Setting up SNORT on GCP

Overview:

An intrusion detection system (IDS) is a service that provides threat detection for intrusions, malware, spyware, and command-and-control attacks on your network. Generally an IDS is deployed as a bump-in-the-wire setup; however, setting one up in a cloud environment can be tricky, because there are many nuances to take care of when the network is not self-managed. GCP especially eases this by providing Cloud IDS, which is essentially an IDS running on a Google-managed instance that, in the backend, uses Palo Alto's threat detection service to detect network threats. In this post we will explore an alternative setup built on the same concept. Just like Cloud IDS, our setup works with a peered network and mirrored VMs: traffic in the peered network is mirrored and then inspected by Snort's threat detection technologies to provide advanced threat detection. You can mirror all traffic, or you can mirror filtered traffic based on protocol, IP address range, or ingress and egress. We can monitor north-south and east-west traffic, and even VM-to-VM communication, to detect lateral movement.

Setting up an IDS in your cloud to monitor crucial networks can also help you meet your advanced threat detection and compliance requirements, including PCI 11.4 and HIPAA.

Cloud IDS uses a resource known as an IDS endpoint: a zonal resource that can inspect traffic from any zone in its region. Each IDS endpoint receives mirrored traffic and performs threat detection analysis. We will also deploy an IDS endpoint, but instead of Palo Alto's threat detection running on the instances we will run Snort on them. A packet mirroring policy is configured to send a copy of your network traffic to these instances for analysis.

Architecture:



For our setup we have an OWASP Juice Shop instance running in us-central1 (zone a), connected to an external load balancer since it hosts a web application. For this setup we will only focus on the VPC network, which is the default network with the range 10.128.0.0/20. In the same zone we have an Ubuntu 18 instance with Snort installed on it. This instance is created solely for the purpose of monitoring the traffic, so it has only one adapter, and that adapter is set to promiscuous mode. Packet mirroring is performed through an internal L4 load balancer whose target is the Snort instance.


In order for this setup to work the following things need to be configured:


  1. VM instance with Snort installed on it

  2. Unmanaged instance group

  3. Internal L4 load balancer (backend config pointing to the unmanaged instance group)

  4. Packet mirroring policy (pointing to the internal L4 load balancer)



Step 1 VM Instance:



The external IP on the Snort VM is not necessary for this project; you can still keep it if in future you want to connect Snort to a Grafana dashboard sitting on an external source.



Step 2 Unmanaged instance group:


We can even have multiple instances of Snort (or any IDS you prefer) running simultaneously; you select them in the VMs portion. This lets you have several instances doing packet analysis without any one of them being overloaded. The internal load balancer that we attach to this instance group later in the setup takes care of load sharing between the instances.



Step 3 Internal L4 load balancer:


a.) Select ‘TCP Load Balancing’:


b.) Since we are using this load balancer to monitor internal traffic, set it to ‘Only between VMs’:


c.) In the backend config, select the instance group we created earlier:



d.) You can leave the frontend config at its defaults, but make sure you open the ‘Advanced Configurations’ drop-down: the most important step of this setup is the check box in it, ‘Enable this load balancer for packet mirroring’.

Note: If you do not enable this, the load balancer will not show up in the packet mirroring policy.


e.) Review and finalise:




Step 4 Packet mirroring policy:


a.) Set the name of the policy:



b.) Set the VPC network:

In our case the collector VM (the Snort instance) and the instances/network to monitor are in the same VPC network.



c.) Select the network to mirror:


d.) Select the collector destination:

Here we will select our previously created internal load balancer.


e.) Select the kind of traffic you want to monitor within the policy:
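The same four steps as gcloud commands, added here as an example and not taken from the original post. It assumes the Snort VM from step 1 already exists as "snort-vm" with network tag "snort-collector" in us-central1-a on the default VPC; every other resource name is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the gcloud equivalent of steps 1-4 above.
# Assumes the Snort VM from step 1 already exists as "snort-vm" (network tag "snort-collector")
# in us-central1-a on the default VPC (subnet "default", 10.128.0.0/20); other names are placeholders.
set -eu
ZONE="us-central1-a"; REGION="us-central1"; NETWORK="default"; SUBNET="default"
COLLECTOR_VM="snort-vm"; TAG="snort-collector"
IG="snort-ig"; HC="snort-hc"; BES="snort-bes"; FR="snort-ilb"; POLICY="mirror-to-snort"

# Step 2: unmanaged instance group holding the collector VM (add more VMs to share the load)
create_instance_group() {
  gcloud compute instance-groups unmanaged create "$IG" --zone="$ZONE"
  gcloud compute instance-groups unmanaged add-instances "$IG" --zone="$ZONE" --instances="$COLLECTOR_VM"
}

# Health-check probes come from Google's 35.191.0.0/16 and 130.211.0.0/22; mirrored packets keep
# their original headers, so the collector must also accept ingress from the mirrored range itself.
create_firewall_rules() {
  gcloud compute firewall-rules create allow-hc-to-collector --network="$NETWORK" --direction=INGRESS \
      --source-ranges=35.191.0.0/16,130.211.0.0/22 --target-tags="$TAG" --allow=tcp:22
  gcloud compute firewall-rules create allow-mirrored-to-collector --network="$NETWORK" \
      --direction=INGRESS --source-ranges=10.128.0.0/20 --target-tags="$TAG" --allow=all
}

# Step 3: internal TCP (L4) load balancer. --is-mirroring-collector is the CLI form of the
# 'Enable this load balancer for packet mirroring' check box.
create_collector_ilb() {
  gcloud compute health-checks create tcp "$HC" --port=22
  gcloud compute backend-services create "$BES" --load-balancing-scheme=internal --protocol=tcp \
      --region="$REGION" --health-checks="$HC"
  gcloud compute backend-services add-backend "$BES" --region="$REGION" \
      --instance-group="$IG" --instance-group-zone="$ZONE"
  gcloud compute forwarding-rules create "$FR" --region="$REGION" --load-balancing-scheme=internal \
      --network="$NETWORK" --subnet="$SUBNET" --ip-protocol=TCP --ports=ALL \
      --backend-service="$BES" --is-mirroring-collector
}

# Prints "True" only if the collector box was ticked; without it the policy cannot use this ILB
verify_collector_flag() {
  gcloud compute forwarding-rules describe "$FR" --region="$REGION" --format='value(isMirroringCollector)'
}

# Step 4: packet mirroring policy pointing at that forwarding rule, both directions, all three protocols
create_mirroring_policy() {
  gcloud compute packet-mirrorings create "$POLICY" --region="$REGION" --network="$NETWORK" \
      --collector-ilb="$FR" --mirrored-subnets="$SUBNET" --filter-protocols=tcp,udp,icmp --filter-direction=both
}

if [ "${1:-}" = "apply" ]; then
  create_instance_group; create_firewall_rules; create_collector_ilb; verify_collector_flag; create_mirroring_policy
fi
```

Run it as `./setup.sh apply` from an account that can create compute resources in the project; `verify_collector_flag` must print `True` before the policy step will accept the load balancer.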


Testing the Configurations


To test whether Snort can properly monitor the mirrored traffic and compare it against a preset rule base, we have fired up another instance that will send ICMP traffic to our Juice Shop instance. We will also create an internal test rule to monitor ICMP traffic from this test instance.


IP Config:

Snort VM: 10.128.0.4/20

Ping test instance: 10.128.0.8/20

Juice shop instance: 10.128.0.2/20



a.) Internal rule on Snort:



b.) Snort picking up the network traffic:
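The test rule and the Snort invocation for the ICMP check above, added as an example rather than taken from the post. It assumes Snort 2.9 from the Ubuntu 18 apt package (config at /etc/snort/snort.conf, which includes rules/local.rules) and that the collector's single NIC is named ens4.

```shell
#!/usr/bin/env bash
# Added example for the ICMP test above, not from the original post. Assumes Snort 2.9 from the
# Ubuntu 18 apt package (/etc/snort/snort.conf, which includes rules/local.rules) and that the
# collector's single NIC is ens4; override with IFACE=... if it differs.
set -eu
IFACE="${IFACE:-ens4}"
RULES="${RULES:-/etc/snort/rules/local.rules}"
TEST_SRC="10.128.0.8"   # ping test instance
JUICE="10.128.0.2"      # Juice Shop instance

# The internal test rule: alert on ICMP echo requests (itype 8) from the test instance to
# Juice Shop. sid 1000001 is in the range reserved for local rules; rev tracks edits to it.
test_rule() {
  printf 'alert icmp %s any -> %s any (msg:"ICMP echo from ping test instance to Juice Shop"; itype:8; sid:1000001; rev:1;)\n' \
      "$TEST_SRC" "$JUICE"
}

# Append the rule and let Snort validate the whole config (-T) before going live
install_rule() {
  test_rule | sudo tee -a "$RULES" >/dev/null
  sudo snort -T -c /etc/snort/snort.conf -i "$IFACE"
}

# Mirrored packets carry the original VM addresses, not the collector's, so the NIC must be
# promiscuous or the kernel drops them before Snort sees them. -A console prints alerts inline.
run_snort() {
  sudo ip link set "$IFACE" promisc on
  sudo snort -A console -q -c /etc/snort/snort.conf -i "$IFACE"
}

# From the ping test instance: ping -c 4 10.128.0.2  -> one alert line per echo request here
if [ "${1:-}" = "run" ]; then install_rule; run_snort; fi
```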



Final Thoughts:


For this setup we kept it pretty basic, but you can always extend it: for example, write a Cloud Function attached as a subscription to a topic that monitors network traffic on the mirrored policy; when traffic is seen, fire up an instance from an instance template, send the traffic to it for analysis, and then shut the instance down. However, for this you will need an external tool like Wazuh, or any other tool, to store the alerts from the IDS, since the instance would be volatile.

