Snort is an open source intrusion detection and prevention system first released by Martin Roesch in 1998. It performs live traffic analysis and packet logging on IP networks, and can do protocol analysis and content searching and matching. Snort uses a flexible rules language to describe the traffic that should be matched, together with a detection engine built on a modular plug-in architecture. It can detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes and OS fingerprinting attempts. Snort also supports real-time alerting through syslog, a user-specified file, a UNIX socket or WinPopup messages to Windows clients.
Snort can be run in three main modes: sniffer, packet logger and network intrusion detection.
Sniffer mode: Snort reads packets off the network and prints them to the console, much like tcpdump.
Packet logger mode: Snort logs the packets to disk.
Network intrusion detection mode: Snort monitors network traffic and analyses it against a rule set defined by the user, alerting on (or, when inline, dropping) whatever matches.
Snort consists of five major components: the packet decoder, preprocessors, the detection engine, the logging and alerting system, and output modules.
The packet decoder collects packets from the network interface (through DAQ) and decodes the link, network and transport layer headers so that the later stages can work on them.
Preprocessors normalise and reassemble traffic before the detection engine sees it, for example reassembling IP fragments and TCP streams. Some preprocessors also do detection of their own, such as flagging port scans, and raise their own events.
The detection engine is the core of Snort. It runs each decoded packet through the loaded rule set, applying first the rule header (protocol, addresses, ports, direction) and then the rule options (content, pcre, flags and so on) to the relevant parts of the packet.
When a rule matches, the logging and alerting system records the packet or generates an alert.
Output modules (output plugins) control what the logging and alerting system produces, for example writing events to a database such as MySQL, sending them to a syslog server, or, as here, writing them as unified2 records for Barnyard2 to read. For this project the alerts are displayed on a web interface through BASE, served by the Apache web server. The tools used for this project are:
• Snort
• DAQ
• MySQL
• Barnyard2
• BASE
• Apache Web Server
• Bodgeit
To run the Snort box, three machines are connected through two network adapters in the Snort box, one per subnet:
Adapter 1 (eth0): 192.168.248.0, the victim side
Adapter 2 (eth1): 192.168.232.0, the attacker side
Netmask: 255.255.255.0
Snort router: Ubuntu at 192.168.248.1 (eth0) and 192.168.232.1 (eth1), with net.ipv4.ip_forward=1 so that it routes between the two subnets
Attacking machine: Kali Linux at 192.168.232.2
Victim machine: Ubuntu 12.04 at 192.168.248.2
To set up Snort we first install the build prerequisites:
sudo apt-get install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev
The packages installed by that command are:
build-essential: a metapackage that pulls in the compiler, make and the other tools needed to build software from source.
bison, flex: a parser generator and a lexical analyser generator; the DAQ and Snort source builds need them.
libpcap-dev: the packet capture library through which DAQ and Snort read traffic; it provides low-level access to the network interfaces.
libpcre3-dev: the Perl Compatible Regular Expressions library, used by Snort's pcre rule option.
libdumbnet-dev: libdnet, packaged as libdumbnet on Debian and Ubuntu, a small portable networking library with simple interfaces to low-level routines such as address handling and raw packet output.
zlib1g-dev: the zlib compression library, which Snort's HTTP inspect preprocessor uses to decompress gzip-encoded HTTP responses before inspecting them.
Two adapters are installed in the Snort box. They are configured by editing the network interfaces file, which lives under /etc:
sudo nano /etc/network/interfaces
Edit the interfaces file so that it contains the following:
auto lo
iface lo inet loopback
# interface for the victim side
auto eth0
iface eth0 inet static
address 192.168.248.1
netmask 255.255.255.0
# interface for the attacker side
auto eth1
iface eth1 inet static
address 192.168.232.1
netmask 255.255.255.0
Network interface configuration for the Snort box.
After the network configuration is complete, it is tested with the ifconfig command. For the box to route between the two subnets, IP forwarding (net.ipv4.ip_forward) must also be enabled in sysctl.
ifconfig output
With the prerequisites installed and the network interfaces configured, we are ready to install Snort. Create a folder named snort-install under /usr; all the files needed to build and run Snort are downloaded there (the commands below need write access to it, so run them as root or via sudo):
sudo mkdir /usr/snort-install
cd /usr/snort-install
Snort reads and writes packets through the Data Acquisition library (DAQ), which abstracts the calls to the underlying packet capture mechanism (pcap, afpacket, nfq and others). This layer lets Snort run on top of different capture methods, chosen by configuration, without changes to Snort itself. The DAQ library is downloaded from snort.org as a tar.gz file:
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
The downloaded file is extracted with:
tar xvfz daq-2.0.6.tar.gz
Change into the extracted directory:
cd daq-2.0.6
Then configure, build and install the DAQ library:
./configure && make && sudo make install
The next step is installing Snort from source, following the same process as for DAQ. When configuring the build we pass the --enable-sourcefire flag, which enables Packet Performance Monitoring (PPM), giving basic control over how much time Snort may spend on a packet or a rule.
cd /usr/snort-install
wget https://www.snort.org/downloads/snort/snort-2.9.9.0.tar.gz
tar xvfz snort-2.9.9.0.tar.gz
cd snort-2.9.9.0
./configure --enable-sourcefire && make && sudo make install
The last step of the Snort installation is to check that the binary runs without error messages. Running snort -V prints the version of Snort installed, together with the DAQ and libpcap versions it was built against. Once snort.conf and the rules are in place, snort -T -c /etc/snort/snort.conf parses the whole configuration and rule set and reports any errors without starting to sniff; this is the check to run after every rule change.
Snort rules are downloaded from snort.org with wget. The rule snapshot is a tar.gz file whose version matches the Snort release (snortrules-snapshot-2990.tar.gz for Snort 2.9.9.0); the registered rule sets need a free snort.org account, whose Oinkcode goes into the download URL. The archive is extracted directly into /etc/snort, which must already exist (it is created below):
tar -xvzf snortrules-snapshot-2990.tar.gz -C /etc/snort/
After downloading the rules, the following folders and files are created for running Snort in IPS mode. The different files live in these locations:
• Configuration files: /etc/snort
• Rules: /etc/snort/rules and /usr/local/lib/snort_dynamicrules
• Logs: /var/log/snort
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /etc/snort/rules/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/rules/so_rules
sudo touch /etc/snort/rules/white_list.rules
sudo touch /etc/snort/rules/black_list.rules
sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs
sudo chmod 777 /etc/snort
sudo chmod 777 /var/log/snort
sudo chmod 777 /etc/snort/rules/so_rules
sudo chmod 777 /usr/local/lib/snort_dynamicrules
The empty white_list.rules and black_list.rules files are referenced by the reputation preprocessor in snort.conf, which fails to load without them. Mode 777 makes the directories world-writable, which is acceptable only on a throwaway lab box: any local account could then change the rules Snort loads or tamper with its logs. On anything else, create a dedicated snort user and give it ownership of these directories instead.
The configuration files shipped in the rules tarball (snort.conf, classification.config, reference.config and the others under its etc/ directory) are then moved up into /etc/snort:
sudo mv /etc/snort/etc/* /etc/snort
Snort is configured by editing a few lines in snort.conf. We used gedit:
sudo gedit /etc/snort/snort.conf
First, Snort needs to know the address range of the home network and what counts as external. This is done on lines 45 and 48 of snort.conf. Here the home network is 192.168.248.0 with a 24-bit mask (255.255.255.0), and every other network is external:
ipvar HOME_NET 192.168.248.0/24 # (line 45)
ipvar EXTERNAL_NET !$HOME_NET # (line 48)
Next, tell Snort where the folders created earlier are, by setting these variables in snort.conf:
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/rules/so_rules
var PREPROC_RULE_PATH /etc/snort/rules/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
We also want Snort to load one extra rule file, /etc/snort/rules/snort-lab.rules, which holds our own rules. Add the following line to snort.conf alongside the other include lines:
include $RULE_PATH/snort-lab.rules
To run Snort in IPS mode, the DAQ is set to the afpacket type in inline mode, and the policy mode is set to inline so that drop rules actually drop rather than only alert, using these settings in snort.conf:
config daq: afpacket
config policy_mode: inline
config daq_mode: inline
Finally, Snort must be told to write its events in the unified2 binary format, which is what Barnyard2 reads. After line 520 of /etc/snort/snort.conf, in the output plugins section, add the following line and save the file:
output unified2: filename snort.u2, limit 128
This writes events to files named snort.u2.<timestamp> in the log directory, starting a new file whenever the current one reaches 128 MB.
Now that Snort is configured, the custom rules for this project are written to the snort-lab.rules file:
sudo gedit /etc/snort/rules/snort-lab.rules
The following rules are added to the rule file.
Check for inverse TCP flag scans
Inverse TCP flag scans probe a port with an abnormal flag combination and infer the port state from whether a RST comes back. Because the flags option without a modifier is an exact match, these rules fire only on the bare probe and not on ordinary FIN/ACK or PSH/ACK segments. A FIN probe has only the FIN flag set:
• alert tcp !$HOME_NET any -> 192.168.248.2 any (flags:F; msg:"FIN scan detected"; sid:1000032; rev:1;)
An XMAS probe has the FIN, PSH and URG flags set:
• alert tcp !$HOME_NET any -> 192.168.248.2 any (flags:FPU; msg:"XMAS scan detected"; sid:1000033; rev:1;)
A NULL probe has no TCP flags set:
• alert tcp !$HOME_NET any -> 192.168.248.2 any (flags:0; msg:"NULL scan detected"; sid:1000034; rev:1;)
Check whether data is carried on a SYN segment:
• alert tcp !$HOME_NET any -> 192.168.248.2 any (flags:S; dsize:>0; msg:"Data carried on SYN packet"; sid:1000035; rev:1;)
Check whether IP options are present in the IP header:
• alert ip !$HOME_NET any -> 192.168.248.2 any (ipopts:any; msg:"ip options detected"; sid:1000036; rev:1;)
Check whether fragmented packets are received (the More Fragments bit is set):
• alert icmp !$HOME_NET any -> 192.168.248.2 any (fragbits:M; msg:"Fragmentation detected"; sid:1000037; rev:1;)
Alert when there is a login attempt on the web server using HTTP authentication (an Authorization request header). Bodgeit is served by Tomcat on port 8080, which $HTTP_PORTS covers, whereas a rule for port 80 alone would never see that traffic; note also that Bodgeit's own login form posts the credentials in the request body, so it does not produce this header.
• alert tcp !$HOME_NET any -> 192.168.248.2 $HTTP_PORTS (msg:"LOGIN ATTEMPT ON WEBSERVER"; content:"Authorization"; sid:1000070; rev:1;)
# Catching SQL injection
• drop tcp !$HOME_NET any -> 192.168.248.2 $HTTP_PORTS (msg:"SQL meta characters detected"; pcre:"/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B))/i"; classtype:web-application-attack; sid:1000049; rev:5;)
• drop tcp !$HOME_NET any -> 192.168.248.2 $HTTP_PORTS (msg:"SQL injection attack Attempted"; pcre:"/\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix"; classtype:web-application-attack; sid:1000050; rev:5;)
# Catching CSS (cross-site scripting, now usually abbreviated XSS) attacks
• drop tcp !$HOME_NET any -> 192.168.248.2 $HTTP_PORTS (msg:"CSS Attack Attempted"; pcre:"/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/i"; classtype:web-application-attack; sid:1000051; rev:5;)
A detailed explanation of the rules for preventing the cross-site scripting and SQL injection attacks is given in the implementation part of this report (Prevention of attacks using Snort).
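As an added example (not code from the report), the following Python script reproduces the semantics of Snort's flags option as described in the Snort manual and runs the four scan rules above over constructed TCP headers: the probes that nmap -sF, -sX and -sN send, a plain SYN, a SYN with the ECN bits set, and an ordinary FIN/ACK. The segments are built inline with struct and are not captured traffic; the rule table and the probe list are assumptions of this example.

```python
import struct

# Snort "flags" letters -> bit in the TCP flags byte (octet 13 of the TCP header).
# Snort calls the two ECN bits "reserved bit 1" (CWR, the MSB) and "reserved bit 2" (ECE).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}


def parse_flags_option(option):
    """Split a Snort flags value "[!+*]<flags>[,<mask>]" into
    (modifier, wanted bits, bits to ignore). A bare "0" means no flags at all."""
    modifier = ""
    if option and option[0] in "!+*":
        modifier, option = option[0], option[1:]
    wanted, _, mask = option.partition(",")
    want = 0 if wanted == "0" else sum(FLAG_BITS[c] for c in wanted)
    ignore = sum(FLAG_BITS[c] for c in mask)
    return modifier, want, ignore


def flags_match(option, flags_byte):
    """Evaluate flags:<option> against a TCP flags byte, following the Snort manual:
    no modifier = exactly these flags (after masking), + = these flags plus any others,
    * = any of these flags, ! = none of these flags."""
    modifier, want, ignore = parse_flags_option(option)
    bits = flags_byte & ~ignore & 0xFF
    if modifier == "+":
        return (bits & want) == want
    if modifier == "*":
        return bool(bits & want)
    if modifier == "!":
        return (bits & want) == 0
    return bits == want


# The four scan rules from snort-lab.rules: (sid, msg, flags option, needs dsize:>0).
SCAN_RULES = [
    (1000032, "FIN scan detected", "F", False),
    (1000033, "XMAS scan detected", "FPU", False),
    (1000034, "NULL scan detected", "0", False),
    (1000035, "Data carried on SYN packet", "S", True),
]


def tcp_segment(sport, dport, flags, payload=b""):
    """Constructed 20-byte TCP header (no options, checksum left at 0) plus payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0) + payload


def segment_flags(segment):
    return segment[13]


def segment_dsize(segment):
    """Payload length, which is what Snort's dsize option compares."""
    return len(segment) - (segment[12] >> 4) * 4


def scan_rule_hits(segment):
    """SIDs of the scan rules whose flags (and dsize) options match this segment."""
    hits = set()
    for sid, _msg, option, needs_data in SCAN_RULES:
        if flags_match(option, segment_flags(segment)) and (not needs_data or segment_dsize(segment) > 0):
            hits.add(sid)
    return hits


# Constructed probes: what nmap -sF, -sX and -sN send, plus ordinary traffic.
PROBES = {
    "nmap -sF": tcp_segment(40000, 80, FLAG_BITS["F"]),
    "nmap -sX": tcp_segment(40000, 80, FLAG_BITS["F"] | FLAG_BITS["P"] | FLAG_BITS["U"]),
    "nmap -sN": tcp_segment(40000, 80, 0),
    "normal SYN": tcp_segment(40000, 80, FLAG_BITS["S"]),
    "ECN SYN": tcp_segment(40000, 80, FLAG_BITS["S"] | FLAG_BITS["1"] | FLAG_BITS["2"]),
    "SYN with data": tcp_segment(40000, 80, FLAG_BITS["S"], b"GET / HTTP/1.0\r\n"),
    "FIN/ACK teardown": tcp_segment(40000, 80, FLAG_BITS["F"] | FLAG_BITS["A"]),
}

if __name__ == "__main__":
    for name, seg in PROBES.items():
        print(f"{name:17s} flags=0x{segment_flags(seg):02x} -> {sorted(scan_rule_hits(seg)) or 'no alert'}")
    # flags:S is an exact match, so a SYN with the ECN bits set slips past sid 1000035;
    # flags:S,12 masks the two ECN bits and catches it as well.
    print("flags:S    vs ECN SYN:", flags_match("S", 0xC2))
    print("flags:S,12 vs ECN SYN:", flags_match("S,12", 0xC2))
```

Because flags:F is an exact match, the FIN/ACK of a normal connection close does not trigger sid 1000032, which keeps the rule quiet on real traffic. The same exactness means flags:S misses a SYN on which the client has set the ECN bits (CWR and ECE); the mask form flags:S,12 tells Snort to ignore those two bits and is the usual way to write such a rule.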
Barnyard2 is an open source interpreter (spooler) for Snort's unified2 binary output files. Its purpose is to take the work of parsing and storing events away from Snort: Snort only writes compact unified2 records to disk, which is fast, while Barnyard2 reads them asynchronously and turns them into database rows. Snort therefore never blocks on a slow database write and does not miss traffic while logging, which is why using Barnyard2 improves Snort's performance. Here Barnyard2 stores the events in a MySQL database.
First, we need to install some prerequisites:
sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool
During this step the MySQL installer prompts for a root password; we chose PASSWORD for this lab.
With the prerequisites installed we download, configure and install Barnyard2. Go to the snort-install folder, fetch the Barnyard2 release with wget from the link below, then extract, configure and install it:
cd /usr/snort-install
wget https://github.com/firnsy/barnyard2/archive/v2-1.13.tar.gz -O barnyard2-2-1.13.tar.gz
tar zxvf barnyard2-2-1.13.tar.gz
cd barnyard2-2-1.13
autoreconf -fvi -I ./m4
Barnyard2 is configured with MySQL support and must be told where the MySQL client libraries live; the path depends on the system architecture (/usr/lib/x86_64-linux-gnu on 64-bit Ubuntu, /usr/lib/i386-linux-gnu on 32-bit):
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
Then build and install it; Snort is configured to use Barnyard2 afterwards.
make && sudo make install
Barnyard2 is now installed to /usr/local/bin/barnyard2
.
To configure Snort to use Barnyard2, copy its sample configuration into /etc/snort and create the Barnyard2 log directory, the waldo file (Barnyard2's bookmark of how far it has read into the unified2 spool, so that it resumes after a restart without re-inserting events) and an empty sid-msg.map:
cd /usr/snort-install/barnyard2-2-1.13
sudo cp etc/barnyard2.conf /etc/snort
sudo mkdir /var/log/barnyard2
sudo chmod 777 /var/log/barnyard2
sudo touch /var/log/snort/barnyard2.waldo
sudo chmod 777 /var/log/snort/barnyard2.waldo
sudo touch /etc/snort/sid-msg.map
Once MySQL and Barnyard2 are installed and configured, test Barnyard2 the same way Snort was tested: barnyard2 -V prints the version when the binary runs without errors.
Since Barnyard2 writes Snort's output to MySQL, we need to create the database and a user that can access it. Run the following commands; when prompted for a password, use the MySQL root password set earlier. The fourth command sets the password of the MySQL snort user; choose your own value there and use the same one in barnyard2.conf and base_conf.php below.
$ mysql -u root -p
mysql> create database snort;
mysql> use snort;
mysql> source /usr/snort-install/barnyard2-2-1.13/schemas/create_mysql
mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY 'Password';
mysql> grant create, insert, select, delete, update on snort.* to 'snort'@'localhost';
mysql> exit
Now that the snort database exists, Barnyard2 needs its connection details. Edit the Barnyard2 configuration file:
sudo gedit /etc/snort/barnyard2.conf
At the end of the file, append this line:
output database: log, mysql, user=snort password=Password dbname=snort host=localhost
Because barnyard2.conf now contains a database password, make sure the file itself is readable only by the account Barnyard2 runs as.
Barnyard2 is then started to read the unified2 spool and load the events into the snort database. -d names the spool directory, -f the file name prefix given in the output unified2 line of snort.conf (the two must match), and -w the waldo file:
sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo
If everything is working, the row count of the event table in the snort database grows each time Snort raises an alert.
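To show what Barnyard2 is consuming from /var/log/snort, here is an added Python example (not part of the report or of Barnyard2) that parses a unified2 spool. The record header and the type 7 IPv4 event and type 2 packet layouts follow Snort's Unified2_common.h; IPv6 and VLAN/MPLS event variants use other type numbers and are only counted here. The spool it reads is constructed inline with struct: an alert for sid 1000049 with the blocked byte set (1 meaning Snort dropped the packet), followed by a placeholder packet record. The field values are invented for the example.

```python
import struct
from socket import inet_ntoa

# Record layouts from Snort's Unified2_common.h (all fields big-endian). Type 7 is the
# IPv4 event record the "output unified2" line writes; type 2 carries the packet itself.
RECORD_HDR = struct.Struct("!II")          # record type, length of the body that follows
IDS_EVENT = struct.Struct("!11I2H4B")      # Unified2IDSEvent_legacy, 52 bytes
PACKET_HDR = struct.Struct("!7I")          # Unified2Packet header, 28 bytes, then packet bytes
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "ip_source", "ip_destination",
                "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked")
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")


def iter_records(data):
    """Yield (type, body) for each complete record. A partial record at the end is what a
    reader sees while Snort is still appending, so it is reported instead of guessed at."""
    off = 0
    while off < len(data):
        if off + RECORD_HDR.size > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + rlen > len(data):
            raise ValueError("truncated record body at offset %d" % off)
        yield rtype, data[off:off + rlen]
        off += rlen


def parse_event(body):
    ev = dict(zip(EVENT_FIELDS, IDS_EVENT.unpack_from(body)))
    for key in ("ip_source", "ip_destination"):      # stored as network-order uint32
        ev[key] = inet_ntoa(struct.pack("!I", ev[key]))
    return ev


def parse_packet(body):
    pk = dict(zip(PACKET_FIELDS, PACKET_HDR.unpack_from(body)))
    pk["packet_data"] = body[PACKET_HDR.size:PACKET_HDR.size + pk["packet_length"]]
    return pk


def read_spool(data):
    """Return (events, packets, other_record_types) from a unified2 spool, which is the
    information Barnyard2 turns into rows of the event, iphdr and data tables."""
    events, packets, other = [], [], []
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            events.append(parse_event(body))
        elif rtype == UNIFIED2_PACKET:
            packets.append(parse_packet(body))
        else:
            other.append(rtype)      # IPv6 / VLAN / MPLS variants, not decoded here
    return events, packets, other


def _record(rtype, body):
    return RECORD_HDR.pack(rtype, len(body)) + body


def ip2int(dotted):
    return struct.unpack("!I", bytes(map(int, dotted.split("."))))[0]


# Constructed spool: one alert for sid 1000049 (blocked=1, the inline drop) and the
# packet record that goes with it. The packet bytes are a placeholder, not a real frame.
SAMPLE_PACKET = b"\x00" * 14 + b"placeholder IPv4 packet"
SAMPLE_SPOOL = (
    _record(UNIFIED2_IDS_EVENT, IDS_EVENT.pack(
        0, 1, 1500000000, 123456,                      # sensor, event id, timestamp
        1000049, 1, 5,                                 # sid, gid, rev
        0, 1,                                          # classification id, priority
        ip2int("192.168.232.2"), ip2int("192.168.248.2"),
        51234, 8080, 6,                                # sport, dport, protocol (TCP)
        0, 0, 1))                                      # impact_flag, impact, blocked
    + _record(UNIFIED2_PACKET, PACKET_HDR.pack(
        0, 1, 1500000000, 1500000000, 123456, 1, len(SAMPLE_PACKET)) + SAMPLE_PACKET)
)

if __name__ == "__main__":
    events, packets, other = read_spool(SAMPLE_SPOOL)
    for ev in events:
        print("sid %d rev %d  %s:%d -> %s:%d proto %d blocked=%d" % (
            ev["signature_id"], ev["signature_revision"], ev["ip_source"], ev["sport_itype"],
            ev["ip_destination"], ev["dport_icode"], ev["protocol"], ev["blocked"]))
    print("%d packet record(s), %d undecoded record(s)" % (len(packets), len(other)))
```

The truncated-record check matters in practice: Barnyard2 reads the spool while Snort is still appending to it, and the waldo file records how far it has got so that a restart neither re-inserts events nor skips them. The blocked byte is also the quickest way to confirm from the logs whether a drop rule actually dropped anything when Snort is run inline.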
Basic Analysis and Security Engine (BASE) is a web front end for querying and analysing the alerts produced by the Snort IDPS. It gives a web interface for examining the intrusions Snort has detected. It has an optional role-based user authentication system, which is disabled by default ($Use_Auth_System in base_conf.php); with it off, anyone who can reach the web server can read the alerts. It is simpler than comparable products such as Splunk. BASE is written in PHP and requires the Apache 2 web server, PHP, a recent version of ADOdb (a PHP database abstraction library) and a few edits to its configuration file in order to display Snort's alerts.
Installing BASE
Before installing BASE, a few prerequisites are installed:
sudo apt-get install -y apache2 libapache2-mod-php5 php5 php5-mysql php5-common php5-gd php5-cli php-pear
apache2 and libapache2-mod-php5 provide the web server and PHP support inside it; php5-mysql gives PHP access to the MySQL database and php5-gd is used for BASE's graphs. ADOdb must be a recent version; it is downloaded with wget from the link below before BASE is installed.
cd /usr/snort-install
wget http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-518-for-php5/adodb518a.tgz/download -O adodb518.tar.gz
tar -xvzf adodb518.tar.gz
sudo mv adodb5 /var/adodb
With the prerequisites installed, BASE itself is downloaded and then configured:
cd /usr/snort-install
wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
tar -zxvf base-1.4.5.tar.gz
On Ubuntu 14.04 the Apache version (2.4) serves from /var/www/html, so BASE is moved there:
sudo mv base-1.4.5 /var/www/html/base/
cd /var/www/html/base
sudo cp base_conf.php.dist base_conf.php
sudo gedit /var/www/html/base/base_conf.php
Now make the following edits to base_conf.php:
$BASE_urlpath = '/base';
$DBlib_path = '/var/adodb/';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_user = 'snort';
$alert_password = 'Password';
Restart the apache2 service after the edits:
sudo service apache2 restart
The final step of configuring BASE is done in the browser:
• From the browser go to http://127.0.0.1/base/index.php and click on "setup page"
• On the upper right of the page click on "Create BASE AG"; this creates the additional tables BASE needs in the snort database
• Click on "Main page"
Bodgeit store is a deliberately vulnerable web application used for penetration testing practice. It was created by Psiinon (Simon Bennetts) and contains a variety of web vulnerabilities, which is why it must never be hosted in a production environment. The following are some of the characteristics of Bodgeit store:
• Easy to install
• Self-contained
• Cross platform
• Open source
• Does not require a separate database
Before Bodgeit store is installed on the Ubuntu 12.04 victim machine, the JDK and JRE are installed as prerequisites:
sudo apt-get install default-jdk
sudo apt-get install default-jre
Tomcat 7, which serves the application, is installed with:
sudo apt-get install tomcat7
One network adapter is installed in the victim machine. It is configured by editing the interfaces file:
sudo nano /etc/network/interfaces
Edit the interfaces file with the following code (the gateway is the Snort box's eth0 address):
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 192.168.248.2
netmask 255.255.255.0
gateway 192.168.248.1
Once the network is configured, the interface is checked with the ifconfig command.
To install Bodgeit on Ubuntu, bodgeit.1.4.0.zip is downloaded from:
https://code.google.com/archive/p/bodgeit/downloads
Once downloaded, bodgeit.war is extracted from the zip file and copied into Tomcat's webapps folder, which for the Ubu ntu tomcat7 package is:
/var/lib/tomcat7/webapps
Tomcat deploys the .war automatically. Bodgeit is then tested in a browser on the victim at http://127.0.0.1:8080/bodgeit/ and, from the attacker's side, at http://192.168.248.2:8080/bodgeit/. Note that Tomcat listens on port 8080, so Snort rules that should see this traffic must use $HTTP_PORTS (which includes 8080) rather than port 80.
The Kali Linux machine is used to demonstrate attacks on the Bodgeit store; SQL injection and cross-site scripting attacks are performed against it.
One network adapter is installed in the attacking machine. It is configured by editing the interfaces file:
sudo nano /etc/network/interfaces
Edit the interfaces file with the following code (the gateway is the Snort box's eth1 address):
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 192.168.232.2
netmask 255.255.255.0
gateway 192.168.232.1
Once the network is configured, the interface is checked with the ifconfig command.
To prevent the attacks demonstrated above, Snort is run in inline mode, where it sits in the traffic path between the attacker and the victim and can drop packets instead of only alerting on them. Specific rules are configured to analyse the captured packets and block the attacks. The following rules, from snort-lab.rules, are the ones that make Snort block the demonstrated attacks; the drop action silently discards the packet, whereas reject would additionally send a TCP reset to both ends.
drop tcp !$HOME_NET any -> 192.168.248.2 $HTTP_PORTS (msg:"SQL meta characters detected"; pcre:"/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B))/i"; classtype:web-application-attack; sid:1000049; rev:5;)
This rule fires when meta characters typical of SQL injection follow a parameter assignment. It uses the pcre keyword, which lets a rule match a Perl compatible regular expression against the packet payload. Because no pcre modifier is given, the match runs over the raw payload without URL decoding, which is why every character is listed together with its hex-encoded form. The expression reads:
((\%3D)|(=)) the '=' sign or its hex equivalent %3D, i.e. the start of a parameter value
[^\n]* zero or more non-newline characters
((\%27)|(\')|(\-\-)|(\%3B)) followed by a single quote (literal or hex encoded), a double dash (the SQL comment marker) or a hex-encoded semicolon
The i modifier makes the match case-insensitive. A legitimate value containing an apostrophe (for example a search for it's) also satisfies the expression, so this rule is prone to false positives and, as a drop rule, will cut off legitimate users as well.
drop tcp !$HOME_NET any -> 192.168.248.2 $HTTP_PORTS (msg:"SQL injection attack Attempted"; pcre:"/\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix"; classtype:web-application-attack; sid:1000050; rev:5;)
This rule detects the classic ' or ... injection, again with the pcre keyword. The expression reads:
\w* zero or more alphanumeric or underscore characters
((\%27)|(\')) a single quote, literal or hex encoded
((\%6F)|o|(\%4F))((\%72)|r|(\%52)) the word 'or', with each letter either literal or in its lower- or upper-case hex form
The i modifier makes the match case-insensitive; x ignores whitespace in the pattern itself, not in the payload, so the 'or' has to follow the quote directly: %27or%201%3D1 matches, while %27+or+1%3D1 (a space URL-encoded as +) is caught only by the meta-character rule above.
drop tcp !$HOME_NET any -> 192.168.248.2 $HTTP_PORTS (msg:"CSS Attack Attempted"; pcre:"/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/i"; classtype:web-application-attack; sid:1000051; rev:5;)
This rule detects cross-site scripting attempts (CSS in this report; now usually written XSS) by looking for an HTML tag in the payload. The expression reads:
((\%3C)|<) an opening angle bracket or its hex equivalent
((\%2F)|\/)* an optional forward slash, so that closing tags are matched too
[a-z0-9\%]+ the tag name, either plain alphanumerics or their hex representation
((\%3E)|>) a closing angle bracket or its hex equivalent
Any HTML-looking tag in a request, including a harmless <b>, satisfies this expression, so this rule is also a candidate for false positives.
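As an added example (not from the report), the Python script below runs the three pcre patterns from the SQL injection and cross-site scripting rules, as listed in snort-lab.rules and explained here, over constructed HTTP requests of the kind a browser sends to Bodgeit. Python's re stands in for PCRE (the four modifiers the two share are mapped; Snort-specific buffer modifiers are not emulated), and the SQL meta-character pattern is grouped so that the = must precede the quote, double dash or semicolon, as its description says. The request strings are made up for the example.

```python
import re

# The three pcre option values from the web-attack rules in snort-lab.rules. The first
# is grouped so that "=" must come before the quote / "--" / ";" alternatives.
RULES = {
    1000049: ("SQL meta characters detected",
              r"/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B))/i"),
    1000050: ("SQL injection attack Attempted",
              r"/\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix"),
    1000051: ("CSS Attack Attempted",
              r"/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/i"),
}

# PCRE modifiers that Python's re shares. Snort's own modifiers (U, P, H, R, ...) make the
# match run over a normalised buffer instead of the raw payload and are rejected here.
FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}


def compile_snort_pcre(value):
    """Compile the value of a Snort pcre option ("/pattern/flags") with Python's re."""
    if not value.startswith("/"):
        raise ValueError("pcre value must start with /")
    pattern, sep, flags = value[1:].rpartition("/")
    if not sep:
        raise ValueError("pcre value must end with /flags")
    combined = 0
    for f in flags:
        combined |= FLAGS[f]          # KeyError for modifiers this emulation does not support
    return re.compile(pattern, combined)


COMPILED = {sid: (msg, compile_snort_pcre(p)) for sid, (msg, p) in RULES.items()}


def pcre_rule_hits(payload):
    """SIDs whose pcre matches the raw payload. Without a U modifier Snort matches the
    packet bytes as sent, so no URL decoding is applied before matching."""
    return {sid for sid, (_, rx) in COMPILED.items() if rx.search(payload)}


# Constructed HTTP requests, as the attacker's browser would send them to Bodgeit.
HOST = "Host: 192.168.248.2:8080\r\n"
REQUESTS = {
    "sqli, quote glued to or":
        "GET /bodgeit/search.jsp?q=%27or%201%3D1 HTTP/1.1\r\n" + HOST + "\r\n",
    "sqli, space after quote":
        "GET /bodgeit/search.jsp?q=%27+or+1%3D1 HTTP/1.1\r\n" + HOST + "\r\n",
    "xss":
        "GET /bodgeit/search.jsp?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\r\n" + HOST + "\r\n",
    "benign apostrophe":
        "GET /bodgeit/search.jsp?q=it%27s+a+bargain HTTP/1.1\r\n" + HOST + "\r\n",
    "benign with cookie":
        "GET /bodgeit/basket.jsp HTTP/1.1\r\n" + HOST + "Cookie: JSESSIONID=ABC123; b_id=7\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in REQUESTS.items():
        hits = sorted(pcre_rule_hits(req))
        print(f"{name:26s} -> {[COMPILED[s][0] for s in hits] or 'pass'}")
```

Two things are worth noticing in the output: the benign search for it's triggers the meta-character drop rule, so in this lab a legitimate customer would be cut off, and the injection with a space after the quote is caught only by that same rule, not by the dedicated ' or rule. Rules that drop traffic deserve this kind of test before they go inline.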
Snort is then started in inline mode with the following command:
sudo snort -Q -c /etc/snort/snort.conf -i eth0:eth1
-Q runs Snort inline, which is required for drop and reject verdicts to be applied.
-c /etc/snort/snort.conf uses that configuration file and the rule files it includes.
-i eth0:eth1 gives the afpacket DAQ the pair of interfaces to bridge: frames read on one are written out on the other unless a rule drops them.
Note that with afpacket Snort itself copies frames between the two interfaces, while the kernel independently routes between them because both interfaces have addresses and ip_forward is enabled. A packet that Snort drops can therefore still be forwarded by the kernel. To make drops effective, either bridge two interfaces that carry no IP addresses with ip_forward turned off, or use the nfq DAQ together with an iptables FORWARD rule that queues packets to Snort for a verdict.
Barnyard2 is also started, to load the events Snort writes into the database:
sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo
With the Snort IDPS set up in front of the website, attacks on the victim machine are logged and, in inline mode, blocked. Network-based intrusion detection systems work on the raw packets captured from the network and analyse them; Snort is such a system, using its built-in rule sets and user-written rules to detect and prevent intrusion attempts. This report has covered the installation of Snort and of the components that work with it (DAQ, Barnyard2, MySQL, BASE and Apache), all on Linux systems, and the alerts generated from the custom rules.