[root@www ~]# wget http://www.snort.org/dl/binaries/linux/snort-2.8.2.1-1.RH5.i386.rpm
[root@www ~]# rpm -Uvh snort-2.8.2.1-1.RH5.i386.rpm
Preparing...############################ [100%]
1:snort############################ [100%]
[root@www ~]# vi /etc/snort/snort.conf
# line 46: change to LAN
var HOME_NET 192.168.0.0/24
# line 49: change
var EXTERNAL_NET !$HOME_NET
[root@www ~]# vi /etc/logrotate.d/snort
# line 4: change
/var/log/snort/alert /var/log/snort/*log {
[2] Register from here for free in order to get snort rule files. After registration, download "snortrules-snapshot-CURRENT.tar.gz" and upload it on your server.
[3] Install the file that is uploaded on [2] and start Snort.
[root@www ~]# tar zxvf snortrules-snapshot-CURRENT.tar.gz
[root@www ~]# cp -r rules/* /etc/snort/rules/
[root@www ~]# rm -rf doc etc rules so_rules
[root@www ~]# /etc/rc.d/init.d/snortd start
Starting snort: [ OK ]
[root@www ~]# chkconfig snortd on
[4] Install SnortSnarf in order to watch logs of Snort from Web browser.
[root@www ~]# yum --enablerepo=dag install perl-Time-module
[root@www ~]# wget http://www.snort.org/dl/contrib/data_analysis/snortsnarf/SnortSnarf-050314.1.tar.gz
[root@www ~]# tar zxvf SnortSnarf-050314.1.tar.gz
[root@www ~]# mkdir /usr/local/bin/snortsnarf
[root@www ~]# cp SnortSnarf-050314.1/snortsnarf.pl /usr/local/bin/snortsnarf/
[root@www ~]# cp -r SnortSnarf-050314.1/include /usr/local/bin/snortsnarf/
[root@www ~]# vi /usr/local/bin/snortsnarf/include/SnortSnarf/HTMLMemStorage.pm
# line 290: change (remove '->')
return @arr[($first-1)..$end];
[root@www ~]# vi /usr/local/bin/snortsnarf/include/SnortSnarf/HTMLAnomMemStorage.pm
# line 266: change (remove '->')
return @arr[($first-1)..$end];
[root@www ~]# vi /etc/httpd/conf.d/snort.conf
Alias /snort /var/www/snort
Order deny,allow
Deny from all
# IP address you allow
Allow from 127.0.0.1 192.168.0
[root@www ~]# /etc/rc.d/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[root@www ~]# vi snortsnarf.sh# create init script
#!/bin/bash
cd /usr/local/snortsnarf
if [ -s /var/log/snort/alert ]; then
if [ -s /var/log/snort/portscan.log ]; then
./snortsnarf.pl -dns -d /var/www/snort /var/log/snort/alert /var/log/snort/portscan.log
else
./snortsnarf.pl -dns -d /var/www/snort /var/log/snort/alert
fi
fi
[root@www ~]# chmod 700 snortsnarf.sh
[root@www ~]# ./snortsnarf.sh# run
[root@www ~]# crontab -e
*/10 * * * * /root/snortsnarf.sh# run every 10 minutes
[5] Access to the page you set with web browser, then SnortSnarf start page is shown and you can watch the logs of Snort.
[6] Try to portscan with nmap from your another Host to your Snort Server and verify Snort logs.
[7] Install Oinkmaster in order to update rule files automatically. A code is necessarry for it, Login and push "Get Code" in the site and remember it.
[root@www ~]# wget http://jaist.dl.sourceforge.net/sourceforge/oinkmaster/oinkmaster-2.0.tar.gz 
[root@www ~]# tar zxvf oinkmaster-2.0.tar.gz
[root@www ~]# cp oinkmaster-2.0/oinkmaster.pl /usr/local/bin/
[root@www ~]# cp oinkmaster-2.0/oinkmaster.conf /etc/
[root@www ~]# rm -rf oinkmaster-2.0
[root@www ~]# vi /etc/oinkmaster.conf
# line 55: change code you got
url = http://www.snort.org/pub-bin/oinkmaster.cgi/(your code)/snortrules-snapshot-CURRENT.tar.gz
[root@www ~]# oinkmaster.pl -o /etc/snort/rules/ # run
Loading /etc/oinkmaster.conf
Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-CURRENT.tar.gz... done.
Archive successfully downloaded, unpacking... done.
Setting up rules structures...
WARNING: duplicate SID in your local rules, SID 3017 exists multiple times, you may need to fix this manually!
done.
Processing downloaded rules... disabled 0, enabled 0, modified 0, total=12183
Setting up rules structures...
WARNING: duplicate SID in your local rules, SID 3017 exists multiple times, you may need to fix this manually!
done.
Comparing new files to the old ones... done.
[***] Results from Oinkmaster started 20080621 23:56:39 [***]
[*] Rules modifications: [*]
None.
[*] Non-rule line modifications: [*]
None.
[*] Added files: [*]
None.
[root@www ~]# vi oinkmaster.sh# create init script
#!/bin/sh
/usr/bin/oinkmaster.pl -o /etc/snort/rules/ 2>&1 | logger -t oinkmaster
/etc/rc.d/init.d/snortd restart > /dev/null
[root@www ~]# chmod 700 oinkmaster.sh
[root@www ~]# ./oinkmaster.sh# run
[root@www ~]# crontab -e
0 1 * * * /root/oinkmaster.sh# run every 1:00 AM
Great server. I have long been using its services to provide the required information.
ReplyDeleteWonderful server for novices and professional users!