This article is a supplement to my series of articles detailing the installation of Snort on Ubuntu, available here, but is helpful to anyone who needs to set up a VMware virtual switch for promiscuous mode. When you enable promiscuous mode on a virtual switch, you are allowing any host on that virtual switch to listen to all traffic on that virtual switch, rather than only traffic destined for that host. Because this is a vulnerability (a malicious host could collect information not intended for it), you will only want to configure promiscuous mode if you have a host on that switch that specifically needs to see all traffic on the switch, which is often the case when you have a NIDS like Snort installed.
From the VMware webpage:
To test that promiscuous mode is working correctly on the virtual switch, you have a few options, mostly based around using packet capture software on one host to see if you are able to see traffic passing between two other hosts.
If you configured Snort as detailed in my series of guides (available here), you should still have the rule enabled to alert whenever the Snort server sees ICMP messages. Ping between two different hosts on the virtual switch, and the Snort server should generate alerts.
Other methods of testing whether promiscuous mode is working use packet capture software such as Wireshark or tcpdump: look for traffic passing between two other hosts on the same virtual switch. Wireshark is a graphical tool, while tcpdump is a console tool.
A quick tcpdump to print out ICMP packets (ping echo request and reply for example):
sudo tcpdump -n -q icmp -i eth0
We have chosen to use the following flags in the example above:
-n        Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
-q        Be less verbose (than the default) while capturing packets.
icmp      Only show ICMP messages (ICMP echo request and reply generated by ping).
-i eth0   Listen for traffic on interface eth0
Example output when pinging xkcd.com:
user@server:~$ sudo tcpdump -n -q icmp -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:20:44.811692 IP 192.168.1.109 > 107.6.106.82: ICMP echo request, id 8581, seq 1, length 64
22:20:44.922617 IP 107.6.106.82 > 192.168.1.109: ICMP echo reply, id 8581, seq 1, length 64
22:20:45.811962 IP 192.168.1.109 > 107.6.106.82: ICMP echo request, id 8581, seq 2, length 64
22:20:45.927140 IP 107.6.106.82 > 192.168.1.109: ICMP echo reply, id 8581, seq 2, length 64
22:20:46.812684 IP 192.168.1.109 > 107.6.106.82: ICMP echo request, id 8581, seq 3, length 64
22:20:46.924001 IP 107.6.106.82 > 192.168.1.109: ICMP echo reply, id 8581, seq 3, length 64
22:20:47.814323 IP 192.168.1.109 > 107.6.106.82: ICMP echo request, id 8581, seq 4, length 64
22:20:47.925460 IP 107.6.106.82 > 192.168.1.109: ICMP echo reply, id 8581, seq 4, length 64
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel
user@server:~$
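A scripted version of the tcpdump check above, added here as an example and not part of the original guide: it counts only ICMP packets exchanged between two other hosts, because traffic to or from the sensor itself, or to a broadcast or multicast address, is visible even without promiscuous mode. The function names, the addresses and the sample captures (constructed) are assumptions.

```shell
#!/bin/sh
# Added example: decide from `tcpdump -n -q icmp` text output whether the
# sensor sees ICMP between OTHER hosts, which is what promiscuous mode enables.

# count_foreign_icmp SENSOR_IP [SUBNET_BROADCAST]
# Reads tcpdump lines on stdin and prints how many ICMP packets were neither
# sent by the sensor nor deliverable to it without promiscuous mode
# (its own address, a broadcast address, or multicast 224.0.0.0/4).
count_foreign_icmp() {
    awk -v self="$1" -v bcast="${2:-255.255.255.255}" '
        function seen_anyway(ip,    o) {
            split(ip, o, ".")
            return ip == self || ip == bcast || ip == "255.255.255.255" ||
                   (o[1] >= 224 && o[1] <= 239)
        }
        $2 == "IP" && $4 == ">" && $6 == "ICMP" {
            src = $3
            dst = $5
            sub(/:$/, "", dst)           # tcpdump prints the destination as "ip:"
            if (src != self && !seen_anyway(dst)) n++
        }
        END { print n + 0 }
    '
}

# promisc_verdict SENSOR_IP [SUBNET_BROADCAST]
# Prints PASS or FAIL for the capture on stdin; returns non-zero on FAIL.
promisc_verdict() {
    count=$(count_foreign_icmp "$@")
    if [ "$count" -gt 0 ]; then
        echo "PASS: $count ICMP packets between other hosts were captured"
    else
        echo "FAIL: only the sensor's own or broadcast ICMP traffic was captured"
        return 1
    fi
}

# Constructed sample: sensor 10.0.0.64 pinging 10.0.0.74, plus a ping between
# 10.0.0.74 and 10.0.0.80 and one ping to the subnet broadcast address.
sample_mixed() {
    cat <<'EOF'
22:20:44.811692 IP 10.0.0.64 > 10.0.0.74: ICMP echo request, id 8581, seq 1, length 64
22:20:44.811901 IP 10.0.0.74 > 10.0.0.64: ICMP echo reply, id 8581, seq 1, length 64
22:20:45.100200 IP 10.0.0.74 > 10.0.0.80: ICMP echo request, id 912, seq 1, length 64
22:20:45.100410 IP 10.0.0.80 > 10.0.0.74: ICMP echo reply, id 912, seq 1, length 64
22:20:46.000100 IP 10.0.0.80 > 10.0.0.255: ICMP echo request, id 77, seq 1, length 64
EOF
}

# Constructed sample: what a sensor captures when promiscuous mode is NOT
# working. tcpdump still prints packets, but all of them involve the sensor.
sample_own_only() {
    cat <<'EOF'
22:20:44.811692 IP 10.0.0.64 > 10.0.0.74: ICMP echo request, id 8581, seq 1, length 64
22:20:44.811901 IP 10.0.0.74 > 10.0.0.64: ICMP echo reply, id 8581, seq 1, length 64
EOF
}

# Demo on the constructed capture. Against a live interface, save the tcpdump
# output shown above to a file and feed that file to promisc_verdict on stdin.
sample_mixed | promisc_verdict 10.0.0.64 10.0.0.255
```

The capture printed above, where every packet has 192.168.1.109 as one endpoint, proves promiscuous mode only if 192.168.1.109 is not the host running tcpdump.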
UPDATE: Snort 2.9.9.x has been released. Please see the updated version of my quick install guide here.
I am leaving this older guide online for anyone who wants to install this older version of Snort on Ubuntu, but you really should be using the updated guide for the 2.9.9.x version of Snort, since support for older versions of Snort is set to expire.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The instructions below show how to install Snort 2.9.7.x and 2.9.6.x on both the x86 and x64 architectures for Ubuntu 12, 13, 14, and 15. If you want a more in-depth explanation of the install steps, as well as instructions on how to configure and enhance Snort’s functionality, see my series on installing Snort on Ubuntu. If you want to test the new alpha version of Snort, please see my articles: Installing Snort 3 Alpha in Ubuntu 14, or Ubuntu 12.
So let’s get started. First we need to install all the pre-requisites from the Ubuntu repositories:
sudo apt-get install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev
Disable LRO and GRO for all interfaces (notes on this are in the Snort Manual). This requires the ethtool program:
sudo apt-get install -y ethtool
Use a text editor with sudo to edit the /etc/network/interfaces file and add the following two lines for each interface Snort will listen on:
post-up ethtool -K eth0 gro off
post-up ethtool -K eth0 lro off
For example, my /etc/network/interfaces file looks like this:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp
post-up ethtool -K eth0 gro off
post-up ethtool -K eth0 lro off
Reboot the system and verify that LRO and GRO are off:
user@snortserver:~$ ethtool -k eth0 | grep receive-offload
generic-receive-offload: off
large-receive-offload: off
user@snortserver:~$
Next we will create a directory to save the downloaded tarball files:
mkdir ~/snort_src
cd ~/snort_src
Download and install Data AcQuisition library (DAQ) from the Snort website:
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
tar -xvzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure
make
sudo make install
Now we are ready to install Snort from source:
cd ~/snort_src
wget https://www.snort.org/downloads/snort/snort-2.9.7.6.tar.gz
tar -xvzf snort-2.9.7.6.tar.gz
cd snort-2.9.7.6
./configure --enable-sourcefire
make
sudo make install
Run the following command to update shared libraries:
sudo ldconfig
Since the Snort installation places the Snort binary at /usr/local/bin/snort, it is common to create a symlink to /usr/sbin/snort:
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
The last step of our Snort installation is to test that the Snort binary runs. Execute Snort with the -V flag, which causes Snort to print the current version. You should see output similar to the following:
user@snortserver:~$ snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.7.6 GRE (Build 285)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.3.4

user@snortserver:~$
If you have output similar to the above, then Snort is installed and works. If you want to learn more about how to run Snort, and how to install additional software to enhance a Snort system, see my series on installing Snort on Ubuntu.
UPDATE: Snort 2.9.9.x has been released. Please see the updated series of articles here or my quick install guide here.
I am leaving this older guide online for anyone who wants to install this older version of Snort on Ubuntu, but you really should be using the updated guide for the 2.9.9.x version of Snort, since support for older versions of Snort is set to expire, and the updated guide is kept more up to date and includes BASE instead of Snorby for a Web GUI.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I hope this series of articles has been helpful to you. Please feel free to provide feedback, both issues you experienced and recommendations that you have. The goal of this guide was not just for you to create a Snort NIDS, but to understand how all the parts work together, and get a deeper understanding of all the components, so that you can troubleshoot and modify your Snort NIDS with confidence.
You will probably want to configure your network infrastructure to mirror traffic meant for other hosts to your Snort sensor. This configuration is dependent on what network equipment you are using. If you are running Snort as a Virtual Machine on a VMware ESXi server, you can configure promiscuous mode for ESXi by following my instructions in this article: configure promiscuous mode for ESXi.
For different network infrastructure, you will need to do a little research to configure network mirroring for your Snort server. Cisco calls this a SPAN port, but most other vendors call this Port Mirroring. Instructions for Mikrotik (a Linux-based switch and router product that I like). If you run DD-WRT, it can be configured with iptables, like any Linux-based system. If you have network equipment not listed above, any search engine should point you towards a solution, if one exists. Note that many consumer switches will not have the ability to mirror ports.
Snort has the ability to do much more than we’ve covered in this set of articles. Hopefully you’ve learned enough through this setup that you will be able to implement more advanced configurations and make Snort work for you. Some things that Snort is capable of:
I would love to get feedback from you about this guide. Recommendations, issues, or ideas, please contact me here.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In the previous articles in this series, we have created a complete Snort NIDS with a web interface and rulesets that automatically update. In this article, we will finalize the configuration of our Snort server by creating startup scripts for the Snort and Barnyard2 daemons. We will use Upstart for Ubuntu 12 and 14, and systemD for Ubuntu 15.
Skip down to the Ubuntu 15 systemD scripts.
This section is for Ubuntu 12 and 14. If you are using Ubuntu 15, skip this section and go to the next section titled “Creating a systemD startup script in Ubuntu 15”.
First create the Snort daemon script:
sudo vi /etc/init/snort.conf
We will insert the below content into this Upstart script. Note that we are using the same flags that we used in earlier articles, so if Snort ran correctly for you earlier, then you shouldn’t need to change any of these flags:
description "Snort NIDS service"
stop on runlevel [!2345]
start on runlevel [2345]
script
    exec /usr/sbin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
end script
Now make the script executable, and tell Upstart that the script exists:
sudo chmod +x /etc/init/snort.conf
initctl list | grep snort
snort stop/waiting
Do the same for our Barnyard2 script:
sudo vi /etc/init/barnyard2.conf
with the following content:
description "barnyard2 service"
stop on runlevel [!2345]
start on runlevel [2345]
script
    exec /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort -D
end script
Now make the script executable, and tell Upstart that the script exists:
sudo chmod +x /etc/init/barnyard2.conf
initctl list | grep barnyard
barnyard2 stop/waiting
Reboot the computer and check that both services are started:
user@snortserver:~$ service snort status
snort start/running, process 1116
user@snortserver:~$ service barnyard2 status
barnyard2 start/running, process 1109
user@snortserver:~$
Congratulations, if you have output similar to the above then you have successfully configured an entire Snort NIDS. Continue to the next section to learn about Configuring Promiscuous Mode for ESXi and for our wrap up (or continue below to use Ubuntu 15 systemD startup scripts).
Ubuntu 15 has moved to systemD for services / daemons. For more information about creating and managing systemD services, please see this excellent article.
To create the Snort systemD service, use an editor to create a service file:
sudo vi /lib/systemd/system/snort.service
with the following content (change eth0 if different on your system):
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

[Install]
WantedBy=multi-user.target
Now we tell systemD that the service should be started at boot:
sudo systemctl enable snort
And start the Snort service:
sudo systemctl start snort
Verify the service is running:
systemctl status snort
Next, create the Barnyard2 systemd service. We will add two flags here: -D to run as a daemon, and -a /var/log/snort/archived_logs, which moves logs that Barnyard2 has processed to the /var/log/snort/archived_logs/ folder. Use an editor to create a service file:
sudo vi /lib/systemd/system/barnyard2.service
With the following content:
[Unit]
Description=Barnyard2 Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -q -w /var/log/snort/barnyard2.waldo -g snort -u snort -D -a /var/log/snort/archived_logs

[Install]
WantedBy=multi-user.target
Make the script executable and check to see that it installed correctly:
user@snortserver:~$ sudo chmod +x /etc/init/barnyard2.conf
user@snortserver:~$ initctl list | grep barnyard
barnyard2 stop/waiting
user@snortserver:~$
Now we tell systemD that the service should be started at boot:
sudo systemctl enable barnyard2
And start the barnyard2 service:
sudo systemctl start barnyard2
Verify the service is running:
systemctl status barnyard2
Reboot the computer and check that both services are started:
user@snortserver:~$ service snort status
snort start/running, process 1116
user@snortserver:~$ service barnyard2 status
barnyard2 start/running, process 1109
user@snortserver:~$
Congratulations, if you have output similar to the above then you have successfully configured an entire Snort NIDS. Continue to the next section to learn about Configuring Promiscuous Mode for ESXi and for our wrap up.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In the previous two articles in this series, we installed Snort, configured it to work as a NIDS with Barnyard2, and set up PulledPork to automatically download rulesets from snort.org. In this article, we are going to configure BASE, a web front end for viewing Snort alerts from the MySQL database we created in earlier articles.
We start by installing pre-requisites from the Ubuntu repository:
sudo apt-get install -y apache2 libapache2-mod-php5 php5 php5-mysql php5-common php5-gd php5-cli php-pear
And then install pear Image_Graph (ignore the warnings below):
sudo pear install -f Image_Graph
...
WARNING: failed to download pear.php.net/Image_Graph within preferred state "stable", will instead download version 0.8.0, stability "alpha"
WARNING: failed to download pear.php.net/Image_Canvas within preferred state "stable", will instead download version 0.3.5, stability "alpha"
...done: 9,501 bytes
install ok: channel://pear.php.net/Image_Color-1.0.4
install ok: channel://pear.php.net/Image_Canvas-0.3.5
install ok: channel://pear.php.net/Image_Graph-0.8.0
We need to install version 5.18 of ADODB (people have reported that newer versions of ADODB work, but I haven’t tested them):
cd ~/snort_src
wget http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-518-for-php5/adodb518a.tgz/download -O adodb518.tgz
tar -xvzf adodb518.tgz
sudo mv adodb5 /var/adodb
Now we can download and install BASE 1.4.5:
cd ~/snort_src
wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
tar -zxvf base-1.4.5.tar.gz
Here we run into a difference between Ubuntu 12 and 13 versus 14. Ubuntu 12 and 13 use Apache 2.2, while Ubuntu 14 uses Apache 2.4. The difference affects where you copy BASE to, and where the configuration file is stored.
For Ubuntu 12 and 13:
sudo mv base-1.4.5 /var/www/base/
cd /var/www/base
sudo cp base_conf.php.dist base_conf.php
sudo chown -R www-data:www-data /var/www/base
sudo chmod o-r /var/www/base/base_conf.php
sudo vi /var/www/base/base_conf.php
For Ubuntu 14:
sudo mv base-1.4.5 /var/www/html/base/
cd /var/www/html/base
sudo cp base_conf.php.dist base_conf.php
sudo chown -R www-data:www-data /var/www/html/base
sudo chmod o-r /var/www/html/base/base_conf.php
sudo vi /var/www/html/base/base_conf.php
Now for both systems, make the following edits to base_conf.php:
$BASE_urlpath = '/base';                  # line 50
$DBlib_path = '/var/adodb/';              # line 80
$alert_dbname = 'snort';                  # line 102
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'MYSQLSNORTPASSWORD';   # line 106
Now we need to restart Apache:
sudo service apache2 restart
The last step to configure BASE is done via http:
Congratulations, if you see the ICMP events in the BASE web page, you have successfully set up BASE. Continue to the next section, Creating Startup Scripts for Snort and Barnyard2.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In the previous two sections of this article, we installed Snort and configured it to work as a NIDS with Barnyard2 processing packets that generated alerts based on a rule. In this article, we are going to install a Perl script called PulledPork, which will automatically download the latest rulesets from the Snort website.
To download rules from Snort, you need an oinkcode. Register on the Snort website and save your oinkcode before continuing, as the oinkcode is required for PulledPork to work.
Install the PulledPork pre-requisites:
sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl
Note on PulledPork Version: The command below installs the 0.7.2 version of PulledPork with patch 194 applied. There are issues with the base 0.7.2 version of PulledPork that are fixed with later patches, but a version release (0.7.3) hasn’t been created that includes those patches yet. I don’t want to use the 0.7.2 version of PulledPork because of the issues, and I don’t want to install the current Master version of PulledPork because it may change after the release of this guide (breaking this guide), so I’ve compromised by linking to a current (as of the time of this writing) version that works well and won’t change. As newer releases come out, they should work, but you will need to test if you choose something different.
Download PulledPork and install:
cd ~/snort_src
wget https://github.com/finchy/pulledpork/archive/66241690356d54faa509625a78f80f326b75c339.tar.gz -O pulledpork-0.7.2-194.tar.gz
tar xvfvz pulledpork-0.7.2-194.tar.gz
mv pulledpork-66241690356d54faa509625a78f80f326b75c339 pulledpork-0.7.2-194
cd pulledpork-0.7.2-194/
sudo cp pulledpork.pl /usr/local/bin
sudo chmod +x /usr/local/bin/pulledpork.pl
sudo cp etc/*.conf /etc/snort
Test that PulledPork runs by running the following command, looking for the output below:
user@snortserver:~$ /usr/local/bin/pulledpork.pl -V
PulledPork v0.7.2 - E.Coli in your water bottle!
user@snortserver:~$
Now that we are sure that PulledPork works, we need to configure it:
sudo vi /etc/snort/pulledpork.conf
Make the following changes to the pulledpork.conf file. Anywhere you see ‹oinkcode› enter your oinkcode from the Snort website. I have included line numbers to help you identify the location of these lines in the configuration file.
Line 19 & 26: enter your oinkcode where appropriate (or comment out if no oinkcode)
Line 29: Un-comment for Emerging threats ruleset (not tested with this guide)
Line 74: change to: rule_path=/etc/snort/rules/snort.rules
Line 89: change to: local_rules=/etc/snort/rules/local.rules
Line 92: change to: sid_msg=/etc/snort/sid-msg.map
Line 96: change to: sid_msg_version=2
Line 119: change to: config_path=/etc/snort/snort.conf
Line 133: change to: distro=Ubuntu-12-04
Line 141: change to: black_list=/etc/snort/rules/iplists/default.blacklist
Line 150: change to: IPRVersion=/etc/snort/rules/iplists
We want to run PulledPork once manually to make sure it works. We use the following flags:
-c /etc/snort/pulledpork.conf   the location of the pulledpork.conf file
-l                              Write detailed logs to /var/log
Run the following command:
sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l
After this command runs (it takes some time), you should now see snort.rules in /etc/snort/rules, and .so rules in /usr/local/lib/snort_dynamicrules. PulledPork combines all the rulesets that it downloads into these two files. You need to make sure to add the line: include $RULE_PATH/snort.rules to the snort.conf file, or the PulledPork rules will never be read into memory when Snort starts:
sudo vi /etc/snort/snort.conf
Add the following line to enable snort to use the rules that PulledPork downloaded (line 547), after the line for local.rules:
include $RULE_PATH/snort.rules
Since we have modified snort.conf, we should test that Snort loads correctly in NIDS mode with the PulledPork rules included:
sudo snort -T -c /etc/snort/snort.conf
Once that is successful, we want to test that Snort and Barnyard2 load correctly when run manually as daemons:
sudo /usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort -D
As before, ping the IP address of the Snort eth0 interface, and then check the database for more events (remember to use the MYSQLSNORTPASSWORD):
mysql -u snort -p -D snort -e "select count(*) from event"
The number of events reported should be greater than what you saw the last time you ran this command. Now that we are sure that PulledPork runs correctly, we want to add PulledPork to root’s crontab to run daily:
sudo crontab -e
Choose any editor if prompted, then add the following line and save:
01 04 * * * /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l
Stop the running daemons from earlier testing:
user@snortserver:~$ ps aux | grep snort
snort 1296 0.0 2.1 297572 43988 ? Ssl 03:15 0:00 /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
user 1314 0.0 0.0 4444 824 pts/0 S+ 03:17 0:00 grep --color=auto snort
user@snortserver:~$ sudo kill 1296
user@snortserver:~$ ps aux | grep barnyard2
snort 1298 0.0 2.1 297572 43988 ? Ssl 03:15 0:00 barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort -D
user 1316 0.0 0.0 4444 824 pts/0 S+ 03:17 0:00 grep --color=auto barnyard2
user@snortserver:~$ sudo kill 1298
Note: Snort needs to be reloaded to see the new rules. This can be done with kill -SIGHUP
Additional note about shared object rules: In addition to regular rules, the above section will download Shared object rules. Shared object rules are also known as “Shared Object rules”, “SO rules”, “pre-compiled rules”, or “Shared Objects”. These are detection rules that are written in the Shared Object rule language, which is similar to C.
These rules are pre-compiled by the provider of the rules, and allow for more complicated rules, and allow for obfuscation of rules (say to detect attacks that haven’t been patched yet, but the vendor wants to allow detection without revealing the vulnerability). These rules are compiled by the vendor for specific systems. One of these systems is Ubuntu 12, and luckily these rules also work on Ubuntu 14 and 15.
Congratulations, if you have output similar to the above then you have successfully configured PulledPork. Continue to the next section to install BASE.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In the previous two articles in this series, we installed Snort and configured it to run as a NIDS. In this article, we are going to create a rule which causes Snort to generate an alert whenever it sees an ICMP message. If you want, you can skip this section, as it is not required to get a Snort NIDS up and running, but it will help you to gain a better understanding of how Snort rules are created and loaded.
In the previous article, we created the /etc/snort/rules/local.rules file and left it empty. We also edited the snort.conf file to load this file (when we un-commented the line: include $RULE_PATH/local.rules in snort.conf). When Snort starts, it will use the include directive in snort.conf to load all rules in local.rules. The local.rules file is a place where we can place rules that are specific to our environment, and is great for testing.
First, we need to edit the local.rules file:
sudo vi /etc/snort/rules/local.rules
Input the following text and save the file:
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
What this rule says is that for any ICMP packets it sees from any network to our HOME_NET, generate an alert with the text ICMP test.
Since we have made changes to the files that snort loads, it is a good idea to test the configuration file again:
sudo snort -T -c /etc/snort/snort.conf
If successful, you should be able to scroll up through the output and see that Snort has loaded our rule:
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
1 Snort rules read
    1 detection rules
    0 decoder rules
    0 preprocessor rules
1 Option Chains linked into 1 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src       0       0       0       0
|     dst       0       0       0       0
|     any       0       0       1       0
|      nc       0       0       1       0
|     s+d       0       0       0       0
+----------------------------------------------------------------------------
Now to test the rule. We need to verify that Snort generates an alert when it processes an ICMP packet. We will launch Snort with the following options:
-A console                  the console option prints fast mode alerts to stdout
-q                          Quiet. Don't show banner and status report.
-u snort                    run snort as the following user after startup
-g snort                    run snort as the following group after startup
-c /etc/snort/snort.conf    the path to our snort.conf file
-i eth0                     the interface to listen on
Run Snort with the command below, modifying the parameters as required specific for your configuration:
sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
Note: If you are running Ubuntu 15.10, remember that your interface name is not eth0.
Once you have started Snort with the above command, you need to use another computer or another terminal window to ping the interface that you directed Snort to listen on. You should see output similar to the below on the terminal of the Snort machine:
10/31-02:27:19.663643 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.74 -> 10.0.0.64
10/31-02:27:19.663675 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.64 -> 10.0.0.74
10/31-02:27:20.658378 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.74 -> 10.0.0.64
10/31-02:27:20.658404 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.64 -> 10.0.0.74
10/31-02:27:21.766521 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.74 -> 10.0.0.64
10/31-02:27:21.766551 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.64 -> 10.0.0.74
10/31-02:27:22.766167 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.74 -> 10.0.0.64
10/31-02:27:22.766197 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.64 -> 10.0.0.74
^C*** Caught Int-Signal
You have to use ctrl-c to stop snort from running after the above output. What the above example shows is the 4 ICMP Echo Request and Reply messages between our Snort server (IP 10.0.0.64) and our other machine (10.0.0.74). If you look in /var/log/snort, you will also see a file with the name snort.log.nnnnnnnnnn (the n’s are replaced by numbers), which contains the same information that Snort printed to the screen.
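To check the console output above without counting lines by eye, the following added example (not part of the original guide) groups fast-mode alert lines by rule ID and flow and counts the alerts for one SID. The function names are assumptions; the first four sample lines are taken from the output above and the fifth, for a hypothetical SID 10000002, is constructed.

```shell
#!/bin/sh
# Added example: summarize Snort "-A console" (fast mode) alert lines.

# summarize_alerts
# Reads alert lines on stdin and prints one tab-separated row per
# (gid:sid:rev, flow, message): count, rule id, "src -> dst", message.
# Rows are sorted by count, highest first.
summarize_alerts() {
    awk '
        match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/) {
            id   = substr($0, RSTART + 1, RLENGTH - 2)   # gid:sid:rev
            rest = substr($0, RSTART + RLENGTH + 1)      # text after "[id] "
            msg  = rest
            sub(/ \[\*\*\].*/, "", msg)                  # keep text before the second [**]
            flow = rest
            sub(/^.*[}] /, "", flow)                     # keep text after "{PROTO} "
            seen[id "\t" flow "\t" msg]++
        }
        END { for (k in seen) print seen[k] "\t" k }
    ' | sort -t "$(printf '\t')" -k1,1nr -k2,3
}

# alerts_for_sid SID
# Prints how many alerts on stdin came from generator 1 with the given SID
# (generator 1 is assumed here because it is what the output above shows).
alerts_for_sid() {
    awk -v sid="$1" 'index($0, "[1:" sid ":") { n++ } END { print n + 0 }'
}

# Sample input: four lines from the output above, plus one constructed line
# for a hypothetical second local rule (SID 10000002).
sample_alerts() {
    cat <<'EOF'
10/31-02:27:19.663643 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.74 -> 10.0.0.64
10/31-02:27:19.663675 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.64 -> 10.0.0.74
10/31-02:27:20.658378 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.74 -> 10.0.0.64
10/31-02:27:20.658404 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.64 -> 10.0.0.74
10/31-02:27:23.100000 [**] [1:10000002:1] TCP test [**] [Priority: 0] {TCP} 10.0.0.74:51512 -> 10.0.0.64:22
EOF
}

# Demo: print the summary table for the sample input.
sample_alerts | summarize_alerts
```

A pinged sensor should show the test SID in both directions with equal counts; a count of zero for the SID means the rule was not loaded or HOME_NET does not cover the addresses involved.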
Congratulations, if you have output similar to the above then you have successfully created a rule for Snort to alert on. Continue to the next section to Install Barnyard2.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is the second in a set of articles that will guide you through the steps of installing and configuring Snort as a Network Intrusion Detection System (NIDS), along with additional software that extends the functionality of your Snort system. In the previous article we installed the Snort binary and verified that it correctly executed. In this section, we will configure Snort to run as a NIDS by creating the files and folders that Snort expects when running as a NIDS, and we will learn about the Snort configuration file: snort.conf.
First off, for security reasons we want Snort to run as an unprivileged user. We create the snort user and group for this purpose:
sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
Next, we need to create a number of files and folders that Snort expects when running in NIDS mode. We will then change the ownership of those files to our new snort user. Snort stores configuration files in /etc/snort, rules in /etc/snort/rules and /usr/local/lib/snort_dynamicrules, and stores its logs in /var/log/snort:
# Create the Snort directories:
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /etc/snort/rules/iplists
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules

# Create some files that store rules and IP lists:
sudo touch /etc/snort/rules/iplists/default.blacklist
sudo touch /etc/snort/rules/iplists/default.whitelist
sudo touch /etc/snort/rules/local.rules

# Create our logging directories:
sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs

# Adjust permissions:
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules

# Change ownership on folders:
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
We now need to move the following files from the extracted Snort tarball to the snort configuration folder:
Run the commands below to move the files listed above to the /etc/snort folder:
cd ~/snort_src/snort-2.9.7.6/etc/
sudo cp *.conf* /etc/snort
sudo cp *.map /etc/snort
sudo cp *.dtd /etc/snort
cd ~/snort_src/snort-2.9.7.6/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/
sudo cp * /usr/local/lib/snort_dynamicpreprocessor/
The Snort configuration folder and file structure should now look like the following:
user@snortserver:~$ tree /etc/snort
/etc/snort
├── attribute_table.dtd
├── classification.config
├── file_magic.conf
├── gen-msg.map
├── preproc_rules
├── reference.config
├── rules
│   ├── local.rules
│   ├── iplists
│   │   ├── black_list.rules
│   │   ├── white_list.rules
├── snort.conf
├── so_rules
├── threshold.conf
└── unicode.map
The Snort configuration file is stored at /etc/snort/snort.conf, and contains all the settings that Snort will use when it is run in NIDS mode. This is a large file (well over 500 lines), and contains a number of options for the configuration of Snort. We are interested in only a few settings at this time.
First, we need to comment out the lines that cause Snort to import the default set of rule files. We do this because we will be using PulledPork to manage our rulesets, which saves all the rules into a single file. The easy way to comment out all these lines is to use sed to prepend the “#” (hash) character to those lines. This is accomplished by running the following command:
sudo sed -i 's/include \$RULE_PATH/#include \$RULE_PATH/' /etc/snort/snort.conf
The result of this command is that lines 547 to 651 in snort.conf will now be commented out, which will prevent Snort from loading those rule files on start-up.
Next, we need to manually edit a few lines in the snort.conf file. Use vi (or your favorite editor) to edit /etc/snort/snort.conf:
sudo vi /etc/snort/snort.conf
First, we need to let Snort know the network range of your home network (the assets you are trying to protect) and all other external networks. We do this by editing lines 45 and 48 of snort.conf to tell it the IP ranges of these two networks. In the example below, our home network is 10.0.0.0 with a 24 bit subnet mask (255.255.255.0), and our external networks are all other networks.
ipvar HOME_NET 10.0.0.0/24 # (line 45) make this match your internal (friendly) network
Note: it is not recommended to set EXTERNAL_NET to !$HOME_NET as recommended in some guides, since it can cause Snort to miss alerts.
Next we need to tell Snort about the locations of all the folders we created earlier. These settings are also part of the snort.conf file. I have included the line numbers after the hash so you can more easily find the setting (do not write the line number, just change the path to match what is below):
var RULE_PATH /etc/snort/rules                      # line 104
var SO_RULE_PATH /etc/snort/so_rules                # line 105
var PREPROC_RULE_PATH /etc/snort/preproc_rules      # line 106
var WHITE_LIST_PATH /etc/snort/rules/iplists        # line 113
var BLACK_LIST_PATH /etc/snort/rules/iplists        # line 114
In order to enable IP whitelists and blacklists (blacklists are downloaded by PulledPork, and you can manually whitelist IP addresses or ranges), make the following two changes to lines 510 and 511:
whitelist $WHITE_LIST_PATH/default.whitelist, \
blacklist $BLACK_LIST_PATH/default.blacklist
Finally, we want to enable one included rule file: /etc/snort/rules/local.rules. We will use this file to store our own rules, including one rule that we will write in the next article in this series that will allow us to easily check that Snort is correctly generating alerts. Un-comment the following line (line 545) by deleting the hash from the beginning of the line:
include $RULE_PATH/local.rules
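A quick check that the two include edits above left only local.rules active. This is an added example, not part of the original guide: the snort.conf fragment is constructed sample data, the function names are hypothetical, and the second sed expression is a scripted stand-in for the manual un-comment step.

```shell
#!/usr/bin/env bash
# Added example: list the rule files Snort will still load from a snort.conf.

# Print the file name of every uncommented "include $RULE_PATH/..." line.
active_rule_includes() {
    # $1: path to a snort.conf
    sed -n 's/^[[:space:]]*include[[:space:]]\{1,\}\$RULE_PATH\/\([^[:space:]#]*\).*/\1/p' "$1"
}

# Return 0 only when local.rules is the single active rule include.
only_local_rules_active() {
    [ "$(active_rule_includes "$1")" = "local.rules" ]
}

# Build a constructed snort.conf fragment, apply both edits, print its path.
demo_conf() {
    raw=$(mktemp)
    conf=$(mktemp)
    cat > "$raw" <<'EOF'
var RULE_PATH /etc/snort/rules
include classification.config
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
# include $RULE_PATH/web-misc.rules
EOF
    # Edit 1: the guide's sed expression, commenting out every rule include.
    # Edit 2: scripted equivalent of un-commenting local.rules by hand.
    sed 's/include \$RULE_PATH/#include \$RULE_PATH/' "$raw" |
        sed 's/^#include \$RULE_PATH\/local\.rules/include $RULE_PATH\/local.rules/' > "$conf"
    rm -f "$raw"
    echo "$conf"
}
```

On a real system, run active_rule_includes /etc/snort/snort.conf after editing; any name other than local.rules in the output is a rule file that Snort will still try to load at start-up.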
Snort has the ability to validate the configuration file, and you should do this whenever you make modifications to snort.conf. Run the following command to have Snort test the configuration file:
sudo snort -T -c /etc/snort/snort.conf
The -T tells snort to test, and -c tells snort the path to the configuration file. You should see some output, with the following lines at the end:
...
Snort successfully validated the configuration!
Snort exiting
Congratulations, if you have output similar to the above then you have successfully configured Snort to run as a NIDS. Continue to the next section: Writing and Testing a Single Rule With Snort.
UPDATE: Snort 2.9.9.x has been released. Please see the updated series of articles here or my quick install guide here.
I am leaving this older guide online for anyone who wants to install this older version of Snort on Ubuntu, but you really should be using the updated guide for the 2.9.9.x version of Snort, since support for older versions of Snort is set to expire, and the updated guide is kept more up to date and includes BASE instead of Snorby for a Web GUI.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This detailed set of articles will guide you through the steps of installing and configuring Snort as a Network Intrusion Detection System (NIDS), along with additional software that extends the functionality of your Snort system. These articles are based on the Snort Installation guide I wrote, and which was posted in the documents section of the Snort website. If you are instead looking for a quick install guide for Snort on Ubuntu, please see my other standalone article: Snort 2.9.7.x on Ubuntu (quick install guide). If you want to test the new alpha version of Snort, please see my article: Installing Snort 3 Alpha in Ubuntu.
These articles are designed to take you step-by-step through the installation, configuration, and testing of each component of a Snort system. I will explain the design decisions and the purpose of specific commands throughout this guide, which will help you understand how Snort is installed, configured, tested, executed, and how it interfaces with its supporting software. You can follow the steps in this guide, but choose to skim the detailed explanations if you would like, and you will still end up with a working Snort system. However, if you take the effort to understand every step you will have a much deeper understanding of Snort, be better able to troubleshoot issues, and fully customize your Snort installation.
This guide has been tested with Snort 2.9.7.x and 2.9.6.x on both the x86 and x64 architectures of Ubuntu 12, 14, and 15. This guide will note VMware-specific configuration options, if you want to run Snort as a virtual machine. At the time of this writing, the latest version of Snort is 2.9.7.6, and the instructions below are tailored for that version. If you want to use more recent versions of any of the software installed below, it should work without significant changes (except where noted, BASE for example).
On its own, Snort runs in standalone mode as a packet sniffer and logger. With a few additional applications and some configuration, a Snort system becomes much more useful as a NIDS. The supporting software components we will install in this set of articles are:
If you just want a Snort system installed and running without having to compile and install all the individual components, there are some alternatives:
If you are running Snort as a VMware ESXi virtual machine, it is recommended that you use the vmxnet 3 network adapter.
So let’s get started. First we need to install all the prerequisites from the Ubuntu repositories:
sudo apt-get install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev
Breakdown of the packages you are installing:
Next, we need to ensure that the network card does not truncate over-sized packets. From The Snort Manual:
Some network cards have features named “Large Receive Offload” (lro) and “Generic Receive Offload” (gro). With these features enabled, the network card performs packet reassembly before they’re processed by the kernel. By default, Snort will truncate packets larger than the default snaplen of 1518 bytes. In addition, LRO and GRO may cause issues with Stream5 target-based reassembly. We recommend that you turn off LRO and GRO.
Disable LRO and GRO:
Install ethtool if you are on Ubuntu 12:
sudo apt-get install -y ethtool
Now edit /etc/network/interfaces as an admin:
sudo vi /etc/network/interfaces
Append the following two lines for each network interface you will have Snort listen on (See note below for Ubuntu 15):
post-up ethtool -K eth0 gro off
post-up ethtool -K eth0 lro off
Important note for people running Ubuntu 15.10: In Ubuntu 15.10, for new installations (not upgrades), network interfaces no longer follow the ethX standard (eth0, eth1, …). Instead, interface names are assigned as Predictable Network Interface Names. This means you need to check the names of your interfaces using ifconfig -a. In my case, what was originally eth0 is now ens160. If you are running Ubuntu 15.10, anywhere in this guide you see eth0, you will need to replace it with your new interface name.
An example of how the /etc/network/interfaces file should look for a single interface:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp
post-up ethtool -K eth0 gro off
post-up ethtool -K eth0 lro off
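To confirm the post-up lines took effect after the interface is brought up again, you can parse the output of ethtool -k (lowercase k lists the current offload settings). The following is an added example, not part of the original guide; the function names are hypothetical and the sample output is constructed.

```shell
#!/usr/bin/env bash
# Added example: report whether GRO or LRO is still enabled on an interface.

# Read `ethtool -k` output on stdin and print each of
# generic-receive-offload / large-receive-offload that is still "on".
offloads_still_on() {
    awk -F': *' '
        $1 ~ /^[ \t]*(generic|large)-receive-offload$/ && $2 ~ /^on/ {
            sub(/^[ \t]+/, "", $1)
            print $1
        }'
}

# Constructed sample of `ethtool -k eth0` output (GRO on, LRO off).
sample_ethtool_output() {
    cat <<'EOF'
Features for eth0:
rx-checksumming: on
tx-checksumming: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
EOF
}

# Check a live interface: returns 0 when both offloads are off,
# 1 when at least one is still on, 2 when ethtool could not be run.
check_interface() {
    out=$(ethtool -k "$1" 2>/dev/null) || return 2
    bad=$(printf '%s\n' "$out" | offloads_still_on)
    if [ -n "$bad" ]; then
        echo "still enabled on $1: $bad" >&2
        return 1
    fi
    return 0
}
```

Run check_interface eth0 (or your Ubuntu 15.10 interface name) on the Snort host; a non-zero result means Snort may still receive reassembled packets larger than its snaplen.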
Next we will create a directory to save the downloaded tarball files:
mkdir ~/snort_src
cd ~/snort_src
Snort uses the Data Acquisition library (DAQ) to abstract calls to packet capture libraries. DAQ is downloaded and installed from the Snort website:
cd ~/snort_src
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
tar -xvzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure
make
sudo make install
Now we are ready to install Snort from source. When we configure the build of Snort, we use the --enable-sourcefire flag, which enables Packet Performance Monitoring (PPM), and matches the way the Sourcefire team builds Snort.
cd ~/snort_src
wget https://www.snort.org/downloads/snort/snort-2.9.7.6.tar.gz
tar -xvzf snort-2.9.7.6.tar.gz
cd snort-2.9.7.6
./configure --enable-sourcefire
make
sudo make install
Run the following command to update shared libraries:
sudo ldconfig
Since the Snort installation places the Snort binary at /usr/local/bin/snort, it is a good policy to create a symlink to /usr/sbin/snort:
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
The last step of our Snort installation is to test that the Snort binary runs. Execute Snort with the -V flag, which causes Snort to show the version number:
/usr/sbin/snort -V
and you should see output similar to the following:
user@snortserver:~$ /usr/sbin/snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.7.6 GRE (Build 285)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.3.4

user@snortserver:~$
Congratulations, if you have output similar to the above then you have successfully installed Snort. Continue to the next section to Configure Snort to Run as a NIDS.