Snort IDS lab

I sense a Snort technote in the making.

I have got to try Snort in a VM in VMware ESXi 4.0. I'll bet I can get that sucker Snorting a full, 56-port vSwitch.

How ever will I sort through all that data...

The advantage of having the switch would be to see the traffic for all internal workstations? Like if one workstation was being attacked internally, snort would pick it up?

In a home environment if you just wanted to experiment, would it suffice to have EasyIDS on a computer with 2 interfaces, one interface connected to the modem and the other to your wireless router for example?

That should be able to catch all traffic coming from the internet to your network.... right?

kalebksp

JDMurray wrote: »

I have got to try Snort in a VM in VMware ESXi 4.0. I'll bet I can get that sucker Snorting a full, 56-port vSwitch.

You may know this already, but for the benefit of others that may want to try something like this in ESX/ESXi. If you go to the properties of your vSwitch, then edit the vSwitch, you can set Promiscuous Mode to Accept on the Security tab. After this has been set, any vNIC set to promiscuous mode (for example, by Wireshark or Snort) will receive all traffic on the vSwitch. Pretty handy for labbing.

"Hog wild" was a terrible pun dude

I just configured a micro-ATX Celeron system on NewEgg for $180. I might order that next pay day and place it right off my cable modem. I think it'd be much more interesting to see what's coming in than just working with my own traffic.

dynamik wrote: »

"Hog wild" was a terrible pun dude

I just configured a micro-ATX Celeron system on NewEgg for $180. I might order that next pay day and place it right off my cable modem. I think it'd be much more interesting to see what's coming in than just working with my own traffic.

That's what I was referring to. I've had this on hold for so long now and haven't had time to implement

ConstantlyLearning

Deadly,

Was planning on setting up a box with Snort and SnortSnarf.

carboncopy wrote: »

The advantage of having the switch would be to see the traffic for all internal workstations? Like if one workstation was being attacked internally, snort would pick it up?

Yes, exactly. Red Team/Blue Team VMs going back-and-forth at each other, and a White Team VM running Snort having a look at it all.

kalebksp wrote: »

You may know this already, but for the benefit of others that may want to try something like this in ESX/ESXi. If you go to the properties of your vSwitch, then edit the vSwitch, you can set Promiscuous Mode to Accept on the Security tab. After this has been set, any vNIC set to promiscuous mode (for example, by Wireshark or Snort) will receive all traffic on the vSwitch. Pretty handy for labbing.

I know about it, but haven't tried it yet. I've noticed some virtual router software doesn't work unless the vSwitch is in promiscuous mode.

dynamik wrote: »

I just configured a micro-ATX Celeron system on NewEgg for $180. I might order that next pay day and place it right off my cable modem. I think it'd be much more interesting to see what's coming in than just working with my own traffic.

I've also been wanting to hang a bunch of VM honeypots off my DMZ to see what bad stuff is typically blocked by my firewall. The tough part is the postmortem analysis of the VMs to find out what has happened to them.

dynamik wrote: »

"Hog wild" was a terrible pun dude

Yeah you like that huh?

Good idea on installing Snort on your external network. You'll definitely see a ton of random crap. It's a great way to learn rule tuning. I just bought an older Netgear 10/100 hub on ebay to use as a ghetto ethernet tap on my external network. Cable modem -> 2621 -> hub with IDS -> Raver Router (oontz oontz)

carboncopy wrote: »

The advantage of having the switch would be to see the traffic for all internal workstations? Like if one workstation was being attacked internally, snort would pick it up?

Using a switch is actually a disadvantage because switches break up broadcast domains, making it difficult to see traffic being sent to all hosts. Typically in a switched environment an IDS will only see broadcast traffic if plugged into a standard switchport. To mitigate this I created a VLAN for the hosts that I wanted to monitor then created a SPAN port on that VLAN. The VSPAN port mirrors all of the traffic on that VLAN to a copy port that the IDS is plugged into. This allows the IDS to see all of the traffic to the systems configured in the VLAN which is being monitored.

Paul Boz wrote: »

To mitigate this I created a VLAN for the hosts that I wanted to monitor then created a SPAN port on that VLAN. The VSPAN port mirrors all of the traffic on that VLAN to a copy port that the IDS is plugged into. This allows the IDS to see all of the traffic to the systems configured in the VLAN which is being monitored.

But how much traffic can a single SPAN port handle before it starts dropping packets? A single 1000BaseT port can be overwhelmed by the traffic from a couple of dozen 100BaseT ports in the same VLAN on a very busy network.

JDMurray wrote: »

But how much traffic can a single SPAN port handle before it starts dropping packets? A single 1000BaseT port can be overwhelmed by the traffic from a couple of dozen 100BaseT ports in the same VLAN on a very busy network.

It depends on how you intend to use the IDS. A single span port as you said can support at least a couple dozen 100base T ports. The most common method of deployment for an IDS is on the DMZ or core network. These types of networks usually support under 20 systems, making a single span port on a decent switch sufficient. You can also either have multiple span ports or use a span port with higher bandwidth.

It really comes down to placement choice. Where you place the IDS determines what monitoring options you have.

Paul Boz wrote: »

The most common method of deployment for an IDS is on the DMZ or core network.

It really comes down to placement choice. Where you place the IDS determines what monitoring options you have.

Since you mentioned DMZ. If your computer only has one interface, it can be placed in the DMZ and it should still be able to catch everything right?

carboncopy wrote: »

Since you mentioned DMZ. If your computer only has one interface, it can be placed in the DMZ and it should still be able to catch everything right?

Yes, assuming your DMZ is directly between your computer and your outside router in a dual-firewall setup. If you have only a single firewall, and your router sends all DMZ traffic to a different network on a separate port, you won't be monitoring the actual traffic that gets to your computer. Two Snort boxes--one on the outside of the outer router/firewall and one just on the inside--would show you what is and isn't getting inside your network using either firewall configuration.

Quick solution to that is to clone the VM image of EasyIDS once you've set it up then install it in a different VM. Map to a different NIC and you're set. Just have each VM monitoring the specific subnets you wish to view.

JDMurray wrote: »

Yes, assuming your DMZ is directly between your computer and your outside router in a dual-firewall setup. If you have only a single firewall, and your router sends all DMZ traffic to a different network on a separate port, you won't be monitoring the actual traffic that gets to your computer. Two Snort boxes--one on the outside of the outer router/firewall and one just on the inside--would show you what is and isn't getting inside your network using either firewall configuration.

Ok cool!

I went ahead and did this when I got home in the morning. I have EasyIDS running on a Dell Inspiron 4100.

I placed it in the DMZ and everything is working fine

Awesome, glad to see others using this awesome technology

L0gicB0mb508

Ah I love snort. I've built a couple production snort boxes. BASE is about the best front end for Snort you can find. Prelude is also another log management system that is pretty good for multiple snort boxes. If you are a subscriber to the rule sets you may want to check out Oinkmaster. It gives you the option to pull rule updates from Snort as well as 3rd party rules (emergingthreats.net). You can run the perl script as needed, or set it up as a cron job.

I agree with you Paul that a spanned port on a core switch is about the easiest way to do one. Snort also can be placed inline. I don't know if this has improved any, but for a while it wasn't a very good option.

My Snort setups were usually as follows:
Dedicated Appliance with 2 NICS (one to sniff, one for management)
CentOS Linux
Base web management
Oinkmaster for rule updates (do yourself a favor and get the Emerging Threats rule set)

I need to give my finances another look, but I think I'm going to order that little box on Friday and then give this a shot: EnigmaCurry

L0gicB0mb508 wrote: »

Snort also can be placed inline. I don't know if this has improved any, but for a while it wasn't a very good option.

My Snort setups were usually as follows:
Dedicated Appliance with 2 NICS (one to sniff, one for management)
CentOS Linux
Base web management
Oinkmaster for rule updates (do yourself a favor and get the Emerging Threats rule set)

Snort inline isn't something that I want to do, mostly for the reasons which you described. If the device does not need to take action on the packets it shouldn't have to touch them. The EasyIDS .iso I used is built on CentOS, BASE, and has oink code support for automatic updates. It's a pretty slick interface.

dynamik wrote: »

I need to give my finances another look, but I think I'm going to order that little box on Friday and then give this a shot: EnigmaCurry

Why spend money on a new box? Just virtualize it and map a snort interface to a real NIC.

Because none of my USB NICs work with Vista/7

It'd take much less electricity to keep a little Celeron box on compared to my main system too.

I am curious as to what is my cheapest option as far as hardware that I can use to make a remote sensor. The cheapest thing I have found the Acer Aspire Revo for $200. Anyone else know of anything cheaper that I can use?

Newegg.com - Acer Aspire Revo AR1600-U910H Intel Atom 230(1.6GHz) 1GB DDR2 160GB NVIDIA ION LE graphics Windows XP Home - Desktop PCs

L0gicB0mb508

You can use any older pc just to make a small lab sensor. As long as it had like 512mb of ram and let's say 40gb of hard drive it would work fine for a lab.

L0gicB0mb508 wrote: »

You can use any older pc just to make a small lab sensor. As long as it had like 512mb of ram and let's say 40gb of hard drive it would work fine for a lab.

I already have several old laptops that I can use. I was wondering if I ended up needing another one, what could be recommended. Something cheap and small that I can use.

Unfortunately I was running my setup on a P3, 128MB ram laptop and it would not last 1 day running because it would run out of ram and shutdown. That same laptop used to be my PDC about 2 years ago and ran fine

Paul Boz wrote: »

Why spend money on a new box? Just virtualize it and map a snort interface to a real NIC.

How do I go about mapping a snort interface to the real NIC? Right now the EasyIDS VM has 2 NICs. Both are set to NAT. What should they be changed to?

carboncopy wrote: »

How do I go about mapping a snort interface to the real NIC? Right now the EasyIDS VM has 2 NICs. Both are set to NAT. What should they be changed to?

Um, bridged would probably be best.

I built one of these: EnigmaCurry

And then bonded two USB NICs in CENTOS 5 on an old Dell 600M laptop.

Network Card Bonding On CentOS | HowtoForge - Linux Howtos and Tutorials

http://www.cyberciti.biz/howto/question/static/linux-ethernet-bonding-driver-howto.php

L0gicB0mb508

carboncopy wrote: »

I already have several old laptops that I can use. I was wondering if I ended up needing another one, what could be recommended. Something cheap and small that I can use.

Unfortunately I was running my setup on a P3, 128MB ram laptop and it would not last 1 day running because it would run out of ram and shutdown. That same laptop used to be my PDC about 2 years ago and ran fine

pm'd you a couple ideas on your set up.

dynamik wrote: »

Um, bridged would probably be best.

I built one of these: EnigmaCurry

And then bonded two USB NICs in CENTOS 5 on an old Dell 600M laptop.

Network Card Bonding On CentOS | HowtoForge - Linux Howtos and Tutorials

http://www.cyberciti.biz/howto/question/static/linux-ethernet-bonding-driver-howto.php

I am using going to try and set it up using VMware workstation. One question I would like to have answered is if I had a VM with EasyIDS installed on it. If I connected my laptop directly to the modem. Would both the host OS (Windows XP) and the EasyIDS VM use the Public IP? I am thinking that I would have to avoid NAT to get this to work.

Is there a way for the VM to receive the Public IP instead of the host? What would happen if I connect the computer directly to the modem, and set the VM to bridged networking? I would think that it would not use NAT because I don't have a device to do the NAT.

It would be much easier if I tried this at home, but I don't have my laptop with me at the moment

It would be software NAT; you wouldn't need another device. And that's not what you want to use since unsolicited traffic will get discarded.

Do you have another public IP you can assign to the bridged interface?

I'm getting this set up again, but this time I'm going to try to use one of my company's old scanner appliances. They're 512mb micro-ATX boards in 1u rackmount chassis. Some of them have two nics and they have USB, so I can install easyIDS without any problems.