Snort IDS lab
Paul Boz
Member Posts: 2,620 ■■■■■■■■□□
Tonight I set up a lab for experimenting with Snort. For this lab I used:
Lab:
3550 switch
4 hosts
1 vlan
1 EasyIDS server
Setup
EasyIDS:
Download EasyIDS from EasyIDS
Install on a piece of hardware or in a VM with two NICs
Follow instructions on the site the download resides on
Make sure you place the sensor NIC in promiscuous mode (ifconfig eth1 promisc) from EasyIDS root
Network:
a. Create VLAN 10 and make an SVI with the gateway IP address 192.168.30.1 /24
b. place all four hosts into VLAN 10
c. configure all hosts with the default gateway of the VLAN 10 SVI
d. In the switch, configure a VSPAN port and mirror the traffic to the port which the EasyIDS server is plugged into.
e. Go hog wild with scanners, exploits, and packet generators
f. Watch snort alerts in BASE to ensure that Snort is operational
Figure 1: Out of the box alerts from running a port scan against the IDS sensor's listening interface:
This is a basic install of EasyIDS and a test for functionality. Through the next few months I'll be updating this with more in-depth labs such as custom rules, rule tuning, and alerting options.
Lab:
3550 switch
4 hosts
1 vlan
1 EasyIDS server
Setup
EasyIDS:
Download EasyIDS from EasyIDS
Install on a piece of hardware or in a VM with two NICs
Follow instructions on the site the download resides on
Make sure you place the sensor NIC in promiscuous mode (ifconfig eth1 promisc) from EasyIDS root
Network:
a. Create VLAN 10 and make an SVI with the gateway IP address 192.168.30.1 /24
b. place all four hosts into VLAN 10
c. configure all hosts with the default gateway of the VLAN 10 SVI
d. In the switch, configure a VSPAN port and mirror the traffic to the port which the EasyIDS server is plugged into.
e. Go hog wild with scanners, exploits, and packet generators
f. Watch snort alerts in BASE to ensure that Snort is operational
Figure 1: Out of the box alerts from running a port scan against the IDS sensor's listening interface:
This is a basic install of EasyIDS and a test for functionality. Through the next few months I'll be updating this with more in-depth labs such as custom rules, rule tuning, and alerting options.
CCNP | CCIP | CCDP | CCNA, CCDA
CCNA Security | GSEC |GCFW | GCIH | GCIA
pbosworth@gmail.com
http://twitter.com/paul_bosworth
Blog: http://www.infosiege.net/
CCNA Security | GSEC |GCFW | GCIH | GCIA
pbosworth@gmail.com
http://twitter.com/paul_bosworth
Blog: http://www.infosiege.net/
Comments
-
JDMurray Admin Posts: 13,101 AdminI sense a Snort technote in the making.
I have got to try Snort in a VM in VMware ESXi 4.0. I'll bet I can get that sucker Snorting a full, 56-port vSwitch.
How ever will I sort through all that data... -
carboncopy Member Posts: 259The advantage of having the switch would be to see the traffic for all internal workstations? Like if one workstation was being attacked internally, snort would pick it up?
In a home environment if you just wanted to experiment, would it suffice to have EasyIDS on a computer with 2 interfaces, one interface connected to the modem and the other to your wireless router for example?
That should be able to catch all traffic coming from the internet to your network.... right? -
kalebksp Member Posts: 1,033 ■■■■■□□□□□I have got to try Snort in a VM in VMware ESXi 4.0. I'll bet I can get that sucker Snorting a full, 56-port vSwitch.
You may know this already, but for the benefit of others that may want to try something like this in ESX/ESXi. If you go to the properties of your vSwitch, then edit the vSwitch, you can set Promiscuous Mode to Accept on the Security tab. After this has been set, any vNIC set to promiscuous mode (for example, by Wireshark or Snort) will receive all traffic on the vSwitch. Pretty handy for labbing. -
dynamik Banned Posts: 12,312 ■■■■■■■■■□"Hog wild" was a terrible pun dude
I just configured a micro-ATX Celeron system on NewEgg for $180. I might order that next pay day and place it right off my cable modem. I think it'd be much more interesting to see what's coming in than just working with my own traffic. -
carboncopy Member Posts: 259"Hog wild" was a terrible pun dude
I just configured a micro-ATX Celeron system on NewEgg for $180. I might order that next pay day and place it right off my cable modem. I think it'd be much more interesting to see what's coming in than just working with my own traffic.
That's what I was referring to. I've had this on hold for so long now and haven't had time to implement -
ConstantlyLearning Member Posts: 445Deadly,
Was planning on setting up a box with Snort and SnortSnarf."There are 3 types of people in this world, those who can count and those who can't" -
JDMurray Admin Posts: 13,101 Admincarboncopy wrote: »The advantage of having the switch would be to see the traffic for all internal workstations? Like if one workstation was being attacked internally, snort would pick it up?You may know this already, but for the benefit of others that may want to try something like this in ESX/ESXi. If you go to the properties of your vSwitch, then edit the vSwitch, you can set Promiscuous Mode to Accept on the Security tab. After this has been set, any vNIC set to promiscuous mode (for example, by Wireshark or Snort) will receive all traffic on the vSwitch. Pretty handy for labbing.I just configured a micro-ATX Celeron system on NewEgg for $180. I might order that next pay day and place it right off my cable modem. I think it'd be much more interesting to see what's coming in than just working with my own traffic.
-
Paul Boz Member Posts: 2,620 ■■■■■■■■□□"Hog wild" was a terrible pun dude
Yeah you like that huh?
Good idea on installing Snort on your external network. You'll definitely see a ton of random crap. It's a great way to learn rule tuning. I just bought an older Netgear 10/100 hub on ebay to use as a ghetto ethernet tap on my external network. Cable modem -> 2621 -> hub with IDS -> Raver Router (oontz oontz)carboncopy wrote: »The advantage of having the switch would be to see the traffic for all internal workstations? Like if one workstation was being attacked internally, snort would pick it up?
Using a switch is actually a disadvantage because switches break up broadcast domains, making it difficult to see traffic being sent to all hosts. Typically in a switched environment an IDS will only see broadcast traffic if plugged into a standard switchport. To mitigate this I created a VLAN for the hosts that I wanted to monitor then created a SPAN port on that VLAN. The VSPAN port mirrors all of the traffic on that VLAN to a copy port that the IDS is plugged into. This allows the IDS to see all of the traffic to the systems configured in the VLAN which is being monitored.CCNP | CCIP | CCDP | CCNA, CCDA
CCNA Security | GSEC |GCFW | GCIH | GCIA
pbosworth@gmail.com
http://twitter.com/paul_bosworth
Blog: http://www.infosiege.net/ -
JDMurray Admin Posts: 13,101 AdminTo mitigate this I created a VLAN for the hosts that I wanted to monitor then created a SPAN port on that VLAN. The VSPAN port mirrors all of the traffic on that VLAN to a copy port that the IDS is plugged into. This allows the IDS to see all of the traffic to the systems configured in the VLAN which is being monitored.
-
Paul Boz Member Posts: 2,620 ■■■■■■■■□□But how much traffic can a single SPAN port handle before it starts dropping packets? A single 1000BaseT port can be overwhelmed by the traffic from a couple of dozen 100BaseT ports in the same VLAN on a very busy network.
It depends on how you intend to use the IDS. A single span port as you said can support at least a couple dozen 100base T ports. The most common method of deployment for an IDS is on the DMZ or core network. These types of networks usually support under 20 systems, making a single span port on a decent switch sufficient. You can also either have multiple span ports or use a span port with higher bandwidth.
It really comes down to placement choice. Where you place the IDS determines what monitoring options you have.CCNP | CCIP | CCDP | CCNA, CCDA
CCNA Security | GSEC |GCFW | GCIH | GCIA
pbosworth@gmail.com
http://twitter.com/paul_bosworth
Blog: http://www.infosiege.net/ -
carboncopy Member Posts: 259The most common method of deployment for an IDS is on the DMZ or core network.
It really comes down to placement choice. Where you place the IDS determines what monitoring options you have.
Since you mentioned DMZ. If your computer only has one interface, it can be placed in the DMZ and it should still be able to catch everything right? -
JDMurray Admin Posts: 13,101 Admincarboncopy wrote: »Since you mentioned DMZ. If your computer only has one interface, it can be placed in the DMZ and it should still be able to catch everything right?
-
Paul Boz Member Posts: 2,620 ■■■■■■■■□□Quick solution to that is to clone the VM image of EasyIDS once you've set it up then install it in a different VM. Map to a different NIC and you're set. Just have each VM monitoring the specific subnets you wish to view.CCNP | CCIP | CCDP | CCNA, CCDA
CCNA Security | GSEC |GCFW | GCIH | GCIA
pbosworth@gmail.com
http://twitter.com/paul_bosworth
Blog: http://www.infosiege.net/ -
carboncopy Member Posts: 259Yes, assuming your DMZ is directly between your computer and your outside router in a dual-firewall setup. If you have only a single firewall, and your router sends all DMZ traffic to a different network on a separate port, you won't be monitoring the actual traffic that gets to your computer. Two Snort boxes--one on the outside of the outer router/firewall and one just on the inside--would show you what is and isn't getting inside your network using either firewall configuration.
Ok cool!
I went ahead and did this when I got home in the morning. I have EasyIDS running on a Dell Inspiron 4100.
I placed it in the DMZ and everything is working fine -
Paul Boz Member Posts: 2,620 ■■■■■■■■□□Awesome, glad to see others using this awesome technologyCCNP | CCIP | CCDP | CCNA, CCDA
CCNA Security | GSEC |GCFW | GCIH | GCIA
pbosworth@gmail.com
http://twitter.com/paul_bosworth
Blog: http://www.infosiege.net/ -
L0gicB0mb508 Member Posts: 538Ah I love snort. I've built a couple production snort boxes. BASE is about the best front end for Snort you can find. Prelude is also another log management system that is pretty good for multiple snort boxes. If you are a subscriber to the rule sets you may want to check out Oinkmaster. It gives you the option to pull rule updates from Snort as well as 3rd party rules (emergingthreats.net). You can run the perl script as needed, or set it up as a cron job.
I agree with you Paul that a spanned port on a core switch is about the easiest way to do one. Snort also can be placed inline. I don't know if this has improved any, but for a while it wasn't a very good option.
My Snort setups were usually as follows:
Dedicated Appliance with 2 NICS (one to sniff, one for management)
CentOS Linux
Base web management
Oinkmaster for rule updates (do yourself a favor and get the Emerging Threats rule set)I bring nothing useful to the table... -
dynamik Banned Posts: 12,312 ■■■■■■■■■□I need to give my finances another look, but I think I'm going to order that little box on Friday and then give this a shot: EnigmaCurry
-
Paul Boz Member Posts: 2,620 ■■■■■■■■□□L0gicB0mb508 wrote: »Snort also can be placed inline. I don't know if this has improved any, but for a while it wasn't a very good option.
My Snort setups were usually as follows:
Dedicated Appliance with 2 NICS (one to sniff, one for management)
CentOS Linux
Base web management
Oinkmaster for rule updates (do yourself a favor and get the Emerging Threats rule set)
Snort inline isn't something that I want to do, mostly for the reasons which you described. If the device does not need to take action on the packets it shouldn't have to touch them. The EasyIDS .iso I used is built on CentOS, BASE, and has oink code support for automatic updates. It's a pretty slick interface.I need to give my finances another look, but I think I'm going to order that little box on Friday and then give this a shot: EnigmaCurry
Why spend money on a new box? Just virtualize it and map a snort interface to a real NIC.CCNP | CCIP | CCDP | CCNA, CCDA
CCNA Security | GSEC |GCFW | GCIH | GCIA
pbosworth@gmail.com
http://twitter.com/paul_bosworth
Blog: http://www.infosiege.net/ -
dynamik Banned Posts: 12,312 ■■■■■■■■■□Because none of my USB NICs work with Vista/7
It'd take much less electricity to keep a little Celeron box on compared to my main system too. -
carboncopy Member Posts: 259I am curious as to what is my cheapest option as far as hardware that I can use to make a remote sensor. The cheapest thing I have found the Acer Aspire Revo for $200. Anyone else know of anything cheaper that I can use?
Newegg.com - Acer Aspire Revo AR1600-U910H Intel Atom 230(1.6GHz) 1GB DDR2 160GB NVIDIA ION LE graphics Windows XP Home - Desktop PCs -
L0gicB0mb508 Member Posts: 538You can use any older pc just to make a small lab sensor. As long as it had like 512mb of ram and let's say 40gb of hard drive it would work fine for a lab.I bring nothing useful to the table...
-
carboncopy Member Posts: 259L0gicB0mb508 wrote: »You can use any older pc just to make a small lab sensor. As long as it had like 512mb of ram and let's say 40gb of hard drive it would work fine for a lab.
I already have several old laptops that I can use. I was wondering if I ended up needing another one, what could be recommended. Something cheap and small that I can use.
Unfortunately I was running my setup on a P3, 128MB ram laptop and it would not last 1 day running because it would run out of ram and shutdown. That same laptop used to be my PDC about 2 years ago and ran fine -
carboncopy Member Posts: 259Why spend money on a new box? Just virtualize it and map a snort interface to a real NIC.
How do I go about mapping a snort interface to the real NIC? Right now the EasyIDS VM has 2 NICs. Both are set to NAT. What should they be changed to? -
dynamik Banned Posts: 12,312 ■■■■■■■■■□carboncopy wrote: »How do I go about mapping a snort interface to the real NIC? Right now the EasyIDS VM has 2 NICs. Both are set to NAT. What should they be changed to?
Um, bridged would probably be best.
I built one of these: EnigmaCurry
And then bonded two USB NICs in CENTOS 5 on an old Dell 600M laptop.
Network Card Bonding On CentOS | HowtoForge - Linux Howtos and Tutorials
http://www.cyberciti.biz/howto/question/static/linux-ethernet-bonding-driver-howto.php -
L0gicB0mb508 Member Posts: 538carboncopy wrote: »I already have several old laptops that I can use. I was wondering if I ended up needing another one, what could be recommended. Something cheap and small that I can use.
Unfortunately I was running my setup on a P3, 128MB ram laptop and it would not last 1 day running because it would run out of ram and shutdown. That same laptop used to be my PDC about 2 years ago and ran fine
pm'd you a couple ideas on your set up.I bring nothing useful to the table... -
carboncopy Member Posts: 259Um, bridged would probably be best.
I built one of these: EnigmaCurry
And then bonded two USB NICs in CENTOS 5 on an old Dell 600M laptop.
Network Card Bonding On CentOS | HowtoForge - Linux Howtos and Tutorials
http://www.cyberciti.biz/howto/question/static/linux-ethernet-bonding-driver-howto.php
I am using going to try and set it up using VMware workstation. One question I would like to have answered is if I had a VM with EasyIDS installed on it. If I connected my laptop directly to the modem. Would both the host OS (Windows XP) and the EasyIDS VM use the Public IP? I am thinking that I would have to avoid NAT to get this to work.
Is there a way for the VM to receive the Public IP instead of the host? What would happen if I connect the computer directly to the modem, and set the VM to bridged networking? I would think that it would not use NAT because I don't have a device to do the NAT.
It would be much easier if I tried this at home, but I don't have my laptop with me at the moment -
dynamik Banned Posts: 12,312 ■■■■■■■■■□It would be software NAT; you wouldn't need another device. And that's not what you want to use since unsolicited traffic will get discarded.
Do you have another public IP you can assign to the bridged interface? -
Paul Boz Member Posts: 2,620 ■■■■■■■■□□I'm getting this set up again, but this time I'm going to try to use one of my company's old scanner appliances. They're 512mb micro-ATX boards in 1u rackmount chassis. Some of them have two nics and they have USB, so I can install easyIDS without any problems.CCNP | CCIP | CCDP | CCNA, CCDA
CCNA Security | GSEC |GCFW | GCIH | GCIA
pbosworth@gmail.com
http://twitter.com/paul_bosworth
Blog: http://www.infosiege.net/ -
carboncopy Member Posts: 259I'm getting this set up again, but this time I'm going to try to use one of my company's old scanner appliances. They're 512mb micro-ATX boards in 1u rackmount chassis. Some of them have two nics and they have USB, so I can install easyIDS without any problems.
I got my final setup done about a month ago. I am using two Compaq tablets. One for the IDS and the other using Zeroshell as a router/dns/dhcp, etc... Seems to be working pretty good.
I purchased a small 4 port netgear switch that has port mirroring. Gets the job done