IDS using Snort3

Welcome to the Snort3 Enhancement Project! This initiative aims to strengthen the Snort3 Intrusion Detection and Prevention System (IDS/IPS) by automating the blocking of suspicious IP addresses after multiple failed login attempts. The project focuses on brute-force attacks against SMTP servers. The scripts provided help you monitor Snort3 logs and simulate brute-force attacks for testing purposes.

Prerequisites

Before you start running the scripts, make sure you have the following set up on your system:

  1. Snort3:

    • Ensure that Snort3 is installed, configured, and running properly. You can install it on a Linux system using the following command:
      sudo apt install snort3
    • For detailed installation and configuration instructions, refer to the official Snort3 documentation.
    • Check that alerts are being written to /var/log/snort/alert_fast.txt. If the file is empty or missing, open the Snort configuration file (/usr/local/etc/snort/snort.lua) and confirm that the alert_fast output is enabled and pointed at that file.
  2. iptables:

    • Make sure iptables is installed and configured correctly. This tool will be used to block IP addresses based on alerts generated by Snort3.
  3. Python 3:

    • The scripts are written in Python 3, so ensure it is installed on your system:
      sudo apt install python3

Included Files

This project includes two main scripts:

  1. snort3_auto_block.py:

    • This script monitors the Snort3 alert log for failed login attempts on an SMTP server. If it detects multiple failed attempts from the same IP address, it automatically blocks that IP using iptables.
  2. brute_force.py:

    • This script simulates a brute-force attack on an SMTP server by attempting to log in with multiple passwords from a provided file.
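The following is an added illustration of the detection-and-blocking logic that snort3_auto_block.py is described as performing; it is not the project's own script. It assumes a custom Snort rule whose message contains "SMTP failed login", a threshold of 5 attempts, and a standard alert_fast line layout ending in "{TCP} src:port -> dst:port". The sample alert lines are constructed, and the block runs in dry-run mode (it only builds the iptables command) so it can be executed without root; a real deployment would feed it lines tailed from /var/log/snort/alert_fast.txt.

```python
import re
import subprocess
from collections import Counter
from datetime import datetime

# Assumptions (not from the project): the rule that fires on an SMTP
# authentication failure carries this text in its message, and an IP is
# blocked once it reaches THRESHOLD failed attempts.
FAILED_LOGIN_MARKER = "SMTP failed login"
THRESHOLD = 5
BLOCK_LOG = "/var/log/snort/Failed_Login.txt"

# alert_fast lines end with "{PROTO} src:port -> dst:port"; capture the
# source address of alerts aimed at the SMTP port (25).
ALERT_RE = re.compile(
    r"\{TCP\}\s+(\d{1,3}(?:\.\d{1,3}){3}):\d+\s+->\s+\d{1,3}(?:\.\d{1,3}){3}:25\b")

def source_ip(line: str):
    """Return the source IP if the line is a failed-login alert, else None."""
    if FAILED_LOGIN_MARKER not in line:
        return None
    m = ALERT_RE.search(line)
    return m.group(1) if m else None

def block_ip(ip: str, dry_run: bool = True) -> list:
    """Insert a DROP rule for ip at the top of INPUT; returns the command used."""
    cmd = ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]
    if not dry_run:
        subprocess.run(cmd, check=True)
    return cmd

def process_alerts(lines, threshold=THRESHOLD, dry_run=True, log_path=None):
    """Count failed logins per source IP and block each IP once, at threshold.
    Returns the blocked IPs in the order they were blocked."""
    counts, blocked = Counter(), []
    for line in lines:
        ip = source_ip(line)
        if ip is None or ip in blocked:
            continue
        counts[ip] += 1
        if counts[ip] >= threshold:
            block_ip(ip, dry_run=dry_run)
            blocked.append(ip)
            if log_path:  # e.g. BLOCK_LOG when running as root
                with open(log_path, "a") as fh:
                    fh.write(f"{datetime.now().isoformat()} blocked {ip} "
                             f"after {counts[ip]} failed logins\n")
    return blocked

# Constructed sample alert_fast lines (not real Snort output) for a dry run.
SAMPLE_ALERTS = [
    '10/20-14:33:%02d.000000 [**] [1:1000001:1] "SMTP failed login" [**] '
    '[Priority: 3] {TCP} 192.0.2.50:4%04d -> 192.0.2.10:25' % (i, i)
    for i in range(6)
] + [
    '10/20-14:34:00.000000 [**] [1:1000001:1] "SMTP failed login" [**] '
    '[Priority: 3] {TCP} 198.51.100.7:50000 -> 192.0.2.10:25',
    '10/20-14:34:01.000000 [**] [1:2000001:1] "Unrelated HTTP probe" [**] '
    '[Priority: 3] {TCP} 198.51.100.7:50001 -> 192.0.2.10:80',
]

if __name__ == "__main__":
    print(process_alerts(SAMPLE_ALERTS))  # dry run: ['192.0.2.50']
```

Only the address with five or more failed-login alerts is blocked; the single attempt from 198.51.100.7 stays below the threshold and the HTTP alert is ignored because it does not carry the failed-login message.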

How to Run the Project

1. Run the Blocking Script

To get started with monitoring and blocking suspicious IPs, follow these steps:

  1. Setup Logging:

    • The script will create and maintain a log file at /var/log/snort/Failed_Login.txt to store blocking activities. Ensure you have the necessary permissions to create and write to this file.
  2. Run the Blocking Script:

    sudo python3 snort3_auto_block.py
    • This command starts monitoring Snort3 logs for failed login attempts and will block any IP that exceeds a specified number of failed attempts.
  3. Verify the Blocking:

    • To check if an IP has been blocked, view the current rules in iptables:
      sudo iptables -L

2. Run the Brute Force Simulation Script

Now let's test how well our blocking mechanism works:

  1. Set Up Your SMTP Server:

    • Ensure you have an SMTP server running on your network since the brute_force.py script will attempt to log in using usernames and passwords provided in text files.
  2. Prepare Username and Password Files:

    • Create a usernames.txt file containing usernames you want to test.
    • Create a passwords.txt file listing passwords for login attempts.
  3. Run the Brute-Force Simulation:

    python3 brute_force.py
    • This script will attempt to log into your SMTP server using the usernames and passwords from your files. If it successfully logs in, it will print out the correct password; if not, it will continue trying.

Integration Steps

To run your blocking script as a service, follow these integration steps:

  1. Navigate to Systemd Directory:

    cd /etc/systemd/system
  2. Create a New Service File:

    • Create a new service file named according to its functionality (for example, "FailedLoginAttempt"):
      sudo nano your_file_name.service
  3. Add Content to Your Service File:

    [Unit]
    Description=Failed Login Attempt Monitoring Service
    After=snort3.service
    Requires=snort3.service
    
    [Service]
    Type=simple
    ExecStart=/usr/bin/env python3 /path/to/your_script.py
    ExecStop=/bin/kill -TERM $MAINPID
    
    [Install]
    WantedBy=multi-user.target

    Note: Replace /path/to/your_script.py with the actual path to your snort3_auto_block.py script.

  4. Reload Systemd Daemon: After saving your service file, reload systemd to recognize your new service:

    sudo systemctl daemon-reload
  5. Enable the Service: To ensure that your service starts automatically on boot, enable it:

    sudo systemctl enable your_file_name.service
  6. Start Your Service: Finally, start your service with:

    sudo systemctl start your_file_name.service
  7. Check Service Status: To verify that your service is running correctly, use:

    sudo systemctl status your_file_name.service

By following these steps, your snort3_auto_block.py script will run as a systemd service, automatically monitoring for failed login attempts and blocking suspicious IP addresses as defined in your code.

Testing the Integration

To ensure everything is working as expected:

  1. Simulate Brute Force Attacks:

    • Run the brute_force.py script again to simulate brute-force attempts on your SMTP server using different passwords from your passwords.txt file.
  2. Monitor Blocking Script:

    • The snort3_auto_block.py script should detect any failed login attempts and block any suspicious IPs after reaching the defined threshold.
  3. Verify Blocked IPs:

    • Use this command again to check if any IPs have been blocked:
      sudo iptables -L

Technologies Used

  • Snort3: A powerful Network Intrusion Detection System (NIDS) used for detecting suspicious activities.
  • Python 3: The programming language used for scripting automation tasks.
  • iptables: A firewall utility that blocks suspicious IP addresses based on failed login attempts.
  • SMTP Server: The target server for simulating brute-force attack scenarios in this project.