Lab 3

Using Snort to detect intrusions.

Goal:

  • To set up a complete Snort IDS system on Linux with a full rule set.
  • To test the rule set against a variety of penetration tests.
  • To describe the meaning of the rules triggered.
Though each person will set up their own Snort system on Ubuntu and write their own lab report, you should work in teams. You will need a second computer to test your IDS system.

Lab Steps

Step 1 - Setup Snort

Install a complete Snort with database storage and a full rule set. Refer to the instructions on the page: Install and Configure a Ubuntu 11.04 Snort-MySQL Honeypot

Notes:

  1. Before starting, install tasksel: sudo apt-get install tasksel
  2. Install as given in the referenced article. Make your MySQL username root and your MySQL root password "snortsql".
Once Snort is set up you can view the logged information in MySQL with a command such as:

echo "select * from signature;" | mysql -u root -p snort

You will need to type in the MySQL root password each time. Note that the signature table only lists the signatures Snort has recorded; the individual alerts are in the event table, with their addresses in iphdr.
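As an added illustration (not part of the lab page or of the Snort distribution), the Python script below runs the join you actually want against the Snort schema: one row per alert with its signature name and endpoints. It assumes the table and column names of Snort's stock create_mysql schema (event, signature, iphdr, with addresses stored as unsigned integers) and builds an in-memory SQLite copy from constructed rows so it runs without the sensor; the SELECT itself can be piped into mysql as in the command above, substituting INET_NTOA() for the Python address conversion.

```python
import sqlite3
import ipaddress

# Subset of Snort's create_mysql schema (the tables BASE also reads);
# only the columns used below are declared here.
SCHEMA = """
CREATE TABLE signature (
    sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_priority INTEGER,
    sig_rev INTEGER, sig_sid INTEGER, sig_gid INTEGER);
CREATE TABLE event (
    sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
    PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (
    sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
    ip_proto INTEGER, PRIMARY KEY (sid, cid));
"""

def ip2int(dotted):
    """Snort stores IPv4 addresses as unsigned 32-bit integers."""
    return int(ipaddress.IPv4Address(dotted))

# Constructed rows standing in for what sensor 1 would have written:
# two normal pings and one large ping from the attacking host.
SAMPLE_ROWS = {
    "signature": [(1, "ICMP PING", 3, 5, 384, 1),
                  (2, "ICMP Large ICMP Packet", 2, 5, 499, 1)],
    "event": [(1, 1, 1, "2012-03-08 14:02:11"),
              (1, 2, 2, "2012-03-08 14:03:40"),
              (1, 3, 1, "2012-03-08 14:05:02")],
    "iphdr": [(1, 1, ip2int("192.168.0.105"), ip2int("192.168.0.100"), 1),
              (1, 2, ip2int("192.168.0.105"), ip2int("192.168.0.100"), 1),
              (1, 3, ip2int("192.168.0.105"), ip2int("192.168.0.100"), 1)],
}

# One row per alert: event joined to its signature and IP header.  The same
# SQL runs under MySQL; there wrap ip_src/ip_dst in INET_NTOA() instead of
# converting in Python as recent_alerts() does.
ALERTS_SQL = """
SELECT e.cid, e.timestamp, s.sig_gid, s.sig_sid, s.sig_name,
       i.ip_src, i.ip_dst, i.ip_proto
FROM event e
JOIN signature s ON s.sig_id = e.signature
JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
ORDER BY e.timestamp DESC
"""

COUNT_SQL = """
SELECT s.sig_name, COUNT(*)
FROM event e JOIN signature s ON s.sig_id = e.signature
GROUP BY s.sig_name
"""

def load_sample_db():
    """In-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn

def recent_alerts(conn, limit=20):
    """Newest alerts first, with addresses rendered as dotted quads."""
    out = []
    for cid, ts, gid, sid, name, src, dst, proto in conn.execute(ALERTS_SQL):
        out.append({"cid": cid, "time": ts, "rule": f"{gid}:{sid}", "msg": name,
                    "src": str(ipaddress.IPv4Address(src)),
                    "dst": str(ipaddress.IPv4Address(dst)),
                    "proto": proto})
        if len(out) == limit:
            break
    return out

def alerts_per_signature(conn):
    """Alert count per signature name, for the lab report."""
    return dict(conn.execute(COUNT_SQL).fetchall())

if __name__ == "__main__":
    db = load_sample_db()
    for a in recent_alerts(db):
        print(f'{a["time"]} [{a["rule"]}] {a["msg"]}: {a["src"]} -> {a["dst"]}')
    print(alerts_per_signature(db))
```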

Step 2 - simple penetration tests

Test the IDS system from another system using the following tools:

  1. A normal ping.
  2. A large ping (a 65500-byte payload, e.g. ping -s 65500 on Linux or ping -l 65500 on Windows).
  3. Several different types of Nmap scans.
For each one above, report the output from the Snort log (if any) and explain it.
Step 3 - crafting your own packets with hping3

The classic ping command has served the IT community well. But with the never-ending escalation of security and the blocking of most ICMP traffic at both the border and the host, the plain old ping command is no longer enough to accomplish even the simplest network administration tasks. This is exactly where hping3 comes in: it lifts the capabilities of ping to heights the original never imagined.

For a specific definition of what hping3 is, here is an excerpt from http://www.hping.org:

Hping3 is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired by the ping(8) Unix command, but hping isn't only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covert channel, and many other features. All header fields can be modified and controlled using the command line. A good understanding of IP and TCP/UDP is mandatory to use and understand the utility. While hping2 was mainly used as a security tool in the past, it can be used in many ways. Below is a subset of the stuff you can do using hping2:

  • Firewall testing

  • Advanced port scanning

  • Network testing, using different protocols, TOS, fragmentation

  • Manual path MTU discovery

  • Advanced traceroute, under all the supported protocols

  • Remote OS fingerprinting

  • Remote uptime guessing

  • TCP/IP stacks auditing

  • hping can also be useful to students that are learning TCP/IP.

Step 4 - Install hping3

Install hping3 from the Ubuntu repositories:

sudo apt-get install hping3

Then confirm it runs, replacing 192.168.200.45 with the address of your Snort system. Press Ctrl-C to stop; --faster is an alias for -i u1 (a one microsecond interval between packets), so expect a burst of alerts on the sensor:

sudo hping3 --faster -S 192.168.200.45

Step 5 - Using hping3 to build packets, and test the IDS

For each of the tests below, run Wireshark to capture the packet sent and any packet sent in response, then do the following:

  1. Run the test, capturing the packets on the sending computer with Wireshark.
  2. Check the Snort log. Describe what was logged and give the message. Find the triggered rule(s) in the rules files and show them.
  3. Examine and describe what happened in the Wireshark capture.
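
Added example for Steps 2 and 5 (not from the lab page or from Snort): a small Python parser for the full-format alert records Snort writes to /var/log/snort/alert, plus a lookup of the triggered rule by sid in the rules files. The alert records and rule lines embedded below are constructed in the shape of Snort 2.x output; the gid:sid:rev, msg and classification strings in your own rule set may differ, so run it over your real alert file and rules directory rather than relying on these samples.

```python
import re
from collections import Counter

# Constructed sample in the shape of Snort 2.x "full" alert output
# (/var/log/snort/alert).  Values in your own rule set may differ.
SAMPLE_ALERTS = """\
[**] [1:384:5] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
03/08-14:02:11.123456 192.168.0.105 -> 192.168.0.100
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:1234   Seq:1  ECHO

[**] [1:499:5] ICMP Large ICMP Packet [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
03/08-14:03:40.000101 192.168.0.105 -> 192.168.0.100
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:65528
Type:8  Code:0  ID:1234   Seq:2  ECHO
[Xref => http://www.whitehats.com/info/IDS246]

[**] [1:1228:7] SCAN nmap XMAS [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/08-14:05:42.917300 192.168.0.105:41234 -> 192.168.0.100:22
TCP TTL:51 TOS:0x0 ID:0 IpLen:20 DgmLen:40
**U*P**F Seq: 0x0  Ack: 0x0  Win: 0x400  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS30]
"""

# Constructed rule lines in Snort 2.x syntax, standing in for the files
# under /etc/snort/rules/ that you would search for the triggered sid.
SAMPLE_RULES = """\
# icmp.rules (abbreviated)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; icode:0; itype:8; classtype:misc-activity; sid:384; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:5;)
# scan.rules (abbreviated)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:7;)
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"\[Classification: (.+?)\] \[Priority: (\d+)\]")
FLOW_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
                     r"(\d+\.\d+\.\d+\.\d+)(?::(\d+))? -> "
                     r"(\d+\.\d+\.\d+\.\d+)(?::(\d+))?$")
PROTO_RE = re.compile(r"^(ICMP|TCP|UDP|IP) TTL:(\d+)")
TCPFLAGS_RE = re.compile(r"^([12UAPRSF*]{8}) Seq:")   # Snort prints flags as 12UAPRSF
ICMP_RE = re.compile(r"^Type:(\d+)\s+Code:(\d+)")

def parse_alert(block):
    """Turn one blank-line-delimited alert record into a dict (None if not one)."""
    lines = [l.rstrip() for l in block.strip().splitlines()]
    m = HEADER_RE.match(lines[0]) if lines else None
    if not m:
        return None
    alert = {"gid": int(m[1]), "sid": int(m[2]), "rev": int(m[3]), "msg": m[4],
             "classification": None, "priority": None, "time": None,
             "src": None, "src_port": None, "dst": None, "dst_port": None,
             "proto": None, "ttl": None, "tcp_flags": None,
             "icmp_type": None, "icmp_code": None, "xref": []}
    for line in lines[1:]:
        if c := CLASS_RE.search(line):
            alert["classification"], alert["priority"] = c[1], int(c[2])
        elif f := FLOW_RE.match(line):
            alert["time"], alert["src"], alert["dst"] = f[1], f[2], f[4]
            alert["src_port"] = int(f[3]) if f[3] else None
            alert["dst_port"] = int(f[5]) if f[5] else None
        elif p := PROTO_RE.match(line):
            alert["proto"], alert["ttl"] = p[1], int(p[2])
        elif t := TCPFLAGS_RE.match(line):
            alert["tcp_flags"] = t[1]
        elif i := ICMP_RE.match(line):
            alert["icmp_type"], alert["icmp_code"] = int(i[1]), int(i[2])
        elif line.startswith("[Xref =>"):
            alert["xref"].append(line[len("[Xref => "):].rstrip("]"))
    return alert

def parse_alerts(text):
    """All alert records in an alert file's contents, in file order."""
    blocks = re.split(r"\n\s*\n", text.strip())
    return [a for a in map(parse_alert, blocks) if a]

def tcp_flag_letters(flags_field):
    """'**U*P**F' -> 'UPF': the letters Snort left unstarred."""
    return flags_field.replace("*", "")

def find_rule(rules_text, sid, gid=1):
    """Return the rule line carrying this sid (and gid, default 1), or None."""
    for line in rules_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m_sid = re.search(r"\bsid\s*:\s*(\d+)\s*;", line)
        m_gid = re.search(r"\bgid\s*:\s*(\d+)\s*;", line)
        line_gid = int(m_gid[1]) if m_gid else 1
        if m_sid and int(m_sid[1]) == sid and line_gid == gid:
            return line.strip()
    return None

def summarize(alerts):
    """Alert count keyed by 'gid:sid msg', for the lab report."""
    return Counter(f'{a["gid"]}:{a["sid"]} {a["msg"]}' for a in alerts)

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for a in alerts:
        flags = f' flags={tcp_flag_letters(a["tcp_flags"])}' if a["tcp_flags"] else ""
        print(f'{a["time"]} {a["src"]} -> {a["dst"]} {a["proto"]}{flags} '
              f'[{a["gid"]}:{a["sid"]}] {a["msg"]}')
        print("   rule:", find_rule(SAMPLE_RULES, a["sid"], a["gid"]))
    print(summarize(alerts))
```

To use it on the sensor, read /var/log/snort/alert into parse_alerts() and concatenate the files under /etc/snort/rules/ for find_rule(); the flags letters it prints (UPF for the XMAS probe) are the same letters that appear in the rule's flags: option, which is how you tie a captured packet back to the rule that fired.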
Crafting TCP packets is the default behavior of Hping. By specifying the TCP flags, a destination port and a target IP address, one can easily construct TCP packets.

-F --fin set FIN flag
-S --syn set SYN flag
-R --rst set RST flag
-P --push set PUSH flag
-A --ack set ACK flag
-U --urg set URG flag
-X --xmas set X unused flag (0x40)
-Y --ymas set Y unused flag (0x80)

Before we start throwing packets all over the lab network, be aware that when you do not specify a destination port, hping3 uses port 0. If you do not specify a source port, it picks a random ephemeral port and increments it by one for each packet sent.

-S (SYN) Packet

The first packet we are going to send is the -S SYN packet. Here the target computer is 192.168.0.100. Replace this with the address of your Snort system.

sudo hping3 -S 192.168.0.100

-R (RST) Packet

The next packet we are going to send is the -R Reset (RST) packet. The reset packet is used to abort a connection. As you can see, the command syntax is very similar; the only change is the switch itself, -R instead of -S.

"The RST packet is often used to perform what is known as inverse mapping. What this means is that RST packets are sent out and the response received is what will tell you if the host exists or not. If you send out a RST scan you would get one of two things. You will either get no response which indicates to you that the host is probably alive or you’ll receive an ICMP host unreachable message. This would indicate that the host does not exist. This is what is known as inverse mapping. Some IDS systems will not log RST packets/scans due to the sheer multitude of them. This is why the inverse scan is popular." [1]

sudo hping3 -R 192.168.0.100

-F (FIN) Packet

The FIN packet is used to close an established connection. It is also used to conduct a FIN scan: when a closed port receives a bare FIN packet it should respond with a RST, while an open port should ignore it. This holds for RFC 793-compliant stacks; Windows, for example, answers FIN probes to both open and closed ports with a RST, so the scan tells you nothing about port state there.

sudo hping3 -F 192.168.0.100

Now try it with port 135

sudo hping3 -F 192.168.0.100 -p 135

ICMP Packets

Most ping programs send ICMP echo requests and wait for echo replies to test connectivity. hping3 lets us do the same test with any IP packet, including ICMP, UDP and TCP, which helps when a firewall or router drops ICMP. By default hping3 uses TCP, but to send ICMP echo requests instead use the -1 (one) mode: hping3 -1 IPADDRESS

sudo hping3 -1 192.168.0.100

UDP Packets

As already mentioned, the default protocol for hping3 is TCP. But just as with ICMP, you can send UDP packets with hping3 using the -2 (two) mode: hping3 -2 IPADDRESS. UDP scans are useful when probing UDP services such as NetBIOS, NFS, DNS and NIS.

sudo hping3 -2 192.168.0.100

-S SYN Scan and Specifying Ports

Now we start to see the power of hping3. We are going to direct a SYN packet at a specific port, in this case 135. We send a SYN (-S) packet to 192.168.0.100 on port 135 by adding the -p switch, which sets the destination port. To choose the source port the packet goes out on, use the -s switch followed by a port number, just like the destination port in the example below.

sudo hping3 -S 192.168.0.100 -p 135
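
Added example (not part of the lab page or of hping3) covering the TCP packets in this step: a Python builder that emits the same 20-byte TCP header hping3 sends for -S, -R, -F, -p and the X/Y bits, with the pseudo-header checksum computed the way the sending stack would, and a decoder that turns a captured header back into hping3-style flag letters, which is handy when reading the Wireshark capture next to a rule's flags: option. The addresses and ports are assumed for illustration. It builds the bytes only; putting them on the wire needs an IP header and a raw socket (CAP_NET_RAW), which is what hping3 does for you.

```python
import socket
import struct

# TCP flag bits in the low byte of the offset/flags word.  hping3's
# -F/-S/-R/-P/-A/-U/-X/-Y switches set exactly these bits; X and Y are
# hping3's names for the two high bits (ECE and CWR in RFC 3168 terms).
FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
         "A": 0x10, "U": 0x20, "X": 0x40, "Y": 0x80}

def inet_checksum(data):
    """RFC 1071 checksum: one's complement of the 16-bit word sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                       socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, tcp_len)

def build_tcp_segment(src_ip, dst_ip, sport, dport=0, flags="",
                      seq=0, ack=0, window=512, payload=b""):
    """20-byte TCP header (no options) plus payload, checksum filled in.
    dport defaults to 0, mirroring hping3 when -p is omitted."""
    bits = 0
    for ch in flags.upper():
        bits |= FLAGS[ch]
    data_offset = 5                        # header length in 32-bit words
    hdr = struct.pack("!HHLLHHHH", sport, dport, seq, ack,
                      (data_offset << 12) | bits, window, 0, 0)
    csum = inet_checksum(pseudo_header(src_ip, dst_ip, len(hdr) + len(payload))
                         + hdr + payload)
    hdr = hdr[:16] + struct.pack("!H", csum) + hdr[18:]   # checksum at bytes 16-17
    return hdr + payload

def segment_flags(segment):
    """Decode the flag byte back into hping3-style letters, e.g. 'SA'."""
    word = struct.unpack("!H", segment[12:14])[0]
    return "".join(name for name, bit in FLAGS.items() if word & bit)

def segment_ports(segment):
    """(source port, destination port) of a TCP segment."""
    return struct.unpack("!HH", segment[:4])

def checksum_ok(src_ip, dst_ip, segment):
    """A correctly checksummed segment sums to zero together with its pseudo-header."""
    return inet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0

if __name__ == "__main__":
    # The lab's hping3 invocations (and nmap's XMAS probe), as wire bytes.
    attacker, sensor = "192.168.0.105", "192.168.0.100"
    for label, kwargs in [("hping3 -S", dict(flags="S")),
                          ("hping3 -R", dict(flags="R")),
                          ("hping3 -F -p 135", dict(flags="F", dport=135)),
                          ("hping3 -S -p 135", dict(flags="S", dport=135)),
                          ("nmap -sX (FIN/PSH/URG)", dict(flags="FPU", dport=22))]:
        seg = build_tcp_segment(attacker, sensor, sport=40000, **kwargs)
        print(f"{label:24s} ports={segment_ports(seg)} flags={segment_flags(seg)} "
              f"csum_ok={checksum_ok(attacker, sensor, seg)} {seg.hex()}")
```

Two things to check against your capture: the -S/-R/-F packets without -p really do carry destination port 0 (Wireshark shows it), and Snort's printed flag string "12UAPRSF" is just this same byte in a fixed order, with hping3's X and Y appearing as 2 and 1.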

Step 6 - Install and test Snort with MySQL and BASE

BASE is the Basic Analysis and Security Engine. It is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts coming from a Snort IDS system.

BASE Website

Do the install

Start by switching to root because it's tedious to keep retyping sudo.

Code:

sudo -i

Update your system. I had 60+ packages to update and it took about 10min or so.

Code:

apt-get update
apt-get upgrade

Install Snort with Mysql support.

Code:

apt-get install snort-mysql

It will ask about configuring Snort to monitor a certain network. Enter any and it will inspect all packets the sensor receives (later we'll see where to change this in snort.conf). Next it will ask about setting up a database; say no, we'll do that by hand later.

Before testing Snort, install oinkmaster, a tool that keeps your Snort rules up to date.

Code:

apt-get install oinkmaster

Now edit the oinkmaster config file, /etc/oinkmaster.conf. Register at snort.org to obtain an oinkcode, then replace

Code:

url = http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz

with

Code:

url = http://www.snort.org/pub-bin/oinkmaster.cgi/5a08f649c16a278e1012e1c84bdc8fab9a70e2a4/snortrules-snapshot-2.3.tar.gz

Make sure you replace 5a08f649c16a278e1012e1c84bdc8fab9a70e2a4 with your own oinkcode and pay attention to which Snort version you're using. In this example Snort is version 2.3; the snapshot you download must match the installed version. Treat the oinkcode like a password: it is tied to your snort.org account, so don't paste it into your lab report.
To find your snort version.

Code:

snort -V

Update the snort rules.

Code:

oinkmaster -o /etc/snort/rules/

I recommend creating a crontab so your rules automatically update.

Let's take a look at the snort.conf file.

Code:

nano -w /etc/snort/snort.conf

The line

var HOME_NET any

is what we configured earlier during the Snort install. Also make sure you have a line that isn't commented out (no # in front of it) reading:

Code:

output log_tcpdump: tcpdump.log

See if snort is running

Code:

pgrep -l snort

If it's not start it with

Code:

/etc/init.d/snort start

If you get an error about a db-pending-config then

Code:

rm /etc/snort/db-pending-config

Let's see if Snort is working properly by tailing the alert file. If you see it change, or any alerts at all, Snort is working.

Code:

tail -f /var/log/snort/alert

Windows PCs on the same network triggered my Snort, but you can always run a port scan from another computer using nmap (running nmap against the sensor from the sensor itself won't do anything).

Code:

nmap -sX your_snort_ip_address

I believe this only works if you have at least one open port. For this I installed ssh.

Code:

apt-get install ssh

The alert file should say something about an XMAS scan. Press ctrl + c to kill the tail command.

Let's install MySQL; it will take a few minutes.

Code:

apt-get install mysql-server

Edit the snort.conf

Code:

nano -w /etc/snort/snort.conf

Comment out the output log_tcpdump: tcpdump.log line so it looks like

Code:

# output log_tcpdump: tcpdump.log

Change

Code:

# output database: log, mysql, user=root password=test dbname=db host=localhost

to the following. Use something other than SNORT_PASSWORD (we'll set it in a minute), and note the dbname=snort.

Code:

output database: log, mysql, user=snort password=SNORT_PASSWORD dbname=snort host=localhost

I followed Patrick's CentOS guide for the following because I barely understand MySQL. You can find his guide here. Good info, even if you're not using CentOS.

Code:

http://www.snort.org/docs/setup_guides/snort_base_SSL.pdf

PASSWORD_SNORT_CONF must be the same value you put in snort.conf as SNORT_PASSWORD.

Code:

mysql -u root
set password for root@localhost=password('PICK_A_PASSWORD');
create database snort;
grant insert,select on root.* to snort@localhost;
set password for snort@localhost=password('PASSWORD_SNORT_CONF');
grant create,delete,insert,select,update on snort.* to snort@localhost;
grant create,delete,insert,select,update on snort.* to snort;
exit

Let's set up the database for Snort by uncompressing the schema and importing it.

Code:

gunzip /usr/share/doc/snort-mysql/create_mysql.gz
mysql -u root -p snort < /usr/share/doc/snort-mysql/create_mysql

Restart Snort

Code:

/etc/init.d/snort restart

Now let's grab what we need for BASE: Apache, PHP with MySQL support and the ADOdb library.

Code:

apt-get install apache2 php5-mysql libphp-adodb

Download the latest version of BASE from
http://base.secureideas.net/
Extract BASE & Move BASE

Code:

tar -xvzf /home/username/Desktop/base-1.3.6.tar.gz 
mv base-1.3.6 /var/www/base

Copy & Edit the BASE config

Code:

cd /var/www/base 
cp base_conf.php.dist base_conf.php
nano -w base_conf.php

Look for these lines and change them so they read similarly. The variable names are case-sensitive in PHP, and $alert_user must be the MySQL user you put in snort.conf.

Code:

$BASE_urlpath = '/base';
$DBlib_path = '/usr/share/php/adodb/';
$alert_dbname = 'snort';
$alert_user = 'snort';
$alert_password = 'SNORT_PASSWORD';

I had to restart apache before getting to BASE

Code:

/etc/init.d/apache2 restart 
Open Firefox and go to http://localhost/base

Click on the setup page link and then the Create BASE AG button
BASE should be working now.

Lets get the graphing to work (This step is optional, I couldn't get it to work)

Code:

apt-get install php5-gd php-pear 
pear install Image_Color
pear install Image_Canvas-alpha
pear install Image_Graph-alpha

(End optional)

Restart apache

Code:

/etc/init.d/apache2 restart

One more thing to look at before you're done is /etc/snort/threshold.conf. This file can be used to limit and suppress alerts you don't want to see. I get a lot of false positives from Samba and normal Windows traffic. I'm not worried about local traffic, so I can suppress my network but still generate alerts if someone outside were connecting, by adding a line like the one below. The config should be self-explanatory.

Code:

suppress gen_id 1, sig_id 2466, track by_src, ip 192.168.1.0/24
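
Added example (not from the page or from Snort): a Python check that parses suppress lines in threshold.conf syntax and reports whether a given alert would still be written, so you can test a suppression before restarting Snort. The threshold.conf content below is constructed; the sid is the one from the line above. It handles only the single address or CIDR form of ip shown here, not the bracketed address list Snort also accepts.

```python
import ipaddress
import re

# Constructed threshold.conf contents (Snort 2.x suppress syntax).
SAMPLE_THRESHOLD_CONF = """\
# ignore SMB share-access alerts when the source is on the local LAN
suppress gen_id 1, sig_id 2466, track by_src, ip 192.168.1.0/24
# ignore one noisy signature entirely, whatever the addresses
suppress gen_id 1, sig_id 384
"""

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$")

def parse_suppressions(text):
    """List of suppress entries; raises on a line Snort would not accept."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised threshold.conf line: {raw!r}")
        gid, sid, track, ip = m.groups()
        entries.append({"gid": int(gid), "sid": int(sid), "track": track,
                        "net": ipaddress.ip_network(ip, strict=False) if ip else None})
    return entries

def is_suppressed(entries, gid, sid, src_ip, dst_ip):
    """True if an alert with this gid:sid and endpoints would not be logged."""
    for e in entries:
        if (e["gid"], e["sid"]) != (gid, sid):
            continue
        if e["track"] is None:                   # no track clause: always suppressed
            return True
        addr = ipaddress.ip_address(src_ip if e["track"] == "by_src" else dst_ip)
        if addr in e["net"]:
            return True
    return False

if __name__ == "__main__":
    entries = parse_suppressions(SAMPLE_THRESHOLD_CONF)
    for gid, sid, src, dst in [(1, 2466, "192.168.1.50", "192.168.1.10"),
                               (1, 2466, "10.0.0.5", "192.168.1.10"),
                               (1, 1228, "192.168.1.50", "192.168.1.10"),
                               (1, 384, "8.8.8.8", "192.168.1.10")]:
        verdict = "suppressed" if is_suppressed(entries, gid, sid, src, dst) else "logged"
        print(f"[{gid}:{sid}] {src} -> {dst}: {verdict}")
```

Two caveats worth remembering when you tune this file: suppression only stops the alert from being output, the rule is still evaluated against every packet, so it saves nothing in detection cost; and a by_src entry for a whole /24 also hides a genuinely compromised internal host, so suppress by the narrowest address that actually causes the false positive.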

Step 7 - Use BASE

Connect to BASE from a remote system. Do the following:

  1. Use BASE to display today's unique ALERTS. Paste a screen shot into the lab report.
  2. Use BASE to display a list of today's ALERTS.
  3. Find the Large Ping packet. View the packet, and take and save a screen shot.

Step 8 - Reflection

  1. What did you think of this lab, was it helpful in learning to setup and use these tools?
  2. What didn't you like about this lab, how could it be improved?
References
-- JimSkon - 2012-03-08
Topic revision: r6 - 2012-03-09 - JimSkon
 