zbeng

IPS System Based on Snort


The tutorial deals with the installation, configuration and the maintenance of an IPS system based on Snort.

Testing Environment

The testing environment used in this tutorial consists of:

1. hakin9 live 2.8-ng

2. a computer equipped with three network interface cards: eth0, eth1 and eth2

Purpose

After completing the exercises below, the user will have gained knowledge regarding the configuration and maintenance of an IPS system based on the Snort program.

Step 1. Configuring the network bridge

We are building a network bridge which will be used as an IPS system.

We assign interfaces eth0 and eth1 to the br0 interface, which is our bridge, and configure eth2 as the management interface through which the machine itself is administered. For that purpose we use the makeBridge.sh and eth2Config.sh shell scripts.

Step 2. Configuring Snort

The only step we have to take is to modify the Snort configuration file /etc/snort/snort.conf. We don't have any attack signatures yet, and Snort refuses to start when an included rules file is missing, so we comment out (by adding a # at the beginning of each line) every line of the form:

include $RULE_PATH/*.rules

These lines can be found at the end of the configuration file.

We also change the line:

var RULE_PATH ../rules

into

var RULE_PATH /etc/snort/rules

and add:

config layer2resets

which makes snort_inline send the TCP resets it generates at layer 2 (needed on a bridge, which has no IP address of its own to send them from).

We then create our own rules in the file /etc/snort/rules/test.rules, one for each kind of traffic we want to catch (the tests below use an SSH connection attempt, an ICMP echo request and a DNS query).

Now all we have to do is let Snort know about our rules file; in /etc/snort/snort.conf we add the line:

include $RULE_PATH/test.rules

That's it!

Step 3. Configuring iptables

We configure iptables so that every packet forwarded over the bridge goes through the QUEUE target, where snort_inline (started with -Q) picks it up and decides whether to pass or drop it. We do this with the iptabConfig.sh shell script.

We can also modify the script so that Snort only sees packets addressed to WWW servers: iptabConfigWWW.sh
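The shell scripts named in Steps 1 and 3 are not reproduced on the page. The following script is an added example of what they have to do, not the tutorial's own code: it builds the bridge, gives eth2 a management address, and installs the QUEUE rules. The interface roles, the 192.168.0.0/24 management address and the bridge-nf sysctl are assumptions; the WWW variant goes a little beyond the page by queueing the replies from port 80 as well, so that Snort sees both directions of a connection. With DRY_RUN=1 it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example of what the tutorial's makeBridge.sh, eth2Config.sh and
# iptabConfig.sh / iptabConfigWWW.sh have to do (the page does not show them).
# Interface roles and the 192.168.0.0/24 management address are assumptions.
# With DRY_RUN=1 every command is printed instead of executed, so the script
# can be reviewed on a machine that does not have the three NICs.

BRIDGE=${BRIDGE:-br0}
INSIDE=${INSIDE:-eth0}
OUTSIDE=${OUTSIDE:-eth1}
ADMIN_IF=${ADMIN_IF:-eth2}
ADMIN_IP=${ADMIN_IP:-192.168.0.10/24}   # assumed management address
ADMIN_GW=${ADMIN_GW:-192.168.0.1}       # assumed gateway

run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 1: eth0 and eth1 become ports of br0. Bridge ports carry no IP
# address, and the bridge itself gets none either, so the IPS is invisible
# to the hosts whose traffic it forwards.
make_bridge() {
    run brctl addbr "$BRIDGE"
    run brctl stp "$BRIDGE" off
    for port in "$INSIDE" "$OUTSIDE"; do
        run ip addr flush dev "$port"
        run brctl addif "$BRIDGE" "$port"
        run ip link set "$port" promisc on up
    done
    run ip link set "$BRIDGE" up
    # bridged frames must reach the iptables FORWARD chain for the QUEUE rule
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# eth2 is the only interface with an address: use it for ssh and rule updates.
config_admin_if() {
    run ip addr add "$ADMIN_IP" dev "$ADMIN_IF"
    run ip link set "$ADMIN_IF" up
    run ip route add default via "$ADMIN_GW" dev "$ADMIN_IF"
}

# Step 3: hand every forwarded packet to ip_queue, where snort -Q reads it.
# Queued packets with no listener are dropped, so if Snort is not running
# nothing crosses the bridge (fail closed).
config_iptables() {
    run modprobe ip_queue
    run iptables -F FORWARD
    run iptables -A FORWARD -j QUEUE
}

# Variant of Step 3: queue only traffic to and from web servers (port 80).
config_iptables_www() {
    run modprobe ip_queue
    run iptables -F FORWARD
    run iptables -A FORWARD -p tcp --dport 80 -j QUEUE
    run iptables -A FORWARD -p tcp --sport 80 -j QUEUE
}

if [ $# -gt 0 ]; then
    case "$1" in
        bridge)   make_bridge ;;
        admin)    config_admin_if ;;
        iptables) config_iptables ;;
        www)      config_iptables_www ;;
        all)      make_bridge; config_admin_if; config_iptables ;;
        *)        echo "usage: $0 bridge|admin|iptables|www|all" >&2; exit 2 ;;
    esac
fi
```

Run it as root with `all` once the NICs are cabled; `DRY_RUN=1 ./ips-setup.sh all` first shows exactly what will be executed. Note that the QUEUE rule fails closed: packets queued to ip_queue while no Snort process is attached are discarded, so the bridge stops forwarding whenever Snort is down.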

Step 4. Testing the IPS

Once we have Snort installed and all rules configured as described above, we can start testing our settings.

If a host sends a TCP SYN to port 22 through the bridge, the system records the following message in its logs:

[**] [1:0:0] Port 22 Connection Initiated [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
09/19-20:19:07.436667 192.168.0.2:1049 -> 193.219.28.2:22
TCP TTL:128 TOS:0x0 ID:702 IpLen:20 DgmLen:48 DF
******S* Seq: 0x29821EB9 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

An Echo Request will result in the following:

[**] [1:0:0] ICMP Echo Request [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
09/19-20:12:57.194560 192.168.0.2 -> 212.76.32.1
ICMP TTL:128 TOS:0x0 ID:420 IpLen:20 DgmLen:60
Type:8 Code:0 ID:512 Seq:256 ECHO

If Snort sees a packet matching the third rule, a DNS query to port 53, the result is:

[**] [1:0:0] DNS Request [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
09/19-20:21:12.989775 192.168.0.2:1041 -> 212.76.39.45:53
UDP TTL:128 TOS:0x0 ID:818 IpLen:20 DgmLen:59
Len: 31
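The rule lines that produce these three alerts are not shown on the page. The script below is an added example, not the tutorial's test.rules: it writes three rules with the message strings and the attempted-user classification seen in the output above. The sid numbers are an assumption (the page's alerts print [1:0:0] because its rules carried no sid), and the lint function is a check added here so that a typo in the file is caught before Snort is pointed at it.

```shell
#!/bin/sh
# Added example of a test.rules that produces the three alerts shown above;
# the tutorial's own rule lines are not reproduced on the page. The sid
# numbers are an assumption (the page's alerts print [1:0:0] because its
# rules had no sid). ACTION=alert writes log-only rules for a first run,
# ACTION=drop (the default) makes snort_inline block the matching packets.

write_test_rules() {
    rules_file=${1:-/etc/snort/rules/test.rules}
    action=${ACTION:-drop}
    cat > "$rules_file" <<EOF
# test.rules written by write_test_rules (action: $action)
# 1: TCP SYN towards port 22, either direction through the bridge
$action tcp any any -> any 22 (msg:"Port 22 Connection Initiated"; flags:S; classtype:attempted-user; sid:1000001; rev:1;)
# 2: ICMP echo request (type 8)
$action icmp any any -> any any (msg:"ICMP Echo Request"; itype:8; classtype:attempted-user; sid:1000002; rev:1;)
# 3: DNS query
$action udp any any -> any 53 (msg:"DNS Request"; classtype:attempted-user; sid:1000003; rev:1;)
EOF
}

# Sanity check before pointing snort.conf at the file: every active rule
# must start with a known snort_inline action and carry msg and sid options.
lint_rules() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        case "$line" in
            "alert "*|"log "*|"pass "*|"drop "*|"reject "*|"sdrop "*) ;;
            *) echo "unknown action: $line" >&2; bad=1; continue ;;
        esac
        case "$line" in
            *'msg:'*'sid:'*) ;;
            *) echo "missing msg or sid: $line" >&2; bad=1 ;;
        esac
    done < "$1"
    return $bad
}

# Number of active (non-comment) rules in the file.
count_rules() {
    grep -c '^[a-z]' "$1" || true
}
```

Write the file with ACTION=alert first and watch the log while generating the three kinds of traffic; once the alerts look right, rewrite it with the default drop action and restart Snort, after which the SSH connection attempt and the DNS query no longer get through the bridge.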

Step 5. Installing official rules

The first task is to obtain the current rules from the Snort homepage. They are available at http://www.snort.org/rules/

The downloaded archive should be uncompressed into the /etc/snort/ directory.

The default action for all rules is to record the attack (the alert action). Since we are going to block attacks, we must change the action of every rule from alert to drop. We can accomplish this with the chRules.sh shell script.

The last thing to do before restarting Snort is another modification of /etc/snort/snort.conf: we uncomment the include lines to which we added the # sign in Step 2.

If all went well, the time has come to start our system (-Q selects inline mode, -D runs Snort as a daemon):

# snort -Q -D -c /etc/snort/snort.conf -l /var/log/snort
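chRules.sh is not shown on the page. The following is an added example of the two edits this step needs, not the tutorial's script: it rewrites the action of every active rule in the rules directory from alert to drop and puts the include lines in snort.conf back. Both functions take the directory or file as an argument, so they can be tried on a copy first; the paths are the page's own. The sed pattern only touches lines that begin with "alert ", so commented-out rules and the word alert inside a msg string are left alone.

```shell
#!/bin/sh
# Added example of what the tutorial's chRules.sh has to do: turn every
# active "alert" rule in the official rule set into a "drop" rule, and
# re-enable the include lines in snort.conf that were commented out in Step 2.
# Not the tutorial's own script; paths default to the ones used on the page.

RULE_DIR=${RULE_DIR:-/etc/snort/rules}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}

# Only lines that begin with the action are rewritten, so commented-out
# rules and "alert" appearing inside a msg string stay untouched.
alert_to_drop() {
    dir=${1:-$RULE_DIR}
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        sed -i 's/^alert /drop /' "$f"
    done
}

# Undo the Step 2 edit: "# include $RULE_PATH/x.rules" -> "include $RULE_PATH/x.rules"
enable_includes() {
    conf=${1:-$SNORT_CONF}
    sed -i 's/^#[[:space:]]*\(include \$RULE_PATH\/[^ ]*\.rules\)/\1/' "$conf"
}

# How many rules still alert instead of drop; 0 is what we want before
# starting snort in inline mode.
remaining_alerts() {
    cat "${1:-$RULE_DIR}"/*.rules | grep -c '^alert ' || true
}
```

After running both functions on the live paths, `remaining_alerts` should print 0; a non-zero count means some rule file was not picked up by the glob (for example a file that does not end in .rules) and would still only log.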

Step 6. Automatic Updates of the Snort Rules

The first thing is the installation of the Oinkmaster program:

$ tar zxvf oinkmaster-1.2.tar.gz
$ cd oinkmaster-1.2
# cp oinkmaster.pl /usr/local/bin/
# cp oinkmaster.conf /etc/

Now we must configure the program. We will need the oinkcode generated for the rules meant for registered users: we register at the Snort homepage and generate the code there. We choose which rules to update by editing the oinkmaster.conf file. We uncomment the line:

# url = http://www.snort.org/pub-bin/oinkmaster.cgi/oinkcode/snortrules-snapshot-CURRENT.tar.gz

by removing the # sign at its beginning and replace oinkcode with the code generated for us on the Snort homepage. That code is tied to our account, so oinkmaster.conf should be readable by root only.

There is still one more oinkmaster.conf modification to make. We add the line:

modifysid * "^alert" | "drop"

Due to this last modification the default action for all updated rules will be to drop suspicious packets rather than only report them.

Now all we have to do is run the program:

oinkmaster.pl -o /etc/snort/rules/

Snort reads its rules only at start-up, so it has to be restarted after every update for the new rules to take effect.
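Running oinkmaster from cron is only useful if the new rules are actually loaded and a half-configured oinkmaster.conf does not silently replace the rule set with alert-only rules. The script below is an added example of such an update job; it is not part of the tutorial or of oinkmaster. It refuses to run while the oinkcode placeholder is still in the url line or the modifysid line is missing, keeps a backup of the previous rules, and restarts Snort only when the rule set changed. The backup directory and the SIGHUP restart of a single snort process are assumptions about the local installation.

```shell
#!/bin/sh
# Added example of an update job around oinkmaster, the way cron would call
# it; not part of the tutorial or of oinkmaster. It refuses to run while the
# oinkcode placeholder is still in oinkmaster.conf, keeps a backup of the
# previous rule set, and restarts Snort only when the rules actually changed.
# BACKUP_DIR and the SIGHUP restart of one "snort" process are assumptions.

OINK_CONF=${OINK_CONF:-/etc/oinkmaster.conf}
RULE_DIR=${RULE_DIR:-/etc/snort/rules}
BACKUP_DIR=${BACKUP_DIR:-/var/backups/snort-rules}

# Returns 0 when the config has an active url with a real oinkcode and the
# modifysid line that turns downloaded alert rules into drop rules.
check_oink_conf() {
    conf=${1:-$OINK_CONF}
    if ! grep -q '^url = http' "$conf"; then
        echo "$conf: no active url line" >&2; return 1
    fi
    if grep -q '^url = .*/oinkcode/' "$conf"; then
        echo "$conf: oinkcode placeholder was never replaced" >&2; return 1
    fi
    if ! grep -qxF 'modifysid * "^alert" | "drop"' "$conf"; then
        echo "$conf: downloaded rules would alert instead of drop" >&2; return 1
    fi
    return 0
}

# One checksum over the whole rule set, to tell whether an update changed it.
rules_checksum() {
    cat "${1:-$RULE_DIR}"/*.rules 2>/dev/null | cksum | cut -d' ' -f1
}

update_rules() {
    check_oink_conf "$OINK_CONF" || return 1
    mkdir -p "$BACKUP_DIR"
    before=$(rules_checksum "$RULE_DIR")
    # -C config, -o output dir, -b backup dir (written only when rules change), -q quiet
    oinkmaster.pl -C "$OINK_CONF" -o "$RULE_DIR" -b "$BACKUP_DIR" -q || return 1
    after=$(rules_checksum "$RULE_DIR")
    if [ "$before" != "$after" ]; then
        # Snort reads rules only at start-up; SIGHUP makes it restart and
        # re-read them (assumption: a single process named snort is running).
        pkill -HUP -x snort || echo "rules updated but snort is not running" >&2
    fi
}
```

A nightly cron entry would call `update_rules` from this file; because Snort restarts only when the checksum changes, a night without new rules leaves the running process untouched.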
