2 February 2014, 19:42

Ubuntu 14.04 LTS is here, let's see how to set up our SNORT® IDS for this new LTS.

 

We'll build a basic setup here, using the Barnyard2 spooler. The full software chain will be :

SNORT / Barnyard2 / Mysql / Apache2 / BASE


 

This configuration is a little more complicated to set up and troubleshoot than the now deprecated SNORT-MySQL, and requires some software compilation. But only then do we have a really robust and reliable SNORT running. Furthermore, SNORT's direct MySQL output has been removed since SNORT 2.9.3.0.

I assume eth0 is the SNORT IDS sniffing interface throughout this post.

 

We'll be using three passwords here :

MySQL Server root password              secret1
SNORT MySQL databases user password     secret2
BASE GUI access                         secret3

I'll be using secret1, secret2 and secret3 as example passwords throughout this post.

Tested under Ubuntu 14.04 LTS / Edited May 30 2014

 

Debian users : see here for the equivalent Debian config ( there are differences ).

 

1. SNORT Install and Setup

We first do the usual apt-get update / upgrade :

 

sudo apt-get update

sudo apt-get upgrade

 

We set the SNORT machine with a static IP : 192.168.1.240
and reboot.

We apply some networking fine tunings ( not all options may be available to your NIC ) :

 

sudo apt-get install ethtool

 

sudo ethtool -K eth0 gro off
sudo ethtool -K eth0 lro off

and begin the snort installation :

sudo apt-get install snort


During snort install, we answer the questions about the protected subnet, here :

    192.168.1.0/24


we edit snort.conf :

sudo gedit /etc/snort/snort.conf


Line #51 :

ipvar HOME_NET 192.168.1.0/24

Line #536 we modify the line into :

output unified2: filename snort.log, limit 128, mpls_event_types, vlan_event_types

 

we restart SNORT :

 

sudo service snort restart

 

We delete previous log entries ( we changed the log format, to use time-stamps ) :

 

sudo rm /var/log/snort/snort.log

 

 

( nb: line #51 is not really needed, as it's overridden by /etc/snort/snort.debian.conf. I do it for coherency.

Likewise, edit /etc/snort/snort.debian.conf to choose the sniffing interface if several NICs are present. )

 

We edit /etc/snort/rules/local.rules to include those two test rules :

sudo gedit /etc/snort/rules/local.rules

alert icmp any any -> $HOME_NET any (msg:"ICMP Test NOW!!!"; classtype:not-suspicious; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP Test NOW!!!"; classtype:not-suspicious; sid:1000002;  rev:1;)

 

 

 

2. First test of Snort

sudo snort -i eth0 -v

( normally we get live packet sniffing ). CTRL+C to stop.

We do a config loading test :

sudo snort -A console -u snort -g snort -c /etc/snort/snort.conf -i eth0 -T

Let's finally launch SNORT in live alert console mode :

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

If we ping our SNORT IDS or try to browse it from another computer, alerts should be displayed.

CTRL+C to stop


3. Barnyard2 Setup

We first install the compile dependencies, and barnyard2 dependencies :

 sudo apt-get install autoconf

 sudo apt-get install libtool

 sudo apt-get install libpcap-dev

 sudo apt-get install libmysqlclient-dev

 

we get and install barnyard2 :

 cd /usr/src

 sudo wget https://github.com/firnsy/barnyard2/tarball/master

 sudo tar -zxf master

 cd firnsy-barnyard2*

 sudo autoreconf -fvi -I ./m4

 sudo ./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu

 sudo make

 sudo make install

 sudo cp /usr/local/etc/barnyard2.conf /etc/snort

 sudo cp schemas/create_mysql /usr/src

 sudo mkdir /var/log/barnyard2

 

We edit barnyard2.conf :

sudo gedit /etc/snort/barnyard2.conf


Line #227 change to :
output alert_fast                                      ( instead of output alert_fast: stdout )


near the end, line #348, uncomment and complete :

output database: log, mysql, user=snort password=secret2 dbname=snort host=localhost

( Replace secret2 with your chosen MySQL user password. )


4. MySQL setup

sudo apt-get install mysql-server

    [ enter Mysql-server root password here : secret1 ]

We setup our database :

sudo mysql -u root -p

    [ Enter Mysql-server root password : secret1 ]

We enter these lines in the mysql> console :

create database snort;
create database archive;

grant usage on snort.* to snort@localhost;
grant usage on archive.* to snort@localhost;

set password for snort@localhost=PASSWORD('secret2');

grant all privileges on snort.* to snort@localhost;
grant all privileges on archive.* to snort@localhost;

flush privileges;

exit

 

 

We populate the MySQL database with the Snort table structure :

sudo mysql -u root -p

              [ enter mysql root-password here : secret1 ]

mysql>

use snort;

source /usr/src/create_mysql;

show tables;                                                 # you should see the list of new tables you just imported.

exit



5. Snort and Barnyard testing

We check the SNORT service is started :

 

sudo service snort restart

 

We manually launch Barnyard2 :

sudo /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/barnyard2/bylog.waldo -C /etc/snort/classification.config



Barnyard2 will probably fatally exit due to a missing sid-msg.map file. This file is no longer included in the Snort source but is required by Barnyard2.

To solve this problem, we will use an oinkmaster script named create-sidmap.pl to generate the sid-msg.map
( we will later install and configure PulledPork, which manages the sid-msg.map file )

sid-msg.map creation :

cd /usr/share/oinkmaster

sudo bash -c "sudo ./create-sidmap.pl /etc/snort/rules > /etc/snort/sid-msg.map"
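As an added example ( not from this post, and not the oinkmaster or PulledPork code ), here is the same sid-msg.map generation as a POSIX shell function over awk : it reads rule files, skips commented-out rules and duplicate sids, and emits "sid || msg || reference ..." lines sorted by sid. The sample rules are constructed and include the two test rules of section 1.

```shell
#!/bin/sh
# Added example, not from the post: build a Barnyard2 sid-msg.map from Snort rule files.
# Output format (one line per active rule): sid || msg [|| reference ...]

gen_sidmap() {
    # usage: gen_sidmap /etc/snort/rules/*.rules   (reads stdin when no file is given)
    cat "$@" | awk '
        /^[ \t]*(alert|log|pass|drop|reject|sdrop)[ \t]/ {      # commented-out rules never match
            if (!match($0, /sid:[ \t]*[0-9]+[ \t]*;/)) next     # no sid: nothing to map
            sid = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", sid)
            if (!match($0, /msg:[ \t]*"[^"]*"/)) next           # no msg: Barnyard2 needs the text
            msg = substr($0, RSTART, RLENGTH)
            sub(/^msg:[ \t]*"/, "", msg); sub(/"$/, "", msg)
            if (sid in seen) next                               # keep the first definition of a sid
            seen[sid] = 1
            out = sid " || " msg
            rest = $0
            while (match(rest, /reference:[ \t]*[^;]+;/)) {     # append every reference option
                ref = substr(rest, RSTART, RLENGTH)
                sub(/^reference:[ \t]*/, "", ref); sub(/;$/, "", ref)
                out = out " || " ref
                rest = substr(rest, RSTART + RLENGTH)
            }
            print out
        }' | sort -n
}

sample_rules() {
    # constructed sample: the two test rules of section 1, a disabled rule,
    # a rule with references, and a duplicate sid
    cat <<'EOF'
alert icmp any any -> $HOME_NET any (msg:"ICMP Test NOW!!!"; classtype:not-suspicious; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP Test NOW!!!"; classtype:not-suspicious; sid:1000002;  rev:1;)
# alert tcp any any -> $HOME_NET 22 (msg:"disabled rule"; sid:1000003; rev:1;)
alert tcp any any -> $HOME_NET 443 (msg:"TLS Test"; reference:url,example.com/sample; reference:url,example.com/two; sid:1000004; rev:2;)
alert tcp any any -> $HOME_NET 80 (msg:"duplicate sid"; sid:1000001; rev:2;)
EOF
}

# real use:  sh gen_sidmap.sh /etc/snort/rules/*.rules > /etc/snort/sid-msg.map
if [ "$#" -gt 0 ]; then
    gen_sidmap "$@"
else
    sample_rules | gen_sidmap
fi
```

Barnyard2 only needs the sid and msg columns; the references are optional and simply appended when a rule carries them.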


we launch barnyard2, and this time we should get no error :

sudo /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/barnyard2/bylog.waldo -C /etc/snort/classification.config

CTRL+C to exit barnyard2

 

 

6. Barnyard2 boot-time autorun

 

We need Barnyard2 to be automatically started at boot-time. Let's make a quick and easy boot-time script.

( This is a very light and easy script, not to be used in a production environment. )

This script is very sensitive to the name you use. I advise you to stick with runbarnyard2.

 

sudo touch /etc/init.d/runbarnyard2

sudo gedit /etc/init.d/runbarnyard2

-----------------------------------------------------------------------------------------------

#!/bin/sh
# Minimal start/stop script for Barnyard2 ( see the caveats above : not for production use ).
# -D runs Barnyard2 as a daemon, -n makes it process only new unified2 records.

case "$1" in
    start)
        echo "Starting Barnyard2"
        sudo bash -c "barnyard2 -D -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -n"
        echo 'Barnyard2 started.'
    ;;
    stop)
        echo "Stopping Barnyard2"
        sudo killall barnyard2
        echo 'Barnyard2 stopped.'
    ;;
    restart)
        $0 stop
        sleep 4
        $0 start
    ;;
    *)
        echo "usage: $0 (start|stop|restart)"
    ;;
esac

exit 0
-----------------------------------------------------------------------------------------------

 

sudo chmod 700 /etc/init.d/runbarnyard2

sudo update-rc.d runbarnyard2 defaults 21 00

 

We modify Barnyard2 to launch as a daemon, by uncommenting the daemon line:

sudo gedit /etc/snort/barnyard2.conf
------------------------------------------------------------

# enable daemon mode
#
config daemon
-------------------------------------------------------------

 

Usage :

sudo /etc/init.d/runbarnyard2 start/stop/restart

 

( Do note Barnyard2 is launched with the -n switch : Only new records are processed ). 

 

For more ideas about Barnyard2 boot-time run, see here

 

 

7. Apache2 / BASE GUI frontend setup

Apache2 setup :

sudo apt-get install apache2

sudo apt-get install libapache2-mod-php5

sudo apt-get install libphp-adodb

( info message is OK )


Edit "/etc/php5/apache2/php.ini", look for the line "error_reporting" and change it to:

error_reporting = E_ALL & ~E_NOTICE

We edit /etc/apache2/apache2.conf to add authorizations for www/base :

 

-----------------------------------------------------------------------------------------------------

<Directory /var/www/html/base>
    AllowOverride All
    Require all granted
</Directory>
-----------------------------------------------------------------------------------------------------

 

 

We restart apache2 :


sudo service apache2 restart

 

We install the BASE dependencies :

sudo apt-get install php-pear

sudo apt-get install libwww-perl                                                       ( usually already installed )

sudo apt-get install php5-gd



sudo pear config-set preferred_state alpha

sudo pear channel-update pear.php.net

sudo pear install --alldeps Image_Color Image_Canvas Image_Graph

 

At this point you will get an error, facing the very annoying ' could not extract the package.xml file ' bug. This is due to a change in pear that broke something. Let's dodge this problem :

 

Dodging the PEAR invalid package.xml bug

 

We have to get in the pear download directory, and manually install the 6 pear packages ( 3 + 3 dependencies ).

Here's how :

 

cd /build/buildd/php5-5.5.9+dfsg/pear-build-download

ls

 

there should be the 6 .tgz packages here. Let's manually install them :

 

sudo tar zxf Image_Color*.tgz

sudo cp package.xml ./Image_Color*/

cd Image_Color*

sudo pear install package.xml

cd ..

 

do this for the 6 packages in this order :

Image_Color
Image_Canvas
Numbers_Roman
Math_BigInteger
Numbers_Words
Image_Graph

 

 

 

 

BASE install :

cd /usr/src

sudo wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz

sudo tar -zxf base-1.4.5.tar.gz

sudo cp -r base-1.4.5 /var/www/html/base

sudo chown -R www-data:www-data /var/www/html/base

sudo service apache2 restart


BASE setup :

we launch a local web browser :

http://localhost/base

 

Step 1)  path : /usr/share/php/adodb

Step 2)  Database Name :                snort
         Database Host :                localhost
         Database User Name :           snort
         Database Password :            secret2

         ( tick 'Use Archive Database' )

         Archive Database Name :        archive
         Archive Database Host :        localhost
         Archive Database User Name :   snort
         Archive Database Password :    secret2

Step 3)  tick 'use authentication system' ( it enables the BASE login screen lock )

         Admin user name :      john
         [GUI password] :       secret3
         Full admin name :      John Doe

Step 4)  Click ' Create baseAG '

Step 5)  Click ' Now continue to Step 5 ' and login ( john / secret3 )

 

 

A few ping and http alerts should be displayed ( red bar ). The web page is refreshed every 3 minutes.

 

Note : there is a problem with Ubuntu 14.04 LTS : in the BASE GUI, Graph Alert Data seems broken.

 

8. syslog logging


To set up snort syslog logging ( useful for debugging snort ) :

we uncomment this line in snort.conf :

output alert_syslog: LOG_AUTH LOG_ALERT

+ restart snort ( sudo service snort restart, or use your /etc/init.d/ script )

the log can be viewed using :

sudo grep snort /var/log/auth.log

nb :    LOG_AUTH is the logging facility ( configurable )
        LOG_ALERT is the severity level ( configurable )

 

Except for debugging purpose, logging should be performed at Barnyard2 level. The syntax is the same :

 

sudo gedit /etc/snort/barnyard2.conf

--------------------------------------------------------------------------

output alert_syslog: LOG_AUTH LOG_ALERT

--------------------------------------------------------------------------

 

+ restart barnyard2 ( using your /etc/init.d script )

It is useful for Barnyard2 debugging too.

 

9. Basic Portscan detection

Complete Portscan detection requires SNORT Shared Objects / Shared Object Rules, which we'll be seeing later. Still, we can implement a basic function :

sudo gedit /etc/snort/snort.conf

We uncomment and modify this line ( #428 usually ) :

# Portscan detection.  For more information, see README.sfportscan

preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { medium } logfile { /var/log/snort/portscan.log }

 

 

We restart snort :

 

sudo service snort restart

 

 

A regular Nmap/Zenmap scan ( nmap 192.168.1.240) on the SNORT IDS will trigger alerts.

 

portscans can be checked using :

sudo cat /var/log/snort/portscan.log

( check /var/log/snort/portscan.log permissions. chown snort:snort portscan.log is necessary )


we then enable portscan.log lookups by BASE :

sudo gedit /var/www/html/base/base_conf.php

 

#line 290 :

 

$portscan_file = '/var/log/snort/portscan.log';        ( using an absolute path )

sudo service apache2 restart

sudo chmod a+r /var/log/snort/portscan.log

sudo chmod 755 /var/log/snort



10. DNS resolution, Alert coloring and Database Emptying


Some interesting BASE GUI options :

sudo gedit /var/www/html/base/base_conf.php

To resolve IP to FQDN :

/* Resolve IP to FQDN (on certain queries?)
 *    1 : yes
 *    0 : no
 */
$resolve_IP = 1;

To have alert-priority coloring :

/* This option is used to set if BASE will use colored results
 * based on the priority of alerts
 * 0 : no
 * 1 : yes
 */
$colored_alerts = 1;



To empty the SNORT MySQL alerts database

We can do this using the BASE GUI :

Cache & Status > Clear Data Tables

then restart Barnyard2 :

sudo /etc/init.d/runbarnyard2 restart

( The Barnyard2 restart is mandatory for alerts to get displayed again )

Do note that logs and alerts may need to be deleted too. Read next.

 

11. To delete all alerts and logs

 

Emptying the MySQL database is enough to clear the BASE GUI display; still, the next Barnyard2 launch will review the recorded snort alerts, skipping old ones. Furthermore, portscan.log won't get deleted. To avoid this, here is what is needed to empty all the logged alerts :

 

sudo service snort stop
sudo /etc/init.d/runbarnyard2 stop


sudo rm /var/log/snort/snort.log.*

sudo bash -c "cat /dev/null > /var/log/snort/portscan.log"
sudo rm /var/log/barnyard2/*

Then cleanup the MySQL database using the BASE GUI.

 

Then, either reboot or restart Snort and Barnyard2.

 

This cleanup may be integrated as a fourth option in your /etc/init.d/runbarnyard2 script.
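As an added example ( not from this post ), here is the log reset above written as a shell function that can be wired in as a "clean" option of the runbarnyard2 script. The log directories are parameters so it can be rehearsed on a scratch copy first; it assumes pgrep is available for the running-process check and that it runs as root ( or via sudo ) on the real paths.

```shell
#!/bin/sh
# Added example, not from the post: the log reset of section 11 as a function.
# Defaults are the paths used throughout the post; with them it must run as root.
clean_snort_logs() {
    snort_dir=${1:-/var/log/snort}
    by_dir=${2:-/var/log/barnyard2}
    # never touch the spool while the producer (snort) or the consumer (barnyard2) is running
    for p in snort barnyard2; do
        if command -v pgrep >/dev/null 2>&1 && pgrep -x "$p" >/dev/null 2>&1; then
            echo "$p is still running, stop it first" >&2
            return 1
        fi
    done
    if [ ! -d "$snort_dir" ] || [ ! -d "$by_dir" ]; then
        echo "log directories $snort_dir / $by_dir not found" >&2
        return 1
    fi
    # unified2 spool files are named snort.log.<timestamp> (the output setting of section 1)
    for f in "$snort_dir"/snort.log.*; do
        [ -e "$f" ] && rm -f "$f"
    done
    # keep portscan.log with its ownership and mode (section 9), just empty it
    if [ -f "$snort_dir/portscan.log" ]; then
        : > "$snort_dir/portscan.log"
    fi
    # drop the waldo bookmark: the next start with -n only processes new spool files
    for f in "$by_dir"/*; do
        [ -e "$f" ] && rm -f "$f"
    done
    return 0
}

# integration into /etc/init.d/runbarnyard2:   clean) clean_snort_logs ;;
# afterwards, empty the MySQL tables from the BASE GUI and restart snort and barnyard2
```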

 

See here for some examples.

 

 

- SNORT® is a registered trademark  of Sourcefire, Inc. -

 

Published by computer outlines - in NIDS

Comments

dhafer 11/03/2017 15:19

./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu

ERROR: unable to find mysqlclient library (libmysqlclient.*)

EKO 27/01/2017 08:45

thanks very much,,

Henry 02/10/2015 20:58

sorry, in the step 3
>sudo ./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu
>sudo make
>sudo make install
what we have to install?

rez 17/03/2015 19:10

Hi there,

I installed base in ubuntu 14.04 but I want to remove it, how can I do it?
this command does not work:
sudo apt-get --purge remove base or sudo apt-get remove base

anthonygallina1@gmail.com 22/02/2015 06:50

I am on an Ubuntu 14.04 LTS system, and having trouble with the install. In this part here there is no /usr/local/etc/barnyard2.conf.
Stuck here: sudo cp /usr/local/etc/barnyard2.conf /etc/snort, can't stat file.
Thanks.

Laurent 03/03/2015 15:43

Hi,
sudo cp /usr/src/firnsy-barnyard2-ce3c022/etc/barnyard2.conf /etc/snort
