Setting up Snort on CentOS 7

Contents

  • Example Snort rule
  • Explanation of the requested rules
  • The script
  • Notes
  • Useful commands

Example Snort rule

[image: snort_rule.png]

Explanation of the requested rules

Alert on and log FTP traffic

alert tcp any any -> $HOME_NET 21 (msg:"Tentative connexion FTP";sid: 10000001; rev: 1;)
log tcp any any -> any 21 (sid: 10000002; rev: 1;)

Alert on and log ICMP echo-request traffic

alert icmp any any -> $HOME_NET any (itype: 8; msg: "ICMP Echo request";sid: 10000003; rev: 1;)
log icmp any any -> any any (sid: 10000004; rev: 1;)

  • The sid must be unique for each rule
  • itype is the ICMP packet type; see the table below:
Value  ICMP packet type
0      Echo reply
3      Destination unreachable
4      Source quench
5      Redirect
8      Echo request
11     Time exceeded
12     Parameter problem
13     Timestamp request
14     Timestamp reply
15     Information request
16     Information reply
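A small checker for local.rules, added here as an example and not part of the original setup script: it enforces the two points above (every rule has a sid, sids are unique, the option list is closed) and verifies that any itype value is one of the ICMP types in the table. The sample rules file it writes is constructed for the demonstration and deliberately contains defects.

```shell
#!/bin/bash

# write_sample_rules FILE: constructed sample made of the page's four rules plus three
# deliberate defects (unterminated option list, duplicate sid, unknown itype).
write_sample_rules() {
    cat > "$1" <<'EOF'
# Rules FTP
alert tcp any any -> $HOME_NET 21 (msg:"Tentative connexion FTP";sid: 10000001; rev: 1;)
log tcp any any -> any 21 (sid: 10000002; rev: 1;)
# Rules ICMP
alert icmp any any -> $HOME_NET any (itype: 8; msg: "ICMP Echo request";sid: 10000003; rev: 1;)
log icmp any any -> any any (sid: 10000004; rev: 1;
alert icmp any any -> $HOME_NET any (itype: 8; msg: "dup sid";sid: 10000003; rev: 1;)
alert icmp any any -> $HOME_NET any (itype: 99; msg: "bad itype";sid: 10000005; rev: 1;)
EOF
}

# ICMP type values from the table above (value column only)
KNOWN_ITYPES=" 0 3 4 5 8 11 12 13 14 15 16 "

# check_rules FILE: prints one line per problem and returns the problem count (0 = clean)
check_rules() {
    local file="$1" errors=0 line val dup
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac            # skip blank lines and comments
        case "$line" in *\)) ;; *)                            # the option list must be closed
            echo "unterminated options: $line"; errors=$((errors + 1)) ;; esac
        case "$line" in *sid:*) ;; *)                         # every rule needs a sid
            echo "missing sid: $line"; errors=$((errors + 1)) ;; esac
        case "$line" in *itype:*)                             # itype must be a listed ICMP type
            val=$(printf '%s\n' "$line" | sed -n 's/.*itype:[[:space:]]*\([0-9]*\).*/\1/p')
            case "$KNOWN_ITYPES" in *" $val "*) ;; *)
                echo "unknown itype '$val': $line"; errors=$((errors + 1)) ;; esac ;;
        esac
    done < "$file"
    # sid values must be unique across the whole file
    for dup in $(grep -o 'sid:[[:space:]]*[0-9]*' "$file" | tr -d ' ' | sort | uniq -d); do
        echo "duplicate $dup"; errors=$((errors + 1))
    done
    return "$errors"
}

# Stand-alone run: write the sample, check it, report the number of problems
SAMPLE=$(mktemp)
write_sample_rules "$SAMPLE"
check_rules "$SAMPLE" || echo "problems found: $?"
rm -f "$SAMPLE"
```

Run it against /etc/snort/rules/local.rules before `snort -T` to catch the errors Snort would otherwise refuse to start on.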

The script

#!/bin/bash

# Prerequisites
yum install -y epel-release libnghttp2 libdnet tcpdump

# Install Snort
yum install -y https://www.snort.org/downloads/snort/snort-2.9.16-1.centos7.x86_64.rpm

# Create the missing directories and files
mkdir -p /etc/snort/rules
mkdir -p /usr/local/lib/snort_dynamicrules
chmod -R 5775 /etc/snort
chmod -R 5775 /usr/local/lib/snort_dynamicrules
chown -R snort:snort /etc/snort
chown -R snort:snort /var/log/snort/
chown -R snort:snort /usr/local/lib/snort_dynamicrules
touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/black_list.rules
touch /etc/snort/rules/local.rules

# Fixes: comment out every "include $RULE_PATH/..." line (those rule files are
# not shipped with the RPM), then re-enable local.rules only
sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf
sed -i 's#\#include $RULE_PATH/local.rules#include $RULE_PATH/local.rules#g' /etc/snort/snort.conf
# The RPM is linked against libdnet.1, which the CentOS 7 package does not provide under that name
ln -s /usr/lib64/libdnet.so.1.0.1 /usr/lib64/libdnet.1
# Make the relative paths in snort.conf (RULE_PATH ../rules, etc.) absolute
sed -i 's#PATH ../#PATH /etc/snort/#g' /etc/snort/snort.conf

# Add the rules
echo '# Rules FTP
alert tcp any any -> $HOME_NET 21 (msg:"Tentative connexion FTP";sid: 10000001; rev: 1;)
log tcp any any -> any 21 (sid: 10000002; rev: 1;)

# Rules ICMP
alert icmp any any -> $HOME_NET any (itype: 8; msg: "ICMP Echo request";sid: 10000003; rev: 1;)
log icmp any any -> any any (sid: 10000004; rev: 1;)' > /etc/snort/rules/local.rules

# Write alerts and packet logs in unified2 format
echo "output log_unified2: filename snort.log, limit 128, nostamp
output alert_unified2: filename snort.alert, limit 128, nostamp" >> /etc/snort/snort.conf

# Snort systemd service. Type=simple expects Snort to stay in the foreground, so
# -D (daemonize) must not be used here: systemd would see the parent exit and stop the unit.
echo "[Unit]
Description=Snort NIDS
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/usr/sbin/snort -m 027 -d -l /var/log/snort -u snort -g snort -i ens4 -c /etc/snort/snort.conf

[Install]
WantedBy=multi-user.target" > /etc/systemd/system/snort.service

# Enable the snort service (daemon-reload so systemd picks up the new unit file)
systemctl daemon-reload
systemctl enable snort

# Put SELinux in permissive mode (otherwise the service does not start).
# setenforce is not persistent across reboots; set SELINUX=permissive in
# /etc/selinux/config to make it permanent.
setenforce Permissive

# Start the snort service
systemctl start snort

Notes

  • Tested on CentOS 7
  • Not tested on CentOS 8
  • ens4 is the interface connected to the switch's SPAN port (nothing needs to be configured on it)

Useful commands

  • Test the configuration
snort -T -c /etc/snort/snort.conf -i ens4
  • Run Snort in console mode (alerts printed to the terminal)
snort -d -l /var/log/snort/ -A console -i ens4 -c /etc/snort/snort.conf