Quick Start Guide for using Sourcefire Snort on Amazon EC2

2.16.2010

About Sourcefire Snort for Amazon EC2
  Sourcefire Snort for Amazon EC2 Image Architecture
Starting and Configuring an Initial Sourcefire Snort AMI for Amazon EC2
  Storing the Configured Endpoint Protection AMI for Amazon EC2
  Maintaining Endpoint Protection AMIs for Amazon EC2
Additional Resources
  Snort Website and community
  Additional Applications

About Sourcefire Snort for Amazon EC2

Sourcefire Snort is now available for Amazon Elastic Compute Cloud (EC2) users. Amazon Web Services (AWS) account holders can subscribe to a Sourcefire Snort Amazon Machine Image (AMI) for EC2 to protect their cloud. This document assumes that you are already familiar with Amazon EC2 and that you have followed the process described in the Amazon EC2 Getting Started Guide. You should also be familiar with Snort and its different components. The following documents provide additional information for using Amazon EC2 and Sourcefire Snort for Amazon EC2:

• Amazon Elastic Compute Cloud User Guide
• Amazon EC2 Getting Started Guide
• VTun Configuration
• Snort BASE

Sourcefire Snort for Amazon EC2 Image Architecture

The Sourcefire Snort EC2 Image contains the following installed applications:

• Snort 2.5.8
• PHP-5
• PHP-Pear
• BASE-1.4.4
• VTun-3.0.1
• MySQL
• Apache2 Webserver
• Certified Snort Rules, automatically updated
• Oinkmaster
• Daemonlogger

This document assumes that you are already familiar with Snort and IDS as well as the supporting applications mentioned above. The Snort website provides detailed documentation about the supporting applications that will help you set up and maintain your Sourcefire Snort for Amazon EC2 deployment.

The Amazon EC2 cloud does not give the IDS image visibility into the network it needs to monitor: there is no span port or tap to plug the sensor into. To solve this, additional applications were installed on the Sourcefire Snort for Amazon EC2 image. You also need to install these applications on the client AMIs you want to monitor, so that each client can copy its own traffic to your IDS image. The following applications are needed:

• VTun-3.0.1
• Daemonlogger

VTun is the easiest way to create virtual tunnels over TCP/IP networks. It supports various tunnel types and provides many useful features:
- Encryption
- Compression
- Traffic shaping

VTun is easily and highly configurable. It can be used for various network tasks:
- VPN
- Mobile IP
- etc.

On a Linux based AMI, the easiest way to obtain VTun is the yum or apt-get command, depending on your Linux distribution.

Daemonlogger is a libpcap-based program. It has two runtime modes:
- It sniffs packets and spools them straight to disk, and can daemonize itself for background packet logging. By default the file rolls over when 1 GB of data is logged.
- It sniffs packets and rewrites them to a second interface, essentially acting as a soft tap. It can also do this in daemon mode.

These two runtime modes are mutually exclusive: if the program is placed in tap mode (using the -I switch), logging to disk is disabled.

The Sourcefire Snort for Amazon EC2 deployment uses Daemonlogger as a soft tap. On each client AMI it sniffs packets and rewrites them to a second interface, and VTun tunnels that traffic to your Sourcefire Snort for Amazon EC2 image. Two points to check when you set this up: the tap must not mirror the tunnel's own packets back into the tunnel (filter the VTun flow to the sensor out of the capture on the client, otherwise every mirrored frame is mirrored again), and the VTun port on the sensor should be reachable only from the client AMIs, because the tunnel carries a copy of everything those clients send and receive.

Requirements for installing Daemonlogger:
- A recent version of libpcap.
- A recent version of libdnet.

You can install both required libraries using yum or apt-get, depending on your Linux distribution. You will need to compile and install Daemonlogger from source. To obtain the source code, use the following link: http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html

Compiling and installing Daemonlogger from source is very simple. Follow the instructions in the README file within the Daemonlogger directory.
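The client-side tap described above, written out as an added example; it is not from the original guide or from Sourcefire. The POSIX shell script below generates the VTun client configuration for an Ethernet-level (tap) tunnel to the sensor and the Daemonlogger tap command line, filtering the tunnel's own UDP flow out of the mirror so the sensor does not receive its own tunnel traffic again. The sensor address, port, interface names, session name and shared secret are placeholders, and the daemonlogger flags (-i input interface, -I output interface for tap mode, -d daemonize, trailing BPF filter) and the vtund.conf keywords are assumed from the tools' documentation as remembered here, so confirm them with daemonlogger -h and man vtund.conf on your build. Nothing is started unless RUN_TAP=1, and the run part needs root.

```shell
#!/bin/sh
# Added example: client-side soft tap that mirrors this instance's traffic
# to the Sourcefire Snort sensor over a VTun "ether" tunnel.
# Placeholders (override via the environment):
SENSOR_IP="${SENSOR_IP:-10.0.0.10}"   # assumed private IP of the Snort sensor
VTUN_PORT="${VTUN_PORT:-5000}"        # vtund listen port on the sensor (vtund's default)
MON_IF="${MON_IF:-eth0}"              # interface whose traffic is mirrored
TAP_IF="${TAP_IF:-tap0}"              # tap device vtund creates for the tunnel
SESSION="${SESSION:-snorttap}"        # vtund session name, same on both ends
VTUN_SECRET="${VTUN_SECRET:-change-me}"  # shared secret, placeholder only

# BPF filter for the capture side of the tap. Daemonlogger reads MON_IF, and
# vtund sends the mirrored frames out of MON_IF too; without this exclusion
# the tunnel packets would themselves be mirrored, forming a feedback loop.
# $1 = sensor address, $2 = tunnel port.
tap_filter() {
    printf 'not (udp port %s and host %s)' "$2" "$1"
}

# Daemonlogger command line for tap mode, returned as a string so it can be
# reviewed before it is run. $1 = input if, $2 = output if, $3 = sensor, $4 = port.
daemonlogger_tap_cmd() {
    printf 'daemonlogger -d -i %s -I %s %s' "$1" "$2" "$(tap_filter "$3" "$4")"
}

# Client vtund.conf for an Ethernet-level tunnel. The sensor runs "vtund -s"
# with the same session block and points Snort at its own tap device.
# "encrypt yes" is VTun's own cipher; do not rely on it alone, restrict the
# tunnel port in the sensor's security group to the client instances.
# $1 = session, $2 = tap device, $3 = port, $4 = shared secret.
vtund_client_conf() {
    cat <<EOF
options {
  port $3;
  timeout 60;
  ifconfig /sbin/ifconfig;
}

$1 {
  passwd $4;
  type ether;
  proto udp;
  encrypt yes;
  keepalive yes;
  device $2;
  up   { ifconfig "%% up"; };
  down { ifconfig "%% down"; };
}
EOF
}

if [ "${RUN_TAP:-0}" = 1 ]; then
    vtund_client_conf "$SESSION" "$TAP_IF" "$VTUN_PORT" "$VTUN_SECRET" > /etc/vtund.conf
    chmod 600 /etc/vtund.conf                 # the shared secret is in it
    vtund "$SESSION" "$SENSOR_IP"             # client mode: vtund <session> <server>
    sleep 2                                   # give vtund time to bring TAP_IF up
    daemonlogger -d -i "$MON_IF" -I "$TAP_IF" "$(tap_filter "$SENSOR_IP" "$VTUN_PORT")"
fi
```

On the sensor, the matching session block goes into its vtund.conf, vtund runs as the server (vtund -s), and Snort is started on the sensor's tap device rather than on eth0, so that it sees the mirrored client traffic. The filter only needs to exclude the tunnel flow; anything else the client sends or receives on the monitored interface is copied.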

Starting and Configuring an Initial Sourcefire Snort AMI for Amazon EC2

Before you start, you must obtain a license (a subscription to the Sourcefire Snort AMI) from Amazon Web Services for your account: https://aws-portal.amazon.com/gp/aws/user/subscription/index.html?offeringCode=3955FE73

To configure an initial Sourcefire Snort AMI for Amazon EC2:

1. Navigate your browser to http://aws.amazon.com, and under the Developers tab, click on AWS Management Console.

2. At the AWS Management Console, click Sign in to the AWS Console, and enter your AWS username and password. The Amazon EC2 Console Dashboard appears.

3. Before launching an instance, create a new key-pair if one does not already exist by clicking on the Key-Pairs button under the Navigation tab.

4. Click on Create Key Pair, and provide a new key-pair name in the Create Key Pair pop-up window, and then click Create.

5. Click on AMIs under the Navigation tab, and look for the Sourcefire AMI, using the Instance-Store Images from the Viewing Tab.

6. Select the AMI, and click Launch.

7. In the pop-up window, enter the number of instances (1 preferred), and select the key-pair that was created from the drop-down box. Add or change a security group if required, as described in step 8.

8. Click the Create button in the Launch Instance Wizard window, to the right of the Security Groups drop-down menu, to create a new security group.

You can change an existing security group, but changing an existing security group needs to be done prior to clicking on the Launch button. Whichever group you use, keep it narrow: SSH and the BASE web console served by Apache should be reachable only from your administrative addresses, and the VTun port only from the client AMIs whose traffic you mirror. For more information about security groups, see the Amazon Elastic Compute Cloud User Guide at: http://awsdocs.s3.amazonaws.com/EC2/latest/ec2-ug.pdf.

9. Click Launch to start the Amazon EC2 instance.

10. Click on the Instances button under the Navigation tab.

11. Identify the instance that was started using your key-pair, and wait for the Status column to turn to running. This should take a couple of minutes.

12. Once the instance is running, select the instance, and then copy the Public DNS.

13. Run the ssh command, or PuTTY from a Windows machine.

14. Paste the Public DNS obtained from step 12 in the host (Computer) field, and click Connect.

15. At the AWS Management Console, click Instance Actions, and then click Get Certificate for the file to include on your ssh command. What ssh -i expects is the private key (.pem) of the key pair selected at launch; keep it readable only by you (chmod 400), since OpenSSH ignores a private key file that is group or world readable.

16. From the command prompt run ssh -i <your_key_pair.pem> <user>@<Public DNS> to log in to your instance, where <user> is the login account documented for the AMI.
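Steps 3 to 16 done with the AWS CLI, as an added example that is not part of the original guide (which predates the CLI): the script creates the key pair, a security group that admits SSH and the BASE console only from your administrative CIDR and the VTun port only from the client instances' security group, launches one instance of the AMI, waits for it to run, and prints the ssh command. The AMI id, instance type, CIDR, client group id, BASE port and login user are placeholders (assumptions to be replaced), and a guard refuses a world-open administrative CIDR. Nothing talks to AWS unless RUN_LAUNCH=1.

```shell
#!/bin/sh
# Added example (not from the original guide): console steps 3-16 with the
# AWS CLI, plus a least-privilege security group for the sensor.
# Placeholders / assumptions, override via the environment:
AMI_ID="${AMI_ID:-ami-00000000}"               # id of the Sourcefire Snort AMI from the AMIs list
INSTANCE_TYPE="${INSTANCE_TYPE:-m1.small}"     # must be a type the instance-store AMI supports
KEY_NAME="${KEY_NAME:-snort-sensor}"
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.10/32}"    # where you administer from (TEST-NET-3 placeholder)
CLIENT_SG="${CLIENT_SG:-sg-0123456789abcdef0}" # security group of the client AMIs running the tap
VTUN_PORT="${VTUN_PORT:-5000}"                 # vtund listen port on the sensor (vtund's default)
BASE_PORT="${BASE_PORT:-80}"                   # assumed port of the BASE console served by Apache
SSH_USER="${SSH_USER:-root}"                   # assumed; use the login user the AMI documents

# Guard: never open SSH or the BASE console to the whole Internet.
# Returns 0 for a restricted prefix, 1 for an empty or world-open one.
cidr_is_restricted() {
    case "$1" in
        ""|*/0) return 1 ;;   # 0.0.0.0/0, ::/0 and any other /0 prefix
    esac
    return 0
}

# Ingress rules the sensor needs and nothing more: ssh and BASE from the
# administrative prefix, the VTun tunnel only from the client security group.
authorize_sensor_ingress() {
    sg_id=$1
    aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
        --protocol tcp --port 22 --cidr "$ADMIN_CIDR"
    aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
        --protocol tcp --port "$BASE_PORT" --cidr "$ADMIN_CIDR"
    aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
        --protocol udp --port "$VTUN_PORT" --source-group "$CLIENT_SG"
}

launch_sensor() {
    cidr_is_restricted "$ADMIN_CIDR" || {
        echo "refusing to expose SSH and BASE to $ADMIN_CIDR" >&2
        return 1
    }

    # Steps 3-4: key pair. The private key is returned once; store it read-only for you.
    aws ec2 create-key-pair --key-name "$KEY_NAME" \
        --query KeyMaterial --output text > "$KEY_NAME.pem"
    chmod 400 "$KEY_NAME.pem"

    # Step 8: a dedicated security group for the sensor.
    sg_id=$(aws ec2 create-security-group --group-name snort-sensor \
        --description "Sourcefire Snort sensor" --query GroupId --output text)
    authorize_sensor_ingress "$sg_id"

    # Steps 5-9: launch one instance of the AMI with that key pair and group.
    instance_id=$(aws ec2 run-instances --image-id "$AMI_ID" \
        --instance-type "$INSTANCE_TYPE" --key-name "$KEY_NAME" \
        --security-group-ids "$sg_id" --count 1 \
        --query 'Instances[0].InstanceId' --output text)

    # Steps 10-12: wait for "running" and fetch the public DNS name.
    aws ec2 wait instance-running --instance-ids "$instance_id"
    public_dns=$(aws ec2 describe-instances --instance-ids "$instance_id" \
        --query 'Reservations[0].Instances[0].PublicDnsName' --output text)

    # Steps 13-16: the ssh command line, using the key pair's private key.
    echo "ssh -i $KEY_NAME.pem $SSH_USER@$public_dns"
}

if [ "${RUN_LAUNCH:-0}" = 1 ]; then
    launch_sensor
fi
```

The --source-group rule is what keeps the tunnel private: only instances in the client security group can send to the sensor's VTun port, so the mirrored traffic cannot be read from, or injected into, any other address.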

Storing the Configured Endpoint Protection AMI for Amazon EC2

When you bundle a running instance, Amazon EC2 creates an AMI based on the instance and stores it in Amazon's Simple Storage Service (S3). You must store your instance in S3 or risk losing your configuration if you terminate the running instance prior to saving it. The bundle contains the whole root file system, so anything left on it (SSH keys in home directories, the MySQL and BASE passwords, your Oinkmaster configuration) is stored in the image as well; remove or rotate such material before bundling if the image will be shared. For more information about using Amazon S3, refer to the Amazon Simple Storage Service Getting Started Guide.

Maintaining Endpoint Protection AMIs for Amazon EC2

If you update a running instance, the changes are lost when the instance terminates, unless you have bundled the instance as described above.

Additional Resources

For additional resources and reference refer to the following links:

Snort Website and community
• http://www.snort.org
• http://www.snort.org/community

Additional Applications
• BASE for Snort: http://base.secureideas.net/
• Daemonlogger: http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html
• VTun Application: http://vtun.sourceforge.net/

