Intrusion detection in Apigee hybrid - Part 2

This series of 3 articles - co-authored with my colleague Nicola Cardace @ncardace  - discusses the usage of an Intrusion Detection System (IDS) with the Apigee hybrid runtime and Google Cloud Monitoring and Logging.

This is the second article, discussing the installation of the Snort IDS. Please refer to Part 1 if you missed it!

Install Open Source IDS (Snort)

At this step, please connect to your IDS VM using ssh to proceed to the Snort installation.

Installation of Snort on Ubuntu

The following chapter details the installation of Snort on Ubuntu.

Installing from the source

sudo apt-get update -y
sudo apt install -y gcc libpcre3-dev zlib1g-dev libluajit-5.1-dev \
libpcap-dev openssl libssl-dev libnghttp2-dev libdumbnet-dev \
bison flex libdnet autoconf libtool
mkdir ~/snort_src && cd ~/snort_src

Snort 2.9 introduces the DAQ, or Data Acquisition library, for packet I/O. The DAQ replaces direct calls to libpcap functions with an abstraction layer that facilitates operation on a variety of hardware and software interfaces without requiring changes to Snort. It is possible to select the DAQ type and mode when invoking Snort to perform pcap readback or inline operation, etc.

wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz
tar -xvzf daq-2.0.7.tar.gz
cd daq-2.0.7
autoreconf -f -i
./configure && make && sudo make install
cd ~/snort_src
wget https://www.snort.org/downloads/snort/snort-2.9.17.1.tar.gz
tar -xvzf snort-2.9.17.1.tar.gz
cd snort-2.9.17.1
./configure --enable-sourcefire && make && sudo make install

Configuring Snort to run in Network IDS (NIDS) mode

sudo ldconfig
sudo ln -s /usr/local/bin/snort /usr/sbin/snort

Setting up username and folder structure

sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort

sudo mkdir -p /etc/snort/rules
sudo mkdir /var/log/snort
sudo mkdir /usr/local/lib/snort_dynamicrules

sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules

sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules

sudo touch /etc/snort/rules/white_list.rules
sudo touch /etc/snort/rules/black_list.rules
sudo touch /etc/snort/rules/local.rules

sudo cp ~/snort_src/snort-2.9.17.1/etc/*.conf* /etc/snort
sudo cp ~/snort_src/snort-2.9.17.1/etc/*.map /etc/snort

Add local rules:

sudo vi /etc/snort/rules/local.rules

Here is an example of a local rule. Keep in mind that an alert rule is defined on one single line.

# $Id: local.rules,v 1.11 2004/07/23 20:15:44 bmc Exp $
# ----------------
# LOCAL RULES
# ----------------
# This file intentionally does not come with signatures.  Put your local
# additions here.

alert tcp $HOME_NET any -> [67.213.75.205] 443 (msg:"Feodo Tracker: potential Dridex CnC Traffic detected"; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; reference:url, feodotracker.abuse.ch/browse/host/67.213.75.205/; sid:900505001; rev:1;)

Above is an example of a Snort rule (file: local.rules) that triggers an alert if the destination of a target endpoint or a service callout uses the suspicious IP address 67.213.75.205.

It explicitly says that if a TCP connection is made from $HOME_NET (Apigee hybrid runtime pods) to 67.213.75.205 on port 443, an alert will be generated by the IDS (Snort).

The following threshold is also set on the local rule:

threshold: type limit, track by_src, seconds 60, count 1;

It explicitly means that at most 1 alert per minute (60 seconds) is generated per source IP (Apigee hybrid "runtime" pods).

Basics of Snort rules can be found here.
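As an added example (not part of the original article), here is a small Python checker for a local.rules file: it parses each single-line rule into its header fields, options and threshold, and flags rules whose sid falls in the range Snort reserves for its own rule sets (local rules should use sids of 1,000,000 or more) or that reuse a sid. The sample rules are the ones shown in this article; the checker complements Snort's own configuration test (snort -T -c /etc/snort/snort.conf) rather than replacing it.

```python
import re
from collections import Counter

# Snort 2 rule header: action proto src sport direction dst dport, then "(options)"
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

def parse_rule(line):
    """Parse one single-line rule into header fields, an options dict and a threshold dict."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rule = m.groupdict()
    # Options are ';'-separated key:value pairs (simplification: a ';' inside msg is not handled)
    items = (i.strip().partition(':') for i in rule.pop('opts').split(';'))
    rule['opts'] = {k: v.strip() for k, _, v in items if k}
    if 'threshold' in rule['opts']:
        # "type limit, track by_src, seconds 60, count 1" -> {'type': 'limit', 'track': 'by_src', ...}
        rule['threshold'] = dict(p.split() for p in rule['opts']['threshold'].split(','))
    return rule

def lint_rules(text):
    """Return (line_number, problem) findings for the body of a local.rules file."""
    findings, sids = [], Counter()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        rule = parse_rule(line)
        if rule is None:
            findings.append((lineno, 'unparseable rule: a rule must fit on one line'))
            continue
        sid = rule['opts'].get('sid', '')
        if not sid.isdigit():
            findings.append((lineno, 'missing or non-numeric sid'))
            continue
        sids[int(sid)] += 1
        if int(sid) < 1000000:  # sids below 1,000,000 are reserved for Snort-distributed rule sets
            findings.append((lineno, f'sid {int(sid)} is in the reserved range; local rules should use sids >= 1000000'))
    findings += [(0, f'sid {s} used {n} times') for s, n in sids.items() if n > 1]
    return findings

# Constructed sample: the two kinds of rule shown in this article
SAMPLE_RULES = """# LOCAL RULES
alert tcp $HOME_NET any -> [67.213.75.205] 443 (msg:"Feodo Tracker: potential Dridex CnC Traffic detected"; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; reference:url, feodotracker.abuse.ch/browse/host/67.213.75.205/; sid:900505001; rev:1;)
alert tcp $HOME_NET any -> [18.235.124.214] 443 (msg:"Testing a simple Snort rule"; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:000000001; rev:1;)
"""
```

Running lint_rules(SAMPLE_RULES) reports the test rule's sid 1 as reserved while the Feodo Tracker rule passes.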

Snort Configuration

At this step, we need to configure Snort. For this, please edit the Snort configuration file:

sudo vi /etc/snort/snort.conf

Make sure that variables HOME_NET and EXTERNAL_NET are defined in snort.conf:

  • HOME_NET is a list of the IP ranges used by your Apigee hybrid runtime (ingress and Message Processor pods)
  • EXTERNAL_NET can be set to any

Here is a screenshot of a Snort configuration, providing an example of how these 2 variables can be set (cf. lines 45 and 48):

[Screenshot: snort.conf with the HOME_NET and EXTERNAL_NET variables set]

You also need to specify the custom local rules that you want to include in your Snort configuration.

For this, go to the "Step #7" of your Snort configuration file and include your local rules (file: local.rules), as shown on the following picture:

[Screenshot: Step #7 of snort.conf including local.rules]

Testing the Apigee hybrid & IDS solution

The Apigee hybrid and  IDS solution can be easily tested.

For this you can create an API proxy that contains a service callout policy or a target endpoint. In this case, the URL of the service callout (or target endpoint) uses a hostname or IP address that is considered a security-sensitive destination.

As an example, identify IP addresses of httpbin.org or example.com. We will consider these IP addresses as suspicious destinations.

Modify the local.rules file in order to integrate these IP addresses.

Here is an example:

alert tcp $HOME_NET any -> [18.235.124.214] 443 (msg:"Testing a simple Snort rule"; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:000000001; rev:1;)
alert tcp $HOME_NET any -> [52.201.75.114] 443 (msg:"Testing a simple Snort rule"; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:000000002; rev:1;)

NB: in this example, 18.235.124.214 and 52.201.75.114 are IP addresses of httpbin.org (there may be others...)

From now on, each time one of these 2 IP addresses is used as a target destination on an Apigee hybrid runtime, an alert will be triggered by Snort. Let's test it!

API Proxy Configuration

Here we create a simple API proxy in pass-through mode. The target endpoint of this API proxy is:

https://httpbin.org/get

Remember that in our test we consider httpbin.org as a suspicious destination...

[Screenshot: API proxy with target endpoint https://httpbin.org/get]

Verify the target endpoint, as shown on the following picture:

[Screenshot: target endpoint configuration of the API proxy]

Starting Snort

You can start your Snort IDS in console mode, using the following command:

sudo snort -A console -i ens4 -u snort -g snort -c /etc/snort/snort.conf

The output of the command is provided on the following picture:

[Screenshot: Snort console output at startup]

At this step, all the API traffic of the Apigee hybrid runtime is mirrored to the Snort IDS Virtual Machine (VM) and scanned by Snort on the ens4 interface. Please refer to Part 1 in case you want to learn and discover the implementation details of the solution.

Let's call the "simple API", using the following cURL command:

export RUNTIME_IP=<YOUR_APIGEE_HYBRID_RUNTIME_INGRESS_IP>
export RUNTIME_HOST_ALIAS=<YOUR_APIGEE_HYBRID_RUNTIME_HOST_ALIAS>
curl -k https://$RUNTIME_HOST_ALIAS/simple/v1 -i --resolve "$RUNTIME_HOST_ALIAS:443:$RUNTIME_IP"

You should receive an HTTP 200 response, as the following one:

HTTP/2 200 
date: Tue, 27 Jul 2021 11:44:21 GMT
...
{
"args": {},
"headers": {
"Accept": "*/*",
"Host": "httpbin.org",
...
}

On the Snort IDS console, you should see a message like this one:

07/27-11:44:21.479674 [**] [1:2:1] Testing a simple Snort rule [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.130.0.3:55202 -> 52.201.75.114:443

You can see that the suspicious call has been detected by Snort, which has triggered an alert we can see in the console.
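As an added example (not part of the original article), the following Python parses lines of the console output shown above into structured fields and aggregates alerts per destination, which is the kind of record the logging agent of the next article would ship. The second alert line and the non-alert line are constructed, and the pattern assumes TCP/UDP over IPv4 as in this setup.

```python
import re

# One line of "snort -A console" output (TCP/UDP over IPv4, as in this article);
# the Classification part is absent for rules without a classtype, so it is optional here
ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] '
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] '
    r'(?:\[Classification: (?P<classification>[^\]]*)\] )?'
    r'\[Priority: (?P<priority>\d+)\] \{(?P<proto>\w+)\} '
    r'(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$')

def parse_alert(line):
    """Turn one console alert line into a dict; None if the line is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    # Numeric fields as ints; ports stay None for protocols without ports (e.g. ICMP)
    for key in ('gid', 'sid', 'rev', 'priority', 'sport', 'dport'):
        alert[key] = int(alert[key]) if alert[key] is not None else None
    # Note: the console timestamp carries no year, so a shipper must add one itself
    return alert

def summarize(lines):
    """Aggregate alerts per destination: count, set of source (pod) IPs and triggering sids."""
    summary = {}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # startup banner, statistics and other non-alert console output
        entry = summary.setdefault(alert['dst'], {'count': 0, 'sources': set(), 'sids': set()})
        entry['count'] += 1
        entry['sources'].add(alert['src'])
        entry['sids'].add(alert['sid'])
    return summary

# Constructed sample console output: the alert line shown in this article plus a
# constructed non-alert line and a constructed second alert for the other httpbin.org IP
SAMPLE_CONSOLE = [
    'Commencing packet processing (pid=12345)',
    '07/27-11:44:21.479674 [**] [1:2:1] Testing a simple Snort rule [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.130.0.3:55202 -> 52.201.75.114:443',
    '07/27-11:46:02.103311 [**] [1:1:1] Testing a simple Snort rule [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.130.0.3:55310 -> 18.235.124.214:443',
]
```

summarize(SAMPLE_CONSOLE) yields one entry per suspicious destination, each with the runtime pod IP 10.130.0.3 as the only source.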

In the next article of the series, we install a logging agent (fluentd) on the IDS Virtual Machine (VM) in order to push logs from the IDS VM to Cloud Logging.

Finally, we create an alerting policy on Google Cloud Monitoring in order to see alerts directly on the Google Cloud console.

Comments

thiagoscodeler

@joel_gauci Can you please share the link for part 3?

Last update: 07-27-2021 04:54 AM