Snort IDS lab

Paul Boz (Member, Posts: 2,621)
Tonight I set up a lab for experimenting with Snort. For this lab I used:

Lab:

3550 switch
4 hosts
1 vlan
1 EasyIDS server

Setup

EasyIDS:

Download EasyIDS from the EasyIDS website
Install on a piece of hardware or in a VM with two NICs
Follow instructions on the site the download resides on
Make sure you place the sensor NIC in promiscuous mode (ifconfig eth1 promisc) from EasyIDS root

Network:

a. Create VLAN 10 and make an SVI with the gateway IP address 192.168.30.1 /24
b. Place all four hosts into VLAN 10
c. configure all hosts with the default gateway of the VLAN 10 SVI
d. In the switch, configure a VSPAN port and mirror the traffic to the port which the EasyIDS server is plugged into.
e. Go hog wild with scanners, exploits, and packet generators
f. Watch snort alerts in BASE to ensure that Snort is operational

Figure 1: Out of the box alerts from running a port scan against the IDS sensor's listening interface [image: snort_alerts.png]

This is a basic install of EasyIDS and a test for functionality. Through the next few months I'll be updating this with more in-depth labs such as custom rules, rule tuning, and alerting options.
CCNP | CCIP | CCDP | CCNA, CCDA
CCNA Security | GSEC |GCFW | GCIH | GCIA
[email protected]
http://twitter.com/paul_bosworth
Blog: http://www.infosiege.net/

Comments

  • JDMurray (Admin, Surf City, USA; Posts: 11,667)
    I sense a Snort technote in the making. ;)

    I have got to try Snort in a VM in VMware ESXi 4.0. I'll bet I can get that sucker Snorting a full, 56-port vSwitch.

    How ever will I sort through all that data...
  • carboncopy (Member, Posts: 259)
    The advantage of having the switch would be to see the traffic for all internal workstations? Like if one workstation was being attacked internally, snort would pick it up?

    In a home environment if you just wanted to experiment, would it suffice to have EasyIDS on a computer with 2 interfaces, one interface connected to the modem and the other to your wireless router for example?

    That should be able to catch all traffic coming from the internet to your network.... right?
  • kalebksp (Member, Posts: 1,033)
    JDMurray wrote: »
    I have got to try Snort in a VM in VMware ESXi 4.0. I'll bet I can get that sucker Snorting a full, 56-port vSwitch.

    You may know this already, but for the benefit of others that may want to try something like this in ESX/ESXi. If you go to the properties of your vSwitch, then edit the vSwitch, you can set Promiscuous Mode to Accept on the Security tab. After this has been set, any vNIC set to promiscuous mode (for example, by Wireshark or Snort) will receive all traffic on the vSwitch. Pretty handy for labbing.
  • dynamik (Banned, Posts: 12,314)
    "Hog wild" was a terrible pun dude

    I just configured a micro-ATX Celeron system on NewEgg for $180. I might order that next pay day and place it right off my cable modem. I think it'd be much more interesting to see what's coming in than just working with my own traffic.
  • carboncopy (Member, Posts: 259)
    dynamik wrote: »
    "Hog wild" was a terrible pun dude

    I just configured a micro-ATX Celeron system on NewEgg for $180. I might order that next pay day and place it right off my cable modem. I think it'd be much more interesting to see what's coming in than just working with my own traffic.

    That's what I was referring to. I've had this on hold for so long now and haven't had time to implement
  • Deadly,

    Was planning on setting up a box with Snort and SnortSnarf.
    "There are 3 types of people in this world, those who can count and those who can't"
  • JDMurray (Admin, Surf City, USA; Posts: 11,667)
    carboncopy wrote: »
    The advantage of having the switch would be to see the traffic for all internal workstations? Like if one workstation was being attacked internally, snort would pick it up?
    Yes, exactly. Red Team/Blue Team VMs going back-and-forth at each other, and a White Team VM running Snort having a look at it all.
    kalebksp wrote: »
    You may know this already, but for the benefit of others that may want to try something like this in ESX/ESXi. If you go to the properties of your vSwitch, then edit the vSwitch, you can set Promiscuous Mode to Accept on the Security tab. After this has been set, any vNIC set to promiscuous mode (for example, by Wireshark or Snort) will receive all traffic on the vSwitch. Pretty handy for labbing.
    I know about it, but haven't tried it yet. I've noticed some virtual router software doesn't work unless the vSwitch is in promiscuous mode.
    dynamik wrote: »
    I just configured a micro-ATX Celeron system on NewEgg for $180. I might order that next pay day and place it right off my cable modem. I think it'd be much more interesting to see what's coming in than just working with my own traffic.
    I've also been wanting to hang a bunch of VM honeypots off my DMZ to see what bad stuff is typically blocked by my firewall. The tough part is the postmortem analysis of the VMs to find out what has happened to them.
  • Paul Boz (Member, Posts: 2,621)
    dynamik wrote: »
    "Hog wild" was a terrible pun dude

    Yeah you like that huh?

    Good idea on installing Snort on your external network. You'll definitely see a ton of random crap. It's a great way to learn rule tuning. I just bought an older Netgear 10/100 hub on ebay to use as a ghetto ethernet tap on my external network. Cable modem -> 2621 -> hub with IDS -> Raver Router (oontz oontz)
    carboncopy wrote: »
    The advantage of having the switch would be to see the traffic for all internal workstations? Like if one workstation was being attacked internally, snort would pick it up?

    Using a switch is actually a disadvantage because switches break up broadcast domains, making it difficult to see traffic being sent to all hosts. Typically in a switched environment an IDS will only see broadcast traffic if plugged into a standard switchport. To mitigate this I created a VLAN for the hosts that I wanted to monitor then created a SPAN port on that VLAN. The VSPAN port mirrors all of the traffic on that VLAN to a copy port that the IDS is plugged into. This allows the IDS to see all of the traffic to the systems configured in the VLAN which is being monitored.
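The switch side of the lab from the original post (VLAN 10, the SVI at 192.168.30.1/24, four access ports, and the VSPAN session that feeds the EasyIDS sensor port Paul describes above), written out as Catalyst IOS configuration. This is an added example and not the thread author's configuration; the interface names (FastEthernet0/1-4 for the hosts, FastEthernet0/24 for the sensor), the VLAN name and the session number are assumptions, and only the VLAN number and gateway address come from the thread.

```cisco
! Added example: Catalyst 3550-style IOS config for the lab in this thread.
! Assumed: hosts on Fa0/1-4, EasyIDS sniffing NIC on Fa0/24, monitor session 1.
configure terminal
!
vlan 10
 name IDS-LAB
!
! SVI = default gateway for the four hosts (address from the thread)
interface Vlan10
 ip address 192.168.30.1 255.255.255.0
 no shutdown
!
! Put the four lab hosts into VLAN 10 as access ports
interface range FastEthernet0/1 - 4
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 no shutdown
!
! VSPAN: mirror VLAN 10 to the port the sensor's promiscuous NIC is on.
! 'rx' is enough here: every frame that enters the switch on any VLAN 10
! port is copied once. 'both' would copy each intra-VLAN frame twice
! (once on ingress, once on egress) and double the load on the SPAN port.
monitor session 1 source vlan 10 rx
monitor session 1 destination interface FastEthernet0/24
!
end
!
! Verification: the session should list VLAN 10 as source and Fa0/24 as
! destination; on the sensor, ifconfig eth1 should show the PROMISC flag.
show monitor session 1
show interfaces FastEthernet0/24 | include line protocol
```

Two things worth knowing when reproducing this: a SPAN destination port does not pass normal traffic, so the sensor's management NIC (eth0 on EasyIDS) belongs on an ordinary access port, not on Fa0/24; and mirroring only the receive direction halves the worst-case load on the destination port, which matters for the oversubscription question raised later in this thread.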
  • JDMurray (Admin, Surf City, USA; Posts: 11,667)
    Paul Boz wrote: »
    To mitigate this I created a VLAN for the hosts that I wanted to monitor then created a SPAN port on that VLAN. The VSPAN port mirrors all of the traffic on that VLAN to a copy port that the IDS is plugged into. This allows the IDS to see all of the traffic to the systems configured in the VLAN which is being monitored.
    But how much traffic can a single SPAN port handle before it starts dropping packets? A single 1000BaseT port can be overwhelmed by the traffic from a couple of dozen 100BaseT ports in the same VLAN on a very busy network.
  • Paul Boz (Member, Posts: 2,621)
    JDMurray wrote: »
    But how much traffic can a single SPAN port handle before it starts dropping packets? A single 1000BaseT port can be overwhelmed by the traffic from a couple of dozen 100BaseT ports in the same VLAN on a very busy network.

    It depends on how you intend to use the IDS. A single SPAN port as you said can support at least a couple dozen 100BaseT ports. The most common method of deployment for an IDS is on the DMZ or core network. These types of networks usually support under 20 systems, making a single SPAN port on a decent switch sufficient. You can also either have multiple SPAN ports or use a SPAN port with higher bandwidth.

    It really comes down to placement choice. Where you place the IDS determines what monitoring options you have.
  • carboncopy (Member, Posts: 259)
    Paul Boz wrote: »
    The most common method of deployment for an IDS is on the DMZ or core network.

    It really comes down to placement choice. Where you place the IDS determines what monitoring options you have.

    Since you mentioned DMZ. If your computer only has one interface, it can be placed in the DMZ and it should still be able to catch everything right?
  • JDMurray (Admin, Surf City, USA; Posts: 11,667)
    carboncopy wrote: »
    Since you mentioned DMZ. If your computer only has one interface, it can be placed in the DMZ and it should still be able to catch everything right?
    Yes, assuming your DMZ is directly between your computer and your outside router in a dual-firewall setup. If you have only a single firewall, and your router sends all DMZ traffic to a different network on a separate port, you won't be monitoring the actual traffic that gets to your computer. Two Snort boxes--one on the outside of the outer router/firewall and one just on the inside--would show you what is and isn't getting inside your network using either firewall configuration.
  • Paul Boz (Member, Posts: 2,621)
    Quick solution to that is to clone the VM image of EasyIDS once you've set it up then install it in a different VM. Map to a different NIC and you're set. Just have each VM monitoring the specific subnets you wish to view.
  • carboncopy (Member, Posts: 259)
    JDMurray wrote: »
    Yes, assuming your DMZ is directly between your computer and your outside router in a dual-firewall setup. If you have only a single firewall, and your router sends all DMZ traffic to a different network on a separate port, you won't be monitoring the actual traffic that gets to your computer. Two Snort boxes--one on the outside of the outer router/firewall and one just on the inside--would show you what is and isn't getting inside your network using either firewall configuration.

    Ok cool!

    I went ahead and did this when I got home in the morning. I have EasyIDS running on a Dell Inspiron 4100.

    I placed it in the DMZ and everything is working fine :)
  • Paul Boz (Member, Posts: 2,621)
    Awesome, glad to see others using this awesome technology :)
  • L0gicB0mb508 (Member, Posts: 538)
    Ah I love snort. I've built a couple production snort boxes. BASE is about the best front end for Snort you can find. Prelude is also another log management system that is pretty good for multiple snort boxes. If you are a subscriber to the rule sets you may want to check out Oinkmaster. It gives you the option to pull rule updates from Snort as well as 3rd party rules (emergingthreats.net). You can run the perl script as needed, or set it up as a cron job.

    I agree with you Paul that a spanned port on a core switch is about the easiest way to do one. Snort also can be placed inline. I don't know if this has improved any, but for a while it wasn't a very good option.

    My Snort setups were usually as follows:
    Dedicated appliance with 2 NICs (one to sniff, one for management)
    CentOS Linux
    BASE web management
    Oinkmaster for rule updates (do yourself a favor and get the Emerging Threats rule set)
    I bring nothing useful to the table...
  • dynamik (Banned, Posts: 12,314)
    I need to give my finances another look, but I think I'm going to order that little box on Friday and then give this a shot: EnigmaCurry
  • Paul Boz (Member, Posts: 2,621)
    Snort also can be placed inline. I don't know if this has improved any, but for a while it wasn't a very good option.

    My Snort setups were usually as follows:
    Dedicated appliance with 2 NICs (one to sniff, one for management)
    CentOS Linux
    BASE web management
    Oinkmaster for rule updates (do yourself a favor and get the Emerging Threats rule set)

    Snort inline isn't something that I want to do, mostly for the reasons which you described. If the device does not need to take action on the packets it shouldn't have to touch them. The EasyIDS .iso I used is built on CentOS, BASE, and has oinkcode support for automatic updates. It's a pretty slick interface.
    dynamik wrote: »
    I need to give my finances another look, but I think I'm going to order that little box on Friday and then give this a shot: EnigmaCurry

    Why spend money on a new box? Just virtualize it and map a snort interface to a real NIC.
  • dynamik (Banned, Posts: 12,314)
    Because none of my USB NICs work with Vista/7

    It'd take much less electricity to keep a little Celeron box on compared to my main system too.
  • carboncopy (Member, Posts: 259)
    I am curious as to what is my cheapest option as far as hardware that I can use to make a remote sensor. The cheapest thing I have found the Acer Aspire Revo for $200. Anyone else know of anything cheaper that I can use?

    Newegg.com - Acer Aspire Revo AR1600-U910H Intel Atom 230(1.6GHz) 1GB DDR2 160GB NVIDIA ION LE graphics Windows XP Home - Desktop PCs
  • L0gicB0mb508 (Member, Posts: 538)
    You can use any older PC just to make a small lab sensor. As long as it had like 512MB of RAM and let's say 40GB of hard drive it would work fine for a lab.
  • carboncopy (Member, Posts: 259)
    You can use any older PC just to make a small lab sensor. As long as it had like 512MB of RAM and let's say 40GB of hard drive it would work fine for a lab.

    I already have several old laptops that I can use. I was wondering if I ended up needing another one, what could be recommended. Something cheap and small that I can use.

    Unfortunately I was running my setup on a P3, 128MB RAM laptop and it would not last 1 day running because it would run out of RAM and shut down. That same laptop used to be my PDC about 2 years ago and ran fine
  • carboncopy (Member, Posts: 259)
    Paul Boz wrote: »
    Why spend money on a new box? Just virtualize it and map a snort interface to a real NIC.

    How do I go about mapping a snort interface to the real NIC? Right now the EasyIDS VM has 2 NICs. Both are set to NAT. What should they be changed to?
  • dynamik (Banned, Posts: 12,314)
    carboncopy wrote: »
    How do I go about mapping a snort interface to the real NIC? Right now the EasyIDS VM has 2 NICs. Both are set to NAT. What should they be changed to?

    Um, bridged would probably be best.

    I built one of these: EnigmaCurry

    And then bonded two USB NICs in CentOS 5 on an old Dell 600M laptop.

    Network Card Bonding On CentOS | HowtoForge - Linux Howtos and Tutorials

    http://www.cyberciti.biz/howto/question/static/linux-ethernet-bonding-driver-howto.php
  • L0gicB0mb508 (Member, Posts: 538)
    carboncopy wrote: »
    I already have several old laptops that I can use. I was wondering if I ended up needing another one, what could be recommended. Something cheap and small that I can use.

    Unfortunately I was running my setup on a P3, 128MB RAM laptop and it would not last 1 day running because it would run out of RAM and shut down. That same laptop used to be my PDC about 2 years ago and ran fine

    pm'd you a couple ideas on your set up.
  • carboncopy (Member, Posts: 259)
    dynamik wrote: »
    Um, bridged would probably be best.

    I built one of these: EnigmaCurry

    And then bonded two USB NICs in CentOS 5 on an old Dell 600M laptop.

    Network Card Bonding On CentOS | HowtoForge - Linux Howtos and Tutorials

    http://www.cyberciti.biz/howto/question/static/linux-ethernet-bonding-driver-howto.php

    I am going to try to set it up using VMware Workstation. One question I would like to have answered is if I had a VM with EasyIDS installed on it and I connected my laptop directly to the modem, would both the host OS (Windows XP) and the EasyIDS VM use the public IP? I am thinking that I would have to avoid NAT to get this to work.

    Is there a way for the VM to receive the Public IP instead of the host? What would happen if I connect the computer directly to the modem, and set the VM to bridged networking? I would think that it would not use NAT because I don't have a device to do the NAT.

    It would be much easier if I tried this at home, but I don't have my laptop with me at the moment
  • dynamik (Banned, Posts: 12,314)
    It would be software NAT; you wouldn't need another device. And that's not what you want to use since unsolicited traffic will get discarded.

    Do you have another public IP you can assign to the bridged interface?
  • Paul Boz (Member, Posts: 2,621)
    I'm getting this set up again, but this time I'm going to try to use one of my company's old scanner appliances. They're 512MB micro-ATX boards in 1U rackmount chassis. Some of them have two NICs and they have USB, so I can install EasyIDS without any problems.
  • carboncopy (Member, Posts: 259)
    Paul Boz wrote: »
    I'm getting this set up again, but this time I'm going to try to use one of my company's old scanner appliances. They're 512MB micro-ATX boards in 1U rackmount chassis. Some of them have two NICs and they have USB, so I can install EasyIDS without any problems.

    I got my final setup done about a month ago. I am using two Compaq tablets. One for the IDS and the other using Zeroshell as a router/dns/dhcp, etc... Seems to be working pretty good.

    I purchased a small 4 port netgear switch that has port mirroring. Gets the job done :)