Friday, May 18, 2012

Install Snort with SnortReport on CentOS

Step 1: Preparing

#yum install pcre pcre-devel php php-common php-gd php-cli php-mysql flex bison mysql mysql-devel mysql-bench mysql-server php-pear.noarch php-pear-DB.noarch php-pear-File.noarch kernel-devel libxml2-devel vim-enhanced.i386
#yum install gcc-c++

Download the source code. Note: every fetch below is plain HTTP with no checksum or signature check, and everything is later built and installed as root — compare each tarball against the hash/signature the vendor publishes before you run its configure/make. The extract commands in the following steps mostly expect the tarballs in /root, so either download there or adjust the /root/ paths:
#cd /usr/local
#wget http://ips-builder.googlecode.com/files/libnet-1.0.2a.tar.gz
#wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
#wget http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz
#wget http://www.snort.org/downloads/1623 -O daq-0.6.2.tar.gz
#wget http://www.snort.org/downloads/1631 -O snort-2.9.2.3.tar.gz
#download the rules snapshot for your Snort version from https://www.snort.org/snort-rules/ (Step 4 uses snortrules-snapshot-2921.tar.gz; this requires a registered account). Also fetch barnyard2-1.9.tar.gz and snortreport-1.3.1.tar.gz into /root: Step 6 extracts both, but this list does not download them.
#wget http://www.unixwiz.net/tools/nbtscan-source-1.0.35.tgz
#wget http://jpgraph.net/download/download.php?p=1.27.1 -O jpgraph-1.27.1.tar.gz

Step 2: Install lib
#cd /usr/local
#tar zxvf /root/libnet-1.0.2a.tar.gz
#cd Libnet-1.0.2a
#./configure && make && make install
#cd /usr/local
#tar zxvf /root/libdnet-1.12.tgz
#cd libdnet-1.12
#./configure && make && make install
#cd /usr/local
#tar xvzf libpcap-1.1.1.tar.gz
#cd libpcap-1.1.1
#./configure && make && make install
#cp /usr/local/lib/libpcap.a /usr/lib/
#cd /usr/local
#mkdir nbtscan
#cd nbtscan
#tar zxvf /root/nbtscan-source-1.0.35.tgz   (the filename must match the tarball downloaded in Step 1)
#make

Step 3: Install DAQ and Snort
Install DAQ
#cd /usr/local
#tar xvzf daq-0.6.2.tar.gz
#cd daq-0.6.2
#./configure && make && make install

Install Snort
#cd /usr/local
#tar zxvf /root/snort-2.9.2.3.tar.gz
#cd snort-2.9.2.3
#./configure && make && make install

Step 4: Config snort

Create snort rules and logs
#mkdir /etc/snort
#mkdir /var/log/snort
#cd /etc/snort
#tar zxvf /root/snortrules-snapshot-2921.tar.gz -C /etc/snort
#cp etc/* /etc/snort
#groupadd snort
#useradd -r -g snort -s /sbin/nologin snort   (system service account: no login shell, no password)
#chown snort:snort /var/log/snort
#touch /var/log/snort/alert
#chown snort:snort /var/log/snort/alert
#chmod 600 /var/log/snort/alert
#mkdir /usr/local/lib/snort_dynamicrules
#cp /etc/snort/so_rules/precompiled/Centos-5-4/i386/2.9.2.1/*.so /usr/local/lib/snort_dynamicrules
(Pick the precompiled directory that matches your distro, architecture and the exact Snort version you built — 2.9.2.3 here, whereas this path is for 2.9.2.1. These .so files are compiled shared objects that Snort loads into its own process, so they must come from the snapshot matching your build, obtained from snort.org over a verified channel.)
#cat /etc/snort/so_rules/*.rules >> /etc/snort/rules/so-rules.rules

Edit snort.conf
#vim /etc/snort/snort.conf
Change:
RULE_PATH to /etc/snort/rules
PREPROC_RULE_PATH to /etc/snort/preproc_rules
SO_RULE_PATH to /etc/snort/so_rules
Find the reputation preprocessor block (around line 511) and comment out every line of it.
Find the unified2 output line, uncomment it and set it to: output unified2: filename snort.log, limit 128

Step 5: Setup MySQL
#mysql -u root -p
>SET PASSWORD FOR root@localhost=PASSWORD('a-strong-root-password');
>CREATE DATABASE snort;
>GRANT CREATE, INSERT, SELECT, DELETE, UPDATE ON snort.* TO snort@localhost;
>SET PASSWORD FOR snort@localhost=PASSWORD('a-strong-snort-password');
>exit
(The snort account only writes alerts into this one database: do not give it ALL PRIVILEGES or WITH GRANT OPTION, and do not reuse the root password or the literal word "password". The snort password is copied in clear text into srconf.php in Step 6 and barnyard2.conf, so it must be unique to this service.)

#cd /usr/local/snort-2.9.2.3/schemas   (the directory unpacked in Step 3)
#mysql -u root -p snort < create_mysql

Test database:
#mysql -u root -p
>SHOW DATABASES;
The snort database should be listed (4 rows in total on a fresh install).
>USE snort;
>SHOW TABLES;
There should be 16 tables.
>exit

Step 6: Create GUI

Extract JPGRAPP
#cd /usr/local
#tar xvzf /root/jpgraph-1.27.1.tar.gz
#cp -r jpgraph-1.27.1 /var/www/html   (it is a directory, so cp needs -r)
#mv /var/www/html/jpgraph-1.27.1 /var/www/html/jpgraph

#cd /var/www/html
#tar zxvf /root/snortreport-1.3.1.tar.gz
#cd snortreport-1.3.1
#vim srconf.php
Find $pass and set it to the snort database password chosen in Step 5.
Find JPGRAPH_PATH and change it to ("JPGRAPH_PATH", "../jpgraph/src/");
Find NMAP_PATH and change it to ("NMAP_PATH", "/usr/bin/nmap -v");   (nmap is not in the Step 1 package list — yum install nmap, or this path will not exist)
Find NBTSCAN_PATH and change it to ("NBTSCAN_PATH", "/usr/local/nbtscan/nbtscan");
srconf.php now contains the database password and the pages under /snortreport-1.3.1/ expose your IDS alerts: keep the file readable only by root and the web server user, and restrict access to this directory in Apache (authentication and/or allowed source addresses) rather than leaving it reachable from any network.

Install Barnyard
#cd /usr/local
#tar zxvf /root/barnyard2-1.9.tar.gz
#cd barnyard2-1.9
#./configure --with-mysql && make && make install
#cp etc/barnyard2.conf /etc/snort

Setup Barnyard
#vim /etc/snort/barnyard2.conf
Change hostname to localhost
Change interface to eth0 (the listening interface)
Change the mysql line to: output database: log, mysql, user=snort password=<snort DB password from Step 5> dbname=snort host=localhost
This file now holds the database password in clear text, so make it unreadable to other local users:
#chmod 600 /etc/snort/barnyard2.conf

Step 7: Start Snort
First CLI terminal
#snort -u snort -g snort -i eth0 -c /etc/snort/snort.conf -l /var/log/snort
(-u/-g make Snort drop to the snort user created in Step 4 after it opens the capture interface instead of parsing all traffic as root; -i is your listening interface.)

Second CLI terminal
#cp /dev/null /var/log/snort/barnyard2.waldo   (same file name as used in Step 8)
#mkdir /var/log/barnyard2
Start barnyard:
#/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo

Test snort:
Third CLI:
#vim /etc/snort/rules/local.rules
Insert this line (straight quotes only):
alert tcp any any <> any 80 (msg:"Test web activity"; sid:1000001; rev:1;)
Restart Snort (Ctrl+C in the first terminal and run the snort command again). This rule fires on every port-80 packet, so remove it again once the test is done.
Open Web Browser, type your snort server address
Go to: http://<your-snort-server>/snortreport-1.3.1/alerts.php   (the directory unpacked in Step 6)


If you see a number of events with SID 1000001, Snort works!

Step 8: Config Snort and barnyard start automatically

Snort:
#ln -s /usr/local/bin/snort /usr/sbin/snort
#cp /usr/local/snort-2.9.2.3/rpm/snortd /etc/init.d
#cp /usr/local/snort-2.9.2.3/rpm/snort.sysconfig /etc/sysconfig/snort
#cd /etc/rc3.d
#ln -s ../init.d/snortd S99snortd
#cd ../rc0.d
#ln -s ../init.d/snortd K99snortd
#cd /etc/rc5.d
#ln -s ../init.d/snortd S99snortd
#cd ../rc6.d
#ln -s ../init.d/snortd K99snortd
#chmod 755 /etc/init.d/snortd
#vim /etc/sysconfig/snort
Find eth0 and change it to your listening interface.
Comment out ALERTMODE=FAST, DUMP_APP=1 and BINARY_LOG=1 (unified2 output from snort.conf is used instead).
Check that USER and GROUP are set to snort so the daemon runs unprivileged, as in Step 7.

Test: /etc/init.d/snortd start

Barnyard2:
#vim /etc/snort/barnyard2.conf
Uncomment config daemon
Set the path to your waldo file, /var/log/snort/barnyard2.waldo

#vim /usr/local/barnyard2-1.9/rpm/barnyard2.config
Change LOG_FILE to snort.log
Change CONF to /etc/snort/barnyard2.conf

#ln -s /usr/local/bin/barnyard2 /usr/sbin/barnyard2
#cp /usr/local/barnyard2-1.9/rpm/barnyard2 /etc/init.d
#vim /etc/init.d/barnyard2
Change BARNYARD_OPTS to BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR -w $WALDO_FILE -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
#cp /usr/local/barnyard2-1.9/rpm/barnyard2.config /etc/sysconfig/barnyard2
#chmod 755 /usr/local/bin/barnyard2
The init script copied above is /etc/init.d/barnyard2, so the links must point at that name (a link to "barnyard2d" would dangle and the daemon would never start at boot):
#cd /etc/rc3.d
#ln -s ../init.d/barnyard2 S99barnyard2
#cd ../rc0.d
#ln -s ../init.d/barnyard2 K99barnyard2
#cd /etc/rc5.d
#ln -s ../init.d/barnyard2 S99barnyard2
#cd ../rc6.d
#ln -s ../init.d/barnyard2 K99barnyard2
#chmod 755 /etc/init.d/barnyard2

Test: /etc/init.d/barnyard2 start.

