ips — intrusion detection/prevention system and the related aspects
The snort(8) intrusion detection system is integrated in Kernun.
IPS/IDS is configured in the ips section on the
system level of the Kernun configuration. See
system(5).
Four modes of IPS/IDS are available; they are configured using the item
mode:
log
The IDS mode is used, i.e., the suspicious traffic is logged.
drop
The IPS mode is used. The suspicious packets are dropped.
reject
The IPS mode is used. The suspicious connections are reset.
advanced
The IPS mode is used. The reaction to the suspicious connections can be tuned using modifysid expressions for the oinkmaster(1).
The traffic from the interfaces named by the iface items
is analyzed by the IDS/IPS system. Ruleset refresh (automatic rule download) is configured
using the license item.
The IPS mode is used if mode drop,
reject or advanced is
specified in the Kernun configuration.
In the IPS mode, the traffic from one or more interfaces is redirected to snort using a divert socket (divert(4)), and snort is configured to analyze the traffic on that divert socket.
The following ipfw(8) rule is established for each interface for redirecting the traffic:
ipfw add 1000 divert 1 ip from any to any via iface
If it is so specified (item pass-ssh), the traffic for
administrative SSH connections
to the firewall is excluded from being redirected to the divert socket by
establishing the following rule for each IP address
(IP) and port (PORT)
the ssh-server listens on:
ipfw add 100 pass ip from any to IP PORT
ipfw add 100 pass ip from IP PORT to any
If the SSH server listens on the special IP address 0.0.0.0, the following rule is
established, which excludes all the traffic on the SSH port from
being redirected to the divert socket:
ipfw add 100 pass ip from any to any PORT
ipfw add 100 pass ip from any PORT to any
Once the packet is redirected to the divert socket, it is analyzed by snort. Depending on the outcome of the snort analysis, the packet is either re-injected back to the IP stack, or it is dropped, or the connection is reset. The suspicious traffic is logged as well.
The IDS mode is used if mode log is
specified in the Kernun configuration.
In the IDS mode, the traffic from one or more interfaces is replicated to a special netgraph interface ng0. Snort is configured to analyse the traffic on this interface and to log the suspicious traffic. The ng0 interface is prepared upon Kernun startup using the following commands:
ngctl mkpeer iface 1 inet
ngctl connect ipfw: ng0: 1 inet
Snort is configured to analyze the traffic on the ng0
interface. The traffic is replicated to ng0 by establishing
the following ipfw rules for each
interface that is configured to be
analyzed:
ipfw add 1 deny ip from any to any via ng0
ipfw add 1000 ngtee 1 ip from any to any via interface
The first rule denies the real traffic on ng0, the second one actually replicates the traffic.
Snort analyses the traffic based on a ruleset. Kernun maintains two ruleset instances:
/usr/local/etc/snort/rules.orig
This ruleset is used as the reference ruleset, and
acts as the original for generating the
rules. This ruleset must be present in
order to successfully apply the configuration and start the
IPS module. See section Obtaining the
ruleset.
/usr/local/etc/snort/rules
This ruleset is generated using
oinkmaster(1) from the
rules.orig upon the application of the
configuration. This copy is used by snort.
In accordance with the ips.mode value in the
Kernun configuration, transcription rules for oinkmaster
are generated. They adjust the rules if needed, transcribing the
rules.orig into
rules. The transcription rules are
specified by the modifysid expressions (see
oinkmaster(1)). The oinkmaster
configuration file is stored at
/usr/local/etc/oinkmaster-local.conf.
The following modifysid expressions
are generated into oinkmaster-local.conf,
in accordance with ips.mode:
log
No modifysid expression is generated
into oinkmaster-local.conf.
drop
The following modifysid expression is
generated to oinkmaster-local, which
makes snort drop all the suspicious packets:
modifysid * "^alert " | "drop "
reject
The following modifysid expression is
generated to oinkmaster-local, which
makes snort reset all the suspicious connections:
modifysid * "^alert " | "reject "
advanced
No implicit modifysid expression is
generated into the oinkmaster-local.
Instead, it is possible to specify
modifysid expressions explicitly in the
Kernun configuration. Each such modifysid item
is generated into the
oinkmaster-local. Thus the
transcription process can be fully controlled from the
Kernun configuration.
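The transcription described above, as an added example that is not part of Kernun or oinkmaster: a simplified re-implementation of the modifysid step that turns a constructed rules.orig into rules for each ips.mode value, including explicit expressions in the advanced mode. Python's re stands in for oinkmaster's Perl regexes, and the function names are assumptions.

```python
"""Emulate the oinkmaster modifysid transcription of rules.orig -> rules.
Simplified illustration: only the 'modifysid <sids> "REGEX" | "REPL"' form
is handled, and Python re replaces oinkmaster's Perl substitution."""
import re

# Constructed sample rules.orig: two ordinary snort alert rules.
RULES_ORIG = [
    'alert tcp any any -> any 22 (msg:"SSH sample rule"; sid:1000001; rev:1;)',
    'alert udp any any -> any 53 (msg:"DNS sample rule"; sid:1000002; rev:1;)',
]

MODIFYSID_RE = re.compile(r'^modifysid\s+(\S+)\s+"(.*?)"\s*\|\s*"(.*?)"\s*$')
SID_RE = re.compile(r'\bsid:\s*(\d+)')

def implicit_modifysid(mode):
    """Expressions Kernun writes into oinkmaster-local.conf for ips.mode."""
    if mode == "drop":
        return ['modifysid * "^alert " | "drop "']
    if mode == "reject":
        return ['modifysid * "^alert " | "reject "']
    return []  # log: nothing; advanced: only explicit items are generated

def transcribe(rules_orig, expressions):
    """Apply each modifysid expression to every rule whose sid it selects."""
    rules = list(rules_orig)
    for expr in expressions:
        m = MODIFYSID_RE.match(expr)
        if not m:
            raise ValueError("unparseable modifysid: " + expr)
        sids, pattern, repl = m.groups()
        selected = None if sids == "*" else set(sids.split(","))
        for i, rule in enumerate(rules):
            sid = SID_RE.search(rule)
            if selected is None or (sid and sid.group(1) in selected):
                rules[i] = re.sub(pattern, repl, rule, count=1)
    return rules

def rules_for_mode(mode, explicit=()):
    """rules.orig -> rules as the apply step would produce for ips.mode."""
    exprs = implicit_modifysid(mode)
    if mode == "advanced":
        exprs += list(explicit)  # modifysid items from the Kernun configuration
    return transcribe(RULES_ORIG, exprs)

if __name__ == "__main__":
    for mode in ("log", "drop", "reject"):
        print(mode, [r.split(" ", 1)[0] for r in rules_for_mode(mode)])
    adv = rules_for_mode("advanced", ['modifysid 1000001 "^alert " | "drop "'])
    print("advanced", [r.split(" ", 1)[0] for r in adv])
```

In the advanced run only sid 1000001 becomes a drop rule while sid 1000002 stays an alert, which is the per-rule control the advanced mode is meant to give.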
For licensing reasons, the ruleset is not included in the Kernun distribution. Before using snort, it is necessary to provide rule definitions.
It is possible either to install the static ruleset into the
/usr/local/etc/snort/rules.orig, or
to configure automatic rule download. This
section covers the latter option.
For the automatic ruleset download, the
oinkcode must be provided in the
license item of the Kernun
configuration. If the (paid) subscription release of the rules is
available, specify the subscription
element as well. The oinkcode can be obtained from the snort Web
pages.
After the configuration is applied, the script
oinkcron can be used to download the
rules. This script is also scheduled for a daily automatic
download via cron, as specified in
samples/include/crontab.cml.