Feature #1771

IDS/IPS (snort)

Added by Giacomo Sanchietti over 6 years ago. Updated about 5 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-snort
Target version: v6.5
Resolution:
NEEDINFO: No

Description

IDS/IPS support.

Major candidate is SNORT (http://www.snort.org)

Associated revisions

Revision 40e15284
Added by Giacomo Sanchietti almost 6 years ago

createlinks, shorewall templates: add NFQUEUE support. Refs #1771

Revision e5a25f6c
Added by Giacomo Sanchietti almost 6 years ago

rules template: fix syntax for httpd-admin service. Refs #1771

Revision 704b5143
Added by Giacomo Sanchietti almost 6 years ago

policy template: redirect loc2net traffic to NFQUEUE when nfqueue property is enabled. Refs #1771

Revision cfece929
Added by Giacomo Sanchietti over 5 years ago

First import - snort 2.9.5.5-1. Refs #1771

Revision 1fc3b02f
Added by Giacomo Sanchietti over 5 years ago

shorewall templates: add NFQ support for extra zones. Refs #1771

Revision 47730415
Added by Giacomo Sanchietti over 5 years ago

Firewall policy: enable NFQ if needed. Refs #1771

Revision e428ac56
Added by Giacomo Sanchietti over 5 years ago

First import. Refs #1771

Revision b54eefd7
Added by Giacomo Sanchietti over 5 years ago

First import. Refs #1771

Revision ac47a90f
Added by Giacomo Sanchietti over 5 years ago

spec: refactor all paths. Refs #1771

Revision 336fb6a1
Added by Giacomo Sanchietti over 5 years ago

Update to snort 2.9.6.1. Refs #1771

Revision 33097205
Added by Giacomo Sanchietti over 5 years ago

Web UI: apply configuration. Refs #1771

Revision c984a5ee
Added by Giacomo Sanchietti over 5 years ago

createlinks, actions: add nethserver-pulledpork-save event. Refs #1771

Revision e0571f07
Added by Giacomo Sanchietti over 5 years ago

createlinks: fix daemon restart. Refs #1771

Revision ad4c0fdb
Added by Giacomo Sanchietti over 5 years ago

templates: add FILE_DATA_PORTS var. Refs #1771

Revision b20fa57f
Added by Giacomo Sanchietti over 5 years ago

DB defaults: rename snort to snortd. Refs #1771

Revision 5f8897ad
Added by Giacomo Sanchietti over 5 years ago

spec: add snortalog dependency. Refs #1771

Revision 32850266
Added by Giacomo Sanchietti over 5 years ago

Web interface: fix syntax in translation. Refs #1771

Revision 74309add
Added by Giacomo Sanchietti over 5 years ago

Force rules download, avoid errors on snort restart. Refs #1771

Revision e92f8f26
Added by Giacomo Sanchietti over 5 years ago

sudoers template: fix wrapper path. Refs #1771

Revision c5d9f748
Added by Giacomo Sanchietti over 5 years ago

Inline help: add IPS rst files. Refs #1771

Revision a7fb5c3b
Added by Davide Principi about 5 years ago

Fixed logrotate patch. Refs #1771

- Updated to upstream version 2.9.6.2
- Added tarball SHA1SUM, to support build-rpm builds

Revision eb37c66e
Added by Davide Principi about 5 years ago

Rebuild for snort-2.9.6.2. Refs #1771

Revision 64134b60
Added by Davide Principi about 5 years ago

Added nethserver-ips group. Refs #1771

History

#1 Updated by Giacomo Sanchietti almost 6 years ago

  • Status changed from NEW to TRIAGED
  • % Done changed from 0 to 20
Snort rebuild with daq and nfq support
  • Dependencies:
    • libnetfilter_queue (from epel)
    • libnfnetlink (from centalt)
    • libmnl
    • libdnet
    • daq, needs to be built
  • Configuration:
    • create a simple template for snort.conf
  • Add pulledpork dependency
  • Pulledpork rpm: ftp://ftp.pbone.net/mirror/ftp5.gwdg.de/pub/opensuse/repositories/home:/deadpoint/openSUSE_12.3/src/pulledpork-0.6.1-5.1.src.rpm
    • Depends on: perl-Crypt-SSLeay perl-Archive-Tar
  • Fixes:
    touch /etc/snort/rules/black_list.rules
    touch /etc/snort/rules/white_list.rules
    mkdir -p /usr/lib/snort_dynamicrules
    mkdir /etc/snort/rules/iplists/ 
    
  • Fix init script and sysconfig
    --- /etc/init.d/snortd.ori    2013-10-15 09:36:44.375726032 +0200
    +++ /etc/init.d/snortd    2013-10-15 10:25:13.615957284 +0200
    @@ -45,6 +45,8 @@
    
     if [ "$INTERFACE"X = "X" ]; then
        INTERFACE="-i eth0" 
    +elif [ "$INTERFACE"X = "NFQX" ]; then
    +   INTERFACE="-Q" 
     else 
        INTERFACE="-i $INTERFACE" 
     fi
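Review bot: `-Q` only puts snort in inline mode; it does not select the nfq DAQ or a queue number, and snort's default DAQ (pcap) refuses to run inline, so the `INTERFACE="-Q"` branch works only if snort.conf carries `config daq: nfq` and `config daq_var: queue=N` (or the branch also appends `--daq nfq --daq-var queue=N`). A one-line comment next to `INTERFACE="-Q"` saying where the DAQ selection lives would help, because the sysconfig text still describes INTERFACE as `-i {interface}`.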
    @@ -98,7 +100,9 @@
       start)
             echo -n "Starting snort: " 
             cd $LOGDIR
    -        if [ "$INTERFACE" = "-i ALL" ]; then
    +        if [ "$INTERFACE" = "-Q" ]; then
    +                daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -u $USER -g $GROUP $CONF $PASS_FIRST $BPFFILE $BPF $INTERFACE
    +        elif [ "$INTERFACE" = "-i ALL" ]; then
                for i in `cat /proc/net/dev|grep eth|awk -F ":" '{ print $1; }'`
                do
                     mkdir -p "$LOGDIR/$i" 
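Review bot: the `-Q` branch repeats the whole daemon argument list, including `$PRINT_INTERFACE` and `$BPFFILE $BPF`, which refer to a capture interface snort does not have in NFQ mode; the branch only needs to skip the per-interface loop, so reserving the `if` for the `-i ALL` loop and letting the single-interface invocation run with `$INTERFACE` already expanded to `-Q` avoids another copy of that line to keep in sync. Worth a comment in this branch as well: packets sent to NFQUEUE with nobody bound to the queue are dropped by the kernel unless the rule uses `--queue-bypass`, so a `daemon` that fails here, or a snortd started after shorewall has already installed the queue rule, silently takes loc2net traffic down; the init ordering relative to the firewall matters for the same reason.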
    
    --- /etc/sysconfig/snort.ori    2013-10-15 09:35:37.972316309 +0200
    +++ /etc/sysconfig/snort    2013-10-15 10:14:19.865403270 +0200
    @@ -12,7 +12,7 @@
     # What interface should snort listen on?  [Pick only 1 of the next 3!]
     # This is -i {interface} on the command line
     # This is the snort.conf config interface: {interface} directive
    -INTERFACE=eth0
    +INTERFACE=NFQ
     #
     # The following two options are not directly supported on the command line
     # or in the conf file and assume the same Snort configuration for all
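Review bot: the default becomes `INTERFACE=NFQ`, but the comment two lines above still says the value is `-i {interface}` on the command line and the `interface:` directive in snort.conf, neither of which applies to NFQ; update that comment (and the "Pick only 1 of the next 3" remark) in the same hunk so the file stays self-describing.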
    @@ -23,6 +23,9 @@
     #
     # To listen only on given interfaces use this:
     #INTERFACE="eth1 eth2 eth3 eth4 eth5" 
    +#
    +# To use NFQ mode
    +#INTERFACE=NFQ
    
     # Where is Snort's configuration file?
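Review bot: the new `#INTERFACE=NFQ` example says "To use NFQ mode" but not what that requires: a snort built against a DAQ with nfq support, `config daq: nfq` in snort.conf, and a firewall rule that sends traffic to the same NFQUEUE number snort binds. Since NFQ is already the active value set earlier in this file, a sentence on those prerequisites (and that the queue number must match the one the firewall uses) is the part a reader needs here.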
    
  • Add Shorewall NFQUEUE support

#2 Updated by Giacomo Sanchietti almost 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#4 Updated by Giacomo Sanchietti over 5 years ago

  • Assignee deleted (Giacomo Sanchietti)

#5 Updated by Giacomo Sanchietti over 5 years ago

  • Target version changed from ~FUTURE to v6.5

#6 Updated by Giacomo Sanchietti over 5 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 30 to 60
Packages to be built:
  • snort
  • daq
  • snortalog
  • pulledpork
  • nethserver-pulledpork
  • nethserver-snort

TODO: add inline help and manual pages. See: nethserver-snort.

#7 Updated by Giacomo Sanchietti over 5 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70
Packages in nethserver-testing:
  • nethserver-pulledpork-0.0.1-1.ns6.noarch.rpm
  • nethserver-snort-0.0.1-6.0gite92f8f26.ns6.noarch.rpm
  • snortalog-0.0.1-1.ns6.noarch.rpm
  • daq-2.0.2-1.x86_64.rpm
  • snort-2.9.6.1-1.x86_64.rpm
  • pulledpork-0.7.0-2.noarch.rpm
Requirements (built from branches):
  • nethserver-firewall-base-1.1.0-50.0git08bb326d.ns6.noarch
  • nethserver-base-2.2.1-42.0git6cfa99e8.ns6.noarch
Test case 1
  • Enable Snort from web interface
  • Check nfqueue is enabled and snort is running
Test case 2
  • Change policy from web interface
  • Check changes are reflected in pulledpork and snort
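
Test case 1 says to check that nfqueue is enabled and snort is running. The script below is an added example, not part of nethserver-snort or of this test plan, that makes the check concrete and adds the one the test case does not mention: the NFQUEUE number targeted by the firewall rules must equal the queue snort binds through the nfq DAQ, otherwise snort runs while the kernel drops the queued packets. It assumes the standard `iptables-save`, snort.conf (`config daq: nfq`, `config daq_var: queue=N`) and `ps -o args=` formats; the chain names and sample texts used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not part of nethserver-snort: verify the NFQUEUE hand-off
# behind test case 1. Every check reads command output from stdin, so it can
# run on a live box ("--live") or on saved output.

# stdin: `iptables-save` text. stdout: the queue number of every NFQUEUE rule
# (iptables-save prints --queue-num; fall back to queue 0 if it is absent).
nfqueue_queues() {
    grep -- '-j NFQUEUE' \
    | sed -e 's/.*--queue-num \([0-9][0-9]*\).*/\1/' -e 't' -e 's/.*/0/'
}

# stdin: `iptables-save` text. Exit 0 only if every NFQUEUE rule carries
# --queue-bypass, i.e. packets are accepted rather than dropped while no
# snort is bound to the queue.
nfqueue_all_bypass() {
    ! grep -- '-j NFQUEUE' | grep -v -q -- '--queue-bypass'
}

# stdin: snort.conf. stdout: the queue snort binds via the nfq DAQ
# ("config daq: nfq" plus "config daq_var: queue=N", default 0), or nothing
# when the nfq DAQ is not selected at all.
snort_nfq_queue() {
    awk '
        /^[[:space:]]*config[[:space:]]+daq:[[:space:]]*nfq/ { nfq = 1 }
        /^[[:space:]]*config[[:space:]]+daq_var:[[:space:]]*queue=/ {
            sub(/.*queue=/, ""); sub(/[^0-9].*/, ""); q = $0
        }
        END { if (nfq) print (q == "" ? "0" : q) }
    '
}

# stdin: `ps -o args= -C snort` text. Exit 0 if a snort runs inline (-Q).
snort_inline_running() {
    grep -E -q -- ' -Q( |$)'
}

# $1: iptables-save text, $2: snort.conf text. Exit 0 when the firewall sends
# traffic to exactly the queue snort is bound to.
check_queue_match() {
    fw=$(printf '%s\n' "$1" | nfqueue_queues | sort -u)
    sn=$(printf '%s\n' "$2" | snort_nfq_queue)
    [ -n "$fw" ] && [ -n "$sn" ] && [ "$fw" = "$sn" ]
}

# Live run (root): gather the three inputs from the system and report.
live_check() {
    ipt=$(iptables-save) || return 1
    conf=$(cat /etc/snort/snort.conf) || return 1
    ps -o args= -C snort | snort_inline_running \
        || { echo "FAIL: no snort process running with -Q"; return 1; }
    check_queue_match "$ipt" "$conf" \
        || { echo "FAIL: NFQUEUE --queue-num and snort daq_var queue= differ"; return 1; }
    printf '%s\n' "$ipt" | nfqueue_all_bypass \
        || echo "WARN: NFQUEUE rules lack --queue-bypass: traffic is dropped while snort is down"
    echo "OK: snort inline on queue $(printf '%s\n' "$conf" | snort_nfq_queue)"
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it with `--live` as root on the server; because the functions read stdin, they can also be pointed at saved `iptables-save` and `snort.conf` copies from a QA box. The WARN branch is deliberate: a queue rule without `--queue-bypass` turns every snort restart into an outage window for the queued traffic, which is a choice to make knowingly rather than discover.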

#9 Updated by Giacomo Sanchietti over 5 years ago

Modifications:
  • pulledpork will always try to download new rule sets
  • snort will not fail to start if pulledpork can't download rule sets
New packages in nethserver-testing:
  • nethserver-snort-0.0.1-5.0git32850266.ns6.noarch.rpm
  • nethserver-pulledpork-0.0.1-1.0git74309add.ns6.noarch.rpm

#10 Updated by Giacomo Sanchietti over 5 years ago

  • Assignee set to Davide Marini

#11 Updated by Davide Marini over 5 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

Test case 1 and 2 verified, everything worked as expected.

Just a little note: snort is logging a lot and when it restarts syslogd starts to drop snort messages due to massive logging, e.g.:

Jun 5 15:29:44 server rsyslogd-2177: imuxsock begins to drop messages from pid 5715 due to rate-limiting

Because of this behaviour we can't see the active rules in the log file because they're dropped by syslogd.
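
The note above describes a detection gap rather than a snort bug: when imuxsock rate-limits the restart burst, the "N Snort rules read" line that confirms the active rule set (the one quoted later on this ticket as `16381 Snort rules read`) can be among the dropped messages, so its absence is indistinguishable from snort loading no rules. The script below is an added example, not from nethserver-snort, that reads syslog text and reports whether the rule count was logged and whether rsyslog dropped messages from that same snort pid, so a missing or untrustworthy count is flagged instead of silently accepted. The log lines it is tested against are constructed from the two formats quoted on this page.

```shell
#!/bin/sh
# Added example, not part of nethserver-snort: detect the QA note's failure
# mode (rsyslog's imuxsock rate-limiter dropping snort's restart burst) from
# syslog text instead of trusting that the rule count reached the log.

# stdin: syslog text. stdout: "<pid> <rules>" per "N Snort rules read" line.
snort_rules_read() {
    sed -n 's/.*snort\[\([0-9][0-9]*\)]: \([0-9][0-9]*\) Snort rules read.*/\1 \2/p'
}

# stdin: syslog text. stdout: pids imuxsock started dropping messages from.
imuxsock_dropped_pids() {
    sed -n 's/.*imuxsock begins to drop messages from pid \([0-9][0-9]*\) due to rate-limiting.*/\1/p' \
    | sort -u
}

# $1: syslog text. Prints one status line and exits 0 only when the latest
# snort rule count was logged by a pid rsyslog did not rate-limit:
#   "missing"                       no rule count reached the log at all
#   "rate-limited pid=P rules=N"    a count is there, but pid P lost messages
#   "ok pid=P rules=N"              count present and the pid was not limited
snort_log_status() {
    last=$(printf '%s\n' "$1" | snort_rules_read | tail -n 1)
    if [ -z "$last" ]; then
        echo "missing"
        return 1
    fi
    pid=${last%% *}
    rules=${last#* }
    if printf '%s\n' "$1" | imuxsock_dropped_pids | grep -q -x "$pid"; then
        echo "rate-limited pid=$pid rules=$rules"
        return 1
    fi
    echo "ok pid=$pid rules=$rules"
}

# Usage on the server: snort_log_status "$(cat /var/log/messages)"
```

A non-zero exit from `snort_log_status` is the signal to look at rsyslog rather than at snort: the imuxsock limiter is governed by `$SystemLogRateLimitInterval` and `$SystemLogRateLimitBurst` (interval 0 disables it), but tuning that is a pointer for the reader, not a change this ticket made.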

#12 Updated by Giacomo Sanchietti over 5 years ago

  • Assignee deleted (Davide Marini)

Before release, wait for: #2719 #2716

#13 Updated by Davide Principi about 5 years ago

  • Status changed from VERIFIED to ON_QA
  • % Done changed from 90 to 70

Rebuilt with snort-2.9.6.2, to fix logrotate patch

In nethserver-testing:
snort-2.9.6.2-1.x86_64.rpm
snort-debuginfo-2.9.6.2-1.x86_64.rpm
nethserver-snort-0.0.1-8.0giteb37c66e.ns6.noarch.rpm

Packager note
Release with nethserver-snort-0.0.1-8.0giteb37c66e.ns6.noarch.rpm

#14 Updated by Filippo Carletti about 5 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

Installed nethserver-snort on a new system, snort starts, rules are correct and logrotation works.

Aug 19 14:43:09 localhost snort[12207]: 16381 Snort rules read

#15 Updated by Davide Principi about 5 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates:
nethserver-snort-1.0.0-1.ns6.noarch.rpm
nethserver-openvpn-1.1.0-1.ns6.noarch.rpm
nethserver-firewall-base-2.0.0-1.ns6.noarch.rpm

...and also dependencies:
nethserver-pulledpork-1.0.0-1.ns6.src.rpm
pulledpork-0.7.0-2.noarch.rpm
