Hello friends! As you people
must be aware of various types of security issues facing by IT sector
originations daily. There are so many types of firewall and IDS or third party
software available to shoot out major different types of security issues in the
network.
In this article you will
learn how to configure the famous “SNORT as IDS” of IT sector originations which
work as real-time machine.
Snort is software created by Martin Roesch, which is widely use
as Intrusion Prevention System [IPS] and Intrusion Detection System [IDS] in network. It
is separated into the five most important mechanisms for instance: Detection
engine, Logging and alerting system, Packet decoder, Preprocessor and Output
modules.
The program is quite famous to
carry out real-time traffic analysis, also used to detect query or attacks,
packet logging on Internet
Protocol networks,
to detect malicious activity, denial of service attacks and port scans
by monitoring network traffic, buffer overflows, server message block probes, and
stealth port scans.
Snort can be configured in
three main modes:
·
Sniffer mode: it will observe
network packets and present them on the console.
·
Packet logger mode: it will record packets to the disk.
·
Intrusion detection mode: the program will monitor network
traffic and analyze it against a rule set defined by the user.
After
that the application will execute a precise action depend upon what has been
identified.
Let’s Begin!!
Snort Installation
We
had chosen ubuntu 14.04 operating
system for installation and configuration of snort. Earlier than installing
snort in your machine, you should need to install necessary dependencies of
ubuntu. Therefore open the terminal and type given below command to install pre-requisites:
sudo apt-get install -y build-essential libpcap-dev
libpcre3-dev libdumbnet-dev bison flex zlib1g-dev
mkdir ~/snort_src && cd ~/snort_src
Snort need
to set up the DAQ, or Data Acquisition
library, for packet I/O. The DAQ change
direct calls into lib pcap functions with an abstraction layer that facilitates
operation on a variety of hardware and software interfaces without requiring
changes to Snort. It is possible to
select the DAQ type and mode when
invoking Snort to perform pcap read back or inline operation, etc. The DAQ
library may be useful for other packet processing applications and the modular
nature allows you to build new modules for other platforms.
From given
below image you can confirm that we had successfully downloaded daq-2.0.6 tar
file.
Now execute given below command to extract tar file.
tar xvfz
daq-2.0.6.tar.gz
Move inside daq-2.0.6 folder by executing given below first
command and then execute second command for automatically installation and
configuration.
cd daq-2.0.6
./configure
&& make && sudo make install
Till here you had learn how install daq-2.0.6 for snort.
From given below
image you can confirm that we had successfully downloaded snort-2.9.11 tar
file.
Now execute given below command to extract tar file.
tar xvfz
snort-2.9.11.tar.gz
Move inside snort-2.9.11 folder by executing given below
first command and then execute second command for automatically installation
and configuration.
cd snort-2.9.11
./configure
--enable-sourcefire && make && sudo make install
Run following command to
manage and install shared libraries
sudo ldconfig
Type given below command for generating symbolic link
sudo ln -s
/usr/local/bin/snort /usr/sbin/snort
A symbolic link also known as soft link is a file
system entry that points to the file name and location. Deleting the
symbolic link does not remove the original file. If, on the other hand, the
file to which the soft link point is removed, the soft link stops working, it
is broken.
Now execute given below command that snort to verify itself
by testing its installation and configuration.
snort –V
The first part of snort installation finished here
Configure Snort to in
IDS Mode in Network
Execute given below command to create the snort user and
group, where snort will run as an unprivileged user.
sudo groupadd snort
sudo useradd snort -r
-s /sbin/nologin -c SNORT_IDS -g snort
Above command will create a group as “snort” and add a member
“snort” into it.
Type given below command to create the Snort
directories:
sudo
mkdir /etc/snort
sudo
mkdir /etc/snort/rules
sudo
mkdir /etc/snort/rules/iplists
sudo
mkdir /etc/snort/preproc_rules
sudo
mkdir /usr/local/lib/snort_dynamicrules
sudo
mkdir /etc/snort/so_rules
Type given below command to create some files that stores
rules and ip lists
sudo touch
/etc/snort/rules/iplists/black_list.rules
sudo touch
/etc/snort/rules/iplists/white_list.rules
sudo touch
/etc/snort/rules/local.rules
sudo touch
/etc/snort/sid-msg.map
Type given below command to create our logging
directories:
sudo mkdir
/var/log/snort
sudo mkdir
/var/log/snort/archived_logs
Type given below command to adjust permissions:
sudo chmod -R 5775
/etc/snort
sudo chmod -R 5775
/var/log/snort
sudo chmod -R 5775
/var/log/snort/archived_logs
sudo chmod -R 5775
/etc/snort/so_rules
sudo chmod -R 5775
/usr/local/lib/snort_dynamicrules
Snort required some configuration files and the dynamic
preprocessors to be copied from the Snort source folder into the /etc/snort
folder therefore execute given below command for that.
cd
snort_src/snort-2.9.11/etc/
sudo cp *.conf*
/etc/snort
sudo cp *.map /etc/snort
sudo cp *.dtd /etc/snort
cd
snort_src/snort-2.9.11/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/
sudo cp *
/usr/local/lib/snort_dynamicpreprocessor/
Editing snort configuration
file
Now
we need to comment out all rulesets with the following command:
sudo sed -i
"s/include \$RULE\_PATH/#include \$RULE\_PATH/" /etc/snort/snort.conf
After then open the configuration file using gedit for
making some changes inside.
sudo gedit /etc/snort/snort.conf
Scroll down the text file near line number 45 to specify your network for protection as shown in given image.
#Setup the network addresses you are protecting
ipvar HOME_NET 192.168.1.1/24
Now again scroll down near line number 108 to set the path
of your rule file which you had created above for storing snort rules, as shown
in given below image.
var RULE_PATH
/etc/snort/rules
var SO_RULE_PATH
/etc/snort/so_rules
var PREPROC_RULE_PATH
/etc/snort/preproc_rules
var WHITE_LIST_PATH
/etc/snort/rules/iplists
var BLACK_LIST_PATH
/etc/snort/rules/iplists
One more time scroll down the text near line number 546 to
uncomment highlighted text.
include
$RULE_PATH/local.rules
Save the file and close it once all the editing is done in
snort configuration file.
sudo
snort -T -i eth0 -c /etc/snort/snort.conf
Now it will compile the complete file and test
the configuration setting automatically as shown in given below image:
