Nowadays, cyber attacks are increasing rapidly, and every reference we consulted confirms the scale of that growth. Conventional protection alone is therefore no longer enough; detecting attacks calls for more sophisticated measures. One such measure is deploying a Network IDS/IPS within the infrastructure.
In this article we will share one of the most widely used network IDS/IPS: Snort. Snort detects and prevents attacks through protocol analysis, content inspection, and a set of preprocessors. It can detect a wide range of attacks and probes, such as buffer overflows, stealth port scans, and CGI attacks, and it works by monitoring network traffic for malicious activity, denial-of-service attacks, and port scans. Architecturally, Snort is divided into five major parts: the packet decoder, the preprocessors, the detection engine, the logging and alerting system, and the output modules.
Install Required Dependencies
Before installing Snort, we have to install several packages it requires:
apt-get install openssh-server ethtool build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev openssl libssl-dev
We also need to install the Data Acquisition library (DAQ), which lets Snort operate on a variety of hardware and software interfaces without requiring changes to Snort itself. Extract it as follows:
tar -zxvf daq-2.0.6.tar.gz
Next, we change into the daq-2.0.6 directory and compile and install DAQ as follows:
$ sudo su
# ./configure && make && make install
After the prerequisite packages are installed, we can install Snort either by downloading it manually or through the Ubuntu packages. I chose to download it manually from the source page.
After the download has completed, extract the file:
tar -xvzf snort-2.9.12.tar.gz
Then change into the snort-2.9.12 directory and compile and install Snort:
sudo ./configure --disable-open-appid --enable-sourcefire && make && make install
According to Rapid7's post, we next need to update the shared library cache so that Snort does not fail with a missing-library error when it is run; the command is shown below:
Then, instead of keeping two copies of the same Snort files and directories, we create a symlink so that both paths refer to the same set of files and only one copy has to be maintained:
ln -s /usr/local/bin/snort /usr/sbin/snort
Finally, we can verify the installation and configuration with the following command:
Before that, we need to create a "snort" user and group, which will run Snort and own the files it creates.
sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
mkdir /etc/snort
mkdir /etc/snort/preproc_rules
mkdir /etc/snort/rules
mkdir /var/log/snort
mkdir /usr/local/lib/snort_dynamicrules
touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/black_list.rules
touch /etc/snort/rules/local.rules
Next, we set the proper permissions on the following directories:
chmod -R 5775 /etc/snort/
chmod -R 5775 /var/log/snort/
chmod -R 5775 /usr/local/lib/snort
chmod -R 5775 /usr/local/lib/snort_dynamicrules/
Next, we copy the configuration files from the Snort source directory we extracted earlier (the .conf, .map and .dtd files live in its etc/ subdirectory):
cp -avr *.conf* *.map *.dtd /etc/snort
We also need to copy the dynamic preprocessor files with the following command:
sudo cp * /usr/local/lib/snort_dynamicpreprocessor/
Snort is now ready; what remains is to configure it by defining the rules we need for inspecting our network traffic. To start from a clean slate, we first comment out every rule include in snort.conf, then enable the rules we want one by one.
sed -i "s/include \$RULE\_PATH/#include \$RULE\_PATH/" /etc/snort/snort.conf
Then we adjust snort.conf as follows:
# Configure the network address range we want to monitor:
ipvar HOME_NET 192.168.100.0/24
# Define the rule paths that will be referenced:
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
include $RULE_PATH/local.rules
Finally, we validate the configuration file with the following command:
snort -T -i eth0 -c /etc/snort/snort.conf
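As an added check (not part of the original article), the following POSIX shell script does offline part of what snort -T does on the box: it confirms HOME_NET has been narrowed from the default any and that every include line left active after the sed edit resolves, through the var definitions, to an existing rule file. The temp-directory layout and file names it builds are constructed to mirror the paths above.

```shell
#!/bin/sh
# Added example (not from the article): an offline sanity check for a snort.conf
# edited the way described above. Every active "include $VAR/file" must resolve
# to an existing file, and HOME_NET must be narrowed from the default "any".

# check_snort_conf <snort.conf>: returns 0 when the config is consistent, 1 otherwise.
check_snort_conf() {
    conf="$1"; rc=0
    # Last definition wins, as in Snort itself.
    home_net=$(awk '$1=="ipvar" && $2=="HOME_NET" {print $3}' "$conf" | tail -n 1)
    if [ -z "$home_net" ] || [ "$home_net" = "any" ]; then
        echo "HOME_NET is unset or 'any': \$HOME_NET rules would match all traffic"; rc=1
    fi
    # Only uncommented include lines count; the sed above prefixes the rest with '#'.
    while read -r kw target; do
        [ -z "$target" ] && continue
        var=${target%%/*}; var=${var#\$}; rest=${target#*/}
        base=$(awk -v v="$var" '($1=="var"||$1=="ipvar") && $2==v {print $3}' "$conf" | tail -n 1)
        if [ -z "$base" ]; then
            echo "include refers to undefined variable \$$var"; rc=1
        elif [ ! -f "$base/$rest" ]; then
            echo "missing rule file: $base/$rest"; rc=1
        fi
    done <<EOF
$(grep -E '^[[:space:]]*include[[:space:]]+\$' "$conf")
EOF
    return $rc
}

# make_demo_tree: constructed miniature of the article's /etc/snort layout in a temp
# dir; prints the directory. Applies the same sed trick, then re-enables local.rules.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/rules" "$root/preproc_rules"
    touch "$root/rules/local.rules" "$root/rules/white_list.rules" "$root/rules/black_list.rules"
    cat > "$root/snort.conf" <<EOF
ipvar HOME_NET 192.168.100.0/24
var RULE_PATH $root/rules
var PREPROC_RULE_PATH $root/preproc_rules
var WHITE_LIST_PATH $root/rules
include \$RULE_PATH/local.rules
include \$RULE_PATH/exploit.rules
EOF
    sed -i "s/include \$RULE_PATH/#include \$RULE_PATH/" "$root/snort.conf"
    echo 'include $RULE_PATH/local.rules' >> "$root/snort.conf"
    echo "$root"
}
```

Run check_snort_conf against the real /etc/snort/snort.conf after the edits above; a non-zero exit with the printed findings is what snort -T would also reject.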
The next step is to set up Snort so that it starts automatically when the server boots. We create a systemd unit named "snort.service" and write the following into the file:
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -q -c /etc/snort/snort.conf -i ens33

[Install]
WantedBy=multi-user.target
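One caveat, as an added example rather than the article's own unit: the ExecStart above starts Snort as root and never uses the snort user created earlier. Snort's -u and -g options drop to that user and group after the capture interface is opened; the shell functions below render a unit with those flags and flag a unit that lacks them, assuming the article's /var/log/snort path has been chowned to the snort user.

```shell
#!/bin/sh
# Added example (not from the article): the unit above runs Snort as root for its
# whole lifetime even though a "snort" user was created. Snort's -u/-g options
# drop to that user/group once the interface is open; this renders such a unit
# and checks an existing unit for the flags.

# render_snort_unit <iface> <snort.conf>: print a unit whose ExecStart drops privileges.
# Assumes /var/log/snort is writable by the snort user (chown -R snort:snort /var/log/snort).
render_snort_unit() {
    cat <<EOF
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c $2 -i $1 -l /var/log/snort

[Install]
WantedBy=multi-user.target
EOF
}

# unit_drops_privileges <unit file>: 0 if ExecStart carries both -u and -g, 1 if Snort stays root.
unit_drops_privileges() {
    exec_line=$(grep '^ExecStart=' "$1")
    case " $exec_line " in
        *" -u "*" -g "*|*" -g "*" -u "*) return 0 ;;
    esac
    echo "ExecStart keeps Snort running as root: $exec_line"
    return 1
}
```

Render with render_snort_unit ens33 /etc/snort/snort.conf and check any existing unit with unit_drops_privileges before enabling it.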
Then we enable the unit to run at boot and start it:
systemctl enable snort
systemctl start snort
Let's check the status of Snort with the following command:
systemctl status snort
With that, we have built the network IDS/IPS. In the next article we will show how to write rules that detect and prevent attacks on the DVWA web server.