004. Snorby Installation on CentOS

Tested On

OS: CentOS 6.2 i386
Snort Version: 2.9.2.2 IPv6 GRE (Build 121)
Hardware: VirtualBox 4.1.14

About

Snorby is a frontend application for Snort. Snorby lets you check and analyze your Snort events and alerts from a web browser.

Prerequisite

Install Snorby

  • Install apache and prerequisite packages
yum install libyaml-devel httpd git ImageMagick ImageMagick-devel libxml2-devel libxslt-devel gcc-c++ curl-devel httpd-devel apr-devel apr-util-devel readline-devel -y
  • Download and install Ruby
cd /usr/local/src/snort
wget http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p327.tar.gz
tar xvzf ruby-1*
cd ruby-1*
./configure && make && make install
  • Install openssl extension
cd ext/openssl/
ruby extconf.rb
make && make install
  • Install gem dependencies
gem install thor i18n bundler tzinfo builder memcache-client rack rack-test erubis mail rack-mount rails --no-rdoc --no-ri
gem install rake --version=0.9.2 --no-rdoc --no-ri
gem uninstall rake --version=0.9.2.2
  • Download and install wkhtmltopdf
cd /usr/local/src/snort
  • For i386:
wget http://wkhtmltopdf.googlecode.com/files/wkhtmltopdf-0.9.9-static-i386.tar.bz2
tar jxvf wkhtmltopdf-0*
mv wkhtmltopdf-i386 /usr/local/bin/wkhtmltopdf
  • For X86_64:
wget http://wkhtmltopdf.googlecode.com/files/wkhtmltopdf-0.9.9-static-amd64.tar.bz2
tar jxvf wkhtmltopdf-0*
mv wkhtmltopdf-amd64 /usr/local/bin/wkhtmltopdf
chown root:root /usr/local/bin/wkhtmltopdf
  • Download and configure snorby
cd /var/www/html/
git clone http://github.com/Snorby/snorby.git
cd /var/www/html/snorby/config/
cp database.yml.example database.yml
cp snorby_config.yml.example snorby_config.yml
chown -R apache:apache /var/www/html/snorby
  • Set mysql root password
mysqladmin password humus
  • Configure snorby database username and password
vi database.yml
...
snorby: &snorby
 adapter: mysql
 username: root
 password: humus
 host: localhost
...
  • Install Snorby
cd /var/www/html/snorby
bundle install --deployment
rake snorby:setup
  • Configure Barnyard to output alerts to snorby database
vi /etc/snort/barnyard.conf
...
output database: log, mysql, user=root password=humus dbname=snorby host=localhost
...
  • Restart Barnyard
service barnyard2 stop
service barnyard2 start
  • Install Passenger module for apache
gem install passenger
cd /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.19/bin
./passenger-install-apache2-module
  • Configure and restart apache
vi /etc/httpd/conf/httpd.conf
...
#<VirtualHost *:80>
#    ServerAdmin webmaster@dummy-host.example.com
#    DocumentRoot /www/docs/dummy-host.example.com
#    ServerName dummy-host.example.com
#    ErrorLog logs/dummy-host.example.com-error_log
#    CustomLog logs/dummy-host.example.com-access_log common
#</VirtualHost>

LoadModule passenger_module /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.19/ext/apache2/mod_passenger.so
PassengerRoot /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.19
PassengerRuby /usr/local/bin/ruby

<VirtualHost *:80>
        ServerAdmin [email protected]
        ServerName snorby.nachum234.com
        DocumentRoot /var/www/html/snorby/public

        <Directory "/var/www/html/snorby/public">
                AllowOverride all
                Order deny,allow
                Allow from all
                Options -MultiViews
        </Directory>
</VirtualHost>
service httpd restart
  • Configure the DNS name snorby.nachum234.com to resolve to the IP address of the Snorby server (DNS or hosts file)
  • Browse to http://snorby.nachum234.com and log in to Snorby with the default username/password snorby@snorby.org/snorby

That’s all. Now you can work with your new Snorby system to analyze Snort data.

If you haven’t already configured your Snort system to get automatic rule updates, you can do it using the following guide: Configure Snort Automatic Rules Updating With Pulledpork

Please visit http://www.snorby.org/ for more information about Snorby configuration and usage.

104. Snorby Installation on Ubuntu

Tested On

OS: Ubuntu 12.04 x86_64 LTS
Snort Version: 2.9.2.2 IPv6 GRE (Build 121)
Hardware: VirtualBox 4.1.14

About

Snorby is a frontend application for Snort. Snorby lets you check and analyze your Snort events and alerts from a web browser.

Prerequisite

Install Snorby

  • Install apache and prerequisite packages
apt-get install apache2 libyaml-dev git-core default-jre imagemagick libmagickwand-dev wkhtmltopdf gcc g++ build-essential libssl-dev libreadline-gplv2-dev zlib1g-dev linux-headers-generic libsqlite3-dev libxslt1-dev libxml2-dev libmysqlclient-dev libmysql++-dev apache2-prefork-dev libcurl4-openssl-dev -y
  • Download and install Ruby
cd /usr/local/src/snort
wget http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p194.tar.gz
tar xvzf ruby-1*
cd ruby-1*
./configure && make && make install
  • Install openssl extension
cd ext/openssl/
ruby extconf.rb
make && make install
  • Install gem dependencies
gem install thor i18n bundler tzinfo builder memcache-client rack rack-test erubis mail text-format sqlite3 rack-mount rails
gem install rake --version=0.9.2
gem uninstall rake --version=0.9.2.2
  • Download and configure snorby
cd /var/www/
git clone http://github.com/Snorby/snorby.git
cd /var/www/snorby/config/
cp database.yml.example database.yml
cp snorby_config.yml.example snorby_config.yml
  • Change wkhtmltopdf path
sed -i s/"\/usr\/local\/bin\/wkhtmltopdf"/"\/usr\/bin\/wkhtmltopdf"/g /var/www/snorby/config/snorby_config.yml
  • Configure snorby database username and password
vi database.yml
...
snorby: &snorby
 adapter: mysql
 username: root
 password: humus
 host: localhost
...
  • Install Snorby
cd /var/www/snorby
bundle install --deployment
rake snorby:setup
  • Configure Barnyard to output alerts to snorby database
vi /etc/snort/barnyard.conf
...
output database: log, mysql, user=root password=humus dbname=snorby host=localhost
...
  • Restart Barnyard
service barnyard2 stop
service barnyard2 start
  • Install Passenger module for apache
gem install passenger
cd /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.19/bin
./passenger-install-apache2-module
  • Configure and restart apache
vi /etc/apache2/apache2.conf
...
# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.
LoadModule passenger_module /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.19/ext/apache2/mod_passenger.so
PassengerRoot /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.19
PassengerRuby /usr/local/bin/ruby
# Include generic snippets of statements
...
vi /etc/apache2/sites-available/234-snorby
<VirtualHost *:80>
        ServerAdmin [email protected]
        ServerName snorby.nachum234.com
        DocumentRoot /var/www/snorby/public

        <Directory "/var/www/snorby/public">
                AllowOverride all
                Order deny,allow
                Allow from all
                Options -MultiViews
        </Directory>
</VirtualHost>
ln -s /etc/apache2/sites-available/234-snorby /etc/apache2/sites-enabled/234-snorby
service apache2 restart
  • Configure snorby.nachum234.com to resolve to the IP address of the Snorby server (DNS or hosts file)
  • Browse to http://snorby.nachum234.com and log in to Snorby with the default username/password snorby@snorby.org/snorby

That’s all. Now you can work with your new Snorby system to analyze Snort data.

If you haven’t already configured your Snort system to get automatic rule updates, you can do it using the following guide: Configure Snort Automatic Rules Updating With Pulledpork

Please visit http://www.snorby.org/ for more information about Snorby configuration and usage.

001. Snort Installation on CentOS 6.3

Tested On

OS: CentOS 6.3 i386, CentOS x86_64, CentOS 5.7, Ubuntu 10.04 LTS
Snort Version: 2.9.4.6 GRE (Build 73)
Hardware: Virtual Machine (VirtualBox 4.1.22)

About

Snort is a Network Intrusion Detection System (NIDS). Snort sniffs your network and, based on its rule database, alerts you when there is an attack on your network. It is an open-source system built on tcpdump (the Linux sniffer tool).

This installation guide can be used for installing Snort alone or as part of a series for installing Snort, Barnyard and BASE or Snort, Barnyard and Snorby.

Prerequisite

  • Update your system using yum update and reboot
yum update -y
reboot
  • Install EPEL repository
rpm -Uvh http://ftp.uninett.no/linux/epel/6/i386/epel-release-6-8.noarch.rpm
  • Install PCRE, libdnet and more prerequisite packages
yum install libdnet libdnet-devel pcre pcre-devel gcc make flex byacc bison kernel-devel libxml2-devel wget -y
  • Create dir for Snort prerequisite sources
mkdir /usr/local/src/snort
cd /usr/local/src/snort
  • Download and install libpcap
wget http://www.tcpdump.org/release/libpcap-1.3.0.tar.gz -O libpcap.tar.gz
tar zxvf libpcap.tar.gz
cd libpcap-*
./configure && make && make install
echo "/usr/local/lib" >> /etc/ld.so.conf
ldconfig -v
  • Download and install DAQ
cd /usr/local/src/snort
wget http://www.snort.org/dl/snort-current/daq-2.0.0.tar.gz -O daq.tar.gz
tar zxvf daq.tar.gz
cd daq-*
./configure && make && make install
ldconfig -v
  • Create snort user and group
groupadd snort
useradd -g snort snort

Install Snort

  • Download and install Snort
cd /usr/local/src/snort
wget http://www.snort.org/dl/snort-current/snort-2.9.4.6.tar.gz -O snort.tar.gz
tar zxvf snort.tar.gz 
cd snort-2*
./configure --prefix /usr/local/snort --enable-sourcefire && make && make install
  • Create links for Snort files
ln -s /usr/local/snort/bin/snort /usr/sbin/snort
ln -s /usr/local/snort/etc /etc/snort
  • Configure Snort startup script to run at startup
cp rpm/snortd /etc/init.d/
chmod +x /etc/init.d/snortd
cp rpm/snort.sysconfig /etc/sysconfig/snort
chkconfig --add snortd
  • Delete the following lines from the snort startup file
vi /etc/init.d/snortd
...
# check if more than one interface is given 
if [ `echo $INTERFACE|wc -w` -gt 2 ]; then
...
else 
 # Run with a single interface (default) 
 daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST $BPFFILE $BPF 
fi
  • Comment out the following variables in /etc/sysconfig/snort and add a trailing / to the LOGDIR variable
vi /etc/sysconfig/snort
...
LOGDIR=/var/log/snort/
...
#ALERTMODE=fast
...
#BINARY_LOG=1
...
  • Download the Snort rules file from http://www.snort.org/snort-rules to /usr/local/src/snort
You have to register on the site in order to get the free Registered User rules,
or you can pay and get the most up-to-date rules as a "Subscriber user"
  • Extract the rules file into the newly created directory
cd /usr/local/snort
tar zxvf /usr/local/src/snort/snortrules-snapshot-2*
  • Create directory for snort logging
mkdir -p /usr/local/snort/var/log
chown snort:snort /usr/local/snort/var/log
ln -s /usr/local/snort/var/log /var/log/snort
  • Create links for dynamic rules files and directories
ln -s /usr/local/snort/lib/snort_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
ln -s /usr/local/snort/lib/snort_dynamicengine /usr/local/lib/snort_dynamicengine
ln -s /usr/local/snort/lib/snort_dynamicrules /usr/local/lib/snort_dynamicrules
  • Set snort permissions
chown -R snort:snort /usr/local/snort
  • Comment out or delete all reputation preprocessor configuration lines from snort.conf and configure the output plugin
vi /usr/local/snort/etc/snort.conf
...
#preprocessor reputation: \
#   memcap 500, \
#   priority whitelist, \
#   nested_ip inner, \
#    whitelist $WHITE_LIST_PATH/white_list.rules, \
#   blacklist $BLACK_LIST_PATH/black_list.rules
...
output unified2: filename snort.log, limit 128
...
  • Create the dynamic rules directory
mkdir /usr/local/snort/lib/snort_dynamicrules
  • Copy dynamicrules files
    • On i386 system
cp /usr/local/snort/so_rules/precompiled/RHEL-6-0/i386/2.9*/*so /usr/local/snort/lib/snort_dynamicrules/
    • On x86_64 system
cp /usr/local/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9*/*so /usr/local/snort/lib/snort_dynamicrules/
  • Dump the stub rules
snort -c /usr/local/snort/etc/snort.conf --dump-dynamic-rules=/usr/local/snort/so_rules
  • Enable snort dynamic rules configuration in the end of snort.conf file
vi /usr/local/snort/etc/snort.conf
...
# dynamic library rules
include $SO_RULE_PATH/bad-traffic.rules
include $SO_RULE_PATH/chat.rules
include $SO_RULE_PATH/dos.rules
include $SO_RULE_PATH/exploit.rules
include $SO_RULE_PATH/icmp.rules
include $SO_RULE_PATH/imap.rules
include $SO_RULE_PATH/misc.rules
include $SO_RULE_PATH/multimedia.rules
include $SO_RULE_PATH/netbios.rules
include $SO_RULE_PATH/nntp.rules
include $SO_RULE_PATH/p2p.rules
include $SO_RULE_PATH/smtp.rules
include $SO_RULE_PATH/snmp.rules
include $SO_RULE_PATH/specific-threats.rules
include $SO_RULE_PATH/web-activex.rules
include $SO_RULE_PATH/web-client.rules
include $SO_RULE_PATH/web-iis.rules
include $SO_RULE_PATH/web-misc.rules
...
  • Test Snort configuration
snort -c /usr/local/snort/etc/snort.conf -T
  • Update Snort rules automatically

PulledPork is an open-source Perl script that can update your rules files automatically. To install PulledPork, please see the guide Configure Snort automatic rules updating with PulledPork.

Snort installation completed. Now that we have a Snort server writing its data in binary format we need to install Barnyard. Barnyard is an application that reads Snort’s binary files and can output the data to a MySQL server, where it can be used by PHP web applications.

Here is a link for Barnyard Installation.

Please visit http://www.snort.org/ for more information about Snort configuration and usage.

099. Snort Error Messages

  1. Error Message: testing the snort configuration generates the following message:

...
ERROR: snort_stream5_tcp.c(906) Could not initialize tcp session memory pool.
Fatal Error, Quitting..
  • Fix: add more memory, or reduce max_tcp in the snort configuration file
vi /usr/local/snort/etc/snort.conf
preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp no, \
   max_tcp 162144, \
   max_udp 131072, \
   max_active_responses 2, \
   min_response_seconds 5

004. Configure Snort automatic rules updating with PulledPork

Tested On

OS: CentOS-6.3 i386, Ubuntu 12.04 x86_64 LTS, Ubuntu 10.04 x86_64 LTS, Ubuntu 11.10 i386
Snort Version: 2.9.3.1 IPv6 GRE (Build 40)
Hardware: VirtualBox 4.1.22

About

PulledPork is an open-source Perl script that can automatically update Snort rules.

Prerequisite

    • On CentOS
yum install perl-Crypt-SSLeay perl-libwww-perl perl-Archive-Tar -y
    • On Ubuntu
apt-get install libcrypt-ssleay-perl liblwp-useragent-determined-perl -y

Install PulledPork

  • Download and extract PulledPork
cd /usr/local/src/snort
wget http://pulledpork.googlecode.com/files/pulledpork-0.6.1.tar.gz -O pulledpork.tar.gz
cd /usr/local/snort
tar zxvf /usr/local/src/snort/pulledpork.tar.gz
mv pulledpork-0.6.1 pulledpork
  • Generate Oinkcode at Snort web site
    • If you are not already registered on the Snort web site, do it now at https://www.snort.org/signup
    • Log in to the Snort web site
    • Go to the Snort home page and click on “Get Snort Oinkcode” at the bottom of the page, in the “Snort Links” section
    • Click Generate Code and copy your new Oinkcode
  • Change the following in PulledPork configuration file
vi /usr/local/snort/pulledpork/etc/pulledpork.conf
...
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<paste your Oinkcode here>
# get the rule docs!
#rule_url=https://www.snort.org/reg-rules/|opensource.gz|
#rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
# THE FOLLOWING URL is for etpro downloads, note the tarball name change!
# and the et oinkcode requirement!
#rule_url=https://rules.emergingthreats.net/|etpro.rules.tar.gz|
...
rule_path=/usr/local/snort/etc/rules/snort.rules
...
local_rules=/usr/local/snort/etc/rules/local.rules

# Where should I put the sid-msg.map file?
sid_msg=/usr/local/snort/etc/sid-msg.map
...
# Path to the snort binary, we need this to generate the stub files
snort_path=/usr/local/snort/bin/snort

# We need to know where your snort.conf file lives so that we can
# generate the stub files
config_path=/usr/local/snort/etc/snort.conf

# This is the file that contains all of the shared object rules that pulledpork
# has processed, note that this has changed as of 0.4.0 just like the rules_path!
sostub_path=/usr/local/snort/etc/rules/so_rules.rules
...
# For CentOS 6.x use RHEL-6-0
distro=Ubuntu-10.04
...
pid_path=/var/run/snort_eth0.pid
...
  • Change RULE_PATH variable in snort configuration file
vi /usr/local/snort/etc/snort.conf
...
var RULE_PATH /usr/local/snort/etc/rules
...
  • Remove all snort include rules files
sed -i '/^include $RULE_PATH/d' /usr/local/snort/etc/snort.conf
  • Add the following include files to snort configuration file
echo "include \$RULE_PATH/snort.rules" >> /usr/local/snort/etc/snort.conf
echo "include \$RULE_PATH/local.rules" >> /usr/local/snort/etc/snort.conf
echo "include \$RULE_PATH/so_rules.rules" >> /usr/local/snort/etc/snort.conf
  • Create rules directory
mkdir /usr/local/snort/etc/rules
  • Create your local rules file
    • If you have one, copy it
cp /usr/local/snort/rules/local.rules /usr/local/snort/etc/rules/
    • If you don’t have local rules file then create an empty one
touch /usr/local/snort/etc/rules/local.rules
  • Run PulledPork for the first time
/usr/local/snort/pulledpork/pulledpork.pl -c /usr/local/snort/pulledpork/etc/pulledpork.conf
  • Schedule PulledPork to run every day. Add the following line to the end of crontab file
vi /etc/crontab
...
0 0 * * * root /usr/local/snort/pulledpork/pulledpork.pl -c /usr/local/snort/pulledpork/etc/pulledpork.conf
...
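The cron entry above runs PulledPork blind: if a downloaded rule file fails to parse, the next snortd restart fails. The wrapper below is an added example (not part of PulledPork or this guide) that backs up the rule files pulledpork.conf writes, runs PulledPork, validates the result with the same `snort -T` check used earlier, and restarts snortd only when validation passes; BACKUP_DIR, RESTART_CMD and the script's own location are assumptions.

```shell
#!/bin/sh
# Added example (not part of PulledPork or the original guide): run PulledPork,
# then keep the new rules only if "snort -T" accepts them, so a bad download
# cannot leave snortd unable to start. Paths follow the guide; BACKUP_DIR and
# RESTART_CMD are assumptions.
set -u

SNORT_BIN=${SNORT_BIN:-/usr/local/snort/bin/snort}
SNORT_CONF=${SNORT_CONF:-/usr/local/snort/etc/snort.conf}
RULES_DIR=${RULES_DIR:-/usr/local/snort/etc/rules}
PULLEDPORK=${PULLEDPORK:-/usr/local/snort/pulledpork/pulledpork.pl}
PP_CONF=${PP_CONF:-/usr/local/snort/pulledpork/etc/pulledpork.conf}
BACKUP_DIR=${BACKUP_DIR:-/usr/local/snort/etc/rules.bak}      # assumed location
RESTART_CMD=${RESTART_CMD:-"service snortd restart"}         # init script from the Snort guide
LOG_TAG=pulledpork-wrapper

# Timestamped message on stdout (cron mails it) and in syslog when logger exists.
log() {
    echo "$(date '+%F %T') $*"
    command -v logger >/dev/null 2>&1 && logger -t "$LOG_TAG" -- "$*" 2>/dev/null
    return 0
}

# Copy the three files pulledpork.conf points at (rule_path, sostub_path,
# local_rules) so a rejected update can be undone.
backup_rules() {
    mkdir -p "$BACKUP_DIR" || return 1
    for f in snort.rules so_rules.rules local.rules; do
        [ -f "$RULES_DIR/$f" ] && cp -p "$RULES_DIR/$f" "$BACKUP_DIR/$f"
    done
    return 0
}

restore_rules() {
    for f in snort.rules so_rules.rules local.rules; do
        [ -f "$BACKUP_DIR/$f" ] && cp -p "$BACKUP_DIR/$f" "$RULES_DIR/$f"
    done
    return 0
}

# The same check the guide runs by hand: parse snort.conf and every rule file it includes.
config_is_valid() {
    "$SNORT_BIN" -c "$SNORT_CONF" -T >/dev/null 2>&1
}

# Exit codes: 0 rules updated and Snort restarted, 1 PulledPork failed (rules
# untouched), 2 new rules failed validation and the previous set was restored,
# 3 rules updated but the restart command failed.
update_rules() {
    backup_rules || { log "cannot back up $RULES_DIR"; return 1; }
    if ! "$PULLEDPORK" -c "$PP_CONF" >/dev/null 2>&1; then
        log "pulledpork failed; rules untouched"
        return 1
    fi
    if ! config_is_valid; then
        restore_rules
        log "new rules rejected by snort -T; previous rules restored"
        return 2
    fi
    if $RESTART_CMD >/dev/null 2>&1; then
        log "rules updated, snort restarted"
    else
        log "rules updated but restart failed; check snortd"
        return 3
    fi
    return 0
}

# Only act when called with "run" (as from cron); sourcing the file just defines the functions.
case "${1:-}" in run) update_rules ;; esac
```

Schedule it instead of the bare pulledpork.pl line, for example `0 0 * * * root /usr/local/snort/pulledpork/update-rules.sh run`, where the path is the assumed location of this script.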

PulledPork installation completed. Every day PulledPork will now run and update your rules files from the Snort site.

For more information about PulledPork go to http://code.google.com/p/pulledpork/.

103. BASE Installation on Ubuntu

Tested On

OS: Ubuntu 12.04 x86_64 LTS, Ubuntu 11.10 i386, Ubuntu 11.10 x86_64, Ubuntu 10.04 x86_64 LTS, Ubuntu 10.04 i386 LTS, CentOS
Snort Version: 2.9.2.2 IPv6 GRE (Build 121)
Hardware: VirtualBox 4.1.12

About

BASE is a PHP frontend application for Snort. BASE lets you check and analyze your Snort events and alerts from a web browser.

Prerequisite

Install BASE

  • Install apache php and prerequisite packages
apt-get install apache2 libapache2-mod-php5 php5 php5-mysql php5-common php5-gd php5-cli php-pear unzip -y
  • Install pear Image_Graph
pear install -f Image_Graph
  • Download ADODB
cd /usr/local/src/snort
wget http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-514-for-php5/adodb514.zip
cd /var/
unzip /usr/local/src/snort/adodb514.zip
mv adodb5 adodb
  • Download and extract BASE
cd /usr/local/src/snort
wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
cd /var/www/
tar zxvf /usr/local/src/snort/base-1.4.5.tar.gz
mv base-1.4.5 base
  • Configure BASE
cd /var/www/base
cp base_conf.php.dist base_conf.php
vi base_conf.php
...
$BASE_urlpath = '/base';
...
$DBlib_path = '/var/adodb/';
...
$alert_dbname   = 'snort';
$alert_host     = 'localhost';
$alert_port     = '';
$alert_user     = 'snort'; 
$alert_password = 'snort';
...
  • Set permissions on base directory
chown -R www-data:www-data /var/www/base
  • Restart apache
service apache2 restart
  • Browse to snort_ip_address/base/index.php and click on “setup page” link
  • Click on “Create BASE AG” button on the upper right of the page
  • Click on the “Main page” link

That’s all. Now you can work with your new BASE system to analyze Snort data.

Please visit http://www.snort.org/ for more information about Snort configuration and usage.

102. Barnyard Installation on Ubuntu

Tested On

OS: Ubuntu 12.04 x86_64 LTS, Ubuntu 11.10 i386, Ubuntu 11.10 x86_64, Ubuntu 10.04 x86_64 LTS, Ubuntu 10.04 i386 LTS, CentOS
Snort Version: 2.9.2.2 IPv6 GRE (Build 121)
Hardware: VirtualBox 4.1.12

About

Barnyard is an add-on for Snort. It lets Snort write its log and alert data very fast to binary files; Barnyard then reads those files and sends them to whatever output you configure. Here we will configure it to output the data to a MySQL database in order to view the data with a PHP application called BASE.

Prerequisite

Install Barnyard

  • Install MySQL
apt-get install mysql-client libmysqlclient-dev mysql-server git autoconf2.13 libtool -y
  • Create MySQL DB and Set permission
mysqladmin create snort -p
mysql -p
grant ALL PRIVILEGES on snort.* to snort@localhost with GRANT option;
SET PASSWORD FOR snort@localhost=PASSWORD('snort');
\q
  • Download Barnyard and run autogen
cd /usr/local/src/snort
git clone https://github.com/firnsy/barnyard2.git barnyard2
cd barnyard2
./autogen.sh
  • Configure Barnyard
    • On i386 system
./configure --with-mysql
    • On x86_64 system
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
  • Install Barnyard
make && make install
  • Import the Snort database schema
cd /usr/local/src/snort/barnyard2/schemas
mysql -p < create_mysql snort
  • Create Barnyard2 start script
vi /etc/init.d/barnyard2
#!/bin/bash
#
# Init file for Barnyard2
#
#
# chkconfig: 2345 40 60
# description:  Barnyard2 is an output processor for snort.
#
# processname: barnyard2
# config: /etc/sysconfig/barnyard2
# config: /etc/snort/barnyard.conf
# pidfile: /var/lock/subsys/barnyard2.pid


[ -x /usr/sbin/snort ] || exit 1
[ -r /etc/snort/snort.conf ] || exit 1

### Default variables
SYSCONFIG="/etc/default/barnyard2"

### Read configuration
[ -r "$SYSCONFIG" ] && . "$SYSCONFIG"

RETVAL=0
prog="barnyard2"
desc="Snort Output Processor"

start() {
        echo -n $"Starting $desc ($prog): "
        for INT in $INTERFACES; do
                PIDFILE="/var/lock/barnyard2-$INT.pid"
                ARCHIVEDIR="$SNORTDIR/$INT/archive"
                WALDO_FILE="$SNORTDIR/$INT/barnyard2.waldo"
                BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR/${INT} -w $WALDO_FILE -l $SNORTDIR/${INT} -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
                $prog $BARNYARD_OPTS
        done
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/$prog
        return $RETVAL
}

stop() {
        echo -n $"Shutting down $desc ($prog): "
        killall $prog
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/$prog
        return $RETVAL
}

restart() {
        stop
        start
}


reload() {
        echo -n $"Reloading $desc ($prog): "
        killall $prog -HUP
        RETVAL=$?
        echo
        return $RETVAL
}


case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart)
        restart
        ;;
  reload)
        reload
        ;;
  condrestart)
        [ -e /var/lock/$prog ] && restart
        RETVAL=$?
        ;;
  status)
        # pidof instead of the RHEL "status" helper, which this script does not source
        if pidof $prog >/dev/null; then
                echo "$prog is running"
                RETVAL=0
        else
                echo "$prog is stopped"
                RETVAL=3
        fi
        ;;
  *)
        echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
        RETVAL=1
        RETVAL=1
esac

exit $RETVAL
  • Configure Barnyard start script to run at startup
cd /usr/local/src/snort/barnyard2
chmod +x /etc/init.d/barnyard2
cp rpm/barnyard2.config /etc/default/barnyard2
update-rc.d barnyard2 defaults 98
  • Create links for Barnyard files and directory for archive files
ln -s /usr/local/etc/barnyard2.conf /etc/snort/barnyard.conf
ln -s /usr/local/bin/barnyard2 /usr/bin/
mkdir -p /var/log/snort/eth0/archive/
  • Edit LOG_FILE variable in Barnyard default config file
vi /etc/default/barnyard2
...
LOG_FILE="snort.log"
...
  • Edit Barnyard config file and change the output line to
vi /usr/local/etc/barnyard2.conf
...
output database: log, mysql, user=snort password=snort dbname=snort host=localhost
...
  • Start Snort and Barnyard
service snortd start
service barnyard2 start
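The output line above (and the `user=root password=humus` line in the Snorby guides) gives Barnyard2 an account that can do anything to the database server, and the password then sits in a world-readable config file. The script below, added here as an example and not part of Barnyard2 or this guide, creates a dedicated account limited to SELECT, INSERT and UPDATE on the snort schema, rewrites the output line with the new credentials and restricts the file's permissions; the account name `barnyard`, the `MYSQL_CMD` variable and the password length are assumptions.

```shell
#!/bin/sh
# Added example (not part of Barnyard2 or the original guide): give Barnyard2
# its own MySQL account limited to what its database output needs, write the
# new credentials into barnyard2.conf and stop the file being world-readable.
# DB name and config path follow the guide; DB_USER, MYSQL_CMD and the password
# length are assumptions.
set -u

DB_NAME=${DB_NAME:-snort}
DB_USER=${DB_USER:-barnyard}
BARNYARD_CONF=${BARNYARD_CONF:-/usr/local/etc/barnyard2.conf}
MYSQL_CMD=${MYSQL_CMD:-"mysql -u root -p"}   # prompts for the MySQL root password

# 24 random alphanumerics: long enough, and free of shell/config metacharacters.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
}

# SQL to run as MySQL root. Barnyard2 inserts events, reads the sensor and
# signature tables and updates sensor.last_cid, so SELECT/INSERT/UPDATE on the
# schema covers it: no GRANT OPTION, no DROP, no access to other databases.
grant_sql() {
    user=$1; pass=$2
    printf "CREATE USER '%s'@'localhost' IDENTIFIED BY '%s';\n" "$user" "$pass"
    printf "GRANT SELECT, INSERT, UPDATE ON %s.* TO '%s'@'localhost';\n" "$DB_NAME" "$user"
    printf 'FLUSH PRIVILEGES;\n'
}

# Replace the active "output database:" line(s) with one using the new account.
# The ^ anchor leaves the commented-out examples in the sample config alone.
rewrite_output_line() {
    conf=$1; user=$2; pass=$3
    sed -i '/^output database:/d' "$conf" || return 1
    printf 'output database: log, mysql, user=%s password=%s dbname=%s host=localhost\n' \
        "$user" "$pass" "$DB_NAME" >> "$conf"
    chmod 600 "$conf"   # the file now carries a credential; barnyard2 runs as root here
}

# Create the account and repoint barnyard2 at it; run once as root, then restart barnyard2.
apply() {
    pass=$(gen_password) || return 1
    grant_sql "$DB_USER" "$pass" | $MYSQL_CMD || return 1
    rewrite_output_line "$BARNYARD_CONF" "$DB_USER" "$pass"
}

# Only act when called with "apply"; sourcing the file just defines the functions.
case "${1:-}" in apply) apply ;; esac
```

Run it once as root with `sh harden-barnyard-db.sh apply` (assumed filename) and then `service barnyard2 restart`; in the Snorby guides set `DB_NAME=snorby`, since there Barnyard writes into the Snorby database.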

Barnyard installation completed. Now that we have a Snort server and Barnyard writing Snort logs and alerts to a MySQL database, we can install a frontend application like BASE to view and analyze Snort data in a convenient web application.

Here is a link for BASE Installation.

101. Snort installation on Ubuntu

Tested On

OS: Ubuntu 12.04 x86_64 LTS, Ubuntu 11.10 i386, Ubuntu 11.10 x86_64, Ubuntu 10.04 x86_64 LTS, Ubuntu 10.04 i386 LTS, CentOS
Snort Version: 2.9.2.2 IPv6 GRE (Build 121)
Hardware: VirtualBox 4.1.12

About

Snort is a Network Intrusion Detection System (NIDS). Snort sniffs your network and, based on its rule database, alerts you when there is an attack on your network. It is an open-source system built on tcpdump (the Linux sniffer tool).

This guide can be used for installing Snort alone or as part of a series for installing Snort, Barnyard and BASE or Snort, Barnyard and Snorby.

Prerequisite

  • su to root user
sudo su -
  • Install PCRE and libdnet
apt-get install libdnet libdnet-dev libpcre3 libpcre3-dev gcc make flex byacc bison linux-headers-generic libxml2-dev libdumbnet-dev zlib1g zlib1g-dev -y
  • If you are using VirtualBox on Windows in bridged network mode, as I was when I wrote this, you may lose your network connection after installing libdnet (when the “Starting DECnet…” message appears). If so, do the following steps:
    • In the virtual machine console check what is the new MAC address of your network card
ifconfig eth0
eth0 Link encap:Ethernet HWaddr aa:00:04:00:0b:04
inet addr:10.4.1.11 Bcast:10.255.255.255 Mask:255.0.0.0
inet6 addr: fe80::a800:4ff:fe00:b04/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:22693 errors:0 dropped:0 overruns:0 frame:0
TX packets:14585 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:27589885 (27.5 MB) TX bytes:1760895 (1.7 MB)
    • Power off the virtual machine
poweroff
    • Change the MAC address of your network interface in VirtualBox to the new one you got after installing the libdnet package
- In VirtualBox manager click on the snort guest to highlight it
- Click on Setting
- Click on Network
- Click Advanced to expand more option
- Enter your new network MAC address in the "Mac Address:" field
- Click OK
    • Start your virtual machine
- In VirtualBox manager click on the snort guest to highlight it
- Click on Start to start the virtual machine
  • Create dir for Snort prerequisite sources
mkdir /usr/local/src/snort
  • Change dir to the newly created directory
cd /usr/local/src/snort
  • Download and install libpcap
wget http://www.tcpdump.org/release/libpcap-1.3.0.tar.gz
tar zxvf libpcap*
cd libpcap*
./configure && make && make install
ldconfig -v
  • Download and install DAQ
cd /usr/local/src/snort
wget http://snort.org/downloads/2103 -O daq.tar.gz
tar zxvf daq.tar.gz
cd daq*
./configure && make && make install
ldconfig -v

Install Snort

  • Download Snort
cd /usr/local/src/snort
wget http://snort.org/downloads/2112 -O snort.tar.gz
  • Extract and install Snort
tar zxvf snort.tar.gz
cd snort-2*
./configure --enable-sourcefire --prefix /usr/local/snort && make && make install
  • Create snort user and group
groupadd snort
useradd -g snort snort
  • Create links for Snort files
ln -s /usr/local/snort/bin/snort /usr/sbin/
ln -s /usr/local/snort/etc /etc/snort
  • Configure Snort startup script to run at startup
cp rpm/snortd /etc/init.d/
chmod +x /etc/init.d/snortd
cp rpm/snort.sysconfig /etc/default/snort
update-rc.d snortd defaults
  • Make the following changes in the snort startup file
vi /etc/init.d/snortd
...
# Source function library.
. /etc/rc.d/init.d/functions
...
. /etc/default/snort
...
# check if more than one interface is given
if [ `echo $INTERFACE|wc -w` -gt 2 ]; then 
...
daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF
...
daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF
...
else
# Run with a single interface (default) 
daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST $BPFFILE $BPF
fi
...
        touch /var/lock/snort
        echo
        ;;
...
        killall snort
        rm -f /var/lock/snort
        echo
        ;;
...
        condrestart)
        [ -e /var/lock/snort ] && $0 restart
        ;;
...
  • Comment out the following variables in /etc/default/snort and add a trailing / to the LOGDIR variable
vi /etc/default/snort
...
LOGDIR=/var/log/snort/
...
#ALERTMODE=fast
...
#BINARY_LOG=1
...
  • Download the Snort rules file from http://www.snort.org/snort-rules to /usr/local/src/snort
You have to register on the site in order to get the free Registered User rules,
or you can pay and get the most up-to-date rules as a "Subscriber user"
  • Extract the rules file into the newly created directory
cd /usr/local/snort
tar zxvf /usr/local/src/snort/snortrules-snapshot-2*
  • Download snort latest configuration file
wget http://labs.snort.org/snort/2940/snort.conf -O /usr/local/snort/etc/snort.conf
  • Create directory for snort logging
mkdir -p /usr/local/snort/var/log
chown snort:snort /usr/local/snort/var/log
ln -s /usr/local/snort/var/log /var/log/snort

Configure Snort dynamic rules

  • Create links for dynamic rules files and directories
ln -s /usr/local/snort/lib/snort_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
ln -s /usr/local/snort/lib/snort_dynamicengine /usr/local/lib/snort_dynamicengine
ln -s /usr/local/snort/lib/snort_dynamicrules /usr/local/lib/snort_dynamicrules
  • Set snort permissions
chown -R snort:snort /usr/local/snort
  • Comment out or delete all reputation preprocessor configuration lines from snort.conf and configure the output plugin
vi /usr/local/snort/etc/snort.conf
...
#preprocessor reputation: \
# memcap 500, \
# priority whitelist, \
# nested_ip inner, \
#  whitelist $WHITE_LIST_PATH/white_list.rules, \
# blacklist $BLACK_LIST_PATH/black_list.rules
...
output unified2: filename snort.log, limit 128 
...
  • Create the dynamic rules directory
mkdir /usr/local/snort/lib/snort_dynamicrules
  • Copy dynamicrules files
    • i386 system:
cp /usr/local/snort/so_rules/precompiled/Ubuntu-12-04/i386/2.9*/*so /usr/local/snort/lib/snort_dynamicrules
    • x86_64 system:
cp /usr/local/snort/so_rules/precompiled/Ubuntu-12-04/x86-64/2.9*/*so /usr/local/snort/lib/snort_dynamicrules
  • Dump the stub rules
snort -c /usr/local/snort/etc/snort.conf --dump-dynamic-rules=/usr/local/snort/so_rules
  • Enable snort dynamic rules configuration in the end of snort.conf file
vi /usr/local/snort/etc/snort.conf
...
# dynamic library rules
include $SO_RULE_PATH/bad-traffic.rules
include $SO_RULE_PATH/chat.rules
include $SO_RULE_PATH/dos.rules
include $SO_RULE_PATH/exploit.rules
include $SO_RULE_PATH/icmp.rules
include $SO_RULE_PATH/imap.rules
include $SO_RULE_PATH/misc.rules
include $SO_RULE_PATH/multimedia.rules
include $SO_RULE_PATH/netbios.rules
include $SO_RULE_PATH/nntp.rules
include $SO_RULE_PATH/p2p.rules
include $SO_RULE_PATH/smtp.rules
include $SO_RULE_PATH/snmp.rules
include $SO_RULE_PATH/specific-threats.rules
include $SO_RULE_PATH/web-activex.rules
include $SO_RULE_PATH/web-client.rules
include $SO_RULE_PATH/web-iis.rules
include $SO_RULE_PATH/web-misc.rules
...
  • Test Snort configuration
snort -c /usr/local/snort/etc/snort.conf -T
  • Update Snort rules automatically

PulledPork is an open-source Perl script that can update your rules files automatically. To install PulledPork, please see the guide Configure Snort automatic rules updating with PulledPork.

Snort installation completed. Now that we have a Snort server writing its data in binary format we need to install Barnyard. Barnyard is an application that reads Snort’s binary files and can output the data to a MySQL server, where it can be used by PHP web applications.

Here is a link for Barnyard Installation.

Please visit http://www.snort.org/ for more information about Snort configuration and usage.

003. BASE Installation on CentOS

Tested On

OS: CentOS 6.2 i386, CentOS 5.7 i386, CentOS 5.7 x86_64, Ubuntu 10.04 LTS
Snort Version: 2.9.3.1 IPv6 GRE (Build 40)
Barnyard2: 2-1.10
BASE: 1.4.5
Hardware: VirtualBox 4.1.22

About

BASE (Basic Analysis and Security Engine) is a PHP frontend for Snort. BASE lets you view and analyze your Snort events and alerts from a web browser.

Prerequisite

Install BASE

  • Install apache, php, mysql server and prerequisite packages
yum install httpd php php-common php-gd php-cli php-mysql php-pear php-pear-DB php-pear-File unzip mysql-server -y
  • Install pear Image_Graph
pear install -f Image_Graph
  • Configure the MySQL server to start at boot, and start it
chkconfig mysqld on
service mysqld start
  • Create the MySQL DB and grant the snort user access. The guide grants ALL PRIVILEGES WITH GRANT OPTION and uses the password 'snort'; on a real sensor choose a strong password and grant only the privileges Barnyard2 and BASE actually use (neither needs GRANT OPTION).
mysqladmin create snort
mysql
grant ALL PRIVILEGES on snort.* to snort@localhost with GRANT option;
SET PASSWORD FOR snort@localhost=PASSWORD('snort');
\q
cd /usr/local/src/snort/barnyard2/schemas/
mysql snort < create_mysql
  • Edit the Barnyard2 config file and change the output line (the file now contains the database password, so keep it readable by root only)
vi /usr/local/etc/barnyard2.conf
....
output database: log, mysql, user=snort password=snort dbname=snort host=localhost
...
  • Restart Barnyard2
service barnyard2 restart
  • Configure apache to run at startup and start it
chkconfig httpd on
service httpd start
  • Download ADODB
cd /usr/local/src/snort
wget http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-515-for-php5/adodb515.zip -O adodb.zip
cd /var/www
unzip /usr/local/src/snort/adodb.zip
mv adodb5 adodb
  • Download and extract BASE
cd /usr/local/src/snort
wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
cd /var/www/html
tar zxvf /usr/local/src/snort/base-1.4.5.tar.gz
mv base-1.4.5 base
  • Configure BASE (base_conf.php contains the database password; after editing it, make it readable only by root and the apache group)
cd /var/www/html/base
cp base_conf.php.dist base_conf.php
vi base_conf.php
....
$BASE_urlpath = "/base";
$DBlib_path = "/var/www/adodb/";
$DBtype = "mysql";
$alert_dbname   = "snort";
$alert_host     = "localhost";
$alert_port     = "";
$alert_user     = "snort"; 
$alert_password = "snort";
...
  • Browse to http://snort_ip_address/base and click the "Setup page" link
  • Click on “Create BASE AG” button on the upper right of the page
  • Click on the “Main page” link
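
The single snort@localhost account above holds ALL PRIVILEGES WITH GRANT OPTION, although the writer (Barnyard2) and the reader (BASE) need very different things. The script below is an added example, not part of the guide, that provisions the same database with two least-privilege accounts, loads the Barnyard2 schema in the same session, and locks down the two files that end up holding the passwords. The account names by2 and base, the environment variable names, and the privilege sets are this example's own assumptions: the sets are an estimate of the minimum each side uses (Barnyard2 inserts events and updates its sensor row; BASE reads, tags and deletes events and creates its acid_*/base_* tables on the setup page). If the BASE setup page fails with a privilege error, grant what it asks for and revoke it again afterwards.

```bash
#!/bin/sh
# Added example, not part of the original guide: least-privilege provisioning
# of the Snort event database for Barnyard2 (writer) and BASE (web reader).
# Assumed names: database "snort", accounts "by2" and "base"; passwords come
# from BY2_PW and BASE_PW. Root credentials are prompted for once by mysql -p.

DB="${DB:-snort}"
BY2_USER="${BY2_USER:-by2}"
BASE_USER="${BASE_USER:-base}"

# Escape backslashes and single quotes so a password cannot break out of the
# string literal in the generated SQL.
sql_escape() {   # $1 = raw string
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"
}

# Print the SQL for both accounts. Barnyard2: SELECT, INSERT, UPDATE only.
# BASE: additionally DELETE (alert deletion) and CREATE/INDEX for its own
# tables; revoke CREATE and INDEX once the setup page has run. No account
# gets ALL PRIVILEGES, GRANT OPTION, or access outside this database.
provision_sql() {   # $1 = barnyard2 password, $2 = BASE password
    by2_pw=$(sql_escape "$1")
    base_pw=$(sql_escape "$2")
    printf "CREATE USER '%s'@'localhost' IDENTIFIED BY '%s';\n" "$BY2_USER" "$by2_pw"
    printf "GRANT SELECT, INSERT, UPDATE ON %s.* TO '%s'@'localhost';\n" "$DB" "$BY2_USER"
    printf "CREATE USER '%s'@'localhost' IDENTIFIED BY '%s';\n" "$BASE_USER" "$base_pw"
    printf "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, INDEX ON %s.* TO '%s'@'localhost';\n" "$DB" "$BASE_USER"
    printf "FLUSH PRIVILEGES;\n"
}

# Create the database, load the Barnyard2 schema (the guide's create_mysql
# file) and apply the grants, all in one mysql session as root.
apply() {   # $1 = barnyard2 password, $2 = BASE password, $3 = schema file
    {
        printf "CREATE DATABASE IF NOT EXISTS %s;\nUSE %s;\n" "$DB" "$DB"
        cat "$3"
        provision_sql "$1" "$2"
    } | mysql -u root -p
}

# The passwords are written into barnyard2.conf and base_conf.php. Barnyard2
# runs as root under the guide's init script, so its config stays root-only;
# BASE runs under the web server, so its config is readable by that group only.
lock_down() {   # $1 = barnyard2.conf, $2 = base_conf.php, $3 = web server group
    chown root:root "$1" && chmod 600 "$1"
    chown "root:$3" "$2" && chmod 640 "$2"
}

case "${1:-}" in
    sql)   provision_sql "${BY2_PW:?set BY2_PW}" "${BASE_PW:?set BASE_PW}" ;;
    apply) apply "${BY2_PW:?set BY2_PW}" "${BASE_PW:?set BASE_PW}" \
                 "${SCHEMA:-/usr/local/src/snort/barnyard2/schemas/create_mysql}" ;;
    lock)  lock_down /usr/local/etc/barnyard2.conf /var/www/html/base/base_conf.php apache ;;
esac
```

Usage: "BY2_PW=... BASE_PW=... sh provision.sh sql" prints the statements for review, "apply" runs them, "lock" fixes the file permissions. Then point the two frontends at their own accounts: in barnyard2.conf use user=by2 on the output database line, and in base_conf.php set $alert_user = "base" with the matching password.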

That's all. You can now use your new BASE installation to analyze Snort data.

Please visit http://www.snort.org/ for more information about Snort configuration and usage.

002. Barnyard Installation on CentOS

Tested On

OS: CentOS 6.2 i386, CentOS 6.2 x86_64, CentOS 5.7 i386, CentOS 5.7 x86_64, Ubuntu 11.10 32bit
Snort Version: 2.9.3.1 IPv6 GRE (Build 40)
Barnyard2 Version: 2-1.10
Hardware: Virtual Machine (VirtualBox 4.1.22)

About

Barnyard2 is an add-on for Snort. It lets Snort write its log and alert data very fast to binary (unified2) files; Barnyard2 then reads those files and sends the events to whatever output you configure. Here we configure it to write to a MySQL database so the data can be viewed with a PHP application called BASE.

Prerequisite

Install Barnyard

  • Install the MySQL client and development packages, git and libtool
yum install mysql mysql-devel git libtool -y
  • Download Barnyard2 and run autogen
cd /usr/local/src/snort
git clone https://github.com/firnsy/barnyard2.git barnyard2
cd barnyard2
./autogen.sh
  • Configure Barnyard
    • On i386 system
./configure --with-mysql
    • On x86_64 system
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql
  • Install Barnyard
make && make install
  • Configure Barnyard start script to run at startup
cp rpm/barnyard2 /etc/init.d/
chmod +x /etc/init.d/barnyard2
cp rpm/barnyard2.config /etc/sysconfig/barnyard2
chkconfig --add barnyard2
  • Create links for Barnyard files and create archive directory
ln -s /usr/local/etc/barnyard2.conf /etc/snort/barnyard.conf
ln -s /usr/local/bin/barnyard2 /usr/bin/
mkdir /var/log/snort/eth0/archive/
  • Edit the Barnyard2 init script: set the chkconfig start/stop priorities on the "# chkconfig:" line as shown, and on the "BARNYARD_OPTS=" line change -L to -l; then reset chkconfig so it picks up the new priorities
vi /etc/init.d/barnyard2
...
# chkconfig: 2345 70 60
...
BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR/${INT} -w $WALDO_FILE -l $SNORTDIR/${INT} -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
...
chkconfig barnyard2 reset
  • Edit the LOG_FILE variable in the Barnyard2 sysconfig file so it matches the filename on Snort's "output unified2:" line
vi /etc/sysconfig/barnyard2
...  
LOG_FILE="snort.log"
...
  • Start Snort and Barnyard2
service snortd start
service barnyard2 start
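
The most common first-run failure here is silent: Barnyard2 starts, but the LOG_FILE base name in /etc/sysconfig/barnyard2 does not match the filename on Snort's "output unified2:" line (or the spool and archive directories are missing), so Barnyard2 waits forever on a file Snort never writes and nothing reaches MySQL. The script below is an added example, not part of the guide, that checks those three things before "service barnyard2 start". The default paths follow the guide's layout (spool directory /var/log/snort/eth0, archive directory /var/log/snort/eth0/archive); the function and variable names are this example's own.

```bash
#!/bin/sh
# Added example, not part of the original guide: preflight for the
# Snort -> Barnyard2 handoff. Barnyard2 tails "<spool dir>/<LOG_FILE>.<ts>",
# so LOG_FILE in the sysconfig file must equal the unified2 filename in
# snort.conf, and the spool and archive directories must exist.
# Paths default to the guide's layout; override them via the environment.

SNORT_CONF="${SNORT_CONF:-/usr/local/snort/etc/snort.conf}"
BY2_SYSCONFIG="${BY2_SYSCONFIG:-/etc/sysconfig/barnyard2}"
SPOOL_DIR="${SPOOL_DIR:-/var/log/snort/eth0}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/log/snort/eth0/archive}"

# Base filename from the first active "output unified2: filename X, ..." line.
unified2_basename() {   # $1 = snort.conf
    sed -n 's/^[[:space:]]*output[[:space:]]*unified2:.*filename[[:space:]]*\([^,[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Value of VAR="value" (quotes optional) from a sysconfig file; commented
# lines are ignored and the last assignment wins, as in the shell.
sysconfig_value() {   # $1 = file, $2 = variable name
    sed -n "s/^[[:space:]]*$2=\"\\{0,1\\}\\([^\"[:space:]]*\\).*/\\1/p" "$1" | tail -n 1
}

# Return 0 when snort.conf and the sysconfig agree and both directories exist;
# report each problem on stderr and return 1 otherwise. A missing spool file
# is only a warning: it is normal before Snort has seen traffic, but after
# that it means Snort is not logging where Barnyard2 is looking.
preflight() {   # $1 = snort.conf, $2 = sysconfig, $3 = spool dir, $4 = archive dir
    rc=0
    base=$(unified2_basename "$1")
    log=$(sysconfig_value "$2" LOG_FILE)
    if [ -z "$base" ]; then
        echo "no active 'output unified2:' line in $1" >&2; rc=1
    elif [ "$base" != "$log" ]; then
        echo "LOG_FILE='$log' in $2 does not match unified2 filename '$base' in $1" >&2; rc=1
    fi
    for d in "$3" "$4"; do
        [ -d "$d" ] || { echo "missing directory $d" >&2; rc=1; }
    done
    if [ -n "$base" ] && ! ls "$3/$base".* >/dev/null 2>&1; then
        echo "warning: no $base.* spool file in $3 yet" >&2
    fi
    return $rc
}

# "sh by2_preflight.sh --check" exits non-zero on any mismatch.
case "${1:-}" in
    --check) preflight "$SNORT_CONF" "$BY2_SYSCONFIG" "$SPOOL_DIR" "$ARCHIVE_DIR" ;;
esac
```

Run it with --check after editing the sysconfig file and before starting Barnyard2; if Snort is already running and it still warns about a missing spool file, compare the -l/-d directories in BARNYARD_OPTS with the directory Snort was started with.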

Barnyard2 installation completed. Now that we have a Snort server and Barnyard2 writing Snort events to the database, we can install a frontend application such as BASE or Snorby to view and analyze the Snort data in a convenient web application.

Here is a link for Snorby Installation.
Here is a link for BASE Installation.