
  • 7/22/2019 Snort Installation.pdf


    MODULE 3 Snort Installation

    About This Module

    This module covers the entire installation process, including some of the additional components used to better manage, store and receive alert feedback. To make this work properly, several additional supporting packages will be installed as well. This installation will be performed on a Linux platform since all of the tools required to do an installation are freely available.

    Module Objectives:
    - Build a secure OS foundation
    - Understand the basic installation process
    - Install from a combination of RPM packages and source code
    - Discuss RPM package update tools
    - Perform installation and initial configuration
    - Test the installation


    Slide 34

    Snort Installation

    Building a Secure OS Foundation

    The platform on which your Snort installation resides is as critical as any component of the installation. It is good practice to have the operating system on which you will install Snort and its components prepared and in a secure state. While a precise step-by-step how-to tutorial on building a secure OS is beyond the scope of this class, we will present the fundamentals of building a secure OS. There are many techniques that can be employed and an equally large number of opinions on how to deploy a secure OS, so it is critical that you do some research to come up with a secure configuration that makes sense for the environment in which you will deploy your Snort sensors.

    Major Issues to Consider

    The list below contains some of the most prominent issues that should be addressed when constructing a secure OS platform:
    - Unnecessary services
    - Default accounts and settings
    - Review the installation, including the OS and installed packages, for security issues
    - Obtain and install the latest security patches
    - Continuously monitor newsgroups and mailing lists for security information that might affect your installation
    - If applicable, a local firewall is a good idea to block access to ports other than those you intend to use
    - Check your organization's security policy for guidelines on password usage and account privilege administration

    Class OS Installation

    The OS platform that has been provided is based on CentOS. It was installed with a minimal set of applications: basically, there is enough to boot the system and compile and install the software packages we will need to complete our Snort deployment. The local firewall has been enabled and configured to only allow incoming connections on ports 22 (ssh), 80 (http) and 443 (ssl). From a security perspective, it makes sense to disable access to port 80 once your installation is up and running; this leaves remote access to your sensor available only via secure, encrypted protocols.
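    A quick way to act on the "unnecessary services" and "local firewall" points above is to compare what the sensor is actually listening on with the ports the firewall is meant to expose. The script below is an added example, not part of the course material: it reads the LISTEN lines of `ss -tln` (fourth column is local address:port), treats loopback-bound sockets such as MySQL as local-only, and flags any other listener whose port is not in the allowed list. The sample output it parses is constructed; the allowed list follows the class firewall (22, 80, 443) and then the tightened set with port 80 removed.

```shell
#!/bin/sh
# Added example, not from the course material: audit a sensor's listening TCP
# sockets against the ports the local firewall is meant to expose (22, 80, 443
# in the class build; 80 is dropped once the web front end is no longer needed).
# Input is the LISTEN lines of `ss -tln`. The sample below is constructed.

SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128    0.0.0.0:111         0.0.0.0:*
LISTEN 0      128    [::]:443            [::]:*'

# audit_listeners "ALLOWED PORTS" < ss-output
# Prints "loopback-only <addr>" for sockets bound to 127.x / ::1 (reachable
# only from the host itself, e.g. the MySQL server) and "UNEXPECTED <addr>"
# for any other listener whose port is not in the allowed list; listeners
# that match the firewall policy print nothing.
audit_listeners() {
    allowed=" $1 "
    while read -r state recvq sendq laddr peer; do
        [ "$state" = "LISTEN" ] || continue      # skip the header line
        port=${laddr##*:}                         # text after the last colon
        addr=${laddr%:*}                          # everything before it
        case "$addr" in
            127.*|'[::1]'|::1) echo "loopback-only $laddr"; continue ;;
        esac
        case "$allowed" in
            *" $port "*) ;;                       # permitted by firewall policy
            *) echo "UNEXPECTED $laddr" ;;        # service to disable or block
        esac
    done
}

# count_unexpected "ALLOWED PORTS" < ss-output -> number of UNEXPECTED lines
count_unexpected() {
    audit_listeners "$1" | grep -c '^UNEXPECTED'
}

# With the class policy only the rpcbind-style listener on 111 is flagged;
# with port 80 removed from the policy, the web server is flagged as well.
printf '%s\n' "$SAMPLE_LISTENERS" | audit_listeners "22 80 443"
printf '%s\n' "$SAMPLE_LISTENERS" | audit_listeners "22 443"
```

    Run it against live output with `ss -tln | audit_listeners "22 443"` once the functions are sourced. Anything reported as UNEXPECTED is either a service to remove (the first item in the list above) or a port the firewall must block; a loopback-only listener is fine as long as it stays loopback-only.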


    Slide 36


    Pre-installation Items

    The Base OS

    The base operating system was prepared to facilitate the installation of Snort and the tools you will install alongside Snort for alert analysis and storage. If you are building an installation from scratch, use the following guidelines:

    Since the CentOS Linux distribution is largely RPM based, you can take advantage of tools such as 'yum' to install and update packages as needed. yum is a straightforward, command line application for managing RPMs. Without any configuration of the tool, it is preconfigured to point to some default RPM repositories, so it can be used right away. You can configure yum to point to specific repositories, but that discussion goes beyond the scope of this class. yum also has the ability to resolve and fetch package dependencies. This feature will save a lot of time and effort over manual package management. To use yum, see the following examples:

    yum install <package> - This syntax fetches the package and its dependencies, if any exist, from the package repository. Note that only the base package name is necessary; yum will pull down the most up-to-date version.

    yum update <package> - This syntax can be used to update a previously installed package.

    yum list installed - This command lets you see what packages are already installed on your system. It also accepts wildcard characters, whereas the previous two examples do not.

    yum list available - This queries the yum repositories for packages available for download. It too accepts wildcards to facilitate your searches.

    The base OS was initially configured with the following pre-installed:
    - The Apache web server
    - MySQL Server - MySQL Database Server
    - Development Tools - Compilers and other packages needed for building Snort


    - Applications added after initial OS configuration:
      - The MySQL database development libraries - The package listed below was installed with the following command: yum install
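    The yum commands and package lists above are easy to turn into a pre-installation check: read `yum list installed`, strip the architecture suffix, and report which of the expected base packages are absent, together with the single `yum install` line that would fetch them (dependencies resolved by yum, as described above). This script is an added example, not part of the course material. The yum output it parses is constructed in the CentOS 5 era format (name.arch, version, "installed"), and the package names are assumptions, since the module names components rather than packages: httpd for the Apache web server, mysql-server for the MySQL server, gcc as a stand-in for the Development Tools group, and mysql-devel for the MySQL development libraries.

```shell
#!/bin/sh
# Added example, not from the course material: compare `yum list installed`
# output with the packages the base OS is expected to carry before Snort is
# built. Sample output is constructed; package names are assumed (see lead-in).

SAMPLE_YUM_LIST='Installed Packages
gcc.i386                     4.1.2-44.el5            installed
httpd.i386                   2.2.3-22.el5            installed
mysql.i386                   5.0.45-7.el5            installed
mysql-server.i386            5.0.45-7.el5            installed'

# missing_packages PKG... < yum-list-installed-output
# Keeps lines that look like "name.arch version repo", strips the ".arch"
# suffix, and prints (one per line) every required base name not present.
missing_packages() {
    installed=" $(awk 'NF >= 3 && $1 ~ /\./ { sub(/\.[^.]*$/, "", $1); printf "%s ", $1 }') "
    for pkg in "$@"; do
        case "$installed" in
            *" $pkg "*) ;;           # already installed
            *) echo "$pkg" ;;        # absent: must be fetched
        esac
    done
}

# install_command PKG... < yum-list-installed-output
# Prints the one yum command that would fetch the missing packages (yum
# resolves their dependencies), or nothing if the base OS already has them.
install_command() {
    missing=$(missing_packages "$@" | tr '\n' ' ')
    missing=${missing% }                         # drop trailing space
    if [ -n "$missing" ]; then
        echo "yum install $missing"
    fi
}

# Against the constructed sample only mysql-devel is missing.
printf '%s\n' "$SAMPLE_YUM_LIST" | install_command httpd mysql-server mysql-devel gcc
```

    On a real host the same functions are driven with `yum list installed | install_command httpd mysql-server mysql-devel gcc`. Printing the command rather than running it keeps the check read-only, so it can be run by someone reviewing a sensor build without changing it.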

  • 7/22/2019 Snort Installation.pdf

    5/21

    Slide 38

    Graphical Interface and Alert Analysis Tools

    There are several open source interface options for managing alerts you can choose from. For class purposes, BASE is the interface that will be used. The items below represent the packages needed to run BASE in addition to other graphical tools presented in this module.
    - base-1.4.5
    - adodb - Database abstraction libraries for PHP
    - Packages to support the charting capabilities of BASE:
      - Image_Canvas
      - Image_Color
      - Image_Graph

    Pre-installation

    Prior to performing the Snort installation for this module you should familiarize yourself with the network environment.
    - Network settings and virtual network topology
    - The login credentials for all the devices
    - Verify that all the devices and services you expect are up and running

    Review the diagram on the following page for details of the virtual network topology and the devices in your environment.


    Slide 40


    About The Virtual Network

    The virtual network for the class consists of five separate zones. The zones are described below in addition to the hosts located in each:
    - General Network Environment - This environment consists of the devices connected to VMNet1 (192.168.133.0/24)
      - Student Desktop - The student host OS running a variety of tools
      - Rugila - Linux server running SMTP & IMAP servers
      - Attila - Linux host with scanners and attack tools
    - DMZ - This environment consists of the devices connected to VMNet2 (192.168.10.0/24)
      - Bleda - Linux server running HTTP & FTP services
      - Lamp - Linux server with MySQL & HTTP services
    - Management Network - This environment consists of the devices connected to VMNet4 (192.168.111.0/24). This network segment is used for the management interfaces of your Snort sensor and DMZ hosts.
      - snortbox - Your Snort sensor. This host also has a second interface facing the General Network zone. This interface has no IP address and will be used as the sensing interface for your sensor.
    - Gateway Zone - This environment consists of the devices connected to VMNet5 (192.168.222.0/24)
      - router - This device is running the DNS server for the sfsnort.com domain. It has 4 interfaces and serves as the central point of ingress and egress between the virtual network and the classroom network.
    - Classroom Network - This environment consists of everything external to VMNet5

    The entire infrastructure has been given the domain name sfsnort.com. Since there is a DNS server servicing the network, all of the hosts are reachable by name. The host student desktop can be used as your primary desktop. It contains tools to allow you to remotely shell into snortbox for the installation labs. Alternatively, you can work directly in the snortbox virtual machine, which has a graphical environment installed so you can use the GUI tools that are available.


    Slide 41


    Initializing The Virtual Network Infrastructure

    The virtual machines in the training infrastructure are configured as members of a VMware team. This will allow you to initialize the devices in tandem rather than as individual virtual machines. Use the following instructions to start the virtual infrastructure:
    1. Double click the VMware application icon on your desktop.
    2. From the File menu, select Open.
    3. In the Open dialog box, navigate to the desktop and open the folder called "3D_xxxx_Infrastructure". In that folder, double click the icon called "3D_xxxx_Infrastructure.vmtm".
    4. Right click on the 3D2500 virtual machine and select "Remove from Team". Close the tab containing the 3D2500 VM.
    5. Right click on the DC1000 virtual machine and select "Remove from Team". Close the tab containing the DC1000 VM.
    6. From the File menu, select Open. From the "3D_xxxx_infrastructure" folder open the sub-folder "Snortbox_4.0". Double click on "Snortbox_3.0.vmx".
    7. Click the green triangular icon to start the virtual machines (be sure to start the team and Snortbox). Allow at least three minutes for them to initialize. You will note that a tile bar displays in the VMware application window where each tile represents one of the virtual machines in the infrastructure. One way to tell that the virtual hosts have initialized is to watch for the login prompt in the last tile.

    Exploring The Virtual Infrastructure

    The initialization process for the hosts in your virtual infrastructure should now be complete. You should take some time to log in to the various hosts and familiarize yourself with the environment. Also, use the diagram at the beginning of this module as a reference to get a feel for the zones.
