
Compiling snort 2.9.0.3 on Debian Lenny

» 09 January 2011 » In Uncategorized » 2 Comments


In this how-to I'm going to show how to compile and install Snort 2.9.0.3 with in-line mode capabilities. Tested on Debian Lenny 32-bit. Precompiled .deb packages are available on my git repository; get them with:

git clone git://gitorious.org/snort/snort2903_debianlenny.git

Snort Release Notes:
2010-12-20 – Snort 2.9.0.3

[*] Improvements
* Fixed an issue where “uricontent” didn’t behave correctly with
“depth”, “offset”, “distance”, and “within” modifiers.

* Fixed overlapping flags in the Shared Object rule API.

* Improved error checking for invalid combinations of “depth”, “offset”,
“distance”, and “within” modifiers in rules. Rules that mix relative
and non-relative options on the same content will now cause errors.

* Updated the documentation to fix some inconsistencies.


wget http://www.tcpdump.org/release/libpcap-1.0.0.tar.gz
tar xvfz libpcap-1.0.0.tar.gz
cd libpcap-1.0.0
./configure
make
checkinstall
dpkg -i /root/libpcap-1.0.0/libpcap_1.0.0-1_i386.deb

wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
tar xvfz libdnet-1.12.tgz
cd libdnet-1.12/
./configure
make
checkinstall
dpkg -i libdnet_1.12-1_i386.deb
ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1

wget http://www.snort.org/downloads/630
tar xvfz 630
cd daq-0.5/
./configure

make
checkinstall
dpkg -i /root/daq-0.5/daq_0.5-1_i386.deb

wget http://www.snort.org/downloads/637
tar xvfz 637
cd snort-2.9.0.3/

./configure --with-mysql --enable-build-dynamic-examples --enable-gre --enable-reload --enable-linux-smp-stats --enable-zlib --enable-active-response --enable-react --enable-flexresp3 --with-libpcap-libraries=/usr/local/lib/
make
checkinstall
dpkg -i /root/snort-2.9.0.3/snort_2.9.0.3-1_i386.deb
ldconfig

Compiling snort 2.9.0.3 on Ubuntu

» 21 December 2010 » In Uncategorized » 7 Comments

Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort has three primary uses: it can be used as a straight packet sniffer like tcpdump, as a packet logger, or as a full-blown network intrusion detection/prevention system. A few days ago a new version of Snort was released; in this version some things about compiling have slightly changed, as libdnet and the Data AcQuisition library (DAQ) must now be compiled separately. In this post I'm only going to illustrate how to compile and install Snort 2.9.0.3 with in-line mode capabilities. Tested on Ubuntu Server 10.04 32-bit.

Release Notes:
2010-12-20 – Snort 2.9.0.3

[*] Improvements
* Fixed an issue where “uricontent” didn’t behave correctly with
“depth”, “offset”, “distance”, and “within” modifiers.

* Fixed overlapping flags in the Shared Object rule API.

* Improved error checking for invalid combinations of “depth”, “offset”,
“distance”, and “within” modifiers in rules. Rules that mix relative
and non-relative options on the same content will now cause errors.

* Updated the documentation to fix some inconsistencies.


apt-get install flex bison  build-essential checkinstall libpcap0.8-dev libnet1-dev  libpcre3-dev libmysqlclient15-dev  libnetfilter-queue-dev iptables-dev

wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
tar xvfz libdnet-1.12.tgz
cd libdnet-1.12/
./configure
make
checkinstall
dpkg -i libdnet_1.12-1_i386.deb
ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1
wget http://www.snort.org/downloads/630
tar xvfz 630
cd daq-0.5/
./configure

Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : yes
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes

make
checkinstall
dpkg -i /root/daq-0.5/daq_0.5-1_i386.deb

wget http://www.snort.org/downloads/637
tar xvfz 637
cd snort-2.9.0.3/
./configure --with-mysql --enable-build-dynamic-examples  --enable-gre --enable-reload --enable-linux-smp-stats --enable-zlib --enable-active-response --enable-react --enable-flexresp3

make
checkinstall
dpkg -i /root/snort-2.9.0.3/snort_2.9.0.3-1_i386.deb
ldconfig

snort  -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.0.3 GRE (Build 98)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3.3
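Two checks worth adding to the build steps above (both the Debian and the Ubuntu procedure), as an added example that is not part of the original post: inline mode on Linux depends on the NFQ or AFPacket DAQ module, so the DAQ ./configure summary should be verified before running make, and the installed binary should report the version that was just built. The function names and the sample inputs (the configure summary and the snort -V banner, copied from the post's own output) are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: two sanity checks for the
# build above. Inline (IPS) mode on Linux needs the NFQ or AFPacket DAQ
# module, so we check the DAQ ./configure summary before running make, and
# we confirm that the installed binary reports the version we just built.

# Constructed input: the DAQ ./configure summary as printed in the post.
DAQ_SUMMARY='Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : yes
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes'

# Constructed input: the banner printed by 'snort -V' in the post (abridged).
SNORT_V_OUTPUT=$(printf '%s\n' \
    '   ,,_     -*> Snort! <*-' \
    '  o"  )~   Version 2.9.0.3 GRE (Build 98)' \
    '           Using libpcap version 1.0.0')

# daq_module_enabled SUMMARY NAME: succeeds when "Build NAME DAQ module ... : yes"
daq_module_enabled() {
    printf '%s\n' "$1" | grep -q "^Build $2 DAQ module[. ]*: yes"
}

# require_inline_daq SUMMARY: succeeds only if every module needed for inline
# mode was enabled; otherwise names the missing ones on stderr and fails, so a
# build script can stop before 'make' produces a sniff-only DAQ.
require_inline_daq() {
    missing=""
    for m in NFQ AFPacket; do
        daq_module_enabled "$1" "$m" || missing="$missing $m"
    done
    if [ -n "$missing" ]; then
        echo "DAQ configure summary lacks inline modules:$missing" >&2
        echo "install libnetfilter-queue-dev and iptables-dev, then re-run ./configure" >&2
        return 1
    fi
    return 0
}

# snort_version BANNER: prints the x.y.z version string from the 'snort -V' banner
snort_version() {
    printf '%s\n' "$1" | sed -n 's/.*Version \([0-9][0-9.]*\) .*/\1/p'
}

# Stand-alone run: check the sample summary, then compare the banner's
# version with what we expect to have built.
require_inline_daq "$DAQ_SUMMARY" && echo "inline DAQ modules present"
[ "$(snort_version "$SNORT_V_OUTPUT")" = "2.9.0.3" ] && echo "snort 2.9.0.3 installed"
```

In a real build, feed require_inline_daq the saved output of ./configure (for example via `./configure | tee configure.log`) and snort_version the output of `snort -V` after `dpkg -i` and `ldconfig`; a "no" for NFQ usually means libnetfilter-queue-dev or iptables-dev was missing when the DAQ was configured.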

Compiling snort 2.9.0.1

» 03 November 2010 » In Uncategorized » No Comments

Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort has three primary uses: it can be used as a straight packet sniffer like tcpdump, as a packet logger, or as a full-blown network intrusion detection/prevention system. A few days ago a new version of Snort was released; in this version some things about compiling have slightly changed, as libdnet and the Data AcQuisition library (DAQ) must now be compiled separately. In this post I'm only going to illustrate how to compile and install Snort 2.9.0.1 from the source code.

Installation tested on Ubuntu Server 10.04 32bit

Data AcQuisition library

apt-get install flex bison  build-essential checkinstall libpcap0.8-dev libnet1-dev
wget --no-check-certificate   http://www.snort.org/downloads/363
tar xvfz 363
cd daq-0.3/
./configure
make
checkinstall
dpkg -i daq_0.3-1_i386.deb

Libdnet


wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
tar xvfz libdnet-1.12.tgz
cd libdnet-1.12/
./configure
make
checkinstall
dpkg -i libdnet_1.12-1_i386.deb
ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1

Snort

apt-get install libpcre3-dev libmysqlclient15-dev

wget --no-check-certificate http://www.snort.org/downloads/369

tar xvfz 369
cd snort-2.9.0.1/
./configure --with-mysql --enable-build-dynamic-examples  --enable-gre --enable-reload --enable-linux-smp-stats --enable-zlib
make
checkinstall
dpkg -i snort_2.9.0.1-1_i386.deb
ldconfig

At this point you need to configure the snort.conf file according to your environment.

Main features introduced in 2.9.0.1:

* Fixed maximum flowbits configuration parsing to specify the number
of bits in accordance with the Snort manual, rather than number of
bytes.  If you have ‘config flowbits_size’ in your snort.conf,
double check that it has the correct setting.

* Fixed a packet size issue with the IPQ and NFQ DAQs.

* Updated the version of LibPCRE bundled with the Windows installer.
This update fixes a bug that caused some PCRE matches to fail on Windows.


Compiling snort 2.9.0

» 06 October 2010 » In Uncategorized » 12 Comments

Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort has three primary uses: it can be used as a straight packet sniffer like tcpdump, as a packet logger, or as a full-blown network intrusion detection/prevention system. A few days ago a new version of Snort was released; in this version some things about compiling have slightly changed, as libdnet and the Data AcQuisition library (DAQ) must now be compiled separately. In this post I'm only going to illustrate how to compile and install Snort 2.9.0 from the source code.

Installation tested on Ubuntu Server 10.04 32bit

Data AcQuisition library


apt-get install flex bison  build-essential checkinstall libpcap0.8-dev libnet1-dev
wget --no-check-certificate   http://www.snort.org/downloads/263
tar xvfz 263
cd daq-0.2/
./configure
make
checkinstall
dpkg -i daq_0.2-1_i386.deb

Libdnet


wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
tar xvfz libdnet-1.12.tgz
cd libdnet-1.12/
./configure
make
checkinstall
dpkg -i libdnet_1.12-1_i386.deb
ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1

Snort


apt-get install libpcre3-dev libmysqlclient15-dev
wget --no-check-certificate  http://www.snort.org/downloads/269
tar xvfz 269
cd snort-2.9.0
./configure --with-mysql --enable-build-dynamic-examples  --enable-gre --enable-reload --enable-linux-smp-stats --enable-zlib
make
checkinstall
dpkg -i snort_2.9.0-1_i386.deb

ldconfig

At this point you need to configure the snort.conf file according to your environment.

Main features introduced in 2.9.0:

* Feature rich IPS mode including improvements to Stream for inline deployments. Additionally a common active response API is used for all packet responses, including those from Stream, Respond, or React. A new response module, respond3, supports the syntax of both resp & resp2, including strafing for passive deployments. When Snort is deployed inline, a new preprocessor has been added to handle packet normalization to allow Snort to interpret a packet the same way as the receiving host.
* Use of a Data Acquisition API (DAQ) that supports many different packet access methods including libpcap, netfilterq, IPFW, and afpacket. For libpcap, version 1.0 or higher is now required. The DAQ library can be updated independently from Snort and is a separate module that Snort links. See README.daq for details on using Snort and the new DAQ.
* Updates to HTTP Inspect to extract and log IP addresses from X-Forwarded-For and True-Client-IP header fields when Snort generates events on HTTP traffic.
* A new rule option ‘byte_extract’ that allows extracted values to be used in subsequent rule options for isdataat, byte_test, byte_jump, and content distance/within/depth/offset.
* Updates to SMTP preprocessor to support MIME attachment decoding across multiple packets.
* Ability to “test” drop rules using Inline Test Mode. Snort will indicate a packet would have been dropped in the unified2 or console event log if policy mode was set to inline.
* Two new rule options to support base64 decoding of certain pieces of data and inspection of the base64 data via subsequent rule options.
* Updates to the Snort packet decoders for IPv6 for improvements to anomaly detection.
* Added a new pattern matcher that supports Intel’s Quick Assist Technology for improved performance on supported hardware platforms. Visit http://www.intel.com to find out more about Intel Quick Assist. The following document describes Snort’s integration with the Quick Assist Technology: http://download.intel.com/embedded/applications/networksecurity/324029.pdf.
* Reference applications for reading unified2 output that handle all unified2 record formats used by Snort.


Inundator: anonymous IDS evasion

» 02 July 2010 » In Uncategorized » 5 Comments

Inundator is an IDS evasion tool that generates an overwhelming number of false positives while an attack is being performed, in order to minimize the chance of detection. One of its main features is the ability to send the false attacks anonymously via a SOCKS proxy; the use of Tor is strongly recommended. Other features are multithreading, a queue-driven design and support for multiple targets. The concept behind Inundator is to read the Snort rules and generate packets or traffic from each parsed rule; the key to success is the IDS configuration on the target machine, since a good configuration determines whether our false attacks are detected or not.

To get and install Inundator, go to inundator.sourceforge.net.

I tried Inundator against Suricata, and I was amazed to see the false positive attacks filling the Suricata IDS log.

Example:

inundator -r /etc/snort/rules   -p localhost:9050  victim_ip

where -r is the path to the Snort rules directory,
-p is the SOCKS proxy to send the traffic through,
and the last argument is the victim IP.

On the suricata IDS sensor:

[1:2001219:18] ET SCAN Potential SSH Scan [**]
[Classification: Attempted Information Leak]
[Priority: 3] {6} 173.244.197.210:27041 -> victim_ip

[1:2002995:6] ET SCAN Rapid IMAPS Connections – Possible Brute Force Attack
[**] [Classification: Misc activity]
[Priority: 3] {6}  173.244.197.210:27041  -> victim_ip

[1:2002911:4] ET SCAN Potential VNC Scan 5900-5920
[**] [Classification: Attempted Information Leak]
[Priority: 3] {6} 173.244.197.210:27041 -> victim_ip

Just to double check that the attack was coming from a Tor
exit node, I searched for the IP 173.244.197.210 on this list.

It is not always a good idea to be quiet.
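The log excerpt above shows the property a defender can key on: one source address trips several unrelated signatures within seconds, because the tool replays traffic for every rule it parsed. The following added example, which is not part of the original post or of the Inundator project, is a triage step run over fast-format alert lines: it counts distinct signature IDs per source address and reports the sources above a threshold, so the flood can be handled as one noise event (and, for instance, throttled with the IDS's event_filter or suppress settings) rather than worked alert by alert. The function name, the threshold and the sample alert lines are my own constructions; the addresses are documentation ranges and the signature IDs are the three seen in the post plus one constructed local-range sid.

```shell
#!/bin/sh
# Added example, not part of the original post or of Inundator: a defender-side
# triage step for the alert flood described above. A tool that replays every
# rule makes one source address trip many unrelated signatures within seconds,
# so we count distinct signature IDs per source over fast-format alert lines
# and report sources above a threshold.

# Constructed sample alerts in Snort/Suricata fast format (one event per line).
SAMPLE_ALERTS='07/02-10:15:01.000001  [**] [1:2001219:18] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 203.0.113.7:27041 -> 192.0.2.10:22
07/02-10:15:01.000450  [**] [1:2002995:6] ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.7:27041 -> 192.0.2.10:993
07/02-10:15:01.000900  [**] [1:2002911:4] ET SCAN Potential VNC Scan 5900-5920 [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 203.0.113.7:27041 -> 192.0.2.10:5900
07/02-10:15:01.001300  [**] [1:2002911:4] ET SCAN Potential VNC Scan 5900-5920 [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 203.0.113.7:27042 -> 192.0.2.10:5901
07/02-10:15:01.001700  [**] [1:1000001:1] LOCAL constructed test signature [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.7:27043 -> 192.0.2.10:1433
07/02-10:20:44.000000  [**] [1:2001219:18] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 198.51.100.9:51000 -> 192.0.2.10:22'

# noisy_sources ALERTS THRESHOLD: prints "source-ip distinct-sid-count" for every
# source that triggered at least THRESHOLD distinct signatures, sorted by address.
noisy_sources() {
    printf '%s\n' "$1" | awk -v thr="$2" '
        # keep only lines carrying a [gid:sid:rev] tag
        match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/) {
            sid = substr($0, RSTART, RLENGTH)
            # the source endpoint is the field right before "->"
            src = ""
            for (i = 1; i < NF; i++) if ($(i + 1) == "->") { src = $i; break }
            if (src == "") next
            sub(/:[0-9]+$/, "", src)          # strip the source port
            # count each (source, sid) pair once: repeats of one signature are
            # not evidence of a rule-by-rule replay, many distinct ones are
            if (!((src, sid) in seen)) { seen[src, sid] = 1; distinct[src]++ }
        }
        END { for (s in distinct) if (distinct[s] + 0 >= thr + 0) print s, distinct[s] }
    ' | sort
}

# Stand-alone run over the sample: report any source with 3 or more distinct
# signatures. Only 203.0.113.7 qualifies; 198.51.100.9 tripped a single rule.
noisy_sources "$SAMPLE_ALERTS" 3
```

On a live sensor, pass the contents of the fast-format alert file (or a time slice of it) as the first argument; the threshold is deliberately a parameter, because what counts as "too many distinct signatures" depends on how many rules are enabled and how busy the monitored segment is. Note that the count is per distinct signature rather than per alert, so a legitimate but repetitive event (one rule firing hundreds of times) does not get mistaken for a replay of the whole rule set.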
