Intrusion Detection using Snort: Difference between revisions
No edit summary |
(replace /etc/init.d with rc-service) |
||
(14 intermediate revisions by 7 users not shown) | |||
Line 1: | Line 1: | ||
{{Draft}} | {{Draft}} | ||
Line 18: | Line 16: | ||
'''Install Alpine and Pre-packaged components''' | '''Install Alpine and Pre-packaged components''' | ||
{{Cmd|apk add alpine-sdk mysql-dev php-mysql lighttpd php-xml php-pear libpcap-dev php-gd pcre-dev wireshark tcpdump tcpflow cvs bison flex}} | |||
== Download Non-Packaged Applications == | == Download Non-Packaged Applications == | ||
Line 28: | Line 25: | ||
:Download snort from www.snort.org. We used version 2.8.6.1 in this document. | :Download snort from www.snort.org. We used version 2.8.6.1 in this document. | ||
:Download the snort rules from | :Download the snort rules from https://www.snort.org/downloads/#rule-downloads | ||
:Download BASE from | :Download BASE from https://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz/download | ||
:Download adodb5 from | :Download adodb5 from https://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-511-for-php5/adodb511.zip/download | ||
== Compile Snort == | == Compile Snort == | ||
Line 36: | Line 33: | ||
Uncompress snort with something like: | Uncompress snort with something like: | ||
{{Cmd|tar -zxvf snort-2.8.6.1.tar.gz}} | |||
Then do the following: | Then do the following: | ||
{{Cmd|cd snort-2.8.6.1 | |||
./configure -enable-dynamicplugin --with-mysql | |||
make | |||
make install}} | |||
== Configure Snort and Ruleset == | == Configure Snort and Ruleset == | ||
{{Cmd|mkdir /etc/snort | |||
cd /etc/snort | |||
cp /usr/src/snort-2.8.6.1/etc/* . | |||
mv /usr/src/snortrules-snapshot-2861.tar.gz /etc/snort/. | |||
tar -zxvf /usr/src/snortrules-snapshot-2861.tar.gz}} | |||
Now edit the snort.conf file: | Now edit the snort.conf file: | ||
{{Cmd|vi snort.conf}} | |||
and change the following: | and change the following: | ||
Line 62: | Line 59: | ||
* Change "var EXTERNAL_NET any" to "var EXTERNAL_NET !$HOME_NET" (this is stating everything except HOME_NET is external) | * Change "var EXTERNAL_NET any" to "var EXTERNAL_NET !$HOME_NET" (this is stating everything except HOME_NET is external) | ||
* Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules" | * Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules" | ||
* Change "var SO_RULE_PATH ../so_rules" to "var SO_RULE_PATH /etc/snort/so_rules" | |||
* Change "var PREPROC_RULE_PATH ../preproc_rules" to "var PREPROC_RULE_PATH /etc/snort/preproc_rules" | |||
* Comment out the line that says "dynamicdetection directory /usr/local/lib/snort_dynamicrules" (by placing a "#" in front of the line) | * Comment out the line that says "dynamicdetection directory /usr/local/lib/snort_dynamicrules" (by placing a "#" in front of the line) | ||
* Scroll down the list to the section with "# output database: log, ..." and remove the "#" from in front of this line. | * Scroll down the list to the section with "# output database: log, ..." and remove the "#" from in front of this line. | ||
* | * Edit this line to look like this: | ||
:output database: log, mysql, user=root password=yoursecretpassword dbname=snort host=localhost | :output database: log, mysql, user=root password=yoursecretpassword dbname=snort host=localhost | ||
* Make note of the username, password, and dbname. You will need this information when we set up mysql. | * Make note of the username, password, and dbname. You will need this information when we set up mysql. | ||
* Find this line (line 194 in current version) | |||
::preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 20480 decompress_depth 20480 | |||
:and remove from "compress_depth" to the end of the line. When done, the line will read: | |||
::preprocessor http_inspect: global iis_unicode_map unicode.map 1252 | |||
* Find this line (line 207 in current version) | |||
::inspect_gzip \ | |||
:and remove it. | |||
* Save and quit. | * Save and quit. | ||
Line 74: | Line 79: | ||
(Need to add detail here on starting up MySQL for the first time) | (Need to add detail here on starting up MySQL for the first time) | ||
{{Cmd|<nowiki>/usr/bin/mysql_install_db --user=mysql | |||
rc-update add mysql | |||
rc-service mysql start | |||
/usr/bin/mysqladmin -u root password 'password' (set password to the same password you specified in the snort.conf file) | |||
mysql -u root -p</nowiki>}} | |||
Once in mysql, type the following commands: | Once in mysql, type the following commands: | ||
{{Cmd|mysql> create database snort; | |||
mysql> exit}} | |||
Now create the database schema: | Now create the database schema: | ||
{{Cmd|mysql -D snort -u root -p < /usr/src/snort-2.8.6.1/schemas/create_mysql}} | |||
== Configure PHP and PEAR == | == Configure PHP and PEAR == | ||
Line 93: | Line 98: | ||
Edit /etc/php/php.ini and add the following under "Dynamic Extensions". | Edit /etc/php/php.ini and add the following under "Dynamic Extensions". | ||
extension=mysql.so | |||
extension=gd.so | |||
Save and exit. From the command line, type the following: | Save and exit. From the command line, type the following: | ||
{{Cmd|pear install Image_Color | |||
pear install Image_Canvas-alpha | |||
pear install Image_Graph-alpha | |||
pear install mail | |||
pear install mail_mime}} | |||
== Start Apache or lighttpd == | == Start Apache or lighttpd == | ||
Line 110: | Line 115: | ||
== Setup BASE == | == Setup BASE == | ||
^{{Cmd|mv /usr/src/adodb5 /var/www/localhost/htdocs/. | |||
mv /usr/src/base-1.4.5/* /var/www/localhost/htdocs/.}} | |||
Now, open your web browser and navigate to http://X.X.X.X/setup (where x.x.x.x is your server's IP address) | Now, open your web browser and navigate to <nowiki>http://X.X.X.X/setup</nowiki> (where x.x.x.x is your server's IP address) | ||
:Click continue on the first page. | :Click continue on the first page. | ||
Line 124: | Line 129: | ||
:Step 5 of 5: one step 4 is done at the bottom click on Now continue to step 5. | :Step 5 of 5: one step 4 is done at the bottom click on Now continue to step 5. | ||
:Copy the text on the screen, and then paste into a new file named /var/www/localhost/htdocs/base_conf.php. Save that file. | :Copy the text on the screen, and then paste into a new file named /var/www/localhost/htdocs/base_conf.php. Save that file. | ||
== Configure Barnyard == | == Configure Barnyard == | ||
To improve performance. | To improve performance. | ||
[[Category:Server]] | |||
[[Category:Monitoring]] | |||
[[Category:PHP]] | |||
[[Category:SQL]] | |||
[[Category:Security]] |
Latest revision as of 10:41, 17 November 2023
This material is work-in-progress ... Do not follow instructions here until this notice is removed. |
This guide will set up (list subject to change):
- Snort
- Barnyard (maybe)
- BASE
This guide will assume:
- You have a knowledge of your network setup (at least know which subnets exist).
- You have Alpine 2.0.2 installed and working with networking setup.
- You have had at least three cups of coffee this morning. And not decaf.
Get Development Packages
Install Alpine and Pre-packaged components
apk add alpine-sdk mysql-dev php-mysql lighttpd php-xml php-pear libpcap-dev php-gd pcre-dev wireshark tcpdump tcpflow cvs bison flex
Download Non-Packaged Applications
Download the following packages
For the purpose of this document we will assume you download these files to /usr/src.
- Download snort from www.snort.org. We used version 2.8.6.1 in this document.
- Download the snort rules from https://www.snort.org/downloads/#rule-downloads
- Download BASE from https://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz/download
- Download adodb5 from https://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-511-for-php5/adodb511.zip/download
Compile Snort
Uncompress snort with something like:
tar -zxvf snort-2.8.6.1.tar.gz
Then do the following:
cd snort-2.8.6.1 ./configure -enable-dynamicplugin --with-mysql make make install
Configure Snort and Ruleset
mkdir /etc/snort cd /etc/snort cp /usr/src/snort-2.8.6.1/etc/* . mv /usr/src/snortrules-snapshot-2861.tar.gz /etc/snort/. tar -zxvf /usr/src/snortrules-snapshot-2861.tar.gz
Now edit the snort.conf file:
vi snort.conf
and change the following:
- Change "var HOME_NET any" to "var HOME_NET X.X.X.X/X" (fill in the subnet with your trusted network)
- Change "var EXTERNAL_NET any" to "var EXTERNAL_NET !$HOME_NET" (this is stating everything except HOME_NET is external)
- Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules"
- Change "var SO_RULE_PATH ../so_rules" to "var SO_RULE_PATH /etc/snort/so_rules"
- Change "var PREPROC_RULE_PATH ../preproc_rules" to "var PREPROC_RULE_PATH /etc/snort/preproc_rules"
- Comment out the line that says "dynamicdetection directory /usr/local/lib/snort_dynamicrules" (by placing a "#" in front of the line)
- Scroll down the list to the section with "# output database: log, ..." and remove the "#" from in front of this line.
- Edit this line to look like this:
- output database: log, mysql, user=root password=yoursecretpassword dbname=snort host=localhost
- Make note of the username, password, and dbname. You will need this information when we set up mysql.
- Find this line (line 194 in current version)
- preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 20480 decompress_depth 20480
- and remove from "compress_depth" to the end of the line. When done, the line will read:
- preprocessor http_inspect: global iis_unicode_map unicode.map 1252
- Find this line (line 207 in current version)
- inspect_gzip \
- and remove it.
- Save and quit.
Start and Setup MySQL
(Need to add detail here on starting up MySQL for the first time)
/usr/bin/mysql_install_db --user=mysql rc-update add mysql rc-service mysql start /usr/bin/mysqladmin -u root password 'password' (set password to the same password you specified in the snort.conf file) mysql -u root -p
Once in mysql, type the following commands:
mysql> create database snort; mysql> exit
Now create the database schema:
mysql -D snort -u root -p < /usr/src/snort-2.8.6.1/schemas/create_mysql
Configure PHP and PEAR
Edit /etc/php/php.ini and add the following under "Dynamic Extensions".
extension=mysql.so extension=gd.so
Save and exit. From the command line, type the following:
pear install Image_Color pear install Image_Canvas-alpha pear install Image_Graph-alpha pear install mail pear install mail_mime
Start Apache or lighttpd
Need to decide which of these to use in production.
Setup BASE
^
mv /usr/src/adodb5 /var/www/localhost/htdocs/. mv /usr/src/base-1.4.5/* /var/www/localhost/htdocs/.
Now, open your web browser and navigate to http://X.X.X.X/setup (where x.x.x.x is your server's IP address)
- Click continue on the first page.
- Step 1 of 5: Enter the path to ADODB.
- This is /var/www/localhost/htdocs/adodb5.
- Step 2 of 5:
- Database type = MySQL, Database name = snort, Database Host = localhost, Database username = root, Database Password = YOUR_PASSWORD
- Step 3 of 5: If you want to use authentication enter a username and password here.
- Step 4 of 5: Click on Create BASE AG.
- Step 5 of 5: one step 4 is done at the bottom click on Now continue to step 5.
- Copy the text on the screen, and then paste into a new file named /var/www/localhost/htdocs/base_conf.php. Save that file.
Configure Barnyard
To improve performance.