Build a small network defense system with snort and PHP

Source: Internet
Author: User
Tags: php, thread, unix domain socket, iptables, firewall

This paper builds a small network defense system with Snort and iptables in a Linux environment, provides a remote management tool in the form of a PHP page, and gives the implementation and explanation of the key program.

Introduction

Snort is currently a very popular lightweight intrusion detection system. However, at present the handling of Snort's detection results mostly stops at writing a log or simply notifying the network administrator, who then audits the results and decides on a network defense strategy. Snort's detection results are not used in time to protect against network intrusion. This paper provides a service listener program for Snort's alert output module: it obtains Snort's alert information promptly, analyzes it, and adds corresponding firewall rules to iptables according to the result of the analysis, so that network attacks are blocked in real time. The service program also listens for management requests from PHP and acts on them. Because the service program runs independently of Snort, it does not affect the efficiency of Snort itself. Through the PHP page, the administrator can monitor and manage the hosts blocked by the service program, for example viewing the currently blocked host IP addresses, the time of the event, the blocking time and the blocking reason, or modifying the blocking time.

General idea

Snort's output plugins provide a wealth of alert output methods: output to files, syslog, a database, UNIX domain sockets and so on. When Snort's alerts are output to a UNIX domain socket, the output module is equivalent to an alert client; Snort users can write the server-side code, receive Snort's alert messages, and take appropriate countermeasures based on those messages. Based on this idea, and using the iptables firewall under Linux, this paper constructs a network defense system. The overall structure of the system is as follows:

The service program is the core part of the system and consists of two parts: the alert output processing subroutine (Ao_handler) and the PHP request processing subroutine (Web_handler). The alert output processing subroutine is mainly responsible for receiving Snort alerts, parsing the alert information and blocking the attacking host by adding iptables rules; the PHP request processing subroutine is mainly responsible for communicating with the PHP management page and performing the corresponding processing according to the page's requests.

The service program maintains a table of rule-related information, organized as two queues (the alert queue and the blocking queue). The alert queue records the attacking-host information parsed from Snort's alert output (the alert node, generated by Ao_handler); the blocking queue records the attacking hosts that are currently being blocked (the blocking nodes). If an alert node's host is not in the blocking queue, the program blocks the host represented by the node and adds the node to the blocking queue. Each blocking operation gives the blocking node an expiry time; when the blocking time exceeds this expiry, the program deletes the blocking node from the blocking queue and deletes the corresponding blocking rule from iptables, releasing the blocked host. Using two queues to maintain alert and blocking information prevents the program from adding duplicate blocking rules when it receives multiple alerts about the same host address, which would otherwise confuse rule management and unblocking. In addition, maintaining the blocking information lets the program provide end users with all the information about the hosts currently blocked by the system (alert time, blocking time, blocking reason, and so on) and gives the user an interface to inspect and manage this information.
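The following is an added example, not the paper's own code, of the blocking-queue logic just described: admitting an alert node only when its host is not already blocked, expiring nodes whose validity period has passed, and building the iptables command the service would run. The rule form (DROP all traffic from the source address on the INPUT chain), the node fields, and the function names are assumptions; the paper does not give its exact rule.

```c
/* Added example (not the paper's code): alert queue -> blocking queue logic.
 * Rule form, field names and the expiry policy are illustrative assumptions. */
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <arpa/inet.h>

#define MAX_BLOCKED 64
#define IP_STRLEN   16

/* One blocking node: which host, why, when, and for how long. */
typedef struct {
    char   ip[IP_STRLEN];
    char   reason[64];
    time_t alert_time;   /* when the triggering alert arrived */
    time_t block_time;   /* when the iptables rule was added */
    int    duration;     /* validity period in seconds */
} BlockNode;

typedef struct {
    BlockNode nodes[MAX_BLOCKED];
    int count;
} BlockQueue;

/* Index of ip in the queue, or -1 if the host is not currently blocked. */
int block_find(const BlockQueue *q, const char *ip) {
    for (int i = 0; i < q->count; i++)
        if (strcmp(q->nodes[i].ip, ip) == 0) return i;
    return -1;
}

/* Alerthandler step: admit an alert node only if the host is not already
 * blocked. Returns 1 when a new block was recorded, 0 for a duplicate, an
 * invalid address, or a full queue. The address is validated with inet_pton
 * so that only a well-formed IPv4 literal ever reaches a shell command. */
int block_add(BlockQueue *q, const char *ip, const char *reason, time_t now, int duration) {
    struct in_addr a;
    if (inet_pton(AF_INET, ip, &a) != 1) return 0;
    if (block_find(q, ip) >= 0 || q->count >= MAX_BLOCKED) return 0;
    BlockNode *n = &q->nodes[q->count++];
    snprintf(n->ip, sizeof n->ip, "%s", ip);
    snprintf(n->reason, sizeof n->reason, "%s", reason);
    n->alert_time = now;
    n->block_time = now;
    n->duration   = duration;
    return 1;
}

/* Blockhandler step: drop every node whose validity period has passed.
 * Returns the number of hosts released (the caller deletes their rules). */
int block_expire(BlockQueue *q, time_t now) {
    int released = 0;
    for (int i = 0; i < q->count; ) {
        if (now >= q->nodes[i].block_time + q->nodes[i].duration) {
            q->nodes[i] = q->nodes[--q->count];   /* swap-remove, order not needed */
            released++;
        } else {
            i++;
        }
    }
    return released;
}

/* Build the iptables command for one host. action is "-I" to add the rule
 * when blocking and "-D" to delete the same rule when the block expires. */
int block_command(char *buf, size_t len, const char *action, const char *ip) {
    return snprintf(buf, len, "iptables %s INPUT -s %s -j DROP", action, ip);
}
```

Because the two maintenance threads in the paper share this table, a real service would hold the mutex around every call above and signal the condition variable after `block_add` so that Blockhandler can recompute its next expiry.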

Concrete implementation

How the service program is implemented

The service program needs to handle three kinds of events simultaneously: listening for Snort's alert output, maintaining the rule-related information table (that is, the alert queue and the blocking queue), and processing requests from PHP pages. Therefore the service program uses a multithreaded, concurrent design. The main thread listens for alert data from Snort, parses the data, creates the alert node and adds it to the alert queue; the main thread also performs the initialization of the service program. Two threads are dedicated to maintaining the rule-related information table: one (Alerthandler) watches the alert queue and, when an alert node that needs handling arrives, adds it to the blocking queue and performs the blocking operation; the other (Blockhandler) watches the blocking queue and removes blocking nodes whose validity period has been reached. For requests from PHP pages the service program uses a thread pool, which answers requests such as listing the blocked hosts, deleting a blocked host, and modifying the blocking validity time.

The main thread and the rule maintenance threads form the alert output processing subroutine, and the PHP request processing threads form the PHP request processing subroutine. Because these threads all read and write the rule-related information table, a synchronization mechanism is needed to ensure the correctness of the operations. The program in this paper uses a mutex lock together with a condition variable to achieve this.

Program main data structure

By default, Snort's alert_unixsock output plugin sends alert data in datagram mode to the UNIX domain socket at the path /var/log/snort_alert, and the alert data is encapsulated in an Alertpkt structure (defined in spo_alert_unixsock.h in the Snort source package). Alertpkt is defined as follows:

typedef struct _Alertpkt
{
    u_int8_t alertmsg[ALERTMSG_LENGTH]; /* alert message */
    struct pcap_pkthdr pkth;
    u_int32_t dlthdr;    /* datalink header offset. (ethernet, etc.. ) */
    u_int32_t nethdr;    /* network header offset. (ip etc...) */
    u_int32_t transhdr;   /* transport header offset (tcp/udp/icmp ..) */
    u_int32_t data;
    u_int32_t val; /* indicates which fields are valid */
    ……
    Event event; /* information about the alert event */
} Alertpkt;
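As an added example (not the paper's code), the block below shows the main-thread role described in this section: bind the datagram socket that Snort writes to, receive one Alertpkt per datagram, and turn it into the fields an alert node needs (the alert message and the attacking source address, read from the IPv4 header at offset nethdr). The struct here is a simplified stand-in for Snort's real Alertpkt, which embeds struct pcap_pkthdr; only the caplen field of that header is kept, and the NOPACKET_STRUCT flag value, the SNAPLEN size, and the sample alert are assumptions made for the example. The parser checks that the datagram is long enough and that the offsets stay inside the captured bytes before it trusts them.

```c
/* Added example (not the paper's code). AlertPkt is a simplified stand-in for
 * Snort's Alertpkt from spo_alert_unixsock.h; the sample datagram is constructed. */
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <arpa/inet.h>

#define ALERTMSG_LENGTH 256
#define SNAPLEN         1514
#define NOPACKET_STRUCT 0x1                   /* assumed val flag: no packet attached */
#define UNSOCK_PATH     "/var/log/snort_alert" /* Snort's default socket path */

typedef struct {
    uint8_t  alertmsg[ALERTMSG_LENGTH];
    uint32_t caplen;                  /* stand-in for pcap_pkthdr.caplen */
    uint32_t dlthdr, nethdr, transhdr, data;
    uint32_t val;
    uint8_t  pkt[SNAPLEN];
} AlertPkt;

typedef struct {
    char msg[ALERTMSG_LENGTH];
    char src_ip[INET_ADDRSTRLEN];
} AlertInfo;

/* Turn one received datagram into alert-node fields. Returns 0 on success,
 * -1 if the datagram is truncated, carries no packet, is not IPv4, or the
 * network header offset does not leave room for a 20-byte IPv4 header. */
int parse_alert(const AlertPkt *a, size_t nread, AlertInfo *out) {
    if (nread < offsetof(AlertPkt, pkt)) return -1;
    if (a->val & NOPACKET_STRUCT) return -1;
    if (a->caplen > SNAPLEN || a->nethdr + 20 > a->caplen) return -1;
    if (offsetof(AlertPkt, pkt) + a->caplen > nread) return -1;
    const uint8_t *ip = a->pkt + a->nethdr;
    if ((ip[0] >> 4) != 4) return -1;                    /* IPv4 only here */
    snprintf(out->msg, sizeof out->msg, "%.*s", ALERTMSG_LENGTH, (const char *)a->alertmsg);
    inet_ntop(AF_INET, ip + 12, out->src_ip, sizeof out->src_ip); /* bytes 12..15: source */
    return 0;
}

/* Constructed sample: an alert whose packet is a bare IPv4 header from 192.0.2.7
 * to 192.0.2.1 (protocol 1 = ICMP). Returns the datagram length Snort would send. */
size_t build_sample(AlertPkt *a) {
    static const uint8_t iphdr[20] = {0x45, 0x00, 0x00, 0x1c, 0, 0, 0, 0, 64, 1, 0, 0,
                                      192, 0, 2, 7, 192, 0, 2, 1};
    memset(a, 0, sizeof *a);
    strcpy((char *)a->alertmsg, "ICMP PING NMAP");
    memcpy(a->pkt, iphdr, sizeof iphdr);
    a->caplen = sizeof iphdr;
    a->nethdr = 0;
    a->transhdr = sizeof iphdr;
    return offsetof(AlertPkt, pkt) + a->caplen;
}

/* Main-thread role: own the datagram socket Snort sends to and hand every
 * well-formed alert to a callback. Returns -1 if the socket cannot be set up. */
int serve_alerts(const char *path, void (*on_alert)(const AlertInfo *)) {
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    snprintf(addr.sun_path, sizeof addr.sun_path, "%s", path);
    unlink(path);                            /* remove a stale socket from a previous run */
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0) { close(fd); return -1; }
    AlertPkt buf;
    AlertInfo info;
    for (;;) {
        ssize_t n = recv(fd, &buf, sizeof buf, 0);
        if (n < 0) break;
        if (parse_alert(&buf, (size_t)n, &info) == 0) on_alert(&info);
    }
    close(fd);
    return 0;
}

static void print_alert(const AlertInfo *i) { printf("%s from %s\n", i->msg, i->src_ip); }

int main(void) {
    AlertPkt a;
    AlertInfo info;
    size_t n = build_sample(&a);
    if (parse_alert(&a, n, &info) == 0) print_alert(&info);
    /* Live use: return serve_alerts(UNSOCK_PATH, print_alert); */
    return 0;
}
```

For live use, start the listener before Snort and enable the plugin with `output alert_unixsock` in snort.conf: the output plugin connects to the socket path when Snort starts, so the server side must already be bound to it. The callback is where the paper's main thread would build the alert node and append it to the alert queue under the mutex.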
