Difference between revisions of "Instalasi SNORT dan BASE"

From OnnoWiki

Revision as of 10:23, 28 September 2010

Download the latest versions of SNORT & SNORT RULES from

http://www.snort.org/snort-downloads
http://www.snort.org/dl/
http://www.snort.org/start/rules
http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz


Prepare the supporting software

# apt-get install libpcre3 libpcre3-dev libpcrecpp0 libpcap0.8 libpcap0.8-dev \
mysql-server libmysqlclient15-dev libphp-adodb libgd2-xpm libgd2-xpm-dev php5-mysql \
php5-gd php-image-graph php-image-canvas php-pear

For Ubuntu 9.04 it appears to use

# apt-get install libpcre3 libpcre3-dev libpcrecpp0 libpcap0.8 libpcap0.8-dev \
mysql-server libmysqlclient15-dev libphp-adodb libgd2-xpm libgd2-xpm-dev php5-mysql \
php5-gd php-pear

For Ubuntu 10.04

# apt-get install libpcre3 libpcre3-dev libpcrecpp0 libpcap0.8 libpcap0.8-dev \
mysql-server libmysqlclient15-dev libphp-adodb libgd2-xpm libgd2-xpm-dev php5-mysql \
php5-gd php-pear
pear install Numbers_Roman-1.0.2
pear install Numbers_Words-0.16.2
pear install Image_Canvas-0.3.2
pear install Image_Graph-0.7.2


Restart the servers

/etc/init.d/apache2 restart
/etc/init.d/mysql restart

Install snort

Compile the latest snort

cp -Rf snort-2.8.6.1.tar.gz /usr/local/src/
cd /usr/local/src
tar zxvf snort-2.8.6.1.tar.gz
cd /usr/local/src/snort-2.8.6.1
./configure --with-mysql
make
make install
groupadd snort
useradd -g snort snort
mkdir /etc/snort
mkdir /etc/snort/rules
mkdir /var/log/snort

Sometimes we still have trouble setting the snort.conf parameters so that detection works well. For some reason the new version does not connect very well to the rules database. It may be somewhat safer, after compiling the new snort, to compile the old one again.

cp -Rf snort-2.8.0.tar.gz /usr/local/src/
cd /usr/local/src
tar zxvf snort-2.8.0.tar.gz
cd /usr/local/src/snort-2.8.0
./configure --with-mysql
make
make install
groupadd snort
useradd -g snort snort
mkdir /etc/snort
mkdir /etc/snort/rules
mkdir /var/log/snort

Installing the Rules

Get the Snort Rules from

http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz

The address above appears to no longer be valid. Free snort community rules still need to be found :( .. If you manage to obtain the snort community rules, copy the Snort Rules

cp snortrules-snapshot-CURRENT.tar.gz /etc/snort/
cd /etc/snort
tar zxvf snortrules-snapshot-CURRENT.tar.gz


Snort Configuration

Prepare the Snort configuration

cp /usr/local/src/snort-2.8.0/etc/* /etc/snort
cd /etc/snort/
mkdir /etc/snort/preproc_rules
vi /etc/snort/snort.conf

Change

var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules

to

var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

and set the output plugins to

output database: alert, mysql, user=snort password=snort dbname=snort host=localhost
output database: log, mysql, user=snort password=snort dbname=snort host=localhost
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

Test-run snort, because the Snort rules in use usually still contain many bugs / errors, and these must be removed so that only good rules are used

/usr/local/bin/snort -dev -c /etc/snort/snort.conf

Example error

Initializing rule chains...
ERROR: (/etc/snort/rules/web-misc.rules)98 => Cannot use 'rawbytes' and  'http_uri' as modifiers for the same "content" nor use 'rawbytes' with   "uricontent".
Fatal Error, Quitting..

Meaning

  • the file /etc/snort/rules/web-misc.rules contains an error on line 98
  • edit the file /etc/snort/rules/web-misc.rules and remove the line with the error

until the last error that comes out is

ERROR: database: mysql_error: Access denied for user 'snort'@'localhost' (using password: YES)
Fatal Error, Quitting..
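The cycle above (run snort, read the ERROR line, remove the bad rule line, run again) can be scripted. This is an added example, not from the original page: it assumes the error format shown above (`ERROR: (file)line => message`), one rule per line, and uses `snort -T` (configuration test mode) as the check; the bad line is commented out instead of deleted so it can be reviewed later.

```shell
#!/bin/sh
# Added example (not from the original page): automate the "run snort, read the
# ERROR line, remove the offending rule line, repeat" loop described above.
# Assumptions: Snort reports rule parse errors as
#   ERROR: (/etc/snort/rules/web-misc.rules)98 => <message>
# and each rule fits on one line (no backslash continuations).

# parse_snort_error LINE: print "<rules file> <line number>" for a rule parse
# error; print nothing for any other error (e.g. the MySQL access error).
parse_snort_error() {
    printf '%s\n' "$1" |
        sed -n 's/^ERROR: (\([^)]*\))\([0-9][0-9]*\) => .*/\1 \2/p'
}

# disable_rule_line FILE N: comment out line N of FILE, keeping the line count
# so later error line numbers from snort still match the file.
disable_rule_line() {
    file=$1
    lineno=$2
    awk -v n="$lineno" '
        NR == n && $0 !~ /^#/ { print "# disabled (snort parse error): " $0; next }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# fix_rules_loop SNORT_CONF: test the configuration until it loads, disabling
# one bad rule line per iteration. Stops when the first error is not a rule
# parse error (such as the database access error), and prints it.
fix_rules_loop() {
    conf=$1
    while :; do
        if out=$(/usr/local/bin/snort -T -c "$conf" 2>&1); then
            echo "snort configuration loaded cleanly"
            return 0
        fi
        err=$(printf '%s\n' "$out" | sed -n '/^ERROR: (/{p;q;}')
        set -- $(parse_snort_error "$err")
        if [ $# -ne 2 ]; then
            printf '%s\n' "$out" | grep '^ERROR' || printf '%s\n' "$out" | tail -n 5
            return 1
        fi
        echo "disabling $1 line $2"
        disable_rule_line "$1" "$2"
    done
}
```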

Autoexec

Set up snort in rc.local

# vi /etc/rc.local

insert

/usr/local/bin/snort -dev -c /etc/snort/snort.conf -D

Prepare the Database

Prepare the MySQL database

mysql
mysql> SET PASSWORD FOR root@localhost=PASSWORD('password');

Next, in the MySQL database

# mysql -u root -p
Enter password:
create database snort;
grant INSERT,SELECT on root.* to snort@localhost;
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost IDENTIFIED BY 'snortpass' ;
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort IDENTIFIED BY 'snortpass' ;
exit


Or, if you are still in the trial phase and not yet operational, assuming username snort, password snort and database snort, you can use the commands

# mysql -u root -p
Enter password:
create database snort;
grant ALL on root.* to snort@localhost;
grant ALL on snort.* to snort@localhost IDENTIFIED BY 'snort' ;
grant ALL on snort.* to snort IDENTIFIED BY 'snort' ;
exit


Prepare the tables in the snort database

# mysql -u root -p < /usr/local/src/snort-2.8.0/schemas/create_mysql snort
password:

Or, if you are learning with root password 123456, you can use the command

# mysql -u root -p123456 < /usr/local/src/snort-2.8.0/schemas/create_mysql snort

Check the snort database

# mysql -p
Enter password: 
show databases;
use snort
show tables;
exit


Prepare BASE

Install BASE version 1.4.5

cp base-1.4.5.tar.gz /var/www/
cd /var/www
tar zxvf base-1.4.5.tar.gz
mv base-1.4.5 base
cd /var/www/base
cp base_conf.php.dist base_conf.php


Edit the BASE configuration

# vi base_conf.php

fill in with

$BASE_urlpath = "/base";
$DBlib_path = "/usr/share/php/adodb/";
// $DBlib_path = "/var/adodb/";  // use this instead for a manual adodb installation
$DBtype = "mysql";

$alert_dbname   = 'snort';
$alert_host     = 'localhost';
$alert_port     = '';
$alert_user     = 'snort';
$alert_password = 'snort';

$archive_exists   = 0;
$archive_dbname   = 'snort';
$archive_host     = 'localhost';
$archive_port     = '';
$archive_user     = 'snort';
$archive_password = 'snort';

Give the Apache web server permission to access the BASE folder

# chown -Rf www-data.www-data /var/www/base


Access the SNORT & BASE web interface

http://localhost/base
  • Setup page
  • CREATE BASE AG
  • Main page

Reading

  • http://jogja.linux.or.id/berita/arsip/2010/01/14/kustomisasi-konfigurasi-ids-snort/

References

  • http://www.snort.org/snort-downloads
  • http://www.snort.org/dl/
  • http://www.snort.org/start/rules

Interesting Links