Difference between revisions of "SNORT: Install SNORT"

From OnnoWiki

Latest revision as of 16:57, 2 June 2015

NOT RECOMMENDED: snort-mysql and acidbase are no longer part of the Ubuntu repositories


Install using the command

sudo apt-get install libpcre3 libpcre3-dev libpcrecpp0 libpcap0.8 libpcap0.8-dev \
mysql-server libmysqlclient-dev libphp-adodb libgd2-xpm-dev php5-mysql \
php5-gd php-pear apache2 php5 php5-xmlrpc php5-mysql php5-gd php5-cli php5-curl \
mysql-client libdumbnet1 libdumbnet-dev php-pear
pear install Numbers_Roman
pear install Numbers_Words-0.18.1
pear install Image_Canvas-0.3.5
pear install Image_Graph-0.8.0
pear install --alldeps mail

Configure the database

mysql -u root -p123456
create database snort;
grant ALL on root.* to snort@localhost;
grant ALL on snort.* to snort@localhost IDENTIFIED BY 'snort' ;
grant ALL on snort.* to snort IDENTIFIED BY 'snort' ;
exit

Install SNORT

apt-get install snort snort-common snort-common-libraries snort-rules-default

Enter

Address range for the local network: 192.168.0.0/16
mysql password : snort

Configure the database (load the schema)

cd /usr/share/doc/snort-mysql/
zcat create_mysql.gz | mysql -u <user> -h <host> -p <databasename>

For a lab / learning setup

cd /usr/share/doc/snort-mysql/
zcat create_mysql.gz | mysql -u root -h localhost -p123456 snort

Configure SNORT

vi /etc/snort/database.conf
output database: alert, mysql, user=snort password=snort dbname=snort host=localhost
output database: log, mysql, user=snort password=snort dbname=snort host=localhost

Also check snort.conf; it should already be fine

vi /etc/snort/snort.conf
# in the output database section, add
include database.conf


Remove db-pending-config

rm /etc/snort/db-pending-config

If needed

dpkg-reconfigure -plow snort-mysql


Configure BASE

vi /etc/acidbase/database.php
$alert_user='snort';
$alert_password='snort';
$basepath='/acidbase';
$alert_dbname='snort';
$alert_host='localhost';
$alert_port='';
$DBtype='mysql';

Restart APACHE and SNORT

/etc/init.d/apache2 restart
/etc/init.d/snort restart

Snort can apparently also be started directly with the command

/usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -S HOME_NET=[192.168.0.0/16] -i eth0

Access

http://localhost/acidbase


Some ERRORs

In the past we ran snort using

snort -dev -c /etc/snort/snort.conf -D

If a fatal error such as the following occurs

ERROR: Failed to initialize dynamic preprocessor: SF_SMTP version 1.1.8

it is better to start snort with the command

/etc/init.d/snort restart

Fix the Rules

Run

snort -dev -c /etc/snort/snort.conf

Errors like the following will appear

Warning: /etc/snort/rules/dos.rules(42) => threshold (in rule) is deprecated; use detection_filter instead.
ERROR: /etc/snort/rules/community-smtp.rules(13) => !any is not allowed
Fatal Error, Quitting..

Fix the line reported in the error, for example

vi /etc/snort/rules/dos.rules

delete line 42
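The fix above is done by hand. As an added example (not from the original wiki page), the POSIX shell script below parses Snort's startup diagnostics of the form `path(line) => message`, lists the lines Snort flagged, and comments out (rather than deletes) the rule behind a fatal ERROR so it can be restored later. The sample diagnostic text is constructed from the lines quoted on this page; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original wiki page. Parses Snort's startup
# diagnostics ("path(line) => message") and disables the rule lines Snort
# rejects, so "snort -dev -c /etc/snort/snort.conf" can get past them.

# Constructed sample of the diagnostics shown on the page.
SAMPLE_DIAG='Warning: /etc/snort/rules/dos.rules(42) => threshold (in rule) is deprecated; use detection_filter instead.
ERROR: /etc/snort/rules/community-smtp.rules(13) => !any is not allowed
Fatal Error, Quitting..'

# diag_lines LEVEL  (reads diagnostics on stdin)
# Prints "file line" for every line that starts with "LEVEL:" (ERROR or Warning).
diag_lines() {
    sed -n "s/^$1: \([^(]*\)(\([0-9][0-9]*\)) => .*/\1 \2/p"
}

# disable_rule_line FILE LINE
# Comments out line LINE of FILE with a marker; an already commented line is left alone.
disable_rule_line() {
    awk -v n="$2" '
        NR == n && $0 !~ /^[ \t]*#/ { print "# disabled (snort rejected it): " $0; next }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# fix_rules_from_diag  (reads diagnostics on stdin)
# Disables the rule line behind every fatal ERROR; warnings are only reported.
fix_rules_from_diag() {
    diag="$(cat)"
    printf '%s\n' "$diag" | diag_lines Warning | while read -r f n; do
        printf 'warning only, left in place: %s line %s\n' "$f" "$n"
    done
    printf '%s\n' "$diag" | diag_lines ERROR | while read -r f n; do
        if [ -f "$f" ]; then
            disable_rule_line "$f" "$n"
            printf 'disabled: %s line %s\n' "$f" "$n"
        else
            printf 'missing file, skipped: %s\n' "$f"
        fi
    done
}

# Demonstration on the constructed sample (no rule files are touched here).
printf '%s\n' "$SAMPLE_DIAG" | diag_lines ERROR
```

Typical use is `snort -dev -c /etc/snort/snort.conf 2>&1 | fix_rules_from_diag`, repeated until Snort starts cleanly.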


Allow Access from Non-Localhost

While learning, so that machines other than localhost can reach BASE, we need to edit

vi /etc/acidbase/apache.conf

Add (the allow from 0.0.0.0/0.0.0.0 line admits every source address, which is only appropriate on an isolated lab network)

<DirectoryMatch /usr/share/acidbase/>
  ...
  allow from 127.0.0.0/255.0.0.0
  allow from 0.0.0.0/0.0.0.0
  ...
</DirectoryMatch>

Restart the Web Server

/etc/init.d/apache2 restart

Reading

References

Interesting Links