An Intrusion Detection System (IDS) identifies malicious use of computer and network resources and responds to it. Like a radar warning system it works without affecting network performance: it gathers information from a number of key points in the network and analyzes that information for breaches of the network security policy and signs of attack. This extends the system administrator's security management capabilities and improves the security and integrity of the information infrastructure. In general an IDS is deployed as a complement to a firewall and sits behind it; it can detect network activity in real time and, as the circumstances require, record or block that activity.
Depending on where they focus their work, intrusion detection systems can be divided into host-based and network-based intrusion detection systems. A general IDS consists of two parts: the detection part (the Sensor) and the console that handles the alerts and results. The composition of different IDSs varies, but the console and the Sensor are the two basic parts; in host-based intrusion detection an agent is usually installed on each monitored host to collect information and report it to the Sensor.
The Sensor part of the IDS performs detection on the information it receives from its own sources.
Network-based intrusion detection mainly works by intercepting and analyzing network packets to find packets whose characteristics indicate attacks or unwanted attempts. In a network-based IDS the Sensor is generally connected to a mirror port of a switch (or to any port of an ordinary hub), listens to all packets flowing through the network, and searches those packets for matching intrusion signatures.
The Sensor of a host-based IDS cannot access information from the system directly, so an agent program is installed beforehand on each host that needs to be monitored. These agents mainly collect system and network log files, unexpected changes to directories and files, unexpected program execution, and other physical evidence of intrusion.
The Sensor of a network-based IDS is generally connected to the core switch of the network or to a mirror port of a switch (whether the Sensor is placed on the core switch or on the mirror port of a departmental switch depends mainly on the network traffic volume, the number of clients, and the processing capability of the IDS relative to the rate of attacks). The IDS console is installed on a machine in the network to handle alerts, and on important servers, or wherever else it is needed, client agents are installed to collect system and network logs and other system information and to find packets with attack characteristics. Technical staff then analyze the monitoring information from both hosts and the network.
Snort is one of the most widely used IDS products. It is positioned as a lightweight intrusion detection system with the following characteristics:
(1) It is a lightweight network intrusion detection system. Lightweight means that running the software consumes very few network resources and has little effect on the network's original performance.
(2) From the point of view of its data source it is network-based intrusion detection software: like a sniffer, it captures the traffic of other hosts on the same network and then analyzes it.
(3) It uses the misuse detection model: the characteristics (signatures) of intrusions are established first, and during detection the collected packets are compared against those signature codes to conclude whether or not an intrusion has occurred.
(4) It is an open-source network intrusion detection system written in the C language. Its source code can be freely read, distributed and revised; any programmer can add features, fix errors and redistribute it. This allows it to improve and spread rapidly.
(5) It is cross-platform software supported on a very wide range of operating systems, such as Windows, Linux and SunOS. Installation on Windows is relatively simple: first download the Windows packet capture library WinPcap (www.winpcap.org), then download the Snort installer package and double-click it to install.
(6) Snort has three main modes: packet sniffer, packet logger, and full intrusion detection system.
Some of the features of Snort:
Real-time traffic analysis and packet logging.
Packet payload inspection.
Protocol analysis and content matching.
Detection of buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting and other intrusion attempts.
Real-time alerts to syslog, a specified file, a Unix socket, or WinPopup messages via Samba.
Snort can work in the following three modes:
1) Sniffer mode:
Command: snort -v [-d] [-X]
Snort uses the libpcap packet capture library, the same library tcpdump uses. In this mode Snort puts the network interface into promiscuous mode and reads and parses the packets on the shared network channel. BPF expressions can be used to filter the traffic.
-v verbose output
-d dump the application-layer data
-X dump the raw packet starting from the link layer
2) Packet logger mode
Command: snort -l dir [-h hn] [-b]
This mode records packets in ASCII format for later analysis.
-l directory: snort logs into this directory
-h X.X.X.X: set the local (home) subnet
-b: log in binary tcpdump format
3) Intrusion detection mode
Command: snort -c snort.conf [-l dir]
In intrusion detection mode the rule base is loaded, that is:
# ./snort -c snort.conf
Snort writes its alert information to the /var/log/snort directory; the -l option changes the directory.
When intrusion detection mode is used, the rules to detect must be included in the rule base; after loading the rule base, snort matches the network data against the rule patterns in order to detect possible intrusion attempts.
This article describes the installation and configuration of snort on the Linux platform (here Red Hat 9.0) and finally configures ACID, a web-based analysis console for the snort database. On Linux a range of supporting software has to be built in advance before snort can be used. Table 1 lists that software and its role.
Table 1: Software needed to install snort
Software   Role                                                     Download site
Apache     Web server under Linux                                   http://httpd.apache.org/
PHP        PHP scripting support                                    http://php.net/
MySQL      Database support                                         http://www.mysql.cn/
libpcap    Network packet capture library                           http://www.tcpdump.org/
Snort      The Snort installation package                           http://www.snort.org
ACID       PHP-based intrusion detection database analysis console  http://www.cert.org/kb/acid
ADOdb      Unified database connection layer for PHP                http://adodb.sourceforge.net
JpGraph    PHP graphics library used by ACID                        http://www.aditus.nu/jpgraph
1. Zlib 1.1.4 installation
tar -xzvf zlib-xx.tar.gz
cd zlib-xx
./configure
make install
cd ..
2. libpcap 0.7.2 installation
tar -xzvf libpcap.tar.gz
cd libpcap-xx
./configure
make
make install
cd ..
3. MySQL 4.0.12 installation
tar -xzvf mysql-xx.tar.gz
cd mysql-xx
./configure --prefix=/usr/local/mysql
make
make install
cd scripts
./mysql_install_db
chown -R root /usr/local/mysql
chown -R mysql /usr/local/mysql/var
chgrp -R mysql /usr/local/mysql
cd ..
cp support-files/my-medium.cnf /etc/my.cnf
Add the following two lines to /etc/ld.so.conf:
/usr/local/mysql/lib/mysql
/usr/local/lib
Then load the libraries by running:
ldconfig -v
Test whether mysql works:
4. Apache 2.0.45 and PHP 4.3.1 installation
tar -zxvf httpd-2.0.xx.tar.gz
cd httpd-2.0.xx
./configure --prefix=/www --enable-so
make
make install
cd ..
tar -zxvf php-4.3.x.tar.gz
cd php-4.3.x
./configure --prefix=/www/php --with-apxs2=/www/bin/apxs --with-config-file-path=/www/php --enable-sockets --with-mysql=/usr/local/mysql --with-zlib-dir=/usr/local --with-gd
make
make install
cp php.ini-dist /www/php/php.ini
Edit httpd.conf (in /www/conf) by adding the following two lines:
LoadModule php4_module modules/libphp4.so
AddType application/x-httpd-php .php
The relevant part of httpd.conf then looks as follows:
#
# LoadModule foo_module modules/mod_foo.so
LoadModule php4_module modules/libphp4.so
# AddType allows you to tweak mime.types without actually editing it, or to
# make certain files to be certain types.
#
AddType application/x-tar .tgz
AddType image/x-icon .ico
AddType application/x-httpd-php .php
Test Apache and PHP:
5. Snort 2.0 installation
5.1 Create the snort configuration and log directories
mkdir /etc/snort
mkdir /var/log/snort
tar -zxvf snort-2.x.x.tar.gz
cd snort-2.x.x
./configure --with-mysql=/usr/local/mysql
make
make install
5.2 Install the rules and configuration files
cd rules (in the snort source directory)
cp * /etc/snort
cd ../etc
cp snort.conf /etc/snort
cp *.config /etc/snort
5.3 Modify snort.conf (/etc/snort/snort.conf)
var HOME_NET 10.2.2.0/24
Change var RULE_PATH ../rules to var RULE_PATH /etc/snort/
Change the database output so that logs are recorded in the database:
output database: log, mysql, user=root password=your_password dbname=snort host=localhost
5.4 Set up snort to start automatically:
In the snort source directory:
cd contrib
cp S99snort /etc/init.d/snort
vi /etc/init.d/snort
Modify the script as follows:
CONFIG=/etc/snort/snort.conf
# SNORT_GID=nogroup (commented out)
$SNORT_PATH/snort -c $CONFIG -i $IFACE $OPTIONS
chmod 755 /etc/init.d/snort
cd /etc/rc3.d
ln -s /etc/init.d/snort S99snort
ln -s /etc/init.d/snort K99snort
cd /etc/rc5.d
ln -s /etc/init.d/snort S99snort
ln -s /etc/init.d/snort K99snort
6. Create the snort database in MySQL; the result is as follows:
7. ADOdb installation
cp adodb330.tgz /www/htdocs/
cd /www/htdocs
tar -xzvf adodb330.tgz
rm -rf adodb330.tgz
8. JpGraph installation
cp jpgraph-1.11.tar.gz /www/htdocs
cd /www/htdocs
tar -xzvf jpgraph-1.11.tar.gz
rm -rf jpgraph-1.11.tar.gz
cd jpgraph-1.11
rm -rf README
rm -rf QPL.txt
9. Install and configure the ACID analysis console
cp acid-0.9.6b23.tar.gz /www/htdocs
cd /www/htdocs
tar -xvzf acid-0.9.6b23.tar.gz
rm -rf acid-0.9.6b23.tar.gz
cd /www/htdocs/acid/
Edit acid_conf.php and change the relevant configuration as follows:
$DBlib_path = "/www/htdocs/adodb";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "root";
$alert_password = "Your_Password";
/* Archive DB connection parameters */
$archive_dbname = "snort";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "root";
$archive_password = "Your_Password";
And a little further down:
$ChartLib_path = "/www/htdocs/jpgraph-1.11/src";
/* File format of charts ('png', 'jpeg', 'gif') */
$chart_file_format = "png";
Open the web interface:
http://yourhost/acid/acid_main.php
Click the "Setup Page" link -> Create Acid AG
Then visit http://yourhost/acid to see the ACID interface.
Snort Rules
The Snort rule base is updated constantly; the latest rule base can be downloaded from www.snort.org. Snort uses a simple, lightweight rule description language to describe its rules and configuration information, and it is flexible and powerful. Before version 1.8 a Snort rule had to be written on a single line; in current versions '\' can be used to continue a rule across lines.
Snort rules are divided into two logical parts: the rule header and the rule options. The rule header contains the action, the protocol, the source and destination IP addresses with their network masks, and the source and destination port information; the rule option section contains the alert message and specifies which parts of the packet to check. The following is an example rule:
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
The part before the parentheses is the rule header and the part inside the parentheses is the rule options. In the options section the word before each colon is called the option keyword. Note that not every rule must include options; options only define more precisely which packets to collect, alert on, or discard. All the elements that make up a rule must be true for the specified action to be taken; when several elements are combined they form a logical AND. At the same time, the different rules in a Snort rule file together form a large logical OR.
The following is part of the mysql.rules file from Community-Rules-2.4, downloaded from the official website http://www.snort.org. One of its rules is:
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)
It means that for traffic from any port on the external network to a MySQL server on port 3306, if the data stream matches the content 0A 00 00 01 85 04 00 00 80 root 00 (the parts between the | signs are byte values written in hexadecimal), then log and alert with the message "MYSQL root login attempt".
From this analysis of Snort rules we can see that, apart from the IP address and port number, the most important thing in a Snort rule is the content pattern matching, that is, the content keyword. For a given vulnerability, the exploit code or tool in use leaves characteristic fields in the network traffic, and those characteristic fields of the attack code are what we write into the Snort rule so that it can be detected.
Besides analyzing existing rules and the information on attack characteristics available online, we can find the characteristic fields ourselves: run the attack code in a test environment, use Ethereal or another sniffer to capture the packets, decode the packet contents, analyze the characteristic fields, and then write the Snort rule. In the article "The principle of using Snort to detect attacks against MS05-051", the author gives the steps for writing rules that detect attacks exploiting the MS05-051 vulnerability. As can be seen from that text, the main method is to capture the packets with Ethereal, extract the key matching points, and then use the Snort keywords to write the rule, giving a signature-based Snort rule.
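The two rules quoted above illustrate the header/option split, the |hex| content syntax, the AND within a rule and the OR across a rule file. The following Python program is an added example (not part of the original article and not Snort's own code): a small rule matcher that parses the two rules from the text, resolves the $HOME_NET / $SQL_SERVERS / $EXTERNAL_NET variables (values assumed here, HOME_NET from the snort.conf edit above) and runs constructed sample packets through them. It models only the "->" direction and does not evaluate the flow option, which needs TCP stream state a stand-alone example does not track.

```python
import ipaddress
import re

# snort.conf variables; values are assumptions for this example (HOME_NET is the
# value set in snort.conf above, the other two are chosen to illustrate).
RULE_VARS = {
    "$HOME_NET": "10.2.2.0/24",
    "$SQL_SERVERS": "10.2.2.0/24",
    "$EXTERNAL_NET": "!10.2.2.0/24",
}

# Rule header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.DOTALL,
)


def split_options(text):
    """Split 'key:value; key:value;' on semicolons outside quotes. A keyword may
    repeat (several content: checks), so every keyword maps to a list."""
    pieces, buf, in_quote = [], "", False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            pieces.append(buf.strip())
            buf = ""
        else:
            buf += ch
    if buf.strip():
        pieces.append(buf.strip())
    options = {}
    for piece in pieces:
        key, _, value = piece.partition(":")
        options.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return options


def parse_rule(text):
    """Parse one rule (line continuations with '\\' are joined first)."""
    text = text.replace("\\\n", " ").strip()
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a snort rule: %r" % text)
    rule = m.groupdict()
    rule["options"] = split_options(rule.pop("opts"))
    return rule


def content_to_bytes(spec):
    """Turn a content string into the bytes searched for: text outside | | is
    literal, text between | | is hexadecimal byte values."""
    out = b""
    for i, chunk in enumerate(spec.split("|")):
        out += bytes.fromhex(chunk) if i % 2 == 1 else chunk.encode("latin-1")
    return out


def ip_matches(spec, ip):
    spec = RULE_VARS.get(spec, spec)
    if spec == "any":
        return True
    if spec.startswith("!"):                       # negated address or variable
        return not ip_matches(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    spec = RULE_VARS.get(spec, spec)
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:                                # range such as 1024: or 1:1023
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def rule_matches(rule, pkt):
    """Every element of the rule must hold: a logical AND of header and content checks."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (ip_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])):
        return False
    if not (ip_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"])):
        return False
    return all(content_to_bytes(c) in pkt["payload"] for c in rule["options"].get("content", []))


def scan(rules, pkt):
    """A rule file is a logical OR: return the msg of every rule that fires."""
    return [r["options"].get("msg", ["<no msg>"])[0] for r in rules if rule_matches(r, pkt)]


# The two rules quoted in the article; the second uses '\' line continuation.
MOUNTD_RULE = 'alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)'
MYSQL_RULE = ('alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; \\\n'
              '    flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; \\\n'
              '    classtype:protocol-command-decode; sid:1775; rev:2;)')
RULES = [parse_rule(MOUNTD_RULE), parse_rule(MYSQL_RULE)]

# Constructed sample packets (not real captures). The MySQL payload mimics an old
# client authentication packet: header bytes, capability flags, then the NUL-terminated user.
ROOT_LOGIN = {"proto": "tcp", "src": "203.0.113.7", "sport": 40123, "dst": "10.2.2.10", "dport": 3306,
              "payload": b"\x0a\x00\x00\x01\x85\x04\x00\x00\x80" + b"root\x00" + b"\x14" + b"A" * 20}
BOB_LOGIN = dict(ROOT_LOGIN, payload=b"\x0a\x00\x00\x01\x85\x04\x00\x00\x80" + b"bob\x00" + b"\x14" + b"A" * 20)
INSIDE_ROOT = dict(ROOT_LOGIN, src="10.2.2.4")   # same bytes but from HOME_NET, so $EXTERNAL_NET fails
MOUNTD = {"proto": "tcp", "src": "198.51.100.2", "sport": 1023, "dst": "192.168.1.20", "dport": 111,
          "payload": b"\x80\x00\x00\x28\x00\x00\x00\x01" + b"\x00\x01\x86\xa5" + b"\x00" * 4}

if __name__ == "__main__":
    for name, pkt in [("root login", ROOT_LOGIN), ("bob login", BOB_LOGIN),
                      ("root from inside", INSIDE_ROOT), ("mountd", MOUNTD)]:
        print(name, "->", scan(RULES, pkt))
```

Running it shows the root login from outside firing sid 1775 while the same bytes from a HOME_NET address, or a different user name, fire nothing, and the mountd packet matching only the first rule: each rule is an AND of its elements, the file is an OR of its rules.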
This article has described the installation and configuration of Snort under Linux, the relevant knowledge of Snort rules, and how to write our own rules in the Snort rule format; we hope it is helpful for learning and understanding Snort.