Introduction
This article describes the process of setting up a Snort 2.9.2 Intrusion Detection System (IDS) on Red Hat Enterprise Linux (RHEL) Server 6.2 on x86/64 hardware.
Install Dependencies
Some or all of these may already be on your system (depending on your installation options). Best to make sure, though.
$ yum install pcre pcre-devel php php-common php-gd php-cli php-mysql flex bison
$ yum install libxml2-devel php-pear.noarch vim-enhanced.x86_64 gcc gcc-cpp gcc-c++
$ rpm -Uvh http://ftp.riken.jp/Linux/fedora/epel/6/i386/epel-release-6-7.noarch.rpm
$ rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
$ yum install php-pear-DB.noarch php-pear-File.noarch
$ yum -y install iptables-devel mysql-devel
Update the system:
$ yum -y update
Reboot the system:
$ reboot
Downloading pre-requisites
Download the following packages into /root/snort-packages, the directory the later steps extract them from:
$ wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
$ wget http://www.snort.org/downloads/1221 -O daq-0.6.2.tar.gz
$ wget http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz
$ wget http://www.snort.org/downloads/1347 -O snort-2.9.2.tar.gz
$ wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
$ wget http://ftp.netfilter.org/pub/libnfnetlink/libnfnetlink-0.0.41.tar.bz2
$ wget http://ftp.netfilter.org/pub/libnetfilter_queue/libnetfilter_queue-1.0.1.tar.bz2
$ wget http://www.snort.org/reg-rules/snortrules-snapshot-2912.tar.gz/64ff58897b3a5c5296261a7eb3feeb5d75266124 -O snortrules-snapshot-2912.tar.gz
Installing Pre-Requisites
Install the libdnet package
$ tar zxvf /root/snort-packages/libdnet-1.12.tgz
$ cd /root/snort-packages/libdnet-1.12
$ ./configure "CFLAGS=-fPIC -g -O2" --prefix=/usr
$ make
$ make install
$ yum install libdnet-devel
$ locate libdnet
Note: The symlink gives the library the libdnet.so.1 name the linker looks for; run it in the directory where locate lists libdnet.1, then copy the library to /usr/local/lib.
$ ln -s libdnet.1 libdnet.so.1
$ cp /usr/lib64/libdnet.so.1 /usr/local/lib/libdnet.so.1
Install the libnfnetlink and libnetfilter_queue packages
$ cd /root/snort-packages
$ tar xf /root/snort-packages/libnfnetlink-0.0.41.tar.bz2
$ cd /root/snort-packages/libnfnetlink-0.0.41
$ ./configure --prefix=/usr
$ make
$ make install
$ export PKG_CONFIG_PATH=/usr/lib/pkgconfig/
$ cd /root/snort-packages
$ tar xf /root/snort-packages/libnetfilter_queue-1.0.1.tar.bz2
$ cd /root/snort-packages/libnetfilter_queue-1.0.1
$ ./configure --prefix=/usr/local
$ make
$ make install
Uninstall the old libpcap version and install the new version
$ yum remove libpcap libpcap-devel
$ cd /usr
$ tar zxvf /root/snort-packages/libpcap-1.1.1.tar.gz
$ cd libpcap-1.1.1
$ ./configure
$ make
$ make install
$ cp /usr/local/lib/libpcap.a /usr/lib64/
Install DAQ
$ cd /usr
$ tar zxvf /root/snort-packages/daq-0.6.2.tar.gz
$ cd daq-0.6.2
$ ./configure
$ vi /usr/include/linux/netlink.h
Note: Add the lines below to the file so that SOL_NETLINK is defined when DAQ is built:
#ifndef SOL_NETLINK
#define SOL_NETLINK 270
#endif
$ make
$ make install
Snort Installation
$ cd /usr
$ tar zxvf /root/snort-packages/snort-2.9.2.tar.gz
$ cd snort-2.9.2
$ ./configure --with-mysql-libraries=/usr/lib64/mysql/
$ make
$ make install
Set up Snort Environment
Create the directory for the snort configuration files:
$ mkdir /etc/snort
Create the directory for the snort logs:
$ mkdir /var/log/snort
Install the Snort rules
$ cd /etc/snort
$ tar zxvf /root/snort-packages/snortrules-snapshot-2912.tar.gz -C /etc/snort
Note: Create a group snort.
$ groupadd snort
Note: Add a user snort, assigned to group snort and without a login shell.
$ useradd -g snort snort -s /bin/false
Note: Change the ownership of /var/log/snort and create the alert file.
$ chown snort:snort /var/log/snort
$ touch /var/log/snort/alert
$ chown snort:snort /var/log/snort/alert
$ chmod 600 /var/log/snort/alert
$ mkdir /usr/local/lib/snort_dynamicrules
$ cd /usr/local/lib/snort_dynamicrules
$ cp /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.1.2/*.so /usr/local/lib/snort_dynamicrules
Note: Enable the shared-object rules by collecting their rule stubs into one rules file with the command below.
$ cd /usr/local/lib/snort_dynamicrules
$ cat /etc/snort/so_rules/*.rules >> /etc/snort/rules/so-rules.rules
Configuring Snort and Snort Rules
Note: The snort.conf file defines how snort will run once the application is started.
$ vi /etc/snort/etc/snort.conf
Find the variable RULE_PATH and change it to /etc/snort/rules.
Find the variable PREPROC_RULE_PATH and change it to /etc/snort/preproc_rules.
Find the variable SO_RULE_PATH and change it to /etc/snort/so_rules.
Search for Reputation and comment out all the lines of that preprocessor. If you want to use it, you have to create whitelist and blacklist rules.
Note: The above modifications will cause Snort to generate unified2 log files named "snort.u2.<timestamp>" (e.g. snort.u2.1245910233), limited to 128MB each, and place them in /var/log/snort. You can now run Snort the same way you always have and the unified2 files should be visible.
Test the snort installation with the command below:
$ snort -c /etc/snort/etc/snort.conf -T
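The snort.conf edits above, scripted as an added example (not code from the original post): it writes a rewritten copy of the file and checks the result, including the unified2 output line the note above implies. It assumes the stock snort.conf layout (a "var RULE_PATH ..." line per variable and a backslash-continued "preprocessor reputation:" block) and runs on a constructed sample, not the live file.

```shell
#!/bin/sh
# Added example, not code from the original post. Applies the guide's snort.conf
# edits to a copy of the file and verifies them with grep. Assumes the stock
# snort.conf layout; the unified2 line is the one implied by the guide's note.

# Write a small constructed stand-in for the stock snort.conf to $1.
make_sample_conf() {
    cat > "$1" <<'EOF'
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
preprocessor reputation: \
   memcap 500, \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
# output unified2: filename merged.log, limit 128
EOF
}

# rewrite_snort_conf <in> <out>: write the edited file to <out> so <in> stays intact.
rewrite_snort_conf() {
    awk '
      /^var RULE_PATH /         { print "var RULE_PATH /etc/snort/rules"; next }
      /^var PREPROC_RULE_PATH / { print "var PREPROC_RULE_PATH /etc/snort/preproc_rules"; next }
      /^var SO_RULE_PATH /      { print "var SO_RULE_PATH /etc/snort/so_rules"; next }
      /^preprocessor reputation:/ { inrep = 1 }                  # start of the block
      inrep { print "# " $0; if ($0 !~ /\\$/) inrep = 0; next }  # comment until no trailing "\"
      { print }
      END { print "output unified2: filename snort.u2, limit 128" }
    ' "$1" > "$2"
}

# verify_snort_conf <conf>: exit 0 only if every expected edit is present.
verify_snort_conf() {
    grep -q '^var RULE_PATH /etc/snort/rules$' "$1" &&
    grep -q '^var PREPROC_RULE_PATH /etc/snort/preproc_rules$' "$1" &&
    grep -q '^var SO_RULE_PATH /etc/snort/so_rules$' "$1" &&
    ! grep -q '^preprocessor reputation' "$1" &&
    ! grep -q '^ *whitelist \$WHITE_LIST_PATH' "$1" &&
    grep -q '^output unified2: filename snort.u2, limit 128$' "$1" &&
    grep -q '^preprocessor sfportscan' "$1"    # other preprocessors are left untouched
}
```

Run it against a copy of /etc/snort/etc/snort.conf, inspect the diff, then confirm with snort -T before replacing the live file.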
Barnyard Installation
$ cd /usr
$ tar zxvf /root/snort-packages/barnyard2-1.9.tar.gz
$ cd barnyard2-1.9
Note: Compile the source and let barnyard2 know that you want MySQL awareness.
$ ./configure --with-mysql-libraries=/usr/lib64/mysql/
$ make
Note: this will place the barnyard2 binary in /usr/local/bin by default.
$ make install
$ cp /usr/barnyard2-1.9/etc/barnyard2.conf /etc/snort
Note: you can check the versions of snort and barnyard2:
$ snort --version
$ barnyard2 --version
Configure barnyard
$ mkdir -p /var/log/barnyard2
$ chmod 666 /var/log/barnyard2
$ touch /var/log/snort/barnyard2.waldo
$ chown snort:snort /var/log/snort/barnyard2.waldo
$ mv /usr/barnyard2-1.9/etc/barnyard2.conf /etc/snort
Note: Edit /etc/snort/barnyard2.conf and add the database details as below. Here the host name will be the IP address of the RDS.
$ vi /etc/snort/barnyard2.conf
output database: log, mysql, user=user_name password=passwd dbname=snorby host=localhost
Uncomment the two lines below:
config hostname: localhost
config interface: eth0
Comment out the line below:
output alert_fast: stdout
Starting Snort during boot
$ ln -s /usr/local/bin/snort /usr/sbin/snort
$ cp /usr/snort-2.9.2/rpm/snortd /etc/init.d
$ cp /usr/snort-2.9.2/rpm/snort.sysconfig /etc/sysconfig/snort
$ cd /etc/rc3.d
$ ln -s ../init.d/snortd S99snortd
$ cd ../rc0.d
$ ln -s ../init.d/snortd K99snortd
$ cd /etc/rc5.d
$ ln -s ../init.d/snortd S99snortd
$ cd ../rc6.d
$ ln -s ../init.d/snortd K99snortd
$ chmod 755 /etc/init.d/snortd
$ chkconfig snortd on
Note: Edit the snort sysconfig file.
$ vim /etc/sysconfig/snort
Find and comment out ALERTMODE=FAST, DUMP_APP=1 and BINARY_LOG=1.
Save and close the file.
To test this, type the following:
$ cd /etc/snort/etc
$ cp * /etc/snort
$ /etc/init.d/snortd start
Barnyard configuration
$ vim /etc/snort/barnyard2.conf
Uncomment config daemon.
Uncomment the waldo file setting and set its path to /var/log/snort/barnyard2.waldo.
$ vim /usr/barnyard2-1.9/rpm/barnyard2.config
Change LOG_FILE to snort.log and change the CONF variable to /etc/snort/barnyard2.conf.
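The barnyard2.conf edits from the "Configure barnyard" and "Barnyard configuration" steps, checked by an added example (not code from the original post or from barnyard2): it confirms each edit is in place and that the file is not group- or world-readable, since the "output database:" line carries the MySQL password in clear text. It runs on a constructed sample using the guide's placeholder database values.

```shell
#!/bin/sh
# Added example, not code from the original post. Sanity-checks an edited
# /etc/snort/barnyard2.conf before barnyard2 is started. Runs on a constructed
# sample; the user/password/dbname values are the guide's placeholders.

# Write a constructed barnyard2.conf reflecting the guide's edits to $1.
make_sample_barnyard2_conf() {
    cat > "$1" <<'EOF'
config daemon
config hostname: localhost
config interface: eth0
config waldo_file: /var/log/snort/barnyard2.waldo
#output alert_fast: stdout
output database: log, mysql, user=user_name password=passwd dbname=snorby host=localhost
EOF
}

# has_directive <conf> <regex>: 0 if a line matching <regex> exists uncommented.
has_directive() { grep -q "^$2" "$1"; }

# is_exposed <file>: 0 if group or others can read the file (password would leak).
is_exposed() {
    [ -n "$(find "$1" -perm -040 -o -perm -004 2>/dev/null)" ]
}

# check_barnyard2_conf <conf>: exit 0 only if every expected setting is in place.
check_barnyard2_conf() {
    f="$1"
    has_directive "$f" 'config daemon' &&
    has_directive "$f" 'config hostname: ' &&
    has_directive "$f" 'config interface: ' &&
    has_directive "$f" 'config waldo_file: /var/log/snort/barnyard2.waldo' &&
    has_directive "$f" 'output database: log, mysql, .*user=.*password=.*dbname=.*host=' &&
    ! has_directive "$f" 'output alert_fast' &&
    ! is_exposed "$f"
}
```

On the sensor, run check_barnyard2_conf /etc/snort/barnyard2.conf after editing; a non-zero exit means a setting is missing or the file mode is too open.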
Starting Barnyard2 during boot
$ ln -s /usr/local/bin/barnyard2 /usr/sbin/barnyard2
$ cp /usr/barnyard2-1.9/rpm/barnyard2 /etc/init.d
Edit the barnyard2 init script.
$ vim /etc/init.d/barnyard2
Change the BARNYARD_OPTS line to read BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR -w $WALDO_FILE -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS". Save and close the file.
$ cp /usr/barnyard2-1.9/rpm/barnyard2.config /etc/sysconfig/barnyard2
$ chmod 755 /usr/local/bin/barnyard2
$ cd /etc/rc3.d
$ ln -s ../init.d/barnyard2 S99barnyard2
$ cd ../rc0.d
$ ln -s ../init.d/barnyard2 K99barnyard2
$ cd /etc/rc5.d
$ ln -s ../init.d/barnyard2 S99barnyard2
$ cd ../rc6.d
$ ln -s ../init.d/barnyard2 K99barnyard2
$ chmod 755 /etc/init.d/barnyard2
$ chkconfig --add barnyard2
$ chkconfig barnyard2 on
To test, type
$ /etc/init.d/barnyard2 start
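The hand-made SysV boot wiring from the "Starting Snort during boot" and "Starting Barnyard2 during boot" steps, verified by an added example (not code from the original post): it checks that the init script exists and is executable, that every rc[0-6].d link for the service resolves to it, and that CONF in /etc/sysconfig/<service> names an existing file. It runs against a constructed tree under a temporary root instead of /etc; the sample deliberately includes one link whose target is misspelled so the check has something to catch.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks SysV init wiring for a
# service under an arbitrary root (a temp dir here, "/" on a real sensor).

# make_sample_tree <root>: build a small /etc lookalike with one good and one
# dangling runlevel link (constructed, not copied from a real system).
make_sample_tree() {
    r="$1"
    mkdir -p "$r/etc/init.d" "$r/etc/rc3.d" "$r/etc/rc0.d" "$r/etc/sysconfig" "$r/etc/snort"
    printf '#!/bin/sh\nexit 0\n' > "$r/etc/init.d/barnyard2"
    chmod 755 "$r/etc/init.d/barnyard2"
    : > "$r/etc/snort/barnyard2.conf"
    echo 'CONF=/etc/snort/barnyard2.conf' > "$r/etc/sysconfig/barnyard2"
    ln -s ../init.d/barnyard2  "$r/etc/rc3.d/S99barnyard2"     # resolves
    ln -s ../init.d/barnyard2d "$r/etc/rc0.d/K99barnyard2d"    # misspelled target: dangling
}

# check_sysconfig <root> <service>: CONF in /etc/sysconfig/<service> must name
# a file that exists under <root>.
check_sysconfig() {
    conf=$(sed -n 's/^CONF=//p' "$1/etc/sysconfig/$2")
    [ -n "$conf" ] && [ -f "$1$conf" ]
}

# check_rc_links <root> <service>: print each rc link for the service and
# whether it resolves; the return value is the number of problems found.
check_rc_links() {
    r="$1"; svc="$2"; broken=0
    [ -x "$r/etc/init.d/$svc" ] || { echo "init script missing or not executable"; broken=$((broken + 1)); }
    for link in "$r"/etc/rc[0-6].d/[SK][0-9][0-9]"$svc"*; do
        [ -L "$link" ] || continue
        if [ -e "$link" ]; then          # -e follows the link: true only if the target exists
            echo "ok      $link -> $(readlink "$link")"
        else
            echo "BROKEN  $link -> $(readlink "$link")"
            broken=$((broken + 1))
        fi
    done
    return "$broken"
}
```

On the sensor itself, check_rc_links / barnyard2 and check_rc_links / snortd report what chkconfig and the manual ln commands actually left behind.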