Snort

Compiling Snort 2.9.1 with DAQ libs ???
for 64 bit (watch the x64 paths, especially /usr/lib64)

SLES 11 SP3
libpcap:
	"wget http://www.tcpdump.org/release/libpcap-1.5.2.tar.gz"
	"tar -xvzf libpcap-1.5.2.tar.gz"
	"cd libpcap-1.5.2"
	"./configure --bindir=/usr/bin --sbindir=/usr/sbin --libdir=/usr/lib64 --includedir=/usr/include" from openSUSE 13.2 on: "--enable-bluetooth=no"
	"make"
	"make install"
	
From snort 2.9.4 on, "libnfnetlink" and "libnetfilter_queue" must also be installed, since "ip_queue (ipq)" is no longer supported for kernel 3.6 ???
libnfnetlink:
	"wget http://netfilter.org/projects/libnfnetlink/files/libnfnetlink-1.0.1.tar.bz2"
	"tar -xf libnfnetlink-1.0.1.tar.bz2"
	"cd libnfnetlink-1.0.1"
	"./configure --bindir=/usr/bin --sbindir=/usr/sbin --libdir=/usr/lib64 --includedir=/usr/include"
	"make"
	"make install"
	
libnetfilter_queue:
	"wget http://netfilter.org/projects/libnetfilter_queue/files/libnetfilter_queue-1.0.2.tar.bz2"
	"tar -xf libnetfilter_queue-1.0.2.tar.bz2"
	"cd libnetfilter_queue-1.0.2"
	"./configure --bindir=/usr/bin --sbindir=/usr/sbin --libdir=/usr/lib64 --includedir=/usr/include"
	"make"
	"make install"
	
IPtables:
"./configure --bindir=/usr/bin --sbindir=/usr/sbin --libdir=/usr/lib64 --includedir=/usr/include --enable-devel --enable-libipq"

libdnet:
	"http://libdnet.sourceforge.net/" "wget http://downloads.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz?r=http%3A%2F%2Flibdnet.sourceforge.net%2F&ts=1387628978&use_mirror=cznic"
	"tar -xvzf libdnet-1.11.tar.gz"
	"cd libdnet-1.11"
	"./configure" or on SuSE "./configure --bindir=/usr/bin --sbindir=/usr/sbin --libdir=/usr/lib64 --includedir=/usr/include CFLAGS=-fPIC"
	"make"
	"make install"
	
DAQ:
"wget snort.org"
"tar -xzf daq-0.6.1.tar.gz"
"cd daq-0.6.1"
With daq 2 and openSUSE 42.1 editing is no longer necessary !!!
"cp -frv /usr/lib64/libdnet.so.1.1 /usr/local/lib/" or "cp -frv /usr/lib64/libdnet.so* /usr/local/lib/" or "cp -frv /usr/lib64/libdnet* /usr/local/lib/"
"cat README"
    "ln -s libdnet.1.1 libdnet.so.1.1" or "ln -s /usr/lib64/libdnet.1.1 /usr/lib64/libdnet.so.1.1"
    "ldconfig -Rv /usr/local/lib 2>&1 | grep dnet"
			(Adding /usr/local/lib/libdnet.so.1.1) ????
"./configure --bindir=/usr/bin --sbindir=/usr/sbin --libdir=/usr/lib64 --includedir=/usr/include CFLAGS='-fPIC -g -O2'"
"make"
if necessary "ln -s /usr/lib64/libdnet.1.0.1 /usr/lib64/libdnet.so.1.1"
"make install"
"mkdir /etc/snort"
"mkdir /var/log/snort/"
"touch /var/log/snort/alert"

snort code tuning:
Problem:
	Needed for snort 2.9.9
	"2016-08-02T17:51:18.128515+02:00 web-proxy snort[32803]: FATAL ERROR: /etc/snort/emerging_threat/rules/emerging-trojan.rules(5743) The number of flowbit IDs in the current ruleset exceeds the maximum number of IDs that are allowed (1024)."
Solution:
	"vi ~/temp/snort-2.9.7.3/src/detection-plugins/sp_flowbits.c" ->
		/*
		if(flowbits_count > giFlowbitSize)
		{
			ParseError("The number of flowbit IDs in the "
					"current ruleset exceeds the maximum number of IDs "
					"that are allowed (%d).", giFlowbitSize);
		}
		*/
	"vi ~/temp/snort-2.9.7.3/src/parser.c" -> 
		around line 99: change the value of "#define MAX_RULE_OPTIONS     256" to "#define MAX_RULE_OPTIONS   32768".
"./configure --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc/snort --libdir=/usr/lib64 --includedir=/usr/include --enable-pthread --enable-prelude --enable-sourcefire --enable-stream4udp --enable-memory-cleanup --enable-decoder-preprocessor-rules --enable-targetbased --enable-timestats --enable-ruleperf --enable-ppm --enable-linux-smp-stats --enable-flexresp2 --enable-gre --enable-mpls --enable-inline-init-failopen --enable-prelude --enable-pthread --enable-reload --enable-reload-error-restart --enable-perfprofiling --enable-ppm-test --enable-aruba --enable-react --disable-static-daq --enable-ipv6"
From 2.9.4 on "./configure --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc/snort --libdir=/usr/lib64 --includedir=/usr/include --enable-control-socket --enable-linux-smp-stats --enable-inline-init-failopen --enable-sourcefire --enable-shared-rep --enable-large-pcap --with-daq-includes=/usr/include --with-daq-libraries=/usr/lib64/daq "
"make"
"make install"
"snort --daq-list"
"/usr/bin/snort -c /etc/snort/etc/snort.conf -A full -I -l /var/log/snort/ -s -D -Q -x --daq ipq"	(without -x if there are many duplicated SIDs) or "/usr/bin/snort -c /etc/snort/etc/snort.conf -A full -I -l /var/log/snort/ -s -D -Q -x --daq nfq"
Use the "open-nogpl" ruleset.

From version 2.9.4 on, the rate limit in rsyslog must be raised or switched off.
Error message: "Dec 14 14:11:30 wdf-crmfe03 rsyslogd-2177: imuxsock begins to drop messages from pid 30360 due to rate-limiting" and snort crashes while loading
Solution: "vi /etc/rsyslog.conf" ->
	#$RepeatedMsgReduction   on
	$SystemLogRateLimitInterval 0
	$RepeatedMsgContainsOriginalMsg off
	$RepeatedMsgReduction off

Oinkmaster:
"wget http://oinkmaster.sourceforge.net"
vi create-sidmap.pl -> print "WARNING: duplicate SID: $sid (discarding old)\n" so that it writes this into the file.

iptables -A INPUT -s 0/0 -p tcp --dport 80 -j QUEUE
iptables -A INPUT -s 0/0 -p tcp --dport 80 -j LOG --log-level 7 --log-prefix "snort LOG: "
iptables -A INPUT -s 0/0 -p tcp --sport 80 -j QUEUE
iptables -A INPUT -s 0/0 -p tcp --sport 80 -j LOG --log-level 7 --log-prefix "snort LOG: "

iptables -A INPUT -s 0/0 -p icmp -j QUEUE
##########################################################################
#Automatic Rule Changer
change_rules
Syntax of the file
Rule name with location <TAB> (optional info) <TAB> modified rule

e.g.
/etc/snort/rules/policy-other.rules                                                                     #drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Remote non-JavaScript file found in script tag src attribute"; flow:to_client,established; file_data; content:"<script"; content:"src="; within:30; isdataat:100,relative; content:!"|2E|js"; within:100; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-6345; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-065; classtype:policy-violation; sid:32481; rev:2;)
or
/etc/snort/rules/browser-other.rules                                                            #drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER local loopback address in html"; flow:to_client,established; file_data; content:"http|3A 2F 2F|127."; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:url,tools.ietf.org/html/rfc990; classtype:unknown; sid:26879; rev:6;)
or
/etc/snort/emerging_threat/rules/emerging-exploit.rules change          drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Windows Media Player parsing BMP file with 0 size offset to start of image"; flow:established,from_server; file_data; content:"BM";  depth:2; byte_test:4,=,0,4,relative; reference:url,www.milw0rm.com/id.php?id=1500; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-005.mspx; reference:cve,2006-0006; reference:bugtraq,16633; reference:url,doc.emergingthreats.net/bin/view/Main/2002802; classtype:attempted-user; sid:2002802; rev:10;)
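A small change_rules implementation for the file format above, added here as an example and not the page's own tool: every entry is "<rules file> TAB [optional info] TAB <modified rule>", and the rule in the rules file with the same sid is replaced by the modified rule (action changed, or disabled with a leading "#"). The sample rules and paths in make_demo are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the page's own change_rules tool. Input line format (as on the page):
#   <rules file> TAB [optional info] TAB <modified rule>
# The rule in <rules file> with the same sid is replaced, so "alert" -> "drop" or a
# leading "#" (disable) is a one-line entry.
# replace_rule_by_sid RULES_FILE SID MODIFIED_RULE; the rule goes in via the
# environment because "awk -v" would mangle backslashes in pcre/content options.
replace_rule_by_sid() {
    tmp="$1.tmp.$$"
    RULE="$3" awk -v sid="$2" '
        $0 ~ ("sid:[ \t]*" sid "[ \t]*;") { print ENVIRON["RULE"]; n++; next }
        { print }
        END { exit (n == 1 ? 0 : 1) }   # refuse unless exactly one rule had that sid
    ' "$1" > "$tmp" && mv "$tmp" "$1" || { rm -f "$tmp"; return 1; }
}
# apply_rule_changes CHANGES_FILE -> exit status = number of entries that failed
apply_rule_changes() {
    failed=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac          # blanks and comments
        path=$(printf '%s\n' "$line" | awk -F'\t' '{ sub(/[ \t]+$/, "", $1); print $1 }')
        rule=$(printf '%s\n' "$line" | awk -F'\t' '{ print $NF }')
        sid=$(printf '%s\n' "$rule" | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;.*/\1/p')
        if [ -z "$sid" ] || ! replace_rule_by_sid "$path" "$sid" "$rule"; then
            echo "change_rules: entry for sid '${sid:-?}' in $path not applied" >&2
            failed=$((failed + 1))
        fi
    done < "$1"
    return "$failed"
}
# Constructed sample (hypothetical rules, not from any real ruleset) in a scratch dir;
# prints the directory. The second change entry has no info field and a pcre backslash.
make_demo() {
    dir=$(mktemp -d) && mkdir -p "$dir/rules"
    printf '%s\n' \
      'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"DEMO one"; content:"abc"; sid:9000001; rev:1;)' \
      'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"DEMO two"; pcre:"/a\x3Ab/"; sid:9000002; rev:1;)' \
      'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"DEMO three"; content:"xyz"; sid:9000003; rev:1;)' \
      > "$dir/rules/demo.rules"
    printf '%s\t%s\t%s\n' "$dir/rules/demo.rules" 'switch to drop' \
      'drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"DEMO one"; content:"abc"; sid:9000001; rev:2;)' \
      > "$dir/change_rules.txt"
    printf '%s\t%s\n' "$dir/rules/demo.rules" \
      '#alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"DEMO two"; pcre:"/a\x3Ab/"; sid:9000002; rev:1;)' \
      >> "$dir/change_rules.txt"
    printf '%s\n' "$dir"
}
```

Run it with `d=$(make_demo); apply_rule_changes "$d/change_rules.txt"; cat "$d/rules/demo.rules"`; an entry whose sid is not found in the named file (or found more than once) is reported and leaves the file untouched.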

##########################################################################
#snort.conf##########################################################################
Comment out:
# path to dynamic rules libraries
#dynamicdetection directory /usr/local/lib/snort_dynamicrules

# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
	memcap 500, \
	priority whitelist, \
	nested_ip inner, \
	(remove) #whitelist $WHITE_LIST_PATH/white_list.rules, \
	(remove) #blacklist $BLACK_LIST_PATH/white_list.rules

dynamicpreprocessor directory /usr/lib64/snort_dynamicpreprocessor/
dynamicengine /usr/lib64/snort_dynamicengine/libsf_engine.so

webroot no \
# decompress_swf { deflate lzma } \
decompress_pdf { deflate }

config daq: pcap
config daq_dir: /usr/lib64/daq/
config daq_mode: inline

include /etc/snort/etc/classification.config
include /etc/snort/etc/reference.config
include /etc/snort/etc/threshold.conf

### Rule order in snort.conf
/etc/snort/rules
/etc/snort/so_rules/
/etc/snort/preproc_rules
/etc/snort/emerging_threat/rules/
/etc/snort/community-rules/
/etc/snort/bleeding/

### So that the rules can be included more easily
"ls -al /etc/snort/rules/*.rules | awk -F " " '{print $9}' | awk -F " " '{print $1}' | xargs -l echo "include" >> /etc/snort/etc/snort.conf"
"ls -al /etc/snort/so_rules/*.rules | awk -F " " '{print $9}' | awk -F " " '{print $1}' | xargs -l echo "include" >> /etc/snort/etc/snort.conf"
"ls -al /etc/snort/preproc_rules/*.rules | awk -F " " '{print $9}' | awk -F " " '{print $1}' | xargs -l echo "include" >> /etc/snort/etc/snort.conf"
"ls -al /etc/snort/emerging_threat/rules/*.rules | awk -F " " '{print $9}' | awk -F " " '{print $1}' | xargs -l echo "include" >> /etc/snort/etc/snort.conf"
"ls -al /etc/snort/community-rules/*.rules | awk -F " " '{print $9}' | awk -F " " '{print $1}' | xargs -l echo "include" >> /etc/snort/etc/snort.conf"
"ls -al /etc/snort/bleeding/*.rules | awk -F " " '{print $9}' | awk -F " " '{print $1}' | xargs -l echo "include" >> /etc/snort/etc/snort.conf"
############################################################################################
Info: The rulesets are now available in multiple versions on multiple engines. please visit http://rules.emergingthreats.net/ to browse all available files for the platform and engine you desire.
The open directory has the open Emerging Threats ruleset, the best of the old Community Ruleset (now defunct) and the best of the old Snort GPL sigs (sids 3464 and earlier) all combined using their original sids. Do not combine this ruleset with any other, you may have sid duplication.
The open-nogpl directory has ONLY the open Emerging Threats ruleset.
The blockrules directory has all of our dynamic IP list based rulesets for blocking known bad hosts.
The fwrules directory has all of our dynamic IP list based rulesets in firewall formats for blocking known bad hosts.
Last Daily Change Summaries
SidAllocation
Emerging Threats CVS Web Interface -- Now defunct but here for historical reference
############################################################################################
#SSL Decryption
#Better to break it open via mod_proxy (httpS-->HTTP-->snort-->webserver_HTTP)
libdssl:
	"git config --global http.sslVerify false"
	"git clone https://github.com/plashchynski/libdssl"
	"cd libdssl"
	"./autogen.sh"
	"./configure --bindir=/usr/bin --sbindir=/usr/sbin --libdir=/usr/lib64 --includedir=/usr/include"
	"make all"
	"make install"
ViewSSLd:
	"git clone https://github.com/plashchynski/viewssld"
	"cd viewssld/"
	"./autogen.sh"
	"./configure --bindir=/usr/bin --sbindir=/usr/sbin --libdir=/usr/lib64 --includedir=/usr/include"
##############################################################################################
Snort Rule Set.
As of 30.9.14
https://www.snort.org/downloads/community/community-rules.tar.gz
https://www.snort.org/downloads/registered/snortrules-snapshot-2962.tar.gz
http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/emerging.rules.tar.gz
##############################################################################################
##############################################################################################
Troubleshooting
Error: Feb 5 16:59:13 web kernel: [1635662.949974] nf_queue: full at 1024 entries, dropping packets(s)
Solution: "cat /proc/net/netfilter/nfnetlink_queue" ??? Restart snort or "snort ... --daq-var queue_len=4096" ("time /usr/bin/snort -c /etc/snort/etc/snort.conf -A full -I -l /var/log/snort/ -s -D -Q --daq nfq --daq-var queue_len=4096")
##############################################################################################
Error: FATAL ERROR: /etc/snort/emerging_threat/rules/emerging-web_client.rules(217) : pcre compile of "(obj.data|\object.data).+file\x3A\x2F\x2F127\x2E[0-9]" failed at offset 11 : missing opening brace after \o
Solution: Disable the rule in question
####################################################################################
Procedure for rules that cannot be found via the msg text: search by the ID.
Log output: "2016-08-03T10:38:15.401213+02:00 web-proxy snort[107567]: [129:18:1] Data sent on stream after TCP Reset received [Classification: Potentially Bad Traffic] [Priority: 2] <> {TCP} 172.17.190.10:80 -> 172.17.190.47:58508"
Right at the start is the ID "[129:18:1]", which means "sid: 18; gid: 129; rev: 1", and that pattern can now be grepped for.
"grep -iR "sid: 18; gid: 129; rev: 1" /etc/snort/* " -> "/etc/snort/preproc_rules/preprocessor.rules:drop ( msg: "STREAM5_DATA_AFTER_RST_RCVD"; sid: 18; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )" and then comment it out accordingly.
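The lookup-by-ID procedure above, as an added example that is not part of the original notes: it pulls [gid:sid:rev] out of an alert line and greps the rule tree for it, and goes one step further than the page by also handling text rules, which write "sid:18;" without a gid (gid defaults to 1), and by tolerating the spacing differences between text and preprocessor rules. The rule tree built by make_demo_rules is constructed for the demonstration (the STREAM5 rule is the one quoted above).

```shell
#!/bin/sh
# Added example, not from the page: take the [gid:sid:rev] ids from a Snort alert line
# and locate the rule in the rule tree, whether it is written "sid:18;" (text rules,
# gid defaults to 1) or "sid: 18; gid: 129;" (preprocessor rules, spaces allowed).

# ids_from_alert ALERT_LINE -> prints "gid sid rev" (nothing if no [g:s:r] is present)
ids_from_alert() {
    printf '%s\n' "$1" |
      sed -n 's/.*\[\([0-9][0-9]*\):\([0-9][0-9]*\):\([0-9][0-9]*\)\].*/\1 \2 \3/p'
}

# rule_grep_pattern GID SID -> extended regex for the rule's sid/gid options
rule_grep_pattern() {
    if [ "$1" = 1 ]; then
        printf '%s\n' "sid:[[:space:]]*$2[[:space:]]*;"
    else
        printf '%s\n' "(sid:[[:space:]]*$2[[:space:]]*;.*gid:[[:space:]]*$1[[:space:]]*;|gid:[[:space:]]*$1[[:space:]]*;.*sid:[[:space:]]*$2[[:space:]]*;)"
    fi
}

# find_rule_for_alert RULES_DIR ALERT_LINE -> prints "file:rule" for every match.
# For gid 1, rules that name some other gid are filtered out again.
find_rule_for_alert() {
    set -- "$1" $(ids_from_alert "$2")                 # $1=dir $2=gid $3=sid $4=rev
    [ $# -eq 4 ] || { echo "no [gid:sid:rev] in alert line" >&2; return 2; }
    if [ "$2" = 1 ]; then
        grep -rE "$(rule_grep_pattern 1 "$3")" "$1" | grep -vE 'gid:[[:space:]]*([02-9][0-9]*|1[0-9]+)[[:space:]]*;'
    else
        grep -rE "$(rule_grep_pattern "$2" "$3")" "$1"
    fi
}

# Constructed sample rule tree (hypothetical rules plus the STREAM5 rule from the notes);
# prints the directory.
make_demo_rules() {
    dir=$(mktemp -d) && mkdir -p "$dir/preproc_rules" "$dir/rules"
    printf '%s\n' \
      'drop ( msg: "STREAM5_DATA_AFTER_RST_RCVD"; sid: 18; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )' \
      'alert ( msg: "DEMO_OTHER_PREPROC"; sid: 118; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )' \
      > "$dir/preproc_rules/preprocessor.rules"
    printf '%s\n' \
      'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"DEMO text rule"; content:"abc"; sid:18; rev:3;)' \
      > "$dir/rules/demo.rules"
    printf '%s\n' "$dir"
}
```

With the real tree, call it as `find_rule_for_alert /etc/snort "$(tail -n 1 /var/log/snort/alert)"` and comment out the rule it prints.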
################################
#Commands
"cat var/log/snort/alert | grep -oE "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | grep -vE '8.8.8.8|172.17' | sort -u | xargs -l nslookup | grep -i "name =" " = run nslookup on the addresses in the snort alert log.
