An introduction on Snort a network intrusion detection & prevention system.

1. Snort
Intrusion Detection & Prevention Software
IDS & IPS

2. Summary
Introduction
1. What is Snort?
2. Implementation
3. Q&A
Conclusion
2

3. Introduction
3

4. Intrusion Detection System IDS
+ Monitors network and system activities
+ Reports any malicious activities or violation policies
+ IDS uses SIEM: Security Information and Event Management
+ IDS Classification: NIDS and HIDS
+ Detection Method: Signature or Anomaly
4
Introduction (1)

5. Intrusion Prevention System IPS
+ Block or Stop malicious activities
+ IPS Classification: NIPS, WIPS, NBA, HIPS
+ Detection Method: Signature, Anomaly, Stateful protocol
5
Introduction
(2)

6. What is Snort
6

7. Snort ...
+ Intrusion Detection & Prevention System
+ Open Source and under GPLV2 License
+ Snort modes:
- Sniffer
- Packet logger
- IDS: Network-based or Host-based
7
What is Snort? (1)

8. Snort as IDPS
+ Real-time traffic analysis
+ Protocol analysis
+ Content Searching/Matching
+ Detect varied types of attacks:
- Buffer overflow
- Stealth port Scans
- CGI attacks
- …
8
What is Snort? (2)

9. Snort as IDPS
+ Mode expansion
+ Inline as IPS
+ Passive IDS
+ Inline-test: monitoring test without affecting
network using --enable-inline-test
9
What is Snort? (3)

10. Snort Architecture
10
Packets
Sniffer Preprocessors
Detection
engine
Output
Logging
and
output
alert
Packet
dropped
Rules
What is Snort? (4)

11. Rules
Rules are:
+ A methodology of performing detection
+ Detect the vulnerability
+ Need an understanding of how vulnerability works
Example:
alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; GID:1;
sid:10000001; rev:001; classtype:icmp-event;)
11
What is Snort? (4)

12. Implementation
12

13. Configuring Ubuntu Server
Installing Ubuntu Server 16.04 on VirtualBox and setting the network to Bridged
Adapter.
Updating and Upgrading Ubuntu System:
-:~$ sudo apt-get update
-:~$ sudo apt-get -y dist-upgrade
-:~$ sudo apt-get install -y build-essential
-:~$ sudo apt-get install -y openssh-server
13
Implementation (1)

14. Configuring Network Interface
Disabling packet acquisition: Disabling LRO (Large Receive Offload) and GRO (Generic Receive
Offload).
-:~$ sudo nano /etc/network/interfaces
“ #Disabling LRO and GRO for SNORT
post-up ethtool -K ens160 gro off
post-up ethtool -K ens160 lro off ”
Verify that LRO and GRO disabled
-:~$ reboot
-:~$ ethtool -K ens160 | grep receive-offload 14
Implementation (2)

15. -:~$ Sudo apt-get install -y libpcap-dev
-:~$ Sudo apt-get install -y libpcre3-dev
-:~$ Sudo apt-get install -y libdumbnet-dev
-:~$ sudo apt-get install -y bison flex
-:~$ Wget
https://www.snort.org/downloads/snort/daq-
2.0.6.tar.gz
-:~$ tar xfvz daq-2.0.6.tar.gz
Install Snort Pre-requisites
15
-:~$ cd daq-2.0.6/
-:~$ configure
-:~$ make
-:~$ sudo make install
-:~$ sudo apt-get install zlib1g-dev liblzma-
dev openssl libssl-dev -y
Implementation (3)

16. Installing Snort
-:~$ wget
https://www.snort.org/downloads/snort/sno
rt-2.9.8.3.tar.gz
-:~$ tar xfvz snort-2.9.8.3.tar.gz
-:~$ cd snort-2.9.8.3
-:~$ ./configure --enable-sourcefire
-:~$ make
-:~$ sudo make install
-:~$ Sudo ldconfig #check for updates
-:~$ sudo ln -s /usr/local/bin/snort
/usr/sbin/snort #symbolic link
-:~$ sudo groupadd snort-test
-:~$ sudo useradd snort-test -r -s
/sbin/nologin -C SNORT_IDS -g snort-test
Files and Folders
16
Implementation (4)

17. Folders and Permissions
-:~$ sudo mkdir -p /etc/snort/rules/iplists
-:~$ sudo mkdir /etc/snort/preproc_rules
-:~$ sudo mkdir
/usr/local/lib/snort_dynamicrules
-:~$ sudo mkdir /etc/snort/so_rules
-:~$ sudo mkdir -p /var/log/snort/archived_logs
-:~$ sudo touch
/etc/snort/rules/iplists/black_list.rules
-:~$ sudo touch
/etc/snort/rules/iplists/white_list.rules
-:~$ sudo touch /etc/snort/rules/local.rules
-:~$ sudo touch /etc/snort/sid-msg.map
-:~$ sudo chmod -R 5775 /etc/snort
-:~$ sudo chmod -R 5775 /var/log/snort
-:~$ sudo chmod -R 5775
/usr/local/lib/snort_dynamicrules
-:~$ sudo chown -R snort:snort /etc/snort
-:~$ sudo chown -R snort:snort /var/log/snort
-:~$ sudo chown -R snort:snort
/usr/local/lib/snort_dynamicrules 17
Implementation (5)

18. Snort as a Sniffer
-:~$ sudo snort -v #TCP/IP headers
-:~$ sudo snort -vd #TCP/IP UDP and ICMP headers
-:~$ sudo snort -vde #Displaying with link headers
18
Implementation (6)

19. Snort as a Packet Logger mode
-:~$ sudo snort -dev -l path/to/log #log into the specified path
-:~$ sudo snort -dev -l path/to/log -h 192.168.2.0 #Logging will be devided into
subdirectories for each IP address
-:~$ sudo snort -b# For binary logging
-:~$ sudo snort -dbr path/to/binary/log # pust snort on playback and gets the logs
readable
-:~$ sudo snort -dbr path/to/binary/log ICMP # Displays only the ICMP packtes.
19
Implementation (7)

20. Snort configuration (NIDS)
-:~$ sudo sed -i "s/include $RULE_PATH/#include $RULE_PATH/" /etc/snort/snort.conf
-:~$ sudo vim /etc/snort/snort.conf #change according to folders path
-:~$ sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i
enp0s3
20
Implementation (8)

21. Additional features: Barnyard2
+ open source interpreter of snort binary file. (github: firnsy/barnyard2)
+ can log the data into different: files or database
+ Log files extension is u2
21
Implementation (9)

22. Additional features PulledPork
+ Helper Script written in Perl
+ Downloads and updates rules from snort official website
+ PulledPork needs a token by registering in snort (www.snort.org) called
oinkcode
+ In this implementation, my oinkcode is 33955f002653e33fb94156457ad9bbe3d2e940c5
+ Make changes in PulledPork
22
Implementation
(10)

23. Question & Answers
23

24. Conclusion
24

25. Thank you
25
Fadwa Gmiden & Oussema Hidri