Module Objectives:
Snort is designed to produce alerts on network traffic that matches a pattern as specified by a
rule or on conditions that violate protocol-specific norms. It is up to the administrators of the
Snort sensor to monitor these alerts and take whatever action is appropriate. In other words, in
IDS deployments, it is passive in that it takes no direct action on its own to block, prevent or
actively notify when such a condition is detected.
Active response is the ability to do something in response to an alert, which means some other
tool must be used. There are several you can choose from, but this module will present one
called Swatch (Simple log WATCHer). With Swatch, you can monitor system log files and
have it kick off a response of your choice based on conditions you configure in the Swatch
configuration file. Some of the actions you can take are listed below:
- Send output to STDOUT
- Send an email
- Initiate a script
http://swatch.sourceforge.net
Installing Swatch
Slide 235
Swatch requires the installation of several Perl modules before you can install it properly. See
the listing below:
- Bit::Vector
- Date::Calc
- Date::Format
- File::Tail
- Time::HiRes
- Date::Manip
There are a number of methods you can use to install these requisite modules if you choose to
do the installation manually. The lab will provide instructions for a manual Swatch installation,
but the easier method of using yum is preferred since it has the benefit of automatically
resolving package dependencies.
Notes:
Configuring Swatch
Slide 236
Swatch is a very flexible application designed to watch your system log file and take some
action that you configure based on what it sees arrive in the log file. To customize the actions
that Swatch can take, you must edit its configuration file to define the conditions it will
look for and what to do if a condition is met.
When you first install Swatch, no configuration file exists; you must create one yourself. You
can put the Swatch configuration file anywhere you want, but for the purposes of this class,
you will put it in the /etc/snort directory so that it is in the same location as your other
configuration files.
Slide 237
will contain the rules for parsing through the system log file.
The lines that follow the watchfor keyword define the actions that Swatch should take if
the condition configured in the regular expression is met. These actions are defined by
Swatch option keywords. Some examples of option keywords are as follows:
Echo - Sends the text of the alert to STDOUT. You can add a color parameter to display
the text in the color of your choice.
Exec - This option allows you to execute the script of your choice. As a parameter you
can pass the name of the script and any parameters you wish to invoke with the script.
With this option, Swatch is capable of performing just about any action you can script.
An example rule is as follows:
    watchfor /pam_unix/
      echo red
      mail addresses=admin\@domain.com,subject=---Swatch Alert---
This rule instructs Swatch to look for the occurrence of the string "pam_unix" in a log entry.
This is likely to happen when a user logs in or out of the system. If the string is seen by Swatch
in a log entry, Swatch will output the log entry to the terminal window in which the application
was started, in the color red. It will also issue an email with the subject
---Swatch Alert--- to the user admin@domain.com.
Slide 238
Although the example illustrated in the previous section used a standard system log to trigger a
Swatch response, you can configure Swatch to act on alerts generated by Snort as well. Snort
has the ability to generate syslog output. So, by sending Snort alerts to the system log file, you
can create rules in the Swatch configuration file to trigger on Snort alerts. Another alternative
might be to use Snort's fast alert feature and have Swatch monitor the alert file directly.
In either case, it will be
- Create a Swatch rule to identify alerts generated by Snort and perform the desired action
To enable syslog output from Snort, you must update the snort.conf file. Secondly, the
swatch.conf file must be configured with rules to trigger on the Snort alerts of interest to
you. This may require you to get creative with regular expressions so that you will only trigger
on those alerts that are of interest to you and take the appropriate actions based on the context
of the alert.
For example, the priority of a given alert may be the factor that determines what action you
wish to take. You can create a regular expression that looks for high priority alerts which
initiate one set of actions, and a second regular expression that looks for lower priority alerts
which in turn trigger a different set of actions.
Since regular expressions play such an important role in this process, you may wish to test
your regular expressions in the PCRE test tool presented earlier or the test tool of your choice
just to make sure your Swatch rule will work as anticipated prior to putting it into production.
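As an added example (not from the course material or from Swatch itself), the following Python sketch models the priority-based dispatch described above and the block_ip.pl step of the lab: it parses constructed Snort syslog alert lines with the kind of regular expression a watchfor rule would use and picks actions by the [Priority: N] field, rendering the exec action for high-priority alerts as the iptables rule a blocking script would add. The exact syslog line layout and the iptables command are assumptions; Swatch's own rule syntax appears only in the comments.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Regex for a Snort 2.x alert_syslog line (layout assumed from Snort's syslog
# output; the [Classification: ...] field is optional).
SNORT_ALERT = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

@dataclass
class Action:
    """What a matching swatch.conf stanza would do for one log line."""
    echo_color: str
    mail_subject: Optional[str] = None
    exec_cmd: Optional[str] = None

def dispatch(line: str) -> Optional[Action]:
    # Equivalent of two swatch.conf rules keyed on the Snort priority field:
    #   watchfor /\[Priority: 1\]/      -> echo red, mail, exec blocking script
    #   watchfor /\[Priority: [2-4]\]/  -> echo blue only
    # Returns None for lines that are not Snort alerts (e.g. pam_unix entries).
    m = SNORT_ALERT.search(line)
    if m is None:
        return None
    if int(m.group("prio")) == 1:
        # High priority: the exec action hands the source address to a blocking
        # script. The command below is the rule such a script would add
        # (hypothetical stand-in for the course's block_ip.pl). Note that UDP
        # source addresses can be spoofed, so blocking on them needs care.
        return Action(
            echo_color="red",
            mail_subject=f"---Snort Alert--- [{m.group('gid')}:{m.group('sid')}:{m.group('rev')}]",
            exec_cmd=f"iptables -A INPUT -s {m.group('src')} -j DROP",
        )
    return Action(echo_color="blue")

# Constructed sample syslog lines (not captured from a real sensor).
SAMPLE_LOG = [
    "Jan 12 10:00:01 snortbox snort[2345]: [1:2000000:0] UDP Flooder test "
    "[Classification: Attempted Denial of Service] [Priority: 1] {UDP} "
    "192.168.10.50:4000 -> 192.168.10.90:70",
    "Jan 12 10:00:02 snortbox snort[2345]: [1:1000001:1] ICMP test [Priority: 3] "
    "{ICMP} 192.168.10.50 -> 192.168.10.90",
    "Jan 12 10:00:03 snortbox sshd[999]: pam_unix(sshd:session): session opened for user root",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(dispatch(line))
```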
Lab Exercises
Perform the following lab exercises to install and configure Swatch to work with Snort.
Log in to snortbox and use the following command to install Swatch with yum:
Issue the following command from the /usr/local directory to unpack the Swatch
application.
      echo red
      mail addresses=root\@localhost,subject=---Swatch Alert---
4. Save your changes and exit the file.
5. Start up Swatch using the following command:
6. Log in to snortbox. If you are logging in from a remote host such as student desktop, use the PuTTY
terminal emulator to log in to snortbox. If you are in the snortbox GUI, open a second terminal window
and use the following command to log in:
You may be prompted to accept the host as a trusted host. If so, answer yes and press
the Enter key.
7. Type
8. Exit
a message ---Swatch Alert---.
9. To view the message, type the number that corresponds to the message. This is the
number listed in the second column of the mail message listing. Type the letter
Go to the terminal window running the Swatch application and hit the [Ctrl]+[c] keys
to terminate the Swatch process.
This simple test demonstrates some of the functionality of the Swatch application. You were
able to both send output to a terminal window and have an email alert issued for the same
event.
1. Open the barnyard2.conf file on snortbox and remove the comment from the syslog
output line
Barnyard2.
2. Open the swatch.conf file
    watchfor /\[1:xxxxxxx:0\]/
      echo blue
      mail addresses=root\@localhost,subject=---Snort Alert---
Replace the xxxxxxx with the SID of a Snort rule that you can easily trigger. Use one of
the rules created on page 239 that can be triggered with the UDP Flooder. This Swatch rule
file to
- When you see alerts arriving in the /var/log/messages file, you should see the
alerts appear in blue text in the terminal window running Swatch.
- Open a third terminal window and view the mail messages with the mail command. You
should see mail messages with the subject ---Snort Alert---.
will trigger on the new 'threat'
local/pulledpork.pl -c /etc/snort/pulledpork.conf -nfH
- Copy the file block_ip.pl from /usr/local/src to /etc/snort.
- Create a Swatch rule that only triggers on [1:2000000:0]. Have the rule execute scripts using
the following commands. This will also echo the alert in red.
The first action writes the information from the event to an output file. The second will
read the data from the output file, log into the router and create an entry in IPTables
the /etc/snort
- On router, examine the IPTables entries. The list should be empty. Execute the following
command:
    root@router:~# iptables -L
If there are any entries in the table, they may be cleared using iptables -F
- On student desktop, in the Class Files folder, open the UDP Flooder. Use the following
information:
IP/hostname: 192.168.10.90
Port: 70
Max Packets: 5
Text: Swatch Test...
an alert.
iptabf es -F
Module Summary
Slide 240
This module demonstrated how you can use other tools in conjunction with Snort to produce
active responses to Snort alerts. Since Snort does not have this capability natively in IDS
mode, a separate tool must be used. There are several open source tools available that do this,
but in class we focused on a tool called "Swatch" since this tool can be easily implemented on
Linux platforms and has interesting capabilities including the ability to produce text output,
generate emails and execute the script of your choice.