











How to Install and Configure Snort - Network based IDS



 

Install Snort, a network-based IDS (Intrusion Detection System). MySQL is also required, because this guide logs alerts to a database and later views them through the BASE web front end.

How to Install and configure Snort - Intrusion Detection System


Install the packages required to build DAQ and Snort from their source RPMs first.


[root@www ~]#yum --enablerepo=epel -y install gcc make rpm-build autoconf automake flex libpcap-devel bison libdnet libdnet-devel mysql-devel pcre-devel php-mysql
# install from EPEL  










Install DAQ (the Data Acquisition library that Snort depends on) first. Check the Snort site for the latest version before downloading. Note that the downloads below (DAQ and the Snort source RPM) are fetched over plain HTTP and nothing verifies them, so compare each file against the checksum or signature published on the Snort download page before building and installing it. The "user rjordan does not exist - using root" warnings printed by rpm simply mean the packaged files are owned by root because the build is run as root; packaging guidelines recommend an unprivileged build user, but it is not required for this procedure.

 
[root@www ~]#wget http://www.snort.org/downloads/858 -O daq-0.5-1.src.rpm

 

[root@www ~]#rpm -Uvh daq-0.5-1.src.rpm

1:daq warning: user rjordan does not exist - using root
warning: group rjordan does not exist - using root
########################################### [100%]
warning: user rjordan does not exist - using root
warning: group rjordan does not exist - using root
[root@www ~]#cd rpmbuild/SPECS

[root@www SPECS]#sed -i 's/\/lib\//\/lib64\//g' daq.spec

[root@www SPECS]#rpmbuild -bb daq.spec

[root@www SPECS]#rpm -Uvh ../RPMS/x86_64/daq-0.5-1.x86_64.rpm
Preparing...
########################################### [100%]


   1:daq
########################################### [100%]

 



[root@www ~]#wget http://www.snort.org/downloads/865 -O snort-2.9.0.5-1.src.rpm

[root@www ~]#rpm -Uvh snort-2.9.0.5-1.src.rpm


1:snort warning: user ssturges does not exist - using root
warning: group ssturges does not exist - using root
########################################### [100%]
warning: user ssturges does not exist - using root
warning: group ssturges does not exist - using root



[root@www ~]#cd rpmbuild/SPECS


[root@www SPECS]#vi snort.spec

SNORT_BASE_CONFIG="--prefix=%{_prefix} \
--bindir=%{_sbindir} \
--sysconfdir=%{_sysconfdir}/snort \
--with-libpcap-includes=%{_includedir} \
--enable-decoder-preprocessor-rules --enable-targetbased \


# near line 280: add the following three options to the end of SNORT_BASE_CONFIG, keeping the closing quote

--enable-zlib \
--enable-ipv6 \
--enable-normalizer \
"

[root@www SPECS]#ln -s /usr/lib64/mysql /usr/lib/mysql

[root@www SPECS]#rpmbuild -bb --with mysql snort.spec

[root@www SPECS]#rpm -Uvh ../RPMS/x86_64/snort-2.9.0.5-1.x86_64.rpm ../RPMS/x86_64/snort-mysql-2.9.0.5-1.x86_64.rpm

Preparing...
########################################### [100%]


   1:snort
########################################### [ 50%]


   2:snort-mysql
########################################### [100%]

 

Create a MySQL database and a dedicated user for Snort. Replace 'password' below with a strong, unique password; the same value must be entered in snort.conf and in BASE's base_conf.php later, and it will be stored in clear text in both files.

 

[root@www ~]#mysql -u root -p


Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.1.52 Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.


mysql>
create database snort;


Query OK, 1 row affected (0.00 sec)


mysql>
grant all privileges on snort.* to snort@localhost identified by 'password';


Query OK, 0 rows affected (0.00 sec)


mysql>
flush privileges;


Query OK, 0 rows affected (0.00 sec)


mysql>
exit


Bye
[root@www ~]#
mysql -u snort -p snort < /usr/share/snort-*/schemas/create_mysql


Enter password:

Enter the password you set for the snort database user above.

 









Configure Snort  



 [root@www ~]#vi /etc/snort/snort.conf


# line 39: set HOME_NET to the address range of the network you are monitoring


ipvar HOME_NET 10.0.0.0/24



# line 177: comment out this line

 
#dynamicdetection directory /usr/local/lib/snort_dynamicrules



# line 376: add the database output plugin. The database password is stored in clear text here, so keep snort.conf readable only by root (and by the account Snort runs as, if that is not root).

 
output database: log, mysql, user=snort password=password dbname=snort host=localhost

 


[root@www ~]#vi /etc/sysconfig/snort


# line 69: comment this out so that alerts are written to MySQL instead of the fast alert file

 
#ALERTMODE=fast


 

[root@www ~]#vi /etc/logrotate.d/snort

# line 4: change as follows ( remove the unnecessary section )


/var/log/snort/alert /var/log/snort/*log {


 













Register on the Snort site to obtain rule files. After registering, download the rules snapshot from the Snort download page (select "snortrules-snapshot-xxxx.tar.gz" under "Registered User Release"); the snapshot number must match the installed Snort version (2905 for Snort 2.9.0.5 below). Verify the archive against the checksum published alongside it before extracting: a tampered rule set silently changes what the sensor does and does not detect.



[root@www ~]#tar zxvf snortrules-snapshot-2905.tar.gz

[root@www ~]#cp rules/* /etc/snort/rules/

[root@www ~]#rm -rf rules snortrules-snapshot-2905.tar.gz

[root@www ~]#/etc/rc.d/init.d/snortd start

Starting snort: Spawning daemon child...
My daemon child 21617 lives...
Daemon parent exiting
[ OK ]









Install BASE (Basic Analysis and Security Engine) so that Snort's logs can be viewed in a web browser. As with the Snort packages, the tarball below is fetched over plain HTTP, so check it against a checksum from the project's download page before unpacking it. Also note that the `chown -R apache.` step below gives the web server user ownership of the whole BASE tree, including base_conf.php, which contains the database password; once setup is complete, consider leaving only the files BASE must write owned by apache and making base_conf.php readable but not writable by the web server.
 [root@www ~]#yum --enablerepo=epel -y install php-adodb php-pear-Image-Graph

# install from EPEL

 


[root@www ~]#wget http://jaist.dl.sourceforge.net/sourceforge/secureideas/base-1.4.5.tar.gz

[root@www ~]#tar zxvf base-1.4.5.tar.gz

[root@www ~]#mv base-1.4.5 /var/www/base

[root@www ~]#chown -R apache. /var/www/base

[root@www ~]#cp /var/www/base/base_conf.php.dist /var/www/base/base_conf.php
[root@www ~]#vi /var/www/base/base_conf.php


# line 50: PATH to BASE


$BASE_urlpath = '/base';



# line 80: PATH to adodb


$DBlib_path = '/usr/share/php/adodb';



# line 102: change for your env



# snort database


$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
# username for snort database


$alert_user = 'snort';
# DB password for the snort user (the value you set when creating the database)


$alert_password = 'password';


[root@www ~]#vi /etc/httpd/conf.d/base.conf

# Create a new file. The Order/Deny/Allow directives only take effect inside a <Directory> container (the container tags appear to have been lost when this page was rendered, so they are restored below). This restricts BASE to localhost and the internal network; nothing in this configuration requires a login to reach BASE, so do not expose it more widely than that.

 

Alias /base /var/www/base

<Directory /var/www/base>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1 10.0.0.0/24
</Directory>



[root@www ~]#/etc/rc.d/init.d/httpd restart

Stopping httpd:
[ OK ]


Starting httpd:
[ OK ]

 









Open "http://(hostname or IP address)/base/" in a browser from an allowed address and click "Setup page".





 

 

Click the "Create BASE AG" button in the upper right.

 













After setup finishes, click "Main page" to go to the main screen, which should look like the following.










