From OpenNMS
'Snort' is an Intrusion Detection System (IDS). It scans all the network traffic, seeking patterns that can indicate dangerous activity.
Snort can report these situations by logging its results to an alert file, logging to syslog, and sending SNMP traps.
'OpenNMS' is an NMS that can receive SNMP traps; OpenNMS contains a complete notification system that supports problem escalation and several types of event notification, which makes it ideal for receiving those traps and then notifying the security team about an incident.
This guide covers only the steps needed to perform such an integration; the maintainer is encouraged to read each application's documentation as necessary.
The setup explained here assumes that Snort and OpenNMS reside on different servers. Also, only a basic Snort configuration is shown (without ACID, for example).
You will need the following software to complete this installation:
Note - if you are keen on this, a span-port-enabled Snort is available in http://bugzilla.opennms.org/cgi-bin/bugzilla/show_bug.cgi?id=1498 against a more recent Snort revision; the patches described there will also correctly handle target nodes as if Snort was not part of the chain.
- Snort (1.8.7+). Important note: Snort 2.0 no longer supports sending SNMP traps. There are plans for a plugin, but when this functionality will be added is unknown. Also, Snort 1.8.x and 1.9.x have security problems, so if you're worried about your security you may want to disable some Snort options in order to keep running the old versions while the SNMP support issue is worked out.
- OpenNMS (1.0.1+)
- NMAP (for test purposes only, 2.54+)
- MIB2OpenNMS (if you don't want to use the XML that appears in this file, version 0.2.2)
See the Resources section for more information on where to get these packages.
Installing Snort
Download the snort source code and signatures from http://www.snort.org/dl/
- http://www.snort.org/dl/snort-1.8.7.tar.gz
- http://www.snort.org/dl/signatures/snortrules-stable.tar.gz (always use the stable signatures)
Make sure that you have the Net-SNMP package and OpenSSL installed. If not, install them first and then continue. For example, to install all the Net-SNMP binaries:
[root@linux0107 run]# rpm -Uhv ucd-snmp-4.2.3-1.i386.rpm ucd-snmp-devel-4.2.3-1.i386.rpm ucd-snmp-utils-4.2.3-1.i386.rpm
Untar, compile and install Snort:
cd /usr/local/src
tar -xzvf snort-1.8.7.tar.gz
tar -xzvf snortrules-stable.tar.gz
cd snort-1.8.7   # the configure script lives inside the extracted source tree
./configure --with-snmp --with-openssl
make clean
make
make install
Create a directory called /etc/snort and then copy the signatures (including the snort.conf file) to /etc/snort:
Create a user / group to run Snort:
groupadd snort
useradd -g snort -c "Snort User" -d /etc/snort snort
passwd snort    (assign a password to the Snort user)
Create the directory where Snort will store the alerts:
mkdir /var/log/snort
chown -R snort:snort /var/log/snort
Configure Snort
Open the /etc/snort/snort.conf file and change the following variables:
HOME_NET
EXTERNAL_NET
DNS_SERVERS
SMTP_SERVERS
HTTP_SERVERS
SQL_SERVERS
TELNET_SERVERS
HTTP_PORTS
SHELLCODE_PORTS
ORACLE_PORTS
RULE_PATH (set it to /etc/snort)
Please read the comments inside the snort.conf file to get an idea of appropriate values for these variables.
It is nice to log to syslog too, so uncomment the line that says:
output alert_syslog: LOG_AUTH LOG_ALERT
Start Snort
Create the following script as '/etc/init.d/snortd'. This will be used to run Snort in daemon mode:
#!/bin/sh
#
# snortd         Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description: snort is a lightweight network intrusion detection tool that
#              currently detects more than 1100 host and network
#              vulnerabilities, portscans, backdoors, and more.
#
# June 10, 2000 -- Dave Wreski <dave@linuxsecurity.com>
#   - initial version
#
# July 08, 2000 Dave Wreski <dave@guardiandigital.com>
#   - added snort user/group
#   - support for 1.6.2

# Source function library.
. /etc/rc.d/init.d/functions

# Specify your network interface here
INTERFACE=eth0

# See how we were called.
case "$1" in
  start)
        echo -n "Starting snort: "
        daemon /usr/local/bin/snort -u snort -g snort -d -D \
               -c /etc/snort/snort.conf
        touch /var/lock/subsys/snort
        echo
        ;;
  stop)
        echo -n "Stopping snort: "
        killproc snort
        rm -f /var/lock/subsys/snort
        echo
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  status)
        status snort
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
esac

exit 0
Start snort:
/etc/init.d/snortd start
And check the snort status:
/etc/init.d/snortd status
Check /var/log/messages for errors and /var/log/snort/alert for alert messages. By this time the Pig should be running :).
Testing Snort with SNMP traps
First, let's check that we can send SNMP traps with Snort:
Start the Net-SNMP trap daemon on a test machine:
[root@linux0037 root]# snmptrapd -P
2002-09-24 15:06:59 UCD-snmp version 4.2.4 Started.
Prepare Snort to send traps and informs
Please note that we assume this Snort installation is sensor 1 and that the OpenNMS trapd is listening on loghost on port 162:
output trap_snmp: alert, 1, trap -v 2c -p 162 TEST_MACHINE_WHERE_NET_SNMP_TRAPD_RUNS <my_trap_password>
OpenNMS 1.0.1 doesn't support "inform", so leave this line commented out:
# output trap_snmp: alert, 1, inform -v 2c -p 162 TEST_MACHINE_WHERE_NET_SNMP_TRAPD_RUNS <my_trap_password>
Otherwise you will get a message like the following:
Sep 24 15:14:15 XXX snort: +============= !! ATTENTION !! ===============+
Sep 24 15:14:15 XXX snort: | Snort was configured to send 'Informs' BUT
Sep 24 15:14:15 XXX snort: | there is no response from the Trap receiver
Sep 24 15:14:15 XXX snort: | You will need to check that the SnmpTrapd is
Sep 24 15:14:15 XXX snort: | alive and kicking on port 162 of YYYY
Sep 24 15:14:15 XXX snort: | Snort will switch to TRAP mode.
Sep 24 15:14:15 XXX snort: | You will need to restart Snort to revert to
Sep 24 15:14:15 XXX snort: | INFORM mode.
Sep 24 15:14:15 XXX snort: +============= !! ATTENTION !! ===============+
Now restart Snort (/etc/init.d/snortd restart) and then simulate an event with NMAP:
[root@linux0037 root]# nmap -O <my_victim_machine>

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on my_victim_machine (YY.ZZ.PP.QQ):
(The 1548 ports scanned but not shown below are in state: closed)
Port       State       Service
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
445/tcp    open        microsoft-ds
1025/tcp   open        listen
6000/tcp   open        X11
8082/tcp   open        blackice-alerts
Remote operating system guess: Windows 2000 Professional, Build 2183 (RC3)

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
You should see something like this in the window where you're running the trapd daemon:
2002-09-24 15:17:01 MY_SNORT_BOX [KK.KK.KK.KK]:
system.sysUpTime.0 = Timeticks: (102689304) 11 days, 21:14:53.04
.iso.org.dod.internet.snmpV2.snmpModules.snmpMIB.snmpMIBObjects.snmpTrap.snmpTrapOID.0 = OID: enterprises.10234.2.1.3.1
enterprises.10234.2.1.1.1.3.1 = "Snort! <*-.Version 1.8.7 (Build 128)"
enterprises.10234.2.1.1.1.5.1.2 = 1
enterprises.10234.2.1.1.1.6.1.2 = "KK.KK.KK.KK"
enterprises.10234.2.1.2.1.2.1.2 = "1032895021.693904"
enterprises.10234.2.1.2.1.4.1.2 = "spp_stream4: NMAP FINGERPRINT (stateful) detection"
enterprises.10234.2.1.2.1.6.1.2 = 1
enterprises.10234.2.1.2.1.7.1.2 = "MY.HACKER.IP.ADDRESS"
enterprises.10234.2.1.2.1.8.1.2 = 1
enterprises.10234.2.1.2.1.9.1.2 = "YY.ZZ.PP.QQ"
enterprises.10234.2.1.2.1.10.1.2 = 55125
enterprises.10234.2.1.2.1.11.1.2 = 135
enterprises.10234.2.1.2.1.26.1.2 = Hex: 00 01 03 23 94 CF
enterprises.10234.2.1.2.1.27.1.2 = Hex: 00 03 47 48 34 72
Good, Snort detected the port scan and warned you about it! Pay attention to the OIDs; we'll use them to set up OpenNMS so we can "match" these traps.
Now put the NMS machine in the Snort configuration file and restart:
output trap_snmp: alert, 1, trap -v 2c -p 162 OPENNMS_MACHINE <my_trap_password>
Preparing OpenNMS
First we need to tell OpenNMS about these events. To do that we will add the following definitions to the /opt/OpenNMS/etc/eventconf.xml file.
Optional:
If you don't want to generate the XML MIB definition by hand, just cut and paste the one that appears in this section.
The easiest way to generate the XML definitions is to take the Snort MIB files and convert them to the eventconf.xml format using mib2opennms (assume that the Snort sources are in /usr/local/src/snort-1.8.7/MIBS):
export MIBPATH="/usr/share/snmp/mibs:/usr/share/mibs:/usr/share/mibs/:/usr/share/mibs/iana:/usr/share/mibs/ietf:/usr/share/mibs/irtf:/usr/share/mibs/tubs:/usr/local/src/snort-1.8.7/MIBS"
I had to "rename" the original Common MIB file, otherwise mib2openms barked about a missing MIB module:
ln -s /usr/local/src/snort-1.8.7/MIBS/SnortCommonMIB.txt /usr/local/src/snort-1.8.7/MIBS/SNORT-COMMON-MIB
/usr/bin/mib2opennms -f /tmp/SnortIDAlertMIB.xml -m $MIBPATH /usr/local/src/snort-1.8.7/MIBS/SnortIDAlertMIB.txt
Add the Event definition
MIB2OpenNMS generates something like this:
<!-- Start of auto generated data from MIB: SNORT-INTRUSION-DETECTION-ALERT-MIB -->
<event>
  <mask>
    <maskelement>
      <mename>id</mename>
      <mevalue>.1.3.6.1.4.1.10234.2.1</mevalue>
    </maskelement>
    <maskelement>
      <mename>generic</mename>
      <mevalue>3</mevalue>
    </maskelement>
    <maskelement>
      <mename>specific</mename>
      <mevalue>1</mevalue>
    </maskelement>
  </mask>
  <uei>http://uei.opennms.org/mib2opennms/sidaAlertGeneric</uei>
  <event-label>SNORT-INTRUSION-DETECTION-ALERT-MIB defined trap event: sidaAlertGeneric</event-label>
  <descr><p>The Sida Alert Generic Trap is sent whenever an event is detected by snort (rules) and no specific Alert is found applicable.</p>
    <table>
      <tr><td><b>sidaSensorVersion</b></td><td>%parm[~np~#~/np~1]%</td><td><p;></p></td;></tr>
      <tr><td><b>sidaSensorAddressType</b></td><td>%parm[~np~#~/np~2]%</td><td><p;>unknown(0) ipv4(1) ipv6(2) dns(16)</p></td;></tr>
      <tr><td><b>sidaSensorAddress</b></td><td>%parm[~np~#~/np~3]%</td><td><p;></p></td;></tr>
      <tr><td><b>sidaAlertTimeStamp</b></td><td>%parm[~np~#~/np~4]%</td><td><p;></p></td;></tr>
      <tr><td><b>sidaAlertActionsTaken</b></td><td>%parm[~np~#~/np~5]%</td><td><p;>none(0) logged(1) alerted(2) blocked(3) tagged(4) tcpRstToSender(16) tcpRstToReceiver(18) tcpRstToSenderAndReceiver(19) icmpNetUnreachToSender(20) icmpHostUnreachToSender(21) icmpPortUnreachToSender(22) icmpAllUnreachToSender(23)</p></td;></tr>
      <tr><td><b>sidaAlertMsg</b></td><td>%parm[~np~#~/np~6]%</td><td><p;></p></td;></tr>
      <tr><td><b>sidaAlertMoreInfo</b></td><td>%parm[~np~#~/np~7]%</td><td><p;></p></td;></tr>
      <tr><td><b>sidaAlertSrcAddressType</b></td><td>%parm[~np~#~/np~8]%</td><td><p;>unknown(0) ipv4(1) ipv6(2) dns(16)</p></td;></tr>
      <tr><td><b>sidaAlertSrcAddress</b></td><td>%parm[~np~#~/np~9]%</td><td><p;></p></td;></tr>
      <tr><td><b>sidaAlertDstAddressType</b></td><td>%parm[~np~#~/np~10]%</td><td><p;>unknown(0) ipv4(1) ipv6(2) dns(16)</p></td;></tr>
      <tr><td><b>sidaAlertDstAddress</b></td><td>%parm[~np~#~/np~11]%</td><td><p;></p></td;></tr>
      <tr><td><b>sidaAlertSrcPort</b></td><td>%parm[~np~#~/np~12]%</td><td><p;></p></td;></tr>
      <tr><td><b>sidaAlertDstPort</b></td><td>%parm[~np~#~/np~13]%</td><td><p;></p></td;></tr>
      <tr><td><b>sidaAlertImpact</b></td><td>%parm[~np~#~/np~14]%</td><td><p;>unknown(1) badUnknown(2) notSuspicious(3) attemptedAdmin(4) successfulAdmin(5) attemptedDos(6) successfulDos(7) attemptedRecon(8) successfulReconLimited(9) successfulReconLargescale(10) attemptedUser(11) successfulUser(12)</p></td;></tr>
      <tr><td><b>sidaAlertEventPriority</b></td><td>%parm[~np~#~/np~15]%</td><td><p;></p></td;></tr>
      <tr><td><b>sidaAlertSrcMacAddress</b></td><td>%parm[~np~#~/np~16]%</td><td><p;></p></td;></tr>
      <tr><td><b>sidaAlertDstMacAddress</b></td><td>%parm[~np~#~/np~17]%</td><td><p;></p></td;></tr>
    </table>
  </descr>
  <logmsg dest='logndisplay'><p>sidaAlertGeneric trap received sidaSensorVersion=%parm[~np~#~/np~1]% sidaSensorAddressType=%parm[~np~#~/np~2]% sidaSensorAddress=%parm[~np~#~/np~3]% sidaAlertTimeStamp=%parm[~np~#~/np~4]% sidaAlertActionsTaken=%parm[~np~#~/np~5]% sidaAlertMsg=%parm[~np~#~/np~6]% sidaAlertMoreInfo=%parm[~np~#~/np~7]% sidaAlertSrcAddressType=%parm[~np~#~/np~8]% sidaAlertSrcAddress=%parm[~np~#~/np~9]% sidaAlertDstAddressType=%parm[~np~#~/np~10]% sidaAlertDstAddress=%parm[~np~#~/np~11]% sidaAlertSrcPort=%parm[~np~#~/np~12]% sidaAlertDstPort=%parm[~np~#~/np~13]% sidaAlertImpact=%parm[~np~#~/np~14]% sidaAlertEventPriority=%parm[~np~#~/np~15]% sidaAlertSrcMacAddress=%parm[~np~#~/np~16]% sidaAlertDstMacAddress=%parm[~np~#~/np~17]%</p></logmsg>
  <severity>Indeterminate</severity>
</event>
<event>
  <mask>
    <maskelement>
      <mename>id</mename>
      <mevalue>.1.3.6.1.4.1.10234.2.1</mevalue>
    </maskelement>
    <maskelement>
      <mename>generic</mename>
      <mevalue>3</mevalue>
    </maskelement>
    <maskelement>
      <mename>specific</mename>
      <mevalue>2</mevalue>
    </maskelement>
  </mask>
  <uei>http://uei.opennms.org/mib2opennms/sidaAlertScanStatus</uei>
  <event-label>SNORT-INTRUSION-DETECTION-ALERT-MIB defined trap event: sidaAlertScanStatus</event-label>
  <descr><p>The Sida Alert Generic Trap is sent whenever an event is detected by snort (rules) and no specific Alert is found applicable.</p>
    <table>
      <tr><td><b>sidaSensorVersion</b></td><td>%parm[~np~#~/np~1]%</td><td><p;></p></td;></tr>
      <tr><td><b>sidaSensorAddressType</b></td><td>%parm[~np~#~/np~2]%</td><td><p;>unknown(0) ipv4(1) ipv6(2) dns(16)</p></td;></tr>
      <tr><td><b>sidaSensorAddress</b></td><td>%parm[~np~#~/np~3]%</td><td><p;></p></td;></tr>
      <tr><td><b>sidaAlertTimeStamp</b></td><td>%parm[~np~#~/np~4]%</td><td><p;></p></td;></tr>
      <tr><td><b>sidaAlertActionsTaken</b></td><td>%parm[~np~#~/np~5]%</td><td><p;>none(0) logged(1) alerted(2) blocked(3) tagged(4) tcpRstToSender(16) tcpRstToReceiver(18) tcpRstToSenderAndReceiver(19) icmpNetUnreachToSender(20) icmpHostUnreachToSender(21) icmpPortUnreachToSender(22) icmpAllUnreachToSender(23)</p></td;></tr>
      <tr><td><b>sidaAlertMsg</b></td><td>%parm[~np~#~/np~6]%</td><td><p;></p></td;></tr>
      <tr><td><b>sidaAlertSrcAddressType</b></td><td>%parm[~np~#~/np~7]%</td><td><p;>unknown(0) ipv4(1) ipv6(2) dns(16)</p></td;></tr>
      <tr><td><b>sidaAlertSrcAddress</b></td><td>%parm[~np~#~/np~8]%</td><td><p;></p></td;></tr>
      <tr><td><b>sidaAlertDstAddressList</b></td><td>%parm[~np~#~/np~9]%</td><td><p;></p></td;></tr>
      <tr><td><b>sidaAlertSrcPort</b></td><td>%parm[~np~#~/np~10]%</td><td><p;></p></td;></tr>
      <tr><td><b>sidaAlertDstPortList</b></td><td>%parm[~np~#~/np~11]%</td><td><p;></p></td;></tr>
      <tr><td><b>sidaAlertScanDuration</b></td><td>%parm[~np~#~/np~12]%</td><td><p;></p></td;></tr>
      <tr><td><b>sidaAlertScannedHosts</b></td><td>%parm[~np~#~/np~13]%</td><td><p;></p></td;></tr>
      <tr><td><b>sidaAlertTCPScanCount</b></td><td>%parm[~np~#~/np~14]%</td><td><p;></p></td;></tr>
      <tr><td><b>sidaAlertUDPScanCount</b></td><td>%parm[~np~#~/np~15]%</td><td><p;></p></td;></tr>
      <tr><td><b>sidaAlertScanType</b></td><td>%parm[~np~#~/np~16]%</td><td><p;>other(1) stealth(2)</p></td;></tr>
      <tr><td><b>sidaAlertEventStatus</b></td><td>%parm[~np~#~/np~17]%</td><td><p;>other(1) start(2) inProgress(3) end(4)</p></td;></tr>
      <tr><td><b>sidaAlertEventPriority</b></td><td>%parm[~np~#~/np~18]%</td><td><p;></p></td;></tr>
      <tr><td><b>sidaAlertSrcMacAddress</b></td><td>%parm[~np~#~/np~19]%</td><td><p;></p></td;></tr>
      <tr><td><b>sidaAlertDstMacAddress</b></td><td>%parm[~np~#~/np~20]%</td><td><p;></p></td;></tr>
    </table>
  </descr>
  <logmsg dest='logndisplay'><p>sidaAlertScanStatus trap received sidaSensorVersion=%parm[~np~#~/np~1]% sidaSensorAddressType=%parm[~np~#~/np~2]% sidaSensorAddress=%parm[~np~#~/np~3]% sidaAlertTimeStamp=%parm[~np~#~/np~4]% sidaAlertActionsTaken=%parm[~np~#~/np~5]% sidaAlertMsg=%parm[~np~#~/np~6]% sidaAlertSrcAddressType=%parm[~np~#~/np~7]% sidaAlertSrcAddress=%parm[~np~#~/np~8]% sidaAlertDstAddressList=%parm[~np~#~/np~9]% sidaAlertSrcPort=%parm[~np~#~/np~10]% sidaAlertDstPortList=%parm[~np~#~/np~11]% sidaAlertScanDuration=%parm[~np~#~/np~12]% sidaAlertScannedHosts=%parm[~np~#~/np~13]% sidaAlertTCPScanCount=%parm[~np~#~/np~14]% sidaAlertUDPScanCount=%parm[~np~#~/np~15]% sidaAlertScanType=%parm[~np~#~/np~16]% sidaAlertEventStatus=%parm[~np~#~/np~17]% sidaAlertEventPriority=%parm[~np~#~/np~18]% sidaAlertSrcMacAddress=%parm[~np~#~/np~19]% sidaAlertDstMacAddress=%parm[~np~#~/np~20]%</p></logmsg>
  <severity>Indeterminate</severity>
</event>
<!-- End of auto generated data from MIB: SNORT-INTRUSION-DETECTION-ALERT-MIB -->
Then add this XML fragment to your OpenNMS /opt/OpenNMS/etc/eventconf.xml file, like this:
<?xml version="1.0"?>
<events xmlns="http://xmlns.opennms.org/xsd/eventconf">
  <global>
    <security>
      <doNotOverride>logmsg</doNotOverride>
      <doNotOverride>operaction</doNotOverride>
      <doNotOverride>autoaction</doNotOverride>
      <doNotOverride>tticket</doNotOverride>
    </security>
  </global>
  <!-- Start of auto generated data from MIB: SNORT-INTRUSION-DETECTION-ALERT-MIB -->
  <event>
    <mask>
      <maskelement>
        <mename>id</mename>
        <mevalue>.1.3.6.1.4.1.10234.2.1</mevalue>
      </maskelement>
      <maskelement>
        <mename>generic</mename>
        <mevalue>3</mevalue>
      </maskelement>
.....(rest of the file omited) .....
Important note: At the time of this writing I was unable to use the previous XML "as is". Instead I got "non MIB formatted" errors on the OpenNMS web interface and changed the event definition to look like this:
<!-- Start of auto generated data from MIB: SNORT-INTRUSION-DETECTION-ALERT-MIB -->
<event>
  <mask>
    <maskelement>
      <mename>id</mename>
      <mevalue>.1.3.6.1.4.1.10234.2.1.3</mevalue>
    </maskelement>
    <maskelement>
      <mename>generic</mename>
      <mevalue>6</mevalue>
    </maskelement>
    <maskelement>
      <mename>specific</mename>
      <mevalue>1</mevalue>
    </maskelement>
  </mask>
  <uei>http://uei.opennms.org/mib2opennms/sidaAlertGeneric</uei>
  <event-label>SNORT-INTRUSION-DETECTION-ALERT-MIB defined trap event: sidaAlertGeneric</event-label>
  <descr><p>The Sida Alert Generic Trap is sent whenever an
event is detected by snort (rules) and no specific
(Rest of the XML omitted).
So far this setup works for me, let me know if you have a better way of doing this.
Note: This section is still incomplete.
Restart OpenNMS to make these changes effective:
[root@loghost etc]# /etc/init.d/tomcat4 stop; /etc/init.d/opennms restart; /etc/init.d/tomcat4 start
Go to the OpenNMS console (Home > Admin > Configure Notifications > Event Notifications) and click on "Add New Event Notification"
Then choose "SNORT-INTRUSION-DETECTION-ALERT-MIB defined trap event: sidaAlertGeneric" on "Home > Admin > Configure Notifications > Event Notifications > Choose Event"
Build your rule on "Home > Admin > Configure Notifications > Event Notifications > Build Rule". Don't select any service and leave the IP addresses as "*.*.*.*".
Validate your results (Home > Admin > Configure Notifications > Validate Rule).
Finally choose a path (Home > Admin > Configure Notifications > Choose Path).
You can use the following values:
Name: Snort generic alert
Description: Whatever you want
Choose A Path: Email-Security/Managment
Message text: Reference: %parm[#7]% Offender: %parm[#9]% Affected: %parm[#11]% Reporter: %interface% Time sent: %time%
Message subject: Notice #%noticeid%: node %interface% Snort alert
Click finish
Then click on the button that says "Turn on"
Now you can test again using NMAP on any machine. You should get an email, pager or IM message (depending on what you have defined for the path "Email-Security/Managment"). Also note that you can use more parameters in the message text.
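The mask change in the "Important note" above (id .1.3.6.1.4.1.10234.2.1.3, generic 6, specific 1 instead of what mib2opennms generated) and the %parm[#N]% numbers in the notification text both follow from how an SNMPv2c trap is reduced to SNMPv1-style parameters. The following Python is an added example, not code from this page, from OpenNMS or from Snort: it parses a trap in the form snmptrapd printed earlier (the sample is constructed from that output, placeholders kept), derives the mask values with the RFC 3584 section 3.2 rules, checks both masks against the result, and expands the notification template. The derivation reproduces exactly the values the author found working; the parm numbering (every varbind counted in wire order, sysUpTime and snmpTrapOID included) is an assumption chosen because it is the numbering under which #7, #9 and #11 land on the message, source and destination of the sample trap, as the template's labels intend.

```python
import re

# Constructed sample, modelled on the snmptrapd output shown earlier on this page
# (placeholder addresses kept exactly as the page shows them).
SAMPLE_TRAP = """\
system.sysUpTime.0 = Timeticks: (102689304) 11 days, 21:14:53.04
.iso.org.dod.internet.snmpV2.snmpModules.snmpMIB.snmpMIBObjects.snmpTrap.snmpTrapOID.0 = OID: enterprises.10234.2.1.3.1
enterprises.10234.2.1.1.1.3.1 = "Snort! <*-.Version 1.8.7 (Build 128)"
enterprises.10234.2.1.1.1.5.1.2 = 1
enterprises.10234.2.1.1.1.6.1.2 = "KK.KK.KK.KK"
enterprises.10234.2.1.2.1.2.1.2 = "1032895021.693904"
enterprises.10234.2.1.2.1.4.1.2 = "spp_stream4: NMAP FINGERPRINT (stateful) detection"
enterprises.10234.2.1.2.1.6.1.2 = 1
enterprises.10234.2.1.2.1.7.1.2 = "MY.HACKER.IP.ADDRESS"
enterprises.10234.2.1.2.1.8.1.2 = 1
enterprises.10234.2.1.2.1.9.1.2 = "YY.ZZ.PP.QQ"
enterprises.10234.2.1.2.1.10.1.2 = 55125
enterprises.10234.2.1.2.1.11.1.2 = 135
enterprises.10234.2.1.2.1.26.1.2 = Hex: 00 01 03 23 94 CF
enterprises.10234.2.1.2.1.27.1.2 = Hex: 00 03 47 48 34 72
"""

SYS_UPTIME = ".1.3.6.1.2.1.1.3.0"
SNMP_TRAP_OID = ".1.3.6.1.6.3.1.1.4.1.0"
SNMP_TRAPS = ".1.3.6.1.6.3.1.1.5"      # coldStart .. egpNeighborLoss live under here
ENTERPRISES = ".1.3.6.1.4.1"           # numeric form of the "enterprises" prefix snmptrapd prints

# The two masks discussed on the page: what mib2opennms generated, and what
# actually matched in the author's OpenNMS 1.0.1.
GENERATED_MASK = (".1.3.6.1.4.1.10234.2.1", 3, 1)
WORKING_MASK = (".1.3.6.1.4.1.10234.2.1.3", 6, 1)

def to_numeric(name):
    """Turn the symbolic names snmptrapd prints into dotted numeric OIDs."""
    if name.startswith("enterprises."):
        return ENTERPRISES + name[len("enterprises"):]
    if name.endswith("sysUpTime.0"):
        return SYS_UPTIME
    if name.endswith("snmpTrapOID.0"):
        return SNMP_TRAP_OID
    return name

def parse_varbinds(text):
    """Return the trap's varbinds as an ordered list of (oid, value) pairs."""
    varbinds = []
    for line in text.splitlines():
        if " = " not in line:
            continue
        name, value = (part.strip() for part in line.split(" = ", 1))
        if value.startswith("OID: "):
            value = to_numeric(value[len("OID: "):])
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        varbinds.append((to_numeric(name), value))
    return varbinds

def trap_oid(varbinds):
    """The snmpTrapOID.0 varbind says which notification this is."""
    return dict(varbinds)[SNMP_TRAP_OID]

def v2_trap_to_v1_mask(oid):
    """RFC 3584 section 3.2: SNMPv2 notification OID -> (enterprise, generic, specific).

    The six standard notifications under snmpTraps become generic 0..5, specific 0.
    Anything else is enterprise-specific: generic is 6, specific is the last
    sub-identifier, and the enterprise is the OID with that sub-identifier
    removed (and the one before it too, if that one is 0).
    """
    sub = oid.strip(".").split(".")
    if oid.startswith(SNMP_TRAPS + ".") and len(sub) == len(SNMP_TRAPS.strip(".").split(".")) + 1:
        return (SNMP_TRAPS, int(sub[-1]) - 1, 0)
    enterprise = sub[:-1]
    if enterprise[-1] == "0":
        enterprise = enterprise[:-1]
    return ("." + ".".join(enterprise), 6, int(sub[-1]))

def mask_matches(mask, derived):
    """An eventconf <mask> fires only when id, generic and specific all agree."""
    return tuple(mask) == tuple(derived)

PARM_RE = re.compile(r"%parm\[#(\d+)\]%")
TEMPLATE = "Reference: %parm[#7]% Offender: %parm[#9]% Affected: %parm[#11]% Reporter: %interface%"

def render(template, varbinds, interface):
    """Expand %parm[#N]% and %interface% as the page's notification text uses them.

    Assumption: N counts every varbind in wire order, sysUpTime and snmpTrapOID
    included, which puts #7/#9/#11 on the message, source and destination here.
    """
    parms = {str(i): value for i, (_, value) in enumerate(varbinds, start=1)}
    text = PARM_RE.sub(lambda m: parms.get(m.group(1), ""), template)
    return text.replace("%interface%", interface)

if __name__ == "__main__":
    vbs = parse_varbinds(SAMPLE_TRAP)
    derived = v2_trap_to_v1_mask(trap_oid(vbs))
    print("derived mask:", derived)
    print("mib2opennms mask matches:", mask_matches(GENERATED_MASK, derived))
    print("page's working mask matches:", mask_matches(WORKING_MASK, derived))
    print(render(TEMPLATE, vbs, "KK.KK.KK.KK"))
```

Running it prints the derived mask (.1.3.6.1.4.1.10234.2.1.3, 6, 1), shows that only the hand-edited mask matches, and renders the notification with the Snort message, the scanning host and the scanned host filled in. If a later Snort or MIB revision adds or reorders varbinds, the parm numbers in the template move with them, so re-check the rendered text after any sensor upgrade.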
Resources
- Snort home page: http://www.snort.org
- OpenNMS home page: http://www.opennms.org
- NMAP: http://www.insecure.org/nmap/
- MIB2OpenNMS home page: http://www.tompa.nu/mib2opennms/
Version history: 0.1 - 09/24/2002 - Alpha release
AUTHOR
Jose Vicente Nunez Zuleta (josevnz at newbreak dot com)
Newbreak LLC System Administrator