Snort Test Environment

For anyone working with Snort, it's invaluable to have an environment in which to develop and test rules. It lets you tune rules to be as effective as possible and can also support investigations in incident response or malware analysis. This post takes you through how to set up a test lab on an Ubuntu 18.04 analysis machine. The result is a simple web interface for submitting PCAPs to an offline Snort, with the ability to use both the Snort Community and Emerging Threats (ET Open) rule packs. An example of the web interface can be seen below:

Websnort: Input
Websnort: Snort Community Rules
Websnort: Emerging Threats Rules

This setup uses Python virtual environments and the Websnort tool to provide two instances of Snort, each behind its own web interface. The main advantage is that each instance lives in its own Python virtual environment but shares a single Snort installation, so both rule packs can be used in parallel without the overhead of separate virtual machines. As the screenshots above show, having several rule packs available lets you detect different stages of malicious activity, which makes for a much more robust toolset.

To get this environment up and running, read and apply the following steps in a terminal:

Update your OS and install the build dependencies. build-essential supplies make and the compiler, and libdumbnet-dev is Ubuntu's name for the dnet library that Snort's configure script looks for (the unrelated libdnet package is a DECnet library and is not needed):

sudo apt update
sudo apt upgrade -y
sudo apt install -y build-essential libpcre3-dev zlib1g-dev libluajit-5.1-dev libpcap-dev openssl libssl-dev libnghttp2-dev libdumbnet-dev bison flex

Make a temporary directory to store install files:

mkdir -p ~/Downloads/snort_tmp
cd ~/Downloads/snort_tmp

Install DAQ (the Data Acquisition library Snort uses to read packets):

wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
tar xvzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure && make && sudo make install

Install the latest stable Snort 2.9 release from source (the version in the Ubuntu repository is outdated; 2.9.15.1 was current when this was written):

cd ~/Downloads/snort_tmp
wget https://www.snort.org/downloads/snort/snort-2.9.15.1.tar.gz
tar xvzf snort-2.9.15.1.tar.gz
cd snort-2.9.15.1
./configure && make && sudo make install

Update shared libraries:

sudo ldconfig

Create symlink to Snort binary:

sudo ln -s /usr/local/bin/snort /usr/sbin/snort

Set up a dedicated snort user and group (a system account with no login shell):

sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT -g snort

Set up the Snort directory structure:

sudo mkdir -p /etc/snort
sudo mkdir -p /var/log/snort
sudo mkdir -p /usr/local/lib/snort_dynamicrules

Copy the stock configuration files into the new Snort environment (run this from the snort-2.9.15.1 source directory you are still in) and create the empty IP reputation lists that snort.conf expects:

sudo cp etc/*.conf* /etc/snort
sudo cp etc/*.map /etc/snort
sudo cp etc/*.dtd /etc/snort
sudo cp src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/* /usr/local/lib/snort_dynamicpreprocessor/
sudo touch /etc/snort/white_list.rules
sudo touch /etc/snort/black_list.rules

Download and extract the rule packs. The Community rules unpack into /etc/snort/community-rules and the ET Open rules into /etc/snort/rules:

wget https://www.snort.org/downloads/community/community-rules.tar.gz -O community-rules.tar.gz
sudo tar -xvzf community-rules.tar.gz -C /etc/snort/
wget https://rules.emergingthreats.net/open/snort-2.9.7.0/emerging.rules.tar.gz
sudo tar -xvzf emerging.rules.tar.gz -C /etc/snort/

(OPTIONAL) Add a file for custom rules so they can be dropped in and tested easily (append rules to custom.rules to use it). The include uses an absolute path on purpose: the step below that comments out the stock $RULE_PATH includes then leaves it alone, and because et.conf is copied from snort.conf later, both instances will load your custom rules:

sudo touch /etc/snort/community-rules/custom.rules
echo "include /etc/snort/community-rules/custom.rules" | sudo tee -a /etc/snort/snort.conf > /dev/null

Set ownership and permissions on the Snort environment. Directories get the setgid bit so new files inherit the snort group; config and rule files only need to be readable (and group-writable for editing), so there is no reason to make them executable or to set the setuid bit, as the commonly copied chmod -R 5775 does:

sudo chown -R snort:snort /etc/snort /var/log/snort /usr/local/lib/snort_dynamicrules
sudo find /etc/snort /var/log/snort /usr/local/lib/snort_dynamicrules -type d -exec chmod 2775 {} +
sudo find /etc/snort /var/log/snort /usr/local/lib/snort_dynamicrules -type f -exec chmod 0664 {} +

Edit the default snort.conf to match the new environment: disable every stock rule include (the rule packs are wired in below) and point the reputation list variables at /etc/snort. The substitutions are anchored to the start of the line so only the real directives change:

sudo sed -i 's|^include \$RULE_PATH/|#include $RULE_PATH/|' /etc/snort/snort.conf
sudo sed -i 's|^var WHITE_LIST_PATH .*|var WHITE_LIST_PATH /etc/snort|' /etc/snort/snort.conf
sudo sed -i 's|^var BLACK_LIST_PATH .*|var BLACK_LIST_PATH /etc/snort|' /etc/snort/snort.conf
echo -e "\n# --- CUSTOM RULES ---#\n" | sudo tee -a /etc/snort/snort.conf > /dev/null

Set HOME_NET to the internal range of the network whose traffic you will be analyzing; rules that use the $HOME_NET/$EXTERNAL_NET direction depend on it. For PCAPs from networks you do not know, leaving it as any is the safer choice:

network="192.168.0.0/24"

sudo sed -i "s|^ipvar HOME_NET any|ipvar HOME_NET $network|" /etc/snort/snort.conf

Copy the config for the Emerging Threats instance now, before the rule path is set, so the two configs differ only in which rule pack they load:

sudo cp /etc/snort/snort.conf /etc/snort/et.conf

Set up the Snort Community rule pack in snort.conf:

sudo sed -i 's|^var RULE_PATH .*|var RULE_PATH /etc/snort/community-rules|' /etc/snort/snort.conf
echo "include \$RULE_PATH/community.rules" | sudo tee -a /etc/snort/snort.conf > /dev/null

Set up the Emerging Threats rule pack in et.conf, including every .rules file the tarball shipped:

sudo sed -i 's|^var RULE_PATH .*|var RULE_PATH /etc/snort/rules|' /etc/snort/et.conf
find /etc/snort/rules/ -type f -name "*.rules" -printf '%f\n' | sort | while read -r file; do echo "include \$RULE_PATH/$file" | sudo tee -a /etc/snort/et.conf > /dev/null; done

Validate both configurations before wiring them into the web interface. Snort's -T test mode parses the config and every included rule file, reports how many rules were loaded and exits, or stops at the first line it cannot parse. If an ET rule file fails to load, comment its include line out of et.conf and re-test:

sudo snort -T -c /etc/snort/snort.conf
sudo snort -T -c /etc/snort/et.conf
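As an added example (not part of the original post), here is the same snort.conf/et.conf editing gathered into one re-runnable shell function. It generates each instance's config from an untouched copy of the stock file instead of editing in place, anchors every substitution to the start of the line so only the real directives change, and disables the stock $RULE_PATH includes before appending the instance's own. The write_sample_stock_conf helper writes a constructed stand-in for the handful of stock snort.conf lines involved so the script runs without Snort installed; on the analysis box you would point it at a pristine backup such as /etc/snort/snort.conf.orig (an assumed file you would save before editing) and at the rule files unpacked above. The ET file names in the demo are only examples of what the tarball contains.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: generate one Snort config per rule pack
# from a pristine copy of the stock snort.conf. Re-running regenerates the file instead
# of stacking edits, which in-place sed/tee editing cannot guarantee.

# make_instance_conf SRC DEST RULE_PATH LIST_DIR HOME_NET RULEFILE...
#   SRC       pristine stock snort.conf (read only)
#   DEST      config written for this instance, e.g. /etc/snort/et.conf
#   RULE_PATH directory holding the instance's rule files
#   LIST_DIR  directory holding white_list.rules and black_list.rules
#   HOME_NET  value for "ipvar HOME_NET"
#   RULEFILE  names of rule files under RULE_PATH to include
# Values must not contain the '|' sed delimiter or '&'.
make_instance_conf() {
    src=$1 dest=$2 rule_path=$3 list_dir=$4 home_net=$5
    shift 5
    sed -e "s|^ipvar HOME_NET .*|ipvar HOME_NET $home_net|" \
        -e "s|^var RULE_PATH .*|var RULE_PATH $rule_path|" \
        -e "s|^var WHITE_LIST_PATH .*|var WHITE_LIST_PATH $list_dir|" \
        -e "s|^var BLACK_LIST_PATH .*|var BLACK_LIST_PATH $list_dir|" \
        -e 's|^include \$RULE_PATH/|#include $RULE_PATH/|' \
        "$src" > "$dest"
    printf '\n# --- RULE PACK (generated by make_instance_conf) ---\n' >> "$dest"
    for f in "$@"; do
        printf 'include $RULE_PATH/%s\n' "$f" >> "$dest"
    done
}

# Number of live (uncommented) include lines; a cheap sanity check before
# running "sudo snort -T -c DEST" on the analysis box.
active_includes() { grep -c '^include ' "$1"; }

# Constructed stand-in for the stock snort.conf lines this touches (not the real file).
write_sample_stock_conf() {
    cat > "$1" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
# include $RULE_PATH/experimental.rules
EOF
}

# Demo on the constructed file. On the analysis box the calls would look like:
#   make_instance_conf /etc/snort/snort.conf.orig /etc/snort/snort.conf \
#       /etc/snort/community-rules /etc/snort 192.168.0.0/24 community.rules custom.rules
#   make_instance_conf /etc/snort/snort.conf.orig /etc/snort/et.conf \
#       /etc/snort/rules /etc/snort 192.168.0.0/24 $(ls /etc/snort/rules | grep '\.rules$')
work=$(mktemp -d)
write_sample_stock_conf "$work/snort.conf.orig"
make_instance_conf "$work/snort.conf.orig" "$work/snort.conf" \
    /etc/snort/community-rules /etc/snort 192.168.0.0/24 community.rules custom.rules
make_instance_conf "$work/snort.conf.orig" "$work/et.conf" \
    /etc/snort/rules /etc/snort 192.168.0.0/24 emerging-trojan.rules emerging-malware.rules
echo "snort.conf live includes: $(active_includes "$work/snort.conf")"
cat "$work/et.conf"
rm -rf "$work"
```

Because the stock file is never modified, running the function again after a rules update or a HOME_NET change produces a fresh config rather than a second set of commented-out includes.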

Install pip and the venv module for Python 3, if not already installed:

sudo apt install -y python3-pip python3-venv

Make a directory to hold the virtual environments and create one per Snort instance:

mkdir -p $HOME/venv && cd $HOME/venv
python3 -m venv snort
python3 -m venv emerging-threats

Activate the snort venv, install Websnort and start it on port 8001 (change as required):

cd ~/venv/snort
source bin/activate
pip3 install websnort
websnort -p 8001 &

Websnort does not authenticate users, so bind it to localhost only (websnort --help shows the option that sets the listen address) and use an SSH tunnel or an authenticating reverse proxy if anyone else needs to reach it.

Open a new terminal tab and repeat the installation for the emerging-threats venv:

cd ~/venv/emerging-threats
source bin/activate
pip3 install websnort

Edit this venv's websnort.conf so the second instance uses et.conf. Locating the file through the installed package avoids hard-coding the Python version in the site-packages path:

websnort_conf=$(python3 -c 'import os, websnort; print(os.path.join(os.path.dirname(websnort.__file__), "conf", "websnort.conf"))')
sed -i "s|snort.conf|et.conf|" "$websnort_conf"

Start the second Websnort on port 8002 (change as required):

websnort -p 8002 &

Finally, clean up by deleting the temp directory (in a new tab, so the venvs stay active):

sudo rm -rf ~/Downloads/snort_tmp

That's it! You should now be able to reach both web interfaces from your host's browser at localhost:8001 (Snort Community) and localhost:8002 (Emerging Threats). The same setup can be deployed on a private network to share with a team of analysts; in that case put the two ports behind something that authenticates users, because anyone who can reach them can submit PCAPs and read every result.

Lastly, a simple example of how useful this setup can be in an IR situation. I'll use a PCAP from https://www.malware-traffic-analysis.net/, which I know to be malicious, as a mock trigger PCAP. If you haven't come across the site before, I highly recommend having a look.

First, upload the PCAP through the web interface as per below:

PCAP Upload

Once Snort has finished processing the PCAP and lists the alerts, select the alert you want to look into and copy its timestamp, as highlighted below:

Snort Alert

Next, open the PCAP in Wireshark and paste the timestamp into the display filter, as shown below. The same filter can be built by right-clicking any packet's Arrival Time field and choosing Prepare a Filter. That is the better option when the two clocks disagree; in my case the alert was an hour out because of daylight saving, since Snort stamps alerts in the analysis machine's local time unless run with -U. A filter on the alert's source and destination addresses and ports is a more robust pivot, because it depends on neither clock:

Trigger Packet

The packet left after applying this filter should be the trigger packet, which you can now investigate further. Right-click it and select Follow, TCP Stream:

To confirm you're looking at the correct packet, take the SID reported in the Snort alert and grep for it in the rule pack to get a better look at the signature you're dealing with, as below:

TCP Stream
SID Grep

Finally, to confirm the content match from the signature, search the stream for the rule's content patterns. If they are present, you are looking at the potentially malicious traffic to investigate further:

Content Match
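The pivots in the walkthrough above (alert timestamp to Wireshark filter, SID to rule text, rule text to the content strings to look for in the stream) are easy to script. The following is an added example, not part of the original post: shell functions that take a Snort fast-format alert line and produce a Wireshark 5-tuple filter (which, unlike the timestamp, is immune to the daylight-saving offset mentioned above), a frame.time filter with the year supplied, the SID, the matching rule from a rules directory, and the rule's content patterns. The sample alert, its SID 1000001 and the addresses are constructed for the example; the directories /etc/snort/community-rules and /etc/snort/rules are the ones set up earlier in this post.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: pivot from a Snort "fast" alert line to
# the trigger packet in Wireshark and to the rule behind the alert's SID.
# Assumes the default fast-alert layout (MM/DD-HH:MM:SS.usec, no year unless Snort
# is run with -y), IPv4 endpoints, and rule packs unpacked as plain .rules files.

# Constructed sample alert; the SID, message and addresses are made up for this example.
SAMPLE_ALERT='03/14-15:02:07.512340  [**] [1:1000001:2] EXAMPLE Suspicious GET to /update.bin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.15:49732 -> 203.0.113.7:80'

# Wireshark display filter on the alert's 5-tuple. Unlike the timestamp, this does not
# depend on the local-time/DST offset between Snort's stamp and Wireshark's display.
alert_to_tuple_filter() {
    line=$1
    proto=$(printf '%s\n' "$line" | sed -n 's/.*{\([A-Za-z]*\)}.*/\1/p' | tr '[:upper:]' '[:lower:]')
    endpoints=$(printf '%s\n' "$line" | sed -n 's/.*} \(.*\)$/\1/p')   # "a:p -> b:q"
    src=${endpoints%% -> *}
    dst=${endpoints##* -> }
    case $proto in
        tcp|udp)
            printf 'ip.src==%s && %s.srcport==%s && ip.dst==%s && %s.dstport==%s\n' \
                "${src%:*}" "$proto" "${src##*:}" "${dst%:*}" "$proto" "${dst##*:}" ;;
        *)  # ICMP and other protocols carry no ports in the alert line
            printf 'ip.src==%s && ip.dst==%s\n' "$src" "$dst" ;;
    esac
}

# Wireshark frame.time filter for the alert stamp, the pivot the post uses. The fast
# format has no year, so it is passed in; the stamp is the analysis box's local time.
alert_to_time_filter() {
    year=$1
    stamp=${2%% *}                       # "03/14-15:02:07.512340"
    mm=${stamp%%/*}; mm=${mm#0}
    dd=${stamp#*/}; dd=${dd%%-*}
    hms=${stamp#*-}
    mon=$(printf 'Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec\n' | cut -d' ' -f"$mm")
    printf 'frame.time == "%s %s, %s %s000"\n' "$mon" "$dd" "$year" "$hms"
}

# The header "[gid:sid:rev]" is the only bracketed all-numeric group; take its middle field.
alert_sid() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([0-9][0-9]*\):\([0-9][0-9]*\):\([0-9][0-9]*\)\].*/\2/p'
}

# Print the rule(s) carrying a SID from a rules directory (/etc/snort/community-rules
# for the Snort instance, /etc/snort/rules for the ET one).
lookup_sid() { grep -rh --include='*.rules' -e "sid:$1;" -e "sid: $1;" "$2"; }

# Pull the content: patterns out of a rule; these are the strings to look for in the
# followed TCP stream when confirming the match. Negated (!) contents are kept.
rule_contents() { printf '%s\n' "$1" | grep -o 'content:!*"[^"]*"' | sed 's/^content://'; }

echo "5-tuple filter : $(alert_to_tuple_filter "$SAMPLE_ALERT")"
echo "time filter    : $(alert_to_time_filter 2019 "$SAMPLE_ALERT")"
echo "SID            : $(alert_sid "$SAMPLE_ALERT")"
# On the analysis box, with the rule packs unpacked as above:
#   rule=$(lookup_sid "$(alert_sid "$SAMPLE_ALERT")" /etc/snort/community-rules)
#   rule_contents "$rule"
```

Paste the 5-tuple filter into Wireshark first; if it returns more than one packet, add the frame.time filter to narrow it to the trigger. The functions are POSIX shell apart from GNU grep's -r, -o and --include, which Ubuntu provides.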

That's just a quick example; it is by no means the only use. The same setup can be adopted in a malware analysis environment to develop and test signatures for malware traffic, or to investigate and tune noisy signatures that plague a network with false positives.

Enjoy…
