http://wiki.openwrt.org/MiniHowtos#head-2f41030163df5954cafe1d1ec8001dc27c4cbba7

--------------------------------------------------------------------------------

Installing and Configuring Snort

The easiest way to install whichever version of Snort you choose is with the OpenWrt Admin Console. But before you do that, check /etc/ipkg.conf on the router and make sure the repository mentioned above is included as a source. If it's not, add this line to the file:

    src nico-t http://nthill.free.fr/openwrt/ipkg/testing

Then click on System and Installed Software in the OpenWrt Admin Console and refresh the list of available packages by clicking on Update package lists. All that's left to do then is scroll down the list of packages, find the version of Snort you want, and click on Install next to it.

Before you configure Snort, you'll need to get some rules from the Snort site. Snort rules define the packets that Snort should identify and take action on, and the actions that should be taken. Rather than downloading only the rules included in the default OpenWrt snort.conf file, I downloaded a full set and put them in /etc/snort/rules. That way, I don't have to get new rule sets each time I tweak snort.conf.

You'll need to define the HOME_NET variable near the top of /etc/snort/snort.conf, and also define an output method near the bottom. Once you've done those two things, Snort should be ready to run, except for whatever tweaking you need to do for preprocessors and rules. The pre-configured version of snort.conf, for example, comes with almost all the preprocessors commented out. To activate them, simply remove the # signs from the beginning of each line of the section for the preprocessor you want. The same thing is true for the rules.

Note: Remember to keep an eye on memory usage as you activate preprocessors and rule sets.
My HOME_NET in snort.conf already looked like this, so I kept it:

    var HOME_NET 192.168.1.0/24

For the output option, I removed the # from this line:

    # output alert_syslog: LOG_AUTH LOG_ALERT

Those two changes made, I started snort running by entering snort -i vlan1 & and it blasted off, producing the following on my OpenWrt console:

    root@OpenWrt:~# snort -i vlan1 &
    Running in IDS mode with inferred config file: /etc/snort/snort.conf

    Initializing Network Interface vlan1

            --== Initializing Snort ==--
    Initializing Output Plugins!
    Decoding Ethernet on interface vlan1
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file /etc/snort/snort.conf

    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains...
    ,-----------[Flow Config]----------------------
    | Stats Interval:  0
    | Hash Method:     2
    | Memcap:          10485760
    | Rows  :          4099
    | Overhead Bytes:  16400(%0.16)
    `----------------------------------------------
    No arguments to frag2 directive, setting defaults to:
        Fragment timeout: 60 seconds
        Fragment memory cap: 4194304 bytes
        Fragment min_ttl: 0
        Fragment ttl_limit: 5
        Fragment Problems: 0
        Self preservation threshold: 500
        Self preservation period: 90
        Suspend threshold: 1000
        Suspend period: 30
    Stream4 config:
        Stateful inspection: ACTIVE
        Session statistics: INACTIVE
        Session timeout: 30 seconds
        Session memory cap: 8388608 bytes
        State alerts: INACTIVE
        Evasion alerts: INACTIVE
        Scan alerts: INACTIVE
        Log Flushed Streams: INACTIVE
        MinTTL: 1
        TTL Limit: 5
        Async Link: 0
        State Protection: 0
        Self preservation threshold: 50
        Self preservation period: 90
        Suspend threshold: 200
        Suspend period: 30
        Enforce TCP State: INACTIVE
        Midstream Drop Alerts: INACTIVE
    Stream4_reassemble config:
        Server reassembly: INACTIVE
        Client reassembly: ACTIVE
        Reassembler alerts: ACTIVE
        Zero out flushed packets: INACTIVE
        flush_data_diff_size: 500
        Ports: 21 23 25 53 80 110 111 143 513 1433
        Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
    X-Link2State Config:
        Ports: 25 691
    112 Snort rules read...
    112 Option Chains linked into 57 Chain Headers
    0 Dynamic rules
    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Warning: flowbits key 'tls1.client_hello.request' is checked but not ever set.
    Warning: flowbits key 'sslv3.client_hello.request' is checked but not ever set.
    +-----------------------[thresholding-config]----------------------------------
    | memory-cap : 1048576 bytes
    +-----------------------[thresholding-global]----------------------------------
    | none
    +-----------------------[thresholding-local]-----------------------------------
    | none
    +-----------------------[suppression]------------------------------------------
    | none
    +------------------------------------------------------------------------------
    Rule application order: ->activation->dynamic->alert->pass->log
    Log directory = /var/log/snort

            --== Initialization Complete ==--

       ,,_     -*> Snort! <*-
      o"  )~   Version 2.3.3 (Build 14)
       ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
               (C) Copyright 1998-2004 Sourcefire Inc., et al.

To make sure Snort was logging to the remote machine, I checked the syslog there and found these two new entries in /var/log/syslog:

    Mar  2 15:40:44 192.168.1.1 kernel: vlan1: dev_set_promiscuity(master, 1)
    Mar  2 15:40:44 192.168.1.1 kernel: device vlan1 entered promiscuous mode

Before making any big changes to the rules or preprocessors, I wanted a baseline measurement of how much memory and CPU Snort was eating, so I asked top.
Top said:

    Mem: 18420K used, 12164K free, 0K shrd, 896K buff, 4664K cached
    Load average: 1.00, 1.01, 0.76    (State: S=sleeping R=running, W=waiting)

      PID USER     STATUS   RSS  PPID %CPU %MEM COMMAND
      571 root     R        436     1 98.4  1.4 vi
      899 root     R        412   561  0.7  1.3 top
      898 root     S       7916   561  0.3 25.8 snort
      560 root     S        640   537  0.3  2.0 dropbear
      890 root     S        640   537  0.0  2.0 dropbear
      561 root     S        464   560  0.0  1.5 ash
      891 root     S        460   890  0.0  1.5 ash
      530 nobody   S        436     1  0.0  1.4 dnsmasq
       49 root     S        428     1  0.0  1.3 syslogd
      537 root     S        420     1  0.0  1.3 dropbear
      379 root     S        400     1  0.0  1.3 udhcpc
        1 root     S        392     0  0.0  1.2 init
       55 root     S        392     1  0.0  1.2 init
      541 root     S        388     1  0.0  1.2 httpd
       50 root     S        340     1  0.0  1.1 klogd
      542 root     S        300     1  0.0  0.9 telnetd
        3 root     SWN        0     1  0.0  0.0 ksoftirqd_CPU0
        7 root     SW         0     1  0.0  0.0 mtdblockd
        6 root     SW         0     1  0.0  0.0 kupdated
        4 root     SW         0     1  0.0  0.0 kswapd
       32 root     SWN        0     1  0.0  0.0 jffs2_gcd_mtd4
        5 root     SW         0     1  0.0  0.0 bdflush
        2 root     SW         0     1  0.0  0.0 keventd

Right out of the box, and with only minimal rules in place, Snort was eating 25% of system memory. I added rules and preprocessors, primarily for the detection of scans, but I've tried to avoid taking more than 50% of memory or having less than 1000K free memory. So far, so good, and with no impact on the performance of the router. But remember, you can overload the router if you're not careful, so keep a watchful eye on available resources as you tweak the config. After I enabled the scan detection preprocessors and added a couple of additional rule sets, Snort's memory consumption climbed to 49.3% and the amount of free memory had shrunk to just over 5000K. I decided to stop there.

You might consider installing the plain Jane version first, then moving to one of the database-specific versions if you like. But if you do, remember that changing versions requires more than simply changing your snort.conf to indicate the database: you have to remove the plain Jane version of Snort and then install the database version.
That process will replace your snort.conf, so if you want to keep your old one, make a copy before you install the new version of Snort.

--------------------------------------------------------------------------------

There's a security distribution built on top of OpenWrt that comes with both Snort and Snort-inline: http://packetprotector.org/

The downside is the limited hardware support: it only runs on the WRTSL54GS and ASUS WL-500g Deluxe.

--------------------------------------------------------------------------------
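The two snort.conf edits and the memory budget described in the article (Snort under 50% of RAM, at least 1000K free) can be turned into a repeatable check run on the router after each tweak. This is an added example for busybox ash, not code from the article; the conf path is the article's, the thresholds are the author's own limits, and the live check assumes a busybox top that accepts -b -n 1 and prints the same column layout shown above.

```shell
#!/bin/sh
# Added example, not from the article: pre-flight and memory-budget checks for
# Snort on an OpenWrt router, written for busybox ash. Paths and limits follow
# the article (/etc/snort/snort.conf, Snort under 50% of RAM, >= 1000K free).

SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
MAX_SNORT_PCT=50
MIN_FREE_K=1000

# conf_ready FILE: succeeds only if FILE defines HOME_NET and has at least one
# uncommented "output" line, the two edits the article says snort.conf needs.
conf_ready() {
    grep -qE '^[[:space:]]*var[[:space:]]+HOME_NET[[:space:]]+[^[:space:]]' "$1" || return 1
    grep -qE '^[[:space:]]*output[[:space:]]+[a-z_]+' "$1" || return 1
}

# mem_within_budget MEM_LINE SNORT_ROW: succeeds if the busybox top "Mem:" header
# shows at least MIN_FREE_K free and the snort row (columns PID USER STATUS RSS
# PPID %CPU %MEM COMMAND, as in the article) shows %MEM <= MAX_SNORT_PCT.
mem_within_budget() {
    printf '%s\n%s\n' "$1" "$2" | awk -v maxpct="$MAX_SNORT_PCT" -v minfree="$MIN_FREE_K" '
        NR == 1 { for (i = 2; i <= NF; i++) if ($i == "free,") free_k = $(i - 1) + 0 }
        NR == 2 { pct = $7 + 0 }
        END { if (pct <= maxpct && free_k >= minfree) exit 0; exit 1 }'
}

# snapshot_budget: live check from one batch iteration of top (assumes a busybox
# top that accepts -b -n 1); returns 2 if the needed lines cannot be found.
snapshot_budget() {
    out=$(top -b -n 1 2>/dev/null) || return 2
    mem=$(printf '%s\n' "$out" | grep '^Mem:' | head -n 1)
    row=$(printf '%s\n' "$out" | grep -E '[[:space:]]snort( |$)' | head -n 1)
    [ -n "$mem" ] && [ -n "$row" ] || return 2
    mem_within_budget "$mem" "$row"
}

# Usage on the router after each config tweak: sh snort_budget.sh check
if [ "${1:-}" = "check" ]; then
    conf_ready "$SNORT_CONF" || { echo "snort.conf: HOME_NET or output not set"; exit 1; }
    if snapshot_budget; then echo "snort within budget"; else echo "snort over budget or not running"; exit 1; fi
fi
```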