Understanding the Snort architecture

Snort started out as a packet sniffer; other common examples of packet sniffers are tcpdump and its graphical big brother Wireshark. To evolve into the IDS software it is today, Snort added a few things to its architecture. It currently works as a core-with-plug-ins system, where its original component (the sniffer) is the core and the other elements act as plug-ins.

SmoothSec vs SecurityOnion

While looking for a Snort GUI that would suit my needs, I came across various software packages and Linux distros. Two of these distros are SmoothSec and SecurityOnion. Both are IDS/IPS Linux distributions equipped with all sorts of tools that one would find necessary for NSM.

Professional Special Subject – w5 log

This week I've understood that an out-of-the-box deployment is never what you want, especially for an NSM solution. Tuning Snort to your needs is the key to a successful deployment and to stopping attackers.

I've managed to place a machine running SmoothSec in a classroom, attached to a switch that mirrors all the traffic to it. The reason for this is to see how it copes with traffic coming from more than 1-2 PCs and what kind of alerts it generates. It is also a good testing ground for new rules. The following network diagram shows the system and how I connect to the monitoring server.

Snort tuning

It is basically useless to run great software if it is not configured according to user and system needs. An out-of-the-box deployment of Snort will most likely be something you don't want; what you do want is a deployment configured the way you need it. Basic Snort deployment issues:

  1. outdated rules
  2. “noisy” logs and alerts

Professional Special Subject – w4 log

Week 4 was all about digging into how Snort works, Snort rules and IT security lecturing. I had some resources prepared for this, so I started reading Snort Intrusion Detection and Prevention Toolkit by Jay Beale.

I've managed to understand the basics of Snort rules and to create my first rule. For IT security lecturing I've used some interesting IT Security/Networking resources that I came across. One of them is the 10 rules of information security.

On Snorby custom PDF generation, there wasn't much progress because of the lack of documentation.

Plan for next week:

  • dig more into Snorby custom PDF generation; I'll probably have to do some hard-coding, and I've never programmed in Ruby on Rails
  • make a list of what kind of rules I would need in my system
  • implement as many rules as possible

This is part of a series of blog posts that serve as my weekly log for my professional special subject project. It serves documentation purposes and is a nice way to present my work to the teachers. For further information about my work and what I've learned and done, follow the inbound/outbound links within these posts.

10 rules of information security

While googling for resources related to my professional special subject project, I came across some nice IT Security/Networking related websites, including DigitalThreat, and a cool post on the rules of information security.

Creating your first Snort rule

I've talked about understanding the basics of a Snort rule before; now I'm going to create my first rule and add it to Snort.

Before making the rule, I started thinking about what I want and why I want it.

Short scenario – you are a copyright freak and you want to know when somebody on your network (maybe a school network) is trying to download something by accessing The Pirate Bay.

Based on the short scenario, I want my rule to send an alert (generate an event) whenever somebody is accessing The Pirate Bay website or a group of related websites. This is definitely not the best way to stop people from downloading stuff on your network, but it's just a simple scenario that will help me create my first rule.

I fired up Wireshark to see what that packet would look like, so that I know what options I can set for my rule. I used my IP and the HTTP protocol as filters so I would spot the packet faster.

Basic understanding of Snort rules

An IDS such as Snort is practically useless without a strong and up-to-date set of rules or signatures. It is the same as running an antivirus with outdated virus signatures: you just think you are protected. I tried to understand what a rule is and what it is composed of.

A rule or signature is basically a piece of text/code that describes a state and an action to be performed if that state is true.
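To make the "state, then action" structure concrete for both the rule basics above and the Pirate Bay scenario from "Creating your first Snort rule", here is an added Python example (not code from the original posts): it parses a constructed rule into its header fields and options and runs a toy content match against a constructed HTTP request. The rule text, the host string and the request are assumptions, and Snort's own engine handles flow, http_header and the $HOME_NET-style variables that this toy matcher ignores.

```python
import re

# Constructed rule for the Pirate Bay scenario above (an assumption, not the post's own rule).
EXAMPLE_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
                '(msg:"POLICY The Pirate Bay access"; flow:to_server,established; '
                'content:"Host: thepiratebay"; nocase; http_header; sid:1000001; rev:1;)')

# Header = action proto src sport direction dst dport; the "state" lives in the (...) options.
HEADER_RE = re.compile(r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
                       r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

def split_options(opts):
    """Split 'key:value; flag; ...' into (key, value) pairs; a ';' inside quotes is literal."""
    pairs, buf, quoted = [], '', False
    for ch in opts:
        quoted ^= (ch == '"')
        if ch == ';' and not quoted:
            key, _, value = buf.strip().partition(':')
            if key:
                pairs.append((key.strip(), value.strip().strip('"')))
            buf = ''
        else:
            buf += ch
    return pairs

def parse_rule(text):
    """Return one single-line Snort rule as its header fields plus its option pairs."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError('not a Snort rule: ' + text)
    rule = {k: m.group(k) for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    return dict(rule, options=split_options(m.group('opts')))

def content_checks(rule):
    """(pattern, case_insensitive) pairs; a 'nocase' option modifies the preceding content."""
    checks = []
    for key, value in rule['options']:
        if key == 'content':
            checks.append([value, False])
        elif key == 'nocase' and checks:
            checks[-1][1] = True
    return [tuple(c) for c in checks]

def evaluate(rule, payload):
    """Toy state check: the action fires only if every content pattern occurs in the payload."""
    for needle, nocase in content_checks(rule):
        hay, pat = (payload.lower(), needle.lower()) if nocase else (payload, needle)
        if pat not in hay:
            return None
    return rule['action']
```

Locally written rules conventionally use sid values of 1000000 and up (lower SIDs are reserved for distributed rule sets), which is why the constructed rule uses 1000001; in a real deployment the header variables ($HOME_NET, $EXTERNAL_NET, $HTTP_PORTS) must also be defined in snort.conf.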

Professional Special Subject – w3 log

Week 3 is also development-related. As the ACIDBASE front-end for Snort proved useless and time-wasting for me and the project, I decided to try out other front-ends to see what I could do there. On the Snort blog there is a post listing all kinds of GUIs, so I decided to start from there.

I've decided on Snorby and the other software required (pulledpork, barnyard2) to have a nice, database-updating GUI for Snort. It turned out to be way too much hassle to install each of them separately (you can read a walkthrough on this here), so I decided to use something faster: a Linux distro called SmoothSec that has all the tools I was thinking of, and some others, already deployed and ready to use. To understand how a network security monitoring system works, check out my other post.

I wouldn't recommend that anybody try installing/compiling/building them separately, regardless of their level of Linux know-how, because it is just too time-consuming and you'll most likely get stuck on issues related to Linux distros, architecture, missing libraries, differing library and software versions and so on.

My next plan is to:

  • set up a real test environment (that should have been done a week or two ago, but that's it)
  • dig into Snort rules and create my own rules based on my needs
  • dig into the Snorby code so that I can display the PDF reports that I want

Understanding network security monitoring (NSM)

When I was trying to install a nice GUI for Snort, I figured that I was going to need something else to do exactly what I want, and that is to actually see alerts and events in the GUI dashboard. I was thinking that I would just install an IDS and a front-end and that's all, but that's not the case.