SNORT: Install SNORT for BARNYARD2
References
- http://blog.muhammadattique.com/install-configure-snort-hids-barnyard2-base-mysql-ubuntu/

Latest revision as of 11:43, 21 February 2016
Assumptions:
- IP address 192.168.0.80
- server name: refserver

Check Interface

 sudo su
 vi /etc/network/interfaces

 auto eth0
 iface eth0 inet static
 address 192.168.0.80
 netmask 255.255.255.0
 network 192.168.0.0
 broadcast 192.168.0.255
 gateway 192.168.0.222
 # dns-* options are implemented by the resolvconf package, if installed
 dns-nameservers 8.8.8.8

Install apache & MySQL

Installation

 apt-get update -y
 apt-get -y install apache2 libapache2-mod-php5 mysql-server mysql-common mysql-client php5-mysql libmysqlclient-dev \
 php5-gd php-pear libphp-adodb php5-cli php5-adodb

If you are still learning, you can use
- MySQL root password 123456

Install dependencies

 apt-get -y install libwww-perl libnet1 libnet1-dev libpcre3 libpcre3-dev autoconf libcrypt-ssleay-perl \
 libtool libssl-dev build-essential automake gcc make flex bison git

Install Deps

Download and install libdnet:

 mkdir /usr/local/snort
 cd /usr/local/snort
 wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
 tar xzvf libdnet-1.12.tgz
 cd libdnet-1.12/
 ./configure
 make
 make install
 ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1

Install libpcap; libpcap must be installed before DAQ.

 cd /usr/local/snort
 wget http://www.tcpdump.org/release/libpcap-1.6.2.tar.gz
 tar -xzvf libpcap-1.6.2.tar.gz
 cd libpcap-1.6.2
 ./configure
 make
 make install
 echo "/usr/local/lib" >> /etc/ld.so.conf
 ldconfig -v

Downloading & Installing DAQ:

 cd /usr/local/snort
 wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
 tar zxvf daq-2.0.6.tar.gz
 cd daq-2.0.6
 ./configure
 make
 make install

Download & Install Snort:

 cd /usr/local/snort
 wget https://www.snort.org/downloads/snort/snort-2.9.8.0.tar.gz
 tar -xzvf snort-2.9.8.0.tar.gz
 cd snort-2.9.8.0
 ./configure --prefix=/usr/local/snort --enable-sourcefire
 make
 make install
 mkdir /var/log/snort
 mkdir /var/snort
 groupadd snort
 useradd -g snort snort
 chown snort:snort /var/log/snort

Download Latest Snort Rules

We can download the latest Snort rules. We need to create a login at snort.org, then sign in to download the rules. After the rules have been downloaded, copy them to /usr/local/src.

Then run:

 cd /usr/local/src
 tar zxvf community-rules.tar.gz -C /usr/local/snort
 tar zxvf snortrules-snapshot-2962.tar.gz -C /usr/local/snort
 tar zxvf snortrules-snapshot-2976.tar.gz -C /usr/local/snort
 tar zxvf snortrules-snapshot-2980.tar.gz -C /usr/local/snort
 mkdir -p /usr/local/snort/lib/snort_dynamicrules
 cp /usr/local/snort/so_rules/precompiled/Ubuntu-12-04/x86-64/2.9.8.0/* /usr/local/snort/lib/snort_dynamicrules/
 touch /usr/local/snort/rules/white_list.rules
 touch /usr/local/snort/rules/black_list.rules
 ldconfig -v

Edit the snort.conf configuration file

 vi /usr/local/snort/etc/snort.conf

Set the values below

 var WHITE_LIST_PATH /usr/local/snort/rules
 var BLACK_LIST_PATH /usr/local/snort/rules
 dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
 dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
 dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules
 output unified2: filename snort.u2, limit 128

Download & Install Barnyard2

Barnyard2 improves Snort's efficiency by taking load off the main detection engine. Barnyard2 reads Snort's log output files and inserts them into the database. If the database is unavailable, Barnyard2 inserts the data once the database is back online, so no alerts are lost.
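As an added example (not code from the original page or from Barnyard2 itself), a minimal Python reader for the unified2 spool file that `output unified2: filename snort.u2` produces and that Barnyard2 inserts into MySQL: it decodes IDS event and packet records by the layouts in Snort's Unified2_common.h, stops cleanly at a half-written record, and resumes from a saved byte offset, the same job the barnyard2.waldo bookmark does. The spool bytes, the source address 192.168.0.200 and the rule SID 1000001 are constructed for the example; the destination 192.168.0.80 is the page's server address.

```python
import socket
import struct

# Record types from Snort's Unified2_common.h; every field is network byte order.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_VLAN = 104   # IPv4 event + mpls_label/vlan_id, 60-byte body
EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "ip_source", "ip_destination",
                "sport_itype", "dport_icode", "protocol", "impact_flag", "impact",
                "blocked", "mpls_label", "vlan_id")   # the trailing pad field is dropped
EVENT_FMT = "!11I2H4B"
VLAN_FMT = EVENT_FMT + "IHH"
PACKET_FMT = "!7I"   # sensor_id, event_id, event_second, packet_second/usec, linktype, length

def parse_event(body, vlan):
    fmt = VLAN_FMT if vlan else EVENT_FMT
    ev = dict(zip(EVENT_FIELDS, struct.unpack(fmt, body[:struct.calcsize(fmt)])))
    for key in ("ip_source", "ip_destination"):
        ev[key] = socket.inet_ntoa(struct.pack("!I", ev[key]))
    return ev

def read_records(data, offset=0):
    """Yield (offset_after_record, record) for each complete record from offset. A truncated
    tail (Snort may still be writing it) ends the scan, and the last good offset is kept."""
    while offset + 8 <= len(data):
        rtype, rlen = struct.unpack("!II", data[offset:offset + 8])
        end = offset + 8 + rlen
        if end > len(data):
            break
        body = data[offset + 8:end]
        rec = dict(record="unknown", type=rtype)
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN):
            rec = dict(record="event", **parse_event(body, rtype == UNIFIED2_IDS_EVENT_VLAN))
        elif rtype == UNIFIED2_PACKET:
            hdr = struct.unpack(PACKET_FMT, body[:28])
            rec = dict(record="packet", event_id=hdr[1], linktype=hdr[5],
                       packet_data=body[28:28 + hdr[6]])
        offset = end
        yield offset, rec

def spool(data, waldo_offset=0):
    """Barnyard2's loop in miniature: events after waldo_offset, plus the offset to bookmark."""
    events, last = [], waldo_offset
    for last, rec in read_records(data, waldo_offset):
        if rec["record"] == "event":
            events.append(rec)
    return events, last

def build_sample():
    """Constructed sample spool: one VLAN event, its packet, then a half-written event."""
    ip = lambda s: int.from_bytes(socket.inet_aton(s), "big")
    event = struct.pack(VLAN_FMT, 1, 42, 1456000000, 123456, 1000001, 1, 1, 3, 2,
                        ip("192.168.0.200"), ip("192.168.0.80"), 45678, 22, 6, 0, 0, 0, 0, 0, 0)
    pkt = b"\x00" * 14 + b"\x45\x00" + b"\x00" * 30   # placeholder Ethernet + IPv4 bytes
    packet = struct.pack(PACKET_FMT, 1, 42, 1456000000, 1456000000, 123456, 1, len(pkt)) + pkt
    data = struct.pack("!II", UNIFIED2_IDS_EVENT_VLAN, len(event)) + event
    data += struct.pack("!II", UNIFIED2_PACKET, len(packet)) + packet
    return data + struct.pack("!II", UNIFIED2_IDS_EVENT, 52) + b"\x00" * 20
```

Calling `spool(build_sample())` returns the one complete event and offset 150; calling `spool` again with that offset returns nothing new until the partial record at the tail is completed, which is why a crashed or restarted Barnyard2 neither loses nor duplicates alerts.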
Install barnyard2:

 cd /usr/local/src
 git clone http://github.com/firnsy/barnyard2.git barnyard2
 cd barnyard2
 autoreconf -fvi -I ./m4
 ./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
 make
 make install
 cp etc/barnyard2.conf /usr/local/snort/etc
 mkdir /var/log/barnyard2
 chmod 666 /var/log/barnyard2
 touch /var/log/snort/barnyard2.waldo
 chown snort.snort /var/log/snort/barnyard2.waldo

Create the database for Snort that Barnyard will use for storage:

 mysql -u root -p123456

 create database snortdb;
 grant create, insert, select, delete, update on snortdb.* to 'snortuser'@'localhost' identified by '3ngin33r';
 flush privileges;
 quit;

Create Snort DB

 mysql -u root -p123456 -D snortdb < /usr/local/src/barnyard2/schemas/create_mysql

Modify the Barnyard2 configuration file with the following command:

 vi /usr/local/snort/etc/barnyard2.conf

Set the following values

 config reference_file: /usr/local/snort/etc/reference.config
 config classification_file: /usr/local/snort/etc/classification.config
 config gen_file: /usr/local/snort/etc/gen-msg.map
 config sid_file: /usr/local/snort/etc/sid-msg.map
 config hostname: localhost
 config interface: eth0
 output database: log, mysql, dbname=snortdb user=snortuser password=3ngin33r host=localhost

Change the Snort configuration for Barnyard2

 cp /usr/local/snort/snort-2.9.8.0/etc/gen-msg.map /usr/local/snort/etc/

Test Snort

 /usr/local/snort/bin/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0

The output will look roughly like

 ..
 ..
 Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
 Preprocessor Object: SF_DNS Version 1.1 <Build 4>
 Preprocessor Object: SF_SDF Version 1.1 <Build 1>
 Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>
 Preprocessor Object: SF_SSH Version 1.1 <Build 3>
 Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>
 Preprocessor Object: SF_POP Version 1.0 <Build 1>
 Preprocessor Object: SF_SMTP Version 1.1 <Build 9>
 Commencing packet processing (pid=6082)

The words
“Commencing packet processing”
must appear; this indicates that Snort has been installed and configured correctly.

Auto Start

So that Snort runs automatically, add the following to rc.local before "exit"

 vi /etc/rc.local

contents

 ifconfig eth0 up
 /usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0
 # -f must match the unified2 filename prefix set in snort.conf (snort.u2), not snort.log
 /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D
Install Snort Report

 wget http://symmetrixtech.com/download/snortreport-1.3.4.tar.gz
 tar -xzf snortreport-1.3.4.tar.gz -C /var/www/html

Set Database:

 vi /var/www/html/snortreport-1.3.4/srconf.php

 $server = "localhost";
 $user = "snortuser";
 $pass = "3ngin33r";
 $dbname = "snortdb";

Install SnortGraph

 wget "http://jpgraph.net/download/download.php?p=5" -O jpgraph-3.5.0b1.tar.gz
 tar xvzf jpgraph-3.5.0b1.tar.gz -C /var/www/html/
 mv /var/www/html/jpgraph-3.5.0b1 /var/www/html/jpgraph

Download & Install ADODB5:

 wget http://downloads.sourceforge.net/project/adodb/adodb-php5-only/adodb-519-for-php5/adodb519.tar.gz
 tar -xzf adodb519.tar.gz -C /var/www/html
 cd /var/www/html
 mv adodb519 adodb5

Install ACID

Install either ACID or BASE; BASE is the recommended one.

 cd /usr/local/src
 wget http://acidlab.sourceforge.net/acid-0.9.6b23.tar.gz
 tar -xzf acid-0.9.6b23.tar.gz -C /var/www/html
 cd /var/www/html/acid/
 vim acid_conf.php

Set Options:

 $DBlib_path = "/var/www/html/adodb5";
 $alert_dbname = "snortdb";
 $alert_host = "localhost";
 $alert_port = "";
 $alert_user = "snortuser";
 $alert_password = "3ngin33r";

 /* Archive DB connection parameters */
 $archive_dbname = "snortdb";
 $archive_host = "localhost";
 $archive_port = "";
 $archive_user = "snortuser";
 $archive_password = "3ngin33r";

 /* jpgraph was renamed to /var/www/html/jpgraph in the SnortGraph step above */
 $ChartLib_path = "/var/www/html/jpgraph";

Access it using

 http://<ServerIP>/acid

Install BASE

 apt-get install apache2 libapache2-mod-php5 php5 php5-mysql php5-common php5-gd php5-cli php-pear unzip -y
 pear install -f Image_Graph

Download & extract BASE

 cd /usr/local/snort
 wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
 tar zxvf base-1.4.5.tar.gz -C /var/www/html
 cd /var/www/html
 mv base-1.4.5 base

Configure BASE

 cd /var/www/html/base
 cp base_conf.php.dist base_conf.php
 vi base_conf.php

Set

 $BASE_urlpath = '/base';
 $DBlib_path = '/usr/share/php/adodb/';
 $alert_dbname = 'snortdb';
 $alert_host = 'localhost';
 $alert_port = '';
 $alert_user = 'snortuser';
 $alert_password = '3ngin33r';

Change owner & restart

 chown -R www-data:www-data /var/www/html
 service apache2 restart

Access at

 http://<snort_ip_address>/base/

Do:
- click the “setup page” link
- click “Create BASE AG”