Build an intrusion detection system (IDS) using snort in Centos

Introduction to snort

Snort is a packet sniffing Based on libpcap and can be used as a lightweight network intrusion detection system (NIDS ). The so-called lightweight means that the normal operations of the network are affected as low as possible during detection. An excellent lightweight NIDS should have cross-System Platform operations, it has the least impact on the system and allows administrators to perform real-time security response by modifying the configuration in a short time. More importantly, it can become an important member of the overall security structure.

Snort Working Mode

Snort has three working modes: sniffer, data packet recorder, and network intrusion detection system.

The sniffing mode only reads data from the network and displays the data as continuous streams on the terminal;

The data packet recorder mode records the data packets to the hard disk;

The network intrusion detection mode is the most complex and configurable. We can allow snort to analyze network data streams to match user-defined rules and take certain actions based on the detection results.

Lab environment:

Snort HOST: 192.168.101.90

Simulate intrusion into the host: 192.168.101.108

Note: snort must communicate with the internet.

1. Install snort and rules

Yuminstallphpphp-gdphp-pearphp-mysqlmysql-serverhttpdlibpcap

Yumlocalinstall -- nogpgchecksnort-2.8.6.1snort-mysql-2.8.0.1-1.RH5.i386.rpm

Tar-zxvfsnortrules-snapshot...-C/etc/snort

Modify Environment Variables

[Root @ readhat ~] # ExportPCAP_FRAMES = max

Enable Service

[Root @ readhathtml] # servicehttpdstart & chkconfighttpdon

[Root @ readhathtml] # servicemysqldstart & chkconfigmysqldon

Ii. mysql Configuration

[Root @ readhathtml] # mysqladmin-urootpassword "123"

Create a database

Createdatabasesnort;

Usesnort;

Source/usr/share/snort-2.8.0.1/schemas/create_mysql; import the template and generate a data table

3. Install adodb

Export root@readhathtml##unzipadodb514.zip-d/var/www/html/

[Root @ readhathtml] # cd/var/www/html/

[Root @ readhathtml] # mvadodb5/adodb

Iv. base installation and configuration

[Root @ readhathtml] # tar-zxvf/root/base-1.4.5.tar.gz-C/var/www/html/

[Root @ readhathtml] # cd/var/www/html/

[Root @ readhathtml] # mvbase-1.4.5/base

Pearinstall -- forcePEAR-1.8.1

Pearupgradepear

[Root @ readhathtml] # pearinstallImage_Graph-alphaImage_Canvas-alphaImage_ColorNumbers_RomanMail_MimeMail

[Root @ readhathtml] # cd/var/www/html/base

Export root@readhatbase=export cpworld_map6.pngworld_map6.txt/usr/share/pear/Image/Graph/Images/Maps/

Add writable attributes to the base directory,

[Root @ readhathtml] # chmodo + wbase

Modify symbolic links in the base

[Root @ readhathtml] # ln-s/etc/snort/doc/signatures/var/www/html/base/signatures

Access http: // 192.168.101.90/base

Edit the php configuration file

Vim/etc/php. ini

Error_reporting = E_ALL

Change

Error_reporting = E_ALL &~ E_NOTICE

Normal again

5. base webpage Configuration

Select the language format and the directory where adodb is stored,

Set database attributes,

Create an administrator role,

Related tables and table options are created successfully,

Base reads data from mysql, but does not configure how sort outputs information to mysql.

Configuration association between snort and mysql

[Root @ readhat ~] # Vim/etc/snort. conf

[Root @ readhat ~] # Snort-v-c/etc/snort. conf &>/dev/null &

[1] 28542

[Root @ readhathtml] # jobs

[1] + Runningsnort-v-c/etc/snort. conf> &/dev/null &

View scan status

Simulates attacks in the LAN for port scanning

View status again

Detailed data format

Appendix:

Simple compilation of snort working modes and rules

1. sniffing mode

The so-called sniffing mode means that snort reads data packets from the network and displays them on your console. First, let's start with the basic usage. If you only need to print the TCP/IP header information on the screen, you only need to enter the following command:

# Snort-v

Using this command, only the IP address and TCP/UDP/ICMP packet header information are output by snort. If you want to see data at the application layer, you can use:

# Snort-vd

This command enables snort to display packet data while outputting packet header information. If you want to display the data link layer information, use the following command:

# Snort-vde

Note that these option switches can also be written separately or any combination of them. For example, the following command is equivalent to the last command above:

# Snort-d-v-e

2. Data Packet RECORDER:

If you want to record all packages to the hard disk, You need to specify a log directory, and snort will automatically record the data packets:

Snort-dev-l./log

Of course, the./log directory must exist. Otherwise, snort reports an error message and exits. When snort runs in this mode, it records all the packets that are seen and puts them in a directory named after the IP address of the destination host of the data packet, for example: 192.168.10.1

If you only specify the-l command switch without setting the directory name, snort sometimes uses the remote host IP address as the directory, and sometimes uses the local host IP address as the directory name. To only log on the local network, you need to provide the local network:

Snort-dev-l./log-h192.168.1.0/24

This command tells snort to record the data links, TCP/IP, and application layer of all packets entering class C network 192.168.1.

Note: The generated data file is in tcpdump format. You can use "# snort-r Data File Name" to view the file.

If your network speed is fast or you want to compress logs for future analysis, you should use the binary log file format. The so-called binary log file format is the format used by the tcpdump program. Use the following command to record all packages to a single binary file:

Snort-l./log-B

3. Intrusion Detection System:

The most important use of snort is as a network intrusion detection system (NIDS). Use the following command line to start this mode:

Snort-dev-l./log-h192.168.1.0/24-c/etc/snort. conf

Snort. conf is the rule set file. Snort matches each package with the rule set. If such a package is found, the corresponding action is taken. If you do not specify the output directory, snort will output it to the/var/log/snort directory.

Note: If you want to use snort as your intrusion detection system for a long time, you 'd better not use the-v option. With this option, snort outputs some information to the screen, which greatly reduces the processing speed of snort and discards some packets when outputting data to the monitor.

In addition, in most cases, there is no need to record the header of the data link layer, so the-e option can also be used:

Snort-d-h192.168.1.0/24-l./log-c/etc/snort. conf

This is the most basic form of network intrusion detection system using snort. The logs conform to the rules and are saved in a hierarchical directory structure in ASCII format.

Compile snort rules

Snort uses a simple and lightweight Rule Description Language, which is flexible and powerful. Remember several simple principles when developing snort rules.

First, most snort rules are written on a single row, or are separated by/at the end of a row. The Snort rule is divided into two logical parts: Rule header and rule options. The rule header contains the rule action, protocol, source IP address and network mask, and source and target port information. The rule option part contains the alarm message content and the specific part of the package to be checked.
The following is an example of a rule:

Alerttcpanyany-> 192.168.1.0/24111 (content: "| 000186a5 |"; msg: "mountdaccess ";)

Rule Action protocol source IP address source port number> Target IP address destination port number (Rule option)

The first section is the rule header, and the section in the brackets is the rule options ). The word before the colon in the Rule option section is called the option keyword (optionkeywords ). Note that not all rules must contain the rule option section to make the definition of the packets to be collected, alarms, or discarded more strict. All elements that constitute a rule must be true for the specified action to be taken. When multiple elements are put together, they can be considered as a logical AND (AND) statement. At the same time, different rules in the snort rule repository file can be considered as a large logical OR (OR) statement.

Rule Action:

The rule header contains the who, where, and what information for defining a package, and actions to be taken when all the attributes defined by the rule are included. The first item of a rule is "rule action". "rule action" tells snort what to do when a rule-matching package is found. There are five actions in snort: alert, log, pass, activate, and dynamic.

1. Alert-generate an alarm using the selected Alarm Method and record the packet.
2. Log-record this package.
3. Pass-Discard (ignore) this package.
4. activate-alarm and activate another dynamic rule.
5. dynamic-remain idle until it is activated by an activate rule. Once activated, it is executed as a log rule.

This article from "Liu Yuan's blog" blog, please be sure to keep this source http://liuyuan51.blog.51cto.com/5971950/1137198