
Ubuntu 14.04 64 bit

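sudo apt-get update

# Build toolchain and the libraries DAQ/Snort are compiled against. One command;
# the original listing wrapped it over two lines, which does not paste correctly.
sudo apt-get install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev \
  bison flex zlib1g-dev liblzma-dev openssl libssl-dev

# Working directory for every source download below. -p keeps the step
# idempotent (the same directory is created again further down in the guide).
mkdir -p ~/snort_src
cd ~/snort_src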

# Ubuntu 14 only (not Ubuntu 16)


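# Build nghttp2 from source (the comment above limits this step to Ubuntu 14).
sudo apt-get install -y autoconf libtool pkg-config
cd ~/snort_src
# Release URL on one line (it was wrapped in the original listing).
wget https://github.com/nghttp2/nghttp2/releases/download/v1.17.0/nghttp2-1.17.0.tar.gz
# NOTE(review): nothing verifies the download; compare the archive with the
# checksum the nghttp2 project publishes for this release before building it.
tar -xzvf nghttp2-1.17.0.tar.gz
cd nghttp2-1.17.0
autoreconf -i --force
automake
autoconf
# Library only; the nghttp2 command-line tools are not needed here.
./configure --enable-lib-only
make
sudo make install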

#
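# Build and install DAQ, Snort's packet acquisition library.
# -p: ~/snort_src already exists from the first step; a plain mkdir fails here.
mkdir -p ~/snort_src
cd ~/snort_src
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
# NOTE(review): the guide does no integrity check; verify the archive against the
# checksum published on snort.org before extracting.
tar -xvzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure
make
sudo make install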

cd ~/snort_src
# NOTE(review): this fetches the Snort tarball from a MacPorts distfiles mirror
# rather than from snort.org; verify the archive against the checksum/signature
# the Snort project publishes before building it.
wget https://distfiles.macports.org/snort/snort-2.9.8.0.tar.gz
tar -xvzf snort-2.9.8.0.tar.gz
cd snort-2.9.8.0
./configure --enable-sourcefire
make
sudo make install

# Refresh the shared-library cache so the freshly installed libraries are found.
sudo ldconfig

# Expose the /usr/local binary under /usr/sbin (ln -s fails if the link exists).
sudo ln -s /usr/local/bin/snort /usr/sbin/snort

# Sanity check: print the version to confirm the binary runs.
/usr/sbin/snort -V

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# Dedicated unprivileged account that Snort and Barnyard2 drop to (-u/-g later).
sudo groupadd snort


# -r: system account; -s /sbin/nologin: no interactive shell; -c: GECOS comment;
# -g snort: primary group. NOTE(review): on Ubuntu the nologin binary is usually
# /usr/sbin/nologin — confirm the path given here exists on the target host.
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort

# Create the Snort directories:


sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
# iplists: the reputation lists referenced by WHITE_LIST_PATH/BLACK_LIST_PATH below.
sudo mkdir /etc/snort/rules/iplists
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules
# Create the (initially empty) rule and IP-list files that snort.conf will reference
sudo touch /etc/snort/rules/iplists/black_list.rules
sudo touch /etc/snort/rules/iplists/white_list.rules
sudo touch /etc/snort/rules/local.rules
# sid-msg.map: signature-id to message map; PulledPork writes it (sid_msg setting below).
sudo touch /etc/snort/sid-msg.map

# Create our logging directories:


# Snort's log directory (the unified2 output configured below lands here) plus an archive subdirectory.
sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs

# Adjust permissions:
# Mode 5775 = setuid + setgid + rwxrwxr-x, applied recursively to every file and
# directory. NOTE(review): the setuid bit is ignored on directories and serves no
# purpose on rule/config files; the setgid bit is what keeps new files in the
# snort group, so 2775 would give the same effect without the extra bit.
# Group-write also means the snort account (which the daemon runs as later) can
# rewrite its own rules and config — consider read-only for the daemon.
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
# The next two paths are already inside the trees handled above.
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules

# Change Ownership on folders:


# Hand the config, log and dynamic-rule trees to the snort account.
# NOTE(review): on Linux, chown on a regular file clears its setuid/setgid bits,
# so the 5775 bits set just above likely survive only on the directories —
# check with ls -l if those bits matter.
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules

# Copy the stock configuration, map and DTD files shipped with the Snort source
# into /etc/snort (the globs are intentionally unquoted so they expand).
cd ~/snort_src/snort-2.9.8.0/etc/
sudo cp *.conf* /etc/snort
sudo cp *.map /etc/snort
sudo cp *.dtd /etc/snort

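# Install the prebuilt dynamic preprocessor libraries. The source path is one
# line (it was wrapped in the original listing and would not paste correctly).
cd ~/snort_src/snort-2.9.8.0/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/
sudo cp * /usr/local/lib/snort_dynamicpreprocessor/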

# Comment out every "include $RULE_PATH/..." line so no bundled rule file is
# loaded; the local.rules include is re-enabled by hand further down.
sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf

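# Edit as root: after the chown above the file is owned by snort:snort and is not
# writable by an ordinary admin account, so a plain nano could not save changes
# (the later edits in this guide also use sudo).
sudo nano /etc/snort/snort.conf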

# snort.conf edits; "# line N" marks the line in the stock 2.9.8.0 file.
# HOME_NET is the address space Snort protects; 10.0.0.0/24 is the guide's
# example and must be set to the monitored network.
ipvar HOME_NET 10.0.0.0/24 # line 45


# Rule locations created earlier in the guide.
var RULE_PATH /etc/snort/rules # line 104
var SO_RULE_PATH /etc/snort/so_rules # line 105
var PREPROC_RULE_PATH /etc/snort/preproc_rules # line 106

# Reputation lists (the empty white_list/black_list.rules files created above).
var WHITE_LIST_PATH /etc/snort/rules/iplists # line 113


var BLACK_LIST_PATH /etc/snort/rules/iplists # line 114

# The only include left active after the sed that commented out the rest.
include $RULE_PATH/local.rules # line 546

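# -T: parse the configuration and report errors, then exit without capturing.
sudo snort -T -c /etc/snort/snort.conf -i venet0

# Edit as root: the file is owned by snort:snort and not writable by other users.
sudo nano /etc/snort/rules/local.rules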

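# local.rules: a deliberately simple rule to prove the capture-to-alert path
# works. One line (it was wrapped in the original listing). sid 10000001 is in
# the range conventionally reserved for locally written rules.
alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; GID:1; sid:10000001; rev:001; classtype:icmp-event;)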

# Re-run the configuration test so the new local rule is parsed.
sudo snort -T -c /etc/snort/snort.conf -i venet0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
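# MySQL server/client plus the client headers Barnyard2 links against. One
# command (it was wrapped in the original listing).
sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf \
  libtool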

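# Edit as root (the file is owned by snort:snort and not writable by other
# users) to add the unified2 output line shown below.
sudo nano /etc/snort/snort.conf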

# snort.conf: write alerts in binary unified2 format to snort.u2* files under the
# log directory, rolling at 128 MB. Barnyard2 reads these (its -d/-f flags below).
output unified2: filename snort.u2, limit 128

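cd ~/snort_src
# Pinned Barnyard2 commit fetched as a tarball. URL and commit hash are one line
# (they were wrapped in the original listing); the hash matches the mv below.
wget https://github.com/firnsy/barnyard2/archive/7254c24702392288fe6be948f88afb74040f6dc9.tar.gz -O barnyard2-2-1.14-336.tar.gz
tar zxvf barnyard2-2-1.14-336.tar.gz
mv barnyard2-7254c24702392288fe6be948f88afb74040f6dc9 barnyard2-2-1.14-336
cd barnyard2-2-1.14-336
autoreconf -fvi -I ./m4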

# Ubuntu's libdumbnet ships its header as dumbnet.h; presumably Barnyard2 looks
# for dnet.h, so provide that name via a symlink.
sudo ln -s /usr/include/dumbnet.h /usr/include/dnet.h


sudo ldconfig

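# Configure against the MySQL client library. Run exactly ONE of these; the
# guide targets "Ubuntu 14.04 64 bit", so the x86_64 line is the active one.
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu

# 32-bit i386 installs only: use this instead of the line above.
# ./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu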

make
sudo make install

cd ~/snort_src/barnyard2-2-1.14-336
# Stock config; the database output line is added to it below.
sudo cp etc/barnyard2.conf /etc/snort

# the /var/log/barnyard2 folder is never used or referenced


# but barnyard2 will error without it existing
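sudo mkdir /var/log/barnyard2
# user:group form — the "user.group" spelling in the original is deprecated in
# GNU chown and ambiguous for account names that contain a dot.
sudo chown snort:snort /var/log/barnyard2

# Waldo file: Barnyard2's bookmark of how far it has read the unified2 files.
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort:snort /var/log/snort/barnyard2.waldo
# Already created earlier in the guide; touch is harmless on an existing file.
sudo touch /etc/snort/sid-msg.map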

$ mysql -u root -p
mysql> create database snort;
mysql> use snort;

# `schema`: Barnyard2 schema version marker (vseq 107) and its creation time.
CREATE TABLE `schema` ( vseq INT UNSIGNED NOT NULL,


ctime DATETIME NOT NULL,
PRIMARY KEY (vseq));
INSERT INTO `schema` (vseq, ctime) VALUES ('107', now());

# event: one row per alert, keyed by (sensor id, per-sensor event counter).
# `signature` is expected to match signature.sig_id; no foreign key is declared.
CREATE TABLE event ( sid INT UNSIGNED NOT NULL,


cid INT UNSIGNED NOT NULL,
signature INT UNSIGNED NOT NULL,
timestamp DATETIME NOT NULL,
PRIMARY KEY (sid,cid),
INDEX sig (signature),
INDEX time (timestamp));

# signature: one row per distinct rule (name, class, priority, rev, sid, gid).
# sign_idx indexes only the first 20 characters of sig_name.
CREATE TABLE signature ( sig_id INT UNSIGNED NOT NULL


AUTO_INCREMENT,
sig_name VARCHAR(255) NOT NULL,
sig_class_id INT UNSIGNED NOT NULL,
sig_priority INT UNSIGNED,
sig_rev INT UNSIGNED,
sig_sid INT UNSIGNED,
sig_gid INT UNSIGNED,
PRIMARY KEY (sig_id),
INDEX sign_idx (sig_name(20)),
INDEX sig_class_id_idx (sig_class_id));

# sig_reference: links a signature to its external references, ordered by ref_seq.
CREATE TABLE sig_reference (sig_id INT UNSIGNED NOT NULL,


ref_seq INT UNSIGNED NOT NULL,
ref_id INT UNSIGNED NOT NULL,
PRIMARY KEY(sig_id, ref_seq));

# reference: the tag text of one external reference within a reference system.
CREATE TABLE reference ( ref_id INT UNSIGNED NOT NULL


AUTO_INCREMENT,
ref_system_id INT UNSIGNED NOT NULL,
ref_tag TEXT NOT NULL,
PRIMARY KEY (ref_id));

# reference_system: lookup of reference system names.
CREATE TABLE reference_system ( ref_system_id INT UNSIGNED NOT NULL


AUTO_INCREMENT,
ref_system_name VARCHAR(20),
PRIMARY KEY (ref_system_id));

# sig_class: lookup of classtype names (e.g. icmp-event used in local.rules above).
# The explicit INDEX on sig_class_id duplicates the primary key.
CREATE TABLE sig_class ( sig_class_id INT UNSIGNED NOT NULL


AUTO_INCREMENT,
sig_class_name VARCHAR(60) NOT NULL,
PRIMARY KEY (sig_class_id),
INDEX (sig_class_id),
INDEX (sig_class_name));

# store info about the sensor supplying data


# sensor: one row per data source; hostname/interface/filter describe where the
# events came from, detail/encoding reference the lookup tables further down,
# and last_cid is the last event counter issued for this sensor.
CREATE TABLE sensor ( sid INT UNSIGNED NOT NULL AUTO_INCREMENT,
hostname TEXT,
interface TEXT,
filter TEXT,
detail TINYINT,
encoding TINYINT,
last_cid INT UNSIGNED NOT NULL,
PRIMARY KEY (sid));

# All of the fields of an ip header


# iphdr: decoded IP header of the alerting packet. ip_src/ip_dst are 32-bit
# unsigned integers, i.e. this layout stores IPv4 addresses only.
CREATE TABLE iphdr ( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
ip_src INT UNSIGNED NOT NULL,
ip_dst INT UNSIGNED NOT NULL,
ip_ver TINYINT UNSIGNED,
ip_hlen TINYINT UNSIGNED,
ip_tos TINYINT UNSIGNED,
ip_len SMALLINT UNSIGNED,
ip_id SMALLINT UNSIGNED,
ip_flags TINYINT UNSIGNED,
ip_off SMALLINT UNSIGNED,
ip_ttl TINYINT UNSIGNED,
ip_proto TINYINT UNSIGNED NOT NULL,
ip_csum SMALLINT UNSIGNED,
PRIMARY KEY (sid,cid),
INDEX ip_src (ip_src),
INDEX ip_dst (ip_dst));
# All of the fields of a tcp header; (sid,cid) ties each row to its event row.
CREATE TABLE tcphdr( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
tcp_sport SMALLINT UNSIGNED NOT NULL,
tcp_dport SMALLINT UNSIGNED NOT NULL,
tcp_seq INT UNSIGNED,
tcp_ack INT UNSIGNED,
tcp_off TINYINT UNSIGNED,
tcp_res TINYINT UNSIGNED,
tcp_flags TINYINT UNSIGNED NOT NULL,
tcp_win SMALLINT UNSIGNED,
tcp_csum SMALLINT UNSIGNED,
tcp_urp SMALLINT UNSIGNED,
PRIMARY KEY (sid,cid),
INDEX tcp_sport (tcp_sport),
INDEX tcp_dport (tcp_dport),
INDEX tcp_flags (tcp_flags));

# All of the fields of a udp header


CREATE TABLE udphdr( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
udp_sport SMALLINT UNSIGNED NOT NULL,
udp_dport SMALLINT UNSIGNED NOT NULL,
udp_len SMALLINT UNSIGNED,
udp_csum SMALLINT UNSIGNED,
PRIMARY KEY (sid,cid),
INDEX udp_sport (udp_sport),
INDEX udp_dport (udp_dport));

# All of the fields of an icmp header (the ICMP test rule above lands here)


CREATE TABLE icmphdr( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
icmp_type TINYINT UNSIGNED NOT NULL,
icmp_code TINYINT UNSIGNED NOT NULL,
icmp_csum SMALLINT UNSIGNED,
icmp_id SMALLINT UNSIGNED,
icmp_seq SMALLINT UNSIGNED,
PRIMARY KEY (sid,cid),
INDEX icmp_type (icmp_type));

# Protocol options
# opt: one row per protocol option of the packet (optid orders them per event).
CREATE TABLE opt ( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
optid INT UNSIGNED NOT NULL,
opt_proto TINYINT UNSIGNED NOT NULL,
opt_code TINYINT UNSIGNED NOT NULL,
opt_len SMALLINT,
opt_data TEXT,
PRIMARY KEY (sid,cid,optid));

# Packet payload, stored as text — presumably in the form named by
# sensor.encoding (see the encoding lookup table below).
CREATE TABLE data ( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
data_payload TEXT,
PRIMARY KEY (sid,cid));

# encoding is a lookup table for storing encoding types


# encoding: lookup for sensor.encoding (0 hex, 1 base64, 2 ascii).
CREATE TABLE encoding(encoding_type TINYINT UNSIGNED NOT NULL,
encoding_text TEXT NOT NULL,
PRIMARY KEY (encoding_type));
INSERT INTO encoding (encoding_type, encoding_text) VALUES (0, 'hex');
INSERT INTO encoding (encoding_type, encoding_text) VALUES (1, 'base64');
INSERT INTO encoding (encoding_type, encoding_text) VALUES (2, 'ascii');

# detail: lookup for sensor.detail (0 fast, 1 full)


CREATE TABLE detail (detail_type TINYINT UNSIGNED NOT NULL,
detail_text TEXT NOT NULL,
PRIMARY KEY (detail_type));
INSERT INTO detail (detail_type, detail_text) VALUES (0, 'fast');
INSERT INTO detail (detail_type, detail_text) VALUES (1, 'full');

mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY 'MYSQLSNORTPASSWORD';


mysql> grant create, insert, select, delete, update on snort.* to 'snort'@'localhost';
mysql> exit

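# barnyard2.conf: write decoded unified2 events to the MySQL 'snort' database.
# One line (it was wrapped in the original listing). The password is stored in
# clear text here, which is why the file is made unreadable to others next.
output database: log, mysql, user=snort password=MYSQLSNORTPASSWORD dbname=snort host=localhost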

# barnyard2.conf now holds the MySQL password in clear text: strip world-read.
# It remains readable by the file's owner and group.
sudo chmod o-r /etc/snort/barnyard2.conf

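# Start Snort detached (-D) and quiet (-q), dropping to the unprivileged
# snort user/group after initialisation. One line (wrapped in the original).
sudo /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i venet0 -D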

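# Run Barnyard2 in the foreground: read snort.u2* from /var/log/snort, keep its
# read position in the waldo file, and drop to snort:snort. One line (wrapped
# in the original listing).
sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort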

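# Show running snort processes (exact name match) before stopping them.
pgrep -a -x snort
# Stop the detached Snort. The original listing killed a hard-coded PID (1296)
# from the author's machine; a literal PID from a guide must never be reused.
sudo pkill -x snort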

# Perl modules PulledPork needs (SSL support for LWP, going by the package names).
sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl

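cd ~/snort_src
# Pinned PulledPork commit fetched as a tarball. URL and commit hash are one
# line (they were wrapped in the original listing); the hash matches the mv below.
wget https://github.com/finchy/pulledpork/archive/66241690356d54faa509625a78f80f326b75c339.tar.gz -O pulledpork-0.7.2-194.tar.gz
# Standard flag order; the original "xvfvz" relied on old-style option parsing.
tar xzvf pulledpork-0.7.2-194.tar.gz
mv pulledpork-66241690356d54faa509625a78f80f326b75c339 pulledpork-0.7.2-194

cd pulledpork-0.7.2-194/
# Install the script system-wide (it runs as root from cron later) and its configs.
sudo cp pulledpork.pl /usr/local/bin
sudo chmod +x /usr/local/bin/pulledpork.pl
sudo cp etc/*.conf /etc/snort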

# Edit PulledPork's config as root; the settings to change are listed below.
sudo vi /etc/snort/pulledpork.conf

Line 19 & 26: enter your oinkcode where appropriate (or comment out if you have no oinkcode)
Line 29: Un-comment for Emerging threats ruleset (not tested with this guide)
Line 74: change to: rule_path=/etc/snort/rules/snort.rules
Line 89: change to: local_rules=/etc/snort/rules/local.rules
Line 92: change to: sid_msg=/etc/snort/sid-msg.map
Line 96: change to: sid_msg_version=2

Line 119: change to: config_path=/etc/snort/snort.conf

Line 133: change to: distro=Ubuntu-12-04

Line 141: change to: black_list=/etc/snort/rules/iplists/black_list.rules


Line 150: change to: IPRVersion=/etc/snort/rules/iplists

# Download and merge the rulesets configured above; runs as root and writes
# into /etc/snort/rules (rule_path setting).
sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l

sudo vi /etc/snort/snort.conf

# NOTE(review): this sed comments out every "include $RULE_PATH/..." line again,
# including anything added in the vi step just before it; make sure the include
# for PulledPork's output file (rule_path above: /etc/snort/rules/snort.rules)
# is still active before running the -T test.
sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf

sudo snort -T -c /etc/snort/snort.conf -i venet0

# NOTE(review): this start uses -i eth0 while the tests and the earlier start
# used venet0; use the interface that actually carries the monitored traffic.
sudo /usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D


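# Same Barnyard2 invocation as before, now detached (-D). One line (wrapped in
# the original listing).
sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort -D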

# End-to-end check: count the rows Barnyard2 has written. -p with no value
# prompts for the password so it never appears in argv or ps output.
mysql -u snort -p -D snort -e "select count(*) from event"

(enter MYSQLSNORTPASSWORD at the password prompt)

# root's crontab: refresh the rules with PulledPork daily at 04:01.
sudo crontab -e

01 04 * * * /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l

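# Show running snort processes (exact name match) before stopping them.
pgrep -a -x snort
# Stop the detached Snort. The original listing killed a hard-coded PID (1296)
# from the author's machine; a literal PID from a guide must never be reused.
sudo pkill -x snort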

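# Snorby prerequisites: web server, image/XML libraries, git and Ruby 1.9.3.
# One command (it was wrapped in the original listing).
sudo apt-get install -y imagemagick apache2 libyaml-dev libxml2-dev libxslt-dev git \
  ruby1.9.3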

# Skip rdoc/ri generation for gem installs, for this user and system-wide.
echo "gem: --no-rdoc --no-ri" > ~/.gemrc


sudo sh -c "echo gem: --no-rdoc --no-ri > /etc/gemrc"

# These gems will also install other required gems


# Gems pinned to the versions the guide gives, installed system-wide as root.
# NOTE(review): gem install fetches and builds code from rubygems.org without
# any verification here; treat it as a supply-chain step.
sudo gem install wkhtmltopdf
sudo gem install bundler -v 1.0.10
sudo gem install rails -v 3.0
sudo gem install rake --version=0.9.2

cd ~/snort_src/
wget https://github.com/Snorby/snorby/archive/v2.6.2.tar.gz -O snorby-2.6.2.tar.gz
tar xzvf snorby-2.6.2.tar.gz
# Install the application under the Apache document root.
sudo cp -r ./snorby-2.6.2/ /var/www/html/snorby/
cd /var/www/html/snorby
# NOTE(review): bundler runs as root here and installs (and builds native
# extensions for) every gem the application declares, at whatever versions it
# pins — none of which this guide reviews.
sudo bundle install

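# Copy and edit the database config (the cp is one line; it was wrapped in the
# original listing). The edit puts the MySQL root password into this file.
sudo cp /var/www/html/snorby/config/database.yml.example /var/www/html/snorby/config/database.yml
# The file will hold a database password: make it unreadable to other users,
# as the guide already does for barnyard2.conf.
sudo chmod o-r /var/www/html/snorby/config/database.yml
sudo vi /var/www/html/snorby/config/database.yml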

Enter the MySQL root password (MySqlROOTpassword) in database.yml.

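# Copy the application config (one line; it was wrapped in the original listing).
sudo cp /var/www/html/snorby/config/snorby_config.yml.example /var/www/html/snorby/config/snorby_config.yml
# Point Snorby at /usr/bin/wkhtmltopdf. Using '#' as the sed delimiter avoids
# escaping every slash; this is the same substitution as the original, on one line.
sudo sed -i 's#/usr/local/bin/wkhtmltopdf#/usr/bin/wkhtmltopdf#g' /var/www/html/snorby/config/snorby_config.yml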

cd /var/www/html/snorby
# Presumably creates and seeds the snorby database with the credentials from
# database.yml (the MySQL root account at this point in the guide).
sudo bundle exec rake snorby:setup

$ mysql -u root -p
mysql> create user 'snorby'@'localhost' IDENTIFIED BY 'PASSWORD123';
mysql> grant all privileges on snorby.* to 'snorby'@'localhost' with grant option;
mysql> flush privileges;
mysql> exit

# Replace the root credentials with the snorby user created just above.
# NOTE(review): that user was granted ALL PRIVILEGES ... WITH GRANT OPTION on
# snorby.*; the grant option is not something a web application needs.
sudo vi /var/www/html/snorby/config/database.yml

cd /var/www/html/snorby/
# Starts the Rails built-in server as root in production mode, in the
# foreground. NOTE(review): the built-in server typically listens on all
# interfaces on port 3000 — for anything beyond a quick check, bind it to
# localhost or front it with the apache2 installed earlier, and run it as a
# non-root user.
sudo bundle exec rails server -e production
