Quick Start Guide for using Sourcefire Snort on Amazon EC2
2.16.2010

Contents
• About Sourcefire Snort for Amazon EC2
• Sourcefire Snort for Amazon EC2 Image Architecture
• Additional Applications
• Starting and Configuring an Initial Sourcefire Snort AMI for Amazon EC2
• Storing the Configured Endpoint Protection AMI for Amazon EC2
• Maintaining Endpoint Protection AMIs for Amazon EC2
• Additional Resources

About Sourcefire Snort for Amazon EC2

Sourcefire Snort is now available for Amazon Elastic Compute Cloud (EC2) users. Amazon Web Services (AWS) account holders can subscribe to a Sourcefire Snort Amazon Machine Image (AMI) for EC2 to protect their cloud.

This document assumes that you are already familiar with Amazon EC2 and that you have followed the process described in the Amazon EC2 Getting Started Guide. You should also be familiar with Snort and its different components.

The following documents provide additional information for using Amazon EC2 and Sourcefire Snort for Amazon EC2:
• Amazon Elastic Compute Cloud User Guide
• Amazon EC2 Getting Started Guide
• VTun Configuration
• Snort
• BASE

Sourcefire Snort for Amazon EC2 Image Architecture

The Sourcefire Snort EC2 image contains the following installed applications:
• Snort 2.5.4
• VTun-3.1
• MySQL
• Apache2 web server
• PHP-5
• PHP-Pear
• BASE-1.x
• Certified Snort Rules, automatically updated
• Oinkmaster
• Daemonlogger

The Snort website provides detailed documentation about the supporting applications that will help you set up and maintain your Sourcefire Snort for Amazon EC2 deployment. This document assumes that you are already familiar with Snort and intrusion detection as well as the supporting applications listed above.

The Amazon EC2 cloud does not give the IDS image visibility into the network it needs to monitor: there is no span port or promiscuous-mode view of other instances' traffic, so a Snort instance cannot passively sniff the rest of your cloud. To solve this challenge, additional applications were installed on the Sourcefire Snort for Amazon EC2 image. The image uses Daemonlogger as a soft tap: on each client AMI you want to monitor, Daemonlogger sniffs packets and rewrites them to a second interface, and VTun tunnels the traffic from that interface to your Sourcefire Snort for Amazon EC2 image. You need to install those applications on each client AMI in order to allow your IDS image to protect your cloud. The following applications are needed on the client AMI:
• VTun-3.1
• Daemonlogger

Additional Applications

VTun is the easiest way to create virtual tunnels over TCP/IP networks. It supports various tunnel types and provides many useful features:
• Encryption
• Compression
• Traffic shaping
It can be used for various network tasks, such as VPN and Mobile IP, and is easily and highly configurable. On a Linux-based AMI, the easiest way to obtain VTun is the yum or apt-get command, depending on your Linux distribution.

Daemonlogger is a libpcap-based program. It has two runtime modes:
• It sniffs packets and spools them straight to disk, and can daemonize itself for background packet logging. By default the log file rolls over when 1 GB of data has been logged.
• It sniffs packets and rewrites them to a second interface, essentially acting as a soft tap. It can also do this in daemon mode.
These two runtime modes are mutually exclusive: if the program is placed in tap mode (using the -I switch), logging to disk is disabled.

Requirements for installing Daemonlogger:
• A recent version of libpcap
• A recent version of libdnet
You can install both required libraries with yum or apt-get, depending on your Linux distribution. Daemonlogger itself must be compiled and installed from source. To obtain the source code, use the following link: http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html. Compiling and installing Daemonlogger from source is very simple; follow the instructions in the README file within the Daemonlogger directory.
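The following script is an added example, not part of the Sourcefire guide or of the Daemonlogger or VTun projects. It wires one client AMI into the tap-and-tunnel design described above: Daemonlogger runs in tap mode (-I) and copies frames from the client's primary interface onto a VTun "ether" (tap) interface, and vtund carries that interface's frames to the Snort sensor over an encrypted TCP session. The interface names (eth0, tap0), the sensor address 10.0.0.10, the port 5000, the session name snorttap and the VTUN_SECRET variable are assumptions chosen for illustration. The one thing the guide does not say, and the reason the BPF filter exists, is that the tap copies everything the sniffed interface sees, including the VTun session that carries the copies; without the exclusion each mirrored frame is captured again and re-injected.

```shell
#!/bin/sh
# Added example; not part of the Sourcefire guide or the Daemonlogger/VTun
# projects. Wires one client AMI into the tap-and-tunnel design: Daemonlogger
# copies frames from the client's primary interface to a VTun "ether" (tap)
# interface, and vtund carries them to the Snort sensor.
# Interface names, addresses, port, session name and secret are assumptions.
set -u

SNIFF_IF="${SNIFF_IF:-eth0}"     # client interface to mirror (assumed name)
TAP_IF="${TAP_IF:-tap0}"         # tap interface VTun creates for the session (assumed)
SENSOR="${SENSOR:-10.0.0.10}"    # private address of the Snort sensor (assumed)
VTUN_PORT="${VTUN_PORT:-5000}"   # port vtund listens on at the sensor (assumed)

# BPF filter handed to Daemonlogger. The tap copies everything SNIFF_IF sees,
# including the VTun session that carries the copies to the sensor. Without
# this exclusion each mirrored frame is captured again and re-injected,
# looping until the tunnel saturates.
tap_filter() {
    printf 'not (host %s and tcp port %s)' "$1" "$2"
}

# Client-side vtund.conf for a layer-2 session. "type ether" makes VTun create
# a tap interface so whole Ethernet frames are carried; "encrypt yes" keeps
# the mirrored traffic confidential on the shared EC2 network. The sensor's
# vtund.conf holds the same session name and password and runs as "vtund -s".
write_client_vtund_conf() {
    vc_file=$1 vc_port=$2 vc_secret=$3
    cat > "$vc_file" <<EOF
options {
    port $vc_port;
    timeout 60;
    ifconfig /sbin/ifconfig;
}

default {
    type ether;
    proto tcp;
    encrypt yes;
    compress no;
    keepalive yes;
}

snorttap {
    passwd $vc_secret;
    up   { ifconfig "%% up"; };
    down { ifconfig "%% down"; };
}
EOF
}

# Daemonlogger command line for tap mode: -i sniff interface, -I output
# interface (this selects tap mode and disables logging to disk), -d run as
# a daemon; the trailing argument is the BPF filter.
daemonlogger_cmd() {
    printf "daemonlogger -i %s -I %s -d '%s'" "$1" "$2" "$(tap_filter "$3" "$4")"
}

# Bring the tunnel up first (vtund's up{} block creates TAP_IF), wait for the
# interface, then start the tap. Daemonlogger cannot open TAP_IF before it exists.
start_tap() {
    [ "$(id -u)" -eq 0 ] || { echo "start_tap: must run as root" >&2; return 1; }
    vtund snorttap "$SENSOR" || return 1
    st_tries=0
    while ! ip link show "$TAP_IF" >/dev/null 2>&1; do
        st_tries=$((st_tries + 1))
        [ "$st_tries" -lt 20 ] || { echo "start_tap: $TAP_IF never appeared" >&2; return 1; }
        sleep 1
    done
    st_cmd=$(daemonlogger_cmd "$SNIFF_IF" "$TAP_IF" "$SENSOR" "$VTUN_PORT")
    echo "start_tap: $st_cmd"
    eval "$st_cmd"
}

# Usage on the client AMI (as root): VTUN_SECRET=... sh tap.sh start
if [ "${1:-}" = "start" ]; then
    write_client_vtund_conf /etc/vtund.conf "$VTUN_PORT" "${VTUN_SECRET:?set VTUN_SECRET}"
    start_tap
fi
```

On the sensor side, the matching vtund.conf carries the same snorttap session (same password, type ether), vtund runs as the server (vtund -s), and Snort listens on the tap interface that the session brings up (for example snort -i tap0 -c /etc/snort/snort.conf; the path is an assumption). Two points a practitioner should check: allow the VTun port in the sensor's security group only from the client instances' security group, not from 0.0.0.0/0, and treat the VTun password as a real secret, since anyone who knows it can push arbitrary frames into the sensor and can also read the mirrored traffic.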
Starting and Configuring an Initial Sourcefire Snort AMI for Amazon EC2

Before you start, you must get a license from Amazon Web Services for your account: https://aws-portal.amazon.com/gp/aws/user/subscription/index.html?offeringCode=3955FE73

To configure an initial Endpoint Protection AMI for Amazon EC2:
1. Navigate your browser to http://aws.amazon.com and, under the Developers tab, click AWS Management Console.
2. At the AWS Management Console, click Sign in to the AWS Console and enter your AWS username and password. The Amazon EC2 Console Dashboard appears.
3. Before launching an instance, create a new key pair if one does not already exist by clicking the Key Pairs button under the Navigation tab.
4. Click Create Key Pair, provide a new key-pair name in the Create Key Pair popup window, and then click Create.
5. Click AMIs under the Navigation tab, select Instance-Store Images from the Viewing tab, and look for the Sourcefire AMI.
6. Select the AMI and click Launch.
7. In the pop-up window, enter the number of instances (1 preferred) and select the key pair you created from the drop-down box.
8. Click the Create button in the Launch Instance Wizard window, to the right of the Security Groups drop-down menu, to create a new security group. You can change an existing security group instead, but changing an existing security group needs to be done prior to clicking the Launch button. For more information about security groups, see the Amazon Elastic Compute Cloud User Guide at http://awsdocs.s3.amazonaws.com/EC2/latest/ec2-ug.pdf.
9. Add or change a security group if required, as described in step 8.
10. Click Launch to start the Amazon EC2 instance. This should take a couple of minutes.
11. Click the Instances button under the Navigation tab.
12. Identify the instance that was started with your key pair and wait for the Status column to change to running. Once the instance is running, select it and copy the Public DNS.
13. At the AWS Management Console, select the instance, click Instance Actions, and then click Connect.
14. Run the SSH command, or PuTTY from a Windows machine.
15. Paste the Public DNS obtained in step 12 in the Computer field, and then click Get Certificate to include it on your ssh command.
16. From the command prompt, run ssh -i <your_certificate.pem> to log in to your instance.

Storing the Configured Endpoint Protection AMI for Amazon EC2

When you bundle a running instance, Amazon EC2 creates an AMI based on the instance and stores it in Amazon's Simple Storage Service (S3). You must store your instance in S3 or risk losing it if you terminate the running instance prior to saving it. For more information about using Amazon S3, refer to the Amazon Simple Storage Service Getting Started Guide.
Maintaining Endpoint Protection AMIs for Amazon EC2

If you update a running instance, the changes are lost after the instance terminates, unless you have bundled the instance as described above.

Additional Resources

For additional resources and references, refer to the following links:

Snort website and community
• http://www.snort.org
• http://www.snort.org/community

Additional applications
• BASE for Snort: http://base.secureideas.net/
• VTun: http://vtun.sourceforge.net/
• Daemonlogger: http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html