6 Replies Latest reply on Jun 21, 2017 11:14 AM by wilbercollect

    LEMs Snort

    evanr

      I have been trying to get Snort going on our LEM box and while the process shows up in top.  It doesn't appear some of the rule are working.  I followed this guide SolarWinds Knowledge Base :: Snort IDS Best Practices.  It would seem there are some discrepancies in the .conf files.  I have edited the snort.conf with our subnets as well as the snort.debian.conf.  I'm not entirely sure which one needs to be updated.  Per the guide the variables are updated in the snort.debian.conf and I guess then are queried from the snort.conf.  Does anyone have a definitive guide for this on LEM?  Or am I better off setting up Snort from scratch on a dedicated box?

        • Re: LEMs Snort
          martindl76

          Here is a sample of my config file for snort.debian.conf

           

          DEBIAN_SNORT_STARTUP="boot"

          DEBIAN_SNORT_HOME_NET="[Use commas between multiple addresses]"

          DEBIAN_SNORT_OPTIONS="-A fast -I -N --nolock-pidfile"

          DEBIAN_SNORT_INTERFACE="eth1"

          DEBIAN_SNORT_SEND_STATS="true"

          DEBIAN_SNORT_STATS_RCPT="root"

          DEBIAN_SNORT_STATS_THRESHOLD="1"

           

          This is for the eth1 interface (the interface with no IP address)

          Snort is left unconfigured for the management interface. This is done by using the following syntax:

          DEBIAN_SNORT_STARTUP="manual"

           

          In the snort.conf file I have configured the HOME_NET variables as well (just to be sure) and the EXTERNAL_NET as well.

          In debian I know that the snort.debian.conf file is used for configuration of variables. The question would be then what file SUPERCEEDS the other. That I do know. I would advise you to log in through SSH to Solarwinds, go to Appliance and enter "checklogs". From here you can check both the daemon logs(5) or Snort(3...i think). The daemon logs will let you know if you have a snort configuration issue. The Snort log will show you alerts.

           

          Hope this helps Good luck!

          1 of 1 people found this helpful
            • Re: LEMs Snort
              evanr

              Yeah it's definitely up and configured.

              21714 snort     20   0  134m  52m 3780 S    3  0.7   0:44.63 snort

               

              1371060294000 SLEM snort[21601]: Initializing Network Interface eth0

              1371060294000 SLEM snort[21601]: Initializing daemon mode

              1371060294000 SLEM snort[21601]: Daemon parent exiting

              1371060294000 SLEM snort[21714]: Daemon initialized, signaled parent pid: 21601

              1371060295000 SLEM snort[21714]: Checking PID path...

              1371060295000 SLEM snort[21714]: PID path stat checked out ok, PID path set to /var/run/

              1371060295000 SLEM snort[21714]: Writing PID "21714" to file "/var/run//snort_eth0.pid"

              1371060295000 SLEM snort[21714]: Decoding Ethernet on interface eth0

              1371060330000 SLEM snort[21714]:

              1371060330000 SLEM snort[21714]: [ Port Based Pattern Matching Memory ]

              1371060330000 SLEM snort[21714]: +-[AC-BNFA Search Info Summary]------------------------------

              1371060330000 SLEM snort[21714]: | Instances        : 242

              1371060330000 SLEM snort[21714]: | Patterns         : 21229

              1371060330000 SLEM snort[21714]: | Pattern Chars    : 190012

              1371060330000 SLEM snort[21714]: | Num States       : 123529

              1371060330000 SLEM snort[21714]: | Num Match States : 17345

              1371060330000 SLEM snort[21714]: | Memory           :   4.50Mbytes

              1371060330000 SLEM snort[21714]: |   Patterns       :   0.99M

              1371060330000 SLEM snort[21714]: |   Match Lists    :   1.79M

              1371060330000 SLEM snort[21714]: |   Transitions    :   1.63M

              1371060330000 SLEM snort[21714]: +-------------------------------------------------

              1371060330000 SLEM snort[21714]:

              1371060330000 SLEM snort[21714]:         --== Initialization Complete ==--

              1371060330000 SLEM snort[21714]: Snort initialization completed successfully (pid=21714)

               

              snort.conf

              var HOME_NET sub1/16,sub2/24

              var EXTERNAL_NET !$HOME_NET

               

              snort.debian.conf

              DEBIAN_SNORT_HOME_NET="[sub1/16,sub2/24]"

               

              We would like to deploy this as a true IDS solution to capture traffic stats for our entire LAN.  Will this only work if we log all our fw/security devices through LEM?  I can tell you I tested a simple port scan against another device on our network and Snort did not detect it.  Possibly a rule config issue, or am I asking too much from LEM?

               

              Only when I actually scanned the LEM machine did any rule fire off.

              06/12-14:12:31.380821  [**] [122:1:0]  <eth0> (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} x.x.x.x -> s.s.s.s

              x = scanning box

              s = lem box

                • Re: LEMs Snort
                  evanr

                  Just in case anyone else is running LEM via HyperV and is looking to do the same thing.

                   

                  Straight from the horses mouth:

                  Snort included on LEM is capable of sniffing the entire network as long as you're forwarding all the network's traffic to an anonymous (no IP) promiscuous mode NIC in the LEM. This would basically require mirroring or spanning the traffic from a core switch/router that all traffic flows through, down a dedicated port on that switch/router to the physical host that LEM is running on.

                   

                  Having said that, I'm afraid that Hyper-V 2008 does not support this type of setup. It's virtual switches require that the traffic have a specific destination relevant to the VMs.

              • Re: LEMs Snort
                nicole pauls

                We're continuing to track HV's support for promiscuous mode to see if this is possible.

                 

                Also, it's possible our docs are out of date. We don't see a lot of customers using Snort in the virtual environment anymore because of the spanning/mirroring requirements (usually best done by dedicating a hardwired port to the LEM virtual appliance and assigning it to the second interface) and the version of Snort referenced in the docs is probably older than the one actually shipping on the appliance.

                 

                From a rules management perspective it may also be easier to deploy Snort on your own so that you can update it (or use a newer version of it) and more easily use their VRT rules, even the delayed version. Depends on how current you need your ruleset to be and how much management you want to do.

                • Re: LEMs Snort
                  wilbercollect

                  we have this up and running on Hyper-V Core 2016.

                  you have to run some powershell commands on the host and then set the NIC on the server to be a destination port then setup a port span on your physical switch between your source and destination, but it appears to be working now

                   

                  Powershell on Host

                   

                  $portFeature=Get-VMSystemSwitchExtensionPortFeature -FeatureName "Ethernet Switch Port Security Settings"
                  # None = 0, Destination = 1, Source = 2

                  $portFeature.SettingData.MonitorMode = 2
                  Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName <Virtual Switch Name> -VMSwitchExtensionFeature $portFeature