Monday, March 18, 2013

How to Install and Configure Snort - Network based IDS




This guide installs Snort, a network-based IDS (Intrusion Detection System), on a 64-bit RHEL/CentOS-style host and logs its alerts into MySQL, so a running MySQL server is also required. The versions shown (DAQ 0.5, Snort 2.9.0.5, BASE 1.4.5) are those that were current when this was written; check for the latest releases before following along, as old versions carry known vulnerabilities and the download links below may no longer resolve to these files.

Install the packages required to build Snort first.


[root@www ~]#yum --enablerepo=epel -y install gcc make rpm-build autoconf automake flex libpcap-devel bison libdnet libdnet-devel mysql-devel pcre-devel php-mysql
  # install from EPEL  



Install DAQ (the Data Acquisition library Snort depends on) first. Check the Snort site for the latest version and download it. The archives below are fetched over plain HTTP with no integrity check, so verify each one against the checksum or signature published on the Snort site before building from it. Note also that everything here is built as root; building packages under an unprivileged account with its own ~/rpmbuild is the safer practice.

[root@www ~]#wget http://www.snort.org/downloads/858 -O daq-0.5-1.src.rpm

[root@www ~]#rpm -Uvh daq-0.5-1.src.rpm

1:daq warning: user rjordan does not exist - using root
warning: group rjordan does not exist - using root
########################################### [100%]
warning: user rjordan does not exist - using root
warning: group rjordan does not exist - using root
[root@www ~]#cd rpmbuild/SPECS

[root@www SPECS]#sed -i 's/\/lib\//\/lib64\//g' daq.spec

[root@www SPECS]#rpmbuild -bb daq.spec

[root@www SPECS]#rpm -Uvh ../RPMS/x86_64/daq-0.5-1.x86_64.rpm

Preparing...
########################################### [100%]

   1:daq
########################################### [100%]

[root@www ~]#wget http://www.snort.org/downloads/865 -O snort-2.9.0.5-1.src.rpm
[root@www ~]#rpm -Uvh snort-2.9.0.5-1.src.rpm

1:snort warning: user ssturges does not exist - using root
warning: group ssturges does not exist - using root
########################################### [100%]
warning: user ssturges does not exist - using root
warning: group ssturges does not exist - using root

[root@www ~]#cd rpmbuild/SPECS

[root@www SPECS]#vi snort.spec
# near line 280: change SNORT_BASE_CONFIG like follows
SNORT_BASE_CONFIG="--prefix=%{_prefix} \
                   --bindir=%{_sbindir} \
                   --sysconfdir=%{_sysconfdir}/snort \
                   --with-libpcap-includes=%{_includedir} \
                   --enable-decoder-preprocessor-rules --enable-targetbased \
                   --enable-zlib \
                   --enable-ipv6 \
                   --enable-normalizer \
                  "
[root@www SPECS]#ln -s /usr/lib64/mysql /usr/lib/mysql
# presumably a workaround so the build finds the MySQL libraries under /usr/lib on this 64-bit host — verify it is still needed with your spec file

[root@www SPECS]#rpmbuild -bb --with mysql snort.spec

[root@www SPECS]#rpm -Uvh ../RPMS/x86_64/snort-2.9.0.5-1.x86_64.rpm ../RPMS/x86_64/snort-mysql-2.9.0.5-1.x86_64.rpm

Preparing...
########################################### [100%]

   1:snort
########################################### [ 50%]

   2:snort-mysql
########################################### [100%]

Create a database and a dedicated account for Snort. Replace 'password' below with a strong, unique password: it will be stored in plaintext in snort.conf and in BASE's base_conf.php, and the GRANT statement itself is written to the MySQL client history (~/.mysql_history). Prefer granting only the privileges Snort and BASE actually need on snort.* rather than ALL PRIVILEGES.

[root@www ~]#mysql -u root -p

Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.1.52 Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
create database snort;

Query OK, 1 row affected (0.00 sec)
mysql>
grant all privileges on snort.* to snort@localhost identified by 'password';

Query OK, 0 rows affected (0.00 sec)
mysql>
flush privileges;

Query OK, 0 rows affected (0.00 sec)
mysql>
exit

Bye
[root@www ~]#mysql -u snort -p snort < /usr/share/snort-*/schemas/create_mysql

Enter password:    # enter the DB password of the snort user

Configure Snort  
 [root@www ~]#vi /etc/snort/snort.conf
# line 39: set HOME_NET to your internal network

ipvar HOME_NET 10.0.0.0/24
# line 177: comment it out

#dynamicdetection directory /usr/local/lib/snort_dynamicrules
# line 376: add settings for DB
# The DB password is stored here in plaintext: keep snort.conf readable only by root and the account Snort runs as (e.g. chmod 640).
# Later Snort releases dropped this direct database output in favour of unified2 logs read by a separate spooler, so check this is still supported if you use a newer version.

output database: log, mysql, user=snort password=password dbname=snort host=localhost

[root@www ~]#vi /etc/sysconfig/snort
# line 69: comment it out ( alerts are logged into MySQL instead )

#ALERTMODE=fast

[root@www ~]#vi /etc/logrotate.d/snort
# line 4: change like follows ( remove the unnecessary section )

/var/log/snort/alert /var/log/snort/*log {

Register on the Snort site to obtain the rule files. After registering, download the rule snapshot from this link ( select "snortrules-snapshot-xxxx.tar.gz" under "Registered User Release"; the number should correspond to your Snort version, e.g. 2905 for 2.9.0.5 ). Rules go stale quickly, so plan to refresh them regularly rather than treating this as a one-off step.

[root@www ~]#tar zxvf snortrules-snapshot-2905.tar.gz

[root@www ~]#cp rules/* /etc/snort/rules/

[root@www ~]#rm -rf rules snortrules-snapshot-2905.tar.gz

[root@www ~]#/etc/rc.d/init.d/snortd start


Starting snort: Spawning daemon child...
My daemon child 21617 lives...
Daemon parent exiting
[ OK ]

Install BASE (Basic Analysis and Security Engine) so that Snort's alerts can be viewed in a web browser. The BASE archive is downloaded from a SourceForge mirror over plain HTTP; verify it against a published checksum before unpacking it.
 [root@www ~]#yum --enablerepo=epel -y install php-adodb php-pear-Image-Graph
 

# install from EPEL

[root@www ~]#wget http://jaist.dl.sourceforge.net/sourceforge/secureideas/base-1.4.5.tar.gz
[root@www ~]#tar zxvf base-1.4.5.tar.gz

[root@www ~]#mv base-1.4.5 /var/www/base

[root@www ~]#chown -R apache. /var/www/base
# NOTE: this lets the web server process rewrite BASE's own PHP files. If BASE does not need to write to this directory after the web setup below is finished, consider making the tree root-owned and only readable by apache.

[root@www ~]#cp /var/www/base/base_conf.php.dist /var/www/base/base_conf.php


[root@www ~]#vi /var/www/base/base_conf.php
# line 50: PATH to BASE

$BASE_urlpath = '/base';
# line 80: PATH to adodb

$DBlib_path = '/usr/share/php/adodb';
# line 102: change for your env
# snort database

$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
# username for snort database

$alert_user = 'snort';
# DB password for snort ( stored in plaintext: keep this file readable only by root and apache, e.g. chmod 640 )

$alert_password = 'password';
[root@www ~]#vi /etc/httpd/conf.d/base.conf
# Create new. This only restricts access by source address: every host in 10.0.0.0/24 can read the alert data and reach the setup page, and the traffic is plain HTTP.
# Narrow the Allow list to the analysts' hosts, add authentication ( BASE's own login option in base_conf.php, if present in your version, or HTTP authentication ), and serve BASE over HTTPS.

Alias /base /var/www/base
<Directory /var/www/base>
   Order Deny,Allow
   Deny from all
   Allow from 127.0.0.1 10.0.0.0/24
</Directory>


[root@www ~]#/etc/rc.d/init.d/httpd restart

Stopping httpd:
[ OK ]

Starting httpd:
[ OK ]

Open "http://(hostname or IP address)/base/" in a browser and click "Setup page". Any host the Allow list admits can reach this setup page, so complete the setup promptly after the web server restart.



Click "Create BASE AG" button on upper right.  


After the setup finishes, click "Main page" to go to the main view, which looks like the following.





