
Here is a short howto for using snort with prelude.

Snort

Compilation and Installation

Note: the debian packages for snort are now compiled with prelude support, so there is no need to re-compile snort for recent versions.

Uncompress snort sources, and configure snort, enabling prelude:

./configure --enable-prelude [..other arguments..]
make
sudo make install

Configuration

Before using snort, you need to add a prelude profile for snort. Snort will send alerts to the prelude manager, so we will register a sensor with write permission, and profile name 'snort':

prelude-admin register snort "idmef:w" x.x.x.x --uid=0 --gid=0

and follow the instructions.

Note: uid and gid are those of the user who will run snort (here, root). x.x.x.x is the IP address of your prelude-manager.

For more information on the registration process, see the Prelude-etch howto or the Prelude Handbook.

Edit snort configuration file snort.conf:

output alert_prelude: profile=snort

If the prelude-manager installation is not on the same host, you have to edit the profile configuration to set the server address. Generally, this configuration file is /etc/prelude/default/client.conf:

server-addr = x.x.x.x

That's all! Run snort as usual, and watch prelude for the alerts.


Snort-Inline (with NFQUEUE)

Standard snort packages have inline support, but they still use IPQUEUE; NFQUEUE is a better choice.

Compilation

Get snort-inline sources from the snort-inline site.

Install required packages for compilation:

apt-get install libpcap-dev libpcre3-dev libdumbnet-dev libprelude-dev libnetfilter-queue-dev

On a debian installation, the compilation fails because libdumbnet was renamed. The following patch was needed: dumbnet.diff

Apply the patch:

cd snort_inline-2.6.1.5
patch -p1 < ../dumbnet.diff
./autojunk.sh

Configure the package, then build it:

./configure --enable-nfnetlink --prefix=/opt/snort-inline --enable-prelude --enable-inline-init-failopen --with-dumbnet
make

Installation

sudo make install
sudo mkdir /etc/snort_inline
sudo cp etc/* /etc/snort_inline
sudo mkdir /etc/snort_inline/rules
sudo cp etc/{classification,reference}.config /etc/snort_inline/rules/
sudo mkdir /var/log/snort/
sudo touch /var/log/snort/snort_inline-full

Configuration

Edit /etc/snort_inline/snort_inline.conf.

Rulesets

var RULE_PATH /etc/snort_inline/rules
...
# IMPORTANT: remove 'enforce_state drop' from the stream4 preprocessor options:
preprocessor stream4:   disable_evasion_alerts, \
                        stream4inline, \
                        memcap 134217728, \
                        timeout 3600, \
                        truncate, \
                        window_size 3000
...

include $RULE_PATH/bleeding-all.rules

Installation Path

# must match the --prefix given to ./configure above
var INSTALL_PATH /opt/snort-inline
...
dynamicpreprocessor directory $INSTALL_PATH/lib/snort_dynamicpreprocessor/
dynamicengine $INSTALL_PATH/lib/snort_dynamicengine/libsf_engine.so

Snort-inline rules

The rules are the same as for snort, except that you can use drop instead of alert. For example, to drop everything destined for port 80:

drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80 connection initiated"; sid:12342003507; rev:1;)

Iptables Configuration

You need to send both directions of the connection you want to filter to the NFQUEUE target, and you must not use rules matching the ESTABLISHED or RELATED states (snort needs to see the whole connection to be able to reassemble it).

For example:

iptables -A INPUT -p tcp --dport 80 -j NFQUEUE
iptables -A OUTPUT -p tcp --sport 80 -j NFQUEUE

If you are on a gateway, use FORWARD instead of INPUT and OUTPUT.

Test snort inline

/opt/snort-inline/bin/snort_inline -c /etc/snort_inline/snort_inline.conf -H 0 -Q -v

With the previous rules, file /var/log/snort/snort_inline-fast will contain the following line:

08/09-16:51:50.402907  [Drop] [**] [1:2147483647:1] Port 80 connection initiated [**] [Classification: Attempted User Privilege Gain] \
[Priority: 1] {TCP} 192.168.33.181:49691 -> 192.168.33.145:80

Rulesets

Get rules, and install them in /etc/snort_inline/rules. For example:


Notes

  • The RPC decoder for snort has security problems (it had a remote security exploit) and is still not secure, so it is better to disable it by removing the following preprocessor line:
    preprocessor rpc_decode: 111 32771
    
  • In production, snort has proved to be quite unstable. A script was needed to watch the snort process and restart it after a segmentation fault.
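Such a watchdog, as an added example that is not part of this howto: a POSIX sh script that runs snort_inline in the foreground with the invocation used above, restarts it with a capped exponential backoff when it terminates abnormally (a segfault shows up as exit status 139), and stops when snort_inline exits cleanly. The RESTART_* values, the logger tag and the "run" argument convention are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original howto: keep snort_inline running
# and restart it after a crash such as a segmentation fault.
# Paths follow the howto; RESTART_* values and the logger tag are assumed.
SNORT_BIN=/opt/snort-inline/bin/snort_inline
SNORT_CONF=/etc/snort_inline/snort_inline.conf
RESTART_DELAY=2      # initial delay between restarts (seconds)
RESTART_MAX=60       # cap for the exponential backoff
# Describe a shell exit status: >128 means the process died from a signal.
exit_reason() {
  if [ "$1" -eq 0 ]; then
    echo "clean exit"
  elif [ "$1" -gt 128 ]; then
    echo "killed by signal $(( $1 - 128 ))"   # 139 -> signal 11 (SIGSEGV)
  else
    echo "exit status $1"
  fi
}
# Restart only after abnormal termination; a clean exit means someone
# stopped snort_inline on purpose, so the watchdog stops as well.
should_restart() { [ "$1" -ne 0 ]; }
# Double the delay after each consecutive crash, bounded by RESTART_MAX,
# so a broken configuration does not turn into a tight restart loop.
next_delay() {
  d=$(( $1 * 2 ))
  [ "$d" -gt "$RESTART_MAX" ] && d=$RESTART_MAX
  echo "$d"
}
watchdog() {
  delay=$RESTART_DELAY
  while :; do
    start=$(date +%s)
    # Same invocation as the howto's test command without -v; the watchdog
    # blocks here until snort_inline exits.
    "$SNORT_BIN" -c "$SNORT_CONF" -H 0 -Q
    status=$?
    logger -t snort-watchdog "snort_inline: $(exit_reason "$status")"
    should_restart "$status" || break
    # Reset the backoff if snort ran for a while before crashing.
    [ $(( $(date +%s) - start )) -gt 300 ] && delay=$RESTART_DELAY
    sleep "$delay"
    delay=$(next_delay "$delay")
  done
}
# Only start the loop when invoked as "watchdog.sh run", so the functions
# above can be sourced or tested without launching snort_inline.
case "${1:-}" in run) watchdog ;; esac
```

While snort_inline is down, packets sent to an NFQUEUE with no listener are dropped by the kernel (unless the rules use --queue-bypass, where iptables and the kernel support it), so the restart delay is directly downtime for the filtered ports.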

Written by Pierre Chifflier on 2008/01/08
