Snort related tools

From Notes_Wiki
Revision as of 07:33, 22 January 2019 by Saurabh (talk | contribs)

<yambe:breadcrumb self="Snort related tools">Snort configuration|Snort configuration</yambe:breadcrumb>

Installing oinkmaster

Oinkmaster downloads the latest Snort rules from snort.org and installs them on the system, so rule updates can be automated. The download URL embeds your oinkcode, which is a per-account credential, so treat /etc/oinkmaster.conf like a password file (root-owned, mode 600). Oinkmaster only replaces the rule files; Snort has to be restarted before the new rules take effect.

  1. Download the latest oinkmaster source code from http://oinkmaster.sourceforge.net/download.shtml
  2. Extract the tar.gz file with something like 'tar xzf oinkmaster-2.0.tar.gz'
  3. cp oinkmaster.pl /usr/local/bin
  4. cp oinkmaster.conf /etc
  5. cp oinkmaster.1 /usr/share/man/man1
  6. Test with 'man oinkmaster'
  7. Log in to http://www.snort.org/ with your snort username and password
  8. Go to the 'My account -> My Oinkcode' section. If you have not generated an Oinkcode so far, generate one for your account.
  9. Copy the URL from 'Configuring oinkmaster' into the /etc/oinkmaster.conf file. It will look like
    url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2900.tar.gz
    Since the oinkcode is part of this URL, make the file unreadable to other users: 'chmod 600 /etc/oinkmaster.conf'
  10. If the host reaches the Internet through a proxy, export http_proxy, e.g. 'export http_proxy=http://facultyproxy.iiit.ac.in:8080/'
  11. Run 'oinkmaster.pl -o /etc/snort/rules -v'. Note that you can download the rules only once in 15 minutes, so do not interrupt this command; it takes some time to finish.
  12. crontab -e
    Add 01 4 * * * /usr/local/bin/oinkmaster.pl -C /etc/oinkmaster.conf -o /etc/snort/rules 2>&1 | mail -s "oinkmaster" root@localhost
    Cron jobs do not inherit the http_proxy variable exported in your interactive shell, so for the cron method to work the system must either have a direct connection to the Internet or set http_proxy in the crontab itself (an 'http_proxy=http://...' line above the job entry).
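The following wrapper script is an added example for the cron job above; it is not part of the original page or of oinkmaster. It carries the proxy setting into cron's empty environment, refuses to run while /etc/oinkmaster.conf is readable by anyone but its owner (the URL in it holds the oinkcode), serialises runs with a lock directory, and keeps a rules update only if 'snort -T' accepts it, restoring the previous rules otherwise. The paths are the ones used on this page; the proxy value and the Snort service name 'snortd' are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original page or from oinkmaster): cron wrapper
# around oinkmaster.pl with a config-permission check, a lock, and a
# validate-or-rollback step. Paths are those used on this page; PROXY and the
# 'snortd' service name are assumptions.

CONF=/etc/oinkmaster.conf
RULES_DIR=/etc/snort/rules
SNORT_CONF=/etc/snort/snort.conf
LOCK_DIR=/var/run/oinkmaster.lock
PROXY=http://facultyproxy.iiit.ac.in:8080/   # assumed; the proxy from the page

# Return 0 only if the config exists, is readable by its owner alone
# (it contains the oinkcode) and actually has a url line.
check_oinkmaster_conf() {
    conf=$1
    if [ ! -f "$conf" ]; then
        echo "missing $conf" >&2; return 1
    fi
    # ls -ld prints e.g. -rw-r--r--; characters 5-10 are the group/other bits
    perms=$(ls -ld "$conf" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$conf is readable by group/other ($perms); chmod 600 it, it holds your oinkcode" >&2
        return 1
    fi
    if ! grep -q '^[[:space:]]*url[[:space:]]*=' "$conf"; then
        echo "$conf has no url line" >&2; return 1
    fi
    return 0
}

# Run oinkmaster, then validate the new rule set with snort -T; roll back on failure.
update_rules() {
    check_oinkmaster_conf "$CONF" || return 1
    # cron does not inherit the interactive shell's http_proxy, so set it here
    http_proxy=$PROXY; export http_proxy
    # mkdir is atomic: a second run started while one is in progress stops here
    if ! mkdir "$LOCK_DIR" 2>/dev/null; then
        echo "another oinkmaster run is in progress" >&2; return 1
    fi
    trap 'rmdir "$LOCK_DIR"' EXIT
    backup=$(mktemp /tmp/rules-backup.XXXXXX) || return 1
    tar cf "$backup" -C "$RULES_DIR" . || return 1
    if ! /usr/local/bin/oinkmaster.pl -C "$CONF" -o "$RULES_DIR"; then
        echo "oinkmaster failed; rules left unchanged" >&2; return 1
    fi
    # -T: parse the configuration and every rule, then exit without sniffing
    if snort -T -c "$SNORT_CONF" >/dev/null 2>&1; then
        rm -f "$backup"
        service snortd restart    # assumed service name; Snort must restart to load new rules
    else
        echo "new rules failed snort -T; restoring previous rules" >&2
        tar xf "$backup" -C "$RULES_DIR" && rm -f "$backup"
        return 1
    fi
}

case "${1:-}" in
    run) update_rules ;;
esac
```

Install it as, say, /usr/local/bin/oinkmaster-update.sh and replace the crontab entry above with '01 4 * * * /usr/local/bin/oinkmaster-update.sh run'; cron mails whatever the script prints to the crontab owner, so the separate 'mail' pipe is no longer needed.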


Setting up MySQL database

  1. service mysqld start
  2. mysql -u root
  3. create database snort;
  4. GRANT CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to 'snort'@'localhost' identified by 'snortpass';
    'snortpass' is only a placeholder: pick a strong password and use the same one in snort.conf, base_conf.php and barnyard2.conf below. This 'GRANT ... IDENTIFIED BY' form is MySQL 5.x syntax; MySQL 8 requires a separate CREATE USER statement first.
  5. Go to the 'schemas' folder located in the extracted snort source code directory.
  6. Use 'mysql -u root snort < create_mysql' to create the snort tables in the database


Configure snort to log to database

One should ideally use barnyard2 to do this: when Snort writes to the database itself, packet processing stalls while each insert completes, which can drop packets on a busy link. Since a working barnyard configuration still has to be worked out (see the barnyard2 section further down), this section first makes Snort log directly into the database as a stepping stone. Note that snort.conf then contains the database password, so keep it readable by root only.

  1. Edit /etc/snort/snort.conf and use these lines
    output database: alert, mysql, user=snort password=snortpass dbname=snort host=localhost
    output database: log, mysql, user=snort password=snortpass dbname=snort host=localhost


Installing base

  1. Download latest base from http://sourceforge.net/projects/secureideas/
  2. yum install php-adodb php-gd
  3. pear install --alldeps Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
  4. Copy base source code to /var/www/html
  5. Extract base source code
  6. Rename the extracted directory to base with something like 'mv base-1.4.5 base'
  7. cp base_conf.php.dist base_conf.php
  8. Set the following variables in the 'base_conf.php' file:
    $BASE_urlpath = '/base';
    $DBlib_path = '/var/www/adodb/';
    $DBtype = 'mysql';
    $alert_dbname = 'snort';
    $alert_host = 'localhost';
    $alert_port = '';
    $alert_user = 'snort';
    $alert_password = 'snortpass';
    Sometimes adodb gets installed in another location such as '/usr/share/php/adodb/'. In that case run 'updatedb' and then 'locate adodb.inc.php' to find the right directory for $DBlib_path.
  9. service httpd start
  10. Allow connections to port 80 through the firewall. BASE serves every alert over plain HTTP, so restrict this rule to the hosts administrators use rather than opening port 80 to everyone, and check the $Use_Auth_System setting in base_conf.php.
  11. Open http://<IP>/base from browser
  12. Use 'Base Setup Page' link
  13. Click on 'Create Base AG' button
  14. Click on 'Main page' link to start using BASE


Testing setup

  1. Add the following rule to the '/etc/snort/rules/local.rules' file (10.100.1.107 is the test web server used here; sids from 1000000 upwards are the range reserved for local rules, lower values collide with the downloaded rule set)
    alert tcp any any <> 10.100.1.107 80 (msg: "HTTP password access on vm7"; sid:1000001; rev:1; content:"PASSWORD";)
    The content match is case-sensitive, so a page containing only 'password' does not trigger it unless 'nocase;' is added to the rule. Restart Snort so it reads the new rule.
  2. Create a few HTML pages with the text PASSWORD on them
  3. Access those pages and check whether alerts are being written to the database (they should show up in BASE).


Most steps were learned from http://www.freelinuxtutorials.com/tutorials/installing-ids-using-snort-with-oinkmaster-barnyard-and-base-on-rhelcentos-64-bit/


Installing barnyard2

Once basic Snort-to-database logging is working, barnyard2 can be inserted in between: Snort writes events in unified2 format to spool files, and barnyard2 reads those files and inserts the events into the database, so a slow database never blocks the sniffer. Steps for configuring barnyard2 are:

  1. Go to /var/log/snort and delete all files there (they are the alert/log files from the direct-to-database setup; copy them elsewhere first if you still need them)
  2. Create a directory named processed using 'mkdir -p /var/log/snort/processed'
  3. mkdir -p /var/log/barnyard2
  4. Configure snort to write both alerts and logs into a single spool file in unified2 format, and remove the two 'output database:' lines added earlier, otherwise every event is written twice. The configuration line should be something like:
    output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types
    Snort appends a timestamp to the file name and rolls over to a new file once the current one reaches 128 MB.
  5. Download the latest source code from http://www.securixlive.com/barnyard2/download.php The site seems to be down, hence barnyard2 can instead be downloaded from https://github.com/firnsy/barnyard2#readme In that case first run ./autogen.sh to get the configure script created.
  6. Use './configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql --libdir=/usr/lib64' to configure.
  7. make clean; make; make install
  8. Edit file '/usr/local/etc/barnyard2.conf' so that it has following configuration
    config reference_file: /etc/snort/reference.config
    config classification_file: /etc/snort/classification.config
    config gen_file: /etc/snort/gen-msg.map
    config sid_file: /etc/snort/sid-msg.map
    config hostname: vm5
    config interface: eth0
    config alert_with_interface_name
    config daemon
    config show_year
    config waldo_file: /etc/snort/barnyard2.waldo
    config archivedir: /var/log/snort/processed
    config process_new_records_only
    input unified2
    output database: log, mysql, user=snort password=snortpass dbname=snort host=localhost
  9. Use the following command to start barnyard2. It daemonises (-D together with 'config daemon'), -n with 'config process_new_records_only' skips events already sitting in the spool, and the waldo file records how far it has read so that a restart does not insert old events a second time.
    barnyard2 -c /usr/local/etc/barnyard2.conf -f merged.log -d /var/log/snort -n -w /etc/snort/barnyard2.waldo -v -l /var/log/barnyard2 -D
  10. Access more pages with the content 'PASSWORD' and verify that the new events show up in BASE
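The health check below is an added example for the spool-to-database pipeline above; it is not part of the original page or of barnyard2. With 'config archivedir' barnyard2 moves every unified2 file it has finished into the processed directory, so anything left in /var/log/snort besides the newest merged.log.* file is backlog that barnyard2 has not caught up with. The paths and file names are the ones used on this page; the backlog threshold is an assumption for this example.

```shell
#!/bin/sh
# Added example (not from the original page or from barnyard2): a health check
# for the Snort -> unified2 spool -> barnyard2 -> MySQL pipeline. Paths and
# names are those used on this page; MAX_BACKLOG is an assumption.

SPOOL_DIR=/var/log/snort
PREFIX=merged.log
WALDO=/etc/snort/barnyard2.waldo
MAX_BACKLOG=2   # assumed: more completed files than this means barnyard2 is lagging

# Print how many completed spool files are still waiting: everything except
# the newest file, which Snort is still writing to. Prints 0 for an empty spool.
spool_backlog() {
    dir=$1; prefix=$2
    n=$(ls -1 "$dir"/"$prefix".* 2>/dev/null | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo $((n - 1))
    else
        echo 0
    fi
}

# Name of the spool file Snort is currently writing (newest by mtime).
current_spool_file() {
    ls -1t "$1"/"$2".* 2>/dev/null | head -n 1
}

# Run all checks; exit status is non-zero if anything looks wrong.
check_pipeline() {
    status=0
    if pgrep -x barnyard2 >/dev/null; then
        echo "barnyard2: running"
    else
        echo "barnyard2: NOT running" >&2; status=1
    fi
    if [ -s "$WALDO" ]; then
        echo "waldo: $WALDO present"
    else
        echo "waldo: $WALDO missing or empty; a restart would re-read the spool from the start" >&2
        status=1
    fi
    backlog=$(spool_backlog "$SPOOL_DIR" "$PREFIX")
    echo "spool backlog: $backlog completed file(s); current file: $(current_spool_file "$SPOOL_DIR" "$PREFIX")"
    if [ "$backlog" -gt "$MAX_BACKLOG" ]; then
        echo "barnyard2 is falling behind; check /var/log/barnyard2 and the database" >&2
        status=1
    fi
    return $status
}

case "${1:-}" in
    check) check_pipeline ;;
esac
```

Run it from cron or by hand with 'check'. If a completed file is ever left behind after barnyard2 has been restarted, barnyard2's batch mode (-o, which reads the files named on the command line and exits) can be used to process that file on its own.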

A lot of this was learned from http://www.securixlive.com/barnyard2/docs/manual.php

