In this post we will walk through Installation of Snort,barnyard,BASE and snorby.Snort is basically an intrusion detection system but we can tune it to intrusion prevention system.This post is step by step procedure to configure snort as intrusion prevention system and configure log analysis tools for snort which is BASE and Snorby.
PREREQUESITE:
Centos 6.8 minimal installed with internet connection.
INSTALLING SNORT
Snort is an open source intrusion prevention system(IPS) capable of real-time traffic analaysis and packet logging
Step 1 : UPDATE SERVER
yum install -y epel-release
yum update -y
Step 2 : INSTALL DEPENDENCIES
yum install -y wget gcc flex bison zlib zlib-devel libpcap libpcap-devel pcre pcre-devel tcpdump mysql mysql-server mysql-devel git libtool curl man make rpm-build autoconf automake libdnet libdnet-devel php-mysql tree
Step 3 : INSTALL DAQ
cd /usr/src/
wget -c https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
tar -xvzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure;make;make install
Step 4 : INSTALL SNORT
cd /usr/src/
wget -c https://www.snort.org/downloads/archive/snort/snort-2.9.7.6.tar.gz
tar -zxvf snort-2.9.7.6.tar.gz
cd snort-2.9.7.6
./configure --enable-sourcefire;make;make install
Step 5 : PREPARING SNORT
update libraries:
ldconfig
Place a symlink to the Snort binary in /usr/sbin:
ln -s /usr/local/bin/snort /usr/sbin/snort
Test Snort installation:
snort -V
,,_ -*> Snort! <*-
o" )~ Version 2.9.7.6 GRE (Build 285)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reser ved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.7.4
Using PCRE version: 7.8 2008-09-05
Using ZLIB version: 1.2.3
Step 6 : CONFIGURING SNORT
groupadd snort
useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
mkdir /etc/snort
mkdir /etc/snort/rules
mkdir /etc/snort/preproc_rules
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules /etc/snort/rules/local.rules
mkdir /var/log/snort
mkdir /usr/local/lib/snort_dynamicrules
chmod -R 777 /etc/snort
chmod -R 777 /var/log/snort
chmod -R 777 /usr/local/lib/snort_dynamicrules
cp /usr/src/snort-2.9.7.6/etc/*.conf* /etc/snort
cp /usr/src/snort-2.9.7.6/etc/*.map /etc/snort
Our Snort directory listing looks like this:
tree /etc/snort
/etc/snort
|-- classification.config
|-- file_magic.conf
|-- gen-msg.map
|-- preproc_rules
|-- reference.config
|-- rules
|
|-- black_list.rules
|
|-- local.rules
|
|-- white_list.rules
|-- snort.conf
|-- threshold.conf
|-- unicode.map
Step 7 : Sample rule testing
comment the other rules:
sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf
open snort.conf and goto line 45 and define home and external network:
ipvar HOME_NET xx.xx.xx.xx/24
ipvar EXTERNAL_NET !$HOME_NET
Set the following file paths, beginning at line 104:
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
goto line 545:
include $RULE_PATH/local.rules
test the configurations:
snort -T -c /etc/snort/snort.conf
(...)
Snort successfully validated the configuration!
Snort exiting
Paste the following line into the empty local rules file: /etc/snort/rules/local.rules:
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
We will run Snort from the command line, using
the following flags:
-A console The 'console' option prints fast mode alerts to stdout
-q Quiet mode. Don’t show banner and status report.
-u snort Run Snort as the following user after startup
-g snort Run Snort as the following group after startup
-c /etc/snort/snort.conf The path to our snort.conf file
-i eth0 The interface to listen on
/usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
Use ctrl-c to stop Snort from running.
INSTALLING BARNYARD2
Barnyard2 is an open source interpreter for Snort unified2 binary output files.Its primary use is allowing Snort to write to disk in an efficient manner and leaving the task of parsing binary data into
various formats to a separate process that will not cause Snort to miss network traffic.
Step 1 : Preparing Snort for Barnyard2
goto line 520 in /etc/snort/snort.conf and add the following line:
output unified2: filename snort.u2, limit 128
So that lines 520 and 521 now looks like:
# output unified2: filename merged.log, limit 128, nostamp, mpls event types, vlan event types
output unified2: filename snort.u2, limit 128
Step 2 : Extract and install barnyard2:
cd /usr/src
wget https://codeload.github.com/firnsy/barnyard2/tar.gz/v2-1.13
tar -zxvf barnyard2-2-1.13.tar.gz
cd barnyard2-master
autoreconf -fvi -I ./m4
./configure --with-mysql --with-mysql-libraries=/usr/lib64 ; make ; make install
Step 3 : We need to copy and create some files for Barnyard2 to run:
cd /usr/src/barnyard2-master
cp etc/barnyard2.conf /etc/snort
mkdir /var/log/barnyard2
chown snort.snort /var/log/barnyard2
touch /var/log/snort/barnyard2.waldo
chown snort.snort /var/log/snort/barnyard2.waldo
touch /etc/snort/sid-msg.map
Step 4 : Database setup and setting permission:
service mysqld start
mysqladmin -u root password /*set root password for mysql*/
echo "create database snort;" | mysql -u root -p
mysql -u root -p -D snort < /usr/src/barnyard2-master/schemas/create_mysql
echo "grant create, insert, select, delete, update on snort.* to snort@localhost identified by 'snort'" | mysql -u root -p
We need to tell Barnyard2 how to connect to the MySQL database. Edit /etc/snort/barnyard2.conf and at the end of the file add this line:
output database: log, mysql, user=snort password=snort dbname=snort host=localhost
Since the password is stored in cleartext in the barnyard2.conf file, we should prevent other users from reading it:
chmod o-r /etc/snort/barnyard2.conf
Step 5 : Testing Barnyard2
Run Snort in alert mode (the command we run below is how Snort will normally be run when we set it up
as a daemon, except we aren’t using the -D flag which causes it to run as a daemon).
/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
Ping the interface eth0 from another computer.After pinging The snort.log is the output file we created before):
user@snortserver:/var/log/snort$ls -l /var/log/snort/
total 8
-rw-r--r-- 1 snort snort 0 Nov 11 14:07 barnyard2.waldo
-rw------- 1 snort snort 744 Nov 11 13:49 snort.log.1415710140
-rw------- 1 snort snort 1360 Nov 11 14:10 snort.u2.1415711432
We now run Barnyard2 and tell it to look at these events and load into the Snort database. We use the
following flags with Barnyard2:
-c /etc/snort/barnyard2.conf The path to the barnyard2.conf file
-d /var/log/snort The folder to look for Snort output files
-f snort.u2 The Filename to look for in the above directory (snort.u2.nnnnnnnnnn)
-w /var/log/snort/barnyard2.waldo The location of the waldo file (bookmark file)
-u snort Run Barnyard2 as the following user after startup
-g snort Run Barnyard2 as the following group after startup
barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort
We now want to check the MySQL database to see if Barnyard2 wrote the events. Run the following
command to query the MySQL database, you will be prompted for the MySQL Snort user password:
MYSQLSNORTPASSWORD (not the MySQL root password):
mysql -u snort -psnort -D snort -e "select count(*) from event"
Step 9 : Adding rules to Snort
mkdir /usr/src/snortrules
mv snortrules-snapshot-2983.tar.gz /usr/src/snortrules
cd /usr/src/snortrules
tar -zxvf snortrules-snapshot-2983.tar.gz
mkdir /usr/local/lib/snort_dynamicrules/.so_rules
cp so_rules/* /usr/local/lib/snort_dynamicrules/.so_rules/
cp rules/* /etc/snort/rules/
cp preproc_rules/* /etc/snort/preproc_rules/
cp -r /usr/local/lib/snort_dynamicrules/.so_rules /etc/snort/so_rules
INSTALLING BASE:
BASE is the Basic Analysis and Security Engine. It is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts coming from a SNORT IDS system.
Install pear Image Graph, with the following commands.
pear install -f Image_Graph
cd /usr/src
wget http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-518-for-php5/adodb518a.tgz/download-O adodb518.tgz
tar -xvzf adodb518.tgz
mv adodb5 /var/adodb
cd /usr/src
wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
tar -zxvf base-1.4.5.tar.gz
mv base-1.4.5 /var/www/html/base/
cd /var/www/html/base
cp base_conf.php.dist base_conf.php
Make the following edits to the base conf.php configuration file:
vim /var/www/html/base/base_conf.php
$BASE_urlpath = '/base'; # line 50
$DBlib_path = '/var/adodb/'; # line 80
$alert_dbname= 'snort'; # line 102
$alert_host= 'localhost';
$alert_port= '3306';
$alert_user= 'snort';
$alert_password = 'snort'; # line 106
Set permissions on the BASE folder
chown -R apache:apache /var/www/html/base
Since the MySQL password is stored in plaintext in the base conf.php file, we should prevent other users
from reading it:
chmod o-r /var/www/html/base/base_conf.php
BASE is now configured work with our database, restart Apapche:
service httpd restart
Snorby
Snorby is the GUI to display the processed Snort to Barnyard2 output files. It's a ROR application but you can read about it in more details somewhere else.Most of the below are probably already installed by this point but some may still not be.
yum install openssl-devel readline-devel libxml2-devel libxslt-devel mariadb mariadb-devel mariadb-server
\ urw-fonts libX11-devel libXext-devel git \
fontconfig-devel libXrender-devel unzip wget \
xorg-x11-server-Xvfb libyaml libyaml-devel gdbm-devel \
db4-devel libffi-devel ethtool httpd httpd-devel \
ImageMagick ImageMagick-devel curl libcurl \
libcurl-devel libmnl-devel gcc zlib-devel \
jansson-dev
el libnet-devel libnetfilter_queue-devel
yum install xorg-x11-fonts-Type1
yum install xorg-x11-fonts-75dpi
yum install postgresql-devel
yum install java-1.8.0-openjdk
wget http://download.gna.org/wkhtmltopdf/0.12/0.12.2/wkhtmltox-0.12.2_linux-centos7-amd64.rpm
rpm -ivh wkhtmltox-0.12.2_linux-centos7-amd64.rpm
curl -L get.rvm.io | bash -s stable
gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
curl -L get.rvm.io | bash -s stable
source /etc/profile.d/rvm.sh
rvm reload
rvm requirements run
rvm install 2.2.2
gem install bundler
gem install rails
cd /var/www/html
git clone git://github.com/Snorby/snorby.git
vi /var/www/html/snorby/config/snorby_config.yml
production:
baseuri: ''
domain: 'snorby.nfsec.co.uk:8080'
wkhtmltopdf: /usr/local/bin/wkhtmltopdf
ssl: false
mailer_sender: 'snorby@nfsec.com'
geoip_uri: "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
rules:
- ""
authentication_mode: database
timezone_search: true
time_zone: 'Europe/London'
CREATE DATABASE snorby;
GRANT ALL PRIVILEGES ON snorby.* TO snorby@'%' IDENTIFIED BY '****';
GRANT ALL PRIVILEGES ON snorby.* TO snorby@'localhost' IDENTIFIED BY '****';
FLUSH PRIVILEGES;
vi /var/www/html/snorby/config/database.yml
snorby: &snorby
adapter: mysql
username: snorby
password: "*****"
host: localhost
production:
database: snorby
<<: *snorby
cd /var/www/html/snorby/
bundle install
bundle exec rake snorby:setup RAILS_ENV=production
gem install passenger
passenger-install-apache2-module -a
cat /etc/httpd/conf.modules.d/passenger.conf
LoadModule passenger_module /usr/local/rvm/gems/ruby-2.2.2/gems/passenger-5.1.1/buildout/apache2/mod_passenger.so
cat /etc/httpd/conf/httpd.conf |grep "Listen 8080"
Listen 8080
cat /etc/httpd/conf.d/passenger.conf
<IfModule mod_passenger.c>
PassengerRoot /usr/local/rvm/gems/ruby-2.2.2/gems/passenger-5.1.1
PassengerDefaultRuby /usr/local/rvm/gems/ruby-2.2.2/wrappers/ruby
</IfModule>
cat /etc/httpd/conf.d/snorby.conf
<VirtualHost *:8080>
ServerName snorby.hextrim.com
DocumentRoot /var/www/html/snorby/public
RailsEnv production
<Directory /var/www/html/snorby/public>
AllowOverride all
Options -MultiViews
</Directory>
ServerSignature Off
LogLevel info
CustomLog /var/log/httpd/snorby.nfsec.co.uk-access.log combined
ErrorLog /var/log/httpd/snorby.nfsec.co.uk-error.log
</VirtualHost>
cd /var/www/html/snorby
Refresh the Snorby Rails app: $ rake snorby:refresh
Start Snorby: $ rails s -e production -p 8080 Browse to http://{IP ADDRESS}:8080 login with username 'snorby@snorby.org' and password 'snorby'
So what we just did above?
Installed dependencies, rvm and RUBY 2.2.2, wkhtmltox, gem bundler, gem rails.
We then configured snorby and created new DB called snorby.
Then we installed gem passenger and configured apache passenger module and created configuration files for apache to use it and point it to snorby HOME_DIR.
Barnyard2 with Snorby - of course - just change as below:
vim /etc/snort/barnyard2.conf
output database: log, mysql, user=snorby password=********** dbname=snorby host=localhost sensor_name=sensor1
#output database: log, mysql, user=snort password=********** dbname=snort host=localhost
service barnyard2 restart
Comentários
Postar um comentário