```bash
# mkdir /etc/snort
# mkdir /var/log/snort
# cd /etc/snort
# cp /usr/local/src/snort+IPtables/snort-2.9.7.6/etc/* .   #(Note: there is a space between the period and the hash symbol)
# tar zxvf /usr/local/src/snort+IPtables/snortrules-snapshot-2976.tar.gz
# cp ./etc/* .
# touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
```
**Add a user and group for Snort**
```bash
# groupadd -g 40000 snort
# useradd snort -u 40000 -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort
# cd /etc/snort
# chown -R snort.snort *
# chown -R snort.snort /var/log/snort
```
**Modify the configuration file**
Edit `/etc/snort/snort.conf` with `vi` and make the following changes:
```bash
ipvar HOME_NET 10.1.1.0/24 #(For this experiment, this is the IP range)
ipvar EXTERNAL_NET any
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } #(Detect port scans; uncomment this line to enable detection. Use nmap to scan and observe the logs.)
include $PREPROC_RULE_PATH/preprocessor.rules #(Uncomment this line)
include $PREPROC_RULE_PATH/decoder.rules #(Uncomment this line)
include $PREPROC_RULE_PATH/sensitive-data.rules #(Uncomment this line)
```
**Create a symbolic link for Snort in another location**
```bash
# ln -s /usr/local/bin/snort /usr/sbin/snort
```
**Modify permissions for Snort and DAQ directories/files**
```bash
# cd /usr/local/src/snort+IPtables
# chown -R snort.snort daq-2.0.6
# chmod -R 700 daq-2.0.6
# chown -R snort.snort snort-2.9.7.6
# chmod -R 700 snort-2.9.7.6
# cd /usr/local/src/
# chown -R snort.snort snort_dynamicsrc
# chmod -R 700 snort_dynamicsrc
# cd /var/log
# chown -R snort.snort snort
# chmod -R 700 snort
# cd /usr/local/bin
# chown -R snort.snort daq-modules-config
# chmod -R 700 daq-modules-config
# chown -R snort.snort u2*
# chmod -R 700 u2*
# cd /etc
# chown -R snort.snort snort
# chmod -R 700 snort
```
**Configure dynamic rules**
```bash
# mkdir -p /usr/local/lib/snort_dynamicrules
# cp /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9*/*.so /usr/local/lib/snort_dynamicrules   #(For a 64-bit system)
```
For a 32-bit system:
```bash
# cp /etc/snort/so_rules/precompiled/RHEL-6-0/i386/2.9*/*.so /usr/local/lib/snort_dynamicrules/
# cd /usr/local/lib
# chown -R snort.snort snort*
# chmod -R 700 snort*
# chown -R snort.snort pkgconfig
# chmod -R 700 pkgconfig
```
**Export dynamic rule files**
```bash
# snort -c /etc/snort/snort.conf --dump-dynamic-rules=/etc/snort/so_rules
```
If an error occurs, it is likely due to importing rule files that do not match the system architecture.
**Set alert file permissions**
```bash
# touch /var/log/snort/alert
# cd /var/log/snort
# chown snort.snort alert
# chmod 700 alert
```
**Check for configuration errors**
```bash
# snort -T -c /etc/snort/snort.conf -i eth0
```
**Start Snort**
```bash
# snort -c /etc/snort/snort.conf -i eth0
```
**Stop Snort**
```bash
# ps -ef | grep snort
# kill -9 <PID>   # PID of the snort process found above
```
Step 2: Install and Configure Guardian
**Installation and Configuration**
```bash
# cd /usr/local/src/snort+IPtables
# tar zxvf guardian-1.7.tar.gz
# cd guardian-1.7
# touch /etc/snort/guardian.ignore
# touch /etc/snort/guardian.target
# touch /var/log/snort/guardian.log
# cp guardian.pl /usr/local/bin/
# cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
# cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh
# cp guardian.conf /etc/snort
```
**Edit the Guardian configuration file**
Edit `/etc/snort/guardian.conf` with `vi`:
```bash
Interface eth0
LogFile /var/log/snort/guardian.log
AlertFile /var/log/snort/alert          # Location of the alert file
IgnoreFile /etc/snort/guardian.ignore   # Whitelist
TargetFile /etc/snort/guardian.target   # Blacklist
TimeLimit 120                           # Blocking time in seconds
```
**Start Guardian**
```bash
# /usr/bin/perl /usr/local/bin/guardian.pl -c /etc/snort/guardian.conf
```
**Stop Guardian**
```bash
# ps -ef | grep guardian
# kill -9 <PID>   # PID of the guardian.pl process found above
```
Step 3: Integration Testing
**Snort and Local iptables Integration**
**Test if rules are loaded**
Edit `/etc/snort/rules/local.rules` and add the following rules:
```bash
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"OUT"; sid:5000005;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IN"; sid:5000006;)
```
**Explanation:** These rules alert on all TCP traffic between the external and internal networks. This is used to test if your `snort.conf` configuration is correct.
**Start Snort and check for alerts**
```bash
# snort -c /etc/snort/snort.conf -i eth0
# cd /var/log/snort
# tail -f alert
```
If you see logs, the `snort.conf` configuration is correct. Otherwise, check the configuration file and directory/file permissions.
**Integration Testing**
If the previous test was successful, remove or comment out the two rules you added in `/etc/snort/rules/local.rules`:
```bash
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"OUT"; sid:5000005;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IN"; sid:5000006;)
```
**Testing with X-Scan**
1. Log in to another Windows testing machine (Note: Scanning from the same machine may lock you out of the Snort host).
2. Download and extract [X-Scan](http://tools.hetianlab.com/tools/X-Scan-v3.3-cn.rar).
3. Open X-Scan and configure the scanning parameters:
   - Set the target IP range to the Snort host's IP address.
   - In "Global Settings," select "All" under "Scanning Modules."
   - Enable all options in "SNMP Settings," "NETBIOS Settings," and "Vulnerability Detection Scripts."
4. Start the scan.
**Check for alerts**
```bash
# cd /var/log/snort
# tail -f alert
```
If alerts are logged, start Guardian to integrate with iptables:
```bash
# /usr/bin/perl /usr/local/bin/guardian.pl -c /etc/snort/guardian.conf
```
**Verify iptables rules**
```bash
# iptables -L
```
If new rules are added, the integration is successful. The `iptables_block.sh` script is executed, and the new rules can be seen using `iptables -L`. At this point, single-host firewall integration is complete.
Extended Consideration: Snort Integration with Other Hosts or Routers
**Idea 1:** Install Snort on a host with two network interfaces, bridge the interfaces to operate in transparent mode, and deploy Snort inline behind the network's gateway router. This allows monitoring of all internal network traffic and enables local firewall integration for IPS functionality.

**Idea 2:** Write a script to implement the following functionality: extract alerts from the log files related to other hosts, generate a corresponding firewall rule script for each alert, and store these scripts locally. Then, use the script to log in to the target host, connect to the Snort host, download the rule script, and execute it to achieve coordinated functionality. The drawback of this implementation is that it cannot achieve real-time response, and the coordination depends on too many external factors.
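The first half of Idea 2 (pulling attacker addresses out of the alert file and writing one firewall rule script per attacker, with the whitelist honoured), as an added example that is not part of the lab or of Guardian; it assumes Snort's default full alert layout as written to `/var/log/snort/alert`, a one-IP-per-line whitelist like `guardian.ignore`, and `HOME_NET 10.1.1.0/24` as set in `snort.conf` above. The sample alert file is constructed, not a real capture.

```bash
#!/bin/sh
# Added example (not the lab's or Guardian's code): turn Snort full-format alerts into
# one iptables block script per external source, skipping whitelisted hosts, so the
# scripts can be stored locally and fetched by other hosts. Assumes HOME_NET 10.1.1.0/24.
HOME_NET="10.1.1"   # first three octets; sources inside HOME_NET are never blocked

# extract_attackers ALERTFILE IGNOREFILE: print each external source IP once.
extract_attackers() {
    awk -v home="$HOME_NET" '
        # alert header line: MM/DD-HH:MM:SS.usec SRC[:PORT] -> DST[:PORT]
        $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(:[0-9]+)?$/ && $3 == "->" {
            src = $2; sub(/:[0-9]+$/, "", src); split(src, o, ".")
            if (o[1] "." o[2] "." o[3] != home) print src
        }' "$1" | sort -u | grep -vxF -f "$2"
}

# write_block_scripts ALERTFILE IGNOREFILE OUTDIR: one OUTDIR/block_<ip>.sh per
# attacker (same rule shape as a single-host guardian_block.sh); echoes the count.
write_block_scripts() {
    mkdir -p "$3"; n=0
    for ip in $(extract_attackers "$1" "$2"); do
        f="$3/block_$ip.sh"
        printf '#!/bin/sh\n# generated from Snort alerts at %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$f"
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip" >> "$f"
        chmod 700 "$f"; n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample alert file: two alerts from 192.168.1.50, one portscan alert from
# whitelisted 172.16.0.9, and one OUT alert whose source is inside HOME_NET.
WORK=$(mktemp -d)
cat > "$WORK/alert" <<'EOF'
[**] [1:5000006:0] IN [**]
08/21-10:15:32.123456 192.168.1.50:4444 -> 10.1.1.5:22
TCP TTL:64 TOS:0x0 ID:1234 IpLen:20 DgmLen:60 DF
[**] [1:5000006:0] IN [**]
08/21-10:15:33.000001 192.168.1.50:4445 -> 10.1.1.5:23
TCP TTL:64 TOS:0x0 ID:1235 IpLen:20 DgmLen:60 DF
[**] [122:1:0] (portscan) TCP Portscan [**]
08/21-10:15:40.500000 172.16.0.9 -> 10.1.1.5
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:158
[**] [1:5000005:0] OUT [**]
08/21-10:15:41.000000 10.1.1.5:22 -> 192.168.1.50:4444
TCP TTL:64 TOS:0x0 ID:9 IpLen:20 DgmLen:52 DF
EOF
echo 172.16.0.9 > "$WORK/guardian.ignore"
write_block_scripts "$WORK/alert" "$WORK/guardian.ignore" "$WORK/rules"   # prints 1
```

Only `192.168.1.50` produces a script: the duplicate alert is collapsed by `sort -u`, the whitelisted scanner is dropped by `grep -f`, and the OUT alert is skipped because its source is inside HOME_NET.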
3.4 Experimental Results Summary
Analyze the experimental results, complete the reflection questions, summarize the insights gained from the experiment, and propose suggestions for improvement.
1. Please refer to relevant materials to understand the SnortSam plugin, analyze, and briefly describe the advantages and disadvantages of SnortSam and Guardian.
2. What do you think are the shortcomings of the coordination method used by SnortSam and Guardian?
Takeaway: Security is moving toward integration, and the collaborative coordination of security products is the direction of the future.