Monday, May 28, 2012

Using Snort IDS/IPS for web applications protection part I

This is my first published tutorial, so don't expect high quality :) but I do expect you to point out anything you notice.

Part one: Building the lab

There are always many solutions, or as we say in Jordan: "all roads lead to Rome".

Snort is an intrusion detection and prevention system (IDS/IPS) that is available as an open source solution.

Either I did not find any tutorial (or I am a bad googler) that gives you a training environment to develop your Snort skills, which can help you later to protect your production environment, so I decided to write this one.

In this tutorial I used the GNS3 network simulator to build a very simple environment: a Cisco c7200 router with two subnets, 192.168.1.0/24 (this is $HOME_NET) and 192.168.2.0/24 (this is $EXTERNAL_NET).

A CentOS web server (one of the Linux distros) sits on the 192.168.1.0 subnet with the static IP address 192.168.1.8. On the same subnet I configured the Snort IDS/IPS, installed on another CentOS machine, and on the web server I installed DVWA as the PHP/MySQL web application to attack.

I used VirtualBox to build the virtual machines, so when you download GNS3 try to install the version that supports VirtualBox, but if you prefer QEMU nobody can say "don't".


Two things you must know:

1- It is a damn vulnerable lab: DON'T connect it to the Internet, stay local.

2- Snort must be connected to either a hub or a switch. In the case of a switch you have to know: "you must mirror the traffic of a switch port or VLAN. For this we will use the 'port mirroring' mechanism, which means the switch duplicates the traffic on your chosen interface or VLAN and sends it to Snort."

So what about the hub? I don't have a hub, I certainly don't have a switch or enough money to buy one, and GNS3 does not emulate real switches or hubs (they are data link layer devices, and GNS3's built-in switch is not a full simulation).

The solution for getting mirrored traffic is to convert one of your virtual Linux machines into a hub :D
I won't describe how to install Snort on CentOS because you'll find a very good manual in the Snort documentation.
I won't describe how to install or configure the web server and DVWA either, but if you can't find your way, leave me a comment and I'll do it, InshaAllah.
 
Lets go now:


Q: What is the problem?
A: I want an environment to test the Snort IDS/IPS in, to write my own rules and test them.

OK, the suggested solution:

- Can you get a Cisco IOS image?
- If yes, follow this solution. If no, just take one of your virtual machines and configure it to work as a router (two NICs, one in each subnet, with IP forwarding enabled).

Router Configurations:

en
config t
! inside interface, the $HOME_NET side
int fa 0/0
ip address 192.168.1.1 255.255.255.0
no shut

! outside interface, the $EXTERNAL_NET (attacker) side
int fa 0/1
ip address 192.168.2.1 255.255.255.0
no shut
exit

! both subnets are directly connected, so the router already routes between
! them; EIGRP is not strictly needed here but does no harm
router eigrp 1
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255

Ctrl+z
! save the running config so it survives a reload ("wr" is the short form
! of the same command, so you only need one of them)
copy running-config startup-config

Hub Configurations


The hub needs three NICs:

1- one connected to our c7200 router

2- one connected to our Snort IDS/IPS

3- one connected to the switch the web server sits on. We are only going to span a single switch port; even in a simple design, spanning more is not good practice, and since we work locally every extra port costs host resources.

Let's start with the bridge. With TYPE=Bridge in the bridge's ifcfg file and BRIDGE=br0 in each slave's, the CentOS network scripts create br0 and attach the three NICs themselves when the network service restarts; the brctl/ip commands further down are the manual equivalent if you want to do it by hand first.

~$ vi /etc/sysconfig/network-scripts/ifcfg-br0

DEVICE=br0
TYPE=Bridge
BOOTPROTO=static
ONBOOT=yes
IPADDR=192.168.1.10
NETWORK=192.168.1.0
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
DELAY=0

~$ vi /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
ONBOOT=yes
BOOTPROTO=none
BRIDGE=br0

~$ vi /etc/sysconfig/network-scripts/ifcfg-eth1

DEVICE=eth1
ONBOOT=yes
BOOTPROTO=none
BRIDGE=br0

~$ vi /etc/sysconfig/network-scripts/ifcfg-eth2

DEVICE=eth2
ONBOOT=yes
BOOTPROTO=none
BRIDGE=br0

Manual equivalent of the files above (not needed once they are in place):

~$ brctl addbr br0
~$ brctl addif br0 eth0
~$ brctl addif br0 eth1
~$ brctl addif br0 eth2
~$ ip link set br0 up
~$ ip addr add 192.168.1.10/24 brd + dev br0
~$ route add default gw 192.168.1.1 dev br0

Restart the network and make sure it starts on boot:

~$ service network restart
~$ chkconfig network on

# this converts the bridge into a hub: with an ageing time of 0 the bridge
# never remembers which port a MAC address lives behind, so every frame is
# flooded out of all ports, including the one Snort listens on.
~$ brctl setageing br0 0

Note that the bridge is recreated with its default ageing time whenever the network service restarts or the machine boots, so put that last line in /etc/rc.local as well. The 192.168.1.10 address is only there for managing the hub machine; nothing in the lab needs to talk to it.
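The whole hub procedure as one script, added here as an example and not part of the original post. It assumes the names used above (br0, slaves eth0 to eth2, management address 192.168.1.10/24, gateway 192.168.1.1) and a CentOS 6 style /etc/sysconfig/network-scripts layout; it writes the ifcfg files, restarts the network service, sets the ageing time to 0 so the bridge floods every frame like a hub, repeats that setting from /etc/rc.d/rc.local so it survives a reboot, and includes a check you can run afterwards:

```shell
#!/bin/sh
# Added example (not from the original post): build the "Linux hub" for the lab.
# Assumptions (mine): CentOS 6 style ifcfg files, bridge br0 with slaves eth0
# eth1 eth2, management address 192.168.1.10/24 and gateway 192.168.1.1.
# Run as root:  sh make_hub.sh apply   and later   sh make_hub.sh verify
# Without an argument it only prints the files and commands it would use.

BRIDGE=${BRIDGE:-br0}
SLAVES=${SLAVES:-"eth0 eth1 eth2"}
MGMT_IP=${MGMT_IP:-192.168.1.10}
NETMASK=${NETMASK:-255.255.255.0}
GATEWAY=${GATEWAY:-192.168.1.1}
NETDIR=${NETDIR:-/etc/sysconfig/network-scripts}
RC_LOCAL=${RC_LOCAL:-/etc/rc.d/rc.local}

# ifcfg for the bridge itself; it carries the only IP address of the box
bridge_ifcfg() {
  cat <<EOF
DEVICE=$BRIDGE
TYPE=Bridge
BOOTPROTO=static
ONBOOT=yes
IPADDR=$MGMT_IP
NETMASK=$NETMASK
GATEWAY=$GATEWAY
DELAY=0
EOF
}

# ifcfg for a slave NIC ($1): no address, just membership of the bridge
slave_ifcfg() {
  cat <<EOF
DEVICE=$1
ONBOOT=yes
BOOTPROTO=none
BRIDGE=$BRIDGE
EOF
}

# What turns a learning bridge into a hub: ageing 0 means a learned MAC
# expires immediately, so every frame is flooded out of every port and the
# Snort port sees the web server's traffic. STP stays off so no port is
# ever put into blocking state.
hub_commands() {
  cat <<EOF
brctl stp $BRIDGE off
brctl setageing $BRIDGE 0
EOF
}

apply_hub() {
  bridge_ifcfg > "$NETDIR/ifcfg-$BRIDGE"
  for s in $SLAVES; do
    slave_ifcfg "$s" > "$NETDIR/ifcfg-$s"
  done
  chkconfig network on
  service network restart
  hub_commands | sh -e
  # the bridge comes back with the default ageing time after every network
  # restart or boot, so repeat the two brctl lines from rc.local
  hub_commands >> "$RC_LOCAL"
}

# Check: every slave is enslaved and the ageing time really is zero
verify_hub() {
  for s in $SLAVES; do
    [ -d "/sys/class/net/$BRIDGE/brif/$s" ] || { echo "$s is not in $BRIDGE"; return 1; }
  done
  # sysfs reports the ageing time in hundredths of a second; 0 = hub behaviour
  [ "$(cat "/sys/class/net/$BRIDGE/bridge/ageing_time")" -eq 0 ] \
    || { echo "ageing time of $BRIDGE is not 0"; return 1; }
  echo "$BRIDGE behaves as a hub"
}

case "${1:-}" in
  apply)  apply_hub ;;
  verify) verify_hub ;;
  *)      bridge_ifcfg; for s in $SLAVES; do slave_ifcfg "$s"; done; hub_commands ;;
esac
```

After `apply`, run `verify` and then confirm on the Snort machine with `tcpdump -ni eth0 host 192.168.1.8` while you browse DVWA from the attacker box; if the bridge were still learning MAC addresses you would only see broadcasts and ARP there.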


Snort machine configuration


I'll assume that you have installed Snort on your Linux machine and tested that it works in sniffer mode, packet logger mode and IDS mode:

Test for sniffer mode:

~$ snort -v -i eth0

Test for IDS mode:

~$ snort -c /etc/snort/snort.conf -A console -i eth0



Now please add a second interface to the Snort machine; you'll see why when we run Snort in inline mode (IPS), where traffic is passed between a pair of interfaces instead of only being observed on one.

The only two interfaces on your Linux Snort machine should look like this:


~$ vi /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
ONBOOT=yes
BOOTPROTO=none



~$ vi /etc/sysconfig/network-scripts/ifcfg-eth1

DEVICE=eth1
ONBOOT=yes
BOOTPROTO=none

Note: no IP addresses. Snort shall only listen to the traffic and shall not interact with the outside world! Snort puts the interface into promiscuous mode itself when it starts; the interface only has to be up.

For our test lab you can leave the default configuration in snort.conf, or do what I did:
~$ vi /etc/snort/snort.conf

ipvar HOME_NET 192.168.1.0/24

ipvar EXTERNAL_NET !$HOME_NET

Also in snort.conf I commented out all the default rules, because I am going to write my own.
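A quick end-to-end check that the lab delivers traffic to the sensor before any real rules are written, added here as an example and not taken from the post: a one-line local rule that fires on any HTTP GET from outside $HOME_NET to port 80 on a $HOME_NET host, a small lint of the rule's mandatory options (msg, sid, rev, and a sid of 1000000 or higher so it never collides with the distributed rule sets), and the commands to validate snort.conf and start the sensor. It assumes a Snort 2.9 layout in which /etc/snort/snort.conf still includes $RULE_PATH/local.rules (the stock config does) and the HOME_NET / EXTERNAL_NET values shown above; the rule name, sid and file paths are my choices.

```shell
#!/bin/sh
# Added example (not from the original post): smoke-test rule for the lab.
# Assumptions (mine): Snort 2.9, /etc/snort/snort.conf includes
# $RULE_PATH/local.rules, HOME_NET 192.168.1.0/24, sensor sniffing on eth0.
# Usage (as root on the Snort box):  sh smoke.sh install   then   sh smoke.sh run
# Without an argument it only lints and prints the rule.

RULES=${RULES:-/etc/snort/rules/local.rules}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
IFACE=${IFACE:-eth0}

# The rule: established TCP session from outside HOME_NET to port 80 on a
# HOME_NET host whose payload starts with "GET ". flow:to_server,established
# keeps it from firing on the server's replies or on stray SYN scans;
# sid 1000001 is in the range reserved for locally written rules.
smoke_rule() {
  printf '%s\n' \
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LAB smoke test - HTTP GET to web server"; flow:to_server,established; content:"GET "; depth:4; sid:1000001; rev:1;)'
}

# Minimal lint for one rule line: a known action and protocol, msg, sid and
# rev present, and a sid that will not collide with VRT/ET rules (>= 1000000).
check_rule() {
  rule=$1
  case "$rule" in
    "alert tcp "*|"alert udp "*|"alert icmp "*|"alert ip "*|"drop "*|"log "*|"pass "*) ;;
    *) echo "bad action/protocol"; return 1 ;;
  esac
  printf '%s' "$rule" | grep -q 'msg:"[^"]*";' || { echo "missing msg"; return 1; }
  printf '%s' "$rule" | grep -q 'rev:[0-9][0-9]*;' || { echo "missing rev"; return 1; }
  sid=$(printf '%s' "$rule" | sed -n 's/.*sid:\([0-9][0-9]*\);.*/\1/p')
  [ -n "$sid" ] || { echo "missing sid"; return 1; }
  [ "$sid" -ge 1000000 ] || { echo "sid $sid is inside the reserved range"; return 1; }
  return 0
}

install_rule() {
  smoke_rule | tee -a "$RULES"
  # -T: parse the config and every rule file, report errors, exit without sniffing
  snort -T -c "$SNORT_CONF"
}

run_sensor() {
  # alerts on the console; from the attacker box then run: curl http://192.168.1.8/
  snort -c "$SNORT_CONF" -A console -i "$IFACE"
}

case "${1:-}" in
  install) check_rule "$(smoke_rule)" && install_rule ;;
  run)     run_sensor ;;
  *)       check_rule "$(smoke_rule)" && smoke_rule ;;
esac
```

If `snort -T` passes but no alert appears when you fetch a DVWA page from the 192.168.2.0 side, the problem is the hub (the sensor port is not receiving the server's traffic), not the rule; a plain `snort -v -i eth0` on the sensor shows whether the HTTP packets arrive at all.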


------------------------------------------------
This part is just a brief view of a training lab for using Snort IDS/IPS, for people who don't want to waste their resources or don't have the required resources like routers, hubs and switches. I assume they know what I'm doing here (if not, tell me).
This is our simple network. If you notice the hub, it is not a real hub; it is just the Linux machine that we converted to work as a hub, and then I changed the symbol.

Note: GNS3's default switches cannot really mirror traffic; they are not a full switch simulation. There is another solution for traffic spanning, but you need a real switch to do it.

______________________________________________________________________


Finally, on the other subnet you need a connected machine (let's say BackTrack 5) to do your tests.

On the other subnet (192.168.2.0) either configure a DHCP server and connect it, or for simplicity use a static IP address.

4 comments:

  2. Hi,

    I am using Windows 7 and installed GNS3 and Snort there. But I cannot connect Snort with GNS3, so when I am running the GNS3 application, Snort cannot track any packets there. Is there any way I can track packets from GNS3 in Snort?

    Your help will be very much appreciated.

    Replies
    1. Hello David. As I understand it, what you did is install GNS3 and Snort on the same host? If yes, then maybe this tutorial can help you:
      http://www.gns3.net/documentation/gns3/connecting-gns3-to-real-networks/

      However, it will be better to explain to me what topology you have built, so I can track with you what the exact issue is.