Chapter 2. Automating Network Intrusion Detection and Prevention Systems (IDPS) with Ansible Automation Platform

Procedure

1. Call snort using sudo and ask for the version:

     $ sudo snort --version
   
      ,,_     -*> Snort! <*-
     o"  )~   Version 2.9.13 GRE (Build 15013)
     ""    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.32 2012-11-30
           Using ZLIB version: 1.2.7

   Copy to Clipboard Toggle word wrap

2. Verify that the service is actively running using the following command:

   sudo systemctl:

   $ sudo systemctl status snort
   ● snort.service - Snort service
      Loaded: loaded (/etc/systemd/system/snort.service; enabled; vendor preset: disabled)
      Active: active (running) since Mon 2019-08-26 17:06:10 UTC; 1s ago
     Main PID: 17217 (snort)
      CGroup: /system.slice/snort.service
              └─17217 /usr/sbin/snort -u root -g root -c /etc/snort/snort.conf -i eth0 -p -R 1 --pid-path=/var/run/snort --no-interface-pidfile --nolock-pidfile
   [...]

   Copy to Clipboard Toggle word wrap
3. If the Snort service is not actively running, restart it with systemctl restart snort and recheck the status.
4. When you confirm that the service is actively running, exit the Snort server by simultaneously pressing CTRL and D, or by typing exit on the command line. All further interaction will be done through Ansible Automation Platform from the Ansible control host.

Procedure

1. Install the ids_rule role using the ansible-galaxy command:

   $ ansible-galaxy install ansible_security.ids_rule

   Copy to Clipboard Toggle word wrap

2. Create a new playbook file titled add_snort_rule.yml. Set the following parameters:

   - name: Add Snort rule
     hosts: snort

   Copy to Clipboard Toggle word wrap

3. Add the become flag to ensure that Ansible handles privilege escalation.

   - name: Add Snort rule
     hosts: snort
     become: true

   Copy to Clipboard Toggle word wrap

4. Specify the name of your IDPS provider by adding the following variables:

   - name: Add Snort rule
     hosts: snort
     become: true
   
     vars:
       ids_provider: snort

   Copy to Clipboard Toggle word wrap

5. Add the following tasks and task-specific variables (e.g., rules, Snort rules file, and the state of the rule - present or absent) to the playbook:

   - name: Add Snort rule
     hosts: snort
     become: true
   
     vars:
       ids_provider: snort
   
     tasks:
       -  name: Add snort password attack rule
          include_role:
            name: "ansible_security.ids_rule"
          vars:
            ids_rule: 'alert tcp any any -> any any (msg:"Attempted /etc/passwd Attack"; uricontent:"/etc/passwd"; classtype:attempted-user; sid:99000004; priority:1; rev:1;)'
            ids_rules_file: '/etc/snort/rules/local.rules'
            ids_rule_state: present

   Copy to Clipboard Toggle word wrap

   Tasks are components that make changes on the target machine. Since you are using a role that defines these tasks, the include_role is the only entry you need.

   The ids_rules_file variable specifies a defined location for the local.rules file, while the ids_rule_state variable indicates that the rule should be created if it does not already exist.

6. Run the playbook by executing the following command:

   $ ansible-navigator run add_snort_rule.ym --mode stdout

   Copy to Clipboard Toggle word wrap

   Once you run the playbook, all of your tasks will be executed in addition to your newly created rules. Your playbook output will confirm your PLAY, TASK, RUNNING HANDLER, and PLAY RECAP.