Friday, March 26, 2010

snort client setup

So. You want to set up a snort client for your distributed snort network on a scad of Ubuntu boxes?  It is pretty easy, once you've done it three or four times.

1. Pre-tasks.


In /etc/apt/sources.list, comment out the line beginning with: deb cdrom

This configures the apt/dpkg package system to NOT look for packages on the cdrom.

Then we want to update our sources and upgrade our binaries to the latest:
# apt-get update
# apt-get upgrade
If ssh is not already installed, install it:

# apt-get install ssh
We're going to roll our own snort; install all required packages:
# apt-get -s install mysql-client libnet1 libnet1-dev libpcre3 libpcre3-dev libmysqlclient15-dev \
autoconf automake1.9 libpcap libpcap-dev libpcap0.8 libpcap0.8-dev libpcre-dev libmysqlclient15-dev gcc \
make libtool libssl-dev gcc-4.1 g++ libpcap-dev build-essential
Does everything look fine?
# apt-get install mysql-client libnet1 libnet1-dev libpcre3 libpcre3-dev libmysqlclient15-dev \
autoconf automake1.9 libpcap libpcap-dev libpcap0.8 libpcap0.8-dev libpcre-dev libmysqlclient15-dev gcc \
make libtool libssl-dev gcc-4.1 g++ libpcap-dev build-essential

2. Compile & install Snort, then add the snort user & group.


This step involves installing snort, adding the snort user & group, then installing the detection rules.
We're installing the latest snort as found on the snort site.
# cd /usr/local/src
# wget http://snort.org/dl/snort-2.8.3.2.tar.gz

# tar xvzf snort-2.8.3.2.tar.gz
# cd snort-2.8.3.2 (take the time to read the doc/INSTALL file)
# ./configure --with-mysql --enable-dynamicplugin
# make
# make install
# ln -s /usr/local/src/snort-2.8.3.2 /usr/local/src/snort
Next, run the following commands:
# mkdir /etc/snort
# mkdir /var/log/snort
# groupadd snort
# useradd -g snort -d /etc/snort snort
# chown snort:snort /var/log/snort ; chown snort:snort /etc/snort
If you have a pre-compiled version of snort, you may wish to run:
# ldd /usr/local/bin/snort

This shows which shared libraries are missing on your system. The following is from client; looks like all we need is libmysqlclient15off:
root@client: bin# ldd snort
        linux-gate.so.1 =>  (0xb7f50000)
        libmysqlclient.so.15 => not found
        libpthread.so.0 => /lib/libpthread.so.0 (0xb7f32000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7f04000)
        libz.so.1 => /usr/lib/libz.so.1 (0xb7eef000)
        libpcre.so.3 => /usr/lib/libpcre.so.3 (0xb7ec8000)
        libpcap.so.0.8 => /usr/lib/libpcap.so.0.8 (0xb7e9d000)
        libm.so.6 => /lib/libm.so.6 (0xb7e78000)
        libnsl.so.1 => /lib/libnsl.so.1 (0xb7e61000)
        libdl.so.2 => /lib/libdl.so.2 (0xb7e5d000)
        libc.so.6 => /lib/libc.so.6 (0xb7d29000)
        /lib/ld-linux.so.2 (0xb7f51000)

3. Get initial set of rules.


Note: central repository for rules is on server.
# cd /etc/snort
# scp -r root@server:/etc/snort/rules ./rules

4. Configure and start the Snort program.


# cp /usr/local/src/snort/etc/*.conf* .
# cp /usr/local/src/snort/etc/*.map .

Now it is time to configure and start snort.

First, we need to edit the main configuration file:
# pico -w /etc/snort/snort.conf
Change these lines to match your environment:
var RULE_PATH /etc/snort/rules
var HOME_NET 192.168.1.0/24

var EXTERNAL_NET !$HOME_NET
Add the following:
portvar SSH_PORTS 22
The snort pre-processor throws a lot of false positives; disable some options by uncommenting (removing the leading #) these lines:
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
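Making these snort.conf edits by hand on every sensor invites drift between boxes. Here is an added helper (not from the original post) that makes the same changes with sed so a re-run is a no-op; it is exercised against a constructed miniature snort.conf, since the real file is much longer.

```shell
#!/bin/sh
# Added helper, not from the original post: apply the step 4 snort.conf edits
# with sed so every sensor ends up with the same settings and a re-run is a no-op.
# Usage: configure_snort_conf /etc/snort/snort.conf 192.168.1.0/24
set -eu

# Constructed miniature snort.conf with stock defaults (the real 2.8.3.2 file is longer)
write_sample_conf() {
    cat > "$1" <<'EOF'
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
# config disable_decode_alerts
# config disable_tcpopt_experimental_alerts
# config disable_tcpopt_obsolete_alerts
# config disable_tcpopt_ttcp_alerts
# config disable_tcpopt_alerts
# config disable_ipopt_alerts
include $RULE_PATH/local.rules
EOF
}

configure_snort_conf() {
    conf="$1"; home_net="$2"
    # Rule path and home/external nets for this sensor's environment
    sed -i "s|^var RULE_PATH .*|var RULE_PATH /etc/snort/rules|" "$conf"
    sed -i "s|^var HOME_NET .*|var HOME_NET $home_net|" "$conf"
    sed -i "s|^var EXTERNAL_NET .*|var EXTERNAL_NET !\$HOME_NET|" "$conf"
    # Add the SSH portvar only if it is not there yet
    grep -q '^portvar SSH_PORTS ' "$conf" || printf 'portvar SSH_PORTS 22\n' >> "$conf"
    # Uncomment the six noisy decoder/option alert switches
    for opt in decode_alerts tcpopt_experimental_alerts tcpopt_obsolete_alerts \
               tcpopt_ttcp_alerts tcpopt_alerts ipopt_alerts; do
        sed -i "s|^# *config disable_$opt\$|config disable_$opt|" "$conf"
    done
}

# Value of a var/portvar as snort will read it (first definition wins)
conf_value() {
    awk -v n="$2" '($1 == "var" || $1 == "portvar") && $2 == n { print $3; exit }' "$1"
}

# Number of "config disable_*" switches still commented out (want 0 afterwards)
commented_disables() {
    grep -c '^# *config disable_' "$1" || true
}
```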

Let's see if snort works by editing local rules:
# pico -w /etc/snort/rules/local.rules
Make a simple rule for testing:
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; \
dsize:8; itype:8; sid:10000001;)
Or, to get a whole lot of alerts, make this local rule:

alert tcp any any -> any any (msg:"test"; sid:1000002;)
Now we can start snort:
# /usr/local/bin/snort -Dq -u snort -g snort -c /etc/snort/snort.conf
snort should initialize successfully. Look in /var/log/syslog for a line that looks like this:

snort[12991]: Snort initialization completed successfully (pid=12991)
If not already enabled, bring up "sniffing" interface:
# ifconfig eth1 up
Use the snort startup command above with the -i option to name the interface you want to sniff from (e.g. -i eth1). Remember to kill the existing snort process before you start a new one.

5. Set up remote logging.


Check whether the snort user can connect from this client to the snort database on the central snort server:
# mysql -h server -u snort -p -D snort
If the connection is rejected, check the database grants (host and table permissions) for the snort user.

Uncomment and edit this line in /etc/snort/snort.conf:
output database: log, mysql, user=snort password=password dbname=snort host=localhost sensor_name=ww.xx.yy.zz

For server logging:
output database: log, mysql, user=snort password=supersecretpassword dbname=snort host=server sensor_name=client
Note: For mysql clients older than 5.0, please see the old mysql client setup.

10. Keep rules up to date with Oinkmaster.


# cd /usr/local/src
# wget http://internap.dl.sourceforge.net/sourceforge/oinkmaster/oinkmaster-2.0.tar.gz

# tar xvzf oinkmaster-2.0.tar.gz
# ln -s /usr/local/src/oinkmaster-2.0 ./oinkmaster
# cd oinkmaster-2.0
# cp oinkmaster.pl /usr/local/bin
# mkdir /usr/local/etc
# cp oinkmaster.conf /usr/local/etc
# ln -s /usr/local/etc/oinkmaster.conf /etc/oinkmaster.conf
# mkdir /etc/snort/rules.hold ; mkdir /etc/snort/backup
# mkdir /var/run/oinkmaster ; chmod 775 /var/run/oinkmaster
Since this is a slave server, we're going to edit oinkmaster.conf to grab rules from a directory to be rsynced from the central repository and then process those rules. Our repository is server.
# pico -w /usr/local/etc/oinkmaster.conf
Note this section of the configuration file and edit:

url = dir:///etc/snort/rules.hold
tmpdir = /tmp
We're going to have to do some more initial legwork by creating an oinkmaster user, gen pubkeys. Yeah.
# groupadd oinkmaster
# useradd -d /opt/oinkmaster -g oinkmaster -G snort -s /bin/bash oinkmaster
# mkdir /opt/oinkmaster ; chown oinkmaster:oinkmaster /opt/oinkmaster
# chown oinkmaster:snort /etc/snort/rules.hold
# su - oinkmaster
~ ssh-keygen -t rsa -b 2048

Note: double-check whether oinkmaster is permitted to ssh into the system:

# less /etc/ssh/sshd_config
AllowUsers root oinkmaster
If not, add the user and re-start ssh daemon.

As oinkmaster user on client:
~ ssh -l root server "sudo bash -c \"cat /opt/oinkmaster/.ssh/id_rsa.pub\"" > \
/opt/oinkmaster/.ssh/authorized_keys2
Do a test ssh connection from repository to see if pubkey authentication is working properly. From repository as oinkmaster user:

oinkmaster@server:~$ ssh oinkmaster@client
Then...
The authenticity of host 'client' can't be established.
RSA key fingerprint is bb:e4:31:de:9a:04:0a:1d:56:2b:62:c5:dd:4d:72:18.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'client' (RSA) to the list of known hosts.

oinkmaster@client:~$
Push the initial set of rules from repository to client. On repository:
# su - oinkmaster
~ pico -w /opt/oinkmaster/scripts/pushsnortrules-test.sh

Add the following line:
rsync -c --delete -r -H -p -z -o -g -t -e 'ssh -i /opt/oinkmaster/.ssh/id_rsa' \
/etc/snort/rules client:/etc/snort/rules.hold
The above tells rsync to connect to the client with the oinkmaster key and to make rules.hold an exact copy of the repository's rules directory: anything in rules.hold that is not in the repository is deleted (--delete) and changed files are replaced. The client's oinkmaster.conf points at rules.hold as the source of new rules to be loaded into snort.

Run pushsnortrules-test.sh on the repository as oinkmaster:

~ sh /opt/oinkmaster/scripts/pushsnortrules-test.sh
After the rules have been rsynced with success, add the same line to pushsnortrules.sh . Test oinkmaster.pl on client:
# mkdir /tmp/oinktest
# /usr/local/bin/oinkmaster.pl -o /tmp/oinktest
Take a look in /tmp/oinktest to see if the rules are in place:
# ls -lah /tmp/oinktest/
Once it has been determined that the rules updated correctly, run oinkmaster.pl with the production output location as defined in the configuration file.

Note: The -o switch tells oinkmaster to override the output directory in the configuration file; the -b switch makes oinkmaster back up the current rules to the given location before doing the actual update. Play with this if so desired; the /etc/snort/backup directory is created for this purpose.

11. Set up configuration files and init scripts.


On repository, there are init scripts and configuration files. scp them over to client sensor and place thusly:

/etc/snort/snort.scripts/oinkoink.sh -> /root/scripts/oinkoink.sh
/etc/snort/snort.scripts/snort.debian.conf -> /etc/snort/snort.debian.conf
/etc/snort/snort.scripts/snort.default -> /etc/default/snort
/etc/snort/snort.scripts/snort.initd -> /etc/init.d/snort

The above should be configured to match the specific sensor environment. The /etc/default/snort file works well with the init.d script and overrides settings in /etc/snort/snort.conf; snort.debian.conf is where the sniffing interface and other Debian-specific settings are specified. Please be reminded to check the path to the snort binary in the init.d script.

After chmod +x /etc/init.d/snort, register the init script in the default runlevels:
# update-rc.d snort defaults 95
Or use sysvconfig...

12. Set up cron jobs for oinkmaster running & auto email.


Set up your favorite mail daemon to send mail (if mail isn't set up, set it up), then add the following to /etc/crontab. Note that cron does not honor backslash line continuation, so each job must stay on one line:
# snort
49 5    * * *   root    /root/scripts/oinkoink.sh
50 5    * * *   root    /usr/local/bin/oinkmaster.pl -C /etc/oinkmaster.conf -o /etc/snort/rules | mail -s "oinkmaster client" youyesyou@somewherenothere.com
10 6    * * *   root    /etc/init.d/snort restart >> /dev/null 2>&1

Just to be safe, check if commandline mailing works:
echo testing | mail -s testorama youyesyou@somewherenothere.com
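The crontab above restarts snort 20 minutes after the oinkmaster run whether or not the new rules actually load, so a broken update leaves the sensor down until someone notices. Here is an added wrapper (not from the original post; the staging path, the sid check and the use of snort's -T and -S switches are my choices) that stages the update, sanity-checks the staged rules, dry-runs snort against them, and only then replaces the live rules and restarts.

```shell
#!/bin/sh
# Added cron wrapper, not from the original post: stage the oinkmaster update,
# sanity-check the staged rules, dry-run snort against them, and only then replace
# the live rules and restart. A bad rule set leaves the sensor running on its
# previous rules instead of failing to start.
set -eu

STAGE=/tmp/oinkstage                 # oinkmaster -o target, like /tmp/oinktest above
LIVE=/etc/snort/rules
BACKUP=/etc/snort/backup             # created in the oinkmaster step above

active_rules() {
    # Active (not commented-out) rule lines across every *.rules file in DIR
    cat "$1"/*.rules 2>/dev/null \
        | grep -E '^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' || true
}

rules_sane() {
    # 0 if DIR has at least one active rule and no duplicate sid among them
    dir="$1"
    n=$(active_rules "$dir" | wc -l | tr -d ' ')
    [ "$n" -gt 0 ] || { echo "no active rules in $dir" >&2; return 1; }
    dups=$(active_rules "$dir" | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
        | sort | uniq -d)
    [ -z "$dups" ] || { echo "duplicate sid(s): $dups" >&2; return 1; }
}

update_rules() {
    rm -rf "$STAGE" && mkdir -p "$STAGE"
    /usr/local/bin/oinkmaster.pl -C /etc/oinkmaster.conf -o "$STAGE"
    rules_sane "$STAGE"
    # -T parses the whole config and exits non-zero on a bad rule; -S points
    # RULE_PATH at the staged directory so the live rules are untouched on failure
    /usr/local/bin/snort -T -u snort -g snort -c /etc/snort/snort.conf -S RULE_PATH="$STAGE"
    ts=$(date +%Y%m%d%H%M)
    mkdir -p "$BACKUP/$ts" && cp -p "$LIVE"/*.rules "$BACKUP/$ts"/
    cp -p "$STAGE"/*.rules "$LIVE"/ && chown snort:snort "$LIVE"/*.rules
    /etc/init.d/snort restart
}

# Only run the update when invoked as "update_rules.sh run"; the functions stay testable
if [ "${1:-}" = "run" ]; then update_rules; fi
```

In the crontab this replaces the separate oinkmaster and restart jobs with one entry that calls the wrapper with "run", and the output still goes through mail as before.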

13. Start snort daemon


You're ready to start IDSing. Or something. On the client, execute:
# /etc/init.d/snort start

To watch snort start, stare at the appropriate syslog:
# tail -n 30 -f /var/log/syslog
Go to the repository webconsole and examine away once you've installed BASE (the Basic Analysis and Security Engine web front end)... you have done that, right?
