Snort's Place in a Windows 2000 Environment
Jon Bull - 4/15/02


1) What is Snort
2) Network Placement
3) Machine Selection
4) O/S Installation
5) Snort Installation
6) Snort Setup
7) A Maintenance Tip
8) Resources
9) Change Log

 

Preface

The target audience of this document is middle of the road administrators who may be looking for an easy to setup network intrusion detection system that won't put a dent in the IT budget. This document will introduce you to Snort.


1) What is Snort?

Snort is an opensourced, lightweight, network intrusion detection system. It makes use of an easy to learn rules system to detect and log the signatures of possible attacks. It was originally created for the *nix operating systems and has now been ported over to the Windows family of operating systems as well.

If you're a little unsure on what a network intrusion detection system does or how it works refer to the references at the end of this paper.

The reasons to choose Snort over other NIDS comes from the fact it is opensourced:

Some terms you'll likely to see in this paper:

Sensor - A sensor is the component of IDS that handles the monitoring of traffic. In the case of Snort, it's the machine with Snort installed

Signature - The sequence or contents of IP packets that are used to identify an attack.

Detect - An attack detected by a sensor.

2) Network Placement

WARNING: This section contains bad ASCII art that may not display properly, view at your own risk.

In order to monitor something, you must have access to it. NIDS is based on a promiscuous network interface card that listens to all packets on a single physical cable. If you want to monitor traffic going to multiple web servers with one sensor, you'll need to place that sensor on a length of cable that all the packets will travel through.

[ Internet ] -------(1) ------- [ Router ] -------(2) ------- [ LAN ]

(Fig 1)

On a simple LAN with no DMZ (see figure 1) there are two optimal places to locate your sensor, between the router and the Internet, and between the router and LAN. The first configuration, denoted with a (1), will detect all attacks against the network, but will not show you which attacks actually get through the router and into the LAN. The second configuration, denoted with a (2), will show you which attacks enter the LAN.

On a network with a DMZ (and bastion hosts) there are three probable locations for your sensor (see figure 2.)

[Internet] ------ (1) ------ [Router 1] --- (2) ----+--- [Router 2] ------ (3) ------ [LAN]
|
[Bastion Hosts]

(Fig 2)

This situation is more complex. These bastion hosts can offer varying types of services and run different operating systems.

If a sensor is placed in location 1 it will detect all attacks against your network.

A sensor placed at location 2 will detect all attacks that make it through your exterior router. If your looking to detect attacks against your bastion hosts this is where you'll want your sensor to be placed. This location will also detect attacks targeted at your LAN, but not give you a hint of whether the attack was successful or not.

Location 3 will detect attacks that reach your LAN, but not attacks targeting your bastion hosts.

You may have decided that location 1 sensors don't do a lot, and when all your router does is route, that may be true. If the router at location 1 is a firewall, or does any sort of packet filtering, a sensor at location 1 can be compared to a second sensor at location 2 to gauge how well of a job the exterior firewall is doing.

Determine your networks layout, what you want to monitor, and where the sensor(s) should be placed. Remember, the sensor will detect all traffic on the physical wire. A standard hub repeats everything from one port to all its other ports. A switch will look for the MAC address of the destination and switch the packet to the proper port.

Most well designed networks make use of a switch to connect a router to a LAN or bastion hosts. This is done to reduce broadcast traffic on the wire. By placing a hub between the router and the switch you create a node that will allow you to easily move your sensor and accommodate security analysis.

3) Machine Selection

The only thing worse then no information, is wrong information. Wrong information will mislead you and give a false sense of security. With this in mind you should gauge your network traffic and expectations for NIDS and build a machine accordingly.

A typical machine setup for a low traffic network can be anywhere from a 300mghz with 128mb of RAM on up. The one constant you'll always want is a fair amount of hard drive space and a 100mb network card.

Network traffic varies from site to site and even segment to segment, so my suggestion is to start out on the low end, and if you find that packet loss occurs, scale the machine up.

4) Operating System Installation

I've chosen Windows 2000 Professional for my Snort implementations for numerous reasons:

Think about how you plan on accessing your Snort logs. If you have the public IP addresses to spare, I suggest IPsec and terminal services or some other remote control software. If your not opposed to manually retrieving the log files or have no public IP addresses to spare, give the Snort machine a private IP (192.168.1.0/24) and dig out a zipdrive to copy logs to. IPSec will encrypt the packet payload of any communications you have with your Snort Sensor, but will not inhibit the sensors ability to detect attacks.

Install the standard Win2k package and lock it down like you would a normal bastion host:


5) Snort Installation

The first thing to do (perhaps even before finishing this document) is to visit Http://www.Snort.org. Read the FAQ and peruse the forums. Get yourself an idea of what you're about to attempt. The "Writing Snort Rules" by Martin Roesch will introduce you to the (very) friendly world of snort rules.

In the Downloads section you'll find the Win32 binaries of the latest version. I haven't tested the MySQL build. Silicon Defenses Michael Steele has created a document explaining the setup of Snort on Win2k Pro with MySQL. You will need to have a packet capture driver, I recommend Packet2k, installed on your snort machine (this is available in the "Tools" section of http://SecurityFocus.Net or an alternate packet capture driver is available at http://netgroup-serv.polito.it/winpcap/install/default.htm )

6) Snort Setup

Now that Snort is on your machine, its time to get the ruleset that will be used to flag attacks. Precanned rulesets will detect known attacks and provide a solid baseline. These are available at Http://www.Snort.org.

Copy the rules into a file on your hard drive. Review the switches for Snort, you'll find that you can increase the scope of your logs to not only detect, but help you reproduce exploits through the use of -C, -X and -b.

Play around with snort at first, write a rule that detects all traffic and notice the output. Modify the logging options until you are comfortable with the amount of output generated.

If you're using Snort to detect short-term threats or script kiddies then perhaps these logs are all you'll need. If you plan on doing a decent job of securing your network, you'll want to keep historical records of all your logs. I suggest Snort2HTML to hand keep logs. This use doesn't scale well however and so large outfits may look towards the MySQL.

Monitor your Snort machine daily.

7) A Maintenance Tip (or Two)

Your Snort machine is going to be logging what will most likely be a high amount of traffic. This will in turn result in fragmentation of disk drives. On the other side of the coin the longer your Snort machine is down for maintenance the bigger the gap in your security becomes. With this in mind I create three partitions when I install Win2k, System (for the o/s), Data (for programs), and Swap (for the paging file - stolen straight from the Linux play book.) The FAT32 filesystem allows for much quicker diskchecks at the cost of file level security.

I do this to limit the amount of time the Disk Keeper and Check Disk require for a partition. This will intern minimize your networks exposure and increase your sensors longevity and uptime.

Keep up with service packs and hot fixes, network security isn't a one time installation, you'll need to keep tabs on your hardware, upkeep your disk drives, check Snort to verify minimal packet loss (done with the status report Snort gives you when you stop the program) and update your rulesets.

8) Resources

Http://www.Snort.org

Http://www.SecurityFocus.net

Http://www.Sans.org

9) Change Log

4/15/02

I'd like to thank Peter B. for reminding me that I ought to spell check documents before putting them up on the net and I'd also like to thank everyone who asked questions and ignored my minor shortcomings (like grammar.)

Removed dead links like WhiteHats and one other.

HTML-ified the document (what was I thinking... Microsoft Word!?)

Spelling and grammar check.

Minor document changes.