Securing A Production Network Infrastructure Using Snort

Transcription

Libya Journal For Applied Science and Technology (LJAST), Volume 5, Issue 1, December 2018
Copyright LJAST (Libya Journal for Applied Science and Technology); all rights reserved.

Securing a Production Network Infrastructure using Snort

Mohamed Ghretli, Remma Aburmila, Abdulmunem Almukhtar, Sabri Shmeek
Dept. of Computer Networking, College of Computer Technology (CCTT), Tripoli, Libya
Correspondent email: mghretli@cctt.edu.ly

ABSTRACT

The importance of network security has grown tremendously, and intrusion prevention/detection systems (IPS/IDS) have been widely developed to protect networks against suspicious threats. A network intrusion detection and prevention system collects traffic data, analyzes it against detection rules, and generates alerts or drops the traffic when necessary. In this paper we use Snort as an intrusion prevention system, configured in inline mode to protect a production network in real time. We first give a basic description of the theoretical background and of our implementation of Snort in inline mode, and then discuss the results obtained from several tasks performed in a penetration testing lab.

Keywords: Information Security; Network Security; Snort; Intrusion Prevention System.

I. INTRODUCTION

Security is a major issue for every network in today's enterprise environment. Attackers and intruders have made many successful attempts to bring down high-profile company networks and web services, and many methods have been developed to secure network infrastructure and communication over the Internet.

The network security technologies in use today consist of firewalls that block unwanted incoming traffic, encryption of data in transit, and vulnerability assessment tools that find and patch security holes in the network. Intrusion detection and prevention is a relatively new addition to these techniques; intrusion detection and prevention methods started appearing in the last decade.

Using intrusion detection methods, we can collect information about known types of attacks and find out whether someone is trying to attack the network or particular hosts. The information collected this way can be used to harden the network's security, as well as for legal purposes, which serves the goals of network security: integrity, confidentiality and availability.

Intrusion detection and prevention systems (IDS and IPS) are used to analyze network traffic and prohibit abnormal activity within the network. An IDS monitors the packets on the network and reports back based on the applied security rules and signatures; an IDS alone is unable to stop denial of service (DoS) attacks and intrusions, particularly over UDP. An IPS, on the other hand, can drop malicious packets and close connection sessions in order to stop further attacks. It analyzes all network traffic passing through it and responds immediately to suspicious packets (inline deployment).

Snort is an open source network intrusion detection and prevention system capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching and matching, and can detect a variety of attacks and probes, such as buffer overflows, stealth port scans, and DoS attacks. Although all intrusion detection methods are still new, Snort is ranked among the top quality systems available today [1, 2, 7].

II. SNORT RULES

Snort uses rules as attack signatures, which allow it to detect malicious network activity such as DoS attacks and reconnaissance traffic. Snort uses a simple, lightweight rule description language that is flexible and quite powerful. Snort rules are divided into two logical sections, the rule header and the rule options. The header specifies the rule action (alert, log, pass, drop, reject or sdrop), the protocol, the source and destination addresses and ports, and the direction operator; the options, enclosed in parentheses, hold the alert message, payload and flag tests, and metadata such as the sid. Figure 1 shows an example of a Snort rule; the rule displays an alert message whenever a matching TCP packet is detected [3].

Fig. 1 Snort Rule Format Example [3].

III. METHODOLOGY

A. Production Network

The production network used in this paper consists of several services built and configured on top of an ESXi server placed behind a switch. These services are FTP, HTTP, Mail, Active Directory, DNS, and a syslog server, which is configured to receive events from Snort.

B. Building and Configuring Snort

Snort was built on a dedicated server positioned between the switch and the outside network. The operating system of this server is Ubuntu 14.04. Snort is configured as a router that forwards traffic between two different subnets, and it runs in inline mode with NFQ (netfilter queue) and iptables.
Before Snort is installed from source, some required packages need to be installed. These are the build toolchain and the development headers that Snort's configure script checks for (libpcap, libpcre, libdnet, zlib, lzma and OpenSSL) [4]:

    sudo apt-get install -y build-essential bison flex libpcap-dev libpcre3-dev libdumbnet-dev zlib1g-dev liblzma-dev openssl libssl-dev autoconf libtool pkg-config

The NFQ-specific library is installed as well:

    sudo apt-get install -y libnetfilter-queue-dev

Then download and install the Data Acquisition library (DAQ) from the Snort website:

    wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
    tar -xvzf daq-2.0.6.tar.gz
    cd daq-2.0.6
    ./configure
    make
    sudo make install

Snort is now ready to be installed from source:

    wget https://www.snort.org/downloads/snort/snort-2.9.11.1.tar.gz
    tar -xvzf snort-2.9.11.1.tar.gz
    cd snort-2.9.11.1
    ./configure --enable-sourcefire
    make
    sudo make install

Update the shared library cache:

    sudo ldconfig

Since the installation places the Snort binary at /usr/local/bin/snort, it is common practice to create a symlink at /usr/sbin/snort:

    sudo ln -s /usr/local/bin/snort /usr/sbin/snort

Some directories need to be created:

    sudo mkdir /etc/snort
    sudo mkdir /etc/snort/rules
    sudo mkdir /etc/snort/rules/iplists
    sudo mkdir /etc/snort/preproc_rules
    sudo mkdir /usr/local/lib/snort_dynamicrules
    sudo mkdir /etc/snort/so_rules

Create the files that store rules and IP lists:

    sudo touch /etc/snort/rules/iplists/black_list.rules
    sudo touch /etc/snort/rules/iplists/white_list.rules
    sudo touch /etc/snort/rules/local.rules
    sudo touch /etc/snort/sid-msg.map

Create the logging directories for Snort:

    sudo mkdir /var/log/snort
    sudo mkdir /var/log/snort/archived_logs

The following files need to be copied from the extracted Snort source tree (here ~/snort_src) to the Snort configuration directory, and the dynamic preprocessors, which the build stages under src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/, to their installation directory:

    cd ~/snort_src/snort-2.9.11.1/etc/
    sudo cp *.conf* /etc/snort
    sudo cp *.map /etc/snort
    sudo cp *.dtd /etc/snort
    cd ~/snort_src/snort-2.9.11.1/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/
    sudo cp * /usr/local/lib/snort_dynamicpreprocessor

Some parameters need to be configured in the /etc/snort/snort.conf file:

- Set up the network that Snort will protect. In this project the variable is set to any, so that Snort protects every IP address beyond the internal interface (line 45 of snort.conf):

    ipvar HOME_NET any

  Note that with HOME_NET set to any (and EXTERNAL_NET left at its default of any), rules written as $EXTERNAL_NET -> $HOME_NET no longer carry any sense of direction and match traffic both ways; narrowing HOME_NET to the protected subnets later is an easy way to cut false positives.

- Tell Snort the locations of the directories created above:

    var RULE_PATH /etc/snort/rules
    var SO_RULE_PATH /etc/snort/so_rules
    var PREPROC_RULE_PATH /etc/snort/preproc_rules
    var WHITE_LIST_PATH /etc/snort/rules/iplists
    var BLACK_LIST_PATH /etc/snort/rules/iplists

After building and configuring Snort, the configuration is tested with the following command:

    sudo snort -T -c /etc/snort/snort.conf -Q

The result of this command is shown in Figure 2, which validates the Snort configuration:

    Snort successfully validated the configuration!
    Snort exiting
    spectrum@SNORT:

Fig. 2 Console Output Validating Snort Configuration

To configure Snort as a router [5], it must forward traffic between two different interfaces. IPv4 forwarding is enabled by uncommenting the following line in /etc/sysctl.conf:

    net.ipv4.ip_forward=1

C. Adding Iptables Rules

After verifying IPv4 forwarding, Network Address Translation (NAT) and forwarding rules are configured with iptables. A NAT rule is configured to translate the source address of packets arriving from the external interface "eth1" to the IP address of the internal interface "eth0", and a forwarding rule hands all traffic passing through the FORWARD chain to the netfilter queue (NFQ). Snort's inline configuration then contains an option that makes it take the traffic from that queue and analyze it with its components. The iptables NAT masquerade and forwarding rules are, respectively [6]:

    sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Forwarding rule:

    sudo iptables -A FORWARD -j NFQUEUE --queue-num 0

With this rule the IPS fails closed: if the Snort process stops, or has not yet bound to queue 0, the kernel has no consumer for the queued packets and drops them, so the production network loses connectivity. The NFQUEUE target also accepts a --queue-bypass flag that lets packets continue through the chain when nothing is listening on the queue (fail open). Which behaviour is wanted is a deployment decision and should be made deliberately.

D. Running Snort in Inline Mode (NFQ with Iptables)

Snort can be run in inline mode from the command line with different options; refer to snort --help for all of them. The following command is used to run Snort in inline mode:

    sudo snort -Q --daq nfq --daq-var queue=0 -c /etc/snort/snort.conf -A console -l /var/log/snort -s

The options used in this command are explained in Table 1 [5].

Table 1: Snort options with their descriptions

    Option                  Description
    -Q                      Enable inline mode operation
    --daq <type>            Select the packet acquisition module (nfq chosen here)
    --daq-var <name=value>  Specify an extra DAQ configuration variable (queue=0, the queue iptables forwards traffic to)
    -c <file>               Use the rules and configuration file at the given path, here snort.conf
    -A <mode>               Set the alert mode (console chosen here)
    -l <dir>                Log to a directory, here /var/log/snort
    -s                      Log alert messages to syslog

After running this command, Snort loads its preprocessors and reads the rules from the configuration. If anything is missing or configured incorrectly in snort.conf or in the rules files, Snort reports the errors; if there are no errors, the output on the screen should look like Figure 3.

    Commencing packet processing (pid 3288)
    Decoding Raw IP4

Fig. 3 Output Screen for Snort Operations in Inline Mode

The figure shows Snort waiting for traffic to process with the loaded rules and the configuration from snort.conf.

E. Configuring Snort to Log Events to Kiwi Syslog Server

The syslog-ng daemon on the Snort sensor is configured to receive events from the Snort daemon and send them to an external syslog server (Kiwi Syslog Server) for remote logging. The configuration is as follows. In snort.conf, the following line is uncommented to activate the syslog output module [4]:

    output alert_syslog: LOG_AUTH LOG_ALERT

And in syslog-ng.conf the following parameters are appended (s_src and f_auth are the default local source and auth-facility filter of the Ubuntu syslog-ng configuration; f_auth matches the LOG_AUTH facility selected above):

    destination df_snort_remote { udp("192.168.90.101"); };
    log { source(s_src); filter(f_auth); destination(df_snort_remote); };

IV. TESTING AND RESULTS

It is not sufficient to build an IPS/IDS on a real production network and run it without proper testing and optimization. Using penetration testing tools, simulated attack scenarios were performed to ensure that Snort can catch malicious traffic and attacks.

A. SSH Brute Force Login

Using the ssh_login auxiliary module of Metasploit on Kali Linux, with the IP address 192.168.80.2 as the attacker, an SSH login brute force was performed against a mail server with the IP address 192.168.40.101 as the victim. The result of this attack is catastrophic for the confidentiality and privacy of the users, as the attacker gained the usernames and passwords of system users, as shown in Figure 4.

Fig. 4 SSH Brute Force Attack

While Figure 4 shows the gained usernames and passwords and some information about each user, Figure 5 shows the alert messages generated on the Snort console while the attack is in progress.

Fig. 5 SSH Brute Force Alert

Figure 5 shows the message that refers to an SSH brute force attack coming from IP 192.168.80.2, port 43302, and going to IP 192.168.40.101, port 22. The alert message also contains the classification of the attack and its priority. This alert was generated before any custom rules were added, which means the detection was based on a VRT rule.

B. Scan on Mail Service

To protect a specific service from attacks and threats, it is essential for the administrator or the network security officer to think like an attacker. An attacker will first scan for open ports and services and then perform a specific scan against a specific service to gain more information. The following scan was performed using the Metasploit auxiliary module named smtp_enum. Figure 6 shows the auxiliary tool being used to scan the mail service and gather information about the software used on this mail server, the domain name, and a list of usernames on the target server.

    msf auxiliary(smtp_enum) > exploit

    [*] 192.168.40.101:25 Banner: 220 mail.spectrum.ly ESMTP Postfix
    [+] 192.168.40.101:25 Users found: ahmed, aisha, fatima, mahmod, mailtest, omar, reem, spectrum
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf auxiliary(smtp_enum) >

Fig. 6 SMTP Enum Auxiliary Scan

Basically, this attack mechanism resembles a port scan, and a port scan rule will detect it and generate a true positive alert, or prevent it, depending on the rule action. The following rule was added to detect different scans, and it is able to detect this auxiliary module:

    drop tcp any any -> any any (msg:"SYN Attack"; flags:S,12; sid:1000003;)

Note that this rule matches every TCP SYN (flags:S,12 tests for exactly the SYN flag while ignoring the two reserved bits) from any source to any destination, so in inline mode it drops every new TCP connection through the sensor, not only the scanner's. It is adequate for demonstrating detection in the lab; a production rule would restrict the destination and add a rate threshold, as the HTTP rule below does.

C. Brute Force Attack on HTTP Server

In this task a brute force attack was performed using nmap options to gain a username and password for restricted access. Figure 7 shows the result of this attack.

Fig. 7 HTTP Brute Force Attack Result

Figure 7 shows that the attacker gained the username "web" and its password "web" as valid credentials in less than 50 seconds. In order to prevent such attacks, the following rule was added:

    drop tcp any any -> 192.168.20.101 80 (msg:"HTTP brute force detected"; flags:S; threshold:type threshold, track by_src, count 10, seconds 60; classtype:attempted-dos; sid:2001280;)

The threshold option makes the rule fire, and with it the drop, once for every 10 SYNs from the same source address to the web server within 60 seconds rather than on every SYN, so the rule does not stop the first few connection attempts in a window; it stops the sustained guessing. Two details matter when adopting this rule elsewhere: the threshold rule keyword is deprecated in Snort 2.9 in favour of detection_filter (similar count/seconds/track syntax) and event_filter in snort.conf, and SIDs for locally written rules should be taken from the 1,000,000 to 1,999,999 range, because 2001280 lies in the range used by the Emerging Threats rule set and a downloaded rule with that SID would collide with it.

Figure 8 shows how this attack fails after activating the rule above, and the alert message generated by Snort shows the source socket of the attack along with the socket of the targeted system.

Fig. 8 HTTP Brute Force Alert

It is worth showing that while the attack is in progress, the generated event messages are received and logged on the Kiwi Syslog Server, as shown in Figure 9.

Fig. 9 Kiwi Syslog Event Messages

Figure 9 shows the time-stamped syslog event messages received, the priority configured in syslog-ng earlier, the hostname and IP address the events were received from, and the alert message itself, which is identical to the console alert on Snort.
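The two custom rules above are easier to reason about when their header, flag test and threshold are applied to concrete traffic. The following is an added example, not code from the paper: it parses the rules of sections IV.B and IV.C into header fields and options, then replays constructed SYN events through them. Address matching is limited to any and exact IPs (no CIDR blocks or ipvar variables), the threshold tracker models Snort's "type threshold" as a window opened by a source's first event that fires on every count-th event, and all traffic below is constructed for the illustration.

```python
"""Parse Snort 2 rules and replay constructed SYN events through them (added example)."""
import re

# Snort 2 rule header: action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$")


def parse_rule(text):
    """Split a rule into header fields plus an options dict (keyword -> value).
    Options are split on ';', which is safe here because no msg on the page contains one."""
    m = RULE_RE.match(text.strip())
    if m is None:
        raise ValueError("not a Snort rule: %r" % text)
    rule = m.groupdict()
    opts = {}
    for item in rule.pop("opts").split(";"):
        item = item.strip()
        if item:
            key, _, val = item.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    rule["options"] = opts
    return rule


def parse_threshold(spec):
    """'type threshold, track by_src, count 10, seconds 60' -> dict."""
    fields = dict(part.strip().split(None, 1) for part in spec.split(","))
    return {"type": fields["type"], "track": fields["track"],
            "count": int(fields["count"]), "seconds": int(fields["seconds"])}


def field_matches(pattern, value):
    """'any' or an exact IP / port (assumption: no CIDR or variables needed here)."""
    return pattern == "any" or pattern == str(value)


def flags_match(spec, flags):
    """flags:S means exactly SYN; 'S+' means SYN plus anything. The ',12' suffix only
    says to ignore the two reserved bits, which the flag strings below never carry."""
    want = spec.split(",")[0]
    if want.endswith("+"):
        return set(want[:-1]) <= set(flags)
    return set(want) == set(flags)


def header_matches(rule, ev):
    return (rule["proto"] == ev["proto"]
            and field_matches(rule["src"], ev["src"]) and field_matches(rule["sport"], ev["sport"])
            and field_matches(rule["dst"], ev["dst"]) and field_matches(rule["dport"], ev["dport"]))


class ThresholdTracker:
    """Model of 'type threshold': per tracked key, a window opens at the first event;
    the rule fires on every count-th event inside it and the counter restarts."""
    def __init__(self, count, seconds):
        self.count, self.seconds, self.state = count, seconds, {}

    def observe(self, key, ts):
        start, n = self.state.get(key, (ts, 0))
        if ts - start >= self.seconds:      # window expired: open a new one
            start, n = ts, 0
        n += 1
        fired = n >= self.count
        self.state[key] = (start, 0 if fired else n)
        return fired


def replay(rule_texts, events):
    """Return {sid: [(ts, src), ...]} listing the events on which each rule fires."""
    fired = {}
    for text in rule_texts:
        rule = parse_rule(text)
        opts = rule["options"]
        tracker = None
        if "threshold" in opts:
            th = parse_threshold(opts["threshold"])
            tracker = ThresholdTracker(th["count"], th["seconds"])
        hits = []
        for ev in events:
            if not header_matches(rule, ev) or not flags_match(opts["flags"], ev["flags"]):
                continue
            if tracker is None or tracker.observe(ev["src"], ev["ts"]):
                hits.append((ev["ts"], ev["src"]))
        fired[int(opts["sid"])] = hits
    return fired


RULES = [
    'drop tcp any any -> any any (msg:"SYN Attack"; flags:S,12; sid:1000003;)',
    'drop tcp any any -> 192.168.20.101 80 (msg:"HTTP brute force detected"; flags:S; '
    'threshold:type threshold, track by_src, count 10, seconds 60; classtype:attempted-dos; sid:2001280;)',
]


def syn(ts, src, sport, dst, dport, flags="S"):
    return {"ts": ts, "proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


# Constructed traffic: a password guesser opening a connection every 2 s for 50 s,
# one legitimate client, and one SYN-ACK reply from the server (flags 'SA').
EVENTS = [syn(2 * i, "192.168.80.2", 40000 + i, "192.168.20.101", 80) for i in range(25)]
EVENTS += [syn(5, "192.168.30.7", 51000, "192.168.20.101", 80),
           syn(6, "192.168.20.101", 80, "192.168.30.7", 51000, flags="SA"),
           syn(70, "192.168.30.7", 51001, "192.168.20.101", 80)]
EVENTS.sort(key=lambda e: e["ts"])


def summarize():
    """Number of firings per rule over the constructed traffic."""
    return {sid: len(hits) for sid, hits in replay(RULES, EVENTS).items()}


if __name__ == "__main__":
    for sid, hits in replay(RULES, EVENTS).items():
        print(sid, len(hits), hits[:3])
```

Over this traffic the SYN Attack rule fires 27 times, on every SYN including the legitimate client's (only the server's SYN-ACK escapes, because flags:S is an exact match), while the thresholded rule fires twice, on the guesser's 10th and 20th attempts, and never for the client whose two connections are 65 seconds apart.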
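The alerts relayed to the Kiwi server in Figure 9 carry the same fields as the console alerts of Figures 5 and 8: generator and signature IDs, message, classification, priority, protocol, and source and destination sockets. As an added example that is not part of the paper, the following parses both forms that this deployment produces, the -A console line on the sensor and the alert_syslog copy with the syslog header that syslog-ng prepends, and summarizes them per attacking source. The sample lines are constructed (timestamps, ports and the pid 3288 from Figure 3 are illustrative); the two SIDs are the paper's own custom rules, and a priority of 0 is treated as "unclassified", which is what Snort prints for a rule without a classtype.

```python
"""Parse Snort console and syslog alert lines and summarize them per source (added example)."""
import re
from collections import defaultdict

# Console ("fast") alerts:
#   MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:sport -> dst:dport
# Syslog copies carry an RFC 3164 header and drop the [**] markers:
#   Mon DD HH:MM:SS host snort[pid]: [gid:sid:rev] msg [Classification: c] [Priority: p] {PROTO} src:sport -> dst:dport
CONSOLE_HDR = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+")
SYSLOG_HDR = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+snort\[(?P<pid>\d+)\]:\s+")
ALERT_BODY = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+(?:\[\*\*\]\s+)?"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$")


def parse_alert(line):
    """Return a dict of alert fields, or None for lines that are not alerts
    (Snort's startup banner, syslog-ng's own messages, and so on)."""
    for form, header in (("console", CONSOLE_HDR), ("syslog", SYSLOG_HDR)):
        head = header.match(line)
        if head is None:
            continue
        body = ALERT_BODY.match(line, head.end())
        if body is None:
            return None
        rec = dict(head.groupdict(), **body.groupdict())
        rec["form"] = form
        for key in ("gid", "sid", "rev", "priority"):
            rec[key] = int(rec[key])
        for key in ("sport", "dport"):          # absent on ICMP alerts
            rec[key] = int(rec[key]) if rec[key] else None
        return rec
    return None


def summarize(lines):
    """Per source address: alert count, distinct SIDs, targeted (dst, port) pairs and the
    most severe priority seen. In Snort, 1 is the most severe; 0 means no classtype."""
    out = defaultdict(lambda: {"alerts": 0, "sids": set(), "targets": set(), "top_priority": None})
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue
        s = out[rec["src"]]
        s["alerts"] += 1
        s["sids"].add(rec["sid"])
        s["targets"].add((rec["dst"], rec["dport"]))
        if rec["priority"] and (s["top_priority"] is None or rec["priority"] < s["top_priority"]):
            s["top_priority"] = rec["priority"]
    return dict(out)


# Constructed sample: two console alerts, their syslog copies, and a non-alert line.
SAMPLE_LINES = [
    "11/20-14:02:31.517233  [**] [1:2001280:0] HTTP brute force detected [**] "
    "[Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.168.80.2:47822 -> 192.168.20.101:80",
    "11/20-14:02:32.003911  [**] [1:1000003:0] SYN Attack [**] [Priority: 0] {TCP} 192.168.80.2:47823 -> 192.168.20.101:80",
    "Nov 20 14:02:31 SNORT snort[3288]: [1:2001280:0] HTTP brute force detected "
    "[Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.168.80.2:47822 -> 192.168.20.101:80",
    "Nov 20 14:02:40 SNORT snort[3288]: [1:1000003:0] SYN Attack [Priority: 0] {TCP} 192.168.30.7:51000 -> 192.168.40.101:25",
    "Commencing packet processing (pid 3288)",
]

if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE_LINES).items()):
        print(src, info)
```

Counting both the console line and its syslog copy for the same event, as this sample does, double-counts when a sensor logs to console and syslog at once; in practice only one of the two streams should be fed to the summary, or alerts deduplicated on (sid, src, sport, dst, dport, timestamp).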

V. CONCLUSION

This paper outlines the implementation of an open source intrusion prevention system, Snort. Given the complexity of an intrusion prevention system installation, some technical issues and difficulties exist. Snort requires a trained operator: in particular, it requires a systems administrator who understands Linux, has experience using Snort and, more importantly, has experience with the TCP/IP protocol suite. The learning curve for writing and applying effective Snort rules is not too steep for IT professionals. As with all security tools, Snort should not be seen as the final step in defending networks but as a single brick in the wall of network security. Snort is a tool, and tools are only as good as their users. Even if users truly want to secure the network, no number of intrusion detection systems and firewalls alone will keep attackers out. Common sense and diligence in day-to-day monitoring are still the rules to live by for effective network security.

ACKNOWLEDGMENT

We are highly indebted to the Department of Computer Networking at the College of Computer Technology Tripoli for providing the necessary equipment and software for this research, access to their production networks, and use of facilities.

REFERENCES

[1] Rafeeq Ur Rehman, Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID, May 18, 2003.
[2] Jay Beale and Andrew R. Baker, Snort 2.1 Intrusion Detection, 2nd edition, Syngress, 2004.
[3] Z. Trabelsi and S. Zeidan, "IDS Performance Enhancement Technique based on Dynamic Traffic Awareness Histograms", IEEE ICC Communication and Information Systems Security Symposium, 2014.
[4] Network IDS & IPS Deployment Strategies, …eployment-strategies-2143.
[5] Kerry J. Cox and Christopher Gerg, Managing Security with Snort & IDS Tools: Intrusion Detection with Open Source Tools, Aug 2, 2004.
[6] Gregor N. Purdy, Linux iptables Pocket Reference: Firewalls, NAT & Accounting (O'Reilly Pocket Reference), 2004.
[7] Charlie Scott, Paul Wolfe, and Bert Hayes, Snort For Dummies, 2004.

Mohamed Ghretli was born in Tripoli, Libya, in 1965. He received the B.S.E. (Hon) degree in applied physics from McMaster University, Hamilton, ON, Canada, in 1984, the M.Sc. degree in applied optics from Windsor University, Windsor, ON, in 1992, and the Ph.D. degree in microwaves from the University Putra Malaysia, Selangor, Malaysia, in 2005. He received the Gold Medal for best invention in Geneva, Switzerland, in 2007 for his research on a dual frequency micro-strip sensor published in IEEE Sensors Journal, Vol. 7, No. 12. Currently, he is an associate professor at the College of Computer Technology Tripoli and the head of the Cisco Networking Academy. His research interests include computer networking, data communication, micro-strip antennas and microwave sensors.

Rima Aburmaylah was born and raised in Tripoli, Libya, in 1994. She received her B.S.E. degree in Networking from the College of Computer Technology Tripoli in 2018. Besides her passion for the network security field, Rima is interested in business, strategic planning, and project management, and she works as a solution engineer and as a member of the project management team at an IT company in Libya.

Abdulmunem Almukhtar received the B.S.E. degree in Electronic and Computer Engineering from the College of Industrial Technology, Misurata, Libya, in 1995, and the M.Sc. degree in Computer Engineering from The Libyan Academy in 2010. His recent publications include "Parameter Estimation and Residual Generation for (CARARMA) Model Depend on D-RGELS Algorithm", 4th IEEE Scientific Meeting on Computer Science, 2018, Istanbul, Turkey. Currently, he is a lecturer at the College of Computer Technology Tripoli and the head of the Faculty Affairs Office.

Sabri Shmeekh received an HND in Computer Hardware from CAHI, Esbia, Libya, in 1991 and an M.Sc. in IT from RMIT University, Australia, in 1999. He earned many international certificates during his career in the Cisco Academy and EMCPA Associate Information Storage and Management. Currently, he is a lecturer at the College of Computer Technology Tripoli and the head of Networking.
