Snort on DSL connection

I was proficient with working on Snort on my eth0 connection during my previous Ubuntu installation. Later, I changed to Fedora, and eth0 was replaced with eno1. And the other change – I started using a direct DSL line, which used the ppp connection.

Now while doing ifconfig for the DSL connection, I get the interface as ppp0 instead of eno1.


The limitation with Snort is that it will consider only the ether packets, ignoring the ppp0 connection. Even when I am using the ppp0/DSL connection through my Ethernet port, the connection is not through eno1.

If you try starting the Snort instance with the command

# snort -c /etc/snort/snort.conf -l /var/log/snort/ 

it will give the following error:

ERROR: Cannot decode data link type 113
Fatal Error, Quitting..


If you search for this error, you will find a variety of solutions. If your Snort version is 2.9.6.1, none of them are going to work for you. The reason is that they have stopped supporting the --enable-non-ether-decoders option.

If you put that argument with your command for igniting Snort, you will be provided with a list of available arguments, but --enable-non-ether-decoders will not be allowed. I was furiously looking for a solution regarding this problem. After going through some forums, it came to my mind to try a walk-through.

The easiest option available was to point Snort at eno1, the Ethernet interface that the ppp0 connection is plugged in to, instead of ppp0. Give the command with an additional argument, -i eno1:

# snort -D -i eno1 -c /etc/snort/snort.conf -l /var/log/snort/

This will start the Snort daemon on the eno1 interface, capturing all the packets and dumping them to your desired location. The logs will be located in files named snort.log.xxxx. Every Snort instance creates a new log file, with the packets logged in binary pcap format, readable by Wireshark, Snort, or other similar applications.


If you try to read these logs with some text reader/editor, it will be like reading the Webdings fonts. Don’t do that. Snort has a better reader, also called Snort -r.

Give the command:

# snort -r snort.log.1405955899

This will give you a nice analysis of the packets with all the logs available to you. You can also export the readable content to a .txt file by the normal methods.


Choose the rules you apply to Snort very wisely. As this was for a test environment, I implemented all the available rules to the scenario; and that gave me 5 MB of logs when I ran Snort for just 25 seconds. You need to cut that down, Roger!

Parsing and getting the required information from these logs is one more task. Have you tried Splunk, lately? Here: http://apps.splunk.com/app/340/
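
For a quick look at a snort.log.xxxx file without Snort or Wireshark, here is an added example (not part of the original post) that reads the pcap header, reports the link-layer type (1 is Ethernet, 113 is the Linux cooked capture type from the error above) and counts packets per IP protocol. It assumes the DSL link is PPPoE, so frames captured on eno1 may wrap IPv4 in a PPPoE session header; the function names and the sample packet are constructed for illustration.

```python
import struct
from collections import Counter

# pcap link-layer types: 1 = Ethernet, 113 = Linux cooked capture (SLL)
L2_HEADER_LEN = {1: 14, 113: 16}
IP_PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

def summarize_pcap(data: bytes):
    """Return (linktype, Counter of per-packet labels) for a classic pcap blob."""
    magics = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
              b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}
    if len(data) < 24 or data[:4] not in magics:
        raise ValueError("not a classic pcap file")
    end = magics[data[:4]]
    linktype = struct.unpack(end + "I", data[20:24])[0] & 0xFFFF
    l2 = L2_HEADER_LEN.get(linktype)
    counts, off = Counter(), 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if l2 is None or len(frame) < l2:
            counts["undecoded"] += 1
            continue
        # Ethernet and SLL both end their header with a 2-byte EtherType
        etype, ip_off, tag = frame[l2 - 2:l2], l2, ""
        if etype == b"\x88\x64" and frame[l2 + 6:l2 + 8] == b"\x00\x21":
            # PPPoE session frame carrying IPv4: skip 6-byte PPPoE + 2-byte PPP header
            etype, ip_off, tag = b"\x08\x00", l2 + 8, "pppoe/"
        if etype != b"\x08\x00" or len(frame) < ip_off + 20:
            counts["non-ipv4"] += 1
            continue
        counts[tag + IP_PROTO.get(frame[ip_off + 9], "other")] += 1
    return linktype, counts

def sample_capture(linktype, pppoe=False):
    """Constructed one-packet capture (ICMP echo request), not real traffic."""
    l2 = b"\x00" * (L2_HEADER_LEN.get(linktype, 14) - 2)
    l2 += b"\x88\x64\x11\x00\x00\x01\x00\x1e\x00\x21" if pppoe else b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    frame = l2 + ip + b"\x08\x00\xf7\xff\x00\x00\x00\x00"
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return hdr + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_capture(1, True)
    print(summarize_pcap(blob))
```

Pass a log file path as the first argument to summarize a real capture. A high "non-ipv4" or "undecoded" count means the framing is something this sketch does not unwrap.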

 

TL;DR: list your interface as eno1 even if you are using a ppp0 connection.

Snort on Debian

Snort is an Intrusion Detection and Prevention System for Windows and *nix machines. You can download it from here: Snort Download.

Well, on Debian we don't need to download it from there. The command to download and install it is:

# apt-get install snort

This will download and install Snort to your Debian.

The next step is to configure Snort to generate alerts for any activity. For example, we can consider ICMP ping requests for alerts. Whenever someone pings our machine, an alert will be logged.

For configuration, 3 directories are necessary. If they are not created on their own, create them with the mkdir command. They are:

/etc/snort

/etc/snort/rules

/var/log/snort

Now, our configuration file is: /etc/snort/snort.conf

If you need, you can take a backup of the original file, and then create a new file and edit it as below:

include /etc/snort/rules/icmp.rules

We don’t need to add other lines. As right now we are concerned only with ICMP requests, we will configure only the icmp.rules file, and hence it is the only file referenced in snort.conf.

Now, the icmp.rules file contains the below content:

alert icmp any any -> any any (msg:"Hey, someone pinged!"; sid:477; rev:3;)

This line will log any ICMP request from any source, with the given message. The sid and rev are used to uniquely identify a Snort rule and its revision.

Now, to start Snort listening on interface eth1, the command will be:

snort -c /etc/snort/snort.conf -l /var/log/snort -i eth1

The first location, given with -c, is where the Snort configuration file is located, while the second location, given with -l, is where to store the alerts, and -i selects the interface.

Now, ping the machine from some other machine, and you will find an entry in the alert file located in /var/log/snort. It will contain the source and destination IP addresses, the time and date of the incident and other information related to the query.

Similarly, you can configure Snort to generate alerts on various incidents like FTP logins, SSH attempts, and Telnet requests.
