snort_large (1)

Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS) that has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching, and content matching. The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface, buffer overflow, server message block probes, and stealth port scans.

Snort can be configured in three main modes: sniffer, packet logger, and network intrusion detection. In sniffer mode, the program will read network packets and display them on the console. In packet logger mode, the program will log packets to the disk. In intrusion detection mode, the program will monitor network traffic and analyze it against a rule set defined by the user.

 

 

#yum install libdnet libdnet-devel pcre pcre-devel gcc make flex byacc bison kernel-devel libxml2-devel wget -y


 

#mkdir /usr/local/snort
#cd /usr/local/snort
#wget http://www.tcpdump.org/release/libpcap-1.3.0.tar.gz -O libpcap.tar.gz
#tar zxvf libpcap.tar.gz
#cd libpcap-1.3.0
#./configure && make && make install


 

#echo "/usr/local/lib" >> /etc/ld.so.conf
#ldconfig -v

 

 

#cd /usr/local/snort
#wget http://www.snort.org/dl/snort-current/daq-2.0.0.tar.gz -O daq.tar.gz
#tar zxvf daq.tar.gz
#cd daq-2.0.0
#./configure && make && make install
#ldconfig -v

 


 

#groupadd snort
#useradd -g snort snort

 

 

Installing Snort

 

#cd /usr/local/snort
#wget http://www.snort.org/dl/snort-current/snort-2.9.4.6.tar.gz -O snort.tar.gz
#tar zxvf snort.tar.gz
#cd snort-2.9.4.6
#./configure --prefix /usr/local/snort --enable-sourcefire && make && make install

 


 

Create links for Snort files

#ln -s /usr/local/snort/bin/snort /usr/sbin/snort
#ln -s /usr/local/snort/etc /etc/snort

 

 

Configure the Snort startup script to run at boot

#cp rpm/snortd /etc/init.d/
#chmod +x /etc/init.d/snortd
#cp rpm/snort.sysconfig /etc/sysconfig/snort
#chkconfig --add snortd


 

 

Delete the following lines from the Snort startup file

#vi /etc/init.d/snortd

# check if more than one interface is given
if [ `echo $INTERFACE|wc -w` -gt 2 ]; then

else
 # Run with a single interface (default)
 daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST $BPFFILE $BPF
fi

 

 

 


 

 

Comment out the following variables in /etc/sysconfig/snort and add a trailing / to the LOGDIR variable

#vi /etc/sysconfig/snort

LOGDIR=/var/log/snort/

#ALERTMODE=fast

#BINARY_LOG=1

 


 

 

 

Download Snort rules files from http://www.snort.org/snort-rules to

 

#/usr/local/snort

You have to register on the site in order to get the free registered-user rules, or you can pay and get the most up-to-date rules as a "Subscriber user".

 

 

 

Extract the rules file in the newly created directory

#cd /usr/local/snort
#tar zxvf /usr/local/src/snort/snortrules-snapshot-2940.tar_3.gz

 

 

Create the directory for Snort logging

#mkdir -p /usr/local/snort/var/log
#chown snort:snort /usr/local/snort/var/log
#ln -s /usr/local/snort/var/log /var/log/snort

 

 

Create links for dynamic rules files and directories

#ln -s /usr/local/snort/lib/snort_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
#ln -s /usr/local/snort/lib/snort_dynamicengine /usr/local/lib/snort_dynamicengine
#ln -s /usr/local/snort/lib/snort_dynamicrules /usr/local/lib/snort_dynamicrules

 

Set Snort file permissions

#chown -R snort:snort /usr/local/snort

 


 

 

Comment out or delete all reputation preprocessor configuration lines from snort.conf and configure the output plugin

#vi /usr/local/snort/etc/snort.conf

#preprocessor reputation: \
#   memcap 500, \
#   priority whitelist, \
#   nested_ip inner, \
#    whitelist $WHITE_LIST_PATH/white_list.rules, \
#   blacklist $BLACK_LIST_PATH/black_list.rules

output unified2: filename snort.log, limit 128

 


 

Create the dynamic rules directory

#mkdir /usr/local/snort/lib/snort_dynamicrules

 

 

Copy the precompiled dynamic rules files

#cp /usr/local/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.4.0/*so /usr/local/snort/lib/snort_dynamicrules/

 

 

Dump the stub rules

#snort -c /usr/local/snort/etc/snort.conf --dump-dynamic-rules=/usr/local/snort/so_rules


 

Enable the Snort dynamic rules configuration at the end of the snort.conf file

#vi /usr/local/snort/etc/snort.conf

# dynamic library rules
include $SO_RULE_PATH/bad-traffic.rules
include $SO_RULE_PATH/chat.rules
include $SO_RULE_PATH/dos.rules
include $SO_RULE_PATH/exploit.rules
include $SO_RULE_PATH/icmp.rules
include $SO_RULE_PATH/imap.rules
include $SO_RULE_PATH/misc.rules
include $SO_RULE_PATH/multimedia.rules
include $SO_RULE_PATH/netbios.rules
include $SO_RULE_PATH/nntp.rules
include $SO_RULE_PATH/p2p.rules
include $SO_RULE_PATH/smtp.rules
include $SO_RULE_PATH/snmp.rules
include $SO_RULE_PATH/specific-threats.rules
include $SO_RULE_PATH/web-activex.rules
include $SO_RULE_PATH/web-client.rules
include $SO_RULE_PATH/web-iis.rules
include $SO_RULE_PATH/web-misc.rules

 

 

Test the Snort configuration

#snort -c /usr/local/snort/etc/snort.conf -T

Snort automatic rules updating with PulledPork

PulledPork is a rule manager for Snort. It helps automate the process of downloading and installing/updating your VRT Snort rules, SharedObject rules, or Emerging Threats rules.

#yum install perl-Crypt-SSLeay perl-libwww-perl perl-Archive-Tar -y

 

 

Installing PulledPork

Download and extract PulledPork

#cd /usr/local/snort
#wget http://pulledpork.googlecode.com/files/pulledpork-0.6.1.tar.gz -O pulledpork.tar.gz
#cd /usr/local/snort
#tar zxvf pulledpork.tar.gz
#mv pulledpork-0.6.1 pulledpork

 


Generate an Oinkcode on the Snort web site

  • If you are not already registered on the Snort web site, do it now at https://www.snort.org/signup
  • Log in to the Snort web site
  • Go to the Snort home page and click on "Get Snort Oinkcode" at the bottom, in the "Snort Links" section
  • Click Generate Code and copy your new Oinkcode
  • Change the following in the PulledPork configuration file

 

 

#vi /usr/local/snort/pulledpork/etc/pulledpork.conf

rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<paste your Oinkcode here>
# get the rule docs!
#rule_url=https://www.snort.org/reg-rules/|opensource.gz|
#rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
# THE FOLLOWING URL is for etpro downloads, note the tarball name change!
# and the et oinkcode requirement!
#rule_url=https://rules.emergingthreats.net/|etpro.rules.tar.gz|

rule_path=/usr/local/snort/etc/rules/snort.rules

local_rules=/usr/local/snort/etc/rules/local.rules
# Where should I put the sid-msg.map file?
sid_msg=/usr/local/snort/etc/sid-msg.map

# Path to the snort binary, we need this to generate the stub files
snort_path=/usr/local/snort/bin/snort
# We need to know where your snort.conf file lives so that we can
# generate the stub files
config_path=/usr/local/snort/etc/snort.conf
# This is the file that contains all of the shared object rules that pulledpork
# has processed, note that this has changed as of 0.4.0 just like the rules_path!
sostub_path=/usr/local/snort/etc/rules/so_rules.rules

distro=RHEL-6-0

pid_path=/var/run/snort_eth0.pid

 

 


 

 

Change the RULE_PATH variable in the Snort configuration file

#vi /usr/local/snort/etc/snort.conf

var RULE_PATH /usr/local/snort/etc/rules

 

 

 

Remove all existing rule include lines from snort.conf

#sed -i '/^include $RULE_PATH/d' /usr/local/snort/etc/snort.conf

 

 

Add the following include lines to the Snort configuration file

#echo "include \$RULE_PATH/snort.rules" >> /usr/local/snort/etc/snort.conf
#echo "include \$RULE_PATH/local.rules" >> /usr/local/snort/etc/snort.conf
#echo "include \$RULE_PATH/so_rules.rules" >> /usr/local/snort/etc/snort.conf

 

 

Create the rules directory

#mkdir /usr/local/snort/etc/rules

 

 

Create your local rules file

#cp /usr/local/snort/rules/local.rules /usr/local/snort/etc/rules/

 

 

If you don't have a local rules file, create an empty one

#touch /usr/local/snort/etc/rules/local.rules

 

Run PulledPork for the first time

#/usr/local/snort/pulledpork/pulledpork.pl -c /usr/local/snort/pulledpork/etc/pulledpork.conf

 

 


 

 

 

Schedule PulledPork to run every day. Add the following line to the end of the crontab file

#vi /etc/crontab

0 0 * * * root /usr/local/snort/pulledpork/pulledpork.pl -c /usr/local/snort/pulledpork/etc/pulledpork.conf


 

 

PulledPork installation completed. From now on PulledPork will run every day and update your rules files from the Snort site.

 

 

Installing Barnyard2

Barnyard2 is an open source interpreter for Snort unified2 binary output files. Its primary use is allowing Snort to write to disk in an efficient manner and leaving the task of parsing binary data into various formats to a separate process that will not cause Snort to miss network traffic.

Install MySQL

#yum install mysql mysql-devel git libtool -y

 

 

Download Barnyard2 and run autogen

#cd /usr/local/src/snort
#git clone https://github.com/firnsy/barnyard2.git barnyard2
#cd barnyard2
#./autogen.sh

 

 

Configure Barnyard

#./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql

Install Barnyard

#make && make install

 

 

 

Configure the Barnyard2 start script to run at boot

#cp rpm/barnyard2 /etc/init.d/
#chmod +x /etc/init.d/barnyard2
#cp rpm/barnyard2.config /etc/sysconfig/barnyard2
#chkconfig --add barnyard2

 

 

Create links for the Barnyard2 files and create the archive directory

#ln -s /usr/local/etc/barnyard2.conf /etc/snort/barnyard.conf
#ln -s /usr/local/bin/barnyard2 /usr/bin/
#mkdir /var/log/snort/eth0/archive/

 


 

Change the Barnyard2 chkconfig start/stop priorities and change -L to -l on the "BARNYARD_OPTS=" line in the barnyard2 startup script

#vi /etc/init.d/barnyard2

chkconfig: 2345 70 60

BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR/${INT} -w $WALDO_FILE -l $SNORTDIR/${INT} -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"

 

 

#chkconfig barnyard2 reset

Edit the LOG_FILE variable in the Barnyard2 sysconfig file

#vi /etc/sysconfig/barnyard2

LOG_FILE="snort.log"

 


 

 

Start Snort and Barnyard2

#service snortd start
#service barnyard2 start


 

Barnyard2 installation completed. Now that we have a Snort server and Barnyard2 writing Snort logs, we can install a front-end application like BASE or Snorby to view and analyze Snort data in a convenient web application.

 

 

Installing Snorby

Snorby is a new and modern Snort IDS front-end. The fundamental concepts behind Snorby are simplicity and power. The project goal is to create a free, open source and highly competitive application for network monitoring for both private and enterprise use.

 

 

Install Apache and prerequisite packages

#yum install libyaml-devel httpd git ImageMagick ImageMagick-devel libxml2-devel libxslt-devel gcc-c++ curl-devel httpd-devel apr-devel apr-util-devel readline-devel -y

 

 

Download and install Ruby

#cd /usr/local/src/snort
#wget http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p327.tar.gz
#tar xvzf ruby-1.9.3-p327.tar.gz
#cd ruby-1.9.3-p327
#./configure && make && make install


 

Install the OpenSSL extension

#cd ext/openssl/
#ruby extconf.rb
#make && make install

 


 

Install gem dependencies

#gem install thor i18n bundler tzinfo builder memcache-client rack rack-test erubis mail rack-mount rails --no-rdoc --no-ri
#gem install rake --version=0.9.2 --no-rdoc --no-ri
#gem uninstall rake --version=0.9.2.2


 

Download and install wkhtmltopdf

#cd /usr/local/snort
#wget http://wkhtmltopdf.googlecode.com/files/wkhtmltopdf-0.9.9-static-amd64.tar.bz2
#tar jxvf wkhtmltopdf-0.9.9-static-amd64.tar.bz2
#mv wkhtmltopdf-amd64 /usr/local/bin/wkhtmltopdf
#chown root:root /usr/local/bin/wkhtmltopdf

 

 

Download and configure Snorby

#cd /var/www/html/
#git clone http://github.com/Snorby/snorby.git
#cd /var/www/html/snorby/config/
#cp database.yml.example database.yml
#cp snorby_config.yml.example snorby_config.yml
#chown -R apache:apache /var/www/html/snorby

Set the MySQL root password (replace the example value `bhuvi` below and in the following configuration files with your own strong password; note that a password given on the command line is visible in shell history and process listings)

#mysqladmin password bhuvi

Configure the Snorby database username and password

#vi database.yml

....
snorby: &snorb
  adapter: mysql
  username: root
  password: bhuvi
  host: localhost
...

 


Install Snorby

#cd /var/www/html/snorby
#bundle install --deployment
#rake snorby:setup

 

 

Configure Barnyard2 to output alerts to the Snorby database (this file will contain the database password in plain text, so keep its permissions restricted to the user Barnyard2 runs as)

#vi /etc/snort/barnyard.conf

...
output database: log, mysql, dbname=snorby user=root password=bhuvi host=localhost
...

 

 

Restart Barnyard2
#service barnyard2 stop
#service barnyard2 start

 

Install the Passenger module for Apache

#gem install passenger
#cd /usr/local/lib/ruby/gems/1.9.1/gems/passenger-4.0.5/bin
#./passenger-install-apache2-module

 


 

Configure and restart Apache

#vi /etc/httpd/conf/httpd.conf

...
LoadModule passenger_module /usr/local/lib/ruby/gems/1.9.1/gems/passenger-4.0.5/libout/apache2/mod_passenger.so
PassengerRoot /usr/local/lib/ruby/gems/1.9.1/gems/passenger-4.0.5
PassengerRuby /usr/local/bin/ruby

<VirtualHost *:80>
        ServerAdmin admin@sathish.com
        ServerName www.sathish.com
        DocumentRoot /var/www/html/snorby/public
        <Directory "/var/www/html/snorby/public">
                AllowOverride all
                Order deny,allow
                Allow from all
                Options -MultiViews
        </Directory>
</VirtualHost>

 


 

 

#service httpd restart

#cd /var/www/html/snorby
#rails server -e production -d


 

 

That's all. Now you can work with your new Snorby system to analyze Snort data.


 

Please visit http://www.snorby.org/ for more information about Snorby configuration and usage.