018-snortinstallguide2972

8/20/2019 018-snortinstallguide2972

1/13

Snort 2.9.7.2 and Snort Report 1.3.4on Ubuntu 14.04 LTS Installation Guide

Author !a"id Gullett

#ublished April 7$ 201%&ersion 1.0

'op(ri)ht 201%$ S(**etri+ Te,hnolo)ieshttp--.s(**etri+te,h.,o*

Table o/ 'ontents

A. Introdu,tion1. uip*ent Assu*ptions2. noled)e Assu*ptions3. Use o/ the a,slash4. nd Result

Figure 1 - Snort Network Topology

. #ro,edure

1. 5peratin) S(ste* A,uire Ubuntu LTSInstallation o/ 5peratin) S(ste*Ubuntu Updates

2. Snort Report!onload and Set up Snort Report

3. Snort!onload and Install the !ata A,uisition A#I!onload and Install libdnet!onload and Install Snort!onload the Latest Snort Rules'on/i)ure Snort!onload and Install arn(ard2Settin) up the 6etor 'ards'on/i)urin) and Runnin) SnortTestin) Snort

4. onitorin) 8our S(ste*at,hin) Snort ith Snort Report

'. :uture Tass1. #ulled #or2. AS and 5ther Tools

3. ;ust a e)innin)

http://www.symmetrixtech.com/http://www.symmetrixtech.com/


2/13

A. Introdu,tion

The purpose o/ this do,u*ent is to pro"ide the user ith a si*ple installation )uide to )et S(**etri+Te,hnolo)ies< Snort Report up and runnin) ith Sour,e/ire


3/13

Figure 1 – Snort Network Topology

In the /i)ure abo"e$ the netor ,ard /a,in) the tra//i, (ou ant to *onitor ill ha"e no I# address. This ill*ae it /ar *ore di//i,ult /or the I!S #' to be ,o*pro*ised /ro* an e+ternal sour,e. The netor ,ard /a,in)(our ad*inistrati"e orstation ill ha"e an internal nonroutable I# address and a,,ess to an( open ports illbe li*ited to (our ad*inistrati"e orstation.

It


4/13

*ultiple Snort I!S *a,hines hi,h is be(ond the s,ope o/ this do,u*ent. 'onsult http--.snort.or) /or *orein/or*ation.

. #ro,edure

1. 5peratin) S(ste*

A,uire Ubuntu Linu+

The /irst order o/ business is to donload Ubuntu Linu+. e then sele,t (our ti*e Eone.

8ou ill then be pro*pted to set up a user a,,ount. This ,an be an(thin) (ou ant @ Fust pi, one and set thepassord. 'hoose 6o hen ased to en,r(pt (our ho*e dire,tor( =it ill ,ontain nothin) "aluable and e.

The installer ill then tr( to deter*ine (our ti*e Eone. I/ it


5/13

A/ter SS? is installed (ou


6/13

Reboot the *a,hine

sudo reboot

At this point (ou should ha"e a orin) and updated installation o/ Ubuntu and e


7/13

!onload and Install libdnet

There are Ubuntu pa,a)es /or libdnet but this is an easier *ethod o/ installation. !onload the /olloin) /ile=http--libdnet.)oo)le,ode.,o* -/iles-libdnet1.12.t)E> and install it ith these ,o**ands /ro* (our donloaddire,tor(

wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz

sudo tar zxvf libdnet-1.12.tgzcd libdnet-1.12/sudo ./configuresudo makesudo make installsudo ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1

!onload and Install Snort

hile e ,ould install the Snort pa,a)es /ro* the Ubuntu 14.04 repositories$ that doesn


8/13

!onload the Latest Snort Rules

The ne+t step is to donload the latest Snort ruleset. 8ou


9/13

'on/i)ure Snort

6o e need to edit the snort.,on/ ,on/i)uration /ile

sudo vi /usr/local/snort/etc/snort.conf

'han)e these lines /ro* thisvar WHITE_LIST_PATH ../rulesvar BLACK_LIST_PATH ../rules

To thisvar WHITE_LIST_PATH /usr/local/snort/rulesvar BLACK_LIST_PATH /usr/local/snort/rules

'han)e these lines /ro* thisdynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.sodynamicdetection directory /usr/local/lib/snort_dynamicrules

To thisdynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.sodynamicdetection directory /usr/local/snort/lib/snort_dynamicrules

elo this line =this is to output the uni/ied2 lo)s /or arn(ard>#output unified2: filename merged.log, limit 128, nostamp, \

mpls_event_types, vlan_event_types

Add this lineoutput unified2: filename snort.u2, limit 128

Sa"e the /ile and e+it ba, to the ,o**and pro*pt.

!onload and Install arn(ard2

arn(ard2 i*pro"es the e//i,ien,( o/ Snort b( redu,in) the load on the *ain dete,tion en)ine. It reads Snort


10/13

sudo chmod 666 /var/log/barnyard2sudo touch /var/log/snort/barnyard2.waldosudo chown snort.snort /var/log/snort/barnyard2.waldo

6o let


11/13

Settin) up the netor ,ards

6o that e ha"e all the ne,essar( so/tare installed and read( to )o$ e ,an ,on/i)ure the netor ,ables$ I#addresses$ Snort and Snort Report. The e+a*ples belo ill re/le,t the in/or*ation in :i)ure 1 at the top o/ thisdo,u*ent so (ou ill liel( ha"e to tune the I# addresses$ subnet *ass et, in order to re/le,t (our netor.

To set the I# address on the /irst ,ard *odi/( the netor ,on/i)uration /ile ith this ,o**and

sudo vi /etc/network/interfaces

'han)e the /olloin) lines /ro* this

auto eth0iface eth0 inet dhcp

to these "alues

auto eth0iface eth0 inet staticaddress 192.168.1.1netmask 255.255.255.0network 192.168.1.0broadcast 192.168.1.255gateway 192.168.1.1

6o add the /olloin) lines at the end o/ the /ile to start the se,ond ,ard ithout an I# address

auto eth1iface eth1 inet manualifconfig eth1 up

Sa"e and e+it the /ile then reboot

sudo reboot

6o (ou ,an ,onne,t the netor ,ables as illustrated in :i)ure 1. th0 is ,onne,ted to the sa*e subnet as(our *onitorin) orstation and eth1 is ,onne,ted to the se)*ent that (ou ant to *onitor. 8ou ,an "eri/( thisb( usin) the Bi/,on/i)C ,o**and. 8our output should loo so*ethin) lie this =abbre"iated here>

eth0 Link encap:Ethernet HWaddr 00:00:00:00:00:00inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth1 Link encap:Ethernet HWaddr 11:11:11:11:11:11UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

6oti,e ho eth1 does not ha"e an I# address but the inter/a,e has a status o/ Bup.C 6ote there is a ,han,e thateth1 ill not ,o*e up auto*ati,all( until (ou ,o*plete the r,.lo,al step listed belo.


12/13

Testin) Snort

8ou ,an test to see i/ Snort ill run b( usin) this ,o**and

sudo /usr/local/snort/bin/snort -u snort -g snort \-c /usr/local/snort/etc/snort.conf -i eth1

8ou should see a *essa)e sa(in) B'o**en,in) pa,et pro,essin).C 8ou ,an ,an,el out o/ it b( hittin) 'ontrol'. I/ it /ails to initialiEe please see the /oru*s at snort.or) to deter*ine the proble*. It ill usuall( be so*ethin)in the ,on/i)uration /ile.

To set Snort to start auto*ati,all( on (our *a,hine edit the r,.lo,al /ile ith the /olloin) ,o**and

sudo vi /etc/rc.local

Then paste the /olloin) ,ontent in the /ile =be/ore the Bexit 0C line>

/usr/local/snort/bin/snort -D -u snort -g snort \-c /usr/local/snort/etc/snort.conf -i eth1

/usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf \-d /var/log/snort \-f snort.u2 \-w /var/log/snort/barnyard2.waldo \-D

Sa"e the /ile and e+it. Then either reboot or use the /olloin) ,o**and to start Snort

sudo /etc/init.d/rc.local start

4. onitorin) 8our S(ste*

at,hin) Snort ith Snort Report

:ro* (our ad*inistrati"e orstation (ou should no be able to pull up the Snort Report *ain pa)e b( brosin)to http--192.1DH.1.1-snortreport1.3. 4 -alerts.php. I/ (ou used di//erent I# addresses /or the Snort and ad*inorstation (ou


13/13

3. ;ust a e)innin)

As a re*inder$ this is a "er( basi, do,u*ent to )et (ou up and )oin) ith Snort and Snort Report. It ise+tre*el( ,riti,al that (ou learn all the options in the Snort ,on/i)uration /iles in order to set up an e//e,ti"eI!S-I#S. In parti,ular$ /a*iliariEe (oursel/ ith prepro,essors and per/or*an,e tunin) alon) ith the tools listedabo"e.

There ha"e been si)ni/i,ant ,han)es sin,e Snort 2.H.+ so (ou reall( need to do so*e additional resear,h.

'o**ents$ /eedba, and ,ontributions are el,o*e and en,oura)ed at arti,less(**etri+te,h.,o*.

&isit us on the eb at http--.s(**etri+te,h.,o* /or the latest nes on Snort Report and to donload theneest "ersion.

e also hi)hl( re,o**end si)nin) up /or the snortusers *ailin) list a"ailable at http--.snort.or) and/olloin) us on Titter /or ne )uides and updates to Snort Report here http--titter.,o*-s(**etri+te,h .

Re"ision ?istor(201%0407 @ 1.00 @ Initial release
mailto:[email protected]:[email protected]://www.symmetrixtech.com/http://www.symmetrixtech.com/http://www.snort.org/http://www.snort.org/http://twitter.com/symmetrixtechhttp://twitter.com/symmetrixtechmailto:[email protected]://www.symmetrixtech.com/http://www.snort.org/http://twitter.com/symmetrixtech

018-snortinstallguide2972

Documents