IMPLEMENTING SNORT AS IPS ON RASPBERRY PI
SYED MOHAMMAD IDRUS BIN SYED OTHMAN
BACHELOR OF COMPUTER SCIENCE (COMPUTER NETWORK AND SECURITY) WITH HONOURS
UNIVERSITI SULTAN ZAINAL ABIDIN
2018
IMPLEMENTING SNORT AS IPS IN RASPBERRY PI
SYED MOHAMMAD IDRUS BIN SYED OTHMAN
Bachelor of Computer Science (Computer Network Security) with Honours
Faculty of Informatics and Computing
Universiti Sultan Zainal Abidin, Terengganu, Malaysia
MAY 2017
DECLARATION
I hereby declare that this report is based on my original work except for quotations and
citations, which have been duly acknowledged. I also declare that it has not been
previously or concurrently submitted for any other degree at Universiti Sultan Zainal
Abidin or other institutions.
______________________________
Name : Syed Mohammad Idrus Bin Syed Othman
Date : ..................................................
LIST OF FIGURES
FIGURE PAGE
Figure 1: Agile Development 19
Figure 2: Framework 23
Figure 3: System Flow 25
Figure 4: IP Addresses 33
Figure 5: Snort Directory and Files 36
Figure 6: Snort Version Check 37
Figure 7: Snort File Configuration 39
Figure 8: Snort File Configuration 30
Figure 9: Snort File Configuration 41
Figure 10: Snort File Configuration 42
Figure 11: Snort File Configuration 43
Figure 12: Snort File Configuration 44
Figure 13: Snort File Configuration 45
Figure 14: Snort File Configuration 46
Figure 15: Snort File Configuration 47
Figure 16: Classification.config file 49
Figure 17: Snort local.rules file 50
Figure 18: Rules Validation 51
Figure 19: SSH Attack From Outside Network 53
Figure 20: Snort Responses on SSH Attack 54
Figure 21: DDoS Attack from Outside Network 55
Figure 22: Snort Responses on DDoS Attack 56
Figure 23: SSH Attack from Inside Network 57
Figure 24: Snort Responses on SSH Attack 58
Figure 25: DDoS Attack from Inside Network 59
Figure 26: Snort Responses on DDoS Attack 60
LIST OF ABBREVIATIONS
IPS Intrusion Prevention System
IDS Intrusion Detection System
ARM Advanced RISC Machine
RISC Reduced Instruction-Set Cycle
ABSTRACT
Nowadays, the use of the Internet is almost compulsory in our daily lives. From school to work, the Internet has become a medium of communication involving many parties, for example the use of Skype for video broadcasting. The Internet shares and transmits data in the form of packets, and each type of communication uses packets of a different size. The speed of transmission depends on the type of connection used by the user, for instance fibre Internet. However, users are not aware of the malicious packets in their network environment. Attackers use these malicious packets to upload viruses or harmful programs in order to steal or damage users' devices or data. To address these problems, users can install an Intrusion Prevention System (IPS) in their home network. An IPS is an advanced Intrusion Detection System (IDS) with an added function: instead of only monitoring, detecting and alerting the user about malicious packets, an IPS can also prevent a malicious packet by dropping it. An IPS needs only a medium-performance computer to operate, and in this case the IPS is implemented on a pocket-sized computer called the Raspberry Pi 3 Model B. This device is now widely used in many fields and can also serve as a network security system. The application used for the IPS is Snort, an open source intrusion detection and prevention system that operates according to a set of rules. These rules can be customised by the user or downloaded directly from the Snort website. This type of IPS is a mobile IPS that can be used with many computers: instead of installing the IPS on the computer, the user can just plug in the Raspberry Pi and surf the Internet securely.
ABSTRAK
Nowadays, using the Internet has become an obligation in our lives. From school to the workplace, the Internet has become the intermediary between one person and another. The Internet has also become an arena for us to communicate and share opinions with our friends, including family. However, Internet users pay no attention to users with malicious intent towards them. Such users may be able to upload or send viruses or software that can steal data or damage electronic devices in the user's network. For that reason, home Internet users can use an Intrusion Prevention System (IPS). An IPS is a cyber intrusion prevention system created to protect the home Internet network. The system is able to identify the packets leaving and entering the home Internet network. An IPS can now run on microcomputers such as the Raspberry Pi. An example of an IPS is Snort. Snort is flexible software that operates using guidelines or "rules" that can be downloaded or set by the user. Furthermore, an IPS running on a Raspberry Pi is a portable IPS, and can carry out its task as soon as the device is connected to the home Internet network.
CONTENTS
PAGE
DECLARATION ii
LIST OF FIGURES iii-iv
LIST OF ABBREVIATIONS v
ABSTRACT vi
ABSTRAK vii
CONTENTS viii-xi
CHAPTER I INTRODUCTION
1.1 Background 1-2
1.2 Problem Statement 3
1.3 Objectives 4
1.4 Scope of Project 5
1.5 Limitations 6
CHAPTER II LITERATURE REVIEW
2.1 Introduction 7
2.2 Intrusion Prevention System 7
2.2.1 Rule-Based Detection 8
2.3 Snort 8
2.3.1 Snort Signatures 9
2.3.2 Snort Rules 9
2.4 Raspberry Pi 10
2.4.1 Raspberry Pi Model 2 11
2.4.2 Raspberry Pi Model 3 B 11 – 12
2.5 ArchLinux ARM Edition 13
2.6 ARM Processors by ARM HOLDINGS 13
2.7 Snort as IPS Inline on Linux 14
2.8 Raspberry Pi Firewall and Intrusion Detection System 15
2.9 Comparison between IDS, IPS and Firewall 16
2.9 Best Intrusion Prevention System for Home PC 17
CHAPTER III METHODOLOGY
3.1 Introduction 18 - 19
3.2 Planning 20
3.3 Requirements 20 - 21
3.4 Design 22
3.4.1 Framework 23 - 24
3.4.2 Flow of System 25
3.5 Configuration 26 - 28
3.6 Implementation 28
3.7 Testing 28
3.8 Deployment 29
CHAPTER IV IMPLEMENTATION AND TESTING
4.1 Introduction 30
4.2 Installation 31
4.2.1 Operating System 31
4.2.2 Updating and Configuring IP Address 32 - 33
4.2.3 Snort Installation and Directory Configuration 34 - 37
4.3 IPS Configuration 38 - 47
4.4 Writing Snort Rules 48 - 60
Summary 60
CHAPTER V DISCUSSION AND CONCLUSION
5.1 Introduction 61
5.2 System Contribution 61
5.3 Obstacle/Problems 62
5.4 Future Works 62
5.5 Conclusion 63
REFERENCES 64 - 66
CHAPTER I
INTRODUCTION
1.1 Background
The Internet has become one of the most important platforms for everyone. It is used as a medium for communication, learning, broadcasting, business and much more. However, every human creation has its own vulnerabilities, and for the Internet it is the security of data. Attackers will try to breach any home or company network by all means if the data they intend to steal may benefit them; a larger network means a larger intrusion potential. Over time, many precautionary steps have been taken to improve on network security weaknesses, in order to patch or prevent the intrusion of malicious packets into the network. However, most of these steps have only been applied in large companies. Small home networks receive less attention, and their users do not know how malicious packets may enter their network. Therefore, it is crucial to take a closer look at how home users can protect their network and data.
In order to overcome network intrusion effectively, users need to apply an Intrusion Prevention System (IPS) in their home network. An IPS is an advanced version of an IDS (Intrusion Detection System), with several additional capabilities such as dropping and blocking malicious packets. An IPS is also a real-time monitoring system, which starts its work immediately after it has been configured properly. However, most people think that an IPS is only suitable for large companies, since companies can provide the resources and IT consultants to do services and maintenance.
Thanks to the invention of new technologies in the modern world, an IPS can nowadays be implemented in a home network environment using open-source software, for example the Snort and Bro intrusion detection and prevention systems. In addition, the software can be installed on a compact computer, the Raspberry Pi, which can be obtained at an affordable price and offers high flexibility in setting the rules for the software. With these characteristics, a secure home network environment can be achieved efficiently and at low cost.
1.2 Problem Statement
Nowadays, many cases of cyber-crime are reported, and most of them involve intrusion, data theft and exploitation. With the contemporary security measures that have been developed, these cases can be reduced, but the steps needed require a lot of resources. Although several software products offer the capability of detecting intrusion, attackers are free to do anything once they have entered the network. With an IPS, real-time protection is enforced, and the IPS is capable of blocking and dropping any malicious packets from the attacker.
With the recent development of new and advanced computers like the Raspberry Pi, this low-cost precautionary method can be adopted by home users to secure their home network. The Raspberry Pi also supports different types of operating systems and open source software.
1.3 Objectives
There are three objectives to be achieved in this project. The objectives are as follows:
a. To study the applicability of the Raspberry Pi as an Intrusion Prevention System (IPS).
b. To configure the Raspberry Pi and implement an Intrusion Prevention System on it.
c. To test the performance of the IPS developed in a real home network environment for personal use.
1.4 Scope of Project
This project covers the design of an Intrusion Prevention System (IPS) that operates in real time in a home network environment. The IPS will monitor, alert on and prevent malicious packets from outside and inside the network, and also send a log report to the user. The scopes of this project are:
a. To configure and run the Raspberry Pi correctly and ensure it runs smoothly as expected
b. To configure Snort to detect and prevent malicious packets from entering the home network environment
c. To install an open-source operating system and the IPS on the Raspberry Pi
1.5 Limitation
There are several limitations in this project. Firstly, the Raspberry Pi is a device that relies on a steady power supply to run properly. A battery is not suitable because the IPS needs high CPU power for the software to run smoothly; therefore the user may need to use a USB cable to supply sufficient electrical energy to the Raspberry Pi. The next limitation is that Snort has no graphical interface: all processes and commands need to be carried out in the terminal or command prompt. Lastly, Snort stores its log file on disk rather than in a database, so slight data redundancy may occur if the time and date are not configured properly.
CHAPTER II
LITERATURE REVIEW
2.1 Introduction
In this section, we discuss existing journals and articles that support this project. The information found provides further understanding of the project and of its advantages and disadvantages. This chapter also provides information about the software and hardware that will be used in this project.
2.2 Intrusion Prevention System (IPS)
An IPS is software or a tool developed to detect and prevent malicious packets from entering or leaving a computer or network [9]. An IPS is also used to prevent the exploitation of vulnerabilities. It is active software that can act according to the rules or methods used to detect intrusion, and it can monitor, detect, block and log the actions taken for the user [8]. Methods of detecting intrusion are very flexible, since each attack has its own pattern. Therefore, most IPSs come with a default detection method, but users can customise them to detect and prevent possible unknown attacks [9].
2.2.1 Rule Based Intrusion Detection
Rule-based intrusion detection is a technique for detecting intrusion based on predefined rules set by the developer of the intrusion system, or created by users [9]. Within this type there are anomaly detection and penetration identification. Anomaly detection detects attacks and intrusions based on their behaviour and signature, and also on previous attack patterns [3]. Penetration identification requires a security expert, who sets up rules to search for malicious software or abnormal packet behaviour in the network [2].
2.3 Snort
Snort is open source software that functions as both an IDS and an IPS [2]. It was created by Martin Roesch. It supports most operating systems but works best with Linux. Snort is a very handy, user-friendly tool capable of providing real-time protection [2]. It can monitor and analyse network traffic on a single device or even a whole network. It can also sniff packets, which makes it a powerful intrusion detection system, and it has functions to block packets or devices from accessing the network. It applies signatures and rules to monitor network traffic [10].
2.3.1 Snort Signatures
Signatures in Snort are rules collected from previous attacks. Those patterns are recorded and stored in a database or in the memory of the Snort application, and are then used by Snort to identify future attacks [3]. However, this approach applies to known attacks only: if an attack uses a new type or pattern, Snort will not be able to take action [2].
2.3.2 Snort Rules
Rules in Snort are predefined by the user or downloaded from the Snort website. A rule is enforced once it has been saved and validated in the Snort configuration file [3]. Unlike signatures, rules do not require previous attack patterns, but they do require deep analysis of packet contents and types [2]. In other words, this type of detection requires the user to know which types of packets to allow or block in the network. This type of detection is more efficient than signature-based detection, since signatures are more exposed to new, unidentified malicious packets [6].
2.4 Raspberry Pi
The Raspberry Pi is a series of small single-board computers developed in the United Kingdom by the Raspberry Pi Foundation to promote the teaching of computer science in developed countries [5]. It was first introduced in February 2015 as the Raspberry Pi Model Zero [5]. The Raspberry Pi is used in many fields nowadays, from learning to business, theft detection and assisting people in daily life [7]. Its processor was developed by ARM Holdings; such processors are suitable for small compact devices and are also equipped with an on-chip graphics processing unit. Performance varies, and the fastest Raspberry Pi has a 1.4 GHz processor with 1 GB of RAM [4]. The first and second generations of the Raspberry Pi are not compatible with operating systems other than Raspbian. However, the third generation, the Raspberry Pi 3 Model B, is able to run different operating systems and other open source software, which gives the user wider use of the device [6].
2.4.1 Raspberry Pi Model 2
The Raspberry Pi 2 Model B was introduced in February 2014. It comes with a powerful ARMv7 Cortex processor running at 900 MHz. It has 4 USB ports and 1 HDMI port, and can use a plugged-in micro USB power source of up to 1.2 A [5]. It also has a microSD slot that accepts cards of up to 32 GB. Its RAM is 1 GB, which is quite high for a small computer. The previous model, the Raspberry Pi 1, was mostly used for building robots and other small devices. This model has wider capabilities and can even serve as a user's main PC, since its performance is high [7]. However, only three operating systems are compatible with this minicomputer: Windows 10, Ubuntu and Raspbian [7].
2.4.2 Raspberry Pi 3 Model B
In 2016, Raspberry introduced a new and enhanced model, the Raspberry Pi 3 Model B. It has an ARMv8 Cortex processor, considered one of the most powerful microprocessors produced by ARM Holdings [4]. It is a quad-core processor clocked at 1.2 GHz with 1 GB of RAM [7]. This model is capable of most normal computer operations. It even has a wireless LAN (Wi-Fi) adapter. Other components are the same as in the previous model, except that it supports a power source of up to 2.5 A. In terms of software, it supports several open-source and paid operating systems such as Ubuntu, Kali and Windows. Furthermore, most software innovation and microcomputer use has been done with this version of the Raspberry Pi [5].
2.5 ArchLinux Arm Edition
Arch Linux is a Linux-based operating system distribution for computers, introduced in March 2002 [15]. It is described as a "Keep It Simple, Stupid" operating system. Furthermore, it is suitable for ARM microprocessors, since its instruction set is simple and versatile [15]. Lastly, Arch Linux gives the user total control [15]; this characteristic enables users to allocate the amount of RAM, disk usage and GPU usage exactly as they wish. In fact, this operating system has succeeded in becoming a platform for software that detects intrusion in a network.
2.6 ARM Processors by ARM Holdings
Advanced RISC Machine (ARM) is a holding company that has developed microprocessors since 2011 [4]. ARM processors are fast because their architecture is simple and uses fewer transistors than other types of processor [4]. The Cortex family of ARM processors is the most widely used in mobile phones, microcomputers, embedded systems, laptops and tablets [4]. The simple architecture also reduces the heat produced by the processor and maximises CPU speed. Lastly, Android has also been proven to work perfectly with ARM processors [4].
2.7 Snort as IPS Inline on Linux
Snort is mostly used as an IDS, only to monitor, detect and alert the user about malicious packets detected in a network. However, it can be modified into an IPS, which is active and takes action when it detects a network intrusion. Firstly, the network card of the device should be configured and tested so that Snort can run smoothly [3]. Next, several of the Snort rules are modified to make it an IPS [3]. If any malicious packets are detected, it can drop or block the packet and also alert you about the action taken. However, when setting the rules you should be specific and careful to prevent false alarms; it would be wasteful for Snort to detect a false intrusion. Therefore, you should specify the type, size, priority and even the behaviour of the packets so that Snort is able to identify an intrusion [3].
2.8 Raspberry Pi Firewall and Intrusion Detection System
Nowadays, home users are not aware of intrusion and hijacking within their network. Most people have their own home network, equipped with high-speed Internet. However, the term 'home network' leads users to pay no attention to viruses or malicious packets entering their network, since they think no sensitive or critical files are stored there [11]. IPSs and IDSs are mostly used only in large companies, since setting up the system requires a lot of resources, including money, technicians, services and maintenance [9]. However, thanks to several advanced and affordable technologies, you can now secure your home network. You will need a Raspberry Pi 3 Model B, the Snort software, an Internet connection and a few electronic devices to set up your network protection [14]. The steps for configuring an IPS in a home network are easy, and it takes at most a day to complete your network protection [12]. By doing this you can protect your network from intrusion and save your devices from being hijacked by irresponsible hackers. The IPS can also alert you about any malicious packets it detects. Now you can protect your network efficiently without spending a lot of money.
2.9 Comparison between IDS, IPS and Firewall
An Intrusion Detection System, an Intrusion Prevention System and a firewall are three systems that share some characteristics but differ in the way they work [10]. An IDS is a passive system that monitors packet contents and headers in a network and detects intrusion from rules or attack signatures [9]. It will only alert users about an intrusion and log the alert in a file. An IPS is an active system that works basically like an IDS, except that it acts on behalf of the user to block or allow packets entering the network [9]. An IPS also alerts users while logging its actions in a file. A firewall is the first line of defence; it monitors packets based on a policy, and packets that do not match the policy are rejected [9]. In short, a firewall monitors only packet headers and does not care about the packet contents. So, in a network there should be both an IPS and a firewall. An IDS is not needed, since an IPS is an advanced version of an IDS.
2.9 Best Intrusion Prevention System for Home PC
IPSs are created by developers around the world to answer attacks on PCs in a network that hijack, steal and damage users' files [10]. An IPS is quite similar to a firewall, except that it can detect and block packets from outside or inside the network. Now you can protect your PC from unwanted malicious packets. One of the best IPSs recommended here is Snort, one of the best open source tools created for detecting and blocking malicious packets [8]. It can monitor traffic in real time and detect a variety of attacks based on rules or signatures, and users can even customise the rules according to their needs [8]. Snort can also log the attacks and the actions taken in a file. Snort can also be used as a sniffer, to sniff ports or packets that are vulnerable to attacks [8]; sniffing with Snort also produces a log that serves as evidence.
CHAPTER III
METHODOLOGY
3.1 Introduction
The development of this project is based on the Agile Development methodology. This model was chosen because several steps are repeated; the repetition allows the project to be modified if necessary. The phases of this project are as follows: Planning, Requirement Analysis, Design, Implementation, Testing and Deployment. The figure below shows the steps based on Agile Development:
Figure 1 Phases of Agile Development Cycle
3.2 Planning
Planning is the initial step in carrying out this project. The idea was presented to the supervisor and brief discussions were held so that the project could continue to the next phase. Planning is very important because it gives a picture of the system: how the IPS works, what it monitors, how it alerts the user and what actions the IPS can take.
3.3 Requirements
In this stage, the requirements of the project are studied briefly. Information about the project is gathered from the literature review. The requirements can be divided into two broad classes, software and hardware. The literature review also includes information on how to program Snort. This information is important because it enables the developer to understand the capabilities and limitations of the project. Below are the lists of software and hardware used in this project.
a) Hardware
Raspberry Pi Model 3 B
A High Performance Ethernet Cable
MicroUSB Cable
16 GB MicroSD card
USB Keyboard and Mouse
HDMI Monitor
High Performance HDMI Cable
b) Software
Win32 Disk Imager/UnetBootIn
ArchLinux ARM Image
Notepad++
Microsoft Office
3.4 Design
The next step is design. The system is designed after all requirements have been gathered properly. In addition, a framework is created as a guideline and to give the developer a picture of the scope of the project. The framework shows the flow of the system: what Snort monitors, what power source it uses and how it logs the packets monitored. Lastly, the configuration of Snort and the Raspberry Pi is also shown in this phase.
3.4.1 Framework
Figure 2 Framework of the system (components shown: router, devices connected to the network)
1. Raspberry Pi with Snort installed
2. Connected to the router
3. Devices connect to the network
4. Snort monitors the network based on the rules set by the user. If any malicious packets are detected, it can alert the user and also record the actions taken in a log file stored on the Raspberry Pi memory card.
Referring to the proposed framework, Snort on the Raspberry Pi performs real-time monitoring in a home network environment. A Raspberry Pi with the Snort IPS installed on the ArchLinux operating system must be connected to the router in order to start monitoring. Once Snort has started, users can start surfing the Internet. If any malicious packets are detected, Snort enforces the rule set and acts exactly as programmed. Any actions taken are recorded in a log file and can also be displayed to the user. If the user wishes to stop the monitoring process, he or she just has to turn off the Raspberry Pi.
3.4.2 Flow of System
Figure 3 Flow of the system
1. The Raspberry Pi, with Snort installed, connects to the router either via Wi-Fi or an Ethernet cable.
2. Snort starts monitoring the packets going in and out of the network.
3. If Snort detects malicious packets, it alerts the user and blocks the packets. Any action taken is recorded in a log file.
Rules created in Snort are flexible: Snort can either allow or block packets based on packet type, size, priority and severity. In short, several rules must be created to prevent false alarms.
3.5 Configuration
The Raspberry Pi and Snort configuration are the most crucial steps in this project. The ArchLinux ARM image must be written to the card using software such as UNetbootin, Rufus or Win32 Disk Imager, and ArchLinux should then be updated to the latest version. Next, Snort must be downloadable from within the ArchLinux operating system. The steps for downloading Snort are as follows:
1. First, download Snort from the ArchLinux command prompt with the command:
sudo pacman -S snort
2. Modify the file /etc/snort/snort.conf with the settings specific to the Raspberry Pi.
3. The file includes the IP address, the file path to the rules and which rules to enforce when running Snort.
4. A set of updated rules should also be downloaded from the Snort website.
5. Set the following path variables in snort.conf and create the directories they point to:
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH $RULE_PATH
var BLACK_LIST_PATH $RULE_PATH
For the custom rule set, here are some example rules created specifically based on packet type, size, severity, priority and packet source.
alert tcp any any -> any 23 (msg:"Caution! TCP Ping Detected!"; sid:100001; priority:0;)
This rule triggers an alert if any TCP ping is detected in the network. The user can also specify the source and destination of the attack: just replace the "any" addresses with the specific source and destination addresses. The number 23 is the port the user wishes Snort to monitor.
drop udp any any -> any any (msg:"Malicious UDP packet Detected, successfully blocked and logged"; priority:1; sid:100002;)
This rule triggers an alert and drops the packet. As above, the source and destination can be specified. In this rule the priority is set to 1, so that malicious packets are prioritised first by Snort.
pass ip any any -> any any (dsize:12000; sid:100003;)
To prevent false alarms, another rule is added to Snort. This rule tells Snort to allow packets entering and leaving the network. The source and destination can be specified by replacing "any any -> any any", and the packet size is specified with the option "dsize:(packet size)". Normally, malicious packets are bigger than normal harmless packets.
Lastly, Snort is configured to run on start-up. Then the system is ready for the implementation and testing phase.
3.6 Implementation
Implementation is the phase in which all the gathered information and tools are put to work. This stage is crucial for applying the methods and design built specifically for this project. If any changes need to be made, they are made in this phase.
3.7 Testing
The system is tested and measured against several achievements. If those achievements can be completed without error, the system is deployed. If there are errors or any modifications, the flow of the project must be studied in order to make it work as expected. The achievements are listed below:
The Raspberry Pi can run Snort for real-time network monitoring
Snort is able to take action if any malicious packets are detected
Snort is able to start automatically
3.8 Deployment
In this phase, the system is deployed. Deployment is done only if the system has no errors and works according to these three basic expectations:
The system can monitor the network
The system can enforce the rules set by the user. For example, if an attacker sends de-authentication packets, Snort can block them. De-authentication packets are attempts to disconnect devices connected to a particular network. The rule is:
drop tcp any any -> 192.168.43.73 any (msg:"De-authentication packet dropped"; sid:100002; priority:2;)
The system can log the files
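The rules in Section 3.5 and the deployment rule above are hand-written, and Snort refuses to start on a rule it cannot parse, so a quick syntax check of local.rules before restarting Snort saves a failed start-up. The following linter is an added example, not code from the thesis: it parses each rule header and option list the way Snort 2 expects them (lowercase action, protocol, source, source port, direction, destination, destination port, then options each terminated by a semicolon) and reports the defects Snort would reject, including missing or duplicate sids. SAMPLE_RULES is constructed input: the Chapter III rules in accepted form, followed by the same rules written as the chapter first prints them.

```python
"""Lint a Snort 2 local.rules file for the defects Snort's own parser rejects.

Added example, not part of the thesis. SAMPLE_RULES is constructed sample input.
"""
import re

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

# Rule header: action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

SAMPLE_RULES = """\
# constructed sample: the Chapter III rules in the form Snort's parser accepts
alert tcp any any -> any 23 (msg:"Caution! TCP Ping Detected!"; sid:100001; priority:0;)
drop udp any any -> any any (msg:"Malicious UDP packet detected, blocked and logged"; priority:1; sid:100002;)
pass ip any any -> any any (dsize:12000; sid:100003;)
# the same rules as the chapter first prints them, which Snort rejects
Alert tcp any any 23 -> any any (msg:"Caution! TCP Ping Detected!"; sid:100001; priority:0)
Pass any any -> any any (dsize:12000)
drop tcp any any -> 192.168.43.73 any (msg:"De-authentication packet dropped"; sid:100002; priority:2)
"""


def split_options(text):
    """Split the option body on ';' outside double quotes.

    Returns (options, terminated); terminated is False when text remains after
    the last ';', i.e. an option was not closed with a semicolon."""
    parts, buf, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p], not tail


def parse_rule(line):
    """Parse one rule line; returns (rule_dict_or_None, list_of_errors)."""
    errors = []
    m = HEADER_RE.match(line)
    if not m:
        return None, ["header does not match 'action proto src sport -> dst dport (options)'"]
    rule = m.groupdict()
    if rule["action"] not in ACTIONS:
        hint = " (actions are lowercase)" if rule["action"].lower() in ACTIONS else ""
        errors.append(f"unknown action {rule['action']!r}{hint}")
    if rule["proto"] not in PROTOCOLS:
        errors.append(f"unknown protocol {rule['proto']!r}")
    opts, terminated = split_options(rule.pop("opts"))
    if not terminated:
        errors.append("every option must end with ';'")
    rule["options"] = {}
    for opt in opts:
        key, _, value = opt.partition(":")
        rule["options"][key.strip()] = value.strip().strip('"')
    sid = rule["options"].get("sid")
    if sid is None or not sid.isdigit():
        errors.append("missing or non-numeric sid")
    if rule["action"] in {"alert", "drop", "reject"} and "msg" not in rule["options"]:
        errors.append("alert/drop rule has no msg, so its log entry carries no description")
    return rule, errors


def lint_rules(text):
    """Lint every non-comment line; returns a list of (line_number, message)."""
    findings, seen_sids = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule, errors = parse_rule(line)
        findings.extend((n, e) for e in errors)
        if rule:
            sid = rule["options"].get("sid")
            if sid in seen_sids:
                findings.append((n, f"sid {sid} already used on line {seen_sids[sid]}"))
            elif sid:
                seen_sids[sid] = n
    return findings


if __name__ == "__main__":
    for lineno, message in lint_rules(SAMPLE_RULES):
        print(f"line {lineno}: {message}")
```

Run against a real file with lint_rules(open("/etc/snort/rules/local.rules").read()). The checks are syntactic, which is also their limit: a rule that parses cleanly can still be unable to match the traffic its msg names. 802.11 de-authentication frames, for instance, are wireless management frames that never reach Snort as TCP segments, so a drop tcp rule cannot act on them; detecting them is a job for a wireless-aware monitor rather than a Snort rule.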
CHAPTER IV
IMPLEMENTATION AND TESTING
4.1 Introduction
The previous chapter briefly discussed and listed the framework, the tools to use and the research method. In this chapter, all of the procedures and steps mentioned in the previous chapter are implemented and tested. If any errors occur, a few changes will be made.
4.2 Installation
4.2.1 Operating System
The installation process began with installing the operating system on the Raspberry Pi 3. The proposed operating system was initially ArchLinux, but this was changed to Raspbian because of several complications and errors in ArchLinux when partitioning the SD card. ArchLinux works well with an HDD-type disk but requires several specific customisations for an SD card. As a result, Raspbian was installed using NOOBS, a package that provides several trusted, working operating systems compatible with the Raspberry Pi. The installation took only 30 minutes to complete.
4.2.2 Updating and Configuring IP Address
The Raspbian operating system uses the same Linux commands as Ubuntu. Firstly, the command "sudo apt-get update -y" was run to make sure the operating system is up to date. The command "sudo apt-get dist-upgrade" was also run to upgrade any packages that required it. After the update and upgrade completed, the device was rebooted to apply all the updates and changes.
Next, check the IP address of the device. When connected to a Wi-Fi network, type ifconfig to make the terminal show the IP addresses of the device. If the Internet is connected through Wi-Fi, the network card appears as wlan0; if through Ethernet, the network card is eth0. When the IP addresses are properly configured, the device is ready for the next steps.
Figure 4 Raspberry Pi IP Address
4.2.3 Snort Installation and Configuration of Directory
First, several libraries are required for Snort to build and run. Install them with:
sudo apt install -y gcc libpcre3-dev zlib1g-dev libpcap-dev openssl libssl-dev libnghttp2-dev libdumbnet-dev bison flex
(The libdnet library, which Snort also needs, is provided on Debian-based systems such as
Raspbian by the libdumbnet-dev package already in this list.) These packages are the
prerequisites for Snort to build and run properly. The installation of Snort begins by
creating a temporary source directory in the user's home directory and entering it:
mkdir ~/snort_src
cd ~/snort_src
Download DAQ, the data-acquisition library that Snort uses to read packets (and, in inline
mode, to forward or drop them), then extract and build it:
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
tar -xvzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure && make && sudo make install
cd ..
Next, download, extract and build Snort itself:
wget https://www.snort.org/downloads/snort/snort-2.9.11.1.tar.gz
tar -xvzf snort-2.9.11.1.tar.gz
cd snort-2.9.11.1
./configure --enable-sourcefire && make && sudo make install
cd ..
By default, "make install" places Snort's own files under /usr/local (the binary at
/usr/local/bin/snort). The configuration directory /etc/snort is not created by the
installer, so it must be created by hand together with the rules and log directories:
sudo mkdir -p /etc/snort/rules
sudo mkdir -p /var/log/snort
The file for the custom rules is then created:
sudo touch /etc/snort/rules/local.rules
Lastly, set the permissions and copy the configuration files from the source tree
in ~/snort_src:
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo cp ~/snort_src/snort-2.9.11.1/etc/*.conf* /etc/snort
sudo cp ~/snort_src/snort-2.9.11.1/etc/*.map /etc/snort
Note that mode 5775 sets the setuid and sticky bits and grants group write on every file
under these directories. Since Snort is started with sudo in this project, a tighter mode
such as 750 with root ownership is sufficient for both directories and is the safer choice.
Figure 5 Snort Directory and Configuration Files
Figure 6: Checking Snort Version
4.3 IPS Configuration
Snort can run in several modes. In this project it is configured in inline mode,
which is what distinguishes an IPS from an IDS: instead of only inspecting a copy of the
traffic, Snort sits in the packet path between the two interfaces (wlan0 and eth0, bridged
by the afpacket DAQ) and is able to drop packets that match a rule while it monitors the
network. The following lines of /etc/snort/snort.conf were modified:
1. At line 45, ipvar HOME_NET was set to the Raspberry Pi's address, 172.20.10.3/28,
so that rules written against $HOME_NET protect the Pi.
2. At lines 163 and 164, the DAQ type and mode were set: "config daq: afpacket" and
"config daq_mode: inline".
3. At line 187, the log directory was set to /var/log/snort.
4. From line 540 onwards, every "include $RULE_PATH/..." line was commented out with #
except "include $RULE_PATH/local.rules", so that only the custom rules are loaded.
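The four edits above can be applied by matching on the stock snort.conf lines rather than on line numbers, which shift between Snort releases. The script below is an added example written for this page, not code from the report; it assumes the report's own values (HOME_NET 172.20.10.3/28, log directory /var/log/snort, interface pair wlan0:eth0) and the "snort -T" self-test the report runs in section 4.4.

```shell
#!/bin/sh
# Added example (not from the report): apply the section 4.3 snort.conf edits
# by matching the stock lines instead of relying on line numbers 45/163/187/540.
# Values below are the report's own (assumed): HOME_NET 172.20.10.3/28,
# log dir /var/log/snort, inline interface pair wlan0:eth0.

HOME_NET_VALUE="${HOME_NET_VALUE:-172.20.10.3/28}"
SNORT_LOGDIR="${SNORT_LOGDIR:-/var/log/snort}"
INLINE_IFACES="${INLINE_IFACES:-wlan0:eth0}"

# Rewrite $1 in place through a temp file (portable; avoids GNU-only sed -i).
# Running it twice is harmless: already-edited lines no longer match.
configure_inline_snort() {
    conf="$1"
    [ -f "$conf" ] || { echo "configure_inline_snort: no such file: $conf" >&2; return 1; }
    sed \
        -e "s|^ipvar HOME_NET .*|ipvar HOME_NET ${HOME_NET_VALUE}|" \
        -e 's|^# *config daq:.*|config daq: afpacket|' \
        -e 's|^# *config daq_mode:.*|config daq_mode: inline|' \
        -e "s|^# *config logdir:.*|config logdir: ${SNORT_LOGDIR}|" \
        -e '/^include \$RULE_PATH\//{' \
        -e '/local\.rules/!s/^/# /' \
        -e '}' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Print the effective (uncommented) settings so the result can be checked by eye.
show_inline_settings() {
    grep -E '^(ipvar HOME_NET|config daq|config logdir|include \$RULE_PATH)' "$1"
}

# Number of rule includes still active; the report wants exactly one (local.rules).
active_rule_includes() {
    grep -c '^include \$RULE_PATH/' "$1"
}

# Self-test the configuration as the report does in section 4.4. Only meaningful
# on the Pi itself, so it is skipped where snort is not installed.
test_snort_config() {
    command -v snort >/dev/null 2>&1 || { echo "snort not installed; skipping -T self-test" >&2; return 0; }
    sudo snort -T -c "$1" -Q -i "$INLINE_IFACES"
}

# Stand-alone usage: ./inline_conf.sh /etc/snort/snort.conf
if [ -n "$1" ]; then
    configure_inline_snort "$1" && show_inline_settings "$1" && test_snort_config "$1"
fi
```

The include filter is the part worth copying: it comments out every "include $RULE_PATH/..." line except local.rules in one pass, which is where hand-editing several hundred lines of snort.conf usually goes wrong.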
Figure 7: Snort Configuration File [1]
Figure 8: Snort Configuration File [2]
Figure 9: Snort Configuration File [3]
Figure 10: Snort Configuration File [4]
Figure 11: Snort Configuration File [4]
Figure 12: Snort Configuration File [4]
Figure 13: Snort Configuration File [4]
Figure 14: Snort Configuration File [4]
Figure 15: Snort Configuration File [4]
4.4 Writing Snort Rules
This project uses a rule-based Intrusion Prevention System with custom rules
rather than the rule sets downloaded from Snort. The rules were stored in the file
"local.rules". Local rules let the user describe and trace new attack patterns specific to
their own network, whereas the downloaded rules are derived from already-known attacks. A
rule specifies the action, the protocol, the source and destination addresses and ports,
and options such as the message, classification and priority. Before writing rules, open
classification.config for reference on the available classtypes and their default
priorities: type "sudo /nameofeditor/ /etc/snort/classification.config". Figure 16 shows
the classification.config file.
Figure 16: Classification.config file
Figure 17: Snort local.rules file
Before running Snort, validate the configuration and the local.rules file. At the
terminal, type "sudo snort -T -c /etc/snort/snort.conf -Q -i wlan0:eth0". The -T option
tests the configuration and exits, -Q selects inline mode, and -i wlan0:eth0 names the
interface pair bridged by afpacket. The output is shown in Figure 18 below:
Figure 18: Snort Rules Validation
Snort was then started by typing the command "sudo snort -A console -Q -c
/etc/snort/snort.conf -i wlan0:eth0", where -A console prints each alert to the terminal.
The rules were created based on research on securing home networks, which found
that home networks are exposed to three main attacks: SSH, DDoS and FTP attacks. SSH
attacks aim to gain access to devices in the network, so the first rule drops any SSH
attempt to the Pi from outside the network. The rule is "drop tcp any any -> 172.20.10.3
22 (msg:"SSH rejected"; GID: 10003; rev: 003; sid: 4000003; classtype: attempted-user;
priority: 1)". However, if the admin needs SSH within the network, Snort is told to allow
it with a pass rule that names the admin's IP address: "pass tcp 172.20.10.2 any ->
172.20.10.3 22 (msg:"SSH From Admin"; sid: 4000006; GID: 10006)". This lets the admin SSH
to devices in the network without being blocked. The pass rule takes precedence over the
more general drop rule because Snort 2.9 evaluates pass rules before drop rules by default
(the startup output prints the rule application order, which can be changed with "config
order"). Figures 19 and 20 show these rules at work.
Figure 19: SSH attempt from the attacker PC, which is unsuccessful
Figure 20: Snort enforcing the rule created; the console also shows the type of
attack and the source and destination of the packets
The next rule blocks a DDoS attack from outside the network. A DDoS attack is
harmful because it stops the device from providing its services: the device exhausts its
processor, memory or bandwidth dealing with the flood of packets. The rule to block it was
"drop tcp any any -> 172.20.10.3 80 (flags: S; msg: "TCP packets rejected, DDOS Attack
from outside!"; flow: stateless; sid: 4000001; GID: 10001; classtype: attempted-dos;
priority: 2 ;)". Note that this rule drops every TCP SYN to port 80 on the Pi regardless
of rate, so it blocks legitimate HTTP connections as well as the flood; to drop only a
burst of SYNs, Snort's detection_filter option (track by_src, count N, seconds M) can be
added so the rule fires only after N SYNs from one source within M seconds.
Figure 21: DDoS attempt from outside the network. The attack was unsuccessful
because Snort blocked it; the 100% packet loss shows that no packets reached the
destination
Figure 22: The figure shows Snort blocked the DDoS attempt.
Furthermore, blocking attacks from outside is not enough to secure a home
network, so rules were also created to prevent attacks originating inside the network. In
this case the Raspberry Pi itself was used as the attacker, simulating an attacker who has
gained access to the user's network and uses it to attack others. The first such attack is
SSH from inside the network to the outside. The rule is "drop tcp 172.20.10.3 any -> any
22 (msg: "SSH Rejected, Attempted from Inside"; GID: 10008; sid: 40000008; classtype:
attempted-user; priority: 1)".
Figure 23: Failed SSH attempt from the Raspberry Pi to another device
Figure 24: Snort blocking the SSH attempt from inside the network to other devices
The next rule blocks a DDoS attack from inside the network to the outside. The rule
is: "drop tcp 172.20.10.3 any -> any 80 (flags: S; msg: "TCP packets rejected, DDOS
Attack from inside!"; flow: stateless; sid: 4000009; GID: 10009; classtype:
attempted-dos; priority: 2)". This rule prevents any device in the network from taking
part in a DDoS attack against outside hosts.
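The SSH pass/drop pair and the two SYN rules described in this section, gathered into one local.rules file and lint-checked before Snort loads them. This is an added shell example, not the report's own code: the sid and gid values and the addresses are the report's, while the detection_filter thresholds (100 SYNs from one source in 10 seconds) and the lint checks are assumptions chosen for illustration; "snort -T" remains the authoritative validation.

```shell
#!/bin/sh
# Added example (not from the report): write the section 4.4 rules to a
# local.rules file and lint them before handing the file to "snort -T".
# sid/gid values and addresses are the report's; the detection_filter
# thresholds are assumptions so that only a SYN burst is dropped, not every
# HTTP connection to the Pi.

PI_IP="${PI_IP:-172.20.10.3}"
ADMIN_IP="${ADMIN_IP:-172.20.10.2}"

write_local_rules() {
    cat > "$1" <<EOF
# Pass rules are evaluated before drop rules in Snort 2.9's default order
# (startup prints "Rule application order: activation->dynamic->pass->drop->..."),
# so the admin host is exempted from the SSH drop that follows.
pass tcp $ADMIN_IP any -> $PI_IP 22 (msg:"SSH From Admin"; sid:4000006; gid:10006; rev:1;)
drop tcp any any -> $PI_IP 22 (msg:"SSH rejected"; sid:4000003; gid:10003; rev:3; classtype:attempted-user; priority:1;)
# SYN flood from outside: fires only after 100 SYNs from one source within 10 s (assumed thresholds).
drop tcp any any -> $PI_IP 80 (flags:S; flow:stateless; msg:"TCP SYN flood from outside"; detection_filter:track by_src, count 100, seconds 10; sid:4000001; gid:10001; rev:2; classtype:attempted-dos; priority:2;)
# The Pi itself misused as an attacker against other hosts.
drop tcp $PI_IP any -> any 22 (msg:"SSH Rejected, Attempted from Inside"; sid:40000008; gid:10008; rev:1; classtype:attempted-user; priority:1;)
drop tcp $PI_IP any -> any 80 (flags:S; flow:stateless; msg:"TCP SYN flood from inside"; detection_filter:track by_src, count 100, seconds 10; sid:4000009; gid:10009; rev:2; classtype:attempted-dos; priority:2;)
EOF
}

# Lint a rules file: one rule per line, valid action/protocol/direction,
# options enclosed in ( ... ;), msg and sid present, no duplicate sid.
# Exits 1 on any finding. Limitation: a ";" inside a msg string would
# confuse the option split, so keep messages free of semicolons.
lint_local_rules() {
    awk '
    BEGIN { rc = 0 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        if ($1 !~ /^(alert|log|pass|drop|sdrop|reject)$/) { print FILENAME ":" FNR ": bad action " $1; rc = 1; next }
        if ($2 !~ /^(tcp|udp|icmp|ip)$/) { print FILENAME ":" FNR ": bad protocol " $2; rc = 1 }
        if ($5 != "->" && $5 != "<>") { print FILENAME ":" FNR ": bad direction " $5; rc = 1 }
        if ($8 !~ /^\(/ || $0 !~ /;[ \t]*\)[ \t]*$/) { print FILENAME ":" FNR ": options must be in ( ... ;)"; rc = 1; next }
        opts = $0; sub(/^[^(]*\(/, "", opts); sub(/\)[ \t]*$/, "", opts)
        n = split(opts, kv, ";"); has_msg = 0; sid = ""
        for (i = 1; i <= n; i++) {
            k = kv[i]; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k ~ /^msg:/) has_msg = 1
            if (k ~ /^sid:/) { sid = k; sub(/^sid:[ \t]*/, "", sid) }
        }
        if (!has_msg) { print FILENAME ":" FNR ": missing msg"; rc = 1 }
        if (sid == "") { print FILENAME ":" FNR ": missing sid"; rc = 1 }
        else if (sid in seen) { print FILENAME ":" FNR ": duplicate sid " sid " (first at line " seen[sid] ")"; rc = 1 }
        else seen[sid] = FNR
    }
    END { if (rc == 0) print FILENAME ": OK"; exit rc }' "$1"
}

# Stand-alone usage: ./local_rules.sh /etc/snort/rules/local.rules
if [ -n "$1" ]; then
    write_local_rules "$1" && lint_local_rules "$1"
fi
```

The duplicate-sid check matters more than it looks: Snort treats a repeated sid/gid pair as a fatal configuration error at startup, so a copy-pasted rule takes the whole IPS down rather than silently misbehaving, and catching it before "snort -T" saves a restart on the Pi.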
Figure 25: DDoS attempt from inside the network, which is unsuccessful
Figure 26: Snort blocking the DDoS attempt from inside the network
Summary
In short, the Snort IPS was tested and ran as expected. Snort detected and
monitored the network traffic and prevented the attacks launched both against and from
the network. Lastly, each alert and the action taken were shown on the Snort console so
that the user can identify the attacks detected.
CHAPTER V
DISCUSSION AND CONCLUSION
5.1 Introduction
This section describes the contributions of this project, the problems and
obstacles encountered during development, and several improvements to the system for
future development.
5.2 Contributions and Significance of Work
This system is intended for end users who want to secure their home network
environment from malicious attacks. The custom rules help users identify attack patterns
that the downloaded rule sets do not cover, make users aware of attacks on their network,
and show the importance of network security. Lastly, the rules are based on research on
home network vulnerabilities, namely SSH, DDoS and FTP attacks.
5.3 Obstacle/Problem of current work
Only one significant problem was faced during the development of this project.
The proposed system was to use Arch Linux as its operating system, but because of the
difficulty of configuring the SD card partitions under Arch Linux, Raspbian was used
instead. Raspbian is much easier to configure, as it was built specifically for the
Raspberry Pi. Arch Linux works well with an embedded drive rather than external storage;
the SD card's partition could not be fully used, and after several attempts at
configuration the problem remained. The solution was therefore to switch to Raspbian.
5.4 Recommendations for Future Works
This project could be upgraded in several ways. Firstly, Snort can be configured to
also send alerts about attacks on the network to the user's email. Next, Snort could be
packaged as a dedicated appliance image so that the Pi runs nothing but Snort and its
dependencies; this gives Snort the device's full resources and makes the system more
robust in securing the home network. Lastly, the project could be upgraded by creating a
database to store Snort logs. Storage in a database is much more efficient and easier to
query than pcap files on disk.
5.5 Conclusion
This project aims to provide a secure home network by implementing Snort IPS on a
Raspberry Pi. With an IPS at a reasonable price, users can secure and monitor their
network without spending unnecessary resources on a company-grade IPS for home use.
Lastly, this project gives home users knowledge of attack patterns, open-source software
and network security. It is hoped that users become aware of the attacks that occur in
this era.
REFERENCES
1. Methods of Securing Home Network, NCSA TEAM, October 2012
www.indestructibles.com/securinghomenetwork
2. Understanding and Configuring Snort Rules, Rapid7 Blogs, 9 December 2016
www.blog.rapid7.com/understanding-and-configuring-snort-rules
3. Simple IPS Configuration On Linux, IBM TEAM, 14 September 2012
www.ibm.com/developments/works/IPS
4. ARM Processor Specifications and Capabilities, ARM Holdings
www.arm.com
5. Raspberry Pi Comparisons, the Mag Pi
www.raspberrypi.org/magpi
6. Snort Manuals On Writing Rules and Commands Definitions
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node1.html
7. Comparisons Of Raspberry Pi Model
http://socialcompare.com/en/comparison/raspberrypi-models-comparison
8. Best IPS for Home Network
https://www.pcworld.com/article/2466120/startup-builds-intrusion-prevention-system-for-home-networks.html
9. IDS and IPS Comparisons
https://www.rokasecurity.com/ids-vs-ips/
10. Importance of Securing Home Network
a. https://opensourceforu.com/2011/01/importance-of-intrusion-prevention-systems/
b. https://searchsecurity.techtarget.com/Do-you-need-an-IDS-or-IPS-or-both
11. Home Network Vulnerabilities
a. https://www.computerweekly.com/feature/The-security-dangers-of-home-networks
b. https://www.theguardian.com/technology/2017/oct/16/wpa2-wifi-security-vulnerable-hacking-us-government-warns
c. https://www.techrepublic.com/article/why-companies-should-worry-about-network-vulnerabilities-following-employees-home/
12. Importance of Network Security Knowledge
a. https://www.herzing.edu/blog/what-network-security-and-why-it-important
b. https://www.information-age.com/importance-creating-cyber-security-culture-123465778/
c. https://www.newhorizons.com/resources/article/articleid/40166038/title/why-a-lack-of-network-security-knowledge-could-be-your-companys-cyber-blind-spot
13. Common Cyber Attacks
a. https://blog.netwrix.com/2018/05/15/top-10-most-common-types-of-cyber-attacks/
b. https://www.rapid7.com/fundamentals/types-of-attacks/
c. https://www.csoonline.com/article/2616316/data-protection/the-5-types-of-cyber-attack-youre-most-likely-to-face.html
14. Raspberry Pi Intrusion Detection System and Firewall
http://www.instructables.com/id/Raspberry-Pi-Firewall-and-Intrusion-Detection-Syst/
15. Archlinux Arm Specifications, Reviews and Guides
https://www.archlinux.com/Raspberry-Pi-3/description-guides