snort (app) setup?

Dear Opensuse users: The only manual I could find on setting up Snort on opensuse was one which assumed you built it yourself from source - it was basically a guide to building snort. But there is a repo version of snort and pulledpork, so the question is, has anyone gotten this to work? I keep getting a weird error which I can’t google… it throws errors on every line in community.rules which doesn’t start with # (I assume commented-out).

linux-l8th:/home/patti # snort -c /etc/snort/rules/community.rules -i wlo1
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/rules/community.rules"
Tagged Packet Limit: 256
Log directory = /var/log/snort

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: /etc/snort/rules/community.rules(389) Undefined variable in the string: $SQL_SERVERS.
Fatal Error, Quitting..
linux-l8th:/home/patti # 

Hi
Where did these community rules come from, they are not part of the package from what I can see?

What is at line 389? Are you running some sql server, if so then I would imagine you need to relevant snort-somedb package instead of plain snort?

Hi Malcom: The rules come from the snort site. I think the Snort package comes ready to simply sniff packets. But if you want to listen specifically for evidence of packets from known malware, then you have to have a database of rules. That’s the community.rules package, as far as I understand it. I’m not running an sql server as far as I know. I was trying to follow the steps on the Snort.org website. For instance, Krebs gives the snort associated signature of the malware that took out Sony:

http://krebsonsecurity.com/2014/12/sony-breach-may-have-exposed-employee-healthcare-salary-data/#more-28882

The windows snort version has a more integrated setup, and I get further, but still not a fully functional system.

So I guess I am trying to set up a “targeted” intrusion detection system - using the community signatures. But there’s something I’m not “getting” about setting up snort. I can sniff packets fine, but can’t seem to grok the rules setup aspect… :\ Basically, I guess I don’t trust virus/malware/rootkit checkers to catch everything…

Hi
OK, so have you observed any malicious attacks on your system? Turned of unnecessary services? Restricted physical access? :wink:

I would guess you just need to go through the rules and weed out what you don’t need?

Doing everything I can. But not being a Wizard guarantees I will have issues at some point :slight_smile: Also, it’s sort of interesting. I have maybe 20 or so systems and have unplugged most from the LAN and instead do sneakernet, but one Win7 system stays internet-facing (with McAfee). I did see a hit or two on rkhunter on my main opensuse system. I lock all opensuse systems and have strong passwords. But the bad guys are getting sneakier and sneakier, and the antivirus people are pretty much using the same old technologies… So, learning more is usually a good idea. Hence the interest in snort. I’ve been saved before by being proactive with malware… :slight_smile:

    
    /usr/bin/lastlog                                          OK ]
    /usr/bin/ldd                                              Warning ]
    /usr/bin/less                                             OK ]
    /usr/bin/logger                                           OK ]
 

    /sbin/ifstatus                                            OK ]
    /sbin/ifup                                                Warning ]
    /sbin/init                                                OK ]
    /sbin/insmod                                              OK ]
    /sbin/ip                                                  OK ]

Often folks are on linux anyway as a way to avoid the hackability of ms. So rkhunter/snort/etc. are great to have around.

Performing system configuration file checks
    Checking for an SSH configuration file                    Found ]
    Checking if SSH root access is allowed                    Warning ]
    Checking if SSH protocol v1 is allowed                    Warning ]
    Checking for a running system logging daemon              Found ]
    Checking for a system logging configuration file          Found ]
    Checking if syslog remote logging is allowed              Not allowed ]
  Performing filesystem checks
    Checking /dev for suspicious file types                   Warning ]
    Checking for hidden files and directories                 Warning ]


Though it’s not always clear what these results mean… :slight_smile:

Hi
So configure /etc/ssh/sshd_config as required to only use V2 and disable root logins, make users login as a user first, then su - (or configure sudo as required) to root. Maybe if you need ssh, then only use keys rather than passwords?

There are always .files and .directories maybe you need to see what it’s on about? Again for /dev what it’s finding as suspicious.

rkhunter is only an indicator and does spit out it’s fair share of false positives. maybe you would be better of running Nessus https://en.wikipedia.org/wiki/Nessus_(software)

If your really paranoid, maybe run a live system or use something like tails linux derivative…

Well windows is windows to the rest of the worlds users… :slight_smile:

On 2014-12-07 03:26, PattiMichelle wrote:

> Hi Malcom: The rules come from the snort site. I think the Snort
> package comes ready to simply sniff packets. But if you want to listen
> specifically for evidence of packets from known malware, then you have
> to have a database of rules. That’s the community.rules package, as far
> as I understand it.

Interesting. I didn’t know snort could do this.

I have seen powerful, proprietary, systems routinely doing this on
Windows networks. They listen for traffic patterns, warning the
administrator, that then goes to the local machine and looks further.

I also have seen other tools that actively scan the network, seeking
“targets” and what known holes are open. For instance, machine on that
IP, named so, has windows that version, with service that version
running, that has this known hole. Or it has this version patch applied.
Not only windows holes, but Linux holes. Unfortunately, I forgot the
name of the program. It can be a double edge tool, of course.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

Thanks Again, Malcom - that Nessus looks good, but it looks like it doesn’t do intrusion detection. It’s good for hardening a system, though. Everyone seems to think in terms of hardening systems. But the whole area of intrusion detection is pretty important given the fact that most folks haven’t got a clue about cybercrime (so they leave their systems unpatched, etc.). The A/V community seems to be overwhelmed and it seems like it’s going to get much worse. Intrusion detection is sort of like setting up security cameras in your yard, rather than waiting until someone tries to actually break into your house… :expressionless:

Even though there’s an opensuse Snort package in the repo - I guess I’ll need to join the snort mailserver to get a working ids going. Really, that’s just malware scanner on the LAN, which uses traffic-detection rather than codebase-detection.

I was surprised I couldnt’ get any hits on the Forums under “snort” in the last year, other than my post

Thanks! Patti

On Sun 07 Dec 2014 05:36:02 PM CST, PattiMichelle wrote:

Thanks Again, Malcom - that Nessus looks good, but it looks like it
doesn’t do intrusion detection. It’s good for hardening a system,
though. Everyone seems to think in terms of hardening systems. But the
whole area of intrusion detection is pretty important given the fact
that most folks haven’t got a clue about cybercrime (so they leave their
systems unpatched, etc.). The A/V community seems to be overwhelmed and
it seems like it’s going to get much worse. Intrusion detection is sort
of like setting up security cameras in your yard, rather than waiting
until someone tries to actually break into your house… :expressionless:

Even though there’s an opensuse Snort package in the repo - I guess I’ll
need to join the snort mailserver to get a working ids going. Really,
that’s just malware scanner on the LAN, which uses traffic-detection
rather than codebase-detection.

I was surprised I couldnt’ get any hits on the Forums under “snort” in
the last year, other than my post

Thanks! Patti

Hi
OK, so you do need to be running a database…
http://www.andrew.cmu.edu/user/rdanyliw/snort/snortdb/snortdb_install.html

Then also install the snort-somedatabase package…

If you running services, eg apache php etc then sure, average desktop
user on linux… browser hijacking and events like that, windows viri
in email, infected docs and pdf’s… all part of life these days.

At the end of the day, it’s all PEBKAC + Social engineering…
cleaned three windows machines (well factory re-installs) yesterday all had
viruses, no running AV…

In your situation, better to have clean images and PXE booting or
provide thin clients… or get Mac’s…


Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
SUSE Linux Enterprise Desktop 12 GNOME 3.10.1 Kernel 3.12.28-4-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below… Thanks!

The snort package in 13.2 is completely fubar and doesn’t do anything by default. If you download the snortrules-snapshot-xxx.tar.gz package from the Snort website you need to do some adjustments before it’ll work.

I might do a howto or a step-by-step how to fix the snort but right now I don’t have the time. Essentially you need to decompress the snapshot rules, copy the snort/* and rules to /etc/snort, then adjust the snort.conf included with the snapshot to point to the right libdir (it points to local when it should be lib64/snort), create empty black_list.rules and white_list.rules, remove dynamicdetection since its not used…

Yeah I think I’ll just do a write up on this tomorrow seeing as it has a few steps.

Thanks for the wordness, Tsu! I got as far as trouble loading the libraries. Apparently there are a lot of them. I got the rules into /etc/snort/rules (but that doesn’t matter too much since you can fire it up with a command line path to the .rules). The libdirs was a problem, but also snort didn’t know how to interpret the rules in community.rules. That may be a library problem, or maybe related to those other missing files you mention. The Snort documents tell you how to sniff, as well as how to set up an automated, proactive IDS system, but sort of skip over how to simply sniff for known “bad” packets (packets from malware) and only log those (ignoring others). - a “passive” IDS…

I also didn’t see how to configure the system firewall for snort - there were hints that is automatic… But I also saw an implication that you have to leave all ports open. That can’t be right! In order to do that, you would have to run Snort in a VM or something to protect the host OS. I guess I still don’t have an integrated picture of how this network stuff works - more reading needed!

Thanks Again,
Patricia

On 12/06/2014 09:56 PM, PattiMichelle wrote:
>
> malcolmlewis;2681252 Wrote:
>> Hi
>> OK, so have you observed any malicious attacks on your system? Turned of
>> unnecessary services? Restricted physical access? :wink:
>>
>> I would guess you just need to go through the rules and weed out what
>> you don’t need?
>
> Doing everything I can. But not being a Wizard guarantees I will have
> issues at some point :slight_smile:

Even “Wizards” had to go to school at some point, just at Harry Potter. :slight_smile:

Ken

On Mon 08 Dec 2014 02:43:16 PM CST, Ken Schneider wrote:

On 12/06/2014 09:56 PM, PattiMichelle wrote:
>
> malcolmlewis;2681252 Wrote:
>> Hi
>> OK, so have you observed any malicious attacks on your system?
>> Turned of unnecessary services? Restricted physical access? :wink:
>>
>> I would guess you just need to go through the rules and weed out what
>> you don’t need?
>
> Doing everything I can. But not being a Wizard guarantees I will have
> issues at some point :slight_smile:

Even “Wizards” had to go to school at some point, just at Harry
Potter. :slight_smile:

Ken

Yup
Head to snortwarts via geeko station platform 13.2… :wink:


Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
SUSE Linux Enterprise Desktop 12 GNOME 3.10.1 Kernel 3.12.28-4-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below… Thanks!

That was Miuku’s suggestions… :slight_smile:

FYI -
Personally,nowadays I’m less satisfied with running traditional IDS like Snort because I really have no idea how effective it is at actually finding anything. It’s still important as a kind of “security blanket” – In some companies it’s important to demonstrate you’ve done all you can if there is an incident, but it can contribute to a false sense of security (could this be part of Sony’s problem which besides the landmark hacking in the news today has a long history of various networking and coding incidents?)

So, my personal 2-pronged strategy today is

  • Using Big Data type tools (Hadoop type) to collect and analyze data. Only this kind of data collection can store the enormous amounts of data for adequate detection and analysis, no traditional normalized database can hold this kind of quantity and perform search/analysis adequately. The problem today is that although you can search for anything you want to, that requires fore-knowledge. If you <really> want to extract information about the data you need to perform analysis and today the tools are in the process of being built, nothing is really ready for prime time yet. But, we’re getting there… similar analysis discovering financial fraud going over a decade or more of historical data can be re-applied to network analysis. The diff between this and something like snort is that you might or might not write rules, you can also ask the analysis engine to mine for new patterns (rules) on its own.

  • Nowadays, I put more faith in pen(atration) testing. This requires knowledge and deep understanding of the network, content on the network and applications (services). From that, you can do targeted investigations for vulnerabilities. Instead of sniffing and filtering all network traffic, the pen tester methodically hardens parts of the network.

I’m not saying that snort should not be used, it’s a practical solution for those on a budget and maybe also a good backstop for things that may be overlooked. At least if it catches something in progress you hopefully would catch the problem in a timely manner instead of discovering what has happened only after your entire company has been emptied like Sony.

TSU

Hi Miuku - did you ever write that up? :slight_smile:

Personally,nowadays I’m less satisfied with running traditional IDS like Snort because I really have no idea how effective it is at actually finding anything. It’s still important as a kind of “security blanket” – In some companies it’s important to demonstrate you’ve done all you can if there is an incident, but it can contribute to a false sense of security (could this be part of Sony’s problem which besides the landmark hacking in the news today has a long history of various networking and coding incidents?)

Thank you very much, Tsu. I sort of agree from the Network Security Professional (which I’m not) point of view - I’m just a user. But we did have one corporate run in with a virus (or something) which shut down the company for a few days. Back in those days, folks used to turn off their Norton Antivirus to gain performance. I never turned mine off because of paranoia - so my computer actually caught the virus and sequestered it so I was protected. Most folks were not. So my motto now is to use all available background protection systems. Snort is basically an antivirus-like-thing that listens to the network, which McAffe does not. The more senses you have, the better. Also, Krebs mentioned the Snort signature of the bot which emptied Sony. That’s a pretty big vote on Snort, in my eyes.

So, my personal 2-pronged strategy today is

  • Using Big Data type tools (Hadoop type) to collect and analyze data. Only this kind of data collection can store the enormous amounts of data for adequate detection and analysis, no traditional normalized database can hold this kind of quantity and perform search/analysis adequately. The problem today is that although you can search for anything you want to, that requires fore-knowledge. If you <really> want to extract information about the data you need to perform analysis and today the tools are in the process of being built, nothing is really ready for prime time yet. But, we’re getting there… similar analysis discovering financial fraud going over a decade or more of historical data can be re-applied to network analysis. The diff between this and something like snort is that you might or might not write rules, you can also ask the analysis engine to mine for new patterns (rules) on its own.
  • Nowadays, I put more faith in pen(atration) testing. This requires knowledge and deep understanding of the network, content on the network and applications (services). From that, you can do targeted investigations for vulnerabilities. Instead of sniffing and filtering all network traffic, the pen tester methodically hardens parts of the network.

I’m not saying that snort should not be used, it’s a practical solution for those on a budget and maybe also a good backstop for things that may be overlooked. At least if it catches something in progress you hopefully would catch the problem in a timely manner instead of discovering what has happened only after your entire company has been emptied like Sony.

TSU

I think this is a great idea, but I have nowhere near enough technical skills to do this. :frowning: I’m a scientist, not IT. I am guessing this is what my IT department is doing. If I never find anything with Snort, that is great! :slight_smile: But after taking graduate level classes in crypto and cybercrime, I realized it would be remiss of me not to run Snort on LANs I access. So I content myself with being backstop and maybe, just maybe, finding that one small thing which was overlooked. :slight_smile:

I remember reading about hadoop. It came up in our cyberecrime class. But the bad guys are now doing “big data” and corporate organization - whereas the McAffe’s are still stuck doing essentially the same things they did in the 90’s. The main goal for Snort is my home LAN, but if I can figure out how to get it going, I’d prolly run it on the work LAN also. That’s how torpig was found, yes? (small time folks stumbling onto something unknown). My main goal is to avoid being botted/rootkitted - and that sort of thing is most likely coming to Linux in a big way in the future, although I’ve seen recent writeups that the bad guy’s tactics seem to be shifting again… this time toward money-starved server systems and abandoned IPs.

A battle is a-brewing. We need a good way to deny resources to the bad guys before they get so big that they take over the key organizations. History has shown over and over that denial of resources is a good way to “contain” the bad guys’ ability to do bad.

Patricia

Head to snortwarts via geeko station platform 13.2… :wink:

:confused: … Ummmm … :confused: :shame:

Even “Wizards” had to go to school at some point, just at Harry Potter. :slight_smile:

Ken

Hah - you’re right. But there’s a significant nonlinearity here. You cannot properly climb a tree unless you first find the trunk. I just jumped across to a *nix branch from a nearby tree. rotfl!

On Tue 16 Dec 2014 06:06:01 PM CST, PattiMichelle wrote:

Head to snortwarts via geeko station platform 13.2… :wink:

:confused: … Ummmm … :confused: :shame:

The openSUSE mascot ‘geeko’ and the Harry Potter reference…


Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
SUSE Linux Enterprise Desktop 12 GNOME 3.10.1 Kernel 3.12.28-4-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below… Thanks!

LOL! - so are you saying I should upgrade to 13.2 (e.g., to make the snort thing easier)? :slight_smile: