For anyone working with Snort, it's invaluable to have an environment in which to develop and test rules. This lets you tune rules to be as effective as possible, and the same environment can aid investigations in incident response situations or in malware analysis. This post takes you through how to set up a test lab on an Ubuntu 18.04 analysis machine. The result is a simple web interface for submitting PCAPs to an offline Snort, with the ability to use both the Snort and Emerging Threats community rule packs. An example of the web interface can be seen below:



This setup uses a combination of Python virtual environments and the Websnort tool to provide two instances of Snort, each hosted through its own web interface. The main advantage is that each instance is contained within its own Python virtual environment but uses a single Snort installation, allowing both rule packs to be used in parallel without the overhead of separate virtual machines. Also, as you may have noticed from the images above, having access to multiple rule packs lets you detect different stages of malicious activity, giving you a much more robust toolset.
To get this environment up and running, read and apply the following steps in a terminal:
Update your OS and install the necessary dependencies:
sudo apt update -y
sudo apt upgrade -y
sudo apt install -y build-essential libpcre3-dev zlib1g-dev libluajit-5.1-dev libpcap-dev openssl libssl-dev libnghttp2-dev libdumbnet-dev bison flex
(build-essential provides gcc and make. libdumbnet-dev is the Ubuntu package for the libdnet library Snort needs; the Ubuntu package actually called libdnet is the unrelated DECnet library, so it is not required.)
Make a temporary directory to store install files:
mkdir -p ~/Downloads/snort_tmp
cd ~/Downloads/snort_tmp
Install DAQ (the packet acquisition library Snort requires). For both this and the Snort tarball below, compare the download against the checksum published on snort.org before building it:
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
tar xvzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure && make && sudo make install
Install the latest stable Snort 2 release from source (the version in the Ubuntu repository is out of date):
cd ~/Downloads/snort_tmp
wget https://www.snort.org/downloads/snort/snort-2.9.15.1.tar.gz
tar xvzf snort-2.9.15.1.tar.gz
cd snort-2.9.15.1
./configure && make && sudo make install
Update shared libraries:
sudo ldconfig
Create symlink to Snort binary:
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
Set up the snort user and group (a system account with no login shell; on Ubuntu nologin lives in /usr/sbin):
sudo groupadd snort
sudo useradd snort -r -s /usr/sbin/nologin -c SNORT -g snort
Set up the Snort directory structure:
sudo mkdir /etc/snort
sudo mkdir /var/log/snort
sudo mkdir /usr/local/lib/snort_dynamicrules
Copy/create the config files into the new Snort environment (run these from the snort-2.9.15.1 source directory you are still in):
sudo cp etc/*.conf* /etc/snort
sudo cp etc/*.map /etc/snort
sudo cp etc/*.dtd /etc/snort
sudo cp src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/* /usr/local/lib/snort_dynamicpreprocessor/
sudo touch /etc/snort/white_list.rules
sudo touch /etc/snort/black_list.rules
Download and extract rule packs:
wget https://www.snort.org/downloads/community/community-rules.tar.gz -O community-rules.tar.gz
sudo tar -xvzf community-rules.tar.gz -C /etc/snort/
wget https://rules.emergingthreats.net/open/snort-2.9.7.0/emerging.rules.tar.gz
sudo tar -xvzf emerging.rules.tar.gz -C /etc/snort/
(OPTIONAL) Add a custom.rules file so that rules you are developing can be dropped in and tested (append each rule to that file). The include uses an absolute path rather than $RULE_PATH so that it survives the later step that comments out every "include $RULE_PATH" line, and so that it still resolves from the et.conf copy, meaning both instances load your custom rules:
sudo touch /etc/snort/community-rules/custom.rules
echo "include /etc/snort/community-rules/custom.rules" | sudo tee -a /etc/snort/snort.conf > /dev/null
Change permissions and ownership of the Snort environment. Directories get 775 with setgid so new files inherit the snort group, files get 664; nothing here needs to be executable or setuid:
sudo chmod -R u=rwX,g=rwX,o=rX /etc/snort /var/log/snort /usr/local/lib/snort_dynamicrules
sudo find /etc/snort /var/log/snort /usr/local/lib/snort_dynamicrules -type d -exec chmod g+s {} +
sudo chown -R snort:snort /etc/snort /var/log/snort /usr/local/lib/snort_dynamicrules
Edit the default snort.conf to match the new environment. The first command comments out every stock "include $RULE_PATH/..." line so that each instance only loads the rule pack it is given; the next two point the reputation preprocessor's list files at the empty white_list.rules and black_list.rules created above:
sudo sed -i 's/^include \$RULE_PATH/#&/' /etc/snort/snort.conf
sudo sed -i 's|^var WHITE_LIST_PATH .*|var WHITE_LIST_PATH /etc/snort|' /etc/snort/snort.conf
sudo sed -i 's|^var BLACK_LIST_PATH .*|var BLACK_LIST_PATH /etc/snort|' /etc/snort/snort.conf
echo -e "\n# --- CUSTOM RULES ---#\n" | sudo tee -a /etc/snort/snort.conf > /dev/null
Set HOME_NET to the address range of the network your captures come from (replace the value below with your own). Many rules are written in terms of $HOME_NET and $EXTERNAL_NET, so a PCAP from a network that does not match this value will miss those alerts:
network="192.168.0.0/24"
sudo sed -i "s|ipvar HOME_NET any|ipvar HOME_NET $network|" /etc/snort/snort.conf
Copy config file to be used by Emerging Threats environment:
sudo cp /etc/snort/snort.conf /etc/snort/et.conf
Set up the Snort community rule pack in snort.conf (RULE_PATH points at the extracted community-rules directory and its single community.rules file is included):
sudo sed -i 's|^var RULE_PATH .*|var RULE_PATH /etc/snort/community-rules|' /etc/snort/snort.conf
echo "include \$RULE_PATH/community.rules" | sudo tee -a /etc/snort/snort.conf > /dev/null
Set up the Emerging Threats rule pack in et.conf (RULE_PATH points at the extracted rules directory and every *.rules file in it is included):
sudo sed -i 's|^var RULE_PATH .*|var RULE_PATH /etc/snort/rules|' /etc/snort/et.conf
find /etc/snort/rules/ -type f -name "*.rules" -printf '%f\n' | sort | while read -r file; do echo "include \$RULE_PATH/$file" | sudo tee -a /etc/snort/et.conf > /dev/null; done
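As an added example (not code from the original post) of what the config edits above produce, and of the check worth running before handing either file to Websnort, the script below builds a community.conf and an et.conf from a constructed stand-in for snort.conf inside a temporary directory, then resolves every enabled include against RULE_PATH. The paths, the stub rule files and the sample snort.conf lines are all constructed for the demo; on the lab box the inputs are /etc/snort/snort.conf, /etc/snort/community-rules and /etc/snort/rules, and the equivalent end-to-end check is Snort's own test mode, snort -T -c /etc/snort/et.conf, which parses the config and every included rule file and then exits.

```bash
#!/bin/bash
# Added example, not code from the original post or from Snort/Websnort:
# build one Snort config per rule pack the way the post's sed/tee steps do,
# then verify every include it enables resolves before using it.
# All paths and files below are constructed in a temp dir so this runs offline.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the stock snort.conf: only the lines the post edits.
cat > "$WORK/snort.conf" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
include $RULE_PATH/local.rules
include $RULE_PATH/malware-cnc.rules
EOF

# Constructed rule packs in the layout the two tarballs extract to (local-range SIDs).
mkdir -p "$WORK/community-rules" "$WORK/rules"
echo 'alert tcp any any -> any any (msg:"community stub"; sid:1000001; rev:1;)' > "$WORK/community-rules/community.rules"
echo 'alert tcp any any -> any any (msg:"ET stub 1"; sid:1000002; rev:1;)' > "$WORK/rules/emerging-trojan.rules"
echo 'alert tcp any any -> any any (msg:"ET stub 2"; sid:1000003; rev:1;)' > "$WORK/rules/emerging-policy.rules"
touch "$WORK/white_list.rules" "$WORK/black_list.rules"

# build_conf BASE OUT RULE_DIR LIST_DIR HOME_NET RULEFILE...
# Copy BASE to OUT with every stock include disabled, RULE_PATH and the
# reputation-list paths rewritten, HOME_NET set, and one include per RULEFILE.
build_conf() {
    local base=$1 out=$2 rule_dir=$3 list_dir=$4 home_net=$5 f
    shift 5
    sed -e 's/^include \$RULE_PATH/#&/' \
        -e "s|^var RULE_PATH .*|var RULE_PATH $rule_dir|" \
        -e "s|^var WHITE_LIST_PATH .*|var WHITE_LIST_PATH $list_dir|" \
        -e "s|^var BLACK_LIST_PATH .*|var BLACK_LIST_PATH $list_dir|" \
        -e "s|^ipvar HOME_NET any|ipvar HOME_NET $home_net|" \
        "$base" > "$out"
    printf '\n# --- RULE PACK ---\n' >> "$out"
    for f in "$@"; do
        printf 'include $RULE_PATH/%s\n' "$f" >> "$out"
    done
}

# included_files CONF: file names from every active "include $RULE_PATH/..." line.
included_files() { sed -n 's/^include \$RULE_PATH\///p' "$1"; }

# check_includes CONF: report every include that does not resolve under RULE_PATH
# and return 1 if any is missing. Snort refuses to start on a missing rule file,
# so this catches the mistake before Websnort does.
check_includes() {
    local conf=$1 rule_path f missing=0
    rule_path=$(sed -n 's/^var RULE_PATH //p' "$conf")
    for f in $(included_files "$conf"); do
        if [ ! -f "$rule_path/$f" ]; then
            echo "$conf: missing $rule_path/$f"
            missing=1
        fi
    done
    return "$missing"
}

# rule_count CONF: how many alert rules the active includes would load.
rule_count() {
    local conf=$1 rule_path f n=0
    rule_path=$(sed -n 's/^var RULE_PATH //p' "$conf")
    for f in $(included_files "$conf"); do
        if [ -f "$rule_path/$f" ]; then
            n=$((n + $(grep -c '^alert' "$rule_path/$f" || true)))
        fi
    done
    echo "$n"
}

# Community pack: a single include. Emerging Threats pack: one include per *.rules file.
build_conf "$WORK/snort.conf" "$WORK/community.conf" "$WORK/community-rules" "$WORK" 192.168.0.0/24 community.rules
build_conf "$WORK/snort.conf" "$WORK/et.conf" "$WORK/rules" "$WORK" 192.168.0.0/24 \
    $(cd "$WORK/rules" && ls *.rules | sort)
# The mistake to catch: an include that only exists in the other pack's directory.
build_conf "$WORK/snort.conf" "$WORK/broken.conf" "$WORK/rules" "$WORK" 192.168.0.0/24 community.rules custom.rules

for c in community et broken; do
    if check_includes "$WORK/$c.conf"; then
        echo "$c.conf: $(rule_count "$WORK/$c.conf") rules, ready for websnort"
    else
        echo "$c.conf: fix the includes above before using it"
    fi
done
```

The third config deliberately includes a file that only exists in the other pack's directory, which is exactly what happens if a custom.rules include is written with $RULE_PATH and then inherited by the et.conf copy; check_includes reports it up front instead of leaving Websnort to fail on the first submitted PCAP.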
Install pip3 if not already installed:
sudo apt install python3-pip
Install Python 3 venv to be used for setting up the virtual environments:
sudo apt install python3-venv
Make a default directory in which all future venvs will be stored:
mkdir $HOME/venv && cd $HOME/venv
Create a new venv for each Snort instance:
python3 -m venv snort
python3 -m venv emerging-threats
Activate snort venv and install websnort:
cd ~/venv/snort
source bin/activate
pip3 install websnort
Start Websnort on port 8001 (change as required). Its default websnort.conf points at snort.conf, so this first instance needs no configuration change:
websnort -p 8001 &
Open a new terminal tab and repeat the installation for the emerging-threats venv:
cd ~/venv/emerging-threats
source bin/activate
pip3 install websnort
Edit websnort.conf so this instance uses et.conf and therefore the Emerging Threats rule pack (the path below is for the default Python 3.6 on Ubuntu 18.04; adjust it if the venv was created with another version):
sed -i "s|snort.conf|et.conf|" lib/python3.6/site-packages/websnort/conf/websnort.conf
Start second websnort on port 8002 (change as required):
websnort -p 8002 &
Finally, clean up by deleting the temp directory in a new tab:
sudo rm -rf ~/Downloads/snort_tmp
That's it! You should now be able to access both web interfaces through your host's web browser at localhost:8001 (Snort community rules) and localhost:8002 (Emerging Threats). The same setup can be run on a private network and shared with a team of analysts; bear in mind that anyone who can reach the port can upload PCAPs and drive a Snort process, so keep it on localhost or on a network restricted to the analysts who should be using it rather than exposing it more widely.
Lastly, I just want to go over a simple example of how useful this setup can be in an IR situation. I’ll use a PCAP from https://www.malware-traffic-analysis.net/ which I know to be malicious as a mock trigger PCAP. If you haven’t come across this site before, I highly recommend having a look.
First, upload the PCAP through the web interface as per below:

Once Snort has finished running the PCAP and outputs the alerts, select the alert you wish to look into and copy the timestamp as highlighted below:

Next, open Wireshark and paste the timestamp into the display filter as seen below. This can also be achieved by right-clicking any packet's Arrival Time field and selecting Prepare a Filter. That option is the safer choice if, as in my case, the alert time is an hour out because of daylight saving time:

The packet that's left after applying this filter should be the trigger packet, which you can now investigate further. Do this by right-clicking on the packet and selecting Follow, TCP Stream:
If you want to confirm you're looking at the correct packet, take the SID reported by the Snort alert and grep for it across the rule pack to have a better look at the signature you're dealing with, as below:


Now, if you want to confirm that the content matches from the signature you can search the stream and confirm you’re looking at the potentially malicious traffic to be investigated further:

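The hand steps above (copy the SID, grep the rule pack, build a Wireshark filter, check the content matches in the stream) can be scripted. The block below is an added example, not code from this post or from Websnort: it parses constructed alert lines in Snort's console/fast alert format, looks each SID up in a constructed rule file under a temporary directory, lists the rule's content patterns to search for in the followed stream, and derives a Wireshark display filter from the alert's protocol, addresses and ports rather than from its timestamp, which sidesteps the daylight-saving offset noted earlier. The SIDs are from the local range and the addresses are documentation ranges, all made up for the demo; on the lab box you would point rule_for_sid at /etc/snort/community-rules or /etc/snort/rules.

```bash
#!/bin/bash
# Added example, not code from the original post: triage Snort console/fast-format
# alert lines the way the post does by hand. Alert lines and the rule file are
# constructed for this demo; point rule_for_sid at the real rule directory on the lab box.
set -u

RULES_DIR=$(mktemp -d)
trap 'rm -rf "$RULES_DIR"' EXIT

# Constructed rules using SIDs from the local range (1000000+), not real signatures.
cat > "$RULES_DIR/custom.rules" <<'EOF'
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL example EXE download"; flow:established,to_client; content:"MZ"; depth:2; content:"This program cannot be run in DOS mode"; classtype:policy-violation; sid:1000001; rev:2;)
alert udp $HOME_NET any -> any 5353 (msg:"LOCAL example mDNS query"; sid:1000002; rev:1;)
EOF

# Constructed alert lines in the format Snort prints with -A console / alert_fast.
SAMPLE_ALERTS='04/22-14:20:09.245123  [**] [1:1000001:2] LOCAL example EXE download [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 203.0.113.10:80 -> 10.0.0.5:49152
04/22-14:20:10.001000  [**] [1:1000002:1] LOCAL example mDNS query [**] [Priority: 0] {UDP} 10.0.0.5:5353 -> 224.0.0.251:5353
04/22-14:20:11.500000  [**] [1:1000003:1] LOCAL example ping [**] [Priority: 3] {ICMP} 10.0.0.5 -> 203.0.113.10'

# alert_line N: print the N-th sample alert (1-based).
alert_line() { printf '%s\n' "$SAMPLE_ALERTS" | sed -n "${1}p"; }

# alert_sid LINE: the SID out of the [gid:sid:rev] triplet.
alert_sid() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([0-9][0-9]*\):\([0-9][0-9]*\):\([0-9][0-9]*\)\].*/\2/p'
}

# rule_for_sid SID DIR: the rule line(s) carrying that SID in any *.rules file
# under DIR; this is the grep the post runs by hand. Exit status 1 if not found.
rule_for_sid() {
    grep -rh --include='*.rules' -- "sid: *$1;" "$2"
}

# rule_contents RULE: every content:"..." pattern in a rule, one per line, which is
# what to search for in the followed TCP stream to confirm the match.
rule_contents() {
    printf '%s\n' "$1" | grep -o 'content:"[^"]*"' | sed 's/^content:"//; s/"$//'
}

# alert_filter LINE: a Wireshark display filter built from the alert's protocol and
# IPv4 addresses/ports instead of its timestamp, so DST offsets cannot mislead you.
alert_filter() {
    printf '%s\n' "$1" | awk '{
        proto = tolower(substr($(NF-3), 2, length($(NF-3)) - 2))
        n = split($(NF-2), s, ":"); m = split($NF, d, ":")
        f = "ip.addr == " s[1] " && ip.addr == " d[1]
        if (n == 2 && m == 2)
            f = f " && " proto ".port == " s[2] " && " proto ".port == " d[2]
        else
            f = f " && " proto
        print f
    }'
}

# Walk the sample alerts, printing what an analyst would paste into grep and Wireshark.
i=1
while [ "$i" -le 3 ]; do
    line=$(alert_line "$i")
    sid=$(alert_sid "$line")
    echo "alert:   $line"
    echo "sid:     $sid"
    echo "filter:  $(alert_filter "$line")"
    rule=$(rule_for_sid "$sid" "$RULES_DIR" || true)
    if [ -n "$rule" ]; then
        echo "rule:    $rule"
        echo "content: $(rule_contents "$rule" | tr '\n' '|')"
    else
        echo "rule:    (sid $sid not found under $RULES_DIR)"
    fi
    echo
    i=$((i + 1))
done
```

The 5-tuple filter shows the whole conversation rather than the single trigger packet, which is usually what you want anyway once you are about to follow the stream; the third sample alert exists to show that an ICMP alert, which carries no ports, still yields a usable filter, and that a SID absent from the rule pack is reported rather than silently skipped.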
That's just a quick example of how this setup can be useful, but it is by no means the only situation. It can also be adapted into a malware analysis environment to develop and test signatures that detect malware traffic, or to investigate and tune noisy signatures plaguing a network with false positives.
Enjoy…