IPS: snort basic implementation #891

Closed
gsanchietti opened this issue Nov 7, 2024 · 8 comments
Labels
milestone goal 👑 This describes an announced milestone goal verified All test cases were verified successfully

Comments

@gsanchietti
Member

Add the IPS (Intrusion Prevention System) feature to prevent and mitigate attacks.

Proposed solution:

Implement command-line configuration for Snort.
Main features:

  • rule set customization: support for Emerging Threats, Snort community, and Snort subscriber
  • automatic configuration in IPS mode using NFQ
  • automatic configuration for HOME_NET variable including VPN networks
  • bypass options for source and destination for IPv4 and IPv6

The module will provide no UI inside the first release.

@gsanchietti gsanchietti added this to the NethSecurity 8.4 milestone Nov 7, 2024
@gsanchietti gsanchietti moved this to In progress 🛠 in NethSecurity Nov 7, 2024
This was referenced Nov 7, 2024
@gsanchietti gsanchietti added the milestone goal 👑 This describes an announced milestone goal label Nov 18, 2024
gsanchietti added a commit that referenced this issue Dec 3, 2024
@gsanchietti gsanchietti mentioned this issue Dec 13, 2024
@gsanchietti
Member Author

gsanchietti commented Dec 13, 2024

Testing image: 23.05.5-ns.1.3.0-140-gc034f31f

@gsanchietti
Member Author

gsanchietti commented Dec 13, 2024

Test Case 1: Verify Snort 3 Setup

  • Step 1: Ensure Snort 3 is installed.
  • Step 2: Execute the following command to enable Snort using the "security" rule policy:
    echo '{"enabled": true, "set_home_net": true, "include_vpn": false, "ns_policy": "security", "ns_disabled_rules": []}' | /usr/libexec/rpcd/ns.snort call setup
    ns-snort-rules --download
    uci commit snort
    /etc/init.d/snort restart
  • Expected Result: Snort 3 should be enabled, and rules should be downloaded.

Test Case 2: Verify Rule Policies

  • Step 1: Configure Snort with the "balanced" policy:
    echo '{"enabled": true, "set_home_net": true, "include_vpn": false, "ns_policy": "balanced", "ns_disabled_rules": []}' | /usr/libexec/rpcd/ns.snort call setup
    uci commit snort
    ns-snort-rules --restart
  • Expected Result: Snort should apply the "balanced" rule policy and log the correct configurations.

Test Case 3: Verify Oinkcode Configuration

  • Step 1: Set an Oinkcode using the following command:
    uci set snort.snort.oinkcode=your_oinkcode
    uci commit snort
    ns-snort-rules --download
    /etc/init.d/snort restart
  • Expected Result: Rules should be successfully downloaded with the specified Oinkcode.

Test Case 4: Verify Bypass Rules

  • Step 1: Add bypass rules for specific source IP addresses:
    uci add_list snort.nfq.bypass_src_v4=192.168.100.23
    uci add_list snort.nfq.bypass_src_v4=192.168.100.28
    uci commit snort
    /etc/init.d/snort restart
  • Expected Result: Traffic from the specified IP addresses should bypass Snort IPS analysis.

Test Case 5: Verify Disable Rules

  • Step 1: Disable specific rules by adding their SIDs:
    uci add_list snort.snort.ns_disabled_rules=1,24225,false_positive
    uci commit snort
    ns-snort-rules
    /etc/init.d/snort restart
  • Expected Result: The specified rules should be excluded from the Snort ruleset.

Test Case 6: Verify Suppress Rules

  • Step 1: Add suppress rules for specific IP addresses:
    uci add_list snort.snort.ns_suppress='1,1234,by_src,1.2.3.4,very_bad'
    uci add_list snort.snort.ns_suppress='1,1234,by_dst,8.8.8.8,noisy_rule'
    uci commit snort
    /etc/init.d/snort restart
  • Expected Result: The specified rules should be ignored for the given IP addresses or CIDRs.

Test Case 7: Verify Alerts and Logs

  • Step 1: Generate traffic that matches Snort rules.
  • Step 2: Check system logs and JSON files for alerts:
    less /var/log/messages
    cat /var/log/snort/1_alert_json.txt | jq .
    snort-mgr report
  • Expected Result: Alerts should be logged correctly, and relevant information should be available in JSON format.

Test Case 8: Verify Disable and Stop IPS

  • Step 1: Execute the following command to disable Snort:
    echo '{"enabled": false}' | /usr/libexec/rpcd/ns.snort call setup
    uci commit snort
    /etc/init.d/snort stop
  • Expected Result: Snort IPS should be disabled, and the service should stop running.

@gsanchietti gsanchietti added the testing Packages are available from testing repositories label Dec 13, 2024
@nethbot nethbot moved this from In Progress 🛠 to Testing in NethSecurity Dec 13, 2024
gsanchietti added a commit that referenced this issue Dec 13, 2024
@cotosso
Contributor

cotosso commented Dec 17, 2024

Test case 1 (security policy): OK

root@NethSec:~# cat /var/ns-snort/rules/snort.rules| wc -l
592
root@NethSec:~# ps ax | grep snort
26822 ?        Sl     0:01 /usr/bin/snort -c /var/snort.d/snort_conf.lua --tweaks ns_local --daq nfq --daq-var queue_maxlen=4096

Test case 2 (balanced policy): OK

root@NethSec:~# cat /var/ns-snort/rules/snort.rules| wc -l
384

The number of rules has decreased compared to the previous case.

Test case 3 (oinkcode): OK

Processing rule file /var/ns-snort/snort-rules/rules/snort3-browser-firefox.rules
Processing rule file /var/ns-snort/snort-rules/rules/snort3-browser-chrome.rules
Processing rule file /var/ns-snort/snort-rules/rules/snort3-app-detect.rules
Appended **8893** rules to /var/ns-snort/rules/snort.rules
Restarting snort...
root@NethSec:~# 

@cotosso
Contributor

cotosso commented Dec 17, 2024

Test case 4 (bypass src)
After bypassing the IP 192.168.15.232, the nft rules changed accordingly:

table inet snort {
        set bypass_src_v4 {
                type ipv4_addr
                flags interval
                elements = { 192.168.15.232 }
        }

        set bypass_dst_v4 {
                type ipv4_addr
                flags interval
        }

        set bypass_src_v6 {
                type ipv6_addr
                flags interval
        }

        set bypass_dst_v6 {
                type ipv6_addr
                flags interval
        }

        chain forward_ips {
                type filter hook forward priority filter; policy accept;
                ip saddr @bypass_src_v4 counter packets 239 bytes 40395 accept
                ip daddr @bypass_dst_v4 counter packets 0 bytes 0 accept
                ip6 saddr @bypass_src_v6 counter packets 0 bytes 0 accept
                ip6 daddr @bypass_dst_v6 counter packets 0 bytes 0 accept
                counter packets 229 bytes 37937 queue flags bypass to 4-7

That said, the snort restart may be avoided in cases like this, where only nft rules are involved.

@cotosso
Contributor

cotosso commented Dec 17, 2024

Test Case 5 (disable rules): OK

@gsanchietti
Member Author

Test case 7 verified:

# snort-mgr report
Events (run at 2024-12-18T08:57:03+01:00)
  Count Message                                                            gid   sid Dir Source         Destination
      2 SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt   1 300053 C2S 47.245.124.200 192.168.5.3(80)
      1 SERVER-WEBAPP PHP PHP-CGI command execution attempt                  1 63598 C2S 47.245.124.200 192.168.5.3(80)
      3 incidents shown of 3 logged (100.00%)

Test case 8 verified.
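The report above is an aggregation of the per-alert JSON that Test Case 7 reads from /var/log/snort/1_alert_json.txt. The following is an added example, not snort-mgr's code: it groups constructed alert_json lines (using Snort 3's alert_json field names src_ap, dst_ap, dir, gid, sid and msg) by rule and endpoints the way the report does, and tolerates a partially written last line.

```python
import json
from collections import Counter

# Constructed sample in the one-object-per-line shape Snort 3's alert_json writer
# produces; ports, timestamps and the truncated last line are invented for this example.
SAMPLE_ALERT_JSON = """\
{"timestamp":"12/18-08:40:01.000000","dir":"C2S","src_ap":"47.245.124.200:51002","dst_ap":"192.168.5.3:80","gid":1,"sid":300053,"rev":4,"msg":"SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt","proto":"TCP","action":"block"}
{"timestamp":"12/18-08:40:02.000000","dir":"C2S","src_ap":"47.245.124.200:51004","dst_ap":"192.168.5.3:80","gid":1,"sid":300053,"rev":4,"msg":"SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt","proto":"TCP","action":"block"}
{"timestamp":"12/18-08:40:05.000000","dir":"C2S","src_ap":"47.245.124.200:51010","dst_ap":"192.168.5.3:80","gid":1,"sid":63598,"rev":1,"msg":"SERVER-WEBAPP PHP PHP-CGI command execution attempt","proto":"TCP","action":"block"}
{"timestamp":"12/18-08:40:09.000000","dir":"C2S","src_ap":"47.2
"""


def aggregate_alerts(text):
    """Count alerts by (msg, gid, sid, dir, source host, destination host(port)).

    Lines that are not complete JSON (e.g. the one snort is still writing) are
    counted as skipped instead of aborting the whole report.
    """
    counts = Counter()
    skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        # src_ap/dst_ap are "addr:port"; rsplit on the last colon keeps IPv6 addresses intact
        src = ev["src_ap"].rsplit(":", 1)[0]
        dst_host, dst_port = ev["dst_ap"].rsplit(":", 1)
        key = (ev["msg"], ev["gid"], ev["sid"], ev["dir"], src, f"{dst_host}({dst_port})")
        counts[key] += 1
    return counts, skipped


def render_report(counts):
    """Format the counts as rows in the style of the snort-mgr report output."""
    rows = ["  Count Message  gid  sid  Dir  Source  Destination"]
    for (msg, gid, sid, dir_, src, dst), n in counts.most_common():
        rows.append(f"  {n:5d} {msg}  {gid}  {sid}  {dir_}  {src}  {dst}")
    rows.append(f"  {sum(counts.values())} incidents shown")
    return "\n".join(rows)


if __name__ == "__main__":
    c, skipped = aggregate_alerts(SAMPLE_ALERT_JSON)
    print(render_report(c))
    print(f"  ({skipped} unparseable line(s) skipped)")
```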

@gsanchietti
Member Author

Test case 6 verified using testing rules: ns-snort-rules --testing

Before the suppress configuration, an alert for a PING is found inside the log:

Dec 18 08:55:34 NethSec snort: [1:99010:0] "TEST ALERT ICMP v4" {ICMP} 192.168.100.22 -> 1.1.0.1

Added the suppression:

# uci add_list snort.snort.ns_suppress='1,99010,by_src,192.168.100.22'
# uci commit snort
# /etc/init.d/snort restart

Verify the configuration:

# cat /var/ns-snort/ns_local.lua 
suppress = 
{

    { gid = 1, sid = 99010, track = 'by_src', ip = '192.168.100.22' },

}

Another ping does not produce any alert.
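The ns_suppress values used in Test Cases 5 and 6 follow a comma-separated gid,sid,track,ip[,description] format that ends up as the suppress table in /var/ns-snort/ns_local.lua shown above. The following is an added example, not the project's ns-snort-rules code: it validates such entries (integer gid/sid, track limited to by_src/by_dst, ip a valid v4/v6 host or CIDR) before rendering them in that Lua layout, so a typo in the uci list is reported instead of producing a config Snort refuses to load.

```python
import ipaddress

VALID_TRACKS = ("by_src", "by_dst")


def parse_suppress_entry(entry):
    """Parse one ns_suppress value of the form 'gid,sid,track,ip[,description]'.

    Returns a dict with gid/sid as ints. The optional description is not part of
    the rendered Lua (see ns_local.lua above), so it is accepted but not kept.
    Raises ValueError on malformed input.
    """
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 4:
        raise ValueError(f"expected gid,sid,track,ip[,description]: {entry!r}")
    gid, sid, track, ip = parts[:4]
    if not (gid.isdigit() and sid.isdigit()):
        raise ValueError(f"gid and sid must be integers: {entry!r}")
    if track not in VALID_TRACKS:
        raise ValueError(f"track must be one of {VALID_TRACKS}: {entry!r}")
    # A host address or a CIDR block; ip_network() validates both v4 and v6 and
    # rejects anything else, so the value can safely be quoted verbatim in Lua.
    ipaddress.ip_network(ip, strict=False)
    return {"gid": int(gid), "sid": int(sid), "track": track, "ip": ip}


def check_entries(entries):
    """Return one error message per invalid entry (an empty list means all valid)."""
    errors = []
    for e in entries:
        try:
            parse_suppress_entry(e)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


def render_suppress_lua(entries):
    """Render valid entries in the layout of the suppress table in ns_local.lua."""
    lines = ["suppress =", "{", ""]
    for r in (parse_suppress_entry(e) for e in entries):
        lines.append(
            f"    {{ gid = {r['gid']}, sid = {r['sid']}, "
            f"track = '{r['track']}', ip = '{r['ip']}' }},"
        )
        lines.append("")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_suppress_lua(["1,99010,by_src,192.168.100.22",
                               "1,1234,by_dst,8.8.8.8,noisy_rule"]))
```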

@gsanchietti gsanchietti added verified All test cases were verified successfully and removed testing Packages are available from testing repositories labels Dec 18, 2024
@nethbot nethbot moved this from Testing to Verified in NethSecurity Dec 18, 2024
@gsanchietti
Member Author

Released on 23.05.5-ns.1.4.0

@github-project-automation github-project-automation bot moved this from Verified to Done ✅ in NethSecurity Dec 18, 2024