Sep 30, 2014

Setting up Snort IDS on Ubuntu 14.04 [1]

Here is my log on how to install and set up the Snort IDS (Intrusion Detection System) on a single server (meaning not for a network) that runs Ubuntu 14.04 on it.

Motivation

I am a PhD student in a small research laboratory, with several server machines for experiments purposes. I am also kind of the admin for these machines, and I have the access to read some log files in /var/log. I noticed several times before that our machines were under constant SSH login attempts. That bothers me and I don't have time to do something until now. So, this time I would like to set up a IDS that helps me detect such attempts and then further devise the reactions. So here I am, installing Snort.

Steps

First, I've tried to use the Ubuntu's repository directly,
"sudo apt-get install snort"
Though everything looks good after installation, I found that the package does not provide a very essential tool: U2SpewFoo, a tool that reads Unified2 files (the default log file for Snort) and dump it to STDOUT. Basically, without it you can't know anything about the IDS results.

To work it around, I need to install it from source. Following the link here https://www.snort.org/#get-started, I encountered some minor problems.
  1. When installing daq, there are two missing packages: bison and flex. Simply install these two can fix the problem.
  2. When installing snort, there is one missing package: dnet header. The ./configure tells me to go to this website for the dnet header https://code.google.com/p/libdnet/.  After download and untar the package, simply make and install will do the trick. (Download link: https://libdnet.googlecode.com/files/libdnet-1.12.tgz)

After that, the Snort should be manually installed on your computer. By the way, "sudo ./configure" is a stupid idea. There is no reason to use sudo for any situation unless it is necessary to do so. For example, when you need to copy the binaries to system path folders.

Though installed, all the configuration files are still missing. Recall that, the only reason I started installing Snort manually is because the u2spewfoo is not there in the package. For now, that software is already there, and I do not want to manually create all the configuration files by myself (at least for now). As a result, I apt-get the snort again. Ignore this step if you're confident or patient enough to set up everything by your own hands.

Understand the log


Now the Snort IDS should be running on your machine as a daemon process. You can check the running status by:
sudo service snort status
Then, you should be able to see something like this:





Now let's look at the events log. For the only several minutes I've been running snort, I've got a pretty impressive amount of events that have been logged into /var/log/snort/snort.log. In order to take a peek at the log, you need this u2spewfoo tool:
sudo u2spewfoo snort.log
The output should look like this:





Future work

In the following blog posts, I will further dig into how to read snort log file, and make sense of it. Most important of all, how can we react to different events. Recall that I took the easy way here by installing all the default rules. From what I can see now, it might be too sensitive, and generating too much "not-important" alerts. As I dig into this tool, we will learn how to tailor the Snort to best fit your needs.

Thanks for reading this post. If you have any comments, please don't hesitate to contact me.

No comments:

Post a Comment