https://wiki.alpinelinux.org/w/api.php?action=feedcontributions&user=Myoung&feedformat=atomAlpine Linux - User contributions [en]2024-03-29T10:43:08ZUser contributionsMediaWiki 1.40.0https://wiki.alpinelinux.org/w/index.php?title=Intrusion_Detection_using_Snort&diff=4441Intrusion Detection using Snort2010-10-01T19:39:20Z<p>Myoung: /* Configure Snort and Ruleset */</p>
<hr />
<div>[[Category:Networking]]<br />
<br />
{{Draft}}<br />
<br />
This guide will set up (list subject to change):<br />
* Snort<br />
* Barnyard (maybe)<br />
* BASE<br />
<br />
This guide will assume:<br />
* You know your network layout (at least which subnets exist; the HOME_NET setting below depends on it).<br />
* You have Alpine 2.0.2 installed and working, with networking configured.<br />
* You have had at least three cups of coffee this morning. And not decaf.<br />
<br />
<br />
== Get Development Packages ==<br />
<br />
'''Install the packaged build dependencies and supporting tools'''<br />
<br />
apk add alpine-sdk mysql-dev php-mysql lighttpd php-xml php-pear libpcap-dev php-gd pcre-dev wireshark tcpdump tcpflow cvs bison flex<br />
<br />
Snort's configure step needs libpcap-dev, pcre-dev and mysql-dev (the last one for the MySQL output plugin); lighttpd, php-pear and the php-* packages are the web stack for BASE, and tcpdump, tcpflow and wireshark are useful for checking what traffic the sensor actually sees.<br />
<br />
<br />
== Download Non-Packaged Applications ==<br />
<br />
'''Download the following packages'''<br />
<br />
For the purpose of this document we will assume you download these files to /usr/src.<br />
<br />
:Download snort from www.snort.org. We used version 2.8.6.1 in this document.<br />
:Download the snort rules from http://www.snort.org/snort-rules/ . The rules snapshot must match the Snort release (snortrules-snapshot-2861 for 2.8.6.1); a snapshot made for another version may contain rule options this build does not understand.<br />
:Download BASE from http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz/download<br />
:Download adodb5 from http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-511-for-php5/adodb511.zip/download<br />
:Compare every download against the checksum listed on the site it came from before unpacking it; the sensor is only as trustworthy as the source you build it from.<br />
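The checksum comparison is easy to skip when it is a manual step, so here it is as a small POSIX shell helper that checks every file in /usr/src at once. This is an added example, not part of the original guide or of the Snort project: verify_download compares one file with the md5 or sha256 value you copy from the download page, and verify_all reads a list of "algorithm sum filename" lines and fails if any entry does not match. The demo at the bottom runs on two constructed files whose sums are computed on the spot (one deliberately wrong); it does not contain the real Snort checksums, which you take from snort.org yourself.<br />

```sh
#!/bin/sh
# Added example (not from the Alpine wiki or the Snort project): check
# downloaded tarballs against published checksums before extracting them.
# Uses the md5sum/sha256sum applets that busybox provides on Alpine.

# verify_download FILE ALGO EXPECTED
#   ALGO is md5 or sha256. Returns 0 on match, 1 on mismatch and 2 when the
#   file is missing or the algorithm is not supported.
verify_download() {
    local file="$1" algo="$2" expected="$3" actual
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    case "$algo" in
        md5)    actual=$(md5sum "$file" | cut -d' ' -f1) ;;
        sha256) actual=$(sha256sum "$file" | cut -d' ' -f1) ;;
        *)      echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    # Sites sometimes print upper-case hex; normalise before comparing.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file ($algo)"
        return 0
    fi
    echo "MISMATCH $file: expected $expected, got $actual" >&2
    return 1
}

# verify_all LISTFILE DIR
#   LISTFILE holds one "algo sum filename" entry per line ('#' starts a
#   comment). Every entry must verify; a single failure makes this return 1,
#   so it can gate the "tar -zxvf" step.
verify_all() {
    local list="$1" dir="$2" rc=0 algo sum name
    while read -r algo sum name; do
        [ -n "$algo" ] || continue
        case "$algo" in '#'*) continue ;; esac
        verify_download "$dir/$name" "$algo" "$sum" || rc=1
    done < "$list"
    return $rc
}

# demo_verify: constructed input, not the real Snort files. One entry is
# correct (its md5 is computed here), the other carries a bogus sha256, so
# the overall result is a failure (return status 1).
demo_verify() {
    local tmp good rc
    tmp=$(mktemp -d)
    printf 'not really snort' > "$tmp/snort-2.8.6.1.tar.gz"
    printf 'not really rules' > "$tmp/snortrules-snapshot-2861.tar.gz"
    good=$(md5sum "$tmp/snort-2.8.6.1.tar.gz" | cut -d' ' -f1)
    {
        echo '# algo sum filename'
        echo "md5 $good snort-2.8.6.1.tar.gz"
        echo "sha256 0000000000000000000000000000000000000000000000000000000000000000 snortrules-snapshot-2861.tar.gz"
    } > "$tmp/SUMS"
    if verify_all "$tmp/SUMS" "$tmp"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# Real use (not executed here): put the published sums in /usr/src/SUMS, then
#   verify_all /usr/src/SUMS /usr/src && tar -zxvf /usr/src/snort-2.8.6.1.tar.gz
```

A mismatch is not always an attack; a truncated download produces one too. Either way the answer is the same: fetch the file again rather than unpacking it.<br />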
<br />
== Compile Snort ==<br />
<br />
Uncompress snort with something like:<br />
<br />
tar -zxvf snort-2.8.6.1.tar.gz<br />
<br />
Then configure with dynamic plugin support and the MySQL output plugin enabled (note the double dash on both options), build and install:<br />
<br />
cd snort-2.8.6.1<br />
./configure --enable-dynamicplugin --with-mysql<br />
make<br />
make install<br />
<br />
With no --prefix given this installs under /usr/local, which is why the dynamicdetection path in snort.conf has to be dealt with below.<br />
<br />
== Configure Snort and Ruleset ==<br />
<br />
mkdir /etc/snort<br />
cd /etc/snort<br />
cp /usr/src/snort-2.8.6.1/etc/* .<br />
mv /usr/src/snortrules-snapshot-2861.tar.gz /etc/snort/.<br />
tar -zxvf snortrules-snapshot-2861.tar.gz<br />
<br />
(The tarball has just been moved, so it is unpacked from /etc/snort, not from /usr/src.) This creates the rules, so_rules and preproc_rules directories that snort.conf is pointed at below.<br />
<br />
Now edit the snort.conf file:<br />
<br />
vi snort.conf<br />
<br />
and change the following:<br />
<br />
* Change "var HOME_NET any" to "var HOME_NET X.X.X.X/X" (fill in the subnet you are protecting; several subnets can be given as a bracketed, comma-separated list such as [192.168.1.0/24,10.0.0.0/8]). Leaving HOME_NET at "any" defeats the inside/outside distinction most rules depend on, so get this right first.<br />
* Change "var EXTERNAL_NET any" to "var EXTERNAL_NET !$HOME_NET" (everything that is not HOME_NET is treated as external)<br />
* Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules"<br />
* Change "var SO_RULE_PATH ../so_rules" to "var SO_RULE_PATH /etc/snort/so_rules"<br />
* Change "var PREPROC_RULE_PATH ../preproc_rules" to "var PREPROC_RULE_PATH /etc/snort/preproc_rules"<br />
* Comment out the line "dynamicdetection directory /usr/local/lib/snort_dynamicrules" by placing a "#" in front of it. That directory does not exist on this install and Snort refuses to start when a dynamicdetection directory cannot be opened; as a consequence the shared-object rules in so_rules are not loaded by this guide.<br />
* Scroll down to the section containing "# output database: log, ..." and remove the "#" from in front of that line.<br />
* Edit the line to look like this:<br />
:output database: log, mysql, user=root password=yoursecretpassword dbname=snort host=localhost<br />
* Make note of the username, password and dbname; you will need them when setting up MySQL. The password is stored in clear text here, so make the file readable only by root (chmod 600 /etc/snort/snort.conf). Logging in as the MySQL root account is the quickest way to get going, but for anything beyond a test box create a dedicated MySQL user that has only SELECT, INSERT and UPDATE on the snort database and put that account here instead.<br />
* Find this line (line 194 in the 2.8.6.1 default snort.conf)<br />
::preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 20480 decompress_depth 20480<br />
:and remove everything from "compress_depth" to the end of the line, so that it reads:<br />
::preprocessor http_inspect: global iis_unicode_map unicode.map 1252<br />
* Find this line (line 207 in the 2.8.6.1 default snort.conf)<br />
::inspect_gzip \<br />
:and remove it.<br />
:Both edits are needed because gzip handling in http_inspect depends on zlib support that the configure line above does not enable; with the options left in, Snort rejects the configuration at startup. The trade-off is that gzip-compressed HTTP responses are not inspected. If you want them inspected, install zlib-dev, rebuild Snort with --enable-zlib added to the configure line, and keep these options instead.<br />
* Save and quit.<br />
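These edits are fiddly to repeat on every sensor and easy to get subtly wrong, so here is the same procedure as a shell script. This is an added example, not part of the original guide or of the Snort project: patch_snort_conf applies each change from the list above with sed, writes the result to a separate file and restricts its permissions because of the password it contains, and check_snort_conf confirms that none of the stock settings survived. The excerpt produced by sample_snort_conf is constructed for the demo from the lines quoted above and is not the real 2.8.6.1 file; the database user and password arguments are placeholders, and in real use you point the script at /etc/snort/snort.conf.<br />

```sh
#!/bin/sh
# Added example (not from the Alpine wiki or the Snort project): apply the
# snort.conf edits listed in this section with sed and verify the result.

# patch_snort_conf SRC DST HOME_NET DBUSER DBPASS
#   Writes an edited copy of SRC to DST. HOME_NET must be a CIDR block or a
#   bracketed list such as [192.168.1.0/24,10.0.0.0/8]; DBUSER/DBPASS go into
#   the "output database:" line. Returns 2 on bad arguments, 0 otherwise.
patch_snort_conf() {
    local src="$1" dst="$2" home_net="$3" dbuser="$4" dbpass="$5"
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 2; }
    case "$home_net" in
        */*|\[*\]) ;;   # "a.b.c.d/n" or "[net1,net2]"
        *) echo "HOME_NET must be CIDR notation, got '$home_net'" >&2; return 2 ;;
    esac
    case "$dbuser$dbpass" in
        *['|&']*) echo "db user/password may not contain | or & (sed delimiters)" >&2; return 2 ;;
    esac
    sed \
      -e "s|^var HOME_NET any\$|var HOME_NET $home_net|" \
      -e 's|^var EXTERNAL_NET any$|var EXTERNAL_NET !$HOME_NET|' \
      -e 's|^var RULE_PATH \.\./rules$|var RULE_PATH /etc/snort/rules|' \
      -e 's|^var SO_RULE_PATH \.\./so_rules$|var SO_RULE_PATH /etc/snort/so_rules|' \
      -e 's|^var PREPROC_RULE_PATH \.\./preproc_rules$|var PREPROC_RULE_PATH /etc/snort/preproc_rules|' \
      -e 's|^\(dynamicdetection directory /usr/local/lib/snort_dynamicrules\)|# \1|' \
      -e "s|^# output database: log, mysql, .*|output database: log, mysql, user=$dbuser password=$dbpass dbname=snort host=localhost|" \
      -e 's| compress_depth 20480 decompress_depth 20480$||' \
      -e '/^[[:space:]]*inspect_gzip \\$/d' \
      "$src" > "$dst" || return 1
    # The file now carries a database password: owner-only access.
    chmod 600 "$dst"
}

# check_snort_conf FILE
#   Returns 1 if any setting this section replaces is still present or the
#   database output line was not enabled; prints what is wrong.
check_snort_conf() {
    local conf="$1" rc=0 pat
    for pat in '^var HOME_NET any$' '^var EXTERNAL_NET any$' \
               '^var [A-Z_]*RULE_PATH \.\./' '^dynamicdetection directory' \
               'compress_depth' 'inspect_gzip'; do
        if grep -q "$pat" "$conf"; then echo "still present: $pat" >&2; rc=1; fi
    done
    grep -q '^output database: log, mysql, ' "$conf" \
        || { echo "database output is not enabled" >&2; rc=1; }
    return $rc
}

# sample_snort_conf: constructed excerpt with the stock values this section
# changes, laid out like the 2.8.6.1 file (it is not the real file).
sample_snort_conf() {
    cat <<'EOF'
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicdetection directory /usr/local/lib/snort_dynamicrules
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 20480 decompress_depth 20480
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } \
    inspect_gzip \
    oversize_dir_length 500
# output database: log, mysql, user=root password=test dbname=db host=localhost
EOF
}

# Real use (not executed here):
#   patch_snort_conf /etc/snort/snort.conf /etc/snort/snort.conf.new 192.168.1.0/24 snort 'secret' \
#     && check_snort_conf /etc/snort/snort.conf.new \
#     && mv /etc/snort/snort.conf.new /etc/snort/snort.conf
```

After patching the real file, run Snort in configuration-test mode, snort -T -c /etc/snort/snort.conf, which parses the configuration and rules and exits without sniffing; that catches any remaining option this build does not support before the sensor goes live.<br />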
<br />
== Start and Setup MySQL ==<br />
<br />
(Need to add detail here on starting up MySQL for the first time)<br />
<br />
/usr/bin/mysql_install_db --user=mysql<br />
rc-update add mysql<br />
/etc/init.d/mysql start<br />
/usr/bin/mysqladmin -u root password 'password' (a fresh mysql_install_db leaves root with no password at all, so do this straight away; use the same password you put in snort.conf)<br />
mysql -u root -p<br />
<br />
Once in mysql, type the following commands:<br />
<br />
mysql> create database snort;<br />
mysql> exit<br />
<br />
Now create the database schema that Snort's output plugin expects:<br />
<br />
mysql -D snort -u root -p < /usr/src/snort-2.8.6.1/schemas/create_mysql<br />
<br />
Check that it worked with "mysql -u root -p -e 'show tables' snort"; among others you should see the event, sensor and signature tables.<br />
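Everything in this section runs as the MySQL root account, and the same account then ends up in snort.conf and in BASE's configuration. For a sensor that will stay up, give each component its own account with only the rights it uses. This is an added example, not part of the original guide, of Snort or of BASE: snort_db_sql prints the statements that create the database and two such accounts, and snort_output_line prints the matching snort.conf directive so the two cannot drift apart. The privilege lists follow what the Snort database output plugin does (insert events and packet headers, read and update the sensor, signature and reference tables) and what BASE does (additionally create and maintain its alert-group tables and let an operator delete alerts); the account names, passwords and database name are placeholders, and the GRANT ... IDENTIFIED BY form is the MySQL 5 syntax of the server Alpine 2.0 ships.<br />

```sh
#!/bin/sh
# Added example (not from the Alpine wiki, Snort or BASE): least-privilege
# MySQL accounts for the Snort sensor and the BASE console, generated as SQL
# so the statements can be reviewed before they are piped into mysql.

# snort_db_sql DBNAME SENSOR_USER SENSOR_PASS BASE_USER BASE_PASS
#   Prints the SQL. Names and passwords end up inside quoted literals, so a
#   quote or backquote in any of them is rejected rather than silently
#   breaking (or changing the meaning of) a statement.
snort_db_sql() {
    local db="$1" suser="$2" spass="$3" buser="$4" bpass="$5"
    case "$db$suser$spass$buser$bpass" in
        *"'"*|*'`'*) echo "names and passwords may not contain quotes or backquotes" >&2; return 2 ;;
    esac
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\`;

-- Sensor account: the database output plugin inserts events and packet
-- headers and reads/updates the sensor, signature and reference tables.
-- It never needs DELETE, DROP, ALTER or GRANT.
GRANT SELECT, INSERT, UPDATE ON \`$db\`.* TO '$suser'@'localhost' IDENTIFIED BY '$spass';

-- Console account: BASE creates its own acid_*/base_* tables (setup step 4),
-- indexes them and lets an operator delete alerts, so it also needs CREATE,
-- INDEX and DELETE. Keeping it separate means the credentials stored in
-- base_conf.php on the web server are not the sensor's, and the sensor's
-- account cannot be used to wipe the alert tables.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, INDEX ON \`$db\`.* TO '$buser'@'localhost' IDENTIFIED BY '$bpass';

FLUSH PRIVILEGES;
EOF
}

# snort_output_line DBNAME SENSOR_USER SENSOR_PASS
#   The snort.conf directive that matches the sensor account above.
snort_output_line() {
    printf 'output database: log, mysql, user=%s password=%s dbname=%s host=localhost\n' "$2" "$3" "$1"
}

# Real use (not executed here). Load the schema as root first, exactly as in
# this section, because create_mysql needs CREATE rights the sensor account
# deliberately lacks; then:
#   snort_db_sql snort snort_w 'Sens0rPw' base_u 'C0ns0lePw' | mysql -u root -p
#   snort_output_line snort snort_w 'Sens0rPw'    # replaces the user=root line in snort.conf
# and enter base_u / C0ns0lePw at BASE setup step 2 instead of root.
```

Passwords passed as arguments are briefly visible in the process list; on a shared host read them from a root-only file instead. Whatever account you settle on, the password also sits in clear text in snort.conf and base_conf.php, so those files need restrictive permissions as well.<br />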
<br />
== Configure PHP and PEAR ==<br />
<br />
Edit /etc/php/php.ini and add the following under "Dynamic Extensions".<br />
<br />
extension=mysql.so<br />
extension=gd.so<br />
<br />
Save and exit. From the command line, type the following:<br />
<br />
pear install Image_Color<br />
pear install Image_Canvas-alpha<br />
pear install Image_Graph-alpha<br />
pear install mail<br />
pear install mail_mime<br />
<br />
== Start Apache or lighttpd ==<br />
<br />
Need to decide which of these to use in production. The package list above installs lighttpd; whichever you choose, it needs PHP enabled and must serve /var/www/localhost/htdocs, which is where BASE is placed below. Do not expose the console to the whole network: BASE shows every alert, and the setup page used below is reachable by anyone who can reach the web server, so restrict access to an administrative network at the web server or the firewall.<br />
<br />
== Setup BASE ==<br />
<br />
mv /usr/src/adodb5 /var/www/localhost/htdocs/.<br />
mv /usr/src/base-1.4.5/* /var/www/localhost/htdocs/.<br />
<br />
(Unpack the two downloads first: unzip adodb511.zip produces the adodb5 directory and tar -zxvf base-1.4.5.tar.gz produces base-1.4.5.)<br />
<br />
Now, open your web browser and navigate to http://X.X.X.X/setup (where X.X.X.X is your server's IP address)<br />
<br />
:Click continue on the first page.<br />
:Step 1 of 5: Enter the path to ADODB.<br />
::This is /var/www/localhost/htdocs/adodb5.<br />
:Step 2 of 5:<br />
::Database type = MySQL, Database name = snort, Database Host = localhost, Database username = root, Database Password = YOUR_PASSWORD<br />
::(If you created a dedicated MySQL account for BASE, enter that here instead of root.)<br />
:Step 3 of 5: If you want to use authentication, enter a username and password here. You do want it unless the console is already behind some other authentication: without it, anyone who can reach the web server can read and delete alerts.<br />
:Step 4 of 5: Click on Create BASE AG.<br />
:Step 5 of 5: Once step 4 is done, click "Now continue to step 5" at the bottom.<br />
:Copy the text on the screen and paste it into a new file named /var/www/localhost/htdocs/base_conf.php. Save that file.<br />
:base_conf.php now holds the database password, so make it readable only by the web server user, and remove or block the setup directory so the wizard cannot be run again against the live database.<br />
<br />
<br />
== Configure Barnyard ==<br />
<br />
To improve performance.</div>Myounghttps://wiki.alpinelinux.org/w/index.php?title=Tutorials_and_Howtos&diff=4435Tutorials and Howtos2010-10-01T18:27:55Z<p>Myoung: /* Drafts */</p>
<hr />
<div>[[Image:package_edutainment.svg|left|link=]]<br />
{{TOC right}}'''Welcome to Tutorials and Howtos, a place for basic and advanced configuration tasks for your Alpine Linux.'''<br />
The tutorials are hands-on and the reader is expected to try to achieve the goals described in each step, possibly with the help of good examples. The output of one step is the starting point for the following step.<br/><br />
Howtos are smaller articles explaining how to perform a particular task with Alpine Linux. We encourage people both to send in complete articles and to request topics to be covered. If you think you have the skills and knowledge to write an Alpine Linux related article, please do so on this Wiki. If you want to request a topic, please add your request on the [[Talk:Tutorials_and_Howtos|Discussion]] page.<br />
<br />
== Installation ==<br />
* [[Setting up Logical Volumes with LVM]]<br />
* [[Replacing non-Alpine Linux with Alpine remotely]]<br />
* [[Installing XFCE as a VirtualBox guest]]<br />
* [[Enable Serial Console on Boot]]<br />
* [[How to enable APK caching]]<br />
* [[Install Alpine on VirtualBox]]<br />
* [[Upgrading to Edge]]<br />
<br />
== Networking ==<br />
* [[Howto Configure a Network Bridge]]<br />
* [[Setting up a OpenVPN-server with Alpine]]<br />
* [[Setting up traffic monitoring using rrdtool (and snmp)]]<br />
* [[Setting up Zaptel/Asterisk on Alpine]]<br />
* [[Using HSDPA modem]]<br />
* [[Using Alpine on Windows domain with IPSEC isolation]]<br />
<br />
== Web Applications ==<br />
* [[2600hz]] ''FreeSWITCH, Asterisk GUI web acces tool.''<br />
* [[Awstats]] ''Free log file analyzer.''<br />
* [[Drupal]] ''Content Management System (CMS) written in PHP.''<br />
* [[EyeOS]] ''Cloud Computing Desktop.''<br />
* [[FreePBX_V3]] ''FreeSWITCH, Asterisk GUI web access tool.''<br />
* [[Glpi]] ''Information Resource-Manager.''<br />
* [[MediaWiki]] ''Free web-based wiki software application''<br />
* [[Phpizabi]] ''Social Networking Platform.''<br />
* [[PhpPgAdmin]] ''Web-based administration tool for PostgreSQL.''<br />
* [[Phpmyadmin]] ''Web-based administration tool for MYSQL.''<br />
* [[Statusnet]] ''Microblogging Platform.''<br />
* [[Sqstat]] ''Script to look at active squid users' connections.''<br />
* [[Webmin]] ''A web-based interface for Linux system.''<br />
* [[WordPress]] ''Web software to create website or blog. ''<br />
<br />
== Misc ==<br />
* [[Setting up lm_sensors]]<br />
* [[Setting up Satellite Internet Connection]]<br />
* [[Formatting HD/Floppy/Other]]<br />
* [[Setting up Transmission (bittorrent) with Clutch WebUI]]<br />
* [[Hosting services on Alpine]] ''(This applies to hosting mail, webservices and other services)''<br />
** [[Setting up postfix with virtual domains]]<br />
** [[Protecting your email server with Alpine]]<br />
** [[Hosting Web/Email services on Alpine]]<br />
* [[Running Alpine Linux As a QEMU networked Guest ]]<br />
* [[Screen on console]]<br />
* [[Using espeak on Alpine Linux]]<br />
* [[Generating SSL certs with ACF]]<br />
* [[Setting up a ssh-server]]<br />
* [[Changing passwords for ACF]]<br />
* [[Multiple Instances of Services]]<br />
* [[Setting up NRPE daemon]] ''(Performs remote Nagios checks)''<br />
* [[IPTV How To]]<br />
* [[ISP Mail Server HowTo]] ''(Postfix+PostfixAdmin+DoveCot+Roundcube+ClamAV+Spamd - A full-service ISP mail server)''<br />
* [[XFCE Setup]]<br />
* [[Freepbx on Alpine Linux]]<br />
* [[Setting up Smokeping]] ''(Smokeping network latency monitoring)''<br />
* [[Apache authentication: NTLM Single Signon]]<br />
<br />
== iSCSI ==<br />
* [[iSCSI Target and Initiator Configuration]]<br />
* [[iSCSI Raid and Clustered File Systems]]<br />
<br />
== Vserver ==<br />
* [[Setting up a basic vserver]]<br />
<br />
== Drafts ==<br />
Those are not finished yet.<br />
* [[AlpineSystem:CoLinux_Setup | Installing Alpine on CoLinux ]]<br />
* [[Using Racoon for Remote Sites]]<br />
* [[High Performance and Fault Tolerant Routing with Alpine Linux]]<br />
* [[Setting up Transparent Squid Proxy]] ''(Covers Squid proxy and URL Filtering system)''<br />
** [[Obtaining user information via SNMP]] ''(Using the Squark Squid authentication helper)''<br />
* [[Setting up Streaming an Asterisk Channel]]<br />
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)''<br />
* [[Intrusion Detection using Snort]] ''Installing and configuring Snort and related applications on Alpine 2.0.x''<br />
<br />
== Obsolete Docs ==<br />
Those are candidates for rewriting/removal.<br />
* [[Bootstrapping Alpine on Soekris net4xxx]]<br />
* [[Bootstrapping Alpine on PC Engines ALIX.3]]<br />
* [[Setting up a software raid1 array]]<br />
* [[Setting up a /var partition on software IDE raid1]]<br />
* [[Booting Alpine on an HP ML350 G6]]<br />
<br />
* [[Native Harddisk Install]]<br />
* [[Installing XUbuntu using Alpine boot floppy]]<br />
* [[Setting up trac wiki]]</div>
Myoung
https://wiki.alpinelinux.org/w/index.php?title=Intrusion_Detection_using_Snort,_Sguil,_Barnyard_and_more&diff=4434
Intrusion Detection using Snort, Sguil, Barnyard and more
2010-10-01T11:34:38Z
<p>Myoung: </p>
<hr />
<div>[[Category:Networking]]<br />
<br />
{{Draft}}<br />
<br />
This guide will set up (list subject to change):<br />
* Snort<br />
* Barnyard<br />
* Sguil<br />
<br />
This guide will assume:<br />
* You have a knowledge of your network setup (at least know which subnets exist)<br />
* You have Alpine 2.0.2 installed and working with networking setup<br />
<br />
== Get Development Packages ==<br />
<br />
'''Install Alpine and Pre-packaged components'''<br />
<br />
apk add alpine-sdk mysql-dev openssl-dev snort wireshark tcpdump tcpflow cvs<br />
<br />
<br />
== Download Non-Packaged Applications ==<br />
<br />
'''Download the following packages using wget'''<br />
<br />
cd /usr/src<br />
wget itcl3.4b1.tar.gz<br />
wget tcl8.4.19-src.tar.gz<br />
wget tk8.4.19-src.tar.gz<br />
wget mysqltcl-3.02.tar.gz<br />
wget tclx8.4.tar.bz2<br />
wget tls1.6-src.tar.gz<br />
wget barnyard-0.2.0.tar.gz<br />
wget tcllib-1.12.tar.gz<br />
wget p0f.tgz<br />
wget iwidgets4.0.1.tar.gz<br />
<br />
(need to add source locations for all the packages above)<br />
<br />
<br />
== sguild Configuration Steps ==<br />
<br />
'''Configure sguild'''<br />
<br />
mkdir -p /home/sguil/sguild_data/archive<br />
mkdir /home/sguil/sguild_data/rules<br />
mkdir /home/sguil/sguild_data/load<br />
chown -R sguil.sguil /home/sguil/sguild_data<br />
<br />
Now, start mysql using: mysql -u root -p<br />
<br />
GRANT ALL PRIVILEGES ON sguildb.* TO sguil@localhost IDENTIFIED BY "password";<br />
GRANT FILE ON *.* to sguil@localhost;<br />
USE mysql;<br />
update user set Password = OLD_PASSWORD("password") where User = "sguil";<br />
FLUSH PRIVILEGES;<br />
QUIT;<br />
<br />
From the command line:<br />
<br />
mysql -u sguil -p -e "CREATE DATABASE sguildb"<br />
mysql -u sguil -p -D sguildb < /usr/local/sguil/server/sql_scripts/create_sguildb.sql<br />
mysql -u sguil -p -D sguildb -e "show tables"<br />
<br />
mkdir /var/run/sguil<br />
chown sguil.sguil /var/run/sguil<br />
<br />
mkdir -p /etc/sguild/certs<br />
cp /usr/local/sguil/server/sguild.conf /etc/sguild<br />
cp /usr/local/sguil/server/autocat.conf /etc/sguild<br />
cp /usr/local/sguil/server/sguild.users /etc/sguild<br />
cp /usr/local/sguil/server/sguild.queries /etc/sguild<br />
cp /usr/local/sguil/server/sguild.access /etc/sguild<br />
cp /usr/local/sguil/server/sguild.email /etc/sguild<br />
cp /usr/local/sguil/server/sguild.reports /etc/sguild<br />
chown -R sguil.sguil /etc/sguild<br />
<br />
Now edit /etc/sguild/sguild.conf and change the following lines to match the below:<br />
<br />
set SGUILD_LIB_PATH /usr/local/sguil/server/lib<br />
set DEBUG 0<br />
set SENSOR_AGGREGATION_ON 0<br />
set RULESDIR /home/sguil/sguild_data/rules<br />
set DBPASS "password"<br />
set DBUSER sguil<br />
set LOCAL_LOG_DIR /home/sguil/sguild_data/archive<br />
set TCPFLOW /usr/bin/tcpflow<br />
set P0F 1<br />
set P0F_PATH /usr/local/bin/p0f<br />
set TMP_LOAD_DIR /home/sguil/sguild_data/load</div>
Myoung
https://wiki.alpinelinux.org/w/index.php?title=Intrusion_Detection_using_Snort,_Sguil,_Barnyard_and_more&diff=4433
Intrusion Detection using Snort, Sguil, Barnyard and more
2010-10-01T11:33:58Z
<p>Myoung: /* sguild Configuration Steps */</p>
<hr />
<div>[[Category:Networking]]<br />
<br />
{{Draft}}<br />
<br />
This guide will set up (list subject to change):<br />
* Snort<br />
* Barnyard<br />
* Sguil<br />
<br />
This guide will assume:<br />
* You have a knowledge of your network setup (at least know which subnets exist)<br />
* You have Alpine 2.0.2 installed and working with networking setup<br />
<br />
== Get Development Packages ==<br />
<br />
'''Install Alpine and Pre-packaged components'''<br />
<br />
apk add alpine-sdk mysql-dev openssl-dev snort wireshark tcpdump tcpflow cvs<br />
<br />
<br />
== Download Non-Packaged Applications ==<br />
<br />
'''Download the following packages using wget'''<br />
<br />
cd /usr/src<br />
wget itcl3.4b1.tar.gz<br />
wget tcl8.4.19-src.tar.gz<br />
wget tk8.4.19-src.tar.gz<br />
wget mysqltcl-3.02.tar.gz<br />
wget tclx8.4.tar.bz2<br />
wget tls1.6-src.tar.gz<br />
wget barnyard-0.2.0.tar.gz<br />
wget tcllib-1.12.tar.gz<br />
wget p0f.tgz<br />
wget iwidgets4.0.1.tar.gz<br />
<br />
(need to add source locations for all the packages above)<br />
<br />
<br />
== sguild Configuration Steps ==<br />
<br />
'''Configure sguild'''<br />
<br />
mkdir -p /home/sguil/sguild_data/archive<br />
mkdir /home/sguil/sguild_data/rules<br />
mkdir /home/sguil/sguild_data/load<br />
chown -R sguil.sguil /home/sguil/sguild_data<br />
<br />
Now, start mysql using: mysql -u root -p<br />
<br />
GRANT ALL PRIVILEGES ON sguildb.* TO sguil@localhost IDENTIFIED BY "password";<br />
GRANT FILE ON *.* to sguil@localhost;<br />
USE mysql;<br />
update user set Password = OLD_PASSWORD("password") where User = "sguil";<br />
FLUSH PRIVILEGES;<br />
QUIT;<br />
<br />
From the command line:<br />
<br />
mysql -u sguil -p -e "CREATE DATABASE sguildb"<br />
mysql -u sguil -p -D sguildb < /usr/local/sguil/server/sql_scripts/create_sguildb.sql<br />
mysql -u sguil -p -D sguildb -e "show tables"<br />
<br />
mkdir /var/run/sguil<br />
chown sguil.sguil /var/run/sguil<br />
<br />
mkdir -p /etc/sguild/certs<br />
cp /usr/local/sguil/server/sguild.conf /etc/sguild<br />
cp /usr/local/sguil/server/autocat.conf /etc/sguild<br />
cp /usr/local/sguil/server/sguild.users /etc/sguild<br />
cp /usr/local/sguil/server/sguild.queries /etc/sguild<br />
cp /usr/local/sguil/server/sguild.access /etc/sguild<br />
cp /usr/local/sguil/server/sguild.email /etc/sguild<br />
cp /usr/local/sguil/server/sguild.reports /etc/sguild<br />
chown -R sguil.sguil /etc/sguild<br />
<br />
Now edit /etc/sguild/sguild.conf and change the following lines to match the below:<br />
<br />
set SGUILD_LIB_PATH /usr/local/sguil/server/lib<br />
set DEBUG 0<br />
set SENSOR_AGGREGATION_ON 0<br />
set RULESDIR /home/sguil/sguild_data/rules<br />
set DBPASS "867s309"<br />
set DBUSER sguil<br />
set LOCAL_LOG_DIR /home/sguil/sguild_data/archive<br />
set TCPFLOW /usr/bin/tcpflow<br />
set P0F 1<br />
set P0F_PATH /usr/local/bin/p0f<br />
set TMP_LOAD_DIR /home/sguil/sguild_data/load</div>
Myoung
https://wiki.alpinelinux.org/w/index.php?title=Intrusion_Detection_using_Snort,_Sguil,_Barnyard_and_more&diff=4432
Intrusion Detection using Snort, Sguil, Barnyard and more
2010-10-01T11:31:28Z
<p>Myoung: </p>
<hr />
<div>[[Category:Networking]]<br />
<br />
{{Draft}}<br />
<br />
This guide will set up (list subject to change):<br />
* Snort<br />
* Barnyard<br />
* Sguil<br />
<br />
This guide will assume:<br />
* You have a knowledge of your network setup (at least know which subnets exist)<br />
* You have Alpine 2.0.2 installed and working with networking setup<br />
<br />
== Get Development Packages ==<br />
<br />
'''Install Alpine and Pre-packaged components'''<br />
<br />
apk add alpine-sdk mysql-dev openssl-dev snort wireshark tcpdump tcpflow cvs<br />
<br />
<br />
== Download Non-Packaged Applications ==<br />
<br />
'''Download the following packages using wget'''<br />
<br />
cd /usr/src<br />
wget itcl3.4b1.tar.gz<br />
wget tcl8.4.19-src.tar.gz<br />
wget tk8.4.19-src.tar.gz<br />
wget mysqltcl-3.02.tar.gz<br />
wget tclx8.4.tar.bz2<br />
wget tls1.6-src.tar.gz<br />
wget barnyard-0.2.0.tar.gz<br />
wget tcllib-1.12.tar.gz<br />
wget p0f.tgz<br />
wget iwidgets4.0.1.tar.gz<br />
<br />
(need to add source locations for all the packages above)<br />
<br />
<br />
== sguild Configuration Steps ==<br />
<br />
'''Configure sguild'''<br />
<br />
mkdir -p /home/sguil/sguild_data/archive<br />
mkdir /home/sguil/sguild_data/rules<br />
mkdir /home/sguil/sguild_data/load<br />
chown -R sguil.sguil /home/sguil/sguild_data<br />
<br />
GRANT ALL PRIVILEGES ON sguildb.* TO sguil@localhost IDENTIFIED BY "867s309";<br />
GRANT FILE ON *.* to sguil@localhost;<br />
USE mysql;<br />
update user set Password = OLD_PASSWORD("867s309") where User = "sguil";<br />
FLUSH PRIVILEGES;<br />
<br />
mysql -u sguil -p -e "CREATE DATABASE sguildb"<br />
mysql -u sguil -p -D sguildb < /usr/local/sguil/server/sql_scripts/create_sguildb.sql<br />
mysql -u sguil -p -D sguildb -e "show tables"<br />
<br />
mkdir /var/run/sguil<br />
chown sguil.sguil /var/run/sguil<br />
<br />
mkdir -p /etc/sguild/certs<br />
cp /usr/local/sguil/server/sguild.conf /etc/sguild<br />
cp /usr/local/sguil/server/autocat.conf /etc/sguild<br />
cp /usr/local/sguil/server/sguild.users /etc/sguild<br />
cp /usr/local/sguil/server/sguild.queries /etc/sguild<br />
cp /usr/local/sguil/server/sguild.access /etc/sguild<br />
cp /usr/local/sguil/server/sguild.email /etc/sguild<br />
cp /usr/local/sguil/server/sguild.reports /etc/sguild<br />
chown -R sguil.sguil /etc/sguild<br />
<br />
vi /etc/sguild/sguild.conf<br />
set SGUILD_LIB_PATH /usr/local/sguil/server/lib<br />
set DEBUG 0<br />
set SENSOR_AGGREGATION_ON 0<br />
set RULESDIR /home/sguil/sguild_data/rules<br />
set DBPASS "867s309"<br />
set DBUSER sguil<br />
set LOCAL_LOG_DIR /home/sguil/sguild_data/archive<br />
set TCPFLOW /usr/bin/tcpflow<br />
set P0F 1<br />
set P0F_PATH /usr/local/bin/p0f<br />
set TMP_LOAD_DIR /home/sguil/sguild_data/load</div>
Myoung
https://wiki.alpinelinux.org/w/index.php?title=Intrusion_Detection_using_Snort,_Sguil,_Barnyard_and_more&diff=4431
Intrusion Detection using Snort, Sguil, Barnyard and more
2010-10-01T11:29:55Z
<p>Myoung: </p>
<hr />
<div>[[Category:Networking]]<br />
<br />
{{Draft}}<br />
<br />
This guide will set up (list subject to change):<br />
* Snort<br />
* Barnyard<br />
* Sguil<br />
<br />
This guide will assume:<br />
* You have a knowledge of your network setup (at least know which subnets exist)<br />
* You have Alpine 2.0.2 installed and working with networking setup<br />
<br />
== Get Development Packages ==<br />
<br />
'''Install Alpine and Pre-packaged components'''<br />
<br />
apk add alpine-sdk mysql-dev openssl-dev snort wireshark tcpdump tcpflow cvs<br />
<br />
<br />
== Download Non-Packaged Applications ==<br />
<br />
'''Download the following packages using wget'''<br />
<br />
cd /usr/src<br />
wget itcl3.4b1.tar.gz<br />
wget tcl8.4.19-src.tar.gz<br />
wget tk8.4.19-src.tar.gz<br />
wget mysqltcl-3.02.tar.gz<br />
wget tclx8.4.tar.bz2<br />
wget tls1.6-src.tar.gz<br />
wget barnyard-0.2.0.tar.gz<br />
wget tcllib-1.12.tar.gz<br />
wget p0f.tgz<br />
wget iwidgets4.0.1.tar.gz<br />
<br />
(need to add source locations for all the packages above)</div>
Myoung
https://wiki.alpinelinux.org/w/index.php?title=Intrusion_Detection_using_Snort,_Sguil,_Barnyard_and_more&diff=4430
Intrusion Detection using Snort, Sguil, Barnyard and more
2010-10-01T11:25:22Z
<p>Myoung: </p>
<hr />
<div>[[Category:Networking]]<br />
<br />
{{Draft}}<br />
<br />
This guide will set up (list subject to change):<br />
* Snort<br />
* Barnyard<br />
* Sguil<br />
<br />
This guide will assume:<br />
* You have a knowledge of your network setup (at least know which subnets exist)<br />
* You have Alpine 2.0.2 installed and working with networking setup<br />
<br />
== Get Development Packages ==<br />
<br />
'''Install Alpine and Pre-packaged components'''<br />
<br />
apk add alpine-sdk mysql-dev openssl-dev snort wireshark tcpdump tcpflow cvs</div>
Myoung
https://wiki.alpinelinux.org/w/index.php?title=Intrusion_Detection_using_Snort,_Sguil,_Barnyard_and_more&diff=4429
Intrusion Detection using Snort, Sguil, Barnyard and more
2010-10-01T11:24:37Z
<p>Myoung: </p>
<hr />
<div>[[Category:Networking]]<br />
<br />
{{Draft}}<br />
<br />
This guide will set up (list subject to change):<br />
* Snort<br />
* Barnyard<br />
* Sguil<br />
<br />
This guide will assume:<br />
* You have a knowledge of your network setup (at least know which subnets exist)<br />
* You have Alpine 2.0.2 installed and working with networking setup<br />
<br />
== Installing Working Environment ==<br />
<br />
'''Install Alpine and Pre-packaged components'''<br />
<br />
apk add alpine-sdk mysql-dev openssl-dev snort wireshark tcpdump tcpflow cvs</div>
Myoung
https://wiki.alpinelinux.org/w/index.php?title=Intrusion_Detection_using_Snort,_Sguil,_Barnyard_and_more&diff=4428
Intrusion Detection using Snort, Sguil, Barnyard and more
2010-10-01T11:20:06Z
<p>Myoung: Created page with "NOTE: This is a work-in-progress, draft document... Use at your own risk. Step 1: Install Alpine 2.0.2 Step 2: apk add alpine-sdk mysql-dev openssl-dev snort wireshark tcpdump..."</p>
<hr />
<div>NOTE: This is a work-in-progress, draft document... Use at your own risk.<br />
<br />
Step 1: Install Alpine 2.0.2<br />
<br />
Step 2: apk add alpine-sdk mysql-dev openssl-dev snort wireshark tcpdump tcpflow cvs</div>
Myoung
https://wiki.alpinelinux.org/w/index.php?title=Tutorials_and_Howtos&diff=4427
Tutorials and Howtos
2010-10-01T11:17:52Z
<p>Myoung: /* Drafts */</p>
<hr />
<div>[[Image:package_edutainment.svg|left|link=]]<br />
{{TOC right}}'''Welcome to Tutorials and Howtos, a place of basic and advanced configuration tasks for your Alpine Linux.'''<br />
The tutorials are hands-on and the reader is expected to try to achieve the goals described in each step, possibly with the help of good examples. The output of one step is the starting point for the following step.<br /><br />
Howtos are smaller articles explaining how to perform a particular task with Alpine Linux. We encourage people both to send in complete articles and to request topics to be covered. If you think you have the skills and knowledge to write an Alpine Linux related article, please do so on this Wiki. If you want to request a topic, please add your request on the [[Talk:Tutorials_and_Howtos|Discussion]] page.<br />
<br />
== Installation ==<br />
* [[Setting up Logical Volumes with LVM]]<br />
* [[Replacing non-Alpine Linux with Alpine remotely]]<br />
* [[Installing XFCE as a VirtualBox guest]]<br />
* [[Enable Serial Console on Boot]]<br />
* [[How to enable APK caching]]<br />
* [[Install Alpine on VirtualBox]]<br />
* [[Upgrading to Edge]]<br />
<br />
== Networking ==<br />
* [[Howto Configure a Network Bridge]]<br />
* [[Setting up a OpenVPN-server with Alpine]]<br />
* [[Setting up traffic monitoring using rrdtool (and snmp)]]<br />
* [[Setting up Zaptel/Asterisk on Alpine]]<br />
* [[Using HSDPA modem]]<br />
* [[Using Alpine on Windows domain with IPSEC isolation]]<br />
<br />
== Web Applications ==<br />
* [[2600hz]] ''FreeSWITCH, Asterisk GUI web access tool.''<br />
* [[Awstats]] ''Free log file analyzer.''<br />
* [[Drupal]] ''Content Management System (CMS) written in PHP.''<br />
* [[EyeOS]] ''Cloud Computing Desktop.''<br />
* [[FreePBX_V3]] ''FreeSWITCH, Asterisk GUI web access tool.''<br />
* [[Glpi]] ''Information Resource-Manager.''<br />
* [[MediaWiki]] ''Free web-based wiki software application''<br />
* [[Phpizabi]] ''Social Networking Platform.''<br />
* [[PhpPgAdmin]] ''Web-based administration tool for PostgreSQL.''<br />
* [[Phpmyadmin]] ''Web-based administration tool for MYSQL.''<br />
* [[Statusnet]] ''Microblogging Platform.''<br />
* [[Sqstat]] ''Script to look at active squid users' connections.''<br />
* [[Webmin]] ''A web-based interface for Linux system.''<br />
* [[WordPress]] ''Web software to create website or blog. ''<br />
<br />
== Misc ==<br />
* [[Setting up lm_sensors]]<br />
* [[Setting up Satellite Internet Connection]]<br />
* [[Formatting HD/Floppy/Other]]<br />
* [[Setting up Transmission (bittorrent) with Clutch WebUI]]<br />
* [[Hosting services on Alpine]] ''(This applies to hosting mail, webservices and other services)''<br />
** [[Setting up postfix with virtual domains]]<br />
** [[Protecting your email server with Alpine]]<br />
** [[Hosting Web/Email services on Alpine]]<br />
* [[Running Alpine Linux As a QEMU networked Guest ]]<br />
* [[Screen on console]]<br />
* [[Using espeak on Alpine Linux]]<br />
* [[Generating SSL certs with ACF]]<br />
* [[Setting up a ssh-server]]<br />
* [[Changing passwords for ACF]]<br />
* [[Multiple Instances of Services]]<br />
* [[Setting up NRPE daemon]] ''(Performs remote Nagios checks)''<br />
* [[IPTV How To]]<br />
* [[ISP Mail Server HowTo]] ''(Postfix+PostfixAdmin+DoveCot+Roundcube+ClamAV+Spamd - A full-service ISP mail server)''<br />
* [[XFCE Setup]]<br />
* [[Freepbx on Alpine Linux]]<br />
* [[Setting up Smokeping]] ''(Smokeping network latency monitoring)''<br />
* [[Apache authentication: NTLM Single Signon]]<br />
<br />
== iSCSI ==<br />
* [[iSCSI Target and Initiator Configuration]]<br />
* [[iSCSI Raid and Clustered File Systems]]<br />
<br />
== Vserver ==<br />
* [[Setting up a basic vserver]]<br />
<br />
== Drafts ==<br />
Those are not finished yet.<br />
* [[AlpineSystem:CoLinux_Setup | Installing Alpine on CoLinux ]]<br />
* [[Using Racoon for Remote Sites]]<br />
* [[High Performance and Fault Tolerant Routing with Alpine Linux]]<br />
* [[Setting up Transparent Squid Proxy]] ''(Covers Squid proxy and URL Filtering system)''<br />
** [[Obtaining user information via SNMP]] ''(Using the Squark Squid authentication helper)''<br />
* [[Setting up Streaming an Asterisk Channel]]<br />
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)''<br />
* [[Intrusion Detection using Snort, Sguil, Barnyard and more]] ''Installing and configuring Snort and related applications on Alpine 2.0.x''<br />
<br />
== Obsolete Docs ==<br />
Those are candidates for rewriting/removal.<br />
* [[Bootstrapping Alpine on Soekris net4xxx]]<br />
* [[Bootstrapping Alpine on PC Engines ALIX.3]]<br />
* [[Setting up a software raid1 array]]<br />
* [[Setting up a /var partition on software IDE raid1]]<br />
* [[Booting Alpine on an HP ML350 G6]]<br />
<br />
* [[Native Harddisk Install]]<br />
* [[Installing XUbuntu using Alpine boot floppy]]<br />
* [[Setting up trac wiki]]</div>
Myoung
https://wiki.alpinelinux.org/w/index.php?title=Installing_Alpine_on_HDD_overwriting_everything&diff=4422
Installing Alpine on HDD overwriting everything
2010-09-27T14:10:33Z
<p>Myoung: /* Installing Alpine to a new machine, overwriting everything on the harddisk */</p>
<hr />
<div>== Installing Alpine to a new machine, ''overwriting everything on the harddisk'' ==<br />
<br />
<br />
'''Warning''' This will erase everything on your machine's harddisk. Don't blame me if someone sues you for this, your cat dies etc. You are warned. <br />
<br />
The following is meant to be an absolute newbie guide.<br />
<br />
* Burn the alpine iso image to a CD<br />
* Put the CD into the new computer and turn on the power.<br />
* Wait for the text "login:" to appear, type "root" and press enter twice (blank password)<br />
* [OPTIONAL, SEE NOTE BELOW] Run the setup-alpine script to choose your keyboard, network and password options.<br />
* Type "setup-disk" and press enter. <br />
* You will be asked where to install. If you don't understand the question, press y and enter.<br />
<br />
The system is now installed and after a while you will see a message saying "Please reboot"<br />
<br />
Type "reboot" and press enter. You can remove the CD now, since the system is installed. Your system is ready. You can have fries with that, although there are healthier alternatives.<br />
<br />
NOTE: If you run setup-disk before setup-alpine, the setup-alpine script won't be available to you when you reboot.<br />
<br />
=== Continue Setting up your Computer ===<br />
<br />
* [[Alpine Linux package management]] ''(How to add/remove packages on your Alpine)''<br />
* [[Alpine boot services]] ''(Configure a service to automatically boot at next reboot)''<br />
* [[Setting up a ssh-server]] ''(Using ssh is a good way to administer your box remotely)''</div>
Myoung
https://wiki.alpinelinux.org/w/index.php?title=Setting_up_a_SSH_server&diff=4421
Setting up a SSH server
2010-09-27T11:31:21Z
<p>Myoung: fixed typo</p>
<hr />
<div>= General =<br />
If you need to administer an Alpine Linux box, you can install and use OpenSSH.<BR><br />
OpenSSH provides secure, encrypted communication between you and the host where it is running (the ssh-server is called ''sshd'' and the ssh-client is called ''ssh'').<br />
<br />
== Install programs ==<br />
Install package:<BR><br />
apk add openssh<br />
<br />
'''''Note:''' If you want the ACF-frontend for openssh, you should install 'acf-openssh' instead (assuming that you have setup-webconf)''<br />
<br />
== Make it autostart ==<br />
The next time you reboot your Linux box, you will probably want ''sshd'' to start automatically.<br />
rc-update add sshd<br />
<br />
You can check your boot services:<br />
rc-status<br />
<br />
== Start it up now ==<br />
The reason we want to manually start ''sshd'' at this moment is that we want ''sshd'' to create some initial files that it needs. After they are created, we can permanently save them.<BR><br />
The other reason is that we don't have time to wait for the box to reboot ;-)<br />
/etc/init.d/sshd start<br />
'''''Note:''' Don't forget to permanently save your settings by using the 'lbu ci' command when you are done.''<br />
<br />
= Fine tuning =<br />
The default config that comes with openssh has pretty good default values.<BR><br />
But sometimes you would like to fine-tune things. Below are some examples of what you might want to do.<BR><br />
'''''Note:''' You are _not_ required to follow this [[#Fine_tuning]] section. You can skip it if you want to make things easy!''<br />
<br />
The fine-tuning is done by editing '''/etc/ssh/sshd_config'''<BR><br />
"#" marks that the rest of the line should be ignored by ''sshd''. Everything to the right of the "#" is treated as a comment.<br />
UseDNS no # By setting this to no, you could increase speed when the client starts to connect to this ssh-server<br />
PasswordAuthentication no # Instead you could use private/public keys to authenticate to this box (this increases security for the box)<br />
Many other options are found in '''/etc/ssh/sshd_config'''. The describing text that comes in the same file will guide you in your fine-tuning.<br />
<br />
= Firewalling =<br />
By default, sshd communicates on port ''''22'''' using protocol ''''TCP''''.<BR><br />
You need to make sure that the box where ''sshd'' is running doesn't block your connection attempts on '''22TCP'''.<BR><br />
If you still have trouble accessing your box, make sure that there is no other firewall blocking your connection.<br />
<br />
Sometimes '''22TCP''' is blocked by some firewall that you cannot control. In those cases you might want to configure '''sshd''' to communicate on some other port.<BR><br />
In that case you change '''/etc/ssh/sshd_config''' to reflect your needs.<BR><br />
But before you do so, check that the port you choose is not already in use. (You can check this with the command ''''netstat -ln'''' on the box where you plan to run ''sshd''.)<br />
Port 443 # Use whatever port number that fits your needs<br />
<br />
You need to restart ''sshd'' after you have made your modifications.<br />
/etc/init.d/sshd restart<br />
<br />
= Save settings =<br />
If you haven't already done so, save all your settings:<br />
lbu ci</div>
Myoung
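A pre-flight check for the fine-tuning and firewalling sections of this howto, written as an added example (it is not part of the wiki page or of OpenSSH): it reads the first-wins value of an option from sshd_config, flags password logins that are still enabled, and parses `netstat -ln` output so a candidate replacement port can be checked before it is set. The config path and candidate port are parameters; only POSIX sh, awk and tr are assumed.

```shell
#!/bin/sh
# sshd_config pre-flight audit for the fine-tuning and firewall steps above.
# Added example: not part of the wiki page nor of OpenSSH. Assumes a POSIX sh
# with awk and tr (busybox provides both on Alpine).

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# sshd_opt FILE KEYWORD [DEFAULT]
# Print the effective value of KEYWORD in FILE, following sshd's own rules:
# keywords are case-insensitive, lines whose first non-blank character is '#'
# are comments, and the FIRST occurrence of an option wins. Only global
# options are considered: parsing stops at the first "Match" block.
sshd_opt() {
    awk -v key="$(lower "$2")" -v def="${3:-}" '
        /^[[:space:]]*#/ || NF == 0 { next }        # comment or blank line
        tolower($1) == "match"      { exit }        # rest is conditional config
        tolower($1) == key          { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE
# Report on the settings this howto touches. Returns 0 when password logins
# are disabled, 1 otherwise. Fallback values are the OpenSSH defaults of the
# era of this page (UseDNS yes, PasswordAuthentication yes, Port 22).
audit_sshd_config() {
    f="$1"; rc=0
    pw=$(sshd_opt "$f" PasswordAuthentication yes)
    dns=$(sshd_opt "$f" UseDNS yes)
    port=$(sshd_opt "$f" Port 22)
    if [ "$(lower "$pw")" != no ]; then
        echo "WARN: PasswordAuthentication is '$pw'; use keys and set it to no"
        rc=1
    fi
    [ "$(lower "$dns")" = no ] || echo "INFO: UseDNS is '$dns'; 'no' skips a reverse lookup per connection"
    echo "INFO: sshd listens on TCP port $port; the host firewall must allow it"
    return $rc
}

# port_in_use PORT   (reads the output of 'netstat -ln' on stdin)
# Succeed if a TCP socket already listens on PORT, so you do not move sshd
# onto a port that another service owns.
port_in_use() {
    awk -v p="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":")        # local address; the port is the last piece
            if (a[n] == p) { hit = 1; exit }
        }
        END { exit (hit ? 0 : 1) }
    '
}

# Usage: sh sshd_audit.sh /etc/ssh/sshd_config [CANDIDATE_PORT]
if [ -n "${1:-}" ]; then
    audit_sshd_config "$1"
    if [ -n "${2:-}" ] && netstat -ln 2>/dev/null | port_in_use "$2"; then
        echo "WARN: port $2 is already in use; pick another before changing Port"
    fi
fi
```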