CounterSnipe Software Installation Guide Software Version 10.x.x

CounterSnipe software installs on any system compatible with Ubuntu 14.04 LTS server, which is supported until 2019.

Initial Set-up. Note: An internet connection is required for installation.

Installing Linux

Download Ubuntu as per the links on http://countersnipe.com/index.php/trial-software, depending upon your OS. You can also search for "ubuntu 14.04.2 LTS download" and download directly from the Ubuntu site, ensuring you choose server images. (PLEASE DO NOT INSTALL 14.04.5)

Burn this file onto a bootable CD or a bootable Pen Drive/Usb Stick

Physically connect the machine to the internet.

Boot from the newly burnt CD

Go through the various menus and provide the following:

o Country

o Language

o Network card. Please make sure to pick eth0 as the management interface.

o Enter a host name or accept default

o Select use entire disk (without LVM) and ‘enter’

o Select all files in one partition and ‘enter’

o At write partition to disk select ‘yes’ and ‘enter’

o At the software selector box select Openssh and press enter to continue.

o At the grub boot loader question select ‘yes’ and enter

o Reboot into Ubuntu by selecting ‘continue’

After rebooting the system, log in using the user name created during setup.

o type sudo passwd root

o follow the instructions to assign a new password for root

o type su root and provide the root password to become root.

o type ifconfig and check that eth0 is listed with an IP address

o make a note of the MAC address of the eth0 NIC, as you will need it to enable installation. If your NICs appear as em0 etc., please see http://countersnipe.com/index.php/1 to rename them as eth0.

STOP! Email [email protected] the MAC address and your Public facing IP address before continuing the installation below.
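The post-reboot checks above (eth0 present and holding an address, its MAC noted, em0-style names needing a rename) can be scripted so the precondition is verified rather than eyeballed. The following is an added example, not part of this guide or of CounterSnipe's software: it parses the net-tools ifconfig layout Ubuntu 14.04 prints, using constructed sample output for a box whose NICs came up as em1/em2, and reports whether the management-interface requirement holds and which MAC address to send.

```python
import re

# Constructed sample of `ifconfig` output in the Ubuntu 14.04 (net-tools) layout,
# for a machine whose NICs came up as em1/em2 rather than eth0/eth1.
SAMPLE_BEFORE_RENAME = """\
em1       Link encap:Ethernet  HWaddr 08:00:27:3A:2B:1C
          inet addr:192.168.1.50  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

em2       Link encap:Ethernet  HWaddr 08:00:27:9F:44:D0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
"""

# The same machine after the NICs were renamed eth0/eth1 (also constructed).
SAMPLE_AFTER_RENAME = SAMPLE_BEFORE_RENAME.replace("em1 ", "eth0").replace("em2 ", "eth1")

MAC_RE = re.compile(r"HWaddr\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")
INET_RE = re.compile(r"^\s+inet addr:(\d{1,3}(?:\.\d{1,3}){3})")


def parse_ifconfig(text):
    """Return {iface: {"mac": ..., "ipv4": ...}} from net-tools ifconfig output.
    An interface block starts at column 0; its attribute lines are indented."""
    ifaces = {}
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = line.split()[0]
            m = MAC_RE.search(line)
            ifaces[current] = {"mac": m.group(1).lower() if m else None, "ipv4": None}
            continue
        m = INET_RE.match(line)
        if m and current is not None:
            ifaces[current]["ipv4"] = m.group(1)
    return ifaces


def management_nic_status(ifaces, mgmt="eth0"):
    """Check the guide's precondition: the management NIC must exist under the
    name eth0 and hold an IPv4 address. Returns (ok, reason, mac_to_report)."""
    if mgmt not in ifaces:
        physical = sorted(n for n, i in ifaces.items() if i["mac"])
        return False, "%s missing; physical NICs %s need renaming" % (mgmt, physical), None
    info = ifaces[mgmt]
    if info["ipv4"] is None:
        return False, "%s has no IPv4 address (check cabling/DHCP)" % mgmt, info["mac"]
    return True, "%s is up with %s" % (mgmt, info["ipv4"]), info["mac"]


if __name__ == "__main__":
    for sample in (SAMPLE_BEFORE_RENAME, SAMPLE_AFTER_RENAME):
        ok, reason, mac = management_nic_status(parse_ifconfig(sample))
        print("OK  " if ok else "FAIL", reason, "| MAC to report:", mac)
```

On a real system feed it the output of `ifconfig` (for example via subprocess) instead of the constructed samples; the MAC is normalised to lower case so the value you email matches what the installer will see.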


Installing CounterSnipe

Once you have Ubuntu installed and have received a confirmation after sending us the MAC and public IP address, please follow the steps below:

o log onto your system as root

o wget http://rd.countersnipe.com/.cs500/.countersnipe

o chmod 755 .countersnipe

o ./.countersnipe and make your selection – CS-APS for a complete install (note it is dot-slash dot-countersnipe)

o The software will begin installing and may take 10-30 mins depending on the speed of your network

o Once installation is finished you will be presented with an initial configuration menu.

o Select Passwd from the menu and enter the root password (note this will be the first user account when logging on to the device via a web browser. The password you assigned earlier for root must be registered here for you to be able to log in via https://).

o Interface: Enter the IP address of the management port, and also enter the netmask and default gateway. Note: This step is a must to create a working IPS device.

o Certificates: A Common Name (CN) for the SSL certificate to be used on this device. This is normally the FQDN of the device, e.g. demo.countersnipe.com. Please note that this step must be performed in order to gain https:// access to the system. Please use the management port IP address if not sure.

o Leave all other options untouched for now.
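The installer in the steps above is fetched over plain http and then run as root, and the guide publishes no checksum for it. Before giving the file its execute bit, a practitioner would compare its SHA-256 with a value obtained from CounterSnipe through a separate channel. The Python below is an added example, not CounterSnipe's code: EXPECTED_SHA256 is a placeholder to be filled in from the vendor, INSTALLER_URL is the address from the guide, and demo() exercises the verify-then-stage logic offline on a constructed stand-in file.

```python
import hashlib
import hmac
import os
import stat
import tempfile
import urllib.request

# Placeholder: the guide publishes no digest for .countersnipe, so this value has to
# come from the vendor out of band (e.g. with the installation confirmation). Replace before use.
EXPECTED_SHA256 = "<sha256 obtained from CounterSnipe support>"
INSTALLER_URL = "http://rd.countersnipe.com/.cs500/.countersnipe"  # address given in the guide


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def digest_matches(data, expected_hex):
    """Constant-time comparison of the file's SHA-256 with the expected hex digest."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def fetch(url):
    """Download the installer bytes (network access; not exercised by demo())."""
    with urllib.request.urlopen(url) as resp:
        return resp.read()


def stage_installer(data, dest_path, expected_hex):
    """Write the installer to dest_path with mode 0755 only if its digest matches.
    On mismatch nothing is written and False is returned, so `./.countersnipe`
    cannot be run by accident. This replaces the guide's unconditional `chmod 755`."""
    if not digest_matches(data, expected_hex):
        return False
    fd = os.open(dest_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o755)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(dest_path, 0o755)  # explicit, in case the umask stripped bits at create time
    return True


def demo():
    """Offline run with a constructed stand-in for the installer.
    Returns (staged_ok, is_executable, anything_staged_with_wrong_digest)."""
    body = b"#!/bin/sh\necho 'constructed stand-in for the real installer'\n"
    with tempfile.TemporaryDirectory() as d:
        good_path = os.path.join(d, ".countersnipe")
        staged = stage_installer(body, good_path, sha256_hex(body))
        is_exec = bool(os.stat(good_path).st_mode & stat.S_IXUSR)
        bad_path = os.path.join(d, "rejected")
        rejected = stage_installer(body, bad_path, "00" * 32)
        wrote_bad = os.path.exists(bad_path)
    return staged, is_exec, rejected or wrote_bad


if __name__ == "__main__":
    print(demo())  # (True, True, False)
    # Real use, once EXPECTED_SHA256 has been filled in:
    # stage_installer(fetch(INSTALLER_URL), ".countersnipe", EXPECTED_SHA256)
```

The digest is compared before anything touches the disk, and a rejected download leaves no executable behind; if CounterSnipe publishes the installer over https or with a signature, prefer that, but the digest check still costs nothing.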

Connecting the system to the network.

When the device boots, it will detect and load drivers for all supported network interfaces.

Eth0 (the first detected network card) is the management interface; this is used to remotely administer the device via a web browser.

The other two interfaces (eth1 and eth2) are used to either bridge or passively monitor network traffic.

The default configuration is Threat and Asset Monitoring. Therefore we recommend that you plug eth1, eth2 or both into a SPAN/MIRROR port on a switch so that they can see all of the network traffic.

Once you have a working system you can switch the software to be an Inline System, following which you can plug it in line between a firewall and the switch or a network segment to be protected.

Accessing the Device

Direct a web browser at the assigned URL: https://hostname:8443

where hostname should be the CN (Common Name) of the device entered earlier, or, if you prefer, the IP address of the system.


You will be presented with the APD login screen, enter the username root with the password selected during setup.

Assigning a DNS: Once you have access to the device as above, select ‘Device Groups’ and ‘View’. From the menu at the top select ‘DNS’, type in the DNS information and click ‘Submit’.

Click ‘Summary’ and ‘Deploy Configurations’.

Your DNS setting should now be updated.

Downloading Risk Data:

The install CD does not contain any risk data (Snort signatures, application detection signatures and NIST vulnerability signatures), so next the system will download the risk data. By default Poll Hourly is unchecked.

Click Initiate Poll to start downloading the risk data. Please note that the first download may take several minutes.

Observe the various time stamps; once they all start populating, your database has started to download.

Once the process is completed the Risk Database light will turn green.


Group Setup

Before the APD is ready to have its bridging/sniffing interfaces connected to the live network, the device needs to be configured.

Every APD in the deployment belongs to a group. This is to ease the administration of multiple devices, as settings can be kept the same across many APDs. Properties such as domain name, time servers and operating mode are best set at group level.

To enter group configuration, select Device Groups from the left hand menu bar, and then view the group (Default Group) you would like to configure.

Step through the following configuration tabs, filling in network details where required, and press Submit on each property page to save your changes.

General – Group name and description

Mode – Operational mode, can be one of the following:

Tap - Traditional IDS mode. The APD will listen on both non-management interfaces and alert on suspicious traffic. Connect either of the interfaces to a mirror or SPAN port on a switch, any port on a hub, or both to an optical tap if appropriate.

IDS Bridge mode - The device functions as a bridge and will forward any traffic between the eth1 and eth2 interfaces.

IPS Bridge mode - The device functions as a bridge and will forward traffic that does not match signatures containing IPS actions (drop, sdrop, reject) between eth1 and eth2.

Open Bridge mode - The device functions as a bridge and no traffic will be evaluated by the Snort engine.

Blocked mode - The device will not forward any traffic between eth1 and eth2 and no traffic will be evaluated by the Snort engine.

DNS – The domain name and IP address the APD should use to resolve names

Email – The IP address of an SMTP relay that the APD can use to send email alerts

Clock – Local time zone, and location of a time server, e.g. 0.pool.ntp.org

Please note that Variables are set at each device level.


Device Configuration

Once the group configuration is completed, sensor-independent preferences need to be set. Select Devices from the left hand menu and then view “console”.

Fill out the network specific data in the following tabs:

General – Host name and description of this device

Classifications – Groups of signatures linked by the type of attack or risk presented to the network. Each classification group can have an action associated with it; this is the action the APD will take when it finds packets that match one of the associated rules.

Signatures – Fine grain control over exactly which rules are enabled and what actions shall be taken on each.

Variables – see Variable Configuration below.

Variable Configuration

The CounterSnipe system makes use of the highly versatile Snort detection engine. Snort provides the user with many choices on how and what traffic should be inspected for attacks; this is set through the use of variables. After specifying that internal web servers listen on port TCP:80, only this port shall be checked for web attacks. This decreases the load placed upon the device and allows higher performance. The syntax of variables allows both arrays of IP addresses and IP ranges to be combined; see below for examples of syntax.


HOME_NET – Networks to be considered as internal. In the example above this contains both 192.168.0.0/16 and 172.16.1.0/24. Any system existing in these IP ranges will be treated as internal and therefore protected by the APD.

HTTP_SERVERS – The IP addresses of web servers that are to be protected by the APD, e.g. [192.168.0.1, 192.168.0.2, 192.168.0.3]

EXTERNAL_NET – IP range that should be considered untrusted, e.g. the Internet or a partner network. Setting this to !$HOME_NET will treat everything that is NOT (!) the local network ($HOME_NET) as untrusted. This is a simple method of specifying “everything that's not my home network should be treated as untrusted”.
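The variable syntax illustrated above (single addresses, CIDR ranges, [a,b,c] lists, ! negation and $NAME references to earlier variables) is the Snort 2 ipvar notation. The following added example, which is neither the guide's nor Snort's code, implements a small evaluator for that subset so you can check, before deploying, which variable a given host falls into. The snort.conf fragment EXAMPLE_CONF is constructed from the guide's own values; ipvar_matches() additionally shows a list with an excluded sub-range, which the guide does not illustrate.

```python
import ipaddress
import re


class Net:
    """A single address or CIDR block."""
    def __init__(self, text):
        self.net = ipaddress.ip_network(text, strict=False)

    def matches(self, ip):
        return ip in self.net


class Not:
    """Leading '!': matches everything the inner expression does not."""
    def __init__(self, inner):
        self.inner = inner

    def matches(self, ip):
        return not self.inner.matches(ip)


class Group:
    """A [a,b,!c] list: inside some positive entry and inside no negated entry.
    A list holding only negated entries matches everything outside them."""
    def __init__(self, items):
        self.pos = [i for i in items if not isinstance(i, Not)]
        self.neg = [i.inner for i in items if isinstance(i, Not)]

    def matches(self, ip):
        if any(n.matches(ip) for n in self.neg):
            return False
        return not self.pos or any(p.matches(ip) for p in self.pos)


TOKEN_RE = re.compile(r"\[|\]|,|!|\$\w+|[0-9A-Fa-f:./]+")


def _tokenize(expr):
    stripped = re.sub(r"\s+", "", expr)
    toks = TOKEN_RE.findall(stripped)
    if "".join(toks) != stripped:          # anything the tokenizer skipped is junk
        raise ValueError("unexpected characters in %r" % expr)
    return toks


def _parse_item(toks, i, env):
    if i >= len(toks):
        raise ValueError("unexpected end of expression")
    t = toks[i]
    if t == "!":
        inner, i = _parse_item(toks, i + 1, env)
        return Not(inner), i
    if t == "[":
        items, i = [], i + 1
        while i < len(toks) and toks[i] != "]":
            node, i = _parse_item(toks, i, env)
            items.append(node)
            if i < len(toks) and toks[i] == ",":
                i += 1
        if i >= len(toks):
            raise ValueError("unterminated '[' list")
        return Group(items), i + 1
    if t.startswith("$"):
        if t[1:] not in env:
            raise ValueError("undefined variable %s" % t)
        return env[t[1:]], i + 1
    return Net(t), i + 1                   # ipaddress raises ValueError on typos


def parse_ipvar(expr, env):
    toks = _tokenize(expr)
    node, i = _parse_item(toks, 0, env)
    if i != len(toks):
        raise ValueError("trailing tokens in %r" % expr)
    return node


def load_ipvars(lines):
    """Parse `ipvar NAME value` lines in order; a value may reference ($NAME) any
    variable defined on an earlier line, which is how EXTERNAL_NET builds on HOME_NET."""
    env = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[0] != "ipvar":
            raise ValueError("expected 'ipvar NAME value': %r" % line)
        env[parts[1]] = parse_ipvar(parts[2], env)
    return env


def classify(env, addr):
    """Which variables does this address fall into? -> {name: bool}"""
    ip = ipaddress.ip_address(addr)
    return {name: node.matches(ip) for name, node in env.items()}


def ipvar_matches(expr, addr, env=None):
    """Does addr fall inside the standalone expression expr?"""
    return parse_ipvar(expr, env or {}).matches(ipaddress.ip_address(addr))


# Constructed snort.conf fragment built from the guide's example values.
EXAMPLE_CONF = """
ipvar HOME_NET [192.168.0.0/16,172.16.1.0/24]
ipvar HTTP_SERVERS [192.168.0.1,192.168.0.2,192.168.0.3]
ipvar EXTERNAL_NET !$HOME_NET
"""

if __name__ == "__main__":
    env = load_ipvars(EXAMPLE_CONF.splitlines())
    for a in ("192.168.0.2", "172.16.1.9", "172.16.2.1", "8.8.8.8"):
        print(a, classify(env, a))
```

Running it makes one consequence of EXTERNAL_NET = !$HOME_NET concrete: a host such as 192.168.5.5 is never in EXTERNAL_NET, so a rule written with source $EXTERNAL_NET and destination $HOME_NET does not fire on traffic between two internal hosts. If you need the APD to see attacks moving laterally inside HOME_NET, that has to be taken into account when choosing the variable values and the rules enabled under Signatures.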

Deploying a configuration.

Before the device will act on a configuration change, the settings need to be deployed.

Select the Summary tab and click Submit to update the device, or Deploy Configurations in Device Groups.

Once the configuration is deployed, the sensing interfaces are ready to be connected to the live network.

Using your new Network Security System:

Now that you have your new system up and running, it is time to explore some of the fine features for your network security.

The CounterSnipe network security system:

Provides all information about all hosts on your network – access by clicking on hosts; see the figures below;


Select a host to obtain further information about it; see below.

Logs, alerts or drops bad traffic on your network – use the classifications provided to determine what actions you would like to carry out on what traffic. See the example setting below;

Enables you to write new policies based on thousands of template policies. Access these by clicking Signatures, the drop-down arrow next to Local, and choosing Policy Violations;


Provides you with all the information regarding intrusion events/policy violations that take place on your network; access by clicking Events.

Provides you with detailed information about particular events by providing the payload (data portion) of the packets.

Provides you with a way to block particular hosts from gaining access to the entire network or a particular segment of a network; access by clicking Signatures, New, give it a name, click the new signature, Edit, add the information as below and Submit. It will then adopt the local group policy.


Enables you to manage alerts by priority or criticality; access these by clicking ‘Alert Handling’.

Further information on the options available can be obtained from within the Management Console and by accessing the Admin Guide.

We would sincerely appreciate your feedback on how we could improve this document. Please let us have your thoughts by emailing [email protected]

Document Revised in May 2017. Copyright CounterSnipe Systems LLC. All rights reserved.