An alchemists view from the bar

Network Security Alchemy


ET RBN Blacklists with Snort and DumbPig


I spent a few minutes updating DumbPig to work with Marty’s latest blacklist patch, with some great results. It looks like Marty has done a great job of keeping packet performance high while providing a rich blacklist configuration. DumbPig, for the as-yet unenlightened, processes Snort rulesets and offers advice when a “dumb” rule is detected. Blacklist Snort rules are a good example of dumbness, so I thought I would focus a bit on why and how to use these tools.

Before digging into the tech, let me tease you with some performance numbers. My test below was basic, but should bear some relation to the real world.

Test 1) Stock snort.conf and VRT subscription release (processing approx 1.2GB of pcap files)

$ snort --pcap-dir /var/local/pcaps/defcon-2004/ -A fast -l /tmp -c /etc/snort/snort.conf

Run time for packet processing was 46.994580 seconds
Snort processed 2752654 packets.

Test 2) Stock snort.conf, with the “emerging-rbn.rules” (20/july/2009) added

$ snort --pcap-dir /var/local/pcaps/defcon-2004/ -A fast -l /tmp -c /etc/snort/snort.conf

Run time for packet processing was 89.749301 seconds
Snort processed 2752654 packets.

Test 3) Stock snort.conf, but using a DumbPig created blacklist file from the same “emerging-rbn.rules”

$ snort --pcap-dir /var/local/pcaps/defcon-2004/ -A fast -l /tmp -c /etc/snort/snort.conf

Run time for packet processing was 48.348535 seconds
Snort processed 2752654 packets.

So that’s a whopper of a performance increase while maintaining the same IP-based detection ability. I don’t claim you will see the same performance in the wild, but an increase like this should get your attention. Feel free to re-create the tests on your own network and let me know the results (for my interest only).

Configuring Snort 2.8.4.1 with the Blacklist patch (v2)

I have seen a few posts on the internet where people have run into issues configuring and using the blacklist patch. Below are the steps I took to build a system in prep for this week’s Snort Users webinar on DumbPig and other tools, so I thought I would share the configuration here.

Starting platform: Debian Lenny – base installation + ssh and sudo (with lward in the sudoers)

1) Install the debs we know will be needed for the compile of Snort

lward@webexprep:~$ sudo apt-get install libpcap0.8 libpcap0.8-dev libdumbnet-dev build-essential libpcre3-dev automake autoconf libtool

2) Download and extract the snort 2.8.4.1 source

lward@webexprep:~$ wget http://dl.snort.org/snort-current/snort-2.8.4.1.tar.gz
lward@webexprep:~$ tar -zxvf ./snort-2.8.4.1.tar.gz

3) Download and extract the Blacklist patch

lward@webexprep:~$ cd snort-2.8.4.1/
lward@webexprep:~/snort-2.8.4.1$ wget http://www.snort.org/users/roesch/code/iplist.patch.v2.tgz
lward@webexprep:~/snort-2.8.4.1$ tar -zxvf ./iplist.patch.v2.tgz

4) Read the README.iplist

5) Patch your Snort source tree

lward@webexprep:~/snort-2.8.4.1$ patch -p1 < iplist.patch

6) Rerun aclocal / automake/ autoconf

lward@webexprep:~/snort-2.8.4.1$ aclocal -I m4
lward@webexprep:~/snort-2.8.4.1$ automake
lward@webexprep:~/snort-2.8.4.1$ autoconf

7) Configure Snort (and enable IP listing).

lward@webexprep:~/snort-2.8.4.1$ ./configure --enable-iplist

(Note: there should be no errors; if you get m4 prelude messages, see the troubleshooting comment at the bottom of this post.)

8) Compile  / install

Debian / Ubuntu users: You will have to “fix” the dnet/dumbnet fsckup created by the decnet libraries polluting the Debian package namespace. A simple symlink will suffice.

lward@webexprep:~/snort-2.8.4.1$ sudo ln -s /usr/include/dumbnet.h /usr/include/dnet.h
lward@webexprep:~/snort-2.8.4.1$ make
lward@webexprep:~/snort-2.8.4.1$ sudo make install

9) Set up your snort configuration.

lward@webexprep:~/snort-2.8.4.1$ sudo mkdir /etc/snort
lward@webexprep:~/snort-2.8.4.1$ sudo chown lward /etc/snort/
lward@webexprep:~/snort-2.8.4.1$ cp etc/* /etc/snort/
lward@webexprep:~/snort-2.8.4.1$ vi /etc/snort/snort.conf

(Change your RULE_PATH to /etc/snort/rules)

10) Grab the VRT snort ruleset from snort.org, and stick it in your home directory. The exact process will depend on your subscription level.

11) Set up the VRT snort rules

lward@webexprep:~/snort-2.8.4.1$ cd
lward@webexprep:~$ pwd
/home/lward
lward@webexprep:~$ ls
snort-2.8.4.1  snort-2.8.4.1.tar.gz  snortrules-snapshot-2.8.tar.gz
lward@webexprep:~$ tar -zxf ./snortrules-snapshot-2.8.tar.gz
lward@webexprep:~$ cp -r rules/ /etc/snort/

12) Grab yourself a pcap to test and play with

lward@webexprep:~$ wget http://rm-rf.co.uk/downloads/Honeynet-RFP-iis.tgz
lward@webexprep:~$ tar -zxvf ./Honeynet-RFP-iis.tgz

13) Test snort

lward@webexprep:~$ snort -c /etc/snort/snort.conf -A fast -l /tmp -r ~/Honeynet-RFP-iis.pcap

14) Enable, and test the blacklist functions

lward@webexprep:~$ echo preprocessor iplist: blacklist TestBlacklist /etc/snort/rules/test.blacklist >> /etc/snort/snort.conf
lward@webexprep:~$ echo 172.16.0.0/16 > /etc/snort/rules/test.blacklist
lward@webexprep:~/snort-2.8.4.1$ snort -c /etc/snort/snort.conf -A fast -l /tmp -r ~/Honeynet-RFP-iis.pcap

<Check that you are getting blacklist events in your /tmp/alert file. Make sure you add a CIDR that exists in your pcap test data!>
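The note above is the step people most often skip: the test blacklist only produces alerts if the CIDR actually appears in the pcap. The following is an added example, not part of the original post or of DumbPig, that checks this with nothing but the Python standard library. It walks a classic (libpcap) capture file, collects every IPv4 source and destination address, and reports which CIDRs from a blacklist file are hit. The pcap bytes it runs on are constructed inline (Ethernet/IPv4 frames with no payload, using the 172.16.0.0/16 test range from step 14), so it runs offline; point `ipv4_addresses` at the bytes of a real capture to use it for real.

```python
"""Check which blacklist CIDRs actually occur in a pcap (added example)."""
import ipaddress
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_pcap(flows):
    """Constructed test data: one Ethernet/IPv4 frame (no payload) per
    (src, dst) pair, wrapped in a little-endian classic pcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for src, dst in flows:
        # Minimal 20-byte IPv4 header: v4/ihl5, tos, total length, id, flags/frag,
        # ttl, proto (6 = TCP), checksum left at 0 (irrelevant for this check).
        ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                             ipaddress.IPv4Address(src).packed,
                             ipaddress.IPv4Address(dst).packed)
        frame = b"\x00" * 12 + b"\x08\x00" + ip_hdr   # dst MAC, src MAC, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


def ipv4_addresses(pcap_bytes):
    """Return the set of IPv4 addresses (as strings) seen as source or
    destination in an Ethernet pcap. Non-IPv4 frames are skipped."""
    (magic,) = struct.unpack("<I", pcap_bytes[:4])
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == 0xD4C3B2A1:          # same magic written big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng / nanosecond pcap not handled)")
    (linktype,) = struct.unpack(end + "I", pcap_bytes[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")

    addrs = set()
    off = 24
    while off + 16 <= len(pcap_bytes):
        (incl_len,) = struct.unpack(end + "I", pcap_bytes[off + 8:off + 12])
        pkt = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Need at least Ethernet (14) + minimal IPv4 header (20), EtherType 0x0800.
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue
        addrs.add(str(ipaddress.IPv4Address(pkt[26:30])))   # IP src at 14 + 12
        addrs.add(str(ipaddress.IPv4Address(pkt[30:34])))   # IP dst at 14 + 16
    return addrs


def blacklist_hits(pcap_bytes, blacklist_text):
    """Map each CIDR in a blacklist file to the pcap addresses inside it.
    The file format matches the iplist preprocessor's: whitespace-separated
    CIDRs, '#' comments ignored. An empty list means Snort will never alert."""
    nets = []
    for line in blacklist_text.splitlines():
        for tok in line.split("#", 1)[0].split():
            nets.append(ipaddress.ip_network(tok, strict=False))
    addrs = [ipaddress.IPv4Address(a) for a in ipv4_addresses(pcap_bytes)]
    return {str(n): sorted(str(a) for a in addrs if a in n) for n in nets}


if __name__ == "__main__":
    # Constructed sample traffic: two flows, only one touching 172.16.0.0/16.
    sample = build_pcap([("10.1.1.5", "172.16.4.9"), ("192.0.2.7", "10.1.1.5")])
    for cidr, hits in blacklist_hits(sample, "172.16.0.0/16\n203.0.113.0/24  # unused\n").items():
        print(f"{cidr}: {len(hits)} address(es) {hits}")
```

Run it against your own capture with `blacklist_hits(open("Honeynet-RFP-iis.pcap", "rb").read(), open("/etc/snort/rules/test.blacklist").read())`; any CIDR that maps to an empty list will never fire, so either pick another range or accept that silence in /tmp/alert is expected.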

15) Install dumbpig

Install required perl modules from CPAN

lward@webexprep:~$ sudo cpan -e "Parse::Snort"
lward@webexprep:~$ sudo cpan -e "LWP::Simple"
lward@webexprep:~$ wget http://rm-rf.co.uk/downloads/dumbpig
lward@webexprep:~$ chmod +x ./dumbpig

16) Grab the latest Emerging threats RBN list

lward@webexprep:~$ wget http://www.emergingthreats.net/rules/emerging-rbn.rules

17) Convert the rule file into a blacklist

lward@webexprep:~$ ./dumbpig -q -r emerging-rbn.rules -b /etc/snort/rules/rbn.blacklist

DumbPig will detect rules that will work best in a blacklist, and add them to the file “rbn.blacklist”. For more usage information, take a look at the dumbpig page.

lward@webexprep:~$ head -n 5 /etc/snort/rules/rbn.blacklist
# Autogenerated blacklist by DumbPig from emerging-rbn.rules
# Contact leon.ward@sourcefire.com
# For more information about dumbPig visit http://rm-rf.co.uk
114.80.67.30/32 114.80.67.32/32 <snip>    # From Sid 2406000 : "ET RBN Known Russian Business Network IP TCP (1)" : emerging-rbn.rules
114.80.67.30/32 114.80.67.32/32 <snip>    # From Sid 2406001 : "ET RBN Known Russian Business Network IP UDP (1)" : emerging-rbn.rules
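To make concrete what “dumb” means here, the following is an added example, not DumbPig’s own Perl code, that applies a simplified version of the idea: a rule whose options carry no payload-matching keyword (content, uricontent, pcre, byte_test, byte_jump, isdataat) and whose source or destination is a literal address list is doing nothing the iplist preprocessor cannot do in a single lookup, so its addresses are lifted into a blacklist line in the same layout as the rbn.blacklist output above. That criterion is my assumption for the example, not DumbPig’s exact logic. The rules it parses are constructed inline with documentation address ranges and test SIDs; feed it the text of emerging-rbn.rules to run it on the real thing.

```python
"""Lift IP-only Snort rules into an iplist-style blacklist (added example)."""
import ipaddress
import re

# Option keywords that make a rule inspect payload; such rules stay as rules.
PAYLOAD_OPTIONS = ("content:", "uricontent:", "pcre:", "byte_test:", "byte_jump:", "isdataat:")

# header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r'^(?:alert|log|pass|drop|reject|sdrop)\s+\S+\s+'
    r'(?P<src>\S+)\s+\S+\s+(?:->|<>)\s+(?P<dst>\S+)\s+\S+\s+'
    r'\((?P<opts>.*)\)\s*$'
)

# Constructed sample in the emerging-rbn.rules style (test SIDs, RFC 5737 ranges).
SAMPLE_RULES = """\
# sample ruleset (constructed)
alert tcp [192.0.2.10,192.0.2.0/28,198.51.100.7] any -> $HOME_NET any (msg:"TEST RBN Known Bad IP TCP (1)"; reference:url,example.invalid; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:9900001; rev:1;)
alert udp [192.0.2.10,192.0.2.0/28,198.51.100.7] any -> $HOME_NET any (msg:"TEST RBN Known Bad IP UDP (1)"; classtype:misc-attack; sid:9900002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"TEST content rule"; flow:to_server,established; content:"/cmd.exe"; nocase; sid:9900003; rev:1;)
alert tcp [203.0.113.5] any -> $HOME_NET any (msg:"TEST single IP with pcre"; pcre:"/foo/"; sid:9900004; rev:1;)
"""


def parse_ip_list(field):
    """CIDRs in a literal address field such as 1.2.3.4 or [a,b/24], or None
    when the field is a variable ($HOME_NET), 'any', or uses negation (!),
    which a plain blacklist cannot express."""
    if not field or field[0] not in "[0123456789":
        return None
    nets = []
    for tok in field.strip("[]").split(","):
        tok = tok.strip()
        if tok.startswith("!"):
            return None
        try:
            nets.append(str(ipaddress.ip_network(tok, strict=False)))
        except ValueError:
            return None
    return nets


def option(opts, name):
    """Value of a rule option like msg:"..." or sid:1234 (quotes stripped)."""
    m = re.search(r'\b' + name + r'\s*:\s*"?([^;"]*)"?\s*;', opts)
    return m.group(1).strip() if m else None


def find_dumb_rules(rule_text):
    """Return (sid, msg, cidrs) for every rule that has no payload option and
    at least one literal address list in its source or destination. A msg
    text that happens to contain 'content:' is conservatively kept as a rule."""
    found = []
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = m.group("opts")
        if any(kw in opts for kw in PAYLOAD_OPTIONS):
            continue
        nets = []
        for field in (m.group("src"), m.group("dst")):
            nets.extend(parse_ip_list(field) or [])
        if nets:
            found.append((option(opts, "sid"), option(opts, "msg"), list(dict.fromkeys(nets))))
    return found


def render_blacklist(entries, source):
    """One line per rule, in the layout of the DumbPig output shown above."""
    lines = [f"# Autogenerated blacklist from {source} (example script, not DumbPig)"]
    for sid, msg, nets in entries:
        lines.append(f'{" ".join(nets)}    # From Sid {sid} : "{msg}" : {source}')
    return "\n".join(lines) + "\n"


def unique_networks(entries):
    """All CIDRs across the lifted rules, with overlaps collapsed (a /32 that
    sits inside a listed /28 disappears), as the preprocessor effectively sees them."""
    nets = [ipaddress.ip_network(n) for _, _, ns in entries for n in ns]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    found = find_dumb_rules(SAMPLE_RULES)
    print(render_blacklist(found, "sample.rules"))
    print("distinct networks:", unique_networks(found))
```

Of the four sample rules only the two pure IP-list rules are lifted; the content rule and the pcre rule still need Snort's detection engine and are left alone. The `unique_networks` view is worth a glance before deploying a converted list: ET's RBN lines repeat the same addresses across the TCP and UDP SIDs, so the distinct-network count is usually far smaller than the line count suggests.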

18) Reconfigure your snort.conf to use the rbn.blacklist

Something like this should work for you: “preprocessor iplist: blacklist RBN_Hosts /etc/snort/rules/rbn.blacklist”

And that’s it, the rest is up to you to use/abuse as you need.

Troubleshooting

Troubleshooting build problems: if you are having fun with one of the errors below, start with a clean source tree, re-patch, and follow step 6 again (note the aclocal command).

undefined reference to `SetupIpList'
configure.in:1050: warning: macro `AM_PATH_LIBPRELUDE' not found in library

Happy Snorting - Leon

Written by leonward

July 20, 2009 at 12:06 pm

Posted in Security, snort
