Tuesday, August 14, 2007

Snort Snort.....


The topic for today kiddies is "Snort". This is the sound that a pig makes, I know, because I have been to the county fair, and I've heard it myself. In addition, I have neighbors across the street that raise and show pigs, and I've asked them, and they concur.

Snort is ALSO the "de facto" standard IDS for enterprise and not-so-enterprise networks. What is an IDS, you ask? Well, I'm here to tell you. IDS stands for "Intrusion Detection System". This is not to be confused with a firewall: a firewall decides what traffic gets through, while an IDS watches the traffic that is already flowing and raises an alert when it sees something it doesn't like.

What an IDS does is watch all the traffic passing around your network and compare each packet against a set of known rules (signatures), raising an alert when a packet matches one. This is called "Real Time Traffic Analysis". In addition, it can log packets and do all sorts of other things security-wise, and best of all, it's FREE (open source).

You do need a (paid) subscription if you want the official rules the day they come out; otherwise you wait 30 days for the same rules to be released to everyone. It's a very well supported product with complete documentation for a variety of platforms; this post, however, is about LINUX. There is a Windows version too, but I'll leave that to someone else.

OK, so I decided to put in an IDS, Snort specifically. My first question was: what distro? If you remember from prior blogs, "distro" means "distribution of Linux". I considered a few, for a variety of reasons, and settled on Fedora. Why? Well, obviously, the best installation guide I found was written for a Red Hat/Fedora install, which made it easy. Secondly, Fedora is a very well known, stable and well-supported distro, so you'll have no problem finding the applications and libraries needed to install it.

Now for full disclosure; I installed Snort 4 times, and wiped out and re-installed Fedora once before I got it right. I had trouble with the installation a couple of times, and because of my OCD nature, once I figured it out, I wanted a totally clean installation, hence the reinstall of Fedora.

You will need the following:

  1. A computer (duh), not a supercomputer, but something reasonable. I'm actually running it on an old Dell 4100 with a PIII, half a meg of memory and a junky video card, and it runs great!
  2. A distro. I'd recommend Fedora, Red Hat, anything Debian-based, or Gentoo. I was going to use SmartCom Enterprise, but I got cold feet.
  3. Supporting software
  • Snort (www.snort.org). It has to be built with MySQL support (the "--with-mysql" configure option) or it cannot write its alerts into the database that BASE reads.
  • Apache (the web server; usually installed by default in most Linux distros if you chose a "server" configuration, otherwise you can install it from the terminal)
  • SSL (Secure Sockets Layer; OpenSSL plus Apache's mod_ssl, so BASE is served over HTTPS instead of in the clear; also usually installed by default)
  • PHP (a recursive acronym: "PHP: Hypertext Preprocessor"). You will need to install PHP if it's not pre-installed. After the Linux install, open a terminal window and type "php -v"; if you get "command not found", you need it.
  • MySQL ("My" plus SQL, Structured Query Language). Again, MySQL is usually installed, but check with "mysql --version" (note that lower-case "-v" means verbose, not version, and will try to connect to a server). You need both the client and the server (the "mysql-server" package on Fedora).
  • libpcap and PCRE, including their development headers ("libpcap-devel" and "pcre-devel" on Fedora). Snort's configure step stops dead without them, and they are the usual cause of the "you don't have this installed" messages you'll see later.
  • BASE (Basic Analysis and Security Engine, get it from SourceForge). This is the web front end you'll use to browse the alerts Snort writes into MySQL.
  • Adobe Reader. Install this right away.

Now, for those of you who don't know how to install software on Linux, there are a few ways. There are "package managers" that give you a GUI method. Every distro has one; depending on yours it will be "Synaptic", "Kpackage" or something else. You'll find it on your menu as "Add/Remove Software", probably under "System". The other way, which *I* prefer, is the terminal. Depending again on your distribution, you'll use "apt-get" (Debian/Ubuntu) or "yum" (Fedora/Red Hat). Both are the command-line version of the GUI and share the same package database lock, so if you have "Synaptic" open you'll get an error if you try to use "apt-get" at the same time.

Fedora uses "yum", but the commands are more or less interchangeable for our purposes. For instance, if you did as I said and found out "Apache" was not installed, you would need to install it. Here's the rub: the package isn't called "Apache", it's called "httpd". A quick "how the heck do I install Apache" Google search helped me with that.

So, in the terminal, you would type "yum install httpd". You'll probably get an error, because to be allowed to install software you need "root" privileges. When you set up Linux, you created a "root" user and a password. You can do one of two things now: either switch to the root account with "su -" (which is never recommended, but I find it easier, provided you do it safely), or prefix the command with "sudo" (Super User Do), which runs just that one command as root. It will look like this:

"sudo yum install httpd" Note that sudo asks for YOUR password, not root's ("su -" is the one that wants the root password), and it only works once your account is allowed in /etc/sudoers; on Fedora that means putting yourself in the "wheel" group and uncommenting the "%wheel" line with "visudo". Then off you go. Do the same for anything else that's missing.
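Here is the "check what's missing, then install it" routine from the last few paragraphs as one script. It is an added example, not something from the original post or from the install guide; it assumes a Fedora-style box with yum, and the command-to-package pairs at the bottom (httpd, php, mysql, mysql-server, snort) are the Fedora package names, which you'd adjust for apt-get.

```shell
#!/bin/sh
# Added example (not from the original post): find out which of the pieces
# listed above are already installed, and build the yum line for the rest.
# Assumes a Fedora-style box; the command:package pairs at the bottom use the
# Fedora package names (httpd for Apache, php, mysql/mysql-server, snort).

# Daemons such as httpd and mysqld live in /usr/sbin, which is often not on
# a normal user's PATH, so look there too.
PATH="$PATH:/usr/sbin:/sbin"

# Print the package for each command that cannot be found.
# Arguments are "command:package" pairs, e.g. httpd:httpd.
missing_packages() {
    for pair in "$@"; do
        cmd=${pair%%:*}
        pkg=${pair#*:}
        # "command -v" is the portable "is this on the PATH" check; it does
        # not need the program to run, unlike "php -v" or "mysql --version".
        if ! command -v "$cmd" >/dev/null 2>&1; then
            printf '%s\n' "$pkg"
        fi
    done
}

# "sudo" is only needed when you are not already root (id -u prints 0 for root).
# sudo asks for YOUR password, not root's, and only works once your account is
# allowed in /etc/sudoers (on Fedora: put yourself in the wheel group and
# uncomment the %wheel line with visudo).
escalate_prefix() {
    if [ "$(id -u)" -eq 0 ]; then
        printf ''
    else
        printf 'sudo'
    fi
}

# The one-line install command for whatever is missing; prints nothing when
# everything is already there.
install_command() {
    pkgs=$(missing_packages "$@" | tr '\n' ' ')
    pkgs=${pkgs% }
    [ -n "$pkgs" ] || return 0
    prefix=$(escalate_prefix)
    printf '%s%syum install %s\n' "$prefix" "${prefix:+ }" "$pkgs"
}

# Usage: the pairs mirror the list above. Run the script, read the line it
# prints, then run that line.
install_command httpd:httpd php:php mysql:mysql mysqld:mysql-server snort:snort
```

The script only prints the install line rather than running it, so you can read it first; that is the same "know what you're doing before you do it" habit the rest of this post keeps coming back to.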

Now, I'm NOT going to get into the step-by-step installation, because someone else already did and it's great. One word of caution: follow it step by step. Do NOT proceed from one step to the next unless you are sure you've done the step accurately and it works properly. This will save you a world of hurt.

Another thing: EXPECT a little frustration. It won't be so bad; it's fun. The biggest headache I had was that I was missing quite a few things. I kept getting "this won't work because you don't have that installed" and "this other thing won't work because it's missing stuff too", so to get thing one to play with thing two, you'll be typing a lot of "yum"s or "apt-get"s.

I recommend you go HERE for the installation guide. Of all of them, I found it to be the most complete.

Once you get started, you'll be doing some text editing. His examples use the "vi" editor, which I personally hate. I'm a command line guy and I've used terminal editors and control codes, but "vi" sucks. Hate me if you will, but all I want to do is change a line or two and not learn an archaic interface to do it.

I use "kedit" because I have the KDE interface. Yours may be different.

editorial note: I installed KDE from Synaptic because I prefer it over Gnome. Choose what you want, but I am used to KDE. It's like the whole "Windows/Apple" thing - users use what they're comfortable with, and defend it to the bone.

Anyways.....

You'll be editing configuration files (like snort.conf) a lot. You will also be deleting things that need root approval, which gets to be a hassle. I would get "thunar", which is a very straightforward file manager without the glitz (get the "archive" functions too while you're at it). It's great for this kind of stuff. My two favorite commands when doing this sort of thing are "kdesu kedit" and "kdesu thunar". Both let me manipulate files at will as root, but BE SURE WHAT YOU'RE DOING BEFORE YOU DO IT: a file manager running as root will happily delete anything you point it at.

Before you get started in the nitty gritty, do yourself a favor and make sure you have Adobe Reader. You'll need it to read the guide I pointed you to. There are PDF readers installed in Linux already, but Adobe lets you copy/paste text, which is a life saver. Simply highlight the command from the guide, paste it into your terminal window and hit Enter (read it once before you do; a stray line break or a path that differs from yours is exactly where a step-by-step guide goes wrong). shweeeeet.

Another thing: you'll see "tar.gz" a lot. Think "zip file"; it's the same idea (a tar archive compressed with gzip). To "untar" a file, you'll either use the default archive tool that came with your distro or the command line, which I prefer. The syntax is: "tar -xzvf FileYoureExpanding.tar.gz" (x = extract, z = run it through gunzip, v = list each file as it goes, f = the archive named next).

It will unpack into a folder beneath the one you're in, named after the archive minus the ".tar.gz", version number and all.
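Before running that "tar -xzvf" on something you downloaded, it is worth listing the archive and checking its checksum, since a tarball is just a list of file names and a hostile one can carry names like "../etc/passwd" that land outside the folder you expected. The script below is an added example, not from the original post or the install guide; the "snort-9.9.9" archive it builds is constructed for the demo and is not a real Snort release, and the MD5 it compares against stands in for the value published next to the download.

```shell
#!/bin/sh
# Added example (not from the original post): look inside a .tar.gz before
# expanding it, and check it against the published checksum. The archive
# built at the bottom is constructed for the demo, not a real Snort release.

# The name of the folder the archive will expand into (the post's "named
# after the filename"), read from the archive listing (-t = list, not extract).
tar_top_dir() {
    tar -tzf "$1" | sed 's#/.*##' | sort -u
}

# Read archive entry names on stdin; succeed only if none is an absolute path
# or contains a ".." component. A hostile archive with such entries would
# write outside the folder you expand into.
entries_are_clean() {
    ! grep -Eq '^/|(^|/)\.\.(/|$)'
}

# Succeed if the archive is clean and everything sits under one top-level
# folder, so "tar -xzvf" cannot scatter files into the current directory.
tar_is_contained() {
    list=$(tar -tzf "$1") || return 1
    printf '%s\n' "$list" | entries_are_clean || return 1
    [ "$(printf '%s\n' "$list" | sed 's#/.*##' | sort -u | wc -l | tr -d ' ')" -eq 1 ]
}

# Compare the file's MD5 against the value published next to the download
# (snort.org lists one per release); a mismatch means a corrupt or tampered file.
verify_md5() {
    [ "$(md5sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# The post's "tar -xzvf", run only after the checks pass.
safe_untar() {
    tar_is_contained "$1" || { echo "refusing to expand $1" >&2; return 1; }
    tar -xzvf "$1"
}

# Constructed demo archive: a release-style folder with one file in it.
demo_archive() {
    d=$(mktemp -d)
    mkdir -p "$d/snort-9.9.9/src"
    echo 'placeholder' > "$d/snort-9.9.9/src/README"
    (cd "$d" && tar -czf snort-9.9.9.tar.gz snort-9.9.9)
    printf '%s\n' "$d/snort-9.9.9.tar.gz"
}

# Usage: print the folder it will create, then expand it next to the archive.
archive=$(demo_archive)
tar_top_dir "$archive"
(cd "$(dirname "$archive")" && safe_untar "$archive")
```

"tar_top_dir" answers the "what folder will this make?" question without touching the disk, and "tar_is_contained" is the check you want before expanding anything you did not build yourself.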

The rest is pretty self-explanatory.

I'll tell you what, Snort is cool, and it works. The guide gives you a little test: a MySQL statement to push into the database to see if the BASE system works. If you want to see some real activity, add this line to your "local.rules" file (make sure your snort.conf actually includes local.rules, then restart Snort):

"alert tcp any any -> any any (msg:"test"; sid:1000002;)" This matches every single TCP packet, so it will generate alerts right quick. Be sure to remove it once you know everything works, or the real alerts will drown in the noise.
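The test rule above is the kind of thing that is easy to add and easy to forget about, so here is the add-it, check-it, remove-it routine as a script. This is an added example, not from the original post or the install guide. It assumes the usual layout where snort.conf pulls in rule files with "include $RULE_PATH/...", and the scratch directory it builds (with a made-up "other.rules" holding a sid 1000001 rule) is constructed for the demo rather than copied from a real install.

```shell
#!/bin/sh
# Added example (not from the original post): put the catch-all test rule
# above into local.rules with a few checks first, and take it out again by sid.
# The real files live under /etc/snort; here paths are passed in so the demo
# at the bottom can run on a constructed scratch copy.

TEST_RULE='alert tcp any any -> any any (msg:"test"; sid:1000002;)'

# Pull the sid out of a rule line.
rule_sid() {
    printf '%s\n' "$1" | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# sids from 1,000,000 up are reserved for local rules; a lower number can
# collide with the official or Bleeding Edge rule sets.
sid_is_local() {
    sid=$(rule_sid "$1")
    [ -n "$sid" ] && [ "$sid" -ge 1000000 ]
}

# Nothing in local.rules is loaded unless snort.conf includes the file.
local_rules_included() {
    grep -Eq '^[[:space:]]*include[[:space:]]+\$RULE_PATH/local\.rules' "$1"
}

# Is the sid already used by any .rules file in the directory? Two rules with
# one sid are indistinguishable in BASE, and newer Snort versions refuse them.
sid_in_use() {
    grep -Eqs "sid:[[:space:]]*$1[[:space:]]*;" "$2"/*.rules
}

# Append the rule once the checks pass. Usage: add_rule SNORT_CONF RULES_DIR RULE
add_rule() {
    conf=$1; dir=$2; rule=$3
    local_rules_included "$conf" || { echo "snort.conf does not include local.rules" >&2; return 1; }
    sid_is_local "$rule" || { echo "sid must be 1000000 or higher" >&2; return 1; }
    sid_in_use "$(rule_sid "$rule")" "$dir" && { echo "sid already in use" >&2; return 1; }
    printf '%s\n' "$rule" >> "$dir/local.rules"
}

# Drop the rule again once alerts show up in BASE. Usage: remove_rule_by_sid SID RULES_DIR
remove_rule_by_sid() {
    grep -Ev "sid:[[:space:]]*$1[[:space:]]*;" "$2/local.rules" > "$2/local.rules.tmp" || :
    mv "$2/local.rules.tmp" "$2/local.rules"
}

# Have snort parse the config (-T = test and report, then exit) before you
# restart the daemon; skipped when snort is not installed on this machine.
test_config() {
    command -v snort >/dev/null 2>&1 || { echo "snort not on PATH, skipping -T" >&2; return 0; }
    snort -T -c "$1"
}

# Constructed scratch layout (not your real /etc/snort): a snort.conf that
# includes local.rules, one other rule file, and an empty local.rules.
demo_dir() {
    d=$(mktemp -d)
    printf 'var RULE_PATH %s\ninclude $RULE_PATH/local.rules\n' "$d" > "$d/snort.conf"
    printf 'alert tcp any any -> any 22 (msg:"ssh"; sid:1000001;)\n' > "$d/other.rules"
    : > "$d/local.rules"
    printf '%s\n' "$d"
}

# Usage: add the test rule, show local.rules, remove it again.
dir=$(demo_dir)
add_rule "$dir/snort.conf" "$dir" "$TEST_RULE"
cat "$dir/local.rules"
remove_rule_by_sid 1000002 "$dir"
```

On a real sensor, run "test_config /etc/snort/snort.conf" after either change and only then restart Snort; the sid checks catch the two mistakes that otherwise show up as "why is nothing alerting" (local.rules not included) or as two different rules sharing one name in BASE.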

Finally, I would recommend a real test. Go to www.nessus.org and get "Tenable Nessus for Windows", install it and fire off a scan at your new box (only ever scan machines you own or have permission to test). You'll see the alerts pile up, and you'll get a great report on the vulnerability of your box.

There are other great supporting products for Snort, such as Guardian (a tool that adds the bad IPs Snort finds to your firewall automagically) and the "Bleeding Edge Threats" rules website, as well as others. Google "snort add-on". One caution on Guardian-style auto-blocking: since anyone can spoof a source address, an attacker can get you to block addresses you care about, so keep a whitelist of the ones you can't afford to lose (your gateway, your DNS servers, your own management box).

Have fun, and happy hunting!!!!..

(Snort... Snort... Snort...)