Snort Installation

Snort IDS, IPS Setup

Snort is a powerful intrusion detection/prevention system. This is a three-part series covering the installation of Snort, automatic rule-set updates via PulledPork, the configuration of Barnyard2 (which processes Snort’s unified2 output), and the installation of Snorby, a web front-end GUI for analyzing the resulting alerts.

Prior to installing Snort it is important to have accurate time configured. Check the current date with the command:

Install and test NTP server

date
yum install -y ntpdate
ntpdate 0.us.pool.ntp.org

Before installing Snort and Snorby you will need Ruby, ImageMagick, Rails, and Wkhtmltopdf

yum -y groupinstall "Development Tools"
yum install -y openssl-devel readline-devel libxml2-devel libxslt-devel mysql mysql-devel mysql-libs mysql-server urw-fonts libX11-devel libXext-devel qconf fontconfig-devel libXrender-devel unzip wget gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel tcpdump mysql mysql-server mysql-devel git libtool curl man libdnet libdnet-devel

Next we need to install more dependencies.

wget http://pkgs.repoforge.org/libdnet/libdnet-1.11-1.1.el3.rf.x86_64.rpm
wget http://pkgs.repoforge.org/libdnet/libdnet-devel-1.11-1.1.el3.rf.x86_64.rpm

Use the rpm command to install the dependencies we just downloaded.

rpm -i libdnet-1.11-1.1.el3.rf.x86_64.rpm 
rpm -i libdnet-devel-1.11-1.1.el3.rf.x86_64.rpm

Install Snort

We start by downloading the tar.gz files from Snort.org and tcpdump.org

wget https://www.snort.org/downloads/snort/daq-2.0.4.tar.gz
wget https://www.snort.org/downloads/snort/snort-2.9.7.0.tar.gz
wget http://www.tcpdump.org/release/libpcap-1.6.2.tar.gz

We start with libpcap:

tar -xzvf libpcap-1.6.2.tar.gz
cd libpcap-1.6.2
./configure
make
make install

Then we move on to the DAQ:

tar -xzvf daq-2.0.4.tar.gz
cd daq-2.0.4
./configure
make 
make install

Finally we install Snort:

tar -xzvf snort-2.9.7.0.tar.gz
cd snort-2.9.7.0
./configure --enable-sourcefire
make
make install

I recommend signing up on Snort.org to get the registered rules. You’ll receive something called an Oinkcode. The Oinkcode acts as an API key for downloading rule packages from the URLs provided by Snort.

Download and extract the Community Rules:

wget https://www.snort.org/downloads/community/community-rules.tar.gz
tar -xvf community-rules.tar.gz -C /etc/snort/rules

Download the registered rules. Be aware of which file you need. It depends on which version of Snort you’re running. In this case, I am running 2.9.6.2 so I am looking for the snort rules which contain the numbers 2962:

wget "https://www.snort.org/rules/snortrules-snapshot-2970.tar.gz?oinkcode=<your_oinkcode>" --no-check-certificate
wget "https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=<your_oinkcode>" --no-check-certificate
mkdir -p /etc/snort/rules
tar -xzvf snortrules-snapshot-2970.tar.gz -C /etc/snort/rules
tar -xzvf snortrules-snapshot-2962.tar.gz -C /etc/snort/rules

Paste your Oinkcode after the = sign in place of <your_oinkcode>. Treat it like a password: it is tied to your Snort.org account.

Now we need to add snort user and group

groupadd snort
useradd -g snort snort -s /sbin/nologin

Create the Snort directories and set their ownership.

mkdir /var/log/snort
mkdir /usr/local/lib/snort_dynamicrules

chown -R snort:snort /var/log/snort
chown -R snort:snort /etc/snort
chown -R snort:snort /usr/local/lib/snort_dynamicrules

Locate and Modify the snort.conf file

cp ~/snort-2.9.7.0/etc/* /etc/snort/
touch /etc/snort/rules/black_list.rules
touch /etc/snort/rules/white_list.rules
nano /etc/snort/snort.conf

There are many changes to make here. You can download an example of my snort.conf file and modify it to your environment. Some of the values are as follows. Just search for them in your configuration file:

ipvar HOME_NET 137.215.69.0/24

var RULE_PATH /etc/snort/rules/rules
var SO_RULE_PATH /etc/snort/rules/so_rules
var PREPROC_RULE_PATH /etc/snort/rules/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

Comment out these 5 lines:

#preprocessor normalize_ip4                                       
#preprocessor normalize_tcp: ips ecn stream
#preprocessor normalize_icmp4
#preprocessor normalize_ip6
#preprocessor normalize_icmp6

Modify the Output string under Step 6 of the snort.conf file:

output unified2: filename snort.log, limit 128

Test Snort

snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf

If you get this error:

snort: error while loading shared libraries: libdnet.1: cannot open shared object file: No such file or directory

Type in the following commands:

/sbin/ldconfig
updatedb

Installing PulledPork

Before you begin configuring PulledPork, I recommend you register on Snort.org because you will need the Oinkcode. The Oinkcode will be placed in some of the URLs we will be configuring in PulledPork’s configuration file.

yum -y install perl-libwww-perl perl-Crypt-SSLeay perl-Archive-Tar
wget https://pulledpork.googlecode.com/files/pulledpork-0.7.0.tar.gz
tar -zxf pulledpork-0.7.0.tar.gz
cd pulledpork-0.7.0
cp pulledpork.pl /usr/sbin
chmod 755 /usr/sbin/pulledpork.pl
cp etc/* /etc/snort/

In the above commands, you have downloaded PulledPork, extracted it and copied files to their proper directories.

nano /etc/snort/pulledpork.conf

On these two lines, replace the value after the last | with your Oinkcode:

rule_url=https://www.snort.org/snort-rules/|snortrules-snapshot.tar.gz|<your_oinkcode>
rule_url=https://www.snort.org/snort-rules/|opensource.tar.gz|<your_oinkcode>

Within the pulledpork.conf file, make the following changes:

snort_path=/usr/sbin/snort
rule_path=/etc/snort/rules/rules/snort.rules
out_path=/etc/snort/rules/rules/
local_rules=/etc/snort/rules/rules/local.rules
sid_msg=/etc/snort/rules/rules/sid-msg.map
config_path=/etc/snort/snort.conf
distro=Centos-5-4
black_list=/etc/snort/rules/black_list.rules

Comment this:

#IPRVersion=/usr/local/etc/snort/rules/iplists
snort_control=/usr/bin/snort_control

Uncomment those and change them:

enablesid=/etc/snort/enablesid.conf
dropsid=/etc/snort/dropsid.conf
disablesid=/etc/snort/disablesid.conf
modifysid=/etc/snort/modifysid.conf

Verify PulledPork

pulledpork.pl -vv -c /etc/snort/pulledpork.conf -T -l

Add PulledPork to Crontab

nano /etc/crontab

Add this line

0 0 * * * root /usr/sbin/pulledpork.pl -c /etc/snort/pulledpork.conf

Install Barnyard2

mkdir /var/log/barnyard2
mkdir /usr/local/src/firnsy-barnyard2
cd /usr/local/src/firnsy-barnyard2
wget https://github.com/firnsy/barnyard2/archive/v2-1.13.tar.gz
tar -zxvf v2-1.13.tar.gz
cd barnyard2-2-1.13
autoreconf -fvi -I ./m4
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql/
make
make install

Configure barnyard2.conf

nano /usr/local/etc/barnyard2.conf

Set the following

config logdir: /var/log/snort
config interface: eth0
config daemon
config waldo_file: /etc/snort/barnyard2-log.waldo
input unified2
output alert_full
output log_tcpdump: tcpdump.log
output database: log, mysql, user=snort password=snort dbname=snort host=localhost

Then copy the configuration into place:

cp /usr/local/etc/barnyard2.conf /etc/snort/barnyard2.conf

Create startup scripts

cd /usr/local/src/firnsy-barnyard2/barnyard2-2-1.13
cp rpm/barnyard2 /etc/init.d/
chmod +x /etc/init.d/barnyard2
cp rpm/barnyard2.config /etc/sysconfig/barnyard2
chkconfig --add barnyard2
chkconfig barnyard2 on

Modify the file /etc/sysconfig/barnyard2

LOG_FILE="snort.log"
SNORTDIR="/var/log/snort"
INTERFACES="eth0"
CONF=/etc/snort/barnyard2.conf
EXTRA_ARGS=""

MySQL server setup:

service mysqld start
/usr/bin/mysql_secure_installation
mysql -u root -p
create database snort;
grant all on snort.* to snort@localhost;
set password for snort@localhost=password('snort');
use snort;
source /usr/local/src/firnsy-barnyard2/barnyard2-2-1.13/schemas/create_mysql
show tables;
flush privileges;
exit  

chkconfig --add mysqld
chkconfig mysqld on
touch /etc/snort/barnyard2-log.waldo

Test barnyard2:

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/barnyard2-log.waldo -D
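Barnyard2 is needed because the unified2 files Snort writes (the output unified2 line set earlier) are a binary record stream, not text. The parser below is an added example, not code from this page, Snort or Barnyard2; it decodes the legacy IDS event record (type 7) and the packet record (type 2) using the layouts from Snort's Unified2Common.h, reports other record types (VLAN/IPv6 variants) as unknown, and refuses truncated data the way a log consumer must. Function names are my own and the sample stream is constructed inline.

```python
import struct

UNIFIED2_PACKET = 2      # record type ids from Snort's Unified2Common.h
UNIFIED2_IDS_EVENT = 7

# Fixed-size layouts, all fields big-endian (network byte order, as Snort writes them).
EVENT_FMT = ">IIIIIIIIIIIHHBBBB"   # 52 bytes
EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision", "classification_id",
                "priority_id", "ip_source", "ip_destination", "sport_itype", "dport_icode",
                "protocol", "impact_flag", "impact", "blocked")
PACKET_FMT = ">IIIIIII"            # 28 bytes, then packet_length bytes of raw packet
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")

def ipv4(n):
    return ".".join(str((n >> s) & 0xff) for s in (24, 16, 8, 0))

def parse_unified2(data):
    """Walk a unified2 byte stream and return one dict per record."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 8:
            raise ValueError("truncated record header at offset %d" % off)
        rtype, rlen = struct.unpack_from(">II", data, off)
        body = data[off + 8:off + 8 + rlen]
        if len(body) != rlen:
            raise ValueError("truncated record body at offset %d" % off)
        if rtype == UNIFIED2_IDS_EVENT:
            rec = dict(zip(EVENT_FIELDS, struct.unpack_from(EVENT_FMT, body)), type="event")
            rec["ip_source"], rec["ip_destination"] = ipv4(rec["ip_source"]), ipv4(rec["ip_destination"])
        elif rtype == UNIFIED2_PACKET:
            rec = dict(zip(PACKET_FIELDS, struct.unpack_from(PACKET_FMT, body)), type="packet")
            rec["data"] = body[28:28 + rec["packet_length"]]
        else:
            rec = {"type": "unknown", "record_type": rtype, "length": rlen}
        records.append(rec)
        off += 8 + rlen
    return records

def sample_stream():
    """Constructed sample: one IDS event (sid 1000001, ICMP echo 10.0.0.5 -> 10.0.0.9) plus its packet."""
    event = struct.pack(EVENT_FMT, 0, 1, 1420070400, 0, 1000001, 1, 1, 0, 3,
                        0x0A000005, 0x0A000009, 8, 0, 1, 0, 0, 0)
    pkt_data = b"\x08\x00\xf7\xff"  # constructed ICMP header bytes, not a real capture
    packet = struct.pack(PACKET_FMT, 0, 1, 1420070400, 1420070400, 0, 1, len(pkt_data)) + pkt_data
    return (struct.pack(">II", UNIFIED2_IDS_EVENT, len(event)) + event +
            struct.pack(">II", UNIFIED2_PACKET, len(packet)) + packet)
```

To inspect a real file, pass the contents of /var/log/snort/snort.log.<timestamp> to parse_unified2 and compare the signature_id values with the sid-msg.map PulledPork maintains.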

Snorby Installation

Get The Snorby code from git:

git clone http://github.com/Snorby/snorby.git
cd snorby
bundle install

Edit Snorby configuration config/database.yml:

snorby: &snorby
    adapter: mysql
    username: root
    password: MYSQLPASS
    host: localhost
development:
    database: snorby
    <<: *snorby
test:
    database: snorby
    <<: *snorby
production:
    database: snorby
    <<: *snorby

Modify config/snorby_config.yml

development:
domain: localhost:3000
wkhtmltopdf: /Users/mephux/.rvm/gems/ruby-1.9.2-p0/bin/wkhtmltopdf
mailer_sender: 'snorby@snorby.org'
rules:
    - "/Users/mephux/.snort/rules"
    - "/Users/mephux/.snort/so_rules"
test:
    domain: localhost:3000
    wkhtmltopdf: /usr/local/bin/wkhtmltopdf
    mailer_sender: 'snorby@snorby.org'


production:
    domain: 'demo.snorby.org'
    wkhtmltopdf: /path/to/wkhtmltopdf
    mailer_sender: 'snorby@snorby.org'
    rules:
        - "/path/to/rules/folder"
        - "/path/to/so_rules/folder"

Another way to install Snort and Snorby

Snort Installation

wget http://pkgs.repoforge.org/libdnet/libdnet-1.11-1.1.el3.rf.x86_64.rpm
wget http://pkgs.repoforge.org/libdnet/libdnet-devel-1.11-1.1.el3.rf.x86_64.rpm
rpm -i libdnet-1.11-1.1.el3.rf.x86_64.rpm 
rpm -i libdnet-devel-1.11-1.1.el3.rf.x86_64.rpm

yum install -y https://www.snort.org/downloads/snort/daq-2.0.2-1.centos6.x86_64.rpm
yum install -y https://www.snort.org/downloads/snort/snort-2.9.6.2-1.centos6.x86_64.rpm

or

yum install -y http://sourceforge.net/projects/snort.mirror/files/Snort%202.9.6.2/daq-2.0.2-1.centos6.x86_64.rpm
yum install -y http://sourceforge.net/projects/snort.mirror/files/Snort%202.9.6.2/snort-2.9.6.2-1.centos6.x86_64.rpm

Download and extract the Community Rules:

wget https://www.snort.org/downloads/community/community-rules.tar.gz
tar -xvf community-rules.tar.gz -C /etc/snort/rules

Download the registered rules. Be aware of which file you need. It depends on which version of Snort you’re running. In this case, I am running 2.9.6.2 so I am looking for the snort rules which contain the numbers 2962:

wget "https://www.snort.org/rules/snortrules-snapshot-2970.tar.gz?oinkcode=<your_oinkcode>" --no-check-certificate
wget "https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=<your_oinkcode>" --no-check-certificate
mkdir -p /etc/snort/rules
tar -xzvf snortrules-snapshot-2970.tar.gz -C /etc/snort/rules
tar -xzvf snortrules-snapshot-2962.tar.gz -C /etc/snort/rules

Modify the ownership of the Snort directories.

cd /etc/snort
chown -R snort:snort *

Locate and Modify the snort.conf file

cd /etc/snort
nano snort.conf

Set these values:

var RULE_PATH /etc/snort/rules
ipvar HOME_NET any #or set to a network such as 172.21.0.0/16
ipvar EXTERNAL_NET !$HOME_NET
var SO_RULE_PATH /etc/snort/rules/so_rules
var PREPROC_RULE_PATH /etc/snort/rules/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
output unified2: filename snort.log, limit 128
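HOME_NET and EXTERNAL_NET decide whether most rules can fire at all: with HOME_NET left as any, every address is "home", and EXTERNAL_NET !$HOME_NET then negates any, which leaves it without a usable value. The checker below is an added example (not from this page and not part of Snort); it reads the ipvar/var definitions from snort.conf text, reports that combination, and flags HOME_NET entries that are not valid networks, which snort -T reports only as a parse error without context. Function names are my own and the configuration text used in testing is constructed.

```python
import ipaddress
import re

# Matches "ipvar NAME value", "var NAME value" or "portvar NAME value"; a trailing "# comment" is ignored.
VAR_RE = re.compile(r"^\s*(ipvar|portvar|var)\s+(\S+)\s+(.+?)\s*(?:#.*)?$")

def parse_snort_vars(conf_text):
    """Collect variable definitions from snort.conf text into {name: value}."""
    found = {}
    for line in conf_text.splitlines():
        m = VAR_RE.match(line)
        if m:
            found[m.group(2)] = m.group(3)
    return found

def bad_networks(value):
    """Return the entries of an ipvar value that are not valid IP networks."""
    bad = []
    for entry in value.strip("[]").replace(" ", "").split(","):
        token = entry.lstrip("!")
        if token in ("", "any") or token.startswith("$"):
            continue  # keyword or reference to another variable, nothing to validate
        try:
            ipaddress.ip_network(token, strict=False)
        except ValueError:
            bad.append(entry)
    return bad

def check_net_vars(conf_text):
    """Findings about HOME_NET / EXTERNAL_NET that a bare snort -T run does not explain."""
    v = parse_snort_vars(conf_text)
    findings = []
    home, ext = v.get("HOME_NET"), v.get("EXTERNAL_NET")
    if home is None:
        findings.append("HOME_NET is not defined")
    elif home == "any":
        findings.append("HOME_NET is any: rules keyed on $HOME_NET match every address")
        if ext and ext.replace(" ", "") == "!$HOME_NET":
            findings.append("EXTERNAL_NET is !$HOME_NET with HOME_NET any: negating any gives no usable value")
    else:
        for entry in bad_networks(home):
            findings.append("HOME_NET entry is not a valid network: " + entry)
    return findings
```

Run check_net_vars(open("/etc/snort/snort.conf").read()) before the snort -T test below; an empty list means the two variables are at least self-consistent.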

Test snort:

snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf

Install ImageMagick

yum install -y ImageMagick

Download and Install Wkhtmltopdf

Wkhtmltopdf is used by Snorby to create reports. First download some prerequisites for Wkhtmltopdf:

yum -y install xz urw-fonts libXext openssl-devel libXrender xorg-x11-fonts-75dpi

Install Wkhtmltopdf

wget http://sourceforge.net/projects/wkhtmltopdf/files/0.12.2.1/wkhtmltox-0.12.2.1_linux-centos6-amd64.rpm/download
mv download wkhtmltox-0.12.2.1_linux-centos6-amd64.rpm
rpm -Uvh wkhtmltox-0.12.2.1_linux-centos6-amd64.rpm
export PATH=$PATH:/usr/local/bin
echo 'export PATH=$PATH:/usr/local/bin' >> /etc/bashrc

You can verify the installation by running this command:

wkhtmltopdf http://www.google.com google.pdf

Install Ruby

First the prerequisites:

yum -y install libxslt-devel libxml2-devel gdbm-devel libffi-devel zlib-devel openssl-devel libyaml-devel readline-devel curl-devel openssl-devel pcre-devel git memcached-devel valgrind-devel mysql-devel ImageMagick-devel libyaml-devel
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm

I’ll be installing Ruby with RVM:

curl -L get.rvm.io | bash -s stable 

Set up the RVM environment:

source /etc/profile.d/rvm.sh

Install Ruby version 1.9.3 which is required for Snorby:

rvm install 1.9.3
rvm use 1.9.3 --default

Install RubyGems

rvm rubygems current

Install Rails

gem install rails

Install Snorby

yum -y install httpd
service httpd start
chkconfig --add httpd
chkconfig httpd on
gem install bundler
cd /var/www/html
mkdir snorby
cd snorby
wget -O snorby.zip --no-check-certificate https://github.com/Snorby/snorby/archive/master.zip
unzip snorby.zip
mv snorby-master/* .

Create a database for Snorby

mysql -u root -p
create database snorby;
create user 'snorby'@'localhost' identified by 'snorby';
grant all on snorby.* to 'snorby'@'localhost';
flush privileges;
exit 
cp config/database.yml.example config/database.yml
nano config/database.yml

In database.yml, under the snorby: &snorby section, change the username and password to the snorby user and password created above.

Edit Gemfile

nano Gemfile

Snort and Snorby on debian

As a first step we’re going to install Snort. Luckily it’s in the repos, so we can just apt-get it. I’m going to go with the snort-mysql package, which gives Snort MySQL database support. So first let’s get a MySQL server up and running:

apt-get update
apt-get upgrade -y
apt-get install mysql-server mysql-client

Then we can get Snort up:

apt-get install snort-mysql

This will ask a few questions and it doesn’t matter what you answer as we’ll have to reconfigure it after Snorby has been installed anyway.

Moving on to installing Snorby. Prerequisites:

apt-get install libyaml-dev git-core default-jre imagemagick libmagickwand-dev wkhtmltopdf build-essential libssl-dev libreadline-gplv2-dev zlib1g-dev <linux-headers-686-pae> libsqlite3-dev libxslt1-dev libxml2-dev libmysqlclient-dev libmysql++-dev apache2-prefork-dev libcurl4-openssl-dev ruby ruby-dev

Don’t forget to use the linux headers for your kernel’s architecture…

gem install bundler rails 
gem install rake --version=0.9.2
cd /var/www/

Download the source for the application.

git clone http://github.com/Snorby/snorby.git
cd /var/www/snorby/config/

Set up configuration files.

cp database.yml.example database.yml
cp snorby_config.yml.example snorby_config.yml
sed -i s/"\/usr\/local\/bin\/wkhtmltopdf"/"\/usr\/bin\/wkhtmltopdf"/g snorby_config.yml

Tell snorby the mysql database name, user and password that it should use.

nano database.yml

At this point you should also create the user and the database. I just used phpmyadmin, but it shouldn’t be too hard to create a new user from the command line.

cd /var/www/snorby/

Let’s install it.

bundle install --deployment
bundle exec rake snorby:setup

At this point Snorby should start when you type:

bundle exec rails server -e production -b 127.0.0.1

If you point your browser to

http://localhost:3000

the Snorby WebUI should pop up. You can access it with the default credentials:

snorby@snorby.org
snorby

Now if you look around the site you’ll notice that Snorby isn’t getting any data just yet. So we’ll have to configure Snort!

dpkg-reconfigure snort-mysql
mv /etc/snort/db-pending-config /etc/snort/db-pending-config_no_more
service snort start

cd /etc/init.d/
nano snorby

A simple script like this should do the trick:

#!/bin/bash
cd /var/www/snorby && bundle exec rails server -e production &

Let’s put it to start in runlevel 2:

chmod +x snorby
update-rc.d -f snorby start 2
