Using Snort Stealthily

jukal writes "Linux Journal has an article on using Snort as stealth sniffer, a stealth NDIS probe and stealth loger -- on a network interface with no IP address. 'Snort is a versatile and powerful tool for sniffing, intrusion detection and packet logging. Configuring it to run stealthily in sniffing mode or NIDS mode is easy; incorporating it into a stealth-logging solution is only slightly less so'"

Snort UI

[glh]

Snort is a great tool. However, the last time I used it I found it a little bit difficult to get it working just the way I want with all the parameters. In reality, I guess that is probably a good thing or every l33t hax0r would be out there using it.

Regardless- has anyone made any good UI to use it? I really liked the way "sniffit" worked with interactive mode. Maybe someone could design a UI and call it "sniffles" or whatever. The stealth mode version could be called "silent sneeze" :)

Re:Snort UI

[HappyPhunBall]

The "133t hax0r" type you mentioned is much more likely to be trying to avoid snort than deploying it.

You can find some snort enhancements at this site. Have fun.

Re:Snort UI

[silvercloak]

Try the webmin plugin: http://www.snort.org/dl/contrib/snort-1.0.wbm

Here is a great setup guide for snort including webmin and the snort plugin:
http://www.snort.org/docs/snort-rh71-mysq l.pdf

I have been using Snort since 1.8.3. It has not always been easy to configure, use, understand. It has helped us find an close at least one security issue.

Re:Snort UI

[checkitout]

If you want a really good snort UI, go with PureSecure. You can get it over at http://demarc.com/

Check the screenshots, and you'll see what I mean.

It's not open source, but it is free for personal use and by far the best Ui for snort. We use it here at work. It also does some tripwire and Big brother type stuff.

Great!

[MuMart]

Just one question ... What's a loger for?

Re:Great!

[jaeson]

Another Question: what is a NDIS?

Re:Great!

[Hast]

Most people would probably call it Network Intrusion Detection System though. The same people would probably call the computer storing information a "logger" as well. Generally these people are know as "those who can spell".

What would a "Network Detection Intruder System" be BTW? An intrusion system which detects networks?

Re:Great!

[HughsOnFirst]

>CAT5 and snip the write cables

you mean clip the #1 and #2 wires at the computer end ?

I'll have to try that

Re:Great!

Would it not be easier just to do a ifconfig etx up? (note interface should be set to manual with no ip assigned).

I just insert the comment as part of puresecures init script.

Re:Great!

[jaeson]

Ive spent many years playing around with computer security (the last two years
were spent at Counterpane Internet Security) and I never heard of a NDIS.

Network Detection Intruder System?
Is this for intruding on Network Detection setups? :^P

Even more simple ...

[mustangdavis]

Won't tcpdump or netstat -an do basically the same thing?

If you're THAT worries about security, I have 3 words for you:

Build a firewall!!!

(and don't make your firewall similar to swiss cheese by poking lots of holes in it!)

Re:Even more simple ...

[netphilter]

Get real...firewalls are not the "end all" solution to every security problem. You're also mixing passive and active defense. Firewalls are designed to BLOCK attacks at the gateway. Snort (and all network-based IDS') are designed detect attacks that have gotten through your firewall...and they do get through, I assure you.

Re:Even more simple ...

[vofka]

Unfortunately, firewalls are not the be-all and end-all of network security... A firewall can effectively protect your network from malicious access from the outside world, however it can not prevent hack-attacks on your systems which originate from within your network.

There are two primary reasons for hack-attacks originating inside a firewalled-zone:
1. A trojaned system, usually due to poor Antivirus policy and/or poor user education.
2. A Disgruntled employee who is out to get you!

Obviously, the best solutions to these problems are to implement a good Antivirus product and virus protection policy, and to keep your employees happy!

Unfortunately, no matter how hard you try, there are always likely to be problems you have not forseen - which is where Sniffers and NIDS tools come in. Whilst these tools are also not the sole answer to anyone's prayers, they can often help as part of an overall security system implementation.

Snort is (IMHO) one of the best NIDS tools out there - I have used Snort for a couple of years as part of an integrated security solution, and the logfiles it generates, once properly parsed, have helped me track down a number of threats to network security, and plug any holes present before the problems became serious.

Firewalls are not a panacea, nor are NIDS tools, used together though, they are much more than the sum of their parts....

Re:Even more simple ...

[ericman31]

The best analogy for defending your networks is a castle. Castles have moats, walls and an inner keep, all to protect the treasures of the kingdom (jewels, the princess, etc.). But, none of that does you any good without sentries watching the moat and walls who can report to the Captain of the Watch anything out of the norm. Your network defense should consist of a hardened router(the moat), firewall and DMZ (walls), and your private networks (the keep). You should have intrusion detection systems, syslogs from routers and firewalls and regular system monitoring (sentries). All of this should be parsed by a system that provides alerts for key events (report to the Captain of the Watch) and is also checked regularly by humans.

Re:Even more simple ...

[RagManX]

Build a firewall!!!

You probably should work in the security world before making statements about things you clearly don't understand. tcpdump is a tool for watching all or select traffic. It dumps raw packets, and you have to figure out what to make of them. Snort is a tool for analyzing those packets and alerting on suspicious data. It provides the information you need to help you find potentially dangerous traffic.

Where I work, we have a T-3 'net connection. We typically run about 40% available bandwidth. You'll have just a *TINY* bit of trouble keeping up with that traffic if you manually analyze tcpdump logs. If you run Snort, it will do the bulk of the work, and alert you on things it thinks bear further investigation. It makes mistakes. But having it help focus your traffic checks makes the day a lot easier.

As for using a firewall, too many people have the mistaken impression that once they install a firewall, all their worries will go away. If you have an insider attacking one of your corporate servers, a firewall doesn't help with that at all. An intrusion detection system like Snort will. If you users bring in discs from home that contain trojan programs with call home features, your firewall probably won't catch that, but an intrusion detection system probably will. If your users are surfing to pr0n sites, your firewall might catch that, but an intrusion detection system has a much greater chance.

A firewall is a good thing to have, but everyone working in the security field is going to tell you that it is not enough. We have a concept which we frequently preach to newbs - defense in depth. Put as many systems in place for securing your network as you can realistically manage and track. If you have only a single security device, once an exploit comes out for that device, your network is wide open. And every single security system out there has bugs, so depending on one greatly increases your chances of getting 0wnzerized. Put in multiple systems, and you are likely to catch attacks on at least one of them, in the event that a way to avoid one part of your defense is found.

RagManX

Re:Even more simple ...

[jcostom]

Build a firewall!!!

Score: -17, bad security.

Installing a firewall is not a magic solution. Suppose you run a website. You WILL be permitting 80/tcp through your firewall, probably also 443/tcp. Along comes the next worm that uses only http to gain entry to a system (Think CodeRed, Nimda && friends). How exactly is your firewall going to stop that sort of traffic? The answer you're searching for is, "it won't."

In addition to firewalling, running a NIDS sensor will help abate these threats. Most NIDS products support the notion of killing a connection (rskill, for RealSecure, flexresp for Snort, etc.) - this is how you can stop the threat of CR, CR-II, Nimda, et al.

Another way to abate these kinds of threats is to use something like Hogwash (which strangely enough is based on Snort), or a reverse-proxy that can inspect HTTP requests. Of course, those only help for HTTP traffic - there's a lot more out there besides HTTP. Remember sendmail, uw-imap, old qpopper, bind, and friends? They've all had remote-rootables that blew right through firewalls, since they only used the designated "proper" port(s) for the vulnerable daemon.

Use your head. There is no security magic bullet. It's a process, not a single product.

Re:Even more simple ...

[palme999]

Suppose you run a website. You WILL be permitting 80/tcp through your firewall, probably also 443/tcp. Along comes the next worm that uses only http to gain entry to a system (Think CodeRed, Nimda && friends). How exactly is your firewall going to stop that sort of traffic? The answer you're searching for is, "it won't."

Ahh but if you are allowing 443/tcp, how exactly is your IDS going to detect that sort of traffic? Seeing how the session is encrypted. The answer you're searching for is, "it won't."

Re:Even more simple ...

[jcostom]

Not familiar with dsniff, ettercap, and the like, eh? Or how about large-scale SSL-based websites? Most of those actually terminate the SSL connections on some sort of SSL acceleration device, spitting out plain old http traffic out the back side.

Re:Even more simple ...

[palme999]

I'm familiar with dsniff, but I think you'll agree it's use is silly in an IDS/commercial web context (MITM with user getting cert doesn't match pop ups). I hadn't considered the SSL acceleration device though, that's a good point.

Re:Even more simple ...

[delcielo]

Snort will also catch bad traffic buried in protocols that are allowed through your firewall.

For instance, http is probably something that you're going to allow through your firewall. Snort can detect nimda signatures in the http traffic. You're firewall won't.

I'll admit to not having read the article, mostly because the description seems very close to what we do at my job. We use Snort on an interface that has no ip address, and plug it into a port on the switch that mirrors the traffic from the router. This is done at every entry point into our network, and a few internal points as well. The logs are sent through a second ethernet card (with ip) to a mysql database using ACID (Analysis Console for Intrusion Detection.) Once we got the rules tweaked, it became a fairly useful and easy tool to use.

Re:Even more simple ...

[goofrider]

Well, at least your apache log files will. And since you do have the *private key* that is used to encrypt every packets going through your SSL server, theorically, you should be able to decrypt those packets if they were logged. But then i don't know if anyone tried it.

Servers...

[Will_TA]

Does anyone have a server call Charlie?

Charlie% Snort Charlie -1 line...

Warning

[ekrout]

An article like this is kinda sketchy as a feature on a site like Slashdot, which is composed largely by members who attend various colleges and universities across the world, all of which surely have Appropriate Usage Policies that clearly state that this type of network sniffing is not legal on their network.

So, kids, be smart about what "network analysis tools" you use. I know our head network administrator personally, and he sees EVERYTHING (no, really -- EVERY BIT) of traffic that he wants.

Use something like this at my school, and you'll be using a lab computer to check email by the end of the day since they'd disable your port immediately ;-D

Re:Warning

[flonker]

It's easy to remain undetected with a custom patch cord, (no transmit). IIRC, 10BaseT, you simply didn't set up the TX wires, and 100BaseT, you untwisted one of the twisted pairs.

It's even possible to remain undetected with software only, but you *really* need to know what you're doing. Stuff can be detected on the ethernet layer that most people aren't aware of.

Re:Warning

[RagManX]

How exactly is he going to see a traffic analysis system which is set up to transmit no data on to the network? Sure, if it is done wrong it will be detectable, but it isn't hard to make a non-detectable Snort setup work.

RagManX

Re:Warning

[silicon_synapse]

Just ARP flood the switches until they fall back into hub mode.

Re:Warning

[Old+Uncle+Bill]

Ummm... two NICs?

Re:Warning

[GeorgeH]

A 10baseT patch cable with the TX wires clipped will get you a whole lotta nothing because the TX wires are used for heartbeat signals. You need to corrupt the outgoing frames instead, which is a PITA.

The easier method is to use a 10 Mbit AUI adapter with the TX pins cut. You can probably even find a 10baseT -> AUI adapter at a computer junk shop for a buck or three.

For more about creating a receive-only ethernet adapter check out http://www.robertgraham.com/pubs/sniffing-faq.html #receive-only or read up on Antisniff (weird, I can't find anything about it on @stake's site).

Re:Warning

[monkeydo]

1. This doesn't work on quality switches.
2. Unless all the network folks are asleep at the wheel this doesn't qualify as stealthy.

www.prelude-ids.org

Also worth investigate Prelude
"Prelude is a new innovative hybrid Intrusion Detection system designed to be very modular, distributed, rock solid and fast. "

Re:Snort is okay

[ericman31]

Funny, I can have my SNORT installation log to Oracle, MSSQL Server, MySQL, PostGreSQL, etc. And I can perform vulnerability assessments, etc. By adding on ACID (from CERT) and logsnorter, I can integrate my firewall logs and view everything through a very nice web UI. Best of all, except for the hardware I run it on, and the work, my IDS and vulnerability assessment platform hasn't cost me a dime.

And your "superior SQL Server 2000" has more holes than swiss cheese, which is why I'm using MySQL in a secured, private network, for my logs.

Interesting challenge

[DragonWyatt]

Unfortunately, the NIC can still introduce errors and whatnot onto the segment... Also, don't forget that not all traffic on an ethernet segment is IP!

The biggest problems are:

1. A switch can mangle the packets a little before they're port-mirrored
2. How exactly DOES one monitor >100mbit full-duplex traffic using only a single 100mbit port :) ? (dropped packets are a significant reality on a busy network)

'Course, what you REALLY need is a good, *electrically* transparent impedance matching tap, like one of these.

Re:Interesting challenge

[ericman31]

2. How exactly DOES one monitor >100mbit full-duplex traffic using only a single 100mbit port :) ? (dropped packets are a significant reality on a busy network)

Simple, you connect your firewall to a hub on each interface. You then connect your hub to the switches (or routers) that carry network traffic for each interface. On that same hub you connect your IDS, running in stealth mode. The IDS will pick up all packets, since a hub simply repeats all traffic out every port. Those packets that are dropped outbound from the firewall will be caught by the firewall syslogs. Inbound packets that are dropped are going to be of little concern if they are dropped prior to the firewall interface.

Re:Interesting challenge

[silversurf]

Why not just mirror a port on a switch? I don't believe (and I'm sure someone will correct me if I'm wrong) that a mirrored port does not show the connecting host on the switch fabric since it's a replication of the mirrored port. I think this avoids having to "stealth" the host to any degree. Since we're looking for traffic to/from a firewall interface (for example), it's simple enough just mirror the port that that FW interface is plugged in to, then you'll be capturing all in/out traffic of your network. simple.

In order to really do NIDS right, you need a NIDS host at every gateway in/out of your network, plus possibly some on remote segments, then collect all the alerts back to a central DB that can be correlated and alerted on. One NIDS host can't "see" everything if you have many switched or routed segments, or multiple WAN links, etc.

But, that transparent impedence matching tap is pretty cool though. Hmmmmm....donuts....

-s

Re:Interesting challenge

[Mike+Schiraldi]

Unfortunately, the NIC can still introduce errors and whatnot onto the segment

Not if you use a one-way ethernet cable.

Re:Interesting challenge

[ericman31]

It's not a spanning tree nightmare at all. A firewall sits at the boundary of two networks, network A and network B, let's say. Firewall Interface A connects to hub A which connects to network A. IDS A is also connected to hub A. And ditto for B. This is Firewall Design 101. Since, generally, Firewalls, on at least one side, are connected to the Public Internet, your network on that side is not going to be gigE.

Re:Interesting challenge

[jcostom]

How exactly DOES one monitor >100mbit full-duplex traffic using only a single 100mbit port :) ?

Um, you don't. That's what Gigabit Ethernet is for. Check out the Intel Copper Gig cards - there's Linux support for them and they're reliable cards.

On another note, I don't quite see how using 2 nics, one on a management LAN and the second with no IP bound to it doing the sniffing is a revelation! Shouldn't this just be common sense? After all, it's been a standard NIDS sensor practice for quite a long time now. To really do this job right, all of the sensors should be using a management LAN for reporting back to a MySQL/PostgreSQL database, which in turn is queried by ACID, or something similar..

BTW, ACID's SQL is so terribly un-optimized, it's downright pitiful. I know of a large company that's getting ready to release a huge patch to ACID to actually optimize its SQL usage, bringing performance for large-scale snort deployments up to a reasonable level.

Re:Interesting challenge

[ericman31]

Switches can, and do, mangle packets, even when mirroring. By configuring your IDS to be "stealthy", putting the NIC into promiscuous mode, and using a simple hub at the gateway, you can capture all traffic that crosses the network boundary. Besides that, why bother putting a layer 2 switch between your firewall interface and your public internet routers? Which is one of the obvious locations for your IDS? The other really obvious location being in your DMZ?

Re:Interesting challenge

[stinky+wizzleteats]

Simple, you connect your firewall to a hub on each interface.

Which would be a great idea, except that hubs are half-duplex.

Re:Interesting challenge

[monkeydo]

Since, generally, Firewalls, on at least one side, are connected to the Public Internet, your network on that side is not going to be gigE.

Aside from your suggestion of using hubs in a real network just being stupid, how do you know what the connection to my firewall will be? Firewalls come with GigE interfaces you know. They also come built into switch modules like the 6500's from Cisco. Many people have firewalls in facilities that provide Fast or GigEthernet connections to the Internet and charge by the bit.

Re:Interesting challenge

[monkeydo]

Some switches do not receive traffic on mirrored ports, some do. Better ones are configurable.

There are lots of places you can put NIDS and it realy depends on what you want to see. If you only want to see active attacks you could put it only inside your firewall. If you want to see the stuff that your firewall blocks (useful for justification and verification) you put one outside your firewall. If you are worried about internal stuff you put one near your jewels. There is no single setup that wilbe right for every network.

Re:Interesting challenge

[monkeydo]

Switches can, and do, mangle packets, even when mirroring.

Please explain what you mean by "mangle packets"

By configuring your IDS to be "stealthy", putting the NIC into promiscuous mode, and using a simple hub at the gateway, you can capture all traffic that crosses the network boundary.

What does promiscuous mode have to do with being stealthy. If your NIC isn't promiscuous you don't have NIDS you have HIDS. Hubs suck.

Besides that, why bother putting a layer 2 switch between your firewall interface and your public internet routers?

If you have redundant firewalls or multiple paths to the Internet you already have a switch there so you can connect all the interfaces on a common segment. If you have a single router and a single firewall use a tap. You can still have a full duplex connection and you don't have to worry about the $10 hub crapping out and taking down your internet connection. If you don't care about any of the above, what do you need NIDS for?

Re:Interesting challenge

[dago]

If you have redundant firewalls or multiple paths to the Internet you already have a switch there so you can connect all the interfaces on a common segment.

Usually, the point of having redundancy is to avoid single point of failure. If you connect your multiple path to a single switch, then you may have problem because you rely on a single piece of hardware.

Re:Interesting challenge

[dago]

I know of a large company that's getting ready to release a huge patch to ACID to actually optimize its SQL usage, bringing performance for large-scale snort deployments up to a reasonable level.

What if some people would be interested in that optimisation ? (what is the actual status of that)

Re:Interesting challenge

[monkeydo]

If you want complete redundancy you'll need 2 firewalls with twice as many ports on each as you need. Each segment will then have 2 switches and each firewall will have a connection to each switch. This depends on your firewall being able to have multiple interfaces on the same segment.

If your firewall doesn't support this configuration you can have a seperate switch between each firewall and router and mesh them.

It is also possible to use a redundant load balancer in this position to pass traffic through multiple firewalls. This has the added benefit of allowing you to load balance your firewalls. There's lot's of was it can be done and it is possible to engineer a perfectly redundant network, it's just a bit expensive.

Re:Interesting challenge

[stinky+wizzleteats]

which makes me wonder, can you split the UTP cable so the upgoing packets go through one hub and the downgoing packet go through another hub?

Technically this is doable, given a few custom cables and a very ugly wiring configuration. This isn't how the pros do it, however. Given that the need is:

• An IDS box without an address
• A wiring facility which allows all traffic to be picked up
• Some means of out of band management.

The best thing to do is plan the point of insertion for the IDS. Most WAN circuits are far below the 100Mbps level. Therefore, the best place to sniff is between the WAN edge device and the gateway router. Set both devices up for half duplex communication, insert a hub, and away you go. The only problem here is that the hub is now the single point of failure for the WAN. This is why some shops use very advanced electronic taps which may even sniff the raw WAN packets before they ever get to the termination device.

Out of band remote management can be achieved with the implementation of a management network. The easiest way to do this is with a second NIC in the IDS box. The slickest way to do it is with 802.1q tagging and VLANS. If you have the right switches and NICS in place, you can build a complete isolated management network without changing a single piece of hardware.

Re:Snort is okay

[marmoset]

Whew, the ISS marketing guys really did a number on your mind, didn't they?

I worked on intrusion detection at a site where we had two IDS systems set up in parallel, one based on RealSecure and the other being a custom tailored solution that utilized a "sensor" machine sitting in our DMZ with a quiet NIC, similar to what's described in the linked article. It used tcpdump for data collection, and saved most of our incoming and outgoing network traffic to a fast disk array for analysis (based on tcpdump filters.) Hourly scripts would process the saved packages with Snort (and a variety of other tools, some of them free and some of them custom written for us and the other sites on our WAN.)

While RealSecure is fine for detecting bumbling script kiddies and obvious misconfigurations (like unpatched boxes becoming Nimda zombies), the tcpdump solution was far better at detecting the serious intrusion attempts, like the slow and low network probes with custom crafted packets, and telling us exactly who on our network was doing boneheaded things like using telnet across network boundaries. RealSecure's coming in a pretty box and costing a lot of money doesn't make it the end-all be-all of intrusion detection systems.

Come on !

[stud9920]

This is an invitation for the taco snotting guide troll, isn't it ?

Re:Snort is okay

[SpaceJunkie]

Sounds more like a church of scientology lecture than a security system. Mysql, snort and other unix/linux products also have naming conventions- just different ones. As if thats the real issue anyway...

Re:Snort is okay

[mustangsal]

Kind of like logging snort output to a mysql db, and running nessus on anything you find thats questionable, but without the mega dollar outlay for software.

A better article, and other links ....

[ericman31]

There's a better article about SNORT and ACID on LinuxWorld. Also, if you want to investigate SNORT, check out the following links:

• CERT's HOWTO on ACID and SNORT
• SNORT's manual on installing SNORT, MySQL, ACID on RedHat
• A variety of deployment guides provided by SNORT
• A collection of various IDS documents and white papers, including a good piece by Marcus Ranum on benchmarking

Re:Snort is okay

[RagManX]

But you are much better off using something like ISS' RealSecure

The wonderful tool which is less configurable than Snort, doesn't log data as well, and provides less viewable data about packets which set off alerts.

which feeds into either workgroup manager or their new flagship product, Site Protector.

And this is better than Snort how? Snort can log to local or remote databases, text files, syslog, and probably other formats (but I haven't tried). It supports multiple output formats, so you can choose how you want to look at the data. It also supports loading a database from tcpdump files (Our training with ISS never covered how to do this with RealSecure, and I'm doubtful that it can be done).

With that, you can dump all your events into a superior MS SQL 2000 server for event correlation, queries, and forensics.

Superior in what way? It costs more than Postgres or MySQL, has more holes than any other database out there, and costs an insane amount of money compared to what most people running Snort would use (we use MySQL here, I know many people using Postgres, or you can dump to text files).

You can also tie together your intrusion detection with your vulnerability assessment so, if you see a bunch of a certain kind of attack, you can automatically launch a vulnerability assessment with just that attack to ensure you have everything protected (and to make sure that there isn't a new development or test box sitting there insecure since you had no inkling of its existence).

In the world of real security grunts, we like to call such a tool Nessus (http://www.nessus.org/). It scans for more vulnerabilities than ISS (the marketing claims by ISS notwithstanding), is updated more frequently, offers more flexibility in scanning options, has a better support community, and is free.

Unfortunately for me, ISS has brainwashed many, many people in the Department of Energy. I'm forced to use their product on a day-to-day basis. On the upside, I can run Snort and Nessus to do all my real checks and detects, and the go to the ISS products I have to use, try to make them show me the data I need, and report with that. But every single site I have to deal with which uses ISS has done the same thing I've done - shoved it in a corner, set up a system with Snort and a system with Nessus, and gone about getting real work done with free, easy to use, well supported tools.

RagManX

Re:Snort is okay

[turambar386]

Cost of an ISS RealSecure Deployment for a mid-sized business: $100,000

Cost of a Snort Deployment for a mid-sized business: $0.00

Hmmm...decisions, decisions...

OMG

[CableModemSniper]

You killed Linux Journal! You bastards! I figured it was time for an alternative South Park joke.

Re:Snort is okay

[libertarian]

Check the snort page for some good, detailed information on how to do this (mySQL logging) and much more.
Here's one way: Snort Installation Manual

Lee

Re:Snort is okay

[RagManX]

The advantage of something like RealSecure is that it can take action in realtime as the attempts are detected. Reset the connections, modify firewall rules, AND generate an alarm.

So can Snort. It is not built in, so you'll have to load an additional plugin. But then again, the makes of Snort understand that it is an Intrusion Dectection System. If you want more than detection use the plugins that are available to react on certain alerts. You can set up Snort to send resets, just like ISS does. But that slows down the other work that Snort does, so you won't find that feature integrated into the package.

RagManX

SNORT - the price is right!

[AIM-9X]

You can't beat Snort for the price. I've evaluated the ISS products, and they're bang:buck ratio is not good enough. It was going to cost me $68K just to set up a trial system.

For the cost of one NIC and some existing obsolete hardware, I now have a hardened Snort sensor outside my firewall. I can see all inbound and outbound traffic, which is logged to MySQL and viewed thru ACID. Not bad for about $30.

Sourcefire (founded by Marty Roesch - creator of Snort) is releasing a rack-mount device that can manage freeware Snort sensors. Cost is about $15K. Hell of a lot cheaper than the alternatives! I'll be getting one of those soon... If you run Bastille security, with a little know-how, you can stealthify your Snort sensors to the point where they become invisible. I get scanned regularly, and nobody has yet found the IDS box. Me == happy!

Re:Snort can do that and more

[libertarian]

>Did I miss it, can snort (with any add on package) actually take action upon what it detects ?
Yes, it can. You missed it.
There's a great add-in that allows dynamic updating of Firewall-1 rules called SnortSAM. There are others as well.
If those programs don't suit you, if you have skill with Perl you could also craft a program to send the RST (reset) packets based on certain alerts.

Or you could always pay me to do it. (shameless plug)
You can do all that, and more.
The question is whether your organization has the time and resources to set it up and support it. If you've got the money, but not the time, perhaps a commercial solution is better.
Lee

Re:Snort is far more than OK

[libertarian]

Amen, brother!

Re:Snort is okay

[libertarian]

Trolling, agreed.
But sometimes you must respond, so that the uninitiated and unwary will not be taken in by the trolling.

Using Snort Stealthily?

[utexaspunk]

Who'd've thought Slashdot, of all places, would be giving me tips on my secret drug habit? Thanks, /.!

Depends where you are.

[laserjet]

I always go in to the bathroom before I snort, but that kind of depends on where you are. Basically anywhere where no one will see you snorting is good, and if you use a rolled up dollar bill, I would hide that as well.

snort as a deterrent AND the BitchX TROJAN

[ph1l]

I have had a lot of fun with snort. Perhaps
the greatest thing it does is deter would-be
bad guys from even looking at your machine
twice... as soon as they find you've got snort
running they go away in most cases.

This does not apply to the script-kiddies running
the NT http directory traversals every 15 minutes
against your Linux box. I have found that even a
good solid dos does not stop THEM.

Oh yeah while I am here, why haven't the lords of
slashdot run my story on the current bitchx
source tarball trojan? You could save an awful
lot of folks grief by just running the damn story
and not worrying about the fact that you ran the
same story months ago. This is a new, different
incarnation of the thing and it is quite bad;
giving paz.bakunin.net a root shell on the system
of anybody running the configure script from the
bitchx source tarball downloaded from
ftp.bitchx.org.

The md5sum of the trojanned bitchx is:
a9d6bb266c503a09d46cef679fce8320

The md5sum of the clean bitchx is:
79431ff0880e7317049045981fac8adc

The name of the bitchx source tarball is:
ircii-pana-1.0c19.tar.gz

If you run the configure script from the trojanned
tarball, you will wind up with a connection to
port 6667 on paz.bakunin.net with a shell on your
end. Also, a copy of your /etc/passwd file will
be sent to that port.

I can state with 100% certainty that the BitchX
package that is part of slackware 8.1 is totally
clean and safe. The BitchX source tarball from
ftp.irc.org is also clean.

Reasons for a security sniffer...

Just a little story. At my previous job (an e-commerce .com site, where our database contained probably several million credit-card#'s and email addresses), we hired a few consultants to do some Java coding...

About a week later, because of our security tools, we discovered one of the consultants port-scanning our network. The director went and asked him why he was port scanning, with no good reply, and told him to stop doing it.

About 2 weeks later, yet again, the *same* consultant was found port-scanning the network again, this time hitting our production website boxes at our offsite co-location (which includes the database boxes, loaded with data that only a handful of people had access to). He was promptly walked out the door, and the consulting company was asked to replace him with someone else.

While a firewall will protect you from attacks from the outside, attacks from the inside are just as dangerous.

Re:Reasons for a security sniffer...

[Old+Uncle+Bill]

Question is, who do you work for? Unless you are hired as a security consultant most companies frown upon port scanning. Port scanning itself does not cause a lot of problems, but the results can be used for nefarious purposes. The company I work for (as would the last 3) would have walked him out the first time, and any company that doesn't is foolish.

Re:Reasons for a security sniffer...

[Old+Uncle+Bill]

If one of your employees was walking around the office with a set of keys from home trying to get into all of the managers offices, would someone have a problem with that? I mean, putting a key in a lock is really a harmless thing, right?

What "valid" use does a developer have with a port scanner on my network (outside of the development labs)? BTW, the feds have been called in at places I work for less than that. I'm assuming you work in academia or something?

Re:Simple...

[jcostom]

what if you're using snort on gigE, over fiber-optics?

Use the right tool for the right job. In this case, switch out that fiber GBIC for a Cu GBIC and use a Cu-Gig card in the sensor.

Can be done with OpenBSD

[pagansage]

I was employed at a place that did the same thing with OpenBSD about a year ago. Our methods required knocking out IPv4 support from the kernel and recompiling it. Only then did we think it safe enough to use in the DMZ.

The main problem with this approach was grabbing the Alerts and such once you had it up and running. This was solved using a JAZ drive no one wanted. A definite kludge but it worked at the time...

Been there, done that

[Krelnik]

No offense to our open-source IDS friends, but the commercial IDS world realized this exact thing at least 5 years ago. I used to work on the network based IDS products at ISS, and we started recommending this back in 1997 (when I started working there). Here is a link (PDF) to a document that describes (among other things) running RealSecure in "stealth mode" and it dates from 1998.

Re:Been there, done that

[ericman31]

No offense to our commercial IDS friends, but their products are over-priced and underwhelming. The key in network security is not how much money you spend, or getting commercial products that the Gartner whores recommend. The key is people who understand networks and security, and products that actually do the job. And, when you go to your management and tell them you want to spend $10,000 instead of the $100,000 that the consultant said it would cost, and you point out that you can do the same, or better, job, your manager will be happy too.

Re:Been there, done that

[Krelnik]

The key is people who understand networks and security, and products that actually do the job.

In an ideal world, yes. And in such an ideal world, your brilliantly trained security experts could tweak and tweak and end up with something that probably works as good or better as the much more expensive commercial solution.

There's a slight problem.

In case you haven't noticed, we don't live in an ideal world. The facts are that: (a) there are simply not enough security-savvy people to go around, (b) those that are available can command a high price, perhaps just as high or higher than what you would spend on a commercial system and (c) frankly most companies don't want to be bothered to hassle with hiring people with such esoteric knowledge.

In this, the real world, the commercial products that you deride play a vital role for such companies.

Yes, if I was running a company I would prefer to have security expertise in house doing this. But the world is full of compromises, and frankly one very valid compromise people make is to buy commercial systems instead of hiring bodies to tweak something up with Snort.

P.S. You might want to actually try out the commercial systems you deride. I think you would find that yes, the current version of RealSecure is very expensive but in the long run it saves you money because (a) it is so heavily optimized over something like snort that you end up buying less hardware to monitor the same network and (b) you don't need as many expensive propeller-heads around to set it up and run it.

Disclaimer: Yes, I own stock in ISS, and I used to work for them. They are a good company with good products.

Re:Been there, done that

[SquadBoy]

The only reason we are using ISS at the moment is because they have certified sensors for Nokia's IPSO. If I could get a supported Snort package for my IPSO firewalls I would switch in a heartbeat. Having said that yes they are very good have good support and work as advertised. The one thing I wish is that the Linux and IPSO ports would keep up with the Windows stuff.

Re:Been there, done that

[flinxmeister]

Yep...heard this before. "we'll replace person X with a product". If a company is not going to spend the resources hiring someone who understands security, then no product in the world will help them. Security tools are (or should be) by definition tools for people who understand security. Plugging in a shiny $50k box will not protect them. These boxes, however fully featured, must have someone competent running them. And then there's this myth that you have to have some uber-geek to be a security expert. You don't need an uber-geek, you just need a competent admin who doesn't poo-poo security. The reason to purchase a commercial product over using open source products like snort and nessus should NEVER be because "our techies wouldn't understand the open source tool". If that's your reasoning, unplug that DSL connection and step away slowly. If a person can't understand a snort implementation, you're wasting your money on a commmercial product.

Re:Been there, done that

[Krelnik]

Actually the real solution to this problem in the scenario you describe is to outsource your security management. Don't buy the shiny boxes in the first place, let someone else do it and pay them a monthly fee to watch them for you.

Not coincidentally, ISS has a quite nice offering in this area as well.

Re:Been there, done that

[ericman31]

Well said, thanks. It's not that hard to become a reasonably capable security administrator.... IF you were already a capable system administrator to start with. And no, I don't mean that you can install the OS, create some users and reboot the box without consulting a manual. Medium to large organizations that have UNIX platforms they are maintaining with their own internal personnel have all the expertise on staff already to develop one or two competent security administrators. No need to go out and hire consultants or purchase shiny boxes (unless, of course, the shiny box does something you need it to do and is the cost effective choice).

Your system is not secure if someone else is in control of your security platforms (this is a perfectly valid argument for excluding any Windows product from a security role). So, if at all possible, do not rely on consultants or contractors, nor on closed source platforms.

Re:Been there, done that

[monkeydo]

So, if at all possible, do not rely on consultants or contractors, nor on closed source platforms.

What's wrong with consultants and contractors? In my experience enployees are much more likely to have a grudge against the company. There are also more likely to be incompetant since if they weren't, why would you need consultants?

Security is a very specialized field, and if you don't beleive that it's probably because you don't understand real security. Most companies can't afford to keep real dedicated security people on the payroll and so consultants fill that role very well.

Does Hogwash already do this?

[Blahbbs]

Hogwash already does this I thought.

Re:Does Hogwash already do this?

[phaktor]

Yes you can set up Hogwash to be stackles (no tcp/ip stack) and just read the raw packets over the ethernet. Hogwash is built to be a gatekeper, being placed in the middle of the stream and not just a tap from it.

Re:Snort is okay

[flinxmeister]

This is really cool. Until someone spoofs an attack from AOL, Yahoo, and Hotmail SMTP servers.

When the CEO can't get email from his daughter at college, this cool sounding autoresponse thingamajig doesn't look so smart all of a sudden.

real world advice

[stinky+wizzleteats]

If you're going to do this, make sure you put two interfaces (or use 802.1q) in the box so you can monitor it via a management network. The importance of knowing your IDS is working is more valuable than its being undetectable to intruders. Two interfaces also obviates the need for the tortured fake IP traffic syslogging mentioned in the article. Oh, and one more thing - management network != general LAN.

I didn't think you snorted acid...

[Hormonal]

I can smell blue!

Re:I didn't think you snorted acid...

[kin_korn_karn]

TASTES LIKE BURNING~!

IPCop has one

[wirefarm]

The IPCop Firewall Distro comes with snort and has an easy-to-understand web interface and a decent set of default rulesets. Unfortunately, tuning the rules cannot be done through the web interface, but you can log in and tweak with a text editor.

Cheers,
Jim

Snort is passive

[wirefarm]

All that snort does is *watch* for stuff, not prevent it - It's up to the admin to read the logs and decide then what to block, using some other tool.
If you set it up and get familiar with it, you'll see that this is a good thing, due to the nature of it - it is sometimes overly-paranoid and the level of false-positives is very high. If it blocked all of the stuff it thought was an intrusion, you'd never get too much done.
That said, I have heard of tools that use Snort to trigger the insertion of firewall rules based upon certain types of 'intrusions'.
Snort's a great learning tool, but don't think it's actually *protecting* anything.
If you don't read its logs, it's like a security camera that nobody watches...

Cheers,
Jim

You're thinking UDP, not TCP...

[wirefarm]

Since it's a *Packet* sniffer, you just need to tear open the packets to snort them - no dollar bill required.

Cheers,
Jim

Finisar Century Tap - FKA Shomiti Tap

[humanasset]

You may want to take a look at the Finisar Century Tap. There used to be a lot of information on the taps on the website when they were made by Shotmiti. Once Shomiti was bought by Finisar, a lot of the information disappeared. The tap allows you to "tap in" to a link. I have one installed between the firewall and switch. I use two interfaces, one is on the inside network for management, and the is connected to the tap in promiscuous mode without an IP address. The tap is pretty much invisible.

http://www.finisar.com/product/product.php?produ ct _id=110&product_category_id=98

Here is a PDF showing how to setup the tap with your Snort sensor. The only problem is the tap is really overpriced -- about $500. But, making a custom cable is a PITA.

Re:Finisar Century Tap - FKA Shomiti Tap

[humanasset]

Forgot the link...

http://www.snort.org/docs/100Mb_tapping1.pdf

Re:Firewall protection

[goofrider]

If a daemon listens on a port that is open for incoming internet connections (eg. Apache), firewalls can only detect DoS type attacks. Firewalls aren't virus scanners for network sockets, there's no way a firewall would be able to reject an incoming packet as it arrives that it may contain malicious data.

Your Apache log files can probly tell u a lot more about exploit attempts.