Snort Project Final

ABSTRACT:

I cannot imagine a house without any kind of doors or locks, and in the same way I cannot imagine an enterprise network infrastructure that is wide open to the internet without any kind of defense against cyber threats. According to the Kaspersky Lab Security Bulletin 2015, there were over 1,966,324 attested cyber-attacks in the year 2015; 753,684 workstations were infected by various ransomware software, and attacks were carried out from more than six million hosts. Statistics and predictions will increase even further once we start to count new trends like IoT (the Internet of Things), which will bring an even wider attack platform, targeting not only enterprises but homes as well. The biggest task in front of cyber security engineers and experts is to be proactive and to stay well ahead of hacking and various types of attacks on computer and network infrastructure. In order to cover those issues, IDS has come into place, and in our paper we are focusing on an open source IDS, which is Snort, and advanced Snort technologies.

CONTENTS:

Abstract
Contents
Introduction
Snort
Barnyard2
PulledPork
Snorby
Conclusion
Appendix

INTRODUCTION:

In this project we discuss an effective way to protect a network against outside and inside threats by utilizing and implementing the Network Intrusion Detection System Snort.

An intrusion detection system (IDS) is an irreplaceable part of any modern network. As firewalls alone became insufficient to maintain an organization's perimeter and inside security, IDS systems started to win the cybersecurity market. Open source and commercial products are available for enterprise, small business and home customers. Besides commercial Intrusion Detection System products, open source systems are widely available for technology enthusiasts to test, implement and use. Open source Network Intrusion Detection projects that are currently popular and available on the market include Bro, Suricata and Snort. In this paper we are going to widen your knowledge about Snort and introduce three advanced features to implement side by side with Snort: Barnyard2, PulledPork, and Snorby. All of these tools can make your life easier while you are using Snort in your environment, and they are mostly free.

The Snort project was started by Martin Roesch in 1998 and maintained by the company Sourcefire. In 2013, Sourcefire was acquired by Cisco. With this acquisition Cisco provided a superb enhancement to its own security product line of ASA firewalls.

SNORT:

Snort is not a GUI-based application and is available for the following platforms: Fedora Linux, CentOS Linux, FreeBSD and Windows OS. Sourcefire IDS can also be downloaded as source and compiled manually in a Linux environment. When the IDS is installed on Linux it can be configured in three different modes: sniffer mode, logger mode and, most importantly, intrusion detection mode. According to Snort Intrusion Detection and Prevention Toolkit, “Packet logger mode logs the packets to the disk. Network intrusion detection mode is the most complex and configurable, allowing Snort to analyze network traffic for matching against a user-defined ruleset and to perform one of several actions, based on what it sees.” Snort rules need to be downloaded and installed separately. Three types of rules are available: Community rules, Registered rules and Subscriber rules. Community rules are updated less often than the other rule sets. These rules are free to download and do not require a Snort portal account. Community rules can be downloaded and installed with the following Linux commands:

wget https://www.snort.org/rules/community -O community.tar.gz   # save under the name tar expects below
sudo tar -xvzf community.tar.gz -C /etc/snort/rules               # -f must be followed by the archive name

Registered rules are only available for registered users and are still free. An Oinkcode is required in the URL in order to download the rule archive. The last type of rule package is the Subscriber rules. This rule set is updated most often and is available for a small annual fee. It is a really good choice even for self-built home, SOHO and small business IDS systems.

The power of Snort IDS is in its solid architecture. The system consists of the following components: Sniffer, Preprocessor, Detection Engine and Output (alerts, log). The IDS also has an API for interfacing plug-ins. The sniffing engine is primarily for collecting data packets from the network. The sniffer module has the capability to recognize traffic and detect various packet types like TCP, UDP, ICMP etc. The preprocessor module is the power module of Snort, since it can interface plugins. These add-ons inspect raw network traffic and check it against various behaviors. Behavior analysis can be optimized by keeping only the needed plugins enabled. Special preprocessor plugins can also be interfaced for HTTP traffic reconstruction after fragmentation. This is necessary for further data analysis and for prevention of evasion attacks. The next module is the Detection Engine. Its task is to check data packets against the Snort rule set. In case a match is found, an alert or log entry will be generated by the next and last module, called the Alerting/Logging component (Output).

The flexibility of the Snort system is also related to the wide availability of multiple modules, plugins and third-party applications that can integrate with it and make the IDS more efficient and user friendly. Tools like PulledPork, Barnyard2 and Snorby extend Snort to a high enterprise-level application.

Ubuntu has proven itself as a reliable and stable server environment for test and production environments. VMware Workstation, a host-based hypervisor, was chosen as the platform to run the Ubuntu Server for Snort IDS. Ubuntu Server will also require VMware Tools with the VMXNET3 vNIC driver installed for higher performance. VMware Tools may be downloaded, mounted on the Linux OS and installed with the command:

sudo ./vmware-install.pl -d

In order to start the Snort installation in a Linux environment, libpcap is required. The iptables firewall is used instead if the Snort sensor is configured in inline mode. After all prerequisites are installed, Snort can be downloaded using the Linux wget utility, unpacked with tar and installed:

cd ~/snort_src
wget https://snort.org/downloads/snort/snort-2.9.8.0.tar.gz
tar -xvzf snort-2.9.8.0.tar.gz
cd snort-2.9.8.0
./configure --enable-sourcefire
make
sudo make install

After successful installation, Snort can be executed with the command snort -V to verify the application version. An additional requirement is to create a separate user account to run the snort process; this is a best-practice security approach. After that, changes need to be made in the Snort configuration file /etc/snort/snort.conf. Since PulledPork will be implemented, there is no need to keep the individual rules files: PulledPork will combine all rules in a single file.

sudo sed -i "s/include \$RULE\_PATH/#include \$RULE\_PATH/" /etc/snort/snort.conf

Next, it is important to set proper values for the variables HOME_NET and EXTERNAL_NET. These variables are used to distinguish between trusted and untrusted networks. Uncommenting the following line will enable an administrator to create and test his own Snort rules:

include $RULE_PATH/local.rules

Finally, the IDS and its configuration files need to be tested. The simplest way to do so is to run snort with the -T flag, pointing it at snort.conf:

sudo snort -T -i eth0 -c /etc/snort/snort.conf
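The snort.conf edits described above (comment out the per-file rule includes, set HOME_NET and EXTERNAL_NET, keep local.rules and add the single snort.rules file that PulledPork will write) can be applied and checked in one pass. The following Python script is an added example, not the paper's or the Snort project's code; SAMPLE_CONF is a constructed cut-down snort.conf, and lint_snort_conf is a hypothetical pre-flight check of our own that runs before snort -T.

```python
import re

# Constructed sample: a cut-down snort.conf with only the lines the paper edits.
SAMPLE_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
include $RULE_PATH/community.rules
include $RULE_PATH/web-attacks.rules
"""

# Matches both live and commented-out rule includes; group 1 is the rule file name.
INCLUDE_RE = re.compile(r"^#?\s*include \$RULE_PATH/(\S+)")

def prepare_snort_conf(text, home_net):
    """Apply the paper's edits: set HOME_NET/EXTERNAL_NET, comment out every
    per-file rule include (what the sed command does), then keep only
    local.rules and the single snort.rules file that PulledPork writes."""
    out, has_snort_rules = [], False
    for line in text.splitlines():
        if line.startswith("ipvar HOME_NET "):
            line = "ipvar HOME_NET " + home_net
        elif line.startswith("ipvar EXTERNAL_NET "):
            line = "ipvar EXTERNAL_NET !$HOME_NET"   # everything that is not ours
        else:
            m = INCLUDE_RE.match(line)
            if m and m.group(1) in ("local.rules", "snort.rules"):
                line = "include $RULE_PATH/" + m.group(1)
                has_snort_rules |= m.group(1) == "snort.rules"
            elif m:
                line = "#include $RULE_PATH/" + m.group(1)  # left on disk, no longer loaded
        out.append(line)
    if not has_snort_rules:
        out.append("include $RULE_PATH/snort.rules")
    return "\n".join(out) + "\n"

def lint_snort_conf(text):
    """Hypothetical pre-flight check: return the problems a practitioner looks
    for before running snort -T (an empty list means the layout is as expected)."""
    lines = text.splitlines()
    active = [m.group(1) for m in map(INCLUDE_RE.match, lines) if m and not m.group(0).startswith("#")]
    problems = []
    if any(l.strip() == "ipvar HOME_NET any" for l in lines):
        problems.append("HOME_NET is 'any': alerts cannot tell inside from outside")
    if "local.rules" not in active:
        problems.append("local.rules is not included: custom rules will never load")
    if "snort.rules" not in active:
        problems.append("snort.rules (PulledPork output) is not included")
    problems += ["duplicate include of " + n for n in sorted(set(active)) if active.count(n) > 1]
    return problems
```

Running prepare_snort_conf a second time on its own output changes nothing, so the script is safe to rerun after every rule update.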

BARNYARD2:
One of the issues that came with Snort is how Snort can keep processing the network traffic without dropping packets while also performing extensive output operations, such as sending alerts and logging them to syslog or a database. One of the solutions was to make Snort multithreaded, but it was a nightmare for developers to maintain a stable multithreaded version. As a result, the final solution they came up with was to use a secondary program which focuses on generating alerts. The communication between Snort and this secondary program is done by spooling the alert data using certain kinds of files. And here I’m introducing the unified output format and Barnyard.

If you are in the network management field and familiar with software-defined networking, we are almost on the same page. Barnyard was first created to isolate the task of processing output data from Snort and to keep the latter focused on the more fundamental operation of monitoring the network traffic. As was mentioned in Snort Intrusion Detection and Prevention, “Barnyard can be thought of as an asynchronous event processing and dispatching tool designed for use with Snort.” Furthermore, by using Barnyard along with Snort, we have an extra benefit, as we can separate the level of access to Snort. On one hand, Snort needs root privilege in order to run in IDS mode. On the other hand, Barnyard can run at user level to read the unified data. One more advantage of using Barnyard is that we can always reanalyze archived data issued by the unified Barnyard plug-in. Since I mentioned unified files, I would like to talk about the format of these files; the essential requirements for the format are that it can be written fast and in a small size.

Now let’s go to the technical part, which is installing Barnyard2 after installing Snort. The basic idea here is that Snort stores events in binary form, and then Barnyard2 reads those events asynchronously and saves them in a MySQL database. Barnyard will require some prerequisites in order to be installed and work properly, such as a C compiler and the MySQL server and client, as shown in the commands below. We also point it at the MySQL library by using one of these configure commands, depending on the operating system:

sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
# or, on a 32-bit system:
./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux

To download, unpack and install Barnyard the following command needs to be used:

wget https://github.com/firnsy/barnyard2/archive/7254c24702392288fe6be948f88afb74040f6dc9.tar.gz -O barnyard2-2-1.14-336.tar.gz
tar zxvf barnyard2-2-1.14-336.tar.gz
mv barnyard2-7254c24702392288fe6be948f88afb74040f6dc9 barnyard2-2-1.14-336
cd barnyard2-2-1.14-336
autoreconf -fvi -I ./m4
# run the ./configure line shown above here, before make
make
sudo make install

All configuration is located in the special configuration file /etc/snort/barnyard2.conf. This file holds all the information necessary for Barnyard2 to connect to the MySQL database. The next step is to test the system. It requires two steps: run Snort and save its output to a log, and then run Barnyard2 and read the output file.

sudo /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort

As Snort has several modes, Barnyard also provides two modes, which are batch processing and continual processing. First, in batch processing mode, Barnyard will process each and every pre-specified unified file and then quit. The uses of this mode are pulling tangible data from a unified file, reloading old data into a database, or testing new plug-ins used in Snort. Second, in continual mode, events are processed as soon as they trigger Snort alerts.

Barnyard has one more capability: alert messages can be localized in a very easy way, because the message data is loaded from the sid-msg.map and gen-msg.map files, unlike Snort, which has 48 rule files, preprocessors, and rule options. As a result, if we need to localize messages using Barnyard, we only need to create new sid-msg.map and gen-msg.map files. When a new rule needs to be added, a new entry can be inserted into those two primary Barnyard files.
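To make concrete what the paper says Barnyard2 does with the spool file and the two map files, here is an added example (not the paper's code and not Barnyard2's): a minimal Python reader that walks a unified2 spool from a waldo-style bookmark, decodes Snort's UNIFIED2_IDS_EVENT records (type 7, the 52-byte IPv4 event), and resolves each generator/signature pair to its message via sid-msg.map and gen-msg.map. The map contents and the spool bytes are constructed sample data; pack_event exists only to build them.

```python
import socket
import struct

UNIFIED2_IDS_EVENT = 7                      # Snort's IPv4 IDS event record type
_HDR = struct.Struct("!II")                 # record header: type, length (network byte order)
_EVT = struct.Struct("!IIIIIIIIIIIHHBBBB")  # 52-byte legacy IPv4 event body

# Constructed sample map files, in the syntax of the real sid-msg.map and gen-msg.map.
SID_MSG_MAP = ("1000001 || LOCAL ICMP echo to HOME_NET\n"
               "2100498 || GPL ATTACK_RESPONSE id check returned root || attempt-admin\n")
GEN_MSG_MAP = "116 || 150 || (snort_decoder) WARNING: Bad Traffic Loopback IP\n"

def load_maps(sid_text, gen_text):
    """Build {(gid, sid): msg}: rule alerts (gid 1) come from sid-msg.map,
    preprocessor/decoder alerts from gen-msg.map."""
    msgs = {}
    for line in sid_text.splitlines():
        f = [p.strip() for p in line.split("||")]
        if len(f) >= 2 and f[0].isdigit():
            msgs[(1, int(f[0]))] = f[1]
    for line in gen_text.splitlines():
        f = [p.strip() for p in line.split("||")]
        if len(f) >= 3 and f[0].isdigit():
            msgs[(int(f[0]), int(f[1]))] = f[2]
    return msgs

def pack_event(sid, gid, src, dst, sport, dport, proto, second=1463328000, rev=1, cls=0, pri=2):
    """Encode one IDS event record in Snort's unified2 layout (used here to build sample spool data)."""
    ip = lambda a: int.from_bytes(socket.inet_aton(a), "big")
    body = _EVT.pack(1, 1, second, 0, sid, gid, rev, cls, pri, ip(src), ip(dst),
                     sport, dport, proto, 0, 0, 0)
    return _HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body

def read_spool(data, msgs, waldo=0):
    """Walk the spool from the waldo offset; return (alerts, new waldo).
    Other record types (packets, extra data) are skipped, and a record Snort
    has not finished writing is left for the next run, as Barnyard2 does."""
    alerts, off = [], waldo
    while off + _HDR.size <= len(data):
        rtype, rlen = _HDR.unpack_from(data, off)
        if off + _HDR.size + rlen > len(data):
            break                           # partial record: keep the bookmark here
        if rtype == UNIFIED2_IDS_EVENT and rlen == _EVT.size:
            f = _EVT.unpack_from(data, off + _HDR.size)
            gid, sid, rev = f[5], f[4], f[6]
            alerts.append({"gid": gid, "sid": sid, "priority": f[8], "proto": f[13],
                           "src": socket.inet_ntoa(f[9].to_bytes(4, "big")),
                           "dst": socket.inet_ntoa(f[10].to_bytes(4, "big")),
                           "msg": msgs.get((gid, sid), "Snort Alert [%d:%d:%d]" % (gid, sid, rev))})
        off += _HDR.size + rlen
    return alerts, off
```

An event whose sid is missing from both maps falls back to the generic "Snort Alert [gid:sid:rev]" text, which is the cue that the map files are out of date relative to the rule set.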

PULLEDPORK:

PulledPork is a powerful tool for keeping Snort rules up to date. Snort itself does not have automated capabilities to download updates in the free version; by default this has to be done manually. Besides downloading rule updates, PulledPork combines them into one file and maintains a change log. This tool is open source and written in Perl.

PulledPork can be installed and downloaded by running the following commands:

sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl
tar xzvf pulledpork-0.7.2-196.tar.gz
sudo cp pulledpork.pl /usr/local/bin
sudo chmod +x /usr/local/bin/pulledpork.pl
sudo cp etc/*.conf /etc/snort

PulledPork uses the configuration file /etc/snort/pulledpork.conf. This file must be edited to add the Snort Oinkcode. This code can be obtained by registering at the Snort portal and allows downloading the rules for registered users. These rules are updated more often than the community rules. At the same time, the Snort configuration file must be updated with the proper configuration that points to the new rule file:

include $RULE_PATH/snort.rules

In addition, to run PulledPork daily, a cron job needs to be set up. This feature is not available on Windows. Cron jobs are excellent for automating tasks according to a time-based schedule.

SNORBY:

Snorby is another open source project that can be implemented with Snort. This add-on is, we think, one of the most important parts of the IDS. It provides a user-friendly GUI (refer to Figure 1) for monitoring the events and alerts produced by Snort. This project can be found in a GitHub repository. The software was developed in Ruby on Rails and is web based. Snorby can also be used with other IDS systems like Suricata. One of the great features of Snorby is support for OpenFPC (Full Packet Support). This allows capturing the complete flow of data and seeing the full scale of an attack.

In order to set up Snorby in a Linux environment, the following commands need to be used (assuming that the Ruby on Rails prerequisites were already installed):

cd ~/snort_src/
wget https://github.com/Snorby/snorby/archive/v2.6.2.tar.gz -O snorby-2.6.2.tar.gz
tar xzvf snorby-2.6.2.tar.gz
sudo cp -r ./snorby-2.6.2/ /var/www/html/snorby/
cd /var/www/html/snorby
sudo bundle install
sudo cp /var/www/html/snorby/config/database.yml.example /var/www/html/snorby/config/database.yml
sudo vi /var/www/html/snorby/config/database.yml

This command is required for creation of Snorby configuration file:

sudo cp /var/www/html/snorby/config/snorby_config.yml.example /var/www/html/snorby/config/snorby_config.yml
sudo sed -i 's|/usr/local/bin/wkhtmltopdf|/usr/bin/wkhtmltopdf|g' /var/www/html/snorby/config/snorby_config.yml

This command will finally install Snorby:

cd /var/www/html/snorby
sudo bundle exec rake snorby:setup

In addition, it is recommended to create a separate MySQL database user for Snorby, like we did for Barnyard2. This provides an additional level of security for our database. After the new user is created, the authentication information must be updated in the file /var/www/html/snorby/config/database.yml.

$ mysql -u root -p
mysql> create user 'depaul'@'localhost' IDENTIFIED BY 'TDC577';
mysql> grant all privileges on snorby.* to 'depaul'@'localhost' with grant option;
mysql> flush privileges;
mysql> exit

Final step is to start Snorby and log in to GUI:

cd /var/www/html/snorby/
sudo bundle exec rails server -e production

The URL for the Snorby GUI is: http://<localhost>:3000

CONCLUSION:
In our paper we have shown the need for using IDS systems regardless of the nature of the environment. It can be for service providers, enterprises, universities, or even for your home network. In addition, we have introduced some types of open source IDS.

Our focus in this paper was to give you a brief description of two techniques that can optimize Snort and make it work fast and efficiently. The third feature was to help the user in reading and aggregating the data.

Lastly, we have provided you with the command lines needed to implement all three programs. Those commands belong to the Linux environment and were tested on the Ubuntu distribution.

APPENDIX
Figure 1

BIBLIOGRAPHY:

[1] B. Caswell, J. Beale and A. Baker, Snort Intrusion Detection and Prevention Toolkit. Burlington: Elsevier, 2007.

[2] Snort.org, 2016. [Online]. Available: https://www.snort.org/documents/snort-ips-tutorial. [Accessed: 15-May-2016].

[3] R. Dionicio, "Installing PulledPork and Barnyard2 for Snort - Packet6", Packet6, 2014. [Online]. Available: https://www.packet6.com/installing-pulledpork-and-barnyard2-for-snort/. [Accessed: 10-May-2016].

[4] N. Dietrich, Snort 2.9.8.x on Ubuntu 12, 14, and 15 with Barnyard2, PulledPork, and Snorby, 1st ed. 2016.

[5] D. Edwards, "Community:Snort 2.9.2.3 Installation Guide for Ubuntu 12.04, with Barnyard2, Pulledpork, and Aanval - Aanval Wiki", Wiki.aanval.com, 2016. [Online]. Available: http://wiki.aanval.com/wiki/Community:Snort_2.9.2.3_Installation_Guide_for_Ubuntu_12.04,_with_Barnyard2,_Pulledpork,_and_Aanval. [Accessed: 06-May-2016].
