
Snort IDS/IPS

Tools needed: LAMP server, Snort, ACID/BASE

VM environment:
INSTALLATION CONFIGURATION: IDS VM (interface 0 - NAT)
TESTING CONFIGURATION: IDS VM (interface 0 - Host-only, interface 1 - intnet), WinXP SP2 VM (interface 0 - intnet)

Step 1 Lamp Server Install


The LAMP server will be used as the back-end database for Snort, as well as for the ACID/BASE administration interface. You will be asked to enter a root password for the MySQL service; we will be using the same password as the system root (secure?) for simplicity. This is not recommended for environments outside of the security lab.

From a terminal enter:
IDS#sudo tasksel install lamp-server

Enter: secure? (for the MySQL root password). You will be prompted to confirm the password.

Step 2 Snort Db configuration


From the terminal enter:
IDS#mysql -u root -p
IDS mysql#create database snort;
IDS mysql#GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES ON snort.* TO 'root'@'localhost' IDENTIFIED BY 'secure?';
IDS mysql#FLUSH PRIVILEGES;
IDS mysql#quit

Step 3 Snort Installation


To install snort type:
IDS#sudo apt-get install snort-mysql

Enter your internal network's network address when prompted.

Do not set up the Db during the snort install. We'll configure the snort.conf file to connect to the database we created in step 2.

The following error may be displayed:
/etc/snort/db-pending-config file found
Snort will not start as its database is not yet configured.
Please configure the database as described in /usr/share/doc/snort-mysql/README-database.Debian and then remove /etc/snort/db-pending-config
* Stopping Network Intrusion Detection System snort
* No running snort instance found
Any errors will be corrected once we configure snort to use the database set up in step 2.

Step 4 Snort initial configuration


Update our snort database with the snort table structure. From the terminal:
IDS#cd /usr/share/doc/snort-mysql

Decompress the schema file and load it into the database (creates the db schema):
IDS#sudo zcat create_mysql.gz | mysql -u root -p -D snort

Configure the snort.conf file for db use:
IDS#sudo gedit /etc/snort/snort.conf

Disable (comment out) this line:
#output log_tcpdump: tcpdump.log

Uncomment the following line (insert the correct values for user/pwd/db):
output database: log, mysql, user=root password=secure? dbname=snort host=localhost

Remove the pending conf. file (it will overwrite our configuration otherwise):
IDS#sudo rm -rf /etc/snort/db-pending-config

Check that mysql and apache are running, else start the services:
IDS#sudo service apache2 status
IDS#sudo service mysql status

Start snort:
IDS#sudo service snort start

Verify the snort daemon started successfully:
IDS#sudo /etc/init.d/snort status
IDS#sudo tail /var/log/daemon.log

The following is displayed if snort started successfully:
May 23 10:46:31 infwarfare snort[4261]: --== Initialization Complete ==--
May 23 10:46:31 infwarfare snort[4261]: Snort initialization completed successfully (pid=4261)
May 23 10:46:31 infwarfare snort[4261]: Not Using PCAP_FRAMES
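The two checks above (the output lines in snort.conf and the initialization message in daemon.log) can be scripted so they are re-run after every edit. The script below is an added example, not part of the original lab; it takes file paths as arguments so it can be pointed at /etc/snort/snort.conf and /var/log/daemon.log on the IDS VM, and the sample files it builds are constructed to mirror what Step 4 leaves behind.

```shell
#!/bin/sh
# Added example (not part of the lab): automated checks for Step 4 of the Snort setup.
# check_snort_conf FILE: returns 0 when the tcpdump output plugin is commented
# out and an active MySQL output line targets the snort database.
check_snort_conf() {
    conf="$1"
    # An uncommented log_tcpdump line means logs still go to the pcap file.
    if grep -Eq '^[[:space:]]*output[[:space:]]+log_tcpdump' "$conf"; then
        echo "$conf: output log_tcpdump is still active" >&2
        return 1
    fi
    # The database output plugin must be active and name the snort database.
    if ! grep -Eq '^[[:space:]]*output[[:space:]]+database:[[:space:]]*log,[[:space:]]*mysql,.*dbname=snort' "$conf"; then
        echo "$conf: no active 'output database: log, mysql, ... dbname=snort' line" >&2
        return 1
    fi
    return 0
}

# snort_init_ok LOGFILE: prints the pid from the last "Snort initialization
# completed successfully (pid=N)" syslog line; returns 1 if none is present.
snort_init_ok() {
    pid=$(grep 'snort\[[0-9]*\]: Snort initialization completed successfully' "$1" \
          | tail -n 1 | sed -n 's/.*(pid=\([0-9][0-9]*\)).*/\1/p')
    [ -n "$pid" ] || return 1
    echo "$pid"
}

# Constructed sample files mirroring what Step 4 leaves on the IDS VM.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/snort.conf" <<'EOF'
#output log_tcpdump: tcpdump.log
output database: log, mysql, user=root password=secure? dbname=snort host=localhost
EOF
cat > "$SAMPLE_DIR/daemon.log" <<'EOF'
May 23 10:46:31 infwarfare snort[4261]: --== Initialization Complete ==--
May 23 10:46:31 infwarfare snort[4261]: Snort initialization completed successfully (pid=4261)
May 23 10:46:31 infwarfare snort[4261]: Not Using PCAP_FRAMES
EOF

# Run both checks against the sample files (swap in the real paths on the IDS VM).
check_snort_conf "$SAMPLE_DIR/snort.conf" && echo "snort.conf: database output active, tcpdump output disabled"
pid=$(snort_init_ok "$SAMPLE_DIR/daemon.log") && echo "snort started successfully (pid=$pid)"
```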

Step 5 ACID installation


ACID/BASE is a web front end used to monitor Snort's logs. To install acidbase type:
IDS#sudo apt-get install acidbase

Configure acid to use the mysql db: select YES to configure the database, then select MYSQL as the database type.

Type in the mysql root password (should be: secure?), you will be prompted to confirm.

You will be asked to create a MySQL password for Acid/BASE to connect to the db. In this lab we are using the secure? password for simplicity. At this point, the Acid/BASE setup is done.

Next we configure the Acid/BASE installation to use our snort database and set up the Acid/BASE tables in the snort database that allow Snort and Acid/BASE to communicate.

To configure Acid/BASE, open a web browser and navigate to the following URL:
http://localhost/acidbase
Navigate to the Setup page: click on "setup page" to configure Acid/BASE.
Create the Acid/BASE tables in the snort database: click on the "Create BASE AG" button.

The following messages should be displayed:
Successfully created 'acid_ag'
Successfully created 'acid_ag_alert'
Successfully created 'acid_ip_cache'
Successfully created 'acid_event'
Successfully created 'base_roles'
Successfully INSERTED Admin role
Successfully INSERTED Authenticated User role
Successfully INSERTED Anonymous User role
Successfully INSERTED Alert Group Editor role
Successfully created 'base_users'
Click on the HOME button to return to the main page.

Step 6 TEST IDS


Shut down any VMs that are currently running. Restart the VMs in the TESTING configuration outlined at the beginning of the lab. Enable ip_forwarding on the IDS VM. Verify the status of the Apache, MySQL, and Snort services.

Verify the XP VM is routing through the IDS VM (set as its default gateway). Verify the HOST machine can route packets to the 10.0.0.0/24 network through the IDS VM. From HOST:
sudo nmap -sV -sS -O <XP-VM's-IP>
Snort should alert on the scan.

Turn In
Export the alert log from snort, or a screenshot of the attempted attack as logged by snort.

Extended Learning
Attempt the ftp exploit we did in lab2. Start the XP VM in the internal network and add the route for the GW VM as its default gateway. Uncomment the rule below in the snort.conf file:
include /etc/snort/rules/ftp.rules
Run the exploit. Snort should display an attack alert.
