Community

Blog
×
Community Blog How Secure Your Linux Server Using Snort NIDS

How Secure Your Linux Server Using Snort NIDS

In this tutorial, we will learn how to install and configure Snort NIDS on an Alibaba Cloud ECS Ubuntu 16.04 instance.

By Hitesh Jethva, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud’s incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.

Snort is a free, open source and one of the most commonly used signature-based network intrusion detection system (NIDS) that monitors the package data sent and received through a specific network interface. Snort performs protocol analysis, content searching and matching, real-time traffic analysis and packet logging on Internet Protocol (IP) networks. You can determine the most recent strikes, malware infections, compromised systems, and community policy violations using Snort. Snort comes with a powerful set of features like, detection of buffer overflow, stealth port scan, CGI Attacks and other thousands of worms and vulnerability attempts. Snort is lightweight, so you can easily installed it on the smallest cloud server instances.

In this tutorial, we will going to learn how to install and configure Snort NIDS on an Alibaba Cloud Elastic Compute Service (ECS) Ubuntu 16.04 instance.

Prerequisites

  1. A fresh Alibaba cloud instance with Ubuntu 16.04 server installed.
  2. A static IP address 192.168.0.103 is configured on the instance.
  3. A root password is setup on the server.

Launch an Alibaba Cloud ECS Instance

First, login to your Alibaba Cloud ECS Console. Create a new ECS instance, with Ubuntu 16.04 as the operating system with at least 2GB RAM. Connect to your ECS instance and log in as the root user.

Once you are logged into your Ubuntu 16.04 instance, run the following command to update your base system with the latest available packages.

apt-get update -y

Install Required Packages

Next, install all the dependencies required to install Snort with the following command:

apt-get install openssh-server ethtool build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev openssl libssl-dev -y

Next, you will also need to install DAQ (Data Acquisition Package) to your system. First, download the latest version of the DAQ using the following command:

wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz

Once the DAQ is downloaded, extract the downloaded file using the following command:

tar -xvzf daq-2.0.6.tar.gz

Next, change the directory to the daq-2.0.6 and run the following command to compile and install DAQ:

cd daq-2.0.6
./configure
make
make install

Once DAQ is installed, you can proceed to install Snort.

Install Snort

By default, the latest version of the Snort is not available in the Ubuntu 16.04 repository. So, you will need to download Snort source and compile it.

First, download Snort source code using the following command:

wget https://www.snort.org/downloads/snort/snort-2.9.11.1.tar.gz

Next, extract the downloaded file with the following command:

tar -xvzf snort-2.9.11.1.tar.gz

Next, change the directory to the snort-2.9.11.1 and compile it with the following command:

cd snort-2.9.11.1
./configure --enable-sourcefire
make
make install

Next, update the shared libraries with the following command:

ldconfig

Next, create a symbolic link of Snort binary using the following command:

ln -s /usr/local/bin/snort /usr/sbin/snort

Finally, check the Snort with the following command:

snort -V

If everything is ok, you should see the following output:

,,_     -*> Snort! <*-
  o"  )~   Version 2.9.11.1 GRE (Build 268) 
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.7.4
           Using PCRE version: 8.38 2015-11-23
           Using ZLIB version: 1.2.8

Configure Snort

Snort can be configured in three modes:

Sniffer Mode: In this mode, output will dump to the terminal. You can see packets in continuous flow in live mode.

Packet Logger Mode: In this mode, output will be stored in the disk. You can monitor it later.

Network IDS Mode: In this mode, some parameters are configured that allow snort to match defined parameters while scanning the network.

In this tutorial, we will configure Snort for Network IDS (NIDS) Mode.

First, you will need to create a directory structure for Snort. You can do this by running the following command:

mkdir /etc/snort /etc/snort/preproc_rules /etc/snort/rules /var/log/snort /usr/local/lib/snort_dynamicrules
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules /etc/snort/rules/local.rules

Next, give proper permissions to all the directories:

chmod -R 5775 /etc/snort/ /var/log/snort/ /usr/local/lib/snort /usr/local/lib/snort_dynamicrules/

Next, copy all the configuration files from Snort source:

cd /root/snort-2.9.11.1/etc
cp -avr .conf .map .dtd .config /etc/snort/
cp -avr /root/snort-2.9.11.1/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/* /usr/local/lib/snort_dynamicpreprocessor/

Next, comment out all rulesets with the following command:

sed -i "s/include &dollar;RULE\_PATH/#include \$RULE_PATH/" /etc/snort/snort.conf

Next, you will need to configure Snort configuration file. You can do this using the following command:

nano /etc/snort/snort.conf

Make the following changes:

Save and close the file, when you are finished. Then, validate the configuration file with the following command:

snort -T -i eth0 -c /etc/snort/snort.conf

You should see the following output:

Snort successfully validated the configuration!
Snort exiting

Test Snort

Snort is now installed and configured, it's time to test Snort.

First, create a rule for (FTP, ICMP, Web and SSH) Snort. This rules will generate an alert, when someone tries to make Ping, SSH, FTP and Web connection attempt. You can do this by editing following file:

nano  /etc/snort/rules/local.rules

Add the following lines:

alert tcp any any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"Web connection attempt"; sid:1000003; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"SSH connection attempt"; sid:1000004; rev:1;)

Save and close the file, when you are finished.

Now, start Snort daemon in Network IDS mode from the terminal and tell it to output any alert to the console:

snort -A console -q -c /etc/snort/snort.conf -i eth0

Snort is now up and listening on interface eth0.

Next, from the remote machine. Make the SSH, FTP, ICMP and Web connection attempt with the following command:

ssh 192.168.0.103
ping 192.168.0.103
telnet 192.168.0.103 21

Note: 192.168.0.103 is the IP address of the Snort server.

On the Snort server, you should see the following output:

05/15-21:26:43.359463  [] [1:1000004:1] SSH connection attempt [] [Priority: 0] {TCP} 192.168.0.105:59099 -> 192.168.0.103:22
05/15-21:30:07.863475 [] [1:1000001:1] FTP connection attempt [] [Priority: 0] {TCP} 192.168.0.105:35850 -> 192.168.0.103:21
05/15-21:27:59.090364 [] [1:1000002:1] ICMP connection attempt [] [Priority: 0] {ICMP} 192.168.0.105 -> 192.168.0.103

You can stop Snort at any time by pressing Ctrl+C from your keyboard.

Create Snort Upstart Script

You will also need to create an Upstart script for Snort to start Snort at boot time. You can do this by creating following file:

nano /lib/systemd/system/snort.service

Add the following lines:

 [Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/snort -q -c /etc/snort/snort.conf -i eth0
[Install]
WantedBy=multi-user.target

Save the file, when you are finished, then start Snort service and enable it to start on boot time with the following command:

systemctl start snort
systemctl enable snort

You can check the status of the Snort using the following command:

systemctl status snort

You should see the following output:

snort.service - Snort NIDS Daemon
   Loaded: loaded (/lib/systemd/system/snort.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2018-05-15 21:31:31 IST; 8s ago
 Main PID: 29884 (snort)
   CGroup: /system.slice/snort.service
           └─29884 /usr/local/bin/snort -q -c /etc/snort/snort.conf -i eth0

May 15 21:31:31 Node1 systemd[1]: Started Snort NIDS Daemon. 

You can also check the connection attempt on Snort server later using the following command:

tcpdump -r /var/log/snort/snort.log*

Output:

21:42:56.618502 IP 192.168.0.105.58491 > 192.168.0.103.ssh: Flags [P.], seq 5800:5856, ack 221657, win 1444, options [nop,nop,TS val 1074792 ecr 968798], length 56
21:42:56.621801 IP 192.168.0.105.58491 > 192.168.0.103.ssh: Flags [.], ack 221745, win 1444, options [nop,nop,TS val 1074792 ecr 969065], length 0
21:47:11.333431 IP 192.168.0.105.35886 > 192.168.0.103.ftp: Flags [.], ack 35, win 229, options [nop,nop,TS val 1138471 ecr 1032743], length 0
21:47:11.335842 IP 192.168.0.105.35886 > 192.168.0.103.ftp: Flags [F.], seq 0, ack 36, win 229, options [nop,nop,TS val 1138471 ecr 1032744], length 0

Congratulations! You have successfully installed and configured Snort NIDS on Ubuntu 16.04 server. You can now monitor any connection attempt made to your server.

Related Alibaba Cloud Products

Alibaba Cloud Anti-DDoS Basic is a cloud-based security service that integrates with Alibaba Cloud ECS instances to safeguard your data and applications from DDoS attacks, and provides increased visibility and control over your security measures.

As an Alibaba Cloud global service, Anti-DDoS Basic enables you to meet stringent security requirements for your cloud hosting architecture without any investment. This service is available to all Alibaba Cloud users free of charge.

Alibaba Cloud Server Guard protects servers from various malicious attacks by installing a lightweight agent on the server that provides cloud threat information linkage. It also provides real-time alerts in case of suspicious logins, and safeguards the servers from the website backdoor attacks.

The product is easy to use and setup, and provides you with complete overview and analysis of your website and systems. This helps you increase the efficiency of your mission critical applications.

CloudMonitor is a flexible monitoring service that provides in-depth insights into your cloud deployments. CloudMonitor provides advanced analytics on critical metrics such as CPU utilization, latency and also lets you customize metrics specific to business requirements.

You can closely monitor your resources in real time including ECS (Elastic Compute Service), RDS (Relational Database Service), Server Load Balancer, Block Storage volumes and tweak deployments to optimize performance and save on operational costs.

CloudMonitor also provides a solution that adds another layer of security to your cloud deployments as it can detect intrusions and security breaches according to the metrics you define. This can raise an alarm that you set through Social Networking Service (SNS), Social Messaging Service (SMS), Instant Messenger (Ali Trade Manager only) and/or email.

0 0 0
Share on

Alibaba Clouder

602 posts | 67 followers

You may also like

Comments