Snort and Iptables firewall linkage

1 Snort Overview

Snort is a powerful, lightweight network intrusion detection system that can detect a wide variety of attacks and raise alerts on them in real time. Snort is also highly extensible and portable, and the software is released under the GPL, which means that any organization or individual that complies with the GPL may use it free of charge.

Snort can perform real-time traffic analysis and packet logging on IP networks, so network attacks can be detected quickly and alerted on in a timely manner. Its alerting mechanisms are rich: syslog, a user-specified file, a UNIX socket, and WinPopup messages sent to Windows clients over the SMB protocol. With the XML plug-in, Snort can write its logs in SNML to a file or alert in real time.

Snort can perform protocol analysis and content searching/matching. The protocols it currently analyzes are TCP, UDP and ICMP; ARP, OSPF, IPX, RIP and others may be supported in the future. It can detect many kinds of attacks and probes, for example buffer overflows, CGI attacks, port scans and SMB probes, and it now also has simple rule support for attacks on web applications. The rules that ship with Snort cover a limited number of attacks, but Snort supports loading user-defined rules, which makes it a good choice for an enterprise-grade IDS.

2 Snort Architecture

  • How Snort works
    Snort is a pattern-matching network intrusion detection system; in fact most commercial intrusion detection systems on the market today are based on pattern matching. Known malicious behaviour and malicious code are turned into intrusion signatures stored in a rule database, and the actual traffic is then pattern-matched against that rule base to decide whether it contains an intrusion.

  • The main structure of Snort
    A Snort system is generally composed of two parts: the Snort rule set and the executable program.

    1) Snort rule set
    The Snort rule set is Snort's attack-signature database; each rule identifies one attack, and Snort recognizes attacks by matching against it.

    2) Snort executable
    The executable program consists of four major subsystems:
    the packet capture and decoding subsystem, the preprocessors, the detection engine, and the log/alert subsystem.

    Snort overall structure:

    No.  Module                        Source files                 Function
    1    Main control module           snort.c, plugbase.c, ...     Master module; plug-in management and service functions
    2    Decoding module               decode.c, ...                Decodes packets: each network packet is decoded into Snort's Packet structure for later analysis
    3    Rule processing module        rules.c, parser.c, ...       All functions associated with rules
    4    Preprocessor plug-in module   spp_defrag.c, ...            Plug-ins that simulate the TCP/IP stack, plus the various decoding plug-ins
    5    Processing plug-in module     sp_ip_fragbits.c, ...        Assist the rule-based matching process
    6    Output plug-in module         spo_alert_fast.c, ...        Output of system logs and alert logs
    7    Log module                    logs.c, ...                  All logging-related functions
    8    Auxiliary module              ubi_BinTree.c, ...           Helper functions
  • Snort's plug-in mechanism
    1) Preprocessor plug-ins
    Preprocessor plug-ins run before rule matching. Their main functions are:
    (1) plug-ins that simulate the TCP/IP stack, such as IP fragment reassembly and TCP stream reassembly;
    (2) decoding plug-ins of various kinds: HTTP decoding, Unicode decoding, RPC decoding, Telnet decoding and the like;
    (3) plug-ins that detect attacks which rule matching cannot: the port-scan plug-in, the SPADE anomaly-detection plug-in, the BO (Back Orifice) detection plug-in, etc.

    2) Processing plug-ins
    Processing plug-ins are called during the rule-matching phase to parse rule options and to assist the rule-based matching. Each rule option keyword generally corresponds to one processing function that implements the interpretation of that keyword. Their main functions are:
    (1) checking protocol fields, such as TCP flags, ICMP type, fragbits, RPC, dsize and the like;
    (2) auxiliary functions such as closing the connection, recording the session, responding to the attack, etc.;
    (3) output plug-ins.

    3) Output plug-ins are called after the rule-matching process ends, in order to record logs and alerts.

  • The overall flow
    The Snort intrusion detection process is divided into two big steps.
    The first step is rule parsing, which reads the rules from file into memory and organizes them. The procedure is:
    (1) read the rule files;
    (2) read each rule in turn;
    (3) parse the rule;
    (4) organize the rules in memory into a rule syntax tree.

    The second step is to use these rules to match intrusions. Each packet captured from the network is matched against the rule tree built in the first step; if a rule that matches the packet is found, an attack has been detected and the packet is processed according to that rule; if all rules have been searched and no match is found, the packet is treated as normal.

3 Snort linkage with Iptables

3.1 Overview

Why should Snort and Iptables be linked?

From the description above we already know how Snort works, and an attentive reader will have spotted Snort's most fatal weakness: it cannot block an attack! Snort's main role is early warning for the entire network; as its bypass (out-of-band) deployment shows, it does not block network attacks. Who can block the attack? Iptables. Then why not use Iptables alone? Because Iptables rules are too static, and Iptables cannot recognize network attacks by itself. So can we combine the two so that they cover each other's shortcomings, detecting an attack and then cutting off the attacker's connection? The answer is yes!

Implementation principle

As we learned earlier, Snort has a plug-in mechanism that provides preprocessors and other extension points, and Snort supports loading custom-developed plug-ins. The first implementation is therefore a custom plug-in: when a rule matches, the plug-in is called and creates, on the local firewall or a remote host, an Iptables rule for the intruding IP and port that drops all packets for that port or from that IP.

Compared with the plug-in approach, the second implementation is very simple and easy to build, and it is the one used in this experiment: a simple script reads the alert log in real time, records the IP and port, creates a corresponding Iptables rule and adds it to the local firewall or the corresponding remote host. This achieves the same functionality as the first approach; it is not as fast in processing, but there is not much difference in overall defensive capability.

The implementations are summarized as follows:

(1) Using Snort's extension capabilities, develop a custom integrated plug-in (currently SnortSam).
(2) Using Snort's alert log, develop a custom script (used in this experiment; the script is Guardian).

3.2 Experimental environment

Server: snort-host (CentOS 6.5), IP address: 10.1.1.12
Snort version: 2.9.7.6
Guardian version: 1.7

Operator host: host (Windows XP), IP address: random
Test machine: test (Windows XP), IP address: random

3.3 Experiment and analysis

For each part of the experiment, record and organize the relevant commands and their results, including text and images. Keep a detailed record of failures and problems encountered during the experiment, with the failure analysis and the troubleshooting process and methods.

Step one: install and configure Snort

View the network interfaces

# ifconfig

If the interface is not up, bring it up (eth0 here; it is of course not necessarily eth0, so use the interface name on your own machine)

# ifup eth0

Update the system

# yum -y update

Install the Snort dependencies

# yum -y install pcre pcre-devel gcc gcc-c++ zlib zlib-devel libpcap libpcap-devel make autoconf flex byacc bison libxml2-devel wget tcpdump

Install libdnet

# cd /usr/local/src/
# wget http://tools.hetianlab.com/tools/snort+IPtables.tar.gz
# tar zxvf snort+IPtables.tar.gz
# cd /usr/local/src/snort+IPtables

# tar zxvf libdnet-1.12.tgz
# cd libdnet-1.12
# ./configure --with-pic
# make && make install
# cd /usr/local/lib/
# ldconfig -v /usr/local/lib

Install DAQ

# cd /usr/local/src/snort+IPtables
# tar zxvf daq-2.0.6.tar.gz
# cd daq-2.0.6
# ./configure
# make && make install
# cd /usr/local/lib/
# ldconfig -v /usr/local/lib

Install Snort

# cd /usr/local/src/snort+IPtables/
# tar zxvf snort-2.9.7.6.tar.gz
# cd snort-2.9.7.6
# ./configure --enable-sourcefire
# make && make install
# cd /usr/local/lib/
# ldconfig -v /usr/local/lib

Snort configuration

Create the folders Snort needs, import the rule base, and create the blacklist and whitelist files

# mkdir /etc/snort
# mkdir /var/log/snort
# cd /etc/snort
# cp /usr/local/src/snort+IPtables/snort-2.9.7.6/etc/* .    (note the space before the trailing dot)
# tar zxvf /usr/local/src/snort+IPtables/snortrules-snapshot-2976.tar.gz
# cp ./etc/* .
# touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules

Add a snort user and group

# groupadd -g 40000 snort
# useradd snort -u 40000 -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort
# cd /etc/snort
# chown -R snort.snort *
# chown -R snort.snort /var/log/snort

Modify the configuration file

Edit /etc/snort/snort.conf with vi so that it contains the following:

ipvar HOME_NET 10.1.1.0/24	# (the address range used in this experiment)
ipvar EXTERNAL_NET any
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }	# (port-scan detection; leaving this commented out also works, but with it uncommented an nmap scan shows up in the scan log)
include $PREPROC_RULE_PATH/preprocessor.rules    (uncomment)
include $PREPROC_RULE_PATH/decoder.rules    (uncomment)
include $PREPROC_RULE_PATH/sensitive-data.rules    (uncomment)

Create a symbolic link to the snort binary in another location

# ln -s /usr/local/bin/snort /usr/sbin/snort

Modify the owner and permissions of the DAQ, Snort and related directories and files

# cd /usr/local/src/snort+IPtables
# chown -R snort.snort daq-2.0.6
# chmod -R 700 daq-2.0.6
# chown -R snort.snort snort-2.9.7.6
# chmod -R 700 snort-2.9.7.6
# cd /usr/local/src/
# chown -R snort.snort snort_dynamicsrc
# chmod -R 700 snort_dynamicsrc

# cd /var/log
# chown -R snort.snort snort
# chmod -R 700 snort
# cd /usr/local/bin
# chown -R snort.snort daq-modules-config
# chmod -R 700 daq-modules-config
# chown -R snort.snort u2*
# chmod -R 700 u2*

# cd /etc
# chown -R snort.snort snort
# chmod -R 700 snort

Dynamic rule configuration

# mkdir -p /usr/local/lib/snort_dynamicrules
# cp /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9*/*.so /usr/local/lib/snort_dynamicrules    (the experimental environment is a 64-bit system)

On a 32-bit system, import the dynamic rules with:

# cp /etc/snort/so_rules/precompiled/RHEL-6-0/i386/2.9*/*.so /usr/local/lib/snort_dynamicrules/

# cd /usr/local/lib
# chown -R snort.snort snort*
# chmod -R 700 snort*
# chown -R snort.snort pkgconfig
# chmod -R 700 pkgconfig

Export the dynamic rule files

# snort -c /etc/snort/snort.conf --dump-dynamic-rules=/etc/snort/so_rules

If this reports an error, the most likely cause is that the dynamic rules copied in the previous step were for the wrong system architecture.

Set the alert file permissions

# touch /var/log/snort/alert
# cd /var/log/snort
# chown snort.snort alert
# chmod 700 alert

Check the configuration file for errors

# snort -T -c /etc/snort/snort.conf -i eth0 

Start Snort

# snort -c /etc/snort/snort.conf -i eth0

Stop Snort

# ps -ef | grep snort
# kill -9 <pid>

Step two: install and configure Guardian

Installation and configuration

# cd /usr/local/src/snort+IPtables
# tar zxvf guardian-1.7.tar.gz
# cd guardian-1.7
# touch /etc/snort/guardian.ignore
# touch /etc/snort/guardian.target
# touch /var/log/snort/guardian.log
# cp guardian.pl /usr/local/bin/
# cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
# cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh
# cp guardian.conf /etc/snort

Edit the Guardian configuration file: vi /etc/snort/guardian.conf

Interface   eth0
LogFile    /var/log/snort/guardian.log
AlertFile   /var/log/snort/alert             // location of the alert file
IgnoreFile  /etc/snort/guardian.ignore        // whitelist
targetFile   /etc/snort/guardian.target        // blacklist
TimeLimit 120                       // blocking time, in seconds
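The second approach from 3.1 (read the alert log, derive the attacker address, add an Iptables rule) and the guardian.conf keys above (IgnoreFile, TimeLimit) can be modelled in a few lines. The following is an added illustration, not Guardian's own code: it parses constructed sample alerts in both Snort's one-line "fast" and multi-line "full" formats, and plans block/unblock commands instead of executing them; the HOME_NET and ignore values are assumptions taken from this experiment.

```python
import collections
import ipaddress
import re

# Signature header Snort writes in both "fast" and "full" alert formats: [**] [gid:sid:rev] msg [**]
SIG_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")
# Address pair, e.g. 203.0.113.7:4321 -> 10.1.1.12:80 (no ports on ICMP alerts)
ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?\s*->\s*(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?")
Alert = collections.namedtuple("Alert", "sid msg src dst dport")
# Constructed sample of /var/log/snort/alert: a fast-format line, a full-format record, and an ICMP alert
SAMPLE_ALERTS = """\
08/10-14:22:31.123456  [**] [1:5000006:1] IN [**] [Priority: 0] {TCP} 203.0.113.7:4321 -> 10.1.1.12:80
[**] [1:5000005:1] OUT [**]
08/10-14:22:32.000000 10.1.1.12:80 -> 203.0.113.7:4321
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60
08/10-14:22:40.000000  [**] [1:5000006:1] IN [**] [Priority: 0] {ICMP} 198.51.100.9 -> 10.1.1.12
"""

def parse_alerts(text):
    """One Alert per address line; the signature is the most recent [**] header seen, so both formats parse."""
    sig, alerts = None, []
    for line in text.splitlines():
        m = SIG_RE.search(line)
        if m:
            sig = (int(m.group(2)), m.group(4))
        a = ADDR_RE.search(line)
        if a and sig:
            dport = int(a.group(4)) if a.group(4) else None
            alerts.append(Alert(sig[0], sig[1], a.group(1), a.group(3), dport))
    return alerts

def plan_blocks(alerts, home_net, ignore, now, time_limit, active):
    """Return iptables commands; `active` (blocked IP -> block time) is updated in place. Blocks the
    non-HOME_NET side of each alert, skips IgnoreFile and HOME_NET addresses, never blocks an IP twice,
    and lifts blocks older than TimeLimit seconds."""
    cmds, net = [], ipaddress.ip_network(home_net)
    for ip, t in list(active.items()):  # expire old blocks first, as Guardian's unblock step does
        if now - t >= time_limit:
            cmds.append(f"iptables -D INPUT -s {ip} -j DROP")
            del active[ip]
    for al in alerts:
        attacker = al.src if ipaddress.ip_address(al.dst) in net else al.dst
        if attacker in ignore or ipaddress.ip_address(attacker) in net or attacker in active:
            continue
        cmds.append(f"iptables -I INPUT -s {attacker} -j DROP")
        active[attacker] = now
    return cmds

def demo():  # sample run with a hypothetical pre-existing block that has already expired
    active = {"192.0.2.1": 800}
    return plan_blocks(parse_alerts(SAMPLE_ALERTS), "10.1.1.0/24", {"198.51.100.9"}, 1000, 120, active), active
```

Note that the OUT alert (HOME_NET as source) still resolves to the external address, and the ignored scanner 198.51.100.9 is never blocked, which is exactly the whitelist role guardian.ignore plays.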

Start Guardian

# /usr/bin/perl /usr/local/bin/guardian.pl -c /etc/snort/guardian.conf

Stop Guardian

# ps -ef | grep guardian
# kill -9 <pid>

Step three: test the linkage

Local linkage of Snort and Iptables

To test whether the loaded rules take effect, edit /etc/snort/rules/local.rules with vi and add the following two rules

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"OUT"; sid:5000005;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IN"; sid:5000006;)

Rule description: alert on all TCP traffic between the external network and the internal network, to test whether there are problems with your snort.conf configuration

Start Snort and check whether entries appear in the alert log

# snort -c /etc/snort/snort.conf -i eth0
# cd /var/log/snort
# tail -f alert

If you can see log entries, the snort.conf configuration is fine and you can proceed to the next test; otherwise check the snort.conf configuration and the permissions of the Snort directories and files.

Linkage test

If the previous test passed, remove or comment out the two rules added to /etc/snort/rules/local.rules: vi /etc/snort/rules/local.rules

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"OUT"; sid:5000005;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IN"; sid:5000006;)

Log in to the other Windows host, test (note: scanning from the Snort host itself may make it impossible to log in to the Snort host), open a browser, download X-Scan from http://tools.hetianlab.com/tools/X-Scan-v3.3-cn.rar, unzip it, and double-click the file to open X-Scan

Set the scan parameters

Click the "Scan Parameters" button, set the IP range to your Snort host's IP address, choose "Select All" under "Global Settings" and "Scan Modules", and under "Plug-in Settings" select all of "SNMP Settings", "NETBIOS Settings" and "Vulnerability Detection Script Settings". Click the Start button to begin scanning.

Check whether alarms appear in the alert log

# cd /var/log/snort
# tail -f alert

Once alert entries appear, start Guardian for linkage with Iptables

# /usr/bin/perl /usr/local/bin/guardian.pl -c /etc/snort/guardian.conf

On the Snort host, run iptables -L and check whether rules have been added; if there are rules, the experiment succeeded.

We can see that the script iptables_block.sh was executed. Running iptables -L on the Snort host shows the newly added rule. At this point, linkage with a single firewall has been achieved.

Further thoughts: Snort linkage with other hosts or routers

Here are some ideas; if you are interested you can experiment with them on your own.

Idea one:
Install Snort on a host with two network cards, bridge the cards so that the host runs in transparent mode, and deploy it in-line at the network egress router. It can then monitor all network traffic and, linked with the local firewall, provide IPS functionality.

Idea two:
Write a script that, for alerts in the alert log concerning other hosts, writes a corresponding firewall linkage rule script and stores it locally on the Snort host; a script on the other host then logs in to the Snort host, downloads and executes the rule script, achieving cooperative defence. The weakness of this implementation is that it cannot respond promptly, and the linkage depends on too many external factors.

3.4 Summary of experimental results

Analyze the experimental results, complete the questions for thought, summarize your feelings and experience of the experiment, and suggest improvements to it.

1. Consult the relevant documentation to understand the SnortSam plug-in, and briefly analyze the advantages and disadvantages of SnortSam and Guardian.
2. What do you think the drawbacks of the SnortSam and Guardian linkage approaches are?

Experience: moving toward security integration, cooperative interaction between security products is the direction of the future.


Origin blog.csdn.net/hexf9632/article/details/98200876