This tutorial is part of The LAB project.
FWSNORT application layer intrusion detection
This section describes the installation and configuration of "fwsnort", a Snort-rule based "application layer" intrusion detection system. Fwsnort can be integrated with psad, but rules should be carefully tested before installing them in a live environment. It downloads Snort rules and converts them to iptables rules. You can convert all rules, one class of rules, or a single rule, and the generated rules can either just log matching traffic or also take an active response (drop or reject) at the same time.
To be on the safe side you should turn off psad's active response until you have tested the configuration. You can do this by setting "ENABLE_AUTO_IDS N;" in the "/etc/psad/psad.conf" file (see the previous tutorial).
Pre-requirements
The first thing to do is to install the prerequisites. The install script needs the package "make" from the Debian repository. Don't forget to remove it when it is no longer needed.
Change your user to root:
su -
Install "make" package:
aptitude install make
Install fwsnort
After this you can download and verify the fwsnort sources. Note that a checksum fetched over plain HTTP from the same server as the tarball only catches a corrupted download; it does not prove who published the file.
cd /usr/local/src
wget "http://www.cipherdyne.org/fwsnort/download/fwsnort-1.5.tar.gz"
wget "http://www.cipherdyne.org/fwsnort/download/fwsnort-1.5.tar.gz.md5"
md5sum -c fwsnort-1.5.tar.gz.md5
Unpack the sources:
tar xvzf fwsnort-1.5.tar.gz
Change directory to the source dir and install it:
cd /usr/local/src/fwsnort-1.5
./install.pl
The installer will ask to download the newest snort rules, say "Y" to this.
[+] Would you like to download the latest Snort rules from http://www.emergingthreats.net/? Y
The log file for fwsnort will be located here:
/var/log/fwsnort/fwsnort.log
Configuration
The main config file for fwsnort is located at /etc/fwsnort/fwsnort.conf. Edit it and change the settings according to your needs:
nano /etc/fwsnort/fwsnort.conf
I will only show the settings I have changed for my environment, but you should check all parameters before proceeding.
Set the HOME_NET parameter. In my case it is the server's IP address. Note that the /24 suffix makes this the whole 20.0.0.0/24 network, which is what you want if you protect a full network; to match only the single host use /32:
HOME_NET 20.0.0.10/24;
Some IP addresses should be excluded from the checks altogether. I put my desktop PC's IP address here. You can leave this NONE:
WHITELIST 20.0.0.1;
You can BLACKLIST some IP addresses which will be blocked all the time.
BLACKLIST NONE;
Save the file and exit.
Enable the rules
Now we can convert the Snort rules to iptables rules with the fwsnort program. Several command line arguments are available depending on your needs:
Rules database can be manually updated with the following command:
fwsnort --update-rules
An example command to convert only one rule, identified here by SID 2002763, and have it reject matching traffic:
fwsnort --snort-sid 2002763 --ipt-reject
Now I will convert all rules to iptables rules with the "fwsnort" command:
fwsnort
The rules can be imported into iptables with the "fwsnort.sh" command:
/etc/fwsnort/fwsnort.sh
You can check /var/log/messages for the activity of fwsnort. Without --ipt-drop or --ipt-reject the generated rules only log: every packet that matches a Snort signature is written there, but nothing is blocked yet, which is exactly what you want while testing.
tail -f /var/log/messages
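Before switching the rules to drop mode it helps to see which signatures are firing and from which hosts, since a signature that fires on your own admin workstation or on normal customer traffic is a false positive waiting to lock you out. The following script is an added example and is not part of the original tutorial or of fwsnort itself; it assumes fwsnort's default log prefix of the form "[n] SIDnnn CHAIN " in front of the kernel's IN=/SRC=/DST= fields, and the syslog lines it works on are constructed sample data, not a real capture:

```sh
#!/bin/sh
# Added example (not part of the original tutorial or of fwsnort):
# summarise fwsnort LOG hits from syslog so false positives can be spotted
# before the rules are regenerated with --ipt-drop.
# Assumed log format: "<syslog header> kernel: [<n>] SID<sid> <chain> IN=... SRC=... DST=..."

# Constructed sample lines in the assumed format (not real captured data).
# The last line is an ordinary firewall DROP, not a fwsnort hit, and must be ignored.
SAMPLE_LOG='Jan 10 10:00:01 www kernel: [1] SID2002763 ESTAB IN=eth0 OUT= SRC=20.0.0.1 DST=20.0.0.10 PROTO=TCP SPT=40000 DPT=80
Jan 10 10:00:05 www kernel: [1] SID2002763 ESTAB IN=eth0 OUT= SRC=20.0.0.1 DST=20.0.0.10 PROTO=TCP SPT=40001 DPT=80
Jan 10 10:01:00 www kernel: [7] SID900001 ESTAB IN=eth0 OUT= SRC=198.51.100.7 DST=20.0.0.10 PROTO=TCP SPT=443 DPT=51000
Jan 10 10:02:00 www kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=20.0.0.10 PROTO=TCP SPT=5555 DPT=22'

# Keep only fwsnort hits: lines whose kernel log prefix is "[n] SIDnnn ".
fwsnort_hits() {
    grep -E 'kernel: \[[0-9]+\] SID[0-9]+ '
}

# Count hits per SID, most frequent first, one "<count> <sid>" per line.
hits_by_sid() {
    fwsnort_hits \
        | sed 's/.* SID\([0-9]*\) .*/\1/' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Count hits per source address for a single SID, "<count> <src>" per line.
# A whitelisted or trusted address showing up here means the rule is a false positive.
sources_for_sid() {
    sid="$1"
    fwsnort_hits \
        | grep " SID$sid " \
        | sed 's/.* SRC=\([0-9.]*\) .*/\1/' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Demo on the constructed lines. On the real server use something like:
#   tail -n 2000 /var/log/messages | hits_by_sid
#   tail -n 2000 /var/log/messages | sources_for_sid 2002763
printf '%s\n' "$SAMPLE_LOG" | hits_by_sid
printf '%s\n' "$SAMPLE_LOG" | sources_for_sid 2002763
```

Run it against the real log for a day or two; any SID whose top source is the desktop you put in WHITELIST, or a host you know to be legitimate, should be excluded (or its SID skipped) before the drop rules go live.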
If everything is alright and you see no false positives (matches on traffic that should not be blocked), you can enable blocking in iptables and psad. For this you first have to remove the log-only rules. Unfortunately that did not work with Lenny in my install, so I simply restore the basic iptables ruleset we created in the previous tutorials, which is loaded at boot time.
iptables-restore < /etc/iptables.rules
Now we can finalize the fwsnort rules with active response (drop). Run the following command to convert the rules with drop:
fwsnort --ipt-drop
To restrict the generated rules to a single interface, run the following command instead to convert the rules with drop:
fwsnort --ipt-drop --restrict-intf eth0
Update the iptables script with:
/etc/fwsnort/fwsnort.sh
You can check the new rules with:
iptables -L
Enable boot time start
To automatically generate the rules after a reboot we have to create a script and enable it at boot time (it did not work perfectly when I inserted it the same way as the normal iptables rules, so I created a separate script). The "start" action regenerates the iptables rules in drop mode and appends them to the running iptables. The "stop" action is not the default fwsnort way, because "fwsnort --ipt-flush" did not work for me, so instead it restores the boot time iptables rules and restarts psad (if you do not want to lose psad's scan data across that restart, enable IMPORT_OLD_SCANS).
Create a file for the script
nano /etc/init.d/fwsnort
Copy the following into the file:
#! /bin/sh
# /etc/init.d/fwsnort
#
# Some things that run always
touch /var/lock/fwsnort

# Carry out specific functions when asked to by the system
case "$1" in
  start)
    echo "Starting script fwsnort"
    # Regenerate the iptables rules from the Snort rules in drop mode and load them
    /usr/sbin/fwsnort --ipt-drop
    /etc/fwsnort/fwsnort.sh
    ;;
  stop)
    echo "Stopping script fwsnort and restore iptables with psad"
    # psad has to be installed and IMPORT_OLD_SCANS Y; has to be set to be effective.
    # It could be better with just the following, but it did not work for me:
    #/usr/sbin/fwsnort --ipt-flush
    #/etc/fwsnort/fwsnort.sh
    /etc/init.d/psad stop
    /sbin/iptables-restore /etc/iptables.rules
    /etc/init.d/psad start
    ;;
  *)
    echo "Usage: /etc/init.d/fwsnort {start|stop}"
    exit 1
    ;;
esac

exit 0
Make the script executable
chmod 755 /etc/init.d/fwsnort
To make the rules effective after reboot add the rules to the startup scripts with the following command:
update-rc.d fwsnort defaults
Build a custom fwsnort rule
To build a custom Snort-style rule, create a rules file containing the string we want to match. In this example it is the "Metasploit exploit DB update", which arrives from a remote update server on remote port 443, and we give the rule SID 900001. Since the connection is TLS, the string can only match if it crosses the wire in cleartext, as the certificate fields do during the handshake.
nano /etc/fwsnort/snort_rules/metasploit.rules
Insert the following into the file:
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"Metasploit exploit DB update"; flow:established; content:"cacert@metasploit.com"; classtype:misc-activity; sid:900001; rev:1;)
Run fwsnort to convert the rule to iptables rule:
fwsnort --snort-sid 900001 --ipt-reject
Make psad aware of the rule as well by copying the rules file into its rules directory and assigning the SID a danger level (4 here) in snort_rule_dl:
cp /etc/fwsnort/snort_rules/metasploit.rules /etc/psad/snort_rules
echo "900001 4;" >> /etc/psad/snort_rule_dl
Restart psad service:
/etc/init.d/psad restart
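The same steps, wrapped into a script that is safe to run more than once: it refuses a rule that has no "sid:" option or an unexpected header, writes the rules file for both fwsnort and psad, and appends the SID to snort_rule_dl only if it is not already there (the plain "echo >>" above adds a duplicate entry on every rerun). This is an added example, not part of the original tutorial, fwsnort or psad; ROOT is an assumed variable that lets the script write under a scratch directory for testing, and the actual fwsnort and psad invocations are left as commented commands so the script does nothing to the firewall by itself:

```sh
#!/bin/sh
# Added example (not part of the original tutorial, fwsnort or psad):
# install a custom Snort-style rule for fwsnort and register its SID with psad
# in a way that can be rerun safely. ROOT is an assumed variable; leave it
# empty on the real server, or point it at a scratch directory for testing.
ROOT="${ROOT:-}"

# Check the minimum a rule needs before fwsnort sees it: an "alert" header
# with a protocol fwsnort understands and a "sid:" option.
# Prints the SID on stdout and returns non-zero on failure.
rule_sid() {
    rule="$1"
    case "$rule" in
        "alert tcp "*|"alert udp "*|"alert icmp "*|"alert ip "*) ;;
        *) echo "unsupported rule header: $rule" >&2; return 1 ;;
    esac
    sid=$(printf '%s\n' "$rule" | sed -n 's/.*[ (]sid:\([0-9][0-9]*\);.*/\1/p')
    if [ -z "$sid" ]; then
        echo "rule has no sid: option" >&2
        return 1
    fi
    printf '%s\n' "$sid"
}

# Write <name>.rules for fwsnort and psad (the tutorial's paths, under ROOT),
# then map the SID to a psad danger level (1-5) in snort_rule_dl exactly once.
# Prints the SID that was installed.
install_rule() {
    name="$1"; rule="$2"; level="$3"
    sid=$(rule_sid "$rule") || return 1
    for d in "$ROOT/etc/fwsnort/snort_rules" "$ROOT/etc/psad/snort_rules"; do
        mkdir -p "$d"
        printf '%s\n' "$rule" > "$d/$name.rules"
    done
    dl="$ROOT/etc/psad/snort_rule_dl"
    touch "$dl"
    # "echo >>" alone would add a second entry on every rerun; check first.
    grep -q "^$sid " "$dl" || printf '%s %s;\n' "$sid" "$level" >> "$dl"
    printf '%s\n' "$sid"
}

# Usage as root on the server (ROOT unset), followed by the tutorial's commands:
#   install_rule metasploit 'alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"Metasploit exploit DB update"; flow:established; content:"cacert@metasploit.com"; classtype:misc-activity; sid:900001; rev:1;)' 4
#   fwsnort --snort-sid 900001 --ipt-reject
#   /etc/fwsnort/fwsnort.sh
#   /etc/init.d/psad restart
```

The header check is deliberately strict: fwsnort only translates rules it can express with iptables matches, so a typo such as "alret tcp" would otherwise be silently ignored at conversion time and you would not notice until the rule fails to fire.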
Links: http://www.debian-administration.org/articles/28
Scripts: http://www.cipherdyne.org/LinuxFirewalls/
The BOOK: http://www.nostarch.com/firewalls_mr.htm
The next tutorial is: Webserver install - Part 6 - Hardening V. - Debian Lenny