Snort - Network based IDS
2011/06/05 |
Instal Snort that is Network based IDS ( Intrusion Detection System ).
MySQL is also required.
|
|
[1] | Install required packages first. |
[root@dlp ~]# yum --enablerepo=epel -y install gcc make rpm-build autoconf automake flex libpcap-devel bison libdnet libdnet-devel mysql-devel pcre-devel php-mysql # install from EPEL
|
[2] | Install Daq first. Make sure latest version on Snort site and download it. |
[root@dlp ~]#
[root@dlp ~]# wget http://www.snort.org/downloads/858 -O daq-0.5-1.src.rpm rpm -Uvh daq-0.5-1.src.rpm 1:daq warning: user rjordan does not exist - using root warning: group rjordan does not exist - using root ########################################### [100%] warning: user rjordan does not exist - using root warning: group rjordan does not exist - using root [root@dlp ~]# cd rpmbuild/SPECS [root@dlp SPECS]# sed -i 's/\/lib\//\/lib64\//g' daq.spec [root@dlp SPECS]# rpmbuild -bb daq.spec [root@dlp SPECS]# rpm -Uvh ../RPMS/x86_64/daq-0.5-1.x86_64.rpm Preparing... ########################################### [100%] 1:daq ########################################### [100%] |
[3] | Install Snort. Make sure latest version on Snort site and download it. |
[root@dlp ~]#
[root@dlp ~]# wget http://www.snort.org/downloads/865 -O snort-2.9.0.5-1.src.rpm rpm -Uvh snort-2.9.0.5-1.src.rpm 1:snort warning: user ssturges does not exist - using root warning: group ssturges does not exist - using root ########################################### [100%] warning: user ssturges does not exist - using root warning: group ssturges does not exist - using root [root@dlp ~]# cd rpmbuild/SPECS
[root@dlp SPECS]#
vi snort.spec # near line 280: change like follows SNORT_BASE_CONFIG="--prefix=%{_prefix} \ --bindir=%{_sbindir} \ --sysconfdir=%{_sysconfdir}/snort \ --with-libpcap-includes=%{_includedir} \ --enable-decoder-preprocessor-rules --enable-targetbased \ --enable-zlib \ --enable-ipv6 \ --enable-normalizer \ --with-mysql-lib=/usr/lib64/mysql rpmbuild -bb --with mysql snort.spec [root@dlp SPECS]# rpm -Uvh ../RPMS/x86_64/snort-2.9.0.5-1.x86_64.rpm ../RPMS/x86_64/snort-mysql-2.9.0.5-1.x86_64.rpm Preparing... ########################################### [100%] 1:snort ########################################### [ 50%] 2:snort-mysql ########################################### [100%] |
[4] | Create a database for Snort |
[root@dlp ~]# mysql -u root -p Enter password: Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 4 Server version: 5.1.52 Source distribution Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved. This software comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to modify and redistribute it under the GPL v2 license Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
create database snort; Query OK, 1 row affected (0.00 sec)
mysql>
grant all privileges on snort.* to snort@localhost identified by 'password'; Query OK, 0 rows affected (0.00 sec)
mysql>
mysql> flush privileges; Query OK, 0 rows affected (0.00 sec) exit Bye [root@dlp ~]# mysql -u snort -p snort < /usr/share/snort-*/schemas/create_mysql Enter password: DB password for snort user |
[5] | Configure Snort |
[root@dlp ~]#
vi /etc/snort/snort.conf # line 39: change to internal network ipvar HOME_NET 10.0.0.0/24
# line 177: make it comment # dynamicdetection directory /usr/local/lib/snort_dynamicrules
# line 376: add settings for DB output database: log, mysql, user=snort password=password dbname=snort host=localhost
[root@dlp ~]#
vi /etc/sysconfig/snort # line 69: make it comment ( output logs into MySQL ) # ALERTMODE=fast
[root@dlp ~]#
vi /etc/logrotate.d/snort # line 4: change like follows ( remove unnecesarry section ) /var/log/snort/alert /var/log/snort/*log { |
[6] | Register to Snort site to get rule files on Snort site first. After registration, Download rule files from this link. ( select "snortrules-snapshot-xxxx.tar.gz" under "Registered User Release" ) |
[root@dlp ~]# tar zxvf snortrules-snapshot-2905.tar.gz [root@dlp ~]# cp rules/* /etc/snort/rules/ [root@dlp ~]# rm -rf rules snortrules-snapshot-2905.tar.gz [root@dlp ~]# /etc/rc.d/init.d/snortd start Starting snort: Spawning daemon child... My daemon child 19430 lives... Daemon parent exiting [ OK ]
|
[7] | Install BASE that you can watch Snort's logs on Web browser. |
[root@dlp ~]#
[root@dlp ~]# wget http://jaist.dl.sourceforge.net/sourceforge/secureideas/base-1.4.5.tar.gz tar zxvf base-1.4.5.tar.gz [root@dlp ~]# mv base-1.4.5 /var/www/base [root@dlp ~]# chown -R apache. /var/www/base [root@dlp ~]# cp /var/www/base/base_conf.php.dist /var/www/base/base_conf.php
[root@dlp ~]#
vi /var/www/base/base_conf.php # line 50: PATH to BASE $BASE_urlpath = ' /base ';
# line 80: PATH to adodb $DBlib_path = ' /usr/share/php/adodb ';
# line 102: change for your env # snort database $alert_dbname = ' snort ';$alert_host = 'localhost'; $alert_port = ''; # username for snort database $alert_user = ' snort ';# DB password for snort $alert_password = ' password ';
[root@dlp ~]#
vi /etc/httpd/conf.d/base.conf # Create new Alias /base /var/www/base <Directory /var/www/base/> Order Deny,Allow Deny from all Allow from 127.0.0.1 10.0.0.0/24 </Directory> /etc/rc.d/init.d/httpd restart Stopping httpd: [ OK ] Starting httpd: [ OK ] |
[8] | Access to "http://(hostname or IP address)/base/" and click "Setup page". |
[9] | Click "Create BASE AG" button on upper right. |
[10] | Click "Main page" to move after finishing setup like follows. |
[11] | This is main site of BASE. It's possible to watch Snort's logs on here. |