
MODULE 13

Active Response in Snort

About This Module


This module presents information on how to configure your Snort installation with active
response capability. Although Snort, in IDS mode, does not provide this functionality natively,
you can use third party applications to perform active responses to Snort-generated alerts.

Module Objectives:

• Describe what is meant by "Active Response"
• Present an application that can work with Snort to provide active response capability
• Implement active response capability in your Snort installation


Active Response in Snort

What is Active Response?


Slide 234

Snort is designed to produce alerts on network traffic that matches a pattern as specified by a
rule or on conditions that violate protocol-specific norms. It is up to the administrators of the
Snort sensor to monitor these alerts and take whatever action is appropriate. In other words, in
IDS deployments, it is passive in that it takes no direct action on its own to block, prevent or
actively notify when such a condition is detected.

Active response is the ability to do something in response to an alert, which means some other
tool must be used. There are several you can choose from, but this module will present one
called Swatch (Simple log WATCHer). With Swatch, you can monitor system log files and
have it kick off a response of your choice based on conditions you configure in the Swatch
configuration file. Some of the actions you can take are listed below:

• Send output to STDOUT (a terminal window, for example)
• Send an email
• Initiate a script

Swatch may be obtained from the following location:

http://swatch.sourceforge.net

Installing Swatch

Slide 235

Swatch requires the installation of several Perl modules before you can install it properly. See
the listing below:

• Bit::Vector
• Date::Calc
• Date::Format
• File::Tail
• Time::HiRes
• Date::Manip

There are a number of methods you can use to install these requisite modules if you choose to
do the installation manually. The lab will provide instructions for a manual Swatch installation,
but the easier method of using yum is preferred since it has the benefit of automatically
resolving package dependencies.


Configuring Swatch

Slide 236

Swatch is a very flexible application designed to watch your system log file and take some
action that you configure based on what it sees arrive in the log file. To customize the actions
that Swatch can take, you must edit its configuration file to define the conditions it will
look for and what to do if the condition exists.

When you first install Swatch, no configuration file exists; you must create one yourself. You
can put the Swatch configuration file anywhere you want, but for the purposes of this class,
you will put it in the /etc/snort directory so that it is in the same location as your other
configuration files.

Slide 237

The Swatch configuration file will contain the rules for parsing through the system log file.
The rule syntax is as follows:

watchfor <Regular Expression>
    <swatch option> <option parameter>

• The watchfor keyword begins the rule.
• The watchfor keyword is followed by a regular expression to define what it is that
  Swatch should look for in the system log file.

The lines that follow the watchfor keyword define the actions that Swatch should take if
the condition configured in the regular expression is met. These actions are defined by
Swatch option keywords. Some examples of option keywords are as follows:

Echo - Sends the text of the alert to STDOUT. You can add a color parameter to display
the text in the color of your choice.

Mail - This keyword allows you to send message text in the form of an email to the
email account of your choice. The parameters you pass to this option include the email
address of the account you want to receive the message and the text that should appear
in the subject line of the email.

Exec - This option allows you to execute the script of your choice. As a parameter you
can pass the name of the script and any parameters you wish to invoke with the script.
With this option, Swatch is capable of performing just about any action you can script.

An example of a Swatch rule is as follows:

watchfor /pam_unix/
    echo red
    mail addresses=admin\@domain.com,subject=---Swatch Alert---


This rule instructs Swatch to look for the occurrence of the string "pam_unix" in a log entry.
This is likely to happen when a user logs in or out of the system. If the string is seen by Swatch
in a log entry, Swatch will output the log entry to the terminal window in which the application
was started, in the color red. It will also issue an email with the subject
---Swatch Alert--- to the user admin@domain.com.

Configuring Swatch to Work With Snort Alerts

Slide 238

Although the example illustrated in the previous section used a standard system log to trigger a
Swatch response, you can configure Swatch to act on alerts generated by Snort as well. Snort
has the ability to generate syslog output. So, by sending Snort alerts to the system log file, you
can create rules in the Swatch configuration file to trigger on Snort alerts. Another alternative
might be to use Snort's fast alert feature and have Swatch monitor the alert file directly.
In either case, it will be a two-step process:

• Enable the alert_fast or syslog Snort output plug-in
• Create a Swatch rule to identify alerts generated by Snort and perform the desired action

To enable syslog output from Snort, you must update the snort.conf file. Secondly, the
swatch.conf file must be configured with rules to trigger on the Snort alerts of interest to
you. This may require you to get creative with regular expressions so that you will only trigger
on those alerts that are of interest to you and take the appropriate actions based on the context
of the alert.

For example, the priority of a given alert may be the factor that determines what action you
wish to take. You can create a regular expression that looks for high priority alerts which
initiate one set of actions, and a second regular expression that looks for lower priority alerts
which in turn trigger a different set of actions.
Since regular expressions play such an important role in this process, you may wish to test
your regular expressions in the PCRE test tool presented earlier or the test tool of your choice
just to make sure your Swatch rule will work as anticipated prior to putting it into production.
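The priority-based approach described above, written out as an added example of a swatch.conf fragment (this is not the course's configuration file; the mail address and the responder script path are assumptions). Snort's syslog alerts carry the text "[Priority: N]" after the alert message, so one rule keys on priority 1 and a second on priorities 2 and 3:

```conf
# Added example swatch.conf fragment (not the course's file). Assumes Snort or
# Barnyard2 alerts arrive in the system log and that a responder script exists
# at /etc/snort/block_ip.pl (hypothetical path).

# Priority 1 alerts: highlight in red, mail, and hand the whole log line ($0)
# to the responder script.
watchfor /\[\d+:\d+:\d+\] .*\[Priority: 1\]/
    echo red
    mail addresses=root\@localhost,subject=---Snort HIGH priority alert---
    exec /etc/snort/block_ip.pl $0

# Priority 2 and 3 alerts: highlight and mail only, no automatic response.
watchfor /\[\d+:\d+:\d+\] .*\[Priority: [23]\]/
    echo yellow
    mail addresses=root\@localhost,subject=---Snort alert---
```

Start it against the system log with swatch -c /etc/snort/swatch.conf -t /var/log/messages, and confirm with a test alert of each priority that exactly one rule fires per line. For a noisy rule, Swatch's throttle option (see the swatch man page) can rate-limit the mail and exec actions so that a burst of identical alerts does not produce a burst of emails or script runs.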


Lab Exercises
Perform the following lab exercises to install and configure Swatch to work with Snort.

Lab #1: Install Swatch

Slide 239

Login to snortbox and use the following command to install Swatch with yum:

[root@snortbox local]# yum install swatch

Manual Swatch Installation

ONLY do the Manual Swatch Installation if the classroom does not provide internet access!

Issue the following commands from the /usr/local directory to unpack and build the Swatch
application.

[root@snortbox local]# tar zxvf src/swatch-3.1.1.tar.gz
[root@snortbox local]# cd swatch-3.1.1
[root@snortbox swatch-3.1.1]# perl Makefile.PL
[root@snortbox swatch-3.1.1]# make
[root@snortbox swatch-3.1.1]# make test
[root@snortbox swatch-3.1.1]# make install
[root@snortbox swatch-3.1.1]# make realclean

Lab #2: Configure Swatch

In this lab, you will create a Swatch configuration file and call that configuration to test your
Swatch rule.

1. Enter the following directory location: /etc/snort
2. Use a text editor to create a file called swatch.conf. For example, if you were to use the
   VI editor, the command would be as follows: vim swatch.conf
3. Create a rule in the file as follows:

   watchfor /pam_unix/
       echo red
       mail addresses=root\@localhost,subject=---Swatch Alert---

4. Save your changes and exit the file.
5. Start up Swatch using the following command:


   [root@snortbox snort]# swatch -c /etc/snort/swatch.conf -t /var/log/secure

   This will start the Swatch application in the current terminal window.

6. Login to snortbox.
   • If you are logging in from a remote host such as student desktop, use the PuTTY
     terminal emulator to login to snortbox.
   • If you are in the snortbox GUI, open a second terminal window and use the following
     command to login:

     [root@snortbox snort]# ssh localhost

     You may be prompted to accept the host as a trusted host. If so, answer yes and press
     the Enter key.
   • Provide your local login credentials as you normally would.
7. At this point, you should see a message appear in red text in the terminal window you
   used to start up the swatch application.
8. Type exit to exit the SSH session, then type mail at the command prompt to view your
   mail messages.
   • You should see a message in the list of mail messages with the subject
     ---Swatch Alert---.
   • To view the message, type the number that corresponds to the message. This is the
     number listed in the second column of the mail message listing.
   • Type the letter 'q' to quit the mail application.
9. Go to the terminal window running the Swatch application and hit the [Ctrl]+[c] keys
   to terminate the Swatch process.

This simple test demonstrates some of the functionality of the Swatch application. You were
able to both send output to a terminal window and have an email alert issued for the same
event.

Lab #3: Actively Responding to Snort Alerts with Swatch

In this lab, you will configure Snort to produce syslog output and have the Swatch application
trigger on Snort-generated alerts.

1. Open the barnyard2.conf file on snortbox and remove the comment from the syslog
   output line: output alert_syslog. Save your changes and exit the file. Restart
   Barnyard2.
2. Open the swatch.conf file and add the following rule to the file:

   watchfor /\[1:xxxxxxx:0\]/
       echo blue
       mail addresses=root\@localhost,subject=---Snort Alert---

   Replace the xxxxxxx with the SID of a Snort rule that you can easily trigger. Use one of
   the rules created on page 239 that can be triggered with the UDP Flooder. This Swatch rule
   will essentially trigger on that Snort-generated alert.
3. Start Swatch with the following command:

   [root@snortbox snort]# swatch -c /etc/snort/swatch.conf

   This runs the Swatch application in the terminal window from which you issued the
   command.
4. Use the packet crafting tool (UDPflooder.exe) on student desktop to trigger the Snort rule.
   • Open another terminal window and run the tail -f /var/log/messages command to
     see Snort alerts going to the system log file.
   • When you see alerts arriving in the /var/log/messages file, you should see the
     alerts appear in blue text in the terminal window running Swatch.
   • Open a third terminal window and view the mail messages with the mail command. You
     should see mail messages with the subject ---Snort Alert---.
Lab #4: Execute a Script with Swatch Responses

In a production situation, you may want to take additional action above and beyond simple
alerts or emails. In this exercise we will execute a perl script that will allow us to reconfigure
IPTables on router.

• Create a simple Snort rule that will trigger on the new "threat" and add it to the
  sid-msg.map. Add the following line to local.rules on snortbox:

  alert udp $HOME_NET any -> $EXTERNAL_NET 70 (msg:"swatch test"; sid:2000000; content:"swatch test"; nocase;)

• Update the sid-msg.map, Snort and Barnyard2 using the following command:

  [root@snortbox local]# pulledpork.pl -c /etc/snort/pulledpork.conf -nfH

• Copy the file block_ip.pl from /usr/local/src to /etc/snort.
• Create a Swatch rule that only triggers on [1:2000000:0]. Have the rule execute scripts using
  the following commands. This will also echo the alert in red.

  exec /bin/echo $_ > out.txt        # echo the snort alert to a file
  exec /usr/bin/perl block_ip.pl     # call the perl script to read the file and run the ssh commands
  echo red

  The first action writes the information from the event to an output file. The second script
  reads the data from the output file, logs into the router and creates an entry in IPTables
  blocking the source of the event.

• Review the script file block_ip.pl.
• Change to the /etc/snort directory and start swatch.
• On router examine the IPTable entries. The list should be empty. Execute the following
  command:

  root@router:~# iptables -L

  If there are any entries in the table they may be cleared using iptables -F.
• On student desktop, in the Class Files folder, open the UDP Flooder. Use the following
  information:

  IP/hostname: 192.168.10.90
  Port: 70
  Max Packets: 5
  Text: Swatch Test...

• Hit the Go button on the flooder.
• On snortbox verify the event triggered an alert.
• On router verify that a new entry was created in IPTables.
• On student desktop, can you ping 192.168.10.90?
• Clear IPTables on router using iptables -F.
• Stop swatch on snortbox.
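The parsing and decision logic that a responder script such as the lab's block_ip.pl needs, written as an added Python example (this is not the course's Perl script, and it does not log into router). It reads Snort alert lines in the syslog format shown in Lab #3, decides an action from the SID and the "[Priority: N]" field as the regular-expression discussion earlier in the module suggests, and builds the iptables command that would drop the source address without executing it. The sample log lines, the allowlist of hosts that must never be blocked, and the set of SIDs that trigger a block are constructed for the example; the 192.168.10.250 management host is hypothetical.

```python
"""Responder logic for Snort alerts delivered through syslog (added example,
not the course's block_ip.pl).  Parses the alert line written by the Snort or
Barnyard2 syslog output plug-in, picks an action from the SID and priority, and
builds (without running) the iptables command that would drop the source.
The log lines, allowlist and block set below are constructed for this example."""
import ipaddress
import re

# One alert as it appears in /var/log/messages:
#   [gid:sid:rev] msg [Classification: text] [Priority: N] {PROTO} src:port -> dst:port
# The Classification part is absent for rules without a classtype (such as the
# lab's "swatch test" rule) and the ports are absent for ICMP, so both are optional.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?"
)

BLOCK_SIDS = {2000000}  # SIDs whose source is blocked outright (the lab's test rule)

# Hosts that are never blocked whatever the alert says: the sensor itself
# (192.168.10.90 in the lab) and a hypothetical management host.
ALLOWLIST = {
    ipaddress.ip_address("192.168.10.90"),
    ipaddress.ip_address("192.168.10.250"),
}

# Constructed sample of /var/log/messages: three alerts, one unrelated line,
# and one alert whose source address is not a valid IPv4 address.
SAMPLE_LOG = """\
Mar  3 14:02:11 snortbox snort[4242]: [1:2000000:0] swatch test [Priority: 3] {UDP} 10.0.0.77:5050 -> 192.168.10.90:70
Mar  3 14:02:12 snortbox snort[4242]: [1:1000001:1] PING detected [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.88 -> 192.168.10.90
Mar  3 14:02:13 snortbox snort[4242]: [1:1000002:2] admin login attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.250:44444 -> 192.168.10.90:22
Mar  3 14:02:14 snortbox sshd[99]: Accepted password for root from 192.168.10.250 port 5555 ssh2
Mar  3 14:02:15 snortbox snort[4242]: [1:1000003:1] bogus source [Priority: 1] {TCP} 300.1.1.1:1 -> 192.168.10.90:22
"""


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return {
        "gid": int(g["gid"]), "sid": int(g["sid"]), "rev": int(g["rev"]),
        "msg": g["msg"], "classification": g["cls"], "priority": int(g["prio"]),
        "proto": g["proto"], "src": g["src"], "dst": g["dst"],
        "sport": int(g["sport"]) if g["sport"] else None,
        "dport": int(g["dport"]) if g["dport"] else None,
    }


def block_command(src):
    """argv for the router-side iptables rule; re-validates so only a real address is used."""
    return ["iptables", "-I", "INPUT", "-s", str(ipaddress.ip_address(src)), "-j", "DROP"]


def decide(alert):
    """Map one parsed alert to (action, reason). Actions: block, notify, echo, skip."""
    try:
        src = ipaddress.ip_address(alert["src"])  # rejects 300.1.1.1 and the like
    except ValueError:
        return "skip", "malformed source address"
    if src in ALLOWLIST:
        return "notify", "source is allowlisted, never blocked"
    if alert["sid"] in BLOCK_SIDS or alert["priority"] == 1:
        return "block", "SID in block set or priority 1"
    if alert["priority"] == 2:
        return "notify", "priority 2"
    return "echo", "priority 3 or lower"


def process_log(text):
    """Run every alert line of a log through decide(); non-alert lines are ignored."""
    results = []
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        action, reason = decide(alert)
        results.append({
            "sid": alert["sid"], "src": alert["src"], "action": action, "reason": reason,
            "command": block_command(alert["src"]) if action == "block" else None,
        })
    return results


if __name__ == "__main__":
    for r in process_log(SAMPLE_LOG):
        print(r["sid"], r["src"], r["action"], r["command"] or "", "-", r["reason"])
```

The allowlist is the check worth carrying into any production responder: the lab rule fires on UDP, whose source address is trivially spoofed, so a block decision taken straight from the alert's source field would let a forged packet make the router drop traffic from the sensor, the management host, or any other address the attacker chooses. Validating the address with ipaddress and passing the command as an argv list rather than a shell string also keeps the log text itself from ever being interpreted by a shell.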


Module Summary
Slide 240

This module demonstrated how you can use other tools in conjunction with Snort to produce
active responses to Snort alerts. Since Snort does not have this capability natively in IDS
mode, a separate tool must be used. There are several open source tools available that do this,
but in class we focused on a tool called "Swatch" since this tool can be easily implemented on
Linux platforms and has interesting capabilities including the ability to produce text output,
generate emails and execute the script of your choice.
