14 January 2014, 20:37

It is sometimes handy to have the latest build. We'll see here how to install SNORT from sources on Debian 7.5 and Ubuntu 14.04 LTS, and cover a few basic issues ( autostart, logging, syslog ).

 


We'll see two ways to install from sources : either using checkinstall/dpkg, or using make install.

Only the SNORT install is covered here. The rest of the software chain ( Barnyard2 - MySQL - Apache2 - BASE ) is the same as in the previous parts.

 

All commands are implicitly run as root ( either sudo -s or sudo [ command ] ). The SNORT IDS interface is assumed to be eth0.

The SNORT IDS has all its IP addresses set statically.

SNORT has two dependencies that are also built from source : DAQ and Libdnet ( libpcap, PCRE and zlib come from the distribution packages ). The install uses the latest versions of the three pieces of software at the time of writing. As time moves on, check for the latest links/versions and adjust the version numbers in the commands below accordingly.

 

Tested with Debian 7.5 and Ubuntu 14.04 LTS / Edited June 05 2014
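The downloads below come over plain http from snort.org/downloads/<id> and from googlecode, and nothing in the procedure checks what was fetched before it is compiled and installed as root. The shell function below is an added example for this page ( not from the original post or from the Snort project ) : it refuses to unpack an archive unless its SHA-256 digest matches a value obtained separately ( over HTTPS, or recorded from a previously verified copy ). The archive name and the digest value are placeholders the reader supplies; the test uses a constructed tarball.

```shell
# Added example (not part of the original post or of Snort): verify a source
# tarball against a SHA-256 digest obtained out of band before unpacking it.
# The snort.org/downloads/<id> URLs do not carry a version in the file name,
# so the expected digest is also what pins the exact release you build.
#
# Usage: verify_and_extract <tarball> <expected-sha256-hex> [<destination-dir>]
# Returns 0 and extracts only when the digest matches; otherwise prints the
# mismatch, leaves the archive untouched, creates nothing and returns 1.
verify_and_extract() {
    tarball=$1
    # accept upper- or lower-case hex from whatever source published it
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    dest=${3:-.}

    if [ ! -f "$tarball" ]; then
        echo "verify_and_extract: no such file: $tarball" >&2
        return 1
    fi

    actual=$(sha256sum "$tarball" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "verify_and_extract: checksum mismatch for $tarball" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi

    # only now touch the filesystem
    mkdir -p "$dest"
    tar -xzf "$tarball" -C "$dest"
}
```

Typical use in the steps below is wget http://www.snort.org/downloads/2778 followed by verify_and_extract 2778 <published sha256> in place of the bare tar zxf 2778 : if the digest does not match, nothing is extracted and the build stops there. The digest must not be fetched over the same unauthenticated http channel as the tarball, or the check adds nothing.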



1. SNORT install using checkinstall/dpkg

The checkinstall/dpkg method is useful because it creates a package file that is tracked by the package manager, can be cleanly removed, and carries dependency information. Do note that it is not fit for distributing packages to other machines.


sudo -s

 

networking fine-tuning :

apt-get install ethtool

ethtool -K eth0 gro off
ethtool -K eth0 lro off

( this turns off generic and large receive offload, so that the NIC hands Snort the frames as they arrived on the wire instead of coalesced super-frames. Some of these settings might not be supported by your NIC; that's OK. Note that ethtool settings do not survive a reboot : on Debian/Ubuntu, put the two commands in a post-up line of the eth0 stanza in /etc/network/interfaces. )

 

 

 

Data AcQuisition library ( DAQ ) :

checkinstall will ask questions during the package creation process. Answer as follows ( "x + ENTER" means type x, then press Enter ) :

---------------------------------------------------------------------------------------------
default set ? : y
comments ? : Data-Acquisition API 2.0.2 + ENTER
             ENTER ( an empty line ends the description )
any change ? : 5 + ENTER ( 5 = License )
               GPLv2 + ENTER
----------------------------------------------------------------------------------------------

 

apt-get install flex bison build-essential checkinstall libpcap0.8-dev libnet1-dev
wget http://www.snort.org/downloads/2778
tar zxf 2778
cd daq-2.0.2/
./configure
make
checkinstall

 

to remove the package : dpkg -r daq

to reinstall the package : dpkg -i daq_2.0.2-1_i386.deb
( the file name carries the architecture : on a 64-bit system it is daq_2.0.2-1_amd64.deb. Check with ls *.deb )

cd ..

Libdnet :

---------------------------------------------------------------------------------------------
default set ? : y
comments ? : Libdnet API 1.12 + ENTER
             ENTER ( an empty line ends the description )
any change ? : 5 + ENTER ( 5 = License )
               Copyright (c) 2000-2006 Dug Song <dugsong@monkey.org> All rights reserved, all wrongs reversed. + ENTER
----------------------------------------------------------------------------------------------

 

wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
tar zxf libdnet-1.12.tgz
cd libdnet-1.12/
./configure
make
checkinstall
ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1


( be careful with the version number in the symbolic link : check /usr/local/lib to see which libdnet.1.x.y file was actually installed. Snort is linked against the libdnet.1 soname, and the link makes the freshly built library visible to the system loader. )

 

to remove the package : dpkg -r libdnet

to reinstall the package : dpkg -i libdnet_1.12-1_i386.deb
( _amd64 instead of _i386 on a 64-bit system )

cd ..

SNORT :

Debian users : some extra steps are needed at the end of the process. See Note 1.

---------------------------------------------------------------------------------------------
default set ? : y
comments ? : SNORT 2.9.6.0 + ENTER
             ENTER ( an empty line ends the description )
any change ? : 5 + ENTER ( 5 = License )
               GPLv2 + ENTER

               10 + ENTER ( 10 = Requires : the dependencies dpkg will check for )
               daq,libdnet + ENTER

Some files are inside the home directory.
should I list them ? : n
should I exclude them ? : y ( files touched under your home directory during the build do not belong in the package )
----------------------------------------------------------------------------------------------

 

 

apt-get install libpcre3-dev zlib1g-dev
wget http://www.snort.org/downloads/2787
tar zxf 2787
cd snort-2.9.6.0
./configure --enable-sourcefire
make
checkinstall
ldconfig
 

to remove the package : dpkg -r snort

to reinstall the package : dpkg -i snort_2.9.6.0-1_i386.deb
( _amd64 instead of _i386 on a 64-bit system )

 

 

note 1 : Debian specific

On Debian, checkinstall fails during the install step because some target directories under /usr/local do not exist yet, and checkinstall's install tracking does not create them the way a plain make install does. The message is :

ranlib: could not create temporary file whilst writing archive: No more archived files

There are two solutions :

 

a. Easy and lazy :

make install

checkinstall

( make install creates the missing directories and installs the files outside of package management; checkinstall then re-runs the install, records the files it writes and builds the package from them, so the package ends up owning the same files. )

b. Manual folders creation :

mkdir -p /usr/local/lib/snort_dynamicengine
mkdir -p /usr/local/include/snort
mkdir -p /usr/local/lib/snort/dynamic_preproc
mkdir -p /usr/local/lib/snort_dynamicpreprocessor
mkdir -p /usr/local/lib/snort/dynamic_output
mkdir -p /usr/local/share/doc
checkinstall

 

 

nb2 : since Snort 2.9.3.0 the direct SNORT output to a database ( MySQL ) has been removed, so the ./configure --with-mysql option is no longer supported ( configure: WARNING: unrecognized options: --with-mysql ). Database output is Barnyard2's job.

nb3 : thus libmysqlclient15-dev is not needed on the sensor.

nb4 : the package name libdnet collides with the Debian/Ubuntu package libdnet, which is the DECnet library and has nothing to do with Dug Song's libdnet. If apt later "upgrades" our checkinstall-built libdnet to the distribution's package, snort breaks. To prevent that upgrade, hold the package :
sudo apt-mark hold libdnet

To allow the upgrade again :
sudo apt-mark unhold libdnet

nb5 : the packages built with checkinstall show up in the Ubuntu Software Center ( Ubuntu Software Center > Installed > Show technical items > System category ) :

. tick ' show technical items... '
. search for the package's real name or the description you typed ( snort, or the comment text )



2. SNORT Install using Make Install

Another way to install SNORT and its two dependencies is the regular make install. The files are then not tracked by the package manager : there is nothing to dpkg -r, and removal or upgrade has to be done by hand.

sudo -s

 

networking fine-tuning ( same as in section 1 ) :

apt-get install ethtool

ethtool -K eth0 gro off
ethtool -K eth0 lro off

( some of these settings might not be supported by the NIC. That's OK. Remember they do not persist across reboots. )

 

 

Data AcQuisition library :

apt-get install flex bison build-essential checkinstall libpcap0.8-dev libnet1-dev
wget http://www.snort.org/downloads/2778
tar zxf 2778
cd daq-2.0.2/
./configure
make
make install

----
cd ..
-----

Libdnet :

wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
tar zxf libdnet-1.12.tgz
cd libdnet-1.12/
./configure
make
make install
ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1


( be careful with the version number in the symbolic link : check /usr/local/lib to see which libdnet.1.x.y file was actually installed. Snort is linked against the libdnet.1 soname, and the link makes the freshly built library visible to the system loader. )


----
cd ..
----

SNORT :

apt-get install libpcre3-dev zlib1g-dev
wget http://www.snort.org/downloads/2787
tar zxf 2787
cd snort-2.9.6.0
./configure --enable-sourcefire
make
make install
ldconfig


nb : since Snort 2.9.3.0 the direct SNORT output to a database ( MySQL ) has been removed, so the ./configure --with-mysql option is no longer supported ( configure: WARNING: unrecognized options: --with-mysql ). Database output is Barnyard2's job.

nb2 : thus libmysqlclient15-dev is not needed on the sensor.
 

 

 

3. SNORT Setup

Snort needs some folders, config files, and a user/group :

sudo -s

mkdir -p /etc/snort/rules
mkdir -p /var/log/snort
mkdir -p /usr/local/lib/snort_dynamicrules


Copying the Snort config files from the source tree :

Go back to the directory where the sources were downloaded and extracted ( replace [user] with your login ) :

cd /home/[user]

cd snort-2.9.6.0/etc

cp * /etc/snort

sudo touch /etc/snort/rules/local.rules
sudo touch /etc/snort/rules/white_list.rules
sudo touch /etc/snort/rules/black_list.rules

finally some group / user / permission setup. The snort account exists only for Snort to drop its privileges to once it has opened the capture interface, so it is created as a system account with no login shell :

sudo groupadd snort
sudo useradd -r -g snort -s /usr/sbin/nologin snort
sudo chown snort:snort /var/log/snort


4. Quick Rules download

To perform quick tests, we'll download the community rules :

cd /tmp

wget https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz

tar -zxf community-rules.tar.gz

rm community-rules.tar.gz

cd community-rules

now we copy all the files ( community.rules and the files that come with it ) into /etc/snort/rules :

cp * /etc/snort/rules
 

 

Let's finally edit the local.rules file to put four test rules in it. Sids from 1000000 upwards are the range reserved for local rules, and every sid must be unique ( Snort reports duplicate sids as errors when the config is loaded ). These four rules fire on every ICMP packet and on every TCP packet to or from port 80, so remove them once the tests are done :

gedit /etc/snort/rules/local.rules

alert icmp any any -> $HOME_NET any (msg:"ICMP IN Test NOW!!!"; sid:1000001; classtype:not-suspicious; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP IN Test NOW!!!"; sid:1000002; classtype:not-suspicious; rev:1;)
alert icmp $HOME_NET any -> any any (msg:"ICMP OUT Test NOW!!!"; sid:1000003; classtype:not-suspicious; rev:1;)
alert tcp $HOME_NET any -> any 80 (msg:"HTTP OUT Test NOW!!!"; sid:1000004; classtype:not-suspicious; rev:1;)
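Before pointing snort.conf at local.rules it is worth checking the file mechanically : a duplicate sid or a sid below 1000000 only shows up when Snort parses the config, and a rule without msg or rev is hard to trace in the alert logs later. The awk-based function below is an added example ( not part of the original post or of Snort ) that applies exactly those checks to any rules file given as argument. The rules in its test are the four test rules above plus constructed bad ones.

```shell
# Added example (not part of the original post or of Snort): sanity-check a
# local rules file before pointing snort.conf at it.
#   - sids 1000000 and above are the range reserved for locally written rules
#   - every sid must be unique in the file
#   - every rule should carry msg and rev, or it is hard to trace in the alert log
# Blank lines and # comments are skipped; anything else is treated as one rule per line.
#
# Usage: check_local_rules <rules-file>
# Prints one line per problem found; the return code is the number of problems (0 = clean).
check_local_rules() {
    awk '
        /^[ \t]*#/ { next }          # comment line
        /^[ \t]*$/ { next }          # blank line
        {
            if (match($0, /sid:[ \t]*[0-9]+/)) {
                sid = substr($0, RSTART, RLENGTH)
                sub(/sid:[ \t]*/, "", sid)
                if (sid + 0 < 1000000) {
                    print FILENAME ":" NR ": sid " sid " is below the local range (>= 1000000)"
                    problems++
                }
                if (sid in seen) {
                    print FILENAME ":" NR ": duplicate sid " sid " (first seen on line " seen[sid] ")"
                    problems++
                } else {
                    seen[sid] = NR
                }
            } else {
                print FILENAME ":" NR ": rule has no sid"
                problems++
            }
            if ($0 !~ /rev:[ \t]*[0-9]+/) { print FILENAME ":" NR ": rule has no rev"; problems++ }
            if ($0 !~ /msg:[ \t]*"/)     { print FILENAME ":" NR ": rule has no msg"; problems++ }
        }
        # exit status is the problem count, capped at what a shell can return
        END { exit (problems > 255 ? 255 : problems) }
    ' "$1"
}
```

Run it as check_local_rules /etc/snort/rules/local.rules before snort -T; a non-zero return code means the printed lines need fixing first.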

 

5. SNORT.conf Setup

We'll finally set up the SNORT config file :

gedit /etc/snort/snort.conf

change "ipvar HOME_NET any" to "ipvar HOME_NET [192.168.1.0/24,2001:db8:0:1:0:0:0:0/64]" ( the networks the sensor protects )
change "ipvar EXTERNAL_NET any" to "ipvar EXTERNAL_NET !$HOME_NET"
change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules"
change "var WHITE_LIST_PATH ../rules" to "var WHITE_LIST_PATH /etc/snort/rules"
change "var BLACK_LIST_PATH ../rules" to "var BLACK_LIST_PATH /etc/snort/rules"

in the http_inspect global preprocessor settings, add the following right after decompress_depth 65535 ( near line #298 ) :

max_gzip_mem 104857600

we set up the output plugin in the output section ( near line #520 ) :

output unified2: filename snort.log, limit 128, mpls_event_types, vlan_event_types

we comment out every "include $RULE_PATH/...rules" line except local.rules, and add "include $RULE_PATH/community.rules" next to it ( the stock snort.conf does not include the community rules ).
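The variable and include edits listed above are easy to get wrong by hand, and have to be redone whenever a new release's snort.conf is copied over /etc/snort. The function below is an added example for this page ( not part of the original post or of Snort ) that applies those edits with sed : HOME_NET, EXTERNAL_NET, the three *_PATH variables, commenting out every rules include except local.rules, and adding the community.rules include once. It assumes the stock snort-2.9.x/etc/snort.conf layout ( lines of the form "ipvar HOME_NET any", "var RULE_PATH ../rules" and "include $RULE_PATH/<name>.rules" ) and GNU sed; the HOME_NET value is whatever is passed as second argument. It is safe to run more than once. The max_gzip_mem and unified2 edits above are not covered and are still done by hand.

```shell
# Added example (not part of the original post or of Snort): apply the
# snort.conf variable and include edits with sed so they are reproducible.
# Assumes the stock snort-2.9.x/etc/snort.conf and GNU sed (the -i option).
#
# Usage: tune_snort_conf <snort.conf> <home_net> [<rule_path>]
#   e.g. tune_snort_conf /etc/snort/snort.conf '[192.168.1.0/24,2001:db8:0:1::/64]'
# Running it twice on the same file leaves the file unchanged the second time.
tune_snort_conf() {
    conf=$1
    home_net=$2
    rule_path=${3:-/etc/snort/rules}

    # 1. network and path variables ("|" as delimiter: the values contain "/")
    sed -i \
        -e "s|^ipvar HOME_NET .*|ipvar HOME_NET $home_net|" \
        -e 's|^ipvar EXTERNAL_NET .*|ipvar EXTERNAL_NET !$HOME_NET|' \
        -e "s|^var RULE_PATH .*|var RULE_PATH $rule_path|" \
        -e "s|^var WHITE_LIST_PATH .*|var WHITE_LIST_PATH $rule_path|" \
        -e "s|^var BLACK_LIST_PATH .*|var BLACK_LIST_PATH $rule_path|" \
        "$conf"

    # 2. comment out every rules include except local.rules and community.rules
    #    (community.rules is excluded so that a second run does not undo step 3)
    sed -i -e '/^include \$RULE_PATH\/\(local\|community\)\.rules/!s|^include \$RULE_PATH/.*\.rules|# &|' "$conf"

    # 3. include community.rules exactly once, right after local.rules
    if ! grep -q '^include \$RULE_PATH/community\.rules' "$conf"; then
        sed -i -e '/^include \$RULE_PATH\/local\.rules/a\
include $RULE_PATH/community.rules' "$conf"
    fi
}
```

After running it, snort -c /etc/snort/snort.conf -T ( section 6 ) is still the authoritative check that the resulting file loads.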

 

 

create-sidmap.pl script

The create-sidmap.pl script ( from the Oinkmaster distribution ) may be useful to regenerate sid-msg.map from the rule files; Barnyard2 uses that map to turn sids back into messages. Let's quickly get it :

cd /usr/src

sudo wget http://prdownloads.sourceforge.net/oinkmaster/oinkmaster-2.0.tar.gz

sudo tar -zxf oinkmaster-2.0.tar.gz

cd oinkmaster-2.0/contrib

sudo mkdir /usr/share/oinkmaster

sudo cp create-sidmap.pl /usr/share/oinkmaster/
 


6. SNORT test

snort --help ( shows the built-in help )

 

we do a config loading test :

snort -c /etc/snort/snort.conf -i eth0 -T

 

we launch a live sniffing ( CTRL+C to exit ) :

snort -i eth0 -v

 

we launch with alert output to the console ( CTRL+C to exit ) :

snort -A console -u snort -g snort -q -c /etc/snort/snort.conf -i eth0

Pinging or web browsing to the SNORT IDS IP should produce alerts.

CTRL+C to exit

Do notice the use of -u snort -g snort : Snort has to start as root to open the capture interface, and these options make it drop to the snort user and group once initialised, so a bug in the packet decoders is not exploited with root privileges. Always run it this way.

 

7. SNORT logging

Let's quickly see how to have SNORT itself log to disk or to syslog, even though this is normally Barnyard2's role. It still may be useful for debugging, or for some special-case installations.

Local log file :

Let's add a log file by adding to /etc/snort/snort.conf, in the output plugin section :

output alert_fast

the alerts will be logged, one line each, in the file /var/log/snort/alert ( default file name in the default log directory ).

Do not use -A console here : the command-line -A option overrides the alert output plugins configured in snort.conf, so nothing would reach the file. I.e. use :

sudo snort -u snort -g snort -q -c /etc/snort/snort.conf -i eth0
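Once alert_fast is writing /var/log/snort/alert, the quickest way to see which test rules fire, and from which hosts, is to summarise the file per signature and per source address. The function below is an added example ( not part of the original post or of Snort ) that parses the alert_fast line format shown in its comment; the alert lines used in its test are constructed, not captured.

```shell
# Added example (not part of the original post or of Snort): summarise an
# alert_fast file per signature and per source address.
#
# alert_fast lines look like (one alert per line):
#   01/14-20:37:01.123456  [**] [1:1000001:1] ICMP IN Test NOW!!! [**] [Classification: Not Suspicious Traffic] [Priority: 3] {ICMP} 192.168.1.50 -> 192.168.1.10
#   01/14-20:37:03.323456  [**] [1:1000002:1] HTTP IN Test NOW!!! [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.77:51234 -> 192.168.1.10:80
#
# Usage: summarize_fast_alerts <alert-file>
# Output, tab separated, signatures first, most frequent first:
#   SIG <count> <gid:sid:rev> <message>
#   SRC <count> <source-ip>
summarize_fast_alerts() {
    tab=$(printf '\t')
    awk -v OFS="$tab" '
        # only lines that carry a [**] [gid:sid:rev] marker are alerts
        /\[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\]/ {
            # signature id is the first [gid:sid:rev] bracket
            match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/)
            sig = substr($0, RSTART + 1, RLENGTH - 2)
            # message sits between that bracket and the second [**]
            msg = substr($0, RSTART + RLENGTH + 1)
            sub(/ \[\*\*\].*/, "", msg)
            by_sig[sig]++
            msg_of[sig] = msg
            # source is the token just before "->"; strip :port on IPv4 sources
            if (match($0, /[^ ]+ -> /)) {
                src = substr($0, RSTART, RLENGTH - 4)
                if (src ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/) sub(/:[0-9]+$/, "", src)
                by_src[src]++
            }
        }
        END {
            for (s in by_sig) print "SIG", by_sig[s], s, msg_of[s]
            for (a in by_src) print "SRC", by_src[a], a
        }
    ' "$1" | sort -t "$tab" -k1,1 -k2,2rn
}
```

summarize_fast_alerts /var/log/snort/alert after a few pings and page loads against the sensor should list the four test sids with their counts, followed by the hosts that triggered them.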

 

Remote Syslogging capability :

leafpad /etc/snort/snort.conf

# syslog
output alert_syslog: LOG_LOCAL3 LOG_NOTICE

we edit the rsyslog conf file to forward the local3 facility to the collector ( IPv4 or IPv6 ) :

gedit /etc/rsyslog.conf

local3.notice    @192.168.1.10:514
local3.notice    @[2001:db8:0:1::10]:514

( a single @ forwards over UDP, which is neither acknowledged nor encrypted; @@ forwards over TCP. Alerts crossing an untrusted network should go over TCP with rsyslog's TLS transport, or stay on the Barnyard2 path. )

sudo service rsyslog restart

Again, do not use -A console, or the syslog output plugin configured in snort.conf is overridden. I.e. use :

sudo snort -u snort -g snort -q -c /etc/snort/snort.conf -i eth0

 

 

 

8. SNORT Boot-time Autostart

We wish for SNORT to start automatically. Let's see a quick and easy way, as the next blog post will explore this issue more extensively.

A quick easy way :

sudo gedit /etc/init.d/snortautorun

-------------------------------------------------------------------
#!/bin/bash
# init scripts already run as root at boot, so no sudo is needed here.
# -D daemonises snort; -u/-g drop privileges to the snort account once the interface is open.
snort -D -u snort -g snort -c /etc/snort/snort.conf -i eth0

exit 0
--------------------------------------------------------------------

sudo chmod +x /etc/init.d/snortautorun

sudo update-rc.d snortautorun defaults

( update-rc.d may warn that the script has no LSB header, and the script knows no stop action, so Snort is not stopped cleanly at shutdown. Good enough for a test sensor; a proper init script is the subject of the next post. )

Nb : Snort is running before any user logs in.



9. Barnyard2 Integration

Let's quickly review how to integrate the Barnyard2 spooler.

/etc/snort/snort.conf modifications :

We modify the output plugins by removing any of :

output alert_fast

output alert_syslog

And make sure the unified2 output is set up ( near line #520 ) :

output unified2: filename snort.log, limit 128, mpls_event_types, vlan_event_types

The rest of the setup ( Barnyard2 / MySQL / Apache2 / BASE ) is documented here :

For Debian 7.5 / Get to Part 3 : Barnyard2 Setup

For Ubuntu 14.04 LTS / Get to Part 3 : Barnyard2 Setup

 

 

 

- SNORT® is a registered trademark  of Sourcefire, Inc. -

 

Published by computer outlines - in NIDS