Published on

Testing SNORT – IDS rulesets

Authors
  • avatar
    Name
    Predrag TASEVSKI
    Twitter

SCENARIO

The objective of this laboratory test, scenario is to create a solution and instructions for testing an IDS^1^ systems usefulness for detecting attacks against a wordpress site. In addition, we have to develop/download/find/whatever a SNORT configuration (rulesets, preprocessors, whatever) that performs better than the default configuration in previous post. By better we mean:

  • Less false positives
  • Less false negatives
  • The objectives are contradictory so the rule of thumb is one false negative per 10 false positives eg. solution with 10 false positives and 2 false negatives is better than the solution with 100 false positives and 1 false negatives, but the solution with 10 false positives and 1 false negative is better than the solution with 1 false positive and 2 false negatives.
  • Attack is defined by a single invocation of all the test scripts in a row.

Meanwhile, the new rules have to be able to detect not only the default attacks that are set to a default snort configuration, yet they have to be able to detect SQL injection, brute force password, apache killer script, pytbull, etc. Furthermore, in figure 1 we are illustrating the scenario.

Illustration 1: Illustration of Scenario

Therefore, in the proposal section we will present two proposals that have been submitted due to this laboratory test and additionally in result section we will highlighted the identification numbers made by snort set new rules. In section appendixes we will provide you with more details configuration procedures, configuration of VM’s – Virtual Machines, attacks, etc.

Finally, closing with an conclusion and the results of best set of rules made of the proposals.

SETUP of SNORT

To setup snort in a right way, that will work for the second Host only network please following the instruction link provided with a full description and configuration of snort [SNORT2].

PROPOSALS

In total two proposals are presented in next sub-sections.

PROPOSAL 1

Add rules to your Snort. On your Snort machine:

cd /etc/snort/ruleswget https://www.tud.ttu.ee/~t061780/attacks/robert.rules

Now you have the rules, add them to your snort conf file (default /etc/snort/snort.conf). To do that insert:

include $RULE_PATH/robert.rules somewhere with rest of the rules after line 800. Run Snort and test.

PROPOSAL 2

To be able to insert the snort rules in to the snort file please double check where it is located. You can find the location with the following command: find / -name snort.conf Before you continue please change the IP address to your server address on line number #6, example alert tcp any any -) 192.168.56.X where x is your octet. Then to add the following rules at the conf file do the following command:

cat predrag.rules; snort.conf

Now it is time to start or restart snort. It should work.

RESULTS

After executing the above proposal we will highlight the results into the table bellow. Result are presented from the total amount of reports, registered alerts in the snort. This is done by help of web interface of Basic Analysis and Security Engine in addition Analysis Console for Intrusion Databases (ACID) project tool [ACID]. Therefore, the result from the proposals are highlighted below:

| Attack performed

|

Proposal number

| Baseline Total number of Alerts

| Total number of Alerts

| Unique Alerts

| | | |

| SQL injection

|

1

|

0

|

0

|

0

|

| SQL injection

|

2

|

0

|

52

|

1

|

| Pytbull – evasion

|

1

|

N/A

|

128

|

6

|

| SQL injection + nmap

| Combine both

|

N/A

|

36

|

5

|

| Pytbull

|

Combine both

|

N/A | 844 | 7 |

Table 1: Details of total report numbers of alerts made by SNORT and the different proposal rule sets. Details of the attacks conducted in the table are presented in appendixes section.

Additionally, figure 2 is presenting the pine chart of the total number alerts recognized by Snort.

Illustration 2: Total number of Alerts.

Secondly, figure 3 is representing the pine chart of total number of unique alerts recognized by Snort.

Illustration 3: Total number of Unique Alerts

CONCLUSION

From the above results we came to conclusion that the new applied rules were successful and were able to recognize alerts more then the default rule set of Snort. Meanwhile, only proposal 2 was able to recognized an SQL injections without any additional tweaking. Although proposal 1 was still useful, on the other hand the best solution is when we combine the both rule sets proposals. Then the Snort is able to recognized an significant number of total alerts and additionally for our laboratory report more interesting is unique total number alerts.

Closing, even the default Snort rules configuration is good, yet when you tweak it by your own needs, you will have much better IDS system for your network. In future it should be recommended always refer to [snort_rules], to gather more available advance Snort rules, made by experts. Where will help you to configure and setup Snort IDS system to detecting attacks against a wordpress site, etc.

APPENDIXES

Appendix 1 is the configuration of the attacker virtual machine, in more detail Blacktrack 5 distribution. Secondly, Appendix 2 is the ubuntu wordpress configuration server and additional is the configuration and setup process and refer links of IDS Snort virtual machine. Appendix 4, 5 and 6 are providing brief details about the attacks that were conducted during this laboratory test.

APPENDIX 1

  • Installation media: Black Track 5 GNOME 32bit iso image;
  • HW: Virtualbox, 1CPU 32bit, 512MB RAM, 8GB HD (dynamic allocation);
  • NIC1 NAT;
  • NIC2 host only (for ssh and http access from host);
  • Downloadable link

APPENDIX 2

  • Installation media: Ubuntu 10.04 32bit iso image;
  • HW: Virtualbox, 1CPU 32bit, 512MB RAM, 8GB HD (dynamic allocation);
  • NIC1 NAT;
  • NIC2 host only (for ssh and http access from host);
  • Language used in installation process: English and country Estonia;
  • Keyboard Layout English;
  • Hostname: pece
  • Partition methods: Guided, use entire disk
  • Username: pece
  • no http proxy
  • Default applications
sudo apt-get install lamp phpmyadminwget -c https://wordpress.org/latest.tar.gztar xvjf latest.tar.gzsudo cp wordpress /var/www/wordpresssudo nano /var/www/wordpress/wp-config.php Change the settings to your needs

APPENDIX 3

  • Installation media: Ubuntu 10.04 32bit iso image;
  • HW: Virtualbox, 1CPU 32bit, 512MB RAM, 8GB HD (dynamic allocation);
  • NIC1 NAT;
  • NIC2 host only (for ssh and http access from host);
  • Language used in installation process: English and country Estonia;
  • Keyboard Layout English;
  • Hostname: pece
  • Partition methods: Guided, use entire disk
  • Username: pece
  • no http proxy
  • Default applications
  • Snort configuration and installation refer to [SNORT1] in addition, please refer to [SNORT2].

APPENDIX 4

Here we test typical SQL- injection in URLs

Commands used:

wget "https://192.168.56.101/?p=1'%20OR%20'1'='1"wget "https://192.168.56.101/?p=1'%20AND%201=(SELECT%20COUNT(*)%20FROM%20tabname);%20—"

Snort by default does not detect this, where in applying the proposal 2 rules, it did detect.

APPENDIX 5

To test Snort and acidbase, perform a portscan of the Snort host.

sudo nmap -p1-65535 -sV -sS -O 192.168.56.102

APPENDIX 6

To setup pytbull it is a bit of pain, yet if you follow the rules and the documentation it will work like shark. For documentation please refer to [pytbull_doc].

Bibliography

[SNORT2] Nick Moore, Snort 2.8.4.1 Ubuntu 9 Installation Guide, June 2009, Link

[ACID] Basic Analysis and Security Engine, Welcome to the Basic Analysis and Security Engine (BASE) project , 2008,Link

[snort_rules] Link

[SNORT1] kat-amsterdam, SnortIDS, December 2010, Link.

[pytbull_doc] Sébastien Damaye, Official documentation for pytbull v1.3 -, 2011, Link

[1] IDS – Intrusion detection system