Sep 30, 2014

Setting up Snort IDS on Ubuntu 14.04 [2]


In the previous post, I've talked about how to install and set up a running intrusion detection system using the tool called "Snort". As I mentioned, the interpretation of the alert log is critical to understanding the situation of your system. Therefore we need a better idea of how the Snort logging system works and how can we read them. I've only worked on this tool for several hours so far, so my understanding may be highly naive. 

OK, let's start.

Snort output configuration


First thing of all, we need to know where are all the configuration files located in our system. For all Snort related config files, they are in /etc/snort folder. Apparently the most important (or useful) file for us is the snort.conf. It contains all the major configurations for Snort. For now, we only need to worry about the output part.

We are going to work on the config file comes with the Ubuntu's Snort package. If you don't see such a file, then it is probably a good time for you to go and [download one](http://books.gigatux.nl/mirror/snortids/0596006616/snortids-APP-B.html) now. Let's now go to the "Step #6: Configure output plugins" of /etc/snort/snort.conf. You will see a recommended method has been enabled, and all others were disabled. We will need to use unified2 binary format for our logging plugin. There is only one thing that I recommend to change. Go use alert and log (two files) for logging, instead of put everything into one gigantic file. Just comment out the 
output unified2: filename snort.log, limit 128, nostamp, mpls_event_types, vlan_event_types

and remove the comment mark for the following two lines:
output alert_unified2: filename snort.alert, limit 128, nostampoutput log_unified2: filename snort.log, limit 128, nostamp

After the modification, you should go restart your snort daemon:
sudo service snort restart

As a result, you should be able to see two files in /var/log/snort/ folder, one is snort.alert, and one is snort.log. The snort.alert file will give you a summarized information for what the alerting packet that your machine has received. The snort.log file will give you the actual packet dump for it. 

As I just mentioned, the unified2 file is a binary file, invented for high-performance logging. You need to use a special to in order to read the content. Remember in the last post, we mentioned the tool U2SpewFoo. We went through a lot of hassle just to install it. Here we're going to use it. Run the following command to dump the binary unified2 file into human readable output.
u2spewfoo snort.alert

You should be able to see organized table output as you hit the enter key. See the two figures below:

[snort.alert]


[snort.log]

You can also see why I recommend you to separate the output into two files. In case of some large packet, the output for snort.log for a single packet could be really long. Therefore, if you're only interested in what kind of stuff your machine is going through and not care the exact packet load, our way is best for you.

No comments:

Post a Comment