EN:Snort/Installation
Prerequisites
Update repositories
To ensure up-to-date versions of your LAMP installation, it is recommended to add the dotdeb repositories.
Edit your /etc/apt/sources.list file and add the following lines:
- For Squeeze:
deb http://packages.dotdeb.org stable all
deb-src http://packages.dotdeb.org stable all
- For Lenny:
deb http://packages.dotdeb.org oldstable all
deb-src http://packages.dotdeb.org oldstable all
Add the key:
$ cd /usr/local/src/
$ wget http://www.dotdeb.org/dotdeb.gpg
$ cat dotdeb.gpg | sudo apt-key add -
And update:
# apt-get update
Needed packages
# apt-get -y install libwww-perl libnet1 libnet1-dev libpcre3 \
  libpcre3-dev autoconf libcrypt-ssleay-perl libtool libssl-dev \
  build-essential automake gcc make flex bison
LAMP environment
Install Apache, PHP and MySQL:
# apt-get -y install apache2 libapache2-mod-php5 mysql-server mysql-common \
  mysql-client php5-mysql libmysqlclient-dev php5-gd php-pear \
  libphp-adodb php5-cli
libpcap
$ cd /data/src/
$ wget http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz
$ tar xzvf libpcap-1.1.1.tar.gz
$ cd libpcap-1.1.1/
$ ./configure --prefix=/usr --enable-shared
$ make
# make install
libdnet
$ cd /data/src/
$ wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
$ tar xzvf libdnet-1.12.tgz
$ cd libdnet-1.12/
$ ./configure --prefix=/usr --enable-shared
$ make
# make install
DAQ
DAQ is the Data Acquisition API required by Snort.
$ cd /data/src/
$ wget http://www.snort.org/dl/snort-current/daq-0.6.2.tar.gz
$ tar xzvf daq-0.6.2.tar.gz
$ cd daq-0.6.2/
$ ./configure
[...truncated...]
Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes
$ make
# make install
Installation of Snort
First download the latest version of Snort:
$ cd /data/src/
$ wget http://www.snort.org/dl/snort-current/snort-2.9.1.2.tar.gz
Uncompress and install:
$ tar xzvf snort-2.9.1.2.tar.gz
$ cd snort-2.9.1.2/
$ ./configure \
  --with-mysql \
  --enable-dynamicplugin \
  --enable-sourcefire \
  --enable-gre \
  --enable-ipv6 \
  --enable-zlib
$ make
# make install
Create a dedicated user and group:
# groupadd snort
# useradd -g snort snort
Then create the Snort directories and give them appropriate permissions:
# mkdir -p /usr/local/etc/snort/rules/
# mkdir /var/log/snort/
# mkdir /var/log/barnyard2/
# mkdir /usr/local/lib/snort_dynamicrules/
# chown snort:snort /var/log/snort/ /var/log/barnyard2/
Configuration
Configuration of Snort
Configuration files
Create configuration files:
# cp /data/src/snort-2.9.1.2/etc/{*.conf*,*.map} /usr/local/etc/snort/
Then apply a basic configuration:
# vim /usr/local/etc/snort/snort.conf
Section 1: network variables
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var CONF_PATH /usr/local/etc/snort
var LIB_PATH /usr/local/lib
var RULE_PATH $CONF_PATH/rules
var SO_RULE_PATH $CONF_PATH/so_rules
Section 4: Configure dynamic loaded libraries
Uncomment the following lines:
dynamicpreprocessor directory $LIB_PATH/snort_dynamicpreprocessor
dynamicengine $LIB_PATH/snort_dynamicengine/libsf_engine.so
dynamicdetection directory $LIB_PATH/snort_dynamicrules
Section 6: Output plugins
Uncomment the following line:
output log_unified2: filename snort.log, limit 128
Section 8: preprocessors
Ensure the preprocessors are active by uncommenting the following lines:
# decoder and preprocessor event rules
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules
Download rules
Rules Managers
It is recommended to install rules via PulledPork, which simplifies the installation of VRT and SO rules.
Rule managers automate the import of rules. For more information, please refer to these pages:
- Pulledpork (recommended by Snort)
- Oinkmaster
Manually installing rules
Manual download of VRT::Snort rules
Snort is based on rules. To be able to download rules, you must first create an account (https://www.snort.org/signup) to get a valid oinkcode.
Once logged in, go to the rules page (https://www.snort.org/snort-rules/?#rules) and download snortrules-snapshot-2904.tar.gz from the Registered User Release section.
Then uncompress it in a temporary directory (say /tmp) and copy the rules to your Snort directory:
# tar xzvf snortrules-snapshot-2904.tar.gz -C /tmp/
# mv /tmp/*rules /usr/local/etc/snort/
Manual download of EmergingThreats rules
First download and copy the rules to the Snort rules directory:
$ cd /data/src/
$ wget http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz
$ tar xzvf emerging.rules.tar.gz
$ cp rules/*.rules /usr/local/etc/snort/rules/
For Snort to process these rules, copy the emerging configuration file to the Snort configuration directory (/usr/local/etc/snort/) and include it in Snort's configuration file:
$ cp rules/emerging.conf /usr/local/etc/snort/
$ vim /usr/local/etc/snort/snort.conf
Include the emerging.conf file at the end of section #7:
###################################################
# Step #7: Customize your rule set
# For more information, see Snort Manual, Writing Snort Rules
#
# NOTE: All categories are enabled in this conf file
###################################################
# site specific rules
include $RULE_PATH/local.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/bad-traffic.rules
[...TRUNCATED...]
include $RULE_PATH/web-php.rules
include $RULE_PATH/x11.rules
include emerging.conf
###################################################
# Step #8: Customize your preprocessor and decoder alerts
# For more information, see README.decoder_preproc_rules
###################################################
Also uncomment all necessary rules in emerging.conf.
Errors and warnings with rules
In case of duplicates, Snort keeps the rule with the highest revision:
/etc/snort/./rules/emerging-sql.rules(1029) GID 1 SID 688 duplicates previous rule. Using higher revision.
If two rules share the same GID/SID but use different protocols, Snort stops:
ERROR: /etc/snort/./rules/emerging-netbios.rules(227) GID 1 SID 3159 in rule duplicates previous rule, with different protocol.
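The two situations above are only reported once Snort is started. The following pre-flight check, an added example written for this page (not part of Snort or PulledPork), walks the rule files in include order and flags duplicate GID/SID pairs before startup, distinguishing the harmless revision duplicate from the protocol conflict that makes Snort refuse to start; the sample rule files it builds are constructed for the demonstration.

```shell
# Print one "gid sid proto file:line" record per active (uncommented) rule.
list_rule_ids() {
  awk '
    /^[ \t]*(alert|log|pass|drop|reject|sdrop)[ \t]/ {
      proto = $2; gid = 1; sid = ""          # GID defaults to 1 when absent
      if (match($0, /gid:[ \t]*[0-9]+/)) gid = substr($0, RSTART + 4, RLENGTH - 4) + 0
      if (match($0, /sid:[ \t]*[0-9]+/)) sid = substr($0, RSTART + 4, RLENGTH - 4) + 0
      if (sid != "") printf "%d %d %s %s:%d\n", gid, sid, proto, FILENAME, FNR
    }' "$@"
}
# Report duplicate GID/SID pairs in include order. Exit 1 when two rules share an ID
# but differ in protocol (Snort would refuse to start), 0 when they only differ in revision.
check_dup_sids() {
  list_rule_ids "$@" | awk '
    {
      key = $1 ":" $2
      if (!(key in proto)) { proto[key] = $3; where[key] = $4; next }
      if (proto[key] != $3) {
        printf "ERROR: %s (%s) and %s (%s): GID %s SID %s with different protocol\n", $4, $3, where[key], proto[key], $1, $2
        fatal = 1
      } else {
        printf "WARN: %s duplicates %s (GID %s SID %s); Snort keeps the higher revision\n", $4, where[key], $1, $2
      }
    }
    END { if (fatal) exit 1; exit 0 }'
}
# Constructed sample rule files (not real rule sets) reproducing both cases.
make_sample_rules() {
  d=$(mktemp -d)
  cat > "$d/local.rules" <<'EOF'
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS sample"; sid:3159; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"SQL sample"; sid:688; rev:2;)
EOF
  cat > "$d/emerging-sample.rules" <<'EOF'
# comments and disabled rules are ignored
#alert udp any any -> any 53 (msg:"disabled"; sid:999;)
alert udp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS dup"; sid:3159; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"SQL dup"; sid:688; rev:3;)
EOF
  echo "$d"
}
dir=$(make_sample_rules)
check_dup_sids "$dir/local.rules" "$dir/emerging-sample.rules" || echo "fix the conflicting rules before starting Snort"
```

Run it against the real files in the order snort.conf includes them (for example $RULE_PATH/*.rules followed by the files listed in emerging.conf).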
Tests
Create a basic rule to test that the Snort engine works:
# vim /usr/local/etc/snort/rules/local.rules
And paste this rule:
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001;)
Start Snort:
# /usr/local/bin/snort \
  -A console -q \
  -u snort -g snort \
  -c /usr/local/etc/snort/snort.conf \
  -i eth0
You can check that Snort has successfully started with one of these two commands:
$ grep "Initialization Complete" /var/log/syslog
Mar 11 08:21:49 snort snort[2607]: --== Initialization Complete ==--
$ ps aux | grep snort
snort 2795 1.8 56.3 180780 144476 ? Ssl 08:45 0:27 /usr/local/bin/snort -A full -Dq -u snort -g snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort/ -i eth0
root 2948 0.0 0.3 3148 772 pts/0 S+ 09:10 0:00 grep snort
Check that Snort works by pinging the probe from another computer:
$ ping -c 1 192.168.100.36
On the console, you should see lines such as:
03/10-19:22:26.012239 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 192.168.100.37 -> 192.168.100.36
03/10-19:22:26.013172 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 192.168.100.36 -> 192.168.100.37
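Console output in this fast-alert format becomes hard to read as soon as more than a handful of rules fire. The helpers below are an added example written for this page (not Snort's own tooling): snort_fast_to_tsv parses each line into its timestamp, GID/SID/revision, message, priority, protocol and endpoints, and alert_summary counts alerts per signature and source for quick triage. The sample input is constructed from the two lines above plus two made-up alerts and one unrelated syslog line.

```shell
# stdin: "-A console" lines; stdout: ts, gid, sid, rev, msg, priority, proto, src, dst (tab-separated)
snort_fast_to_tsv() {
  awk '
    {
      n = split($0, p, / \[\*\*\] /)
      if (n < 3) next                         # not a fast-alert line, skip it
      if (!match(p[2], /^\[[0-9]+:[0-9]+:[0-9]+\] /)) next
      split(substr(p[2], 2, RLENGTH - 3), id, ":")   # "gid:sid:rev" inside the brackets
      msg = substr(p[2], RLENGTH + 1)
      pri = ""; if (match(p[3], /\[Priority: [0-9]+\]/)) pri = substr(p[3], RSTART + 11, RLENGTH - 12)
      proto = ""; if (match(p[3], /[{][A-Za-z0-9-]+[}]/)) proto = substr(p[3], RSTART + 1, RLENGTH - 2)
      m = split(p[3], w, " ")                 # "... src -> dst" are the last three words
      printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", p[1], id[1], id[2], id[3], msg, pri, proto, w[m-2], w[m]
    }'
}
# Count alerts per (sid, msg, src), most frequent first.
alert_summary() {
  snort_fast_to_tsv | awk -F'\t' '{ c[$3 "\t" $5 "\t" $8]++ } END { for (k in c) printf "%d\t%s\n", c[k], k }' | sort -rn
}
# Constructed sample (the two page lines, two made-up alerts, one non-alert syslog line).
sample_alerts() {
  cat <<'EOF'
03/10-19:22:26.012239 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 192.168.100.37 -> 192.168.100.36
03/10-19:22:26.013172 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 192.168.100.36 -> 192.168.100.37
03/10-19:22:27.015400 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 192.168.100.37 -> 192.168.100.36
03/10-19:23:01.442110 [**] [1:1000002:1] Constructed TCP sample [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:4444 -> 192.168.100.36:80
Mar 11 08:21:49 snort snort[2607]: --== Initialization Complete ==--
EOF
}
sample_alerts | alert_summary
```

On a live sensor, pipe the console output (or a saved copy of it) into alert_summary instead of sample_alerts.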
Configuration of MySQL
Database creation
In this section, we create a database to store the events.
First connect to MySQL:
$ mysql -u root -p
Then create a user, a database, and give appropriate privileges:
mysql> CREATE USER snort@localhost IDENTIFIED BY 'snort_password';
mysql> CREATE DATABASE snort;
mysql> GRANT ALL PRIVILEGES ON snort.* TO snort@localhost;
Once done, quit MySQL:
mysql> \q
Import structure
We now create the structure (tables and data) from a script provided with the installation package.
$ mysql -u snort -p snort < /data/src/snort-2.9.0.4/schemas/create_mysql
When prompted, enter the password defined in the previous step for the "snort" user ("snort_password").
Installation of Barnyard2
Refer to this page.
Install Snort as IPS
$ /usr/local/bin/snort \
  -D \
  -daq afpacket \
  -Q \
  -c /usr/local/snort/etc/snort.conf \
  -i eth0:eth2
Thank you for your understanding.