1/27/2011

Network based IDS - Snort

[1] Install and configure Snort
[root@www ~]# wget http://www.snort.org/dl/binaries/linux/snort-2.8.2.1-1.RH5.i386.rpm

[root@www ~]# rpm -Uvh snort-2.8.2.1-1.RH5.i386.rpm
Preparing...                ########################################### [100%]
   1:snort                  ########################################### [100%]
[root@www ~]# vi /etc/snort/snort.conf

# line 46: change to LAN
var HOME_NET 192.168.0.0/24

# line 49: change
var EXTERNAL_NET !$HOME_NET

[root@www ~]# vi /etc/logrotate.d/snort

# line 4: change
/var/log/snort/alert /var/log/snort/*log {
[2] Register here for free in order to get the Snort rule files. After registration, download "snortrules-snapshot-CURRENT.tar.gz" and upload it to your server.

[3] Install the rule file uploaded in [2] and start Snort.
[root@www ~]# tar zxvf snortrules-snapshot-CURRENT.tar.gz
[root@www ~]# cp -r rules/* /etc/snort/rules/
[root@www ~]# rm -rf doc etc rules so_rules
[root@www ~]# /etc/rc.d/init.d/snortd start
Starting snort: [ OK ]
[root@www ~]# chkconfig snortd on
[4] Install SnortSnarf in order to watch logs of Snort from Web browser.
[root@www ~]# yum --enablerepo=dag install perl-Time-modules
[root@www ~]# wget http://www.snort.org/dl/contrib/data_analysis/snortsnarf/SnortSnarf-050314.1.tar.gz
[root@www ~]# tar zxvf SnortSnarf-050314.1.tar.gz
[root@www ~]# mkdir /usr/local/bin/snortsnarf
[root@www ~]# cp SnortSnarf-050314.1/snortsnarf.pl /usr/local/bin/snortsnarf/
[root@www ~]# cp -r SnortSnarf-050314.1/include /usr/local/bin/snortsnarf/
[root@www ~]# vi /usr/local/bin/snortsnarf/include/SnortSnarf/HTMLMemStorage.pm

# line 290: change (remove '->')
return @arr[($first-1)..$end];

[root@www ~]# vi /usr/local/bin/snortsnarf/include/SnortSnarf/HTMLAnomMemStorage.pm

# line 266: change (remove '->')
return @arr[($first-1)..$end];

[root@www ~]# vi /etc/httpd/conf.d/snort.conf

Alias /snort /var/www/snort

<Directory /var/www/snort>
Order deny,allow
Deny from all
# IP address you allow
Allow from 127.0.0.1 192.168.0
</Directory>

[root@www ~]# /etc/rc.d/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[root@www ~]# vi snortsnarf.sh   # create a wrapper script for cron

#!/bin/bash

# SnortSnarf was installed under /usr/local/bin/snortsnarf in [4]
cd /usr/local/bin/snortsnarf
# only run when the alert file is non-empty; include portscan.log if present
if [ -s /var/log/snort/alert ]; then
if [ -s /var/log/snort/portscan.log ]; then
./snortsnarf.pl -dns -d /var/www/snort /var/log/snort/alert /var/log/snort/portscan.log
else
./snortsnarf.pl -dns -d /var/www/snort /var/log/snort/alert
fi
fi

[root@www ~]# chmod 700 snortsnarf.sh
[root@www ~]# ./snortsnarf.sh   # run
[root@www ~]# crontab -e

*/10 * * * * /root/snortsnarf.sh   # run every 10 minutes
[5] Access the page you set up with a web browser; the SnortSnarf start page is shown and you can browse the Snort logs there.
[6] Run a port scan with nmap from another host against the Snort server and verify that it shows up in the Snort logs.
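SnortSnarf in [4] and [5] is a report generator over /var/log/snort/alert, and [6] asks you to verify that a scan actually lands there. The following is an added example, not code from this post or from the Snort or SnortSnarf projects: a small Python parser for Snort's single-line "fast" alert format (the snortd init script from the RPM runs Snort with -A fast; that is an assumption here, since the post itself does not show the alert mode) that counts alerts by signature, source and destination, which is enough to confirm a test scan was logged without opening the web page. The sample alert lines are constructed for the example; the signature names and addresses in them are not taken from a real sensor.

```python
import re
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Snort "-A fast" alert line, e.g.
# 06/21-23:41:02.102938  [**] [1:2003:8] msg [**] [Classification: x] [Priority: 2] {UDP} a.b.c.d:p -> e.f.g.h:q
# Classification and Priority are optional (portscan alerts from sfportscan carry no classification,
# and their protocol field reads {PROTO:255}). Assumes IPv4 addresses, as in this post's HOME_NET.
FAST_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s*'
    r'(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?'
    r'(?:\[Priority:\s*(?P<prio>\d+)\]\s*)?'
    r'\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$'
)

# Constructed sample of /var/log/snort/alert; the last line is deliberately not an alert.
SAMPLE_ALERTS = """\
06/21-23:41:02.102938  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.9.8.7:1434 -> 192.168.0.10:1434
06/21-23:41:05.551200  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.168.0.55 -> 192.168.0.10
06/21-23:41:09.000112  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.0.55 -> 192.168.0.10
06/21-23:42:17.771003  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.9.8.7:1434 -> 192.168.0.11:1434
this line is not an alert
"""


@dataclass
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: Optional[int]
    proto: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]


def split_addr(addr: str) -> Tuple[str, Optional[int]]:
    """'192.168.0.5:1434' -> ('192.168.0.5', 1434); ICMP/portscan lines have no port."""
    ip, sep, port = addr.rpartition(':')
    if not sep:
        return addr, None
    return ip, int(port)


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one fast-format line; return None for anything that is not an alert."""
    m = FAST_RE.match(line.rstrip('\r\n'))
    if not m:
        return None
    src_ip, src_port = split_addr(m['src'])
    dst_ip, dst_port = split_addr(m['dst'])
    prio = m['prio']
    return Alert(m['ts'], int(m['gid']), int(m['sid']), int(m['rev']), m['msg'],
                 m['cls'], int(prio) if prio else None, m['proto'],
                 src_ip, src_port, dst_ip, dst_port)


def parse_alert_file(lines: Iterable[str]) -> Tuple[List[Alert], int]:
    """Return (parsed alerts, number of non-empty lines that did not parse)."""
    alerts, skipped = [], 0
    for line in lines:
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert is None:
            skipped += 1
        else:
            alerts.append(alert)
    return alerts, skipped


def summarize(alerts: List[Alert]) -> Dict[str, object]:
    """The same roll-ups SnortSnarf puts on its start page: by signature, source and destination."""
    return {
        'by_signature': Counter((a.gid, a.sid, a.msg) for a in alerts),
        'by_source': Counter(a.src_ip for a in alerts),
        'by_destination': Counter(a.dst_ip for a in alerts),
        # priority 1 and 2 are the ones worth looking at first
        'high_priority': sum(1 for a in alerts if a.priority is not None and a.priority <= 2),
    }


if __name__ == '__main__':
    # usage: snort_alert_summary.py [/var/log/snort/alert]; without an argument the sample is used
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding='utf-8', errors='replace') as fh:
            alerts, skipped = parse_alert_file(fh)
    else:
        alerts, skipped = parse_alert_file(SAMPLE_ALERTS.splitlines())
    s = summarize(alerts)
    print(f"{len(alerts)} alerts parsed, {skipped} lines skipped, {s['high_priority']} of priority <= 2")
    for key in ('by_signature', 'by_source', 'by_destination'):
        print(key)
        for item, n in s[key].most_common(5):
            print(f"  {n:6d}  {item}")
```

Point it at the real alert file after the nmap test in [6]; the scanning host should appear at the top of by_source, and the "(portscan)" signature in by_signature. If the file is in the multi-line "full" format instead, every line is skipped and the skipped count tells you so.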


[7] Install Oinkmaster in order to update the rule files automatically. An oinkcode is necessary for it: log in to the site, click "Get Code" and note the code.
[root@www ~]# wget http://jaist.dl.sourceforge.net/sourceforge/oinkmaster/oinkmaster-2.0.tar.gz 
[root@www ~]# tar zxvf oinkmaster-2.0.tar.gz
[root@www ~]# cp oinkmaster-2.0/oinkmaster.pl /usr/local/bin/
[root@www ~]# cp oinkmaster-2.0/oinkmaster.conf /etc/
[root@www ~]# rm -rf oinkmaster-2.0
[root@www ~]# vi /etc/oinkmaster.conf

# line 55: change code you got
url = http://www.snort.org/pub-bin/oinkmaster.cgi/(your code)/snortrules-snapshot-CURRENT.tar.gz

[root@www ~]# oinkmaster.pl -o /etc/snort/rules/   # run
Loading /etc/oinkmaster.conf
Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-CURRENT.tar.gz... done.
Archive successfully downloaded, unpacking... done.
Setting up rules structures...
WARNING: duplicate SID in your local rules, SID 3017 exists multiple times, you may need to fix this manually!
done.
Processing downloaded rules... disabled 0, enabled 0, modified 0, total=12183
Setting up rules structures...
WARNING: duplicate SID in your local rules, SID 3017 exists multiple times, you may need to fix this manually!
done.
Comparing new files to the old ones... done.

[***] Results from Oinkmaster started 20080621 23:56:39 [***]

[*] Rules modifications: [*]
   None.

[*] Non-rule line modifications: [*]
   None.

[*] Added files: [*]
   None.

[root@www ~]# vi oinkmaster.sh   # create a wrapper script for cron

#!/bin/sh

# oinkmaster.pl was copied to /usr/local/bin above; log its output via syslog
/usr/local/bin/oinkmaster.pl -o /etc/snort/rules/ 2>&1 | logger -t oinkmaster
/etc/rc.d/init.d/snortd restart > /dev/null

[root@www ~]# chmod 700 oinkmaster.sh
[root@www ~]# ./oinkmaster.sh   # run
[root@www ~]# crontab -e

0 1 * * * /root/oinkmaster.sh   # run every day at 1:00 AM

1 comment:

  1. Great server. I have long been using its services to provide the required information.
    Wonderful server for novices and professional users!
