openstack/os-ken
Code Issues Proposed changes
Files
15d41af6d73efe004f5a855ad55111e50f087f1c
os-ken/doc/source/snort_integrate.rst
Slawek Kaplonski a74bac9100 Add CLI scripts from osken to be installed via setup.cfg 
Instead of keeping hardcoded files in bin/ directory it is
more flexible to install such files using setup.cfg file.
It will for example install files with correct shebang for
python2 and python3.

This patch also removes tools/osken-manager.spec file
as it was used by PyInstaller in Ryu and it isn't used
in os-ken.

Change-Id: Ie85c64d81c86f0059528ad4d8e238a4124d4e5b4
2018-12-12 15:04:37 +01:00

4.9 KiB
Raw Blame History

Snort Intergration

This document describes how to integrate OS-Ken with Snort.

Overview

There are two options can send alert to OS-Ken controller. The Option 1 is easier if you just want to demonstrate or test. Since Snort need very large computation power for analyzing packets you can choose Option 2 to separate them.

[Option 1] OS-Ken and Snort are on the same machine :

+------------------------+
|      unixsock          |
|    OS-Ken  ==  snort   |
+----eth0-----eth1-------+
       |       |
+-------+   +----------+   +-------+
| HostA |---| OFSwitch |---| HostB |
+-------+   +----------+   +-------+

The above depicts OS-Ken and Snort architecture. OS-Ken receives Snort alert packet via Unix Domain Socket . To monitor packets between HostA and HostB, installing a flow that mirrors packets to Snort.

[Option 2] OS-Ken and Snort are on the different machines :

+---------------+
|    Snort     eth0--|
|   Sniffer     |    |
+-----eth1------+    |
       |             |
+-------+   +----------+   +-----------+
| HostA |---| OFSwitch |---| LAN (*CP) |
+-------+   +----------+   +-----------+
       |             |
  +----------+   +-------------+
  |  HostB   |   |   OS-Ken    |
  +----------+   +-------------+

*CP: Control Plane

The above depicts OS-Ken and Snort architecture. OS-Ken receives Snort alert packet via Network Socket . To monitor packets between HostA and HostB, installing a flow that mirrors packets to Snort.

Installation Snort

Snort is an open source network intrusion prevention and detectionsystem developed by Sourcefire. If you are not familiar with installing/setting up Snort, please referto snort setup guides.

http://www.snort.org/documents

Configure Snort

The configuration example is below:

  • Add a snort rules file into /etc/snort/rules named Myrules.rules :

    alert icmp any any -> any any (msg:"Pinging...";sid:1000004;)
alert tcp any any -> any 80 (msg:"Port 80 is accessing"; sid:1000003;)

  • Add the custom rules in /etc/snort/snort.conf :

    include $RULE_PATH/Myrules.rules

Configure NIC as a promiscuous mode. :

$ sudo ifconfig eth1 promisc

Usage

[Option 1]

  1. Modify the simple_switch_snort.py: :

    socket_config = {'unixsock': True}
# True: Unix Domain Socket Server [Option1]
# False: Network Socket Server [Option2]

  2. Run OS-Ken with sample application: :

    $ sudo osken-manager os_ken/app/simple_switch_snort.py

The incoming packets will all mirror to port 3 which should be connect to Snort network interface. You can modify the mirror port by assign a new value in the self.snort_port = 3 of simple_switch_snort.py

  1. Run Snort: :

    $ sudo -i
$ snort -i eth1 -A unsock -l /tmp -c /etc/snort/snort.conf

  2. Send an ICMP packet from HostA (192.168.8.40) to HostB (192.168.8.50): :

    $ ping 192.168.8.50

  3. You can see the result under next section.

[Option 2]

  1. Modify the simple_switch_snort.py: :

    socket_config = {'unixsock': False}
# True: Unix Domain Socket Server [Option1]
# False: Network Socket Server [Option2]

  2. Run OS-Ken with sample application (On the Controller): :

    $ osken-manager os_ken/app/simple_switch_snort.py

  3. Run Snort (On the Snort machine): :

    $ sudo -i
$ snort -i eth1 -A unsock -l /tmp -c /etc/snort/snort.conf

  4. Run pigrelay.py (On the Snort machine): :

    $ sudo python pigrelay.py

This program listening snort alert messages from unix domain socket and sending it to OS-Ken using network socket.

You can clone the source code from this repo. https://github.com/John-Lin/pigrelay

  1. Send an ICMP packet from HostA (192.168.8.40) to HostB (192.168.8.50): :

    $ ping 192.168.8.50

  2. You can see the alert message below: :

    alertmsg: Pinging...
icmp(code=0,csum=19725,data=echo(data=array('B', [97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 97, 98, 99, 100, 101, 102, 103, 104, 105]),id=1,seq=78),type=8)

ipv4(csum=42562,dst='192.168.8.50',flags=0,header_length=5,identification=724,offset=0,option=None,proto=1,src='192.168.8.40',tos=0,total_length=60,ttl=128,version=4)

ethernet(dst='00:23:54:5a:05:14',ethertype=2048,src='00:23:54:6c:1d:17')


alertmsg: Pinging...
icmp(code=0,csum=21773,data=echo(data=array('B', [97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 97, 98, 99, 100, 101, 102, 103, 104, 105]),id=1,seq=78),type=0)

ipv4(csum=52095,dst='192.168.8.40',flags=0,header_length=5,identification=7575,offset=0,option=None,proto=1,src='192.168.8.50',tos=0,total_length=60,ttl=64,version=4)
View Git Blame Copy Permalink