Difference between revisions of "SNORT: Install SNORT untuk BARNYARD2"

From OnnoWiki

Latest revision as of 11:43, 21 February 2016

Assumptions:

  • IP address 192.168.0.80
  • server name: refserver



Check the Interface

sudo su
vi /etc/network/interfaces
auto eth0
iface eth0 inet static
        address 192.168.0.80
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.222
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 8.8.8.8


Install Apache & MySQL

Installation:

apt-get update -y
apt-get -y install apache2 libapache2-mod-php5 mysql-server mysql-common mysql-client php5-mysql libmysqlclient-dev \
php5-gd php-pear libphp-adodb php5-cli php5-adodb


If this is a learning/lab setup you can use:

  • MySQL root password 123456 (lab only; pick a real password on any sensor that others can reach)

Install dependencies

apt-get -y install libwww-perl libnet1 libnet1-dev libpcre3 libpcre3-dev autoconf libcrypt-ssleay-perl \
libtool libssl-dev build-essential automake gcc make flex bison git

Install Deps

Download and install libdnet (the libdnet.googlecode.com URL below predates the shutdown of Google Code and no longer resolves; obtain the same libdnet-1.12 tarball from another mirror and continue with the same steps):

mkdir /usr/local/snort
cd /usr/local/snort
wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
tar xzvf libdnet-1.12.tgz
cd libdnet-1.12/
./configure
make
make install
ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1

Install libpcap. It must be installed before DAQ, because DAQ's configure fails without it:

cd /usr/local/snort
wget http://www.tcpdump.org/release/libpcap-1.6.2.tar.gz
tar -xzvf libpcap-1.6.2.tar.gz
cd libpcap-1.6.2
./configure
make
make install
echo "/usr/local/lib" >> /etc/ld.so.conf
ldconfig -v

Downloading & Installing DAQ:

cd /usr/local/snort
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
tar zxvf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure
make
make install

Download & Install Snort:

cd /usr/local/snort
wget https://www.snort.org/downloads/snort/snort-2.9.8.0.tar.gz
tar -xzvf snort-2.9.8.0.tar.gz
cd snort-2.9.8.0
./configure --prefix=/usr/local/snort --enable-sourcefire
make
make install
mkdir /var/log/snort
mkdir /var/snort
groupadd snort
useradd -g snort snort
chown snort:snort /var/log/snort

Download Latest Snort Rules

Download the latest Snort rules. You need an account on snort.org: sign in, download the rules tarball(s), and copy them to /usr/local/src. Only the snapshot matching the installed Snort version is actually required (snortrules-snapshot-2980 for 2.9.8.0): the precompiled shared-object rules copied below are built per Snort version and platform, so the 2.9.8.0 directory must exist in the extracted snapshot. If you also extract the older 2962 and 2976 snapshots, extract the 2980 archive last so that its files take precedence.

Then run:

cd /usr/local/src
tar zxvf community-rules.tar.gz -C /usr/local/snort
tar zxvf snortrules-snapshot-2962.tar.gz -C /usr/local/snort
tar zxvf snortrules-snapshot-2976.tar.gz -C /usr/local/snort
tar zxvf snortrules-snapshot-2980.tar.gz -C /usr/local/snort
mkdir -p /usr/local/snort/lib/snort_dynamicrules
cp /usr/local/snort/so_rules/precompiled/Ubuntu-12-04/x86-64/2.9.8.0/* /usr/local/snort/lib/snort_dynamicrules/
touch /usr/local/snort/rules/white_list.rules
touch /usr/local/snort/rules/black_list.rules
ldconfig -v

Edit the snort.conf configuration file

vi /usr/local/snort/etc/snort.conf

Set the values below. The unified2 "filename" is the base name of the spool files Snort writes to its log directory; Barnyard2 must later be pointed at exactly this name.

var WHITE_LIST_PATH /usr/local/snort/rules
var BLACK_LIST_PATH /usr/local/snort/rules

dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules

output unified2: filename snort.u2, limit 128

Download & Install Barnyard2

Barnyard2 improves Snort's efficiency by taking the database work off the main detection engine. It reads Snort's unified2 log files and writes the events into a database. If the database is unavailable, Barnyard2 keeps reading the spool and inserts the data once the database is back online, so no alerts are lost.

Install barnyard2:

cd /usr/local/src
git clone http://github.com/firnsy/barnyard2.git barnyard2
cd barnyard2
autoreconf -fvi -I ./m4
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
make
make install
cp etc/barnyard2.conf /usr/local/snort/etc
mkdir -p /var/log/barnyard2
chown snort:snort /var/log/barnyard2
touch /var/log/snort/barnyard2.waldo
chown snort:snort /var/log/snort/barnyard2.waldo

(The barnyard2 log directory is given to the snort user instead of being made world-writable with chmod 666, which on a directory also removes the execute bit and makes it unusable.)

Create the database that Barnyard2 will use to store Snort events. Enter the MySQL root password at the prompt (123456 in this lab); avoid passing it on the command line as -p123456, which leaves it in the shell history and the process list:

mysql -u root -p
create database snortdb;
grant create, insert, select, delete, update on snortdb.* to 'snortuser'@'localhost' identified by '3ngin33r';
flush privileges;
quit;

Load the Snort schema into the DB

mysql -u root -p -D snortdb < /usr/local/src/barnyard2/schemas/create_mysql

Edit the Barnyard2 configuration file with the following command:

vi /usr/local/snort/etc/barnyard2.conf

Set the following values

config reference_file: /usr/local/snort/etc/reference.config
config classification_file: /usr/local/snort/etc/classification.config
config gen_file: /usr/local/snort/etc/gen-msg.map
config sid_file: /usr/local/snort/etc/sid-msg.map
config hostname: localhost
config interface: eth0

output database: log, mysql, dbname=snortdb user=snortuser password=3ngin33r host=localhost

Copy gen-msg.map from the Snort source tree (it is not installed by make install, and barnyard2.conf above expects it under /usr/local/snort/etc):

cp /usr/local/snort/snort-2.9.8.0/etc/gen-msg.map /usr/local/snort/etc/

Test Snort

/usr/local/snort/bin/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0


The output will look roughly like:

..
..
           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
Commencing packet processing (pid=6082)

The words

“Commencing packet processing”

must appear; this indicates that Snort has been installed and configured correctly. Stop this foreground test with Ctrl-C before starting the daemons below.

Auto Start

To start Snort automatically, add the following to rc.local before "exit"

vi /etc/rc.local

contents

ifconfig eth0 up

/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0
/usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D

The -f argument is the base name of the unified2 files Snort writes into /var/log/snort, so it must match the "filename" in the output unified2 line of snort.conf (snort.u2 here); with -f snort.log Barnyard2 would sit waiting for files that never appear and nothing would reach the database. "exit 0" must remain the last line of rc.local.
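The steps above spread the same names across three files (snort.conf, barnyard2.conf and rc.local), and a mismatch fails silently: Snort runs, Barnyard2 runs, and the database stays empty. The POSIX sh script below is an added example written for this page, not part of Snort or Barnyard2; it checks that the unified2 base name in snort.conf matches the -f argument on the barnyard2 line of a launcher script, and that every path named by the var WHITE/BLACK_LIST_PATH and dynamic* directives in snort.conf exists. It assumes the page's single-line "output unified2: filename X, limit N" and "barnyard2 ... -f X" formats; the file paths in the usage comment are the page's, not defaults of the tools.

```shell
#!/bin/sh
# Consistency check for the Snort -> Barnyard2 hand-off (example code for this
# page, not from Snort or Barnyard2). Assumes snort.conf contains a line of the
# form "output unified2: filename X, limit N" and the launcher script contains a
# single barnyard2 command line with "-f X".

# Print the unified2 base filename configured in a snort.conf (empty if none).
unified2_basename() {
    sed -n 's/^[[:space:]]*output[[:space:]]*unified2:[[:space:]]*filename[[:space:]]*\([^,[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Print the spool base filename given to barnyard2 via -f in a launcher script
# such as /etc/rc.local (empty if no barnyard2 line is found).
barnyard2_spool_basename() {
    grep 'barnyard2' "$1" | sed -n 's/.*[[:space:]]-f[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Return 0 when snort.conf ($1) and the launcher script ($2) agree on the base
# filename, 1 otherwise. A mismatch (e.g. snort.u2 vs snort.log) means
# barnyard2 never opens the spool files and no alerts reach the database.
check_spool_match() {
    a=$(unified2_basename "$1")
    b=$(barnyard2_spool_basename "$2")
    if [ -n "$a" ] && [ "$a" = "$b" ]; then
        return 0
    fi
    echo "spool mismatch: snort.conf writes '$a', barnyard2 reads '$b'" >&2
    return 1
}

# Print every path named by "var WHITE_LIST_PATH", "var BLACK_LIST_PATH" and the
# dynamicpreprocessor/dynamicengine/dynamicdetection directives of snort.conf
# ($1) that does not exist on this host; return 1 if any is missing.
missing_snort_paths() {
    rc=0
    for p in $(grep -E '^[[:space:]]*(var[[:space:]]+(WHITE|BLACK)_LIST_PATH|dynamic(preprocessor|engine|detection))[[:space:]]' "$1" | awk '{print $NF}'); do
        [ -e "$p" ] || { echo "missing: $p"; rc=1; }
    done
    return $rc
}

# Stand-alone use with the page's file locations (hypothetical paths, adjust to taste):
#   sh check_snort_by2.sh /usr/local/snort/etc/snort.conf /etc/rc.local
if [ $# -eq 2 ]; then
    check_spool_match "$1" "$2" && missing_snort_paths "$1" && echo "OK: spool names match and all snort.conf paths exist"
fi
```

Run it as root after editing rc.local and again after any rules update; a non-zero exit with a "spool mismatch" or "missing:" line tells you which of the three files to fix before rebooting the sensor.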


Install Snort Report

wget http://symmetrixtech.com/download/snortreport-1.3.4.tar.gz
tar -xzf snortreport-1.3.4.tar.gz -C /var/www/html

Set the database parameters:

vi /var/www/html/snortreport-1.3.4/srconf.php
$server = "localhost";
$user = "snortuser";
$pass = "3ngin33r";
$dbname = "snortdb";

Install JPGraph (charting library used by the front-ends)

wget http://jpgraph.net/download/download.php?p=5 -O jpgraph-3.5.0b1.tar.gz
tar xvzf jpgraph-3.5.0b1.tar.gz -C /var/www/html/
mv /var/www/html/jpgraph-3.5.0b1 /var/www/html/jpgraph

Download & Install ADODB5:

wget http://downloads.sourceforge.net/project/adodb/adodb-php5-only/adodb-519-for-php5/adodb519.tar.gz
tar -xzf adodb519.tar.gz -C /var/www/html
cd /var/www/html
mv adodb519 adodb5

Install ACID

Install either ACID or BASE; BASE is the recommended one.

cd /usr/local/src
wget http://acidlab.sourceforge.net/acid-0.9.6b23.tar.gz
tar -xzf acid-0.9.6b23.tar.gz -C /var/www/html
cd /var/www/html/acid/
vim acid_conf.php

Set the options (JPGraph was renamed to /var/www/html/jpgraph above, so point $ChartLib_path there):

$DBlib_path = "/var/www/html/adodb5";

$alert_dbname   = "snortdb";
$alert_host     = "localhost";
$alert_port     = "";
$alert_user     = "snortuser";
$alert_password = "3ngin33r";

/* Archive DB connection parameters */
$archive_dbname   = "snortdb";
$archive_host     = "localhost";
$archive_port     = "";
$archive_user     = "snortuser";
$archive_password = "3ngin33r";

$ChartLib_path = "/var/www/html/jpgraph";


Access it at

http://<ServerIP>/acid


Install BASE

apt-get install apache2 libapache2-mod-php5 php5 php5-mysql php5-common php5-gd php5-cli php-pear unzip -y
pear install -f Image_Graph

Download & extract BASE

cd /usr/local/snort
wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
tar zxvf base-1.4.5.tar.gz -C /var/www/html
cd /var/www/html
mv base-1.4.5 base

Configure BASE

cd /var/www/html/base
cp base_conf.php.dist base_conf.php
vi base_conf.php

Set (/usr/share/php/adodb/ is where the libphp-adodb package installed earlier puts ADOdb; the /var/www/html/adodb5 copy from the ACID step works as well):

$BASE_urlpath = '/base';

$DBlib_path = '/usr/share/php/adodb/';

$alert_dbname   = 'snortdb';
$alert_host     = 'localhost';
$alert_port     = '';
$alert_user     = 'snortuser';
$alert_password = '3ngin33r';


Change the owner & restart Apache

chown -R www-data:www-data /var/www/html
service apache2 restart

Browse to

http://<snort_ip_address>/base/

Then:

  • click the “setup page” link
  • click “Create BASE AG”

References

  • http://blog.muhammadattique.com/install-configure-snort-hids-barnyard2-base-mysql-ubuntu/