Intrusion Detection using Snort: Difference between revisions

From Alpine Linux
No edit summary
(replace /etc/init.d with rc-service)
 
(13 intermediate revisions by 7 users not shown)
Line 1: Line 1:
[[Category:Networking]]
{{Draft}}
{{Draft}}


Line 18: Line 16:
'''Install Alpine and Pre-packaged components'''
'''Install Alpine and Pre-packaged components'''


    apk add alpine-sdk mysql-dev php-mysql lighttpd php-xml php-pear libpcap-dev php-gd pcre-dev wireshark tcpdump tcpflow cvs bison flex
{{Cmd|apk add alpine-sdk mysql-dev php-mysql lighttpd php-xml php-pear libpcap-dev php-gd pcre-dev wireshark tcpdump tcpflow cvs bison flex}}
 


== Download Non-Packaged Applications ==
== Download Non-Packaged Applications ==
Line 28: Line 25:


:Download snort from www.snort.org. We used version 2.8.6.1 in this document.
:Download snort from www.snort.org. We used version 2.8.6.1 in this document.
:Download the snort rules from http://www.snort.org/snort-rules/
:Download the snort rules from https://www.snort.org/downloads/#rule-downloads
:Download BASE from http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz/download
:Download BASE from https://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz/download
:Download adodb5 from http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-511-for-php5/adodb511.zip/download
:Download adodb5 from https://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-511-for-php5/adodb511.zip/download


== Compile Snort ==
== Compile Snort ==
Line 36: Line 33:
Uncompress snort with something like:  
Uncompress snort with something like:  


    tar -zxvf snort-2.8.6.1.tar.gz
{{Cmd|tar -zxvf snort-2.8.6.1.tar.gz}}


Then do the following:
Then do the following:


    cd snort-2.8.6.1
{{Cmd|cd snort-2.8.6.1
    ./configure -enable-dynamicplugin --with-mysql
./configure -enable-dynamicplugin --with-mysql
    make
make
    make install
make install}}


== Configure Snort and Ruleset ==
== Configure Snort and Ruleset ==


    mkdir /etc/snort
{{Cmd|mkdir /etc/snort
    cd /etc/snort
cd /etc/snort
    cp /usr/src/snort-2.8.6.1/etc/* .
cp /usr/src/snort-2.8.6.1/etc/* .
    mv /usr/src/snortrules-snapshot-2861.tar.gz /etc/snort/.
mv /usr/src/snortrules-snapshot-2861.tar.gz /etc/snort/.
    tar -zxvf /usr/src/snortrules-snapshot-2861.tar.gz
tar -zxvf /usr/src/snortrules-snapshot-2861.tar.gz}}


Now edit the snort.conf file:
Now edit the snort.conf file:


    vi snort.conf
{{Cmd|vi snort.conf}}


and change the following:
and change the following:
Line 70: Line 67:
* Make note of the username, password, and dbname. You will need this information when we set up mysql.
* Make note of the username, password, and dbname. You will need this information when we set up mysql.
* Find this line (line 194 in current version)
* Find this line (line 194 in current version)
:preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 20480 decompress_depth 20480
::preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 20480 decompress_depth 20480
::and remove from "compress_depth" to the end of the line. When done, the line will read:
:and remove from "compress_depth" to the end of the line. When done, the line will read:
:preprocessor http_inspect: global iis_unicode_map unicode.map 1252
::preprocessor http_inspect: global iis_unicode_map unicode.map 1252
* Find this line (line 207 in current version)
* Find this line (line 207 in current version)
:inspect_gzip \
::inspect_gzip \
::and remove it.
:and remove it.
* Save and quit.
* Save and quit.


Line 82: Line 79:
(Need to add detail here on starting up MySQL for the first time)
(Need to add detail here on starting up MySQL for the first time)


    /usr/bin/mysql_install_db --user=mysql
{{Cmd|<nowiki>/usr/bin/mysql_install_db --user=mysql
    rc-update add mysql
rc-update add mysql
    /etc/init.d/mysql start
rc-service mysql start
    /usr/bin/mysqladmin -u root password 'password'  (set password to the same password you specified in the snort.conf file)
/usr/bin/mysqladmin -u root password 'password'  (set password to the same password you specified in the snort.conf file)
    mysql -u root -p
mysql -u root -p</nowiki>}}


Once in mysql, type the following commands:
Once in mysql, type the following commands:


    mysql> create database snort;
{{Cmd|mysql> create database snort;
    mysql> exit
mysql> exit}}


Now create the database schema:
Now create the database schema:


    mysql -D snort -u root -p < /usr/src/snort-2.8.6.1/schemas/create_mysql
{{Cmd|mysql -D snort -u root -p < /usr/src/snort-2.8.6.1/schemas/create_mysql}}


== Configure PHP and PEAR ==
== Configure PHP and PEAR ==
Line 101: Line 98:
Edit /etc/php/php.ini and add the following under "Dynamic Extensions".
Edit /etc/php/php.ini and add the following under "Dynamic Extensions".


    extension=mysql.so
extension=mysql.so
    extension=gd.so
extension=gd.so


Save and exit. From the command line, type the following:
Save and exit. From the command line, type the following:


    pear install Image_Color
{{Cmd|pear install Image_Color
    pear install Image_Canvas-alpha
pear install Image_Canvas-alpha
    pear install Image_Graph-alpha
pear install Image_Graph-alpha
    pear install mail
pear install mail
    pear install mail_mime
pear install mail_mime}}


== Start Apache or lighttpd ==
== Start Apache or lighttpd ==
Line 118: Line 115:
== Setup BASE ==
== Setup BASE ==


    mv /usr/src/adodb5 /var/www/localhost/htdocs/.
^{{Cmd|mv /usr/src/adodb5 /var/www/localhost/htdocs/.
    mv /usr/src/base-1.4.5/* /var/www/localhost/htdocs/.
mv /usr/src/base-1.4.5/* /var/www/localhost/htdocs/.}}


Now, open your web browser and navigate to http://X.X.X.X/setup (where x.x.x.x is your server's IP address)
Now, open your web browser and navigate to <nowiki>http://X.X.X.X/setup</nowiki> (where x.x.x.x is your server's IP address)


:Click continue on the first page.
:Click continue on the first page.
Line 132: Line 129:
:Step 5 of 5: one step 4 is done at the bottom click on Now continue to step 5.
:Step 5 of 5: one step 4 is done at the bottom click on Now continue to step 5.
:Copy the text on the screen, and then paste into a new file named /var/www/localhost/htdocs/base_conf.php. Save that file.
:Copy the text on the screen, and then paste into a new file named /var/www/localhost/htdocs/base_conf.php. Save that file.


== Configure Barnyard ==
== Configure Barnyard ==


To improve performance.
To improve performance.
[[Category:Server]]
[[Category:Monitoring]]
[[Category:PHP]]
[[Category:SQL]]
[[Category:Security]]

Latest revision as of 10:41, 17 November 2023

This material is work-in-progress ...

Do not follow instructions here until this notice is removed.
(Last edited by Sertonix on 17 Nov 2023.)

This guide will set up (list subject to change):

  • Snort
  • Barnyard (maybe)
  • BASE

This guide will assume:

  • You have a knowledge of your network setup (at least know which subnets exist).
  • You have Alpine 2.0.2 installed and working with networking setup.
  • You have had at least three cups of coffee this morning. And not decaf.


Get Development Packages

Install Alpine and Pre-packaged components

apk add alpine-sdk mysql-dev php-mysql lighttpd php-xml php-pear libpcap-dev php-gd pcre-dev wireshark tcpdump tcpflow cvs bison flex

Download Non-Packaged Applications

Download the following packages

For the purpose of this document we will assume you download these files to /usr/src.

Download snort from www.snort.org. We used version 2.8.6.1 in this document.
Download the snort rules from https://www.snort.org/downloads/#rule-downloads
Download BASE from https://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz/download
Download adodb5 from https://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-511-for-php5/adodb511.zip/download

Compile Snort

Uncompress snort with something like:

tar -zxvf snort-2.8.6.1.tar.gz

Then do the following:

cd snort-2.8.6.1 ./configure -enable-dynamicplugin --with-mysql make make install

Configure Snort and Ruleset

mkdir /etc/snort cd /etc/snort cp /usr/src/snort-2.8.6.1/etc/* . mv /usr/src/snortrules-snapshot-2861.tar.gz /etc/snort/. tar -zxvf /usr/src/snortrules-snapshot-2861.tar.gz

Now edit the snort.conf file:

vi snort.conf

and change the following:

  • Change "var HOME_NET any" to "var HOME_NET X.X.X.X/X" (fill in the subnet with your trusted network)
  • Change "var EXTERNAL_NET any" to "var EXTERNAL_NET !$HOME_NET" (this is stating everything except HOME_NET is external)
  • Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules"
  • Change "var SO_RULE_PATH ../so_rules" to "var SO_RULE_PATH /etc/snort/so_rules"
  • Change "var PREPROC_RULE_PATH ../preproc_rules" to "var PREPROC_RULE_PATH /etc/snort/preproc_rules"
  • Comment out the line that says "dynamicdetection directory /usr/local/lib/snort_dynamicrules" (by placing a "#" in front of the line)
  • Scroll down the list to the section with "# output database: log, ..." and remove the "#" from in front of this line.
  • Edit this line to look like this:
output database: log, mysql, user=root password=yoursecretpassword dbname=snort host=localhost
  • Make note of the username, password, and dbname. You will need this information when we set up mysql.
  • Find this line (line 194 in current version)
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 20480 decompress_depth 20480
and remove from "compress_depth" to the end of the line. When done, the line will read:
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
  • Find this line (line 207 in current version)
inspect_gzip \
and remove it.
  • Save and quit.

Start and Setup MySQL

(Need to add detail here on starting up MySQL for the first time)

/usr/bin/mysql_install_db --user=mysql rc-update add mysql rc-service mysql start /usr/bin/mysqladmin -u root password 'password' (set password to the same password you specified in the snort.conf file) mysql -u root -p

Once in mysql, type the following commands:

mysql> create database snort; mysql> exit

Now create the database schema:

mysql -D snort -u root -p < /usr/src/snort-2.8.6.1/schemas/create_mysql

Configure PHP and PEAR

Edit /etc/php/php.ini and add the following under "Dynamic Extensions".

extension=mysql.so
extension=gd.so

Save and exit. From the command line, type the following:

pear install Image_Color pear install Image_Canvas-alpha pear install Image_Graph-alpha pear install mail pear install mail_mime

Start Apache or lighttpd

Need to decide which of these to use in production.

Setup BASE

^

mv /usr/src/adodb5 /var/www/localhost/htdocs/. mv /usr/src/base-1.4.5/* /var/www/localhost/htdocs/.

Now, open your web browser and navigate to http://X.X.X.X/setup (where x.x.x.x is your server's IP address)

Click continue on the first page.
Step 1 of 5: Enter the path to ADODB.
This is /var/www/localhost/htdocs/adodb5.
Step 2 of 5:
Database type = MySQL, Database name = snort, Database Host = localhost, Database username = root, Database Password = YOUR_PASSWORD
Step 3 of 5: If you want to use authentication enter a username and password here.
Step 4 of 5: Click on Create BASE AG.
Step 5 of 5: one step 4 is done at the bottom click on Now continue to step 5.
Copy the text on the screen, and then paste into a new file named /var/www/localhost/htdocs/base_conf.php. Save that file.

Configure Barnyard

To improve performance.