Wednesday, June 21, 2017

Install Snort IDS in Windows




In this article, we are going to install Snort on Windows, perform a basic configuration and then add Snort rules. Snort can also be configured as an intrusion prevention system, but in our case we will only configure Snort as an IDS.

Carry out the following steps:
1. Download and install Snort and WinPcap
2. Download the Snort rules
3. Configure the snort.conf file
4. Run Snort so that it displays alerts on the console
5. Run Snort so that it saves alerts to a file

=============================================================

Step 1:
Note: Install snort and winpcap as an administrator.

Download winpcap https://www.winpcap.org/ and install it as an administrator, just let it install with default settings. Restart your computer.

Download the Snort installer exe at https://www.snort.org/downloads and install it as an administrator; just choose the default configuration, where you only have to click “I Agree”, “Next”, “Next”, “Next”, “Close” and “Ok”.

===============================================================

Step 2:
Sign up for an account at snort.org to be able to download the rule set. Signing up is easy: you will receive a confirmation email from Snort, and after confirming you can log in and download the rule set (see image below) from https://www.snort.org/downloads#rules.


Download rules



Extract the downloaded file. In my case the file is snortrules-snapshot-2990.tar.gz, which after extraction becomes snortrules-snapshot-2990.tar. Extract this file as well and you will have four folders:

etc
preproc_rules
rules
so_rules

Copy the contents of etc to C:\Snort\etc\ and replace the existing files with the updated versions.
Copy the contents of preproc_rules to C:\Snort\preproc_rules\ and replace the existing files.
Copy the contents of rules to C:\Snort\rules\

================================================================

Step 3: Open the snort.conf file with your favorite text editor. In my case, I use WordPad.

Scroll down, look for the following lines and change them as indicated below. Each block shows the original line(s) ("From"), the replacement ("To") and, where needed, a note giving the reason. The notes are remarks only; do not copy them into snort.conf.

From:
ipvar HOME_NET any
To:
ipvar HOME_NET 192.168.43.0/24
Note: 192.168.43.0/24 is my home network; yours could be different.

From:
ipvar EXTERNAL_NET any
To:
ipvar EXTERNAL_NET !$HOME_NET
Note: Any IP that is not in my home net is treated as an external net.

From:
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
To:
var RULE_PATH C:\Snort\rules
#var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH C:\Snort\preproc_rules

From:
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
To:
var WHITE_LIST_PATH C:\Snort\rules
var BLACK_LIST_PATH C:\Snort\rules

From:
# config logdir:
To:
config logdir: C:\Snort\log
Note: Uncomment the line and enter the log directory.

From:
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
To:
dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor

From:
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
To:
dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll

From:
dynamicdetection directory /usr/local/lib/snort_dynamicrules
To:
#dynamicdetection directory /usr/local/lib/snort_dynamicrules

From:
# Does nothing in IDS mode
preprocessor normalize_ip4
preprocessor normalize_tcp: block, rsv, pad, urp, req_urg, req_pay, req_urp, ips, ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
To:
# Does nothing in IDS mode
#preprocessor normalize_ip4
#preprocessor normalize_tcp: block, rsv, pad, urp, req_urg, req_pay, req_urp, ips, ecn stream
#preprocessor normalize_icmp4
#preprocessor normalize_ip6
#preprocessor normalize_icmp6

From:
whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules
To:
whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules
Note: The lines stay as they are, but you need to manually create these two files, named white_list.rules and black_list.rules, in the C:\Snort\rules\ directory.

From:
# site specific rules
include $RULE_PATH/local.rules
To:
# site specific rules
include $RULE_PATH\local.rules
Note: We are changing the / to \ because we are on Windows. Do the same for every .rules include that follows, down to the last one, which is usually include $RULE_PATH/x11.rules.

From:
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
To:
include $PREPROC_RULE_PATH\preprocessor.rules
include $PREPROC_RULE_PATH\decoder.rules
include $PREPROC_RULE_PATH\sensitive-data.rules

Save the file and close wordpad.

Restart your computer (you have just installed Snort) to avoid a lot of classtype errors.

=========================================================

Step 4:
Open a command prompt as an administrator. Then cd to C:\Snort\bin and run the command below to see the available interfaces:

snort -W

This will list a number of interfaces. Choose an interface by its index (in my case I chose 3) and take note of it.

To show information about different switches you can enter the command:

            snort -?

Run snort that displays alerts on console with the following command:

snort -i 3 -c c:\Snort\etc\snort.conf -d -l c:\Snort\log -A console

This may take a while, but as soon as the console pops up you can watch it for triggered alerts. To stop Snort, just press Ctrl+C.

==============================================================

Step 5:
Run Snort so that it saves alerts to a file. We will name the file 21June2017alert.txt to remind us when this article was created. Enter the following command:

snort -i 3 -c c:\Snort\etc\snort.conf -d -l c:\Snort\log -A console > c:\Snort\log\21june2017alert.txt

From now you can monitor the file c:\Snort\log\21june2017alert.txt for alerts.

If you want to check whether your interface is working or not, perform a test. Open the file C:\Snort\rules\local.rules then add the alert below.

        alert icmp any any -> any any (msg:"Testing ICMP"; sid:10001;)

Rerun Snort so that it displays alerts on the console, as described above. Open another command prompt, ping any host (for example "ping www.google.com") and check whether the Snort console window displays an alert. If it does not, try another interface.
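As an added example (not part of the original post), the following PowerShell script checks the Windows layout that Steps 2 and 3 rely on before you start Snort in Step 4: it verifies the paths snort.conf now points at, creates the two list files the post says must be made by hand, flags any include line still using a forward slash, and then asks Snort itself to validate the configuration. It assumes Snort was installed to C:\Snort as in the post and that snort.exe is in C:\Snort\bin; run it from an elevated PowerShell.

```powershell
# Pre-flight check for the Snort-on-Windows layout used in this post (added example).
# Assumption: Snort lives under C:\Snort, as in the post's snort.conf edits.
$SnortRoot = 'C:\Snort'
$Conf      = Join-Path $SnortRoot 'etc\snort.conf'

# Paths that snort.conf points at after the Step 3 edits.
$Required = @(
    $Conf,
    (Join-Path $SnortRoot 'rules\local.rules'),
    (Join-Path $SnortRoot 'lib\snort_dynamicengine\sf_engine.dll'),
    (Join-Path $SnortRoot 'lib\snort_dynamicpreprocessor'),
    (Join-Path $SnortRoot 'preproc_rules')
)
$Missing = $Required | Where-Object { -not (Test-Path $_) }
$Missing | ForEach-Object { Write-Warning "Missing: $_" }

# white_list.rules and black_list.rules must exist (the post creates them by hand);
# an empty file is enough for Snort to start. The log directory must exist too.
foreach ($f in 'rules\white_list.rules', 'rules\black_list.rules') {
    $p = Join-Path $SnortRoot $f
    if (-not (Test-Path $p)) { New-Item -ItemType File -Path $p | Out-Null; "Created $p" }
}
New-Item -ItemType Directory -Path (Join-Path $SnortRoot 'log') -Force | Out-Null

# Any active include that still uses "/" after the variable was missed in Step 3.
Select-String -Path $Conf -Pattern '^\s*include\s+\$\w+/' |
    ForEach-Object { Write-Warning "Unix-style path on line $($_.LineNumber): $($_.Line.Trim())" }

# Let Snort parse and validate the configuration (-T = test mode, exits after parsing).
& (Join-Path $SnortRoot 'bin\snort.exe') -T -c $Conf
```

If the final command reports that Snort "successfully validated the configuration", the commands in Steps 4 and 5 should start without parse errors.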




For more info and references:
www.snort.org
www.microsoft.com
















Monday, June 19, 2017

Analyzing windows event log for malicious activity





What is windows event log?
The Windows event log is a record of a computer's alerts and notifications, such as errors, warnings and other information.

There are a lot of System Information and Event Management (SIEM) tools out there that collect and analyze logs and monitor for security threats; these products offer many advanced features.

In this article, we are going to explore windows event viewer to perform a simple security analysis and create a simple custom view for monitoring.

We are going to use the following event ID 4672 - Special privileges assigned to new logon.
This event lets you know whenever an account that has been assigned any "administrator equivalent" user rights logs on. There are good reasons to monitor this event: we usually give our employees standard user rights, and attackers perform privilege escalation (e.g. Metasploit’s Meterpreter script getsystem, which uses a number of different techniques to attempt to gain SYSTEM-level privileges).

Sample list of event IDs:

ID     Message
4672   Special privileges assigned to new logon.
4673   A privileged service was called.
4674   An operation was attempted on a privileged object.
5140   A network share object was accessed.
5142   A network share object was added.
5145   A network share object was checked to see whether the client can be granted desired access.

A list of event IDs can be found here:



To do this, click on the Start button, search for Event Viewer, right-click on it and run it as an administrator; you will then see a window as shown below.


We are going to filter the result to only show special privilege logon. Follow the steps below.



Now you can analyze each special logon, together with the time it occurred, to decide whether it was authorized.



Next, we are going to create a custom view to monitor special logon.



Here we are naming it as Custom Special Logon.



Now we can click on this tab every time we want to check for special logons. 



There are a lot of configuration options available, make a custom view that suits your need.

Now that you have basic event analysis skills, think of this situation: malware infects a computer in your network, leverages its privileges, maps the network and perhaps copies itself to other machines.
You may want to investigate a series of event IDs, including 5140 and 4672; refer to the table I created above.

Security tools such as the Metasploit Framework include a Meterpreter command called clearev, which clears the event log. This capability is nothing new to elite hackers, who can craft their own custom tools. A cleared event log should ring your loudest bell.
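As an added example (not part of the original post), the script below runs the same filter as the "Custom Special Logon" view from PowerShell, so it can be scheduled or run across several machines. It queries the event IDs from the post's table (4672 and 5140) together with event ID 1102, which Windows writes to the Security log when that log is cleared, so a clearev-style wipe shows up as its own line. It assumes an elevated PowerShell session and a 24-hour look-back window.

```powershell
# Query the Security log for special logons, share access and log clearing (added example).
$Since = (Get-Date).AddHours(-24)   # assumption: look back one day

# Event Viewer custom views are XPath queries like this one (see the filter's XML tab).
$Query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4672 or EventID=5140 or EventID=1102)]]</Select>
  </Query>
</QueryList>
"@

$Events = Get-WinEvent -FilterXml ([xml]$Query) -ErrorAction SilentlyContinue |
          Where-Object { $_.TimeCreated -ge $Since }

# Turn an event's <EventData><Data Name="..."> fields into a hashtable for triage.
function Get-EventFields($Event) {
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

$Rows = foreach ($e in $Events) {
    $f   = Get-EventFields $e
    $who = "$($f.SubjectDomainName)\$($f.SubjectUserName)"
    switch ($e.Id) {
        4672 { [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Who = $who; Detail = $f.PrivilegeList } }
        5140 { [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Who = $who; Detail = "$($f.ShareName) from $($f.IpAddress)" } }
        # 1102 carries its details in <UserData>, not <EventData>; the fact it exists is the finding.
        1102 { [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Who = '(see event)'; Detail = '*** AUDIT LOG CLEARED ***' } }
    }
}

$Rows | Sort-Object Time | Format-Table -AutoSize

# Accounts that received admin-equivalent rights; standard user accounts should not appear here.
$Rows | Where-Object Id -eq 4672 | Group-Object Who | Sort-Object Count -Descending |
    Select-Object Name, Count
```

The per-account summary at the end is the quickest way to spot a standard user account that suddenly shows up with special privileges.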







For more info and references:


Sunday, June 18, 2017

What and why Cyber Threat Intelligence





When we say intelligence, we are dealing with information, while a cyber threat is the possibility of a malicious attempt to damage or disrupt a computer network or system.

With the above definitions, we can say that cyber threat intelligence is about gathering information on whatever could possibly harm a computer network or system.

Similarly to Human Intelligence (HUMINT) and Open Source Intelligence (OSINT), a good source of information often comes from the community, and only about 10 to 20% of it comes from internal sources or from the agent himself. Although the reliability of this information varies from source to source, it is still beneficial to include it for processing and analysis.

So, why the need for CTI?

Know what’s coming and prepare for it. The capability to identify threats that may come to your organization is important for making efficient decisions about enhanced security and threat response. Relevant and timely threat intelligence can help an organization stay one step ahead of the threat, because these threats are constantly evolving: cyber criminals are motivated to develop sophisticated attacks for their gains and causes.

Everyone is at risk of cyber attacks, no matter the size of your organization, but well-implemented CTI helps your security team monitor and detect malicious activity on your network and stay updated on the latest threats. CTI is not the one and only solution, but it can serve as the basis for making good decisions that provide quality cyber security.

Failing to make use of intelligence can lead to a future crisis. Now that you have an idea of what cyber threat intelligence is and an overview of how it can help your organization, what will be your excuse for not implementing it? Cyber threat intelligence is the future of cyber security, and that future has already started and keeps moving forward. Don’t get left behind; catch up. Now!








For more info and references:

