Intrusion detection mode
First, find the IP address of the machine running Snort by using ‘ifconfig’ and make a note of it. Now run ‘./start_snort’. Some extra startup information scrolls past as we are now using the Snort configuration file and the rules files that it references.
Simulate an attack (Nmap)
We’ll begin by carrying out a port scan on the machine running Snort using Nmap, a common first step in a typical intrusion attempt. From a different machine on your network, type ‘nmap [IP address of Snort machine]’. A file called ‘alert’ should have appeared in the log folder. Examine it.
Automatically start Snort
The method to launch a script at startup varies between distributions. On Ubuntu, simply add our ‘start_snort’ script to ‘/etc/init’ by typing ‘ln start_snort /etc/init/’. Remember to use fully qualified path names in the script.
Protect the network
Protecting an entire network requires either a dedicated Snort machine or a dedicated network adaptor on your server. This is because the network card must be put into promiscuous mode to capture all traffic being transmitted, and this is the scenario we will work with here. Once you have installed the second card and rebooted the machine, determine the naming of the two network interfaces by typing ‘ifconfig’. In this example, the second network card is called ‘eth1’. Now open ‘/etc/networking/interfaces’ in a text editor.
Configure promiscuous mode
Add the following lines to the file: ‘iface eth1 inet manual’, ‘up ifconfig $IFACE 0.0.0.0 up’, ‘up ip link set $IFACE promisc on’, ‘down ip link set $IFACE promisc off’, ‘down ifconfig $IFACE down’. Type ‘sudo ifup eth1’ to start up the second Ethernet adaptor and physically plug it into your router, hub or spanning switch.
Test promiscuous mode
Type ‘ifconfig’ and eth1 should be listed without an IP address. Now add ‘sudo ifup eth1’ to your Snort startup script along with the flag ‘-i eth1’ on the Snort launch command. When launched, Snort will now monitor all traffic on your network.
Create a simple Snort rule
For the sake of simplicity, we are going to add a rule to the configuration file rather than create a new rule file. As root, open up snort.conf in a text editor. On the final line of the configuration file, add the following line: ‘alert tcp any any -> any 23 ( msg: “telnet alert!”; sid: 1; )’.
Test simple rule
Launch Snort with ‘snort -dev -l ./snort_logs -c /etc/snort.conf’. From another machine, type ‘telnet [IP address of Snort machine]’. If everything has worked, you should now have an update in the alert file. See the Snort manual for a full breakdown, but open the file and check that source IP and destination IP look correct.
Fetch extra rules
Get extra rules from the Snort website (free sign-up required). They belong in ‘/etc/ snort/rules’ and should be enabled using the ‘include’ directive in snort.conf. The comprehensive selection is an excellent starting point for creating your own rules for dealing with, for example, application-specific exploits.
Add CSV output module
Unless you know that you are going to have to use Snort alert logs as input for another networking utility, consider switching it to CSV output so that you can view the data in a spreadsheet. Simply add the line ‘output alert_csv: alert.csv default’ to the end of the configuration file.
Interpreting an attack
When an attack is logged, begin by looking up the IP address with the ‘whois’ command or by using an online geographic IP lookup address. Note the port number of the attack to try to figure out the service or application that is the focus of the attack.
Block an attack (part 1)
Block the IP address of the attacker as reported in the alert file. Obviously, the address can change, but they tend to be fairly static from the most common type of automated attacks. Use the command ‘iptables -A INPUT -s [attacker IP address] -j DROP’.
Block an attack (part 2)
It’s possible that an attack is targeting an unused or unimportant port on your network. Use ‘/iptables -A INPUT -p tcp –destination- port 80 -j DROP’ to block a port, if you have determined that it will not harm the normal function of your system. To unblock a port or IP address, use the ‘-D’ switch instead of ‘-A’.