Snort 2.9.2 installation on RHEL 6.2

Threats against an organization's information and integrity are more abundant and insidious than ever, with more than 8 million viruses and other forms of attack added in the last 12 months alone. As a result, organizations continue to turn to intrusion detection and prevention systems as foundational controls for an in-depth defense against identified attacks — while ensuring legitimate traffic reaches its intended destination for continued business operation.

This article describes the process of setting up a Snort 2.9.2 Intrusion Detection System (IDS) on Red Hat Enterprise Linux (RHEL) Server 6.2 on x86_64 hardware.

Install Dependencies

Some or all of these may already be on your system, depending on your installation options. It is best to make sure, though:
$ yum install pcre pcre-devel php php-common php-gd php-cli php-mysql flex bison
$ yum install libxml2-devel php-pear.noarch vim-enhanced.x86_64 gcc gcc-cpp gcc-c++
$ rpm -Uvh http://ftp.riken.jp/Linux/fedora/epel/6/i386/epel-release-6-7.noarch.rpm
$ rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
$ yum install php-pear-DB.noarch php-pear-File.noarch
$ yum -y install iptables-devel mysql-devel

Update the system:
$ yum -y update

Reboot the system:
$ reboot


Downloading pre-requisites

Download the following packages into /root/snort-packages (the directory the later steps extract from):
$ wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
$ wget http://www.snort.org/downloads/1221 -O daq-0.6.2.tar.gz
$ wget http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz
$ wget http://www.snort.org/downloads/1347 -O snort-2.9.2.tar.gz
$ wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
$ wget http://ftp.netfilter.org/pub/libnfnetlink/libnfnetlink-0.0.41.tar.bz2
$ wget http://ftp.netfilter.org/pub/libnetfilter_queue/libnetfilter_queue-1.0.1.tar.bz2
$ wget http://www.snort.org/reg-rules/snortrules-snapshot-2912.tar.gz/64ff58897b3a5c5296261a7eb3feeb5d75266124 -O snortrules-snapshot-2912.tar.gz

Installing Pre-Requisites

Install the libdnet package

$ cd /root/snort-packages
$ tar zxvf /root/snort-packages/libdnet-1.12.tgz
$ cd /root/snort-packages/libdnet-1.12
$ ./configure "CFLAGS=-fPIC -g -O2" --prefix=/usr
$ make
$ make install
$ yum install libdnet-devel
$ locate libdnet
$ ln -s libdnet.1 /usr/lib64/libdnet.so.1
$ cp /usr/lib64/libdnet.so.1 /usr/local/lib/libdnet.so.1

Install the libnfnetlink and libnetfilter_queue packages

$ cd /root/snort-packages
$ tar xf /root/snort-packages/libnfnetlink-0.0.41.tar.bz2
$ cd /root/snort-packages/libnfnetlink-0.0.41
$ ./configure --prefix=/usr
$ make
$ make install
$ export PKG_CONFIG_PATH=/usr/lib/pkgconfig/
$ cd /root/snort-packages
$ tar xf /root/snort-packages/libnetfilter_queue-1.0.1.tar.bz2
$ cd /root/snort-packages/libnetfilter_queue-1.0.1
$ ./configure --prefix=/usr/local
$ make
$ make install

Uninstall the old libpcap version and install the new version

$ yum remove libpcap libpcap-devel
$ cd /usr
$ tar zxvf /root/snort-packages/libpcap-1.1.1.tar.gz
$ cd libpcap-1.1.1
$ ./configure
$ make
$ make install
$ cp /usr/local/lib/libpcap.a /usr/lib64/

Install DAQ

$ cd /usr
$ tar zxvf /root/snort-packages/daq-0.6.2.tar.gz
$ cd daq-0.6.2
$ ./configure

Note: Before running make, open the netlink.h file and add the lines below so that SOL_NETLINK is defined:
$ vi /usr/include/linux/netlink.h
#ifndef SOL_NETLINK
#define SOL_NETLINK 270
#endif
$ make
$ make install

Snort Installation

$ cd /usr
$ tar zxvf /root/snort-packages/snort-2.9.2.tar.gz
$ cd snort-2.9.2
$ ./configure --with-mysql-libraries=/usr/lib64/mysql/
$ make
$ make install

Set up Snort Environment

Create a directory for storing the Snort configuration files:
$ mkdir /etc/snort
Create a directory for storing the Snort logs:
$ mkdir /var/log/snort

Install the Snort rules

$ cd /etc/snort
$ tar zxvf /root/snort-packages/snortrules-snapshot-2912.tar.gz -C /etc/snort
Note: Create a group snort.
$ groupadd snort
Note: Add a user snort and assign it to group snort.
$ useradd -g snort snort -s /bin/false
Note: Change the ownership of /var/log/snort.
$ chown snort:snort /var/log/snort
$ touch /var/log/snort/alert
$ chown snort:snort /var/log/snort/alert
$ chmod 600 /var/log/snort/alert
$ mkdir /usr/local/lib/snort_dynamicrules
$ cd /usr/local/lib/snort_dynamicrules
$ cp /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.1.2/*.so /usr/local/lib/snort_dynamicrules

Note: Enable the shared-object rules by appending them to a rules file with the command below.
$ cd /usr/local/lib/snort_dynamicrules
$ cat /etc/snort/so_rules/*.rules >> /etc/snort/rules/so-rules.rules

Configuring Snort and Snort Rules

Note: The snort.conf file defines how Snort will run once the application is started.
$ vi /etc/snort/etc/snort.conf
Find the variable RULE_PATH and change it to /etc/snort/rules
Find the variable PREPROC_RULE_PATH and change it to /etc/snort/preproc_rules
Find the variable SO_RULE_PATH and change it to /etc/snort/so_rules

Search for "reputation" and comment out all the lines of that preprocessor. If you want to use it, you have to create white list and black list rules first.

Find "unified2". Uncomment the line, change merged.log to snort.log and make sure to delete the nostamp option. Failing to remove nostamp will cause problems with Barnyard2 parsing the log files. Also remove the mpls and vlan event type statements. When done, it should read like below:
output unified2: filename snort.log, limit 128

Note: The above modifications will cause Snort to generate unified2 log files named "snort.u2.<timestamp>" (e.g. snort.u2.1245910233), limited to 128MB each, and place them in /var/log/snort. You can now run Snort the same way you always have and the unified2 files should be visible.

Test the Snort installation using the command below (-T validates the configuration and exits without sniffing):
$ snort -c /etc/snort/etc/snort.conf -T
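The snort.conf edits above are easy to get half right, so here is an added check script (my own, not part of the original article) that lints a snort.conf for the three rule path variables, a commented-out reputation preprocessor, and a unified2 line that uses snort.log with a limit and no nostamp, mpls or vlan options; the two sample configs it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: lint the snort.conf edits the guide asks
# for, so a leftover 'nostamp' (Barnyard2 cannot parse it) or an unchanged RULE_PATH is
# caught before Snort is started.  Exit status = number of problems found (0 = clean).
check_snort_conf() {
    f="$1"; bad=0
    # rule path variables must be the absolute /etc/snort paths (defaults are ../rules etc.)
    for pair in RULE_PATH=/etc/snort/rules PREPROC_RULE_PATH=/etc/snort/preproc_rules \
                SO_RULE_PATH=/etc/snort/so_rules; do
        name=${pair%%=*}; want=${pair#*=}
        grep -Eq "^var[[:space:]]+$name[[:space:]]+$want[[:space:]]*\$" "$f" \
            || { echo "$name is not set to $want"; bad=$((bad+1)); }
    done
    # the reputation preprocessor must be commented out unless white/black lists exist
    if grep -Eq '^[[:space:]]*preprocessor[[:space:]]+reputation' "$f"; then
        echo "reputation preprocessor is still active"; bad=$((bad+1))
    fi
    # one active unified2 output line: filename snort.log plus a limit, nothing else
    u2=$(grep -E '^[[:space:]]*output[[:space:]]+unified2:' "$f" || true)
    if [ -z "$u2" ]; then
        echo "no active 'output unified2:' line"; bad=$((bad+1))
    else
        case "$u2" in *"filename snort.log"*) ;; *) echo "unified2 filename is not snort.log"; bad=$((bad+1));; esac
        case "$u2" in *"limit "*) ;; *) echo "unified2 has no size limit"; bad=$((bad+1));; esac
        for opt in nostamp mpls_event_types vlan_event_types; do
            case "$u2" in *"$opt"*) echo "unified2 still has $opt"; bad=$((bad+1));; esac
        done
    fi
    return $bad
}
# Constructed sample configs (not real files from the article) to show the checker at work.
TMP=$(mktemp -d)
cat >"$TMP/good.conf" <<'EOF'
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
# preprocessor reputation: \
#   whitelist $WHITE_LIST_PATH/white_list.rules
output unified2: filename snort.log, limit 128
EOF
cat >"$TMP/bad.conf" <<'EOF'
var RULE_PATH ../rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
preprocessor reputation: \
   whitelist $WHITE_LIST_PATH/white_list.rules
output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
EOF
check_snort_conf "$TMP/good.conf" && echo "good.conf: OK"
check_snort_conf "$TMP/bad.conf" || echo "bad.conf: $? problem(s)"
```

Run it against the real file with check_snort_conf /etc/snort/etc/snort.conf before snort -T; a non-zero exit lists what still needs editing.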

Barnyard Installation

$ cd /usr
$ tar zxvf /root/snort-packages/barnyard2-1.9.tar.gz
$ cd barnyard2-1.9
Note: Compile the source and let barnyard2 know that you want MySQL awareness.
$ ./configure --with-mysql-libraries=/usr/lib64/mysql/
$ make
Note: This will place the barnyard2 binary in /usr/local/bin by default.
$ make install
$ cp /usr/barnyard2-1.9/etc/barnyard2.conf /etc/snort
Note: You can check the versions of snort and barnyard2:
$ snort --version
$ barnyard2 --version

Configure barnyard

$ mkdir -p /var/log/barnyard2
$ chmod 666 /var/log/barnyard2
$ touch /var/log/snort/barnyard2.waldo
$ chown snort:snort /var/log/snort/barnyard2.waldo
$ mv /usr/barnyard2-1.9/etc/barnyard2.conf /etc/snort
Note: Edit /etc/snort/barnyard2.conf and add the database details like below. Here the host name will be the IP address of the RDS.
$ vi /etc/snort/barnyard2.conf
output database: log, mysql, user=user_name password=passwd dbname=snorby host=localhost
Uncomment the below two lines:
config hostname: localhost
config interface: eth0
Comment out the below line:
output alert_fast: stdout

Starting Snort during boot

$ ln -s /usr/local/bin/snort /usr/sbin/snort
$ cp /usr/snort-2.9.2/rpm/snortd /etc/init.d
$ cp /usr/snort-2.9.2/rpm/snort.sysconfig /etc/sysconfig/snort
$ cd /etc/rc3.d
$ ln -s ../init.d/snortd S99snortd
$ cd ../rc0.d
$ ln -s ../init.d/snortd K99snortd
$ cd /etc/rc5.d
$ ln -s ../init.d/snortd S99snortd
$ cd ../rc6.d
$ ln -s ../init.d/snortd K99snortd
$ chmod 755 /etc/init.d/snortd
$ chkconfig snortd on
Note: Edit the snort sysconfig file.
$ vim /etc/sysconfig/snort
Find and comment out ALERTMODE=FAST, DUMP_APP=1 and BINARY_LOG=1.
Save and close the file.
To test this, type the following:
$ cd /etc/snort/etc
$ cp * /etc/snort
$ /etc/init.d/snortd start

Barnyard configuration

$ vim /etc/snort/barnyard2.conf
Uncomment config daemon.
Uncomment and set the path to your waldo file, /var/log/snort/barnyard2.waldo.
$ vim /usr/barnyard2-1.9/rpm/barnyard2.config

Change LOG_FILE to snort.log and change the CONF variable to /etc/snort/barnyard2.conf

Starting Barnyard2 during boot

$ ln -s /usr/local/bin/barnyard2 /usr/sbin/barnyard2
$ cp /usr/barnyard2-1.9/rpm/barnyard2 /etc/init.d

Edit the barnyard2 init script:
$ vim /etc/init.d/barnyard2
Change the BARNYARD_OPTS line to read BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR -w $WALDO_FILE -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS". Save and close the file.

$ cp /usr/barnyard2-1.9/rpm/barnyard2.config /etc/sysconfig/barnyard2
$ chmod 755 /usr/local/bin/barnyard2
$ cd /etc/rc3.d
$ ln -s ../init.d/barnyard2 S99barnyard2
$ cd ../rc0.d
$ ln -s ../init.d/barnyard2 K99barnyard2
$ cd /etc/rc5.d
$ ln -s ../init.d/barnyard2 S99barnyard2
$ cd ../rc6.d
$ ln -s ../init.d/barnyard2 K99barnyard2
$ chmod 755 /etc/init.d/barnyard2
$ chkconfig --add barnyard2
$ chkconfig barnyard2 on
To test, type:
$ /etc/init.d/barnyard2 start
