Difference between revisions of "Snort related tools"
Revision as of 07:33, 22 January 2019
Installing oinkmaster
Oinkmaster can be used to automatically download the latest Snort rules from the Snort website and install them on your system.
- Download the latest oinkmaster source code from http://oinkmaster.sourceforge.net/download.shtml
- Extract the tar.gz file with something like 'tar xzf oinkmaster-2.0.tar.gz'
- cp oinkmaster.pl /usr/local/bin
- cp oinkmaster.conf /etc
- cp oinkmaster.1 /usr/share/man/man1
- Test with 'man oinkmaster'
- Log in to http://www.snort.org/ with your Snort username and password
- Go to the 'My account -> My Oinkcode' section. If you have not generated an Oinkcode so far, generate one for your account.
- Copy the URL from the 'Configuring oinkmaster' section into the /etc/oinkmaster.conf file. It will look like:
- url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2900.tar.gz
- Export http_proxy using 'export http_proxy=http://facultyproxy.iiit.ac.in:8080/'
- Run 'oinkmaster.pl -o /etc/snort/rules -v'. Note that rules can be downloaded only once every 15 minutes, so do not interrupt this command; it takes some time to finish.
- crontab -e
- Add 01 4 * * * /usr/local/bin/oinkmaster.pl -C /etc/oinkmaster.conf -o /etc/snort/rules 2>&1 | mail -s "oinkmaster" root@localhost
- For the cron method to work, the system must have a direct connection to the Internet.
Setting up MySQL database
- service mysqld start
- mysql -u root
- create database snort;
- GRANT CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to 'snort'@'localhost' identified by 'snortpass';
- Go to the 'schemas' folder in the extracted snort source code directory.
- Run 'mysql -u root snort < create_mysql' to create the tables in the snort database.
Configure snort to log to database
Ideally barnyard should be used for this, but since a working barnyard configuration still has to be worked out, we will have snort log directly into the database.
- Edit /etc/snort/snort.conf and add these lines:
- output database: alert, mysql, user=snort password=snortpass dbname=snort host=localhost
- output database: log, mysql, user=snort password=snortpass dbname=snort host=localhost
Installing base
- Download latest base from http://sourceforge.net/projects/secureideas/
- yum install php-adodb php-gd
- pear install --alldeps Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
- Copy the BASE source code to /var/www/html
- Extract the BASE source code
- Rename the source directory to base using something like 'mv base-1.4.5 base'
- cp base_conf.php.dist base_conf.php
- Set the following variables in the 'base_conf.php' file:
- $BASE_urlpath = '/base';
- $DBlib_path = '/var/www/adodb/';
- $DBtype = 'mysql';
- $alert_dbname = 'snort';
- $alert_host = 'localhost';
- $alert_port = '';
- $alert_user = 'snort';
- $alert_password = 'snortpass';
- Sometimes adodb gets installed in another location such as '/usr/share/php/adodb/'. In that case run 'updatedb' and then 'locate adodb' to find the actual path, and set $DBlib_path accordingly.
- service httpd start
- Allow connections to port 80 through the firewall
- Open http://<IP>/base in a browser
- Follow the 'Base Setup Page' link
- Click on 'Create Base AG' button
- Click on 'Main page' link to start using BASE
Testing setup
- Add the following rule to the '/etc/snort/rules/local.rules' file:
- alert tcp any any <> 10.100.1.107 80 (msg: "HTTP password access on vm7"; sid:1000001; rev:1; content:"PASSWORD";)
- Create a few HTML pages containing the word PASSWORD
- Access those pages and check whether alerts are being logged.
Most steps were learned from http://www.freelinuxtutorials.com/tutorials/installing-ids-using-snort-with-oinkmaster-barnyard-and-base-on-rhelcentos-64-bit/
Installing barnyard2
Once basic snort-to-database logging is working, barnyard2 can be inserted in between and snort told to log in unified2 format instead. The steps for configuring barnyard2 are:
- Go to /var/log/snort and delete all files
- Create a directory named processed using 'mkdir -p /var/log/snort/processed'
- mkdir -p /var/log/barnyard2
- Configure snort to log both alerts and logs into a single file in unified2 format. The configuration line should be something like:
- output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types
- Download the latest source code from http://www.securixlive.com/barnyard2/download.php. That site seems to be down, so barnyard2 can instead be downloaded from https://github.com/firnsy/barnyard2#readme; in that case first run ./autogen.sh to create the configure scripts.
- Use './configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql --libdir=/usr/lib64' to configure.
- make clean; make; make install
- Edit the file '/usr/local/etc/barnyard2.conf' so that it has the following configuration:
- config reference_file: /etc/snort/reference.config
- config classification_file: /etc/snort/classification.config
- config gen_file: /etc/snort/gen-msg.map
- config sid_file: /etc/snort/sid-msg.map
- config hostname: vm5
- config interface: eth0
- config alert_with_interface_name
- config daemon
- config show_year
- config waldo_file: /etc/snort/barnyard2.waldo
- config archivedir: /var/log/snort/processed
- config process_new_records_only
- input unified2
- output database: log, mysql, user=snort password=snortpass dbname=snort host=localhost
- Start barnyard2 with the following command:
- barnyard2 -c /usr/local/etc/barnyard2.conf -f merged.log -d /var/log/snort -n -w /etc/snort/barnyard2.waldo -v -l /var/log/barnyard2 -D
- Access more pages containing 'PASSWORD' and verify that the new alerts are shown in BASE
Much of this was learned from http://www.securixlive.com/barnyard2/docs/manual.php
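An added example (not code from the original page or from barnyard2) showing what a unified2 spool reader has to do with the merged.log file snort writes above: parse the record headers, decode the IPv4 event records, and remember how far it got so that a record snort is still writing is retried rather than skipped (the bookmark barnyard2 keeps in its waldo file). Record layouts follow Snort's Unified2_common.h; the sample bytes, the 10.100.1.5 source address and the VLAN id are constructed.

```python
import struct
import socket

# Record types snort writes to a unified2 spool (values from Snort's
# Unified2_common.h); barnyard2 reads the same stream.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_VLAN = 104   # IPv4 event with mpls/vlan fields, 60-byte body

# Fixed-size event body: 11 x uint32, 2 x uint16, 4 x uint8, network byte order.
_EVENT_FMT = "!11I2H4B"
_VLAN_TAIL_FMT = "!IHH"        # mpls_label, vlanId, pad2 appended for type 104

def parse_unified2(data):
    """Walk a unified2 byte stream and return (events, consumed).

    'consumed' is the offset of the first record that could not be read in
    full. A reader must persist this bookmark (barnyard2 uses the waldo file)
    so a partially written record is re-read later instead of being skipped.
    """
    events, off = [], 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack("!II", data[off:off + 8])
        if off + 8 + rlen > len(data):
            break                      # snort is still writing this record
        body = data[off + 8:off + 8 + rlen]
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN):
            f = struct.unpack(_EVENT_FMT, body[:52])
            ev = {"event_id": f[1], "sid": f[4], "gid": f[5], "rev": f[6],
                  "src": socket.inet_ntoa(struct.pack("!I", f[9])),
                  "dst": socket.inet_ntoa(struct.pack("!I", f[10])),
                  "sport": f[11], "dport": f[12], "proto": f[13]}
            if rtype == UNIFIED2_IDS_EVENT_VLAN:
                ev["vlan"] = struct.unpack(_VLAN_TAIL_FMT, body[52:60])[1]
            events.append(ev)
        # UNIFIED2_PACKET and any unknown record types are skipped by length
        off += 8 + rlen
    return events, off

def build_sample():
    """Constructed spool: one VLAN event matching the page's test rule
    (gid 1, sid 1000001, rev 1, to 10.100.1.107:80) followed by a truncated
    packet record, as if snort were mid-write."""
    body = struct.pack(_EVENT_FMT, 1, 42, 1548140000, 0, 1000001, 1, 1, 0, 3,
                       0x0A640105, 0x0A64016B, 51234, 80, 6, 0, 0, 0)
    body += struct.pack(_VLAN_TAIL_FMT, 0, 100, 0)
    full = struct.pack("!II", UNIFIED2_IDS_EVENT_VLAN, len(body)) + body
    partial = struct.pack("!II", UNIFIED2_PACKET, 200) + b"\x00" * 28
    return full + partial
```

Running parse_unified2 over the bytes of /var/log/snort/merged.log gives the same (gid, sid) pairs that barnyard2 resolves through sid-msg.map and inserts into the snort database.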