Friday, November 30, 2012

Bug fixes, clarifications and feature requests

I had a conversation with a user of autosnort by the name of Guillaume a few days ago regarding a couple of bugs to fix and features to integrate into the script, specifically for CentOS. Bug fixes will be released shortly after this post.

First, the bugs:

1) Line 105 of autosnort for CentOS was a yum -y upgrade command. The differences between update and upgrade are minor; however, they could be enough of a problem for some users to warrant an explanation:

yum upgrade performs software updates against CentOS and also removes installed packages that have been marked as obsolete, either as part of an upgrade to a new software version or at the whim of the distro maintainers.

yum update just performs maintenance updates on the system; obsolete packages are left alone. For this reason, I have changed the yum statement from upgrade to update.

2) The rm statement for removing the EPEL repo rpm file (line 127) was malformed and was attempting to delete a URL. This of course would never succeed and has been fixed.

3) The copy statements (lines 321 and 325) for SO rules somehow were not copying the SO rules to the correct directory. This has been resolved.

Next, some clarifications:

Guillaume noticed that the interface snort is configured to listen on is brought up with the -arp and -multicast options. He cautioned me that this would lead to the interface not responding to requests if there is an IP address assigned to it.

I've taken Sourcefire's own 3D training as well as the snort/rule writing courses. This is the recommended configuration for a dedicated IDS system. If you are going to dedicate a system to sniffing network traffic, you always want to ensure that you have at least two dedicated network interfaces available:

1) An interface dedicated solely to sniffing traffic. We aren't going to respond to ANYTHING for ANYONE on this interface. This is the interface you have connected to your hub, tap, SPAN port, etc., whose sole job is to grab traffic and give it to snort for analysis, hopefully without choking on it. Connections to or from your sensor should never be seen or attempted on this interface.

2) The secondary or "management" interface you will use to talk to the host via SSH, HTTP/HTTPS or other secure means, to analyze the events snort has recorded, or to forward events to a central location.

It is never recommended (and on 3D boxes damn near impossible) to have your sniffing and management traffic on the same interface. It is also recommended not to have your sniffing interface respond to multicast or ARP requests, for opsec reasons: you do not need your users or potential attackers who have exploited their way onto your network to know that you're listening.

I never really clarified this in any of the documentation except the portion of the script that asks you to specify the sniffing interface, so I hope this helps to clarify why the script does this -- I will be adding this to the requirements portion of the autosnort readme, albeit in a much more condensed form.

Feature requests:

Guillaume has requested that GRO and LRO (Generic and Large Receive Offload) be disabled via ethtool for all script versions, per the recommendations of the snort user guide. The snort user guide was written by professionals and I can't really argue against it, so expect changes to the script soon to ensure ethtool is installed and GRO/LRO are disabled, with the exception of backtrack -- if you want an explanation as to why, check the readme I have included with the backtrack version of autosnort. To paraphrase it, the goals for the backtrack autosnort script were simply to update the snort installation, not to provide a full IDS deployment.

Guillaume also requested replacing the VRT tarball request with pulledpork. I had plans to do this eventually, but it will be a little while before this is done. Mark my words, it's in the works.

I'm also getting requests for other web front ends, including BASE and Snorby -- again, they are definitely in the works, but will be a while off due to time constraints -- I have a day job, unfortunately, and only really have time to work on this project over the weekend, and even then I still have family and friends I love dearly. I ask that you be patient and know that though I am dedicated to this project, I am still a man.

Thanks for your support, I hope you continue to enjoy autosnort while I continue to improve upon it.
