SNORT: Compiling SNORT and BASE
Download the latest SNORT & SNORT RULES from:
- http://125.160.17.21/speedyorari/index.php?dir=snort/rules (old rules, for testing)
- http://www.snort.org/snort-downloads
- http://www.snort.org/dl/
- http://www.snort.org/start/rules
- http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz
- http://base.secureideas.net/
Prepare the Supporting Applications
Install the supporting software:
sudo apt-get install libpcre3 libpcre3-dev libpcrecpp0 libpcap0.8 libpcap0.8-dev \
  mysql-server libmysqlclient15-dev libphp-adodb libgd2-xpm libgd2-xpm-dev php5-mysql \
  php5-gd php-image-graph php-image-canvas php-pear
For Ubuntu 9.04 it appears you need:
sudo apt-get install libpcre3 libpcre3-dev libpcrecpp0 libpcap0.8 libpcap0.8-dev \
  mysql-server libmysqlclient15-dev libphp-adodb libgd2-xpm libgd2-xpm-dev php5-mysql \
  php5-gd php-pear
For Ubuntu 10.04:
sudo apt-get install libpcre3 libpcre3-dev libpcrecpp0 libpcap0.8 libpcap0.8-dev \
  mysql-server libmysqlclient15-dev libphp-adodb libgd2-xpm libgd2-xpm-dev php5-mysql \
  php5-gd php-pear apache2 php5 php5-xmlrpc php5-mysql php5-gd php5-cli php5-curl \
  mysql-client
For Ubuntu 10.10:
sudo apt-get install libpcre3 libpcre3-dev libpcrecpp0 libpcap0.8 libpcap0.8-dev \
  mysql-server libmysqlclient15-dev libphp-adodb libgd2-xpm libgd2-xpm-dev php5-mysql \
  php5-gd php-pear apache2 php5 php5-xmlrpc php5-mysql php5-gd php5-cli php5-curl \
  mysql-client libdumbnet1 libdumbnet-dev
For Ubuntu 14.04:
sudo apt-get install libpcre3 libpcre3-dev libpcrecpp0 libpcap0.8 libpcap0.8-dev \
  mysql-server libmysqlclient15-dev libphp-adodb libgd2-xpm-dev php5-mysql \
  php5-gd php-pear apache2 php5 php5-xmlrpc php5-mysql php5-gd php5-cli php5-curl \
  mysql-client libdumbnet1 libdumbnet-dev
Then install the PEAR packages BASE needs for its graphs:
pear install Numbers_Roman-1.0.2
pear install Numbers_Words-0.16.2
pear install Image_Canvas-0.3.2
pear install Image_Graph-0.7.2
pear install --alldeps mail
Restart the servers:
/etc/init.d/apache2 restart
/etc/init.d/mysql restart
Install Snort
Compile the latest Snort (NOT RECOMMENDED, OFTEN FAILS):
apt-get install libdumbnet1 libdumbnet-dev libnet-libdnet-perl libnet-ping-external-perl
cp snort-2.9.0.4.tar.gz /usr/local/src/
cd /usr/local/src
tar zxvf snort-2.9.0.4.tar.gz
cd /usr/local/src/snort-2.9.0.4/
./configure --with-mysql --with-dnet-includes --with-dnet-libraries
make
make install
groupadd snort
useradd -g snort snort
mkdir /etc/snort
mkdir /etc/snort/rules
mkdir /var/log/snort
Sometimes it is still hard to set the snort.conf parameters so that detection works properly. For some reason the new version does not hook up well to the rules database. After compiling the new Snort, it may be safer to compile the old version again:
cp -Rf snort-2.8.0.tar.gz /usr/local/src/
cd /usr/local/src
tar zxvf snort-2.8.0.tar.gz
cd /usr/local/src/snort-2.8.0
./configure --with-mysql
make
make install
groupadd snort
useradd -g snort snort
mkdir /etc/snort
mkdir /etc/snort/rules
mkdir /var/log/snort
Installing the Rules
Get the Snort Rules from:
- http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz
- http://125.160.17.21/speedyorari/index.php?dir=snort/rules
It appears the addresses above are no longer valid, so free Snort community rules will have to be found elsewhere :( .. If you manage to obtain the Snort community rules, copy them into place:
cp snortrules-snapshot-CURRENT.tar.gz /etc/snort/
cd /etc/snort
tar zxvf snortrules-snapshot-CURRENT.tar.gz
Configuring Snort
Prepare the Snort configuration.
Version 2.8.0:
cp /usr/local/src/snort-2.8.0/etc/* /etc/snort
cd /etc/snort/
mkdir /etc/snort/preproc_rules
vi /etc/snort/snort.conf
Version 2.8.6.1:
cp /usr/local/src/snort-2.8.6.1/etc/* /etc/snort
cd /etc/snort/
mkdir /etc/snort/preproc_rules
vi /etc/snort/snort.conf
Version 2.9.0.4:
cp /usr/local/src/snort-2.9.0.4/etc/* /etc/snort
cd /etc/snort/
mkdir /etc/snort/preproc_rules
vi /etc/snort/snort.conf
Change the following (for each var, the default line is followed by the value to use) and set the output plugins:
var RULE_PATH ../rules
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH ../so_rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH ../preproc_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
output database: alert, mysql, user=snort password=snort dbname=snort host=localhost
output database: log, mysql, user=snort password=snort dbname=snort host=localhost
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
Test-run Snort, because the Snort rules in use usually still contain many bugs/errors, and these must be removed so that only good rules are loaded:
/usr/local/bin/snort -dev -c /etc/snort/snort.conf
Example error:
Initializing rule chains...
ERROR: (/etc/snort/rules/web-misc.rules)98 => Cannot use 'rawbytes' and 'http_uri' as modifiers for the same "content" nor use 'rawbytes' with "uricontent".
Fatal Error, Quitting..
This means:
- the file /etc/snort/rules/web-misc.rules contains an error on line 98
- edit /etc/snort/rules/web-misc.rules and remove the line with the error
Repeat until the only error left is:
ERROR: database: mysql_error: Access denied for user 'snort'@'localhost' (using password: YES)
Fatal Error, Quitting..
This last error only means that the snort MySQL user does not exist yet, or that its password does not match the password= in the output database lines of snort.conf; it goes away once the database has been prepared as described below.
Autoexec
Set up Snort to start from rc.local:
# vi /etc/rc.local
and add:
/usr/local/bin/snort -dev -c /etc/snort/snort.conf -D
Prepare the Database
mysql
mysql> SET PASSWORD FOR root@localhost=PASSWORD('password');
Next, in the MySQL database:
# mysql -u root -p
Enter password:
create database snort;
grant INSERT,SELECT on root.* to snort@localhost;
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost IDENTIFIED BY 'snortpass';
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort IDENTIFIED BY 'snortpass';
exit
Or, if you are still testing rather than running in production, assuming root password 123456, username snort, password snort and database snort, you can use:
# mysql -u root -p123456
create database snort;
grant ALL on root.* to snort@localhost;
grant ALL on snort.* to snort@localhost IDENTIFIED BY 'snort';
grant ALL on snort.* to snort IDENTIFIED BY 'snort';
exit
Prepare the tables in the snort database:
# mysql -u root -p < /usr/local/src/snort-2.8.0/schemas/create_mysql snort
password:
Or, while learning with root password 123456, you can use:
# mysql -u root -p123456 < /usr/local/src/snort-2.8.0/schemas/create_mysql snort
or
# mysql -u root -p123456 < /usr/local/src/snort-2.8.6.1/schemas/create_mysql snort
Verify that the database and tables exist:
# mysql -p
Enter password:
show databases;
use snort;
show tables;
exit
Set up BASE
Download from
Install BASE version 1.4.5:
cp base-1.4.5.tar.gz /var/www/
cd /var/www
tar zxvf base-1.4.5.tar.gz
mv base-1.4.5 base
cd /var/www/base
cp base_conf.php.dist base_conf.php
Edit the BASE configuration:
# vi base_conf.php
and fill in:
$BASE_urlpath = "/base";
$DBlib_path = "/usr/share/php/adodb/";
// $DBlib_path = "/var/adodb/";   // use this instead for a manual adodb installation
$DBtype = "mysql";
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = "";
$alert_user = 'snort';
$alert_password = 'snort';
$archive_exists = 0;
$archive_dbname = 'snort';
$archive_host = 'localhost';
$archive_port = "";
$archive_user = 'snort';
$archive_password = 'snort';
Give the Apache web server permission to access the BASE folder:
# chown -Rf www-data.www-data /var/www/base
Open in a browser:
http://localhost/base
On the Setup page, click "Create BASE AG", then go to the Main page.
Further Reading
References:
- http://125.160.17.21/speedyorari/index.php?dir=snort/rules (old rules, for testing)
- http://www.snort.org/snort-downloads
- http://www.snort.org/dl/
- http://www.snort.org/start/rules
- http://base.secureideas.net/