Overview:
What's Snort?
Scope and Limitations
Assumptions
Why Snort in VM?
VMWare Settings
Set up Fedora Core Build
Get libnet, Snort, BASE and adodb
Finish System Set-up and Compile Snort
Set up Snort Environment
Edit snort.conf
Set up MySQL
Gettin' GUI with it
Barnyard Output (not as bad as it sounds)
A Few More Steps in the Barnyard
Starting Snort and Finishing Barnyard Config
Test Snort
Your Pig is Ready to Snort!
Future Topics
Assumptions
This paper will cover the installation of Snort 2.8.4.1 on Fedora Core 11 with:
MySQL 5.0.77
Libnet 1.0.2a
Libpcap 0.9.8
BASE 1.4.2
Barnyard2-1.5
Apache 2.2.11
Using VMWare
Last, snapshots are your friend. VMWare allows users to capture the virtual machine's state at a point in time, which can be restored later. This is a huge advantage in case mistakes were made or the virtual machine has become unstable. If only real life were like that... All of this being said, the instructions in this paper should also work for native Fedora systems; they just won't cover any of the machine-specific details.
VMWare Settings
Within VMWare, the following settings are recommended:
512 MB RAM
12 GB disk
Eth0 host-only network
Eth1 bridged to host interface
No sound device, printer or accessories
the *.pl script from a CLI as root user. For more information on this process, please see http://www.vmware.com/support/ws55/doc/ws_newguest_tools_linux.html

Reboot to allow kernel updates to take effect. This process should take about an hour.

Once these steps are complete, the supporting applications need to be installed. Instead of yum, use the Fedora GUI add/remove programs tool. From System > Administration > Add/Remove Programs, install:
pcre, pcre-devel, pcre-lib, php, php-common, php-gd, php-cli, php-mysql, flex, bison, php_pear_Numbers_roman, php_pear_Numbers_words, php_pear_Image_color, php_pear_Image_canvas, php_pear_Image_graph, libpcap, libpcap-devel, mysql, mysql-devel, mysqlbench, mysql-server

Once these are done, run ntsysv from the CLI. Select httpd, mysqld and sshd to autostart.

As a recommendation, please consider statically defining the eth0 IP address rather than letting the internal VMWare DHCP server define it for you. Also, make sure to edit the /etc/hosts file to reflect the fully qualified domain name of your server.
sourceforge.net/project/showfiles.php?group_id=103348&package_id=128846.

Adodb is a database abstraction utility which allows multiple kinds of databases to interact with PHP. Get adodb4991.tar.gz from http://sourceforge.net/project/showfiles.php?group_id=42718&package_id=34890&release_id=636415
tar zxvf /home/bubba/Download/snortrules-snapshot-CURRENT_s.tar.gz -C /etc/snort
cp etc/* /etc/snort
groupadd snort
useradd -g snort snort
chown snort:snort /var/log/snort
touch /var/log/snort/alert
chown snort:snort /var/log/snort/alert
chmod 600 /var/log/snort/alert
cp /etc/snort/so_rules/precompiled/FC-9/i386/2.8.4/*.so /usr/local/lib/snort_dynamicrules
mv /usr/local/lib/snort_dynamicrules /usr/local/lib/snort_dynamicrule

The link created in the 6th step is going to be used when we set up Snort to autostart on boot. The last step is to handle a misspelling.
Edit snort.conf
The snort.conf file defines how Snort will run once the application is started. It is long and complex, but for this paper we will only be working on a few of the features.

vim /etc/snort/snort.conf

Find the variable RULE_PATH and change it to /etc/snort/rules.
Find output and comment out any output modules currently on.
Find output log_unified. Insert the following below it:

output unified2: filename snort.log, limit 128
Set up MySQL
MySQL will serve as the database for the snort application. While not required to run Snort on its own, a database makes it easier to track down events and is required by the BASE monitoring tool. One short note: this paper does not assume any expertise in database administration, nor does the author claim any significant skill in this area. The commands in this section are sufficient to install and run snort. The BASE tool provides some database maintenance tools; nothing additional is required to administer snort.
mysql
SET PASSWORD FOR root@localhost=PASSWORD('password');
CREATE DATABASE snort;
GRANT CREATE, INSERT, SELECT, DELETE, UPDATE ON snort.* TO snort@localhost;
SET PASSWORD FOR snort@localhost=PASSWORD('password');
exit

Replace 'password' in both SET PASSWORD statements with a password of your own; the same value is entered into BASE later.

cd /usr/local/snort-2.8.4.1/schemas
mysql -p snort < create_mysql

Now we will check to see that the Snort database has been correctly installed:

mysql -p
SHOW DATABASES;   (there should be 4 rows)
USE snort;
SHOW TABLES;      (there should be 16 rows)
Click Continue.
Path to adodb is /var/www/html/adodb
Database Name=snort, Database Host=localhost, Database User=snort, Database Password=password
Admin User Name=snort, Password=password, Full Name=snort
Click Create BASE AG.
/var/log/snort snort.log <10 digit number from step 2 above> 0

Start barnyard:
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo
Test Snort
In this step, we will test Snort with a simple rule in the local.rules file. Local rules are rules that the Snort administrator writes himself, and by convention they use SIDs (Snort IDs) in the range 1,000,000-1,999,999.

Open a third CLI:
vim /etc/snort/rules/local.rules
Insert:
alert tcp any any <> any 80 (msg:"Test web activity"; sid:1000001;)
Save and exit.
Restart Snort.
Open a web browser and go to any web page.
In the CLI, type [ctrl] + c.
Go to http://localhost/base-1.4.3.1 and look at your events. If you see a number of events with SID 1000001, Snort works!
vim /etc/snort/rules/local.rules and disable the Test web activity rule.
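As an added example (not from the paper), a small Python linter for local.rules that enforces the conventions this step relies on: every rule parses, carries a msg and a sid, the sid falls in the local range 1,000,000-1,999,999, and no two rules share a sid. The rev check and the sample file are the editor's additions, not the paper's.

```python
import re

# Constructed sample local.rules (not from the paper); the first rule is the paper's test rule.
SAMPLE_LOCAL_RULES = """\
# local.rules
alert tcp any any <> any 80 (msg: "Test web activity"; sid:1000001;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"ssh out"; sid:1000002; rev:1;)
alert tcp any any -> any 23 (msg:"telnet"; sid:999; rev:1;)
alert udp any any -> any 53 (sid:1000002; rev:2;)
this is not a rule
"""

# Rule header: action proto src sport direction dst dport, then (options)
RULE_RE = re.compile(r'^(alert|log|pass|drop|reject|sdrop)\s+(tcp|udp|icmp|ip)\s+'
                     r'\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$')
# One option: name, optional ':' value (a quoted value may contain ';'), then ';'
OPT_RE = re.compile(r'([a-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')
LOCAL_SID_MIN, LOCAL_SID_MAX = 1_000_000, 1_999_999  # local-rule SID convention

def parse_options(opts):
    """Turn 'msg:"x"; sid:1;' into {'msg': 'x', 'sid': '1'} (quotes stripped)."""
    return {k: v.strip().strip('"') for k, v in OPT_RE.findall(opts)}

def lint_local_rules(text):
    """Return (line_no, problem) findings; an empty list means the file is clean."""
    findings, seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append((n, 'unparseable rule'))
            continue
        opts = parse_options(m.group('opts'))
        if 'msg' not in opts:  # BASE shows msg; a rule without one is hard to triage
            findings.append((n, 'missing msg'))
        sid = opts.get('sid', '')
        if not sid.isdigit():
            findings.append((n, 'missing or non-numeric sid'))
            continue
        sid = int(sid)
        if not LOCAL_SID_MIN <= sid <= LOCAL_SID_MAX:
            findings.append((n, f'sid {sid} outside local range'))
        if sid in seen:  # two rules sharing a SID make their events indistinguishable
            findings.append((n, f'sid {sid} duplicates line {seen[sid]}'))
        seen.setdefault(sid, n)
        if 'rev' not in opts:  # rev versions a rule; bump it on every edit
            findings.append((n, 'missing rev'))
    return findings
```

Run lint_local_rules on the contents of /etc/snort/rules/local.rules before restarting Snort; each finding names the line to fix.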
Future Topics
Some topics for the next revision are:
Configuring Snort and Barnyard to start automatically
Oinkmaster updates or using Pulled Pork
Shared object rules
Preprocessor tuning
Rulebase tuning

I'm open to suggestions for improving this document and will be revisiting it on at least an annual basis. I cannot answer support questions; these are best addressed by the Snort Users mailing list.

Nick Moore, June 2009
nmoore@sourcefire.com