux security measures Intrusion detection by Snort
Linux security measures Host intrusion detection (chkrootkit / rkhunter / maldetect)
Effective and simple Web server security measures "Linux"