zbeng Posted November 14, 2006

The tutorial deals with the installation, configuration and maintenance of an IPS system based on Snort.

Testing Environment

The testing environment used in this tutorial consists of the following:
1. hakin9 live 2.8-ng
2. a computer equipped with three network interface cards: eth0, eth1, eth2

Purpose

After completing the exercises below, the user will have gained knowledge of the configuration and maintenance of an IPS system based on the Snort program.

Step 1. Configuring the network bridge

We are building a network bridge which will be used as an IPS system. We assign interfaces eth0 and eth1 to the br0 interface, which is our bridge, and configure eth2, which will be used to administer the entire machine. For that purpose we use the makeBridge.sh and eth2Config.sh shell scripts.

Step 2. Configuring Snort

The only step we have to take is the modification of the Snort configuration file /etc/snort/snort.conf. We don't have any attack signatures yet, so we turn all lines of the form

    include $RULE_PATH/*.rules

into comment lines (by adding a # at the beginning of each line). The lines can be found at the end of the configuration file.

We also change the line:

    var RULE_PATH ../rules

into

    var RULE_PATH /etc/snort/rules

and add:

    config layer2resets

We then create our own rules by adding appropriate lines to the /etc/snort/rules/test.rules file. Now all we have to do is let Snort know about our rules file; in /etc/snort/snort.conf we add the line:

    include $RULE_PATH/test.rules

That's it!

Step 3. Configuring iptables

We will configure iptables in a way which forces all received packets to go through the Snort system. We do this with the iptabConfig.sh shell script. We can also modify the script so that Snort inspects only those packets addressed to WWW servers: iptabConfigWWW.sh

Step 4.
Testing the IPS

Once we have Snort installed and all rules configured as described above, we can start testing our settings. If a packet is sent from the network to port 22 on our computer, the system will register the following message in its logs:

    [**] [1:0:0] Port 22 Connection Initiated [**]
    [Classification: Attempted User Privilege Gain] [Priority: 1]
    09/19-20:19:07.436667 192.168.0.2:1049 -> 193.219.28.2:22
    TCP TTL:128 TOS:0x0 ID:702 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0x29821EB9 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK

An Echo Request will result in the following:

    [**] [1:0:0] ICMP Echo Request [**]
    [Classification: Attempted User Privilege Gain] [Priority: 1]
    09/19-20:12:57.194560 192.168.0.2 -> 212.76.32.1
    ICMP TTL:128 TOS:0x0 ID:420 IpLen:20 DgmLen:60
    Type:8 Code:0 ID:512 Seq:256 ECHO

If Snort finds a packet corresponding to the third rule, the result will be as follows:

    [**] [1:0:0] DNS Request [**]
    [Classification: Attempted User Privilege Gain] [Priority: 1]
    09/19-20:21:12.989775 192.168.0.2:1041 -> 212.76.39.45:53
    UDP TTL:128 TOS:0x0 ID:818 IpLen:20 DgmLen:59
    Len: 31

Step 5. Installing official rules

The first task is to obtain current rules from the Snort homepage. They are available at http://www.snort.org/rules/ . The downloaded archive should be uncompressed into the /etc/snort/ directory.

The default action taken by Snort for all rules is to register an attack (the alert directive). Since we are going to block attacks, we must modify all rules appropriately by changing the alert action to drop. We can accomplish this with the chRules.sh shell script.

The last thing we need to do before restarting Snort is yet another modification of the /etc/snort/snort.conf file (we must uncomment the include lines to which we previously added the # sign).

If all went well, the time has come to start our system:

    # snort -Q -D -c /etc/snort/snort.conf -l /var/log/snort

Step 6.
Automatic Updates of the Snort System

The first thing is the installation of the Oinkmaster program:

    $ tar zxvf oinkmaster-1.2.tar.gz
    $ cd oinkmaster-1.2
    # cp oinkmaster.pl /usr/local/bin/
    # cp oinkmaster.conf /etc/

Now we must configure the program. We will need the oinkcode generated for the rules meant for registered users; we register at the Snort homepage and generate the appropriate code. We choose which rules we want to update by editing the oinkmaster.conf file. We uncomment the line:

    # url = http://www.snort.org/pub-bin/oinkmaster.cgi/oinkcode/snortrules-snapshot-CURRENT.tar.gz

by removing the # sign at its beginning, and replace oinkcode with the code generated for us by the script on the Snort homepage.

There is still one more oinkmaster.conf modification to make. We add the line:

    modifysid * "^alert" | "drop"

Due to this last modification, the default action for all updated rules will be to drop suspicious packets rather than just report them.

Now all we have to do is start the program:

    oinkmaster.pl -o /etc/snort/rules/
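The makeBridge.sh, eth2Config.sh and iptabConfig.sh scripts referred to in Steps 1 and 3 are not reproduced in the post. The script below is an added example, not the author's scripts, showing the commands such scripts typically contain: a bridge whose monitored interfaces carry no IP address, a management address on eth2, and a FORWARD rule that hands packets to the QUEUE target that snort -Q reads from. The interface names br0, eth0, eth1 and eth2 come from the post; the management address 192.168.0.10/255.255.255.0, the function names and the DRY_RUN switch are assumptions made here.

```shell
#!/bin/sh
# Added example; not the makeBridge.sh / eth2Config.sh / iptabConfig.sh
# scripts from the original post.  Assumes bridge-utils (brctl), ifconfig,
# iptables and the Linux ip_queue module behind the QUEUE target.
# With DRY_RUN=1 the commands are printed instead of executed.

run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 1: bridge two interfaces into one bridge device.  The bridged
# interfaces get no IP address, so the IPS has no presence on the monitored
# segment; promiscuous mode lets them pick up every frame.
make_bridge() {
    br=$1; if0=$2; if1=$3
    run brctl addbr "$br"
    run brctl addif "$br" "$if0"
    run brctl addif "$br" "$if1"
    run ifconfig "$if0" 0.0.0.0 promisc up
    run ifconfig "$if1" 0.0.0.0 promisc up
    run ifconfig "$br" up
}

# Step 1 (eth2Config.sh part): the management interface gets the only
# address on the box.  Address and mask are assumed values.
config_mgmt() {
    run ifconfig "$1" "$2" netmask "$3" up
}

# Step 3: divert forwarded (bridged) packets to the QUEUE target, where
# snort -Q picks them up.  Mode "all" queues every forwarded packet,
# mode "www" only TCP traffic to port 80 (the iptabConfigWWW.sh variant).
config_iptables() {
    mode=${1:-all}
    run modprobe ip_queue
    run iptables -F FORWARD
    case "$mode" in
        all) run iptables -A FORWARD -j QUEUE ;;
        www) run iptables -A FORWARD -p tcp --dport 80 -j QUEUE ;;
        *)   echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# Typical invocation (not run when this file is sourced for testing):
#   make_bridge br0 eth0 eth1
#   config_mgmt eth2 192.168.0.10 255.255.255.0
#   config_iptables all      # or: config_iptables www
```

Run it once with DRY_RUN=1 to review the commands before applying them. Two points matter in practice: bridged frames only traverse the iptables FORWARD chain when bridge netfilter is active (the bridge-nf-call-iptables sysctl on kernels that expose it), and a QUEUE rule with no Snort process attached to ip_queue drops every queued packet, so the FORWARD rule should be installed after snort -Q is running and removed before it is stopped.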
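The post does not show the contents of test.rules (Step 2) or of chRules.sh (Step 5). The following is an added example, not the author's files: it writes three rules that produce the messages and the "Attempted User Privilege Gain" / Priority 1 classification seen in the Step 4 logs, then rewrites the alert action to drop across a rules directory, which is the transformation chRules.sh is described as doing and which the Oinkmaster modifysid line in Step 6 applies to updated rules. The sid values 1000001 to 1000003 and the function names are assumptions; the post's own rules log as sid 0.

```shell
#!/bin/sh
# Added example; not the test.rules or chRules.sh from the original post.
# Assumes Snort 2 rule syntax and a snort.conf that includes the default
# classification.config (which maps attempted-user to priority 1).

# Step 2: the three test rules.  Written with the default "alert" action;
# flags:S restricts the first rule to connection attempts (SYN only), and
# itype:8 limits the second to Echo Requests.  sids are constructed values.
write_test_rules() {
    cat > "$1" <<'EOF'
# Constructed test rules (added example, not the original post's file)
alert tcp any any -> any 22 (msg:"Port 22 Connection Initiated"; flags:S; classtype:attempted-user; sid:1000001; rev:1;)
alert icmp any any -> any any (msg:"ICMP Echo Request"; itype:8; classtype:attempted-user; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"DNS Request"; classtype:attempted-user; sid:1000003; rev:1;)
# alert tcp any any -> any 23 (msg:"Telnet, kept disabled"; classtype:attempted-user; sid:1000004; rev:1;)
EOF
}

# Step 5: turn every active "alert" rule in a directory into a "drop" rule.
# Only lines that start with the action keyword are rewritten, so
# commented-out rules, "var" lines and "#alert" notes are left untouched.
# The temp-file-and-rename form avoids the non-portable sed -i.
ch_rules() {
    for f in "$1"/*.rules; do
        [ -f "$f" ] || continue
        sed 's/^alert[[:space:]]/drop /' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Count active rules with a given action in one file; useful as a sanity
# check before restarting Snort (0 alert rules left means nothing will only
# be reported when the intent is to block).
count_action() {
    grep -c "^$2[[:space:]]" "$1" || true
}

# Typical use (not executed here):
#   write_test_rules /etc/snort/rules/test.rules
#   ch_rules /etc/snort/rules
#   count_action /etc/snort/rules/test.rules drop
```

After rewriting the rules, `snort -T -c /etc/snort/snort.conf` parses the configuration and every included rules file without starting inline processing, which catches a rule broken by the edit before the bridge goes live. The same "alert" to "drop" rewrite is what the `modifysid * "^alert" | "drop"` line in Step 6 applies to each Oinkmaster update, so rules fetched later do not silently revert to alert-only behaviour.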