Project 3: Zeek & Snort - squatchulator/Tech-Journal GitHub Wiki

Part 1: Zeek

Downloading and Installing Zeek

  • First, we need to meet a few requirements:
    • Add a second network adapter to the Zeek server in vCenter
      • Make sure that the two network adapters are on the DMZ and MGMT networks respectively
    • Boot the system up. Change the hostname to zeek-yourname. Also create a new user with adduser and add it to the sudoers group.
    • Change the IPs using Netplan (sudo nano /etc/netplan/00-installer-config.yaml). Note that via must be indented under to, otherwise netplan rejects the YAML:
      network:
        ethernets:
          ens160:
            dhcp4: no
            addresses: [172.16.50.6/29]
            routes:
              - to: default
                via: 172.16.50.2
            nameservers:
              addresses: [172.16.50.2]
          ens192:
            dhcp4: no
            addresses: [172.16.200.13/28]
        version: 2
    • Then run sudo netplan apply.

DNS and Firewall

  • Create a DNS entry that points to Zeek's MGMT IP address (172.16.200.13)
  • Allow internet connections to Zeek server using the Edge firewall:
set firewall name DMZ-to-WAN rule 999 action accept
set firewall name DMZ-to-WAN rule 999 source address 172.16.50.0/29
set firewall name DMZ-to-WAN rule 50 action accept
set firewall name DMZ-to-WAN rule 50 description "Allow NTP to DMZ"
set firewall name DMZ-to-WAN rule 50 destination address 172.16.50.0/29
set firewall name DMZ-to-WAN rule 50 protocol udp
set firewall name DMZ-to-WAN rule 50 destination port 123
commit
save

NTP

  • Run sudo apt-get install ntp -y
  • Make sure it's working with ntpq -p

Installing Zeek

  • Run the following commands:
echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_22.04/ /' | sudo tee /etc/apt/sources.list.d/security:zeek.list
curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_22.04/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null
sudo apt update
sudo apt install zeek-lts
  • When prompted, select Local only and let the installer restart the services it lists; Zeek is then installed under /opt/zeek
  • Back up the original config file with cp /opt/zeek/etc/node.cfg /opt/zeek/etc/node.orig
  • Create a new /opt/zeek/etc/node.cfg with the following:
#SEC350
[logger]
type=logger
host=zeek-miles
#
[manager]
type=manager
host=zeek-miles
#
[proxy-1]
type=proxy
host=zeek-miles
#
[worker-1]
type=worker
host=zeek-miles
interface=ens160
#
[worker-2]
type=worker
host=zeek-miles
interface=ens192
  • Now, adjust the network settings in /opt/zeek/etc/networks.cfg:
172.16.50.0/29  SEC350-DMZ
172.16.200.0/28 SEC350-MGMT
  • We also need to adjust the logging format in /opt/zeek/share/zeek/site/local.zeek:
@load policy/tuning/json-logs.zeek
  • Set the log rotation interval (in seconds, so one day here) in /opt/zeek/etc/zeekctl.cfg:
LogRotationInterval = 86400
  • Adjust root's PATH by editing /root/.profile as root (nano /root/.profile):
# Append at the bottom:
export PATH=$PATH:/opt/zeek/bin
# Save and exit
source .profile
echo $PATH
  • Now we can deploy Zeek from the zeekctl shell:
zeekctl
deploy
# To check the status
status
  • Now if you visit some websites on Wks01, you should be able to see the logs with cat /opt/zeek/logs/current/dns.log | grep 172.16.200.11
  • We can see logs from Traveler too with cat /opt/zeek/logs/current/http.log | grep 172.16.50.3
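Because json-logs.zeek is loaded above, every line in dns.log and http.log is one JSON object, which is easier to query than grepping for an IP. The following is an added example (not from the wiki page) that summarises a JSON Zeek log per originating host; the sample lines are constructed, and the log path in the comments is assumed.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of JSON-formatted dns.log lines using Zeek's field names
# (id.orig_h is the client, query the name looked up); not real captured data.
SAMPLE_DNS = """\
{"ts":1700000000.1,"uid":"CAbc1","id.orig_h":"172.16.200.11","id.resp_h":"172.16.200.2","query":"example.com","qtype_name":"A"}
{"ts":1700000001.2,"uid":"CAbc2","id.orig_h":"172.16.200.11","id.resp_h":"172.16.200.2","query":"zeek.org","qtype_name":"A"}
{"ts":1700000002.3,"uid":"CAbc3","id.orig_h":"172.16.50.3","id.resp_h":"172.16.50.2","query":"example.com","qtype_name":"AAAA"}
{"ts":1700000003.4,"uid":"CAbc4","id.orig_h":"172.16.200.11","id.resp_h":"172.16.200.2","query":"example.com","qtype_name":"A"}
"""


def parse_json_log(text):
    """Yield one dict per JSON line; skip blank lines and the partial last
    line Zeek may still be writing to logs/current."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def by_host(text, field="query"):
    """Map each originating host (id.orig_h) to a Counter of `field` values.
    Use field="query" for dns.log and field="host" for http.log."""
    result = defaultdict(Counter)
    for rec in parse_json_log(text):
        host, value = rec.get("id.orig_h"), rec.get(field)
        if host and value:
            result[host][value] += 1
    return result


def top_for_host(text, host, field="query", n=3):
    """The n most common `field` values seen from one client, e.g. Wks01."""
    return by_host(text, field)[host].most_common(n)


if __name__ == "__main__":
    # Assumed usage on the Zeek server: read the live JSON log instead of SAMPLE_DNS.
    # text = open("/opt/zeek/logs/current/dns.log").read()
    for h, counts in by_host(SAMPLE_DNS).items():
        print(h, dict(counts))
    print(top_for_host(SAMPLE_DNS, "172.16.200.11"))
```

For the Traveler check in the previous step, the same function works on http.log with field="host" to see which sites 172.16.50.3 requested.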

Part 2: Snort

 , ,_
o''   )~
 ''  ''

Setup

  • First we need to install the VSFTPD FTP server on our Jumpbox. It can be installed and started with:
sudo apt install vsftpd
sudo systemctl start vsftpd
  • Now we need to update the Edge01 firewall to allow pings from the DMZ to the LAN and back, and FTP from the LAN to the DMZ (where the Jumpbox's FTP server lives):
set firewall name DMZ-to-LAN rule 30 action accept
set firewall name DMZ-to-LAN rule 30 description "Allow ICMP from DMZ to LAN"
set firewall name DMZ-to-LAN rule 30 icmp type-name echo-request
set firewall name LAN-to-DMZ rule 30 action accept
set firewall name LAN-to-DMZ rule 30 description "Allow ICMP from LAN to DMZ"
set firewall name LAN-to-DMZ rule 30 icmp type-name echo-request
set firewall name LAN-to-DMZ rule 40 action accept
set firewall name LAN-to-DMZ rule 40 description "Allow FTP from LAN to DMZ"
set firewall name LAN-to-DMZ rule 40 protocol tcp
set firewall name LAN-to-DMZ rule 40 destination port 21
commit
save

Installing SNORT on Zeek

  • On the Zeek server, run sudo apt install snort to install. If prompted, we are using the ens160 interface (DMZ), and HOME_NET needs to be set to 172.16.50.0/29. We can also run snort -V to make sure it installed ok.
  • If it doesn't prompt for the adapter (it didn't for me), edit /etc/snort/snort.debian.conf and make sure the right interface is set there.
  • Now, edit /etc/snort/snort.conf and make sure that ipvar HOME_NET is set correctly.
  • Once that's done, edit the /etc/snort/classification.config file. Append this line to create a custom event type for our rules:
config classification: SEC350-event, SEC350 Test Event,1
  • Now test the configs we edited with sudo snort -T -i ens160 -c /etc/snort/snort.conf. It should end with "Snort successfully validated the configuration".

Creating Custom Rule #1 - ICMP Ping Alerts

  • Just to test if snort works, we will make a new rule. To do so, edit the /etc/snort/rules/local.rules file and add the following line:
alert icmp any any -> 172.16.50.4 any (msg:"Jump ICMP Test"; sid:1000001; rev:1; classtype:SEC350-event;)
  • Now start snort in IDS mode and tell it to output alerts to the console:
sudo snort -A console -q -c /etc/snort/snort.conf -i ens160
  • Once you run this, perform a ping from Jump to Wks01 and some alerts should generate!

Creating Custom Rule #2 - HTTP From WKS01 to Nginx

  • Edit the /etc/snort/rules/local.rules file again and add a line below our ICMP one that says:
alert tcp 172.16.150.100 any -> 172.16.50.3 any (msg:"WKS01 HTTP Connection"; sid:1000002; rev:1; classtype:SEC350-event;)
  • Run sudo snort -A console -q -c /etc/snort/snort.conf -i ens160 again and browse to Nginx from Wks01 to generate traffic.

Creating Custom Rule #3 - Failed FTP Logins

  • Repeat the same process as above, but add the following line to /etc/snort/rules/local.rules:
alert tcp 172.16.50.4 21 -> any any (msg:"FTP Login Failed"; content:"530 Login incorrect"; sid:1000003; rev:1; classtype:SEC350-event;)
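The three custom rules above share the same failure modes when typed by hand: quotes pasted from a word processor, a sid reused between rules, and a classtype that was never added to classification.config. The following is an added example (not from the wiki page) that lints a local.rules file for exactly those problems before running snort -T; the rule and classification text are copied from this page, the bad rules are constructed, and the file paths in the comments are assumed.

```python
import re

# Copied from the page: the custom classtype and the three local.rules lines.
CLASSIFICATION = "config classification: SEC350-event, SEC350 Test Event,1\n"
LOCAL_RULES = """\
alert icmp any any -> 172.16.50.4 any (msg:"Jump ICMP Test"; sid:1000001; rev:1; classtype:SEC350-event;)
alert tcp 172.16.150.100 any -> 172.16.50.3 any (msg:"WKS01 HTTP Connection"; sid:1000002; rev:1; classtype:SEC350-event;)
alert tcp 172.16.50.4 21 -> any any (msg:"FTP Login Failed"; content:"530 Login incorrect"; sid:1000003; rev:1; classtype:SEC350-event;)
"""
# Constructed bad input: smart quotes, a reused sid and an undeclared classtype.
BAD_RULES = """\
alert icmp any any -> 172.16.50.4 any (msg:\u201dJump ICMP Test\u201d; sid:1000001; rev:1; classtype:SEC350-event;)
alert tcp any any -> any 21 (msg:"dup"; sid:1000001; rev:1; classtype:bogus-class;)
"""

CLASS_RE = re.compile(r"^config classification:\s*([^,]+),", re.M)
# Naive option splitter: fine for the page's rules, not for ';' or ':' inside quoted values.
OPTION_RE = re.compile(r"(\w+)\s*:\s*([^;]*);")


def declared_classtypes(text):
    """Set of classtype short names declared in classification.config."""
    return {m.group(1).strip() for m in CLASS_RE.finditer(text)}


def lint_rules(rules_text, classification_text):
    """Return [(line_no, problem), ...]; an empty list means the file is clean."""
    problems, seen_sids = [], {}
    classtypes = declared_classtypes(classification_text)
    for n, line in enumerate(rules_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.isascii():  # curly quotes from a word processor break parsing
            problems.append((n, "non-ASCII character (smart quotes?)"))
        opts = dict(OPTION_RE.findall(line[line.find("(") + 1:]))
        sid = opts.get("sid")
        if sid is None:
            problems.append((n, "missing sid"))
        elif sid in seen_sids:
            problems.append((n, f"sid {sid} already used on line {seen_sids[sid]}"))
        else:
            seen_sids[sid] = n
        ct = opts.get("classtype")
        if ct and ct not in classtypes:
            problems.append((n, f"classtype {ct} not in classification.config"))
    return problems


if __name__ == "__main__":
    # Assumed usage on the sensor: pass the real files' contents instead, e.g.
    # lint_rules(open("/etc/snort/rules/local.rules").read(), open("/etc/snort/classification.config").read())
    for n, p in lint_rules(BAD_RULES, CLASSIFICATION):
        print(f"line {n}: {p}")
```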