Snort
Snort is a free lightweight network intrusion detection system for both UNIX and Windows.
Combining the benefits of signature, protocol, and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide.
In this blog post I am going to show you how to install Snort from source, write rules, and perform basic testing.
Download and Extract Snort
# cd /usr/src
# wget -O snort-2.8.6.1.tar.gz http://www.snort.org/downloads/116
# tar xvzf snort-2.8.6.1.tar.gz
Install Snort
Before installing Snort, make sure you have the development packages of libpcap and libpcre installed.
These are essential to build a working IDS.
# apt-get install snort-mysql
# apt-get install libpcap0.8-dev
# apt-get install libnet1-dev
# apt-get install build-essential
# apt-get install checkinstall
# apt-get install libpcre3-dev
# apt-get install libmysqlclient12-dev
# cd snort-2.8.6.1
# ./configure
# make
# make install
Create the required files and directories
# mkdir /etc/snort
# mkdir /etc/snort/rules
# mkdir /var/log/snort
Copy two files into our new /etc/snort/rules directory:
- classification.config: defines URLs for the references found in the rules.
- reference.config: includes information for prioritizing rules.
# cp snort-2.8.6.1/etc/classification.config /etc/snort/rules/
# cp snort-2.8.6.1/etc/reference.config /etc/snort/rules/
Create a user called snort to launch Snort:
# useradd snort -d /var/log/snort -s /bin/false -c SNORT_IDS
Create a log directory owned by the snort user:
You first need to run the "configure" script to check the dependencies and prepare Snort to be compiled with MySQL support.
# cd snort-2.8.6.1
# ./configure --with-mysql
Create the following snort.conf and icmp.rules files:
# cat /etc/snort/snort.conf
include /etc/snort/rules/icmp.rules
# cat /etc/snort/rules/icmp.rules
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)
Run Snort
Run Snort from the command line as shown below.
# snort -c /etc/snort/snort.conf -l /var/log/snort/
Ping some IP address from your machine to trigger our ICMP rule, then check the alert file:
# head /var/log/snort/alert
[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
07/27-20:41:57.230345 > l/l len: 0 l/l type: 0x200 0:0:0:0:0:0
pkt type:0x4 proto: 0x800 len:0x64
209.85.231.102 -> 209.85.231.104 ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:24905 Seq:1 ECHO
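As an added example (not code from the original post), here is a small Python script that parses the rule syntax used in icmp.rules above and the records Snort writes to /var/log/snort/alert, then matches each alert's [gid:sid:rev] tag back to the rule that produced it. This is the check a defender does when triaging hits: confirm the SID exists in the loaded rule set and that the revision in the alert matches the rule on disk. The rule text and alert log embedded below are constructed samples modelled on the ones shown above; the function names and regexes are my own.

```python
"""Parse a Snort rules file and the text 'alert' log, then correlate them by SID."""
import re

# Constructed sample: the same rule the post writes to /etc/snort/rules/icmp.rules.
SAMPLE_RULES = '''
# ICMP catch-all rule
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)
'''

# Constructed sample: two records in the format Snort writes to /var/log/snort/alert.
SAMPLE_ALERT_LOG = '''[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
07/27-20:41:57.230345 209.85.231.102 -> 209.85.231.104
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:24905 Seq:1 ECHO

[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
07/27-20:41:58.231001 209.85.231.104 -> 209.85.231.102
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84
Type:0 Code:0 ID:24905 Seq:1 ECHO REPLY
'''

# Rule header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
# Alert record pieces: "[**] [gid:sid:rev] msg [**]", "[Priority: n]", timestamp/addresses, protocol line
ALERT_HEADER_RE = re.compile(r'^\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]$')
PRIORITY_RE = re.compile(r'^\[Priority: (?P<prio>\d+)\]$')
PACKET_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+)$')
PROTO_RE = re.compile(r'^(?P<proto>[A-Z]+) TTL:(?P<ttl>\d+)')


def parse_rules(text):
    """Return {sid: rule-dict} for every non-comment rule line."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError('unparseable rule: %s' % line)
        rule = m.groupdict()
        opts = {}
        # Options are "key:value;" pairs; the value may be a quoted string.
        for opt in rule.pop('opts').split(';'):
            opt = opt.strip()
            if not opt:
                continue
            key, _, value = opt.partition(':')
            opts[key.strip()] = value.strip().strip('"')
        rule['msg'] = opts.get('msg')
        rule['sid'] = int(opts['sid'])  # every Snort rule must carry a sid
        rule['rev'] = int(opts.get('rev', 1))
        rules[rule['sid']] = rule
    return rules


def parse_alerts(text):
    """Split the 'alert' file into records, one per [**] header line."""
    records = []
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        m = ALERT_HEADER_RE.match(line)
        if m:
            current = {k: (v if k == 'msg' else int(v)) for k, v in m.groupdict().items()}
            records.append(current)
            continue
        if current is None or not line:
            continue
        m = PRIORITY_RE.match(line)
        if m:
            current['priority'] = int(m.group('prio'))
            continue
        m = PACKET_RE.match(line)
        if m:
            current.update(ts=m.group('ts'), src=m.group('src'), dst=m.group('dst'))
            continue
        m = PROTO_RE.match(line)
        if m:
            current.update(proto=m.group('proto'), ttl=int(m.group('ttl')))
    return records


def correlate(rules, alerts):
    """Attach the matching rule to each alert and flag unknown SIDs or stale revisions."""
    out = []
    for a in alerts:
        rule = rules.get(a['sid'])
        if rule is None:
            status = 'unknown-sid'
        elif rule['rev'] != a['rev']:
            status = 'rev-mismatch'
        else:
            status = 'ok'
        out.append(dict(a, rule=rule, status=status))
    return out


if __name__ == '__main__':
    for rec in correlate(parse_rules(SAMPLE_RULES), parse_alerts(SAMPLE_ALERT_LOG)):
        print(rec['ts'], rec['src'], '->', rec['dst'], rec['proto'], 'sid=%d' % rec['sid'], rec['status'])
```

On a real box you would read the two inputs from /etc/snort/rules/icmp.rules and /var/log/snort/alert instead of the embedded samples; an "unknown-sid" result means the alert file holds hits from a rule that is no longer in the rule set, and "rev-mismatch" means the rule was edited after the alert fired, so the message text may no longer describe what matched.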
Alert Explanation
# snort -dev -i ppp0 -c /etc/snort/snort.conf -l /var/log/snort/
Configure the database
Add a password for the MySQL root user:
# mysqladmin -u root password new_root_password
Create the MySQL database and tables
# mysql -u root -p
mysql> create database snort;
Packaged installation
Find the table definitions shipped with the package:
# dpkg -L snort-mysql
We are looking for the create_mysql.gz file; it is normally located in the /usr/share/doc/snort-mysql folder.
# gzip -d /usr/share/doc/snort-mysql/create_mysql.gz
Import the MySQL tables:
# mysql -u root -p snort < /usr/share/doc/snort-mysql/create_mysql
Configure Snort for SQL
We now have to forward the logs into the MySQL database.
The output plugin is already set up by the snort-mysql package; we only need to configure the username and password used to access the snort database (that MySQL account must exist and have rights on the snort database, or Snort will fail to start).
In the /etc/snort/snort.conf file, change the line between (#DBSTART#) and (#DBEND#):
output database: log, mysql, user=snortuser password=snortpassword dbname=snort host=localhost
Uncomment the following lines:
ruletype redalert
{
type alert
output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user=snortuser password=snortpassword dbname=snort host=localhost
}
Start Snort!
# snort -u snort -c /etc/snort/snort.conf
Snort now runs as the snort user and loads the configuration stored in the /etc/snort/snort.conf file.
To start Snort automatically after a reboot, add the following line to /etc/crontab:
@reboot root snort -u snort -c /etc/snort/snort.conf >> /dev/null
In my next blog post I am going to show you how to configure Snort as an IPS.