SmoothSec IDS

I wasn’t planning on doing this section yet, but i wanted to implement the IDS before I finish configuring the reset of the lab and it caused me a few headaches so I relay them here in the hope that others can benefit.

IDS is an Intrusion Detection System. there are many implementations of them, some free some not, and each comes with a variety of features and functions.

The idea is a fairly simple one. If I know what bad things look like, i can write a rule or signature for them. if i then have something on my network looking at all the traffic i can tell it to alert me if it gets a signature match.

An IDS is broken down in to a few different sections:

  • Rules - These are arguably the most important part of the IDS, without them there’s no point deploying an IDS in the first place.
  • Sensors - These are the devices that Plug in to or tap on to the network and collect the raw data for processing.
  • Alert Manager - This is the interface that collate all the rules that have fired (Matched a signature pattern) and displays them to an analyst.

Me I like snort based IDS this is the IDS covered by the SANS 503 Course and the one I use most often.

Rather than build one from scratch I decided to look around for a complete and relatively simple deployment solution. one that ideally wouldn’t cost me anything. I decided to go with SmoothSec, I had read about SmoothSec in a blog post a while back so decided to give it a try.

Here is what i wanted to achieve.

  • An IDS protecting my Home Network.
  • An IDS for the Malware Network
  • A Single Alert Interface.

The best way of deploying a network sensor is via a tap, Active Taps are the best but for this very reason are also the most expensive, passive taps on the other hand are simple, cheap and have a DIY option as well if your feeling that way inclined. Other options include managed switches where you can set up a SPAN port that will mirror all your network traffic.

If your setting this up in a VM  you’re not going to be able to use the TAP method unless you have a spare NIC Card lying around as you need an interface with IP to access the management side, then a second Non IP assigned to monitor. I plan on either getting a managed switch or building my own tap, or perhaps both. but in the mean time I need another method of intercepting all my network traffic that’s where IP Tables come in.

Using IP tables on my router i can copy ALL the network traffic and send it to a specific IP. There are a few downside to this, all the data on my network is being duplicated and will put an extra load on my router. The monitor interface is the same interface as my Management for viewing the web interface which is far from ideal. However this is a quick free and easy method.

I had an old Cisco / Linksys E4200 lying around so i dropped DD-WRT on it and set the following Rules.

iptables -A PREROUTING -t mangle -j ROUTE --gw 192.168.0.254 --tee

iptables -A POSTROUTING -t mangle -j ROUTE --gw 192.168.0.254 --tee

SmoothSec-IPTables

With my data routed let’s get to installing the IDS

First pay a visit to smoothsec.org and get the latest release. The install guide they provide on the wiki is simple enough that anyone should be able to follow. I’ll post a page HERE that shows my installation process in pictures.

Once the installation has completed run the first start script as follows

smoothsec.first.startup

set a strong password

choose eth0 < – you can change this later As I said earlier I prefer snort so choose option one, reboot the machine and wait for it to come back up. SmoothSec will use DHCP by default, we can set a DHCP reservation on our DHCP Server or we can set a static address on the sensor. I prefer the latter. nano /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#allow-hotplug eth0
#iface eth0 inet dhcp

#Primary NIC
auto eth0
iface eth0 inet static
        address 192.168.0.254
        netmask 255.255.255.0
        gateway 192.168.0.192

Once you have made the changes shown above making sure to use your own IP Scheme save the file and reboot.

From this point on you can use your fav SSH / SCP clients to connect

before we go any further lets confirm that our monitor interface is receiving data

SSH on to the box

run tcpdump with a filter for an IP address of a local machines and then browse a website

tcpdump -i eth0 not port 22 and src host 192.168.0.146 and dst port 80

SmoothSec-TCPDUMP

You should see traffic that was not destined for your sensor if you’re not seeing any data check your Interfaces and your IPTables are set correctly.

ctrl + c to stop the capture

With data being intercepted lets head over to the Snorby Interface and get things set up there.

point browser to https://your ip here

Log in with

snorby@snorby.org and password snorby

Create a new user by selecting administration -> users and clicking the add user button. When filling in all the details make sure you tick the Administrator tick box!

log out and back in with your new account and remove the default administrator.

You may notice there aren’t any sensors or data on the snorby dashboard. It takes a rule to fire for the snorby workers to pick up the sensor details.

Lets add our own rules to the IDS and make sure that things are working correctly

Adding Your Own Rules

First we need to create out rules file

ssh on to the box and

nano /etc/snort/rules/local.rules

enter your rules one per line

for local.rules you can use SIDS 5000000 - 5999999 all the other sids are reserved

i used this as my test signature

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"TEST RULE"; flow:to_client,established; content:"http://techanarchy.net/wp-admin/admin.php?page=stats&day=2013-07-23"; nocase; classtype:bad-unknown; sid:500000; rev:1;)

now we need to edit the snort conf file to set some variables and to include our new rules

nano /etc/snort/snort.conf

find the line

“ipvar HOME_NET 192.168.1.0/24” and make sure it matches your network I changed mine to read

“ipvar HOME_NET 192.168.0.0/24”

find “include $RULE_PATH/emerging.rules”

add after “include $RULE_PATH/local.rules”

save the file

Pulled Pork is responsible for rule management in this environment, to make sure our custom rules are included properly we need to make a change here as well.

nano /etc/pulledpork/snort/pulledpork.conf

find “#emerging threats rules”

add after “local_rules=/etc/snort/rules/local.rules”

save the file and run the following command

smoothsec.snortrules.update

we should now start to see some rules being alerted. we will need to fine tune these rules to prevent false positives i get a constant stream of policy violation rules like Dropbox, these don’t apply to me at home so I disable them but that will be for another post

You may notice that if you try to view a rule by clicking the view rule button all you get is

Snorby_No_Rules

This is because Snorby doesn’t know where the rules files are, so lets tell it where to find them

nano /var/www/snorby/config/snorby_config.yml

edit the lines under production to suit your needs making sure to change this line

rules:
    - "/etc/snort/rules"

reboot

and now you should see

Snorby_With_Rules

 

That pretty much covers the installation and configuration. Future posts will include more information on Rule Management and Snorby in general.

Questions, Queries, Comments below.

Comments