018-snortinstallguide2972
TRANSCRIPT
-
8/20/2019 018-snortinstallguide2972
1/13
Snort 2.9.7.2 and Snort Report 1.3.4 on Ubuntu 14.04 LTS Installation Guide
Author: David Gullett
Published April 7, 2015
Version 1.0
Copyright 2015, Symmetrix Technologies
http://www.symmetrixtech.com
Table of Contents
A. Introduction
   1. Equipment Assumptions
   2. Knowledge Assumptions
   3. Use of the Backslash
   4. End Result
Figure 1 - Snort Network Topology
B. Procedure
   1. Operating System
      Acquire Ubuntu LTS
      Installation of Operating System
      Ubuntu Updates
   2. Snort Report
      Download and Set up Snort Report
   3. Snort
      Download and Install the Data Acquisition API
      Download and Install libdnet
      Download and Install Snort
      Download the Latest Snort Rules
      Configure Snort
      Download and Install Barnyard2
      Setting up the Network Cards
      Configuring and Running Snort
      Testing Snort
   4. Monitoring Your System
      Watching Snort with Snort Report
C. Future Tasks
   1. Pulled Pork
   2. BASE and Other Tools
   3. Just a Beginning
A. Introduction
The purpose of this document is to provide the user with a simple installation guide to get Symmetrix Technologies' Snort Report up and running with Sourcefire
Figure 1 – Snort Network Topology
In the figure above, the network card facing the traffic you want to monitor will have no IP address. This will make it far more difficult for the IDS PC to be compromised from an external source. The network card facing your administrative workstation will have an internal non-routable IP address and access to any open ports will be limited to your administrative workstation.
It
multiple Snort IDS machines, which is beyond the scope of this document. Consult http://www.snort.org for more information.
B. Procedure
1. Operating System
Acquire Ubuntu Linux
The first order of business is to download Ubuntu Linux. We then select your time zone.
You will then be prompted to set up a user account. This can be anything you want – just pick one and set the password. Choose No when asked to encrypt your home directory (it will contain nothing valuable and we.
The installer will then try to determine your time zone. If it
After SSH is installed you
Reboot the machine
sudo reboot
At this point you should have a working and updated installation of Ubuntu and we
Download and Install libdnet
There are Ubuntu packages for libdnet but this is an easier method of installation. Download the following file (http://libdnet.googlecode.com/files/libdnet-1.12.tgz) and install it with these commands from your download directory
wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
sudo tar zxvf libdnet-1.12.tgz
cd libdnet-1.12/
sudo ./configure
sudo make
sudo make install
sudo ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1
Download and Install Snort
While we could install the Snort packages from the Ubuntu 14.04 repositories, that doesn
Download the Latest Snort Rules
The next step is to download the latest Snort ruleset. You
Configure Snort
Now we need to edit the snort.conf configuration file
sudo vi /usr/local/snort/etc/snort.conf
Change these lines from this
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
To this
var WHITE_LIST_PATH /usr/local/snort/rules
var BLACK_LIST_PATH /usr/local/snort/rules
Change these lines from this
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
To this
dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules
Below this line (this is to output the unified2 logs for Barnyard)
#output unified2: filename merged.log, limit 128, nostamp, \
mpls_event_types, vlan_event_types
Add this line
output unified2: filename snort.u2, limit 128
Save the file and exit back to the command prompt.
Download and Install Barnyard2
Barnyard2 improves the efficiency of Snort by reducing the load on the main detection engine. It reads Snort
sudo chmod 666 /var/log/barnyard2
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort.snort /var/log/snort/barnyard2.waldo
Now let
Setting up the network cards
Now that we have all the necessary software installed and ready to go, we can configure the network cables, IP addresses, Snort and Snort Report. The examples below will reflect the information in Figure 1 at the top of this document so you will likely have to tune the IP addresses, subnet masks etc. in order to reflect your network.
To set the IP address on the first card modify the network configuration file with this command
sudo vi /etc/network/interfaces
Change the following lines from this
auto eth0
iface eth0 inet dhcp
to these values
auto eth0
iface eth0 inet static
address 192.168.1.1
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
Now add the following lines at the end of the file to start the second card without an IP address
auto eth1
iface eth1 inet manual
up ifconfig eth1 up
Save and exit the file then reboot
sudo reboot
Now you can connect the network cables as illustrated in Figure 1. eth0 is connected to the same subnet as your monitoring workstation and eth1 is connected to the segment that you want to monitor. You can verify this by using the “ifconfig” command. Your output should look something like this (abbreviated here)
eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 11:11:11:11:11:11
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
Notice how eth1 does not have an IP address but the interface has a status of “up.” Note there is a chance that eth1 will not come up automatically until you complete the rc.local step listed below.
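An added example, not from the guide, that checks the interface posture Figure 1 calls for from ifconfig output: the monitoring card must be up with no IPv4 address (so it can sniff but cannot be addressed) and the management card must carry the guide's address. The function names and the sample output are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example, not from the guide: check the sensor's interface posture
# from ifconfig output in the Ubuntu 14.04 format shown above. SAMPLE is
# constructed from the abbreviated output in the guide.
set -eu
SAMPLE='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 11:11:11:11:11:11
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
'
# Print one "<iface> <up|down> <ipv4|none>" line per stanza in $1.
iface_summary() {
    printf '%s' "$1" | awk '
        function flush() { if (name != "") print name, up, ip; name = "" }
        /^[A-Za-z0-9]/ { flush(); name = $1; up = "down"; ip = "none" }
        /inet addr:/   { for (i = 1; i <= NF; i++) if ($i ~ /^addr:/) ip = substr($i, 6) }
        /^ +UP /       { up = "up" }
        END            { flush() }'
}

# Succeed only when interface $1 is up and has no IPv4 address: it can
# sniff the monitored segment but cannot be addressed from it.
is_stealth_iface() {
    iface_summary "$2" | awk -v want="$1" '
        $1 == want { ok = ($2 == "up" && $3 == "none") }
        END        { exit (ok ? 0 : 1) }'
}

# Succeed when interface $1 is up with exactly the IPv4 address $2.
has_mgmt_ip() {
    iface_summary "$3" | awk -v want="$1" -v ip="$2" '
        $1 == want { ok = ($2 == "up" && $3 == ip) }
        END        { exit (ok ? 0 : 1) }'
}

# Full check of the Figure 1 layout against the ifconfig output in $1.
check_sensor_posture() {
    is_stealth_iface eth1 "$1" || { echo "eth1 must be up with no IP address" >&2; return 1; }
    has_mgmt_ip eth0 192.168.1.1 "$1" || { echo "eth0 must be up as 192.168.1.1" >&2; return 1; }
    echo "sensor interface posture OK"
}

# Usage: --sample checks the constructed SAMPLE, --live checks `ifconfig` output.
case "${1:-}" in
    --sample) check_sensor_posture "$SAMPLE" ;;
    --live)   check_sensor_posture "$(ifconfig)" ;;
esac
```

Running it with --live from cron or after each reboot gives an early warning if eth1 ever acquires an address (for example from a stray DHCP lease) or drops to down.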
Testing Snort
You can test to see if Snort will run by using this command
sudo /usr/local/snort/bin/snort -u snort -g snort \
    -c /usr/local/snort/etc/snort.conf -i eth1
You should see a message saying “Commencing packet processing.” You can cancel out of it by hitting Control-C. If it fails to initialize please see the forums at snort.org to determine the problem. It will usually be something in the configuration file.
To set Snort to start automatically on your machine edit the rc.local file with the following command
sudo vi /etc/rc.local
Then paste the following content in the file (before the “exit 0” line)
/usr/local/snort/bin/snort -D -u snort -g snort \
    -c /usr/local/snort/etc/snort.conf -i eth1
/usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf \
    -d /var/log/snort \
    -f snort.u2 \
    -w /var/log/snort/barnyard2.waldo \
    -D
Save the file and exit. Then either reboot or use the following command to start Snort
sudo /etc/init.d/rc.local start
4. Monitoring Your System
Watching Snort with Snort Report
From your administrative workstation you should now be able to pull up the Snort Report main page by browsing to http://192.168.1.1/snortreport-1.3.4/alerts.php. If you used different IP addresses for the Snort and admin workstation you
3. Just a Beginning
As a reminder, this is a very basic document to get you up and going with Snort and Snort Report. It is extremely critical that you learn all the options in the Snort configuration files in order to set up an effective IDS/IPS. In particular, familiarize yourself with preprocessors and performance tuning along with the tools listed above.
There have been significant changes since Snort 2.8.x so you really need to do some additional research.
Comments, feedback and contributions are welcome and encouraged at articles@symmetrixtech.com.
Visit us on the web at http://www.symmetrixtech.com for the latest news on Snort Report and to download the newest version.
We also highly recommend signing up for the snort-users mailing list available at http://www.snort.org and following us on Twitter for new guides and updates to Snort Report here: http://twitter.com/symmetrixtech.
Revision History
20150407 – 1.00 – Initial release