Snort Setup and Install
Snort is an intrusion detection system (IDS) and intrusion prevention system (IPS). It is open source.
- Recommended minimum 4 GB RAM and multicore CPU
- Instructions assume this will be installed on Ubuntu Server 20.04 (will be similar on other versions and distros)
- Your network interface might not be eth0. Swap in whatever you have. Sometimes we use ens160 in examples instead.
- We are using the current version of Snort as of July 2020
Update your repo information and optionally upgrade your system:
sudo apt update -y
sudo apt upgrade -y
Install some prerequisites:
sudo apt install -y build-essential automake libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev openssl libssl-dev libnghttp2-dev
Install some recommended packages:
sudo apt install -y openssh-server ethtool
DAQ - Data Acquisition library
For Ubuntu 20.04 we had a newer version of aclocal and automake. The DAQ didn’t like this during build because it is configured to use a specific version. We created links to get around this.
sudo ln -s /usr/bin/aclocal-1.16 /usr/bin/aclocal-1.15
sudo ln -s /usr/bin/automake-1.16 /usr/bin/automake-1.15
Download, build, and install the DAQ:
wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz
cd
tar -zxvf daq-2.0.7.tar.gz
cd daq-2.0.7
./configure && make && sudo make install
Snort Install
Install a specific tested version of LuaJIT which is different from what is in the repo:
cd
wget http://luajit.org/download/LuaJIT-2.0.2.tar.gz
tar xvfz LuaJIT-2.0.2.tar.gz
cd LuaJIT-2.0.2/
make
sudo make install
Download, build, and install Snort:
cd
wget https://www.snort.org/downloads/snort/snort-2.9.16.tar.gz
tar xvzf snort-2.9.16.tar.gz
cd snort-2.9.16
./configure --enable-sourcefire && make && sudo make install
Run ldconfig to update shared libraries:
sudo ldconfig
Create a link if you want. The original binary was on my path by default so you might not need this.
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
Test it:
snort -V
Snort Rules and Configuration
There are three types of rules that you can download for Snort:
- community rules
- registered rules (need an account; same as subscriber but not released as quickly)
- subscriber rules (need to pay)
If you are just getting started you should probably be fine with the community rules. If you want a bit more and want to put in the effort you could register and get the registered rules. If you are an organization with a budget you might want to actually pay and get the subscriber rules.
Oinkcode - If you register for an account you will be given a code called an Oinkcode. This is unique to every user and will allow you to download registered rules or subscriber rules if you’ve paid for them.
PulledPork - This tool can help you keep your rules up to date.
Create an unprivileged snort user and group for the daemon to run as (no login shell):
sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
Create expected files and directories:
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /etc/snort/rules/iplists
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /etc/snort/so_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs
sudo touch /etc/snort/rules/white_list.rules
sudo touch /etc/snort/rules/black_list.rules
sudo touch /etc/snort/rules/local.rules
sudo touch /etc/snort/sid-msg.map
Adjust permissions:
sudo chmod -R 5775 /etc/snort/
sudo chmod -R 5775 /var/log/snort/
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules/
Change ownership to snort user:
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
Copy the shipped configuration files and the dynamic preprocessors into place:
cd ~/snort-2.9.16/etc
sudo cp *.conf* /etc/snort
sudo cp *.map /etc/snort
sudo cp *.dtd /etc/snort
cd ~/snort-2.9.16/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/
sudo cp -avr * /usr/local/lib/snort_dynamicpreprocessor/
Get the latest community Snort Rules:
cd
wget https://www.snort.org/downloads/community/community-rules.tar.gz -O community-rules.tar.gz
sudo tar -xvzf community-rules.tar.gz -C /etc/snort/rules
Remember to enable the community rules in snort.conf with an include line, the same way local.rules is included below; downloading them alone does nothing.
Comment out the rule includes if you are going to use the PulledPork script (it manages its own single snort.rules include). SKIP THIS if you aren't using PulledPork:
sudo sed -i "s/include \$RULE\_PATH/#include \$RULE\_PATH/" /etc/snort/snort.conf
Edit your snort.conf file:
sudo vi /etc/snort/snort.conf
# Setup the network address for the network you are watching:
ipvar HOME_NET 192.168.15.0/24
# Update these paths:
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
# Enable this rule file:
include $RULE_PATH/local.rules
Test the snort configuration:
sudo snort -T -i eth0 -c /etc/snort/snort.conf
Writing Snort Rules
sudo vi /etc/snort/rules/local.rules
alert tcp any any -> $HOME_NET 21 (msg:"FTP connection attempt"; GID:1; sid:10000001; rev:001;)
alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; GID:1; sid:10000002; rev:001; classtype:icmp-event;)
alert tcp any any -> $HOME_NET 23 (msg:"TELNET connection attempt"; GID:1; sid:10000003; rev:001;)
- GID (generator id) - which Snort component generated the event (ex: GID:1; is the rules subsystem)
- sid - unique ID for the rule (local rules use sids of 1000000 and above; lower sids are reserved for the official rule sets)
- rev - revision of the rule
Barnyard2 won't read the alert description from local.rules, which causes errors when running PulledPork. You may need to add your rule here if you use Barnyard2 and PulledPork. The entry uses the version 2 sid-msg.map layout (gid || sid || rev || classtype || priority || msg || references); this example is for the ICMP rule above:
sudo vi /etc/snort/sid-msg.map
1 || 10000002 || 001 || icmp-event || 0 || ICMP test detected || url,tools.ietf.org/html/rfc792
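Keeping sid-msg.map in step with local.rules by hand is error-prone, so here is an added example (not part of the original guide, Snort or Barnyard2) that parses the guide's three local rules, checks that each sid is in the local range, and emits the version 2 sid-msg.map entries Barnyard2 and PulledPork expect. The rule text is embedded as constructed input; the header regex and the simple split on ";" are assumptions that cover ordinary rules (a msg containing an escaped ";" would need a real tokenizer).

```python
"""Generate sid-msg.map (v2 layout) entries from Snort local.rules."""
import re

# Constructed input: the three local rules from the guide, with a reference
# added to the ICMP rule so the reference column is exercised.
LOCAL_RULES = """
alert tcp any any -> $HOME_NET 21 (msg:"FTP connection attempt"; GID:1; sid:10000001; rev:001;)
alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; GID:1; sid:10000002; rev:001; classtype:icmp-event; reference:url,tools.ietf.org/html/rfc792;)
alert tcp any any -> $HOME_NET 23 (msg:"TELNET connection attempt"; GID:1; sid:10000003; rev:001;)
"""

# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def parse_rule(line: str) -> dict:
    """Split one rule into header fields plus an options dict; repeated
    options (several reference: entries) are collected into lists."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % line)
    rule = {k: v for k, v in m.groupdict().items() if k != "opts"}
    opts = {}
    for opt in filter(None, (o.strip() for o in m.group("opts").split(";"))):
        key, _, val = opt.partition(":")
        # option keywords are normalised to lower case, so GID and gid match
        opts.setdefault(key.strip().lower(), []).append(val.strip().strip('"'))
    rule["options"] = opts
    return rule

def sid_msg_entry(rule: dict) -> str:
    """Render one v2 line: gid || sid || rev || classtype || priority || msg || refs."""
    o = rule["options"]
    sid = int(o["sid"][0])
    if sid < 1000000:
        raise ValueError("sid %d is reserved; local rules use sid >= 1000000" % sid)
    fields = [o.get("gid", ["1"])[0], str(sid), o.get("rev", ["1"])[0],
              o.get("classtype", [""])[0], o.get("priority", ["0"])[0],
              o["msg"][0]] + o.get("reference", [])
    return " || ".join(fields)

def build_sid_msg_map(text: str) -> str:
    """Return a complete v2 sid-msg.map for every active rule in text."""
    rules = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return "#v2\n" + "\n".join(sid_msg_entry(parse_rule(l)) for l in rules) + "\n"
```

Redirect the output of build_sid_msg_map() over /etc/snort/sid-msg.map (or merge it, if PulledPork also writes there) and restart Barnyard2 so the new messages are picked up.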
Test the snort configuration again:
sudo snort -T -i eth0 -c /etc/snort/snort.conf
Start Snort in Network IDS mode from the terminal and tell it to output any alert to the console:
sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
Barnyard2
Install MySQL and other prerequisites:
sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool
Configure binary (unified2) output. Edit snort.conf and add this output line in the output section, after line 520 of the shipped file:
sudo vi /etc/snort/snort.conf
output unified2: filename snort.u2, limit 128
Download, build, and install Barnyard2:
mkdir -p ~/snort_src && cd ~/snort_src
wget https://github.com/firnsy/barnyard2/archive/master.tar.gz -O barnyard2-Master.tar.gz
tar zxvf barnyard2-Master.tar.gz
cd barnyard2-master
autoreconf -fvi -I ./m4
sudo ln -s /usr/include/dumbnet.h /usr/include/dnet.h
sudo ldconfig
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
make
sudo make install
Test it:
/usr/local/bin/barnyard2 -V
Copy the config in:
sudo cp ~/snort_src/barnyard2-master/etc/barnyard2.conf /etc/snort/
Create and chown files and directories some of which aren’t used but prevent errors:
sudo mkdir /var/log/barnyard2
sudo chown snort:snort /var/log/barnyard2
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort:snort /var/log/snort/barnyard2.waldo
Create a Snort database and database user:
mysql -u root -p
mysql> create database snort;
mysql> use snort;
mysql> source ~/snort_src/barnyard2-master/schemas/create_mysql
mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY 'MYSQLSNORTPASSWORD';
mysql> grant create, insert, select, delete, update on snort.* to 'snort'@'localhost';
mysql> exit
Add database info to Barnyard2 config:
sudo vi /etc/snort/barnyard2.conf
output database: log, mysql, user=snort password=MYSQLSNORTPASSWORD dbname=snort host=localhost sensor_name=sensor01
Tighten permissions since the password is in the config file:
sudo chmod o-r /etc/snort/barnyard2.conf
Try running Snort as a daemon with the new configs and database:
sudo /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
Snort should write binary files to the log dir with names like snort.u2.nnnnnnnnnn (the suffix is the creation timestamp). These unified2 files are what Barnyard2 reads and loads into the database.
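To see what Barnyard2 is actually processing, here is an added example (not part of the original guide, Snort or Barnyard2) that reads a unified2 record stream and decodes the IPv4 IDS event records; it goes beyond the page in that it handles both the legacy (type 7) and the VLAN-extended (type 104) event layouts from Snort's Unified2_common.h and skips packet records by their length. The sample stream is constructed with struct.pack for the guide's ICMP rule, not captured from a sensor; running it against a real /var/log/snort/snort.u2.* file is left to the reader.

```python
"""Read Snort unified2 records (the snort.u2.* files Barnyard2 consumes)."""
import struct
from ipaddress import IPv4Address

RECORD_HDR = struct.Struct(">II")              # record type, body length (big-endian)
IDS_EVENT = struct.Struct(">11I2H4B")          # type 7: legacy 52-byte IPv4 event
IDS_EVENT_VLAN = struct.Struct(">11I2H4BIHH")  # type 104: + mpls_label, vlan_id, pad
PACKET_HDR = struct.Struct(">7I")              # type 2: packet record header
FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
          "signature_id", "generator_id", "signature_revision",
          "classification_id", "priority_id", "ip_source", "ip_destination",
          "sport_itype", "dport_icode", "protocol", "impact_flag",
          "impact", "blocked")

def parse_unified2(data: bytes) -> list:
    """Walk the stream; decode IPv4 IDS events (types 7 and 104) and skip
    every other record type (packets, IPv6 events, extra data)."""
    events, off = [], 0
    while off + RECORD_HDR.size <= len(data):
        rtype, length = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + length > len(data):
            raise ValueError("truncated record at offset %d" % off)
        if rtype in (7, 104):
            fmt = IDS_EVENT if rtype == 7 else IDS_EVENT_VLAN
            ev = dict(zip(FIELDS, fmt.unpack_from(data, off)))  # extra fields dropped
            ev["ip_source"] = str(IPv4Address(ev["ip_source"]))
            ev["ip_destination"] = str(IPv4Address(ev["ip_destination"]))
            events.append(ev)
        off += length
    return events

def sample_stream() -> bytes:
    """Constructed stream: one type-104 event for the guide's ICMP rule
    (gid 1, sid 10000002, echo request) followed by a type-2 packet record."""
    event = IDS_EVENT_VLAN.pack(1, 1, 1594000000, 0, 10000002, 1, 1, 0, 3,
                                int(IPv4Address("192.168.15.50")),
                                int(IPv4Address("192.168.15.1")),
                                8, 0, 1, 0, 0, 0, 0, 0, 0)
    pkt_body = b"\x45\x00\x00\x1c"               # stand-in for the packet bytes
    packet = PACKET_HDR.pack(1, 1, 1594000000, 1594000000, 0, 1, len(pkt_body)) + pkt_body
    return (RECORD_HDR.pack(104, len(event)) + event +
            RECORD_HDR.pack(2, len(packet)) + packet)
```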
Test run Barnyard2 to load the Snort data into the database:
sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort
Check the MySQL DB to verify that event data is being written:
mysql -u snort -p -D snort -e "select count(*) from event"
Pulled Pork
Install Prerequisites:
sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl
Download, unpack, and copy PulledPork:
cd ~/snort_src
wget https://github.com/shirkdog/pulledpork/archive/master.tar.gz -O pulledpork-master.tar.gz
tar xzvf pulledpork-master.tar.gz
cd pulledpork-master/
sudo cp pulledpork.pl /usr/local/bin
sudo chmod +x /usr/local/bin/pulledpork.pl
sudo cp etc/*.conf /etc/snort
Test it:
/usr/local/bin/pulledpork.pl -V
Edit the config:
sudo vi /etc/snort/pulledpork.conf
Line 19: enter your oinkcode where appropriate (or comment out if no oinkcode)
Line 29: Un-comment for Emerging threats ruleset (not tested with this guide)
Line 74: change to: rule_path=/etc/snort/rules/snort.rules
Line 89: change to: local_rules=/etc/snort/rules/local.rules
Line 92: change to: sid_msg=/etc/snort/sid-msg.map
Line 96: change to: sid_msg_version=2
Line 119: change to: config_path=/etc/snort/snort.conf
Line 133: change to: distro=Ubuntu-12-04
Line 141: change to: black_list=/etc/snort/rules/iplists/black_list.rules
Line 150: change to: IPRVersion=/etc/snort/rules/iplists
Test it:
sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l
Rules will be pulled down to these locations:
- /etc/snort/rules/snort.rules
- /usr/local/lib/snort_dynamicrules/*.so
sudo vi /etc/snort/snort.conf
include $RULE_PATH/snort.rules
Test the Snort config:
sudo snort -T -c /etc/snort/snort.conf -i eth0
Test Snort and Barnyard:
sudo /usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g s
Run a ping test ….. ….
Check the DB for events:
mysql -u snort -p -D snort -e "select count(*) from event"
Add it to your crontab:
sudo crontab -e
01 04 * * * /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l
- NOTE - Snort will need to be restarted or reloaded to see new rules.
SystemD
sudo vi /lib/systemd/system/snort.service
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i ens160
[Install]
WantedBy=multi-user.target
sudo vi /lib/systemd/system/barnyard2.service
[Unit]
Description=Barnyard2 Daemon
After=syslog.target network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -q -w /var/log/snort/barnyard2.waldo -g snort -u snort -a /var/log/snort/archived_logs
[Install]
WantedBy=multi-user.target
sudo systemctl enable snort
sudo systemctl enable barnyard2
sudo systemctl start snort
sudo systemctl start barnyard2
systemctl status snort
systemctl status barnyard2
You can also check the status like this:
service snort status
service barnyard2 status
BASE - A Web Based Snort GUI
BASE is an abandoned project but it is still a decent tool. It is also one of the easier basic tools to setup. Read more HERE for Snort GUI info.
Install Apache, PHP, and some other needed packages. Note that we need to add a PPA because we need PHP5 which is ancient.
sudo add-apt-repository ppa:ondrej/php
sudo apt-get update
sudo apt-get install -y apache2 libapache2-mod-php5.6 php5.6-mysql php5.6-cli php5.6 php5.6-common php5.6-gd php5.6-cli php-pear php5.6-xml
Install Pear image Graph:
sudo pear install -f --alldeps Image_Graph
Install ADODB:
cd ~/snort_src
wget https://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-520-for-php5/adodb-5.20.8.tar.gz
tar -xvzf adodb-5.20.8.tar.gz
sudo mv adodb5 /var/adodb
sudo chmod -R 755 /var/adodb
cd ~/snort_src
wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
tar xzvf base-1.4.5.tar.gz
sudo mv base-1.4.5 /var/www/html/base/
cd /var/www/html/base
sudo cp base_conf.php.dist base_conf.php
sudo vi /var/www/html/base/base_conf.php
$BASE_urlpath = '/base'; # line 50
$DBlib_path = '/var/adodb/'; #line 80
$alert_dbname = 'snort'; # line 102
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'MYSQLSNORTPASSWORD'; # line 106, same password as in barnyard2.conf
//$graph_font_name = "Verdana";
//$graph_font_name = "DejaVuSans";
//$graph_font_name = "Image_Graph_Font";
$graph_font_name = "";
sudo chown -R www-data:www-data /var/www/html/base
sudo chmod o-r /var/www/html/base/base_conf.php
sudo service apache2 restart
- Load the GUI in your web browser: http://my-IP/base/index.php
- Click: “setup page”
- Click: “Create BASE AG”
- Click: “Main page”
More
We may cover these in the future:
- PF_RING
- Inline mode - NIPS (Network Intrusion Prevention System),
References
- Snort Installation
- Snort Inline mode
- Snort Documentation
- Snort - Getting Started
- Pulled Pork
- Snort GUI