Wednesday, November 9, 2011

Snort gets a little help from swatch

Wanna know who is attacking your network and be notified ASAP? Maybe this setup might help you. Snort is a well developed open source IDS/IPS (intrusion detection/prevention system). An IDS is basically a sniffer (like tcpdump, wireshark, etc.) that looks at all the packets on the network and keeps an eye out for only interesting information. When it sees information that might be of interest (like a tcp port scan), it will log the packets pertaining to the port scan. An IDS will only log these packets, but doesn't take the extra steps to prevent the network attack from happening. An IPS will take the role of the IDS one step farther and has the ability to perform other actions in addition to logging. These might include blocking ports, setting firewall rules to block traffic based on port or ip address, etc.

Lets start using snort.

Snort can be used as a regular sniffer, like tcpdump. See the commands below:
# snort -dev -i eth0

To log the packets to a file, use the -l switch and specify a directory. Snort will create the file for you.
# snort -dev -i eth0 -l /root/snort/

Depending on your defaults, snort may log in Ascii mode or pcap mode. You can use the -K switch to specify (ascii, pcap or none).
# snort -K Ascii -dev -i eth0 -l /root/snort

To log packets in tcpdump format you can use the -b only.
# snort -b -dev -i eth0 -l /root/snort

Using snort as an IDS

This is accomplished by specifying a config file on the command line.
# snort -c snort.conf -i eth0

I always like to use -A for alert mode. Basically a file gets created called alerts, and when bad traffic is seen on the network, snort will make a note of it in this alert file. There are a few options for these, but i like using the fast option (see man snort for more details). Note that two files are created, the alert file and the snort.log file. The alert file will contain syslog like log entires when an attach happens and the snort log file will contain the bad traffic data(in tcpdump format if thats the option you went with) that triggered the alerts.
# snort -A fast -c snort.conf -i eth0

The snort.conf file is well doucmented and easy to configue. Here is a very barebones config file example.

var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH $IDS_BASE/rules

include /etc/snort/classification.config

include $RULE_PATH/icmp.rules

The above example snort.conf will look for bad icmp traffic. If you ping your loopback interface, snort will generate some alerts and start logging this traffic.

How swatch can help you.

I blogged about swatch already so you can refer to my posting on that. Swatch can be used to monitor a snort alert file and be configured to send an email to you when a specific alert gets triggered. See the video below for a demonstration.

combining snort and swatch from aerokid240 on Vimeo.

One issue that will arise is that you may start recieving multiple emails. For example, if 4 ping packets were sent from the loopback address, then 4 alerts should be triggered by snort. Therefore, when swatch is notified about these alerts, 4 emails would be sent instead of just one. So if snort sets the same alert 100 times, you can expect 100 emails in this setup. I'm sure you can set swatch to run a script that would overcome this problem, but that is beyond what i wanted to demonstrate in this post.

Resources/Good Reading:
snort.org
pauldotcom.com





No comments:

Post a Comment