Performed by: Nguyen Van Hung
Department: CNTT

Installing Snort

Installing packages
1. yum install -y gcc flex bison zlib* libxml2 libpcap* pcre* tcpdump git libtool curl man make daq
2. yum groupinstall -y "Development Tools"
3. yum install -y mysql-server mysql-devel php-mysql php-adodb php-pear php-gd httpd wget pcre pcre-devel
Prepare the following separate installation files:
libdnet-1.12.tgz
libdnet-1.12-6.el6.x86_64.rpm
libdnet-devel-1.12-6.el6.x86_64.rpm

Download the latest Snort files from Snort.org:
daq-2.0.4.tar.gz
snort-2.9.7.2.tar.gz
cd /usr/local/src
tar -zxvf /root/Desktop/daq-2.0.4.tar.gz
tar -zxvf /root/Desktop/snort-2.9.7.2.tar.gz
cd daq-2.0.4
./configure
make && make install
cd /usr/local/src/snort-2.9.7.2
./configure --enable-sourcefire
make && make install
cd /etc
mkdir snort
cd snort
cp /usr/local/src/snort-2.9.7.2/etc/* .
tar -zvxf /root/Desktop/snortrules-snapshot-2970.tar.gz
touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
Create the user and group and assign permissions
groupadd -g 40000 snort
useradd snort -u 40000 -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort
cd /etc/snort
chown -R snort:snort *
chown -R snort:snort /var/log/snort
Configure Snort
vi /etc/snort/snort.conf
Change the following lines (left: default, right: new value; the numbers are snort.conf line numbers):
ipvar HOME_NET any                          >  ipvar HOME_NET 192.168.x.x
ipvar EXTERNAL_NET any                      >  ipvar EXTERNAL_NET !$HOME_NET
105: var SO_RULE_PATH ../so_rules           >  var SO_RULE_PATH /etc/snort/so_rules
106: var PREPROC_RULE_PATH ../preproc_rules >  var PREPROC_RULE_PATH /etc/snort/preproc_rules
109: var WHITE_LIST_PATH ../rules           >  var WHITE_LIST_PATH /etc/snort/rules
110: var BLACK_LIST_PATH ../rules           >  var BLACK_LIST_PATH /etc/snort/rules

cd /usr/local/src
chown -R snort:snort daq-2.0.4
chmod -R 777 daq-2.0.4
chown -R snort:snort snort-2.9.7.2
chmod -R 755 snort-2.9.7.2
chown -R snort:snort snort_dynamicsrc
chmod -R 777 snort_dynamicsrc
Start Snort
cd /usr/local/src/snort-2.9.7.2/rpm
cp snortd /etc/init.d/snort
cp /usr/local/src/snort-2.9.7.2/rpm/snort.sysconfig /etc/sysconfig/snort
chmod 777 /etc/init.d/snort
chkconfig --add snort
chkconfig snort on
cd /usr/sbin
ln -s /usr/local/bin/snort snort
If the /var/log/snort directory does not exist:
cd /var/log
mkdir snort
Permissions:
chmod 777 snort
chown -R snort:snort snort
cd /usr/local/lib
chown -R snort:snort snort*
chown -R snort:snort snort_dynamic*
chown -R snort:snort pkgconfig
chmod -R 777 snort*
chmod -R 777 pkgconfig
cd /usr/local/bin
chown -R snort:snort daq-modules-config
chown -R snort:snort u2*
chmod -R 777 daq-modules-config
chmod 777 u2*
cd /etc
chown -R snort:snort snort
chmod -R 777 snort
Check
cd /usr/local/bin
./snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf
Test
snort -v
snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf

If you see:
ERROR: /etc/snort/snort.conf(249) Could not stat dynamic module path "/usr/local/lib/snort_dynamicrules": No such file or directory.
Create the dynamicrules directory:
mkdir -p /usr/local/lib/snort_dynamicrules
chown -R snort:snort /usr/local/lib/snort_dynamicrules
chmod -R 777 /usr/local/lib/snort_dynamicrules
If OK:
cd /usr/local/bin
./snort -A fast -b -D -d -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
service snort start | stop | restart
Add a rule
gedit /etc/snort/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"Co Nguoi Ping"; sid:1000003; rev:1;)
View alerts
snort -c /etc/snort/snort.conf -i eth0 -A console
snort -vde
Other rules
drop icmp any any -> any any (itype:0; msg:"Chan Ping"; sid:1000002;)
alert icmp any any -> $HOME_NET 81 (msg:"Scanning Port 81"; sid:1000001; rev:1;)
# sid 1000002 is already taken by the drop rule above, so this rule needs its own sid
alert tcp any any -> $HOME_NET 22 (msg:"Scanning Port 22"; sid:1000004; rev:1;)
alert icmp any any -> any any (msg:"UDP Testing Rule"; sid:1000006; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP Test!!!"; classtype:not-suspicious; sid:1000005; rev:1;)
View the Snort alert log file
/var/log/snort
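Added example (not from this guide or the Snort project): a small Python pre-check for local.rules that catches the missing and duplicate sids that make snort -T fail, plus a summariser for the -A fast lines written to /var/log/snort/alert, grouped by sid and source address. The rule and alert lines are constructed samples modelled on the rules above; the timestamps and addresses are invented.

```python
# Added example for this guide (not Snort project code); rules and alerts below are constructed samples.
import re
from collections import Counter

# Rule header "action proto src sport dir dst dport" followed by (options).
RULE_RE = re.compile(r'^(alert|drop|log|pass|reject)\s+\w+\s+\S+\s+\S+\s+(->|<>)\s+'
                     r'\S+\s+\S+\s*\((?P<opts>.*)\)\s*$')
# Fast alert: "ts  [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]".
FAST_RE = re.compile(r'^\S+\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*'
                     r'\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)')

def lint_rules(text):
    """Return ({sid: msg}, [problems]) flagging unparseable rules, missing or duplicate sids."""
    sid_map, problems = {}, []
    for line in filter(lambda l: l and not l.startswith('#'), map(str.strip, text.splitlines())):
        m = RULE_RE.match(line)
        if not m:
            problems.append('unparseable: ' + line)
            continue
        # Options are 'key:value;' pairs; a msg containing ';' would need a real tokenizer.
        opts = dict(o.strip().partition(':')[::2] for o in m['opts'].split(';') if o.strip())
        sid = opts.get('sid', '').strip()
        if not sid.isdigit():
            problems.append('missing sid: ' + line)
        elif int(sid) in sid_map:
            problems.append('duplicate sid ' + sid)   # Snort flags these when loading the config
        else:
            sid_map[int(sid)] = opts.get('msg', '').strip().strip('"')
    return sid_map, problems

def summarise_alerts(log_text, sid_map):
    """Count fast alerts per (sid, source IP) and list sids that have no local rule."""
    counts = Counter((int(m['sid']), m['src'])
                     for m in map(FAST_RE.match, log_text.splitlines()) if m)
    unknown = {sid for sid, _ in counts if sid not in sid_map}
    return counts, unknown

LOCAL_RULES = """\
alert icmp any any -> $HOME_NET any (msg:"Co Nguoi Ping"; sid:1000003; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"Scanning Port 22"; sid:1000002; rev:1;)
"""
FAST_LOG = """\
03/09-14:21:05.123456  [**] [1:1000003:1] Co Nguoi Ping [**] [Priority: 0] {ICMP} 192.168.1.20 -> 192.168.1.10
03/09-14:21:06.223456  [**] [1:1000003:1] Co Nguoi Ping [**] [Priority: 0] {ICMP} 192.168.1.20 -> 192.168.1.10
03/09-14:21:09.000001  [**] [1:1000002:1] Scanning Port 22 [**] [Priority: 0] {TCP} 192.168.1.20:40000 -> 192.168.1.10:22
03/09-14:21:11.000001  [**] [1:2000001:1] Not in local.rules [**] [Priority: 0] {TCP} 192.168.1.22:51001 -> 192.168.1.10:81
"""
```

Run lint_rules on the real /etc/snort/rules/local.rules before snort -T, and summarise_alerts on the alert file to see which rule and which source produce the most hits.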
Configuring Snort inline
Prepare one CentOS 6.5 machine
Prepare one attacker machine
2 network cards:
1 WAN card (NAT) - 1 LAN card (host)
NAT the LAN card out through the WAN card so that the outside can ping in:
vi /etc/sysctl.conf
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 7 -j DNAT --to 192.168.1.10:7
1. Configure the Inline Packet Normalization to be enabled. If running Snort in passive mode (IDS), comment/disable Inline Packet Normalization:
## Keep these unchanged. If they are commented out, then uncomment them.
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
2. Configure Snort Policy mode to run in inline (IPS):
## Under Step #2: add the following line
config policy_mode:inline

3. Configure DAQ variables to run AFPacket in inline (IPS) mode:
## Configure DAQ variables for AFPacket
vi /etc/snort/snort.conf
config daq: afpacket
config daq_mode: inline
config daq_dir: /usr/local/lib/daq
config daq_var: buffer_size_mb=128
Test
/usr/local/bin/snort -i eth0:eth1 -A console -c /etc/snort/snort.conf -l /var/log/snort/ -Q
Ping is blocked successfully
Add rules to block nmap
Snort detects and blocks >>>> Success
Installing phpMyAdmin
yum -y install phpmyadmin
If you get the error "No package phpmyadmin available", then:
rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
yum -y install http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
yum -y install phpmyadmin

> Installed OK

Installing MySQL
yum install -y mysql-server mysql-devel php-mysql php-adodb php-pear php-gd libtool php-imap php-ldap php-mbstring php-odbc php-pear php-xml php-xmlrpc
yum install php-pecl-apc
chkconfig --levels 235 mysqld on
/etc/init.d/mysqld start
mysql_secure_installation
/usr/bin/mysqladmin -u root password 'new-password'
Then try accessing MySQL:
service httpd start
service mysqld start
chkconfig httpd on
chkconfig mysqld on
mysqladmin -u root password 123456
# mysql -u root -p
mysql> create database snort;
Query OK, 1 row affected (0.00 sec)
mysql> grant select,insert,update,delete,create on snort.* to snort@localhost;
Query OK, 0 rows affected (0.06 sec)
mysql> set password for snort@localhost=PASSWORD('123456');
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Installing Barnyard2

cd /usr/local/src/
tar zxvf /root/Desktop/barnyard2-2-1.13.tar.gz
cd barnyard2-2-1.13/
autoreconf -fvi -I ./m4
./configure --with-mysql                                          (CentOS 32-bit)
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql  (CentOS 64-bit)
make && make install
cp etc/barnyard2.conf /etc/snort
Create the database tables:
mysql -u snort -p123456 snort < schemas/create_mysql
vi /usr/local/etc/barnyard2.conf
mkdir /var/log/barnyard2
chown snort.snort /var/log/barnyard2
touch /var/log/snort/barnyard2.waldo
chown snort.snort /var/log/snort/barnyard2.waldo
touch /etc/snort/sid-msg.map

Installing PulledPork
cd /usr/local/src/snort
tar xvfz pulledpork-0.7.0.tar.gz
cd pulledpork-0.7.0
cp pulledpork.pl /usr/local/bin
chmod 755 /usr/local/bin/pulledpork.pl
cp etc/* /etc/snort/
vi /etc/snort/pulledpork.conf
updatedb
locate snort.conf

Installing PHP
yum install php
yum install php-mysql php-gd php-imap php-ldap php-odbc php-pear php-xml php-xmlrpc
service httpd restart

To test whether the PHP modules were installed successfully, create a file info.php under /html with the following content:
<?php
phpinfo();
?>
# pear channel-update pear.php.net
# pear install Numbers_Roman
# pear install Image_Color-1.0.4
# pear install Image_Canvas-0.3.5
# pear install Image_Graph-0.8.0

Installing BASE and adodb
tar -xvzf adodb518.tgz
mv adodb5 /var/adodb
tar -zxvf base-1.4.5.tar.gz
mv base-1.4.5 /var/www/html/base
cd /var/www/html/base
cp base_conf.php.dist base_conf.php
chown -R apache:apache /var/www/html/base
chmod o-r /var/www/html/base/base_conf.php
vi /var/www/html/base/base_conf.php
$BASE_urlpath = '/base';
$DBlib_path = '/var/adodb';
$DBtype = 'mysql';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_user = 'snort';
$alert_password = 'snort';
chmod 777 /var/www/html/base
vi /etc/sysconfig/barnyard2
vi /etc/httpd/conf/httpd.conf
Alias /base /var/www/html/base/
<Directory "/var/www/html/base/">
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Alias /adodb/ "/var/adodb/"
<Directory "/var/adodb">
AllowOverride None
Order allow,deny
Allow from all
</Directory>
service httpd restart
chcon -R -t httpd_sys_content_t /var/www/html/base/
chcon -R -h -t httpd_sys_content_t /var/adodb
