This is my first published tutorial, so don't expect high quality :) but I expect you'll point it out if you have a note.
Part one: Building the lab
There are always many solutions, and as we say in Jordan: "all roads lead to Rome".
Snort is one of the intrusion detection and prevention systems which is available as an open source solution.
Either I did not find any tutorial (or I am a bad googler) that gives you a training environment to develop your skills in using Snort, which can help you later to protect your production environment, so I decided to write this tutorial.
In this tutorial I used the GNS3 network simulator to build a very simple environment which contains a Cisco c7200 router with two subnets: 192.168.1.0/24, which is the $HOME_NET, and 192.168.2.0/24, which is the $EXTERNAL_NET.
A CentOS web server (CentOS is one of the Linux distros) works on subnet 192.168.1.0 with the static IP address 192.168.1.8, and on the same subnet I configured the Snort IDS/IPS, which I installed on another CentOS; I installed DVWA as a PHP/MySQL web application on the web server.
I used VirtualBox to build the virtual machines, so when you download GNS3 try to install the version which supports VirtualBox, but if you like to use QEMU then nobody can say don't.
Two things you must know:
1- It is a damn vulnerable lab, DON'T connect it to the Internet, stay local.
2- Snort shall be connected with either a hub or a switch; in the case of a switch you have to know: "you must mirror the traffic of a switch port or VLAN. For this we will use the "port mirroring" mechanism, which means the switch duplicates the traffic on your chosen interface or VLAN and sends it to Snort."
So what about the hub? For me, I don't have any hub, and for sure I don't have a switch and I don't have enough money to buy one, and GNS3 does not emulate switches or hubs, since switches/hubs are data link layer... bla bla.
The solution to get mirrored traffic is to convert one of your virtual Linux machines into a hub :D.
I won't describe how to install Snort on CentOS because you'll find a very good manual in the Snort docs.
I won't describe how to install or configure the web server and DVWA, but if you did not find your way for this leave me a comment and I'll do it "InshaAllah".
Let's go now:
Q: What is the problem?
A: I want an environment to test the Snort IDS/IPS, to write and test my own rules on.
OK, the suggested solution:
- Can you get a Cisco IOS image?
- If yes, follow this solution, and if no, then just take one of your virtual machines and configure it to work as a router!
Router Configurations:
en
config t
int fa 0/0
ip address 192.168.1.1 255.255.255.0
no sh
int fa 0/1
ip address 192.168.2.1 255.255.255.0
no shut
exit
router eigrp 1
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
Ctrl+z
wr
copy running-config startup-config
Hub Configurations
1- Connect it with our c7200 router
2- Connect it with our Snort IDS/IPS
3- Connect it with another switch; for sure we're not going to span more than one switch port, which is not a good design. Even if we're using a simple design we still work locally, which means we're consuming the host resources.
Simply, let's start with the bridge:
~$brctl addbr br0
~$ vi /etc/sysconfig/network-scripts/ifcfg-br0
DEVICE=br0
TYPE=Bridge
BOOTPROTO=static
ONBOOT=yes
IPADDR=192.168.1.10
NETWORK=192.168.1.0
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
DELAY=0
~$ vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
BRIDGE=br0
~$ vi /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=static
BRIDGE=br0
~$ vi /etc/sysconfig/network-scripts/ifcfg-eth2
DEVICE=eth2
ONBOOT=yes
BOOTPROTO=static
BRIDGE=br0
~$brctl addif br0 eth0
~$brctl addif br0 eth1
~$brctl addif br0 eth2
~$ip link set br0 up
~$ip addr add 192.168.1.10/24 brd + dev br0
~$route add default gw 192.168.1.1 dev br0
~$ifconfig br0 up
~$service network restart
# setting the MAC ageing time to 0 stops the bridge from learning addresses, so it floods every frame out of all ports; this will convert the machine to work as a hub.
~$brctl setageing br0 0
~$chkconfig network on
Snort machine, some configurations:
I'll suppose that you have installed Snort on your Linux machine and you tested it to see if it works in sniffer mode, packet logger mode and IDS mode:
Test for sniffer mode:
~$snort -v -i eth0
Test for IDS mode:
~$ snort -c /etc/snort/snort.conf -A console -i eth0
Now please add another interface to the Snort machine; you'll know why we did this when we run Snort in inline mode (IPS).
The only two interfaces on your Linux Snort machine shall look like this:
~$vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=none
~$vi /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=none
Note: no IP addresses; Snort shall listen to the traffic and shall not interact with the outside world!
For our test lab you can leave the default configurations in snort.conf, or do like what I did:
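To check both pieces of the lab at once, the hub machine's bridge from the previous section and the address-less sensor interfaces just shown, here is a small POSIX shell pre-flight script. It is an added example, not part of the original tutorial. It assumes the bridge is visible under sysfs (<root>/<bridge>/bridge/ageing_time holding the MAC ageing time and <root>/<bridge>/brif/<port> existing for every enslaved port, as on a CentOS bridge) and that the sensor uses the ifcfg files shown above; the names lab_check.sh, bridge_is_hub and ifcfg_is_passive are mine.

```shell
#!/bin/sh
# lab_check.sh: pre-flight checks for the Snort lab (added example, not the tutorial's own code).
# Assumed sysfs layout: <root>/<bridge>/bridge/ageing_time holds the MAC ageing
# time, and <root>/<bridge>/brif/<port> exists for every port enslaved to the bridge.

# bridge_is_hub SYSFS_ROOT BRIDGE PORT...
# Returns 0 only when the bridge behaves like a hub: ageing time 0 (no MAC
# learning, so every frame is flooded to the Snort port too) and every expected
# port enslaved. Prints the first problem found otherwise.
bridge_is_hub() {
    if [ "$#" -lt 2 ]; then
        echo "usage: bridge_is_hub SYSFS_ROOT BRIDGE PORT..."; return 2
    fi
    root="$1"; br="$2"; shift 2
    ageing="$root/$br/bridge/ageing_time"
    if [ ! -r "$ageing" ]; then
        echo "$br: not a bridge ($ageing missing)"; return 1
    fi
    if [ "$(cat "$ageing")" != "0" ]; then
        echo "$br: ageing_time is $(cat "$ageing"), not 0; run 'brctl setageing $br 0'"
        return 1
    fi
    for port in "$@"; do
        if [ ! -e "$root/$br/brif/$port" ]; then
            echo "$br: port $port is not enslaved; run 'brctl addif $br $port'"
            return 1
        fi
    done
    return 0
}

# ifcfg_is_passive FILE
# Returns 0 when an ifcfg file describes a listen-only sensor interface:
# ONBOOT=yes, BOOTPROTO=none and no IPADDR/GATEWAY line, so the sensor never
# answers on the monitored segment.
ifcfg_is_passive() {
    f="$1"
    [ -r "$f" ] || { echo "$f: missing or unreadable"; return 1; }
    grep -q '^ONBOOT=yes' "$f" || { echo "$f: ONBOOT must be yes"; return 1; }
    grep -q '^BOOTPROTO=none' "$f" || { echo "$f: BOOTPROTO must be none"; return 1; }
    if grep -q -E '^(IPADDR|GATEWAY)=' "$f"; then
        echo "$f: a sensor interface must not carry an IP address"; return 1
    fi
    return 0
}

# Usage: sh lab_check.sh hub br0 eth0 eth1 eth2
#        sh lab_check.sh sensor /etc/sysconfig/network-scripts/ifcfg-eth0 ...
main() {
    mode="$1"; shift
    rc=0
    case "$mode" in
        hub)    bridge_is_hub /sys/class/net "$@" || rc=1 ;;
        sensor) for f in "$@"; do ifcfg_is_passive "$f" || rc=1; done ;;
        *)      echo "usage: $0 hub BRIDGE PORT... | sensor IFCFG_FILE..."; rc=2 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK"
    return "$rc"
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run the hub check on the bridge machine and the sensor check on the Snort machine; a non-zero exit with the printed hint tells you which brctl command or ifcfg line is still missing.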
~$vi /etc/snort/snort.conf
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
And in snort.conf I commented out all the default rules because I am going to write my own rules.
------------------------------------------------
This part is just a brief view of a training lab to use Snort IDS/IPS in, for people who don't want to waste their resources or don't have the required resources like routers, hubs, switches... however, I suppose that they know what I am doing here (if not, then tell me).
This is our simple network; if you notice the hub, it is not a real hub, it is just the Linux machine that we converted to work as a hub, and then I changed the symbol.
Note: GNS3 default switches cannot really mirror the traffic; it is not a full switch simulation. There is another solution for traffic spanning, but you should have a real switch to do it.
______________________________________________________________________
Finally, on the other subnet you need a connected machine (let's say BackTrack 5) to do your tests.
On the other subnet (192.168.2.0) either you'll configure a DHCP server and connect it, or for simplicity use a static IP address.
Hi,
I am using Windows 7 and installed GNS3 and Snort there. But I cannot connect Snort with GNS3, so when I am running the GNS3 application, Snort cannot track any packets there. Is there any way I can track packets from GNS3 in Snort?
Your help will be very much appreciated.
Hello David.. As I understand, what you did is installing GNS3 and Snort on the same host? If yes, then maybe this tutorial can help you:
http://www.gns3.net/documentation/gns3/connecting-gns3-to-real-networks/
However, it will be better to explain to me what topology you have built, so I can track with you what the exact issue is.