Difference between revisions of "SNORT: Install SNORT untuk BARNYARD2"

From OnnoWiki
Revision as of 13:10, 2 June 2015

Assumptions:

  • IP address 192.168.0.100
  • server name: refserver

Check the interface

sudo su
vi /etc/network/interfaces
auto eth0
iface eth0 inet static
        address 192.168.0.100
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.223
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 8.8.8.8


Install apache & MySQL

Installation

apt-get update -y
apt-get -y install apache2 libapache2-mod-php5 mysql-server mysql-common mysql-client php5-mysql libmysqlclient-dev \
php5-gd php-pear libphp-adodb php5-cli

If you are still learning, you can use:

  • MySQL root password 123456

Install dependencies

apt-get -y install libwww-perl libnet1 libnet1-dev libpcre3 libpcre3-dev autoconf libcrypt-ssleay-perl \
libtool libssl-dev build-essential automake gcc make flex bison git

Install Deps

Download and install libdnet:

mkdir /usr/local/snort
cd /usr/local/snort
wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
tar xzvf libdnet-1.12.tgz
cd libdnet-1.12/
./configure
make
make install
ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1

Install libpcap; libpcap must be installed before DAQ.

cd /usr/local/snort
wget http://www.tcpdump.org/release/libpcap-1.6.2.tar.gz
tar -xzvf libpcap-1.6.2.tar.gz
cd libpcap-1.6.2
./configure
make
make install
echo "/usr/local/lib" >> /etc/ld.so.conf
ldconfig -v

Downloading & Installing DAQ:

cd /usr/local/snort
wget https://www.snort.org/downloads/snort/daq-2.0.5.tar.gz
tar zxvf daq-2.0.5.tar.gz
cd daq-2.0.5
./configure
make
make install

Download & Install Snort:

cd /usr/local/snort
wget https://www.snort.org/downloads/snort/snort-2.9.7.3.tar.gz
tar -xzvf snort-2.9.7.3.tar.gz
cd snort-2.9.7.3
./configure --prefix=/usr/local/snort --enable-sourcefire
make
make install
mkdir /var/log/snort
mkdir /var/snort
groupadd snort
useradd -g snort snort
chown snort:snort /var/log/snort

Download Latest Snort Rules

We can download the latest Snort rules. We need to create a login at snort.org and then sign in to download the rules. Once the rules have been downloaded, run:

cd /usr/local/src
tar zxf snortrules-snapshot-2973.tar.gz -C /usr/local/snort
mkdir -p /usr/local/snort/lib/snort_dynamicrules
cp /usr/local/snort/so_rules/precompiled/Ubuntu-12-04/x86-64/2.9.7.3/* /usr/local/snort/lib/snort_dynamicrules/
touch /usr/local/snort/rules/white_list.rules
touch /usr/local/snort/rules/black_list.rules
ldconfig -v

Edit the snort.conf configuration file

vi /usr/local/snort/etc/snort.conf

Set the values below

var WHITE_LIST_PATH /usr/local/snort/rules
var BLACK_LIST_PATH /usr/local/snort/rules

dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules

output unified2: filename snort.u2, limit 128


Download & Install Barnyard2

Barnyard2 improves Snort's efficiency by taking load off the main detection engine: Barnyard2 reads Snort's logging output files and inserts them into the database. If the database is unavailable, Barnyard2 inserts the data once the database is back online, so no alert is lost.

Install Barnyard2:

cd /usr/local/src
git clone  http://github.com/firnsy/barnyard2.git barnyard2
cd barnyard2
autoreconf -fvi -I ./m4
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
make
make install
cp etc/barnyard2.conf /usr/local/snort/etc
mkdir /var/log/barnyard2
chmod 666 /var/log/barnyard2
touch /var/log/snort/barnyard2.waldo
chown snort.snort /var/log/snort/barnyard2.waldo

Create the database that Barnyard2 will use to store Snort's events:

mysql -u root -p123456
create database snortdb;
grant create, insert, select, delete, update on snortdb.* to 'snortuser'@'localhost' identified by '3ngin33r';
flush privileges;
quit;

Create the Snort DB schema

mysql -u root -p123456 -D snortdb < /usr/local/src/barnyard2/schemas/create_mysql

Modify the Barnyard2 configuration file with the following command:

vi /usr/local/snort/etc/barnyard2.conf

Set the following values

config reference_file: /usr/local/snort/etc/reference.config
config classification_file: /usr/local/snort/etc/classification.config
config gen_file: /usr/local/snort/etc/gen-msg.map
config sid_file: /usr/local/snort/etc/sid-msg.map
config hostname: localhost
config interface: eth0

output database: log, mysql, dbname=snortdb user=snortuser password=3ngin33r host=localhost

Adjust the Snort configuration for Barnyard2

cp /usr/local/snort/snort-2.9.7.3/etc/gen-msg.map /usr/local/snort/etc/


Test Snort

/usr/local/snort/bin/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0


The output will look roughly like:

..
..
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
Commencing packet processing (pid=26253)

The line

"Commencing packet processing"

must appear; it indicates that Snort has been installed and configured correctly.

Auto Start

To start Snort automatically, add the following to rc.local before "exit"

vi /etc/rc.local

Contents:

ifconfig eth0 up

/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0
/usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D
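The script below is an added example and is not part of the original wiki page or of the Snort/Barnyard2 projects. It cross-checks the handoff described above: the `output unified2: filename ...` line set in snort.conf, the `-f` argument given to barnyard2 in rc.local, and the "Commencing packet processing" line from the Snort test run. The function names and the sample files built in `demo()` are constructed for illustration; only the paths and values mirror the page.

```shell
#!/bin/sh
# Added example, not from the original page: sanity checks for the handoff
# between Snort (writes unified2 files) and Barnyard2 (reads them). File
# paths are parameters; the samples in demo() are constructed.

# Print the unified2 base filename declared in a snort.conf, e.g.
#   output unified2: filename snort.u2, limit 128   ->   snort.u2
# Commented-out "# output unified2:" lines are ignored.
unified2_filename() {
    sed -n 's/^[[:space:]]*output[[:space:]]*unified2:[[:space:]]*filename[[:space:]]*\([^,[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Print the file given to "barnyard2 ... -f <file>" in a start script such as rc.local
barnyard2_input_file() {
    sed -n 's/.*barnyard2.*[[:space:]]-f[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Succeed only when Barnyard2 is told to read exactly the file Snort writes.
# A mismatch is silent in production: Snort logs, Barnyard2 idles on a file
# that never appears, and the database never receives an alert.
check_unified2_consistency() {
    want=$(unified2_filename "$1")
    have=$(barnyard2_input_file "$2")
    if [ -z "$want" ]; then
        echo "no 'output unified2' line in $1"
        return 1
    fi
    if [ "$want" != "$have" ]; then
        echo "mismatch: snort writes '$want', barnyard2 reads '$have'"
        return 1
    fi
    echo "ok: both sides use '$want'"
}

# Print the pid from Snort's "Commencing packet processing (pid=N)" line;
# prints nothing when Snort did not reach that point (config error, bad rule).
snort_started_pid() {
    sed -n 's/^Commencing packet processing (pid=\([0-9]\{1,\}\)).*/\1/p' "$1" | head -n 1
}

demo() {
    tmp=$(mktemp -d)
    # constructed samples: snort.conf as on the page, and an rc.local whose -f
    # is deliberately wrong (snort.log instead of snort.u2)
    printf 'output unified2: filename snort.u2, limit 128\n' > "$tmp/snort.conf"
    printf '/usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D\n' > "$tmp/rc.local"
    printf 'Commencing packet processing (pid=26253)\n' > "$tmp/snort.out"
    check_unified2_consistency "$tmp/snort.conf" "$tmp/rc.local" || true
    echo "snort pid: $(snort_started_pid "$tmp/snort.out")"
    rm -rf "$tmp"
}

demo
```

Run it as `sh check_handoff.sh` on the real files by calling `check_unified2_consistency /usr/local/snort/etc/snort.conf /etc/rc.local` instead of `demo`; a non-zero exit means alerts will be written to disk but never reach the database.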


Install Snort Report

wget http://symmetrixtech.com/download/snortreport-1.3.4.tar.gz
wget http://symmetrixtech.com/wp/wp-content/uploads/2014/09/snortreport-1.3.4.tar.gz
tar -xzf snortreport-1.3.4.tar.gz -C /var/www/html

Set Database:

vim /var/www/html/snortreport-1.3.4/srconf.php
$server = "localhost";
$user = "snortuser";
$pass = "3ngin33r";
$dbname = "snortdb";

Download and install JPGraph:

wget http://jpgraph.net/download/download.php?p=5 -O jpgraph-3.5.0b1.tar.gz
tar xvzf jpgraph-3.5.0b1.tar.gz -C /var/www/html/
mv /var/www/html/jpgraph-3.5.0b1 /var/www/html/jpgraph

Download and Install ADODB5:

wget http://downloads.sourceforge.net/project/adodb/adodb-php5-only/adodb-519-for-php5/adodb519.tar.gz
tar -xzf adodb519.tar.gz -C /var/www/html
mv /var/www/html/adodb519 /var/www/html/adodb5

Installing and configuring ACID (install either ACID or BASE; BASE is shown below):

cd /usr/local/src
wget http://acidlab.sourceforge.net/acid-0.9.6b23.tar.gz
tar -xzf acid-0.9.6b23.tar.gz -C /var/www/html
cd /var/www/html/acid/
vim acid_conf.php

– Set the options as follows:

$DBlib_path = "/var/www/html/adodb5";

$alert_dbname   = "snortdb";
$alert_host     = "localhost";
$alert_port     = "";
$alert_user     = "snortuser";
$alert_password = "3ngin33r";

/* Archive DB connection parameters */
$archive_dbname   = "snortdb";
$archive_host     = "localhost";
$archive_port     = "";
$archive_user     = "snortuser";
$archive_password = "3ngin33r";

/* JPGraph was renamed to /var/www/html/jpgraph in the step above */
$ChartLib_path = "/var/www/html/jpgraph";


— Save and quit


– Restart Apache and browse to the following URL:

http://<ServerIP>/acid


Installing BASE as the Snort front-end (RECOMMENDED for Snort)

— I used BASE as ACID didn’t work for me.

– Check that all dependencies are installed, or install them with the following command:

apt-get install apache2 libapache2-mod-php5 php5 php5-mysql php5-common php5-gd php5-cli php-pear unzip -y

– Install the PEAR Image_Graph package

pear install -f Image_Graph

Download and extract BASE

cd /var/www/html/
wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
tar zxvf base-1.4.5.tar.gz
mv base-1.4.5 base

Configure BASE

cd base
cp base_conf.php.dist base_conf.php
vi base_conf.php

– Set the directives as follows:

$BASE_urlpath = '/base';

$DBlib_path = '/var/www/html/adodb5';

$alert_dbname   = 'snortdb';
$alert_host     = 'localhost';
$alert_port     = '';
$alert_user     = 'snortuser';
$alert_password = '3ngin33r';
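The script below is an added example, not part of the original wiki page or of BASE, ACID or Barnyard2. It checks the two things that most often break this step: that base_conf.php (or acid_conf.php) carries the same dbname, user and password that Barnyard2 writes with in its `output database:` line, and that the PHP file contains no typographic quotes, which PHP rejects with a parse error when a configuration is pasted from a web page. The function names and the sample files in `demo()` are constructed; the values mirror the page.

```shell
#!/bin/sh
# Added example, not from the original page: compare the database credentials
# in barnyard2.conf with those in the BASE/ACID PHP config, and flag
# typographic quotes in the PHP file. File paths are parameters; demo()
# builds constructed samples.

# Print one key from barnyard2.conf's "output database:" line, e.g.
#   output database: log, mysql, dbname=snortdb user=snortuser ...
#   barnyard2_db_param barnyard2.conf user   ->  snortuser
barnyard2_db_param() {
    sed -n 's/^[[:space:]]*output[[:space:]]*database:.*[[:space:],]'"$2"'=\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Print the value assigned to $NAME in a PHP config file, for ASCII-quoted
# strings only, e.g.  php_conf_value base_conf.php alert_user  ->  snortuser
# A line quoted with typographic quotes is returned unchanged, which then
# shows up as a mismatch below.
php_conf_value() {
    grep "^[[:space:]]*\\\$$2[[:space:]]*=" "$1" | head -n 1 \
        | sed "s/^[^=]*=[[:space:]]*['\"]//; s/['\"];.*//"
}

# Succeed when dbname, user and password agree between writer and reader
check_console_credentials() {
    rc=0
    for pair in dbname:alert_dbname user:alert_user password:alert_password; do
        key=${pair%%:*}
        var=${pair##*:}
        writer=$(barnyard2_db_param "$1" "$key")
        reader=$(php_conf_value "$2" "$var")
        if [ -z "$writer" ] || [ "$writer" != "$reader" ]; then
            echo "mismatch on $key: barnyard2 '$writer' vs \$$var '$reader'"
            rc=1
        fi
    done
    return $rc
}

# Succeed (and print the offending lines) when the file contains the quotes
# U+2018, U+2019, U+201C, U+201D or the double prime U+2033. All are 3-byte
# UTF-8 sequences beginning with E2 80, so match them byte-wise in the C locale.
has_smart_quotes() {
    pat=$(printf '\342\200[\230\231\234\235\263]')
    LC_ALL=C grep -n "$pat" "$1"
}

demo() {
    tmp=$(mktemp -d)
    # constructed samples: the page's barnyard2 line and a base_conf.php whose
    # password line was pasted with typographic quotes
    printf 'output database: log, mysql, dbname=snortdb user=snortuser password=3ngin33r host=localhost\n' > "$tmp/barnyard2.conf"
    cat > "$tmp/base_conf.php" <<'EOF'
<?php
$alert_dbname   = 'snortdb';
$alert_user     = 'snortuser';
$alert_password = “3ngin33r”;
EOF
    check_console_credentials "$tmp/barnyard2.conf" "$tmp/base_conf.php" || true
    has_smart_quotes "$tmp/base_conf.php" || true
    rm -rf "$tmp"
}

demo
```

On a real install, replace the `demo` call with `check_console_credentials /usr/local/snort/etc/barnyard2.conf /var/www/html/base/base_conf.php` followed by `has_smart_quotes /var/www/html/base/base_conf.php`; the first catches a credential typo before BASE shows "database connection failed", the second catches the quote problem before Apache serves a blank page.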


– Change the ownership of all files to www-data:

chown -R www-data:www-data /var/www/html
service apache2 restart

– Browse to http://<snort_ip_address>/base/ and click on the "setup page" link.
– Click on the "Create BASE AG" button in the upper right of the page.


– Click on the "Main page" link.


(Figure: Config complete)


— Now we should see the BASE dashboard, as shown below:

(Figure: BASE Dashboard)


More HowTos:

  • Installing a Snort sensor on a Windows host with remote Snort + MySQL using WinIDS
  • Installing Snorby on Ubuntu for Snort with Barnyard2

References