SNORT: Installing SNORT for BARNYARD2
Assumptions:
- IP address 192.168.0.100
- server name: refserver
Check the interface
sudo su
vi /etc/network/interfaces
auto eth0
iface eth0 inet static
address 192.168.0.100
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.223
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 8.8.8.8
Install Apache & MySQL
Installation
apt-get update -y
apt-get -y install apache2 libapache2-mod-php5 mysql-server mysql-common mysql-client php5-mysql libmysqlclient-dev \
php5-gd php-pear libphp-adodb php5-cli
If you are still learning, you can use:
- MySQL root password 123456
Install dependencies
apt-get -y install libwww-perl libnet1 libnet1-dev libpcre3 libpcre3-dev autoconf libcrypt-ssleay-perl \
libtool libssl-dev build-essential automake gcc make flex bison git
Install Deps
Download and install libdnet:
mkdir /usr/local/snort
cd /usr/local/snort
wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
tar xzvf libdnet-1.12.tgz
cd libdnet-1.12/
./configure
make
make install
ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1
Install libpcap; libpcap must be installed before DAQ.
cd /usr/local/snort
wget http://www.tcpdump.org/release/libpcap-1.6.2.tar.gz
tar -xzvf libpcap-1.6.2.tar.gz
cd libpcap-1.6.2
./configure
make
make install
echo "/usr/local/lib" >> /etc/ld.so.conf
ldconfig -v
Downloading & Installing DAQ:
cd /usr/local/snort
wget https://www.snort.org/downloads/snort/daq-2.0.5.tar.gz
tar zxvf daq-2.0.5.tar.gz
cd daq-2.0.5
./configure
make
make install
Download & Install Snort:
cd /usr/local/snort
wget https://www.snort.org/downloads/snort/snort-2.9.7.3.tar.gz
tar -xzvf snort-2.9.7.3.tar.gz
cd snort-2.9.7.3
./configure --prefix=/usr/local/snort --enable-sourcefire
make
make install
mkdir /var/log/snort
mkdir /var/snort
groupadd snort
useradd -g snort snort
chown snort:snort /var/log/snort
Download Latest Snort Rules
We can download the latest Snort rules. We need to create a login at snort.org, then sign in to download the rules. Once the rules have been downloaded, run:
cd /usr/local/src
tar zxf snortrules-snapshot-2973.tar.gz -C /usr/local/snort
mkdir -p /usr/local/snort/lib/snort_dynamicrules
cp /usr/local/snort/so_rules/precompiled/Ubuntu-12-04/x86-64/2.9.7.3/* /usr/local/snort/lib/snort_dynamicrules/
touch /usr/local/snort/rules/white_list.rules
touch /usr/local/snort/rules/black_list.rules
ldconfig -v
Edit the snort.conf configuration file
vi /usr/local/snort/etc/snort.conf
Set the values below
var WHITE_LIST_PATH /usr/local/snort/rules
var BLACK_LIST_PATH /usr/local/snort/rules
dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules
output unified2: filename snort.u2, limit 128
Download & Install Barnyard2
Barnyard2 improves Snort's efficiency by taking load off the main detection engine. Barnyard2 reads Snort's unified2 log output files and inserts the events into the database. If the database is unavailable, Barnyard2 inserts the data once the database is back online, so no alerts are lost.
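The spooling behaviour described above, as an added example that is not part of this page or of Barnyard2 itself: a minimal Python reader for Snort's unified2 output (the snort.u2 files configured in snort.conf) that decodes IPv4 IDS event records (type 7) and keeps a byte-offset bookmark as a simplified stand-in for the waldo file, so a half-written record is retried on the next pass instead of being skipped or inserted twice. Record layouts follow Snort's unified2 headers; the sample records are constructed inline.

```python
import socket
import struct

# Record-type constant from Snort's unified2 headers (UNIFIED2_IDS_EVENT, IPv4).
UNIFIED2_IDS_EVENT = 7
# Every record starts with a 4-byte type and 4-byte length, network byte order.
RECORD_HDR = struct.Struct("!II")
# Unified2IDSEvent body: eleven u32, two u16, four u8 = 52 bytes, big-endian.
IDS_EVENT = struct.Struct("!11I2H4B")
IDS_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
              "signature_id", "generator_id", "signature_revision",
              "classification_id", "priority_id", "ip_source", "ip_destination",
              "sport_itype", "dport_icode", "protocol", "impact_flag",
              "impact", "blocked")

def parse_ids_event(body):
    """Decode one type-7 body into a dict with dotted-quad addresses."""
    ev = dict(zip(IDS_FIELDS, IDS_EVENT.unpack_from(body)))
    for key in ("ip_source", "ip_destination"):
        ev[key] = socket.inet_ntoa(ev[key].to_bytes(4, "big"))
    return ev

def spool(data, bookmark=0):
    """Read every complete record from byte offset `bookmark` (a simplified
    stand-in for the waldo file). Returns (events, new_bookmark). A trailing
    partial record, one Snort is still writing, is left for the next pass, so
    nothing is skipped and nothing is processed twice."""
    events = []
    while bookmark + RECORD_HDR.size <= len(data):
        rtype, length = RECORD_HDR.unpack_from(data, bookmark)
        end = bookmark + RECORD_HDR.size + length
        if end > len(data):
            break  # incomplete record: keep the bookmark here and retry later
        if rtype == UNIFIED2_IDS_EVENT:
            events.append(parse_ids_event(data[bookmark + RECORD_HDR.size:end]))
        bookmark = end  # other record types (e.g. type 2 packet data) are stepped over
    return events, bookmark

def make_event(sid, src, dst, sport, dport):
    """Build a constructed type-7 record (sample input, not real Snort output)."""
    body = IDS_EVENT.pack(1, 1, 1433000000, 0, sid, 1, 1, 3, 2,
                          int.from_bytes(socket.inet_aton(src), "big"),
                          int.from_bytes(socket.inet_aton(dst), "big"),
                          sport, dport, 6, 0, 0, 0)
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body

# Constructed snort.u2 contents: two complete events plus a half-written third.
SAMPLE = (make_event(1000001, "10.0.0.5", "192.168.0.100", 51234, 80)
          + make_event(1000002, "10.0.0.6", "192.168.0.100", 51235, 22)
          + make_event(1000003, "10.0.0.7", "192.168.0.100", 51236, 443)[:20])
```

Calling spool(SAMPLE) returns the two complete events and a bookmark at byte 120; calling it again from that bookmark after the third record has been fully written returns just that record.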
Install barnyard2:
cd /usr/local/src
git clone http://github.com/firnsy/barnyard2.git barnyard2
cd barnyard2
autoreconf -fvi -I ./m4
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
make
make install
cp etc/barnyard2.conf /usr/local/snort/etc
mkdir /var/log/barnyard2
chmod 666 /var/log/barnyard2
touch /var/log/snort/barnyard2.waldo
chown snort:snort /var/log/snort/barnyard2.waldo
Create the database for Snort that Barnyard will use for storage:
mysql -u root -p123456
create database snortdb;
grant create, insert, select, delete, update on snortdb.* to 'snortuser'@'localhost' identified by '3ngin33r';
flush privileges;
quit;
Create the Snort DB schema (run from the barnyard2 source directory)
mysql -u root -p -D snortdb < ./schemas/create_mysql
Modify the Barnyard2 configuration file with the following command:
vi /usr/local/snort/etc/barnyard2.conf
Set Values as given below:
config reference_file: /usr/local/snort/etc/reference.config
config classification_file: /usr/local/snort/etc/classification.config
config gen_file: /usr/local/snort/etc/gen-msg.map
config sid_file: /usr/local/snort/etc/sid-msg.map
config hostname: localhost
config interface: eth0
output database: log, mysql, dbname=snortdb user=snortuser password=3ngin33r host=localhost
SAVE & Quit
[Figure 12: Barnyard2 config change]
Copy required files from the Snort source directory:
- cp /usr/local/snort/snort-2.9.7.3/etc/gen-msg.map /usr/local/snort/etc/   # the snort-2.9.7.3 tree extracted above
Testing Snort:
It’s time to test if Snort has been installed and configured correctly by using this command:
- /usr/local/snort/bin/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0
"Commencing packet processing" must be shown at the end of the command's execution; this means Snort is installed and configured correctly.
[Figure 13: Test Snort]
To set Snort to start automatically on your machine, edit the rc.local file with the following command:
- vim /etc/rc.local
Add the following lines before the "exit" command.
ifconfig eth0 up
/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0
/usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D
SAVE & Quit by :wq!
[Figure 14: Autostart at boot]
Download and set up Snort Report (optional):
Download Snort Report from: http://www.symmetrixtech.com/
or
- wget http://symmetrixtech.com/wp/wp-content/uploads/2014/09/snortreport-1.3.4.tar.gz
- tar -xzf snortreport-1.3.4.tar.gz -C /var/www/html
- vim /var/www/html/snortreport-1.3.4/srconf.php
Set the database details:
$server = "localhost";
$user = "snortuser";
$pass = "3ngin33r";
$dbname = "snortdb";
[Figure 15: Snort Report config edit]
Download and install JPGraph:
- wget http://jpgraph.net/download/download.php?p=5 -O jpgraph-3.5.0b1.tar.gz
- tar xvzf jpgraph-3.5.0b1.tar.gz -C /var/www/html/
- mv /var/www/html/jpgraph-3.5.0b1 /var/www/html/jpgraph
Download and Install ADODB5:
- wget http://downloads.sourceforge.net/project/adodb/adodb-php5-only/adodb-519-for-php5/adodb519.tar.gz
- tar -xzf adodb519.tar.gz -C /var/www/html
- mv /var/www/html/adodb519 /var/www/html/adodb5   # full paths, since the archive was extracted into /var/www/html
Installing and configuring Acid: (Install Either Acid or BASE – BASE shown below)
- cd /usr/local/src
- wget http://acidlab.sourceforge.net/acid-0.9.6b23.tar.gz
- tar -xzf acid-0.9.6b23.tar.gz -C /var/www/html
- cd /var/www/html/acid/
- vim acid_conf.php
– Set Options as:
$DBlib_path = "/var/www/html/adodb5";
$alert_dbname = "snortdb";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snortuser";
$alert_password = "3ngin33r";
/* Archive DB connection parameters */
$archive_dbname = "snortdb";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "snortuser";
$archive_password = "3ngin33r";
$ChartLib_path = "/var/www/html/jpgraph";   /* the directory JPGraph was renamed to above */
— SAVE and Quit
[Figure 16: ACID config edit]
– Restart Apache and browse to the following URL in a browser:
http://<ServerIP>/acid
Installing BASE for Snort Front-end : RECOMMENDED for Snort
— I used BASE as ACID didn’t work for me.
– Check that all dependencies are installed, or install them with the following command:
- apt-get install apache2 libapache2-mod-php5 php5 php5-mysql php5-common php5-gd php5-cli php-pear unzip -y
– Install pear Image_Graph
- pear install -f Image_Graph
Download and extract BASE
- cd /var/www/html/
- wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
- tar zxvf base-1.4.5.tar.gz
- mv base-1.4.5 base
Configure BASE
- cd base
- cp base_conf.php.dist base_conf.php
- vim base_conf.php
– Set Directives as:
$BASE_urlpath = '/base';
$DBlib_path = '/var/www/html/adodb5';
$alert_dbname = 'snortdb';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snortuser';
$alert_password = '3ngin33r';
[Figure 17: BASE config edit]
Change the Ownership of all files to www-data:
- chown -R www-data:www-data /var/www/html
- service apache2 restart
– Browse to: http://<snort_ip_address>/base/ and click on the "setup page" link
– Click on the "Create BASE AG" button in the upper right of the page
[Figure 18: BASE setup page]
– Click on the "Main page" link
[Figure 19: Config complete]
— Now, we should see the BASE dashboard as shown below:
[Figure 20: BASE dashboard]
More HowTos:
– Installing Snort Sensor on Windows Host with Remote Snort +MySQL using WinIDS
– Installing Snorby on Ubuntu for Snort with Barnyard2