Difference between revisions of "Snort IDS installation"
Latest revision as of 12:28, 10 August 2014
=Requirements=

* Database server (MySQL). See [[MySQL server]]

=Sources=

* Ubuntu-FR Snort: http://doc.ubuntu-fr.org/snort
* Ubuntu-FR Snort-inline [IPS]: http://doc.ubuntu-fr.org/snort_inline
=SNORT installation=

==Requirements==

You need to add a '''new MySQL database and user for snort'''.

''hint'': you can use [[Web app PhpMyAdmin|PHPMyAdmin]] or [[MySQL workbench]] to do so!

==Installation==

===Packages===

<syntaxhighlight lang="bash">
apt-get install snort snort-doc snort-rules-default snort-common snort-common-libraries oinkmaster
apt-get install libcrypt-ssleay-perl liblwp-protocol-https-perl
</syntaxhighlight>

During the installation you will be asked for the $HOME_NET:

* If you plan to protect a network, use the network IP@/submask.
* For a single computer, use IP@/32. Do that for servers hosted somewhere in the cloud (OVH, TripNet, ...).
==Basic configuration==

'''Interactive way'''

<syntaxhighlight lang="bash">
dpkg-reconfigure snort
</syntaxhighlight>

* Boot
* Interface: eth0
* Set the IP@ of your server
* Do '''NOT''' enable promiscuous mode
* No custom options
* (optional) daily reports by email

'''Manual way'''

Set the attributes in:

<syntaxhighlight lang="bash">
vim /etc/snort/snort.debian.conf
</syntaxhighlight>

!! Note that these settings live in the ''Debian'' configuration file; ''snort.conf'' is the SNORT global configuration !!

<syntaxhighlight lang="bash">
DEBIAN_SNORT_HOME_NET="IP@/submask"
</syntaxhighlight>
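Every rule written against $HOME_NET depends on this value, so a typo here silently degrades detection rather than producing an error. As an added example (not part of the wiki page), the following POSIX shell functions validate an IPv4 CIDR before writing DEBIAN_SNORT_HOME_NET into snort.debian.conf; the config path is a parameter so you can try it on a copy first. The function names and the HOME_NET_MAIN guard are my own.

```shell
#!/bin/sh
# Added example (not from the wiki page): validate an IPv4 CIDR and set
# DEBIAN_SNORT_HOME_NET in snort.debian.conf idempotently (replace the
# existing line if present, append it otherwise).

# valid_cidr 192.0.2.0/24 -> 0 if the string is a well-formed IPv4 prefix
valid_cidr() {
    cidr=$1
    case "$cidr" in
        */*) ip=${cidr%/*}; prefix=${cidr#*/} ;;
        *)   return 1 ;;
    esac
    # prefix length must be digits only and 0..32
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    # exactly four dotted octets, each digits only and 0..255
    n=0
    oldifs=$IFS
    IFS=.
    set -f                      # no globbing while we split on dots
    for octet in $ip; do
        n=$((n + 1))
        case "$octet" in
            ''|*[!0-9]*) IFS=$oldifs; set +f; return 1 ;;
        esac
        if [ "$octet" -gt 255 ]; then IFS=$oldifs; set +f; return 1; fi
    done
    IFS=$oldifs
    set +f
    [ "$n" -eq 4 ]
}

# set_home_net CONF CIDR -> writes DEBIAN_SNORT_HOME_NET="CIDR" into CONF
set_home_net() {
    conf=$1; cidr=$2
    valid_cidr "$cidr" || { echo "invalid CIDR: $cidr" >&2; return 1; }
    if grep -q '^DEBIAN_SNORT_HOME_NET=' "$conf"; then
        # the validated value only contains digits, dots and a slash,
        # so it is safe inside the sed replacement
        sed -i "s|^DEBIAN_SNORT_HOME_NET=.*|DEBIAN_SNORT_HOME_NET=\"$cidr\"|" "$conf"
    else
        printf 'DEBIAN_SNORT_HOME_NET="%s"\n' "$cidr" >> "$conf"
    fi
}

# get_home_net CONF -> prints the configured value without the quotes
get_home_net() {
    sed -n 's/^DEBIAN_SNORT_HOME_NET="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1"
}

# Run as a script: HOME_NET_MAIN=1 sh set_home_net.sh 192.0.2.0/24
if [ "${HOME_NET_MAIN:-0}" = "1" ]; then
    set_home_net /etc/snort/snort.debian.conf "${1:-}"
fi
```

After changing the value, restart Snort (service snort restart) so the Debian wrapper re-reads snort.debian.conf.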
==Know your version of snort==

<syntaxhighlight lang="bash">
snort -V
</syntaxhighlight>

You should see something like this:

<syntaxhighlight lang="bash">
,,_ -*> Snort! <*-
o" )~ Version 2.9.6.0 GRE (Build 47)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.5.3
Using PCRE version: 8.31 2012-07-06
Using ZLIB version: 1.2.8
</syntaxhighlight>
=Configure rules and update=

==SNORT account==

Get a SNORT account: https://www.snort.org

Each SNORT account has an OINKCODE, which is required to get the rule updates.

==Oinkmaster==

Oinkmaster is THE reference tool to get the rule updates. However, it's a pain to configure. :'(

Instead of that, the community has created [https://code.google.com/p/pulledpork/ Pulled Pork]: a script that does the configuration for you.
==Pulled Pork==

===Preparation===

PulledPork requires specific files & folders:

<syntaxhighlight lang="bash">
mkdir -p /etc/snort/rules/iplists
touch /etc/snort/rules/iplists/default.blacklist
chmod 777 /etc/snort/rules/iplists/default.blacklist
</syntaxhighlight>
===Get Pulled Pork===

Get the latest version of Pulled Pork: https://code.google.com/p/pulledpork/downloads/list

<syntaxhighlight lang="bash">
cd /tmp && wget https://pulledpork.googlecode.com/files/pulledpork-0.7.0.tar.gz
</syntaxhighlight>

===Installation===

Extract the archive and enter it:

<syntaxhighlight lang="bash">
tar xvf pulledpork-0.7.0.tar.gz
cd pulledpork-0.7.0
</syntaxhighlight>

Copy the configuration files to /etc/snort and the start script (pulledpork.pl) to /usr/local/bin/:

<syntaxhighlight lang="bash">
cp pulledpork.pl /usr/local/bin/pulledpork.pl
chmod 755 /usr/local/bin/pulledpork.pl
cp etc/* /etc/snort/
</syntaxhighlight>
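Two of the files created in the Preparation and Installation steps deserve tighter permissions than the steps give them: default.blacklist is consumed by Snort's reputation preprocessor, so a world-writable copy (chmod 777) lets any local account change which addresses are blocked or ignored, and pulledpork.conf will contain your oinkcode, which is an account credential. The block below is an added example (not part of the wiki page or of PulledPork) that creates the same directory and file with root-owned 644/755 modes, restricts pulledpork.conf to its owner, and checks both; the paths are parameters so it can be run against a scratch directory, and the function names and the PP_HARDEN_MAIN guard are my own.

```shell
#!/bin/sh
# Added example (not from the wiki page or PulledPork): create the iplists
# directory and blacklist with read-only-for-others permissions instead of
# chmod 777, lock down pulledpork.conf, and verify both. Snort only needs
# to read the blacklist, so 644 is enough; only root should edit it.

# prepare_iplists SNORT_ETC -> creates SNORT_ETC/rules/iplists/default.blacklist
prepare_iplists() {
    etc=$1
    dir="$etc/rules/iplists"
    mkdir -p "$dir"
    [ -e "$dir/default.blacklist" ] || : > "$dir/default.blacklist"
    chmod 755 "$dir"
    chmod 644 "$dir/default.blacklist"
}

# lockdown_conf CONF -> only the owner can read the oinkcode inside it
lockdown_conf() {
    chmod 600 "$1"
}

# perms_of FILE -> octal mode, e.g. 644
perms_of() {
    stat -c '%a' "$1"
}

# check_perms SNORT_ETC -> 0 if the blacklist is not group/world writable
# and pulledpork.conf is not readable by group/other; 1 otherwise
check_perms() {
    etc=$1
    bl="$etc/rules/iplists/default.blacklist"
    conf="$etc/pulledpork.conf"
    ok=0
    # a group/world-writable blacklist lets any local user edit what the
    # reputation preprocessor blocks or whitelists
    if [ -e "$bl" ] && find "$bl" -perm /022 | grep -q .; then
        echo "WARN: $bl is group/world writable (mode $(perms_of "$bl"))" >&2
        ok=1
    fi
    # the oinkcode in pulledpork.conf should not be readable by other users
    if [ -e "$conf" ] && find "$conf" -perm /077 | grep -q .; then
        echo "WARN: $conf is accessible to group/other (mode $(perms_of "$conf"))" >&2
        ok=1
    fi
    return $ok
}

# Run as a script: PP_HARDEN_MAIN=1 sh pp_harden.sh
if [ "${PP_HARDEN_MAIN:-0}" = "1" ]; then
    prepare_iplists /etc/snort
    lockdown_conf /etc/snort/pulledpork.conf
    check_perms /etc/snort
fi
```

Run check_perms again after each PulledPork update: the script rewrites the blacklist, and a cron job running under a different umask can loosen the mode again.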
===Configuration===

Edit the PulledPork configuration:

<syntaxhighlight lang="bash">
vim /etc/snort/pulledpork.conf
</syntaxhighlight>

Set / adjust the following settings (line numbers refer to the shipped pulledpork.conf):

<syntaxhighlight lang="bash">
## Set your OinkCode
## Lines 19,21,24,26: replace <oinkcode> with your own.
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>

## Line 72 (default = /usr/local/etc/snort/rules/snort.rules)
rule_path=/etc/snort/rules/snort.rules

## Line 87 (default = /usr/local/etc/snort/rules/local.rules)
local_rules=/etc/snort/rules/local.rules

## Line 90 (default = /usr/local/etc/snort/sid-msg.map)
sid_msg=/etc/snort/sid-msg.map

## Line 110 (default = /usr/local/lib/snort_dynamicrules/)
sorule_path=/usr/lib/snort_dynamicrules/

## Line 113 (default = /usr/local/bin/snort)
snort_path=/usr/sbin/snort

## Line 117 (default = /usr/local/etc/snort/snort.conf)
config_path=/etc/snort/snort.conf

## Line 120: uncomment and adjust (default = /usr/local/etc/snort/rules/so_rules.rules)
sostub_path=/etc/snort/rules/so_rules.rules

## Line 131
distro=Ubuntu-14.04

## Line 139 (default = /usr/local/etc/snort/rules/iplists/default.blacklist)
black_list=/etc/snort/rules/iplists/default.blacklist

## Line 148 (default = /usr/local/etc/snort/rules/iplists)
IPRVersion=/etc/snort/rules/iplists

## Line 190: uncomment the snort_version line
######
# Put your exact version, e.g. 2.9.6.0
# You can check which versions are available at https://www.snort.org/downloads/#rule-
# Usually there is no 2.9.6.0 but 2.9.6.1, 2.9.6.2, ... instead
###
snort_version=2.9.6.1
</syntaxhighlight>
==Get rules==

Execute Pulled Pork:

<syntaxhighlight lang="bash">
pulledpork.pl -c /etc/snort/pulledpork.conf
</syntaxhighlight>

You should see something like:

<syntaxhighlight lang="bash">
http://code.google.com/p/pulledpork/
 _____ ____
 `----,\ )
 `--==\\ / PulledPork v0.7.0 - Swine Flu!
 `--==\\/
 .-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
 @_/ / 66\_ cummingsj@gmail.com
 | \ \ _(")
 \ /-| ||'--' Rules give me wings!
 \_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

...

Fly Piggy Fly!
</syntaxhighlight>
==Test snort==

You can check that SNORT is working with your rules by launching it. See [[#Run SNORT]].

==Get rules periodically==

The best way to get rules periodically is to set up a cron job: create a crontab entry to automate keeping the Snort rules up to date.

Edit the crontab:

<syntaxhighlight lang="bash">
crontab -e
</syntaxhighlight>

Add:

<syntaxhighlight lang="bash">
0 2 * * * pulledpork.pl -c /etc/snort/pulledpork.conf -H -v >> /var/log/pulledpork 2>&1 #Update Snort Rules
</syntaxhighlight>
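An unattended rule update has one failure mode worth guarding against: a downloaded rule set that does not parse makes Snort refuse to start, and with the cron line above you would only notice the sensor is down the next time you look. The block below is an added example (not from the wiki page or PulledPork) of a wrapper you can call from cron instead: it runs PulledPork, validates the resulting configuration with Snort's test mode (snort -T, which parses snort.conf and every included rule file and exits), and only restarts Snort when the test passes, so a bad update leaves the previous rules running. It restarts through the service command instead of the -H SIGHUP used above. The command paths are overridable through environment variables so the function can be exercised with stand-in scripts; the variable and function names and the UPDATE_RULES_MAIN guard are my own.

```shell
#!/bin/sh
# Added example (not from the wiki page or PulledPork): fetch rules, test
# the new configuration with "snort -T", and restart only on success.
# Paths default to the ones the page uses and can be overridden from the
# environment (PULLEDPORK, SNORT, RESTART, PP_CONF, SNORT_CONF, LOG).

PULLEDPORK=${PULLEDPORK:-/usr/local/bin/pulledpork.pl}
SNORT=${SNORT:-/usr/sbin/snort}
RESTART=${RESTART:-"service snort restart"}
PP_CONF=${PP_CONF:-/etc/snort/pulledpork.conf}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
LOG=${LOG:-/var/log/pulledpork}

# log MESSAGE -> timestamped line appended to $LOG
log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG"
}

# update_rules -> 0: rules updated and Snort restarted
#                 1: PulledPork failed (Snort left untouched)
#                 2: the new config failed "snort -T" (Snort left untouched)
#                 3: the restart command failed
update_rules() {
    log "starting rule update"
    if ! "$PULLEDPORK" -c "$PP_CONF" -v >> "$LOG" 2>&1; then
        log "pulledpork failed; keeping the current rules"
        return 1
    fi
    # -T: parse snort.conf and all included rules, report, and exit
    if ! "$SNORT" -T -c "$SNORT_CONF" >> "$LOG" 2>&1; then
        log "snort -T rejected the updated configuration; not restarting"
        return 2
    fi
    # $RESTART is deliberately unquoted so "service snort restart" splits
    if ! $RESTART >> "$LOG" 2>&1; then
        log "restart failed"
        return 3
    fi
    log "rules updated and Snort restarted"
    return 0
}

# last_status -> the last log line, handy for a monitoring check
last_status() {
    tail -n 1 "$LOG"
}

# Run from cron: 0 2 * * * UPDATE_RULES_MAIN=1 /usr/local/bin/update_rules.sh
if [ "${UPDATE_RULES_MAIN:-0}" = "1" ]; then
    update_rules
fi
```

The exit code distinguishes the three failure points, so a monitoring job can alert on a non-zero status and read the last log line to see which step failed.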
=Run SNORT=

This is how you can start SNORT manually:

<syntaxhighlight lang="bash">
snort -c /etc/snort/snort.conf
</syntaxhighlight>

If everything is OK, you should see:

<syntaxhighlight lang="bash">
...
4150 Snort rules read
3476 detection rules
0 decoder rules
0 preprocessor rules
3476 Option Chains linked into 271 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
...
--== Initialization Complete ==--
</syntaxhighlight>

'Ctrl + C' to exit.

If there are errors, check /var/log/syslog.

You might have to comment out some rules, depending on your configuration.
=Managing rules=

Not all the rules are enabled by default. According to your own policy, you might want to enable / disable some specific rules.

Have a look at your configuration file:

<syntaxhighlight lang="bash">
vim /etc/snort/snort.conf
</syntaxhighlight>

Cf. STEP 7 (~ line 555).

Don't forget to restart SNORT!

<syntaxhighlight lang="bash">
service snort restart
</syntaxhighlight>
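The STEP 7 block of snort.conf is a list of "include $RULE_PATH/<category>.rules" lines, some of them commented out. Toggling them by hand in vim works, but it is easy to lose track of what is enabled on a sensor. As an added example (not from the wiki page), the following POSIX shell functions report the state of every rule category include and comment or uncomment one of them in place; the config path is a parameter so you can run them on a copy first. The function names and the RULES_MAIN guard are my own, and the sed -i form assumes GNU sed as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the wiki page): list and toggle the
# "include $RULE_PATH/<name>.rules" lines of snort.conf. Back up the live
# file before editing it, and restart Snort afterwards.

# list_rule_includes CONF -> one line per rule file: "on NAME" or "off NAME"
list_rule_includes() {
    sed -n \
        -e 's|^[[:space:]]*include[[:space:]][[:space:]]*\$RULE_PATH/\(.*\)\.rules[[:space:]]*$|on \1|p' \
        -e 's|^[[:space:]]*#[[:space:]]*include[[:space:]][[:space:]]*\$RULE_PATH/\(.*\)\.rules[[:space:]]*$|off \1|p' \
        "$1"
}

# rule_state CONF NAME -> prints on, off, or missing (no include line at all)
rule_state() {
    state=$(list_rule_includes "$1" | awk -v n="$2" '$2 == n { print $1; exit }')
    echo "${state:-missing}"
}

# set_rule_include CONF NAME on|off -> uncomments or comments the include line
# returns 0 on success, 1 if NAME has no include line, 2 on bad arguments
set_rule_include() {
    conf=$1; name=$2; want=$3
    case "$want" in
        on|off) ;;
        *) echo "usage: set_rule_include CONF NAME on|off" >&2; return 2 ;;
    esac
    # the name is interpolated into a sed pattern, so keep it to safe chars
    case "$name" in
        ''|*[!A-Za-z0-9_.-]*) echo "bad rule name: $name" >&2; return 2 ;;
    esac
    [ "$(rule_state "$conf" "$name")" != missing ] || {
        echo "no include line for $name.rules in $conf" >&2
        return 1
    }
    if [ "$want" = on ]; then
        sed -i "s|^[[:space:]]*#[[:space:]]*\(include[[:space:]][[:space:]]*\$RULE_PATH/$name\.rules[[:space:]]*\)\$|\1|" "$conf"
    else
        sed -i "s|^[[:space:]]*\(include[[:space:]][[:space:]]*\$RULE_PATH/$name\.rules[[:space:]]*\)\$|#\1|" "$conf"
    fi
}

# Run as a script:
#   RULES_MAIN=1 sh rules.sh list
#   RULES_MAIN=1 sh rules.sh off chat     (then: service snort restart)
if [ "${RULES_MAIN:-0}" = "1" ]; then
    case "${1:-}" in
        list)   list_rule_includes /etc/snort/snort.conf ;;
        on|off) set_rule_include /etc/snort/snort.conf "${2:-}" "$1" ;;
        *)      echo "usage: rules.sh list | on NAME | off NAME" >&2; exit 2 ;;
    esac
fi
```

Because the script only edits include lines it can already see, a category that PulledPork has not yet written (or that you mistyped) is reported as missing instead of being silently added.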