
Installing Snort, Barnyard2, BASE, Snorby on Centos6.8


INTRODUCTION:

In this post we will walk through the installation of Snort, Barnyard2, BASE and Snorby on CentOS 6.8. Snort is a network intrusion detection system; the same binary can also run inline as an intrusion prevention system, but this post sets it up in IDS (sniffing) mode on eth0 and then configures two web front-ends for its alerts, BASE and Snorby, with Barnyard2 feeding the alerts into MySQL.


PREREQUISITE:

Centos 6.8 minimal installed with internet connection.

INSTALLING SNORT

Snort is an open source network intrusion detection and prevention system capable of real-time traffic analysis and packet logging.

Step 1 : UPDATE SERVER

yum install -y epel-release

yum update -y

Step 2 : INSTALL DEPENDENCIES

yum install -y wget gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel tcpdump mysql mysql-server mysql-devel git libtool curl man make rpm-build autoconf automake  libdnet libdnet-devel   php-mysql tree

Step 3 : INSTALL DAQ

cd /usr/src/

wget -c https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz

tar -xvzf daq-2.0.6.tar.gz

cd daq-2.0.6

./configure && make && make install

Step 4 : INSTALL SNORT

cd /usr/src/

wget -c https://www.snort.org/downloads/archive/snort/snort-2.9.7.6.tar.gz

tar -zxvf snort-2.9.7.6.tar.gz

cd snort-2.9.7.6

./configure --enable-sourcefire && make && make install

Step 5 : PREPARING SNORT

update libraries:
ldconfig

Place a symlink to the Snort binary in /usr/sbin:
ln -s /usr/local/bin/snort /usr/sbin/snort

Test Snort installation:
snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.7.6 GRE (Build 285)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.7.4
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3




Step 6 : CONFIGURING SNORT

groupadd snort
useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort

mkdir /etc/snort
mkdir /etc/snort/rules
mkdir /etc/snort/preproc_rules
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules /etc/snort/rules/local.rules

mkdir /var/log/snort
mkdir /usr/local/lib/snort_dynamicrules

cp /usr/src/snort-2.9.7.6/etc/*.conf* /etc/snort
cp /usr/src/snort-2.9.7.6/etc/*.map /etc/snort

Set ownership and permissions. Do not make these directories world-writable (chmod 777) as many guides do: anyone with a local account could then edit snort.conf or drop a rule file or a shared object into the dynamic rules directory, and Snort would load it at the next restart. Snort starts as root, reads its configuration, and then drops to the snort user, so the configuration only needs to be readable by the snort group, while the log directory must be writable by the snort user:

chown -R root:snort /etc/snort /usr/local/lib/snort_dynamicrules
chmod -R u=rwX,g=rX,o= /etc/snort /usr/local/lib/snort_dynamicrules
chown -R snort:snort /var/log/snort
chmod 750 /var/log/snort

Our Snort directory listing looks like this:

tree /etc/snort

/etc/snort
|-- classification.config
|-- file_magic.conf
|-- gen-msg.map
|-- preproc_rules
|-- reference.config
|-- rules
|   |-- black_list.rules
|   |-- local.rules
|   `-- white_list.rules
|-- snort.conf
|-- threshold.conf
`-- unicode.map

Step 7 : Sample rule testing

comment the other rules:
sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf

open snort.conf and goto line 45 and define home and external network:
ipvar HOME_NET xx.xx.xx.xx/24
ipvar EXTERNAL_NET !$HOME_NET

Set the following file paths, beginning at line 104:
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

goto line 545:
include $RULE_PATH/local.rules

test the configurations:
snort -T -c /etc/snort/snort.conf

(...)
Snort successfully validated the configuration!
Snort exiting


Paste the following line into the empty local rules file: /etc/snort/rules/local.rules:
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)

We will run Snort from the command line, using
the following flags:
-A console The 'console' option prints fast mode alerts to stdout
-q         Quiet mode. Don’t show banner and status report. 
-u snort   Run Snort as the following user after startup
-g snort   Run Snort as the following group after startup
-c /etc/snort/snort.conf The path to our snort.conf file
-i eth0   The interface to listen on

/usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Use ctrl-c to stop Snort from running.

INSTALLING BARNYARD2

Barnyard2 is an open source interpreter for Snort unified2 binary output files. Its purpose is to let Snort write its alerts to disk in an efficient binary format and leave the parsing of that data into other formats (here, a MySQL database) to a separate process, so that the work does not cause Snort to miss network traffic.

Step 1 : Preparing Snort for Barnyard2 

Open /etc/snort/snort.conf, find the commented unified2 example around line 520 and add the following line after it (limit is the size in MB at which the output file is rotated):

output unified2: filename snort.u2, limit 128

So that lines 520 and 521 now look like:

# output unified2: filename merged.log, limit 128, nostamp, mpls event types, vlan event types
output unified2: filename snort.u2, limit 128

Step 2 : Extract and install barnyard2:

cd /usr/src

wget -O barnyard2-2-1.13.tar.gz https://codeload.github.com/firnsy/barnyard2/tar.gz/v2-1.13

tar -zxvf barnyard2-2-1.13.tar.gz

cd barnyard2-2-1.13

autoreconf -fvi -I ./m4

./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql && make && make install

Step 3 : We need to copy and create some files for Barnyard2 to run:

cd /usr/src/barnyard2-2-1.13

cp etc/barnyard2.conf /etc/snort

mkdir /var/log/barnyard2

chown snort:snort /var/log/barnyard2

touch /var/log/snort/barnyard2.waldo

chown snort:snort /var/log/snort/barnyard2.waldo

touch /etc/snort/sid-msg.map

barnyard2.conf expects sid-msg.map, gen-msg.map and classification.config under /etc/snort (see the config sid_file, gen_file and class_file lines near the top of the file). The empty sid-msg.map created here is enough to start Barnyard2, but alerts from rules that are not listed in it are stored with a generic "Snort Alert [gid:sid:rev]" message; the official rule snapshot ships a populated sid-msg.map in its etc/ directory, and local rules have to be added to it by hand.
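As an added example (not from the original post): the local rule written in Step 7 of the Snort section has only a sid and a msg, and Barnyard2 labels alerts by looking each sid up in the sid-msg.map that this step leaves empty. The script below defines two shell functions: check_rule_sids rejects a rules file whose sids are duplicated or fall below 1000000 (the range Snort reserves for locally written rules), and gen_sid_msg_map builds sid-msg.map lines in the Barnyard2 v1 format "sid || msg" from one or more rules files. The sample rules are constructed here, and the script assumes one rule per line with no escaped quotes inside msg.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the sids in Snort
# rules files and generate the v1 sid-msg.map ("sid || msg") that Barnyard2
# uses to label alerts. Assumes one rule per line and no escaped quotes in msg.

# Print one "sid || msg" line per active rule in the given files.
extract_sid_msg() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        {
            sid = ""; msg = ""
            if (match($0, /sid:[ \t]*[0-9]+/)) {
                sid = substr($0, RSTART, RLENGTH)
                sub(/sid:[ \t]*/, "", sid)
            }
            if (match($0, /msg:[ \t]*"[^"]*"/)) {
                msg = substr($0, RSTART, RLENGTH)
                sub(/msg:[ \t]*"/, "", msg)
                sub(/"$/, "", msg)
            }
            if (sid != "") print sid " || " msg
        }' "$@"
}

# Exit 1 (and say why) if a sid is below the local range (1000000+) or repeated.
check_rule_sids() {
    extract_sid_msg "$@" | awk '
        {
            sid = $1 + 0
            if (sid < 1000000) { printf "sid %d is below the local range (1000000+)\n", sid; bad = 1 }
            if (seen[sid]++)   { printf "sid %d is duplicated\n", sid; bad = 1 }
        }
        END { exit bad }'
}

# Emit sid-msg.map content sorted by sid; redirect it to /etc/snort/sid-msg.map.
gen_sid_msg_map() {
    extract_sid_msg "$@" | sort -n
}

# Constructed sample rules (not from the original post) to exercise the functions.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
# local rules
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"SSH connection attempt"; flags:S; sid:10000002; rev:1;)
# alert tcp any any -> any any (msg:"disabled rule"; sid:10000003; rev:1;)
EOF

if check_rule_sids "$SAMPLE_RULES"; then
    gen_sid_msg_map "$SAMPLE_RULES"      # prints the two "sid || msg" lines
fi
rm -f "$SAMPLE_RULES"
```

Run it against /etc/snort/rules/local.rules before restarting Snort; a rules file that fails check_rule_sids would either be rejected by Snort (duplicate sid) or collide with the vendor rule set (sid below 1000000). Regenerate sid-msg.map whenever local.rules changes, then restart Barnyard2 so it rereads the map.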


Step 4 : Database setup and setting permission:

service mysqld start
chkconfig mysqld on

Set a password for the MySQL root account (replace the placeholder). Running mysql_secure_installation instead does the same and also removes the anonymous accounts and the test database:

mysqladmin -u root password 'ROOT_PASSWORD'

echo "create database snort;" | mysql -u root -p

mysql -u root -p -D snort < /usr/src/barnyard2-2-1.13/schemas/create_mysql

echo "grant create, insert, select, delete, update on snort.* to snort@localhost identified by 'snort'" | mysql -u root -p

The grant uses 'snort' as the password only because the rest of this post does; choose a real password here and use the same value in barnyard2.conf and base_conf.php below. The account is limited to snort@localhost, which is all Barnyard2 and BASE need since they run on the same host.


We need to tell Barnyard2 how to connect to the MySQL database. Edit /etc/snort/barnyard2.conf and at the end of the file add this line:

output database: log, mysql, user=snort password=snort dbname=snort host=localhost


Since the password is stored in cleartext in the barnyard2.conf file, we should prevent other users from reading it:

chmod o-r /etc/snort/barnyard2.conf

Step 5 : Testing Barnyard2

Run Snort in alert mode (the command we run below is how Snort will normally be run when we set it up
as a daemon, except we aren’t using the -D flag which causes it to run as a daemon).

/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0


Ping the eth0 address of the Snort host from another machine, then list /var/log/snort. The snort.u2.<timestamp> file is the unified2 output we configured in Step 1 (snort.log.<timestamp> is left over from an earlier run):

# ls -l /var/log/snort/
total 8
-rw-r--r-- 1 snort snort    0 Nov 11 14:07 barnyard2.waldo
-rw------- 1 snort snort  744 Nov 11 13:49 snort.log.1415710140
-rw------- 1 snort snort 1360 Nov 11 14:10 snort.u2.1415711432

We now run Barnyard2 and tell it to look at these events and load into the Snort database. We use the
following flags with Barnyard2:
-c /etc/snort/barnyard2.conf        The path to the barnyard2.conf file
-d /var/log/snort                   The folder to look for Snort output files
-f snort.u2                         The Filename to look for in the above directory (snort.u2.nnnnnnnnnn)
-w /var/log/snort/barnyard2.waldo   The location of the waldo file (bookmark file)
-u snort                            Run Barnyard2 as the following user after startup
-g snort                            Run Barnyard2 as the following group after startup

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort

Now check that Barnyard2 wrote the events into MySQL. Query as the snort database user; you will be prompted for that user's password (not the MySQL root password):

mysql -u snort -p -D snort -e "select count(*) from event"

Passing the password inline as -psnort works too, but it ends up in the shell history and is visible to every user in the process list while the command runs.

Step 6 : Adding rules to Snort

Download the registered-user rule snapshot from snort.org (it requires a free Oinkcode). The number in the filename is the Snort version the snapshot was built for, and the precompiled shared-object detectors in it only load into that exact version, so fetch the snapshot that matches the Snort you installed rather than the 2983 one named here.

mkdir /usr/src/snortrules
mv snortrules-snapshot-2983.tar.gz /usr/src/snortrules

cd /usr/src/snortrules
tar -zxvf snortrules-snapshot-2983.tar.gz

cp rules/* /etc/snort/rules/
cp preproc_rules/* /etc/snort/preproc_rules/

mkdir -p /etc/snort/so_rules
cp so_rules/*.rules /etc/snort/so_rules/

The so_rules directory holds the rule stubs (*.rules) at its top level and the compiled detectors under so_rules/precompiled/<distro>/<arch>/<snort version>/. Copy the .so files for your platform into the directory that the dynamicdetection directive in snort.conf points at:

cp so_rules/precompiled/<distro>/<arch>/<snort version>/*.so /usr/local/lib/snort_dynamicrules/

Finally, re-enable the rule includes that Step 7 commented out (review the list and delete the includes for rule files you do not want loaded), restore ownership, and validate the configuration:

sed -i 's/^#include \$RULE_PATH/include $RULE_PATH/' /etc/snort/snort.conf
chown -R root:snort /etc/snort /usr/local/lib/snort_dynamicrules
snort -T -c /etc/snort/snort.conf



INSTALLING BASE:

BASE is the Basic Analysis and Security Engine. It is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts coming from a SNORT IDS system.

BASE is a PHP application, so install Apache and PHP (with the GD and PEAR packages BASE needs for its graphs) and then the PEAR Image_Graph package:

yum install -y httpd php php-pear php-gd php-mysql
pear install -f Image_Graph

BASE talks to MySQL through the ADOdb library:

cd /usr/src
wget http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-518-for-php5/adodb518a.tgz/download -O adodb518.tgz
tar -xvzf adodb518.tgz
mv adodb5 /var/adodb

cd /usr/src
wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
tar -zxvf base-1.4.5.tar.gz
mv base-1.4.5 /var/www/html/base
cd /var/www/html/base
cp base_conf.php.dist base_conf.php

Make the following edits to base_conf.php (use the database password you chose in the Barnyard2 section):

vim /var/www/html/base/base_conf.php
$BASE_urlpath = '/base';        # line 50
$DBlib_path = '/var/adodb/';    # line 80
$alert_dbname= 'snort';         # line 102
$alert_host= 'localhost';
$alert_port= '3306';
$alert_user= 'snort';
$alert_password = 'snort';      # line 106

Set ownership of the BASE folder so Apache can read it:

chown -R apache:apache /var/www/html/base

Since the MySQL password is stored in plaintext in base_conf.php, prevent other users from reading it:

chmod o-r /var/www/html/base/base_conf.php

BASE is now configured to work with our database. Restart Apache and make it start at boot:

service httpd restart
chkconfig httpd on

Browse to http://{IP ADDRESS}/base/. On the first visit BASE shows its setup page, which creates the extra tables it needs in the snort database; after that the alert console appears.
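BASE 1.4.5 as installed above has no login of its own, so anyone who can reach http://{IP ADDRESS}/base/ sees every alert and can use the database maintenance actions. As an added example, not part of the original post, the Apache 2.2 (CentOS 6) fragment below restricts /base to an assumed management network 192.168.1.0/24 and adds HTTP basic authentication on top; the network, the user name "analyst" and the password file path are assumptions to adapt. (BASE's own login, $Use_Auth_System in base_conf.php, can be enabled as well; the Apache restriction works regardless.)

```apache
# /etc/httpd/conf.d/base.conf  (added example; adjust network, paths and user)
# Create the password file first:  htpasswd -c /etc/httpd/base.htpasswd analyst
<Directory /var/www/html/base>
    Options -Indexes
    AllowOverride None

    # Source restriction: only the management network may reach BASE.
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24

    # Plus a login; "Satisfy all" requires both the network match and valid credentials.
    AuthType Basic
    AuthName "Snort BASE console"
    AuthUserFile /etc/httpd/base.htpasswd
    Require valid-user
    Satisfy all
</Directory>
```

Basic authentication sends the credentials with every request, so either serve BASE over HTTPS (mod_ssl) or keep the network restriction as the primary control; then `service httpd restart` and confirm that a request from outside the allowed network gets a 403.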


Snorby

Snorby is a Ruby on Rails web front-end for the Snort events that Barnyard2 writes to the database. Most of the packages below are already installed by this point, but some may not be. (mariadb packages are CentOS 7 names and are not available on CentOS 6; MySQL is already installed from Step 2 of the Snort section.)

yum install -y openssl-devel readline-devel libxml2-devel libxslt-devel \
  urw-fonts libX11-devel libXext-devel git fontconfig-devel libXrender-devel \
  unzip wget xorg-x11-server-Xvfb libyaml libyaml-devel gdbm-devel db4-devel \
  libffi-devel ethtool httpd httpd-devel ImageMagick ImageMagick-devel \
  curl libcurl libcurl-devel libmnl-devel gcc zlib-devel jansson-devel \
  libnet-devel libnetfilter_queue-devel xorg-x11-fonts-Type1 \
  xorg-x11-fonts-75dpi postgresql-devel java-1.8.0-openjdk

Snorby uses wkhtmltopdf for PDF reports. The package below is the CentOS 7 build and the gna.org mirror no longer exists; install the CentOS 6 build from the wkhtmltopdf project's releases instead, and check afterwards that /usr/local/bin/wkhtmltopdf exists, since snorby_config.yml points to it.

wget http://download.gna.org/wkhtmltopdf/0.12/0.12.2/wkhtmltox-0.12.2_linux-centos7-amd64.rpm

rpm -ivh wkhtmltox-0.12.2_linux-centos7-amd64.rpm

Import the RVM signing key first, then run the installer once (it verifies the downloaded release against that key before running it):

gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
curl -sSL https://get.rvm.io | bash -s stable
source /etc/profile.d/rvm.sh
rvm reload
rvm requirements run
rvm install 2.2.2
gem install bundler
gem install rails

cd /var/www/html
git clone https://github.com/Snorby/snorby.git

Edit the Snorby configuration; domain and mailer_sender below are the example host's values, so set them to your own hostname and sender address:

vi /var/www/html/snorby/config/snorby_config.yml
production:  
  baseuri: ''
  domain: 'snorby.nfsec.co.uk:8080'
  wkhtmltopdf: /usr/local/bin/wkhtmltopdf
  ssl: false
  mailer_sender: 'snorby@nfsec.com'
  geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
  rules:
    - ""
  authentication_mode: database
  timezone_search: true
  time_zone: 'Europe/London'

Create the Snorby database and a user that can only connect locally (run these in mysql -u root -p). Do not grant snorby@'%': Snorby runs on the same host, and a wildcard host grant lets the account log in from anywhere that can reach port 3306.

CREATE DATABASE snorby;
GRANT ALL PRIVILEGES ON snorby.* TO snorby@'localhost' IDENTIFIED BY '****';
FLUSH PRIVILEGES;

vi /var/www/html/snorby/config/database.yml  
snorby: &snorby  
  adapter: mysql
  username: snorby
  password: "*****"
  host: localhost

production:  
  database: snorby
  <<: *snorby

cd /var/www/html/snorby/  
bundle install  
bundle exec rake snorby:setup RAILS_ENV=production

gem install passenger
passenger-install-apache2-module -a

The installer prints the LoadModule, PassengerRoot and PassengerDefaultRuby lines for the versions it built; copy them from its output rather than from here, since the paths carry the Ruby and Passenger version numbers. CentOS 6 ships httpd 2.2, which has no conf.modules.d directory, so all three lines go into /etc/httpd/conf.d/passenger.conf:

cat /etc/httpd/conf.d/passenger.conf
LoadModule passenger_module /usr/local/rvm/gems/ruby-2.2.2/gems/passenger-5.1.1/buildout/apache2/mod_passenger.so
<IfModule mod_passenger.c>
  PassengerRoot /usr/local/rvm/gems/ruby-2.2.2/gems/passenger-5.1.1
  PassengerDefaultRuby /usr/local/rvm/gems/ruby-2.2.2/wrappers/ruby
</IfModule>

Make Apache listen on the port the Snorby virtual host will use:

grep "^Listen" /etc/httpd/conf/httpd.conf
Listen 8080

ServerName and the log file names below are the example host's; use your own:

cat /etc/httpd/conf.d/snorby.conf
<VirtualHost *:8080>  
      ServerName snorby.hextrim.com
      DocumentRoot /var/www/html/snorby/public
      RailsEnv production
      <Directory /var/www/html/snorby/public>
        AllowOverride all
        Options -MultiViews
      </Directory>
        ServerSignature Off
        LogLevel info
        CustomLog /var/log/httpd/snorby.nfsec.co.uk-access.log combined
        ErrorLog /var/log/httpd/snorby.nfsec.co.uk-error.log
</VirtualHost>  

cd /var/www/html/snorby
rake snorby:refresh

With Passenger in place Apache serves the application, so restart it rather than starting the Rails server on the same port:

service httpd restart

(rails s -e production -p 8080 runs Snorby standalone for a quick test, but it cannot share port 8080 with Apache.)

Browse to http://{IP ADDRESS}:8080 and log in with the default account snorby@snorby.org / snorby. Change that password in the Snorby settings straight away: it is documented on the project page and is the first thing anyone who finds the console will try.

So what did we just do above? We installed the dependencies, RVM and Ruby 2.2.2, wkhtmltox, and the bundler and rails gems; configured Snorby and created a new database called snorby; then installed the passenger gem, built the Apache Passenger module, and wrote the Apache configuration that points at Snorby's public directory.

To feed Snorby from Barnyard2, point the database output at the snorby database instead of the snort one (the schema created by snorby:setup includes the Snort event tables). Edit /etc/snort/barnyard2.conf:

vim /etc/snort/barnyard2.conf
output database: log, mysql, user=snorby password=********** dbname=snorby host=localhost sensor_name=sensor1

#output database: log, mysql, user=snort password=********** dbname=snort host=localhost

Then restart Barnyard2. This post did not write an init script for it, so `service barnyard2 restart` only works once you have one; otherwise stop the running barnyard2 process and start it again with the command from the Barnyard2 testing step (add -D to run it as a daemon).

Now everything should work. The only thing left to start by hand is the Snorby worker, from the Snorby GUI under Administration > Worker & Job Queue > Start Worker.

  What is aureport? aureport is a command line utility used for creating useful summary reports from the audit log files stored in /var/log/audit/ . Like ausearch , it also accepts raw log data from stdin. It is an easy-to-use utility; simply pass an option for a specific kind of report that you need, as shown in the examples below. Create Report Concerning Audit Rule Keys The aurepot command will produce a report about all keys you specified in audit rules, using the -k flag. # aureport -k Report Audit Rule Keys You can enable interpreting of numeric entities into text (for example convert UID to account name) using the -i option. # aureport -k -i Create Report About Attempted Authentications If you need a report about all events relating to attempted authentications for all users, use the -au option. # aureport -au OR # aureport -au -i   Summary of Login Authentication Produce Report Concerning Logins The -l option tells aureport to ge...