SNORT: Compile SNORT dan BASE

Download SNORT & SNORT RULES versi terakhir dari

http://125.160.17.21/speedyorari/index.php?dir=snort/rules RULES JADOEL untuk Percobaan
http://www.snort.org/snort-downloads
http://www.snort.org/dl/
http://www.snort.org/start/rules
http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz
http://base.secureideas.net/

Siapkan Aplikasi Pendukung

Siapkan software pendukung

sudo apt-get install libpcre3 libpcre3-dev libpcrecpp0 libpcap0.8 libpcap0.8-dev \
mysql-server libmysqlclient15-dev libphp-adodb libgd2-xpm libgd2-xpm-dev php5-mysql \
php5-gd php-image-graph php-image-canvas php-pear

Untuk Ubuntu 9.04 tampaknya menggunakan

sudo apt-get install libpcre3 libpcre3-dev libpcrecpp0 libpcap0.8 libpcap0.8-dev \
mysql-server libmysqlclient15-dev libphp-adodb libgd2-xpm libgd2-xpm-dev php5-mysql \
php5-gd php-pear

Untuk Ubuntu 10.04

sudo apt-get install libpcre3 libpcre3-dev libpcrecpp0 libpcap0.8 libpcap0.8-dev \
mysql-server libmysqlclient15-dev libphp-adodb libgd2-xpm libgd2-xpm-dev php5-mysql \
php5-gd php-pear apache2 php5 php5-xmlrpc php5-mysql php5-gd php5-cli php5-curl \
mysql-client

Untuk Ubuntu 10.10

sudo apt-get install libpcre3 libpcre3-dev libpcrecpp0 libpcap0.8 libpcap0.8-dev \
mysql-server libmysqlclient15-dev libphp-adodb libgd2-xpm libgd2-xpm-dev php5-mysql \
php5-gd php-pear apache2 php5 php5-xmlrpc php5-mysql php5-gd php5-cli php5-curl \
mysql-client libdumbnet1 libdumbnet-dev

Untuk Ubuntu 14.04

sudo apt-get install libpcre3 libpcre3-dev libpcrecpp0 libpcap0.8 libpcap0.8-dev \
mysql-server libmysqlclient15-dev libphp-adodb libgd2-xpm-dev php5-mysql \
php5-gd php-pear apache2 php5 php5-xmlrpc php5-mysql php5-gd php5-cli php5-curl \
mysql-client libdumbnet1 libdumbnet-dev

pear install Numbers_Roman-1.0.2
pear install Numbers_Words-0.16.2
pear install Image_Canvas-0.3.2
pear install Image_Graph-0.7.2
pear install --alldeps mail

Restart Server

/etc/init.d/apache2 restart
/etc/init.d/mysql restart

Install snort

Compile snort yang terbaru (TIDAK RECOMMENDED SERING GAGAL)

apt-get install libdumbnet1 libdumbnet-dev libnet-libdnet-perl libnet-ping-external-perl
cp snort-2.9.0.4.tar.gz /usr/local/src/
cd /usr/local/src
tar zxvf snort-2.9.0.4.tar.gz 

cd /usr/local/src/snort-2.9.0.4/
./configure --with-mysql --with-dnet-includes --with-dnet-libraries
make
make install

groupadd snort
useradd -g snort snort
mkdir /etc/snort
mkdir /etc/snort/rules
mkdir /var/log/snort

Kadang kala kita masih kesulitan untuk menset parameter snort.conf agar bisa deteksi dengan baik. Versi yang baru entah kenapa tidak terlalu tersambung ke database rules. Mungkin sesudah compile snort yang baru akan agak aman kalau compile lagi yang lama.

cp -Rf snort-2.8.0.tar.gz /usr/local/src/
cd /usr/local/src
tar zxvf snort-2.8.0.tar.gz

cd /usr/local/src/snort-2.8.0
./configure --with-mysql
make
make install

groupadd snort
useradd -g snort snort
mkdir /etc/snort
mkdir /etc/snort/rules
mkdir /var/log/snort

Instalasi Rules

Ambil Snort Rules dari

http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz
http://125.160.17.21/speedyorari/index.php?dir=snort/rules

Tampaknya alamat di atas sudah tidak valid lagi. Perlu di cari community rules snort yang bebas / gratis :( .. Jika anda berhasil memperoleh community rules snort, lakukan copy Snort Rules

cp snortrules-snapshot-CURRENT.tar.gz /etc/snort/
cd /etc/snort
tar zxvf snortrules-snapshot-CURRENT.tar.gz

Konfigurasi Snort

Siapkan konfigurasi Snort

Versi 2.8.0

cp /usr/local/src/snort-2.8.0/etc/* /etc/snort
cd /etc/snort/
mkdir /etc/snort/preproc_rules
vi /etc/snort/snort.conf

Versi 2.8.6.1

cp /usr/local/src/snort-2.8.6.1/etc/* /etc/snort
cd /etc/snort/
mkdir /etc/snort/preproc_rules
vi /etc/snort/snort.conf

Versi 2.9.0.4

cp /usr/local/src/snort-2.9.0.4/etc/* /etc/snort
cd /etc/snort/
mkdir /etc/snort/preproc_rules
vi /etc/snort/snort.conf

Ubah

var RULE_PATH ../rules                  var RULE_PATH /etc/snort/rules
var SO_RULE_PATH ../so_rules            var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH ../preproc_rules  var PREPROC_RULE_PATH /etc/snort/preproc_rules
output database: alert, mysql, user=snort password=snort dbname=snort host=localhost
output database: log, mysql, user=snort password=snort dbname=snort host=localhost
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

Ujicoba jalankan snort, karena Snort rules yang digunakan biasanya masih banyak bug / error dan harus dibuang supaya hanya rules yang baik yang digunakan

/usr/local/bin/snort -dev -c /etc/snort/snort.conf

Contoh error

Initializing rule chains...
ERROR: (/etc/snort/rules/web-misc.rules)98 => Cannot use 'rawbytes' and  'http_uri' as modifiers for the same "content" nor use 'rawbytes' with   "uricontent".
Fatal Error, Quitting..

Artinya

• file /etc/snort/rules/web-misc.rules mengandung error pada line 98
• edit file /etc/snort/rules/web-misc.rules dan buang line yang ada error-nya

sampai keluar error terakhir

ERROR: database: mysql_error: Access denied for user 'snort'@'localhost' (using password: YES)
Fatal Error, Quitting..

Autoexec

Siapkan snort di rc.local

# vi /etc/rc.local

masukan

/usr/local/bin/snort -dev -c /etc/snort/snort.conf -D

Siapkan Database

Siapkan database MySQL

mysql
mysql> SET PASSWORD FOR root@localhost=PASSWORD('password');

Selanjutnya dengan database MySQL

# mysql -u root -p
Enter password:
create database snort;
grant INSERT,SELECT on root.* to snort@localhost;
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost IDENTIFIED BY 'snortpass' ;
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort IDENTIFIED BY 'snortpass' ;
exit

Atau jika anda masih dalam tahap ujicoba bukan untuk operasional, dengan asumsi root password 123456, username snort, password snort, database snort; dapat menggunakan perintah

# mysql -u root -p123456
create database snort;
grant ALL on root.* to snort@localhost;
grant ALL on snort.* to snort@localhost IDENTIFIED BY 'snort' ;
grant ALL on snort.* to snort IDENTIFIED BY 'snort' ;
exit

Siapkan tabel di database snort

# mysql -u root -p < /usr/local/src/snort-2.8.0/schemas/create_mysql snort
password:

Atau kalau sedang belajar dengan password root 123456 dapat menggunakan perintah

# mysql -u root -p123456 < /usr/local/src/snort-2.8.0/schemas/create_mysql snort

atau

# mysql -u root -p123456 < /usr/local/src/snort-2.8.6.1/schemas/create_mysql snort

Cek database snort

# mysql -p
Enter password: 
show databases;
use snort
show tables;
exit

Siapkan BASE

Download dari

• http://base.secureideas.net/
• http://sourceforge.net/projects/secureideas/

Install BASE untuk versi 1.4.5

cp base-1.4.5.tar.gz /var/www/
cd /var/www
tar zxvf base-1.4.5.tar.gz
mv base-1.4.5 base
cd /var/www/base
cp base_conf.php.dist base_conf.php

Edit konfigurasi BASE

# vi base_conf.php

isi dengan

$BASE_urlpath = "/base";
$DBlib_path = "/usr/share/php/adodb/";
$DBlib_path = "/var/adodb/"; - gunakan ini untuk instalasi adodb manual
$DBtype = "mysql"; 

$alert_dbname   = 'snort';
$alert_host     = 'localhost';
$alert_port     = ;
$alert_user     = 'snort';
$alert_password = 'snort'; 

$archive_exists   = 0;
$archive_dbname   = 'snort';
$archive_host     = 'localhost';
$archive_port     = ;
$archive_user     = 'snort';
$archive_password = 'snort';

Beri ijin Apache Web Server mengakses folder BASE

# chown -Rf www-data.www-data /var/www/base

Akses Web SNORT & BASE

http://localhost/base

Setup page
CREATE BASE AG
Main page

Bacaan

• http://jogja.linux.or.id/berita/arsip/2010/01/14/kustomisasi-konfigurasi-ids-snort/

Referensi

• http://125.160.17.21/speedyorari/index.php?dir=snort/rules RULES JADOEL untuk Percobaan
• http://www.snort.org/snort-downloads
• http://www.snort.org/dl/
• http://www.snort.org/start/rules
• http://base.secureideas.net/

Pranala Menarik

• Linux Howto