What is Snort?

Introduction

Snort is a Network Intrusion Detection System used to detect and prevent intrusions into the network. Detection is done through protocol discovery, content analysis, and various preprocessors.

Snort comes with features including detection of various types of attacks, buffer overflows, stealth port scanning, CGI attacks, and more.

Snort 2.9 introduces the DAQ data acquisition library for packet I/O. DAQ replaces direct calls to libpcap functions with an abstraction layer that makes it easy to operate on a variety of hardware and software interfaces without requiring changes to Snort.

Prerequisites

On the web01 server in the DMZ.

Stop httpd

# systemctl stop httpd

# systemctl disable httpd

Replace firewalld with iptables if it is not already done.

# yum install iptables-services -y

# systemctl stop firewalld

# systemctl disable firewalld

# yum remove firewalld -y

# systemctl start iptables

# systemctl enable iptables

Clean the iptables rules and set the default policies to ACCEPT

# iptables -F

# iptables -X

# iptables -vnL (check the rules)

# iptables -P INPUT ACCEPT

# iptables -P OUTPUT ACCEPT

# iptables -P FORWARD ACCEPT

# iptables -vnL (check the rules again)

# /sbin/service iptables save

You should see this message:

iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]

SElinux

You must also set SELinux to disabled.

Validate the state of SELinux

# getenforce

If the result is not Disabled, you must change it. Here is the command with sed (the change takes effect after the reboot below):

# sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config

Install the necessary tools for this lab

# yum install -y git wget vim net-tools epel-release

# yum install -y gcc flex bison zlib libpcap pcre libdnet libdnet-devel tcpdump

Update the system and restart

# yum update -y && reboot

Installation

Snort

Download Snort: https://www.snort.org/downloads/snort/snort-2.9.15.1-1.centos7.x86_64.rpm

Navigate to the download folder in a terminal and install Snort

# yum install snort-2.9.15.1-1.centos7.x86_64.rpm -y

Test that Snort is installed correctly

# snort -v

If you get an error message about libdnet.1, create the missing symlink:

# ln -s /usr/lib64/libdnet.so.1.0.1 /usr/lib64/libdnet.1

Otherwise press CTRL + C to stop the scrolling output (snort -v runs Snort as a verbose packet sniffer).

Community rules

Download the community rules and unpack the tarball, then copy the rules to the /etc/snort/rules folder

# wget https://www.snort.org/rules/community -O ~/community.tar.gz

# tar -xvf ~/community.tar.gz -C ~/

# cp ~/community-rules/* /etc/snort/rules

As we only use the community rules, modify the configuration file so that it does not look for rule files that are not installed

# sed -i 's/^include \$RULE_PATH/#include \$RULE_PATH/' /etc/snort/snort.conf

The command above comments out every line that starts with include $RULE_PATH.

Editing the file snort.conf

There are some changes to make with the configuration file.

# vi /etc/snort/snort.conf

Make the following changes:

ipvar HOME_NET 192.168.100.16/29

ipvar EXTERNAL_NET !$HOME_NET

var RULE_PATH /etc/snort/rules

var SO_RULE_PATH /etc/snort/so_rules

var PREPROC_RULE_PATH /etc/snort/preproc_rules

var WHITE_LIST_PATH /etc/snort/rules

var BLACK_LIST_PATH /etc/snort/rules

At the end of the file, add the following lines

include $RULE_PATH/local.rules

include $RULE_PATH/community.rules

Save and quit (first press ESC, then Shift+Q, then :wq)

Create missing rule files

# touch /etc/snort/rules/white_list.rules

# touch /etc/snort/rules/black_list.rules

# touch /etc/snort/rules/local.rules

# mkdir /usr/local/lib/snort_dynamicrules

Validate the configuration

# snort -T -c /etc/snort/snort.conf

First rule

Create a rule in the file local.rules

# vim /etc/snort/rules/local.rules

Add the following line (as a single line)

alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001; classtype:icmp-event;)

Save and quit (first press ESC, then Shift+Q, then :wq)

Rule Header

Action             alert

Protocol           icmp, ip, tcp, udp, any

Source IP          IP address / variable / any

Source Port        Port number / any

Direction          -> / <> (direction of communication between source and destination)

Destination IP     IP address / variable / any

Destination Port   Port number / any

Rule Options

msg:"ICMP test"        Snort includes this message in the alert

sid:10000001           ID number of the rule. All numbers less than 1,000,000 are reserved; above that you can use the number you want

rev:001                Revision number, for internal use. Makes maintaining the rules easier

classtype:icmp-event   Categorizes the rule with one of the predefined classtypes. Helps with organizing the rules.

Test the rule

On the DMZ server, launch this command

# snort -A console -q -c /etc/snort/snort.conf -i eth0

Convert Snort from HIDS to NIDS (Network Intrusion Detection)

If Snort is in console mode, press CTRL + C to stop it

Create a rule in the file local.rules

# vim /etc/snort/rules/local.rules

Edit the line you added, replacing $HOME_NET with any

alert icmp any any -> any any (msg:"ICMP test"; sid:10000001; rev:001; classtype:icmp-event;)

Save and quit

Restart the Snort console and keep the terminal open

# snort -A console -q -c /etc/snort/snort.conf -i eth0
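As an added illustration that is not part of the tutorial, the following Python script parses the rule anatomy described in the Rule Header and Rule Options tables, applies the checks those tables imply (required options, the reserved SID range, no ports for icmp), and performs the $HOME_NET to any rewrite from the step above. The option names, the reserved SID threshold and the lab rule come from this page; the function names and the accepted action/protocol lists are assumptions of the example.

```python
import re

# Added example, not code from the tutorial: a minimal parser for the
# Snort 2 rule lines used in this lab, plus the checks worth running on
# local.rules before loading it with `snort -T`.

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>ip|icmp|tcp|udp)\s+"
    r"(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*"
    r"\((?P<options>.*)\)\s*$"
)

LOCAL_SID_MIN = 1000000  # SIDs below this are reserved for official rule sets

def parse_rule(line):
    """Split one Snort rule into its header fields and an options dict."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a valid Snort rule: " + line)
    rule = {k: v for k, v in m.groupdict().items() if k != "options"}
    opts = {}
    for opt in m.group("options").split(";"):
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    rule["options"] = opts
    return rule

def check_local_rule(line):
    """Return the problems found in a local.rules entry (empty list = OK)."""
    rule = parse_rule(line)
    opts = rule["options"]
    problems = [f"missing option: {k}" for k in ("msg", "sid", "rev") if k not in opts]
    if "sid" in opts and int(opts["sid"]) < LOCAL_SID_MIN:
        problems.append(f"sid {opts['sid']} is in the reserved range")
    if rule["proto"] == "icmp" and (rule["src_port"], rule["dst_port"]) != ("any", "any"):
        problems.append("icmp has no ports; use 'any' for both port fields")
    return problems

def widen_home_net(line):
    """Rewrite $HOME_NET to any, the change made before mirroring traffic to the sensor."""
    return line.replace("$HOME_NET", "any")

# Constructed input: the lab rule from local.rules.
LAB_RULE = 'alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001; classtype:icmp-event;)'
```

Running check_local_rule over every line of local.rules before `snort -T` catches a reserved SID or a missing rev earlier than the Snort configuration test does.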

Network Firewall configuration

Configuring rules of the mangle table on the network firewall (the TEE target clones each matching packet to the Snort sensor at 192.168.100.18 while the original packet continues unchanged)

# iptables -t mangle -A PREROUTING -d 192.168.100.0/28 -j TEE --gateway 192.168.100.18

# iptables -t mangle -A POSTROUTING -s 192.168.100.0/28 -j TEE --gateway 192.168.100.18

# service iptables save

Test a ping

From the VM srv01, ping a school server

# ping 192.168.20.10

See the result in the Snort console.
