Thursday, 3 September 2020

SNORT 3.0 -Intrusion Detection System on ubuntu 20.04

Subscribe to " FACEITNET " Youtube channel for more interesting videos 

IDS using SNORT

 

Install and Configure Snort 3 on Ubuntu 20.04

 

Ubuntu comes with built in SNORT, Check the version by using the following command

apt show snort

Mostly you will see version 2.9


In order to install and configure Snort 3 on Ubuntu 20.04, you need to build it from the source.

Firstly run system package cache update

Sudo apt update

Sudo apt upgrade

Install Required Build Tools

For a successful build and installation of Snort 3 on Ubuntu 20.04, there are a number of build tools and dependencies that needs to be installed prior to the build process as outlined on the Dependencies page.

sudo apt install build-essential libpcap-dev libpcre3-dev libnet1-dev zlib1g-dev luajit hwloc libdnet-dev libdumbnet-dev bison flex liblzma-dev openssl libssl-dev pkg-config libhwloc-dev cmake cpputest libsqlite3-dev uuid-dev libcmocka-dev libnetfilter-queue-dev libmnl-dev autotools-dev libluajit-5.1-dev libunwind-dev

Download and install latest version of the Snort DAQ (Data Acquisition library) . DAQ is not available on the default Ubuntu repos and hence, you need to build and install it from the source.

mkdir snort-source-files

cd snort-source-files

git clone https://github.com/snort3/libdaq.git

Run the command again

cd libdaq

./bootstrap

./configure

make

sudo make install

 

Download and install google’s thread-caching malloc, Tcmalloc, a memory allocator optimized for high concurrency situations which will provide better speed for the trade-off of higher memory usage. This is an optional dependency but highly recommended.

 

cd ../

wget https://github.com/gperftools/gperftools/releases/download/gperftools-2.8/gperftools-2.8.tar.gz

tar xzf gperftools-2.8.tar.gz

cd gperftools-2.8/

./configure

make

sudo make install

 

 

Install Snort 3 from Source Code on Ubuntu 20.04

Now that we have all required dependencies in place, download and install Snort 3 on Ubuntu 20.04;

Clone Snort 3 Github source code;

cd ../

git clone git://github.com/snortadmin/snort3.git

Navigate to Snort 3 source directory, compile and install it;

cd snort3/

./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc

Navigate to the build directory and compile and install Snort 3 on Ubuntu 20.04;

cd build

make (this will take time to complete. Be patient)

make install

Once the installation completes, update shared libraries;

ldconfig

Verify Snort 3 Installation by checking the version;

snort -V


The above confirms that Snort 3 installation is successful and is working fine.

Configuring Snort 3 NIDS on Ubuntu 20.04

Configure Network Interface Cards

First off, put the interface on which Snort is listening for network traffic on promiscuous mode so that it can be able to see all of the network traffic sent to it rather than seeing only the traffic originating from within the Snort 3 server alone.

ip link set dev ens33 promisc on

Verify

Disable Interface Offloading to prevent Snort from truncating large packets larger than 1518 bytes. You can check if this feature is enabled;

ethtool -k ens33 | grep receive-offload ( need to install ethtool )

generic-receive-offload: on

large-receive-offload: off [fixed]

GRO is enabled while LRO is fixed and hence cannot be changed.

Then disable;

ethtool -K ens33 gro off lro off

The two NIC changes are temporary. To ensure the changes persists across system reboot, create and enable a systemd service unit to implement the changes;

sudo vim /etc/systemd/system/snort3-nic.service ( Need to install vim  - sudo apt install vim)

Add the below in the newly opened file.

[Unit]

Description=Set Snort 3 NIC in promiscuous mode and Disable GRO, LRO on boot

After=network.target

 

[Service]

Type=oneshot

ExecStart=/usr/sbin/ip link set dev ens33 promisc on

ExecStart=/usr/sbin/ethtool -K ens33 gro off lro off

TimeoutStartSec=0

RemainAfterExit=yes

[Install]

WantedBy=default.target

Reload systemd configuration settings;

systemctl daemon-reload ( Enter the password)

Start and enable the service on boot;

systemctl enable --now snort3-nic.service ( Enter the password)

 

Install Snort 3 Rulesets on Ubuntu 20.04

Rulesets is the main artery for Snorts intrusion detection engine. There are three types of Snort Rules:

·         Community Rules

·         Registered Rules

·         Subscriber Rules

In this tutorial, we will install the community Snort rules;

Create Snort Rules directory. In the /usr/local/etc/snort/snort_defaults.lua config file, the default rules path (RULE_PATH), is defined as /usr/local/etc/rules.

mkdir /usr/local/etc/rules

Download Snort 3 community rules from Snort 3 downloads page;

wget https://www.snort.org/downloads/community/snort3-community-rules.tar.gz

Extract the rules and store them on Snort rules directory;

tar xzf snort3-community-rules.tar.gz -C /usr/local/etc/rules/

ls /usr/local/etc/rules/snort3-community-rules/

AUTHORS  LICENSE  sid-msg.map  snort3-community.rules  VRT-License.txt

Now that we have the rules to get us started in place, you need to configure Snort 3. Open the main configuration file for editing;

sudo vim /usr/local/etc/snort/snort.lua

Set the networks to protect against attacks as the value for the HOME_NET variable. For simplicity, i just set this to the subnet of Snort 3 interface. The EXTERNAL_NET is anything other than our HOME_NET;i

...

-- HOME_NET and EXTERNAL_NET must be set now

-- setup the network addresses you are protecting

HOME_NET = '192.168.57.3/32'

-- set up the external network addresses.

-- (leave as "any" in most situations)

-- EXTERNAL_NET = 'any'

EXTERNAL_NET = '!$HOME_NET'

...

You can edit Snort defaults in the /usr/local/etc/snort/snort_defaults.lua configuration file.

Under IPS section, define the location to your rules;

 

ips =
{
    -- use this to enable decoder and inspector alerts
    --enable_builtin_rules = true,
 
    -- use include for rules files; be sure to set your path
    -- note that rules files can include other rules files
    include = '/usr/local/etc/rules/snort3-community-rules/snort3-community.rules'
}
...

Save and exit the configuration file. 

Create Snorts Log directory;

mkdir /var/log/snort

 

Next, run syntax checking;

snort -c /usr/local/etc/snort/snort.lua

 

Create Custom local rules for the purposes of testing our Snort setup.

vim /usr/local/etc/rules/local.rules

 

Create a rule to detect ping tests;

alert icmp any any -> $HOME_NET any (msg:"ICMP connection test"; sid:1000001; rev:1;)

 

Save and exit the local rules file. Check the syntax;

snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules

Next, run the test by executing the command below;

snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i ens33 -A alert_fast -s 65535 -k none

 

On another terminal, ping your Snort server. While the ping runs, you should see the alert lines written to standard output;

Challenge Task

 write your own rules to detect SSH, Telnet, FTP, HTTP traffic

Write a rule to detect Facebook Traffic like below

Finished.

Friday, 24 April 2020

How to type in Tamil on Apple Mac computers.

How to type in Tamil on Apple Mac computers. 


Go to System Preferences 


Then click Keyboard from System Preference. 



Then Go to Input Source tab in the menu and Click the Little + at the bottom left corner. 

Now Select Tamil from the left-hand side menu and then on the other side select Tamil Anjal and Click Add to setup the Tamil Phonetic Keyboard. 


To Type in Tamil, use the same shortcut Alt + 2. That’s all now you can type in Tamil phonetic keyboard. 
.

Http vs Https