Creating a Reactive IDS
Problem
Simple alerting is insufficient; you want to actively respond to an attempt to compromise your security.
Solution
If you want to reset any illegitimate connection attempts, use the resp keyword from Recipe 2.n.
If you want to call on an external program to perform some action, use the unixsock output plug-in from Recipe 2.n.
If you want to use Snort to modify the rules of a firewall to block unwanted traffic, use SnortSAM.
If you want to use Snort as a filter to remove unwanted traffic, you need to run Snort inline. This removes the problem of attacker using an intrusion prevention system to create a denial of service. As it drops only packets that are suspect, it doesn't exclude an entire IP address.
Discussion
The first two options have been discussed earlier; please see the respective recipes for further information.
To create an interface between Snort and a firewall, you can use either the unixsock output plug-in to call a script to modify the firewall, or you can use SnortSAM.
SnortSAM is a plug-in to Snort that interfaces with a number of firewalls, both commercial and open source, to modify the rulesets. The supported firewalls at the time of writing include:
- Checkpoint Firewall-1
- Cisco PIX firewalls
- Cisco routers
- Netscreen firewalls
- Watchguard
- IPTables and IPChains
To install SnortSAM, download the source from http://www.snortsam.net. Unzip and unpack the source, change to the source directory, and make SnortSAM by entering the following commands:
tar xvZf snortsam-src-2.24.tar.gz cd snortsam-src-2.24 ./makesnortsam.sh
When the compile is finished, copy the binary to /usr/local/bin. Or you can download the precompiled versions from the same site for Linux, Windows, and Solaris.
To add the SnortSAM plug-in into Snort, download the snortsam-patch.tar.gz file from the SnortSAM site, decompress and unpack it, and then use it to patch the Snort source using the following commands:
tar xvZf snortsam-patch.tar.gz cd snortsam-patch.tar.gz ./patchsnort.sh /usr/local/src/snort
where /usr/local/src/snort is the path to your Snort source. You then need to recompile Snort as described in Recipe 1.n.
To run SnortSAM, start it with the following command:
snortsam /usr/local/etc/snortsam.conf
where the path is that of the snortsam.conf file. This file contains the configuration options for SnortSAM and an example file is provided. The minimum options are to specify a Snort sensor to listen to and the details of the firewall that is to be modified by SnortSAM. Edit the example file to reflect your requirements.
Once SnortSAM is running, you need to start Snort with a snort.conf file that includes the SnortSAM output plug-in. You can add it by entering the following line in the snort.conf file.
output alert_fwsam: 192.168.0.25
Replace the IP address with the IP of the machine running SnortSAM. Modify your rules by adding the fwsam option, which allows you to specify which IP to block and the duration of the block. For example, to block the source of the packet for a duration of five minutes, add:
fwsam: src, 5 minutes;
For example:
Alert tcp any any -> any 2001 (msg: "Block anyone who tries Port 2001"; fwsam: src, 5 minutes;)
You should examine the SnortSAM documentation to see the exact eccentricities of working with your particular type of firewall.
The big caveat of reactive firewalls is the capability of an attacker to launch a substantial denial of service. If the firewall shuts down any IP address that sends a certain packet, someone can spoof the source address on multiple packets of that type, which would block all those IP addresses. The solution to this issue is to run Snort inline.
To run Snort inline, there are a number of prerequisites and a fair bit of initial setup. The good news is that most of these prerequisites are now standard in the latest releases of most flavors of Linux.
You'll need to download the snort_inline source, which is available online at http://snort_inline.sourceforge.net/. This is a full copy of Snort with the necessary modifications. Decompress the source, change into the source directory, configure, make, and then as root, install the snort_inline binaries by typing the following:
tar xvZf snort_inline-2.1.3b.tgz cd snort_inline-2.1.3b ./configure --enable-inline make su make install
Once this is done, Snort is ready to be run inline. You need to download the rc.firewall script from http://www.honeynet.org/papers/honeynet/tools. This script controls the Snort inline setup and configures all the other necessary things. You will, however, have to modify the script so that the configuration options are right for your system. All the variables are neatly kept at the head of the file in the User Variable section. Relevant variables and the meanings of their possible settings are listed in Table 7-1. If a variable isn't listed here, we recommend that you use the default.
Variable name |
Meaning |
---|---|
MODE = "bridge" | "nat" |
This determines whether the setup is a simple bridge (same IP addresses on both sides) or if it performs nat (network address translation). For the example, this is set to bridge. |
PUBLIC_IP= "192.168.0.8" "192.168.0.9" |
These are the internal IP addresses that you wish to be filtered. If you list more than one IP, they should be separated by spaces. |
INET_IFACE = "eth0" |
This should be the external facing interface. |
LAN_IFACE = "eth1" |
This should be the internal facing interface. |
LAD_BCAST_ADDRESS= "192.168.0.255" |
This is the broadcast address for the internal network. |
QUEUE= "yes" | "no" |
Either enable or disable QUEUE support: this should be set to yes. |
PATH= "/sbin:/usr/sbin" |
Path to check for all requisite programs; the PATH variable should allow for the finding of iptables, brctl, ifconfig, route, and modprobe. |
Once you have made the changes that are necessary to the rc.firewall script. Running the script will cause all the traffic through IPTables to be passed to our snort_inline daemon.
./rc.firewall
Next, the task is to modify the ruleset so that instead of alerting, the packets are dropped. You can download a utility from the Honeynet site mentioned earlier that will do this for you automatically, but it is good practice to know what is going on anyway. The change is straightforward: replace the alert keyword with the drop keyword. This will cause those packets that match the rule to be discarded without a trace.
To start snort_inline so it is listening to the packets passed from IPTables, use the following command:
snort -D -c /etc/snort/snort.conf -Q -l /var/log
Most of the options are standard: -D for daemon mode, -l for log directory, and -c for configuration file. The only different option is -Q, which tells snort_inline to listen to the IPTables queue.
See Also
Snort-inline project (http://snort-inline.sourceforge.net)
guardian from the snort contrib directory
IPS vendors
Monitoring a Network Using Policy Based IDS
|