joanbono / Snorter

Snort + Barnyard2 + Pulledpork → The easy way!
https://joanbono.github.io/Snorter
GNU General Public License v3.0

Wondering about the usage on a Raspberry PI #11

Closed ovizii closed 7 years ago

ovizii commented 7 years ago

I might have a blonde moment but how is this useful on a PI?

Maybe I could plug the ethernet cable from my ISP straight into the PI and then have it act as an access point? This way it could work as an IDS between a few wireless clients and the internet or how else would you use it on a PI?

joanbono commented 7 years ago

Hi @ovizii !!

I have Snorter fully working on my Raspberry Pi as an IDS. I have the Raspberry connected to a port-mirror on my switch (directly connected to the ISP router), to which two Access Points for wireless connection are also connected, so the RPi sees all the traffic. Something like this:

So, the Raspberry logs all the alerts in /var/log/snort/alerts.csv and also saves pcaps.

I hope I answered your question, did I?

Regards! 😄

ovizii commented 7 years ago

@joanbono thanks, that makes sense I had not thought of that before.

I'm just thinking that the PI is a "cheap" consumer product while a switch with port-mirroring is more of a higher-end product so I guess if you have a switch capable of port-mirroring you probably have a router with a built-in IDS.

Apart from that, I think I am still missing something from the big picture. If I am not mistaken, port-mirroring only means a copy of every packet is also sent to the port where the PI is listening so say snort detects an intrusion, how could it act upon it seeing that it can only "influence" its own ports on the PI and none of the ports on the switch?

I hope you understand where I am coming from, snorter sounds great, running on a PI is awesome I'm just missing the application or maybe my networking isn't up to par so I'd be happy for pointers :-)

joanbono commented 7 years ago

Hi @ovizii , I'll try to answer everything 😄

I'm just thinking that the PI is a "cheap" consumer product while a switch with port-mirroring is more of a higher-end product so I guess if you have a switch capable of port-mirroring you probably have a router with a built-in IDS.

Sure! I have a pfSense box with Suricata in IPS mode, but I also have the Pi as an IDS with Snort. The switch I have is this one: Netgear ProSAFE (I bought mine on Amazon for $45 a year ago), which is far from a higher-end product (thinking about Cisco or Mikrotik switches, which are difficult to configure for people without a tech background).

Apart from that, I think I am still missing something from the big picture. If I am not mistaken, port-mirroring only means a copy of every packet is also sent to the port where the PI is listening so say snort detects an intrusion, how could it act upon it seeing that it can only "influence" its own ports on the PI and none of the ports on the switch?

If I've understood what you mean, the answer is easy: it's possible to configure in /etc/snort/snort.conf which IPs or ports to use. Something like this:

def handle_packet(pkt, snort_ip):
    # ignore the sensor's own traffic, inspect everything else
    if pkt.src_ip == snort_ip or pkt.dst_ip == snort_ip:
        return
    log_traffic(pkt)
    look_for_alerts(pkt)

I hope you understand where I am coming from, snorter sounds great, running on a PI is awesome I'm just missing the application or maybe my networking isn't up to par so I'd be happy for pointers :-)

In fact, I started Snorter for network forensics, because installing Snort was really painful; this is why WebSnort is included 😃 . I use Snorter to install Snort in virtual machines or even in little servers which I used in my job: go to a CPD, connect the probe to the port-mirror switch, detect which computers are infected by a botnet (based on previous incidents and using custom rules). So, the point is, I tried to install it on one of my Raspberries, and it worked. Then many of my friends used Snorter on their RPi and this is why I decided to "open" the script.

So, yeah, you're right, Snort is not "necessary" for domestic usage, but it depends on your paranoia level 😆

I love this image:

Regards!
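As an added example (not code from the Snorter project or from the thread participants), the following Python script applies the same "skip the sensor's own traffic" idea after the fact, over the alerts.csv the Pi writes, and summarises what is left by signature and by source IP. It assumes the first ten columns of Snort 2's `output alert_csv: <file> default` layout (edit COLUMNS if your snort.conf uses a custom field list); the sensor IP, the alert rows, and sids 10000002/10000003 with their messages are constructed for the sample, while sid 10000001 is the thread's ICMP rule.

```python
"""Post-process Snort's alerts.csv, ignoring alerts to/from the sensor itself.

Added example, not Snorter's code. Assumes the first ten columns of Snort 2's
`output alert_csv: <file> default` layout; edit COLUMNS if your snort.conf
uses a custom field list. The sensor IP and the alert rows are constructed.
"""
import csv
import io
from collections import Counter

# Assumed field order: first ten fields of Snort's "default" alert_csv format.
COLUMNS = ["timestamp", "sig_generator", "sig_id", "sig_rev", "msg",
           "proto", "src", "srcport", "dst", "dstport"]

SENSOR_IP = "192.168.1.50"  # constructed: the Pi's own address on the mirror segment

# Constructed sample rows (trailing ethernet/TCP/IP columns omitted).
# sid 10000001 is the thread's ICMP rule; 10000002/10000003 are made up.
SAMPLE_CSV = """\
08/21-10:00:01.123456,1,10000001,1,ICMP packet detected,ICMP,10.0.0.9,,192.168.1.20,
08/21-10:00:02.223456,1,10000001,1,ICMP packet detected,ICMP,192.168.1.50,,192.168.1.1,
08/21-10:00:03.323456,1,10000002,1,Telnet to internal host,TCP,203.0.113.7,41000,192.168.1.21,23
08/21-10:00:04.423456,1,10000002,1,Telnet to internal host,TCP,203.0.113.7,41001,192.168.1.22,23
08/21-10:00:05.523456,1,10000003,1,SSH to internal host,TCP,203.0.113.7,41002,192.168.1.50,22
"""


def parse_alerts(text):
    """Parse alert_csv rows into dicts keyed by COLUMNS (extra fields ignored)."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if not rec:
            continue
        rows.append(dict(zip(COLUMNS, rec)))
    return rows


def filter_sensor_traffic(rows, sensor_ip):
    """Same idea as the pseudocode in the thread: skip anything where the sensor is an endpoint."""
    return [r for r in rows if sensor_ip not in (r["src"], r["dst"])]


def summarise(rows, top=5):
    """Top signatures by (sid, msg) and top source IPs among the remaining alerts."""
    by_sig = Counter((r["sig_id"], r["msg"]) for r in rows).most_common(top)
    by_src = Counter(r["src"] for r in rows).most_common(top)
    return by_sig, by_src


def demo(text=SAMPLE_CSV, sensor_ip=SENSOR_IP):
    """Parse, filter and summarise; returns (total, kept, (by_sig, by_src))."""
    rows = parse_alerts(text)
    kept = filter_sensor_traffic(rows, sensor_ip)
    return len(rows), len(kept), summarise(kept)


if __name__ == "__main__":
    total, kept, (by_sig, by_src) = demo()
    print(f"{total} alerts, {kept} after dropping sensor traffic")
    for (sid, msg), n in by_sig:
        print(f"  sid {sid:>9}  x{n}  {msg}")
    for ip, n in by_src:
        print(f"  src {ip:<15} x{n}")
```

Filtering in post-processing is a complement to, not a replacement for, getting HOME_NET/EXTERNAL_NET right in snort.conf: the Pi still spends CPU inspecting its own packets, but the report no longer counts its own SSH sessions or update traffic as "attacks".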

ovizii commented 7 years ago

@joanbono thanks for the helpful answers. I do understand more now and thanks for pointing me toward that netgear switch, I wasn't aware such cheap switches were so "smart" - pun intended :-)

There is one point I am still unclear about. You said you used the PI as a network sniffer, I do fully understand how you use it as an intrusion detection system in this way but how would you actually use it for the second part of snort: intrusion prevention system?

Maybe I misunderstood but I have so far only seen snort installed on the "gateway" systems, i.e. on a central router, thus being able to actually perform the "prevention" part. This is the part I am missing, how can snort running on a PI getting a copy of every network packet prevent anything?

joanbono commented 7 years ago

Hi @ovizii

There is one point I am still unclear about. You said you used the PI as a network sniffer, I do fully understand how you use it as an intrusion detection system in this way but how would you actually use it for the second part of snort: intrusion prevention system?

At the moment, Snorter is not ready to be used as an IPS. An RPi connected to a port-mirror is only able to detect, but if you want to block rule-based attacks, you have to connect it in in-line mode, so you need a USB-to-Ethernet adapter, because the RPi only has one Ethernet interface, or, if you use the RPi3, you can use it as an access point, so it will be "inline" because of the "bridge" between wlan0 and eth0.

I have a friend who has the RPi in-line using a USB-to-Ethernet adapter, but you have to specify it in the configuration:

./configure --enable-sourcefire
make && sudo make install

Then, when running Snort, indicate the interfaces:

# -T only validates the configuration and exits; drop it to run for real
sudo snort -T -c /etc/snort/snort.conf -Q -i eth0:wlan0

With the -Q you are telling snort to run in-line mode between eth0 and wlan0.

So, you have to change the rules you want to block with. For example, this rule will detect any ICMP packet:

alert icmp any any -> $HOME_NET any (msg:"ICMP packet detected"; gid:1; sid:10000001; rev:1; classtype:icmp-event;)

And changing alert to drop will automatically discard every packet matching the rule:

drop icmp any any -> $HOME_NET any (msg:"ICMP test detected"; gid:1; sid:10000001; rev:1; classtype:icmp-event;)

So, it would be a good idea to create a Snorter_IPS.sh script to use Snort as an in-line IPS, but I'd prefer to wait until Snort 3 is released.

Maybe I misunderstood but I have so far only seen snort installed on the "gateway" systems i.e. on a central router this being able to actually perform the "prevention" part. This is the part I am missing, how can snort running on a PI getting a copy of every network packet prevent anything?

As told before, only in-line systems are capable of "blocking" traffic, working as Intrusion Prevention System.

Thanks! 😄
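As an added example (not code from Snorter or from the author), here is a Python helper that performs the alert-to-drop rewrite described above for a chosen set of SIDs across a whole rules file instead of by hand, leaving comments and unselected rules untouched and honouring backslash line continuations. It assumes Snort 2.9 rule syntax (action keyword first, options in parentheses, a `sid:` option); the sample rules and sids 10000002/10000003 are constructed. The rewritten drop rules only discard traffic when Snort runs inline (-Q); on a mirror port they cannot block anything.

```python
"""Rewrite selected Snort 2 rules from `alert` to `drop` for inline (-Q) IPS use.

Added example, not part of Snorter. Assumptions: Snort 2.9 rule syntax
(action keyword, header, options in parentheses, a `sid:` option, optional
backslash line continuations). The sample rules and their sids are constructed.
"""
import re

# Action keyword at the start of a rule, and the sid option anywhere in it.
ACTION_RE = re.compile(r"^(\s*)(alert|log|pass|drop|reject|sdrop)\b(.*)$", re.S)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample rules (local.rules style); sids 10000002/10000003 are made up.
SAMPLE_RULES = """\
# local rules
alert icmp any any -> $HOME_NET any (msg:"ICMP packet detected"; sid:10000001; rev:1; classtype:icmp-event;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Telnet to internal host"; \\
    flow:to_server,established; sid:10000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH to internal host"; sid:10000003; rev:1;)
"""


def _logical_rules(text):
    """Yield each rule as one string, joining lines that end with a backslash."""
    buf = []
    for line in text.splitlines():
        buf.append(line)
        if line.rstrip().endswith("\\"):
            continue
        yield "\n".join(buf)
        buf = []
    if buf:
        yield "\n".join(buf)


def convert_rules(text, sids, new_action="drop", old_action="alert"):
    """Return (rewritten_text, converted_sids).

    Only rules whose sid is in `sids` and whose action is `old_action` are
    changed; comments, blank lines and every other rule pass through as-is.
    """
    out, converted = [], []
    for rule in _logical_rules(text):
        stripped = rule.lstrip()
        if stripped and not stripped.startswith("#"):
            m_sid = SID_RE.search(rule)
            m_act = ACTION_RE.match(rule)
            if (m_sid and m_act and m_act.group(2) == old_action
                    and int(m_sid.group(1)) in sids):
                rule = f"{m_act.group(1)}{new_action}{m_act.group(3)}"
                converted.append(int(m_sid.group(1)))
        out.append(rule)
    rewritten = "\n".join(out) + ("\n" if text.endswith("\n") else "")
    return rewritten, converted


def demo():
    """Convert the ICMP and Telnet rules to drop, leave the SSH rule alerting."""
    return convert_rules(SAMPLE_RULES, {10000001, 10000002})


if __name__ == "__main__":
    text, done = demo()
    print(text)
    print("converted sids:", done)
```

Run `snort -T -c /etc/snort/snort.conf` after rewriting so a broken rule is caught before the Pi goes inline; a syntax error in an in-line sensor takes the whole path down, not just the detection.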

joanbono commented 7 years ago

Hi @ovizii

Can I close the issue, or do you have another question?

Regards!

ovizii commented 7 years ago

Yes you can close it, you have clarified my questions, thanks.