Difference between revisions of "Snort IDS installation"

Revision as of 10:57, 10 August 2014




SNORT installation

Requirements

Snort will log to MySQL, so create a dedicated database and a dedicated MySQL user for it before you start. Do not reuse the MySQL root account: the daemon only needs to write alerts into its own database.

Hint: you can use phpMyAdmin or MySQL Workbench to do so.
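The statements for that dedicated database and user, as an added example (not the page's own commands): the user gets only the privileges the daemon, the create_mysql script and BASE need on the snort database, instead of the MySQL root account. The database/user names and the password are assumptions; on the real host, pipe the output into mysql -u root -p.

```shell
# Added example (not the page's own): print the statements for a dedicated
# Snort database and MySQL user with only the privileges the daemon, the
# create_mysql script and BASE need on that database, instead of the root
# account. The database/user names and the password are assumptions; pipe the
# output into "mysql -u root -p" on the real host.

# $1 = database, $2 = user, $3 = password. Passwords containing a quote or a
# backslash are refused rather than interpolated into the SQL unescaped.
snort_db_sql() {
    db="$1"; user="$2"; pw="$3"
    case "$pw" in
        *\'*|*\\*)
            printf '%s\n' "snort_db_sql: password must not contain a quote or a backslash" >&2
            return 1 ;;
    esac
    printf 'CREATE DATABASE IF NOT EXISTS `%s`;\n' "$db"
    printf "CREATE USER '%s'@'localhost' IDENTIFIED BY '%s';\n" "$user" "$pw"
    # SELECT/INSERT/UPDATE/DELETE for logging and BASE, CREATE for the schema
    # scripts; no GRANT OPTION, no ALL PRIVILEGES, no global (*.*) scope.
    printf "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON \`%s\`.* TO '%s'@'localhost';\n" "$db" "$user"
    printf 'FLUSH PRIVILEGES;\n'
}

# Demo with a placeholder password; a real one should come from a generator,
# e.g.  snort_db_sql snort snort "$(head -c 18 /dev/urandom | base64)"
snort_db_sql snort snort 'CHANGE_ME'
```

The grant is scoped to the snort database only, so a compromise of the sensor or of BASE cannot be turned into access to other databases on the same server.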


Installation

Packages

apt-get install snort snort-doc snort-rules-default snort-common snort-common-libraries oinkmaster


During the installation you will be asked for $HOME_NET, the address range Snort considers "inside". Everything else becomes $EXTERNAL_NET, so a wrong value here silently hides alerts.

  • If you plan to protect a network, use the network address with its prefix length (IP@/mask, e.g. 192.168.1.0/24).
  • For a single computer use IP@/32. Do that for servers hosted at a cloud provider (OVH, TripNet, ...).


Basic configuration

Interactive way

dpkg-reconfigure snort
  • Start on boot
  • Interface: eth0
  • Set the IP address (or network range) of your server as $HOME_NET
  • Do NOT enable promiscuous mode (it is only needed when Snort listens on a mirror/SPAN port and must see traffic not addressed to this host)
  • No custom options
  • (optional) daily reports by email


Manual way

Set the attributes:

vim /etc/snort/snort.debian.conf

!! Note: on Debian the daemon options (interface, HOME_NET, ...) live in snort.debian.conf; /etc/snort/snort.conf is Snort's own global configuration !!

DEBIAN_SNORT_HOME_NET="IP@/submask"


Know your version of snort

snort -V

(snort --help prints the same banner before the option list.) You should see something like this at the beginning:

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.0 GRE (Build 47)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.8



Configure rules and update

SNORT account

Get a SNORT account: https://www.snort.org

Each SNORT account has an OINKCODE, which is required to download the registered rule sets. Treat it like a password: it identifies your account to snort.org, so do not paste it into shared scripts or public repositories.


Oinkmaster

Get the latest rule set

vim /etc/oinkmaster.conf

Comment out the default url line (line 53 in the stock file) and add one that matches your Snort version:

#url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2.9.tar.gz

######
# Put the version that matches your Snort, e.g. 2960 for 2.9.6.0
# You can check which versions are available at https://www.snort.org/downloads/#rule-downloads
#
# Usually there is no 2960 but 2961,2962,... 2969 instead
###
url = http://www.snort.org/pub-bin/oinkmaster.cgi/f1...c7/snortrules-snapshot-2961.tar.gz

(f1...c7 stands for your own oinkcode.) The snapshot name must match the version shown by snort -V: the rule snapshots are built per Snort version (the shared-object rules in particular), and a mismatched set can fail to load. Because the file now contains your oinkcode, keep it readable by root only (chmod 600 /etc/oinkmaster.conf).

You can get the latest rules manually too: https://www.snort.org/downloads/#rule-downloads
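Deriving the snapshot name from the version Snort reports, as an added example (not part of the wiki page): the functions below parse the banner shown above, turn 2.9.6.0 into 2960 and build the url= line for /etc/oinkmaster.conf. Nothing here contacts snort.org; the banner is constructed from the one printed earlier on this page, the oinkcode is a placeholder, and using https for the download URL is an assumption.

```shell
# Added example (not part of the wiki page): derive the snortrules-snapshot
# name that /etc/oinkmaster.conf needs from the version Snort reports, and
# build the matching url= line. Nothing here contacts snort.org. The banner
# below is constructed from the one printed earlier on this page; the
# oinkcode is a placeholder and the https scheme is an assumption.

# Extract "2.9.6.0" from a Snort banner line such as
# "Version 2.9.6.0 GRE (Build 47)". Only the first match is returned.
snort_version() {
    printf '%s\n' "$1" | sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# "2.9.6.0" -> "2960": snapshot names are the version with the dots removed.
snapshot_name() {
    printf '%s' "$1" | tr -d '.'
}

# Build the url= line for /etc/oinkmaster.conf.
# $1 = oinkcode, $2 = snapshot name (use 2961 etc. when no 2960 tarball exists).
oinkmaster_url() {
    printf 'url = https://www.snort.org/pub-bin/oinkmaster.cgi/%s/snortrules-snapshot-%s.tar.gz\n' "$1" "$2"
}

# Constructed banner (two lines of the output shown above). On a real host use:
#   snort_version "$(snort -V 2>&1)"
BANNER='   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.0 GRE (Build 47)'

VER=$(snort_version "$BANNER")        # 2.9.6.0
SNAP=$(snapshot_name "$VER")          # 2960
oinkmaster_url 'YOUR_OINKCODE' "$SNAP"
```

If snort.org has no tarball for the exact snapshot (the page's 2960 case), pass the nearest available name such as 2961 to oinkmaster_url instead of the derived one.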

Download and install rules

oinkmaster -o /etc/snort/rules

Snort reads the rules at start-up only, so restart it after every update (see "Start snort" below) for the new rules to take effect.

Automatic rules update

crontab -e

Add: 55 13 * * 6 /usr/sbin/oinkmaster -o /etc/snort/rules

This runs the update every Saturday at 13:55 as root; restart Snort afterwards, or the new rules sit unused until the next restart.

Add rules to Snort

  1. echo "#EmergingThreats.net Rules" >> /etc/snort/snort.conf
  2. cd /etc/snort/rules
  3. for i in emerging-*.rules ; do echo "include \$RULE_PATH/$i" >> /etc/snort/snort.conf ; done

The glob emerging-*.rules only picks up rule files; a broader pattern such as emerging* would also add emerging-sid-msg.map and emerging-sid-msg.map.txt, which are not rule files and break the configuration parse. Run the loop once only: every run appends the include lines again.

Check result

  1. vim /etc/snort/snort.conf

→ You should see lots of emerging rules

Advice: you should comment out the following (the *-BLOCK.rules files are IP block lists that alert on any traffic to or from the listed addresses and tend to be noisy; the sid-msg.map entries are not rules at all):

  • include $RULE_PATH/emerging-botcc-BLOCK.rules
  • include $RULE_PATH/emerging-compromised-BLOCK.rules
  • include $RULE_PATH/emerging-drop-BLOCK.rules
  • include $RULE_PATH/emerging-dshield-BLOCK.rules
  • include $RULE_PATH/emerging-rbn-BLOCK.rules
  • include $RULE_PATH/emerging-sid-msg.map
  • include $RULE_PATH/emerging-sid-msg.map.txt
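The include step done idempotently, as an added example (not the page's own commands): the functions below generate the include lines for the Emerging Threats rule files while leaving out the *-BLOCK.rules files and the sid-msg.map files from the advice list, and never add a line twice, so they can be re-run after each oinkmaster update. The sample rules directory is constructed in a temporary directory; the file names come from the list above.

```shell
# Added example (not the page's own commands): build the include lines for the
# Emerging Threats rule files idempotently, leaving out the *-BLOCK.rules files
# and the sid-msg.map files that the advice above says to comment out. It runs
# against a constructed temporary directory, so it can be tried without Snort
# installed; the file names in the sample are taken from the list above.

# Print one "include $RULE_PATH/<file>" line per emerging-*.rules file in
# directory $1, skipping the IP block lists (emerging-*-BLOCK.rules).
et_include_lines() {
    dir="$1"
    for f in "$dir"/emerging-*.rules; do
        [ -e "$f" ] || continue          # no match: the glob stays literal
        name=$(basename "$f")
        case "$name" in
            *-BLOCK.rules) continue ;;
        esac
        printf 'include $RULE_PATH/%s\n' "$name"
    done
}

# Append the header and the include lines to snort.conf ($2), but only the
# lines that are not already there, so re-running after an update is safe.
et_append_includes() {
    dir="$1"; conf="$2"
    grep -qxF '#EmergingThreats.net Rules' "$conf" 2>/dev/null \
        || printf '#EmergingThreats.net Rules\n' >> "$conf"
    et_include_lines "$dir" | while IFS= read -r line; do
        grep -qxF "$line" "$conf" || printf '%s\n' "$line" >> "$conf"
    done
}

# Constructed sample: the kind of files oinkmaster leaves in the rules
# directory, plus an empty snort.conf.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
for f in emerging-web_server.rules emerging-trojan.rules \
         emerging-botcc-BLOCK.rules emerging-drop-BLOCK.rules \
         emerging-sid-msg.map emerging-sid-msg.map.txt; do
    : > "$demo_dir/$f"
done
: > "$demo_dir/snort.conf"

et_append_includes "$demo_dir" "$demo_dir/snort.conf"
et_append_includes "$demo_dir" "$demo_dir/snort.conf"   # second run adds nothing
cat "$demo_dir/snort.conf"
```

On a real sensor call et_append_includes /etc/snort/rules /etc/snort/snort.conf from the same cron job that runs oinkmaster, then restart Snort.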

Start snort

To test your configuration:

  1. snort -T -c /etc/snort/snort.conf

With -T Snort validates the configuration and the rule files and then exits; without it (snort -c /etc/snort/snort.conf) it keeps running and you should see a little pig :) (Ctrl+C to stop it).

If there are errors, check /var/log/syslog. You might have to comment out some rules, depending on your configuration.

Managing rules

Not all rules are enabled by default. According to your own policy, you might want to enable some specific rules. Have a look at your configuration file:

  1. vim /etc/snort/snort.conf

→ line 839: enable the required policies
  • Policy.rules
  • Community-policy.rules

Disable specific rules

  1. vim /etc/snort/snort.conf

You might be spammed by false alerts such as "COMMUNITY SIP TCP/IP message flooding directed to SIP proxy". To disable these, edit the corresponding rule file (community-sip.rules) and comment out the rule, or drop the whole include from snort.conf:

  • -voip.rules
  • -sip.rules

Edits made directly in the rule files are overwritten by the next oinkmaster run; to make them stick, list the rule's SID in /etc/oinkmaster.conf with disablesid <sid> instead.
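Disabling a rule by SID in a way that survives updates, as an added example (not from the page): disable_sid comments out exactly the rule with the given SID in a rule file, and oinkmaster_disablesid records the same SID as a disablesid line for oinkmaster. The rule file and the SID numbers below are constructed for the demo and are not real ruleset entries.

```shell
# Added example (not from the page): disable a rule by its SID instead of
# hand-editing the rule file, and record the SID in oinkmaster.conf with
# "disablesid" so the next rule update does not re-enable it. The rules and
# SID numbers below are constructed for the demo, not real ruleset entries.

# Comment out every active rule in file $2 whose sid is exactly $1
# ("sid:100;" must not also hit "sid:1001;"). Already-commented lines and
# other rules are left untouched; a temp file keeps it portable (no sed -i).
disable_sid() {
    sid="$1"; file="$2"
    tmp=$(mktemp)
    awk -v pat="sid:[[:space:]]*${sid}[[:space:]]*;" '
        $0 !~ /^[[:space:]]*#/ && $0 ~ pat { print "# " $0; next }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Add "disablesid <sid>" to an oinkmaster.conf ($2) unless already present.
oinkmaster_disablesid() {
    sid="$1"; conf="$2"
    grep -qx "disablesid $sid" "$conf" 2>/dev/null \
        || printf 'disablesid %s\n' "$sid" >> "$conf"
}

# Number of rules still active (not commented out) in a rule file.
active_rules() {
    grep -Ec '^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$1"
}

# Constructed demo files (SIDs 100001-100003 are invented).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/community-sip.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"COMMUNITY SIP TCP/IP message flooding directed to SIP proxy"; sid:100001; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"COMMUNITY SIP demo rule kept"; sid:100002; rev:1;)
# alert tcp any any -> any 5060 (msg:"already disabled"; sid:100003; rev:1;)
EOF
: > "$demo/oinkmaster.conf"

disable_sid 100001 "$demo/community-sip.rules"
oinkmaster_disablesid 100001 "$demo/oinkmaster.conf"
disable_sid 100001 "$demo/community-sip.rules"          # re-running is harmless
oinkmaster_disablesid 100001 "$demo/oinkmaster.conf"
cat "$demo/community-sip.rules" "$demo/oinkmaster.conf"
```

The disablesid line is what matters long term: oinkmaster applies it to every future download, whereas the comment in the rule file only lasts until the next update replaces the file.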



Populate database

Use the MySQL script shipped with the package to create the schema and its initial content:

cd /usr/share/doc/snort-mysql
zcat create_mysql.gz | mysql -u snort -h localhost -p snort

...if everything is OK, the command prints nothing.

Check that the database is OK (the snort database should now contain the event, sensor, signature, ... tables).

If so, remove the pending-installation flag:

rm /etc/snort/db-pending-config


Initial Configuration

Reconfigure Snort:

dpkg-reconfigure snort-mysql

Check the configuration!

  1. vim /etc/snort/snort.conf

→ line 46: var HOME_NET IP@/submask !! You need to specify something here !!
→ line 49: var EXTERNAL_NET !$HOME_NET

!! Do not do this on Debian, where dpkg-reconfigure snort-mysql writes the database output settings for you !! On other systems, uncomment and complete:

output database: log, mysql, user=root password=test dbname=db host=localhost

user=root / password=test are placeholders: use the dedicated snort user and database created under Requirements, never the MySQL root account.

Caution: if you're using custom ports for some of your servers, you have to adjust the port variables of each service (HTTP_PORTS, SSH_PORTS, ...) in this configuration file, otherwise the corresponding rules never match.

You might encounter some errors, don't panic! :-) Adjust the Snort rules.

Source: http://doc.ubuntu-fr.org/snort

Rules web-site: http://rules.emergingthreats.net/open-nogpl/


Snort Graphical Front-End

Required programs

Add-ons, to display graphs and statistics:

  1. pear upgrade
  2. pear install Image_Color
  3. pear install Image_Graph
  4. pear install Mail
  5. pear install Mail_Mime

Automatic installation

  1. apt-get install acidbase

→ Use the automatic configuration of the database with "dbconfig-common" (MySQL, UNIX socket)

Manual installation

Requirement: ADODB (database abstraction layer for PHP)
Official website: http://adodb.sourceforge.net/
Downloads: http://sourceforge.net/projects/adodb/files/

  1. wget fileURL
  2. tar -xzvf adodb-php.tar.gz
  3. mv adodb5 /etc/php5

→ ADODB is now in /etc/php5/adodb5

Download BASE
Official website: http://base.secureideas.net/
Download the latest version from the official website, even though the last release dates from 2010. Because BASE is no longer maintained, do not expose it to the Internet: serve it over HTTPS only and put it behind web-server authentication or restrict it to your management network.

Extract it to: /var/www/default/base

Create the MySQL BASE tables in the SNORT database:

  1. cd /var/www/default/base/sql

Run one of the following scripts (they are identical): create_base_tbls_mysql.sql or acid2base_tbls_mysql.sql

Installation: URL/base/setup/index.php

Step 1 of 5
  • Language
  • Path to adodb: /etc/php5/adodb5 (manual install) or /usr/share/php/adodb (Debian package)

Step 2 of 5: MySQL configuration, please re-use the SNORT database

Step 3 of 5: it's not mandatory to create a new user

Step 4 of 5: create the required tables

Configuration

Edit the acidbase database settings:

  1. vim /var/www/website/webapps/acidbase/base_conf.php

$BASE_urlpath = '/webapps/acidbaseids';

$action_email_smtp_host = 'smtp.example.com';      # smtp.gmail.com:587
$action_email_smtp_localhost = 'serverHostName';   # extranet.daxiongmao.eu
$action_email_smtp_auth = 1;
$action_email_smtp_user = 'username';
$action_email_smtp_pw = 'password';
$action_email_from = 'snort@serverDomain.com';     # snort@extranet.daxiongmao.eu
$action_email_subject = 'BASE Incident Report';
$action_email_msg = '';
$action_email_mode = 0;

base_conf.php now holds the SMTP and database passwords: make it readable by the web-server user only (for example chown root:www-data and chmod 640).

Create the tables: https://server1.example.com/acidbase/base_db_setup.php

Adjust your php.ini settings

  1. vim /etc/php5/apache2/php.ini

Edit the php.ini of the SAPI that serves BASE (/etc/php5/apache2/php.ini for Apache; /etc/php5/cli/php.ini only affects command-line PHP). You need to adjust the "error reporting" variable as follows:

error_reporting = E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED

!! For cherokee you have to edit your PHP interpreter settings !! → vServers → target server → Rule management → select PHP rule → handler tab → disable the error handler

Reload Apache 2

  1. /etc/init.d/apache2 reload

Setup ACID: https://server1.example.com/acidbase/setup/index.php

Delete acid bug

You might have to disable some settings in /usr/share/acidbase/includes/base_cache.inc.php, lines 556 and 562. They might trigger false alerts.

Important reminders

You need to supervise your installation and check the logs regularly! You need to adjust your configuration to avoid too many false positives, keeping only the real alerts.