SIEM sobre Raspberry Pi 3 Model B+

12/02/2019

| No hay comentarios

Manual para instalar un SIEM en una Rapsberry Pi 3 Model B+, bajo Windows

Requisitos necesarios:

Una Raspberry Pi 3 Model B+

Una tarjeta SD de al menos 8 Gb

Cable Ethernet

Una fuente de alimentación de 3,5 Amperios y su cable USB

Una imagen de Archlinux ARM . https://archlinuxarm.org/platforms

El Programa Win32DiskImager (para manejo de las imagenes en la SD) https://sourceforge.net/projects/win32diskimager/

Un teclado USB (para la instalación)

Primer paso: INSTALACION DE ARCHLINUX

Usando el programa Win32DiskImager, seleccionar la imagen para nuestra Pi 3 http://os.archlinuxarm.org/os/ArchLinux … est.tar.gz

Introducir formateada nuestra SD (8 Gb/32 Gb) y asignarle letra

Pulsar el botón Write del Win32DiskImager

Extraer la tarjeta SD e introducirla en la Pi 3B+

Segundo paso: CONFIGURACION DE ARCHLINUX

Arrancar la Pi 3B+ e introducir el usuario y clave por defecto roo/root

Cambiar la clave por defecto con el comando passwd por una de nuestra elección

# passwd

Congigurar la interfaz de red con el comando del fichero rc.conf fijando una IP a la (Raspberry Security System (RSS))

Código: Seleccionar todo

vi /etc/rc.conf

# ———————————————————————–
# NETWORKING
# ———————————————————————–
# HOSTNAME: Hostname of machine. Should also be put in /etc/hosts
#
HOSTNAME=”RSS”
# Static IP
interface=eth0
address=192.168.1.3
netmask=255.255.255.0
broadcast=192.168.1.255
gateway=192.168.1.1

Desactivar el DHCP de la interfaz de red eth0

# interface=eth0
# address=
# netmask=
# gateway=

Parar los demonios existentes alinicio no necesarios

DAEMONS=(!hwclock syslog-ng network @crond @sshd @openntpd)

Configurar el fichero hosts con el comando

# vi /etc/hosts

192.168.1.3 PiWall
127.0.0.1 localhost.localdomain localhost
::1 localhost.localdomain localhost

Reiniciar la interfaz de red con el comando

rc.d restart network

Actualizar la distribución con el comando

pacman –Syu

Crear las Keys de las fuentes actualizadas con el comando

pacman-key –init

Volver a actualizar el sistema con pacman -Syu

Instalar los paquetes vim, htop y tcpdump con los comandos

pacman –S vim
pacman –S htop
pacman –S tcpdump

Tras la instalación de dichos paquetes reinicamos nustra Pi 3B+

Una vez reiniciado el sistema usaremos el comando htop para verificar la memoria disponible

htop

Reconfigurar la memoria disponible para asignar 224 Mb al sistema operativo

cd /boot
mv ./start.elf ./start.elf.old
cp ./arm224_start.elf ./start.elf
reboot

Reestructurando el tamaño de la tarjeta SD con el comando

fdisk /dev/mmcblk0p2

Borrar la partición con los comandos

d
2

Crear una nueva partición primaria

n
p
2
Enter
Enter

Escribir los cambios con el comando write

Reiniciar la Pi 3B+ con reboot

reboot

Añadiendo otro usuario con el comando useradd

useradd -m -g users -G optical,storage,video,wheel,power -s /bin/bash rss

Cambiar la contraseña del nuevo usuario con el comando passwd

passwd rss

Instalar el comando sudo

pacman -S sudo

Proporcionar derechos de sudo con el comando visudo

visudo

## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL

Cerrar la sesión con el comando logout

logout

Configurar el servicio SSH , editando el fichero sshd_config modificando los siguientes parámetros

sudo vi /etc/ssh/sshd_config

# Modify the default port
Port 15507Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 60

Desactivar el acceso de root para hacer login y obligar al usuario a escalar privilegios

PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes

Reiniciar el servicio sshd

sudo rc.d restart sshd

A partir de ese momento inciaremos sesión con el usuario rss creado anteriormente

Personalizamos la interfaz de red del fichero sysctl.conf con el comando

sudo vi /etc/sysctl.conf

]# Enable Spoof protection (reverse-path filter)
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1# Enable TCP/IP SYN cookies
net.ipv4.tcp_syncookies=1# Ignore ICMP broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Ignore bogus ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
# Do not send ICMP redirects (really important for our single NIC gateway)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
# Do not accept IP source route packets
net.ipv4.conf.all.accept_source_route = 0
# Log Martian Packets
net.ipv4.conf.all.log_martians = 1
# router function (important1!!)
net.ipv4.ip_forward = 1
# Avoid Out Of Memory
vm.min_free_kbytes=8192

Aplicar los cambios con el comando

sudo sysctl –p

Configurar los servicios DHCP y DNS instalando el paquete dnsmasq

sudo pacman –S dnsmasq

Cinfiguraremos el fichero dnsmasq.conf con los siguientes parámetros

sudo vi /etc/dnsmasq.conf

## DNS CONFIGURATION ##
# Interfaces for DNS
interface=eth0
listen-address=192.168.1.3
bind-interfaces# Never forward plain names (without a dot or domain part)
domain-needed# Never forward addresses in the non-routed address spaces.
bogus-priv

# Max concurrent DNS queries (default = 150)
dns-forward-max=150
# DNS cache size (default = 150)
cache-size=300
## DHCP CONFIGURATION ##
# DHCP range and lease time
dhcp-range=192.168.1.10,192.168.1.20,255.255.255.0,4d
# Set DHCP as authoritative
dhcp-authoritative

Posteriormente reiniciaremos el servicio con el comando

sudo rc.d restart dnsmasq

Para verificar el funcionamiento del servicio dns ejecutaremos el comando

 sudo tcpdump -i eth0 dst port 53 or src port 53 -n -x -X -v

Configuración del firewall lanzando los siguientes comandos y cambiando sus propiedades

sudo touch /etc/firewall.advanced

sudo touch /etc/firewall.flows

sudo chmod u+x /etc/firewall.*

Posteriormente configuramos el fichero firewall.flows

sudo vi /etc/firewall.flows

#!/bin/bash
# ” Date:
# ” Author :
# ” Version : Flows 1.0
#######################
# FLOW IDENTIFICATION #
##############################################################################################
# NAT_OUT
iptables -t nat -A POSTROUTING -o $LAN -p tcp –ipv4 -m iprange \
–src-range $DHCP_RANGE ! –dst-range $DHCP_RANGE -m pkttype –pkt-type unicast -m addrtype ! –dst-type LOCAL\
-m state –state NEW,ESTABLISHED,RELATED -j NAT_OUT
iptables -t nat -A POSTROUTING -o $LAN -p udp –ipv4 -m iprange \
–src-range $DHCP_RANGE ! –dst-range $DHCP_RANGE -m pkttype –pkt-type unicast -m addrtype ! –dst-type LOCAL\
-m state –state NEW,ESTABLISHED,RELATED -j NAT_OUT
iptables -t nat -A POSTROUTING -o $LAN -p icmp –ipv4 -m iprange \
–src-range $DHCP_RANGE ! –dst-range $DHCP_RANGE -m pkttype –pkt-type unicast -m addrtype ! –dst-type LOCAL\
-m state –state NEW,ESTABLISHED,RELATED -j NAT_OUT
# FORWARD_OUT
iptables -A FORWARD -i $LAN -p tcp –ipv4 -m iprange \
–src-range $DHCP_RANGE ! –dst-range $DHCP_RANGE -m pkttype –pkt-type unicast -m addrtype ! –src-type LOCAL\
-m state –state NEW,ESTABLISHED,RELATED -j FORWARD_OUT
iptables -A FORWARD -i $LAN -p udp –ipv4 -m iprange \
–src-range $DHCP_RANGE ! –dst-range $DHCP_RANGE -m pkttype –pkt-type unicast -m addrtype ! –src-type LOCAL\
-m state –state NEW,ESTABLISHED,RELATED -j FORWARD_OUT
iptables -A FORWARD -i $LAN -p icmp –ipv4 -m iprange \
–src-range $DHCP_RANGE ! –dst-range $DHCP_RANGE -m pkttype –pkt-type unicast -m addrtype ! –src-type LOCAL\
-m state –state NEW,ESTABLISHED,RELATED -j FORWARD_OUT
# FORWARD_IN
iptables -A FORWARD -i $LAN -p tcp –ipv4 -m iprange \
! –src-range $DHCP_RANGE –dst-range $DHCP_RANGE -m pkttype –pkt-type unicast -m addrtype ! –src-type LOCAL\
-m state –state ESTABLISHED,RELATED -j FORWARD_IN
iptables -A FORWARD -i $LAN -p udp –ipv4 -m iprange \
! –src-range $DHCP_RANGE –dst-range $DHCP_RANGE -m pkttype –pkt-type unicast -m addrtype ! –src-type LOCAL\
-m state –state ESTABLISHED,RELATED -j FORWARD_IN
iptables -A FORWARD -i $LAN -p icmp –ipv4 -m iprange \
! –src-range $DHCP_RANGE –dst-range $DHCP_RANGE -m pkttype –pkt-type unicast -m addrtype ! –src-type LOCAL\
-m state –state ESTABLISHED,RELATED -j FORWARD_IN
# LAN_IN
iptables -A INPUT -i $LAN -p tcp –ipv4 -m iprange \
–src-range $DHCP_RANGE -d $RSS -m pkttype –pkt-type unicast -m addrtype –dst-type LOCAL\
-m state –state NEW,ESTABLISHED,RELATED -j LAN_IN
iptables -A INPUT -i $LAN -p udp –ipv4 -m iprange \
–src-range $DHCP_RANGE -d $RSS -m pkttype –pkt-type unicast -m addrtype –dst-type LOCAL\
-m state –state NEW,ESTABLISHED,RELATED -j LAN_IN
iptables -A INPUT -i $LAN -p icmp –ipv4 -m iprange \
–src-range $DHCP_RANGE -d $RSS -m pkttype –pkt-type unicast -m addrtype –dst-type LOCAL\
-m state –state NEW,ESTABLISHED,RELATED -j LAN_IN
# LAN_BROADCAST
iptables -A INPUT -i $LAN -p tcp –ipv4 \
! -d $RSS -m pkttype –pkt-type broadcast -m addrtype –dst-type BROADCAST\
-m state ! –state INVALID -j LAN_BROADCAST
iptables -A INPUT -i $LAN -p udp –ipv4 \
! -d $RSS -m pkttype –pkt-type broadcast -m addrtype –dst-type BROADCAST\
-m state ! –state INVALID -j LAN_BROADCAST
iptables -A INPUT -i $LAN -p icmp –ipv4 \
! -d $RSS -m pkttype –pkt-type broadcast -m addrtype –dst-type BROADCAST\
-m state ! –state INVALID -j LAN_BROADCAST
# INTERNET_GATEWAY
iptables -A INPUT -i $LAN -p tcp –ipv4 \
! -s $LAN_SUBNET -d $RSS -m pkttype –pkt-type unicast -m addrtype –dst-type LOCAL\
-m state –state ESTABLISHED,RELATED -j INTERNET_GATEWAY
iptables -A INPUT -i $LAN -p udp –ipv4 ! \
-s $LAN_SUBNET -d $RSS -m pkttype –pkt-type unicast -m addrtype –dst-type LOCAL\
-m state –state ESTABLISHED,RELATED -j INTERNET_GATEWAY
iptables -A INPUT -i $LAN -p icmp –ipv4 \
! -s $LAN_SUBNET -d $RSS -m pkttype –pkt-type unicast -m addrtype –dst-type LOCAL\
-m state –state ESTABLISHED,RELATED -j INTERNET_GATEWAY
# GATEWAY_LAN
iptables -A OUTPUT -o $LAN -p tcp –ipv4 \
-s $RSS -d $LAN_SUBNET -m pkttype –pkt-type unicast -m addrtype –dst-type UNICAST\
-m state –state NEW,ESTABLISHED,RELATED -j GATEWAY_LAN
iptables -A OUTPUT -o $LAN -p udp –ipv4 \
-s $RSS -d $LAN_SUBNET -m pkttype –pkt-type unicast -m addrtype –dst-type UNICAST\
-m state –state NEW,ESTABLISHED,RELATED -j GATEWAY_LAN
iptables -A OUTPUT -o $LAN -p icmp –ipv4 \
-s $RSS -d $LAN_SUBNET -m pkttype –pkt-type unicast -m addrtype –dst-type UNICAST\
-m state –state NEW,ESTABLISHED,RELATED -j GATEWAY_LAN
# GATEWAY_BROADCAST
iptables -A OUTPUT -o $LAN -p tcp –ipv4 \
-s $RSS -m pkttype –pkt-type broadcast -m addrtype –dst-type BROADCAST\
-m state –state NEW,ESTABLISHED,RELATED -j GATEWAY_BROADCAST
iptables -A OUTPUT -o $LAN -p udp –ipv4 \
-s $RSS -m pkttype –pkt-type broadcast -m addrtype –dst-type BROADCAST\
-m state –state NEW,ESTABLISHED,RELATED -j GATEWAY_BROADCAST
iptables -A OUTPUT -o $LAN -p icmp –ipv4 \
-s $RSS -m pkttype –pkt-type broadcast -m addrtype –dst-type BROADCAST\
-m state –state NEW,ESTABLISHED,RELATED -j GATEWAY_BROADCAST
# GATEWAY_INTERNET
iptables -A OUTPUT -o $LAN -p tcp –ipv4 \
-s $RSS ! -d $LAN_SUBNET -m pkttype –pkt-type unicast -m addrtype –dst-type UNICAST\
-m state –state NEW,ESTABLISHED,RELATED -j GATEWAY_INTERNET
iptables -A OUTPUT -o $LAN -p udp –ipv4 \
-s $RSS ! -d $LAN_SUBNET -m pkttype –pkt-type unicast -m addrtype –dst-type UNICAST\
-m state –state NEW,ESTABLISHED,RELATED -j GATEWAY_INTERNET
iptables -A OUTPUT -o $LAN -p icmp –ipv4 \
-s $RSS ! -d $LAN_SUBNET -m pkttype –pkt-type unicast -m addrtype –dst-type UNICAST\
-m state –state NEW,ESTABLISHED,RELATED -j GATEWAY_INTERNET
##############################################################################################

A continuación crearemos reglas en el fichero firewall.advanced con el comando

sudo vi /etc/firewall.advanced

#!/bin/bash
# ” Date August 2012
# ” Author : Guillaume Kaddouch
# ” URL :
# ” Version : Advanced 1.0
echo “Setting up variables”
# VARIABLES TO CUSTOMISE TO MATCH YOUR NETWORK
LAN=”eth0″
LAN_SUBNET=”192.168.1.0/24″
DHCP_RANGE=”192.168.1.10-192.168.1.20″
DNS_SERVER1=”8.8.8.8″
DNS_SERVER2=”208.67.222.222″
RSS=”192.168.1.3″
MODEM_ROUTER=”192.168.1.1″
UNPRIV_PORTS=”1024:65535″
SSH=”15507″
NTP_SERVER=”65.55.21.22″
echo “Flushing existing chains and rules…”
# FLUSHING CHAINS & RULES
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
echo “Setting up default policies”
# DEFAULT POLICIES
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# LOOPBACK
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
echo “Creating chains”
# CHAINS
iptables -N FORWARD_OUT
iptables -N FORWARD_IN
iptables -N LAN_IN
iptables -N LAN_BROADCAST
iptables -N GATEWAY_LAN
iptables -N GATEWAY_BROADCAST
iptables -N GATEWAY_INTERNET
iptables -N INTERNET_GATEWAY
iptables -t nat -N NAT_OUT
# CHAIN TO CHECK, LOG, AND OPTIMISE
iptables -N CHECK_TCP_FLAGS
iptables -N LOGDROP_TCP_FLAGS
iptables -N LOGDROP_MALWARE
iptables -N LOGDROP_BADPORT
iptables -t mangle -N FAST_DNS
echo “Loading rules”
#################################
# PROTOCOL CHECK & OPTIMIZATION #
##############################################################################################
iptables -A FORWARD -i $LAN -p tcp –ipv4 -j CHECK_TCP_FLAGS
iptables -A INPUT -i $LAN -p tcp –ipv4 -j CHECK_TCP_FLAGS
iptables -t mangle -A OUTPUT -o $LAN -p tcp –ipv4 -s $RSS -m pkttype –pkt-type unicast –dport domain -m \
state –state NEW,ESTABLISHED,RELATED -j FAST_DNS
iptables -t mangle -A OUTPUT -o $LAN -p udp –ipv4 -s $RSS -m pkttype –pkt-type unicast –dport domain -m \
state –state NEW,ESTABLISHED,RELATED -j FAST_DNS
##############################################################################################
###################
# CHECK_TCP_FLAGS #
##############################################################################################
iptables -A CHECK_TCP_FLAGS -p tcp –tcp-flags ACK,FIN FIN -j LOGDROP_TCP_FLAGS
iptables -A CHECK_TCP_FLAGS -p tcp –tcp-flags ACK,PSH PSH -j LOGDROP_TCP_FLAGS
iptables -A CHECK_TCP_FLAGS -p tcp –tcp-flags ACK,URG URG -j LOGDROP_TCP_FLAGS
iptables -A CHECK_TCP_FLAGS -p tcp –tcp-flags FIN,RST FIN,RST -j LOGDROP_TCP_FLAGS
iptables -A CHECK_TCP_FLAGS -p tcp –tcp-flags SYN,FIN SYN,FIN -j LOGDROP_TCP_FLAGS
iptables -A CHECK_TCP_FLAGS -p tcp –tcp-flags SYN,RST SYN,RST -j LOGDROP_TCP_FLAGS
iptables -A CHECK_TCP_FLAGS -p tcp –tcp-flags ALL ALL -j LOGDROP_TCP_FLAGS
iptables -A CHECK_TCP_FLAGS -p tcp –tcp-flags ALL NONE -j LOGDROP_TCP_FLAGS
iptables -A CHECK_TCP_FLAGS -p tcp –tcp-flags ALL FIN,PSH,URG -j LOGDROP_TCP_FLAGS
iptables -A CHECK_TCP_FLAGS -p tcp –tcp-flags ALL SYN,FIN,PSH,URG -j LOGDROP_TCP_FLAGS
iptables -A CHECK_TCP_FLAGS -p tcp –tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOGDROP_TCP_FLAGS
iptables -A LOGDROP_TCP_FLAGS -m limit –limit 1/s -j LOG –log-tcp-options –log-prefix \
“[IPTABLES: BAD TCP FLAGS]”
iptables -A LOGDROP_TCP_FLAGS -j DROP
##############################################################################################
############
# FAST_DNS #
##############################################################################################
iptables -t mangle -A FAST_DNS -p udp -d $DNS_SERVER1 -j TOS –set-tos Minimize-Delay
iptables -t mangle -A FAST_DNS -p udp -d $DNS_SERVER2 -j TOS –set-tos Minimize-Delay
iptables -t mangle -A FAST_DNS -p tcp -d $DNS_SERVER1 -j TOS –set-tos Minimize-Delay
iptables -t mangle -A FAST_DNS -p tcp -d $DNS_SERVER2 -j TOS –set-tos Minimize-Delay
##############################################################################################
# FLOW IDENTIFICATION #
source “/etc/firewall.flows”
############
# NAT_OUT #
##############################################################################################
iptables -t nat -A NAT_OUT -j MASQUERADE –random
##############################################################################################
###############
# FORWARD OUT #
##############################################################################################
# Potential Malware traffic
# If not dropped here, they would have been blocked by the default policy
# However, we take the opportunity to save them in a “bad_traffic” table
# This table enables us to block LAN’s hosts trying to access too many malware ports
# Thus being potentially infected (and requiring an antivirus analysis)
#
# As soon as a LAN host has hit 5 times rules below within 2mn, DROP all forward out from that host
iptables -A FORWARD_OUT -p tcp -m recent –name bad_traffic –rcheck –rttl –hitcount 5 –seconds 120 -j \
LOGDROP_MALWARE
iptables -A FORWARD_OUT -p tcp –dport 139 -m recent –name bad_traffic –set -j LOGDROP_BADPORT
iptables -A FORWARD_OUT -p tcp –dport 445 -m recent –name bad_traffic –set -j LOGDROP_BADPORT
iptables -A FORWARD_OUT -p tcp –dport 135 -m recent –name bad_traffic –set -j LOGDROP_BADPORT
iptables -A FORWARD_OUT -p tcp –dport 6667 -m recent –name bad_traffic –set -j LOGDROP_BADPORT
iptables -A FORWARD_OUT -p tcp –dport 1433:1434 -m recent –name bad_traffic –set -j LOGDROP_BADPORT
iptables -A FORWARD_OUT -p udp –dport 1433:1434 -m recent –name bad_traffic –set -j LOGDROP_BADPORT
iptables -A LOGDROP_BADPORT -m limit –limit 1/s -j LOG –log-prefix “[IPTABLES: BAD PORT]”
iptables -A LOGDROP_BADPORT -j DROP
iptables -A LOGDROP_MALWARE -m limit –limit 1/s -j LOG –log-prefix “[IPTABLES: INFECTED HOST]”
iptables -A LOGDROP_MALWARE -j DROP
# Allowed ports
iptables -A FORWARD_OUT -p tcp –sport $UNPRIV_PORTS -m multiport –dports ftp,http,https,8080 -j ACCEPT
# Allow ESTABLISHED and RELATED connections to other ports, required for FTP for instance
iptables -A FORWARD_OUT -p tcp –sport $UNPRIV_PORTS –dport $UNPRIV_PORTS -m state –state \
ESTABLISHED,RELATED -j ACCEPT
# NTP Requests (modify the variable at the begining)
iptables -A FORWARD_OUT -p udp -d $NTP_SERVER –sport ntp –dport ntp -j ACCEPT
# Echo request
iptables -A FORWARD_OUT -p icmp -m icmp –icmp-type echo-request -j ACCEPT
# Reject traffic we do not want, many options below (create the corresponding variables)
# iptables -A FORWARD_OUT -p tcp –dport $port_of_a_host_to_block -j REJECT –reject-with \
# icmp-host-prohibited
# iptables -A FORWARD_OUT -d $subnet_to_block -j REJECT –reject-with icmp-net-prohibited
# Block & Log everything else
iptables -A FORWARD_OUT -m limit –limit 1/s -j LOG –log-prefix “[IPTABLES: FORWARD_OUT]”
iptables -A FORWARD_OUT -j DROP
##############################################################################################
##############
# FORWARD_IN #
##############################################################################################
# Allow forwarding of incoming established or related flows, with a TTL > 10
iptables -A FORWARD_IN -m ttl –ttl-gt 10 -j ACCEPT
# Block & Log everything else
iptables -A FORWARD_IN -m limit –limit 1/s -j LOG –log-prefix “[IPTABLES: FORWARD_IN]”
iptables -A FORWARD_IN -j DROP
##############################################################################################
##########
# LAN_IN #
##############################################################################################
# Allow DHCP broadcasts from the inside
iptables -A LAN_IN -i $LAN -p udp –sport 67:68 –dport 67:68 -j ACCEPT
# Allow DNS queries from the LAN to the Raspberry Security Syste,
iptables -A LAN_IN -i $LAN -p udp –sport $UNPRIV_PORTS –dport 53 -j ACCEPT
iptables -A LAN_IN -i $LAN -p tcp –sport $UNPRIV_PORTS –dport 53 -j ACCEPT
# SSH connections
# (you may add a check for the remote OS)
iptables -A LAN_IN -i $LAN -p tcp –sport $UNPRIV_PORTS –dport $SSH -j ACCEPT
# ICMP LAN (Type 3 = unreachable [destination|port|protocol])
iptables -A LAN_IN -p icmp -m icmp –icmp-type echo-request -j ACCEPT
iptables -A LAN_IN -p icmp -m icmp –icmp-type 3 -j ACCEPT
# Block & Log everything else
iptables -A LAN_IN -m limit –limit 1/s -j LOG –log-prefix “[IPTABLES: LAN_IN]”
iptables -A LAN_IN -j DROP
##############################################################################################
##################
# LAN_BROADCAST #
##############################################################################################
# Allow DHCP broadcasts from the inside
iptables -A LAN_BROADCAST -i $LAN -p udp –sport 67:68 –dport 67:68 -j ACCEPT
# Block everything else (do not bother to log broadcast traffic)
iptables -A LAN_BROADCAST -j DROP
##############################################################################################
###########################
# INTERNET_GATEWAY #
##############################################################################################
# Allow already established connections from RSS to Internet to come back to RSS
iptables -A INTERNET_GATEWAY -p all -j ACCEPT
##############################################################################################
########################
# CHAINE GATEWAY_LAN #
##############################################################################################
# Block potential ICMP redirect sent from us (could be caused by a misconfigured sysctl)
iptables -A GATEWAY_LAN -p icmp -m icmp –icmp-type redirect -m limit –limit 1/s -j LOG –log-prefix \
“[IPTABLES: ICMP REDIRECT]”
iptables -A GATEWAY_LAN -p icmp -m icmp –icmp-type redirect -j DROP
# Allow LAN established connections to Raspberry to come back to the LAN
iptables -A GATEWAY_LAN -p tcp -m state –state ESTABLISHED,RELATED -j ACCEPT
iptables -A GATEWAY_LAN -p udp -m state –state ESTABLISHED,RELATED -j ACCEPT
iptables -A GATEWAY_LAN -p icmp -m state –state ESTABLISHED,RELATED -j ACCEPT
# Allow DHCP related traffic
iptables -A GATEWAY_LAN -p udp –sport 67:68 –dport 67:68 -j ACCEPT
# Allow Raspi to ping the LAN
iptables -A GATEWAY_LAN -p icmp -m icmp –icmp-type echo-request -m state –state NEW -j ACCEPT
# Block & Log everything else
iptables -A GATEWAY_LAN -m limit –limit 1/s -j LOG –log-prefix “[IPTABLES: GATEWAY_LAN]”
iptables -A GATEWAY_LAN -j DROP
##############################################################################################
#####################
# GATEWAY_BROADCAST #
##############################################################################################
# Allow broadcast DHCP replies from RSS
iptables -A GATEWAY_BROADCAST -p udp –sport 67:68 –dport 67:68 -j ACCEPT
# Block & Log everything else
iptables -A GATEWAY_BROADCAST -m limit –limit 1/s -j LOG –log-prefix “[IPTABLES: GATEWAY_BROADCAST]”
iptables -A GATEWAY_BROADCAST -j DROP
##############################################################################################
####################
# GATEWAY_INTERNET #
##############################################################################################
# Allow new connections from Raspberry (necessary for updates, installing packages, etc…)
# I do not run updates the night, consequently there is no need for the rule to be active 24/24
iptables -A GATEWAY_INTERNET -p tcp -m multiport –dports ftp,http,https -m time –timestart 09:00 –timestop \
23:00 -j ACCEPT
# Résolutions DNS
iptables -A GATEWAY_INTERNET -p udp –sport $UNPRIV_PORTS -d $DNS_SERVER1 –dport domain -j ACCEPT
iptables -A GATEWAY_INTERNET -p udp –sport $UNPRIV_PORTS -d $DNS_SERVER2 –dport domain -j ACCEPT
iptables -A GATEWAY_INTERNET -p tcp –sport $UNPRIV_PORTS -d $DNS_SERVER1 –dport domain -j ACCEPT
iptables -A GATEWAY_INTERNET -p tcp –sport $UNPRIV_PORTS -d $DNS_SERVER2 –dport domain -j ACCEPT
# Happens when reloading firewall rules
iptables -A GATEWAY_INTERNET -p icmp -m icmp –icmp-type port-unreachable -d $DNS_SERVER1 -j DROP
iptables -A GATEWAY_INTERNET -p icmp -m icmp –icmp-type port-unreachable -d $DNS_SERVER2 -j DROP
# Allow NTP
iptables -A GATEWAY_INTERNET -p udp –dport ntp -j ACCEPT
# Block & Log everything else
iptables -A GATEWAY_INTERNET -m limit –limit 1/s -j LOG –log-prefix “[IPTABLES: GATEWAY_INTERNET]”
iptables -A GATEWAY_INTERNET -j DROP
##############################################################################################
## RULES END ##
rules_number=`egrep ‘\-j’ /etc/firewall.advanced | wc -l`
flows_number=`egrep ‘\-j’ /etc/firewall.flows | wc -l`
total_rules=$(( rules_number+flows_number ))
echo “”
echo “$total_rules rules loaded.”
echo “”

Crearemos más reglas del iptables en el fichero firewall.simple con el comando

sudo vi /etc/firewall.simple

#!/bin/bash
# Date August 2012
# Author : Guillaume Kaddouch
# URL : http://networkfilter.blogspot.com
# Version : Standard 1.0
echo “Setting up variables”
# VARIABLES TO CUSTOMISE TO MATCH YOUR NETWORK
LAN=”eth0″
LAN_SUBNET=”192.168.1.0/24″
DHCP_RANGE=”192.168.1.10-192.168.1.20″
DNS_SERVER1=”8.8.8.8″
DNS_SERVER2=”208.67.222.222″
RSS=”192.168.1.3″
MODEM_ROUTER=”192.168.1.1″
UNPRIV_PORTS=”1024:65535″
SSH=”15507″
NTP_SERVER=”65.55.21.22″
echo “Flushing existing chains and rules…”
# FLUSHING CHAINS & RULES
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
echo “Setting up default policies”
# DEFAULT POLICIES
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# LOOPBACK
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
echo “Creating chains”
# CHAIN TO CHECK, LOG, AND OPTIMISE
iptables -N CHECK_TCP_FLAGS
iptables -N LOGDROP_TCP_FLAGS
iptables -t mangle -N FAST_DNS
echo “Loading rules”
#################################
# PROTOCOL CHECK & OPTIMIZATION #
##############################################################################################
iptables -A FORWARD -i $LAN -p tcp –ipv4 -j CHECK_TCP_FLAGS
iptables -A INPUT -i $LAN -p tcp –ipv4 -j CHECK_TCP_FLAGS
iptables -t mangle -A OUTPUT -o $LAN -p tcp –ipv4 -s $RSS -m pkttype –pkt-type unicast –dport domain \
-m state –state NEW,ESTABLISHED,RELATED -j FAST_DNS
iptables -t mangle -A OUTPUT -o $LAN -p udp –ipv4 -s $RSS -m pkttype –pkt-type unicast –dport domain \
-m state –state NEW,ESTABLISHED,RELATED -j FAST_DNS
##############################################################################################
###################
# CHECK_TCP_FLAGS #
##############################################################################################
iptables -A CHECK_TCP_FLAGS -p tcp –tcp-flags ACK,FIN FIN -j LOGDROP_TCP_FLAGS
iptables -A CHECK_TCP_FLAGS -p tcp –tcp-flags ACK,PSH PSH -j LOGDROP_TCP_FLAGS
iptables -A CHECK_TCP_FLAGS -p tcp –tcp-flags ACK,URG URG -j LOGDROP_TCP_FLAGS
iptables -A CHECK_TCP_FLAGS -p tcp –tcp-flags FIN,RST FIN,RST -j LOGDROP_TCP_FLAGS
iptables -A CHECK_TCP_FLAGS -p tcp –tcp-flags SYN,FIN SYN,FIN -j LOGDROP_TCP_FLAGS
iptables -A CHECK_TCP_FLAGS -p tcp –tcp-flags SYN,RST SYN,RST -j LOGDROP_TCP_FLAGS
iptables -A CHECK_TCP_FLAGS -p tcp –tcp-flags ALL ALL -j LOGDROP_TCP_FLAGS
iptables -A CHECK_TCP_FLAGS -p tcp –tcp-flags ALL NONE -j LOGDROP_TCP_FLAGS
iptables -A CHECK_TCP_FLAGS -p tcp –tcp-flags ALL FIN,PSH,URG -j LOGDROP_TCP_FLAGS
iptables -A CHECK_TCP_FLAGS -p tcp –tcp-flags ALL SYN,FIN,PSH,URG -j LOGDROP_TCP_FLAGS
iptables -A CHECK_TCP_FLAGS -p tcp –tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOGDROP_TCP_FLAGS
iptables -A LOGDROP_TCP_FLAGS -m limit –limit 1/s -j LOG –log-tcp-options –log-prefix \
“[IPTABLES: BAD TCP FLAGS]”
iptables -A LOGDROP_TCP_FLAGS -j DROP
##############################################################################################
############
# FAST_DNS #
##############################################################################################
iptables -t mangle -A FAST_DNS -p udp -d $DNS_SERVER1 -j TOS –set-tos Minimize-Delay
iptables -t mangle -A FAST_DNS -p udp -d $DNS_SERVER2 -j TOS –set-tos Minimize-Delay
iptables -t mangle -A FAST_DNS -p tcp -d $DNS_SERVER1 -j TOS –set-tos Minimize-Delay
iptables -t mangle -A FAST_DNS -p tcp -d $DNS_SERVER2 -j TOS –set-tos Minimize-Delay
##############################################################################################
#######
# NAT #
##############################################################################################
iptables -t nat -A POSTROUTING -o $LAN ! -d $LAN_SUBNET -m state –state NEW,ESTABLISHED,RELATED -j MASQUERADE\
–random
##############################################################################################
###########
# FORWARD #
##############################################################################################
# Allow outgoing forward of any connection
iptables -A FORWARD -p tcp -i $LAN -s $LAN_SUBNET ! -d $LAN_SUBNET -m state –state NEW,ESTABLISHED,RELATED \
-j ACCEPT
iptables -A FORWARD -p udp -i $LAN -s $LAN_SUBNET ! -d $LAN_SUBNET -m state –state NEW,ESTABLISHED,RELATED \
-j ACCEPT
iptables -A FORWARD -p icmp -i $LAN -s $LAN_SUBNET ! -d $LAN_SUBNET -m state –state NEW,ESTABLISHED,RELATED \
-j ACCEPT
# Allow incoming forward of established or related connections with TTL greater than 10
iptables -A FORWARD -p tcp -i $LAN ! -s $LAN_SUBNET -d $LAN_SUBNET -m state –state ESTABLISHED,RELATED -m \
ttl –ttl-gt 10 -j ACCEPT
iptables -A FORWARD -p udp -i $LAN ! -s $LAN_SUBNET -d $LAN_SUBNET -m state –state ESTABLISHED,RELATED -m \
ttl –ttl-gt 10 -j ACCEPT
iptables -A FORWARD -p icmp -i $LAN ! -s $LAN_SUBNET -d $LAN_SUBNET -m state –state ESTABLISHED,RELATED -m \
ttl –ttl-gt 10 -j ACCEPT
##############################################################################################
#########
# INPUT #
##############################################################################################
# Allow DHCP broadcasts from the inside
iptables -A INPUT -i $LAN -p udp -s $LAN_SUBNET –sport 67:68 –dport 67:68 -j ACCEPT
# Allow DNS queries from the LAN to the Raspberry
iptables -A INPUT -i $LAN -p udp -s $LAN_SUBNET –sport $UNPRIV_PORTS -d $RSS –dport 53 -j ACCEPT
iptables -A INPUT -i $LAN -p tcp -s $LAN_SUBNET –sport $UNPRIV_PORTS -d $RSS –dport 53 -j ACCEPT
# SSH connections
iptables -A INPUT -i $LAN -p tcp -s $LAN_SUBNET –sport $UNPRIV_PORTS -d $RSS –dport $SSH -j ACCEPT
# ICMP LAN (Type 3 = unreachable [destination|port|protocol])
iptables -A INPUT -p icmp -m icmp –icmp-type echo-request -s $LAN_SUBNET -d $RSS -j ACCEPT
iptables -A INPUT -p icmp -m icmp –icmp-type 3 -s $LAN_SUBNET -d $RSS -j ACCEPT
# Allow already established connections from Raspberry to Internet to come back to itl
iptables -A INPUT -i $LAN ! -s $LAN_SUBNET -d $RSS -p tcp -m state –state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN ! -s $LAN_SUBNET -d $RSS -p udp -m state –state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN ! -s $LAN_SUBNET -d $RSS -p icmp -m state –state ESTABLISHED,RELATED -j ACCEPT
##############################################################################################
###########
# OUTPUT #
##############################################################################################
# Block potential ICMP redirect sent from us (could be caused by a misconfigured sysctl)
iptables -A OUTPUT -o $LAN -p icmp -m icmp –icmp-type redirect -m limit –limit 1/s -j LOG –log-prefix \
“[IPTABLES: ICMP REDIRECT]”
iptables -A OUTPUT -o $LAN -p icmp -m icmp –icmp-type redirect -j DROP
# Allow LAN established connections to the Raspi to come back to the LAN
iptables -A OUTPUT -o $LAN -p tcp -s $RSS -d $LAN_SUBNET -m state –state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $LAN -p udp -s $RSS -d $LAN_SUBNET -m state –state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $LAN -p icmp -s $RSS -d $LAN_SUBNET -m state –state ESTABLISHED,RELATED -j ACCEPT
# Allow DHCP related traffic
iptables -A OUTPUT -o $LAN -p udp -s $RSS -d $LAN_SUBNET –sport 67:68 –dport 67:68 -j ACCEPT
# Allow Raspberry to ping the LAN
iptables -A OUTPUT -o $LAN -p icmp -m icmp –icmp-type echo-request -s $RSS -d $LAN_SUBNET -m state \
–state NEW -j ACCEPT
# Allow new connections from Raspberry (necessary for updates, installing packages, etc…)
iptables -A OUTPUT -o $LAN -p tcp -s $RSS ! -d $LAN_SUBNET -m state –state NEW,ESTABLISHED,RELATED \
-j ACCEPT
iptables -A OUTPUT -o $LAN -p udp -s $RSS ! -d $LAN_SUBNET -m state –state NEW,ESTABLISHED,RELATED \
-j ACCEPT
iptables -A OUTPUT -o $LAN -p icmp -s $RSS ! -d $LAN_SUBNET -m state –state NEW,ESTABLISHED,RELATED \
-j ACCEPT
# DNS requests
iptables -A OUTPUT -o $LAN -p udp -s $RSS –sport $UNPRIV_PORTS -d $DNS_SERVER1 –dport domain -j ACCEPT
iptables -A OUTPUT -o $LAN -p udp -s $RSS –sport $UNPRIV_PORTS -d $DNS_SERVER2 –dport domain -j ACCEPT
iptables -A OUTPUT -o $LAN -p tcp -s $RSS –sport $UNPRIV_PORTS -d $DNS_SERVER1 –dport domain -j ACCEPT
iptables -A OUTPUT -o $LAN -p tcp -s $RSS –sport $UNPRIV_PORTS -d $DNS_SERVER2 –dport domain -j ACCEPT
# Allow NTP
iptables -A OUTPUT -o $LAN -p udp –dport ntp -s $RSS -j ACCEPT
##############################################################################################
iptables -A INPUT -m limit –limit 1/s -j LOG –log-prefix “[IPTABLES: INPUT DROP]”
iptables -A INPUT -j DROP
iptables -A OUTPUT -m limit –limit 1/s -j LOG –log-prefix “[IPTABLES: OUTPUT DROP]”
iptables -A OUTPUT -j DROP
iptables -A FORWARD -m limit –limit 1/s -j LOG –log-prefix “[IPTABLES: FORWARD DROP]”
iptables -A FORWARD -j DROP
## RULES END ##
rules_number=`egrep ‘\-j’ /etc/firewall.simple | wc -l`
echo “”
echo “$rules_number rules loaded.”
echo “”

Cargaremos las reglas con el fichero rc.local con el comando

sudo vi /etc/rc.local

El sistema nos devolverá el siguiente resultado:

echo “Loading iptables rules”
/etc/firewall.VERSION >> /dev/nu

Si queremos observar los resultados arrojados por dicho fichero lo harem os con el siguiente comando

sudo tail -f /var/log/iptables.log

Configuraremos el fichero logrotate.conf con el comando

sudo vi /etc/logrotate.conf

# see “man logrotate” for details
# rotate log files weekly
weekly# keep 12 weeks worth of backlogs
rotate 12

Tercer paso: CONFIGURACION de SNORT

En primer lugar instalaremos Snort con el comando

sudo pacman -S snort

Posteriormente configuraremos el fichero snort.conf con el comando

sudo vi /etc/snort/snort.conf

# Step 1 : variables
#########################################################################################################################
ipvar HOME_NET [192.168.1.0/24]
ipvar EXTERNAL_NET !$HOME_NET
ipvar DNS_SERVERS [192.168.1.3]
ipvar SMTP_SERVERS $HOME_NET
ipvar HTTP_SERVERS $HOME_NET
ipvar SQL_SERVERS $HOME_NET
ipvar TELNET_SERVERS $HOME_NET
ipvar FTP_SERVERS $HOME_NET
ipvar SIP_SERVERS $HOME_NET
portvar HTTP_PORTS 80
portvar ORACLE_PORTS 1024:
portvar FTP_PORTS [21,2100,3535]
portvar SIP_PORTS [5060,5061,5600]
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
ipvar SSH_SERVERS [192.168.1.3]
portvar SHELLCODE_PORTS !80
portvar SSH_PORTS [22,15507]
portvar GTP_PORTS [2123,2152,3386]
ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]var RULE_PATH /etc/snort/rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH $RULE_PATH
var BLACK_LIST_PATH $RULE_PATH# Step #2: Configure the decoder. For more information, see README.decode
#########################################################################################################################
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config checksum_mode: all

# Step #3: Configure the base detection engine. For more information, see README.decode
#########################################################################################################################
config pcre_match_limit: 3500
config pcre_match_limit_recursion: 1500
# This setting is very important :
# “lowmem” is required for Snort to run with low memory
config detection: search-method lowmem search-optimize max-pattern-len 20
config event_queue: max_queue 8 log 3 order_events content_length
config paf_max: 16000
# Step #4: Configure dynamic loaded libraries.
#########################################################################################################################
dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
# Step #5: Configure preprocessors
#########################################################################################################################
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
# Target-Based stateful inspection/stream reassembly. For more inforation, see README.stream5
preprocessor stream5_global: track_tcp yes, \
track_udp yes, \
track_icmp no, \
max_tcp 262144, \
max_udp 131072, \
max_active_responses 2, \
min_response_seconds 5
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \
161 445 513 514 587 593 691 1433 1521 2100 3306 6070 6665 6666 6667 6668 6669 \
7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
ports both 80 81 311 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7907 7001 7145 7510 7802 7777 7779 \
7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \
7917 7918 7919 7920 8000 8008 8014 8028 8080 8088 8118 8123 8180 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555
preprocessor stream5_udp: timeout 180
# HTTP normalization and anomaly detection. For more information, see README.http_inspect
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
preprocessor http_inspect_server: server default \
http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
chunk_length 500000 \
server_flow_depth 0 \
client_flow_depth 0 \
post_depth 65495 \
oversize_dir_length 500 \
max_header_length 750 \
max_headers 100 \
max_spaces 0 \
small_chunk_length { 10 5 } \
ports { 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8118 8123 8180 8181 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555 } \
non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
enable_cookie \
extended_response_inspection \
inspect_gzip \
normalize_utf \
unlimited_decompress \
normalize_javascript \
apache_whitespace no \
ascii no \
bare_byte no \
directory no \
double_decode no \
iis_backslash no \
iis_delimiter no \
iis_unicode no \
multi_slash no \
utf_8 no \
u_encode yes \
webroot no
# ONC-RPC normalization and anomaly detection. For more information, see the Snort Manual, Configuring Snort – Preprocessors – RPC Decode
preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete
# Back Orifice detection.
preprocessor bo
# FTP / Telnet normalization and anomaly detection. For more information, see README.ftptelnet
preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no
preprocessor ftp_telnet_protocol: telnet \
ayt_attack_thresh 20 \
normalize ports { 23 } \
detect_anomalies
preprocessor ftp_telnet_protocol: ftp server default \
def_max_param_len 100 \
ports { 21 2100 3535 } \
telnet_cmds yes \
ignore_telnet_erase_cmds yes \
ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
ftp_cmds { XSEN XSHA1 XSHA256 } \
alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
alt_max_param_len 256 { CWD RNTO } \
alt_max_param_len 400 { PORT } \
alt_max_param_len 512 { SIZE } \
chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
cmd_validity ALLO < int [ char R int ] > \
cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
cmd_validity MACB < string > \
cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
cmd_validity MODE < char ASBCZ > \
cmd_validity PORT < host_port > \
cmd_validity PROT < char CSEP > \
cmd_validity STRU < char FRPO [ string ] > \
cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
preprocessor ftp_telnet_protocol: ftp client default \
max_resp_len 256 \
bounce yes \
ignore_telnet_erase_cmds yes \
telnet_cmds yes
# SMTP normalization and anomaly detection. For more information, see README.SMTP
preprocessor smtp: ports { 25 465 587 691 } \
inspection_type stateful \
b64_decode_depth 0 \
qp_decode_depth 0 \
bitenc_decode_depth 0 \
uu_decode_depth 0 \
log_mailfrom \
log_rcptto \
log_filename \
log_email_hdrs \
normalize cmds \
normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
max_command_line_len 512 \
max_header_line_len 1000 \
max_response_line_len 512 \
alt_max_command_line_len 260 { MAIL } \
alt_max_command_line_len 300 { RCPT } \
alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
xlink2state { enabled }
# Portscan detection. For more information, see README.sfportscan
# preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
# ARP spoof detection. For more information, see the Snort Manual – Configuring Snort – Preprocessors – ARP Spoof Preprocessor
# preprocessor arpspoof
# preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
# SSH anomaly detection. For more information, see README.ssh
preprocessor ssh: server_ports { 22 15507 } \
autodetect \
max_client_bytes 19600 \
max_encrypted_packets 20 \
max_server_version_len 100 \
enable_respoverflow enable_ssh1crc32 \
enable_srvoverflow enable_protomismatch
# SMB / DCE-RPC normalization and anomaly detection. For more information, see README.dcerpc2
preprocessor dcerpc2: memcap 102400, events [co ]
preprocessor dcerpc2_server: default, policy WinXP, \
detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
smb_max_chain 3, smb_invalid_shares [“C$”, “D$”, “ADMIN$”]
# DNS anomaly detection. For more information, see README.dns
preprocessor dns: ports { 53 } enable_rdata_overflow
# SSL anomaly detection and traffic bypass. For more information, see README.ssl
preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted
# SDF sensitive data preprocessor. For more information see README.sensitive_data
preprocessor sensitive_data: alert_threshold 25
# Modbus preprocessor. For more information see README.modbus
preprocessor modbus: ports { 502 }
# DNP3 preprocessor. For more information see README.dnp3
preprocessor dnp3: ports { 20000 } \
memcap 262144 \
check_crc
# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
memcap 500, \
priority whitelist, \
nested_ip inner, \
whitelist $WHITE_LIST_PATH/white_list.rules, \
blacklist $BLACK_LIST_PATH/black_list.rules
# Step #6: Configure output plugins
#########################################################################################################################
include classification.config
include reference.config
# Step #7: Customize your rule set
#########################################################################################################################
include $RULE_PATH/local.rules
# Minimal rules for home NIDS (6 files)
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/botnet-cnc.rules
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/web-client.rules
# Additional rules (15 files)
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/phishing-spam.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/specific-threats.rules
include $RULE_PATH/telnet.rules
## TOTAL FILES = 21 files to load
# Other disabled files : Suit yourself
#include $RULE_PATH/blacklist.rules
#include $RULE_PATH/pop3.rules
#include $RULE_PATH/rservices.rules
#include $RULE_PATH/scada.rules
#include $RULE_PATH/snmp.rules
#include $RULE_PATH/sql.rules
#include $RULE_PATH/tftp.rules
#include $RULE_PATH/voip.rules
#include $RULE_PATH/web-activex.rules
#include $RULE_PATH/web-attacks.rules
#include $RULE_PATH/web-cgi.rules
#include $RULE_PATH/web-coldfusion.rules
#include $RULE_PATH/web-frontpage.rules
#include $RULE_PATH/web-iis.rules
#include $RULE_PATH/web-misc.rules
#include $RULE_PATH/web-php.rules
#include $RULE_PATH/x11.rules
###################################################
# Step #8: Customize your preprocessor and decoder alerts
# For more information, see README.decoder_preproc_rules
###################################################
# decoder and preprocessor event rules
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
###################################################
# Step #9: Customize your Shared Object Snort Rules
# For more information, see http://vrt-sourcefire.blogspot.com/2009 … rules.html
###################################################
# dynamic library rules
# include $SO_RULE_PATH/bad-traffic.rules
# include $SO_RULE_PATH/chat.rules
# include $SO_RULE_PATH/dos.rules
# include $SO_RULE_PATH/exploit.rules
# include $SO_RULE_PATH/icmp.rules
# include $SO_RULE_PATH/imap.rules
# include $SO_RULE_PATH/misc.rules
# include $SO_RULE_PATH/multimedia.rules
# include $SO_RULE_PATH/netbios.rules
# include $SO_RULE_PATH/nntp.rules
# include $SO_RULE_PATH/p2p.rules
# include $SO_RULE_PATH/smtp.rules
# include $SO_RULE_PATH/snmp.rules
# include $SO_RULE_PATH/specific-threats.rules
# include $SO_RULE_PATH/web-activex.rules
# include $SO_RULE_PATH/web-client.rules
# include $SO_RULE_PATH/web-iis.rules
# include $SO_RULE_PATH/web-misc.rules
# Event thresholding or suppression commands. See threshold.conf
include threshold.conf
#include $RULE_PATH/chat.rules
#include $RULE_PATH/content-replace.rules
#include $RULE_PATH/file-identify.rules
#include $RULE_PATH/finger.rules
#include $RULE_PATH/icmp.rules
#include $RULE_PATH/icmp-info.rules
#include $RULE_PATH/imap.rules
#include $RULE_PATH/info.rules
#include $RULE_PATH/misc.rules
#include $RULE_PATH/multimedia.rules
#include $RULE_PATH/mysql.rules
#include $RULE_PATH/nntp.rules
#include $RULE_PATH/oracle.rules
#include $RULE_PATH/other-ids.rules
#include $RULE_PATH/policy.rules
#include $RULE_PATH/pop2.rules

Por defecto SNORT no tiene reglas configuradas, así que debemos registrarnos en la web de SNORT para descargarlas en la URL https://www.snort.org/users/sign_upExiste la posibilidad de registrarse gratuitamente durante un mes

Una vez registrado procederemos a generar una descarga gratuita de las reglas https://www.snort.org/downloads/#rule-downloads

Es posible descargar las reglas para la versión 3.0 en la URL https://www.snort.org/downloads/communi … les.tar.gz y para la versión 2.9 en la URL https://www.snort.org/downloads/communi … les.tar.gz

A continuación entramos en la carpeta del usuario rss con el comando

cd /home/rss

wget http://www.snort.org/reg-rules/snortrules-snapshot-VERSION.tar.gz/oinkcode -O ./snortrules-snapshot-VERSION.tar.gz

Una vez descargado el fichero procedemos a descomprimirlo con TAR

tar zxpvf ./snortrules-snapshot-VERSION.tar.gz

sudo mv ./preproc_rules/ /etc/snort/
sudo mv ./rules/ /etc/snort/
sudo mv ./so_rules/ /etc/snort/

Crearemos dos ficheros white_list.rules y black_list.rules

touch /etc/snort/rules/white_list.rules
touch /etc/snort/rules/black_list.rules

Verificamos la versión de snort instalada con el comendo

sudo snort –version

Creamos un test de alerta para verificar el funcionamiento de snort con el comando

sudo vi /etc/snort/rules/local.rules

alert icmp any any -> $HOME_NET any (msg:”ICMP test”; sid:10000001;)

verificaremos igualmente la configuración con el comando

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -T

Verificaremos en pantalla las alertas en pantalla con el comando

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

La última verificación que haremos será reiniciar el sistema con el comando reboot para verificar que todo funciona correctamente

reboot

Cuarto paso: VERIFICACION FUNCIONAMIENTO

Configuración del fichero snort con el comando

sudo vi /etc/conf.d/snort

# Where is the snort.conf file.
SNORT_CONF=”/etc/snort/snort.conf”# What user account should we run under.
USER=”snort”# What group account should we run under.
GROUP=”snort”

# define the interface we listen on
INTERFACE=”eth0″
# If you are using prelude, delete the ‘-A fast’ option
SNORT_OPTIONS=”-A fast -b -D -p”

Si todo funciona correctamente snort mostrará que esta en funcionamiento con el comando en caso de que no funcione correctamente mostrará el mensaje fork: Cannot Allocate Memory

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D

Crearemos una partición SWAP de 512 Mb con el comando

sudo dd if=/dev/zero of=/swapfile.img bs=1M count=512
sudo mkswap /swapfile.img
sudo swapon /swapfile.img

SNORT debería funcionar de forma fluida a partir de ese momento con el comando

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D

Arrancaremos la SWAP con el comando

sudo vi /etc/fstab

# add this at the end
/swapfile.img none swap sw 0 0

Configuraremos SNORT para arrancarse automaticamente con el comando

sudo vi /etc/rc.conf

DAEMONS=(!hwclock syslog-ng network @crond @sshd @openntpd dnsmasq snort)

Reiniciaremos de nuevo el sistema con el comando

sudo reboot

htop

sudo tail –f /var/log/snort/alert

Si todo ha funcionado bien, el test de funcionamiento de las reglas lo verificaremos con el comando

sudo vi /etc/snort/rules/local.rules

Reiniciamos SNORT y verificamos el resultado

sudo rc.d restart snort

Manuales

| Etiquetas: RASPBERRY PI, RPI, SIEM

Deja una respuesta Cancelar la respuesta