Snort as Packet Logger. This runs Snort in descriptive verbose mode and logs all its findings to the directory called log under the Snort installation directory. The individual packets are filed in hierarchical directories based on the IP address from which the packet was received.
Several command-line switches are specific to logging and output, including the ability to log all packets to a single binary file. Play around with those as needed. Try the following command:
Replace x with the number of the NIC that Snort will use, so make sure to use the right NIC number when running Snort. When running as a service, a valid and appropriate NIC number must also be specified.

Snowl is a modern web-based GUI (graphical user interface) for Snort.
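As an added example (not code from the book or from the Snort project), the following Python script reads a binary packet log and groups the packets by source IP address, which is the same key Snort's text logger uses for its per-IP directory tree. It assumes the single binary file is in tcpdump/pcap format, which is what Snort's -b switch writes; the sample log embedded in the script is constructed in memory, so it runs offline, and the parser stops cleanly at a record cut off mid-write.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# Classic libpcap file constants (microsecond timestamps)
PCAP_MAGIC_LE = 0xA1B2C3D4   # magic as read little-endian from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1   # magic as read little-endian from a big-endian file
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def build_frame(src_ip, dst_ip, proto, payload):
    """Constructed Ethernet/IPv4 frame used only to fabricate sample input.
    MAC addresses and checksums are zero; the summariser never checks them."""
    eth = b"\x00" * 12 + ETHERTYPE_IPV4          # dst MAC, src MAC, EtherType
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip + payload


def build_pcap(records):
    """Assemble an in-memory little-endian pcap file from (timestamp, frame) pairs."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in records:
        # record header: ts_sec, ts_usec, incl_len, orig_len
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_pcap(data):
    """Yield (timestamp, frame_bytes) for each record; handles both byte orders
    and stops at a truncated final record instead of raising."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a pcap file (magic 0x%08x)" % magic)
    linktype, = struct.unpack_from(end + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break                                # log cut off mid-record
        off += incl_len
        yield ts, frame


def summarize_by_source(data):
    """Group IPv4 packets by source address. Non-IPv4 frames (ARP etc.) are skipped."""
    per_src = defaultdict(lambda: {"packets": 0, "destinations": set(), "protocols": set()})
    for _ts, frame in iter_pcap(data):
        if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
            continue
        proto = frame[23]                        # IPv4 protocol field (offset 9 in IP header)
        src = str(IPv4Address(frame[26:30]))     # IPv4 source address
        dst = str(IPv4Address(frame[30:34]))     # IPv4 destination address
        entry = per_src[src]
        entry["packets"] += 1
        entry["destinations"].add(dst)
        entry["protocols"].add(PROTO_NAMES.get(proto, str(proto)))
    return {src: {"packets": e["packets"],
                  "destinations": sorted(e["destinations"]),
                  "protocols": sorted(e["protocols"])}
            for src, e in per_src.items()}


# Constructed sample log: three IPv4 packets plus one ARP frame that must be ignored.
SAMPLE_PCAP = build_pcap([
    (1, build_frame("10.0.0.5", "10.0.0.1", 6, b"\x00" * 20)),                   # TCP
    (2, build_frame("10.0.0.5", "10.0.0.2", 17, b"\x00" * 8)),                   # UDP
    (3, b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28),                              # ARP, not IPv4
    (4, build_frame("192.168.1.9", "10.0.0.1", 1, b"\x08\x00" + b"\x00" * 6)),  # ICMP echo
])

if __name__ == "__main__":
    for src, info in sorted(summarize_by_source(SAMPLE_PCAP).items()):
        print(src, info)
```

Run against a real -b log by replacing SAMPLE_PCAP with the file's bytes; the per-source summary is a quick way to see which hosts dominate a capture before opening the per-IP directories.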
Interactive real-time dashboard: monitor summary information about the main things on the start-up screen. Powerful and flexible filtering system: search for attacks based on different indicators and their combinations. Different ways of displaying attacks: select the display method, either an interactive table or graphs and diagrams.
The following instructions have to be followed on the PC where the Snowl graphical interface will be installed. A web server is required for Snowl to operate; it can be Apache or Nginx. Select and install one of them, for example Apache.
The following instructions have to be followed on the PC on which the Snowl sensor will be installed. At the first stage, install the Snort deb packages and their dependencies.
Unfortunately, only Snort 2.
RPC can enable remote code execution and is often used in Trojans and exploits. Track use of various remote services programs, such as rlogin and rsh.
These are insecure services in general, but if you have to use them, they can be tracked closely with this rule set. Alert you to use of port scanning programs. Port scans are a good indication of illicit activity. If you use port scanners yourself, you will want to either turn off Snort during those times or disable the particular rule for your scanner machine. This class looks for packets containing assembly code, low-level commands also known as shell code.
These commands are often integral to many exploits such as buffer overflows. Catching a chunk of shell code flying by is often a pretty good indication that an attack is underway.
Govern alerts for mail server use on the LAN. This section will need some fine-tuning, as many normal mail server activities will set off rules in this section.
Rules for various SQL database programs. If you don't run any databases you can turn these off, but it's not a bad idea to leave them on just in case there are SQL databases running that you don't know about. Track Telnet use on the network. Telnet is often used on routers or other command line devices, so it is a good thing to track even if you don't run Telnet on your servers.
It can be used to upload new configurations and therefore is worth keeping an eye on. Contain signatures of some common worms and viruses. This list is not complete and is not maintained regularly. It is not a replacement for virus scanning software but can catch some network-aware worms.
All these classes refer to various kinds of suspicious Web activity. Some are generic, such as the web-attacks class. Others, like web-iis and web-frontpage, are specific to a particular Web server platform.
However, even if you don't think you run a Microsoft Web server or use PHP, it is worth leaving them all running to uncover any activity of this kind on your LAN that you may be unaware of. You will have to do some fine-tuning of the rule sets, especially if your Web servers are in active development. One way to do this is to have a little script that runs Snort with the command line parameters in your startup routines. In Linux, you can place a line in the rc. An example is:
You can also run Snort as a service using the service snort start command.
Doing all the configuration for Snort from the command line can get a little tedious. While there isn't a native graphical interface for Snort yet, there is a module for the popular Web management tool Webmin. This lets you do all of your fine-tuning and configuration from any Web browser.
Some of the benefits of this system are:
User access levels that allow you to set up different users with different rights. Chapter 3 covered loading Webmin for your firewall administration. You can also use this add-on module to configure Snort. Refer back to Chapter 3 if you haven't loaded Webmin yet.
The Snort module requires version 0. The location to get the software is:
Figure 7. Webmin Snort Module.
Once you log onto the Snort page, you can see it has each major section of the config file, such as network settings, preprocessor settings, and your logging options, at the top of the screen.
By clicking on any of the configuration options, you can enter your information in a form and Webmin will make the changes to the appropriate Snort configuration files. All the rule sets are listed below that, and you can see which ones are enabled or disabled.
Those with a check are currently enabled and those with an X mark are disabled. You can easily disable the entire rule set by double-clicking on the Action field. If you want to view that rule set and modify an individual rule, click on the blue underlined text and it will take you to the Edit Ruleset page (see Figure 7.).
Here you can see all the active rules within that set. You can also take actions on each rule such as disabling, enabling, or deleting it from the rule set.
If there are any references to external databases within the alert, such as Common Vulnerability or Exploit (CVE) numbers, you can click a hyperlink that takes you to more detail on what that alert does. Using this interface can make fine-tuning your alert rule set much easier.
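The enable/disable toggling the Webmin module performs on a rule set amounts, in the rules file, to a leading # on the rule line. The following Python snippet is an added example (not the Webmin module's code) that reports the enabled/disabled state of every sid in a rules file and toggles selected sids, so the same tuning step can be scripted or a delegated user's changes can be checked. The rules file it works on is a constructed sample with local sids, not one of Snort's shipped rule sets.

```python
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def rule_sid(line):
    """Return the sid carried by a rule line (commented out or not), else None."""
    m = SID_RE.search(line)
    return int(m.group(1)) if m else None


def rule_states(rules_text):
    """Map each sid in the file to True (enabled) or False (commented out),
    the same per-rule enabled/disabled view the Webmin module shows."""
    states = {}
    for line in rules_text.splitlines():
        stripped = line.lstrip()
        sid = rule_sid(stripped)
        if sid is not None:
            states[sid] = not stripped.startswith("#")
    return states


def set_rule_state(rules_text, sids, enabled):
    """Enable or disable the rules whose sid is in `sids` by removing or adding
    a leading '#'. Other lines pass through untouched. Returns the new text and
    how many lines actually changed, so a no-op run is visible to the caller."""
    out, changed = [], 0
    for line in rules_text.splitlines():
        stripped = line.lstrip()
        sid = rule_sid(stripped)
        if sid in sids:
            disabled = stripped.startswith("#")
            if enabled and disabled:
                line = stripped.lstrip("#").lstrip()
                changed += 1
            elif not enabled and not disabled:
                line = "# " + stripped
                changed += 1
        out.append(line)
    return "\n".join(out) + "\n", changed


# Constructed local rule file; sids 1000000 and above are the range reserved for local rules.
SAMPLE_RULES = """\
# local.rules: constructed sample, not a rule set shipped with Snort
alert tcp any any -> $HOME_NET 23 (msg:"LOCAL telnet connection attempt"; flow:to_server,established; sid:1000001; rev:1;)
# alert tcp any any -> $HOME_NET 513 (msg:"LOCAL rlogin connection attempt"; flow:to_server,established; sid:1000002; rev:1;)
alert udp any any -> $HOME_NET 111 (msg:"LOCAL portmapper request"; sid:1000003; rev:1;)
"""

if __name__ == "__main__":
    text, n = set_rule_state(SAMPLE_RULES, {1000003}, enabled=False)
    print(n, "rule(s) changed")
    print(text)
```

Keying on the sid rather than on line numbers keeps the toggle stable across rule-set updates, and returning the change count lets a wrapper script refuse to write the file back when nothing changed.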
With the Webmin Snort module, you can also control which users can access which settings (see Figure 7.). On the Webmin users page you can set a variety of options for each user, assuming you are the administrator on Webmin. You can give certain users access to edit rules but not to edit configuration files. You can control which configuration files they can access. Or you can just let them view the files without editing or disabling them.
As you can see, the Webmin Snort module gives you very granular access control so that you can delegate daily tuning duties to a lower-level technician while retaining configuration and change control. For those of you who can't or won't install the UNIX version of Snort, thankfully there is a fully supported version for the Windows platform.
It also allows you to take advantage of point-and-click installation as well as some of the other niceties in Windows and XP such as built-in IPSec support. It's nice to see an open source project that realizes there are many Windows-only based companies that would still like to take advantage of this great open source IDS.
You will also need the WinPcap libraries installed. If you loaded them for a program described earlier in this book, such as Ethereal or WinDump, then you are all set. Otherwise, you can get them at:
You will also want the MySQL database if you plan on importing your results into a database. A MHz machine is the minimum, and you'll probably do better with a processor in the gigahertz range. You will also want to make sure your Windows server is locked down appropriately with a minimum of services running, taking extra care to uninstall processor hogs such as IIS.
Use the Services window under Administrative tools to make sure you aren't running anything you absolutely don't need to. Double-click on it and it will automatically install for you. It prompts you to choose if you want certain database or add-on modules such as the flexresponse module. All the config and rules files are in the same relative subdirectories as the UNIX version. Go into the Snort.
Make the changes and edits to the snort. Then go into the rules files and make your changes there. Then you are ready to run Snort. Fine-tuning and placement rules of thumb are also the same as the native UNIX version.
While the standard rule sets that Snort comes with provide adequate protection from known attack signatures, you can craft some custom rules specific to your network to get the most out of your IDS. You can write rules to:
Snort's rule writing is fairly easy to learn and allows you to quickly add functionality to the program without a lot of programming knowledge.
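As an added example (not code from the book or from the Snort project), here is a small Python parser for Snort's rule syntax alongside a builder that assembles a custom rule and validates it by parsing it back. It checks the header fields and the msg/sid options most often got wrong in hand-written rules, and it splits options on semicolons without breaking on a semicolon inside a quoted msg. The sample rule, its use of the $HOME_NET variable and the sid 1000001 are constructed for this example; the convention that sids of 1,000,000 and above are reserved for locally written rules is Snort's documented reservation.

```python
import re

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
LOCAL_SID_MIN = 1000000  # sids from 1,000,000 up are reserved for locally written rules

# action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)


def split_options(body):
    """Split the option body on ';' while respecting double quotes and backslash
    escapes, so a ';' inside msg:"..." does not break the rule apart."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):      # keep an escaped character verbatim
            cur.append(body[i:i + 2])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == ";" and not in_quote:
            tok = "".join(cur).strip()
            if tok:
                opts.append(tok)
            cur = []
        else:
            cur.append(c)
        i += 1
    tail = "".join(cur).strip()
    if tail:                                     # Snort requires every option to end with ';'
        raise ValueError("option not terminated by ';': %r" % tail)
    return opts


def parse_rule(rule):
    """Parse one Snort rule into its header fields and options, rejecting the
    mistakes that most often keep a hand-written rule from loading."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("malformed rule header")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    if action not in ACTIONS:
        raise ValueError("unknown action %r" % action)
    if proto not in PROTOCOLS:
        raise ValueError("unknown protocol %r" % proto)
    options = {}
    for tok in split_options(body):
        key, sep, val = tok.partition(":")
        options[key.strip()] = val.strip() if sep else None   # flag options (e.g. nocase) carry no value
    for required in ("msg", "sid"):
        if required not in options:
            raise ValueError("rule is missing %s" % required)
    if not (options["sid"] or "").isdigit():
        raise ValueError("sid must be numeric")
    sid = int(options["sid"])
    return {"action": action, "protocol": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport,
            "msg": options["msg"].strip('"'), "sid": sid,
            "local": sid >= LOCAL_SID_MIN, "options": options}


def build_rule(action, proto, src, sport, dst, dport, msg, sid, rev=1, extra=(), direction="->"):
    """Assemble a custom rule and validate it by parsing it back. `extra` holds
    additional option strings such as 'flow:to_server,established'."""
    if sid < LOCAL_SID_MIN:
        raise ValueError("custom rules should use sid >= %d" % LOCAL_SID_MIN)
    opts = ['msg:"%s"' % msg] + list(extra) + ["sid:%d" % sid, "rev:%d" % rev]
    rule = "%s %s %s %s %s %s %s (%s;)" % (action, proto, src, sport, direction, dst, dport,
                                            "; ".join(opts))
    parse_rule(rule)                             # raises ValueError if the result is malformed
    return rule


if __name__ == "__main__":
    print(build_rule("alert", "tcp", "any", "any", "$HOME_NET", "23",
                     "LOCAL telnet connection attempt", 1000001,
                     extra=["flow:to_server,established"]))
```

Running parse_rule over a local rules file before restarting Snort catches a missing sid or an unterminated option in seconds, rather than after the sensor refuses to start.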