Tuesday, August 14, 2007

Snort Snort.....


The topic for today kiddies is "Snort". This is the sound that a pig makes, I know, because I have been to the county fair, and I've heard it myself. In addition, I have neighbors across the street that raise and show pigs, and I've asked them, and they concur.

Snort is ALSO the "de facto" standard IDS for enterprise, and not-so-enterprise, networks. What is an IDS, you ask? Well, I'm here to tell you. IDS stands for "Intrusion Detection System". This is not to be confused with a firewall.

What the IDS does is basically review all the traffic passing around your network, and compare them against known rules looking for violations of those rules. This is called "Real Time Traffic Analysis". In addition, it can do all sorts of other things security wise, and best of all, it's FREE.

You do need a subscription if you want rules as soon as they come out, otherwise you'll have to wait 30 days for them to be generally released. It's a very well supported product with complete documentation for a variety of platforms, however, it is LINUX. There is a Windoze version too, but I'll leave that to someone else.

OK, so I decided to put in an IDS, Snort specifically. My first question was: what distro? If you remember from prior blogs, "distro" means "Distribution of Linux". I considered a few, for a variety of reasons, and settled on Fedora. Why? Well, obviously, the best installation guide I found was written as a RedHat/Fedora install, and that made it easy. Secondly, Fedora is a very well known, stable and highly supported distro, so you'll have no problem finding the applications and libraries needed to install it.

Now for full disclosure; I installed Snort 4 times, and wiped out and re-installed Fedora once before I got it right. I had trouble with the installation a couple of times, and because of my OCD nature, once I figured it out, I wanted a totally clean installation, hence the reinstall of Fedora.

You will need the following:

  1. A computer (duh), not a super computer, but something reasonable. I'm actually running it on an old Dell 4100 with a PIII, a half a meg of memory and a junky video card and it runs great!
  2. A distro. I'd recommend; Fedora, Red Hat, anything Debian based or Gentoo. I was going to use SmartCom Enterprise, but I got cold feet.
  3. Supporting software
  • Snort (www.snort.org)
  • Apache (web server, usually installed by default in most Linux distros if you choose "server configuration"; if not, you can install it in the terminal)
  • SSL (secure sockets layer, also installed by default)
  • PHP (I'm not sure about the leading "P", but the rest means "hypertext processor"). You will need to install PHP if it's not pre-installed. After the Linux install, open a terminal window and type "php -v"; if you get an error, or nothing happens, you need it.
  • MySQL (My "SQL", or Structured Query Language). Again, MySQL is usually installed, but check (type "mysql -v") to see if it's installed.
  • BASE (Basic Analysis and Security Engine, get it from SourceForge, click here.)
  • Adobe Reader. Install this right away.

Now, for those of you who don't know how to install software on linux, there's a few ways. There are "package managers" which give you a GUI method. All distros have one, depending on yours it will be "Synaptic", "Kpackage" or something else. You'll find it on your menu as "Add/Remove Software", probably under "system". The other way, which *I* prefer, is in the terminal. Depending again on your distribution, you'll use "apt-get" or "yum". Both are the command version of the GUI, so if you have "Synaptic" open, you'll get an error if you try and use "apt-get".

Fedora uses "yum", but the commands are more or less interchangeable for our purposes. For instance, if you did as I said, and found out "Apache" was not installed, you would need to install it. Here's the rub; it's not called "Apache", it's called "httpd". A quick "how the heck do I install Apache" Google helped me with that.

So, in the terminal, you would type "yum install httpd". You'll probably get an error, because to be allowed to install software, you need to have "root" privileges. When you set up Linux, you created a "root" user and a password. You can do two things now, either switch to the root account (which is never recommended, but I find it easier, provided you do it safely), or issue a root level command such as "sudo". Sudo is "Super User Do". It will look like this;

"sudo yum install httpd" You will be asked for the root password, then off you go. Do the same for anything else that's missing.

Now, I'm NOT going to get into the step by step installation, because someone else already did and it's great. One word of caution; Follow it step by step. Do NOT proceed from one step to the next unless you are sure you've done the step accurately and it works properly. This will save you a world of hurt.

Another thing, EXPECT a little frustration. It won't be so bad, it's fun. The biggest headache I had was that I was missing quite a few things. I kept getting "This won't work because you don't have this installed" and "this other thing won't work because it's missing stuff too" so to get thing one to play with thing two, you'll be typing a lot of "yums" or "apt-get's".

I recommend you go HERE for the installation guide. Of all of them, I found it to be the most complete.

Once you get started, you'll be doing some text editing. His examples use the "vi" editor, which I personally hate. I'm a command line guy and I've used terminal editors and control codes, but "vi" sucks. Hate me if you will, but all I want to do is change a line or two and not learn an archaic interface to do it.

I use "kedit" because I have the KDE interface. Yours may be different.

editorial note: I installed KDE from Synaptic because I prefer it over Gnome. Choose what you want, but I am used to KDE. It's like the whole "Windows/Apple" thing - users use what they're comfortable with, and defend it to the bone.

Anyways.....

You'll be editing configuration files (like snort.conf) a lot. You will also be deleting things that need root approval, which gets to be a hassle. I would get "thunar", which is a very straightforward file manager without the glitz (get the "archive" functions too while you're at it). It's great for this kind of stuff. My two favorite commands when doing this sort of thing are "kdesu kedit" and "kdesu thunar". Both allow me to manipulate files at will, but BE SURE WHAT YOU'RE DOING BEFORE YOU DO IT.

Before you get started in the nitty gritty, do yourself a favor and make sure you have Adobe Reader. You'll need it to read the manual I pointed you to. There are .pdf readers installed in Linux already, but Adobe lets you copy/paste text, which is a life saver. Simply highlight the command from the guide, insert it into your terminal window and hit enter. shweeeeet.

Another thing, you'll see "tar.gz" a lot; think "zip file", it's the same thing for the most part. To "untar" a file, you'll either use the default file expander that came with your distro, or the command line, which I prefer. The syntax is: "tar -xzvf FileYoureExpanding.tar.gz".

It will unwrap it into a folder beneath the one you're in, named after the filename including all the .1.2.3 stuff.
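The post's "tar -xzvf" command trusts the archive to unpack into a folder beneath the current one. As an added example (not from the original post), here is a small POSIX shell helper that lists the archive with "tar -tzf" first, confirms it has exactly one top-level folder, and refuses archives that contain absolute paths or ".." components before anything is written to disk. The sample archive "snort-1.2.3.tar.gz" and its contents are constructed inline so the script runs offline; the "-P" flag used to build the bad sample is what GNU tar and bsdtar use to keep an absolute member name.

```shell
#!/bin/sh
# Added example, not from the original post: inspect a tar.gz before
# extracting it, so you know which folder it unpacks into and that it
# cannot write outside the directory you extract into.

# Constructed sample: a tarball laid out the way a source release is.
make_sample_archive() {
    dir=$(mktemp -d)
    mkdir -p "$dir/snort-1.2.3/src"          # constructed name, not a real release
    echo 'int main(void){return 0;}' > "$dir/snort-1.2.3/src/snort.c"
    ( cd "$dir" && tar -czf snort-1.2.3.tar.gz snort-1.2.3 )
    echo "$dir/snort-1.2.3.tar.gz"
}

# Constructed bad sample: -P keeps the absolute path as the member name.
make_bad_archive() {
    dir=$(mktemp -d)
    echo x > "$dir/evil.txt"
    ( cd "$dir" && tar -cPzf bad.tar.gz "$dir/evil.txt" )
    echo "$dir/bad.tar.gz"
}

# Succeed only if no member starts with "/" or contains a ".." component.
archive_is_safe() {
    ! tar -tzf "$1" | grep -Eq '^/|(^|/)\.\.(/|$)'
}

# Print the single top-level folder the archive unpacks into, else fail.
archive_top_dir() {
    tops=$(tar -tzf "$1" | awk -F/ '{print $1}' | sort -u)
    [ -n "$tops" ] || return 1
    [ "$(printf '%s\n' "$tops" | wc -l | tr -d ' ')" -eq 1 ] || return 1
    printf '%s\n' "$tops"
}

# Extract archive $1 into directory $2 after both checks pass; print the
# resulting folder so the caller can cd into it.
extract_into() {
    archive_is_safe "$1" || { echo "refusing to extract $1" >&2; return 1; }
    top=$(archive_top_dir "$1") || { echo "no single top folder in $1" >&2; return 1; }
    mkdir -p "$2" && tar -xzf "$1" -C "$2" && printf '%s\n' "$2/$top"
}

# Usage: extract_into snort-1.2.3.tar.gz ./build
```

The listing step is cheap and is the same "tar -tzf" you would use to see what a download contains before trusting it; the "-C" flag keeps the extraction inside a directory you chose rather than wherever you happen to be standing.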

The rest is pretty self-explanatory.

I'll tell you what, Snort is cool, and it works. The guide gives you a little test, a MySQL statement to push into the database to see if the BASE system works. If you want to see any real activity, add this line to your "local.rules" file:

"alert tcp any any -> any any (msg:"test"; sid:1000002;)" This will generate notices right-quick. Be sure to remove it once you know everything works.
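That catch-all rule alerts on every TCP packet the sensor sees, so it fills the BASE database fast if you forget it. As an added example (not from the original post), here is a POSIX shell helper that appends the test rule behind a marker comment, picks a SID that does not collide with rules already in the file (local rules use SIDs of 1000000 and up, which is why the post's rule uses 1000002), and removes the rule again in one step. The marker text "# TEMP-TEST-RULE" and the sample local.rules contents are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: add the noisy "alert on
# everything" test rule to local.rules so it can be removed again cleanly.

MARKER='# TEMP-TEST-RULE'   # assumed marker comment, chosen for this example

# Constructed local.rules with two rules already present.
make_sample_rules() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed local.rules for this example
alert tcp any any -> any 23 (msg:"telnet attempt"; sid:1000001;)
alert tcp any any -> any 21 (msg:"ftp attempt"; sid:1000005;)
EOF
    echo "$f"
}

# Highest sid already used in the file (0 if the file has none).
max_sid() {
    m=$(grep -o 'sid:[0-9]*' "$1" 2>/dev/null | sed 's/sid://' | sort -n | tail -n 1)
    echo "${m:-0}"
}

# Next free local sid; local rules start at 1000000.
next_sid() {
    m=$(max_sid "$1")
    if [ "$m" -lt 1000000 ]; then echo 1000000; else echo $((m + 1)); fi
}

# Append the marker and the test rule from the post; print the sid used.
add_test_rule() {
    sid=$(next_sid "$1")
    printf '%s\nalert tcp any any -> any any (msg:"test"; sid:%s;)\n' "$MARKER" "$sid" >> "$1"
    echo "$sid"
}

# Delete the marker line and the rule line right after it.
remove_test_rule() {
    sed -i.bak "/^$MARKER\$/{N;d;}" "$1" && rm -f "$1.bak"
}

# Number of alert rules currently in the file.
count_rules() {
    grep -c '^alert' "$1" || true
}

# Usage: add_test_rule /etc/snort/rules/local.rules   (then restart snort)
#        remove_test_rule /etc/snort/rules/local.rules (once BASE shows alerts)
```

Keeping the marker on its own line means the removal does not depend on remembering which SID you used, and reading the next SID from the file avoids the duplicate-SID errors Snort raises when two local rules share a number.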

Finally, I would recommend a real test. Go to www.nessus.org and get "Tenable Nessus for Windows", install it and fire off a scan at your new box. You'll see the alerts pile up and you'll get a great report as to the vulnerability of your box.

There are other great supporting products for Snort such as Guardian, a tool to add bad IPs Snort finds to your firewall automagically, and the "Bleeding Edge Threats" rules website, as well as others. Google "snort add-on".

Have fun, and happy hunting!!!!..

(Snort... Snort... Snort...)

Thursday, August 9, 2007

Installing Act! on Linux..... or therebouts..

This is very long, but it's not complicated. I just didn't know your level of Linux knowledge, so it's very step-by-step.

Act 6.0 runs on Linux under WINE. In Mepis, you need to have root privileges, and you install WINE using Synaptic and/or KPackage, or apt-get. I prefer the command line myself, but other people like a GUI interface.

Typically, you would either fire up Synaptic, or KPackage (probably under the system menu item as Add/Remove Software) enter the ROOT user's password and when it opens do a search on the word WINE. You should see the wine package (currently at wine-0.942.1). Once you find it, click to install it, and hit apply and wait till it's done. No need to re-boot after installing like Windows does.

Next, you would put your ACT! CD in your drive. Here's the tricky part; you need to figure out what the operating system uses to refer to the CD ROM drive. In my case (Fedora), I had to open the home folder, then the device list, and click on "media", which showed me the device name of the CD by clicking on it. In my case, the "device name" was "/media/040723_1329/". WINE needs the long filename and path, in the same proper case as it is on the CD, i.e. Act is not the same as act.

If you look on the desktop, after putting in the CD (mounting it), a CD Icon will appear on the desktop too, the title under the CD is the ID that Linux will use too.

Since I don't have an ACT! cd anymore, I'm installing Fireworks as I do this on Fedora.

Once you know what the installation filename is, i.e. SETUP.EXE or ACTSETUP.EXE, open up a terminal window. You'll find terminal in the menu under utilities probably. You will see a prompt like "[tom@linuxbox ~]$"; this is your command line.

In the terminal window, type "wine /media/040723_1329/Fireworks2.exe" (in my case; yours will be different). Use the path to the CD ROM drive, and the actual Act! setup filename you found earlier.

Hit Enter, If all goes well, you should see something like the following:

"wine: creating configuration directory '/home/tom/.wine'... "
"wine: '/home/tom/.wine' created successfully"

Then the standard windows installation screen will open with the Act setup running. Follow the steps and install Act as you normally would. Once the install is complete, the window should close.

One thing to note, if you look at the "wine" directory name above, you'll notice it's called ".wine" with a leading period, not "wine". This is because it's a HIDDEN directory. The only way to get there is to specifically move there. In other words, if you typed "cd /home/{your home name}/wine", you would get an error. If you typed "cd /home/{your home name}/.wine" you would go there.

WINE creates what is called a "Virtual Environment" on your Linux PC. It's a fully encapsulated version of Windows (95 or 98, not sure) in your Linux Home folder. In the terminal window, type "cd /home/{your home directory name}" to go to your home folder.

Here's a trick, Linux will complete the command if you hit the "tab" button. SO, if you type "cd Doc" then hit TAB, it will auto complete it (provided the directory exists) and it will say "cd Documents", just hit enter. You need enough letters to distinguish it from any other directory name.

This is a life saver when Linux program names are a mile long.

So, from your home prompt ([tom@linux ~]$, the tilde signifies you're home) type "cd .wine" and you'll see "[tom@linux .wine]$". You're in your Windows folder.

Type "ls" (same as "dir" in windows) and you see the file list. There are 3 .reg files (basically Windows registry files), and 2 folders; "dosdevices" and "drive_c". Type "cd dr" then hit tab, it will autocomplete the "drive_c", then hit enter.

Do an "ls" again, you'll see 2 folders; "Program Files" and "windows". "Program Files" is where your programs go, "windows" is all the system stuff. cd to "Program Files". If you "ls", you should see an "Act" folder, cd to that, and do an "ls", and make note of the Act filename (probably act.exe or actw.exe). If it's not there, poke around until you find it.

NOW, here's another trick. You can use the "pwd" command to figure out where you are. This will save a lot of time. Once you are in the folder that has the "Act.exe" program, type "pwd" and hit enter. You will see the entire path to that file. Simply highlight it and right click, "copy" and you'll have the whole path saved.

Do yourself a favor now, and paste this path into your command window, then add the "wine" in front of it, and the "act.exe" to the end, to see if it actually works. It will look something like this:

"[tom@linuxbox Act]$ wine /home/tom/.wine/drive_c/Program\ Files/Act/Act.exe"

Then hit enter. If Act does not start, fiddle with the command until it does. Once it works, quit Act, then hit the up arrow in the terminal window; it will show you the last command you entered, the one you used to launch Act. Again, highlight the whole thing and copy it.

Another Note... the Linux command line does not like spaces. (Neither does Windows.) In a Windows DOS prompt, the directory "Program Files" is referred to as "Progra~1". In Linux, it is written as "Program\ Files" (the backslash goes right before the space: "Program\ Files").

Once the install program is complete, you need to make a shortcut to the program. Linux will NOT add it to your menu, as it doesn't know what it is, or what it's for. If this was a Linux app, the installer would know where to put it, including the category. You need to add the shortcut by hand.

On the Desktop, right click, and select "Create new" and "Link to application". In the "General" tab, type the name of the program i.e "Act 6 for Windows" or something. In the "Application" tab, add the description, and in the "Command" section, paste the launch string you copied earlier, then hit save.

You will see a new icon for Act. Try it out. If it works, let me know. I can IM over Yahoo or whatever if you need help. If it works, awsum. It should behave just like the Windows version, I'm pretty sure. I'd restore a backup and work concurrently with the Windows version until you're sure you like it.

Good Luck!

Tom