Snort is Network Intrusion Detection System (NIDS). Snort can sniff your network and alert you based on his rule DB if there is an attack on your computers network. It is an opensource system that was build from tcpdump (linux sniffer tool).
This guide can be used for installing snort only or as part of a series for installing Snort Barnyard and BASE or Snort Barnyard and Snorby.
- su to root user
- Install PCRE and libdnet
- If you are using VirtualBox on windows in network bridge mode like me when I wrote this, maybe you lost your network connection after intalling libdnet, when the “Starting DECnet…” message appears then you need to do the following steps:
- In the virtual machine console check what is the new MAC address of your network card
eth0 Link encap:Ethernet HWaddr aa:00:04:00:0b:04 inet addr:10.4.1.11 Bcast:10.255.255.255 Mask:255.0.0.0 inet6 addr: fe80::a800:4ff:fe00:b04/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:22693 errors:0 dropped:0 overruns:0 frame:0 TX packets:14585 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:27589885 (27.5 MB) TX bytes:1760895 (1.7 MB)
- Power off the virtual machine
- Change the MAC address of your network interface in VirtualBoxto the new one you get after installing libdnet package
- Start your virtual machine
- Create dir for Snort prerequisite sources
- Change dir to the new created directory
- Download and install libpcap
- Download and install DAQ
- Download Snort
- Extract and install Snort
- Create snort user and group
- Create links for Snort files
- Configure Snort startup script to run at startup
- Make the following changes in snort startup file
# Source function library. . /etc/rc.d/init.d/functions... . /etc/default/snort ... # check if more than one interface is given if [ `echo $INTERFACE|wc -w` -gt 2 ]; then... daemon/usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF ... daemon/usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF ... else # Run with a single interface (default) daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST $BPFFILE $BPF fi... touch /var/lock/snort echo ;; ... killall snort rm -f /var/lock/snort echo ;; ... condrestart) [ -e /var/lock/snort ] && $0 restart ;; ...
- Comment out the following variable in /etc/default/snort and add / to the LOGDIR variable
... LOGDIR=/var/log/snort/ ... #ALERTMODE=fast #BINARY_LOG=1 ...
- Download Snort rules files from http://www.snort.org/snort-rules to /usr/local/src/snort
- Extract rules file in the new created directory
- Create directory for snort logging
Configure Snort dynamic rules
- Create links for dynamic rules files and directories
- Set snort permissions
- Comment out or delete all reputation preprocessor configuration lines from snot.conf and configure ouput plugin
... #preprocessor reputation: \ # memcap 500, \ # priority whitelist, \ # nested_ip inner, \ # whitelist $WHITE_LIST_PATH/white_list.rules, \ # blacklist $BLACK_LIST_PATH/black_list.rules ... output unified2: filename snort.log, limit 128 ...
- Create Dynamicrules directory
- Copy dynamicrules files
- i386 system:
- x86_64 system:
- Dump the stub rules
- Enable snort dynamic rules configuration in the end of snort.conf file
... # dynamic library rules include $SO_RULE_PATH/bad-traffic.rules include $SO_RULE_PATH/chat.rules include $SO_RULE_PATH/dos.rules include $SO_RULE_PATH/exploit.rules include $SO_RULE_PATH/icmp.rules include $SO_RULE_PATH/imap.rules include $SO_RULE_PATH/misc.rules include $SO_RULE_PATH/multimedia.rules include $SO_RULE_PATH/netbios.rules include $SO_RULE_PATH/nntp.rules include $SO_RULE_PATH/p2p.rules include $SO_RULE_PATH/smtp.rules include $SO_RULE_PATH/snmp.rules include $SO_RULE_PATH/specific-threats.rules include $SO_RULE_PATH/web-activex.rules include $SO_RULE_PATH/web-client.rules include $SO_RULE_PATH/web-iis.rules include $SO_RULE_PATH/web-misc.rules ...
- Test Snort configuration
- Update Snort rules automatically
PulledPork is an opensource perl script that can update your rules files automatically. To install PulledPork please go to this guide Configure Snort automatic rules updating with PulledPork.
Snort installation completed. Now that we have a Snort server writing it’s data in binary format we need to install Barnyard. Barnyard is application that run on Snort binary files and can output the data to MySQL server and then use it with other PHP web application.
Here is a link for Barnyard Installation.
Please visithttp://www.snort.org/for more information about Snort configuration and usage.