Home > CentOS > CentOS 6.x > Security tools > Snort configuration > Snort related tools

Installing oinkmaster

Oinkmaster can be used to download latest snort rules from snort website automatically and install them on your system.

1. Download latest oinkmaster source code from http://oinkmaster.sourceforge.net/download.shtml
2. Extract tar.gz file with something like 'tar xzf oinkmaster-2.0.tar.gz'
3. cp oinkmaster.pl /usr/local/bin
4. cp oinkmaster.conf /etc
5. cp oinkmaster.1 /usr/share/man/man1
6. Test 'man oinkmaster'
7. Login on http://www.snort.org/ with your snort username and password
8. Go to 'My account -> My Oinkcode' section. If you have not generated Oinkcode so far then generate one for your account.
9. Copy URL from 'Configuring oinkmaster' to /etc/oinkmaster.conf file. It will look like

   url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2900.tar.gz

10. Export http_proxy using 'export http_proxy=http://facultyproxy.iiit.ac.in:8080/'
11. Use 'oinkmaster.pl -o /etc/snort/rules -v'. Note that you can download rules only once in 15 minutes. So do not stop this command in between as it will take some time to finish
12. crontab -e

    Add 01 4 * * * /usr/local/bin/oinkmaster.pl -C /etc/oinkmaster.conf -o /etc/snort/rules 2>&1 | mail -s “oinkmaster” root@localhost

    For cron method to work system must have direct connection to Internet

Setting up MySQL database

1. service mysqld start
2. mysql -u root
3. create database snort;
4. GRANT CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to 'snort'@'localhost' identified by 'snortpass';
5. Go to folder 'schemas' located in extracted snort source code directory.
6. Use 'mysql -u root snort < create_mysql' to update snort database

Configure snort to log to database

One should ideally use barnyard to do this. But since working barnyard configuration method needs to be determined we will use snort to log directly into database.

1. Edit /etc/snort/snort.conf and use these lines

   output database: alert, mysql, user=snort password=snortpass dbname=snort host=localhost
   output database: log, mysql, user=snort password=snortpass dbname=snort host=localhost

Installing base

1. Download latest base from http://sourceforge.net/projects/secureideas/
2. yum install php-adodb php-gd
3. pear install --alldeps Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
4. Copy base source code to /var/www/html
5. Extract base source code
6. Move source directory name to base using something like 'mv base-1.4.5 base'
7. cp base_conf.php.dist base_conf.php
8. Set following variables in 'base_conf.php' file:

   $BASE_urlpath = '/base';
   $DBlib_path = '/var/www/adodb/';
   $DBtype = 'mysql';
   $alert_dbname   = 'snort';
   $alert_host     = 'localhost';
   $alert_port     = '';
   $alert_user     = 'snort';
   $alert_password = 'snortpass';

   Sometimes adodb can get installed in other locations like '/usr/share/php/adodb/'. Use 'locate' and 'updatedb' combo to get things done in this case.

9. service httpd start
10. Allow connections to port 80 through firewall
11. Open http://<IP>/base from browser
12. Use 'Base Setup Page' link
13. Click on 'Create Base AG' button
14. Click on 'Main page' link to start using BASE

Testing setup

1. Add following rules to '/etc/snort/rules/local.rules' file

   alert tcp any any <> 10.100.1.107 80 (msg: "HTTP password access on vm7"; sid:1000001; rev:1; content:"PASSWORD";)

2. Create few HTML pages with content PASSWORD on them
3. Try to access those pages and check if logs are getting generated or not.

Most steps learned from http://www.freelinuxtutorials.com/tutorials/installing-ids-using-snort-with-oinkmaster-barnyard-and-base-on-rhelcentos-64-bit/

Installing barnyard2

After basic snort to database logging is working, we can insert barnyard2 in between and ask snort to log in unified2 format instead. Steps for configuring barnyard2 are:

1. Go to /var/log/snort and delete all files
2. Create directory named processed using 'mkdir -p /var/log/snort/processed'
3. mkdir -p /var/log/barnyard2
4. Configure snort to log both alerts and logs into single file using unified2 file format. Configuration line should be something like:

   output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types

5. Download latest source code from http://www.securixlive.com/barnyard2/download.php The site seems to be down hence barnyard2 can be downloaded from https://github.com/firnsy/barnyard2#readme In this case first run ./autogen.sh to get configure scripts created.
6. Use './configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql --libdir=/usr/lib64' to configure.
7. make clean; make; make install
8. Edit file '/usr/local/etc/barnyard2.conf' so that it has following configuration

   config reference_file:      /etc/snort/reference.config
   config classification_file: /etc/snort/classification.config
   config gen_file:            /etc/snort/gen-msg.map
   config sid_file:                /etc/snort/sid-msg.map
   config hostname:        vm5
   config interface:       eth0
   config alert_with_interface_name
   config daemon
   config show_year
   config waldo_file: /etc/snort/barnyard2.waldo
   config archivedir: /var/log/snort/processed
   config process_new_records_only
   input unified2
   output database: log, mysql, user=snort password=snortpass dbname=snort host=localhost

9. Use following command to start barnyard2

   barnyard2 -c /usr/local/etc/barnyard2.conf -f merged.log -d /var/log/snort -n -w /etc/snort/barnyard2.waldo -v  -l /var/log/barnyard2 -D

10. Access more pages with content 'PASSWORD' and verify that new logs are shown in base

Lot of things learned from http://www.securixlive.com/barnyard2/docs/manual.php

Home > CentOS > CentOS 6.x > Security tools > Snort configuration > Snort related tools