Installation Guide

Overview: What's Snort?
Scope and Limitations
Why CentOS instead of Fedora?
Assumptions
Why Snort in VM?
VMWare Settings
Set up CentOS Build
Get libnet, libdnet, daq, Snort, BASE, adodb and Barnyard2
Finish System Set-up and Compile Snort
Set up Snort Environment
Edit snort.conf
Set up MySQL
Gettin GUI with it
Barnyard Output (not as bad as it sounds)
A Few More Steps in the Barnyard
Starting Snort and Finishing Barnyard Config
Test Snort
Starting Snort Automatically
Starting Barnyard2 Automatically
Updating Rules Automatically
Future Topics
Assumptions
This paper will cover the installation of Snort 2.9.1 on CentOS 5.6 with:
MySQL 5.0.77
Libdnet
Libpcap 1.0.0-5
SnortReport 1.3.1
Barnyard2-1.9
Apache 2.2.11
Using VMWare
such an environment can be hostile (just because I'm paranoid doesn't mean that people aren't trying to get me). Also, using a web-based GUI means that a web port has to be open, as well as MySQL. So I find that it's helpful to have these on a virtual machine so that I don't have these ports open on my laptop OS. Last, snapshots are your friend. VMWare allows users to capture the virtual machine's state at a point in time, which can later be restored. This is a huge advantage in the case that mistakes were made or the virtual machine has become unstable. If only real life were like that.... All of this being said, the instructions in this paper should also work for native Fedora and Red Hat systems. They just won't cover any of the machine-specific details.
VMWare Settings
Within VMWare, the following settings are recommended:
1024 MB RAM
20 GB disk
eth0 host-only network
eth1 bridged to host interface
No sound device, printer or accessories
eth1 did not come up on its own. I had to go into System > Administration > Network and configure it to connect at startup. I also changed eth0 to a static IP address at this time. sshd is up and running when the system boots for the first time; there is no need to install it and start the service.

Once these steps are complete, the supporting applications need to be installed. At this point, I like to ssh into the system so I can cut and paste. Please enter the following command:

yum install pcre pcre-devel php php-common php-gd php-cli php-mysql flex bison mysql mysql-devel mysql-bench mysql-server php-pear.noarch php-pear-DB.noarch php-pear-File.noarch kernel-devel libxml2-devel vim-enhanced.i386

Please note that if you are installing on a 64-bit system, change package names ending in .i386 to .x86_64, e.g. vim-enhanced.i386 becomes vim-enhanced.x86_64.

After this step is complete, update the system by running the following:

yum -y update

Since you've updated your kernel, you will need to reboot the system.

Now it's time to install VMWare Tools. While not completely necessary, the enhanced display resolution alone is worth the effort. Make sure you reboot your machine after the update and before you start the VMWare Tools install in order to have all the paths set properly. Install VMWare Tools from the perl script in the menu bar under Virtual Machine > Install VMWare Tools. Once the disk is mounted on your desktop, un-tar it and run the *.pl script from a CLI as the root user. For more information on this process, please see http://www.vmware.com/support/ws55/doc/ws_newguest_tools_linux.html

If you would like to download libnet, Snort, BASE and adodb from a command line rather than manually from a browser, use wget.

Once these are done, run ntsysv from the CLI. Select httpd and mysqld to autostart. At this point, it would be a good idea to start these services. You can do this by issuing the following command:
SnortReport requires nbtscan and nmap. nmap is already set up, but nbtscan needs to be installed. It is somewhat different from other source code in that make is required, but configure and make install are not.

cd /usr/local
mkdir nbtscan
cd nbtscan
tar zxvf /home/bubba/nbtscan-1-3-1.tar.gz
make

New in Snort 2.9 are the Data Acquisition libraries, referred to as daq. Download them from http://www.snort.org/snort-downloads and install them:

cd /usr/local
tar zxvf /home/bubba/daq-0.6.1.tar.gz
cd daq-0.6.1
./configure && make && make install

To install Snort, execute the following commands:

cd /usr/local
tar zxvf /home/bubba/snort-2.9.1.tar.gz
cd snort-2.9.1
./configure && make && make install

The compile options are now built in, so Snort just got a little easier. You can see these options in snort.conf in the rules tarball. If you need more information, please see /usr/local/snort-2.9.1/doc/INSTALL.
useradd -g snort snort
chown snort:snort /var/log/snort
touch /var/log/snort/alert
chown snort:snort /var/log/snort/alert
chmod 600 /var/log/snort/alert
mkdir /usr/local/lib/snort_dynamicrules
cp /etc/snort/so_rules/precompiled/Centos-5-4/i386/2.9.1.0/*.so /usr/local/lib/snort_dynamicrules
cat /etc/snort/so_rules/*.rules >> /etc/snort/rules/so-rules.rules
Edit snort.conf
The snort.conf file defines how Snort will run once the application is started. It is long and complex, but for this paper we will only be working on a few of the features.

vim /etc/snort/snort.conf

Find the variable RULE_PATH and change it to /etc/snort/rules
Find the variable PREPROC_RULE_PATH and change it to /etc/snort/preproc_rules
Find the variable SO_RULE_PATH and change it to /etc/snort/so_rules
Find reputation and comment out all the lines of this preprocessor. If you want to use it, you will need to create whitelist and blacklist rules. Details for this are laid out in the README file.
Find unified2. Uncomment the line, change merged.log to snort.log and make sure to delete the nostamp option. Failing to remove nostamp will cause problems with Barnyard2 parsing the log files. Also, unless you are planning on using mpls and vlan event types, remove those statements as well. When done, it should read:

output unified2: filename snort.log, limit 128

A brief note on the mpls_event_types and vlan_event_types parameters: if you know you want to include these, you may want to use a patch to Barnyard2 provided by Niels Horn at http://blog.nielshorn.net/2010/10/barnyard2-solving-the-unknown-record-type-errors/.
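As an added check that is not part of the original guide, the following shell function verifies the snort.conf edits listed above before Snort is started (the three rule paths, the reputation preprocessor commented out, and one active unified2 line that writes snort.log without nostamp or the mpls/vlan event types); the file path is an assumption passed as the first argument, and the sample fragment at the end is constructed for the demo.

```shell
#!/bin/sh
# Added check (not from the original guide): verify the snort.conf edits
# described above. Usage: check_snort_conf /etc/snort/snort.conf
# Prints each failing check and returns 1; returns 0 when all pass.
check_snort_conf() {
    conf="$1"
    status=0
    # The three rule-path variables must be set to the values given above.
    for pair in "RULE_PATH /etc/snort/rules" \
                "PREPROC_RULE_PATH /etc/snort/preproc_rules" \
                "SO_RULE_PATH /etc/snort/so_rules"; do
        set -- $pair
        if ! grep -Eq "^[[:space:]]*var[[:space:]]+$1[[:space:]]+$2[[:space:]]*$" "$conf"; then
            echo "$1 is not set to $2"; status=1
        fi
    done
    # The reputation preprocessor must be commented out unless lists exist.
    if grep -Eq '^[[:space:]]*preprocessor[[:space:]]+reputation' "$conf"; then
        echo "reputation preprocessor is still enabled"; status=1
    fi
    # Exactly one active unified2 output line is expected, written to snort.log.
    u2=$(grep -E '^[[:space:]]*output[[:space:]]+unified2:' "$conf" || true)
    if [ -z "$u2" ]; then
        echo "no active 'output unified2:' line"; status=1
    else
        case "$u2" in *"filename snort.log"*) ;;
            *) echo "unified2 filename is not snort.log"; status=1 ;;
        esac
        # nostamp breaks Barnyard2's parsing of the spool files.
        case "$u2" in *nostamp*) echo "unified2 line still has nostamp"; status=1 ;; esac
        # mpls/vlan event types produce unknown record type errors in Barnyard2.
        case "$u2" in *mpls_event_types*|*vlan_event_types*)
            echo "unified2 line still has mpls/vlan event types"; status=1 ;;
        esac
    fi
    return $status
}

# Demo on a constructed snort.conf fragment (not a file from the guide).
demo=$(mktemp)
cat > "$demo" <<'EOF'
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
# preprocessor reputation: \
output unified2: filename snort.log, limit 128
EOF
check_snort_conf "$demo" && echo "snort.conf checks passed"
rm -f "$demo"
```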
Set up MySQL
MySQL will serve as the database for the Snort application. While not required to run Snort on its own, a database makes it easier to track down events and is required by the Snort Report monitoring tool. One short note: this paper does not assume any expertise in database administration, nor does the author claim any significant skill in this area. The commands in this section are sufficient to install and run Snort. The Snort Report tool provides some database maintenance tools; nothing additional is required to administer Snort.

mysql
SET PASSWORD FOR root@localhost=PASSWORD('password');
create database snort;
grant ALL PRIVILEGES on snort.* to snort@localhost with GRANT option;
SET PASSWORD FOR snort@localhost=PASSWORD('password');
exit
cd /usr/local/snort-2.9.1/schemas
mysql -p < create_mysql snort

Now we will check to see that the Snort database has been correctly installed:

mysql -p
SHOW DATABASES;
There should be 4 rows.
use snort;
SHOW TABLES;
There should be 16 rows.
exit;
cd snortreport-1.3.1
vim srconf.php

Find $pass and change the password from YOURPASS to password
Find JPGRAPH_PATH and change the line to read define("JPGRAPH_PATH", "../jpgraph/src/");
Find NMAP_PATH and change the line to read define("NMAP_PATH", "/usr/bin/nmap -v");
Change the line immediately below to read define("NBTSCAN_PATH", "/usr/local/nbtscan/nbtscan");
Save the file and exit.
cp /dev/null /var/log/snort/barnyard.waldo
mkdir /var/log/barnyard2

Start Barnyard2:

/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo
Test Snort
In this step, we will test Snort with a simple rule in the local.rules file. Local rules are rules that the Snort administrator writes himself, and by convention they use SIDs (Snort IDs) in the range 1,000,000-1,999,999.

Open a third CLI
vim /etc/snort/rules/local.rules
Insert the rule:
alert tcp any any <> any 80 (msg: "Test web activity"; sid: 1000001;)
Save and exit.
Restart Snort.
Open a web browser and go to any web page.
In the CLI, type [ctrl] + c
Go to http://localhost/snortreport-1.3.1/alerts.php and look at your events.
If you see a number of events with SID 1000001, Snort works!
vim /etc/snort/rules/local.rules and disable the Test web activity rule.
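Added example, not from the original guide: a shell function that checks a local.rules file against the SID convention described above (every active rule carries a sid, it falls in 1,000,000-1,999,999, and no sid is reused). The file path is an assumption passed as the first argument; the rules in the demo are constructed, with the first one being the test rule from this section.

```shell
#!/bin/sh
# Added check (not from the original guide): confirm that every active rule
# in a local.rules file has a sid in the local range 1,000,000-1,999,999 and
# that no sid is reused. Usage: check_local_sids /etc/snort/rules/local.rules
check_local_sids() {
    rules="$1"
    status=0
    # Count active rule lines and extract the sid from each of them.
    active=$(grep -Ec '^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$rules" || true)
    sids=$(grep -Ev '^[[:space:]]*(#|$)' "$rules" \
           | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    found=$(printf '%s\n' "$sids" | grep -c . || true)
    if [ "$active" -ne "$found" ]; then
        echo "$active active rules but only $found carry a sid"; status=1
    fi
    for sid in $sids; do
        if [ "$sid" -lt 1000000 ] || [ "$sid" -gt 1999999 ]; then
            echo "sid $sid is outside the local range"; status=1
        fi
    done
    # A reused sid makes events from two different rules indistinguishable
    # in the alert log and in SnortReport.
    dup=$(printf '%s\n' "$sids" | sort | uniq -d)
    if [ -n "$dup" ]; then
        echo "duplicate sid(s): $dup"; status=1
    fi
    return $status
}

# Demo on constructed rules (the first is the test rule from this section).
demo=$(mktemp)
cat > "$demo" <<'EOF'
alert tcp any any <> any 80 (msg: "Test web activity"; sid: 1000001;)
alert tcp any any -> any 443 (msg:"Duplicate sid"; sid:1000001; rev:1;)
alert udp any any -> any 53 (msg:"Outside local range"; sid:5;)
EOF
check_local_sids "$demo" || echo "local.rules needs fixing"
rm -f "$demo"
```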
chmod 755 /etc/init.d/snortd

Now we have to edit the /etc/sysconfig/snort file to start Snort with the proper options, in our case using the eth1 interface and the /etc/snort/snort.conf file.

vim /etc/sysconfig/snort

Find eth0 and change it to eth1
Find and comment out ALERTMODE=FAST, DUMP_APP=1, BINARY_LOG=1
Save and close the file.

To test this, type the following:

/etc/init.d/snortd start

If Snort starts OK, then you've done everything right.
ln -s ../init.d/barnyard2d S99barnyard2d
cd ../rc0.d
ln -s ../init.d/barnyard2d K99barnyard2d
cd /etc/rc5.d
ln -s ../init.d/barnyard2d S99barnyard2d
cd ../rc6.d
ln -s ../init.d/barnyard2d K99barnyard2d
chmod 755 /etc/init.d/barnyard2

To test, type /etc/init.d/barnyard2 start.
Shared object (SO) rules were introduced in Snort 2.6.0 in early 2006 to provide a means to obscure the exact detection mechanism used in the rule and allow for more flexible detection criteria. For the most part, these rules are obfuscated because of contracts between Sourcefire and various software vendors providing advance notice of vulnerabilities. In addition, the Sourcefire VRT provides SO rules for unannounced vulnerabilities it has discovered through research.

In order to update your rules automatically, you will need an oinkcode. You can get one on the snort.org website. Look on the bottom of the home page under Snort Links for the link Get an Oinkcode. Just one note on oinkcodes: you will only be permitted to download Snort rules once every 15 minutes. This means that if your download fails for any reason, you will have to wait 15 minutes before trying again. This is to prevent denial of service attacks or thoughtless users from making the downloads section of snort.org unavailable to other users.

In order to get Pulled_Pork running on the CentOS system we've built here, follow these steps:

Download Pulled_Pork:
wget http://pulledpork.googlecode.com/files/pulledpork-0.6.1.tar.gz
cd /usr/local
tar zxvf /home/bubba/pulledpork-0.6.1.tar.gz
cd pulledpork-0.6.1/etc
vim pulledpork.conf

Find oinkcode. Replace it with your own oinkcode.
Find and uncomment the line that reads ips_policy=security.
Find and change rule_path to /etc/snort/rules/snort.rules
Find and change local_rules to /etc/snort/rules/local.rules
Find and change sid_msg to /etc/snort/sid-msg.map
Find and change config_path to /etc/snort/snort.conf
Find and change sostub_path to /etc/snort/rules/so_rules.rules
Find and change the distro to Centos-5-4
Find pid_path. Change the statement to read pid_path=/var/run/snort_eth1.pid,/var/run/barnyard2_eth1.pid
Save and exit

cp pulledpork.conf /etc/snort/
Now we'll have to install CPAN, the Comprehensive Perl Archive Network. It can be done from the CLI, but it's much easier from the GUI by going to System > Administration > Add/Remove Software. Search for CPAN and select the following:
perl-CPAN
perl-App-cpanminus
perl-parse-CPAN-meta
perl-pip
perl-CPANPLUS

Once installed, we will need some additional modules. To get these, issue the following command:

cpan

This will cause an install script to run with several questions and default answers suggested. Accept the defaults and don't be concerned with what appears to be several error messages. Then, at the cpan prompt:

install Test::More
install Crypt::SSLeay
install LWP::Simple
exit

Now test the application by running:

/usr/local/pulledpork-0.6.1/pulledpork.pl -c /etc/snort/pulledpork.conf

If you get a message saying Fly Piggy Fly!, Pulled_Pork works.
Future Topics
Some topics for the next revision are:
More on using Pulled_Pork to maintain disabled rules.
Rulebase Tuning - I presented this topic on the Snort Webcast series. For more info, please see http://www.snort.org/community/snort-webcastseries/
64-bit systems
Inline configuration

I'm open to suggestions for improving this document and will be revisiting it on at least an annual basis. I cannot answer support questions; these are best addressed by the Snort Users mailing list. If you don't already have a subscription to snort-users, please go to https://lists.sourceforge.net/lists/listinfo/snort-users. Also, if you do email the snort-users list, make sure to include your snort.conf and barnyard2.conf files as well as the command string you use to start Snort with your inquiry. In many cases, the people WAY smarter than me who monitor the list can answer questions right away with this information.

Nick Moore, September 2011