What is Snort?

Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol, and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide and has become the de facto standard for IPS.

How to install Snort?

This question does not have such an easy answer...

1. Install dependencies

We open a console and start the game...

    sudo apt-get install nmap nbtscan apache2 php5 php5-mysql php5-gd libpcap0.8-dev libpcre3-dev g++ bison flex libpcap-ruby make autoconf libtool libnetfilter-queue-dev libdumbnet-dev iptables-dev libcrypt-ssleay-perl

We also install MySQL (we will be prompted for a root user password):

    sudo apt-get install mysql-server
    sudo apt-get install libmysqlclient-dev

Just in case, also run:

    sudo apt-get update
    sudo apt-get upgrade

2. Install JpGraph 1.27.1 and Snort Report

SnortReport needs JpGraph, so we install it:

    sudo wget http://hem.bredband.net/jpgraph/jpgraph-1.27.1.tar.gz
    sudo mkdir /var/www/jpgraph
    sudo tar zxvf jpgraph-1.27.1.tar.gz
    sudo cp -r jpgraph-1.27.1/src /var/www/jpgraph/

Now we install Snort Report. First we download it from http://www.symmetrixtech.com/ and unpack it:

    sudo tar zxvf snortreport-1.3.3.tar.gz -C /var/www/

Then we tell Snort Report the password for MySQL:

    sudo gedit /var/www/snortreport-1.3.3/srconf.php

and change $pass = "YOURPASS" to our own password and save the file.

3. Install Data Acquisition API (DAQ) and libdnet

This is needed by Snort from version 2.9.0 on.
We can download DAQ from http://www.snort.org/downloads/1806

    sudo tar zxvf daq-1.1.1.tar.gz
    cd daq-1.1.1
    sudo ./configure
    sudo make
    sudo make install

We also need to install libdnet in this fashion (do not use Synaptic):

    wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
    sudo tar zxvf libdnet-1.12.tgz
    cd libdnet-1.12/
    sudo ./configure
    sudo make
    sudo make install
    sudo ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1

Update the shared library path (as root, since /etc/ld.so.conf is root-owned):

    echo /usr/lib >> /etc/ld.so.conf
    echo /usr/local/lib >> /etc/ld.so.conf && ldconfig

4. Install Snort

We download the newest version from http://www.snort.org/snort-downloads

    sudo tar zxvf snort-2.9.3.tar.gz
    cd snort-2.9.3
    sudo ./configure --prefix=/usr/local/snort --enable-sourcefire
    sudo make
    sudo make install
    sudo mkdir /var/log/snort
    sudo mkdir /var/snort
    sudo groupadd snort
    sudo useradd -g snort snort
    sudo chown snort:snort /var/log/snort

Now we download the latest rules from http://www.snort.org/snort-downloads and:

    sudo tar zxvf snortrules-snapshot-2930.tar.gz -C /usr/local/snort
    sudo mkdir /usr/local/snort/lib/snort_dynamicrules
    sudo cp /usr/local/snort/so_rules/precompiled/Debian-6-0/x86-64/2.9.3.0/* /usr/local/snort/lib/snort_dynamicrules
    sudo touch /usr/local/snort/rules/white_list.rules
    sudo touch /usr/local/snort/rules/black_list.rules
    sudo ldconfig

5. snort.conf

First off, relatively new versions of Snort include support for IPv6, but if you are not using IPv6, or if you have not compiled Snort to use IPv6 (with the --enable-ipv6 configure option), you need to change all the "ipvar" declarations to "var". Go through the lines in Step #1 of snort.conf (the network variables) and change them all.
Then set the rule paths, the dynamic library directives and the output plugin as follows:

    var WHITE_LIST_PATH /usr/local/snort/rules
    var BLACK_LIST_PATH /usr/local/snort/rules
    var RULE_PATH /usr/local/snort/rules
    var SO_RULE_PATH /usr/local/snort/so_rules
    var PREPROC_RULE_PATH /usr/local/snort/preproc_rules
    dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
    dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
    dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules
    output unified2: filename snort.u2, limit 128

There are not very many settings in Step #8 of snort.conf (preprocessor and decoder alerts), so in general you just want to make sure that you uncomment any rules there that correspond to preprocessors you configured to load in Step #5. Uncomment the first three lines in Step #8.

6. Barnyard2

Barnyard2 allows Snort to hand off the database logging tasks and devote more processing resources to packet analysis and core intrusion detection, so from a performance standpoint unified2 output is preferred over direct database logging. Because Barnyard2 sits between Snort and MySQL, configuring it requires adjusting Snort's configuration to produce unified2 output, and Barnyard2's configuration so that it can pick up that output, parse it, and write it to MySQL.

    wget https://nodeload.github.com/firnsy/barnyard2/tarball/master -O barnyard2-2.10.tar.gz
    sudo tar zxvf barnyard2-2.10.tar.gz
    cd firnsy-barnyard2*
    sudo autoreconf -fvi -I ./m4
    sudo ./configure --with-mysql
    sudo make
    sudo make install
    sudo cp etc/barnyard2.conf /usr/local/snort/etc
    sudo mkdir /var/log/barnyard2
    sudo chmod 666 /var/log/barnyard2
    sudo touch /var/log/snort/barnyard2.waldo
    sudo chown snort.snort /var/log/snort/barnyard2.waldo

7. MySQL database

The next step is to set up the MySQL server.
Simply doing an "apt-get install" of programs such as Apache and MySQL on Debian installs and starts them, with the init scripts configured to start at boot time. Then get into the mysql command prompt:

    mysql -u root -p

and enter your password ("mypassword") to get the prompt. Create the snort database:

    mysql> create database snort;

Create the snort user and grant its privileges:

    mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;

Set the snort user password for the database:

    mysql> SET PASSWORD FOR snort@localhost=PASSWORD('mypassword');
    mysql> exit

Now we have to import the schema that comes with the Barnyard2 program (the file create_mysql inside the schemas folder) into the snort database:

    mysql -u root -p snort < create_mysql

Now you can log in to the MySQL server and look at the tables created:

    mysql -u root -p
    (enter your password again)
    mysql> use snort;
    mysql> show tables;

You should see the list of new tables you just imported. And finally:

    mysql> exit

Now a very important step that will speed up SnortReport. Take the file create_indexes.sql (located inside the SnortReport package) and run:

    mysql -u root -p -D snort < /var/www/snortreport-1.3.3/create_indexes.sql

Otherwise SnortReport becomes very slow as logged data increases.

8. barnyard2.conf

We edit the configuration file:

    sudo vi /usr/local/snort/etc/barnyard2.conf

and make the following changes:

    config logdir: /var/log/barnyard2
    config reference_file: /usr/local/snort/etc/reference.config
    config classification_file: /usr/local/snort/etc/classification.config
    config gen_file: /usr/local/snort/etc/gen-msg.map
    config sid_file: /usr/local/snort/etc/sid-msg.map
    config hostname: localhost
    config interface: eth0
    config waldo_file: /var/log/snort/barnyard2.waldo
    output database: log, mysql, user=snort password=YOURPASSWORD dbname=snort host=localhost

9. Testing Snort

Start Barnyard2 and Snort:

    sudo barnyard2 -c /usr/local/snort/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo
    sudo /usr/local/snort/bin/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0

After several hours, check the alarms by opening this page in a web browser: http://localhost/snortreport-1.3.3/alerts.php

10. PulledPork

Download it from http://code.google.com/p/pulledpork/

To use the Sourcefire VRT Certified Rules, go to snort.org, register for an account and get an "oinkcode"; this will allow you to download their Registered User rule set. You need to put the oinkcode at the beginning of pulledpork.conf.

About pulledpork.conf:

    Comment out lines 20 and 24
    Line 56: change to: rule_path=/usr/local/snort/rules/snort.rules
    Line 64: change to: rule_path=/usr/local/snort/rules/local.rules
    Line 67: change to: sid_msg=/usr/local/snort/etc/sid-msg.map
    Line 90: change to: config_path=/usr/local/snort/etc/snort.conf
    Line 101: change to: distro=Lucid-Lynx
    Line 133: Uncomment and change to: snort_version=2.9.3.0 (*)
    Line 137: Uncomment and change to: /usr/local/snort/etc/enablesid.conf
    Line 139: Uncomment and change to: /usr/local/snort/etc/disablesid.conf
    Line 140: Uncomment and change to: /usr/local/snort/etc/modifysid.conf

(*) Another possibility is to write the version directly in the script.

Choose "security" or "balanced" for the set of rules to download.

Now, disable all block (fwsam) rules:

    echo pcre:fwsam >> /usr/local/snort/etc/disablesid.conf

Fix an apparent typo in the modifysid.conf file:

    sudo gedit /usr/local/snort/etc/modifysid.conf

and change the last line to:

    302,429,1821 "$EXTERNAL_NET" "$HOME_NET"

We install the new rules with:

    sudo /usr/local/snort/bin/pulledpork.pl -c /usr/local/snort/etc/pulledpork.conf -T -l

Edit snort.conf and add the new rules file, snort.rules.

11. Some cleaning up

Some cleaning up may be good!

    rm -rf /var/log/snort/* /var/log/barnyard2/*

To clean up (erase!) the Snort database:

    echo "drop database snort" | mysql --user=user --password=password

and then you can configure a new one again, following the steps described previously.

12. Generating basic alerts

If we simply wish to watch ICMP, TCP and UDP traffic, we just add the following rules to the file local.rules:

    alert icmp any any -> any any (msg:"ICMP Testing Rule"; sid:9000001;)
    alert tcp any any -> any 80 (msg:"TCP Testing Rule"; sid:9000002;)
    alert udp any any -> any any (msg:"UDP Testing Rule"; sid:9000003;)

If you want to look for stealth port scans/sweeps:

    alert tcp any any -> $HOME_NET any (msg:"SYN FIN Scan"; flags: SF; sid:9000004;)
    alert tcp any any -> $HOME_NET any (msg:"FIN Scan"; flags: F; sid:9000005;)
    alert tcp any any -> $HOME_NET any (msg:"NULL Scan"; flags: 0; sid:9000006;)
    alert tcp any any -> $HOME_NET any (msg:"XMAS Scan"; flags: FPU; sid:9000007;)
    alert tcp any any -> $HOME_NET any (msg:"Full XMAS Scan"; flags: SRAFPU; sid:9000008;)
    alert tcp any any -> $HOME_NET any (msg:"URG Scan"; flags: U; sid:9000009;)
    alert tcp any any -> $HOME_NET any (msg:"URG FIN Scan"; flags: FU; sid:9000010;)
    alert tcp any any -> $HOME_NET any (msg:"PUSH FIN Scan"; flags: FP; sid:9000011;)
    alert tcp any any -> $HOME_NET any (msg:"URG PUSH Scan"; flags: PU; sid:9000012;)
    alert tcp any any -> any any (flags: SF,12; msg: "Possible SYN FIN scan"; sid:9000013;)
    alert tcp any any -> $HOME_NET any (flags: A; ack: 0; msg:"NMAP TCP ping!"; sid:9000014;)

And this one to detect outgoing 403 responses:

    alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES 403 Forbidden"; flow:from_server, established; content:"HTTP/1.1 403"; depth:12; classtype:attempted-recon; sid:1201; rev:7;)

A convenient rule to detect that we are under attack (a directory listing being served):

    alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES http dir listing"; content: "Volume Serial Number"; flow:from_server,established; classtype:bad-unknown; sid:1292; rev:4;)

Good luck!!!
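As an added example (not part of the original post), the following Python script evaluates the `flags:` option used by the scan rules in section 12 against a few constructed TCP flag bytes. It shows why rule 9000013 adds the `,12` mask: a host that negotiates ECN sets the two reserved bits, so a bare `flags: SF` rule does not match a SYN/FIN probe carrying them, while `flags: SF,12` does. The parser follows the Snort manual's `flags:[!|*|+]<FSRPAU120>[,<FSRPAU12>]` syntax; the sample packets and the function names are mine.

```python
# Flag letters as in the Snort manual: F S R P A U, 1 = reserved bit 1
# (CWR, the MSB of the flags byte), 2 = reserved bit 2 (ECE), 0 = no flags.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}

def parse_flags_option(option):
    """Parse e.g. 'flags: SF,12;' into (modifier, wanted_bits, ignore_bits).

    modifier: '' exact match, '+' wanted plus any others, '*' any of wanted,
    '!' none of wanted. Bits listed after the comma are masked out of the
    packet before comparing (this is how a rule ignores the ECN bits).
    """
    value = option.split(":", 1)[1].strip().rstrip(";").strip()
    flags_part, _, mask_part = value.partition(",")
    modifier, wanted, ignore = "", 0, 0
    for ch in flags_part:
        if ch in "+*!":            # Snort accepts the modifier anywhere
            modifier = ch
        elif ch in FLAG_BITS:
            wanted |= FLAG_BITS[ch]
        elif ch not in "0 ":       # '0' means no flags; spaces are padding
            raise ValueError("unknown flag character %r" % ch)
    for ch in mask_part.strip():
        ignore |= FLAG_BITS[ch]
    return modifier, wanted, ignore

def flags_match(option, tcp_flags):
    """True if a packet with this TCP flags byte satisfies the option."""
    modifier, wanted, ignore = parse_flags_option(option)
    seen = tcp_flags & 0xFF & ~ignore
    if modifier == "+":
        return (seen & wanted) == wanted
    if modifier == "*":
        return (seen & wanted) != 0
    if modifier == "!":
        return (seen & wanted) == 0
    return seen == wanted

# Constructed sample packets: (label, TCP flags byte).
SAMPLES = [
    ("plain SYN", 0x02),
    ("SYN/FIN", 0x03),
    ("SYN/FIN with ECN bits (CWR+ECE) set", 0xC3),
    ("XMAS FIN/PSH/URG", 0x29),
    ("NULL (no flags)", 0x00),
]

def matching_samples(option):
    """Labels of the constructed samples that the given flags option hits."""
    return [label for label, bits in SAMPLES if flags_match(option, bits)]
```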