Friday, May 24, 2013

Troubleshooting your Snort deployment

I recently had a discussion with a user new to snort and autosnort who wanted to know some troubleshooting techniques that can be done to see if snort is working and/or snorby or the web interface of your choosing is working. After thinking about it, I decided it might be a good idea to post my troubleshooting steps here to assist users of snort and snorby in general to determine if things are working okay.

Before we begin here, realize that there are a number of moving parts with any IDS/IPS deployment.  Understanding the basics of networking (OSI/TCPIP stacks, collision domains and/or broadcast domains) really help you in understanding why snort can or cannot see traffic for certain parts of your network. If you have no way of copying traffic from the network segment you want to protect, then snort will not be able to see anything.

Now that I got that part out of the way, there are a couple of basic components in any snort deployment:

1) the network

How busy is your network? If the network isn't particularly active, it may take a while before you see any sort of alerts from snort.

2) the method you are using to pass network traffic to snort

How are you copying traffic to snort's sniffing interface? Do you have an old hub? a professional grade network tap or hobbyist network tap? A switch that can do port mirroring/span ports? Is snort sitting in a VM? does that virtual machine have a way to sniff traffic off of the vswitch?

Any IDS/IPS deployment needs a reliable method to clone/copy traffic off of the network. If you plug snort into a regular switch port or SOHO router, you're usually only going to see broadcast traffic (usually UDP broadcasts, CDP broadcasts, Spanning tree traffic, and ARP requests) and will be absolutely useless to you.

You need to have the equipment or means to copy traffic to snort somehow.

3) Snort itself and how it's configured

If you have a light ruleset (say the balanced ruleset from pulledpork, or the connectivity over security ruleset), you won't be seeing very many alerts, unless those rules are a really big deal, like big enough to be included in those rulesets, and/or if your network is particularly infested with bad traffic.

4) Barnyard2, how it's configured and/or the database it is logging to

Autosnort is configured to use barnyard2 and log to a local database. normally this is the "snort" database, but some web interfaces require their own database (e.g. Aanval uses the aanval database and snort database, snorby uses the snorby database). Does barnyard2's database user have the right access to insert events to the database? does the database user have the right credentials?

For other barnyard2 logging options, such as syslog, is the remote host allowing connections from your sensor's management interface? is the SIEM solution configured to log syslog events properly?

So, to summarize IDS/IPS deployments have a number of parts that have to work together to provide you with a working solution: The network itself, the method you are using to copy network traffic to snort, snort or the IDS/IPS solution you are using and what its configured to alert on, and the method by which you are logging intrusion events (barnyard2/database/syslog).

Here are some basic troubleshooting methods I've devised:

Basic Steps:

1) are snort processes running? If you're using Snorby or another specialized logging interface, are the processes that interface relies on running?

ps -ef | grep snort
ps -ef | grep delayed

you are looking for this output from ps -ef | grep snort:

root      1853  1258  0 17:54 pts/0    00:00:00 grep snort
snort     1883     1  0 May18 ?        00:00:47 /usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i br0
root      1912     1  0 May18 ?        00:00:53 /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D

you are looking for this output from ps -ef | grep delayed:

root      1869  1258  0 17:55 pts/0    00:00:00 grep delayed
root      2161     1  0 May18 ?        00:11:01 delayed_job
If snort and barnyard2 BOTH are not running, check /var/log/messages (cat /var/log/messages [or /var/log/syslog depending on your distro] | grep snort) to see if you can determine why. Look for error, critical or fatal messages as they indicate reasons why snort or barnyard2 refused to run. We'll talk about snorby's delayed_job process in a moment.

2) ifconfig -a

-- which interface is snort sniffing traffic on? is it in promiscuous mode?

You're looking for output that looks something like this on the interface that snort is sniffing traffic on, pay attention to the lines in bold face:

eth1      Link encap:Ethernet  HWaddr 00:0c:29:8b:bb:ca
          inet6 addr: fe80::20c:29ff:fe8b:bbca/64 Scope:Link

The most important lines above are UP RUNNING PROMISC, because the interface must be up, must be running, and likely should be in promiscuous mode to pick up traffic. the NOARP line isn't entirely necessary, but it's there to ensure that the sniffing interface doesn't respond to arp queries in case attackers are probing the network to try and find your IDS installations.

3) How are you passing traffic to snort? is snort's sniffing interface attached to a switch span? a hub? a network tap? if it's a virtual machine on ESXi or something of that nature, is the vswitch snort is sniffing off of configured to allow promiscuous mode network cards?

If you're in a corporate environment, and are a proficient network administrator, I'm going to assume you know what a switch span port is. These are also referred to as mirror ports. Most professional grade switches have an option to copy ALL traffic seen on a switch to a single interface. You would plug snort's sniffing interface into this mirror interface for snort to see traffic for that entire network segment.

If you're a security reasearcher and don't have money for a procurve or cisco switch that does port mirroring, here's some awesome alternatives:

This is a 5-port switch from microtik. Very very affordable and capable of port mirroring.

Alternatively, if you want a bigger name-brand switch, I personally use netgear's GS108T switch for my home network, since it was the cheapest switch I was aware at the time that allowed port mirroring:

An alternative to span/mirror ports are network taps. On the professional/corporate side, Net Optics, Gigamon and several other vendors offer network tap solutions. Often ridiculously priced, but without all of the possible problems that come with setting of span/mirror ports. These devices are solely dedicated to creating exact clones of network traffic passing over the wire and nothing else.

For those on the cheap side, there are several results via google on how to make your own network tap, but be aware that these sorts of taps are usually for 10/100 networks and usually do not support tapping gigabit networks.

Finally for vmware environments, I posted a specialized tutorial on how to "hack" vmware player on how to bridge traffic from one physical interface or another, using the vmnetconfig.exe from vmware workstation (check the pdf document available in my autosnort github if you're interested...)

But for professional deployments or network labs running vmware ESX/ESXi, it's pretty easy to configure a vswitch to allow promiscuous mode nics. That's really all you have to do is change vswitch security settings, allow promiscuous mode NICs and just configure the snort VM to sniff off of that vswitch.

4) run tcpdump on snort's sniffing interface:

tcpdump -i ethX not arp and not port 22

X is the ethernet interface number snort is sniffing traffic on. the "not arp and not port 22" is telling tcpdump to ignore ssh traffic and arp broadcasts.

while tcpdump is running, on another system on the network, try doing something to generate network traffic (ping, go to a web page, etc.). did tcpdump see your traffic? If not, you may need to investigate how you're mirroring traffic to snort.

5) Check and see if the snort.u2 file is greater than 0 bytes:
ls -al /var/log/snort
check the output of the ls command. You're looking for the snort.u2 file, it should look something like this:

-rw-------  1 snort snort 67261 May 19 17:39 snort.u2.1368917933
the numbr "67261" in the middle is the file's size. If your snort.u2 file is 0 bytes, that means snort hasn't generated any alerts.
So those are the basic steps. You confirm that snort is running, confirm that the interface is in promisc mode, and confirm that mirroring device is actually pushing traffic to where snort can see it, and confirm snort is logging events.

Snorby-specific troubleshooting steps:
Here's a couple of things you can try to confirm that barnyard2 and snorby are working together:

1) ps -ef | grep delayed
- You are looking for an entry that looks something like this:

root      2161     1  0 May18 ?        00:11:00 delayed_job
if the delayed_job process is NOT running, run this command:

cd /var/www/snorby && ruby script/delayed_job start
then run this command to see if the sensor_cache needs to be updated:

cd /var/www/snorby && rails runner ';'
note: I do not know if you need root permission to run the commands above, but if the above commands fail without root privileges, run the command:
 sudo su -
to get a shell with root privileges and re-run those commands.

2) you'll want to check the contents of barnyard2.conf and snorby's database.yml to make sure they match:
cat /usr/local/snort/etc/barnyard2.conf
on the log mysql line, check these values and make sure they match:
log,mysql, user=snort password=[password you gave the snort database user] dbname=snorby host=localhost

cat /var/www/snorby/config/database.yml

verify these lines in database.yml:

snorby: &snorby
  adapter: mysql
  username: snort
  password: [same password in the barnyard2.conf file]
  host: localhost

  database: snorby
  <<: *snorby

  database: snorby
  <<: *snorby

  database: snorby
  <<: *snorby

the most important lines to check are the dbname: and database: line under production are the same database, and that the password= and password: lines are the same to make sure that barnyard2 and snorby agree on the correct password to use to log to and read from that same database.

If the database lines and password lines match, at the very least, we know that barnyard2 and snorby are talking to the right database.

3) One last check you can perform is to verify that the snort user has the privileges to talk to the snorby database. run this command:

mysql -usnort -p[snort database user's password, no spaces] snorby -e "show tables;"

your output should look like this:

| Tables_in_snorby  |
| agent_asset_names |
| aggregated_events |
| asset_names       |
| caches            |
| classifications   |
| data              |
| delayed_jobs      |
| detail            |
| encoding          |
| event             |
| events_with_join  |
| favorites         |
| icmphdr           |
| iphdr             |
| lookups           |
| notes             |
| notifications     |
| opt               |
| reference         |
| reference_system  |
| schema            |
| search            |
| sensor            |
| settings          |
| severities        |
| sig_class         |
| sig_reference     |
| signature         |
| tcphdr            |
| udphdr            |
| users             |
This confirms that the snorby database exists and that the schema was configured properly during installation.

4) If the snort.u2 file in /var/log/snort is NOT 0 bytes, and you confirmed the snort database user was able to see the tables in the snorby database, there's one last set of commands you can run:
mysql -usnort -p[snort database user's password] snorby -e "select * from event\G;"
if you get "empty set" as the return value from that command, snorby doesn't have anything. If you get a bunch of data from this command, snorby should have events in the "events" tab on the web interface.
you can also run this command:
mysql -usnort -p[snort database user's password] snorby -e "select count(*) from event;"
you should get something like this:

| count(*) |
|     5284 |
I have a boatload of events, because I have a testing suite that causes snort to trigger alerts like crazy, but basically, you're looking for the count number to NOT be 0. If the count is 0 there's no events for snorby to report on.

Hope this helps you all out



No comments:

Post a Comment