Creating an Intrusion Prevention System (IPS) using Snort and SnortSam

This article discusses how to use Snort and SnortSam to create an intrusion prevention system. Normally Snort is referred to as an IDS (Intrusion Detection System), but you can use Snort to actually stop attacks on the server. Snort is a very popular application which uses rules to monitor network traffic. If alerts are triggered they can be sent to syslog or to a database. Snort is a vital tool to have on your server. It's important to see what kinds of attacks are being launched so you can weigh your own vulnerability assessment.

Snort has two different rule collections. The core rules can be downloaded at Snort.org; they contain rules ranging from web application attacks to corporate policies. The other ruleset is from BleedingThreats.net. These rules are more experimental, but they contain many great web application rules as well as D-Shield blacklists and SpamHaus blacklists for mail.

This how-to will assume that you have a working Snort installation. I might put together a Snort install how-to down the road. I currently use Gentoo as my distro of choice, so my how-to will have Gentoo specific procedures. If you're not running Gentoo, you can get the SnortSam source code from SnortSam.net, but check your package manager first.

Gentoo's portage lists net-analyzer/snortsam-2.30 as the stable version of this package at the time of this tutorial.

emerge -pv snortsam

You will need to make sure that you have the snortsam USE flag enabled in snort. If you do not, add it to your /etc/make.conf and re-emerge snort (this is very important!).

My snort install has the following USE flags:

[ebuild   R   ] net-analyzer/snort-2.4.5  USE="mysql snortsam ssl -flexresp -inline -odbc -postgres -prelude (-selinux) -sguil" 3,568 kB

After snort and snortsam have been installed, it's time to configure snortsam.

vi /etc/snortsam

Start with the following configuration:

defaultkey somethingsecrethere
accept localhost
keyinterval 30 minutes
dontblock xxx.xxx.xxx.xxx       # home network
dontblock xxx.xxx.xxx.xxx      # dns server
dontblock xxx.xxx.xxx.xxx       # dns server
rollbackhosts 50
rollbackthreshold 20 / 30 secs
rollbacksleeptime 1 minute
logfile /var/log/snortsam.log
loglevel 3
daemon
nothreads
email mail.domain.com alert@domain.com
iptables eth0 LOG

The item to pay attention to is the dontblock section. To avoid a DoS (Denial of Service) on yourself, add your DNS servers and your home or trusted networks there; otherwise a rule firing on traffic from one of them would block it. SnortSam also has handling in place to limit the damage from a burst of blocks (the rollback items: if more than the threshold number of blocks arrives within the time window, SnortSam undoes the most recent blocks and ignores block requests for the sleep time). Also change the email value so you'll get alerts when SnortSam is triggered.

Please review documentation at SnortSam.net: http://www.snortsam.net/documentation.html

SnortSam is a plugin for Snort. Based on our rules, Snort will talk to SnortSam and request an action. SnortSam can add and remove iptables rules on the fly; this is what blocks the intruder, and later releases the block, triggered by a specific Snort signature.

After SnortSam has been configured, start the daemon. Just type:

snortsam

This will launch the daemon. Make sure it's running and listening:

netstat -lnp | grep snortsam
tcp        0      0 0.0.0.0:898             0.0.0.0:*               LISTEN      26723/snortsam

Next we need to tie SnortSam to Snort. Edit /etc/snort/snort.conf. Look for the output section of the config.

output alert_fwsam: localhost:898/somethingsecrethere

Notice that we need to put in the default key we set in /etc/snortsam.conf. With this line we've let Snort know about our new plugin. It's now time to configure a Snort rule to cause a reaction.

My example will be using a Bleeding rule:

bleeding-virus.rules:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE VIRUS PHPInclude.Worm Inbound Attack"; flow: to_server,established; content:"?&cmd=cd%20/tmp\;wget%20"; nocase; content:"perl%20"; nocase; reference:url,www.k-otik.com/exploits/20041225.PhpIncludeWorm.php; classtype: trojan-activity; sid: 2001614; rev:12;)

I would like to block this attack for 15 minutes since this will most likely be an automated script. We need to add the following to the end of the rule, inside the closing parenthesis:

fwsam: src, 15 minutes;

This will tell Snort to pass this to SnortSam and to block for 15 minutes. Your updated rule should look like this:

bleeding-virus.rules:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE VIRUS PHPInclude.Worm Inbound Attack"; flow: to_server,established; content:"?&cmd=cd%20/tmp\;wget%20"; nocase; content:"perl%20"; nocase; reference:url,www.k-otik.com/exploits/20041225.PhpIncludeWorm.php; classtype: trojan-activity; sid: 2001614; rev:12; fwsam: src, 15 minutes;)

Now, restart snort.

/etc/init.d/snort restart; tail -f /var/log/messages

Make sure you see: Snort initialization completed successfully

SnortSam does not come with an init script (for Gentoo anyway). To have this start at boot, add the following to /etc/conf.d/local.start:

/usr/bin/snortsam

I also mentioned that we modified a Snort rule; make sure you add it to oinkmaster.conf if you're automatically pulling rules every night. Oinkmaster can be configured to rewrite the rule and append our fwsam call. If you don't do this, the rule will be set back to its default state on the next update.
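As an added example (not part of the original article, of Snort or of oinkmaster), the check below verifies after each rule update that the rule for a given SID still carries the fwsam option added above; a rule that oinkmaster has reverted to its default still alerts but no longer blocks, and nothing else tells you. The sample rules file is constructed: the first rule is the article's modified rule, the second is a made-up local rule (sid 9000001) that was never modified, the third is commented out. The modifysid line in the comment follows the oinkmaster.conf syntax as I know it; check it against the sample config shipped with your oinkmaster version.

```shell
#!/bin/sh
# Added example: confirm that Snort rules meant to trigger SnortSam still
# contain "fwsam:" after an automated rule update.
#
# To keep the option across updates, oinkmaster.conf can rewrite the rule
# text each run, e.g. (assumed syntax; the match string must equal the
# sid option exactly as it appears in the downloaded rule):
#   modifysid 2001614 "sid: 2001614;" | "sid: 2001614; fwsam: src, 15 minutes;"

# rule_for_sid RULESFILE SID
# Prints the active (non-commented) rule line carrying "sid: SID;",
# with or without a space after the colon. Exit 1 if none is found.
rule_for_sid() {
    grep -v '^[[:space:]]*#' "$1" | grep -E "sid:[[:space:]]*$2;"
}

# rule_has_fwsam RULESFILE SID
# Returns 0 if the rule for SID exists and contains a fwsam option,
# 1 if the rule exists without fwsam, 2 if no such active rule exists.
rule_has_fwsam() {
    line=$(rule_for_sid "$1" "$2") || return 2
    case $line in
        *fwsam:*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_fwsam_rules RULESFILE SID...
# Prints one status line per SID; returns 1 if any SID will not block.
check_fwsam_rules() {
    rules=$1; shift; rc=0
    for sid in "$@"; do
        status=0
        rule_has_fwsam "$rules" "$sid" || status=$?
        case $status in
            0) echo "sid $sid: blocking (fwsam present)" ;;
            1) echo "sid $sid: ALERT ONLY, fwsam option missing"; rc=1 ;;
            *) echo "sid $sid: no active rule found"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample rules file (quoted heredoc keeps $HOME_NET etc. literal).
SAMPLE_RULES=$(mktemp)
trap 'rm -f "$SAMPLE_RULES"' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE VIRUS PHPInclude.Worm Inbound Attack"; flow: to_server,established; content:"?&cmd=cd%20/tmp\;wget%20"; nocase; content:"perl%20"; nocase; reference:url,www.k-otik.com/exploits/20041225.PhpIncludeWorm.php; classtype: trojan-activity; sid: 2001614; rev:12; fwsam: src, 15 minutes;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"CONSTRUCTED local rule without fwsam"; flow:to_server,established; content:"example"; sid:9000001; rev:1;)
# alert tcp any any -> any any (msg:"CONSTRUCTED disabled rule"; sid:9000002; rev:1;)
EOF

# On a real box run this against /etc/snort/rules/bleeding-virus.rules after oinkmaster.
check_fwsam_rules "$SAMPLE_RULES" 2001614 9000001 9000002 \
    || echo "some rules will not block; fix the modifysid entries in oinkmaster.conf"
```

Hooking this into the nightly oinkmaster job, and mailing its output when it exits non-zero, turns a silent loss of blocking into a visible alert.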

If you have problems with block rules or SnortSam is not starting, make sure you look at the log at /var/log/snortsam.log.

Hope this helps!