Snort & OpenAppID on ESXi virtual ubuntu (2 NICs)


Network intrusion detection and prevention with Snort and OpenAppID (application identification) on an ESXi Ubuntu virtual machine (2 NICs) with PF_RING.

Snort is an open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS), created by Martin Roesch in 1998 and owned by Cisco since 2013.

 

For our test we need a MASQUERADE rule in iptables between the two NICs to provide NAT. See the post about the Bro framework for the how-to.


Prepare & Install

 

OpenAppID

 

Install the prerequisites from the Ubuntu repositories


$ sudo apt-get install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev libnghttp2-dev libluajit-5.1-dev pkg-config openssl libssl-dev checkinstall autoconf automake libtool

Create the source folder for our install

 

$ mkdir ~/snort_src
$ cd ~/snort_src


Download and install the Data Acquisition library (DAQ)


$ wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
$ tar -xvzf daq-2.0.6.tar.gz
$ cd daq-2.0.6
$ ./configure
$ make
$ sudo checkinstall

**********************************************************************

 Done. The new package has been installed and saved to

 /home/sysadmin/snort_src/daq-2.0.6/daq_2.0.6-1_amd64.deb

 You can remove it from your system anytime using:

 dpkg -r daq

**********************************************************************

Use checkinstall; it makes removal easier later. To remove the package, run dpkg -r daq


Snort

 

You’re ready to install it; build with the --enable-open-appid and --enable-sourcefire options to enable OpenAppID support.


$ cd ..
$ wget https://snort.org/downloads/snort/snort-2.9.9.0.tar.gz
$ tar -xvzf snort-2.9.9.0.tar.gz
$ cd snort-2.9.9.0
$ ./configure --enable-sourcefire --enable-open-appid
$ make
$ sudo checkinstall

**********************************************************************

 Done. The new package has been installed and saved to

 /home/sysadmin/snort_src/snort-2.9.9.0/snort_2.9.9.0-1_amd64.deb

 You can remove it from your system anytime using:

 dpkg -r snort

**********************************************************************

As before, use checkinstall to get a Debian package (.deb) in the directory.


Update the shared libraries

 

sudo ldconfig

Specifics

 

Time to create a few directories and files


# Create the Snort directories:
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /etc/snort/rules/iplists
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules
 
# Create some files that stores rules and ip lists
sudo touch /etc/snort/rules/iplists/black_list.rules
sudo touch /etc/snort/rules/iplists/white_list.rules
sudo touch /etc/snort/rules/local.rules
sudo touch /etc/snort/sid-msg.map
 
# Create our logging directories:
sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs
 
# Adjust permissions:
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
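A note on the mode used above: 5775 is rwxrwxr-x plus the setuid (4) and sticky (1) bits, and because chmod -R applies a numeric mode to files as well as directories, every rules file under /etc/snort ends up carrying those bits too. The script below is an added example (not part of the original post): it decodes a numeric mode and lists everything under a tree that has a setuid/setgid/sticky bit or is world-writable, so you can see exactly what the recursive chmod left behind. It assumes a POSIX find and the directories created above.

```shell
#!/bin/sh
# Added example: decode a numeric chmod mode and audit a directory tree for
# special bits. Not part of the original post; the paths in the usage lines
# are the ones created by the steps above.

# describe_mode OCTAL -> prints which of setuid/setgid/sticky/world-writable
# the numeric mode carries (or "none")
describe_mode() {
    m=$(( 0$1 ))              # leading 0 makes the shell parse the digits as octal
    out=""
    [ $(( m & 04000 )) -ne 0 ] && out="$out setuid"
    [ $(( m & 02000 )) -ne 0 ] && out="$out setgid"
    [ $(( m & 01000 )) -ne 0 ] && out="$out sticky"
    [ $(( m & 00002 )) -ne 0 ] && out="$out world-writable"
    [ -z "$out" ] && out=" none"
    printf '%s:%s\n' "$1" "$out"
}

# audit_tree DIR -> prints every file or directory under DIR that has setuid,
# setgid or sticky set, or that is writable by everyone
audit_tree() {
    find "$1" \( -perm -4000 -o -perm -2000 -o -perm -1000 -o -perm -0002 \) -print
}

# Usage on the sensor, after the chmod commands above:
#   describe_mode 5775
#   audit_tree /etc/snort
#   audit_tree /var/log/snort
```

If the audit lists your rules files with the setuid bit, a plain 775 on the directories and 664 on the files gives the same read/write access without the special bits.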

Next, copy a few files


cd ~/snort_src/snort-2.9.9.0/etc/
sudo cp *.conf* /etc/snort
sudo cp *.map /etc/snort
sudo cp *.dtd /etc/snort
cd ~/snort_src/snort-2.9.9.0/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/
sudo cp * /usr/local/lib/snort_dynamicpreprocessor/

Finish this part by running the following command

 

sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf

 

Edit the /etc/snort/snort.conf

 

On line 45 set your local network (the one to protect)


###################################################
# Step #1: Set the network variables. For more information, see README.variables
###################################################

# Setup the network addresses you are protecting
ipvar HOME_NET 172.16.0.0/20

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any

Starting at line 104, modify a few lines like this


# Path to your rules files (this can be a relative path)
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\rules
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

# If you are using reputation preprocessor set these
# Currently there is a bug with relative paths, they are relative to where snort is
# not relative to snort.conf like the above variables
# This is completely inconsistent with how other vars work, BUG 89986
# Set the absolute path appropriately
var WHITE_LIST_PATH /etc/snort/rules/iplists
var BLACK_LIST_PATH /etc/snort/rules/iplists

Uncomment line 546 to enable the local.rules file

 

###################################################
# Step #7: Customize your rule set
# For more information, see Snort Manual, Writing Snort Rules
#
# NOTE: All categories are enabled in this conf file
###################################################

# site specific rules
include $RULE_PATH/local.rules

It’s time for a first test


$ sudo snort -T -i ens160 -c /etc/snort/snort.conf

 --== Initialization Complete ==--

 ,,_ -*> Snort! <*-
 o" )~ Version 2.9.9.0 GRE (Build 56)
 '''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
 Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
 Copyright (C) 1998-2013 Sourcefire, Inc., et al.
 Using libpcap version 1.7.4
 Using PCRE version: 8.38 2015-11-23
 Using ZLIB version: 1.2.8

 Rules Engine: SF_SNORT_DETECTION_ENGINE Version 3.0 <Build 1>
 Preprocessor Object: SF_POP Version 1.0 <Build 1>
 Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>
 Preprocessor Object: appid Version 1.1 <Build 5>
 Preprocessor Object: SF_SMTP Version 1.1 <Build 9>
 Preprocessor Object: SF_REPUTATION Version 1.1 <Build 1>
 Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>
 Preprocessor Object: SF_MODBUS Version 1.1 <Build 1>
 Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
 Preprocessor Object: SF_GTP Version 1.1 <Build 1>
 Preprocessor Object: SF_SDF Version 1.1 <Build 1>
 Preprocessor Object: SF_SSH Version 1.1 <Build 3>
 Preprocessor Object: SF_IMAP Version 1.0 <Build 1>
 Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
 Preprocessor Object: SF_DNS Version 1.1 <Build 4>
 Preprocessor Object: SF_SIP Version 1.1 <Build 1>

Snort successfully validated the configuration!
Snort exiting

Application Detector Package

 

Download the Application Detector Package, which contains the rules for detecting types of traffic, and copy the extracted files. Also create a folder for third-party application detectors.


$ cd ~/snort_src
$ wget https://snort.org/downloads/openappid/5048 -O snort-openappid.tar.gz
$ tar -xvzf snort-openappid.tar.gz
$ sudo cp -r ~/snort_src/odp/ /etc/snort/rules/
$ sudo mkdir /usr/local/lib/thirdparty

Enable OpenAppID

 

Edit /etc/snort/snort.conf: add the appid preprocessor before Step 6 (after preprocessor reputation) and configure the output plugins of Step 6


# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
 memcap 500, \
 priority whitelist, \
 nested_ip inner, \
 whitelist $WHITE_LIST_PATH/white_list.rules, \
 blacklist $BLACK_LIST_PATH/black_list.rules

preprocessor appid: app_stats_filename appstats-u2.log, \
 app_stats_period 60, \
 app_detector_dir /etc/snort/rules

###################################################
# Step #6: Configure output plugins
# For more information, see Snort Manual, Configuring Snort - Output Modules
###################################################

# unified2
# Recommended for most installs
output unified2: filename snort.u2, limit 128, appid_event_types

# Additional configuration for specific types of installs
# output alert_unified2: filename snort.alert, limit 128, nostamp
# output log_unified2: filename snort.log, limit 128, nostamp

# syslog
# output alert_syslog: LOG_AUTH LOG_ALERT

# pcap
# output log_tcpdump: tcpdump.log

Enable HTTP uri & hostname logging

 

We want to log the URI and the hostname (only logged in Unified2 mode); edit /etc/snort/snort.conf and add log_uri and log_hostname to the http_inspect_server configuration


# HTTP normalization and anomaly detection. For more information, see README.http_inspect
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
preprocessor http_inspect_server: server default \
 http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
 chunk_length 500000 \
 server_flow_depth 0 \
 client_flow_depth 0 \
 post_depth 65495 \
 oversize_dir_length 500 \
 max_header_length 750 \
 max_headers 100 \
 max_spaces 200 \
 small_chunk_length { 10 5 } \
 ports { 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555 } \
 non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
 enable_cookie \
 extended_response_inspection \
 inspect_gzip \
 normalize_utf \
 unlimited_decompress \
 normalize_javascript \
 apache_whitespace no \
 ascii no \
 bare_byte no \
 directory no \
 double_decode no \
 iis_backslash no \
 iis_delimiter no \
 iis_unicode no \
 multi_slash no \
 utf_8 no \
 u_encode yes \
 webroot no \
 log_uri \
 log_hostname

Launch at startup (as systemd service)

Create systemd service file at /lib/systemd/system/snort.service with the following contents:

 

[Unit]
Description=Snort: Network Intrusion Detection & Prevention
After=syslog.target network.target
Documentation=https://www.snort.org/

[Service]
Type=simple
#User=root
#Group=
WorkingDirectory=/var/log/snort
ExecStart=/usr/local/bin/snort -i ens160 -c /etc/snort/snort.conf -k none

[Install]
WantedBy=multi-user.target

Make a symbolic link and activate the service.


$ sudo ln -s /lib/systemd/system/snort.service /etc/systemd/system/multi-user.target.wants/snort.service
$ sudo systemctl daemon-reload
$ sudo systemctl enable snort.service

Start and check the status


$ sudo service snort start
$ sudo service snort status
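The unit above keeps Snort running as root for its whole lifetime: User= is commented out and ExecStart passes no -u/-g. Snort's -u and -g options let it drop to an unprivileged account once the capture interface is open, and the Barnyard2 section later in this post already assumes a snort user and group exist (chown snort.snort). The script below is an added example, not part of the original post: it renders a unit that drops to that account and includes a small check that flags an installed unit which still runs as root. The snort account, the /usr/local/bin/snort path and the unit location are assumptions; create the account first (for example useradd -r -s /usr/sbin/nologin -d /var/log/snort snort) and give it ownership of /var/log/snort, otherwise the unified2 files cannot be written after the privilege drop.

```shell
#!/bin/sh
# Added example (not from the original post): render a Snort unit that drops
# privileges, and flag a unit file that still runs Snort as root.
# Assumptions: a system account "snort" with group "snort" exists, the binary
# is /usr/local/bin/snort and the unit lives under /lib/systemd/system.

# render_unit IFACE USER GROUP -> prints a unit whose ExecStart drops to USER:GROUP
render_unit() {
    cat <<EOF
[Unit]
Description=Snort: Network Intrusion Detection & Prevention
After=syslog.target network.target
Documentation=https://www.snort.org/

[Service]
Type=simple
WorkingDirectory=/var/log/snort
ExecStart=/usr/local/bin/snort -i $1 -c /etc/snort/snort.conf -k none -u $2 -g $3

[Install]
WantedBy=multi-user.target
EOF
}

# runs_as_root UNITFILE -> returns 0 if the unit leaves Snort running as root:
# no non-root User= line, and no "-u <name>" on the ExecStart line
runs_as_root() {
    if grep -Eq '^User=[[:space:]]*[^[:space:]]' "$1" && ! grep -Eq '^User=[[:space:]]*root[[:space:]]*$' "$1"; then
        return 1                      # systemd starts the process as another user
    fi
    if grep -E '^ExecStart=' "$1" | grep -Eq -- '(^|[[:space:]])-u[[:space:]]+[^[:space:]]+'; then
        return 1                      # snort itself drops to another user
    fi
    return 0
}

# Usage on the sensor (as root), after "chown -R snort:snort /var/log/snort":
#   render_unit ens160 snort snort > /lib/systemd/system/snort.service
#   runs_as_root /lib/systemd/system/snort.service && echo "unit still runs as root"
#   systemctl daemon-reload && systemctl restart snort.service
```

Snort still needs root (or CAP_NET_RAW) at startup to open the interface, so the drop happens inside Snort via -u/-g rather than through User= in the unit; the check treats either form as sufficient.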

Barnyard2-extra

 

This version contains functionality and features not found (yet) in the original Barnyard2: support for database storage of “ExtraData” and a new database schema to store Unified2 “ExtraData”.


Prerequisites


$ sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool

Install

 

$ cd ~/snort_src
$ git clone https://github.com/beave/barnyard2-extra.git
$ cd barnyard2-extra
$ autoreconf -fvi -I ./m4
$ sudo ln -s /usr/include/dumbnet.h /usr/include/dnet.h
$ sudo ldconfig
$ ./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu --enable-dns --enable-healthcheck
$ make
$ sudo checkinstall

**********************************************************************

 Done. The new package has been installed and saved to

 /home/sysadmin/snort_src/barnyard2-extra/barnyard2_2.1.14-1_amd64.deb

 You can remove it from your system anytime using:

 dpkg -r barnyard2

**********************************************************************

Check the installation


$ /usr/local/bin/barnyard2 -V


 ______ -*> Barnyard2 <*-
 / ,,_ \ Version 2.1.14 (Build 336-Quadrant-7)
 |o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' + (C) Copyright 2008-2013 Ian Firns <firnsy@securixlive.com>
 Modified by Champ Clark <clark@quadrantsec.com> & Adam Hall
 <ahall@quadrantsec.com> - DNS, Health and ExtraData.

Configure Snort to use Barnyard2

 

sudo cp ~/snort_src/barnyard2-extra/etc/barnyard2.conf /etc/snort/
 
# the /var/log/barnyard2 folder is never used or referenced
# but barnyard2 will error without it existing
sudo mkdir /var/log/barnyard2
sudo chown snort.snort /var/log/barnyard2
 
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort.snort /var/log/snort/barnyard2.waldo

The MySQL database


$ mysql -u root -p
mysql> create database radius;
mysql> use radius;
mysql> source ~/snort_src/barnyard2-extra/schemas/create_mysql
mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY 'MYSQLSNORTPASSWORD';
mysql> grant create, insert, select, delete, update on radius.* to 'snort'@'localhost';
mysql> exit

Edit the /etc/snort/barnyard2.conf file

 

# database: log to a variety of databases
# ----------------------------------------------------------------------------
#
# Purpose: This output module provides logging ability to a variety of databases
# See doc/README.database for additional information.
#
# Examples:
output database: log, mysql, user=snort password=MYSQLSNORTPASSWORD dbname=radius host=localhost sensor_name=sensor01
#   output database: alert, postgresql, user=snort dbname=snort
#   output database: log, odbc, user=snort dbname=snort
#   output database: log, mssql, dbname=snort user=snort password=test
#   output database: log, oracle, dbname=snort user=snort password=test
#

 

Protect the barnyard2.conf file

$ sudo chmod o-r /etc/snort/barnyard2.conf

 

Disable Strict SQL Mode

 

Due to an incompatibility we need to deactivate the STRICT_TRANS_TABLES mode. To do this, create the file /etc/mysql/conf.d/disable_strict_mode.cnf with the following contents


[mysqld]
sql_mode=IGNORE_SPACE,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION

Then restart the mysql service.
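The post configures Barnyard2 but never starts it. The script below is an added example, not from the original post or the barnyard2-extra project: it checks the pieces the sections above created (the config file holding the database password, the unified2 spool directory, and the waldo bookmark file) and then assembles the command line that makes barnyard2 tail snort.u2 continuously. The options used (-c config, -d spool directory, -f unified2 base filename, -w waldo file, -D daemonize) are standard Barnyard2 options; the paths default to the ones used in this post.

```shell
#!/bin/sh
# Added example (not from the original post or barnyard2-extra): preflight
# checks for the Barnyard2 setup above, then the command line to start it.

# by2_preflight CONF SPOOL_DIR WALDO -> prints every problem found and returns
# non-zero; returns 0 when the three pieces are ready for barnyard2
by2_preflight() {
    c=$1; s=$2; w=$3; rc=0
    if [ ! -r "$c" ]; then
        echo "missing or unreadable config: $c"; rc=1
    elif find "$c" -perm -0004 | grep -q .; then
        # the file holds the database password, so "chmod o-r" must have happened
        echo "config is world-readable: $c"; rc=1
    fi
    if [ ! -d "$s" ]; then
        echo "missing unified2 spool directory: $s"; rc=1
    fi
    if [ ! -f "$w" ]; then
        echo "missing waldo bookmark file: $w"; rc=1
    fi
    if [ -r "$c" ] && ! grep -Eq '^[[:space:]]*output[[:space:]]+database:' "$c"; then
        echo "no active 'output database:' line in $c"; rc=1
    fi
    return $rc
}

# by2_command CONF SPOOL_DIR BASENAME WALDO -> prints the barnyard2 invocation:
# -c config, -d spool dir, -f unified2 base filename (snort.u2 from snort.conf),
# -w waldo bookmark so restarts resume where the last run stopped, -D daemonize
by2_command() {
    printf '/usr/local/bin/barnyard2 -c %s -d %s -f %s -w %s -D\n' "$1" "$2" "$3" "$4"
}

# Usage on the sensor (as root), with the post's paths:
#   by2_preflight /etc/snort/barnyard2.conf /var/log/snort /var/log/snort/barnyard2.waldo \
#     && sh -c "$(by2_command /etc/snort/barnyard2.conf /var/log/snort snort.u2 /var/log/snort/barnyard2.waldo)"
```

The waldo file is what lets barnyard2 pick up after a restart without re-inserting events it already wrote to the database, which is why the post creates it before the first run.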

 

 

MAYEUX Alexandre

Follower of computing and technology evolution since November 29, 1972 (pong release)
