Friday, August 04, 2006

Snort 2.6.0 on FreeBSD

I've talked about Snort 2.6 twice before. I wanted to give 2.6 a try using the FreeBSD ports tree, but the security/snort port still offers only 2.4.5.

I looked for a problem report and found this one. It provided patches against the 2.4.5 port for 2.6.0. I decided to duplicate the /usr/ports/security/snort directory as /usr/ports/security/snort-2.6, and create Makefile.patch, distinfo.patch, and pkg-plist.patch files using the information in the PR.

Next I patched each of the 2.4.5 files.

orr:/usr/ports/security/snort-2.6# patch -p0 < Makefile.patch
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- /usr/ports/security/snort/Makefile Sat Jun 10 13:26:30 2006
|+++ ./snort/Makefile Thu Jul 6 17:34:13 2006
--------------------------
Patching file /usr/ports/security/snort/Makefile using Plan A...
Hunk #1 succeeded at 6.
Hunk #2 succeeded at 15.
Hunk #3 succeeded at 38.
Hunk #4 succeeded at 46.
Hunk #5 succeeded at 110.
done

orr:/usr/ports/security/snort-2.6# patch -p0 distinfo < distinfo.patch
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- /usr/ports/security/snort/distinfo Sat Jun 10 13:26:30 2006
|+++ ./snort/distinfo Mon Jun 12 17:03:32 2006
--------------------------
Patching file distinfo using Plan A...
Hunk #1 succeeded at 1.
done

orr:/usr/ports/security/snort# patch -p0 < pkg-plist.patch
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- /usr/ports/security/snort/pkg-plist Sat Jun 10 13:26:30 2006
|+++ ./snort/pkg-plist Thu Jul 6 17:33:06 2006
--------------------------
Patching file /usr/ports/security/snort/pkg-plist using Plan A...
Hunk #1 succeeded at 1.
Hunk #2 succeeded at 7.
Hunk #3 succeeded at 23.
done

Now I was ready to run make.

orr:/usr/ports/security/snort-2.6# make
===> Found saved configuration for snort-2.4.4
=> snort-2.4.5.tar.gz is not in /usr/ports/security/snort-2.6/distinfo.
=> Either /usr/ports/security/snort-2.6/distinfo is out of date, or
=> snort-2.4.5.tar.gz is spelled incorrectly.
*** Error code 1

Stop in /usr/ports/security/snort-2.6.

Shoot, what is that? It looked like I had a saved configuration from the last time I installed Snort. I tried to think how to fix that, then I remembered blogging it last year. I needed to eliminate the old /var/db/ports/snort/options configuration file.

orr:/var/db/pkg# cd /var/db/ports
orr:/var/db/ports# ls -al
total 6
drwxr-xr-x 3 root wheel 512 Mar 8 19:22 .
drwxr-xr-x 10 root wheel 512 Aug 4 09:49 ..
drwxr-xr-x 2 root wheel 512 Mar 8 19:22 snort
orr:/var/db/ports# cd snort
orr:/var/db/ports/snort# ls -al
total 6
drwxr-xr-x 2 root wheel 512 Mar 8 19:22 .
drwxr-xr-x 3 root wheel 512 Mar 8 19:22 ..
-rw-r--r-- 1 root wheel 239 Mar 8 19:22 options
orr:/var/db/ports/snort# cat options
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for snort-2.4.4
_OPTIONS_READ=snort-2.4.4
WITHOUT_FLEXRESP=true
WITHOUT_MYSQL=true
WITHOUT_ODBC=true
WITHOUT_POSTGRESQL=true
WITHOUT_PRELUDE=true

I decided to move the old directory to a new name.

orr:/var/db/ports# mv snort/ snort-2.4.x/

With that done, I ran make.

orr:/usr/ports/security/snort-2.6# make

I saw the port's options menu next.

I accepted the defaults and hit OK. Make then continued.

===> Found saved configuration for snort-2.6.0
=> snort-2.6.0.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch from http://www.snort.org/dl/current/.
snort-2.6.0.tar.gz 44% of 3244 kB 230 kBps
...truncated...

Make completed without any problems, so I ran make install. I include the output here because the PR noted some changes to the file installation locations.

orr:/usr/ports/security/snort-2.6# make install
===> Installing for snort-2.6.0
===> snort-2.6.0 depends on shared library: pcre.0 - found
===> Generating temporary packing list
===> Checking if security/snort-2.6 already installed
...edited...
Libraries have been installed in:
/usr/local/lib/snort_dynamicpreprocessor

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
- add LIBDIR to the `LD_LIBRARY_PATH' environment variable
during execution
- add LIBDIR to the `LD_RUN_PATH' environment variable
during linking
- use the `-Wl,--rpath -Wl,LIBDIR' linker flag

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
Making install in dynamic-examples
make install-recursive
Making install in dynamic-preprocessor
make install-am
Making install in dynamic-rule
make install-am
test -z "/usr/local/bin" || /bin/sh ../mkinstalldirs "/usr/local/bin"
/bin/sh /usr/local/bin/libtool --mode=install install -s -o root -g wheel -m 555 'snort' '/usr/local/bin/snort'
install -o root -g wheel -m 555 -s snort /usr/local/bin/snort
Making install in doc
Making install in etc
Making install in templates
Making install in contrib
Making install in schemas
Making install in rpm
Making install in m4
test -z "/usr/local/man/man8" || /bin/sh ./mkinstalldirs "/usr/local/man/man8"
install -o root -g wheel -m 444 './snort.8' '/usr/local/man/man8/snort.8'
[ -d /usr/local/etc/snort ] || /bin/mkdir -p /usr/local/etc/snort
[ -d /usr/local/share/examples/snort ] || /bin/mkdir -p /usr/local/share/examples/snort
[ -d /usr/local/etc/snort/rules ] || /bin/mkdir -p /usr/local/etc/snort/rules
[ -d /var/log/snort ] || /bin/mkdir -p /var/log/snort
install -o root -g wheel -m 444 /usr/ports/security/snort-2.6/work/snort-2.6.0/etc/classification.config /usr/local/etc/snort
install -o root -g wheel -m 444 /usr/ports/security/snort-2.6/work/snort-2.6.0/etc/classification.config /usr/local/share/examples/snort/classification.config-sample
install -o root -g wheel -m 444 /usr/ports/security/snort-2.6/work/snort-2.6.0/etc/gen-msg.map /usr/local/etc/snort
install -o root -g wheel -m 444 /usr/ports/security/snort-2.6/work/snort-2.6.0/etc/gen-msg.map /usr/local/share/examples/snort/gen-msg.map-sample
install -o root -g wheel -m 444 /usr/ports/security/snort-2.6/work/snort-2.6.0/etc/generators /usr/local/etc/snort
install -o root -g wheel -m 444 /usr/ports/security/snort-2.6/work/snort-2.6.0/etc/generators /usr/local/share/examples/snort/generators-sample
install -o root -g wheel -m 444 /usr/ports/security/snort-2.6/work/snort-2.6.0/etc/reference.config /usr/local/etc/snort
install -o root -g wheel -m 444 /usr/ports/security/snort-2.6/work/snort-2.6.0/etc/reference.config /usr/local/share/examples/snort/reference.config-sample
install -o root -g wheel -m 444 /usr/ports/security/snort-2.6/work/snort-2.6.0/etc/sid /usr/local/etc/snort
install -o root -g wheel -m 444 /usr/ports/security/snort-2.6/work/snort-2.6.0/etc/sid /usr/local/share/examples/snort/sid-sample
install -o root -g wheel -m 444 /usr/ports/security/snort-2.6/work/snort-2.6.0/etc/sid-msg.map /usr/local/etc/snort
install -o root -g wheel -m 444 /usr/ports/security/snort-2.6/work/snort-2.6.0/etc/sid-msg.map /usr/local/share/examples/snort/sid-msg.map-sample
install -o root -g wheel -m 444 /usr/ports/security/snort-2.6/work/snort-2.6.0/etc/snort.conf /usr/local/etc/snort
install -o root -g wheel -m 444 /usr/ports/security/snort-2.6/work/snort-2.6.0/etc/snort.conf /usr/local/share/examples/snort/snort.conf-sample
install -o root -g wheel -m 444 /usr/ports/security/snort-2.6/work/snort-2.6.0/etc/threshold.conf /usr/local/etc/snort
install -o root -g wheel -m 444 /usr/ports/security/snort-2.6/work/snort-2.6.0/etc/threshold.conf /usr/local/share/examples/snort/threshold.conf-sample
install -o root -g wheel -m 444 /usr/ports/security/snort-2.6/work/snort-2.6.0/etc/unicode.map /usr/local/etc/snort
install -o root -g wheel -m 444 /usr/ports/security/snort-2.6/work/snort-2.6.0/etc/unicode.map /usr/local/share/examples/snort/unicode.map-sample
install -o root -g wheel -m 444 /usr/ports/security/snort-2.6/work/snort-2.6.0/schemas/create* /usr/local/share/examples/snort
cd /usr/ports/security/snort-2.6/work/snort-2.6.0 && install -o root -g wheel -m 444 RELEASE.NOTES doc/AUTHORS doc/BUGS doc/CREDITS doc/README* doc/USAGE doc/*.pdf /usr/local/share/doc/snort
=========================================================================
Snort uses rcNG startup script and must be enabled via /etc/rc.conf
Please see /usr/local/etc/rc.d/snort.sh
for list of available variables and their description.
Configuration files are located in /usr/local/etc/snort directory.

NOTE: Starting with Snort 2.4.0 (released on 2005-04-22)
the rules are no longer included with the distribution.
Please download them from http://www.snort.org/rules/.
You might consider installing security/oinkmaster port to simplify
rules downloads and updates.
=========================================================================
===> Installing rc.d startup script(s)
===> Compressing manual pages for snort-2.6.0
===> Registering installation for snort-2.6.0

Let's see what happened to the configuration files.

orr:/usr/ports/security/snort-2.6# cd /usr/local/etc/snort
orr:/usr/local/etc/snort# ls -al
total 646
drwxr-xr-x 3 root wheel 512 Aug 4 09:59 .
drwxr-xr-x 12 root wheel 1536 Aug 4 09:59 ..
-r--r--r-- 1 root wheel 3455 Aug 4 09:59 classification.config
-r--r--r-- 1 root wheel 9822 Aug 4 09:59 gen-msg.map
-r--r--r-- 1 root wheel 1906 Aug 4 09:59 generators
-r--r--r-- 1 root wheel 548 Aug 4 09:59 reference.config
drwxr-xr-x 2 root wheel 512 Aug 4 09:59 rules
-r--r--r-- 1 root wheel 5 Aug 4 09:59 sid
-r--r--r-- 1 root wheel 519377 Aug 4 09:59 sid-msg.map
-r--r--r-- 1 root wheel 34080 Aug 4 09:59 snort.conf
-r--r--r-- 1 root wheel 2319 Aug 4 09:59 threshold.conf
-r--r--r-- 1 root wheel 53841 Aug 4 09:59 unicode.map

Those are all new. With Snort installed, I decided to test it with the -V flag.

orr:/usr/ports/security/snort-2.6# rehash
orr:/usr/ports/security/snort-2.6# snort -V

,,_ -*> Snort! <*-
o" )~ Version 2.6.0 (Build 59) FreeBSD
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2006 Sourcefire Inc., et al.

So far so good. Now I needed rules. For Snort 2.4, unregistered users can download snortrules-pr-2.4.tar.gz. Those should work with Snort 2.6 also. However, Sourcefire says the following:

These VRT Certified rulesets were released on 7/27/05 and will be updated at the time of the next major Snort release.

To me, that implies there should be a snortrules-pr-2.6.tar.gz archive available for unregistered users. I spoke to someone from Sourcefire and they said they expect to produce one shortly, once the Snort 2.4.x line is retired.

Because I am a registered Snort user, I downloaded and extracted snortrules-snapshot-CURRENT.tar.gz. This is what I found.

orr:/usr/local/etc/snort# ls rules/
VRT-License.txt local.rules smtp.rules
attack-responses.rules misc.rules snmp.rules
backdoor.rules multimedia.rules snort.conf
bad-traffic.rules mysql.rules spyware-put.rules
chat.rules netbios.rules sql.rules
classification.config nntp.rules telnet.rules
ddos.rules oracle.rules tftp.rules
deleted.rules other-ids.rules threshold.conf
dns.rules p2p.rules unicode.map
dos.rules policy.rules virus.rules
experimental.rules pop2.rules web-attacks.rules
exploit.rules pop3.rules web-cgi.rules
finger.rules porn.rules web-client.rules
ftp.rules reference.config web-coldfusion.rules
generators rpc.rules web-frontpage.rules
icmp-info.rules rservices.rules web-iis.rules
icmp.rules scan.rules web-misc.rules
imap.rules shellcode.rules web-php.rules
info.rules sid-msg.map x11.rules

You'll notice several files that are not rules.

orr:/usr/local/etc/snort# ls | grep -v rules
classification.config
doc
gen-msg.map
generators
reference.config
sid
sid-msg.map
snort.conf
threshold.conf
unicode.map

Comparing these, I found either no differences or no important ones for classification.config, reference.config, threshold.conf, and unicode.map. There is no gen-msg.map file in the rules/ directory.

The rules/sid-msg.map file, however, is quite different.

orr:/usr/local/etc/snort# diff sid-msg.map rules/sid-msg.map | head
2c2
< 104 || BACKDOOR - Dagger_1.4.0_client_connect || arachnids,483 || url,www.tlsecurity.net/backdoor/Dagger.1.4.html
---
> 104 || DELETED BACKDOOR - Dagger_1.4.0_client_connect || arachnids,483 || url,www.tlsecurity.net/backdoor/Dagger.1.4.html
4c4
< 106 || BACKDOOR ACKcmdC trojan scan || arachnids,445
---
> 106 || DELETED BACKDOOR ACKcmdC trojan scan || arachnids,445
6,7c6,7
< 108 || BACKDOOR QAZ Worm Client Login access || MCAFEE,98775

Therefore, use the sid-msg.map file packaged with the rule set, not the one shipped with Snort.
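To make that comparison systematic rather than eyeballing diff output, here is a small script that parses both sid-msg.map files and classifies each differing SID (retired rules marked DELETED, changed messages, changed references, SIDs present in only one file). This is an added example for this post, not code from Snort or the FreeBSD port; the two excerpts are constructed from the diff above plus one constructed extra SID.

```python
"""Compare the sid-msg.map installed by the port with the one shipped in the
rule set and classify each differing SID. Added example for this post, not
part of Snort or the FreeBSD port; the excerpts below are constructed."""


def parse_sid_msg_map(text):
    """Parse sid-msg.map content into {sid: (message, [references])}.

    Each non-comment line has the form:  sid || message || ref1 || ref2 ...
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            raise ValueError("line %d: expected 'sid || msg ...', got %r" % (lineno, raw))
        sid = int(fields[0])
        if sid in entries:
            raise ValueError("line %d: duplicate SID %d" % (lineno, sid))
        entries[sid] = (fields[1], fields[2:])
    return entries


def compare_maps(installed, ruleset):
    """Classify differences between the port's map and the rule set's map."""
    report = {"only_installed": [], "only_ruleset": [], "deleted": [],
              "msg_changed": [], "refs_changed": []}
    for sid in sorted(set(installed) | set(ruleset)):
        if sid not in ruleset:
            report["only_installed"].append(sid)
        elif sid not in installed:
            report["only_ruleset"].append(sid)
        else:
            old_msg, old_refs = installed[sid]
            new_msg, new_refs = ruleset[sid]
            if new_msg == "DELETED " + old_msg:
                # The rule set marks retired rules by prefixing the message.
                report["deleted"].append(sid)
            elif new_msg != old_msg:
                report["msg_changed"].append((sid, old_msg, new_msg))
            elif new_refs != old_refs:
                report["refs_changed"].append(sid)
    return report


def compare_map_texts(installed_text, ruleset_text):
    return compare_maps(parse_sid_msg_map(installed_text),
                        parse_sid_msg_map(ruleset_text))


# Constructed excerpt in the format of /usr/local/etc/snort/sid-msg.map
INSTALLED = """\
104 || BACKDOOR - Dagger_1.4.0_client_connect || arachnids,483 || url,www.tlsecurity.net/backdoor/Dagger.1.4.html
106 || BACKDOOR ACKcmdC trojan scan || arachnids,445
108 || BACKDOOR QAZ Worm Client Login access || MCAFEE,98775
1812 || EXPLOIT gobbles SSH exploit attempt || cve,2002-0639 || bugtraq,5093
"""

# Constructed excerpt in the format of rules/sid-msg.map from the rule set
RULESET = """\
104 || DELETED BACKDOOR - Dagger_1.4.0_client_connect || arachnids,483 || url,www.tlsecurity.net/backdoor/Dagger.1.4.html
106 || DELETED BACKDOOR ACKcmdC trojan scan || arachnids,445
108 || BACKDOOR QAZ Worm Client Login access || MCAFEE,98775
1812 || EXPLOIT gobbles SSH exploit attempt || cve,2002-0639 || cve,2002-0390 || bugtraq,5093
1000001 || CONSTRUCTED rule present only in the new map
"""

if __name__ == "__main__":
    for kind, sids in compare_map_texts(INSTALLED, RULESET).items():
        print("%-15s %s" % (kind, sids))
```

Run it against the real files with the contents of /usr/local/etc/snort/sid-msg.map and rules/sid-msg.map to see which SIDs the rule set retired since the port's copy was generated.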

I also looked for differences in the snort.conf shipped with Snort and the version shipped with the rules.

orr:/usr/local/etc/snort# diff snort.conf rules/snort.conf
2c2
< # http://www.snort.org Snort 2.6.0 config file
---
> # http://www.snort.org Snort current Ruleset
5c5
< # $Id$
---
> # $Id: snort.conf,v 1.167 2006/06/09 15:14:08 mwatchinski Exp $
111c111
< var RULE_PATH ./rules
---
> var RULE_PATH ../rules
852c852
< include $RULE_PATH/virus.rules
---
> # include $RULE_PATH/virus.rules
855a856
> # include $RULE_PATH/spyware-put.rules

The rules-bundled snort.conf sets RULE_PATH to ../rules, so it points to the directory where that snort.conf and the rules files reside. It also disables the virus.rules set and ships the new spyware-put.rules set commented out.

With these changes in mind, I ran Snort in test mode using the -T switch.

orr:/usr/local/etc/snort# snort -T -c rules/snort.conf
Running in Test mode with config file: rules/snort.conf
Running in IDS mode

--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file rules/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
Var 'DNS_SERVERS' defined, value len = 3 chars, value = any
Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
Var 'SNMP_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'AIM_SERVERS' defined, value len = 185 chars
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,
205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,
205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Var 'RULE_PATH' defined, value len = 8 chars, value = ../rules
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
Frag3 global config:
Max frags: 65536
Fragment memory cap: 4194304 bytes
Frag3 engine config:
Target-based policy: FIRST
Fragment timeout: 60 seconds
Fragment min_ttl: 1
Fragment ttl_limit: 5
Fragment Problems: 1
Bound Addresses: 0.0.0.0/0.0.0.0
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
Session count max: 8192 sessions
Session cleanup count: 5
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: INACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Enforce TCP State: INACTIVE
Midstream Drop Alerts: INACTIVE
Server Data Inspection Limit: -1
WARNING rules/snort.conf(408) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
Server reassembly: INACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Zero out flushed packets: INACTIVE
Flush stream on alert: INACTIVE
flush_data_diff_size: 500
Reassembler Packet Preferance : Favor Old
Packet Sequence Overlap Limit: -1
Flush behavior: Small (<255 bytes)
Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: rules/unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Ports: 80 8080 8180
Flow Depth: 300
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: YES
Apache WhiteSpace: YES alert: NO
IIS Delimiter: YES alert: NO
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: NONE
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
Number of Nodes: 36900

4655 Snort rules read...
4655 Option Chains linked into 206 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Tagged Packet Limit: 256

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1 sig-id=3543 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3527 type=Limit tracking=dst count=5 seconds=60
| gen-id=1 sig-id=3152 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=3273 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
| gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
| gen-id=1 sig-id=3542 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=4984 type=Threshold tracking=src count=5 seconds=2
| gen-id=1 sig-id=2923 type=Threshold tracking=dst count=10 seconds=60
| gen-id=1 sig-id=2924 type=Threshold tracking=dst count=10 seconds=60
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->pass->drop->alert->log
Log directory = /var/log/snort
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
FTPTelnet Config:
GLOBAL CONFIG
Inspection Type: stateful
Check for Encrypted Traffic: YES alert: YES
Continue to check encrypted data: NO
TELNET CONFIG:
Ports: 23
Are You There Threshold: 200
Normalize: YES
FTP CONFIG:
FTP Server: default
Ports: 21
Check for Telnet Cmds: YES alert: YES
Identify open data channels: YES
FTP Client: default
Check for Bounce Attacks: YES alert: YES
Check for Telnet Cmds: YES alert: YES
Max Response Length: 256
SMTP Config:
Ports: 25
Inspection Type: STATEFUL
Normalize Spaces: YES
Ignore Data: NO
Ignore TLS Data: NO
Ignore Alerts: NO
Max Command Length: 0
Max Header Line Length: 0
Max Response Line Length: 0
X-Link2State Alert: YES
Drop on X-Link2State Alert: NO
Verifying Preprocessor Configurations!
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
Warning: flowbits key 'dce.isystemactivator.bind.call.attempt' is set but not ever checked.
Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
Warning: flowbits key 'http.jpeg' is checked but not ever set.
Decoding LoopBack on interface NULL

--== Initialization Complete ==--

,,_ -*> Snort! <*-
o" )~ Version 2.6.0 (Build 59) FreeBSD
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2006 Sourcefire Inc., et al.

Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.5
Preprocessor Object: SF_SMTP Version 1.0
Preprocessor Object: SF_FTPTELNET Version 1.0

Snort sucessfully loaded all rules and checked all rule chains!
Frag3 statistics:
Total Fragments: 0
Frags Reassembled: 0
Discards: 0
Memory Faults: 0
Timeouts: 0
Overlaps: 0
Anomalies: 0
Alerts: 0
FragTrackers Added: 0
FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
Frag Nodes Inserted: 0
Frag Nodes Deleted: 0
===============================================================================
Final Flow Statistics
,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1)
Overhead blocks: 1 Could Hold: (0)
IPV4 count: 0 frees: 0
low_time: 0, high_time: 0, diff: 0h:00:00s
finds: 0 reversed: 0(%0.000000)
find_success: 0 find_fail: 0
percent_success: (%0.000000) new_flows: 0
Snort exiting

That looked fine as well. At this point I was ready to see if Snort detected a simple activity that it believes is an attack. I always recommend running Snort like this before installing Sguil, BASE, or any other product. Get Snort to work in its simplest mode first -- write pcap data to a snort.log.TIMESTAMP file and alerts to an alert text file.

orr:/usr/local/etc/snort# snort -i ndis0 -c rules/snort.conf -l .

I then connected via netcat to port 22 TCP on a system Snort would see, and typed the string GOBBLES.

orr:/home/richard$ nc -v 192.168.2.12 22
Connection to 192.168.2.12 22 port [tcp/ssh] succeeded!
SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4
GOBBLES
Protocol mismatch.

Sure enough, Snort provided the following alert.

orr:/usr/local/etc/snort# cat alert
[**] [1:1812:6] EXPLOIT gobbles SSH exploit attempt [**]
[Classification: Misc Attack] [Priority: 2]
08/04-10:32:58.288723 192.168.2.5:61827 -> 192.168.2.12:22
TCP TTL:64 TOS:0x0 ID:8266 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0x501CCD3D Ack: 0x80C794DE Win: 0x8218 TcpLen: 32
TCP Options (3) => NOP NOP TS: 3931737 3840029448
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0639][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0390][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=11031][Xref => http://www.securityfocus.com/bid/5093]

It also logged the offending packet.

orr:/usr/local/etc/snort# tcpdump -n -r snort.log.1154701968 -X
reading from file snort.log.1154701968, link-type EN10MB (Ethernet)
10:32:58.288723 IP 192.168.2.5.61827 > 192.168.2.12.22: P 1344064829:1344064837(8) ack 2160563422 win 33304
0x0000: 4500 003c 204a 4000 4006 9510 c0a8 0205 E..<.J@.@.......
0x0010: c0a8 020c f183 0016 501c cd3d 80c7 94de ........P..=....
0x0020: 8018 8218 0b38 0000 0101 080a 003b fe59 .....8.......;.Y
0x0030: e4e2 3308 474f 4242 4c45 530a ..3.GOBBLES.

This verifies Snort is working properly.
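Once alerts are flowing to the text file, the next thing a practitioner wants is to parse that full-format alert record into fields (gid:sid:rev, message, classification, priority, timestamp, endpoints, protocol, cross-references) instead of reading it by eye. The script below does that and summarises alerts per source address; it is an added example for this post, not Snort code. The first sample record is the gobbles alert above; the second is a constructed ICMP alert, included so the parser is exercised on a protocol that prints no ports.

```python
"""Parse Snort 2.6's full-format alert file into structured records and
summarise them per source address. Added example, not Snort code."""
import re
from collections import Counter

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
# Rules without a classtype print only the [Priority: n] part.
CLASS_RE = re.compile(r"^(?:\[Classification: (.*?)\] )?\[Priority: (\d+)\]$")
# ':port' is optional so ICMP/IP alerts, which print bare addresses, still parse.
PKT_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")
XREF_RE = re.compile(r"\[Xref => (.*?)\]")


def parse_alerts(text):
    """Return one dict per alert record; records are separated by blank lines."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        head = HEADER_RE.match(lines[0]) if lines else None
        if not head:
            raise ValueError("bad alert header: %r" % (lines[:1],))
        rec = {"gid": int(head.group(1)), "sid": int(head.group(2)),
               "rev": int(head.group(3)), "msg": head.group(4),
               "classification": None, "priority": None}
        idx = 1
        cls = CLASS_RE.match(lines[idx])
        if cls:
            rec["classification"], rec["priority"] = cls.group(1), int(cls.group(2))
            idx += 1
        pkt = PKT_RE.match(lines[idx])
        if not pkt:
            raise ValueError("bad packet line: %r" % lines[idx])
        rec["timestamp"] = pkt.group(1)
        rec["src_ip"], rec["dst_ip"] = pkt.group(2), pkt.group(4)
        rec["src_port"] = int(pkt.group(3)) if pkt.group(3) else None
        rec["dst_port"] = int(pkt.group(5)) if pkt.group(5) else None
        # The line after the endpoints starts with the protocol name (TCP, UDP, ICMP, ...).
        rec["proto"] = lines[idx + 1].split()[0] if len(lines) > idx + 1 else None
        rec["xrefs"] = XREF_RE.findall(block)
        records.append(rec)
    return records


def alerts_per_source(records, max_priority=2):
    """Count alerts per source IP at priority max_priority or more severe
    (Snort priority 1 is the most severe)."""
    return Counter(r["src_ip"] for r in records
                   if r["priority"] is not None and r["priority"] <= max_priority)


# First record copied from the alert file above; second record is constructed.
SAMPLE_ALERTS = """\
[**] [1:1812:6] EXPLOIT gobbles SSH exploit attempt [**]
[Classification: Misc Attack] [Priority: 2]
08/04-10:32:58.288723 192.168.2.5:61827 -> 192.168.2.12:22
TCP TTL:64 TOS:0x0 ID:8266 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0x501CCD3D Ack: 0x80C794DE Win: 0x8218 TcpLen: 32
TCP Options (3) => NOP NOP TS: 3931737 3840029448
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0639][Xref => http://www.securityfocus.com/bid/5093]

[**] [1:1000001:1] LOCAL constructed ICMP echo test [**]
[Classification: Misc activity] [Priority: 3]
08/04-10:33:01.000000 192.168.2.5 -> 192.168.2.12
ICMP TTL:64 TOS:0x0 ID:8267 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1  Seq:1  ECHO
"""

if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_ALERTS)
    for rec in recs:
        print(rec["sid"], rec["proto"], rec["src_ip"], "->", rec["dst_ip"], rec["msg"])
    print(alerts_per_source(recs))
```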

While Snort was running I checked its memory usage.

20329 root 1 -58 0 227M 226M bpf 0:05 21.38% snort

227 MB is much greater than my experience with Snort 2.4.x, where around 63 MB was the norm.

73920 sguil 1 -58 0 63772K 63000K bpf 10:26 0.00% snort

Looking in the snort.conf file, I enabled the following option to reduce memory usage.

config detection: search-method lowmem

When I re-ran Snort, memory usage dropped to about 37 MB.

20334 root 1 -58 0 37480K 36656K bpf 0:02 20.06% snort

Keep in mind that Snort will perform less well when given lower memory. On higher bandwidth links it will drop packets.

For information on how to now tune your Snort installation, I recommend reading my newest article Tuning Snort in the August 2006 Sys Admin magazine.

8 comments:

Malus said...

You can just type "make rmconfig" in a port directory to delete the options you set. I find it easier than mucking around for the location it is saved at.

Richard Bejtlich said...

Thanks Malus -- excellent comment.

Joel Esler said...

Rich,

Run Snort with "AC" search method for about 24 hours in Daemon mode. Let me know your initial mem util, and then 24 hours later.

Richard Bejtlich said...

Note to self: had to copy /usr/local/etc/snort/gen-msg.map to /nsm/rules/hacom/gen-msg.map on hacom because gen-msg.map not shipped with rules.

Richard Bejtlich said...

Note to self: Snort 2.6.0 with all rules enabled runs out of memory on a box with 512 MB RAM and other processes running.

Richard Bejtlich said...

Note to self: all rules enabled, lowmem enabled, uses about 57 MB.

Richard Bejtlich said...

Note to self: check these options.

Joel Esler said...

I'm running 2.6.0 on 512 mgs of RAM with lots of processes running (102 to be exact). And it's fine.