{{Draft|Last update before this one is 2013 so this page is probably outdated}}

This guide will set up (list subject to change):

* Snort
* Barnyard (maybe)
* BASE

This guide will assume:

* You have a knowledge of your network setup (at least know which subnets exist).
* You have Alpine 2.0.2 installed and working with networking set up.
* You have had at least three cups of coffee this morning. And not decaf.

== Get Development Packages ==

'''Install Alpine and pre-packaged components'''

{{Cmd|apk add alpine-sdk mysql-dev php-mysql lighttpd php-xml php-pear libpcap-dev php-gd pcre-dev wireshark tcpdump tcpflow cvs bison flex}}

== Download Non-Packaged Applications ==

'''Download the following packages'''

For the purpose of this document we will assume you download these files to /usr/src.

:Download snort from www.snort.org. We used version 2.8.6.1 in this document.
:Download the snort rules from http://www.snort.org/snort-rules/
:Download BASE from http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz/download
:Download adodb5 from http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-511-for-php5/adodb511.zip/download

== Compile Snort ==

Uncompress snort with something like:

{{Cmd|tar -zxvf snort-2.8.6.1.tar.gz}}

Then configure it with dynamic plugin and MySQL output support, build and install it:

{{Cmd|cd snort-2.8.6.1
./configure --enable-dynamicplugin --with-mysql
make
make install}}

== Configure Snort and Ruleset ==

{{Cmd|mkdir /etc/snort
cd /etc/snort
cp /usr/src/snort-2.8.6.1/etc/* .
mv /usr/src/snortrules-snapshot-2861.tar.gz /etc/snort/.
tar -zxvf /usr/src/snortrules-snapshot-2861.tar.gz}}

Now edit the snort.conf file:

{{Cmd|vi snort.conf}}

and change the following:

* Change "var HOME_NET any" to "var HOME_NET X.X.X.X/X" (fill in the subnet of your trusted network).
* Change "var EXTERNAL_NET any" to "var EXTERNAL_NET !$HOME_NET" (this states that everything except HOME_NET is external).
* Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules".
* Change "var SO_RULE_PATH ../so_rules" to "var SO_RULE_PATH /etc/snort/so_rules".
* Change "var PREPROC_RULE_PATH ../preproc_rules" to "var PREPROC_RULE_PATH /etc/snort/preproc_rules".
* Comment out the line that says "dynamicdetection directory /usr/local/lib/snort_dynamicrules" (by placing a "#" in front of the line).
* Scroll down to the section with "# output database: log, ..." and remove the "#" from the front of this line.
* Edit this line to look like this:
:output database: log, mysql, user=root password=yoursecretpassword dbname=snort host=localhost
* Make note of the username, password, and dbname. You will need this information when we set up MySQL.
* Find this line (line 194 in the current version):
::preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 20480 decompress_depth 20480
:and remove everything from "compress_depth" to the end of the line. When done, the line will read:
::preprocessor http_inspect: global iis_unicode_map unicode.map 1252
* Find this line (line 207 in the current version):
::inspect_gzip \
:and remove it.
* Save and quit.

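The edits listed above can be scripted, which makes them repeatable across Snort upgrades and lets you verify the result before starting Snort. The following POSIX shell script is an added example and is not part of this wiki page or of Snort itself; it assumes a snort 2.8.x-style snort.conf and GNU or busybox sed. The function names, the constructed snort.conf fragment used for the demo run and the password value are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the Alpine wiki page: apply the snort.conf edits
# listed in the guide with sed, then check the result. Assumes a snort
# 2.8.x-style snort.conf and GNU or busybox sed.

# Apply the guide's edits in place and keep a backup.
# Usage: configure_snort_conf FILE HOME_NET_CIDR DB_PASSWORD
# DB_PASSWORD must not contain '|', '&' or '\' (sed replacement syntax).
configure_snort_conf() {
    conf="$1"; homenet="$2"; dbpass="$3"
    cp "$conf" "$conf.orig" || return 1          # original, to diff against
    sed -i \
        -e "s|^var HOME_NET any\$|var HOME_NET $homenet|" \
        -e 's|^var EXTERNAL_NET any$|var EXTERNAL_NET !$HOME_NET|' \
        -e 's|^var RULE_PATH \.\./rules$|var RULE_PATH /etc/snort/rules|' \
        -e 's|^var SO_RULE_PATH \.\./so_rules$|var SO_RULE_PATH /etc/snort/so_rules|' \
        -e 's|^var PREPROC_RULE_PATH \.\./preproc_rules$|var PREPROC_RULE_PATH /etc/snort/preproc_rules|' \
        -e 's|^dynamicdetection directory /usr/local/lib/snort_dynamicrules|#&|' \
        -e "s|^# output database: log, .*|output database: log, mysql, user=root password=$dbpass dbname=snort host=localhost|" \
        -e 's| compress_depth [0-9]* decompress_depth [0-9]*$||' \
        -e '/^[[:space:]]*inspect_gzip \\$/d' \
        "$conf" || return 1
    # snort.conf now holds the database password: keep it readable by root only.
    chmod 600 "$conf" "$conf.orig"
}

# Report anything the guide wants changed that is still in its default state.
# Returns 0 when every check passes, 1 otherwise (and prints what is wrong).
check_snort_conf() {
    conf="$1"; rc=0
    for v in HOME_NET EXTERNAL_NET; do
        grep -q "^var $v any\$" "$conf" && { echo "$v is still 'any'"; rc=1; }
    done
    grep -q '^var [A-Z_]*RULE_PATH \.\./' "$conf" && { echo "relative rule path remains"; rc=1; }
    grep -q '^dynamicdetection directory' "$conf" && { echo "dynamicdetection still enabled"; rc=1; }
    grep -q '^output database: log, mysql,' "$conf" || { echo "database output not enabled"; rc=1; }
    grep -Eq 'inspect_gzip|compress_depth' "$conf" && { echo "http_inspect options remain"; rc=1; }
    return $rc
}

# Constructed fragment of a 2.8.6-style snort.conf, so the demo runs offline.
# It is not the real file, only the lines the guide touches plus some context.
write_sample_conf() {
    cat > "$1" <<'EOF'
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
dynamicdetection directory /usr/local/lib/snort_dynamicrules
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 20480 decompress_depth 20480
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500 \
    inspect_gzip \
    ports { 80 }
# output database: log, mysql, user=root password=test dbname=db host=localhost
EOF
}

# Demo on the constructed fragment; a real run targets /etc/snort/snort.conf.
demo() {
    tmp="${TMPDIR:-/tmp}/snort.conf.$$"
    write_sample_conf "$tmp"
    configure_snort_conf "$tmp" 192.168.1.0/24 'yoursecretpassword' \
        && check_snort_conf "$tmp"
    rc=$?
    diff -u "$tmp.orig" "$tmp" || true       # show exactly what changed
    rm -f "$tmp" "$tmp.orig"
    return $rc
}

[ "${1:-}" = "demo" ] && demo
```

Run `sh script.sh demo` to see the changes as a diff; on the real system call `configure_snort_conf /etc/snort/snort.conf 192.168.1.0/24 'yoursecretpassword'` followed by `check_snort_conf /etc/snort/snort.conf`. The sed patterns are anchored to the exact default lines, so if your snort.conf already differs from the shipped one, the check function names what was not changed instead of leaving it silently in place.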
== Start and Setup MySQL ==

(Need to add detail here on starting up MySQL for the first time)

{{Cmd|<nowiki>/usr/bin/mysql_install_db --user=mysql
rc-update add mysql
/etc/init.d/mysql start
/usr/bin/mysqladmin -u root password 'password'
mysql -u root -p</nowiki>}}

In the mysqladmin command, set the password to the same password you specified in the snort.conf file.

Once in mysql, type the following commands:

{{Cmd|mysql> create database snort;
mysql> exit}}

Now create the database schema:

{{Cmd|mysql -D snort -u root -p < /usr/src/snort-2.8.6.1/schemas/create_mysql}}

== Configure PHP and PEAR ==

Edit /etc/php/php.ini and add the following under "Dynamic Extensions":

:extension=mysql.so
:extension=gd.so

Save and exit. From the command line, type the following:

{{Cmd|pear install Image_Color
pear install Image_Canvas-alpha
pear install Image_Graph-alpha
pear install mail
pear install mail_mime}}

== Start Apache or lighttpd ==

Need to decide which of these to use in production.

== Setup BASE ==

{{Cmd|mv /usr/src/adodb5 /var/www/localhost/htdocs/.
mv /usr/src/base-1.4.5/* /var/www/localhost/htdocs/.}}

Now, open your web browser and navigate to http://X.X.X.X/setup (where X.X.X.X is your server's IP address).

:Click continue on the first page.
:Step 1 of 5: Enter the path to ADODB.
::This is /var/www/localhost/htdocs/adodb5.
:Step 2 of 5:
::Database type = MySQL, Database name = snort, Database Host = localhost, Database username = root, Database Password = YOUR_PASSWORD
:Step 3 of 5: If you want to use authentication, enter a username and password here.
:Step 4 of 5: Click on "Create BASE AG".
:Step 5 of 5: Once step 4 is done, click on "Now continue to step 5" at the bottom.
:Copy the text on the screen, and then paste it into a new file named /var/www/localhost/htdocs/base_conf.php. Save that file.

== Configure Barnyard ==

To be written. Barnyard takes over writing Snort's output to the database, so Snort itself only captures and inspects packets; this improves performance.

[[Category:Server]]
[[Category:Monitoring]]
[[Category:PHP]]
[[Category:SQL]]
[[Category:Security]]