Difference between revisions of "Snort IDS installation"
(→Oinkmaster)
Line 31: | Line 31: | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
apt-get install snort snort-doc snort-rules-default snort-common snort-common-libraries oinkmaster | apt-get install snort snort-doc snort-rules-default snort-common snort-common-libraries oinkmaster | ||
+ | apt-get install libcrypt-ssleay-perl liblwp-protocol-https-perl | ||
</syntaxhighlight> | </syntaxhighlight> | ||
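Review bot: the new `apt-get install libcrypt-ssleay-perl liblwp-protocol-https-perl` line carries no explanation in the Packages section, which at this point only talks about Snort itself; these are the Perl HTTPS modules that the Pulled Pork script added further down in this revision needs for its https rule_url entries, so add a one-line comment above it saying so (for example `# Perl HTTPS support, needed by pulledpork.pl`).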
Line 75: | Line 76: | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
− | snort - | + | snort -V |
</syntaxhighlight> | </syntaxhighlight> | ||
− | you should see something like that | + | you should see something like that: |
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
− | |||
,,_ -*> Snort! <*- | ,,_ -*> Snort! <*- | ||
o" )~ Version 2.9.6.0 GRE (Build 47) | o" )~ Version 2.9.6.0 GRE (Build 47) | ||
Line 91: | Line 91: | ||
Using PCRE version: 8.31 2012-07-06 | Using PCRE version: 8.31 2012-07-06 | ||
Using ZLIB version: 1.2.8 | Using ZLIB version: 1.2.8 | ||
− | |||
</syntaxhighlight> | </syntaxhighlight> | ||
Line 110: | Line 109: | ||
==Oinkmaster== | ==Oinkmaster== | ||
+ | |||
+ | Oinkmaster is THE reference tool to get the rules updates. However, that's a pain to configure. :'( | ||
+ | |||
+ | |||
+ | Instead of that, the community as created [https://code.google.com/p/pulledpork/|"Pulled Pork"]: that's a script that does the configuration for you. | ||
+ | |||
+ | |||
+ | ==Pulled Pork== | ||
+ | |||
+ | Get the latest version of Pulled Pork: https://code.google.com/p/pulledpork/downloads/list | ||
+ | |||
+ | <syntaxhighlight lang="bash"> | ||
+ | cd /tmp && wget https://pulledpork.googlecode.com/files/pulledpork-0.7.0.tar.gz | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | Unzip the archive and open it | ||
+ | |||
+ | <syntaxhighlight lang="bash"> | ||
+ | tar xvf pulledpork-0.7.0.tar.gz | ||
+ | cd pulledpork-0.7.0 | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | Copy configuration files to the /etc/snort + start script (pulledpork.pl) to the /usr/local/bin/ directory. | ||
+ | |||
+ | <syntaxhighlight lang="bash"> | ||
+ | cp pulledpork.pl /usr/local/bin/pulledpork.pl | ||
+ | chmod 755 /usr/local/bin/pulledpork.pl | ||
+ | cp etc/* /etc/snort/ | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | Edit PulledPork configuration | ||
+ | |||
+ | <syntaxhighlight lang="bash"> | ||
+ | vim /etc/snort/pulledpork.conf | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | Set / adjust the following settings: | ||
+ | |||
+ | <syntaxhighlight lang="bash"> | ||
+ | ## Set your OinkCode | ||
+ | ## Lines 19,21,24,26 replace <oinkcode> by your own. | ||
+ | rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode> | ||
+ | rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community | ||
+ | rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open | ||
+ | rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode> | ||
+ | |||
+ | ## Line 72 (default = /usr/local/etc/snort/rules/snort.rules) | ||
+ | rule_path=/etc/snort/rules/snort.rules | ||
+ | |||
+ | ## Line 87 (default = /usr/local/etc/snort/rules/local.rules) | ||
+ | local_rules=/etc/snort/rules/local.rules | ||
+ | |||
+ | ## Line 90 (default = /usr/local/etc/snort/sid-msg.map) | ||
+ | sid_msg=/etc/snort/sid-msg.map | ||
+ | |||
+ | ## Line 110 (default = /usr/local/lib/snort_dynamicrules/) | ||
+ | sorule_path=/usr/lib/snort_dynamicrules/ | ||
+ | |||
+ | ## Line 113 (default = /usr/local/bin/snort) | ||
+ | snort_path=/usr/sbin/snort | ||
+ | |||
+ | ## Line 117 (default = /usr/local/etc/snort/snort.conf) | ||
+ | config_path=/etc/snort/snort.conf | ||
+ | |||
+ | ## Line 131 | ||
+ | distro=Ubuntu-14.04 | ||
+ | |||
+ | ## Line 139 (default = /usr/local/etc/snort/rules/iplists/default.blacklist) | ||
+ | black_list=/etc/snort/rules/iplists/default.blacklist | ||
+ | |||
+ | ## Line 148 (default = /usr/local/etc/snort/rules/iplists) | ||
+ | IPRVersion=/etc/snort/rules/iplists | ||
+ | |||
+ | ## Line 190 uncomment the snort_version line | ||
+ | ###### | ||
+ | # Put your right version like 2.9.6.0 | ||
+ | # You can check what are the available versions on https://www.snort.org/downloads/#rule- | ||
+ | # Usually there is no 2.9.6.0 but 2.9.6.1, 2.9.6.2,... instead | ||
+ | ### | ||
+ | snort_version=2.9.6.1 | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | Create an entry in crontab to automate the process of keeping the Snort rules up to date. | ||
+ | |||
+ | 0 2 * * * pulledpork.pl -c /etc/snort/pulledpork.conf -H -v >> /var/log/pulledpork 2>&1 #Update Snort Rules | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | cd /usr/local/bin | ||
+ | wget http://pulledpork.googlecode.com/svn/trunk/pulledpork.pl | ||
+ | chmod 755 pulledpork.pl | ||
+ | |||
+ | |||
+ | mkdir /etc/pulledpork | ||
+ | cd /etc/pulledpork | ||
+ | wget http://www.rivy.org/custom/pulledpork.conf | ||
+ | |||
+ | |||
+ | cd /usr/local/src/snort | ||
+ | wget http://pulledpork.googlecode.com/files/pulledpork-0.6.1.tar.gz -O pulledpork.tar.gz | ||
+ | cd /usr/local/snort | ||
+ | tar zxvf /usr/local/src/snort/pulledpork.tar.gz | ||
+ | mv pulledpork-0.6.1 pulledpork | ||
+ | |||
+ | installation | ||
+ | |||
+ | |||
Get latest rules set | Get latest rules set | ||
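Review bot: the trailing block at lines 120 to 137 of the new text (wget of pulledpork.pl from svn trunk into /usr/local/bin, a pulledpork.conf pulled from http://www.rivy.org, the 0.6.1 tarball unpacked under /usr/local/snort, and the lone word "installation") contradicts the 0.7.0 procedure just above it (script in /usr/local/bin, configuration in /etc/snort) and fetches both the script and its configuration over plain http from an unpinned trunk and a third-party site; either drop these leftover notes or label them as an older alternative, and keep the versioned 0.7.0 tarball the section already uses. Also, the crontab line at 114 is the only command in the section outside a <syntaxhighlight> block, and the rule_url lines in the pulledpork.conf excerpt rightly keep the literal `<oinkcode>` placeholder; the `## Lines 19,21,24,26` comment should say explicitly that the real oinkcode is account-specific and must not be committed to the wiki.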
Line 123: | Line 236: | ||
#url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2.9.tar.gz | #url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2.9.tar.gz | ||
− | + | ||
− | |||
− | |||
− | |||
− | |||
− | |||
url = http://www.snort.org/pub-bin/oinkmaster.cgi/f1...c7/snortrules-snapshot-2961.tar.gz | url = http://www.snort.org/pub-bin/oinkmaster.cgi/f1...c7/snortrules-snapshot-2961.tar.gz | ||
</syntaxhighlight> | </syntaxhighlight> |
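Review bot: the hunk only removes blank lines, but the live `url =` line that survives embeds an account oinkcode in the path (shown here as f1...c7) while the commented line above keeps the `<oinkcode>` placeholder; the oinkcode is tied to the snort.org account, so the uncommented line should use the placeholder too rather than publishing an account-specific value on the wiki.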
Revision as of 12:05, 10 August 2014
Requirements
- Database server (MySQL). See MySQL server
Sources
- Ubuntu-FR Snort: http://doc.ubuntu-fr.org/snort
- Ubuntu-FR Snort-inline [IPS]: http://doc.ubuntu-fr.org/snort_inline
SNORT installation
Requirements
You need to add a new MySQL database and user for Snort.
Hint: you can use phpMyAdmin or MySQL Workbench to do so.
Installation
Packages
apt-get install snort snort-doc snort-rules-default snort-common snort-common-libraries oinkmaster
apt-get install libcrypt-ssleay-perl liblwp-protocol-https-perl
During the installation you will be asked for $HOME_NET.
- If you plan to protect a network, use the network address and mask (IP@/submask).
- For a single computer use IP@/32. Do that for servers hosted somewhere in the cloud (OVH, TripNet, ...).
Basic configuration
Interactive way
dpkg-reconfigure snort
- Start method: boot
- Interface: eth0
- set the IP@ of your server
- Do NOT enable promiscuous mode
- No custom options
- (optional) daily reports by email
Manual way
Set attributes:
vim /etc/snort/snort.debian.conf
!! Note that on Debian/Ubuntu these settings live in snort.debian.conf; snort.conf is Snort's global configuration !!
DEBIAN_SNORT_HOME_NET="IP@/submask"
Know your version of snort
snort -V
You should see something like this:
,,_ -*> Snort! <*-
o" )~ Version 2.9.6.0 GRE (Build 47)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.5.3
Using PCRE version: 8.31 2012-07-06
Using ZLIB version: 1.2.8
Configure rules and update
SNORT account
Get a SNORT account: https://www.snort.org
Each SNORT account has an OINKCODE, which is required to get the rule updates.
Oinkmaster
Oinkmaster is THE reference tool to get the rules updates. However, it is a pain to configure. :'(
Instead, the community has created "Pulled Pork" (https://code.google.com/p/pulledpork/): a script that does the configuration for you.
Pulled Pork
Get the latest version of Pulled Pork: https://code.google.com/p/pulledpork/downloads/list
cd /tmp && wget https://pulledpork.googlecode.com/files/pulledpork-0.7.0.tar.gz
Extract the archive and enter the directory:
tar xvf pulledpork-0.7.0.tar.gz
cd pulledpork-0.7.0
Copy the configuration files to /etc/snort and the start script (pulledpork.pl) to /usr/local/bin/:
cp pulledpork.pl /usr/local/bin/pulledpork.pl
chmod 755 /usr/local/bin/pulledpork.pl
cp etc/* /etc/snort/
Edit the PulledPork configuration:
vim /etc/snort/pulledpork.conf
Set or adjust the following settings:
## Set your OinkCode
## On lines 19, 21, 24 and 26 replace <oinkcode> with your own.
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
## Line 72 (default = /usr/local/etc/snort/rules/snort.rules)
rule_path=/etc/snort/rules/snort.rules
## Line 87 (default = /usr/local/etc/snort/rules/local.rules)
local_rules=/etc/snort/rules/local.rules
## Line 90 (default = /usr/local/etc/snort/sid-msg.map)
sid_msg=/etc/snort/sid-msg.map
## Line 110 (default = /usr/local/lib/snort_dynamicrules/)
sorule_path=/usr/lib/snort_dynamicrules/
## Line 113 (default = /usr/local/bin/snort)
snort_path=/usr/sbin/snort
## Line 117 (default = /usr/local/etc/snort/snort.conf)
config_path=/etc/snort/snort.conf
## Line 131
distro=Ubuntu-14.04
## Line 139 (default = /usr/local/etc/snort/rules/iplists/default.blacklist)
black_list=/etc/snort/rules/iplists/default.blacklist
## Line 148 (default = /usr/local/etc/snort/rules/iplists)
IPRVersion=/etc/snort/rules/iplists
## Line 190 uncomment the snort_version line
######
# Put your actual version, e.g. 2.9.6.0
# You can check the available versions at https://www.snort.org/downloads/#rule-
# Usually there is no 2.9.6.0 but 2.9.6.1, 2.9.6.2, ... instead
###
snort_version=2.9.6.1
Create an entry in crontab to automate the process of keeping the Snort rules up to date.
0 2 * * * pulledpork.pl -c /etc/snort/pulledpork.conf -H -v >> /var/log/pulledpork 2>&1 #Update Snort Rules
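Before wiring PulledPork into cron, it is worth checking the configuration for the mistakes that silently break or weaken rule updates. The following shell script is an added example, not part of the original page or of the PulledPork project; it assumes only a POSIX shell with grep and cut, and the oinkcode in the usage is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original page or the PulledPork project):
# sanity-check a pulledpork.conf before it runs unattended from cron.
# It reports three problems:
#   1. an unreplaced <oinkcode> placeholder in a rule_url line (the download
#      will fail and Snort keeps running on stale rules),
#   2. a rule_url that fetches over plain http (rules are code that Snort
#      loads, so they should arrive over TLS),
#   3. a missing or still-commented snort_version line.

# check_pulledpork_conf FILE -> prints one line per problem, returns 1 if any
check_pulledpork_conf() {
    conf="$1"
    problems=0
    if grep -q '^rule_url=.*<oinkcode>' "$conf"; then
        echo "oinkcode placeholder still present in a rule_url line"
        problems=$((problems + 1))
    fi
    # rule_url=URL|filename|code : only the URL part is inspected
    if grep '^rule_url=' "$conf" | cut -d= -f2- | cut -d'|' -f1 | grep -q '^http://'; then
        echo "a rule_url fetches over plain http"
        problems=$((problems + 1))
    fi
    if ! grep -Eq '^snort_version=[0-9]+(\.[0-9]+)+$' "$conf"; then
        echo "snort_version is not set (line missing or commented out)"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Usage: check_pulledpork_conf /etc/snort/pulledpork.conf && echo "config looks sane"
```

As written on this page, the IPBLACKLIST feed line is fetched over plain http and will be reported; switch it to https if the feed offers it, or accept that finding knowingly.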
Alternative (older notes, PulledPork 0.6.1 from svn trunk with a third-party configuration file):
cd /usr/local/bin
wget http://pulledpork.googlecode.com/svn/trunk/pulledpork.pl
chmod 755 pulledpork.pl
mkdir /etc/pulledpork
cd /etc/pulledpork
wget http://www.rivy.org/custom/pulledpork.conf
cd /usr/local/src/snort
wget http://pulledpork.googlecode.com/files/pulledpork-0.6.1.tar.gz -O pulledpork.tar.gz
cd /usr/local/snort
tar zxvf /usr/local/src/snort/pulledpork.tar.gz
mv pulledpork-0.6.1 pulledpork
installation
Get the latest rules set
vim /etc/oinkmaster.conf
Just comment out line 53 and use:
#url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2.9.tar.gz
url = http://www.snort.org/pub-bin/oinkmaster.cgi/f1...c7/snortrules-snapshot-2961.tar.gz
You can get the latest rules manually too: https://www.snort.org/downloads/#rule-downloads
Download and install rules
oinkmaster -o /etc/snort/rules
Automatic rules update
crontab -e
Add: 55 13 * * 6 /usr/sbin/oinkmaster -o /etc/snort/rules
Add rules to Snort
- echo "#EmergingThreats.net Rules" >> /etc/snort/snort.conf
- cd /etc/snort/rules
- for i in emerging*; do echo "include \$RULE_PATH/$i" >> /etc/snort/snort.conf; done
Check result
- vim /etc/snort/snort.conf
→ You should see lots of emerging rules
Advice: you should comment out the following:
- include $RULE_PATH/emerging-botcc-BLOCK.rules
- include $RULE_PATH/emerging-compromised-BLOCK.rules
- include $RULE_PATH/emerging-drop-BLOCK.rules
- include $RULE_PATH/emerging-dshield-BLOCK.rules
- include $RULE_PATH/emerging-rbn-BLOCK.rules
- include $RULE_PATH/emerging-sid-msg.map
- include $RULE_PATH/emerging-sid-msg.map.txt
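The loop above appends an include for every emerging* file, including the sid-msg.map files and the BLOCK lists that the advice then asks you to comment out, and running it a second time duplicates every line. The following script is an added example, not from the original page: it adds the includes idempotently and comments out the unwanted ones in one pass, with the paths as parameters so it can be tried on a scratch copy before touching /etc/snort.

```shell
#!/bin/sh
# Added example (not from the original page): maintain the Emerging Threats
# include lines in snort.conf without duplicates, then disable the includes
# the page advises against (the *-BLOCK.rules lists and the sid-msg.map files,
# which are not rule files at all).

# add_et_includes SNORT_CONF RULES_DIR
add_et_includes() {
    conf="$1"; rules_dir="$2"
    grep -q '^#EmergingThreats.net Rules' "$conf" || printf '#EmergingThreats.net Rules\n' >> "$conf"
    for f in "$rules_dir"/emerging*; do
        [ -e "$f" ] || continue                 # no emerging* files at all
        name=$(basename "$f")
        line="include \$RULE_PATH/$name"
        # skip lines already present (commented or not) so reruns are idempotent
        grep -qF -- "$line" "$conf" || printf '%s\n' "$line" >> "$conf"
    done
}

# comment_unwanted SNORT_CONF: prefix the BLOCK lists and sid-msg.map includes with "# "
comment_unwanted() {
    sed -i -E \
        -e 's|^(include \$RULE_PATH/emerging-.*-BLOCK\.rules)$|# \1|' \
        -e 's|^(include \$RULE_PATH/emerging-sid-msg\.map(\.txt)?)$|# \1|' \
        "$1"
}

# count_active_includes SNORT_CONF: number of live (uncommented) emerging includes
count_active_includes() {
    grep -c '^include \$RULE_PATH/emerging' "$1" || true
}

# Usage: add_et_includes /etc/snort/snort.conf /etc/snort/rules && comment_unwanted /etc/snort/snort.conf
```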
Start snort
To test your configuration:
- snort -c /etc/snort/snort.conf
You should see a little pig :) (Ctrl+C to stop it)
If there are errors, check /var/log/syslog. You might have to comment out some rules, depending on your configuration.
Managing rules
Not all rules are enabled by default. According to your own policy, you might want to enable some specific rules. Have a look at your configuration file:
- vim /etc/snort/snort.conf
→ line 839: enable the required policies: Policy.rules, Community-policy.rules
Disable specific rules
- vim /etc/snort/snort.conf
You might be spammed by false alerts such as “COMMUNITY SIP TCP/IP message flooding directed to SIP proxy”. To disable these, edit the corresponding rule set (community-sip.rules) or the rule files ending in:
- -voip.rules
- -sip.rules
Populate database
You have to use a MySQL script to initialise the database schema and its initial content.
cd /usr/share/doc/snort-mysql
zcat create_mysql.gz | mysql -u snort -h localhost -p snort
If it succeeds, the command prints nothing.
Check that the database is OK.
If so, remove the pending installation flag:
rm /etc/snort/db-pending-config
Initial Configuration
Reconfigure Snort:
dpkg-reconfigure snort-mysql
Check the configuration!
- vim /etc/snort/snort.conf
→ line 46: var HOME_NET IP@/submask (!! you need to specify something here !!)
→ line 49: var EXTERNAL_NET !$HOME_NET
!! Do not do this on DEBIAN !! Uncomment and complete the database output line (the values below are examples; use the snort database user and password you created earlier, not root):
output database: log, mysql, user=root password=test dbname=db host=localhost
Caution: if you are using a custom port configuration for some of your servers, you have to adjust the port number of each service in this config file!
You might encounter some errors, don't panic! :-)
Adjust snort rules
Source: http://doc.ubuntu-fr.org/snort
Rules web-site: http://rules.emergingthreats.net/open-nogpl/
Snort Graphical Front-End
Required programs
Add-ons, to display graphs and statistics
- pear upgrade
- pear install Image_Color
- pear install Image_Graph
- pear install Mail
- pear install Mail_Mime
Automatic installation
- apt-get install acidbase
→ Use the automatic database configuration with “dbconfig-common” (MySQL UNIX socket)
Manual installation
Requirement: ADODB (database abstraction layer for PHP)
Official website: http://adodb.sourceforge.net/
Downloads: http://sourceforge.net/projects/adodb/files/
- wget fileURL
- tar -xzvf adodb-php.tar.gz
- mv adodb5 /etc/php5
→ ADODB is now in /etc/php5/adodb5
Download BASE
Official website: http://base.secureideas.net/
Download the last version from the official website, even if it is old (the last release dates from 2010).
Extract it to: /var/www/default/base
Create MySQL BASE tables into SNORT database.
- cd /var/www/default/base/sql
Run one of the following scripts (they are the same): create_base_tbls_mysql.sql or acid2base_tbls_mysql.sql
Installation
URL/base/setup/index.php
Step 1 of 5: language; path to adodb: /etc/php5/adodb5 (manual install) or /usr/share/php/adodb
Step 2 of 5: MySQL configuration: please re-use the SNORT database
Step 3 of 5: it is not mandatory to create a new user
Step 4 of 5: create the required tables
Configuration
Edit the specific acidbase database settings
- vim /var/www/website/webapps/acidbase/base_conf.php
$BASE_urlpath = '/webapps/acidbaseids';
$action_email_smtp_host = 'smtp.example.com';       # e.g. smtp.gmail.com:587
$action_email_smtp_localhost = 'serverHostName';    # e.g. extranet.daxiongmao.eu
$action_email_smtp_auth = 1;
$action_email_smtp_user = 'username';
$action_email_smtp_pw = 'password';
$action_email_from = 'snort@serverDomain.com';      # e.g. snort@extranet.daxiongmao.eu
$action_email_subject = 'BASE Incident Report';
$action_email_msg = '';                             # leave empty; an empty value must still be a quoted string
$action_email_mode = 0;
Create the tables: https://server1.example.com/acidbase/base_db_setup.php
Adjust your php.ini settings
- vim /etc/php5/cli/php.ini
You need to adjust the “error_reporting” variable as follows:
error_reporting = E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
!! For Cherokee you have to edit your PHP interpreter settings !! → vServers → target server → Rule management → select the PHP rule → handler tab → disable the error handler
Reload Apache 2
- /etc/init.d/apache2 reload
Setup ACID: https://server1.example.com/acidbase/setup/index.php
Delete acid bug
You might have to disable some settings in /usr/share/acidbase/includes/base_cache.inc.php, lines 556 and 562. They might trigger false alerts.
Important reminders
You need to supervise your installation and check the logs regularly!
You need to adjust your configuration to avoid too many false positives, keeping only the real alerts.