Now that I have finished my LPIC-2 certification, I am going to work on some security stuff. One of the things I wanted to learn more about was the IDS Snort. It is an open source IDS (Intrusion Detection System) and very popular, so I figured it would be worthwhile to learn. In order to utilize Snort to its fullest on your network, it requires some pre-work before you put your Snort instance out there to do its thing. This blog post will cover the simplest of the setups, where you are concerned with monitoring one network that has one ingress and egress point.
Prerequisite #1:
The first and most important thing you need to do is to mirror traffic at a point such as where your firewall or router enters the network infrastructure. In my case I have an AT&T router that connects to the AT&T fiber network and is then plugged into port 8 on my Aruba switch. I have an access point plugged into port 7, and to ensure I am catching everything I want to mirror all the traffic from port 7 and port 8 to a third port (in my case port 1 on my Aruba switch).
Before I got the Aruba Instant On I had a cheap but surprisingly good switch from Zyxel that was capable of port mirroring and super easy to set up. I have included a screenshot of the page where you do it in the switch management web interface. Just go to the Mirroring tab; you can see here I have all traffic inbound and outbound from ports 1-4 being mirrored to port 5, which is the monitor port.
It is slightly more involved with the Aruba but still very straightforward; below are some shots of the setup from my Instant On Portal. Just go to the Tools tab to set up mirroring, and when you're done go to the Ports tab and you should see the directional arrows on the port the traffic is being mirrored to.
The point here is that just plugging Snort into a switch port isn't going to be very useful, because a switch forwards frames based on the destination layer 2 (MAC) address to the specific port they are destined for. The only traffic Snort would see is traffic bound for the device it's installed on. You will definitely need a switch or a firewall that can mirror traffic to a port for your installation to be an effective IDS.
Prerequisite #2:
The device you use for your Snort machine has to have 2 network interface cards. I decided to use a Raspberry Pi running Ubuntu, with Snort using the ethernet connection (plugged into port 1 of my switch) and me accessing the Snort Pi over the wireless interface. I don't see this working any other way: you have to have 2 interfaces, one to access the device and the other to do the actual traffic monitoring. I have the wireless interface using a static IP so I can SSH into the device, and the ethernet card is up and in promiscuous mode without an IP (this is how I have it set up with the Aruba; with the Zyxel it was configured with a DHCP address in promiscuous mode and working fine, but the Aruba did not like that at all).
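A quick way to confirm the Pi matches this two-interface layout before starting Snort is to read the interface state from iproute2 and check that the monitor port is up, promiscuous and has no IPv4 address while the management port does. This is an added example, not code from the post; it assumes a Linux box with `ip -j addr show` available, and the names eth0 (monitor) and wlan0 (management) are placeholders.

```python
"""Pre-flight check for the two-interface Snort sensor layout described above.

Assumptions (not from the post): Linux with iproute2 so `ip -j addr show` emits
JSON; eth0 = monitor port on the switch mirror, wlan0 = management (SSH) port.
"""
import json
import subprocess

# Constructed sample of `ip -j addr show` output, trimmed to the fields used.
SAMPLE_IP_JSON = json.dumps([
    {"ifname": "lo", "flags": ["LOOPBACK", "UP", "LOWER_UP"],
     "addr_info": [{"family": "inet", "local": "127.0.0.1", "prefixlen": 8}]},
    {"ifname": "eth0", "flags": ["BROADCAST", "MULTICAST", "PROMISC", "UP", "LOWER_UP"],
     "addr_info": []},
    {"ifname": "wlan0", "flags": ["BROADCAST", "MULTICAST", "UP", "LOWER_UP"],
     "addr_info": [{"family": "inet", "local": "192.168.1.50", "prefixlen": 24}]},
])


def check_sensor(ip_json, monitor="eth0", mgmt="wlan0"):
    """Return a list of problems; an empty list means the layout matches the post."""
    links = {link["ifname"]: link for link in json.loads(ip_json)}
    problems = []
    mon = links.get(monitor)
    if mon is None:
        problems.append(f"{monitor}: interface not found")
    else:
        if "UP" not in mon["flags"]:
            problems.append(f"{monitor}: not UP")
        if "PROMISC" not in mon["flags"]:
            # Without promiscuous mode the NIC drops mirrored frames not addressed to it.
            problems.append(f"{monitor}: promiscuous mode is off; Snort will only see its own frames")
        ipv4 = [a["local"] for a in mon.get("addr_info", []) if a["family"] == "inet"]
        if ipv4:
            problems.append(f"{monitor}: has IPv4 address {ipv4[0]}; monitor port should carry no IP")
    mg = links.get(mgmt)
    if mg is None or "UP" not in mg["flags"]:
        problems.append(f"{mgmt}: management interface missing or down")
    elif not any(a["family"] == "inet" for a in mg.get("addr_info", [])):
        problems.append(f"{mgmt}: no IPv4 address, so SSH access will not work")
    return problems


def check_live(monitor="eth0", mgmt="wlan0"):
    """Run the same check against this host (needs iproute2 on the PATH)."""
    out = subprocess.run(["ip", "-j", "addr", "show"],
                         capture_output=True, text=True, check=True).stdout
    return check_sensor(out, monitor, mgmt)


if __name__ == "__main__":
    for line in check_sensor(SAMPLE_IP_JSON) or ["sensor layout OK"]:
        print(line)
```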
In the next post we'll install Snort, I will show you how the Pi is set up, and I'll show you that Snort is working using a simple nmap Xmas scan. Stay tuned!
Rob