Snort

In this small presentation I have presented how to install Snort along with BASE to the Indian Linux User's Group, Chennai (ILUGC).


  1. Snort Installation & Rule Creation
     ● By Balasubramaniam Natarajan
     ● bala150985 AT gmail [DOT] com
     ● www.etutorshop.com/moodle

  2. Introduction
     ● Snort is a signature-based intrusion detection / intrusion prevention system (IDS/IPS).
     ● We are going to look at the IDS component of Snort only.
     ● I am installing Snort inside a VM.
     22/04/12 Balasubramaniam Natarajan bala150985 AT gmail DOT com
  3. Let's Install Snort
     ● We will add a user called snort (for a sensor that never logs in, a system account with no login shell is preferable):
       # useradd snort
     ● We will create the directories where we want Snort installed:
       # mkdir -p /var/scripts
       # mkdir -p /usr/local/lib/snort_dynamicrules
       # mkdir -p /store/snort/log
       # cd /store/snort
       # mkdir etc rules so_rules archive preproc_rules src

  4. Installation Continues
     ● Create a local.rules file for our own rules:
       # touch /store/snort/rules/local.rules
     ● Make the whole tree owned by user snort:
       # chown -R snort:snort /store/snort
     ● Install the build dependencies Snort needs:
       # apt-get install bison flex g++ libpcap0.8-dev libpcre3-dev libpcap-ruby zlib1g-dev
     ● Snort links against libraries installed under /usr/local/lib, so export this variable for it to start (adding the path to /etc/ld.so.conf.d/ and running ldconfig makes the setting permanent rather than per-shell):
       # export LD_LIBRARY_PATH=/usr/local/lib

  5. Installation Continues
     ● Get Snort and DAQ from http://www.snort.org/snort-downloads
     ● Get libdnet from http://libdnet.sourceforge.net/
     ● Get Oinkmaster from http://oinkmaster.sourceforge.net/download.shtml
     ● Move all of them to /store/snort/src, then untar and install each one; build libdnet and DAQ before Snort, because Snort's configure looks for both:
       # tar -xzvf <package.tar>; ./configure; make; make install
  6. Download Snort Rules
     ● We will use wget to download the Snort rules:
       # wget http://www.snort.org/sub-rules/snortrules-snapshot-2910.tar.gz/7c2ce5593e7cc40balad21792725ee08e56d1c5450fe -O /store/snort/archive/snortrules-snapshot-2910.tar.gz
     ● You need an Oinkcode to download, so subscribe and use your own. The code at the end of the URL is tied to your snort.org account and should be treated as a credential: keep it out of shared scripts and slides.

  7. Move Rules to the Appropriate Place
     ● Untar the archive and copy the pieces into the Snort directories:
       # cd /store/snort/archive
       # tar xvf snortrules-snapshot-2910.tar.gz
       # cp etc/* /store/snort/etc
       # cp preproc_rules/* /store/snort/preproc_rules/
     ● Create the (initially empty) reputation lists that snort.conf refers to:
       # touch /store/snort/rules/black_list.rules
       # touch /store/snort/rules/white_list.rules
     ● # gedit /store/snort/rules/emerging-current_events.rules
       Change all !$DNS_SERVERS to $DNS_SERVERS (Snort 2.9 refuses a negated variable whose value is "any").
     ● Select the precompiled shared-object rules that match your OS, architecture and exact Snort version; they are compiled per version and will not load under a different one:
       # cp /store/snort/archive/so_rules/precompiled/Ubuntu-10-4/i386/2.9.0.5/* /usr/local/lib/snort_dynamicrules/
       # cp /store/snort/archive/so_rules/*rules /store/snort/so_rules/
  8. Editing the snort.conf File
     ● We are running in IDS mode, so comment out the inline-normalization (IPS) preprocessors:
       #preprocessor normalize_ip4
       #preprocessor normalize_tcp: ips ecn stream
       #preprocessor normalize_icmp4
       #preprocessor normalize_ip6
       #preprocessor normalize_icmp6
     ● Point the path variables at our tree:
       var RULE_PATH /store/snort/rules
       var SO_RULE_PATH /store/snort/so_rules
       var PREPROC_RULE_PATH /store/snort/preproc_rules
       var WHITE_LIST_PATH /store/snort/rules
       var BLACK_LIST_PATH /store/snort/rules

  9. Editing snort.conf, continued
     ● Add some Emerging Threats rule files:
       include $RULE_PATH/emerging-trojan.rules
       include $RULE_PATH/emerging-user_agents.rules
       include $RULE_PATH/emerging-virus.rules
       include $RULE_PATH/emerging-voip.rules
       include $RULE_PATH/emerging-web_client.rules
       include $RULE_PATH/emerging-web_server.rules
       include $RULE_PATH/emerging-web_specific_apps.rules
       include $RULE_PATH/emerging-worm.rules
     ● Create a small Snort rules update script:
       #!/bin/bash
       set -e   # stop here if the download fails; wget -O truncates the archive even on failure, and oinkmaster would otherwise merge an empty file
       wget -q http://www.snort.org/sub-rules/snortrules-snapshot-2910.tar.gz/7c2ce5593e7cc40balad21792725ee08e56d1c5450fe -O /store/snort/archive/snortrules-snapshot-2910.tar.gz
       oinkmaster.pl -o /store/snort/rules/ -Q
  10. Snort Rules Updating
     ● Make the script executable:
       # chmod 755 /var/scripts/sn0rt_update.sh
     ● Add a cron entry (runs at 00:23 and 12:23 every day):
       23 0,12 * * * /var/scripts/sn0rt_update.sh
     ● Edit /usr/local/etc/oinkmaster.conf and add these two rule URLs:
       url = http://rules.emergingthreats.net/open-nogpl/snort-2.9.1/emerging.rules.tar.gz
       url = file:///store/snort/archive/snortrules-snapshot-2910.tar.gz
     ● Disable a few ET rules that Snort 2.9 will not parse ("!any" is not allowed):
       # ET (!any not allowed in snort 2.9)
       disablesid 2011802,2003195,2000328,2002087
     ● Run Oinkmaster manually once:
       # oinkmaster.pl -o /store/snort/rules/
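The update script on slide 9 and the cron/Oinkmaster steps on slide 10 have two gaps a practitioner would close: wget -O overwrites the archive even when the download fails (expired Oinkcode, 404, truncated transfer), and nothing checks that Snort still parses the merged rule set before the sensor picks it up. The script below is an added example written for this page, not the deck's sn0rt_update.sh; it keeps the deck's paths and the same snapshot name, but reads the Oinkcode from a root-only file /store/snort/etc/oinkcode (a location chosen here, not on the slides), downloads into a temporary file, replaces the archive only if the result is a real tarball, runs `snort -T` to validate the configuration, and only then signals the running sensor. The PID file name /var/run/snort_eth0.pid is an assumption for a sensor started with the deck's `-i eth0`; adjust it to your setup.

```shell
#!/bin/sh
# Hardened rule-update script for the deck's layout (added example, not the deck's sn0rt_update.sh).
# Assumptions: paths as on the slides; the Oinkcode lives in a root-only file instead of the
# script itself; a running sensor's PID file is /var/run/snort_eth0.pid (adjust to your setup).
set -eu

ARCHIVE_DIR=${ARCHIVE_DIR:-/store/snort/archive}
RULES_DIR=${RULES_DIR:-/store/snort/rules}
SNORT_CONF=${SNORT_CONF:-/store/snort/etc/snort.conf}
SNAPSHOT=snortrules-snapshot-2910.tar.gz
OINKCODE_FILE=${OINKCODE_FILE:-/store/snort/etc/oinkcode}   # chmod 600, contains only the code
PID_FILE=${PID_FILE:-/var/run/snort_eth0.pid}

# Return 0 only if FILE is non-empty and tar can list it as a gzip archive.
# A 404 page saved by wget, an empty file or a truncated download all fail this check.
is_rules_tarball() {
    f=$1
    [ -s "$f" ] && tar -tzf "$f" >/dev/null 2>&1
}

# Download into a temporary file and replace the archive only if the download is a real tarball,
# so a failed fetch never clobbers the last good snapshot.
fetch_snapshot() {
    oinkcode=$(tr -d '[:space:]' < "$OINKCODE_FILE")
    tmp=$(mktemp "$ARCHIVE_DIR/.$SNAPSHOT.XXXXXX")
    if wget -q "http://www.snort.org/sub-rules/$SNAPSHOT/$oinkcode" -O "$tmp" \
       && is_rules_tarball "$tmp"; then
        mv -f "$tmp" "$ARCHIVE_DIR/$SNAPSHOT"
        return 0
    fi
    rm -f "$tmp"
    echo "snapshot download failed or is not a tarball; keeping the previous archive" >&2
    return 1
}

# Merge the rules with Oinkmaster, then refuse to leave a broken config behind:
# snort -T parses the whole configuration and exits non-zero on any bad rule.
update_rules() {
    oinkmaster.pl -o "$RULES_DIR" -Q
    snort -q -T -u snort -c "$SNORT_CONF"
}

# Ask a running sensor to re-read its configuration (SIGHUP restarts Snort with the same arguments).
reload_sensor() {
    if [ -r "$PID_FILE" ]; then
        kill -HUP "$(cat "$PID_FILE")"
    fi
}

# Subcommands, so cron runs "all" while each step stays usable on its own
# (e.g. "update" after hand-editing local.rules). No argument: only define the functions.
case "${1:-}" in
    fetch)  fetch_snapshot ;;
    update) update_rules && reload_sensor ;;
    all)    fetch_snapshot && update_rules && reload_sensor ;;
    "")     ;;
    *)      echo "usage: $0 fetch|update|all" >&2; exit 2 ;;
esac
```

With this script the cron line becomes `23 0,12 * * * /var/scripts/sn0rt_update.sh all`; a failed download leaves the previous archive and rule set untouched, and a rule that Snort rejects stops the job at `snort -T` instead of taking the sensor down at the next restart.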
  11. Let Us Replay a pcap File
     ● Use the following to replay a capture through the IDS:
       # snort -r /tmp/example.pcap -c /store/snort/etc/snort.conf -l /store/snort/log -u snort
     ● Here:
       -r reads (replays) a pcap file instead of sniffing an interface.
       -c names the Snort configuration file to use.
       -l sets the directory Snort writes its alerts and logs to.
       -u drops privileges and runs Snort as user snort; the log directory must be writable by that user, which the earlier chown took care of.
  12. BASE Installation

  13. Installing Apache, PHP, BASE & MySQL
     ● To work with Snort's alerts in a usable way, we need the components that let us browse them through BASE:
       # apt-get install apache2 php5 php5-mysql php5-gd php-pear libmysqlclient16-dev
       # apt-get install mysql-server snort-mysql
     ● Once MySQL is installed, rebuild Snort with MySQL output support (then make; make install again, as on slide 5):
       /store/snort/src/snort-2.9.1# make clean
       /store/snort/src/snort-2.9.1# make distclean
       /store/snort/src/snort-2.9.1# reset && ./configure --with-mysql
     ● Configure Snort for MySQL logging in snort.conf; the user name and password must match the MySQL account created on the next slide:
       output database: log, mysql, user=snort password=snortpassword dbname=snort host=localhost
       (This direct database output plugin only exists up to Snort 2.9.2; from 2.9.3 on, Snort writes unified2 files and a separate spooler such as Barnyard2 loads them into the database.)
     ● Start Snort on the interface:
       # snort -u snort -c /store/snort/etc/snort.conf -i eth0
  14. Configure the MySQL Database
     ● Set root's password:
       # mysqladmin -u root password new_root_password
     ● Create the MySQL database that will receive the Snort logs:
       # mysql -u root -p
       > create database snort;
     ● Create a user with permissions on the snort DB only. The account must be the one named in the output database line of snort.conf (user=snort on the previous slide); the original slide created snortuser here, which does not match, so Snort would fail to connect:
       > grant all on snort.* to 'snort'@'localhost' identified by 'snortpassword';
     ● Reload the privileges and leave:
       > flush privileges;
       > exit;
     ● Create the tables inside the snort database from the schema shipped with the Snort source:
       # mysql -u root -p snort < /store/snort/src/snort-2.9.1/schemas/create_mysql
  15. Configuring & Installing BASE
     ● Download BASE from base.secureideas.net
     ● Untar it to /var/www/base/
     ● Download ADOdb from adodb.sourceforge.net/#download
     ● Untar it and move it to /var/www/base/adodb
     ● We will configure BASE using its web setup wizard.
  16. BASE Configuration
     ● Access http://localhost/base

  17. BASE config, continued
     ● Give the path to ADOdb

  18. BASE config, continued

  19. BASE Configuration
     ● Give an admin name

  20. BASE config, continued
     ● Step 4

  21. All Red, All Is Well :-)
  22. Rules Creation
     ● Snort rule creation is not that difficult once you understand what to look for.
     ● A rule has two parts: the header (action, protocol, source address and port, direction, destination address and port) and the body, the option list in parentheses (msg, content matches and their modifiers, classtype, sid, rev, ...).
     ● Here we detect if someone visits youtube.com.
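The rule the slide refers to was shown as an image and did not survive extraction, so what follows is an added example written for this page, not the presenter's rule: a local rule that alerts when a client in $HOME_NET sends an HTTP request whose Host header names youtube.com, together with a small shell checker for the header/body structure the slide describes. The msg text and sid 1000001 are choices made here; the checker only inspects syntax (it is not Snort), so the real test remains `snort -T` against the full configuration. A rule keyed on the Host header only sees cleartext HTTP: HTTPS sessions carry the site name in the TLS handshake instead and will not match this rule.

```shell
#!/bin/sh
# Added example (not from the deck): a local rule that fires on an HTTP request for youtube.com,
# and a shell linter for the two-part rule structure (header, then the option body in parentheses).
set -eu

# Header: action proto src_ip src_port direction dst_ip dst_port
# Body:   options separated by ';' inside ( ... ); each content match is refined by the modifiers
#         that follow it (http_header = search only the HTTP headers, nocase = case-insensitive).
YOUTUBE_RULE='alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL policy HTTP request to youtube.com"; flow:to_server,established; content:"Host|3A| "; http_header; nocase; content:"youtube.com"; http_header; nocase; classtype:policy-violation; sid:1000001; rev:1;)'

# Header is everything before the first '('; body is everything inside the outer parentheses.
rule_header() { printf '%s\n' "${1%%\(*}" | sed 's/[[:space:]]*$//'; }
rule_body()   { b=${1#*\(}; printf '%s\n' "${b%\)*}"; }

# Value of a numeric option such as sid or rev (empty if the rule does not set it).
rule_option() { printf '%s\n' "$1" | sed -n "s/.*[;(][[:space:]]*$2:[[:space:]]*\([0-9]*\);.*/\1/p"; }

# Check a candidate local rule for the mistakes that make snort -T fail or that collide with
# vendor rules. Prints each problem; returns 0 when clean, 1 otherwise.
lint_local_rule() {
    rule=$1 rc=0
    case "$rule" in
        *\(*\)*) ;;
        *) echo "no ( ... ) option body"; return 1 ;;
    esac
    hdr=$(rule_header "$rule")
    body=$(rule_body "$rule")

    set -- $hdr    # split the header into its fields; $HOME_NET etc. stay literal, no second expansion
    if [ $# -ne 7 ]; then
        echo "header needs 7 fields: action proto src_ip src_port -> dst_ip dst_port (got: $hdr)"; rc=1
    else
        case "$1" in alert|log|pass|drop|reject|sdrop) ;; *) echo "unknown action '$1'"; rc=1 ;; esac
        case "$5" in '->'|'<>') ;; *) echo "direction must be -> or <> (got '$5')"; rc=1 ;; esac
    fi

    case "$body" in *msg:*) ;; *) echo "missing msg"; rc=1 ;; esac
    case "$body" in *';') ;; *) echo "every option, including the last, must end with ';'"; rc=1 ;; esac

    sid=$(rule_option "$rule" sid)
    case "$sid" in
        '') echo "missing sid"; rc=1 ;;
        *)  [ "$sid" -ge 1000000 ] || { echo "sid $sid is in the range reserved for distributed rules; local rules use sid >= 1000000"; rc=1; } ;;
    esac
    [ -n "$(rule_option "$rule" rev)" ] || { echo "missing rev"; rc=1; }
    return $rc
}

# Append RULE to the local rules file (the deck's /store/snort/rules/local.rules) only if it passes the lint.
append_local_rule() {
    lint_local_rule "$1" && printf '%s\n' "$1" >> "${2:-/store/snort/rules/local.rules}"
}

lint_local_rule "$YOUTUBE_RULE" && echo "rule is well formed; add it with append_local_rule \"\$YOUTUBE_RULE\" and re-test the config with snort -T"
```

After appending the rule, make sure snort.conf has `include $RULE_PATH/local.rules`, run `snort -T -c /store/snort/etc/snort.conf`, and replay a capture containing a cleartext request to youtube.com with the `-r` command from slide 11 to confirm the alert shows up in the log directory (and in BASE once database logging is on).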
  23. Thank You
