This series of 3 articles - co-authored with my colleague **Nicola Cardace @ncardace** - discusses the use of an Intrusion Detection System (IDS) with the Apigee hybrid runtime and Google Cloud Monitoring and Logging.
This is the second article; it covers the installation of the Snort IDS. Please refer to Part 1 if you missed it!
Install Open Source IDS (Snort)
At this step, connect to your IDS VM over SSH to proceed with the Snort installation.
Installation of Snort on Ubuntu
This chapter details the installation of Snort on Ubuntu.
Installing from source
sudo apt-get update -y
sudo apt install -y gcc libpcre3-dev zlib1g-dev libluajit-5.1-dev \
libpcap-dev openssl libssl-dev libnghttp2-dev libdumbnet-dev \
bison flex libdnet autoconf libtool
mkdir ~/snort_src && cd ~/snort_src
Snort 2.9 introduces the DAQ, or Data Acquisition library, for packet I/O. The DAQ replaces direct calls to libpcap functions with an abstraction layer that facilitates operation on a variety of hardware and software interfaces without requiring changes to Snort. It is possible to select the DAQ type and mode when invoking Snort to perform pcap readback or inline operation, etc.
wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz
tar -xvzf daq-2.0.7.tar.gz
cd daq-2.0.7
autoreconf -f -i
./configure && make && sudo make install
cd ~/snort_src
wget https://www.snort.org/downloads/snort/snort-2.9.17.1.tar.gz
tar -xvzf snort-2.9.17.1.tar.gz
cd snort-2.9.17.1
./configure --enable-sourcefire && make && sudo make install
Configuring Snort to run in Network IDS (NIDS) mode
sudo ldconfig
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
Setting up username and folder structure
sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
sudo mkdir -p /etc/snort/rules
sudo mkdir /var/log/snort
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
sudo touch /etc/snort/rules/white_list.rules
sudo touch /etc/snort/rules/black_list.rules
sudo touch /etc/snort/rules/local.rules
sudo cp ~/snort_src/snort-2.9.17.1/etc/*.conf* /etc/snort
sudo cp ~/snort_src/snort-2.9.17.1/etc/*.map /etc/snort
Add local rules:
sudo vi /etc/snort/rules/local.rules
Here is an example of a local rule. Keep in mind that a rule must be written on one single line.
# $Id: local.rules,v 1.11 2004/07/23 20:15:44 bmc Exp $
# ----------------
# LOCAL RULES
# ----------------
# This file intentionally does not come with signatures. Put your local
# additions here.
alert tcp $HOME_NET any -> [67.213.75.205] 443 (msg:"Feodo Tracker: potential Dridex CnC Traffic detected"; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; reference:url, feodotracker.abuse.ch/browse/host/67.213.75.205/; sid:900505001; rev:1;)
The rule above (file: local.rules) triggers an alert if a target endpoint or a service callout connects to the suspicious IP address 67.213.75.205.
It says that if a TCP connection is made from $HOME_NET (the Apigee hybrid runtime pods) to 67.213.75.205 on port 443, an alert is generated by the IDS (Snort).
The following threshold is also set on the local rule:
threshold: type limit, track by_src, seconds 60, count 1;
It limits the output to 1 alert per 60 seconds per source IP (Apigee hybrid "runtime" pod): the first matching connection from a given source in a 60-second window is reported, further matches in that window are suppressed. Without it, a rule like this one, which has no content or flow option, would fire on every packet of the connection and a single call would produce several alerts. (The threshold rule option is deprecated in Snort 2.9 in favour of detection_filter and event_filter, but is still honoured.)
Basics of Snort rules can be found here.
Snort Configuration
At this step, we need to configure snort. For this, please edit the Snort configuration file:
sudo vi /etc/snort/snort.conf
Make sure that the variables HOME_NET and EXTERNAL_NET are defined in snort.conf:
- HOME_NET: a list (in Snort's bracket notation) of the IP ranges used by your Apigee hybrid runtime (ingress and Message Processor pods). If pod egress traffic is SNATed to the node address before it leaves the node (GKE's default IP masquerading for non-RFC 1918 destinations), the node subnet must be included as well, otherwise the source condition of the rule will not match.
- EXTERNAL_NET can be set to any
Here is a screenshot of a Snort configuration, providing an example of how these 2 variables can be set (in the default snort.conf shipped with 2.9.17.1 they are at lines 45 and 48):
You also need to include your custom local rules in your Snort configuration.
For this, go to "Step #7" of the Snort configuration file and include your local rules file (local.rules), as shown in the following picture:
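Since the screenshots are not reproduced here, the following fragment is an added example (not taken from the original article) of what the relevant parts of a Snort 2.9 snort.conf look like once edited. The two address ranges are placeholders: replace them with the pod and node ranges of your own cluster. The rule path variables are set to the directory created earlier instead of the shipped relative default (../rules); white_list.rules and black_list.rules are referenced by the reputation preprocessor, which is why those two empty files were created above.

```conf
# Step #1: network variables (lines 45 and 48 of the default snort.conf)
# Placeholder ranges, to be replaced with your Apigee hybrid runtime pod and node ranges.
ipvar HOME_NET [10.130.0.0/20,10.4.0.0/14]
ipvar EXTERNAL_NET any

# Step #1: rule paths (the shipped defaults are relative: ../rules, ../so_rules, ...)
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

# Step #7: customize your rule set
include $RULE_PATH/local.rules
```

The default Step #7 also contains many uncommented `include $RULE_PATH/<name>.rules` lines for rule files that are not present in the installation described here; Snort refuses to start when an included file is missing, so comment those lines out (or install the corresponding rule sets) and keep only the includes you actually have.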
Testing the Apigee hybrid & IDS solution
The Apigee hybrid and IDS solution can easily be tested.
For this, create an API proxy that contains a service callout policy or a target endpoint whose URL uses a hostname or IP address considered a security-sensitive destination.
As an example, identify IP addresses of httpbin.org or example.com. We will consider these IP addresses as suspicious destinations.
Modify the local.rules file in order to integrate these IP addresses.
Here is an example:
alert tcp $HOME_NET any -> [18.235.124.214] 443 (msg:"Testing a simple Snort rule"; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:000000001; rev:1;)
alert tcp $HOME_NET any -> [52.201.75.114] 443 (msg:"Testing a simple Snort rule"; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:000000002; rev:1;)
NB: in this example, 18.235.124.214 and 52.201.75.114 are IP addresses of httpbin.org (there may be some others, and the set changes over time, so resolve the hostname again on your side). Also note that SIDs below 1,000,000 are reserved for the rule sets distributed by Snort/Talos; SIDs 1 and 2 are fine for a quick test, but anything you keep should use the local range (1,000,000 and above).
From now on, each time one of these 2 IP addresses is used as a target destination on an Apigee hybrid runtime, an alert is triggered by Snort. Let's test it!
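As an added example (not part of the original article), the following Python script generates rules of the exact shape used above for a list of destination IPs, handing out SIDs from 1000000 upwards so they cannot collide with Snort's own rule sets, and rejecting input that would produce a syntactically broken rule. The two addresses are the httpbin.org addresses quoted in this article and serve only as sample input; the output is meant to be appended to /etc/snort/rules/local.rules.

```python
"""Generate Snort 2.9 local rules for a list of suspicious destination IPs.

Added example, not from the original article. SIDs below 1000000 belong to
the rule sets distributed by Snort/Talos, so local rules start at 1000000.
"""
import ipaddress

LOCAL_SID_START = 1_000_000

# Same shape as the article's rule: a TCP connection from HOME_NET to the
# listed IP/port raises one alert per source IP per 60 seconds.
RULE_TEMPLATE = (
    'alert tcp $HOME_NET any -> [{ip}] {port} '
    '(msg:"{msg}"; '
    'threshold: type limit, track by_src, seconds 60, count 1; '
    'classtype:trojan-activity; sid:{sid}; rev:1;)'
)


def make_rule(ip, sid, msg, port=443):
    """Return one rule on a single line, as Snort requires.

    Rejects anything that is not an IPv4 address, a SID in the reserved
    range, and msg text that would break the rule option syntax.
    """
    addr = ipaddress.IPv4Address(ip)  # raises AddressValueError (a ValueError) on bad input
    if sid < LOCAL_SID_START:
        raise ValueError(f"sid {sid} is below {LOCAL_SID_START}, reserved for Snort's own rules")
    if '"' in msg or ";" in msg:
        raise ValueError("msg must not contain double quotes or semicolons")
    return RULE_TEMPLATE.format(ip=addr, port=port, msg=msg, sid=sid)


def make_rules(ips, msg, start_sid=LOCAL_SID_START, port=443):
    """One rule per distinct IP, with consecutive SIDs, input order preserved."""
    unique = list(dict.fromkeys(str(ipaddress.IPv4Address(ip)) for ip in ips))
    return [make_rule(ip, start_sid + i, msg, port) for i, ip in enumerate(unique)]


# Sample input: the httpbin.org addresses quoted in the article (constructed list).
SUSPICIOUS_IPS = ["18.235.124.214", "52.201.75.114"]

if __name__ == "__main__":
    # Append the output to /etc/snort/rules/local.rules, then validate with:
    #   sudo snort -T -c /etc/snort/snort.conf
    for rule in make_rules(SUSPICIOUS_IPS, "Testing a simple Snort rule"):
        print(rule)
```

The msg check matters because the option block is delimited by semicolons and the message by double quotes; an IP or hostname pasted into msg with either character would make Snort reject the whole rules file at startup.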
API Proxy Configuration
We create here a simple API proxy in pass-through mode. The target endpoint of this API proxy is:
https://httpbin.org/get
Remember that in our test we consider httpbin.org as a suspicious destination…
Verify the target endpoint, as shown on the following picture:
Starting Snort
Before starting Snort, it is worth validating the configuration and rule syntax with its -T (test) option, which parses everything and exits without processing packets. You can then start your Snort IDS in console mode, using the following command:
sudo snort -A console -i ens4 -u snort -g snort -c /etc/snort/snort.conf
The output of the command is provided on the following picture:
At this step, all the API traffic of the Apigee hybrid runtime is mirrored to the Snort IDS Virtual Machine (VM) and scanned by Snort on the ens4 interface. Please refer to Part 1 if you want to learn about the implementation details of the solution.
Let's call the "simple API", using the following cURL command (-k disables TLS certificate verification; drop it if your ingress presents a certificate your client trusts):
export RUNTIME_IP=<YOUR_APIGEE_HYBRID_RUNTIME_INGRESS_IP>
export RUNTIME_HOST_ALIAS=<YOUR_APIGEE_HYBRID_RUNTIME_HOST_ALIAS>
curl -k https://$RUNTIME_HOST_ALIAS/simple/v1 -i --resolve "$RUNTIME_HOST_ALIAS:443:$RUNTIME_IP"
You should receive an HTTP 200 response, like the following one:
HTTP/2 200
date: Tue, 27 Jul 2021 11:44:21 GMT
...
{
"args": {},
"headers": {
"Accept": "*/*",
"Host": "httpbin.org",
...
}
On the Snort IDS console, you should see a message like this one:
07/27-11:44:21.479674 [**] [1:2:1] Testing a simple Snort rule [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.130.0.3:55202 -> 52.201.75.114:443
You can see that the suspicious call has been detected by Snort, which has triggered the alert shown in the console. In the alert, [1:2:1] is the generator ID, SID and revision, so this is the second test rule (sid 2) that matched; the source is the mirrored runtime address and the destination is one of the httpbin.org addresses listed in local.rules.
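The next article ships these console lines to Cloud Logging, so it helps to see what a log shipper has to extract from them. As an added example (not part of the original article or of the fluentd configuration used later), this Python snippet parses Snort's -A console alert format into structured fields (gid/sid/rev, message, classification, priority, protocol and both endpoints) and counts alerts per rule and destination. Only IPv4 endpoints are handled. The first sample line is the alert quoted above; the other lines are constructed for this example.

```python
"""Parse Snort 2.9 console alerts (-A console) into structured records.

Added example, not from the original article. Handles IPv4 endpoints,
optional ports (ICMP alerts have none) and the optional Classification
field (absent when a rule has no classtype).
"""
import re
from collections import Counter

ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return a dict for an alert line, or None for any other console output."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    # Console timestamps carry no year: a log shipper must add it from the host clock.
    return rec


def summarize(lines):
    """Count alerts per (sid, destination IP), ignoring non-alert lines."""
    counts = Counter()
    for line in lines:
        rec = parse_alert(line)
        if rec is not None:
            counts[(rec["sid"], rec["dst"])] += 1
    return counts


# Constructed sample: the first line is the alert quoted in the article,
# the second is ordinary Snort startup output, the rest are made up.
SAMPLE_LINES = [
    "07/27-11:44:21.479674 [**] [1:2:1] Testing a simple Snort rule [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.130.0.3:55202 -> 52.201.75.114:443",
    "Commencing packet processing (pid=4242)",
    "07/27-11:45:30.102938 [**] [1:2:1] Testing a simple Snort rule [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.130.0.4:41866 -> 52.201.75.114:443",
    "07/27-11:46:02.555001 [**] [1:1:1] Testing a simple Snort rule [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.130.0.3:55210 -> 18.235.124.214:443",
]

if __name__ == "__main__":
    for (sid, dst), n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"sid {sid} -> {dst}: {n} alert(s)")
```

Keying the summary on (sid, destination) rather than on the message text is deliberate: both test rules above share the same msg, so only the SID tells them apart, which is also why the alerting policy in Part 3 should key on the SID field rather than on free text.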
In the next article of the series, we install a logging agent (fluentd) on the IDS Virtual Machine (VM) in order to push logs from the IDS VM to Cloud Logging.
Finally, we create an alerting policy on Google Cloud Monitoring in order to see alerts directly on the Google Cloud console.