Snort installation on Ubuntu

 

About

Snort is Network Intrusion Detection System (NIDS). Snort can sniff your network and alert you based on his rule DB if there is an attack on your computers network. It is an opensource system that was build from tcpdump (linux sniffer tool).

This guide can be used for installing snort only or as part of a series for installing Snort Barnyard and BASE or Snort Barnyard and Snorby.

 

Prerequisite

• su to root user

sudo su -

• Install PCRE and libdnet

apt-get install libdnet libdnet-dev libpcre3 libpcre3-dev gcc make flex byacc bison linux-headers-generic libxml2-dev libdumbnet-dev zlib1g zlib1g-dev -y

• If you are using VirtualBox on windows in network bridge mode like me when I wrote this, maybe you lost your network connection after intalling libdnet, when the “Starting DECnet…” message appears then you need to do the following steps:
• In the virtual machine console check what is the new MAC address of your network card

ifconfig eth0

eth0 Link encap:Ethernet HWaddr aa:00:04:00:0b:04
inet addr:10.4.1.11 Bcast:10.255.255.255 Mask:255.0.0.0
inet6 addr: fe80::a800:4ff:fe00:b04/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:22693 errors:0 dropped:0 overruns:0 frame:0
TX packets:14585 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:27589885 (27.5 MB) TX bytes:1760895 (1.7 MB)

• Power off the virtual machine

poweroff

• Change the MAC address of your network interface in VirtualBoxto the new one you get after installing libdnet package

- In VirtualBox manager click on the snort guest to highlight it - Click on Setting - Click on Network - Click Advanced to expand more option - Enter your new network MAC address in the "Mac Address:" field - Click OK

• Start your virtual machine

- In VirtualBox manager click on the snort guest to highlight it - Click on Start to start the virtual machine

• Create dir for Snort prerequisite sources

mkdir /usr/local/src/snort

• Change dir to the new created directory

cd /usr/local/src/snort

• Download and install libpcap

wget http://www.tcpdump.org/release/libpcap-1.2.1.tar.gz tar zxvf libpcap* cd libpcap* ./configure && make && make install ldconfig -v

• Download and install DAQ

cd /usr/local/src/snort wget http://www.snort.org/downloads/1408 -O daq.tar.gz tar zxvf daq.tar.gz cd daq* ./configure && make && make install ldconfig -v

 

Install Snort

• Download Snort

cd /usr/local/src/snort wget http://www.snort.org/downloads/1538 -O snort.tar.gz

• Extract and install Snort

tar zxvf snort.tar.gz cd snort-2* ./configure --prefix /usr/local/snort && make && make install

• Create snort user and group

groupadd snort useradd -g snort snort

• Create links for Snort files

ln -s /usr/local/snort/bin/snort /usr/sbin/ ln -s /usr/local/snort/etc /etc/snort

• Configure Snort startup script to run at startup

cp rpm/snortd /etc/init.d/ chmod +x /etc/init.d/snortd cp rpm/snort.sysconfig /etc/default/snort update-rc.d snortd defaults

• Make the following changes in snort startup file

vi /etc/init.d/snortd

...
# Source function library.
. /etc/rc.d/init.d/functions
...
. /etc/default/snort
...
# check if more than one interface is given
if [ `echo $INTERFACE|wc -w` -gt 2 ]; then 
...
daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF
...
daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF
...
else
# Run with a single interface (default) 
daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST $BPFFILE $BPF
fi
...
        touch /var/lock/snort
        echo
        ;;
...
        killall snort
        rm -f /var/lock/snort
        echo
        ;;
...
        condrestart)
        [ -e /var/lock/snort ] && $0 restart
        ;;
...

• Comment out the following variable in /etc/default/snort and add / to the LOGDIR variable

vi /etc/default/snort

...
LOGDIR=/var/log/snort/
...
#ALERTMODE=fast
#BINARY_LOG=1
...

• Download Snort rules files from http://www.snort.org/snort-rules to /usr/local/src/snort

You have to register to the site in order to get the free register user rules or you can pay and get the most update rules as a "Subscriber user"

• Extract rules file in the new created directory

cd /usr/local/snort tar zxvf /usr/local/src/snort/snortrules-snapshot-2*

• Create directory for snort logging

mkdir -p /usr/local/snort/var/log chown snort:snort /usr/local/snort/var/log ln -s /usr/local/snort/var/log /var/log/snort

 

Configure Snort dynamic rules

• Create links for dynamic rules files and directories

ln -s /usr/local/snort/lib/snort_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor ln -s /usr/local/snort/lib/snort_dynamicengine /usr/local/lib/snort_dynamicengine ln -s /usr/local/snort/lib/snort_dynamicrules /usr/local/lib/snort_dynamicrules

• Set snort permissions

chown -R snort:snort /usr/local/snort

• Comment out or delete all reputation preprocessor configuration lines from snot.conf and configure ouput plugin

vi /usr/local/snort/etc/snort.conf

...
#preprocessor reputation: \
# memcap 500, \
# priority whitelist, \
# nested_ip inner, \
#  whitelist $WHITE_LIST_PATH/white_list.rules, \
# blacklist $BLACK_LIST_PATH/black_list.rules
...
output unified2: filename snort.log, limit 128 
...

• Create Dynamicrules directory

mkdir /usr/local/snort/lib/snort_dynamicrules

• Copy dynamicrules files
• i386 system:

cp /usr/local/snort/so_rules/precompiled/Ubuntu-10-4/i386/2.9.2.2/*so /usr/local/snort/lib/snort_dynamicrules

• x86_64 system:

cp /usr/local/snort/so_rules/precompiled/Ubuntu-10-4/x86-64/2.9.2.2/*so /usr/local/snort/lib/snort_dynamicrules

• Dump the stub rules

snort -c /usr/local/snort/etc/snort.conf --dump-dynamic-rules=/usr/local/snort/so_rules

• Enable snort dynamic rules configuration in the end of snort.conf file

vi /usr/local/snort/etc/snort.conf

...
# dynamic library rules
include $SO_RULE_PATH/bad-traffic.rules
include $SO_RULE_PATH/chat.rules
include $SO_RULE_PATH/dos.rules
include $SO_RULE_PATH/exploit.rules
include $SO_RULE_PATH/icmp.rules
include $SO_RULE_PATH/imap.rules
include $SO_RULE_PATH/misc.rules
include $SO_RULE_PATH/multimedia.rules
include $SO_RULE_PATH/netbios.rules
include $SO_RULE_PATH/nntp.rules
include $SO_RULE_PATH/p2p.rules
include $SO_RULE_PATH/smtp.rules
include $SO_RULE_PATH/snmp.rules
include $SO_RULE_PATH/specific-threats.rules
include $SO_RULE_PATH/web-activex.rules
include $SO_RULE_PATH/web-client.rules
include $SO_RULE_PATH/web-iis.rules
include $SO_RULE_PATH/web-misc.rules
...

• Test Snort configuration

snort -c /usr/local/snort/etc/snort.conf -T

• Update Snort rules automatically

PulledPork is an opensource perl script that can update your rules files automatically. To install PulledPork please go to this guide Configure Snort automatic rules updating with PulledPork.

Snort installation completed. Now that we have a Snort server writing it’s data in binary format we need to install Barnyard. Barnyard is application that run on Snort binary files and can output the data to MySQL server and then use it with other PHP web application.

Here is a link for Barnyard Installation.

Please visithttp://www.snort.org/for more information about Snort configuration and usage.