
Making Linux an IPS device using SNORT

Prerequisites

To get the most from this article, you should have basic knowledge of SNORT and Linux, and a working Linux system on which you can practice the commands covered here. You should also have some networking knowledge, such as TCP/IP and iptables.

What Is IPS (Intrusion Prevention System)?

An Intrusion Detection System (IDS) is a device that monitors packets on your network and reports attack behaviour based on the security rules and signatures applied to it. However, an IDS has certain disadvantages: a high false positive rate, and no way to stop a Denial of Service (DoS) attack or intrusions carried over UDP.
An Intrusion Prevention System (IPS), on the other hand, not only has the abilities of an IDS but can also drop malicious packets and close connection sessions to stop further attacks. An IPS achieves real-time interdiction by being deployed in-line in the network topology: it analyzes all network traffic passing through the system and takes action on suspicious packets immediately.

Network deployment method of IDS and IPS

Because of the differences between IDS and IPS, each system is deployed according to its characteristics.
An IDS usually plays a monitoring role. It must be able to sniff the traffic it is interested in without compromising the overall network throughput. The following figure illustrates the typical way of deploying an IDS device on a network.
[Figure: typical IDS deployment]
An IPS, on the other hand, must take immediate action on suspicious packets. Its deployment has to let the IPS look at each packet and deal with suspicious ones in real time. Typically this is achieved by making all traffic pass through the IPS, the so-called in-line deployment.
[Figure: typical in-line IPS deployment]

SNORT on Linux to Act as an IPS – The Idea behind It

Generally, SNORT is sophisticated IDS software that monitors network traffic to detect and analyze attacking behaviour according to predefined rules. SNORT sends alerts to the network administrator when attacks or abnormal network activities are detected. However, in that role the system is limited to passive monitoring; any protective action must rely on the administrator's response.
Though SNORT is commonly used as an IDS, it has some enhanced capabilities that can turn it into an IPS. This article mainly illustrates how SNORT can act as an IPS device.
With the following settings, SNORT becomes an IPS that takes immediate action on suspicious traffic.
  • Network deployment method
    • In-line deployment: inline deployment enables SNORT to look at each packet and deal with suspicious packets directly
  • Advanced network configuration
    • iptables
  • SNORT mode configuration
    • inline mode
  • SNORT rule actions
    • drop/reject/sdrop

The Actual Implementation – Lab Exercise

We are going to implement a basic IPS box step by step in this lab. This box has two interfaces acting as one inline segment and is connected between host A and host B; the following figure shows the topology. We will then send some packets from host A to host B to see whether part of them are dropped as we expect.
[Figure: lab topology, host A connected to host B through the two-interface IPS box]

Configure and run SNORT in inline mode

Please refer to the following article to see how to install SNORT: http://www.ibm.com/developerworks/web/library/wa-snort1/
Add the following rule set to /etc/snort/rules/snort.rules. It drops TCP packets whose destination is port 23 and allows any other packet:
drop tcp any any -> any 23 (msg: "Drop telnet packets"; sid: 1000001)
pass ip any any -> any any
Edit /etc/snort/my-snort.conf as follows:
config daq_dir: /usr/lib64/daq
config daq: nfq
config daq_mode: inline
config policy_mode: inline
output alert_full: stdout
include /etc/snort/rules/snort.rules
Run SNORT with the following command line options:
$ snort -c /etc/snort/my-snort.conf -Q --alert-before-pass
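Why the command line includes --alert-before-pass: Snort 2 applies pass rules before drop rules by default, so with the catch-all pass rule in snort.rules the telnet SYN would be forwarded unless the order is changed. The toy model below is an added example, not Snort code and not from the article; it parses only the two rule headers above, and Packet is a constructed stand-in for a decoded packet.

```python
"""Toy model of Snort 2 rule-action ordering, added to show why the snort
command above needs --alert-before-pass. This is not Snort code: it only
parses the rule header (action proto src sport -> dst dport)."""
import re
from collections import namedtuple

Packet = namedtuple("Packet", "proto dport")  # constructed for the example

# The two rules from snort.rules.
RULES = [
    'drop tcp any any -> any 23 (msg: "Drop telnet packets"; sid: 1000001)',
    "pass ip any any -> any any",
]

# Snort 2 applies rule actions group by group. The default order puts pass
# first; --alert-before-pass moves drop/sdrop/reject/alert ahead of pass.
DEFAULT_ORDER = ["pass", "drop", "sdrop", "reject", "alert", "log"]
ALERT_BEFORE_PASS_ORDER = ["drop", "sdrop", "reject", "alert", "pass", "log"]

HEADER = re.compile(r"^(\w+)\s+(\w+)\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)")

def parse_rule(text):
    """Return (action, protocol, destination port) from a rule header."""
    return HEADER.match(text).groups()

def matches(rule, pkt):
    _, proto, dport = rule
    proto_ok = proto == "ip" or proto == pkt.proto
    port_ok = dport == "any" or dport == str(pkt.dport)
    return proto_ok and port_ok

def verdict(pkt, alert_before_pass):
    """First matching rule in the active action order decides the packet."""
    order = ALERT_BEFORE_PASS_ORDER if alert_before_pass else DEFAULT_ORDER
    rules = [parse_rule(r) for r in RULES]
    for action in order:
        for rule in rules:
            if rule[0] == action and matches(rule, pkt):
                return action
    return "pass"  # no rule matched: inline Snort forwards the packet

if __name__ == "__main__":
    telnet_syn = Packet("tcp", 23)
    print("default order:      ", verdict(telnet_syn, False))  # pass
    print("--alert-before-pass:", verdict(telnet_syn, True))   # drop
```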
Now we can send an ICMP ping packet from host A to host B. The ping should be forwarded successfully because ICMP packets are allowed by our SNORT rule set.
winson@VM-UBUNTU:~$ ping 1.0.67.2 -c 1
PING 1.0.67.2 (1.0.67.2) 56(84) bytes of data.
64 bytes from 1.0.67.2: icmp_req=1 ttl=64 time=0.838 ms
--- 1.0.67.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.838/0.838/0.838/0.000 ms
Then we can use telnet to send TCP packets destined for port 23; we should get a connection timed out message.
winson@VM-UBUNTU:~$ telnet 1.0.67.2
Trying 1.0.67.2...
telnet: Unable to connect to remote host: Connection timed out
We can also look at the SNORT console to see that these telnet packets were dropped by SNORT:
[**] [1:1000001:0] <> Drop telnet packets [**]
[Priority: 0]
05/03-17:34:41.995762 1.0.67.1:40145 -> 1.0.67.2:23
TCP TTL:64 TOS:0x10 ID:3913 IpLen:20 DgmLen:60 DF
******S* Seq: 0x310D692D Ack: 0x0 Win: 0x16D0 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 156788324 0 NOP WS: 5

[**] [1:1000001:0] <> Drop telnet packets [**]
[Priority: 0]
05/03-17:34:44.985455 1.0.67.1:40145 -> 1.0.67.2:23
TCP TTL:64 TOS:0x10 ID:3914 IpLen:20 DgmLen:60 DF
******S* Seq: 0x310D692D Ack: 0x0 Win: 0x16D0 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 156788625 0 NOP WS: 5

[**] [1:1000001:0] <> Drop telnet packets [**]
[Priority: 0]
05/03-17:34:50.995668 1.0.67.1:40145 -> 1.0.67.2:23
TCP TTL:64 TOS:0x10 ID:3915 IpLen:20 DgmLen:60 DF
******S* Seq: 0x310D692D Ack: 0x0 Win: 0x16D0 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 156789226 0 NOP WS: 5
Now it is a Linux box with basic IPS capabilities. You can try writing more complicated SNORT rules to make it more powerful.
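The alert_full records above can be parsed to confirm what the inline box actually did. The script below is an added example, not from the article: it extracts rule id, flow and TCP flags from such records and reports repeated SYNs. Because drop discards a packet silently (unlike reject, which also sends a TCP RST), the client keeps retransmitting the same SYN with the same sequence number, which is why telnet ends with a timeout rather than a refused connection. SAMPLE is a copy of the first two records shown above.

```python
"""Parse Snort alert_full records (like the console output above) into
events so drops on an inline box can be counted and sanity-checked.
Added example, not from the article; SAMPLE copies its first two records."""
import re
from collections import Counter
SAMPLE = """\
[**] [1:1000001:0] <> Drop telnet packets [**]
[Priority: 0]
05/03-17:34:41.995762 1.0.67.1:40145 -> 1.0.67.2:23
TCP TTL:64 TOS:0x10 ID:3913 IpLen:20 DgmLen:60 DF
******S* Seq: 0x310D692D Ack: 0x0 Win: 0x16D0 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 156788324 0 NOP WS: 5

[**] [1:1000001:0] <> Drop telnet packets [**]
[Priority: 0]
05/03-17:34:44.985455 1.0.67.1:40145 -> 1.0.67.2:23
TCP TTL:64 TOS:0x10 ID:3914 IpLen:20 DgmLen:60 DF
******S* Seq: 0x310D692D Ack: 0x0 Win: 0x16D0 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 156788625 0 NOP WS: 5
"""
# Header "[**] [gid:sid:rev] <> msg [**]", flow line, and the TCP flags line.
HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (?:<> )?(.+?) \[\*\*\]$")
FLOW = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
TCP = re.compile(r"^([*A-Z12]{8}) Seq: (0x[0-9A-Fa-f]+)")

def parse_alert_full(text):
    """One event per blank-line-separated record; unknown lines are skipped."""
    events = []
    for record in text.strip().split("\n\n"):
        ev = {}
        for line in record.splitlines():
            line = line.rstrip()
            if m := HEADER.match(line):
                ev["gid"], ev["sid"], ev["rev"] = map(int, m.groups()[:3])
                ev["msg"] = m.group(4)
            elif m := FLOW.match(line):
                ev["time"], ev["src"], ev["dst"] = m.group(1), m.group(2), m.group(4)
                ev["sport"], ev["dport"] = int(m.group(3)), int(m.group(5))
            elif m := TCP.match(line):
                ev["flags"], ev["seq"] = m.group(1), int(m.group(2), 16)
        if "sid" in ev:
            events.append(ev)
    return events

def retransmitted_syns(events):
    """Repeated SYNs per (src, sport, dst, dport, seq): a silently dropped
    SYN is resent with the same sequence number until the client times out."""
    keys = [(e["src"], e["sport"], e["dst"], e["dport"], e["seq"])
            for e in events if e.get("flags") == "******S*"]
    return {k: n for k, n in Counter(keys).items() if n > 1}
```

Feeding the box's real alert_full output (for example from a file) to parse_alert_full lets you check that every drop belongs to an expected sid and destination port before trusting the rule set on production traffic.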
