004. Snorby Installation on CentOS

Tested On

OS: CentOS 6.2 i386
Snort Version: 2.9.2.2 IPv6 GRE (Build 121)
Hardware: VirtualBox 4.1.14

About

Snorby is a frontend application for Snort. Snorby lets you check and analyze your Snort events and alerts from a web browser.

Prerequisite

Install Snorby

  • Install apache and prerequisite packages
yum install libyaml-devel httpd git ImageMagick ImageMagick-devel libxml2-devel libxslt-devel gcc-c++ curl-devel httpd-devel apr-devel apr-util-devel readline-devel -y
  • Download and install Ruby
cd /usr/local/src/snort
wget http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p327.tar.gz
tar xvzf ruby-1*
cd ruby-1*
./configure && make && make install
  • Install openssl extension
cd ext/openssl/
ruby extconf.rb
make && make install
  • Install gem dependencies
gem install thor i18n bundler tzinfo builder memcache-client rack rack-test erubis mail rack-mount rails --no-rdoc --no-ri
gem install rake --version=0.9.2 --no-rdoc --no-ri
gem uninstall rake --version=0.9.2.2
  • Download and install wkhtmltopdf
cd /usr/local/src/snort
  • For i386:
wget http://wkhtmltopdf.googlecode.com/files/wkhtmltopdf-0.9.9-static-i386.tar.bz2
tar jxvf wkhtmltopdf-0*
mv wkhtmltopdf-i386 /usr/local/bin/wkhtmltopdf
  • For X86_64:
wget http://wkhtmltopdf.googlecode.com/files/wkhtmltopdf-0.9.9-static-amd64.tar.bz2
tar jxvf wkhtmltopdf-0*
mv wkhtmltopdf-amd64 /usr/local/bin/wkhtmltopdf
chown root:root /usr/local/bin/wkhtmltopdf
  • Download and configure snorby
cd /var/www/html/
git clone http://github.com/Snorby/snorby.git
cd /var/www/html/snorby/config/
cp database.yml.example database.yml
cp snorby_config.yml.example snorby_config.yml
chown -R apache:apache /var/www/html/snorby
  • Set mysql root password
mysqladmin password humus
  • Configure snorby database username and password
vi database.yml
....
snorby: &snorby
 adapter: mysql
 username: root
 password: humus
 host: localhost
...
  • Install Snorby
cd /var/www/html/snorby
bundle install --deployment
rake snorby:setup
  • Configure Barnyard to output alerts to snorby database
vi /etc/snort/barnyard.conf
...
output database: log, mysql, user=root password=humus dbname=snorby host=localhost
...
  • Restart Barnyard
service barnyard2 stop
service barnyard2 start
  • Install Passenger module for apache
gem install passenger
cd /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.19/bin
./passenger-install-apache2-module
  • Configure and restart apache
vi /etc/httpd/conf/httpd.conf
...
#<VirtualHost *:80>
#    ServerAdmin [email protected]
#    DocumentRoot /www/docs/dummy-host.example.com
#    ServerName dummy-host.example.com
#    ErrorLog logs/dummy-host.example.com-error_log
#    CustomLog logs/dummy-host.example.com-access_log common
#</VirtualHost>

LoadModule passenger_module /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.19/ext/apache2/mod_passenger.so
PassengerRoot /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.19
PassengerRuby /usr/local/bin/ruby

<VirtualHost *:80>
        ServerAdmin [email protected]
        ServerName snorby.nachum234.com
        DocumentRoot /var/www/html/snorby/public

        <Directory "/var/www/html/snorby/public">
                AllowOverride all
                Order deny,allow
                Allow from all
                Options -MultiViews
        </Directory>
</VirtualHost>
service httpd restart
  • Configure DNS name snorby.nachum234.com to resolve the IP address of the snorby server (DNS or hosts file)
  • Browse to http://snorby.nachum234.com and login to snorby with the default username/password [email protected]/snorby

That’s all. Now you can work with your new Snorby system to analyze Snort data.

If you haven’t already configured your Snort system to get automatic rule updates, you can do it using the following guide: Configure Snort Automatic Rules Updating With Pulledpork

Please visit http://www.snorby.org/ for more information about Snorby configuration and usage.

104. Snorby Installation on Ubuntu

Tested On

OS: Ubuntu 12.04 x86_64 LTS
Snort Version: 2.9.2.2 IPv6 GRE (Build 121)
Hardware: VirtualBox 4.1.14

About

Snorby is a frontend application for Snort. Snorby lets you check and analyze your Snort events and alerts from a web browser.

Prerequisite

Install Snorby

  • Install apache and prerequisite packages
apt-get install apache2 libyaml-dev git-core default-jre imagemagick libmagickwand-dev wkhtmltopdf gcc g++ build-essential libssl-dev libreadline-gplv2-dev zlib1g-dev linux-headers-generic libsqlite3-dev libxslt1-dev libxml2-dev libmysqlclient-dev libmysql++-dev apache2-prefork-dev libcurl4-openssl-dev -y
  • Download and install Ruby
cd /usr/local/src/snort
wget http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p194.tar.gz
tar xvzf ruby-1*
cd ruby-1*
./configure && make && make install
  • Install openssl extension
cd ext/openssl/
ruby extconf.rb
make && make install
  • Install gem dependencies
gem install thor i18n bundler tzinfo builder memcache-client rack rack-test erubis mail text-format sqlite3 rack-mount rails
gem install rake --version=0.9.2
gem uninstall rake --version=0.9.2.2
  • Download and configure snorby
cd /var/www/
git clone http://github.com/Snorby/snorby.git
cd /var/www/snorby/config/
cp database.yml.example database.yml
cp snorby_config.yml.example snorby_config.yml
  • Change wkhtmltopdf path
sed -i 's#/usr/local/bin/wkhtmltopdf#/usr/bin/wkhtmltopdf#g' /var/www/snorby/config/snorby_config.yml
  • Configure snorby database username and password
vi database.yml
....
snorby: &snorby
 adapter: mysql
 username: root
 password: humus
 host: localhost
...
  • Install Snorby
cd /var/www/snorby
bundle install --deployment
rake snorby:setup
  • Configure Barnyard to output alerts to snorby database
vi /etc/snort/barnyard.conf
...
output database: log, mysql, user=root password=humus dbname=snorby host=localhost
...
  • Restart Barnyard
service barnyard2 stop
service barnyard2 start
  • Install Passenger module for apache
gem install passenger
cd /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.19/bin
./passenger-install-apache2-module
  • Configure and restart apache
vi /etc/apache2/apache2.conf
...
# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.
LoadModule passenger_module /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.19/ext/apache2/mod_passenger.so 
PassengerRoot /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.19 
PassengerRuby /usr/local/bin/ruby
# Include generic snippets of statements
...
vi /etc/apache2/sites-available/234-snorby
<VirtualHost *:80>
        ServerAdmin [email protected]
        ServerName snorby.nachum234.com
        DocumentRoot /var/www/snorby/public

        <Directory "/var/www/snorby/public">
                AllowOverride all
                Order deny,allow
                Allow from all
                Options -MultiViews
        </Directory>
</VirtualHost>
ln -s /etc/apache2/sites-available/234-snorby /etc/apache2/sites-enabled/234-snorby
service apache2 restart
  • Configure snorby.nachum234.com to resolve the IP address of the snorby server (DNS or hosts file)
  • Browse to http://snorby.nachum234.com and login to snorby with the default username/password [email protected]/snorby

That’s all. Now you can work with your new Snorby system to analyze Snort data.

If you haven’t already configured your Snort system to get automatic rule updates, you can do it using the following guide: Configure Snort Automatic Rules Updating With Pulledpork

Please visit http://www.snorby.org/ for more information about Snorby configuration and usage.

001. Snort Installation on CentOS 6.3

Tested On

OS: CentOS 6.3 i386, CentOS x86_64, CentOS 5.7, Ubuntu 10.04 LTS
Snort Version: Version 2.9.4.6 GRE (Build 73)
Hardware: Virtual Machine (VirtualBox 4.1.22)

About

Snort is a Network Intrusion Detection System (NIDS). Snort sniffs your network and alerts you, based on its rule database, when it sees an attack on your network. It is an open-source system built on libpcap, the packet-capture library behind tcpdump (the Linux sniffer tool).

This installation guide can be used for installing Snort only, or as part of a series for installing Snort, Barnyard and BASE, or Snort, Barnyard and Snorby.

Prerequisite

  • Update your system using yum update and reboot
yum update -y
reboot
  • Install EPEL repository
rpm -Uvh http://ftp.uninett.no/linux/epel/6/i386/epel-release-6-8.noarch.rpm
  • Install PCRE, libdnet and more prerequisite packages
yum install libdnet libdnet-devel pcre pcre-devel gcc make flex byacc bison kernel-devel libxml2-devel wget -y
  • Create dir for Snort prerequisite sources
mkdir /usr/local/src/snort
cd /usr/local/src/snort
  • Download and install libpcap
wget http://www.tcpdump.org/release/libpcap-1.3.0.tar.gz -O libpcap.tar.gz
tar zxvf libpcap.tar.gz
cd libpcap-*
./configure && make && make install
echo "/usr/local/lib" >> /etc/ld.so.conf
ldconfig -v
  • Download and install DAQ
cd /usr/local/src/snort
wget http://www.snort.org/dl/snort-current/daq-2.0.0.tar.gz -O daq.tar.gz
tar zxvf daq.tar.gz
cd daq-*
./configure && make && make install
ldconfig -v
  • Create snort user and group
groupadd snort
useradd -g snort snort

Install Snort

  • Download and install Snort
cd /usr/local/src/snort
wget http://www.snort.org/dl/snort-current/snort-2.9.4.6.tar.gz -O snort.tar.gz
tar zxvf snort.tar.gz 
cd snort-2*
./configure --prefix /usr/local/snort --enable-sourcefire && make && make install
  • Create links for Snort files
ln -s /usr/local/snort/bin/snort /usr/sbin/snort
ln -s /usr/local/snort/etc /etc/snort
  • Configure Snort startup script to run at startup
cp rpm/snortd /etc/init.d/
chmod +x /etc/init.d/snortd
cp rpm/snort.sysconfig /etc/sysconfig/snort
chkconfig --add snortd
  • Delete the following lines from the Snort startup script
vi /etc/init.d/snortd
...
# check if more than one interface is given 
if [ `echo $INTERFACE|wc -w` -gt 2 ]; then
...
else 
 # Run with a single interface (default) 
 daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST $BPFFILE $BPF 
fi
  • Comment out the following variables in /etc/sysconfig/snort and add a trailing / to the LOGDIR variable
vi /etc/sysconfig/snort
...
LOGDIR=/var/log/snort/
...
#ALERTMODE=fast
...
#BINARY_LOG=1
...
  • Download the Snort rules files from http://www.snort.org/snort-rules to /usr/local/src/snort
You have to register on the site to get the free Registered User rules, or pay for a subscription to get the most up-to-date rules as a "Subscriber user".
  • Extract rules file in the new created directory
cd /usr/local/snort
tar zxvf /usr/local/src/snort/snortrules-snapshot-2*
  • Create directory for snort logging
mkdir -p /usr/local/snort/var/log
chown snort:snort /usr/local/snort/var/log
ln -s /usr/local/snort/var/log /var/log/snort
  • Create links for dynamic rules files and directories
ln -s /usr/local/snort/lib/snort_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
ln -s /usr/local/snort/lib/snort_dynamicengine /usr/local/lib/snort_dynamicengine
ln -s /usr/local/snort/lib/snort_dynamicrules /usr/local/lib/snort_dynamicrules
  • Set snort permissions
chown -R snort:snort /usr/local/snort
  • Comment out or delete all reputation preprocessor configuration lines in snort.conf and configure the output plugin
vi /usr/local/snort/etc/snort.conf
...
#preprocessor reputation: \
#   memcap 500, \
#   priority whitelist, \
#   nested_ip inner, \
#    whitelist $WHITE_LIST_PATH/white_list.rules, \
#   blacklist $BLACK_LIST_PATH/black_list.rules
...
output unified2: filename snort.log, limit 128
...
  • Create Dynamicrules directory
mkdir /usr/local/snort/lib/snort_dynamicrules
  • Copy dynamicrules files
    • On i386 system
cp /usr/local/snort/so_rules/precompiled/RHEL-6-0/i386/2.9*/*so /usr/local/snort/lib/snort_dynamicrules/
    • On x86_64 system
cp /usr/local/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9*/*so /usr/local/snort/lib/snort_dynamicrules/
  • Dump the stub rules
snort -c /usr/local/snort/etc/snort.conf --dump-dynamic-rules=/usr/local/snort/so_rules
  • Enable snort dynamic rules configuration in the end of snort.conf file
vi /usr/local/snort/etc/snort.conf
...
# dynamic library rules
include $SO_RULE_PATH/bad-traffic.rules
include $SO_RULE_PATH/chat.rules
include $SO_RULE_PATH/dos.rules
include $SO_RULE_PATH/exploit.rules
include $SO_RULE_PATH/icmp.rules
include $SO_RULE_PATH/imap.rules
include $SO_RULE_PATH/misc.rules
include $SO_RULE_PATH/multimedia.rules
include $SO_RULE_PATH/netbios.rules
include $SO_RULE_PATH/nntp.rules
include $SO_RULE_PATH/p2p.rules
include $SO_RULE_PATH/smtp.rules
include $SO_RULE_PATH/snmp.rules
include $SO_RULE_PATH/specific-threats.rules
include $SO_RULE_PATH/web-activex.rules
include $SO_RULE_PATH/web-client.rules
include $SO_RULE_PATH/web-iis.rules
include $SO_RULE_PATH/web-misc.rules
...
  • Test Snort configuration
snort -c /usr/local/snort/etc/snort.conf -T
  • Update Snort rules automatically

PulledPork is an opensource perl script that can update your rules files automatically. To install PulledPork please go to this guide Configure Snort automatic rules updating with PulledPork.

Snort installation completed. Now that we have a Snort server writing its data in binary (unified2) format, we need to install Barnyard. Barnyard is an application that reads Snort’s binary files and can output the data to a MySQL server, where other PHP web applications can use it.
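Barnyard2 reads the unified2 records that the `output unified2: filename snort.log` line above makes Snort write. To show what is inside those files, here is an added Python example (written for this page, not Snort’s or Barnyard2’s own code) that decodes the two basic record types, an IPv4 IDS event and its packet, from a constructed sample, and reports a truncated trailing record instead of crashing on it. The field layouts follow Snort’s Unified2_common.h; the sample values (sensor 1, event 42, sid 1:2000, 10.0.0.5 to 10.0.0.1) are constructed.

```python
"""Minimal reader for Snort unified2 records (added example, not Snort/Barnyard2 code).
Every record is a big-endian (type, length) header followed by `length` body bytes."""
import ipaddress
import struct

UNIFIED2_PACKET = 2      # raw packet that triggered an event
UNIFIED2_IDS_EVENT = 7   # IPv4 IDS event, 52-byte body

RECORD_HDR = struct.Struct("!II")                          # type, length
IDS_EVENT = struct.Struct("!" + "I" * 11 + "HH" + "BBBB")  # Unified2IDSEvent
PACKET_HDR = struct.Struct("!" + "I" * 7)                  # then packet bytes


def parse_ids_event(body):
    if len(body) < IDS_EVENT.size:
        raise ValueError("IDS event body too short: %d bytes" % len(body))
    f = IDS_EVENT.unpack_from(body)
    return {
        "sensor_id": f[0], "event_id": f[1], "event_second": f[2],
        "event_usec": f[3], "signature_id": f[4], "generator_id": f[5],
        "signature_revision": f[6], "classification_id": f[7], "priority": f[8],
        "src": str(ipaddress.IPv4Address(f[9])),
        "dst": str(ipaddress.IPv4Address(f[10])),
        "sport_itype": f[11], "dport_icode": f[12], "protocol": f[13],
        "impact_flag": f[14], "impact": f[15], "blocked": f[16],
    }


def parse_packet(body):
    if len(body) < PACKET_HDR.size:
        raise ValueError("packet header too short")
    f = PACKET_HDR.unpack_from(body)
    pkt = body[PACKET_HDR.size:PACKET_HDR.size + f[6]]
    if len(pkt) != f[6]:
        raise ValueError("packet_length %d exceeds record body" % f[6])
    return {"sensor_id": f[0], "event_id": f[1], "event_second": f[2],
            "packet_second": f[3], "packet_usec": f[4], "linktype": f[5],
            "packet": pkt}


def iter_unified2(data):
    """Yield (kind, fields) per record. A record cut off by the end of the
    file (Snort still writing it) yields a 'truncated' marker instead of
    raising, so a reader can stop and resume from that offset later."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, length = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + length > len(data):
            yield ("truncated", {"type": rtype, "expected": length,
                                 "available": len(data) - off})
            return
        body = data[off:off + length]
        off += length
        if rtype == UNIFIED2_IDS_EVENT:
            yield ("event", parse_ids_event(body))
        elif rtype == UNIFIED2_PACKET:
            yield ("packet", parse_packet(body))
        else:
            yield ("unknown", {"type": rtype, "length": length})


def build_sample_file():
    """Constructed sample: one event (sid 1:2000 rev 3) plus its packet record."""
    event_body = IDS_EVENT.pack(
        1, 42, 1356998400, 123456, 2000, 1, 3, 29, 2,
        int(ipaddress.IPv4Address("10.0.0.5")),
        int(ipaddress.IPv4Address("10.0.0.1")),
        44321, 80, 6, 0, 0, 0)
    pkt = b"\x45\x00\x00\x28"  # first bytes of a constructed IPv4 header
    packet_body = PACKET_HDR.pack(1, 42, 1356998400, 1356998400, 123456, 1, len(pkt)) + pkt
    return (RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(event_body)) + event_body
            + RECORD_HDR.pack(UNIFIED2_PACKET, len(packet_body)) + packet_body)


def summarize(data):
    """One line per record, in the style of Snort's alert_fast output."""
    lines = []
    for kind, f in iter_unified2(data):
        if kind == "event":
            lines.append("[%d:%d:%d] %s:%d -> %s:%d proto %d" % (
                f["generator_id"], f["signature_id"], f["signature_revision"],
                f["src"], f["sport_itype"], f["dst"], f["dport_icode"], f["protocol"]))
        elif kind == "packet":
            lines.append("packet for event %d: %d bytes" % (f["event_id"], len(f["packet"])))
        else:
            lines.append("%s: %r" % (kind, f))
    return lines


if __name__ == "__main__":
    for line in summarize(build_sample_file()):
        print(line)
```

Pointing `iter_unified2` at a real `snort.log.<timestamp>` file from /var/log/snort shows the same records Barnyard2 turns into database rows; the truncated marker is the normal end state of a file Snort is still appending to.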

Here is a link for Barnyard Installation.

Please visit http://www.snort.org/ for more information about Snort configuration and usage.

101. OpenVAS Installation on Ubuntu 10.04

OS: Ubuntu 10.04 64bit (LTS)
Hardware: Virtual Machine (VirtualBox 4.1.8)
OpenVAS: 4.0.6

About

OpenVAS is an open-source network vulnerability scanner. OpenVAS lets you scan your network for vulnerabilities and create a report on your network status.

Prerequisite

  • Update your OS and restart
sudo su -
apt-get update
apt-get upgrade -y
reboot
  • Install prerequisite packages from apt-get
sudo su -
apt-get install build-essential cmake doxygen uuid libgpgme11 libgpgme11-dev libpcap0.8-dev libpcap0.8 uuid-dev pkg-config libglib2.0* autoconf libgnutls-dev bison sqlite3 libsqlite3-dev xsltproc libxslt1-dev xmltoman texlive-latex-base nmap rpm alien texlive-latex-recommended texlive-latex-base texlive-latex-extra -y
  • Download and install wmi
mkdir /usr/local/src/openvas
cd /usr/local/src/openvas 
wget http://www.openvas.org/download/wmi/wmi-1.3.14.tar.bz2 -O wmi.tar.bz2
tar xjvf wmi.tar.bz2
cd wmi*
wget http://www.openvas.org/download/wmi/openvas-wmi-1.3.14.patch
patch -p1 < openvas-wmi-1.3.14.patch
cd Samba/source
./autogen.sh
./configure
make proto all
make libraries
bash install-libwmiclient.sh
  • Download and install libmicrohttpd
cd /usr/local/src/openvas 
wget http://mirror.veriportal.com/gnu/libmicrohttpd/libmicrohttpd-0.9.15.tar.gz -O libmicrohttpd.tar.gz
tar xzvf libmicrohttpd.tar.gz
cd libmicrohttpd*
./configure && make && make install

OpenVAS Installation

  • Download and install openvas-libraries
cd /usr/local/src/openvas/
wget http://wald.intevation.org/frs/download.php/979/openvas-libraries-4.0.6.tar.gz -O openvas-libraries.tar.gz
tar zxvf openvas-libraries.tar.gz
cd openvas-libraries*
cmake .
make
make install
  • Download and install openvas-scanner
cd /usr/local/src/openvas
wget http://wald.intevation.org/frs/download.php/983/openvas-scanner-3.2.5.tar.gz -O openvas-scanner.tar.gz
tar zxvf openvas-scanner.tar.gz
cd openvas-scanner*
cmake .
make
make install
  • Download and install openvas-manager
cd /usr/local/src/openvas
wget http://wald.intevation.org/frs/download.php/871/openvas-manager-2.0.4.tar.gz -O openvas-manager.tar.gz
tar zxvf openvas-manager.tar.gz
cd openvas-manager*
cmake .
make
make install
  • Download and install openvas-administrator
cd /usr/local/src/openvas
wget http://wald.intevation.org/frs/download.php/987/openvas-administrator-1.1.2.tar.gz -O openvas-administrator.tar.gz
tar zxvf openvas-administrator.tar.gz
cd openvas-administrator*
cmake .
make
make install
  • Download and install greenbone-security-assistant
cd /usr/local/src/openvas
wget http://wald.intevation.org/frs/download.php/857/greenbone-security-assistant-2.0.1.tar.gz -O greenbone-security-assistant.tar.gz
tar zxvf greenbone-security-assistant.tar.gz
cd greenbone-security-assistant*
cmake .
make
make install
  • Download and install openvas-cli
cd /usr/local/src/openvas
wget http://wald.intevation.org/frs/download.php/1016/openvas-cli-1.1.4.tar.gz -O openvas-cli.tar.gz
tar zxvf openvas-cli.tar.gz
cd openvas-cli*
cmake .
make
make install
  • Register the new OpenVAS libraries with the dynamic linker
ldconfig
  • Create Certificate
openvas-mkcert
-------------------------------------------------------------------------------
                        Creation of the OpenVAS SSL Certificate
-------------------------------------------------------------------------------

This script will now ask you the relevant information to create the SSL certificate of OpenVAS.
Note that this information will *NOT* be sent to anybody (everything stays local), but anyone with the ability to connect to your OpenVAS daemon will be able to retrieve this information.

CA certificate life time in days [1460]:    ENTER
Server certificate life time in days [365]:    ENTER
Your country (two letter code) [DE]: IL    ENTER
Your state or province name [none]:    ENTER
Your location (e.g. town) [Berlin]: Holon    ENTER
Your organization [OpenVAS Users United]: HUMUS LTD    ENTER
-------------------------------------------------------------------------------
                        Creation of the OpenVAS SSL Certificate
-------------------------------------------------------------------------------

Congratulations. Your server certificate was properly created.

The following files were created:

. Certification authority:
   Certificate = /usr/local/var/lib/openvas/CA/cacert.pem
   Private key = /usr/local/var/lib/openvas/private/CA/cakey.pem

. OpenVAS Server :
    Certificate = /usr/local/var/lib/openvas/CA/servercert.pem
    Private key = /usr/local/var/lib/openvas/private/CA/serverkey.pem

Press [ENTER] to exit
ENTER
  • Sync NVT
openvas-nvt-sync
  • Create certificate for OpenVAS Manager
openvas-mkcert-client -n om -i
  • Start OpenVAS services for the first time
openvassd
openvasmd --rebuild
openvasmd
openvasad
gsad
  • Create new user for OpenVAS
openvasad -c 'add_user' -n admin --role=Admin
  • Configure OpenVAS services to run at server startup process
vi /etc/rc.local
...
/usr/local/sbin/openvassd
/usr/local/sbin/openvasmd
/usr/local/sbin/openvasad
/usr/local/sbin/gsad
exit 0
  • Connect to OpenVAS server
    • Using a web browser browse to https://openvas_server_IP
    • Continue on the security certificate alert
    • Log in using your created username and password
  • Create your first scan config
    • Click on Scan Configs
    • In the Name field enter test1
    • In the Base field click on “Full and fast” in order to use the default OpenVAS configuration
    • Click on Create Scan Config
    • On your new test1 Scan Config click Edit Scan Config button
    • If your scanning server is weak like mine (one CPU at 1.7GHz and 1GB of memory), change the max_hosts field to about 5 and max_checks to about 2, then click “Save Config”
    • If you are going to scan a big range of IP addresses and you know that many of them are down or do not exist, consider changing the Ping Host NVT setting to enable “Mark unreachable Hosts as dead”; otherwise your scan will be very slow, because OpenVAS will try to run every NVT on every IP even if the host is not available.
    • To do so click edit on “Port scanners”
    • Click edit on “Ping Host”
    • In “Mark unreachable Hosts as dead (not scanning)” click on the yes checkbox
    • Click “Save Config”
  • Create your targets
    • Click on Targets
    • In Name field enter test1
    • In the hosts field enter your comma-separated IP addresses (e.g. 192.168.10.0/24,127.0.0.1)
    • Click on “Create Target”
  • Create your first Task
    • Click on New Task
    • In the Name field enter test1
    • In the Scan Config select your newly created test1 Scan Config
    • In the Scan Targets select your newly created test1 Target
    • Click on create Task
  • Run your first created Task
    • Click on Tasks
    • Click on the play button right to your new test1 task

That’s it. OpenVAS server installation completed. You can create new scans on your network, schedule them to run frequently and check their reports.

For more information on OpenVAS visit http://www.openvas.org

001. OpenVAS 5 Installation on CentOS 6.2

OS: CentOS 6.2 32bit
Hardware: Virtual Machine (VirtualBox 4.1.14)
OpenVAS: 5

About

OpenVAS is an open-source network vulnerability scanner. OpenVAS lets you scan your network for vulnerabilities and create a report on your network status.

Prerequisite

  • Disable SELINUX
vi /etc/selinux/config
...
SELINUX=disabled
...
  • Install wget
yum install wget -y
  • Update your Operating System and reboot
yum update -y 
reboot

OpenVAS Installation

  • Install atomic repository
wget -q -O - http://www.atomicorp.com/installers/atomic |sh
Atomic Archive installer, version 2.0.3

BY INSTALLING THIS SOFTWARE AND BY USING ANY AND ALL SOFTWARE
PROVIDED BY ATOMICORP LIMITED YOU ACKNOWLEDGE AND AGREE:

THIS SOFTWARE AND ALL SOFTWARE PROVIDED IN THIS REPOSITORY IS
PROVIDED BY ATOMICORP LIMITED AS IS, IS UNSUPPORTED AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ATOMICORP LIMITED, THE
COPYRIGHT OWNER OR ANY CONTRIBUTOR TO ANY AND ALL SOFTWARE PROVIDED
BY OR PUBLISHED IN THIS REPOSITORY BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.

Do you agree to these terms? (yes/no) [Default: yes]
ENTER
Installing the Atomic GPG key: OK
Downloading atomic-release-1.0-14.el6.art.noarch.rpm: OK

The Atomic Rocket Turtle archive has now been installed and configured for your system
The following channels are available:
  atomic          - [ACTIVATED] - contains the stable tree of ART packages
  atomic-testing  - [DISABLED]  - contains the testing tree of ART packages
  atomic-bleeding - [DISABLED]  - contains the development tree of ART packages
  • Install OpenVAS
yum install openvas -y
  • Run openvas-setup to configure OpenVAS
openvas-setup
Openvas Setup, Version: 0.1

Step 1: Update NVT's
Please note this step could take some time.
Once completed, NVT's will be updated automatically every 24 hours

Updating NVTs....
Stopping openvas-scanner:                                  [  OK  ]
Starting openvas-scanner:
                                                           [  OK  ]
Updating OpenVAS Manager database....

Step 2: Configure GSAD
The Greenbone Security Assistant is a Web Based front end
for managing scans. By default it is configured to only allow
connections from localhost.

Allow connections from any IP? [Default: yes] Stopping gree[  OK  ]curity-assistant:
Starting greenbone-security-assistant:                     [  OK  ]

Step 3: Choose the GSAD admin users password.
The admin user is used to configure accounts,
Update NVT's manually, and manage roles.

Enter password: enter password for admin user
ENTER
ad   main:MESSAGE:3223:2012-01-19 11h09.05 IST: No rules file provided, the new user will have no restrictions.
ad   main:MESSAGE:3223:2012-01-19 11h09.05 IST: User admin has been successfully created.

Step 4: Create a user

Using /var/tmp as a temporary file holder.

Add a new openvassd user
---------------------------------

Login : humus
ENTER
Authentication (pass/cert) [pass] :
ENTER
Login password : enter user password
ENTER
Login password (again) : enter user password again
ENTER
User rules
---------------
openvassd has a rules system which allows you to restrict the hosts that humus has the right to test.
For instance, you may want him to be able to scan his own host only.

Please see the openvas-adduser(8) man page for the rules syntax.

Enter the rules for this user, and hit ctrl-D once you are done:
(the user can have an empty rules set)
ctrl-D
Login             : humus
Password          : ***********

Rules             :

Is that ok? (y/n) [y]
ENTER
Setup complete, you can now access GSAD at:
  https://<IP>:9392
  • Start OpenVAS administrator
/etc/init.d/openvas-administrator start
  • Download openvas-check-setup script and check OpenVAS setup
cd /usr/local/src/
wget https://svn.wald.intevation.org/svn/openvas/trunk/tools/openvas-check-setup -O openvas-check-setup.sh --no-check-certificate
chmod +x openvas-check-setup.sh
./openvas-check-setup.sh --server
  • Open the Greenbone Security Assistant port in the Linux firewall
vi /etc/sysconfig/iptables
...
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9392 -j ACCEPT  
...
service iptables restart
  • Connect to OpenVAS server
    • Using a web browser browse to https://openvas_server_IP:9392

That’s it. OpenVAS server installation completed. You can create new scans on your network, schedule them to run frequently and check their reports.

For more information on OpenVAS visit http://www.openvas.org

001. Nessus Installation on CentOS 5.7

OS: CentOS 5.7 32bit
Hardware: Virtual Machine (VirtualBox 4.1.8)
Nessus: 4.4.1

About

Nessus is a network vulnerability scanner. Nessus lets you scan your network for vulnerabilities and create a report based on your network status.

Nessus Installation

  • Download Nessus
mkdir /usr/local/src/nessus
cd /usr/local/src/nessus
wget "http://downloads.nessus.org/nessus3dl.php?file=Nessus-4.4.1-es5.i386.rpm&licence_accept=yes&t=05a5e71c02e574b66e0f558865246dca" -O nessus.rpm
  • Install Nessus package
rpm -ihv nessus.rpm
  • Activate your Nessus account with your activation code
/opt/nessus/bin/nessus-fetch --register XXXX-XXXX-XXXX-XXXX-XXXX
ENTER
Your activation code has been registered properly - thank you.
Now fetching the newest plugin set from plugins.nessus.org...
Your Nessus installation is now up-to-date.
If auto_update is set to 'yes' in nessusd.conf, Nessus will
update the plugins by itself.
  • Start Nessus server
service nessusd start
  • Create new user for Nessus
/opt/nessus/sbin/nessus-adduser
Login : admin
ENTER 
Login password : type a password ENTER
Login password (again) : type again the previous password ENTER
Do you want this user to be a Nessus 'admin' user ? (can upload plugins, etc...) (y/n) [n]: y
ENTER
User rules
----------
nessusd has a rules system which allows you to restrict the hosts
that admin has the right to test. For instance, you may want
him to be able to scan his own host only.

Please see the nessus-adduser manual for the rules syntax

Enter the rules for this user, and enter a BLANK LINE once you are done :
(the user can have an empty rules set)
ENTER
Login             : admin
Password         : ***********
This user will have 'admin' privileges within the Nessus server
Rules             :
Is that ok ? (y/n) [y]
ENTER
User added
  • Connect to Nessus server
    • Using a web browser browse to https://nessus_server_IP:8834
    • Continue on the security certificate alert
    • Log in using your created username and password
    • Create your first scan and run it

That’s it. Nessus server installation completed. You can create new scans on your network and schedule them to run frequently.

For more information on Nessus visit http://www.nessus.org

003. OSSEC Client Installation on Windows

OS: Windows XP SP3, Windows 7 i386
OSSEC Version: 2.6
Hardware: Virtual Machine (VirtualBox 4.1.8)

About

OSSEC is an open-source Host Intrusion Detection System (HIDS). OSSEC lets you monitor log files and file integrity and detect rootkits in a client-server environment.

Prerequisite

OSSEC Client Installation

  • Run the downloaded exe file
    1. Welcome to OSSEC HIDS Windows Agent v2.6 Setup Wizard – Click Next
    2. License Agreement – Read the license agreement and if you agree click on I agree
    3. Choose Components – If you are not running IIS, click to remove the mark on “Scan and monitor IIS logs” and click Next
    4. Choose Install Location – Click Install
    5. Completing the OSSEC HIDS Windows Agent v2.6 Setup Wizard – check that “Run OSSEC Agent Manager” is marked and click Finish
  • On the OSSEC server run manage_agents tool to add a new client
/var/ossec/bin/manage_agents
Choose A to add an agent: A -> Enter
provide a name for your new agent: winxp-2 -> Enter
provide the IP of your new agent: x.x.x.x -> Enter
Provide an OSSEC ID for your new agent: 002 -> Enter
Confirm adding it?: y -> Enter
Choose E to extract key for an agent: E -> Enter
Provide the ID of the new agent: 002 -> Enter
Copy the agent key information
press ENTER to return to the main menu
Choose Q -> Enter to quit
  • On the OSSEC Windows client, run the Manage Agents tool if it’s not already running and configure your new client installation
    1. Start -> All Programs -> OSSEC -> Manage Agents
    2. OSSEC Agent Manager – Fill your “OSSEC server IP”, and the “Authentication Key” that was copied from the server. Click save
    3. Confirm Importing Key – Click OK
    4. OSSEC Agent Manager – Click on Manage -> Start OSSEC
    5. Close OSSEC Agent Manager

That’s it. OSSEC client installation completed. You can browse to http://ossec_srv_IP/ossec and see messages from your new OSSEC client.

To Install OSSEC client on Linux use the following guides:

  • OSSEC Client Installation on CentOS

099. Snort Error Messages

  1. Error Message: testing the Snort configuration generates the following message:

...
ERROR: snort_stream5_tcp.c(906) Could not initialize tcp session memory pool.
Fatal Error, Quitting..
  • Fix: Add more memory, or reduce max_tcp in the stream5_global preprocessor configuration in snort.conf
vi /usr/local/snort/etc/snort.conf
preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp no, \
   max_tcp 162144, \
   max_udp 131072, \
   max_active_responses 2, \
   min_response_seconds 5

004. Configure Snort automatic rules updating with PulledPork

OS: CentOS-6.3 i386, Ubuntu 12.04 x86_64 LTS, Ubuntu 10.04 x86_64 LTS, Ubuntu 11.10 i386
Snort Version: Version 2.9.3.1 IPv6 GRE (Build 40)
Hardware: VirtualBox 4.1.22

About

PulledPork is an opensource perl script that can automatically update Snort rules.

Prerequisite

    • On CentOS
yum install perl-Crypt-SSLeay perl-libwww-perl perl-Archive-Tar -y
    • On Ubuntu
apt-get install libcrypt-ssleay-perl liblwp-useragent-determined-perl -y

Install PulledPork

  • Download and extract PulledPork
cd /usr/local/src/snort
wget http://pulledpork.googlecode.com/files/pulledpork-0.6.1.tar.gz -O pulledpork.tar.gz
cd /usr/local/snort
tar zxvf /usr/local/src/snort/pulledpork.tar.gz
mv pulledpork-0.6.1 pulledpork
  • Generate Oinkcode at Snort web site
    • If you are not already registered on the Snort web site, do it now at https://www.snort.org/signup
    • Login to Snort web site
    • Go to Snort home page and Click on “Get Snort Oinkcode” at the bottom in “Snort Links”  section
    • Click Generate Code and copy your new Oinkcode
  • Change the following in PulledPork configuration file
vi /usr/local/snort/pulledpork/etc/pulledpork.conf
...
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|paste here your Oinknumber
# get the rule docs!
#rule_url=https://www.snort.org/reg-rules/|opensource.gz|
#rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
# THE FOLLOWING URL is for etpro downloads, note the tarball name change!
# and the et oinkcode requirement!
#rule_url=https://rules.emergingthreats.net/|etpro.rules.tar.gz|
...
rule_path=/usr/local/snort/etc/rules/snort.rules
...
local_rules=/usr/local/snort/etc/rules/local.rules

# Where should I put the sid-msg.map file?
sid_msg=/usr/local/snort/etc/sid-msg.map
...
# Path to the snort binary, we need this to generate the stub files
snort_path=/usr/local/snort/bin/snort

# We need to know where your snort.conf file lives so that we can
# generate the stub files
config_path=/usr/local/snort/etc/snort.conf

# This is the file that contains all of the shared object rules that pulledpork
# has processed, note that this has changed as of 0.4.0 just like the rules_path!
sostub_path=/usr/local/snort/etc/rules/so_rules.rules
...
distro=Ubuntu-10.04 # For CentOS 6.x you can use RHEL-6-0
...
pid_path=/var/run/snort_eth0.pid
...
  • Change RULE_PATH variable in snort configuration file
vi /usr/local/snort/etc/snort.conf
...
var RULE_PATH /usr/local/snort/etc/rules
...
  • Remove all existing rules include lines from the Snort configuration file (a single sed pass deletes every matching line)
sed -i '/^include $RULE_PATH/d' /usr/local/snort/etc/snort.conf
  • Add the following include files to snort configuration file
echo "include \$RULE_PATH/snort.rules" >> /usr/local/snort/etc/snort.conf
echo "include \$RULE_PATH/local.rules" >> /usr/local/snort/etc/snort.conf
echo "include \$RULE_PATH/so_rules.rules" >> /usr/local/snort/etc/snort.conf
  • Create rules directory
mkdir /usr/local/snort/etc/rules
  • Create your local rules file
    • If you have one, copy it
cp /usr/local/snort/rules/local.rules /usr/local/snort/etc/rules/
    • If you don’t have local rules file then create an empty one
touch /usr/local/snort/etc/rules/local.rules
  • Run PulledPork for the first time
/usr/local/snort/pulledpork/pulledpork.pl -c /usr/local/snort/pulledpork/etc/pulledpork.conf
  • Schedule PulledPork to run every day: add the following line to the end of the crontab file
vi /etc/crontab
...
0 0 * * * root /usr/local/snort/pulledpork/pulledpork.pl -c /usr/local/snort/pulledpork/etc/pulledpork.conf
...
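As an added example (not part of the original guide), the following script performs the snort.conf rewiring steps above (delete the old include lines, set RULE_PATH, append the three PulledPork-managed includes) so that it can be re-run without duplicating lines. It works on a constructed sample snort.conf in a temporary file; the rules directory path is the one used in this guide.

```shell
#!/bin/sh
# Added example, not from the original guide. Rewires a snort.conf for
# PulledPork idempotently: running it twice leaves the file unchanged.

rewire_snort_conf() {
    conf="$1"
    rule_path="$2"
    # Delete every 'include $RULE_PATH/...' line in one pass. sed removes all
    # matches in a single run, so the command never needs to be repeated.
    sed -i '/^include \$RULE_PATH/d' "$conf"
    # Point RULE_PATH at the directory PulledPork writes its rules files into.
    if grep -q '^var RULE_PATH ' "$conf"; then
        sed -i "s|^var RULE_PATH .*|var RULE_PATH $rule_path|" "$conf"
    else
        printf 'var RULE_PATH %s\n' "$rule_path" >> "$conf"
    fi
    # Append the three PulledPork outputs exactly once each.
    for f in snort.rules local.rules so_rules.rules; do
        printf 'include $RULE_PATH/%s\n' "$f" >> "$conf"
    done
}

# Number of 'include $RULE_PATH' lines in the file; expected to be 3 afterwards.
count_rule_includes() {
    grep -c '^include \$RULE_PATH' "$1"
}

# Constructed sample snort.conf fragment (not a real installation's file).
SNORT_CONF="$(mktemp)"
trap 'rm -f "$SNORT_CONF"' EXIT
cat > "$SNORT_CONF" <<'EOF'
var RULE_PATH ../rules
preprocessor stream5_global: track_tcp yes
include $RULE_PATH/local.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/exploit.rules
output unified2: filename snort.log, limit 128
EOF

rewire_snort_conf "$SNORT_CONF" /usr/local/snort/etc/rules
rewire_snort_conf "$SNORT_CONF" /usr/local/snort/etc/rules   # second run: no change
echo "rule includes now: $(count_rule_includes "$SNORT_CONF")"
```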

PulledPork installation completed. PulledPork will now run every day and update your rules files from the Snort site.

For more information about PulledPork go to http://code.google.com/p/pulledpork/.

103. BASE Installation on Ubuntu

Tested On

OS: Ubuntu 12.04 x86_64 LTS, Ubuntu 11.10 i386, Ubuntu 11.10 x86_64, Ubuntu 10.04 x86_64 LTS, Ubuntu 10.04 i386 LTS, CentOS
Snort Version: 2.9.2.2 IPv6 GRE (Build 121)
Hardware: VirtualBox 4.1.12

About

BASE is a PHP frontend application for Snort. BASE lets you check and analyze your Snort events and alerts from a web browser.

Prerequisite

Install BASE

  • Install Apache, PHP and prerequisite packages
apt-get install apache2 libapache2-mod-php5 php5 php5-mysql php5-common php5-gd php5-cli php-pear unzip -y
  • Install pear Image_Graph
pear install -f Image_Graph
  • Download ADODB
cd /usr/local/src/snort
wget http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-514-for-php5/adodb514.zip
cd /var/
unzip /usr/local/src/snort/adodb514.zip
mv adodb5 adodb
  • Download and extract BASE
cd /usr/local/src/snort
wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
cd /var/www/
tar zxvf /usr/local/src/snort/base-1.4.5.tar.gz
mv base-1.4.5 base
  • Configure BASE
cd /var/www/base
cp base_conf.php.dist base_conf.php
vi base_conf.php
....
$BASE_urlpath = '/base';
...
$DBlib_path = '/var/adodb/';
...
$alert_dbname   = 'snort';
$alert_host     = 'localhost';
$alert_port     = '';
$alert_user     = 'snort';
$alert_password = 'snort';
...
  • Set permissions on base directory
chown -R www-data:www-data /var/www/base
  • Restart apache
service apache2 restart
  • Browse to snort_ip_address/base/index.php and click on the “setup page” link
  • Click on the “Create BASE AG” button at the upper right of the page
  • Click on the “Main page” link

That's all. You can now work with your new BASE system to analyze Snort data.

Please visit http://www.snort.org/ for more information about Snort configuration and usage.