
Linuxcbt Nids Notes


Page 1: Linuxcbt Nids Notes

LinuxCBT NIDS Edition - Snort:
1. Snort is considered to be an NIDS/NIPS solution NOT an IDS/IPS solution
2. Confirm MD5SUM - using md5sum
3. Verify the PGP/GPG signature - gpg --verify snort*.sig snort*.gz
4. pcre* - performs parsing of traffic using Perl-compatible Regular Expressions
5. libpcap - facilitates packet capturing @ a low level in the OSI model

OSI Model contains 7 Layers:
7 - Application
6 - Presentation
5 - Session
4 - Transport (sport:3100 - dport:80)
3 - IP routing (source_ip:192.168.1.20 - destination_ip:192.168.1.1)
2 - Data-Link (MAC) - Framing (Ethernet) - LIBPCAP (Snort)
1 - Physical - Switch/NIC/Hub/etc.

Snort's Modes of Operation:
1. There are 3 modes.
Sniffing Mode - TCPDUMP - Packet Sniffer
  Sniffing mode logs to the console, which is VERY slow. Consequently, Snort is subject to dropping a high percentage of packets.
Note: Snort needs root privileges to change the NIC into promiscuous mode
Note: Snort binds to 'eth0' by default

snort -v - dumps TCP/IP packet headers
snort -vd - dumps to the output location TCP/UDP/ICMP headers
snort -vde - dumps full packet information (TCP/UDP/ICMP/IP headers and payload)
snort -vd(e) - layer 2 related - MAC addresses
snort -v(d) - application layer (Layer 7) information

2. Snort as a Packet Logger
 a. default packet mode logs using ASCII files
 b. only information specified using the -vde options will be captured (ASCII)
 c. logging mode utilizes the same -vde switches to log information plus the -l switch to indicate the location of the output
  snort -v -K ascii -l ./log - operates @ layers 3,4
  snort -ve -K ascii -l ./log - operates @ layers 2,3,4 in the OSI model
  snort -vde -K ascii -l ./log - operates @ layers 2,3,4,5,6,7
 Tip: Use managed switches and restrict port capabilities to lessen eavesdropping/passive attacks (sniffing).
 d. Binary Logging Mode - snort -b
  Snort logs layers 2-7 when using binary mode
  Default log directory is /var/log/snort
  Default nomenclature for the binary output file: snort.log.<Unix Epoch Timestamp>

snort -b -L test.snort.binary.1 - writes /var/log/snort/test.snort.binary.1
Use fast disks for logging - 7200RPM or better/RAID 0

Berkeley Packet Filters (BPF) - feasible to log to screen (Sniffing mode)
1. Snort supports filtering captured traffic using BPFs
2. We need to use one or more qualifiers
3. 3 major categories of qualifiers:
 a. Type qualifiers: host (default), net, port
 b. Directional qualifiers: src, dst, src or dst (default), src and dst
 c. Protocol qualifiers: tcp, udp, ether, ip, arp (ip-mac), rarp (mac-ip)

BPF supports the logical operators and, or and not
Note: BPF rules are specified AFTER the normal snort options
Syslog BPF: snort -vde port 514
When combining qualifiers you usually don't need to specify the qualifier twice, i.e.


snort -vde port 514 or 123
snort -vde not port 5901
snort -vdeC src 192.168.1.30 and not dst port 32790
Logging with BPFs - snort -b -l ./log not port 5901
Note: consider the perspective of the Snort box when writing rules
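The qualifier-inheritance rule above (a bare value takes the most recent type/direction/protocol qualifier, host being the default type and src-or-dst the default direction), as an added example that is not part of the original notes: a small Python parser for the and/or/not subset of BPF used here (no parentheses, no ether/arp/rarp) and a matcher that evaluates the page's own filters against constructed packets.

```python
import ipaddress

def parse_bpf(expr):
    """Parse a BPF subset (and/or/not, no parentheses) into OR-groups of AND-ed primitives; a bare value inherits the latest qualifiers."""
    groups, group = [], []
    st = {"neg": False, "proto": None, "dir": None, "kind": "host", "pending": False}
    def emit(value):
        group.append((st["neg"], st["proto"], st["dir"], st["kind"], value))
        st["neg"] = st["pending"] = False
    for tok in expr.split() + ["and"]:  # trailing 'and' flushes a dangling protocol primitive
        if tok in ("and", "or"):
            if st["pending"]:  # bare protocol primitive such as 'tcp' or 'not tcp'
                emit(None)
            if tok == "or":
                groups.append(group)
                group = []
        elif tok == "not":
            st["neg"] = not st["neg"]
        elif tok in ("tcp", "udp", "icmp", "ip"):
            st["proto"], st["pending"] = tok, True
        elif tok in ("src", "dst"):
            st["dir"] = tok
        elif tok in ("host", "net", "port"):  # type qualifier; host is the default
            st["kind"] = tok
        else:  # a value: in 'port 514 or 123' the 123 also gets the port qualifier
            emit(tok)
    groups.append(group)
    return groups

def match_primitive(prim, pkt):
    neg, proto, direction, kind, value = prim
    ok = pkt["proto"] in ("tcp", "udp", "icmp") if proto == "ip" else (not proto or pkt["proto"] == proto)
    if ok and value is not None:
        fields = ("sport", "dport") if kind == "port" else ("src", "dst")
        if direction:  # 'src'/'dst' restrict the side; the default is src or dst
            fields = (fields[0],) if direction == "src" else (fields[1],)
        vals = [pkt[f] for f in fields if f in pkt]  # ICMP packets carry no ports
        if kind == "net":
            net = ipaddress.ip_network(value, strict=False)
            ok = any(ipaddress.ip_address(v) in net for v in vals)
        else:
            ok = any(str(v) == value for v in vals)
    return ok != neg  # apply 'not'

def bpf_matches(expr, pkt):
    return any(all(match_primitive(p, pkt) for p in g) for g in parse_bpf(expr))

# Constructed sample packets shaped like Snort's decoded output (not real captures).
PKT_SYSLOG = {"proto": "udp", "src": "192.168.1.20", "dst": "192.168.1.1", "sport": 40000, "dport": 514}
PKT_VNC = {"proto": "tcp", "src": "192.168.1.30", "dst": "192.168.1.1", "sport": 32790, "dport": 5901}
```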

Snort can read TCPDUMP-compliant binary files using BPFs
1. snort -vder snort.log.1134955365 <BPF>

Use Snort in Daemon Mode to log interesting traffic.
snort -b -l ./log -D port 21

Configure Cisco Switch with appropriate VLANs and security
1. VLAN 1 - 192.168.1.0/24 - management subnet
2. VLAN 2 - represents the External (Internet) VLAN (PIX Firewall/ISP Device)
3. VLAN 3 - for all unused ports
Cisco 3500-48 Switch Management IP: 192.168.1.253
4. Disable all unused ports and assign them to VLAN 3
5. Secure access to the vty (telnet) ports using an access-list
6. Configure Network Time Protocol (NTP)

Common terms related to SPAN:
1. Port Mirroring
2. SPAN
3. Port Monitoring

Applying Packet Sniffing and logging modes to SPAN traffic - External
snort -vde -i eth1
snort -b -l ./log -i eth1

Note: Stealth Snort Interfaces should NOT have a layer-3 address!
1. Disable the layer-3 address

Configure Secondary Snort NIDS/NIPS Sensor - Sensor #2 (linuxcbtserv3)
1. configured the Cisco Switch port
2. ensured that the NIC was configured with static settings and no IP address
Note: We should only see the following traffic on Sensor #2:
 a. Traffic from internal hosts to the Internet
 b. Return traffic from the Internet
 c. holes configured on the external firewall permitting inbound traffic

Prepare Snort to be an NIDS/NIPS (IPTables)
Note: NIDS/NIPS mode differs from the Sniffing/Packet-logging modes in that, in NIDS/NIPS mode, Snort compares traffic to pre-defined rules.
1. prepare /etc/snort (snort.conf, rules, associated files)
Snort's traffic flow:
 a. Capture (NIC is in promiscuous mode/SPAN is enabled) ->
 b. decode (normalization) ->
 c. preprocessor (third-party modules) ->
 d. detection engine (pattern-matching of traffic to signatures) ->
 e. output logging (TCPDump, DBMS, CSV, etc.)
TCP 3-Way Handshake
1. attacker (client) -> SYN host (server)
2. host -> ACK attacker
3. attacker -> SYN|ACK

Stage 1 attacks (Reconnaissance Attacks) - Gather information
 a. the attacker tends to use stealth means

frag2/frag3 preprocessor notes:
 a. packets are fragmented during transmission across the Internet
  1. 1500 bytes - Message/Maximum Transfer Unit (MTU), i.e. a 3000-byte file gets fragmented into 2 1500-byte packets - the defragmentation preprocessors reassemble the 3000-byte file
Preprocessors are defined to pick up reconnaissance attacks (NMAP)

Preprocessor - sfPortscan
scan_type { portscan portsweep decoy_portscan distributed_portscan all }
 a. portscan - is vertical - scans 1 host for all open ports
 b. portsweep - is horizontal - scans many hosts (IP block) for 1 or more common open ports
 c. decoy_portscan - IP spoofing - intersperses fake IPs with the real IP
 d. distributed_portscan - DDOS-style, scan from multiple hosts
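As an added illustration (not LinuxCBT's or Snort's code) of what the portscan, portsweep and distributed_portscan types above look like in data: a Python classifier over constructed (src, dst, dport) connection attempts, the kind of per-source and per-target counting a detection engine does before it raises a scan event. The thresholds are assumed for the example, not sfPortscan's sensitivity levels.

```python
from collections import defaultdict

def classify_scans(events, port_threshold=5, host_threshold=5):
    """Classify sources from (src, dst, dport) connection attempts:
    'portscan'  - vertical: one source hits >= port_threshold ports on one host
    'portsweep' - horizontal: one source hits one port on >= host_threshold hosts
    Thresholds are constructed for this example, not sfPortscan's tuned values."""
    by_src = defaultdict(lambda: defaultdict(set))  # src -> dst -> {ports}
    for src, dst, dport in events:
        by_src[src][dst].add(dport)
    findings = {}
    for src, targets in by_src.items():
        kinds = []
        if any(len(ports) >= port_threshold for ports in targets.values()):
            kinds.append("portscan")
        hosts_per_port = defaultdict(set)  # port -> hosts probed on that port
        for dst, ports in targets.items():
            for p in ports:
                hosts_per_port[p].add(dst)
        if any(len(hosts) >= host_threshold for hosts in hosts_per_port.values()):
            kinds.append("portsweep")
        if kinds:
            findings[src] = "+".join(kinds)
    return findings

def distributed_scans(events, source_threshold=4, port_threshold=5):
    """Distributed portscan: many sources each probe a few ports on the same target,
    but together they cover >= port_threshold ports. Returns {dst: sorted sources}."""
    by_dst = defaultdict(lambda: defaultdict(set))  # dst -> src -> {ports}
    for src, dst, dport in events:
        by_dst[dst][src].add(dport)
    found = {}
    for dst, sources in by_dst.items():
        all_ports = set().union(*sources.values())
        if len(sources) >= source_threshold and len(all_ports) >= port_threshold:
            found[dst] = sorted(sources)
    return found

# Constructed connection attempts (src, dst, dport); no real capture is involved.
EVENTS = (
    [("10.0.0.5", "192.168.1.20", p) for p in (21, 22, 23, 25, 80, 110, 143, 443)]  # vertical
    + [("10.0.0.9", "192.168.1.%d" % h, 22) for h in range(10, 18)]                 # horizontal
    + [("10.0.1.%d" % i, "192.168.1.50", 1000 + i) for i in range(1, 7)]            # distributed
    + [("192.168.1.20", "192.168.1.1", 53), ("192.168.1.20", "192.168.1.1", 80)]    # benign
)
```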

Implementing latest Community rules:
Note: if you start Snort in NIDS/NIPS modes without rules, it will fail

Snort's Outputs:
Separate Alerts (a rule has been matched) from Logs (packets captured)
Default log location is a TCPDump-compliant binary file in /var/log/snort
Default Alert location is an ASCII file in /var/log/snort

SYSLOG:
output alert_syslog: <facility> <priority> <options>

Unified Logging:
1. Snort's core competencies include the following:
 a. Capturing traffic from stealth/non-stealth interfaces
 b. Analyzing captured data
Note: Unified logging allows Snort to focus on its core competencies

2. Unified logging does the following:
 a. Outputs both Log and Alert data to binary (TCPDump) format
 b. Snort allows a separate program to process the log & alert data
 c. Snort becomes a 2-process (Snort, Barnyard) environment
3. Steps to configuring Unified Logging:
 a. reconfigure snort.conf - set up the Unified output plugins
 b. Download and configure the Barnyard post-processor
4. Installation steps for Barnyard
 a. ./configure
 b. make
 c. make install - perform as root - allows copy of the binary to /usr/local/bin

5. Barnyard operates in 3 modes
 a. One-shot -o - process the specified binary file in one pass
 b. Continual -f - Default Mode
 c. Continual with checkpoint -w - Writes a checkpoint file for easy recovery
Note: Barnyard relies upon /etc/snort/barnyard.conf

Configuring BASE for web-based analysis:
1. ADODB
2. BASE
3. php-gd*

Securing BASE Console:
1. Configure Apache for basic authentication (clear text)

Output Database section of snort.conf - make sensors unique by:
sensor_name=sensor1
sensor_name=sensor2

Configuring Startup Environment for NIDS Framework:
1. Configure each sensor to load Snort @ startup
2. Configure DBMS/HTTP (BASE) to start MySQL & HTTPD @ startup

#Initialize Snort Sensor
#Enable sensor on Stealth - External - Internet-facing Interface
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -D

#Enable sensor on Management - Non-Stealth - Intranet-facing Interface
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -D

Understand Snort Rules:
Rules contain 2 sections:
 a. Rule Header
 b. Rule Body

Rule Header:
alert|pass|drop|etc. tcp|udp|icmp|ip $EXTERNAL_NET any ->|<> 192.168.1.0/24 80
Rule Body:
(content:"bad string"; msg:"Hack Attempt";)
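An added example, not from the notes or from Snort itself, of how the header and body above are interpreted: a Python parser for this rule shape and a matcher that applies the header (protocol, $EXTERNAL_NET, direction, CIDR, port) and the content option to constructed packets. The $EXTERNAL_NET/$HOME_NET values are assumed, and the sid/rev options, which Snort expects on every rule, are added to the page's rule.

```python
import ipaddress
import re

# Constructed variable table; the page names $EXTERNAL_NET, these values are assumed.
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24"}

HEADER = re.compile(r"^(alert|log|pass|drop|reject|sdrop)\s+(tcp|udp|icmp|ip)\s+(\S+)\s+(\S+)"
                    r"\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(text):
    """Split a rule into header fields and a dict of body options (msg, content, sid, ...).
    Options are split on ';', so a content string containing ';' is not supported here."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("malformed rule: " + text)
    action, proto, sa, sp, direction, da, dp, body = m.groups()
    opts = {}
    for opt in (o.strip() for o in body.split(";")):
        if opt:
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": (sa, sp), "dir": direction, "dst": (da, dp), "opts": opts}

def _endpoint_ok(addr_spec, port_spec, ip, port):
    addr_spec = VARS.get(addr_spec, addr_spec)  # expand $VARS; a leading '!' negates
    if addr_spec != "any":
        negate = addr_spec.startswith("!")
        net = ipaddress.ip_network(addr_spec.lstrip("!"), strict=False)
        if (ipaddress.ip_address(ip) in net) == negate:
            return False
    return port_spec == "any" or str(port) == port_spec

def rule_matches(rule, pkt):
    """Header: protocol and addresses/ports in the rule's direction ('<>' tries both ways).
    Body: the content option, if present, must occur in the payload."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    s, d, sp, dp = pkt["src"], pkt["dst"], pkt.get("sport"), pkt.get("dport")
    forward = _endpoint_ok(*rule["src"], s, sp) and _endpoint_ok(*rule["dst"], d, dp)
    reverse = rule["dir"] == "<>" and _endpoint_ok(*rule["src"], d, dp) and _endpoint_ok(*rule["dst"], s, sp)
    if not (forward or reverse):
        return False
    content = rule["opts"].get("content")
    return content is None or content.encode() in pkt.get("payload", b"")

RULE = 'alert tcp $EXTERNAL_NET any -> 192.168.1.0/24 80 (msg:"Hack Attempt"; content:"bad string"; sid:1000001; rev:1;)'
# Constructed inbound request carrying the string; not a real capture.
PKT_IN = {"proto": "tcp", "src": "203.0.113.7", "dst": "192.168.1.10", "sport": 51000, "dport": 80,
          "payload": b"POST /login HTTP/1.1\r\n\r\nuser=bad string"}
```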

Auto-Rules Update:
Download and use oinkmaster from oinkmaster.sourceforge.net