Download as PDF, PPTX
![Snort Installation & Rule Creation
● By Balasubramaniam Natarajan
● bala150985 AT gmail [DOT] com
● www.etutorshop.com/moodle](https://image.slidesharecdn.com/snort-120422021030-phpapp01/75/Snort-1-2048.jpg)
More Related Content
Snort
- 1. Snort Installation &Rule Creation ● By Balasubramaniam Natarajan ● bala150985 AT gmail [DOT] com ● www.etutorshop.com/moodle
- 2. Introduction ● Snort is a Signature based Intrusion Detection Prevention System. ● We are going to see IDS component of Snort. ● I am getting Snort installed inside a VM. 22/04/12 Balasubramaniam Natarajan bala150985 AT gmail DOT com 2
- 3. Let's Install Snort ● We will add a user called Snort ● #useradd snort ● We will create directory where we want snort to be installed. ● #mkdir p /var/scripts ● #mkdir p /usr/local/lib/snort_dynamicrules ● #mkdir p /store/snort/log ● #cd /store/snort ● #mkdir etc; mkdir rules; mkdir so_rules; mkdir archive;mkdir preproc_rules; mkdir src; 22/04/12 Balasubramaniam Natarajan bala150985 AT gmail DOT com 3
- 4. Installation Continues ● Let us create a local.rules file for our own rules. ● #touch /store/snort/rules/local.rules ● Let us make all the folder owned by user snort ● #chown R snort:snort /store/snort ● Let install all that snort needs. ● #aptget install bison flex g++ libpcap0.8dev libpcre3dev libpcapruby zlib1gdev ● We need to export this Variable for snort to work ● #export LD_LIBRARY_PATH=/usr/local/lib 22/04/12 Balasubramaniam Natarajan bala150985 AT gmail DOT com 4
- 5. Installation Continues ● Let us get Snort and DAQ from ● http://www.snort.org/snortdownloads ● Let us get libdnet from ● http://libdnet.sourceforge.net/ ● Let us get Oinkmaster from ● http://oinkmaster.sourceforge.net/download.shtml ● Let us move all to /store/snort/src untar and install them ● #tar xzvf <package.tar>; ./configure; make; make install 22/04/12 Balasubramaniam Natarajan bala150985 AT gmail DOT com 5
- 6. Download Snort Rules ● We will wget to dowload snort rules. ● #wget http://www.snort.org/subrules/snortrulessnapshot 2910.tar.gz/7c2ce5593e7cc40balad21792725ee08e56d1c5450fe O /store/snort/archive/snortrules snapshot2910.tar.gz ● You would need Oinkcodes to download, so subscribe and download. 22/04/12 Balasubramaniam Natarajan bala150985 AT gmail DOT com 6
- 7. Move Rules toappropriate place ● Untar archive & cp into snort directory. ● #tar xvf snortrulessnapshot2910.tar.gz ● /store/snort/archive# cd etc ● /store/snort/archive/etc# cp * /store/snort/etc ● /store/snort/archive/etc# cd ../preproc_rules/ ● /store/snort/archive/preproc_rules# cp * /store/snort/preproc_rules/ ● # touch /store/snort/rules/black_list.rules ● # touch /store/snort/rules/white_list.rules ● #gedit /store/snort/rules/emergingcurrent_events.rules ● Change all !$DNS_SERVERS to $DNS_SERVERS ● Select rules as per OS Architecture ● #cp /store/snort/archive/so_rules/precompiled/Ubuntu104/i386/2.9.0.5/* /usr/local/lib/snort_dynamicrules/ ● #cp /store/snort/archive/so_rules/*rules /store/snort/so_rules/ 22/04/12 Balasubramaniam Natarajan bala150985 AT gmail DOT com 7
- 8. Editing snort.conf file ● We are running in IDS mode, comment out IPS #preprocessor normalize_ip4 #preprocessor normalize_tcp: ips ecn stream #preprocessor normalize_icmp4 #preprocessor normalize_ip6 #preprocessor normalize_icmp6 ● Fix certain variables var RULE_PATH /store/snort/rules var SO_RULE_PATH /store/snort/so_rules var PREPROC_RULE_PATH /store/snort/preproc_rules var WHITE_LIST_PATH /store/snort/rules var BLACK_LIST_PATH /store/snort/rules 22/04/12 Balasubramaniam Natarajan bala150985 AT gmail DOT com 8
- 9. Editing snort.conf filecont.. ● Let us add in some Emerging Threat Rules. include $RULE_PATH/emerging-trojan.rules include $RULE_PATH/emerging-user_agents.rules ● include $RULE_PATH/emerging-virus.rules include $RULE_PATH/emerging-voip.rules include $RULE_PATH/emerging-web_client.rules include $RULE_PATH/emerging-web_server.rules include $RULE_PATH/emerging-web_specific_apps.rules ● include $RULE_PATH/emerging-worm.rules ● Let us create a small Snort Rules update script. ● #!/bin/bash ● wget q http://www.snort.org/subrules/snortrulessnapshot 2910.tar.gz/7c2ce5593e7cc40balad21792725ee08e56d1c5450fe O /store/snort/archive/snortrules snapshot2910.tar.gz ● oinkmaster.pl o /store/snort/rules/ Q 22/04/12 Balasubramaniam Natarajan bala150985 AT gmail DOT com 9
- 10. Snort Rules updating ● Change the permissions of the script. ● #chmod 755 /var/scripts/sn0rt_update.sh ● Add a cronjob entry ● 23 0,12 * * * /var/scripts/sn0rt_update.sh ● Edit /urs/local/etc/oinkmaster.conf ● Add these two rule URLs: ● url = http://rules.emergingthreats.net/opennogpl/snort2.9.1/emerging.rules.tar.gz ● url = file:///store/snort/archive/snortrulessnapshot2910.tar.gz ● Ddisable a few noncompliant ET rules, #ET (! any not allowed in snort 2.9) ● Disablesid 2011802,2003195,2000328,2002087 ● Run Oinmaster.conf manually once. ● #oinkmaster.pl o /store/snort/rules/ 22/04/12 Balasubramaniam Natarajan bala150985 AT gmail DOT com 10
- 11. Let us replaya pcap file ● We use the following to replay ● #snort r /tmp/example.pcap c /store/snort/etc/snort.conf l /store/snort/log u snort ● Here ● r is for replaying a PCAP file. ● c is for using a snort configuration file. ● l is for showing which directory we need snort to log alerts on to. ● u is for running snort as user snort. 22/04/12 Balasubramaniam Natarajan bala150985 AT gmail DOT com 11
- 12. BASE Installation 22/04/12 Balasubramaniam Natarajan bala150985 AT gmail DOT com 12
- 13. Installing Apache, PHP, Base&Mysql ● To get to work with snort's alert in a workable manner we need to access all the components to access snort's alert through Base. ● #aptget install apache2 php5 php5mysql php5gd phppear libmysqlclient16dev ● #aptget install mysqlserver snortmysql ● After tweaking with Mysql recompile snort ● /store/snort/src/snort2.9.1# make clean ● /store/snort/src/snort2.9.1#make distclean ● /store/snort/src/snort2.9.1# reset && ./configure withmysql ● Configure Snort for Mysql logging ● Output database: log, mysql, user=snort password=snortpassword dbname=snort host=localhost ● Snort u snort c /store/snort/etc/snort.conf i eth0 22/04/12 Balasubramaniam Natarajan bala150985 AT gmail DOT com 13
- 14. Configure MYSQL Database ● Set up root's password ● #mysqladmin u root password new_root_password ● Create the MySQL database and tables in order to receive the Snort logs: ● #mysql u root p ● >create database snort; ● Create a user who has permissions on the snort DB: ● >grant all on snort.* to snortuser@localhost identified by 'snortpassword'; ● reload mysql privileges: ● >flush privileges; ● >exit; ● Create the tables inside the snort database ● #mysql u root p snort < /store/snort/src/snort2.9.1/schemas/create_mysql 22/04/12 Balasubramaniam Natarajan bala150985 AT gmail DOT com 14
- 15. Configuring & Installing Base ● Download Base from base.secureideas.net ● Untar it to /var/www/base/ ● Download AdOdb from adodb.sourceforge.net/#download ● Untar & move to /var/www/base/adodb ● We will configure Base using the wizard. 22/04/12 Balasubramaniam Natarajan bala150985 AT gmail DOT com 15
- 16. Base Configuration ● Access http://localhost/base 22/04/12 Balasubramaniam Natarajan bala150985 AT gmail DOT com 16
- 17. Base config cont... ● Give path to Adodb 22/04/12 Balasubramaniam Natarajan bala150985 AT gmail DOT com 17
- 18. Base config cont... 22/04/12 Balasubramaniam Natarajan bala150985 AT gmail DOT com 18
- 19. Base configuration ● Give a Admin name 22/04/12 Balasubramaniam Natarajan bala150985 AT gmail DOT com 19
- 20. Base Config cont... ● Step4 22/04/12 Balasubramaniam Natarajan bala150985 AT gmail DOT com 20
- 21. All Red Allis well :-) 22/04/12 Balasubramaniam Natarajan bala150985 AT gmail DOT com 21
- 22. Rules Creation ● Snort Rule creation is not that difficult once you understand what to look for. ● We have two part one of them is the header and the other is body. ● Here we detect if some one visits youtube.com 22/04/12 Balasubramaniam Natarajan bala150985 AT gmail DOT com 22
- 23. Thank You 22/04/12 Balasubramaniam Natarajan bala150985 AT gmail DOT com 23