Snort 2.9.2.3 Installation Guide for Ubuntu 12.04, with Barnyard2, Pulledpork, and Aanval
By Dino Edwards
dino.edwards [at] mydirectmail [dot] net
Preparation
This guide is based on Ubuntu 12.04 LTS. It's assumed that you have a fully functional Ubuntu 12.04 machine up and running with at least TWO network interfaces: one network interface dedicated to managing the machine and connected to the actual LAN and the other network interface dedicated for sniffing network traffic. For the purposes of this guide, we are going to assume the network interface that will be sniffing network traffic is eth1 and the interface for managing the machine will be eth0.
Ubuntu requires that all commands be prefixed by sudo. This is a pain, so the simplest way around it is to log in to your box with the username/password you set during setup, type sudo su and enter your password. That way you remain root for the duration of your session.
Installation
Setup the network interface you will be using for sniffing traffic in promiscuous mode
- Assuming that the network interface you will be using for sniffing traffic is eth1, edit /etc/network/interfaces and set the following under the eth1 section or create an eth1 section if you don't already have one:
vi /etc/network/interfaces
- Enter the following entry right below the existing eth0 entry if one already exists:
auto eth1
iface eth1 inet manual
    up ifconfig $IFACE 0.0.0.0 up
    up ip link set $IFACE promisc on
    down ip link set $IFACE promisc off
    down ifconfig $IFACE down
- Save the file (ESC) (SHIFT ZZ)
- Restart networking:
/etc/init.d/networking restart
- Check your interfaces:
ifconfig
The eth1 interface should look like below. Notice the RUNNING PROMISC on the third line:
eth1      Link encap:Ethernet  HWaddr 00:0c:29:32:bf:11
          inet6 addr: fe80::20c:29ff:fe32:bf11/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1152 errors:0 dropped:0 overruns:0 frame:0
          TX packets:62 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:94351 (94.3 KB)  TX bytes:17248 (17.2 KB)
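The "check your interfaces" step above is easy to turn into a recurring sanity check. The following is an added example, not part of the original guide: a POSIX sh function that takes ifconfig output (the net-tools format shown above) and reports whether an interface has the UP, RUNNING and PROMISC flags and no IPv4 address, which is the state the interfaces stanza is meant to produce. The SAMPLE_IFCONFIG text is constructed for the example, and eth0, eth1 and eth2 in it are illustrative.

```shell
#!/bin/sh
# Added example, not part of the original guide: verify from ifconfig-style
# output that a sniffing interface is in the state the interfaces stanza
# should produce: flags UP, RUNNING and PROMISC present, no IPv4 address bound.
# The sample output below is constructed for the example; on a live sensor
# pass "$(ifconfig)" instead.

SAMPLE_IFCONFIG=$(cat <<'EOF'
eth0      Link encap:Ethernet  HWaddr 00:0c:29:32:bf:07
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:0c:29:32:bf:11
          inet6 addr: fe80::20c:29ff:fe32:bf11/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1152 errors:0 dropped:0 overruns:0 frame:0

eth2      Link encap:Ethernet  HWaddr 00:0c:29:32:bf:1b
          BROADCAST MULTICAST  MTU:1500  Metric:1
EOF
)

# iface_stanza IFACE TEXT: print only IFACE's block (net-tools separates
# interfaces with a blank line, so stop at the first blank line after the name).
iface_stanza() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $1 == want { inside = 1 }
        inside && /^[[:space:]]*$/ { exit }
        inside { print }'
}

# iface_sniff_ready IFACE TEXT: return 0 if IFACE is up, running, promiscuous
# and carries no IPv4 address; print the first problem found and return 1 otherwise.
iface_sniff_ready() {
    stanza=$(iface_stanza "$1" "$2")
    if [ -z "$stanza" ]; then
        echo "$1: interface not found"
        return 1
    fi
    for flag in UP RUNNING PROMISC; do
        if ! printf '%s\n' "$stanza" | grep -qw "$flag"; then
            echo "$1: flag $flag missing"
            return 1
        fi
    done
    # The stanza sets the address to 0.0.0.0, so no "inet addr:" line should remain.
    if printf '%s\n' "$stanza" | grep -q 'inet addr:'; then
        echo "$1: has an IPv4 address; a sniffing interface should not"
        return 1
    fi
    echo "$1: up, running, promiscuous, no IPv4 address"
    return 0
}

# Stand-alone run: check the interface named on the command line against the
# live ifconfig output, or eth1 against the constructed sample.
if [ $# -ge 1 ]; then
    iface_sniff_ready "$1" "$(ifconfig 2>/dev/null)"
else
    iface_sniff_ready eth1 "$SAMPLE_IFCONFIG"
fi
```

Run it as sh check-iface.sh eth1 from cron or a monitoring agent; a non-zero exit means the sensor is not actually sniffing, which is easy to miss when the interface quietly comes up without promiscuous mode after a reboot.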
Install Snort
- Update and upgrade your Ubuntu installation:
apt-get update
apt-get upgrade
- Install the prerequisite packages from the Ubuntu repositories:
apt-get install mysql-server nmap nbtscan apache2 php5 php5-mysql php5-gd libpcap0.8-dev libpcre3 libpcre3-dev g++ gcc make bison flex byacc libpcap-ruby zlib1g zlib1g-dev libmysqld-dev libdnet libdnet-dev libdumbnet-dev linux-headers-generic libxml2-dev
- Answer Y at the After this operation, 224 MB of additional disk space will be used. Do you want to continue [Y/N]? prompt.
During the installation of the above packages, you will be prompted to set a New password for the MySQL "root" user (Figure 1). Set a password, take a note of it, tab over to Ok and press Enter. You will be asked to Repeat password for the MySQL "root" user. Re-type the password, tab over to Ok and press Enter again. The installation should then continue.
- Create directory for Snort Prerequisite packages that we are going to install from source:
mkdir /usr/local/src/snort
- Change to that directory:
cd /usr/local/src/snort
- Snort is going to require the Data Acquisition API. Browse to the http://www.snort.org website and click on the Download Snort link and look under the Latest Release-->Source-->daq-x.x.x.tar.gz.
- Select and copy the name of the latest daq package from the snort.org website, then append that filename to the http://www.snort.org/dl/snort-current/ url as shown below. As of the writing of this guide, the latest release was daq-0.6.2.tar.gz. It is easiest to download from the command line of your machine using wget. Remember, your download filename will differ depending on which is the latest version of the daq package, so adjust the command below accordingly. The download is over plain HTTP, so compare the file against the checksum snort.org publishes for it before building:
wget http://www.snort.org/dl/snort-current/daq-0.6.2.tar.gz
- Once downloaded, extract it:
tar -xvzf daq-0.6.2.tar.gz
- That will create a daq-0.6.2 directory in the directory you are in. Change into that directory and run the following commands to compile and install (Remember, the created directory will differ according to the filename you downloaded and extracted):
cd daq-0.6.2
./configure
You should get no errors from running the ./configue command. The output should be similar to below:
Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes
- Next, compile and install using the commands below:
make
make install
- Next, we are going to download the latest stable version of Snort. Browse to the http://www.snort.org website, click on the Download Snort link and look under Latest Release-->Source-->snort-2.x.x.x.tar.gz. As of the writing of this guide, the latest version was snort-2.9.2.3.tar.gz. Select and copy the name of the latest snort package filename, then append it to the http://www.snort.org/dl/snort-current/ url as shown below. As always, it is easiest to download from the command line of your machine using wget, and as with DAQ, check the file against the published checksum. Remember, your download filename will differ depending on which is the latest version of the snort package. Adjust the command below accordingly:
cd /usr/local/src/snort
wget http://www.snort.org/dl/snort-current/snort-2.9.2.3.tar.gz
- Once downloaded, extract it:
tar -xvzf snort-2.9.2.3.tar.gz
- That will create a snort-2.9.2.3 directory in the directory you are in. Change into that directory and run the following commands to compile and install (Remember, the created directory will differ according to the filename you downloaded and extracted):
cd snort-2.9.2.3 ./configure --prefix /usr/local/snort && make && make install
- Create the snort group and an unprivileged snort user in it. Snort drops to this account after start-up (the init script below passes -u snort -g snort), so make it a system account with no login shell:
groupadd snort
useradd -r -g snort -s /bin/false snort
- Create Links for snort files:
ln -s /usr/local/snort/bin/snort /usr/sbin/
ln -s /usr/local/snort/etc /etc/snort
- Next, we need to download the latest Registered User Snort rules snapshot. The rules are downloaded from the http://www.snort.org website, but you must have an account and a special code called an Oinkcode before you can download any rule snapshots. Signing up for an account is free. Once on the snort.org website, click on Sign In-->Account Management-->Sign Up for an Account. Go ahead and create a new account. A newly created account requires activation, so ensure you click on the link that arrives in the activation email before attempting to login to the snort.org website.
- Once you account is activated, login to your account and once logged in, click on My Account-->Subscriptions and Oinkcodes-->Generate Oinkcode. This will generate your very own Oinkcode. Please make a note of it and then click on Get Rules-->Registered user Release-->Snort v2.9-->snortrules-snapshot-xxxx.tar.gz. As of the writing of this guide, the latest Registered User Snort rules snapshot was snortrules-snapshot-2923.tar.gz.
- Select and copy the filename of the latest rules snapshot filename and then use the http://www.snort.org/dl/snort-current/ url and then paste the name of the filename you just copied at the end of the url just like it appears below. As always, it is easiest to download from the command line of your machine using wget. Remember, your download filename will differ depending on which is the latest version of the snapshot you are downloading. Adjust the command below accordingly:
cd /usr/local/src/snort
wget -O snortrules-snapshot-2923.tar.gz http://www.snort.org/reg-rules/snortrules-snapshot-2923.tar.gz/<oinkcode>
Where <oinkcode> is the oinkcode you generated earlier. Treat the oinkcode as a password: anyone who has it can download rules under your account. Typed on the command line as above it ends up in your shell history, so remove that entry (history -c, or edit ~/.bash_history) once the download is done.
- Change to the snort directory:
cd /usr/local/snort
- Extract the snort rules snapshot you just downloaded:
tar -xvzf /usr/local/src/snort/snortrules-snapshot-2*
- Create directory for snort logging, assign the snort user as the owner, and create necessary links:
mkdir -p /usr/local/snort/var/log
chown snort:snort /usr/local/snort/var/log
ln -s /usr/local/snort/var/log /var/log/snort
- Create links for dynamic rules files and directories:
ln -s /usr/local/snort/lib/snort_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
ln -s /usr/local/snort/lib/snort_dynamicengine /usr/local/lib/snort_dynamicengine
ln -s /usr/local/snort/lib/snort_dynamicrules /usr/local/lib/snort_dynamicrules
- Set snort permissions. This hands the whole tree, binary and configuration included, to the snort user; it is broader than strictly needed, since Snort reads its configuration as root before dropping privileges and only has to write to var/log. If you want a tighter setup, leave bin/ and etc/ root-owned and chown only var/log:
chown -R snort:snort /usr/local/snort
- Edit snort.conf:
vi /usr/local/snort/etc/snort.conf
- Find the section that starts with #Reputation preprocessor and comment out the following lines under it (enter a # symbol in front of them):
# Reputation preprocessor. For more information see README.reputation
#preprocessor reputation: \
#   memcap 500, \
#   priority whitelist, \
#   nested_ip inner, \
#   whitelist $WHITE_LIST_PATH/white_list.rules, \
#   blacklist $BLACK_LIST_PATH/black_list.rules
- Find the section that starts with output unified2: and below it add the following line so the entire section looks like below:
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
output unified2: filename snort.log, limit 128
- Create dynamicrules directory:
mkdir /usr/local/snort/lib/snort_dynamicrules
- Next, copy your Linux distribution specific precompiled dynamic rules into the directory you just created. In order to do this correctly, first you need to know if you are running the 32-bit or 64-bit version of Ubuntu. In this example, we are running the 32-bit version. An easy way to find out is by typing the following command:
uname -a
You should get an output similar to below:
Linux hostname 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686 i686 i386 GNU/Linux
The i386 GNU/Linux part tells us that we are running a 32-bit version of Ubuntu. If it was 64-bit it would be similar to below; notice the x86_64 GNU/Linux:
Linux hostname 3.2.0-24-generic #38-Ubuntu SMP Tue May 1 16:18:50 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
- Once you know whether your Ubuntu machine is 32-bit or 64-bit, you are ready to copy the distribution-specific precompiled rules. As of the time of this writing there were no precompiled rules for Ubuntu 12.04, so we use the next lower version available, Ubuntu 10.04, as below:
If you are running a 32-bit system, use the following command. Obviously, adjust the rules snapshot version number to reflect the rules snapshot you downloaded:
cd /usr/local/src/snort
cp /usr/local/snort/so_rules/precompiled/Ubuntu-10-4/i386/2.9.2.3/*so /usr/local/snort/lib/snort_dynamicrules
If you are running a 64-bit system, use the following command. Obviously, adjust the rules snapshot version number to reflect the rules snapshot you downloaded:
cd /usr/local/src/snort
cp /usr/local/snort/so_rules/precompiled/Ubuntu-10-4/x86-64/2.9.2.3/*so /usr/local/snort/lib/snort_dynamicrules
- Dump all the stub rules:
snort -c /usr/local/snort/etc/snort.conf --dump-dynamic-rules=/usr/local/snort/so_rules
- Next, edit /usr/local/snort/etc/snort.conf file:
vi /usr/local/snort/etc/snort.conf
- Enable all the dynamic rules by locating the section that starts with # dynamic library rules in /usr/local/snort/etc/snort.conf and uncommenting (removing the # sign from) every include line under it, so it looks like below:
# dynamic library rules
include $SO_RULE_PATH/bad-traffic.rules
include $SO_RULE_PATH/chat.rules
include $SO_RULE_PATH/dos.rules
include $SO_RULE_PATH/exploit.rules
include $SO_RULE_PATH/icmp.rules
include $SO_RULE_PATH/imap.rules
include $SO_RULE_PATH/misc.rules
include $SO_RULE_PATH/multimedia.rules
include $SO_RULE_PATH/netbios.rules
include $SO_RULE_PATH/nntp.rules
include $SO_RULE_PATH/p2p.rules
include $SO_RULE_PATH/smtp.rules
include $SO_RULE_PATH/snmp.rules
include $SO_RULE_PATH/specific-threats.rules
include $SO_RULE_PATH/web-activex.rules
include $SO_RULE_PATH/web-client.rules
include $SO_RULE_PATH/web-iis.rules
include $SO_RULE_PATH/web-misc.rules
- Save the file (ESC) (SHIFT ZZ)
- Next, test the snort configuration to ensure no errors:
snort -c /usr/local/snort/etc/snort.conf -T
You should get a message like below:
Snort successfully validated the configuration! Snort exiting
- Next, we are going to configure snort to start on system startup. First, create a snort script under /etc/init.d/:
touch /etc/init.d/snortd
- Next, edit /etc/init.d/snortd:
vi /etc/init.d/snortd
- Paste the text below into the file:
#!/bin/sh
# $Id$
#
# snortd         Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description:  snort is a lightweight network intrusion detection tool that \
#               currently detects more than 1100 host and network \
#               vulnerabilities, portscans, backdoors, and more.
#

# Source the local configuration file
. /etc/default/snort

# Convert the /etc/sysconfig/snort settings to something snort can
# use on the startup line.
if [ "$ALERTMODE"X = "X" ]; then
   ALERTMODE=""
else
   ALERTMODE="-A $ALERTMODE"
fi

if [ "$USER"X = "X" ]; then
   USER="snort"
fi

if [ "$GROUP"X = "X" ]; then
   GROUP="snort"
fi

if [ "$BINARY_LOG"X = "1X" ]; then
   BINARY_LOG="-b"
else
   BINARY_LOG=""
fi

if [ "$CONF"X = "X" ]; then
   CONF="-c /etc/snort/snort.conf"
else
   CONF="-c $CONF"
fi

# Note: with INTERFACE unset this falls back to eth0, the management
# interface in this guide. Set INTERFACE in /etc/default/snort.
if [ "$INTERFACE"X = "X" ]; then
   INTERFACE="-i eth0"
else
   INTERFACE="-i $INTERFACE"
fi

if [ "$DUMP_APP"X = "1X" ]; then
   DUMP_APP="-d"
else
   DUMP_APP=""
fi

if [ "$NO_PACKET_LOG"X = "1X" ]; then
   NO_PACKET_LOG="-N"
else
   NO_PACKET_LOG=""
fi

if [ "$PRINT_INTERFACE"X = "1X" ]; then
   PRINT_INTERFACE="-I"
else
   PRINT_INTERFACE=""
fi

if [ "$PASS_FIRST"X = "1X" ]; then
   PASS_FIRST="-o"
else
   PASS_FIRST=""
fi

if [ "$LOGDIR"X = "X" ]; then
   LOGDIR=/var/log/snort
fi

# These are used by the 'stats' option
if [ "$SYSLOG"X = "X" ]; then
   SYSLOG=/var/log/messages
fi

if [ "$SECS"X = "X" ]; then
   SECS=5
fi

if [ ! "$BPFFILE"X = "X" ]; then
   BPFFILE="-F $BPFFILE"
fi

######################################
# Now to the real heart of the matter:

# See how we were called.
case "$1" in
  start)
        echo -n "Starting snort: "
        cd $LOGDIR
        if [ "$INTERFACE" = "-i ALL" ]; then
           for i in `cat /proc/net/dev|grep eth|awk -F ":" '{ print $1; }'`
           do
                mkdir -p "$LOGDIR/$i"
                chown -R $USER:$GROUP $LOGDIR
                /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF
           done
        else
           # One snort process per interface, each logging to $LOGDIR/<interface>.
           # Barnyard2's init script below reads those same per-interface directories.
           for i in `echo $INTERFACE | sed s/"-i "//`
           do
                mkdir -p "$LOGDIR/$i"
                chown -R $USER:$GROUP $LOGDIR
                /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF
           done
        fi
        touch /var/lock/snort
        echo
        ;;
  stop)
        echo -n "Stopping snort: "
        killall snort
        rm -f /var/lock/snort
        echo
        ;;
  reload)
        echo "Sorry, not implemented yet"
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  condrestart)
        [ -e /var/lock/snort ] && $0 restart
        ;;
  status)
        # 'status' is a Red Hat init helper that Ubuntu does not provide;
        # 'pidof snort' gives the same answer here.
        status snort
        ;;
  stats)
        TC=125                          # Trailing context to grep
        SNORTNAME='snort'               # Process name to look for

        if [ ! -x "/sbin/pidof" ]; then
           echo "/sbin/pidof not present, sorry, I cannot go on like this!"
           exit 1
        fi

        #Grab Snort's PID
        PID=`pidof -o $$ -o $PPID -o %PPID -x ${SNORTNAME}`

        if [ ! -n "$PID" ]; then        # if we got no PID then:
           echo "No PID found: ${SNORTNAME} must not be running."
           exit 2
        fi

        echo ""
        echo "*******"
        echo "WARNING:  This feature is EXPERIMENTAL - please report errors!"
        echo "*******"
        echo ""
        echo "You can also run: $0 stats [long | opt]"
        echo ""
        echo "Dumping ${SNORTNAME}'s ($PID) statistics"
        echo "please wait..."

        # Get the date and tell Snort to dump stats as close together in
        # time as possible--not 100%, but it seems to work.
        startdate=`date '+%b %e %H:%M:%S'`

        # This causes the stats to be dumped to syslog
        kill -USR1 $PID

        # Sleep for $SECS secs to give syslog a chance to catch up
        # May need to be adjusted for slow/busy systems
        sleep $SECS

        if [ "$2" = "long" ]; then              # Long format
           egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG | \
                grep snort.*:
        elif [ "$2" = "opt" ]; then             # OPTimize format
           # Just show stuff useful for optimizing Snort
           egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG | \
                egrep "snort.*: Snort analyzed |snort.*: dropping|emory .aults:"
        else                                    # Default format
           egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG | \
                grep snort.*: | cut -d: -f4-
        fi
        ;;
  *)
        echo "Usage: $0 {start|stop|reload|restart|condrestart|status|stats (long|opt)}"
        exit 2
esac

exit 0
- Make the file executable:
chmod +x /etc/init.d/snortd
- Copy the snort reference configuration file to /etc/default/snort. Then open it and make sure the INTERFACE line names your sniffing interface (INTERFACE=eth1 in this guide): the reference file does not know which interface you chose, and the init script above falls back to eth0, the management interface, so without this change Snort would sniff the wrong network:
cd /usr/local/src/snort/snort-2*
cp rpm/snort.sysconfig /etc/default/snort
- Configure the /etc/init.d/snortd file as a service and to start on system startup:
update-rc.d snortd defaults
- Next, ensure the /etc/init.d/snortd script works as it should:
service snortd restart
You should get an output like below:
Stopping snort:
Starting snort: Spawning daemon child...
My daemon child 8804 lives...
Daemon parent exiting (0)
Install and Configure Barnyard2
Next, we will install Barnyard2, an add-on to Snort. Snort writes its log and alert data very quickly into binary (unified2) files, and Barnyard2 reads those files and inserts the events into our MySQL database, so the sensor never blocks on database writes. Ubuntu ships an old version of Barnyard, not Barnyard2, so we need to download and compile it from source.
But before we get to downloading and installing Barnyard2, we are going to go ahead and create the MySQL database to which Barnyard2 will use to dump all the Snort data.
- Type the following command to logon to the MySQL console:
mysql -u root -p
- You will be prompted for the MySQL root password you set when you installed MySQL at the beginning of this guide. You should then be at a mysql> prompt. Press Enter after each command below. Create a database for Snort:
create database snortdb;
- Create a user for the Snort database. Replace the SOMEPASSWORD with a password of your choice for that user and make a note of it:
CREATE USER 'snort_user'@'localhost' IDENTIFIED BY 'SOMEPASSWORD';
The @'localhost' tells MySQL to accept connections for that user only from the local machine. Alternatively, you can use @'%' to accept connections from any host if you need to (for example, a Barnyard2 instance on a separate sensor). If you go that route, MySQL must also listen on the network: edit /etc/mysql/my.cnf, comment out the bind-address = 127.0.0.1 line and restart MySQL (service mysql restart). Only do this if a remote host really needs the database, and prefer a grant naming that host (@'sensor-ip') plus a firewall rule over @'%', since the database is then reachable from the whole network.
- Give the snort_user you just created full access to the database. If you decided to accept connections from anywhere as mentioned above, change 'snort_user'@'localhost' to 'snort_user'@'%' in the command below, and of course ensure SOMEPASSWORD is the password you set for the user above. Barnyard2 only needs to read and write the tables in snortdb, so there is no reason to add WITH GRANT OPTION, which would let this account hand its privileges to other users:
GRANT ALL PRIVILEGES ON snortdb.* TO 'snort_user'@'localhost' IDENTIFIED BY 'SOMEPASSWORD';
- Force the new permissions to take effect:
flush privileges;
- Exit the MySQL console:
quit;
- Next, we are going to create the MySQL table structure that Barnyard2 is going to require to dump the Snort data. At a command prompt, NOT a MySQL query, enter the following:
mysql -u root -p -D snortdb < /usr/local/src/snort/snort-2.9.2.3/schemas/create_mysql
Warning: In Snort version 2.9.3 and above, the /schemas directory can be found in your Barnyard2 source directory.
You will be prompted for the MySQL root password you setup during the initial MySQL setup at the beginning of this guide. After you enter that password, the command should complete with no errors.
- Next, we are going to download and install Barnyard2. You can download the latest version of Barnyard2 from http://www.securixlive.com/barnyard2/. As of the writing of this guide, the latest version was 1.9. Again, the easiest way to download is using wget. Of course, your version may vary, so adjust the commands below to fit the version you are downloading:
cd /usr/local/src/snort
wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
tar -xvzf barnyard2-1.9.tar.gz
cd barnyard2-1.9
- If you are using a 32-bit system enter the following command (Refer to the instructions above on how to determine if you are using a 32-bit or 64-bit system):
./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu/
If you are using a 64-bit system enter the following command instead:
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu/
- The later steps link to /usr/local/bin/barnyard2 and /usr/local/etc/barnyard2.conf, which only exist once Barnyard2 has been built and installed, so compile and install it now, exactly as was done for DAQ and Snort:
make
make install
- Next, configure Barnyard to start on system startup by creating a barnyard2 script in /etc/init.d/ directory:
touch /etc/init.d/barnyard2
- Next, edit the newly created /etc/init.d/barnyard2 file:
vi /etc/init.d/barnyard2
- Paste the text below into the file:
#!/bin/sh
#
# Init file for Barnyard2
#
#
# chkconfig: 2345 40 60
# description:  Barnyard2 is an output processor for snort.
#
# processname: barnyard2
# config: /etc/sysconfig/barnyard2
# config: /etc/snort/barnyard.conf
# pidfile: /var/lock/subsys/barnyard2.pid

[ -x /usr/sbin/snort ] || exit 1
[ -r /etc/snort/snort.conf ] || exit 1

### Default variables
SYSCONFIG="/etc/default/barnyard2"

### Read configuration
[ -r "$SYSCONFIG" ] && . "$SYSCONFIG"

RETVAL=0
prog="barnyard2"
desc="Snort Output Processor"

# The $"..." strings below are bash locale syntax; Ubuntu's /bin/sh is dash,
# which prints the leading $ literally. This is cosmetic only.
start() {
        echo -n $"Starting $desc ($prog): "
        # One barnyard2 per interface in INTERFACES, reading the unified2
        # files Snort writes to $SNORTDIR/<interface>/ (see /etc/default/barnyard2).
        for INT in $INTERFACES; do
                PIDFILE="/var/lock/barnyard2-$INT.pid"
                ARCHIVEDIR="$SNORTDIR/$INT/archive"
                WALDO_FILE="$SNORTDIR/$INT/barnyard2.waldo"
                BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR/${INT} -w $WALDO_FILE -l $SNORTDIR/${INT} -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
                $prog $BARNYARD_OPTS
        done
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/$prog
        return $RETVAL
}

stop() {
        echo -n $"Shutting down $desc ($prog): "
        killall $prog
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/$prog
        return $RETVAL
}

restart() {
        stop
        start
}

reload() {
        echo -n $"Reloading $desc ($prog): "
        killall $prog -HUP
        RETVAL=$?
        echo
        return $RETVAL
}

case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart)
        restart
        ;;
  reload)
        reload
        ;;
  condrestart)
        [ -e /var/lock/$prog ] && restart
        RETVAL=$?
        ;;
  status)
        # 'status' is a Red Hat init helper that Ubuntu does not provide;
        # use 'pidof barnyard2' instead.
        status $prog
        RETVAL=$?
        ;;
  dump)
        # No dump function is defined in this script; the target is a no-op.
        dump
        ;;
  *)
        echo $"Usage: $0 {start|stop|restart|reload|condrestart|status|dump}"
        RETVAL=1
esac

exit $RETVAL
- Save the file (ESC) (SHIFT ZZ)
- Make the /etc/init.d/barnyard2 executable:
chmod +x /etc/init.d/barnyard2
- Next, copy the Barnyard2 reference configuration file to /etc/default/barnyard2:
cp rpm/barnyard2.config /etc/default/barnyard2
- Next, configure the Barnyard2 script as a service and configure to start on system startup:
update-rc.d barnyard2 defaults 98
- Create some necessary links and directories:
ln -s /usr/local/etc/barnyard2.conf /etc/snort/barnyard.conf
ln -s /usr/local/bin/barnyard2 /usr/bin/
mkdir -p /var/log/snort/eth0/archive/
mkdir -p /var/log/snort/eth1/archive/
- Edit /etc/default/barnyard2:
vi /etc/default/barnyard2
- Make the LOG_FILE line match the filename on the output unified2 line in snort.conf (snort.log), and make sure INTERFACES lists the same interface(s) Snort is started on (eth1 in this guide). The init script above reads $SNORTDIR/<interface>/ for every name in INTERFACES, so a mismatch leaves Barnyard2 watching an empty directory while Snort logs elsewhere:
LOG_FILE="snort.log"
INTERFACES="eth1"
- Edit /usr/local/etc/barnyard2.conf
vi /usr/local/etc/barnyard2.conf
- Locate the line that starts with output database: right below the Examples: section, uncomment the first output database line (remove the # from the front of it) and make it look like below, where SOMEPASSWORD is the password you set up for the snort_user when you created the snortdb database earlier. This file now holds a database password in clear text; Barnyard2 is started as root by the init script, so restrict the file so that only root can read it:
output database: log, mysql, user=snort_user password=SOMEPASSWORD dbname=snortdb host=localhost
- Test that the Barnyard2 service works as expected:
service snortd restart
service barnyard2 start
You should get an output like below:
Stopping snort:
Starting snort: Spawning daemon child...
My daemon child 8833 lives...
Daemon parent exiting (0)
$Starting Snort Output Processor (barnyard2):
The stray $ in the last line comes from the $"..." strings in the Barnyard2 init script, which Ubuntu's /bin/sh (dash) prints literally; it is harmless.
- Typing the following commands will tell you if both Snort and Barnyard2 are running:
ps -A|grep snort
You should have an output similar to below:
8833 ?        00:00:00 snort
ps -A|grep barnyard2
8844 ?        00:00:00 barnyard2
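The two init scripts above only work together when three settings agree: the filename on snort.conf's output unified2 line, LOG_FILE and INTERFACES in /etc/default/barnyard2, and INTERFACE in /etc/default/snort (snortd writes to $LOGDIR/<interface>/, Barnyard2 reads $SNORTDIR/<interface>/ for each name in INTERFACES). The following is an added example, not part of the guide or of either project: a POSIX sh check that parses those three files and reports any mismatch before you start hunting for missing events. The function names are mine, and the files it is run on in the stand-alone block are the paths used in this guide.

```shell
#!/bin/sh
# Added example, not from the guide: static consistency check for the
# Snort -> unified2 -> Barnyard2 hand-off. Snort's init script writes
# $LOGDIR/<INTERFACE>/<unified2 filename>.<timestamp>; Barnyard2's init script
# reads $SNORTDIR/<INT>/ with -f LOG_FILE for each INT in INTERFACES. So:
#   snort.conf               output unified2: filename X
#   /etc/default/barnyard2   LOG_FILE="X"  and  INTERFACES="..."
#   /etc/default/snort       INTERFACE=...
# must agree. The check only parses files; it does not touch the daemons.

# unified2_filename SNORT_CONF: filename from the first active output unified2 line.
unified2_filename() {
    sed -n 's/^output unified2:[[:space:]]*filename[[:space:]]*\([^,[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# sysconfig_value FILE KEY: value of KEY=value (quotes optional) from a
# sysconfig-style file; commented lines are ignored and the last assignment
# wins, as it would when the init script sources the file.
sysconfig_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# check_spool_config SNORT_CONF SNORT_DEFAULT BARNYARD2_DEFAULT
# Return 0 when the three files agree, 1 (with one line per problem) otherwise.
check_spool_config() {
    u2=$(unified2_filename "$1")
    snort_if=$(sysconfig_value "$2" INTERFACE)
    [ -n "$snort_if" ] || snort_if=eth0   # snortd falls back to -i eth0 when INTERFACE is unset
    by2_log=$(sysconfig_value "$3" LOG_FILE)
    by2_ifs=$(sysconfig_value "$3" INTERFACES)
    ok=0
    if [ -z "$u2" ]; then
        echo "$1: no active 'output unified2:' line, Barnyard2 will have nothing to read"
        ok=1
    elif [ "$u2" != "$by2_log" ]; then
        echo "LOG_FILE='$by2_log' in $3 does not match unified2 filename '$u2' in $1"
        ok=1
    fi
    if [ "$snort_if" = "ALL" ]; then
        echo "note: INTERFACE=ALL; make sure every eth* device is listed in INTERFACES='$by2_ifs'"
    else
        for i in $snort_if; do
            case " $by2_ifs " in
                *" $i "*) ;;
                *) echo "Snort logs to <SNORTDIR>/$i but INTERFACES='$by2_ifs' in $3 omits $i"
                   ok=1 ;;
            esac
        done
    fi
    [ "$ok" -eq 0 ] && echo "unified2 spool settings are consistent"
    return "$ok"
}

# Stand-alone run against the paths used in this guide.
if [ $# -eq 0 ] && [ -r /usr/local/snort/etc/snort.conf ]; then
    check_spool_config /usr/local/snort/etc/snort.conf /etc/default/snort /etc/default/barnyard2
fi
```

Run it after every change to either default file; a non-zero exit is exactly the silent failure mode of this setup, in which both daemons show up in ps but no rows ever reach snortdb.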
Install and Configure PulledPork
Snort needs to have an updated set of rulesets in order to be able to detect and respond to emerging threats as effectively as possible. Pulledpork is a Perl script that is able to keep your Snort rulesets updated at all times with a minimal amount of effort.
- Install prerequisites:
apt-get install libcrypt-ssleay-perl liblwp-useragent-determined-perl -y
- Next, go to http://pulledpork.googlecode.com and download the latest version of PulledPork. As of the writing of this guide, the latest version was 0.6.1. Obviously, adjust your filenames to reflect the version of PulledPork you download. The easiest way to download is through wget from your machine's command line. Copy the complete download URL from the PulledPork website and then do the following:
cd /usr/local/src/snort wget https://pulledpork.googlecode.com/files/pulledpork-0.6.1.tar.gz
If you get a warning WARNING: cannot verify pulledpork.googlecode.com's certificate and your file doesn't download, the usual cause is a missing CA bundle: install it with apt-get install ca-certificates and retry. The command below also works, but --no-check-certificate disables TLS verification entirely, so anyone able to intercept the connection could hand you a modified PulledPork; use it only as a last resort and check the downloaded tarball against the checksum shown on the project's download page:
cd /usr/local/src/snort
wget --no-check-certificate https://pulledpork.googlecode.com/files/pulledpork-0.6.1.tar.gz
- Untar the downloaded file:
cd /usr/local/snort
tar -xvzf /usr/local/src/snort/pulledpork-0.6.1.tar.gz
- This will create a pulledpork-0.6.1 directory containing the PulledPork files. We rename that directory to simply pulledpork to keep the paths short (note the dot in the version number: the glob must be pulledpork-0.6*):
mv pulledpork-0.6* pulledpork
- Next, edit the /usr/local/snort/pulledpork/etc/pulledpork.conf file:
vi /usr/local/snort/pulledpork/etc/pulledpork.conf
- Change the lines that appear below and make them look exactly as they appear below, with the exception of the <oinkcode> on the rule_url line, which should be replaced with the oinkcode you generated earlier in the guide. The fields of rule_url are separated by literal pipe characters (|); some renderings of this page show them URL-encoded as %7C, which PulledPork will not understand. The distro value must match the directory name under so_rules/precompiled/ in the rules tarball (Ubuntu-10-4, the same directory you copied the .so files from above), otherwise PulledPork cannot find the precompiled shared-object rules. Since this file now contains your oinkcode, make it readable only by root.
rule_url=http://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
# get the rule docs!
#rule_url=https://www.snort.org/reg-rules/|opensource.gz|
#rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
# THE FOLLOWING URL is for etpro downloads, note the tarball name change!
# and the et oinkcode requirement!
#rule_url=https://rules.emergingthreats.net/|etpro.rules.tar.gz|
rule_path=/usr/local/snort/etc/rules/snort.rules
local_rules=/usr/local/snort/etc/rules/local.rules
# Where should I put the sid-msg.map file?
sid_msg=/usr/local/snort/etc/sid-msg.map
# Path to the snort binary, we need this to generate the stub files
snort_path=/usr/local/snort/bin/snort
# We need to know where your snort.conf file lives so that we can
# generate the stub files
config_path=/usr/local/snort/etc/snort.conf
# This is the file that contains all of the shared object rules that pulledpork
# has processed, note that this has changed as of 0.4.0 just like the rules_path!
sostub_path=/usr/local/snort/etc/rules/so_rules.rules
distro=Ubuntu-10-4
- Next, edit /usr/local/snort/etc/snort.conf:
vi /usr/local/snort/etc/snort.conf
- Locate the var RULE_PATH line and change it to appear like below:
var RULE_PATH /usr/local/snort/etc/rules
- Next, remove all existing include $RULE_PATH/... lines from /usr/local/snort/etc/snort.conf. A single sed pass deletes every matching line, so the command only needs to be run once (the single quotes keep $RULE_PATH literal):
sed -i '/^include $RULE_PATH/d' /usr/local/snort/etc/snort.conf
- Now, add the following include files to /usr/local/snort/etc/snort.conf by typing the following commands:
echo "include \$RULE_PATH/snort.rules" >> /usr/local/snort/etc/snort.conf
echo "include \$RULE_PATH/local.rules" >> /usr/local/snort/etc/snort.conf
echo "include \$RULE_PATH/so_rules.rules" >> /usr/local/snort/etc/snort.conf
- Create a rules directory:
mkdir /usr/local/snort/etc/rules
- Create a local rules file:
touch /usr/local/snort/etc/rules/local.rules
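The sed and echo steps above are not safe to repeat: every extra run of the echo lines appends the three includes again, and Snort then loads each rule file twice. As an added example that is not part of the guide, the function below performs the same edit idempotently: it strips every active include $RULE_PATH/ line and appends the PulledPork-managed set exactly once, writing back through the existing file so the snort:snort ownership set earlier is kept. The function names are mine; the snort.conf it is tested on is constructed inline.

```shell
#!/bin/sh
# Added example, not from the guide: idempotent version of the sed/echo edit
# that points snort.conf at the three PulledPork-managed rule files.

# rewrite_rule_includes SNORT_CONF
rewrite_rule_includes() {
    conf="$1"
    tmp="$conf.tmp.$$"
    cp -p "$conf" "$conf.bak"   # keep a copy of the original alongside it
    # '\$' keeps the dollar sign literal: we match the text $RULE_PATH, not a
    # shell variable. Comment lines (leading #) are left alone.
    grep -v '^include \$RULE_PATH/' "$conf" > "$tmp" || true
    for f in snort.rules local.rules so_rules.rules; do
        printf 'include $RULE_PATH/%s\n' "$f" >> "$tmp"
    done
    # Write back through the existing inode so owner and mode are preserved
    # (the guide chowns /usr/local/snort to snort:snort), then drop the temp file.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# count_rule_includes SNORT_CONF: number of active include $RULE_PATH/ lines.
count_rule_includes() {
    grep -c '^include \$RULE_PATH/' "$1"
}

# Stand-alone run: rewrite the file named on the command line and report.
if [ $# -ge 1 ]; then
    rewrite_rule_includes "$1"
    echo "$1 now has $(count_rule_includes "$1") include \$RULE_PATH/ lines"
fi
```

Because the result is the same however many times it runs, the function can live in a provisioning script or a cron job without accumulating duplicate includes; the .bak copy makes a bad edit trivial to undo.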
- Test PulledPork runs successfully by typing the command below:
/usr/local/snort/pulledpork/pulledpork.pl -c /usr/local/snort/pulledpork/etc/pulledpork.conf
Upon success, you should get an output similar to below:
Rule Stats....
New:-------0
Deleted:---0
Enabled Rules:----3154
Dropped Rules:----0
Disabled Rules:---11235
Total Rules:------14389
Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!
Snort does not pick up changed rule files on its own, so after this first run re-test the configuration (snort -c /usr/local/snort/etc/snort.conf -T) and then service snortd restart before moving on. Now, let's schedule PulledPork to update automatically every day.
- Edit crontab:
crontab -e
- Insert a new line like below into crontab (all on one line). This is root's own crontab (you ran crontab -e as root), so the entry has five time fields and no user column; the six-field form with a user name is only valid in /etc/crontab:
00 01 * * * /usr/local/snort/pulledpork/pulledpork.pl -c /usr/local/snort/pulledpork/etc/pulledpork.conf && service snortd restart
The line above runs PulledPork every day at 1 A.M. and, when it succeeds, restarts snortd so the new rules are actually loaded.
- Save Crontab (ESC) (SHIFT ZZ)
Install Aanval
As of the time this guide was written, the latest Aanval version was v7. Obviously, adjust the commands below for the current version. Before we get started, we need to create and configure the database we are going to be using for Aanval.
- Type the following command to logon to the MySQL console:
mysql -u root -p
You will be prompted for the MySQL root password you set when you first installed MySQL. You should then be at a mysql> prompt. Press Enter after each command below.
- Create a database for Aanval:
create database aanvaldb;
- Create a user for the Aanval database. Replace the SOMEPASSWORD with a password of your choice for that user and make a note of it:
CREATE USER 'aanval_user'@'localhost' IDENTIFIED BY 'SOMEPASSWORD';
- Give the aanval_user you just created full access to the aanval database. As with the Snort user, WITH GRANT OPTION is not needed, so leave it out:
GRANT ALL PRIVILEGES ON aanvaldb.* TO 'aanval_user'@'localhost' IDENTIFIED BY 'SOMEPASSWORD';
- Force the new permissions to take effect:
flush privileges;
- Exit the MySQL console:
quit;
- Next, create a directory in your web root for Aanval to live. The natural choice would be /var/www/aanval. Adjust as necessary:
mkdir /var/www/aanval
- Change to the directory you just created:
cd /var/www/aanval
- Download the latest version of Aanval from the command prompt using wget. This should download the file in the /var/www/aanval directory:
wget http://download.aanval.com/aanval-7-latest-stable.tar.gz
- While still in the /var/www/aanval directory, extract the Aanval package:
tar -xvzf aanval-7-latest-stable.tar.gz
- Now remove the downloaded Aanval package from that directory (this keeps your Aanval directory cleaner; it is an ordinary file, so rm -f is enough):
rm -f aanval-7-latest-stable.tar.gz
- Next, from a web browser, browse to http://ipaddress/aanval where ipaddress is the IP address of your machine. You should be greeted by the Aanval EULA - End User License Agreement. At the very bottom of the page, click I Agree. Continue. On the following Environment Compatibility Test you should get Success! in green at the bottom of the page with a Continue link below that (Figure 2). Click on Continue.
Figure 2

- On the following Configuration screen, ensure the Database Server is set to 127.0.0.1, the Database name is set to aanvaldb, the Database Username is set to aanval_user, and the Database Password is set to the aanval_user password you setup earlier and press the Submit button (Figure 3)

- If everything went well, you should get a Success! Configuration confirmed - Continue message on the following screen. Click Continue. On the next screen you should get a Creating all tables Loading table data Installation Complete - Continue message. Click Continue. On the final screen You should get a Installation Complete! message. Take note of the Default username and the Default password which should be root and specter respectively and click the Login Now button. You will be taken to the Aanval login screen. Don't login just yet.
- Next, from your machine's command prompt, enter the following commands to start the Aanval BPUs:
Change to the Aanval /apps directory:
cd /var/www/aanval/apps
Start the BPUs:
perl idsBackground.pl -start
You should get the following message:
---------------------------------------------------
Aanval by Tactical FLEX, Inc.
Copyright 2003-2012
http://www.tacticalflex.com/
Background Processing Unit (BPU) Initializer
Version: 7.0.700
---------------------------------------------------
Aanval BPU (importer) launched in daemon mode [PID: 11206].
Aanval BPU (core) launched in daemon mode [PID: 11214].
Aanval BPU (A:1,2,3,4,5) launched in daemon mode [PID: 11229].
Aanval BPU (A:10,100,101,102,103,104,105) launched in daemon mode [PID: 11234].
If you want to stop the BPUs later, enter the following (don't run it now; it is shown for reference only):
perl idsBackground.pl -stop
- Now, go back to your browser and log in to Aanval using the default username and password (root/specter). Once successfully logged in, click the gear icon in the bottom right-hand corner of the screen (Figure 4) to go to the Configuration screen.
Figure 4

- Once in the Configuration screen, click Snort Module-->Settings (Figure 5):
Figure 5
- On the Snort Module Settings screen, ensure Enabled is checked, the Database Name is snortdb, the Database Hostname is localhost, the Database Username is snort_user, and the Database Password is the password you set up for snort_user when you were creating the database for Snort (NOT the password for the Aanval user), then click the Update button (Figure 6):
Figure 6
- Next, go to Configuration->Snort Module->Sensor Configuration and ensure the Enabled checkbox is checked. Enter the name of your sensor in the Name field and the operating system in the OS field. In the Location field, you must enter the latitude,longitude of your sensor for the Live Geolocation module of Aanval to work correctly. The easiest way to get these is to go to http://itouchmap.com/latlong.html, enter the physical address of the sensor's location in the Address field, and click the Go button. This displays a Google map below along with the latitude and longitude (Figure 7). Once you have the latitude and longitude, enter them in the Location field in the form 37.330853,-122.029684. Next, select the correct timezone from the Timezone drop-down field. Ensure you check the Admin Account checkbox and click the Update button (Figure 8).
Figure 7
Figure 8
This concludes the tutorial. If you click the Home icon at the top of the Aanval GUI and Snort is working correctly, you should start seeing events. One very important thing to keep in mind: Snort must be finely tuned to get the best results and cut down on a lot of the noise. However, that is outside the scope of this tutorial.
Community Support from Tactical FLEX, Inc.
We support over 6,000 customers in more than 100 countries by delivering real-time, continuous network monitoring and by providing a wide range of product manuals, information security articles, and up-to-date how-to guides. Built with a unique Situational Awareness engine, users rely on Aanval because it provides a proactive tool to combat cyber threats and safeguard their virtual and physical assets.
Aanval continues to support both the information security and open source Snort and Suricata communities by providing users with a free non-commercial version of Aanval® that allows full functionality of a single-sensor device. Aanval is designed to work with all versions of Snort and Suricata, and can process syslog data from any device capable of external logging (file or UDP 514).
Aanval is available for download as a free Community edition, in addition to an unlimited sensor-capacity, commercially purchased and supported Snort, Suricata, and syslog license. Downloading and installing Aanval is free and takes only minutes to accomplish. Designed to work with all current Linux, Unix, and Mac OS X flavors of operating systems, you can be up, running, and viewing events within minutes. Let Aanval turn your data into actionable and comprehensive insights to reduce security risks. Free download here: Aanval Community Edition
Aanval® is the industry's most comprehensive end-to-end SIEM-based Snort and Suricata IDS solution, built with a unique Situational Awareness engine, distinct false-positive protection technology, and a fully integrated event management and attack data correlation engine. Learn more at http://www.aanval.com.
#1
Walking moon
Join Date: Apr 2006
Location: Montana
Kubuntu Development Release
Intrusion Detection
Ubuntu Intrusion Detection
Quote: “Paranoia will get you through times of no enemies better than enemies will get you through times of no paranoia” ~ Pete Granger
This how-to was written as an extension to Ubuntu Security and is intended as an introduction to intrusion detection, Ubuntu style. This post is quite long, and for what I hope is greater readability, I have broken it into separate posts.

Here is a very nice link that reviews IDS: Security Focus ~ An Introduction to Intrusion Detection Systems

And for the impatient, the Reader's Digest version: there are two "arms" of intrusion detection, HIDS and NIDS.
HIDS = Host-based Intrusion Detection System.
NIDS = Network-based Intrusion Detection System.

In a nutshell, HIDS monitors your system files for unauthorized changes. Examples of this type of monitoring methodology might include techniques such as scanning for viruses, tripwire, Tiger, rkhunter, and chkrootkit. Similarly, NIDS monitors your network traffic for DOS attacks, port scans, or other suspicious network activity. Examples include watching your firewall in Windows for alerts, snort, or Wireshark.

Although there are other options, both for applications and configuration, in this tutorial I will show you how to install ossec-hids and snort:
NIDS = snort
HIDS = ossec

Snort: Snort will monitor your network traffic by checking packets against "rules". We will configure snort to log "alerts" to a mysql database. We will then use base to display this information in a web browser (Firefox). Although seemingly foreign at first, base is a very nice web based gui front end for snort. Base is basically point and click and contains numerous links to help interpret alerts.
Quote:
OSSEC-HIDS: OSSEC-HIDS will monitor your log files, monitor the integrity of system files, check for root kits, and perform active response. Active response means ossec will blacklist (block connections from) potential crackers "automagically".
Quote:
Note: There are of course other options for HIDS and NIDS, as well as alternate configuration options for both snort and ossec.

You should be familiar with:
1. Installing from source (don't worry, I will walk you through it).
2. Your IP address, both on your private LAN and your public IP address.
3. Your netmask.
4. If you wish to access base and the OSSEC web interface outside your LAN, you will need to know how to configure your router (you do have a router, don't you?). In addition, be sure to understand the security implications of running LAMP. In addition, you may wish to use .htaccess or ssl. Reference: community/ApacheMySQLPHP
5. Installing and configuring snort will take some time; give yourself a few hours.

We will be running all commands in this tutorial as root, so either add "sudo" in front of these commands or open a terminal and obtain a root shell:
Code:
sudo -i
There are two mistakes one can make along the road to truth...not going all the way, and not starting. --Prince Gautama Siddharta
#ubuntuforums web interface
Last edited by bodhi.zazen; September 29th, 2008 at 12:35 AM.
#2
Walking moon
Re: Intrusion Detection
How to install snort + mysql + base
As has been pointed out by Sarmacid, you can install snort from the Ubuntu repositories. In the repos snort is on version 2.7, whereas from source we are on snort 2.8. To use the repos use "sudo apt-get install snort-mysql". You will need to download a set of rules for snort. The downloads page is here: http://www.snort.org/pub-bin/downloads.cgi

1. prep ~ Install the various tools and dependencies for Snort and OSSEC. You will need the Universe repository enabled. If you need assistance enabling your repositories, see: /community/Repositories/Ubuntu
Code:
apt-get -y install build-essential libpcap0.8-dev libmysqlclient15-dev mysql-client-5.0 mysql-server-5.0 bison flex apache2 libapache2-mod-php5 php5-gd php5-mysql libphp-adodb php-pear libc6-dev g++ gcc pcregrep libpcre3-dev
For reference: /community/Repositories/ApacheMySQLPHP
During the installation of these applications, make note of (write down) your mysql root password.

2. Obtain snort source code ~ be sure to check the snort home page for updated versions of snort. Although snort is in the repositories, you will need to compile snort yourself. This is because the binary in Ubuntu does not have support for snort logging to a mysql database enabled. This procedure has been tested (and is working) on both 32-bit and 64-bit arch.
Code:
cd /usr/src
wget http://www.snort.org/dl/current/snort-2.8.3.tar.gz
tar zxvf snort-2.8.3.tar.gz
In order to get a set of rules you have a set of options listed on the snort rules page. The "Community Rules", at the bottom of the page, are available without any further registration. For a more "up to date" set of rules you must either register or subscribe. (continuing in the /usr/src directory)
Code:
wget http://www.snort.org/the_rules_you_wish_to_use
cd snort-2.8.3
tar zxvf ../snortrules*

Bleeding Edge Threats
The snort rule sets are here: http://doc.bleedingthreats.net/bin/v...in/AllRulesets
I downloaded the bleeding-all.rules
You may also be interested in: http://www.emergingthreats.net
You can keep your rules up to date with oinkmaster. Oinkmaster is in the repos. If you use oinkmaster, be sure to READ THE DOCUMENTATION.
Code:
cd /usr/src/snort-2.8.3/rules
wget http://www.bleedingthreats.net/rules/bleeding-all.rules
Code:
cd /usr/src/snort-2.8.3
./configure --enable-dynamicplugin --with-mysql
make
make install
If, however, you do get errors when compiling snort, see This thread

5. You can remove snort with:
Code:
make uninstall
Last edited by bodhi.zazen; March 9th, 2009 at 07:22 AM.
#3
Walking moon
Re: Intrusion Detection
Configure snort
Configure mysql
Next we need to configure a mysql database for snort to use for alerts.
Code:
mysql -u root -p
You will get a mysql prompt "mysql>". I will use this prompt to indicate commands entered in mysql (as opposed to the command line); you do not need to enter the "mysql >".
Quote:
Now, back at the command line, import the snort database schema
Code:
mysql -D snort -u snort -p < /usr/src/snort-2.8.3/schemas/create_mysql
We need to configure snort, write a start script, and add a cron job. If things are too quiet, and snort goes a few hours without logging an alert to mysql, snort loses the connection with mysql. You then need to restart snort to re-establish a connection with the mysql database.

First let's create a user for snort. Again, change the user name if you wish.
Code:
adduser snort
Code:
chsh snort
Last, lock the account.
Code:
passwd snort -l
Code:
cd /usr/src/snort-2.8.3
mkdir -p /etc/snort/rules /var/log/snort
chown -R root.snort /var/log/snort
chmod -R 770 /var/log/snort
cp etc/* /etc/snort/
cp rules/* /etc/snort/rules
Using any editor, open /etc/snort/snort.conf and make the following changes:

Write a script to start snort:
The only "problem" with installing snort from source is that we now need a script to start snort. The other issue is that if there are no alerts, snort will lose its connection with the mysql database. To solve this, I wrote a script to start / restart snort. The script is attached to this post and is called "ubuntu.snort.init.txt". Copy this file to your computer and copy/move it to /etc/init.d/snort
Now let's look at the code. You need to look at two lines.
Now that you are done editing the file, set ownership and permissions:
Code:
chown root.root /etc/init.d/snort
chmod 500 /etc/init.d/snort
My script has a 20 second sleep built in (sometimes when you start snort it will fail after a 10-15 second delay). To avoid adding 20 seconds to your boot time, use the "boot" option. With this factoid in mind, edit /etc/rc.local and add:
Code:
exec /etc/init.d/snort boot

Restarting snort with a cron job
Did I mention, Snort may lose the connection to the mysql database if no alerts are received for several hours (which can happen once we eliminate false positives and install OSSEC-HIDS)? In addition, if you clear your data in base you may need to re-start snort. To restart snort with my script:
Code:
/etc/init.d/snort restart
To restart snort every 6 hours, use crontab (as root)
Code:
crontab -e
Code:
0 0,6,12,18 * * * /etc/init.d/snort restart >/dev/null 2>&1
Last edited by bodhi.zazen; January 4th, 2009 at 05:27 AM.
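An added example, not bodhi.zazen's attached ubuntu.snort.init.txt (which is not reproduced on this page): a minimal init script in the shape the post describes, with start, stop, restart and status actions plus a "boot" action that delays the start in the background so rc.local is not held up for 20 seconds. The snort binary path, the pidfile name (snort_<iface>.pid under --pid-path) and the capture interface are assumptions for a source install; override them through the environment variables at the top. Running snort with -u/-g makes it drop root to the unprivileged snort account created above once the capture interface is open.

```shell
#!/bin/sh
# Added example: NOT the "ubuntu.snort.init.txt" attached to the post, but a
# minimal init script in the same shape (start/stop/restart/status plus a
# delayed "boot" start). Every path below is an assumption about a source
# install; override through the environment or edit the defaults.

SNORT=${SNORT:-/usr/local/bin/snort}            # where `make install` puts snort (assumed)
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
SNORT_IFACE=${SNORT_IFACE:-eth0}                # sniffing interface (assumed)
SNORT_LOGDIR=${SNORT_LOGDIR:-/var/log/snort}
SNORT_USER=${SNORT_USER:-snort}                 # unprivileged account created above
PID_PATH=${PID_PATH:-/var/run}
PIDFILE=${PIDFILE:-$PID_PATH/snort_$SNORT_IFACE.pid}   # snort names it snort_<iface>.pid (assumed)
BOOT_DELAY=${BOOT_DELAY:-20}                    # the post's 20 second sleep

# snort_cmd -> the start command line; -D daemonizes, -u/-g make snort drop
# root after opening the capture interface, --pid-path is PIDFILE's directory
snort_cmd() {
    printf '%s -D -c %s -i %s -l %s -u %s -g %s --pid-path %s' \
        "$SNORT" "$SNORT_CONF" "$SNORT_IFACE" "$SNORT_LOGDIR" \
        "$SNORT_USER" "$SNORT_USER" "$PID_PATH"
}

# pid_alive PID -> 0 if a process with that PID exists
pid_alive() {
    [ -n "$1" ] && kill -0 "$1" 2>/dev/null
}

# snort_status -> 0 if the PID recorded in PIDFILE is alive, else 1
snort_status() {
    [ -r "$PIDFILE" ] || return 1
    pid_alive "$(cat "$PIDFILE")"
}

do_start() {
    if snort_status; then
        echo "snort already running (pid $(cat "$PIDFILE"))"
        return 0
    fi
    rm -f "$PIDFILE"                      # stale file left by an unclean stop
    sh -c "$(snort_cmd)"
}

do_stop() {
    if ! snort_status; then
        echo "snort not running"; rm -f "$PIDFILE"; return 0
    fi
    pid=$(cat "$PIDFILE")
    kill "$pid"
    i=0                                    # give it 10 s to flush and exit
    while pid_alive "$pid" && [ "$i" -lt 10 ]; do sleep 1; i=$((i + 1)); done
    if pid_alive "$pid"; then kill -9 "$pid"; fi
    rm -f "$PIDFILE"
}

case "${1:-}" in
    start)   do_start ;;
    stop)    do_stop ;;
    restart) do_stop; do_start ;;
    status)  if snort_status; then echo "snort running"; else echo "snort stopped"; exit 1; fi ;;
    boot)    ( sleep "$BOOT_DELAY"; do_start ) >/dev/null 2>&1 & ;;   # returns at once
    "")      ;;                            # sourced: only define the functions
    *)       echo "usage: $0 {start|stop|restart|status|boot}" >&2; exit 2 ;;
esac
```

Installed as /etc/init.d/snort with the ownership and mode from the post, it works with the `exec /etc/init.d/snort boot` line in rc.local and the 6-hourly `restart` cron entry above; the `status` action exits non-zero when the recorded PID is gone, which is convenient for a monitoring check.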
#4
Walking moon
Re: Intrusion Detection
Install base
Base is a web interface for snort and the snort alerts. See the "using base" section for a brief introduction.
Code:
cd
wget http://easynews.dl.sourceforge.net/sourceforge/secureideas/base-1.3.9.tar.gz
Code:
cd /var/www
tar zvxf ~/base-1.3.9.tar.gz
mv base-1.3.9 base
cd base
cp -R /usr/src/snort-2.8.3/doc/signatures .
cd ..
chown -R www-data.www-data base
Code:
pear install Image_Color Image_Canvas-alpha Image_Graph-alpha
Code:
nano /etc/apache2/apache2.conf
Code:
DirectoryIndex index.html index.cgi index.pl index.php index.xhtml
Code:
/etc/init.d/apache2 restart
You must accept cookies from base. Click continue on the first page.
Step 1 of 5: Enter the path to ADODB. This is /usr/share/php/adodb.
Step 2 of 5: Database type = MySQL, Database name = snort, Database Host = localhost, Database username = snort, Database Password = snort_password
Step 3 of 5: If you want to use authentication (used to log into the web interface), enter a username and password here and check the box.
Step 4 of 5: Click on Create BASE AG.
Step 5 of 5: once step 4 is done, at the bottom click on Now continue to step 5 and log in.
Congratulations! You should now see something that looks like this:
You can password protect the base directory with .htaccess and/or use ssl.
Last edited by bodhi.zazen; September 16th, 2008 at 01:57 AM.
#5
Walking moon
Re: Intrusion Detection
Using snort / base
Although seemingly foreign, everything in base is point and click. Click on your alerts for example and they will be listed. Click on various links and you will be brought to web page(s) where the alert is explained in more detail. For example, here is a screen shot showing us some alerts. Click on the blue "19" by "Total Number of Alerts" and base will show you ...
Alerts:
Quote:
Click on the ip address (74.6.17.188) to take you to a page where you can select a link to look up the offending ip. On this second page, click on ARIN (or any other), which will take us to a page where we can see this ip address belongs to Yahoo.com
===============
Another example, from a local port scan:
Quote:
http://www.snort.org/pub-bin/sigs.cgi?sid=119:14
This alert was generated by my portscan to show the active response of ossec (see below).

Basic alert management
First, when you first install snort, you will likely get a large number of alerts. Most of these are legitimate traffic (false positives). YOU WILL NEED TO RESEARCH EACH ALERT AND DETERMINE IF YOU ARE VULNERABLE. IF SO, FIX YOUR VULNERABILITY. For "false positives", once you have confirmed an alert is indeed either a false positive or legitimate traffic, either modify or comment out the rule (writing snort rules is beyond this tutorial, see How to snort rules). For the example here, robots.txt:
Note: There are better ways of managing robots.txt, see the snort links and apache documentation; I am using this only as an example of editing snort rules.
grep is our friend here, so find the alert with:
Code:
grep robots.txt /etc/snort/rules/*
Quote:
Code:
sudo nano -w /etc/snort/rules/web-misc.rules
When you find the appropriate line (the one that starts with "alert"), add a # to the front of the line. Re-start snort.
Once you have managed the false positives, watch for repeat offenders. If I see an IP address persistently triggering snort, I black list it in iptables. If you do not know how to do this, see here: Uncomplicated_Firewall_ufw
Specifically: https://help.ubuntu.com/community/Un...ocking%20Rules
Hint: EDIT /etc/ufw/before.rules
Last edited by bodhi.zazen; September 15th, 2008 at 09:48 PM.
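The nano-and-# step above is easy to get wrong in a large rules file, and it has to be redone every time the rules are refreshed (with oinkmaster, for instance). As an added example that is not part of the post, the shell functions below comment out a rule by its SID instead of by hand, keep a .bak copy, refuse to touch a SID that is not currently active (so a typo or a second run is noticed rather than silently ignored), and list which SIDs are currently silenced so the same set can be reapplied after a rules update. The rules file used for the demo is constructed for this example; its SIDs and messages are not real Snort rules.

```shell
#!/bin/sh
# Added example, not from the thread: disable a Snort rule by SID rather than
# hunting for the line in nano. Assumes Snort 2.x rule syntax: an active rule
# line begins with an action keyword and carries "sid:N;" in its options.

RULE_ACTIONS='alert|log|pass|drop|reject|sdrop'

# rule_regex SID -> an ERE (without ^) matching an active rule with that SID
rule_regex() {
    printf '(%s)[[:space:]].*sid:[[:space:]]*%s[[:space:]]*;' "$RULE_ACTIONS" "$1"
}

# disable_sid SID FILE
# Comment out every active rule carrying SID in FILE, keeping FILE.bak.
# Returns 0 when a rule was changed and 1 when no active rule matched, so a
# re-run is harmless and a mistyped SID is reported rather than ignored.
disable_sid() {
    sid=$1; file=$2
    re=$(rule_regex "$sid")
    n=$(grep -c -E "^$re" "$file" || true)   # grep -c exits 1 on zero matches
    [ "$n" -gt 0 ] || return 1
    cp -p "$file" "$file.bak"
    sed -E "s/^($re)/# \\1/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# disabled_sids FILE -> SIDs of commented-out rules, one per line, so the
# silenced set can be reviewed and reapplied after a rules update
disabled_sids() {
    grep -E "^#[[:space:]]*($RULE_ACTIONS)[[:space:]]" "$1" \
        | sed -E 's/.*sid:[[:space:]]*([0-9]+)[[:space:]]*;.*/\1/'
}

# make_sample_rules FILE -> writes a constructed rules file (not real rules)
make_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample, modelled on the robots.txt example in the post
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE robots.txt access"; flow:to_server,established; content:"/robots.txt"; nocase; classtype:web-application-activity; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh probe"; flow:to_server; classtype:attempted-recon; sid:1000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE already silenced"; sid:1000003; rev:1;)
EOF
}

# Usage: sh disable_sid.sh demo                  (runs against the constructed file)
#        sh disable_sid.sh SID /etc/snort/rules/web-misc.rules && /etc/init.d/snort restart
case "${1:-}" in
    demo)
        f=$(mktemp)
        make_sample_rules "$f"
        disable_sid 1000001 "$f" && echo "disabled sid 1000001"
        echo "silenced SIDs:"; disabled_sids "$f"
        rm -f "$f" "$f.bak"
        ;;
    "") ;;                       # sourced: only define the functions
    *)  disable_sid "$1" "$2" || { echo "no active rule with sid $1 in $2" >&2; exit 1; } ;;
esac
```

Snort only rereads the rules on restart, so the `restart` in the usage line (the post's init script) is what actually makes the change take effect; keep the output of `disabled_sids` somewhere outside the rules directory, because a rules download overwrites the file and with it every `#` you added.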
#6
Walking moon
Re: Intrusion Detection
OSSEC-HIDS
OSSEC-HIDS is much easier to install. Basically it is downloading and then running a script. Go to the ossec download page and download the most recent version: http://www.ossec.net/main/downloads/
Code:
wget http://www.ossec.net/files/ossec-hids-1.6.tar.gz
tar xzvf ossec-hids-1.6.tar.gz
Code:
cd ossec-hids-1.6
./install.sh
When you get to the question:
Quote:
There is a very nice post on the Ubuntu forums here: Howto setup OSSEC-HIDS on your ubuntu box ~ Thanks RShadow
The only "problem" is that the post is a little outdated. The information about running the install script is accurate, but you DO NOT need to write an init script. ossec 1.6 will install a script for you into /etc/init.d/ossec
Start / Stop OSSEC with:
Code:
sudo /etc/init.d/ossec start|stop
Not much needs to be done. HOWEVER, I would caution you that OSSEC has an active response to threats. If OSSEC detects a bad ip address, it will block that ip address using iptables. This means that if your snort rules are giving you false alerts, legitimate traffic to your server will be blocked. This also means you can lose access to your server as well. Fortunately this is a temporary ban. It is more than sufficient to deter the script kiddies, and if your access is blocked, access is restored in a few minutes. This means, however, you need to monitor snort (base) and fine tune your rules so you are not blocking legitimate traffic. Again, if there are repeat offending IP addresses, black list them in iptables (see the using snort/base post for how to do this).
Additional configuration of OSSEC is done by editing /var/ossec/etc/ossec.conf
This configuration file is well commented and you will see a white list section where you may white list additional ip addresses if needed.
Last edited by bodhi.zazen; September 15th, 2008 at 09:56 PM.
#7
Walking moon
Re: Intrusion Detection
Web access to ossec
Download the web interface from http://www.ossec.net/main/downloads/
Code:
cd
wget http://www.ossec.net/files/ui/ossec-wui-0.3.tar.gz
cd /var/www
tar xzvf ~/ossec-wui-0.3.tar.gz
mv ossec-wui* ossec
cd ossec
./setup.sh
When the script is finished running, change ownership of the directory and add www-data to the ossec group
Code:
cd /var/www
chown -R www-data.www-data ossec
usermod -G ossec -a www-data
Code:
/etc/init.d/apache2 restart
From the web interface you can see any changes to system files and alerts.
Last edited by bodhi.zazen; September 17th, 2008 at 12:05 AM.
#8
Walking moon
Re: Intrusion Detection
Using ossec :
Once you log into the web interface you will have a number of tabs.
Main ~ This is where you will see alerts.
Integrity checking ~ Will show you recent changes to system files.

Understanding and modifying rules
Listing of rules (it is incomplete): http://www.ossec.net/wiki/index.php/Rule
Modifying rules: http://www.ossec.net/wiki/index.php/...w:Ignore_Rules
I did find this wiki page on integrating base + ossec, but I have not tried it.
ossec + base: http://www.ossec.net/wiki/index.php/OSSEC_&_BASE
Example of ossec active response:
Quote:
Last edited by bodhi.zazen; September 19th, 2008 at 04:19 AM.
#9
Ubuntu Master Jedi
Join Date: May 2007
Ubuntu
Re: Intrusion Detection
The Ubuntu Guru strikes again! Thanks bodhi, this thread is great, I think it's your best so far.
Now for a short little addendum to the main guide, for those interested in low system impact.

Intrusion Detection using a Virtual Machine
If you would like to take this guide for a run without heavily messing with your current system configuration, you can still get the full effect by setting up Ubuntu in a Virtual Machine (VM) and following the guide from there. The concepts here apply to whatever virtualization software you prefer; I just use vbox as an example since that is what I used.

The only work that needs to be done on your host machine (not the VM) is to set up a network bridge so that your VM will have an IP assigned by your network's DHCP server (in a home network, this is usually the central router). You can also opt to set a static IP that is recognized by the rest of the network. With this network IP, you can then actually see what is happening on the network, unlike with the default private IP that VMs normally get assigned.
Example: Normal Private IP: 10.0.2.15
(Note: Yes, yes, 192.168.xxx.yyy is also in the private IP range, but this is what is generally seen on a home network, and I therefore refer to it as the network IP.)

General Directions for using VirtualBox:
Set up your virtual machine with an Ubuntu installation - there are many guides out there on how to do this (ex: community/VirtualBox). Don't forget to install LAMP and the build-essential metapackage, which are needed for the above tutorial.
Now create a network bridge on your host machine by following the directions at community/VirtualBox#Networking. Our guru, bodhi.zazen, also suggested the following link, which will also work for vbox - community/KVM#Creating a network bridge on the host. I found it helps to first set your host to DHCP temporarily if you are using a static IP so that you can easily configure the bridge. Then you can set up your static IP after your bridge is successfully created and tested.
The VM won't know the difference, other than it will get an IP immediately compatible with your network. Also, don't forget to create the scripts to bring the bridge up and down as described in the VirtualBox wiki link.

Here is my /etc/network/interfaces file, with static IP on the host, for your reference (yours will vary). I have edited out my username, and I am using a Linksys WRT54G router:
Code:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

auto eth0
iface eth0 inet manual
address 0.0.0.0

auto br0
iface br0 inet static
bridge_ports eth0
address 192.168.1.201
netmask 255.255.255.0
gateway 192.168.1.1

auto lo
iface lo inet loopback

auto tap1
iface tap1 inet manual
up ifconfig $iface 0.0.0.0 up
down ifconfig $iface down
tunctl_user username
If you're into using static IPs, you can now set a static IP on your VM as well. This makes it convenient to access the web service interfaces for BASE and OSSEC from another system (like the host). Enjoy!
Beginners Guide to Filing Bug Reports | System Docs | Community Docs | Contribute to Documentation | The Bump Thread - as pointless as it sounds.
Last edited by Rocket2DMn; September 26th, 2008 at 07:23 PM. Reason: set eth0 static ip
#10
Fresh Brewed Ubuntu
Join Date: Oct 2007
Location: ISS
Beans: 1,429
Re: Intrusion Detection
Thanks mate. This thread is indeed great.
CLI | Installation_Problems | DocIndex | tldp.org | GNUphil | Criticism_Microsoft
posted on 2013-02-21 17:52 by Richard.FreeBSD, reads (742), comments (0)