Sep 30, 2014

Setting up Snort IDS on Ubuntu 14.04 [2]


In the previous post, I've talked about how to install and set up a running intrusion detection system using the tool called "Snort". As I mentioned, the interpretation of the alert log is critical to understanding the situation of your system. Therefore we need a better idea of how the Snort logging system works and how can we read them. I've only worked on this tool for several hours so far, so my understanding may be highly naive. 

OK, let's start.

Snort output configuration


First thing of all, we need to know where are all the configuration files located in our system. For all Snort related config files, they are in /etc/snort folder. Apparently the most important (or useful) file for us is the snort.conf. It contains all the major configurations for Snort. For now, we only need to worry about the output part.

We are going to work on the config file comes with the Ubuntu's Snort package. If you don't see such a file, then it is probably a good time for you to go and [download one](http://books.gigatux.nl/mirror/snortids/0596006616/snortids-APP-B.html) now. Let's now go to the "Step #6: Configure output plugins" of /etc/snort/snort.conf. You will see a recommended method has been enabled, and all others were disabled. We will need to use unified2 binary format for our logging plugin. There is only one thing that I recommend to change. Go use alert and log (two files) for logging, instead of put everything into one gigantic file. Just comment out the 
output unified2: filename snort.log, limit 128, nostamp, mpls_event_types, vlan_event_types

and remove the comment mark for the following two lines:
output alert_unified2: filename snort.alert, limit 128, nostampoutput log_unified2: filename snort.log, limit 128, nostamp

After the modification, you should go restart your snort daemon:
sudo service snort restart

As a result, you should be able to see two files in /var/log/snort/ folder, one is snort.alert, and one is snort.log. The snort.alert file will give you a summarized information for what the alerting packet that your machine has received. The snort.log file will give you the actual packet dump for it. 

As I just mentioned, the unified2 file is a binary file, invented for high-performance logging. You need to use a special to in order to read the content. Remember in the last post, we mentioned the tool U2SpewFoo. We went through a lot of hassle just to install it. Here we're going to use it. Run the following command to dump the binary unified2 file into human readable output.
u2spewfoo snort.alert

You should be able to see organized table output as you hit the enter key. See the two figures below:

[snort.alert]


[snort.log]

You can also see why I recommend you to separate the output into two files. In case of some large packet, the output for snort.log for a single packet could be really long. Therefore, if you're only interested in what kind of stuff your machine is going through and not care the exact packet load, our way is best for you.

Setting up Snort IDS on Ubuntu 14.04 [1]

Here is my log on how to install and set up the Snort IDS (Intrusion Detection System) on a single server (meaning not for a network) that runs Ubuntu 14.04 on it.

Motivation

I am a PhD student in a small research laboratory, with several server machines for experiments purposes. I am also kind of the admin for these machines, and I have the access to read some log files in /var/log. I noticed several times before that our machines were under constant SSH login attempts. That bothers me and I don't have time to do something until now. So, this time I would like to set up a IDS that helps me detect such attempts and then further devise the reactions. So here I am, installing Snort.

Steps

First, I've tried to use the Ubuntu's repository directly,
"sudo apt-get install snort"
Though everything looks good after installation, I found that the package does not provide a very essential tool: U2SpewFoo, a tool that reads Unified2 files (the default log file for Snort) and dump it to STDOUT. Basically, without it you can't know anything about the IDS results.

To work it around, I need to install it from source. Following the link here https://www.snort.org/#get-started, I encountered some minor problems.
  1. When installing daq, there are two missing packages: bison and flex. Simply install these two can fix the problem.
  2. When installing snort, there is one missing package: dnet header. The ./configure tells me to go to this website for the dnet header https://code.google.com/p/libdnet/.  After download and untar the package, simply make and install will do the trick. (Download link: https://libdnet.googlecode.com/files/libdnet-1.12.tgz)

After that, the Snort should be manually installed on your computer. By the way, "sudo ./configure" is a stupid idea. There is no reason to use sudo for any situation unless it is necessary to do so. For example, when you need to copy the binaries to system path folders.

Though installed, all the configuration files are still missing. Recall that, the only reason I started installing Snort manually is because the u2spewfoo is not there in the package. For now, that software is already there, and I do not want to manually create all the configuration files by myself (at least for now). As a result, I apt-get the snort again. Ignore this step if you're confident or patient enough to set up everything by your own hands.

Understand the log


Now the Snort IDS should be running on your machine as a daemon process. You can check the running status by:
sudo service snort status
Then, you should be able to see something like this:





Now let's look at the events log. For the only several minutes I've been running snort, I've got a pretty impressive amount of events that have been logged into /var/log/snort/snort.log. In order to take a peek at the log, you need this u2spewfoo tool:
sudo u2spewfoo snort.log
The output should look like this:





Future work

In the following blog posts, I will further dig into how to read snort log file, and make sense of it. Most important of all, how can we react to different events. Recall that I took the easy way here by installing all the default rules. From what I can see now, it might be too sensitive, and generating too much "not-important" alerts. As I dig into this tool, we will learn how to tailor the Snort to best fit your needs.

Thanks for reading this post. If you have any comments, please don't hesitate to contact me.

Smarter core for the Internet

Since "the Internet is far too large to sustain the concept of a flag day for deployment of any technology", according to Geoff Huston, we need to be really smart at designing new technologies if the deployment is part of the goal (of course it is :D).

Therefore, instead of frying your brain and looking for a ``best'' solution for gradual deployment, I'd like to see a smarter Internet that can incorporate both new and old technologies. One way to achieve this goal is to design or improve a smarter core of the Internet.

You may wonder, the Internet is supposed to be a flat design from the ISP level (or other coarser granularities), but that does not stop us from designing something like a next-gen Internet Exchange Point that applies the most tolerant and intelligent algorithms on it. The of the this kind of IXP is:
  • allow different versions of the routing protocol to run in the same environment without requiring ubiquitous deployment.
  • enable monitoring systems to play and get the most of it to protect the current Internet. For example, a Buddyguard system that is deployed in an IXP can absorb the most accurate and up-to-date information to learn the best ``normalities'' from the BGP updates. So does I-seismograph. In other words, a playground for different monitoring systems could be a big beneficial point for both the maintenance of the Internet, and the progression of the future protocols.
  • a smarter IXP could also be used as an super learning source for the future of the artificial intelligence. However, this is only my own ambitious vision, which may not have any academical goods.