SNORT: Install SNORT for BARNYARD2

From OnnoCenterWiki
Onnowpurbo (talk | contribs)
Revision as of 03:25, 2 June 2015

Assumptions:

  • IP address 192.168.0.100
  • server name: refserver

Check the interface

sudo su
vi /etc/network/interfaces
auto eth0
iface eth0 inet static
        address 192.168.0.100
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.223
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 8.8.8.8


Install apache & MySQL

Installation

apt-get update -y
apt-get -y install apache2 libapache2-mod-php5 mysql-server mysql-common mysql-client php5-mysql libmysqlclient-dev \
php5-gd php-pear libphp-adodb php5-cli

If you are still learning, you can use

  • MySQL root password 123456

Install dependencies

apt-get -y install libwww-perl libnet1 libnet1-dev libpcre3 libpcre3-dev autoconf libcrypt-ssleay-perl \
libtool libssl-dev build-essential automake gcc make flex bison git

Install Deps

Download and install libdnet:

mkdir /usr/local/snort
cd /usr/local/snort
wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
tar xzvf libdnet-1.12.tgz
cd libdnet-1.12/
./configure
make
make install
ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1

Install libpcap; DAQ depends on it, so libpcap must be installed before DAQ.

cd /usr/local/snort
wget http://www.tcpdump.org/release/libpcap-1.6.2.tar.gz
tar -xzvf libpcap-1.6.2.tar.gz
cd libpcap-1.6.2
./configure
make
make install
echo "/usr/local/lib" >> /etc/ld.so.conf
ldconfig -v

Downloading & Installing DAQ:

cd /usr/local/snort
wget https://www.snort.org/downloads/snort/daq-2.0.5.tar.gz
tar zxvf daq-2.0.5.tar.gz
cd daq-2.0.5
./configure
make
make install

Download & Install Snort:

cd /usr/local/snort
wget https://www.snort.org/downloads/snort/snort-2.9.7.3.tar.gz
tar -xzvf snort-2.9.7.3.tar.gz
cd snort-2.9.7.3
./configure --prefix=/usr/local/snort --enable-sourcefire
make
make install
mkdir /var/log/snort
mkdir /var/snort
groupadd snort
useradd -g snort snort
chown snort:snort /var/log/snort

Download the Latest Snort Rules:

Download the latest rules snapshot by signing in at snort.org, as shown in the figure below. Then extract the snapshot and copy the rules into the Snort directory.

Figure 9 - Sign In to get Snort Rules Snapshot

  1. cd /usr/local/src
  2. tar zxf snortrules-snapshot-2962.tar.gz -C /usr/local/snort
  3. mkdir /usr/local/snort/lib/snort_dynamicrules
  4. cp /usr/local/snort/so_rules/precompiled/Ubuntu-12-04/x86-64/2.9.6.2/* /usr/local/snort/lib/snort_dynamicrules
  5. touch /usr/local/snort/rules/white_list.rules
  6. touch /usr/local/snort/rules/black_list.rules
  7. ldconfig -v

Now we need to edit the snort.conf configuration file:

   # vim /usr/local/snort/etc/snort.conf

Set values as given below:

var WHITE_LIST_PATH /usr/local/snort/rules
var BLACK_LIST_PATH /usr/local/snort/rules

dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules

output unified2: filename snort.u2, limit 128

The figure below also shows how to set these values.

Figure 10 - Snort ConfigChanges

Download and Install Barnyard2:

Barnyard2 improves the efficiency of Snort by taking output processing off the main detection engine: it reads Snort's unified2 log files and inserts the events into a database. If the database is unavailable, Barnyard2 keeps reading and inserts all the buffered data once the database comes back online, so no alerts are lost. Download Barnyard2 from GitHub and install it:

cd /usr/local/src
git clone http://github.com/firnsy/barnyard2.git barnyard2
cd barnyard2
autoreconf -fvi -I ./m4
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
make
make install
cp etc/barnyard2.conf /usr/local/snort/etc
mkdir /var/log/barnyard2
chmod 666 /var/log/barnyard2
touch /var/log/snort/barnyard2.waldo
chown snort.snort /var/log/snort/barnyard2.waldo
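As an added illustration of what Barnyard2 consumes (example code, not from this page or from the Barnyard2 project): a small Python parser for the unified2 records that the `output unified2: filename snort.u2` line in snort.conf makes Snort write. It walks records from a saved offset the way Barnyard2 resumes from its waldo file, and stops cleanly at a record Snort has not finished writing. Record layouts follow Snort's Unified2_common.h (IPv4 event type 7, packet type 2); the sample bytes are constructed, not a real capture.

```python
import socket
import struct

# Record types from Snort's Unified2_common.h (IPv4 event and raw packet).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
# Network byte order. Unified2IDSEvent is 52 bytes: eleven u32, two u16, four u8.
# A packet record is a 28-byte header (seven u32) followed by the packet bytes.
EVENT_FMT = "!11I2H4B"
PACKET_FMT = "!7I"
EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "ip_source", "ip_destination",
                "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked")

def parse_unified2(data, offset=0):
    """Walk records from `offset` (the position Barnyard2 keeps in its waldo file).
    Returns (records, new_offset) and stops at a partial record, so the caller
    can resume once Snort has finished writing it."""
    records = []
    while offset + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, offset)
        if offset + 8 + rlen > len(data):
            break  # truncated tail: Snort is still writing this record
        body = data[offset + 8:offset + 8 + rlen]
        if rtype == UNIFIED2_IDS_EVENT and rlen == struct.calcsize(EVENT_FMT):
            rec = dict(zip(EVENT_FIELDS, struct.unpack(EVENT_FMT, body)))
            for key in ("ip_source", "ip_destination"):
                rec[key] = socket.inet_ntoa(struct.pack("!I", rec[key]))
            records.append(("event", rec))
        elif rtype == UNIFIED2_PACKET:
            hdr = struct.unpack(PACKET_FMT, body[:28])
            records.append(("packet", {"event_id": hdr[1], "linktype": hdr[5],
                                       "packet": body[28:28 + hdr[6]]}))
        else:  # IPv6 events, extra data, etc. are skipped but accounted for
            records.append(("other", {"type": rtype, "length": rlen}))
        offset += 8 + rlen
    return records, offset

def build_sample():
    """Constructed sample bytes (not a real Snort capture): one event for a
    local-rule SID, its packet record, then a half-written second event."""
    src = struct.unpack("!I", socket.inet_aton("10.0.0.5"))[0]
    dst = struct.unpack("!I", socket.inet_aton("192.168.0.100"))[0]
    event = struct.pack(EVENT_FMT, 0, 1, 1433214300, 0, 1000001, 1, 1, 29, 3, src, dst, 40000, 22, 6, 0, 0, 0)
    packet = b"\x45\x00" + b"\x00" * 18  # placeholder bytes standing in for a packet
    phdr = struct.pack(PACKET_FMT, 0, 1, 1433214300, 1433214300, 0, 1, len(packet))
    rec = lambda rtype, body: struct.pack("!II", rtype, len(body)) + body
    return (rec(UNIFIED2_IDS_EVENT, event) + rec(UNIFIED2_PACKET, phdr + packet)
            + rec(UNIFIED2_IDS_EVENT, event)[:20])
```

Running `parse_unified2(build_sample())` yields the event and its packet and returns offset 116; calling it again from that offset returns nothing until the trailing record is complete, which is exactly the waldo behaviour that lets Barnyard2 be stopped and restarted without losing or duplicating alerts.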

Create Database for Snort to be used by Barnyard for Storage:

mysql -u root -p
mysql> create database snortdb;
mysql> grant create, insert, select, delete, update on snortdb.* to snortuser@localhost identified by '3ngin33r';
mysql> flush privileges;

Figure 11 - Create Snort DB

Populate the Snort DB with the schema shipped in the barnyard2 source tree (run from /usr/local/src/barnyard2):

mysql -u root -p -D snortdb < ./schemas/create_mysql

Modify the Barnyard2 configuration file with the following command:

vim /usr/local/snort/etc/barnyard2.conf

Set Values as given below:

config  reference_file: /usr/local/snort/etc/reference.config
config  classification_file: /usr/local/snort/etc/classification.config
config  gen_file: /usr/local/snort/etc/gen-msg.map
config  sid_file: /usr/local/snort/etc/sid-msg.map
config hostname: localhost
config interface: eth0

output database: log, mysql, dbname=snortdb user=snortuser password=3ngin33r host=localhost


Save & quit


Figure 12 - Barnyard2 ConfigChange

Copy the required files from the Snort source directory:

  1. cp /usr/local/snort/snort-2.9.7.3/etc/gen-msg.map /usr/local/snort/etc/

Testing Snort:

It’s time to test if Snort has been installed and configured correctly by using this command:

  1. /usr/local/snort/bin/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0

“Commencing packet processing” must be shown at the end of the command output; this means Snort is installed and configured correctly.

Figure 13 - Test Snort

To set Snort to start automatically on your machine, edit the rc.local file with the following command:

  1. vim /etc/rc.local

Add the following lines before the “exit” command. The -f value given to barnyard2 must match the unified2 filename set in snort.conf (snort.u2 above).

ifconfig eth0 up
/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0
/usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D


Save & quit with :wq!


Figure 14 - AutoStart at boot

Download and set up Snort Report (optional):

Download Snort Report from: http://www.symmetrixtech.com/

or

  1. wget http://symmetrixtech.com/wp/wp-content/uploads/2014/09/snortreport-1.3.4.tar.gz
  2. tar -xzf snortreport-1.3.4.tar.gz -C /var/www/html
  3. vim /var/www/html/snortreport-1.3.4/srconf.php

Set the database details:

$server = "localhost";
$user = "snortuser";
$pass = "3ngin33r";
$dbname = "snortdb";

Figure 15 - SnortGraph ConfigEdit

Download and install JPGraph:

  1. wget http://jpgraph.net/download/download.php?p=5 -O jpgraph-3.5.0b1.tar.gz
  2. tar xvzf jpgraph-3.5.0b1.tar.gz -C /var/www/html/
  3. mv /var/www/html/jpgraph-3.5.0b1 /var/www/html/jpgraph

Download and Install ADODB5:

  1. wget http://downloads.sourceforge.net/project/adodb/adodb-php5-only/adodb-519-for-php5/adodb519.tar.gz
  2. tar -xzf adodb519.tar.gz -C /var/www/html
  3. mv /var/www/html/adodb519 /var/www/html/adodb5

Installing and configuring Acid: (Install Either Acid or BASE – BASE shown below)

  1. cd /usr/local/src
  2. wget http://acidlab.sourceforge.net/acid-0.9.6b23.tar.gz
  3. tar -xzf acid-0.9.6b23.tar.gz -C /var/www/html
  4. cd /var/www/html/acid/
  5. vim acid_conf.php

– Set Options as:

$DBlib_path = "/var/www/html/adodb5";

$alert_dbname = "snortdb";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snortuser";
$alert_password = "3ngin33r";

/* Archive DB connection parameters */
$archive_dbname = "snortdb";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "snortuser";
$archive_password = "3ngin33r";

/* JPGraph was moved to /var/www/html/jpgraph in the step above */
$ChartLib_path = "/var/www/html/jpgraph";


— Save and quit


Figure 16 - Acid ConfigEdit

– Restart Apache and browse to the following URL in a browser:

http://<ServerIP>/acid


Installing BASE for Snort Front-end : RECOMMENDED for Snort

— I used BASE as ACID didn’t work for me.

– Check that all dependencies are installed, or install them with the following command:

  1. apt-get install apache2 libapache2-mod-php5 php5 php5-mysql php5-common php5-gd php5-cli php-pear unzip -y

– Install pear Image_Graph

  1. pear install -f Image_Graph

Download and extract BASE

  1. cd /var/www/html/
  2. wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
  3. tar zxvf base-1.4.5.tar.gz
  4. mv base-1.4.5 base

Configure BASE

  1. cd base
  2. cp base_conf.php.dist base_conf.php
  3. vim base_conf.php

– Set Directives as:

$BASE_urlpath = '/base';

$DBlib_path = '/var/www/html/adodb5';

$alert_dbname = 'snortdb';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snortuser';
$alert_password = '3ngin33r';


Figure 17 - Base ConfigEdit

Change the ownership of all files to www-data and restart Apache:

  1. chown -R www-data:www-data /var/www/html
  2. service apache2 restart

– Browse to http://<snort_ip_address>/base/ and click on the “setup page” link
– Click on the “Create BASE AG” button in the upper right of the page


Figure 18 - Base ConfigPage

– Click on the “Main page” link

Figure 19 - Config complete

— Now we should see the BASE dashboard, as shown below:

Figure 20 - BASE Dashboard


More HowTos:

– Installing Snort Sensor on Windows Host with Remote Snort +MySQL using WinIDS

– Installing Snorby on Ubuntu for Snort with Barnyard2

References

* http://blog.muhammadattique.com/install-configure-snort-hids-barnyard2-base-mysql-ubuntu/