
  • IMPLEMENTING SNORT AS IPS ON RASPBERRY PI

    SYED MOHAMMAD IDRUS BIN SYED OTHMAN

    BACHELOR OF COMPUTER SCIENCE

    (COMPUTER NETWORK AND SECURITY) WITH

    HONOURS

    UNIVERSITI SULTAN ZAINAL ABIDIN

    2018

  • i

    IMPLEMENTING SNORT AS IPS IN RASPBERRY PI

    SYED MOHAMMAD IDRUS BIN SYED OTHMAN

    Bachelor of Computer Science (Computer Network Security) with Honours

    Faculty of Informatics and Computing

    Universiti Sultan Zainal Abidin, Terengganu, Malaysia

    MAY 2017

  • ii

    DECLARATION

    I hereby declare that this report is based on my original work except for quotations and

    citations, which have been duly acknowledged. I also declare that it has not been

    previously or concurrently submitted for any other degree at Universiti Sultan Zainal

    Abidin or other institutions.

    ______________________________

    Name : Syed Mohammad Idrus Bin Syed Othman

    Date : ..................................................

  • iii

    LIST OF FIGURES

    FIGURE PAGE

    Figure 1: Agile Development 19

    Figure 2: Framework 23

    Figure 3: System Flow 25

    Figure 4: IP Addresses 33

    Figure 5: Snort Directory and Files 36

    Figure 6: Snort Version Check 37

    Figure 7: Snort File Configuration 39

    Figure 8: Snort File Configuration 30

    Figure 9: Snort File Configuration 41

    Figure 10: Snort File Configuration 42

    Figure 11: Snort File Configuration 43

    Figure 12: Snort File Configuration 44

    Figure 13: Snort File Configuration 45

    Figure 14: Snort File Configuration 46

    Figure 15: Snort File Configuration 47

    Figure 16: Classification.config file 49

    Figure 17: Snort local.rules file 50

    Figure 18: Rules Validation 51

    Figure 19: SSH Attack From Outside Network 53

    Figure 20: Snort Responses on SSH Attack 54

  • iv

    Figure 21: DDoS Attack from Outside Network 55

    Figure 22: Snort Responses on DDoS Attack 56

    Figure 23: SSH Attack from Inside Network 57

    Figure 24: Snort Responses on SSH Attack 58

    Figure 25: DDoS Attack from Inside Network 59

    Figure 26: Snort Responses on DDoS Attack 60

  • v

    LIST OF ABBREVIATIONS

    IPS Intrusion Prevention System

    IDS Intrusion Detection System

    ARM Advanced RISC Machine

    RISC Reduced Instruction Set Computer

  • vi

    ABSTRACT

    Nowadays the Internet is an almost compulsory part of daily life. From school to work, it has become a medium of communication between many parties, for example video calls over Skype. The Internet transmits data in the form of packets, each kind of communication produces packets of different sizes, and the transmission speed depends on the type of connection, for instance fibre. Users, however, are generally unaware of malicious packets in their own network. Attackers use such packets to deliver viruses or other harmful programs that steal data or damage the user's devices. One countermeasure is to install an Intrusion Prevention System (IPS) in the home network. An IPS extends an Intrusion Detection System (IDS): besides monitoring traffic, detecting malicious packets and alerting the user, it can also prevent them by dropping the packets. An IPS needs only a modest computer, so in this project it is implemented on a pocket-sized computer, the Raspberry Pi 3 Model B, a device now used in many fields that can also serve as a network security appliance. The IPS software is Snort, an open-source intrusion detection and prevention system that operates on a set of rules, which the user can write or download from the Snort website. The result is a portable IPS: instead of installing an IPS on each computer, the user plugs the Raspberry Pi into the network and browses the Internet behind it.

  • vii

    ABSTRAK (translated from Malay)

    Today, using the Internet has become a necessity in our lives. From school to the workplace, the Internet has become the intermediary between people. It is also the arena in which we communicate and share opinions with our friends and family. However, Internet users pay no attention to other users who have malicious intent towards them. Such users may upload or send viruses or software that can steal data or damage electronic devices on the user's network. For this reason, home Internet users can use an Intrusion Prevention System (IPS). An IPS is a cyber-intrusion prevention system created to protect the home network. It is able to identify packets leaving and entering the home network. An IPS can now run on a microcomputer such as the Raspberry Pi. One example of an IPS is Snort. Snort is flexible software that operates on guidelines, or "rules", which can be downloaded or defined by the user. Furthermore, an IPS running on a Raspberry Pi is a portable IPS and can begin its work as soon as the device is connected to the home network.

  • viii

    CONTENTS

    PAGE

    DECLARATION ii

    LIST OF FIGURES iii-iv

    LIST OF ABBREVIATIONS v

    ABSTRACT vi

    ABSTRAK vii

    CONTENTS viii-xi

    CHAPTER I INTRODUCTION

    1.1 Background 1-2

    1.2 Problem Statement 3

    1.3 Objectives 4

    1.4 Scope of Project 5

    1.5 Limitations 6

    CHAPTER II LITERATURE REVIEW

    2.1 Introduction 7

  • ix

    2.2 Intrusion Prevention System 7

    2.2.1 Rule-Based Detection 8

    2.3 Snort 8

    2.3.1 Snort Signatures 9

    2.3.2 Snort Rules 9

    2.4 Raspberry Pi 10

    2.4.1 Raspberry Pi Model 2 11

    2.4.2 Raspberry Pi Model 3 B 11 – 12

    2.5 ArchLinux ARM Edition 13

    2.6 ARM Processors by ARM HOLDINGS 13

    2.7 Snort as IPS Inline on Linux 14

    2.8 Raspberry Pi Firewall and Intrusion Detection System 15

    2.9 Comparison between IDS, IPS and Firewall 16

    2.10 Best Intrusion Prevention System for Home PC 17

    CHAPTER III METHODOLOGY

    3.1 Introduction 18 - 19

    3.2 Planning 20

  • x

    3.3 Requirements 20 - 21

    3.4 Design 22

    3.4.1 Framework 23 - 24

    3.4.2 Flow of System 25

    3.5 Configuration 26 - 28

    3.6 Implementation 28

    3.7 Testing 28

    3.8 Deployment 29

    CHAPTER IV IMPLEMENTATION AND TESTING

    4.1 Introduction 30

    4.2 Installation 31

    4.2.1 Operating System 31

    4.2.2 Updating and Configuring IP Address 32 - 33

    4.2.3 Snort Installation and Directory Configuration 34 - 37

    4.3 IPS Configuration 38 - 47

  • xi

    4.4 Writing Snort Rules 48 - 60

    Summary 60

    CHAPTER V DISCUSSION AND CONCLUSION

    5.1 Introduction 61

    5.2 System Contribution 61

    5.3 Obstacle/Problems 62

    5.4 Future Works 62

    5.5 Conclusion 63

    REFERENCES 64 - 66

  • 1

    CHAPTER I

    INTRODUCTION

    1.1 Background

    The Internet has become one of the most important platforms for people everywhere. It is used as a medium for communication, learning, broadcasting, business and much more. However, every human creation has its own weaknesses, and for the Internet the weakness is the security of data. Attackers will try to breach home or company networks by any means if the data they intend to steal will benefit them, and a larger network means more opportunity for intrusion. Over time many precautions have been developed to address network security weaknesses, that is, to patch vulnerabilities or to keep malicious packets out of the network. However, most of these measures are applied only in large companies. Small home networks receive far less attention, and home users often do not know how malicious packets can enter their network. It is therefore worth looking closely at how home users can protect their network and data.

  • 2

    To counter network intrusion effectively, users can deploy an Intrusion Prevention System (IPS) in their home network. An IPS is an extension of an Intrusion Detection System (IDS) with additional capabilities such as dropping and blocking malicious packets. It is also a real-time monitoring system that starts working as soon as it has been configured properly. Many people, however, assume an IPS is only suitable for large companies, which can afford the resources and IT staff for operation and maintenance.

    Thanks to newer technology, an IPS can now be implemented in a home network using open-source software, for example Snort, or Bro (now Zeek); both are intrusion detection systems, and Snort can additionally run inline as an IPS. The software can be installed on a compact computer, the Raspberry Pi, which is affordable and gives the user full flexibility in writing the rules. With these characteristics a reasonably secure home network can be achieved at low cost.

  • 3

    1.2 Problem Statement

    Many cyber-crime cases are reported nowadays, and most involve intrusion, data theft and exploitation. Modern security measures can reduce such cases, but the measures involved require considerable resources. Although several software products can detect intrusion, an attacker who has already entered the network remains free to act unless something blocks them. An IPS enforces protection in real time, blocking and dropping malicious packets from the attacker.

    With the arrival of inexpensive computers such as the Raspberry Pi, this low-cost precaution is within reach of home users who want to secure their home network. The Raspberry Pi also supports several operating systems and a wide range of open-source software.

  • 4

    1.3 Objectives

    Three objectives are to be achieved in this project:

    a. To study the applicability of the Raspberry Pi as an Intrusion Prevention System (IPS).

    b. To configure the Raspberry Pi and implement an Intrusion Prevention System on it.

    c. To test the performance of the IPS developed in a real home network environment for personal use.

  • 5

    1.4 Scope of Project

    This project covers the design of an Intrusion Prevention System (IPS) that operates in real time in a home network environment. The IPS will monitor traffic, alert on and prevent malicious packets from outside and inside the network, and keep a log report for the user. The scope of the project is:

    a. To configure and run the Raspberry Pi correctly and ensure it runs as expected

    b. To configure Snort to detect and prevent malicious packets from entering the home network

    c. To install an open-source operating system and the IPS on the Raspberry Pi

  • 6

    1.5 Limitation

    There are several limitations in this project. Firstly, the Raspberry Pi depends on a stable power supply to run properly. Battery power is unsuitable because the IPS keeps the CPU busy, so the user should power the Raspberry Pi from a mains adapter through its USB power cable. Secondly, Snort has no graphical interface; all processes and commands must be carried out in a terminal. Lastly, Snort writes its logs to flat files on the SD card rather than to a database, and it stamps them with the system clock. The Raspberry Pi has no battery-backed real-time clock, so if the date and time are not set (for example via NTP) after boot, log entries carry wrong or overlapping timestamps and events become hard to correlate.

  • 7

    CHAPTER II

    LITERATURE REVIEW

    2.1 Introduction

    This chapter discusses existing journals and articles that support this project. The information found gives a better understanding of the project and its advantages and disadvantages, and this chapter also describes the software and hardware that will be used.

    2.2 Intrusion Prevention System (IPS)

    An IPS is software or a device developed to detect and prevent malicious packets entering or leaving a computer or network [9]. It is also used to prevent the exploitation of vulnerabilities. An IPS is active: it acts according to the rules or methods used to detect intrusion, and it can monitor, detect, block and log the actions it takes for the user [8]. Detection methods are flexible, since each attack has its own pattern; most IPS products come with a default detection method, but users can customise it to detect and prevent possible unknown attacks [9].

  • 8

    2.2.1 Rule Based Intrusion Detection

    Rule-based intrusion detection detects intrusions according to predefined rules, which may be set by the developer of the intrusion detection system or written by users [9]. Two approaches fall under this heading: anomaly detection and penetration identification. Anomaly detection flags traffic that deviates from normal behaviour, informed by the signatures and patterns of previous attacks [3]. Penetration identification requires a security expert, who writes rules that search for malicious software or abnormal packet behaviour in the network [2].

    2.3 Snort

    Snort is open-source software that can function as an IDS and as an IPS [2]. It was created by Martin Roesch. It runs on most operating systems but is most at home on Linux. Snort is a handy tool that is reasonably easy to use and can provide real-time protection [2]. It can monitor and analyse the traffic of a single device or of a whole network, and it can also capture (sniff) packets, which makes it a powerful intrusion detection system. It also has functions to block packets or devices from accessing the network. It uses signatures and rules to monitor network traffic [10].

  • 9

    2.3.1 Snort Signatures

    Signatures in Snort are patterns collected from previous attacks. These patterns are recorded in Snort's rule files, which Snort loads into memory, and Snort uses them to identify future attacks [3]. This approach only covers known attacks: if an attack uses a new pattern, Snort will not be able to act on it [2].

    2.3.2 Snort Rules

    Rules in Snort are predefined by the user or downloaded from the Snort website. A rule takes effect once it has been saved in a rules file that the Snort configuration file includes and Snort has validated it [3]. Unlike a signature taken from a past attack, a custom rule does not need a previous attack pattern, but it does require careful analysis of packet contents and types [2]. In other words, this kind of detection requires the user to know which types of packet to allow or block in the network. It can be more effective than signature-only detection, since signatures are blind to new, unidentified malicious packets [6]; a rule that is written too broadly, however, will also match legitimate traffic.

  • 10

    2.4 Raspberry Pi

    The Raspberry Pi is a series of small single-board computers developed in the United Kingdom by the Raspberry Pi Foundation to promote the teaching of computer science in schools and developing countries [5]. The first model was released in February 2012, and the smallest, the Raspberry Pi Zero, in November 2015 [5]. The Raspberry Pi is now used in many fields, from learning to business, theft detection and assistive devices [7]. Its processor is based on ARM designs, which suit small compact devices, and it comes with an on-chip graphics processing unit. Performance varies by model; at the time of writing the fastest Raspberry Pi runs at 1.4 GHz with 1 GB of RAM [4]. The first generation uses an older ARMv6 core that most mainstream distributions other than Raspbian do not support, whereas from the second generation onwards, and especially with the Raspberry Pi 3 Model B, other operating systems and open-source software can be run, which gives the user far wider use of the device [6].

  • 11

    2.4.1 Raspberry Pi Model 2

    The Raspberry Pi 2 Model B was introduced in February 2015. It has a quad-core ARMv7 Cortex-A7 processor running at 900 MHz, 4 USB ports and 1 HDMI port, is powered through a micro USB connector, and its USB ports can supply up to 1.2 A to peripherals [5]. It has a microSD slot that holds the operating system and storage. Its 1 GB of RAM is generous for such a small computer. The previous model, the Raspberry Pi 1, was mostly used for robots and other small devices, whereas this model is capable enough to serve as a user's main PC [7]. Operating systems that support it include Raspbian, Ubuntu and Windows 10 IoT Core [7].

    2.4.2 Raspberry Pi 3 Model B

    In 2016 the Raspberry Pi Foundation introduced a new, enhanced model, the Raspberry Pi 3 Model B. It has a 64-bit ARMv8 Cortex-A53 processor, one of the more capable cores designed by ARM Holdings at the time [4]. It is a quad-core processor clocked at 1.2 GHz and is paired with 1 GB of RAM [7]. This model can handle most tasks of a normal desktop computer. It also has on-board wireless LAN (Wi-Fi) and Bluetooth. Other components are the same as in the previous model, except that a 2.5 A power supply is recommended. In terms of software, it supports several open-

  • 12

    source and commercial operating systems such as Ubuntu, Kali Linux and Windows 10 IoT Core. Furthermore, most recent microcomputer projects and software developments have been done on this version of the Raspberry Pi [5].

  • 13

    2.5 ArchLinux Arm Edition

    Arch Linux is a lightweight, rolling-release Linux distribution first released in March 2002 [15]. It follows the "Keep It Simple, Stupid" principle and ships a minimal base system that the user builds up with the pacman package manager. Arch Linux ARM is a separate project that ports the distribution to ARM processors, including the Raspberry Pi [15]. Arch Linux gives the user total control [15]: the user decides what is installed and how memory, disk and GPU resources are allocated. An IDS such as Snort can be installed on it in the same way as on any other Linux system, which is why it was chosen as the platform for intrusion detection in this project.

    2.6 ARM Processors by ARM Holdings

    ARM Holdings (originally Advanced RISC Machines, founded in 1990) designs processor cores and licenses them to chip manufacturers rather than making chips itself [4]. ARM processors follow the RISC philosophy: a small, regular instruction set that needs fewer transistors than a comparable CISC design [4]. This keeps power consumption and heat low, which is why the Cortex family of ARM cores dominates mobile phones, microcomputers, embedded systems, tablets and, increasingly, laptops [4]. Android has also been proven to run well on ARM processors [4].

  • 14

    2.7 Snort as IPS Inline on Linux

    Snort is mostly used as an IDS, that is, only to monitor, detect and alert the user about malicious packets in a network. It can, however, be turned into an IPS that actively acts on a detected intrusion. First, the network interface of the device must be configured and tested so that Snort runs smoothly [3]; for inline operation Snort must sit in the traffic path, which in Snort 2.9 means running it with the -Q option on an inline DAQ such as afpacket (bridging two interfaces) or nfq (receiving packets from an iptables NFQUEUE). Next, the rule actions are changed so that Snort becomes an IPS: a rule whose action is drop instead of alert makes Snort discard the matching packet and still alert the user about the action taken [3]. When writing such rules you must be specific and careful to avoid false alarms, since a false alert wastes the operator's time and a false drop blocks legitimate traffic. Therefore specify the packet type, size, priority and even the behaviour of the packets so that Snort can identify intrusions reliably [3].

  • 15

    2.8 Raspberry Pi Firewall and Intrusion Detection System

    Home users today are largely unaware of intrusion and hijacking within their own network. Most people have a home network with high-speed Internet, but the label "home network" leads them to ignore viruses or malicious packets entering it, since they believe no sensitive or critical files are stored there [11]. IPS and IDS are mostly used in large companies, because setting them up requires money, technicians, and ongoing service and maintenance [9]. Thanks to several advanced and affordable technologies, a home network can now be secured with a Raspberry Pi 3 Model B, the Snort software, an Internet connection and a few accessories [14]. Configuring the IPS in a home network is straightforward and takes at most a day [12]. Doing so protects the network from intrusion and the devices on it from being hijacked, and the IPS also alerts the user whenever it detects malicious packets. The network can thus be protected efficiently without spending a lot of money.

  • 16

    2.9 Comparison between IDS, IPS and Firewall

    An Intrusion Detection System, an Intrusion Prevention System and a firewall share some characteristics but differ in how they work [10]. An IDS is a passive system that monitors packet headers and contents in a network and detects intrusions from rules or attack signatures [9]; it only alerts the user about an intrusion and records the alert in a log file. An IPS is an active system that works like an IDS except that it acts on the user's behalf to block or allow packets entering the network [9]; it alerts the user and logs its actions at the same time. A firewall is the first line of defence and filters packets according to a policy [9]: packets that do not match the policy are rejected. In short, a firewall looks only at packet headers and does not inspect packet contents. A network should therefore have both an IPS and a firewall; a separate IDS adds little, since an IPS already performs the detection an IDS performs.
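    The difference described above, worked through on constructed traffic as an added example (this code is not part of the report and is not Snort's own code): a header-only firewall policy is compared with two IPS-style rules, one stateful rule that approximates Snort's detection_filter for an SSH SYN flood and one payload content match. The policy, the packets, the addresses and the thresholds are all assumptions of the example.

```python
"""Header-only firewall policy versus IPS rules that use state and payload.

Constructed example: the packets, policy, addresses and thresholds are
assumptions made here and are not taken from the report's configuration."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float            # arrival time in seconds
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    dport: int
    flags: str = ""      # TCP flags, e.g. "S" for SYN
    payload: bytes = b""


# Stateless, header-only policy of the kind a home router applies.
# First match wins; anything unmatched is denied.
FIREWALL_POLICY = (
    ("tcp", 22, "allow"),
    ("tcp", 80, "allow"),
    ("any", None, "deny"),
)


def firewall_decision(pkt):
    """Looks only at protocol and destination port, never at payload or history."""
    for proto, dport, action in FIREWALL_POLICY:
        if proto != "any" and proto != pkt.proto:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"


class SshSynFloodRule:
    """Approximates a Snort 2 rule such as
         drop tcp any any -> $HOME_NET 22 (flags:S; detection_filter: track by_src,
                                           count 5, seconds 60; sid:1000010; rev:1;)
    The drop fires only once a source has sent more than `count` SYNs in `seconds`."""

    def __init__(self, count=5, seconds=60.0):
        self.count, self.seconds = count, seconds
        self.seen = defaultdict(deque)      # src -> timestamps of recent SYNs

    def evaluate(self, pkt):
        if pkt.proto != "tcp" or pkt.dport != 22 or "S" not in pkt.flags:
            return "pass"
        window = self.seen[pkt.src]
        window.append(pkt.ts)
        while window and pkt.ts - window[0] > self.seconds:
            window.popleft()                # forget SYNs outside the time window
        return "drop" if len(window) > self.count else "pass"


class ContentRule:
    """Approximates  alert tcp any any -> any 80 (content:"../"; ...)  : a payload
    match that a header-only firewall cannot express."""

    def __init__(self, dport, needle, action="alert"):
        self.dport, self.needle, self.action = dport, needle, action

    def evaluate(self, pkt):
        if pkt.proto == "tcp" and pkt.dport == self.dport and self.needle in pkt.payload:
            return self.action
        return "pass"


def ips_decision(pkt, rules):
    """First non-pass verdict wins, mirroring one rule firing per packet."""
    for rule in rules:
        verdict = rule.evaluate(pkt)
        if verdict != "pass":
            return verdict
    return "pass"


def sample_packets():
    """Constructed traffic: six SSH SYNs from one host within ten seconds, one SSH
    SYN from a LAN host, a Telnet SYN, and an HTTP request with a traversal payload."""
    pkts = [Packet(float(i), "203.0.113.5", "192.168.1.20", "tcp", 22, "S")
            for i in range(6)]
    pkts.append(Packet(7.0, "192.168.1.30", "192.168.1.20", "tcp", 22, "S"))
    pkts.append(Packet(8.0, "203.0.113.5", "192.168.1.20", "tcp", 23, "S"))
    pkts.append(Packet(9.0, "203.0.113.9", "192.168.1.20", "tcp", 80, "PA",
                       b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"))
    return pkts


def compare(packets):
    """Return [(firewall verdict, IPS verdict), ...], one pair per packet."""
    rules = [SshSynFloodRule(count=5, seconds=60), ContentRule(80, b"../")]
    return [(firewall_decision(p), ips_decision(p, rules)) for p in packets]


if __name__ == "__main__":
    for pkt, (fw, ips) in zip(sample_packets(), compare(sample_packets())):
        print(f"{pkt.ts:4.1f}s {pkt.src:>13} -> :{pkt.dport:<3} firewall={fw:5} ips={ips}")
```

    The firewall allows all six SSH SYNs because port 22 is permitted, while the IPS rule, which remembers how many SYNs each source sent in the last minute, passes the first five and drops the sixth; the HTTP request is likewise allowed by the header policy but raises an alert on its payload. Packets to Telnet are denied by the firewall alone, which is why both components belong in the network.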

  • 17

    2.10 Best Intrusion Prevention System for Home PC

    IPS products are created by developers around the world to counter attacks on networked PCs that aim to hijack, steal or damage users' files [10]. An IPS is similar to a firewall, except that it inspects content and can detect and block packets from outside or inside the network. One of the best IPS products recommended for a home PC is Snort, which is among the best open-source software for detecting and blocking malicious packets [8]. It monitors traffic in real time, detects a variety of attacks based on rules or signatures, and lets users customise the rules to their needs [8]. Snort also logs the attacks and the actions taken. Snort can additionally be used as a packet sniffer, capturing packets on the wire for inspection [8]; the packets captured in sniffer mode can be logged and kept as evidence.

  • 18

    CHAPTER III

    METHODOLOGY

    3.1 Introduction

    The development of this project follows the Agile Development methodology. This model was chosen because several steps are repeated, and the repetition allows the project to be modified where necessary. The phases of the project are Planning, Requirement Analysis, Design, Implementation, Testing and Deployment. The figure below shows the phases of Agile Development:

  • 19

    Figure 1 Phases of Agile Development Cycle

  • 20

    3.2 Planning

    Planning is the initial step of the project. The idea was presented to the supervisor and briefly discussed so that the project could proceed to the next phase. Planning is important because it gives a picture of the system: how the IPS works, what it monitors, how it alerts the user and what actions it can take.

    3.3 Requirements

    In this stage the requirements of the project are studied. Information is gathered from the literature review, and the requirements fall into two broad classes, software and hardware. The literature review also covers how to configure Snort, which helps the developer understand the capabilities and limitations of the project. The software and hardware used in this project are listed below.

  • 21

    a) Hardware

    Raspberry Pi Model 3 B

    A High Performance Ethernet Cable

    MicroUSB Cable

    16 GB MicroSD card

    USB Keyboard and Mouse

    HDMI Monitor

    High Performance HDMI Cable

    b) Software

    Win32 Disk Imager/UnetBootIn

    ArchLinux ARM Image

    Notepad++

    Microsoft Office

  • 22

    3.4 Design

    The next step is design. The system is designed once all requirements have been gathered, and a framework is drawn up to guide the developer on the scope of the project. The framework shows the flow of the system: what Snort monitors, what power source the device uses and how it logs the packets it inspects. The configuration of Snort and of the Raspberry Pi is also decided in this phase.

  • 23

    3.4.1 Framework

    Figure 2 Framework of the system

    1. Raspberry Pi with Snort installed.

    2. The Raspberry Pi is connected to the router.

    3. Devices connect to the network through the router.

    4. Snort monitors the network based on the rules set by the user. If any malicious packets are detected, it can alert the user and also record the actions taken in a log file stored on the Raspberry Pi memory card.

  • 24

    Referring to the proposed framework, Snort on the Raspberry Pi performs real-time monitoring of the home network. A Raspberry Pi with Snort IPS installed on the ArchLinux operating system must be connected to the router in order to start monitoring. Once Snort has been started, users can start browsing the Internet. If malicious packets are detected, Snort enforces the rules set and acts exactly as programmed. Every action taken is recorded in a log file and can also be displayed to the user. To stop monitoring, the user simply switches off the Raspberry Pi.

  • 25

    3.4.2 Flow of System

    Figure 3 Flow of the system

    1. The Raspberry Pi, with Snort installed, connects to the router either via Wi-Fi or an Ethernet cable.

    2. Snort starts monitoring the packets going in and out of the network.

    3. If Snort detects malicious packets, it alerts the user and blocks the packets. Any action taken is recorded in a log file.

    4. Rules created in Snort are flexible: Snort can allow or block packets based on packet type, size, priority and severity. Several rules must be written carefully to prevent false alarms.

  • 26

    3.5 Configuration

    Configuring the Raspberry Pi and Snort is the most crucial step in this project. The ArchLinux ARM image must be written to the SD card with a tool such as UNetbootin, Rufus or Win32 Disk Imager, and ArchLinux should then be updated to the latest version. Snort must also be installed from within the ArchLinux operating system. The steps are as follows:

    1. Install Snort from the ArchLinux command line with: sudo pacman -S snort (the command and the package name are lowercase; if pacman cannot find the package, build it from the AUR).

    2. Modify /etc/snort/snort.conf to match the Raspberry Pi and its network.

    3. The edits include the home network IP address range (HOME_NET), the path to the rule files and which rule files to load when Snort runs.

    4. An updated rule set should also be downloaded from the Snort website.

    5. Check that the following path variables in snort.conf point to directories that exist (create them if necessary; relative paths are resolved from the directory containing snort.conf):

    var RULE_PATH /etc/snort/rules

    var SO_RULE_PATH ../so_rules

    var PREPROC_RULE_PATH ../preproc_rules

    var WHITE_LIST_PATH $RULE_PATH

    var BLACK_LIST_PATH $RULE_PATH

  • 27

    For the custom rule set, here are some example rules written according to packet type, size, severity, priority and packet source. Each rule has the form action protocol source-IP source-port -> destination-IP destination-port (options), and every option inside the parentheses, including the last one, ends with a semicolon. Rule actions are lowercase (alert, drop, pass), and local rules should use sid values of 1000000 or above, since lower numbers are reserved for the rules distributed with Snort.

    alert tcp any 23 -> any any (msg:"Traffic from Telnet port 23"; sid:1000001; rev:1;)

    This rule raises an alert for any TCP packet whose source port is 23, that is, traffic coming from a Telnet server. To restrict it further, replace "any 23 -> any any" with "(source IP) (source port) -> (destination IP) (destination port)". Note that the header alone does not identify a "TCP ping": a TCP connection attempt is recognised by its SYN flag, which can be required with the option flags:S;.

    drop udp any any -> any any (msg:"UDP packet dropped"; priority:1; sid:1000002; rev:1;)

    This rule alerts and drops the packet when Snort runs inline. As above, source and destination can be specified. Priority 1 is the highest priority, so these events are listed first by Snort. Be aware that this rule, as written, drops every UDP datagram, including DNS, DHCP and NTP, so in practice the header must be narrowed to the traffic that is actually unwanted.

    pass ip any any -> any any (msg:"Small payload allowed"; dsize:<1200; sid:1000003; rev:1;)

    To prevent false alarms a pass rule can be added. A pass rule tells Snort to let the matching packets through without alerting; source and destination are specified in the same way, and the payload size is given with dsize:<size, dsize:>size or an exact dsize:size. The assumption in this project is that malicious packets tend to be larger than normal traffic, but this is only a heuristic. Depending on the configured rule order (config order in snort.conf), pass rules can be evaluated before drop and alert rules, in which case a broad pass rule silently exempts everything it matches from the other rules.

  • 28

    Lastly, Snort is configured to start at boot. The system is then ready for the implementation and testing phases.

    3.6 Implementation

    Implementation is the phase in which the gathered information and tools are put into practice. It is the stage at which the methods and design prepared for this project are applied, and any changes found to be necessary are made here.

    3.7 Testing

    The system is tested and measured against several criteria. If all criteria are met without error, the system is deployed; if there are errors or modifications are needed, the flow of the project must be revisited to make it work as expected. The criteria are:

    Raspberry Pi can run Snort for real-time network monitoring

    Snort is able to take action when malicious packets are detected

    Snort starts automatically at boot

    3.8 Deployment

    In this phase the system is deployed. Deployment happens only once the system runs without errors and meets these three basic expectations:

    The system can monitor the network

    The system can enforce the rules set by the user. For example, if an attacker sends de-authentication packets, which attempt to disconnect devices from a particular network, Snort should block them. The rule is:

    drop tcp any any -> 192.168.43.73 any (msg:"De-authentication packet dropped"; sid:100004; classtype:attempted-dos; priority:2;)

    Snort has no severity option; severity comes from the classtype (attempted-dos is used here as an example), which classification.config maps to a priority, and the destination port must always be given (any here). Note also that 802.11 de-authentication frames are link-layer management frames carrying no IP or TCP header, so a tcp rule on the bridged interfaces never sees them; this expectation can only be met for attacks that arrive as IP traffic.

    The system can log the alerts and packets


    CHAPTER IV

    IMPLEMENTATION AND TESTING

    4.1 Introduction

    The previous chapter described the framework, the tools used and the research method. In this chapter the procedures and steps listed there are implemented and tested; where errors occur, the necessary changes are made.


    4.2 Installation

    4.2.1 Operating System

    Installation began with the operating system on the Raspberry Pi 3. Arch Linux ARM was proposed at first but was replaced by Raspbian, because partitioning the SD card for Arch Linux ran into several complications and errors: Arch Linux works well with an HDD-type disk but needs specific customisation for an SD card. Raspbian was therefore installed using NOOBS, a package that provides several trusted, working operating systems compatible with the Raspberry Pi. The installation took only 30 minutes.


    4.2.2 Updating and Configuring IP Address

    Raspbian is Debian-based, so it uses the same commands as Ubuntu. First, sudo apt-get update -y was run to refresh the package lists, then sudo apt-get dist-upgrade to upgrade every package that needed it. Once the update and upgrade completed, the device was rebooted to apply all the changes.

    Next the IP address of the device was checked. When connected to a network, ifconfig prints the addresses of every interface: a Wi-Fi connection appears under wlan0 and an Ethernet connection under eth0. With the addresses confirmed, the device is ready for the next steps.

    Figure 4: Raspberry Pi IP Address

    4.2.3 Snort Installation and Configuration of Directory

    First, several libraries are needed for Snort to build and run. Install them with:

    sudo apt install -y gcc libpcre3-dev zlib1g-dev libpcap-dev openssl libssl-dev libnghttp2-dev libdumbnet-dev bison flex libdnet

    These packages are the prerequisites Snort is built against. (On Raspbian the libdnet package is the DECnet library, unrelated to Snort; the dnet dependency Snort needs is met by libdumbnet-dev, already in the list, so libdnet can be left out.) Installation begins by creating a temporary build directory with "mkdir ~/snort_src" and entering it with "cd ~/snort_src". Download DAQ, the data acquisition library Snort uses to read and, in inline mode, forward packets, with:

    wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz

    Extract the archive and, inside the extracted directory, run "./configure && make && sudo make install". Next download Snort itself:

    wget https://www.snort.org/downloads/snort/snort-2.9.11.1.tar.gz

    Extract it and complete the build with "./configure --enable-sourcefire && make && sudo make install". If the Snort build complains that libdaq cannot be found, run sudo ldconfig first so the freshly installed shared library is registered.

    make install places the snort binary under /usr/local/bin; it does not create the configuration directory /etc/snort, so the directories and files Snort expects are made by hand:

    sudo mkdir -p /etc/snort/rules

    sudo mkdir /var/log/snort

    The rules file is created as follows:

    sudo touch /etc/snort/rules/local.rules

    Lastly, set the permissions and copy the configuration files out of the build directory ~/snort_src:

    sudo chmod -R 5775 /etc/snort

    sudo chmod -R 5775 /var/log/snort

    sudo cp ~/snort_src/snort-2.9.11.1/etc/*.conf* /etc/snort

    sudo cp ~/snort_src/snort-2.9.11.1/etc/*.map /etc/snort

    Figure 5: Snort Directory and Configuration Files

    Figure 6: Checking Snort Version

    4.3 IPS Configuration

    Snort can run in several modes. In this project it is configured for inline mode, which is what distinguishes an IPS from an IDS: Snort sits in the traffic path and can drop packets rather than only alert on them. With the afpacket DAQ, the two interfaces named on the command line (-i wlan0:eth0) are bridged, so the Pi must sit between the protected devices and the router rather than merely be attached to the network. The following lines of snort.conf were modified:

    1. At line 45, ipvar HOME_NET was set to the Raspberry Pi's network, 172.20.10.3/28, so that the IPS rules are scoped to it.

    2. At lines 163 and 164, the DAQ type and mode were set to afpacket and inline.

    3. At line 187, the log directory was set to /var/log/snort.

    4. From line 540, every include line was commented out with # except "include $RULE_PATH/local.rules".
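    The four edits above as they read in snort.conf, written out here as an added illustration rather than copied from the thesis's file. Line numbers shift between Snort releases, so search for the directive names instead. The RULE_PATH line is an assumption: the include on the last line only resolves if that variable points at the rules directory created in section 4.2.3.

```conf
# /etc/snort/snort.conf: the settings changed for inline (IPS) operation

# Step 1: the protected network that the rules and $HOME_NET refer to
ipvar HOME_NET 172.20.10.3/28

# Step 2: DAQ type and mode. afpacket in inline mode bridges the two interfaces
# named on the command line as -i wlan0:eth0; packets are only actually dropped
# when Snort is also started with -Q
config daq: afpacket
config daq_mode: inline

# Step 3: where alerts and packet logs are written
config logdir: /var/log/snort

# Step 4: only the hand-written rules are loaded; every other include stays
# commented out. RULE_PATH must point at the directory created in 4.2.3
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
```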

    Figure 7: Snort Configuration File [1]

    Figure 8: Snort Configuration File [2]

    Figure 9: Snort Configuration File [3]

    Figure 10: Snort Configuration File [4]

    Figure 11: Snort Configuration File [5]

    Figure 12: Snort Configuration File [6]

    Figure 13: Snort Configuration File [7]

    Figure 14: Snort Configuration File [8]

    Figure 15: Snort Configuration File [9]

    4.4 Writing Snort Rules

    This project uses a rule-based Intrusion Prevention System with custom rules instead of the rule sets published by Snort. The rules were stored in the local.rules file; local rules are meant for identifying and tracing new attack patterns, whereas the published rules cover known attacks. Each rule is specified by protocol, packet type, priority, source and destination. Before writing rules, open classification.config for the classtype names and the priority each one carries, with "sudo (editor) /etc/snort/classification.config". Figure 16 shows the classification.config file.

    Figure 16: Classification.config file

    Figure 17: Snort local.rules file

    Before running Snort, local.rules has to be validated. At the terminal, run:

    sudo snort -T -c /etc/snort/snort.conf -Q -i wlan0:eth0

    -T loads the configuration and every rule, reports any rule that fails to parse and exits; -Q selects inline mode and -i wlan0:eth0 names the bridged interface pair. The output is shown in Figure 18 below:

    Figure 18: Snort Rules Validation

    Snort was then started with:

    sudo snort -A console -Q -c /etc/snort/snort.conf -i wlan0:eth0

    -A console prints each alert to the terminal as it happens.

    The rules are based on research into securing home networks, which found that home networks are exposed to three main attacks: SSH, DDoS and FTP attacks. SSH attacks are attempts to gain access to devices on the network, so the first rule blocks every SSH attempt from outside the network:

    drop tcp any any -> 172.20.10.3 22 (msg:"SSH rejected"; gid:10003; rev:3; sid:4000003; classtype:attempted-user; priority:1;)

    If the administrator needs SSH on the network, Snort is told to allow it by specifying the administrator's IP address:

    pass tcp 172.20.10.2 any -> 172.20.10.3 22 (msg:"SSH From Admin"; sid:4000006; gid:10006;)

    Both rules match an SSH connection from the administrator, and the pass rule wins because Snort evaluates pass rules before drop rules by default (the --alert-before-pass option reverses this), so the administrator can SSH to devices on the network without being blocked. Two conventions are worth keeping in mind when writing such rules: the Snort manual reserves gid values of 100 and above for its preprocessors and leaves text rules at the default gid of 1, and sids of 1000000 and above are set aside for local rules. An example of this rule in operation is shown in the screenshots below.

    Figure 19: SSH attempt from the attacker's PC, which is unsuccessful

    Figure 20: Snort enforcing the rule; the alert names the type of attack and the source and destination of the packets

    The next rule blocks DDoS attacks from outside the network. A DDoS attack is harmful because it stops the device from providing its services, and the flood of packets can exhaust its memory and processor. The rule used was:

    drop tcp any any -> 172.20.10.3 80 (flags:S; msg:"TCP packets rejected, DDOS Attack from outside!"; flow:stateless; sid:4000001; gid:10001; classtype:attempted-dos; priority:2;)

    flags:S matches segments with only the SYN bit set, that is, every new connection attempt to port 80, and flow:stateless lets the rule fire without a tracked session. Note that the rule drops every external connection to port 80, legitimate or not; to drop only a flood, Snort's detection_filter option (track by_src, with a count over a number of seconds) can be added so that the rule fires only above a rate.

    Figure 21: A DDoS attempt that was unsuccessful because Snort blocked it. The proof is 100% packet loss, meaning no packets arrived at the destination

    Figure 22: Snort blocking the DDoS attempt

    Blocking attacks from outside is not enough to secure a home network, so rules were also created to prevent attacks from inside it. Here the Raspberry Pi itself was used as the attacker, simulating an attacker who has gained access to the user's network and uses it to attack others. The first attack is SSH from inside the network to the outside. The rule is:

    drop tcp 172.20.10.3 any -> any 22 (msg:"SSH Rejected, Attempted from Inside"; gid:10008; sid:40000008; classtype:attempted-user; priority:1;)

    Figure 23: A failed SSH attempt from the Raspberry Pi to another device

    Figure 24: Snort blocking the SSH attempt from inside the network to other devices

    The next rule blocks DDoS attacks from inside the network to the outside:

    drop tcp 172.20.10.3 any -> any 80 (flags:S; msg:"TCP packets rejected, DDOS Attack from inside!"; flow:stateless; sid:4000009; gid:10009; classtype:attempted-dos; priority:2;)

    This rule prevents any device on the network from starting a DDoS attack on an external web server, with the same caveat as its outside counterpart: it stops every new connection from that host to port 80, not only floods.

    Figure 25: A DDoS attempt from inside the network, which is unsuccessful

    Figure 26: Snort blocking the DDoS attempt from inside the network
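    The rules in this section, and those sketched in section 3.5, rely on two Snort behaviours: a malformed rule is refused when snort -T loads the file, and pass rules are evaluated before drop rules, which is what lets the administrator's SSH through. The following Python model, an added example that is not part of the thesis or of Snort, makes both visible: it parses rules in the local.rules syntax used above, reports the malformed shapes, and picks the winning rule for a packet. The packets in the test and the BAD_RULES list are constructed for the demonstration; only the header fields and the flags and dsize options are modelled, and $HOME_NET-style variables, content matching and flow tracking are left out.

```python
"""Model of how Snort 2 loads local.rules and picks the rule that acts on a packet.
Added example, not the thesis's or Snort's code: it refuses the malformed rule shapes
that `snort -T` refuses and applies Snort's default inline rule order (pass before
drop before alert before log). Only the header and the flags/dsize options are modelled."""
import ipaddress
import re

# Default order; --alert-before-pass would move alert/drop ahead of pass.
ACTION_ORDER = {"pass": 0, "drop": 1, "sdrop": 1, "reject": 1, "alert": 2, "log": 3}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
KNOWN_OPTIONS = {"msg", "sid", "gid", "rev", "priority", "classtype", "flags", "flow",
                 "dsize", "content"}   # any other keyword is rejected, as Snort's "Unknown rule option" is
HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def parse_rule(text):
    """Return a rule dict, or raise ValueError for a rule that snort -T would refuse."""
    match = HEADER.match(text.strip())
    if not match:
        raise ValueError("header must read: action proto src sport -> dst dport (options;)")
    rule = match.groupdict()
    rule["action"], rule["proto"] = rule["action"].lower(), rule["proto"].lower()
    if rule["action"] not in ACTION_ORDER or rule["proto"] not in PROTOCOLS:
        raise ValueError("unknown action or protocol in header")
    opts = {}
    for item in rule.pop("opts").split(";"):   # simplistic split: msg must not contain ';'
        if item.strip():
            key, _, value = item.partition(":")
            key = key.strip().lower()
            if key not in KNOWN_OPTIONS:
                raise ValueError("unknown rule option %r" % key)
            opts[key] = value.strip().strip('"')
    if "sid" not in opts:
        raise ValueError("rule has no sid")
    rule["opts"] = opts
    return rule

def validate_rules(lines):
    """[(line_number, error)] for each rule that would not load; blank and # lines are skipped."""
    problems = []
    for number, line in enumerate(lines, 1):
        if line.strip() and not line.lstrip().startswith("#"):
            try:
                parse_rule(line)
            except ValueError as exc:
                problems.append((number, str(exc)))
    return problems

def _ip_ok(spec, address):
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False) if spec != "any" else None
    return net is None or (ipaddress.ip_address(address) in net) != spec.startswith("!")

def _port_ok(spec, port):
    low, colon, high = spec.partition(":")      # "any", "22", "1024:" or "1:1023"
    return spec == "any" or (int(low or 0) <= port <= int(high or 65535) if colon else port == int(spec))

def _options_ok(opts, pkt):
    if "flags" in opts:                          # "S" = SYN only, "S+" = SYN plus any others
        want, have = opts["flags"], set(pkt.get("flags", ""))
        if not (set(want[:-1]) <= have if want.endswith("+") else set(want) == have):
            return False
    if "dsize" in opts:                          # payload size: N, >N or <N
        spec, size = opts["dsize"], pkt.get("dsize", 0)
        if spec[0] in "<>":
            return size < int(spec[1:]) if spec[0] == "<" else size > int(spec[1:])
        return size == int(spec)
    return True

def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and optional flags, dsize."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    return (_ip_ok(rule["src"], pkt["src"]) and _port_ok(rule["sport"], pkt["sport"])
            and _ip_ok(rule["dst"], pkt["dst"]) and _port_ok(rule["dport"], pkt["dport"])
            and _options_ok(rule["opts"], pkt))

def verdict(rules, pkt):
    """(action, sid) of the winning rule, or ("allow", None) when no rule matches."""
    hits = sorted((r for r in rules if rule_matches(r, pkt)), key=lambda r: ACTION_ORDER[r["action"]])
    return (hits[0]["action"], int(hits[0]["opts"]["sid"])) if hits else ("allow", None)

# The rules of section 4.4 with their syntax tidied (lower-case keywords, ';' after every option).
LOCAL_RULES = [
    'drop tcp any any -> 172.20.10.3 22 (msg:"SSH rejected"; gid:10003; rev:3; sid:4000003; classtype:attempted-user; priority:1;)',
    'pass tcp 172.20.10.2 any -> 172.20.10.3 22 (msg:"SSH From Admin"; sid:4000006; gid:10006;)',
    'drop tcp any any -> 172.20.10.3 80 (flags:S; msg:"DDOS Attack from outside!"; flow:stateless; sid:4000001; gid:10001; classtype:attempted-dos; priority:2;)',
    'drop tcp 172.20.10.3 any -> any 22 (msg:"SSH Rejected, Attempted from Inside"; gid:10008; sid:40000008; classtype:attempted-user; priority:1;)',
    'drop tcp 172.20.10.3 any -> any 80 (flags:S; msg:"DDOS Attack from inside!"; flow:stateless; sid:4000009; gid:10009; classtype:attempted-dos; priority:2;)',
]
RULES = [parse_rule(r) for r in LOCAL_RULES]

# Constructed malformed rules mirroring the slips seen in hand-written rule files.
BAD_RULES = [
    'alert tcp any any 23 -> any any (msg:"TCP Ping"; sid:100001;)',                      # port in the wrong field
    'pass any any -> any any (dsize:12000; sid:100003;)',                                  # protocol missing
    'drop tcp any any -> 192.168.43.73 any (msg:"Deauth"; sid:100004; severity:high;)',   # no such option
]
```

    verdict(RULES, packet) returns ("pass", 4000006) for the administrator's SSH SYN even though the drop rule sid 4000003 matches the same packet, which is the ordering the section relies on; the same SYN from any other address returns ("drop", 4000003), and an established (ACK) segment to port 80 returns ("allow", None) because flags:S matches only the first segment of a connection. validate_rules(BAD_RULES) reports all three constructed rules, for the same reasons snort -T would.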

    Summary

    In short, the Snort IPS was tested and ran as expected. Snort monitored the network, detected the attacks launched against it and prevented them, and the alerts and the actions taken were shown on the Snort console so that the user can identify the attacks detected.


    CHAPTER V

    DISCUSSION AND CONCLUSION

    5.1 Introduction

    This section describes the contributions of this project, the problems and obstacles encountered, and several improvements that could be made in future developments.

    5.2 Contributions and Significance of Work

    This system is intended for end users who want to secure their home network against malicious attacks. The custom rules help users identify attack patterns that differ from those in the downloaded rule sets, make them aware of attacks on their network and show them the importance of network security. The rules are based on research into home network vulnerabilities, namely SSH, DDoS and FTP.


    5.3 Obstacle/Problem of current work

    Only one problem was faced during development. The proposed system was supposed to use Arch Linux as the operating system, but because the SD card partitions could not be configured for Arch Linux, Raspbian was used instead. Raspbian is much easier to configure, as it was built specifically for the Raspberry Pi. Arch Linux worked well with an embedded drive rather than removable storage: the SD card partition could not be fully used, and after several attempts at configuration the problem remained, so the solution was to switch to Raspbian.

    5.4 Recommendations for Future Works

    This project could be extended in several ways. Snort can be configured to also e-mail the user about attacks that occur on the network. Snort and its configuration could be packaged as a ready-made appliance image, so that the device runs nothing but the IPS and the whole system is dedicated to securing the home network. Lastly, a database could be created to store Snort's logs; querying a database is far more convenient than searching pcap files on disk.


    5.5 Conclusion

    This project aims to provide a secure network by implementing a Snort IPS on a Raspberry Pi in a home network. With an IPS at a reasonable price, users can secure and monitor their network without spending unnecessary resources on a company-grade IPS for home use. The project also gives home users knowledge of attack patterns, open source software and network security, and it is hoped that they become aware of the attacks that occur in this era.


    REFERENCES

    1. Methods of Securing Home Network, NCSA TEAM, October 2012. www.indestructibles.com/securinghomenetwork

    2. Understanding and Configuring Snort Rules, Rapid7 Blogs, 9 December 2016. www.blog.rapid7.com/understanding-and-configuring-snort-rules

    3. Simple IPS Configuration On Linux, IBM TEAM, 14 September 2012. www.ibm.com/developments/works/IPS

    4. ARM Processor Specifications and Capabilities, ARM Holdings. www.arm.com

    5. Raspberry Pi Comparisons, The MagPi. www.raspberrypi.org/magpi

    6. Snort Manual on Writing Rules and Command Definitions. http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node1.html

    7. Comparisons of Raspberry Pi Models. http://socialcompare.com/en/comparison/raspberrypi-models-comparison

    8. Best IPS for Home Network. https://www.pcworld.com/article/2466120/startup-builds-intrusion-prevention-system-for-home-networks.html

    9. IDS and IPS Comparisons. https://www.rokasecurity.com/ids-vs-ips/

    10. Importance of Securing Home Network
    a. https://opensourceforu.com/2011/01/importance-of-intrusion-prevention-systems/
    b. https://searchsecurity.techtarget.com/Do-you-need-an-IDS-or-IPS-or-both

    11. Home Network Vulnerabilities
    a. https://www.computerweekly.com/feature/The-security-dangers-of-home-networks
    b. https://www.theguardian.com/technology/2017/oct/16/wpa2-wifi-security-vulnerable-hacking-us-government-warns
    c. https://www.techrepublic.com/article/why-companies-should-worry-about-network-vulnerabilities-following-employees-home/

    12. Importance of Network Security Knowledge
    a. https://www.herzing.edu/blog/what-network-security-and-why-it-important
    b. https://www.information-age.com/importance-creating-cyber-security-culture-123465778/
    c. https://www.newhorizons.com/resources/article/articleid/40166038/title/why-a-lack-of-network-security-knowledge-could-be-your-companys-cyber-blind-spot

    13. Common Cyber Attacks
    a. https://blog.netwrix.com/2018/05/15/top-10-most-common-types-of-cyber-attacks/
    b. https://www.rapid7.com/fundamentals/types-of-attacks/
    c. https://www.csoonline.com/article/2616316/data-protection/the-5-types-of-cyber-attack-youre-most-likely-to-face.html

    14. Raspberry Pi Intrusion Detection System and Firewall. http://www.instructables.com/id/Raspberry-Pi-Firewall-and-Intrusion-Detection-Syst/

    15. Arch Linux ARM Specifications, Reviews and Guides. https://www.archlinux.com/Raspberry-Pi-3/description-guides