Linux

How to install Snort and use as Web Application Firewall!

Considering a number of attacks on web application these days, one must be pro-active in case of the security. You might already be using Web Application Firewall for your web application security including but not limited to ModSecurity. However, ModSecurity works at the application layer.

That means it is installed with Web Server Software (Apache, Nginx etc). Any malicious packets that travel towards your web application are then blocked by this firewall on the application layer. Packet first arrives on the interface of a server, then it moves to the Linux kernel and eventually, it arrives at the application (here application is a web server). ModSecurity is installed as a module in a web server, which inspects every packet before it is delivered to the web application.

Now, would it be better to inspect these packets as soon as they arrive on your network interface cards? Before they even reach your web server? Yes, it would be better and it can be achieved via Snort. Snort is an intrusion detection system and it looks into all the packets that come on your network interface card. In this article, we will see that how to install snort and use as web application firewall. (Even though it can be used to prevent against many more attacks).

Step 1: Download Ubuntu and Prepare Environment for Snort Installation

I’ve performed the installation of Snort on Ubuntu 16.04 server version without a single glitch. You can download the exact Ubuntu version that I’ve used from here. Once the download is complete you need to create a virtual machine on either VMware or Oracle Virtual box. Or you can look at vps offers to buy a vps to test snort, but make sure you get Ubuntu 16.04 server version installed on your VPS. Once you have a virtual machine ready with Ubuntu installed we are ready to prepare our environment for Snort installation by installing pre-requisites.

We first need to bring all our system packages to their latest version along with the kernel, we can simply use these commands to do that:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade -y

# than install openssh server to access your virtual machine via ssh


sudo apt-get install -y openssh-server
sudo reboot

Snort has 4 most important dependencies:

  1. pcap (libpcap-dev)
  2. PCRE (libpcre3-dev)
  3. Libdnet (libdumbnet-dev)
  4. DAQ

Except for DAQ everything is available in default Ubuntu repository, we will install daq from the source directly. Commands below will install everything that we require:

sudo apt-get install -y build-essential

sudo apt-get install -y libpcap-dev libpcre3-dev libdumbnet-dev

Following software is required by daq:

sudo apt-get install -y bison flex

Now install daq:

wget https://snort.org/downloads/snort/daq-2.0.6.tar.gz
tar -xvzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure
make
sudo make install

There are some libraries, they are not mandatory but it can improve snort performance, they can be installed using:

sudo apt-get install -y zlib1g-dev liblzma-dev openssl libssl-dev

sudo apt-get install -y libnghttp2-dev

That is all we’ve successfully installed all pre-requisites. You can now easily install snort.

Step 2: Configure Network Adaptor

We’ve to disable two settings for your network adaptor for snort to work properly:

  • Large Receive Offload
  • Generic Receive Offload

You can do that via pasting following two lines on your network interface file: ( /etc/network/interfaces )

post-up ethtool -K ens33 gro off
post-up ethtool -K ens33 lro off

Note: “ens33” is the name of the interface on my vps, to get the name of the interface on your machine you can use “ifconfig” command, the output will be something like this:

Your network interface file will finally look like:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto ens33
iface ens33 inet dhcp
post-up ethtool -K ens33 gro off
post-up ethtool -K ens33 lro off

Now restart your network.

Step 3: Install Snort!

After installing all the dependencies and configuring your interface you are now ready to install snort from source.

wget https://snort.org/downloads/snort/snort-2.9.9.0.tar.gz
tar -xvzf snort-2.9.9.0.tar.gz
cd snort-2.9.9.0
./configure --enable-sourcefire
make
sudo make install

If nothing fails, snort is now successfully installed. But we’ve to do a lot more.

You can now test snort installation using:

/usr/local/bin/snort -V

Your output should something like this:

Step 4: Configure Snort!

Snort is installed, but just like any other software in Linux, it depends on a lot of configuration files, in this step we will create configuration files needed by a snort and set proper permissions so that snort can access those files.

We will start by creating a user “snort” under which Snort will run than create files required by a snort and change the owner of those files to “snort” user.

Let us start by creating a user and group snort:

sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort

We will now create some directories, these directories will contain snort configuration and other important related files:

sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /etc/snort/rules/iplists
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules

Create files that will save rules:

sudo touch /etc/snort/rules/iplists/black_list.rules
sudo touch /etc/snort/rules/iplists/white_list.rules
sudo touch /etc/snort/rules/local.rules
sudo touch /etc/snort/sid-msg.map

Create directories where snort will store logs, you can create them on location which suits you best:

sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs

Let’s change the permissions now:

sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules

We now need to make snort the owner of the directories we created above:

sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules

Snort depends upon a lot of configurations files, some of these configuration files can be taken directly from the Snort tarball that you have downloaded. We can use the commands below to copy these files to their respective locations:

Note: I am assuming you are in a directory where you have extracted Snort tarball.

cd snort-2.9.9.0/etc/
sudo cp *.conf* /etc/snort
sudo cp *.map /etc/snort
sudo cp *.dtd /etc/snort
cd snort-2.9.9.0/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/
sudo cp * /usr/local/lib/snort_dynamicpreprocessor/

We now have everything ready, all we need to do now is configure our configuration files and start snort so that we can inspect our network traffic.

Step 5: Define Rules!

Before we start Snort, we have to define rules, for now, we will comment out all the rules that come by default with snort, so that we can do our own manual test. You can comment out all the current rules using:

sudo sed -i "s/include \$RULE\_PATH/#include \$RULE\_PATH/" /etc/snort/snort.conf

We will now make some changes in “/etc/snort/snort.conf”

On line 45 of this file you will have something like this: “ipvar HOME_NET any”

Note: “nano +45 /etc/snort/snort.conf” , command within quotes will take you directly to 45th line on this file.

You can remove any with your network configuration, and example of it will be:

ipvar HOME_NET 172.16.51.1/24
This tells snort that your interface is configured on this subnet and snort will inspect packets only on this network, after editing your file must be similar to this:
We now have to set some paths starting from line 104, and your paths should look like:
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules/iplists
var BLACK_LIST_PATH /etc/snort/rules/iplists

We will create a special file where we are going to define custom rules so that we can test the successful installation of Snort, for that you need to uncomment a line on 546.

After uncommenting the line it should look like:

include $RULE_PATH/local.rules
Finally, let snort test the configuration file to make sure everything is in order, we can do that using the command:
sudo /usr/local/bin/snort -T -i ens33 -c /etc/snort/snort.conf

It must say following at the end: Snort successfully validated the configuration!

Step 6: Test the working of Snort!

 We will now test our Snort installation before moving forward, we can define rules in the file located at “/etc/snort/rules/local.rules”. Paste following rule in this file:
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477;rev:3;)

Let see what does this rule means:

Rule Action: alert

This means what to do when this rule is triggered, it is set to alert only and do no other action.

Protocol: icmp

The rule implies to icmp packets on the interface card.

Source IP and Source port:

Next, we define that this rule should trigger for any IP address and for any port.

Arrow:

Determine the direction of the packet.

Destination IP and Destination Port:

They are also set to any

Last Option (In brackets):

Is the message which will be displayed when this rule is triggered, as seen in the image below:

Start Snort

Once you have defined the rule and you know what each option in the rule meant, it is the time we should start Snort to listen on the interface and trigger alerts if there are any rules matched, you can start snort using:

sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i ens33

Note: Please replace “ens33” with your interface name.

Once you run this command, there will be no output yet. But snort is started, it will start printing output once any rule is triggered.

Now go to another machine in the network and ping your snort virtual machine, and you will see something like this:

If this is what you see, that means Snort is successfully installed and configured. If not please go back and see what you have missed and make sure everything is in the correct order.

Step 7: Install Web Server!

This article was about protecting web server using Snort, now that Snort is installed and configured we will install our web server and define some rules that can protect against web application attacks. Apache can be installed using:

sudo apt-get install apache2

Make sure that installation is successfully by pointing your browser to http://< IP Address >

It should load apache default page, something like this:

Step 8: Define rules to block Malicious web traffic

We will first define a simple rule which will generate alerts for all the HTTP packets:

alert tcp any any -> any 80 (msg:"HTTP Packet"; sid:478;rev:3;)

This rule simply says that if any packet whose protocol is “TCP” and its destination port is “80“, the trigger should be raised. (Normally web server runs on port 80)

Now start Snort and again open your IP on the browser at http://< IP Address >

You would see some alerts like this generated where Snort is running:

However this is the very general rule and this won’t tell us anything, we will have to define rules that will protect us against real attacks:

alert tcp any any -> any 80 (msg:"XSS Attack"; sid:479;rev:3;content:"alert(1)")

This is another simple rule, that does the same thing as the last one, but it will only generate alerts if a packet contains following content inside it “alert(1)”, which is a general test of XSS attack on a web application. After adding this rule to the file, visit the following link:

http://< IP Address>/?=alert(1)

You will see something like this:

However, you do not need to worry about generating rules, because there are millions of attack signatures. You can use rules that are already defined by experts. You can download and paste those rules in the file.

  1. Apache rules for Snort can be found here.
  2. Some PHP rules here.
  3. SQL Injection rules here.

Conclusion

In this article we learned how to install snort, and how can we use Snort to protect against web application attacks. And why it is beneficial to stop web attacks at interface level rather than on application level.

Because it is much better to stop the attack before it even reaches the application, this reduces the chance of your web server getting compromised.

If you have any question or queries feel free to ask in the comment box below.

1 thought on “How to install Snort and use as Web Application Firewall!

    • Author gravatar

      Nice article but my criticism is you show how to generate alerts using Snort but not how to block the possible attacks based on the alerts generated.. unless I missed something – so this is not really a description of how to use snort as a WAF more just snort as an IDS for web. How you gonna drop traffic that is flagged as malicious?

Leave a Reply

Your email address will not be published. Required fields are marked *