Installing SNORT and BASE

From OnnoWiki
Revision as of 08:59, 14 September 2010 by Onnowpurbo

Download the latest SNORT & SNORT RULES from

http://www.snort.org/dl/
http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz


Prepare the supporting software

# apt-get install libpcre3 libpcre3-dev libpcrecpp0 libpcap0.8 libpcap0.8-dev \
mysql-server libmysqlclient15-dev libphp-adodb libgd2-xpm libgd2-xpm-dev php5-mysql \
php5-gd php-image-graph php-image-canvas php-pear

Ubuntu 9.04 appears to need

# apt-get install libpcre3 libpcre3-dev libpcrecpp0 libpcap0.8 libpcap0.8-dev \
mysql-server libmysqlclient15-dev libphp-adodb libgd2-xpm libgd2-xpm-dev php5-mysql \
php5-gd php-pear

For Ubuntu 10.04

# apt-get install libpcre3 libpcre3-dev libpcrecpp0 libpcap0.8 libpcap0.8-dev \
mysql-server libmysqlclient15-dev libphp-adodb libgd2-xpm libgd2-xpm-dev php5-mysql \
php5-gd php-pear
pear install Numbers_Roman-1.0.2
pear install Numbers_Words-0.16.2
pear install Image_Canvas-0.3.2
pear install Image_Graph-0.7.2


Restart the servers

/etc/init.d/apache2 restart
/etc/init.d/mysql restart

Install Snort. It still seems easier to use the old Snort version; for some reason the new version does not connect properly to the rules database.

cp -Rf snort-2.8.0.tar.gz /usr/local/src/
cd /usr/local/src
tar zxvf snort-2.8.0.tar.gz
cd /usr/local/src/snort-2.8.0
./configure --with-mysql
make
make install
groupadd snort
useradd -g snort snort
mkdir /etc/snort
mkdir /etc/snort/rules
mkdir /var/log/snort


Get the Snort rules from

http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz

The address above appears to be no longer valid. A free community Snort ruleset still needs to be found :( .. If you manage to obtain the Snort community rules, copy them into place:

cp snortrules-snapshot-CURRENT.tar.gz /etc/snort/
cd /etc/snort
tar zxvf snortrules-snapshot-CURRENT.tar.gz


Prepare the Snort configuration

cp /usr/local/src/snort-2.8.0/etc/* /etc/snort
cd /etc/snort/
mkdir /etc/snort/preproc_rules
vi /etc/snort/snort.conf

Change

var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules

to

var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

and set the output plugins to

output database: alert, mysql, user=snort password=snort dbname=snort host=localhost
output database: log, mysql, user=snort password=snort dbname=snort host=localhost
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

Test-run Snort. The Snort rules in use usually still contain many bugs/errors, and the broken ones must be removed so that only working rules are loaded:

/usr/local/bin/snort -dev -c /etc/snort/snort.conf

Example error

Initializing rule chains...
ERROR: (/etc/snort/rules/web-misc.rules)98 => Cannot use 'rawbytes' and  'http_uri' as modifiers for the same "content" nor use 'rawbytes' with   "uricontent".
Fatal Error, Quitting..

This means:

  • the file /etc/snort/rules/web-misc.rules contains an error on line 98
  • edit /etc/snort/rules/web-misc.rules and remove the line that has the error

Repeat until the last remaining error is

ERROR: database: mysql_error: Access denied for user 'snort'@'localhost' (using password: YES)
Fatal Error, Quitting..
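Rather than deleting each offending rule by hand, the prune cycle above can be scripted. The following is an added example, not from the original page: it validates the configuration with Snort's -T (test configuration) mode, parses the "ERROR: (file)line =>" message shown above, comments the reported line out with a marker instead of deleting it, and appends the original rule text to a log so that the disabled rules, and the detection coverage lost with them, can be reviewed when the ruleset is next updated. SNORT_BIN and SNORT_CONF default to the paths used on this page; DISABLED_LOG is an assumed path.

```shell
#!/bin/sh
# Added example (not part of the original OnnoWiki page). Automates the
# "run snort, read the ERROR line, disable that rule, repeat" cycle.
# Defaults mirror the paths used on the page; override via the environment.
SNORT_BIN=${SNORT_BIN:-/usr/local/bin/snort}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
DISABLED_LOG=${DISABLED_LOG:-/var/log/snort/disabled-rules.log}   # assumed path

# Turn a Snort rule-parse error such as
#   ERROR: (/etc/snort/rules/web-misc.rules)98 => Cannot use 'rawbytes' ...
# into "<file> <line>". Prints nothing and returns 1 for any other line.
parse_snort_error() {
    printf '%s\n' "$1" |
        sed -n 's/^ERROR: (\([^)]*\))\([0-9][0-9]*\) =>.*/\1 \2/p' |
        grep .
}

# Comment out line $2 of rule file $1 with a marker (instead of deleting it)
# and record the original rule text, so lost coverage can be reviewed later.
# Returns 1 if the line is already a comment: Snort is then rejecting something
# this script cannot fix (e.g. a rule continued over several lines), so stop.
disable_rule_line() {
    rule=$(sed -n "${2}p" "$1")
    case $rule in
        '#'*) return 1 ;;
    esac
    sed -i "${2}s|^|# DISABLED-BY-PRUNE: |" "$1"
    printf '%s:%s %s\n' "$1" "$2" "$rule" >> "$DISABLED_LOG"
}

# Validate the configuration with "snort -T"; while it reports a rule-file
# error, disable the reported line and try again.
prune_broken_rules() {
    while :; do
        err=$("$SNORT_BIN" -T -c "$SNORT_CONF" 2>&1 | grep '^ERROR: (' | head -n 1)
        if [ -z "$err" ]; then
            echo "Configuration loads cleanly; disabled rules are listed in $DISABLED_LOG"
            return 0
        fi
        loc=$(parse_snort_error "$err") || { echo "Unrecognised error: $err" >&2; return 1; }
        file=${loc% *}
        lineno=${loc##* }
        disable_rule_line "$file" "$lineno" || { echo "Cannot fix $file:$lineno" >&2; return 1; }
        echo "Disabled $file:$lineno"
    done
}

# Only run the loop when invoked explicitly:  sh prune-rules.sh --run
if [ "${1:-}" = "--run" ]; then
    prune_broken_rules
fi
```

Review the log afterwards: every disabled line is a signature that no longer fires, and the "Access denied" database error that remains once the rules load cleanly is handled in the database steps that follow.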

Set up Snort in rc.local

# vi /etc/rc.local

and insert

/usr/local/bin/snort -dev -c /etc/snort/snort.conf -D

Prepare the MySQL database

mysql
mysql> SET PASSWORD FOR root@localhost=PASSWORD('password');

Next, inside MySQL

# mysql -u root -p
Enter password:
create database snort;
grant INSERT,SELECT on root.* to snort@localhost;
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost IDENTIFIED BY 'snortpass' ;
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort IDENTIFIED BY 'snortpass' ;
exit


Or, if you are still testing rather than running in production, assuming username snort, password snort and database snort, you can use the commands

# mysql -u root -p
Enter password:
create database snort;
grant ALL on root.* to snort@localhost;
grant ALL on snort.* to snort@localhost IDENTIFIED BY 'snort' ;
grant ALL on snort.* to snort IDENTIFIED BY 'snort' ;
exit


Create the tables in the snort database

# mysql -u root -p < /usr/local/src/snort-2.8.0/schemas/create_mysql snort
password:

Or, if you are learning with root password 123456, you can use the command

# mysql -u root -p123456 < /usr/local/src/snort-2.8.0/schemas/create_mysql snort

Check the snort database

# mysql -p
Enter password: 
show databases;
use snort
show tables;
exit


Install BASE version 1.4.5

cp base-1.4.5.tar.gz /var/www/
cd /var/www
tar zxvf base-1.4.5.tar.gz
mv base-1.4.5 base
cd /var/www/base
cp base_conf.php.dist base_conf.php


Edit the BASE configuration

# vi base_conf.php

and fill in

$BASE_urlpath = "/base";
$DBlib_path = "/usr/share/php/adodb/";
// $DBlib_path = "/var/adodb/";   // use this path instead for a manual adodb installation
$DBtype = "mysql";

$alert_dbname   = 'snort';
$alert_host     = 'localhost';
$alert_port     = '';
$alert_user     = 'snort';
$alert_password = 'snort';

$archive_exists   = 0;
$archive_dbname   = 'snort';
$archive_host     = 'localhost';
$archive_port     = '';
$archive_user     = 'snort';
$archive_password = 'snort';
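Three places now hold the same database credentials: the output database lines in snort.conf, the MySQL GRANT, and the $alert_* settings in base_conf.php. The "Access denied for user 'snort'@'localhost'" error earlier on this page is what a disagreement between them looks like at run time, and note that the snort.conf lines above use password=snort while the operational GRANT uses 'snortpass', so one of the two has to be changed. The following is an added example, not from the original page: it reads the credentials from both configuration files (the MySQL side cannot be checked offline) and reports each setting that differs. File paths are passed in as arguments; nothing else is assumed.

```shell
#!/bin/sh
# Added example (not part of the original OnnoWiki page). Reads the database
# credentials Snort writes with (the "output database:" line in snort.conf)
# and the ones BASE reads with ($alert_* in base_conf.php) and reports any
# mismatch, so the two files are checked before the MySQL GRANT is blamed.

# Print "user password dbname host" taken from the first
# "output database: <alert|log>, mysql, key=value ..." line of snort.conf ($1).
# A key that is absent is printed as "(unset)" so the four fields stay aligned.
snort_db_settings() {
    sed -n 's/^output database:[[:space:]]*[a-z]*,[[:space:]]*mysql,[[:space:]]*\(.*\)$/\1/p' "$1" |
        head -n 1 |
        awk 'function get(k) { return (k in v) ? v[k] : "(unset)" }
             { for (i = 1; i <= NF; i++) {
                   n = index($i, "=")                     # split on the first "=" only
                   v[substr($i, 1, n - 1)] = substr($i, n + 1)
               }
               print get("user"), get("password"), get("dbname"), get("host") }'
}

# Print the single-quoted value of PHP variable $<name> ($2) from base_conf.php ($1).
base_setting() {
    sed -n "s/^\\\$$2[[:space:]]*=[[:space:]]*'\\([^']*\\)'.*/\\1/p" "$1" | head -n 1
}

# Compare one value taken from snort.conf ($2, labelled $1) with BASE variable $3.
compare_setting() {
    b_val=$(base_setting "$BASE_CONF_FILE" "$3")
    [ "$2" = "$b_val" ] && return 0
    echo "MISMATCH $1: snort.conf has '$2', base_conf.php has '$b_val'"
    return 1
}

# Returns the number of settings that differ (0 means the two files agree).
check_db_credentials() {   # $1 = snort.conf, $2 = base_conf.php
    BASE_CONF_FILE=$2
    set -- $(snort_db_settings "$1")   # now $1..$4 = user password dbname host
    n=0
    compare_setting user     "$1" alert_user     || n=$((n + 1))
    compare_setting password "$2" alert_password || n=$((n + 1))
    compare_setting dbname   "$3" alert_dbname   || n=$((n + 1))
    compare_setting host     "$4" alert_host     || n=$((n + 1))
    return $n
}

# Usage:  sh check-db-creds.sh /etc/snort/snort.conf /var/www/base/base_conf.php
if [ $# -eq 2 ]; then
    check_db_credentials "$1" "$2"
fi
```

The MySQL side is then the only thing left to verify by hand: the user, password and database named in both files must be the ones granted in the steps above.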

Give the Apache web server access to the BASE folder

# chown -Rf www-data.www-data /var/www/base


Access the SNORT & BASE web interface

http://localhost/base
On the Setup page, click CREATE BASE AG, then open the Main page.

Reading


Interesting Links