
Snort 2.8.4.1 Fedora Core 11 Installation Guide

Overview: What's Snort?
Scope and Limitations
Assumptions
Why Snort in VM?
VMWare Settings
Set up Fedora Core Build
Get libnet, Snort, BASE and adodb
Finish System Set-up and Compile Snort
Set up Snort Environment
Edit snort.conf
Set up MySQL
Gettin GUI with it
Barnyard Output (not as bad as it sounds)
A Few More Steps in the Barnyard
Starting Snort and Finishing Barnyard Config
Test Snort
Your Pig is Ready to Snort!
Future Topics

Overview: What's Snort?


Snort is an open source intrusion detection and prevention system (IDS/IPS) written in 1998 by Marty Roesch. It is the world's most widely used IPS and has been downloaded over 4 million times. The 250,000+ active Snort users worldwide contribute new rules, plugins and complementary applications that work with Snort.

Scope and Limitations


This paper covers Snort, not Linux system, web or database administration, and is offered with no explicit or implied warranty. All code referenced in this paper is open source. This paper is focused on the initial installation of Snort with some supporting applications. Tuning, rule writing, policy definition and other operational issues are outside this scope.

Assumptions
This paper will cover the installation of Snort 2.8.4.1 on Fedora Core 11 with:

MySQL 5.0.77
Libnet 1.0.2a
Libpcap 0.9.8
BASE 1.4.2
Barnyard2-1.5
Apache 2.2.11
Using VMWare

Why Snort in VM?


As a laptop user, I am mobile and often have to use public guest networks, such as those in hotels, coffee shops and others. One never knows when such an environment can be hostile (just because I'm paranoid doesn't mean that people aren't trying to get me). Also, using a web based GUI means that the web server port has to be open, as well as the MySQL port. So I find it helpful to have these on a virtual machine so that I don't have these ports open on my laptop OS, and so that they are only reachable over the host-only interface rather than from whatever network the laptop is plugged into.

Last, snapshots are your friend. VMWare allows users to capture the virtual machine's state at a point in time, which can later be restored. This is a huge advantage in case mistakes were made or the virtual machine has become unstable. If only real life was like that.... All of this being said, the instructions in this paper should also work for native Fedora systems; they just won't cover any of the machine-specific details.

VMWare Settings
Within VMWare, the following settings are recommended:

512 MB RAM
12 GB disk
Eth0: host-only network (management: the web GUI, MySQL and SSH are reached over this interface)
Eth1: bridged to the host interface (the interface Snort will sniff on)
No sound device, printer or accessories

Set up Fedora Core Build


First, download FC11 from http://fedoraproject.org. Once the operating system is installed from the defaults, several packages have to be installed to support the Snort installation and its supporting applications. I created bubba as my non-root user, and bubba's home directory is referred to throughout this paper. If another user account is used, simply replace bubba with the appropriate user name.

From a command line interface, as root, enter the following command:

yum install gcc gcc-c++ kernel-devel patch make vim ssh libxml2 libxml2-devel

After this step is complete, update the system by running the following:

yum -y update

Now it's time to install VMWare Tools. While not strictly necessary, the enhanced display resolution alone is worth the effort. Start the install from the menu bar under Virtual Machine > Install VMWare Tools. Once the disk is mounted on your desktop, un-tar it and run the *.pl script from a CLI as the root user. For more information on this process, please see http://www.vmware.com/support/ws55/doc/ws_newguest_tools_linux.html. Reboot to allow the kernel updates to take effect. This process should take about an hour.

Once these steps are complete, the supporting applications need to be installed. Instead of yum, use the Fedora GUI add/remove programs tool, System > Administration > Add/Remove Programs, and select:

pcre, pcre-devel, pcre-lib, php, php-common, php-gd, php-cli, php-mysql, flex, bison, php_pear_Numbers_roman, php_pear_Numbers_words, php_pear_Image_color, php_pear_Image_canvas, php_pear_Image_graph, libpcap, libpcap-devel, mysql, mysql-devel, mysqlbench, mysql-server

Once these are done, run ntsysv from the CLI and select httpd, mysqld and sshd to start at boot. As a recommendation, consider statically defining the eth0 IP address rather than letting the internal VMWare DHCP server define it for you. Also, make sure to edit the /etc/hosts file to reflect the fully qualified domain name of your server.

Get libnet, Snort, BASE and adodb


Download libnet-1.0.2a.tar.gz from http://www.filewatcher.com/m/libnet-1.0.2a.tar.gz.140191.0.0.html. Be careful with this: there are other sources for libnet, even some with the same version, but saved as a .tgz file rather than a .tar.gz. The .tgz file will NOT work, and neither will versions of libnet beyond 1.0.2a. Since filewatcher is a third-party mirror, compare the archive's checksum with one from the libnet project before building and installing it as root.

Go to http://snort.org and download snort-2.8.4.1.tar.gz, and verify its checksum against the value snort.org publishes for it. If you have a registered account with snort.org, you can get more up to date rules; the rules archive used later in this paper (snortrules-snapshot-CURRENT_s.tar.gz) comes from the rules download page once you are logged in. While this is very important for production systems, [xxxxx - explain the difference between rules here].

BASE provides a web front-end to query and analyze the alerts coming from a Snort IDS. Get BASE 1.4.2.tar.gz from http://sourceforge.net/project/showfiles.php?group_id=103348&package_id=128846.

Adodb is a database abstraction library which lets PHP talk to multiple kinds of databases. Get adodb4991.tgz from http://sourceforge.net/project/showfiles.php?group_id=42718&package_id=34890&release_id=636415.

Finish System Set-up and Compile Snort


Now we will finish the system set-up by installing libnet. For more information on libnet, please see http://libnet.sourceforge.net/. Take the following steps:

cd /usr/local
tar zxvf /home/bubba/Download/libnet-1.0.2a.tar.gz
cd Libnet-1.0.2a
./configure && make && make install

The && in the last step is a shell convention (not to be confused with shellcode): the command after && runs only if the command before it exited successfully, so the chain stops at the first failure instead of installing a half-built tree. In short, it's a shortcut to compile and install libnet. If you'd like more information on configure, make and make install, please refer to http://www.codecoffee.com/tipsforlinux/articles/27.html.

To install Snort, execute the following commands:

cd /usr/local
tar zxvf /home/bubba/Download/snort-2.8.4.1.tar.gz
cd snort-2.8.4.1
./configure --enable-targetbased && make && make install

Set up Snort Environment


There are a few steps that need to take place in order to have Snort run properly: setting up some directories, getting the Snort rules, moving some files around and creating the snort user. Execute the following as root:

mkdir /etc/snort
mkdir /var/log/snort
cd /etc/snort
tar zxvf /home/bubba/Download/snortrules-snapshot-CURRENT_s.tar.gz -C /etc/snort
cp etc/* /etc/snort
groupadd snort
useradd -g snort snort
chown snort:snort /var/log/snort
touch /var/log/snort/alert
chown snort:snort /var/log/snort/alert
chmod 600 /var/log/snort/alert
mkdir -p /usr/local/lib/snort_dynamicrules
cp /etc/snort/so_rules/precompiled/FC-9/i386/2.8.4/*.so /usr/local/lib/snort_dynamicrules
mv /usr/local/lib/snort_dynamicrules /usr/local/lib/snort_dynamicrule

The snort user and group are created so that Snort can run unprivileged once its capture interface is open (it is a service account, so you may give it no login shell with useradd -s /sbin/nologin); they will also be used when Snort is set up to autostart on boot, a future topic. The mkdir before the cp is needed because cp with several source files requires an existing target directory. The last step handles a misspelling: the directory name must match the dynamicdetection directory line in snort.conf, so check that that line reads /usr/local/lib/snort_dynamicrule.

Edit snort.conf
The snort.conf file defines how Snort will run once the application is started. It is long and complex, but for this paper we will only be working on a few of the features.

vim /etc/snort/snort.conf

Find the variable RULE_PATH and change it to /etc/snort/rules:

var RULE_PATH /etc/snort/rules

Find the output section and comment out any output modules that are currently on. Find output log_unified and insert the following below it:

output unified2: filename snort.log, limit 128

The limit is in megabytes; when a file reaches it, Snort rolls over to a new snort.log.<timestamp> file, which is why Barnyard is later pointed at the base name snort.log rather than at one file. The filename here must match the -f argument given to barnyard2.

Set up MySQL
MySQL will serve as the database for the snort application. While not required to run Snort on its own, a database makes it easier to track down events and is required by the BASE monitoring tool. One short note: this paper does not assume any expertise in database administration, nor does the author claim any significant skill in this area. The commands in this section are sufficient to install and run snort. The BASE tool provides some database maintenance tools; nothing additional is required to administer snort.

mysql

SET PASSWORD FOR root@localhost=PASSWORD('password');
create database snort;
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
SET PASSWORD FOR snort@localhost=PASSWORD('password');
exit

cd /usr/local/snort-2.8.4.1/schemas
mysql -p snort < create_mysql

Replace password with real passwords of your own (the snort account's password is entered again in the BASE and Barnyard configuration later). A fresh Fedora MySQL install has no root password, which is why the first mysql command needs none and why the first statement sets one. The grant is deliberately limited: Barnyard only inserts rows, and BASE needs CREATE for its own alert-group tables and DELETE to remove alerts, so nothing else (DROP, ALTER, GRANT) is given to the account whose password will sit in web-readable config files.

Now we will check that the Snort database has been correctly installed:

mysql -p
SHOW DATABASES;
There should be 4 rows.
use snort
SHOW TABLES;
There should be 16 rows.

Gettin GUI with it


In this step, we will set up the web environment. The first set of steps involves un-tarring adodb and BASE into the web directory, followed by setting up BASE from a web prompt. Use the archive name of the BASE version you downloaded; the rest of this paper uses base-1.4.3.1. From the CLI as root:

cd /var/www/html
tar zxvf /home/bubba/Download/adodb4991.tgz
tar zxvf /home/bubba/Download/base-1.4.3.1.tar.gz
chown apache base-1.4.3.1
chgrp apache base-1.4.3.1
chmod 777 /var/www/html/base-1.4.3.1

The chmod is only there so the web set-up page can write base_conf.php into that directory; since apache already owns it, 755 would do. Next:

vim /etc/php.ini

Find error_reporting and make sure it is set to:

error_reporting = E_ALL & ~E_NOTICE

service httpd restart

In a browser, go to http://localhost/base-1.4.3.1 and click Continue. Path to adodb is /var/www/html/adodb. Database Name=snort, Database Host=localhost, Database User=snort, Database Password=password (the password chosen for the snort database account). Admin User Name=snort, Password=password, Full Name=snort (pick a different password from the database one; this is the web login). Click Create BASE AG.

Once set-up has completed, take the directory back off world-writable and make sure the config file, which now contains the database password, is readable only by the web server:

chmod 755 /var/www/html/base-1.4.3.1
chmod 640 /var/www/html/base-1.4.3.1/base_conf.php

Barnyard Output (not as bad as it sounds)


Barnyard was written to take over the various output processing tasks so that Snort can spend more of its resources on processing packets. Execute the following:

cd /usr/local
tar zxvf /home/bubba/Download/barnyard2-1.5.tar.gz
cd barnyard2-1.5
./configure --with-mysql && make && make install
cp etc/barnyard2.conf /etc/snort

A Few More Steps in the Barnyard


vim /etc/snort/barnyard2.conf

Look for config hostname and replace thor with localhost. Look for config interface and set it to the interface Snort will sniff on; this paper starts Snort on eth1 in the next section, and the value is what Barnyard records in the sensor table that BASE displays. Look for output database and edit the mysql line to read:

output database: alert, mysql, user=snort password=password dbname=snort host=localhost

Use the password chosen for the snort database account. Since the file now holds a database credential and barnyard2 is run as root here, keep it readable only by root:

chmod 600 /etc/snort/barnyard2.conf

Starting Snort and Finishing Barnyard Config


In this section, we will start Snort and Barnyard. In the CLI, type:

snort -c /etc/snort/snort.conf -i eth1

Snort needs root to open the interface; adding -u snort -g snort makes it drop to the snort user and group created earlier once the interface is open, which is why /var/log/snort was chowned to that user.

Open a second CLI and run:

ls -la /var/log/snort

Look for the 10-digit suffix on snort.log. If there is more than one file, copy the suffix of the latest one.

vim /var/log/snort/barnyard.waldo

Enter the following, then save and exit:

/var/log/snort
snort.log
<10 digit number from step 2 above>
0

Start barnyard:

/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo

The waldo file is Barnyard's bookmark: the spool directory, the file base name, the timestamp of the spool file being read and the record position within it. Barnyard rewrites it as it processes events so that a restart resumes where it left off instead of inserting the same events into the database twice. Barnyard2 maintains the file itself once running; if it complains that the waldo file cannot be read, delete it and let barnyard2 create it on start-up.
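To make concrete what Barnyard reads from /var/log/snort and what the waldo bookmark records, here is an added example (my own code, not Snort's or barnyard2's): a small Python reader for the unified2 records Snort writes, resolving sid numbers through a sid-msg.map the way barnyard2 -S does and reporting the byte offset at which the next run should resume. The spool bytes and the sid-msg.map excerpt are constructed inline for the example; the field layout is the unified2 IPv4 event (type 7) and packet (type 2) record format that Snort 2.8 writes.

```python
"""Reader for the unified2 records Snort writes to /var/log/snort/snort.log.*
Added example (not Snort or barnyard2 code); the record layouts are the
unified2 IPv4 event (type 7) and packet (type 2) formats of Snort 2.8."""
import socket
import struct

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

HEADER = struct.Struct("!II")                     # record type, record length
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")   # 52-byte IPv4 event
PACKET = struct.Struct("!IIIIIII")                # 28-byte packet header + frame


def ip2int(dotted):
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def int2ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))


def load_sid_msg_map(text):
    """Parse 'sid || msg || reference ...' lines (the -S file) into {sid: msg}."""
    msgs = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("||")]
        if len(parts) >= 2 and parts[0].isdigit():
            msgs[int(parts[0])] = parts[1]
    return msgs


def read_unified2(data, offset=0, sid_msgs=None):
    """Decode complete records starting at byte offset; return (records, new_offset).
    new_offset is the position a waldo bookmark would persist so the next run
    resumes without re-inserting events. A trailing record whose length field
    promises more bytes than are present is left for the next read."""
    sid_msgs = sid_msgs or {}
    records = []
    while offset + HEADER.size <= len(data):
        rtype, rlen = HEADER.unpack_from(data, offset)
        start, end = offset + HEADER.size, offset + HEADER.size + rlen
        if end > len(data):
            break                                 # Snort is still writing this one
        body = data[start:end]
        if rtype == UNIFIED2_IDS_EVENT and rlen == IDS_EVENT.size:
            f = IDS_EVENT.unpack(body)
            gid, sid, rev = f[5], f[4], f[6]
            records.append({
                "type": "event", "event_id": f[1], "time": f[2],
                "gid": gid, "sid": sid, "rev": rev, "priority": f[8],
                "src": int2ip(f[9]), "dst": int2ip(f[10]),
                "sport": f[11], "dport": f[12], "proto": f[13],
                # same fallback label barnyard2 uses for a sid missing from the map
                "msg": sid_msgs.get(sid, "Snort Alert [%d:%d:%d]" % (gid, sid, rev)),
            })
        elif rtype == UNIFIED2_PACKET and rlen >= PACKET.size:
            f = PACKET.unpack_from(body)
            records.append({"type": "packet", "event_id": f[1], "linktype": f[5],
                            "packet": body[PACKET.size:PACKET.size + f[6]]})
        else:
            records.append({"type": "unknown", "rtype": rtype, "len": rlen})
        offset = end
    return records, offset


# Constructed for this example: a sid-msg.map excerpt and a spool holding one
# alert from the paper's test rule, its packet, and a record cut off mid-write.
SAMPLE_SID_MSG_MAP = "1000001 || Test web activity\n"


def make_sample_spool():
    ev = IDS_EVENT.pack(0, 1, 1245000000, 0, 1000001, 1, 0, 0, 3,
                        ip2int("192.168.1.10"), ip2int("10.0.0.5"),
                        49152, 80, 6, 0, 0, 0)
    frame = b"\x00" * 14 + b"\x45" + b"\x00" * 19     # stub Ethernet+IP bytes
    pk = PACKET.pack(0, 1, 1245000000, 1245000000, 0, 1, len(frame)) + frame
    spool = HEADER.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev
    spool += HEADER.pack(UNIFIED2_PACKET, len(pk)) + pk
    return spool + HEADER.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev[:20]


if __name__ == "__main__":
    recs, waldo = read_unified2(make_sample_spool(), 0,
                                load_sid_msg_map(SAMPLE_SID_MSG_MAP))
    for r in recs:
        print(r)
    print("next run resumes at byte offset", waldo)
```

Run it against a real spool with read_unified2(open("/var/log/snort/snort.log.1234567890", "rb").read(), 0, load_sid_msg_map(open("/etc/snort/sid-msg.map").read())). The truncated last record in the sample is the situation Barnyard sees constantly while Snort is writing: the reader stops at it and reports the offset just before it, which is exactly the value worth persisting.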

Test Snort
In this step, we will test Snort with a simple rule in the local.rules file. Local rules are rules that the Snort administrator writes, and by convention they use SIDs (Snort IDs) of 1,000,000-1,999,999 so they never collide with the distributed rules. Open a third CLI:

vim /etc/snort/rules/local.rules

Insert:

alert tcp any any <> any 80 (msg:"Test web activity"; sid:1000001;)

Save and exit, then restart Snort ([ctrl] + c in the Snort CLI and run the snort command again, so it re-reads the rules). Open a web browser and go to any web page. In the Snort CLI, type [ctrl] + c. Go to http://localhost/base-1.4.3.1 and look at your events. If you see a number of events with SID 1000001, Snort works! Then:

vim /etc/snort/rules/local.rules

and disable the Test web activity rule (comment it out with a leading #), since it fires on every web request.
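One thing that bites people at this step: Barnyard2 looks each sid up in sid-msg.map (the -S argument above) to get the message text, and the map shipped in the rules snapshot knows nothing about local.rules, so BASE shows a generic "Snort Alert [1:1000001:0]" label until an entry is added. As an added example (not from the paper or the Snort project), the following Python script generates those entries from a rules file and flags the mistakes that lead to confusing results: a rule with no sid or msg, a sid below the local range, or a duplicate sid. The sample rules string is constructed for the example; run it against /etc/snort/rules/local.rules and append its output to /etc/snort/sid-msg.map, then restart barnyard2.

```python
"""Generate sid-msg.map entries for local Snort rules and catch the mistakes
that leave BASE showing a bare 'Snort Alert [gid:sid:rev]'. Added example,
not code from the paper or the Snort project."""
import re
import sys

ACTION_RE = re.compile(r"^(alert|log|pass|drop|reject|sdrop)\b")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
LOCAL_SID_MIN = 1000000          # SIDs from here up are reserved for local rules


def parse_rules(text):
    """Return (sid, msg, rev, enabled, lineno) for every rule line.
    A '#' line that still looks like a rule is a disabled rule and is kept;
    any other comment or blank line is skipped. Missing fields come back as None."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("# ")
        if not ACTION_RE.match(body):
            continue
        sid, msg, rev = SID_RE.search(body), MSG_RE.search(body), REV_RE.search(body)
        rules.append((int(sid.group(1)) if sid else None,
                      msg.group(1) if msg else None,
                      int(rev.group(1)) if rev else 0,
                      enabled, lineno))
    return rules


def lint_local_rules(rules):
    """Problems to fix before restarting Snort; an empty list means clean."""
    problems, seen = [], set()
    for sid, msg, rev, enabled, lineno in rules:
        if sid is None or msg is None:
            problems.append("line %d: rule is missing sid or msg" % lineno)
            continue
        if sid < LOCAL_SID_MIN:
            problems.append("line %d: sid %d is below the local range (>= %d)"
                            % (lineno, sid, LOCAL_SID_MIN))
        if sid in seen:
            problems.append("line %d: duplicate sid %d" % (lineno, sid))
        seen.add(sid)
    return problems


def sid_msg_map_lines(rules):
    """One 'sid || msg' line per rule that has both fields, ready to append
    to /etc/snort/sid-msg.map (the barnyard2 -S file)."""
    return ["%d || %s" % (sid, msg) for sid, msg, _rev, _on, _ln in rules
            if sid is not None and msg is not None]


# Constructed sample in the shape of this paper's local.rules (not a real file):
# the test rule, plus a disabled rule with an escaped quote in its message.
SAMPLE_RULES = '''# local.rules
alert tcp any any <> any 80 (msg: "Test web activity"; sid:1000001;)
# alert tcp any any -> any 22 (msg:"SSH to \\"jump\\" host"; sid:1000002; rev:2;)
'''

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    rules = parse_rules(text)
    for problem in lint_local_rules(rules):
        print("WARNING:", problem, file=sys.stderr)
    print("\n".join(sid_msg_map_lines(rules)))
```

Disabled rules are kept in the map on purpose: events they generated before being commented out are still in the database, and BASE should still be able to name them.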

Your Pig is Ready to Snort!

Future Topics
Some topics for the next revision are:

Configuring Snort and Barnyard to start automatically
Oinkmaster updates or using PulledPork
Shared object rules
Preprocessor tuning
Rulebase tuning

I'm open to suggestions for improving this document and will be revisiting it on at least an annual basis. I cannot answer support questions; these are best addressed by the Snort Users mailing list.

Nick Moore, June 2009
nmoore@sourcefire.com
