How to Install and configure Snort - Intrusion Detection System
Install Snort, a network-based IDS (Intrusion Detection System). MySQL is also required.
Install required packages to build Snort first.
[root@www ~]#yum --enablerepo=epel -y install gcc make rpm-build autoconf automake flex libpcap-devel bison libdnet libdnet-devel mysql-devel pcre-devel php-mysql
# install from EPEL
Install DAQ first. Check the latest version on the Snort site and download it.
[root@www ~]#wget http://www.snort.org/downloads/858 -O daq-0.5-1.src.rpm
[root@www ~]#rpm -Uvh daq-0.5-1.src.rpm
1:daq warning: user rjordan does not exist - using root
warning: group rjordan does not exist - using root
########################################### [100%]
warning: user rjordan does not exist - using root
warning: group rjordan does not exist - using root
[root@www ~]#cd rpmbuild/SPECS
[root@www SPECS]#sed -i 's/\/lib\//\/lib64\//g' daq.spec
[root@www SPECS]#rpmbuild -bb daq.spec
[root@www SPECS]#rpm -Uvh ../RPMS/x86_64/daq-0.5-1.x86_64.rpm
Preparing...
########################################### [100%]
1:daq
########################################### [100%]
[root@www ~]#wget http://www.snort.org/downloads/865 -O snort-2.9.0.5-1.src.rpm
[root@www ~]#rpm -Uvh snort-2.9.0.5-1.src.rpm
1:snort warning: user ssturges does not exist - using root
warning: group ssturges does not exist - using root
########################################### [100%]
warning: user ssturges does not exist - using root
warning: group ssturges does not exist - using root
[root@www ~]#cd rpmbuild/SPECS
[root@www SPECS]#vi snort.spec
# near line 280: change like follows
SNORT_BASE_CONFIG="--prefix=%{_prefix} \
--bindir=%{_sbindir} \
--sysconfdir=%{_sysconfdir}/snort \
--with-libpcap-includes=%{_includedir} \
--enable-decoder-preprocessor-rules --enable-targetbased \
--enable-zlib \
--enable-ipv6 \
--enable-normalizer \
"
[root@www SPECS]#ln -s /usr/lib64/mysql /usr/lib/mysql
[root@www SPECS]#rpmbuild -bb --with mysql snort.spec
[root@www SPECS]#rpm -Uvh ../RPMS/x86_64/snort-2.9.0.5-1.x86_64.rpm ../RPMS/x86_64/snort-mysql-2.9.0.5-1.x86_64.rpm
Preparing...
########################################### [100%]
1:snort
########################################### [ 50%]
2:snort-mysql
########################################### [100%]
Create a database for Snort
[root@www ~]#mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.1.52 Source distribution
Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> create database snort;
Query OK, 1 row affected (0.00 sec)
mysql> grant all privileges on snort.* to snort@localhost identified by 'password';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Bye
[root@www ~]#mysql -u snort -p snort < /usr/share/snort-*/schemas/create_mysql
Enter password:
# DB password for snort user
Configure Snort
[root@www ~]#vi /etc/snort/snort.conf
# line 39: change to your internal network
ipvar HOME_NET 10.0.0.0/24
# line 177: comment it out
#dynamicdetection directory /usr/local/lib/snort_dynamicrules
# line 376: add settings for the DB
output database: log, mysql, user=snort password=password dbname=snort host=localhost
[root@www ~]#vi /etc/sysconfig/snort
# line 69: comment it out (logs are output to MySQL)
#ALERTMODE=fast
[root@www ~]#vi /etc/logrotate.d/snort
# line 4: change like follows (remove the unnecessary section)
/var/log/snort/alert /var/log/snort/*log {
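As an added check that is not part of the original page: a POSIX shell function that verifies the three snort.conf edits above were applied and that the file, which now carries the DB password, is not world-readable. The sample configs it writes are constructed for the demonstration, not the real /etc/snort/snort.conf.

```shell
#!/bin/sh
# Added check (not from the original page): verify the snort.conf edits above.
# Pass: HOME_NET is a concrete network (not "any"), the dynamicdetection line
# is commented out, an "output database: ... mysql" line exists, and the file,
# which now holds the DB password, is not world-readable.
check_snort_conf() {
    conf="$1"
    rc=0
    # 1. HOME_NET must be set to a real network, not left as "any"
    if ! grep -Eq '^[[:space:]]*ipvar[[:space:]]+HOME_NET[[:space:]]+[^[:space:]]+' "$conf" \
       || grep -Eq '^[[:space:]]*ipvar[[:space:]]+HOME_NET[[:space:]]+any[[:space:]]*$' "$conf"; then
        echo "FAIL: HOME_NET is unset or still 'any'"; rc=1
    fi
    # 2. the dynamicdetection directory line must be commented out
    if grep -Eq '^[[:space:]]*dynamicdetection[[:space:]]+directory' "$conf"; then
        echo "FAIL: dynamicdetection directory line is still active"; rc=1
    fi
    # 3. alerts must be logged to MySQL
    if ! grep -Eq '^[[:space:]]*output[[:space:]]+database:.*mysql' "$conf"; then
        echo "FAIL: no 'output database: ... mysql' line"; rc=1
    fi
    # 4. column 8 of ls -l is the "other" read bit; it must be "-"
    if ls -l "$conf" | cut -c8 | grep -q r; then
        echo "FAIL: $conf is world-readable but contains the DB password"; rc=1
    fi
    return $rc
}

# Constructed sample configs for the demonstration (not a real /etc/snort/snort.conf):
# $1 = path, $2 = "good" (edited as above) or "bad" (stock values, mode 644)
write_sample() {
    if [ "$2" = good ]; then
        cat > "$1" <<'EOF'
ipvar HOME_NET 10.0.0.0/24
#dynamicdetection directory /usr/local/lib/snort_dynamicrules
output database: log, mysql, user=snort password=password dbname=snort host=localhost
EOF
        chmod 640 "$1"
    else
        cat > "$1" <<'EOF'
ipvar HOME_NET any
dynamicdetection directory /usr/local/lib/snort_dynamicrules
EOF
        chmod 644 "$1"
    fi
}
```

Run it as `check_snort_conf /etc/snort/snort.conf` before starting snortd; a non-zero exit lists which edit is missing.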
Register on the Snort site first to get the rule files. After registration, download the rule files from the Snort site (select "snortrules-snapshot-xxxx.tar.gz" under "Registered User Release").
[root@www ~]#tar zxvf snortrules-snapshot-2905.tar.gz
[root@www ~]#cp rules/* /etc/snort/rules/
[root@www ~]#rm -rf rules snortrules-snapshot-2905.tar.gz
[root@www ~]#/etc/rc.d/init.d/snortd start
Starting snort: Spawning daemon child...
My daemon child 21617 lives...
Daemon parent exiting
[ OK ]
Install BASE so that you can view Snort's logs in a web browser.
[root@www ~]#yum --enablerepo=epel -y install php-adodb php-pear-Image-Graph
# install from EPEL
[root@www ~]#wget http://jaist.dl.sourceforge.net/sourceforge/secureideas/base-1.4.5.tar.gz
[root@www ~]#tar zxvf base-1.4.5.tar.gz
[root@www ~]#mv base-1.4.5 /var/www/base
[root@www ~]#chown -R apache. /var/www/base
[root@www ~]#cp /var/www/base/base_conf.php.dist /var/www/base/base_conf.php
[root@www ~]#vi /var/www/base/base_conf.php
# line 50: PATH to BASE
$BASE_urlpath = '/base';
# line 80: PATH to adodb
$DBlib_path = '/usr/share/php/adodb';
# line 102: change for your environment
# snort database
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
# username for snort database
$alert_user = 'snort';
# DB password for snort
$alert_password = 'password';
[root@www ~]#vi /etc/httpd/conf.d/base.conf
# Create new
Alias /base /var/www/base
[root@www ~]#/etc/rc.d/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
Click the "Create BASE AG" button at the upper right.
After the setup finishes, click "Main page" to go to the main page.