Build a secure Linux server using Snort

Source: Internet
Author: User
Snort is a well-known, free and powerful lightweight intrusion detection system. It is easy to use, lightweight and effective at blocking attacks. This article describes, from the perspective of practical operation, how to use Snort to secure an Internet-facing host. Intrusion detection is a newer security technology that follows traditional measures such as firewalls and data encryption.


Intrusion detection technology is a new generation of security technology that follows traditional security measures such as firewalls and data encryption. It identifies and responds to malicious use of computers and network resources: it not only detects external intrusions but also monitors unauthorized activity by internal users. As the security requirements of network servers keep rising, defending Linux servers against hacker intrusions and attacks is of great practical importance.

Snort is a powerful, lightweight and free network intrusion detection system with the following features:

1. Lightweight network intrusion detection system: although Snort is powerful, its code is concise and compact; the compressed source package is only a little more than 1.8 MB.

2. Good portability: Snort offers excellent cross-platform support. Currently supported server systems include Linux, Solaris, FreeBSD, IRIX, HP-UX and Microsoft Windows.

3. Powerful functionality.

With its ability to analyze traffic in real time and log IP packets, Snort can detect network attacks quickly and raise alerts promptly. Using the XML plug-in, Snort can write logs in SNML (Simple Network Markup Language) to a file or trigger an alert. Snort supports protocol analysis and content search/matching. It currently analyzes TCP, UDP and ICMP; support for ARP, IPX and other protocols may follow. It can detect many kinds of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes and OS fingerprinting attempts. Snort's log format can be either tcpdump binary format or readable ASCII text, which is easier for users, especially new users. With the database output plug-in, Snort can write logs to a database, and with the TCP stream plug-in it can reassemble TCP streams.

4. Good extensibility and rapid response to new attacks.

As a lightweight network intrusion detection system, Snort is sufficiently extensible. It uses a simple rule description language: the most basic rule contains only four parts, the action, the protocol, the direction, and the addresses and ports of interest, for example "log tcp any -> 192.168.0.1/24 79". When a new attack is discovered, its pattern can quickly be found on the "bugtraq" mailing list and a detection rule written for it. Because the rule language is simple, it is easy to learn, which saves training costs.

5. Compliance with the GNU General Public License (GPL): Snort is released under the GPL, so any organization or individual can use it freely as long as the GPL is respected.

Snort architecture

Packet decoder. Snort supports Ethernet, SLIP and PPP media. The packet decoder prepares data for the detection engine: it captures data transmitted over the network and parses packets at the various layers of the TCP/IP protocol stack. Snort uses the libpcap library for data collection; libpcap gives applications an interface for capturing packets directly from the link layer and lets them set a packet filter so that only the traffic of interest is captured. The capture and parsing mechanism is the foundation of the whole NIDS. The most important requirement is high speed with a low packet-loss rate, which depends not only on software efficiency but also on the processing capacity of the hardware. For the parsing mechanism, the range of packet types it can handle is equally important.

Detection engine. The detection engine is the heart of Snort; it analyzes each packet according to the rules loaded at startup. The detection engine decomposes Snort rules into a chain header and chain options. The chain header is identified by common information such as source/destination IP addresses and port numbers; the chain options define more detailed criteria such as TCP flags, ICMP type and code, specific content and payload size. The detection engine checks each packet, in turn, against the rules in the order they are defined in the Snort rule file. The first rule that matches the packet triggers the action specified in that rule; packets that match no rule trigger no action and are discarded.

Logging/alerting system. Alerting and logging are two separate subsystems. Logging records the information collected by the packet decoder in a readable format or in tcpdump format. The alert system can be configured to send alert information to syslog, a flat file, a Unix socket or a database; alerts can also be turned off during testing or during intrusion learning. By default, all logs are written to the /var/log/snort directory and alerts to the /var/log/snort/alerts file. The Snort packet logger subsystem offers the following modes: "fast mode", which records information in tcpdump format; "readable mode", which records data in protocol format so that users can read it easily; "alert to syslog", which sends alert information to syslog; and "alert to text file", which records alert information in plain text.

It is worth noting that when high performance is needed, Snort can log compressed packet information so that alerts can be raised quickly.

How to use Snort

Install Snort

Snort is based on libpcap, which is generally installed by default with the operating system.

If it is missing, libpcap can be downloaded from http://www.tcpdump.org. The Snort installation procedure is as follows:

1. Run mkdir snortinstall and then cd snortinstall;

2. Download snort-2.0.0.tar.gz and snortrules.tar.gz from www.snort.org into the new directory, using a browser or wget;

3. Run the following commands in turn: tar -zxvf snort-2.0.0.tar.gz; cd snort-2.0.0; ./configure; make install.

Use Snort

Here, the common ping command, used to check whether a host is alive, illustrates how Snort is used. Run "./snort -v" to start Snort in sniffer mode and display the IP and TCP/UDP/ICMP header information, then run "ping 192.168.0.1". Snort prints the following:

06/10-10:21:13.884925 192.168.0.2 -> 192.168.0.1
ICMP TTL:64 TOS:0x0 ID:4068
ID:20507 Seq:0 ECHO

06/10-10:21:13.885081 192.168.0.1 -> 192.168.0.2
ICMP TTL:128 TOS:0x0 ID:15941
ID:20507 Seq:0 ECHO REPLY

06/10-10:21:14.884874 192.168.0.2 -> 192.168.0.1
ICMP TTL:64 TOS:0x0 ID:4069
ID:20507 Seq:256 ECHO

06/10-10:21:14.885027 192.168.0.1 -> 192.168.0.2
ICMP TTL:128 TOS:0x0 ID:15942
ID:20507 Seq:256 ECHO REPLY

To decode the application-layer payload as well, run "snort -d" and then "ping 192.168.0.1"; Snort now prints the payload of each packet as a hex dump with an ASCII column:

06/10-10:26:39.894493 192.168.0.2 -> 192.168.0.1
ICMP TTL:64 TOS:0x0 ID:4076
ID:20763 Seq:0 ECHO
58 13 42 39 E0 BB 05 00 08 09 0A 0B 0C 0D 0E 0F  X.B9............
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 28 29 2A 2B 2C 2D 2E 2F  !"#$%&()*+,-./
30 31 32 33 34 35 36 37  01234567

06/10-10:26:39.894637 192.168.0.1 -> 192.168.0.2
ICMP TTL:128 TOS:0x0 ID:15966
ID:20763 Seq:0 ECHO REPLY
58 13 42 39 E0 BB 05 00 08 09 0A 0B 0C 0D 0E 0F  X.B9............
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 28 29 2A 2B 2C 2D 2E 2F  !"#$%&()*+,-./
30 31 32 33 34 35 36 37  01234567

To also see the Ethernet frame header, run "snort -vde" and then "ping 192.168.0.1"; the link-layer information is printed in front of each record.
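As an added example (not from the original article), the Python script below parses the three-line header records that snort -v prints, as shown above, and pairs each ICMP ECHO with its ECHO REPLY by (ID, Seq) to obtain the round-trip time. The sample text is the article's own output re-typed in Snort's spacing; the layout of exactly three lines per ICMP echo packet is an assumption taken from that output.

```python
import re
from datetime import datetime

# Added example, not from the article: parse the header records snort -v prints
# and pair each ICMP ECHO with its ECHO REPLY by (ID, Seq) to get the round trip.
SAMPLE = """\
06/10-10:21:13.884925 192.168.0.2 -> 192.168.0.1
ICMP TTL:64 TOS:0x0 ID:4068
ID:20507 Seq:0 ECHO

06/10-10:21:13.885081 192.168.0.1 -> 192.168.0.2
ICMP TTL:128 TOS:0x0 ID:15941
ID:20507 Seq:0 ECHO REPLY

06/10-10:21:14.884874 192.168.0.2 -> 192.168.0.1
ICMP TTL:64 TOS:0x0 ID:4069
ID:20507 Seq:256 ECHO

06/10-10:21:14.885027 192.168.0.1 -> 192.168.0.2
ICMP TTL:128 TOS:0x0 ID:15942
ID:20507 Seq:256 ECHO REPLY
"""  # the article's output, re-typed in Snort's own spacing

HDR_RE = re.compile(r"^(\d\d/\d\d)-(\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")
IP_RE = re.compile(r"^(\w+) TTL:(\d+) TOS:(0x[0-9a-fA-F]+) ID:(\d+)$")
ICMP_RE = re.compile(r"^ID:(\d+) Seq:(\d+) (ECHO(?: REPLY)?)$")

def parse_records(text):
    """Yield one dict per ICMP echo record (assumed: exactly three lines per packet)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for i in range(0, len(lines) - 2, 3):
        h, ip, icmp = HDR_RE.match(lines[i]), IP_RE.match(lines[i + 1]), ICMP_RE.match(lines[i + 2])
        if not (h and ip and icmp):
            continue  # not an ICMP echo record
        ts = datetime.strptime(f"{h.group(1)}-{h.group(2)}", "%m/%d-%H:%M:%S.%f")
        yield {"ts": ts, "src": h.group(3), "dst": h.group(4), "proto": ip.group(1),
               "ttl": int(ip.group(2)), "ip_id": int(ip.group(4)), "icmp_id": int(icmp.group(1)),
               "seq": int(icmp.group(2)), "type": icmp.group(3)}

def pair_echoes(text):
    """Return {(icmp_id, seq): rtt_microseconds} for each ECHO answered by a REPLY."""
    pending, rtts = {}, {}
    for r in parse_records(text):
        key = (r["icmp_id"], r["seq"])
        if r["type"] == "ECHO":
            pending[key] = r
        elif key in pending and r["src"] == pending[key]["dst"]:
            rtts[key] = round((r["ts"] - pending.pop(key)["ts"]).total_seconds() * 1e6)
    return rtts
```

For the article's capture this yields a round trip of 156 and 153 microseconds for sequence numbers 0 and 256 respectively.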

Writing Snort rules

Snort has attracted wide attention, on the one hand because it is lightweight and consumes few system resources, and on the other because it is dynamic and programmable. The latter is difficult for most network users, however, because writing rules requires knowledge of network protocol analysis and of security. Fortunately, a rule repository that is kept up to date can be downloaded from the Internet (www.snort.org). Since the rules can be downloaded directly, this article does not describe the rule-writing conventions in depth and gives only a few simple examples:

● SMB alert configuration: output alert_smb: workstation.list;

● Port scan detection preprocessor configuration: preprocessor portscan: 192.168.1.0/24 5 7 /var/log/portscan.log;

● Block packets containing objectionable content: alert tcp any <> 192.168.1.0/24 80 (content-list: "adults"; msg: "Not for children!"; react: block, msg;)
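The following Python model, added here and not Snort's own code, shows how the detection engine described above applies the two rules given in this article: the rule header is matched first (with "<>" tried in both directions), then the content-list option, and the first matching rule decides the action while unmatched packets pass. The rules are written with the source port included, as Snort's header syntax requires, and the "adults" content list is a constructed stand-in for the file that option refers to.

```python
import ipaddress
import re
# Added example, not Snort's code: a toy model of the detection engine
# described in the article: header first, then options (only content-
# list here); the first matching rule decides, unmatched packets pass.
RULES = [  # the article's rules, in full Snort header syntax (source port included)
    'log tcp any any -> 192.168.0.1/24 79',
    'alert tcp any any <> 192.168.1.0/24 80 (content-list: "adults"; msg: "Not for children!"; react: block, msg;)',
]
CONTENT_LISTS = {"adults": ["adult content", "xxx"]}  # constructed stand-in for the "adults" file
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<sip>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dip>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?\s*$')

def parse_rule(text):
    """Split a rule into its header fields and a dict of 'key: value' options."""
    rule = HEADER_RE.match(text.strip()).groupdict()
    items = [i.split(":", 1) for i in (rule.pop("opts") or "").split(";") if ":" in i]
    rule["opts"] = {k.strip(): v.strip().strip('"') for k, v in items}
    return rule

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _one_way(rule, sip, sport, dip, dport):
    return (_addr_ok(rule["sip"], sip) and rule["sport"] in ("any", str(sport))
            and _addr_ok(rule["dip"], dip) and rule["dport"] in ("any", str(dport)))

def header_matches(rule, pkt):
    if rule["proto"] != pkt["proto"]:
        return False
    fwd = _one_way(rule, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if rule["dir"] == "<>":  # bidirectional: also try with the endpoints swapped
        return fwd or _one_way(rule, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    return fwd

def options_match(rule, pkt):
    name = rule["opts"].get("content-list")
    if name is None:  # no content option: a header match is enough
        return True
    payload = pkt.get("payload", b"").lower()
    return any(w.encode() in payload for w in CONTENT_LISTS.get(name, []))

def inspect(pkt, rules=tuple(RULES)):
    """Return (action, msg) of the first rule matching pkt, or ("pass", None)."""
    for rule in map(parse_rule, rules):
        if header_matches(rule, pkt) and options_match(rule, pkt):
            return rule["action"], rule["opts"].get("msg")
    return "pass", None
```

Note that in the bidirectional rule the port 80 stays bound to the 192.168.1.0/24 side, so a reply from a web server in that network matches just as a request to it does.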
