
Aanval:Snort and Aanval Detailed Installation Guide for OS X

From Aanval Wiki

The following guide provides detailed instructions for installing Snort and Aanval 8 onto a fresh installation of Mac OS X El Capitan (10.11).

Important Note: This Snort install guide was written for and tested with Snort 2.9.8.0. You may see different results with other versions of Snort and/or OS X.

Objective

The objective of this installation guide is for users to have a fully-functional IDS system, powered by Snort, the world's most widely-used and trusted Intrusion Detection System, and Aanval, the industry's longest running Snort threat management console that has been in continual development since 2003.

Preparation

With only a few minor exceptions, this guide is carried out on the command line using the preinstalled Terminal app.

It is assumed that this is a fresh installation of Mac OS X El Capitan (10.11).

  1. If using Safari as the default browser, open its Preferences and uncheck "Open 'safe' files after downloading"; otherwise Safari will unpack the downloaded archives automatically and the commands below, which expect the .tar.gz files, will not work as written.
  2. Navigate to System Preferences > Security & Privacy and set "Allow apps downloaded from:" to Anywhere, as applications from outside the Mac App Store are necessary for this installation. This switches off Gatekeeper's signature check for everything you open, so restore the "Mac App Store and identified developers" setting once the installation is complete.
  3. For the purposes of this installation guide, the following command starts a root shell (it prompts for your administrator account's password, not a separate root password) so that the rest of the installation can proceed without prefixing each command with sudo:
  4. sudo bash
    
  5. Create the following directories:
  6. mkdir /etc/snort
    mkdir /var/log/snort
    mkdir /usr/local/src
    mkdir /smt
    mkdir -p /usr/local/lib/snort_dynamicrules
    
  7. Echo the MySQL path information into your root .profile:
  8. echo 'export PATH=/usr/local/mysql/bin:$PATH' >> ~/.profile
    
  9. Exit and close Terminal completely, and reopen for path changes to take effect.

Installation

Command Line Developer Tools

  1. Download and install the command line developer tools, which are needed to compile packages on OS X.
  2. To trigger the download, execute in Terminal a command that needs the developer tools, such as "gcc" (running xcode-select --install has the same effect):
  3. gcc
    

    You'll receive the following note:

    no developer tools were found at '/Applications/Xcode.app', requesting install. Choose an option in the dialog to download the command line developer tools.
    

    You'll then see a dialog box with options to download Xcode or simply install the command line developer tools. Choose the option to Install.

  4. After completing the command line developer tools installation, you will need to close your Terminal session and relaunch, running sudo once more for changes to take effect:
  5. sudo bash
    

PCRE

The PCRE (Perl Compatible Regular Expression) library contains the required functionality for linked-applications to implement regular expression matching based on Perl.

The latest version of PCRE can be obtained from http://www.pcre.org/

For the purposes of this installation guide, PCRE 8.38 will be referenced.

  1. Download pcre-8.38.tar.gz
  2. Copy the package into /usr/local/src
  3. cp ~/Downloads/pcre-8.38.tar.gz /usr/local/src
    
  4. Change into the /usr/local/src directory:
  5. cd /usr/local/src
    
  6. Uncompress and unarchive pcre-8.38.tar.gz
  7. tar -zxvf pcre-8.38.tar.gz
    
  8. Change into the newly created package directory:
  9. cd pcre-8.38
    
  10. Configure, compile, and install the PCRE library:
  11. ./configure
    make
    make install
    

DAQ

The DAQ (Data AcQuisition) library is a data acquisition layer that allows applications to replace direct calls to PCAP and is required by Snort as of 2.9.

The latest version of DAQ can be obtained from http://www.snort.org/downloads

For the purposes of this installation guide, DAQ 2.0.6 will be referenced.

  1. Download daq-2.0.6.tar.gz
  2. Copy the package into /usr/local/src
  3. cp ~/Downloads/daq-2.0.6.tar.gz /usr/local/src
    
  4. Change into the /usr/local/src directory:
  5. cd /usr/local/src
    
  6. Uncompress and unarchive daq-2.0.6.tar.gz
  7. tar -zxvf daq-2.0.6.tar.gz
    
  8. Change into the newly created package directory:
  9. cd daq-2.0.6
    
  10. Configure, compile, and install the DAQ library:
  11. ./configure
    make
    make install
    

libdnet

libdnet provides a simplified, portable interface to several low-level networking routines and is required by Snort.

The latest version of libdnet can be obtained from http://libdnet.sourceforge.net/

For the purposes of this installation guide, libdnet 1.11 will be referenced.

  1. Download libdnet-1.11.tar.gz
  2. Copy the package into /usr/local/src
  3. cp ~/Downloads/libdnet-1.11.tar.gz /usr/local/src
    
  4. Change into the /usr/local/src directory:
  5. cd /usr/local/src
    
  6. Uncompress and unarchive libdnet-1.11.tar.gz
  7. tar -zxvf libdnet-1.11.tar.gz
    
  8. Change into the newly created package directory:
  9. cd libdnet-1.11
    
  10. Configure, compile, and install the libdnet library:
  11. ./configure
    make
    make install
    

MySQL

MySQL provides the necessary database storage for Aanval.

The most recent MySQL package for OS X can be obtained from http://dev.mysql.com/downloads/mysql/.

For the purposes of this installation guide, mysql-5.7.11-osx10.10-x86_64.dmg was downloaded and used.

  1. Download and install the DMG.
  2. Note: The latest version of MySQL creates a default root user and password during installation. Immediately following the completion of the installation, a pop-up window with the default password will be displayed. RECORD AND DO NOT LOSE THIS PASSWORD, as it will be required later to create and access the Aanval database.

  3. Once the installation is complete, you can open System Preferences to view the status of MySQL and start it. You can also start the process using the following command:
  4. /usr/local/mysql/support-files/mysql.server start
    
  5. Run the following command to place the MySQL libraries in the correct location:
  6. cp /usr/local/mysql/lib/* /usr/local/lib/
    
  7. MySQL 5.7 marks the generated root password as expired, so it must be replaced before any other statement (including the mysqladmin create below) will be accepted. Connect to MySQL from the command line:
  8. mysql -u root -p
    
  9. Enter the default password. Once connected, set a new password with the following statement (replace MyNewPass with a strong password of your own):
  10. ALTER USER 'root'@'localhost' IDENTIFIED BY 'MyNewPass';
    
  11. Create the Aanval database, entering the new root password when prompted:
  12. mysqladmin create aanvaldb -u root -p
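
The guide goes on to have the console log in to MySQL as root, which gives a web application far more privilege than it needs. The script below is an added example, not part of the Aanval wiki or of the Aanval product: it creates a MySQL account that owns only the aanvaldb database, printing the statements (aanval_db_sql) or running them as MySQL root (create_aanval_db_user, which prompts for the root password the way mysql -u root -p does above). The account name aanval, the grant of ALL PRIVILEGES scoped to that one database (Aanval's exact privilege needs are not documented on this page, so a database-scoped grant is used rather than guessing a narrower list) and the function names are assumptions. If you use it, enter this account instead of root on the Aanval database settings page later.

```shell
#!/bin/bash
# Added example, not from the Aanval wiki or the Aanval product: create a MySQL
# account that owns only the Aanval database so the console need not run as root.
# Assumptions: account name "aanval", ALL PRIVILEGES scoped to the one database,
# MySQL 5.7 syntax (CREATE USER IF NOT EXISTS needs 5.7.6 or later).

# sql_quote VALUE -> VALUE as a single-quoted MySQL string literal with backslash
# and single quote escaped, so a password containing ' or \ cannot break out of
# the statement.
sql_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g")"
}

# aanval_db_sql DB USER PASSWORD -> prints the statements to stdout.
# DB and USER become identifiers, so they are restricted to [A-Za-z0-9_] rather
# than escaped; the password is a string literal and goes through sql_quote.
aanval_db_sql() {
    db="$1"; user="$2"
    if [ -z "$db" ] || [ -z "$user" ]; then
        echo "database and user names are required" >&2
        return 1
    fi
    case "$db$user" in
        *[!A-Za-z0-9_]*)
            echo "database and user names must match [A-Za-z0-9_]" >&2
            return 1 ;;
    esac
    quoted_pass=$(sql_quote "$3")
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\`;
CREATE USER IF NOT EXISTS '$user'@'localhost' IDENTIFIED BY $quoted_pass;
GRANT ALL PRIVILEGES ON \`$db\`.* TO '$user'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# create_aanval_db_user DB USER PASSWORD -> runs the statements as MySQL root,
# prompting for the root password the way the guide's "mysql -u root -p" does.
create_aanval_db_user() {
    aanval_db_sql "$@" | mysql -u root -p
}

# Usage (keep the password out of the shared command history where you can):
#   AANVAL_DB_PASSWORD='choose-a-long-random-value'
#   create_aanval_db_user aanvaldb aanval "$AANVAL_DB_PASSWORD"
```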
    

Apache

  1. Edit /etc/apache2/httpd.conf and uncomment the following line to enable PHP script interpretation:
  2. LoadModule php5_module libexec/apache2/libphp5.so
    
  3. Restart Apache:
  4. apachectl restart
    
    • Note: the stock httpd.conf listens on port 80 on every interface and serves plain HTTP, so the Aanval login credentials would cross the network unencrypted if the console is reached from another machine. Keep access to the console restricted (for example, to localhost) or configure Apache for HTTPS before exposing it.
    

PHP

  1. Rename php.ini.default to the more recognizable and standardized php.ini
  2. mv /etc/php.ini.default /etc/php.ini
    

OpenSSL

OS X El Capitan (10.11) ships the OpenSSL libraries but no longer ships the OpenSSL headers, so Snort's configure step fails unless OpenSSL is installed from source first.

The latest version of OpenSSL can be obtained from http://www.openssl.org/source/ (a direct curl command is also provided below). The curl command fetches the archive over plain HTTP; verify the download against the SHA-256 digest or PGP signature published on openssl.org before building it.

For the purposes of this installation guide, OpenSSL 1.0.2f will be referenced.

  1. Enter the following commands. Note the capital C in Configure: OpenSSL's target-selecting script is Configure, while the lowercase config script auto-detects the platform, and the option that builds the shared libraries is shared, without a leading dash. make install places OpenSSL under /usr/local/ssl by default, so the final copy makes the headers visible under /usr/local/include where Snort's configure looks for them:
cd /usr/local/src
curl -O http://www.openssl.org/source/openssl-1.0.2f.tar.gz
tar -zxvf openssl-1.0.2f.tar.gz
cd openssl-1.0.2f
./Configure darwin64-x86_64-cc shared
make
make install
mkdir /usr/local/include/openssl
cd /usr/local/src/openssl-1.0.2f/include/openssl/
cp * /usr/local/include/openssl/
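
Each of PCRE, DAQ, libdnet and OpenSSL above is fetched and built without any check that the archive is the one the project published, which is exactly the gap a tampered mirror or an intercepted plain-HTTP download exploits. The script below is an added example, not part of the Aanval wiki or of any of those projects: it wraps download, SHA-256 check, unpack and build into one function and refuses to build on a mismatch. The function names, the SRC_DIR and CONFIGURE_SCRIPT overrides and the placeholder digests are assumptions; take the real SHA-256 for each release from the project's own site or its signed release announcement, not from the same server that served the tarball.

```shell
#!/bin/bash
# Added example, not from the Aanval wiki or from PCRE, Snort, libdnet or OpenSSL:
# download a release tarball, verify its SHA-256 against a digest obtained from the
# project's own site, and only then unpack and build it in /usr/local/src.
# The digests in the usage comments are placeholders (assumption: you fill them in).

# sha256_of FILE -> hex digest, using whichever tool the host provides
# (macOS ships shasum, most Linux hosts ship sha256sum, openssl is the fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" 2>/dev/null | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" 2>/dev/null | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" 2>/dev/null | awk '{print $NF}'
    fi
}

# verify_sha256 FILE EXPECTED -> 0 when the digest matches, 1 otherwise.
# The comparison is case-insensitive because published digests vary in case;
# a missing file yields an empty digest and therefore fails.
verify_sha256() {
    local file="$1" expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# fetch_verify_build URL EXPECTED_SHA256 [CONFIGURE_ARGS...]
# Downloads URL into SRC_DIR (default /usr/local/src, the directory the guide
# uses), refuses to unpack on a digest mismatch, then runs the configure script
# named by CONFIGURE_SCRIPT (default ./configure; OpenSSL needs ./Configure),
# make and make install. Handles .tar.gz archives, as every package here is.
fetch_verify_build() {
    local url="$1" expected="$2"
    shift 2
    local srcdir="${SRC_DIR:-/usr/local/src}"
    local tarball="$srcdir/$(basename "$url")"
    local pkgdir="${tarball%.tar.gz}"

    # --fail makes curl exit non-zero on an HTTP error instead of saving the error page.
    curl --fail --location --output "$tarball" "$url" || return 1
    if ! verify_sha256 "$tarball" "$expected"; then
        echo "SHA-256 mismatch for $tarball; refusing to unpack or build" >&2
        rm -f "$tarball"
        return 1
    fi
    tar -zxf "$tarball" -C "$srcdir" || return 1
    (cd "$pkgdir" && "${CONFIGURE_SCRIPT:-./configure}" "$@" && make && make install)
}

# Usage (run as root, with <sha256> replaced by the value each project publishes):
#   CONFIGURE_SCRIPT=./Configure fetch_verify_build \
#       https://www.openssl.org/source/openssl-1.0.2f.tar.gz <sha256> darwin64-x86_64-cc shared
#   fetch_verify_build <URL of daq-2.0.6.tar.gz from snort.org> <sha256>
```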

Snort

Snort is the industry's most widely-used and trusted Intrusion Detection and Prevention engine available.

  • Note: Interface en0 is being used for this installation guide; substitute the correct interface for your particular system.

The latest version of Snort can be obtained from http://www.snort.org/downloads

The latest rules (those referenced in this guide are 2980) can be obtained from http://www.snort.org/downloads

For the purposes of this installation guide, Snort 2.9.8.0 will be referenced.

  1. Download snortrules-snapshot-2980.tar.gz
  2. Download snort-2.9.8.0.tar.gz
  3. Copy the package into /usr/local/src
  4. cp ~/Downloads/snort-2.9.8.0.tar.gz /usr/local/src
    
  5. Change into the /usr/local/src directory:
  6. cd /usr/local/src
    
  7. Uncompress and unarchive snort-2.9.8.0.tar.gz
  8. tar -zxvf snort-2.9.8.0.tar.gz
    
  9. Change into the newly created package directory:
  10. cd snort-2.9.8.0
    

Compiling

  1. Configure, compile, and install Snort with the following commands:
  2. ./configure --enable-gre --enable-mpls --enable-targetbased \
    --enable-ppm --enable-perfprofiling --enable-active-response \
    --enable-normalizer --enable-reload --enable-react
    make
    make install

Configuration

  1. Copy the default configuration files from the package's etc directory into /etc/snort:
  2. cp ./etc/* /etc/snort/
    
  3. Edit /etc/snort/snort.conf and make the following changes:
  4. var RULE_PATH /etc/snort/rules
    
    var SO_RULE_PATH /etc/snort/so_rules
    
    var PREPROC_RULE_PATH /etc/snort/preproc_rules
    
    var WHITE_LIST_PATH /etc/snort/rules
    
    var BLACK_LIST_PATH /etc/snort/rules
    
  5. Uncomment the Unified2 output line and remove nostamp from the comma-delimited options list:
  6. output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types
    
  7. Uncompress and install Snort rules:
  8. cp ~/Downloads/snortrules-snapshot-2980.tar.gz /etc/snort/
    cd /etc/snort
    tar -zxvf snortrules-snapshot-2980.tar.gz
    rm -f snortrules-snapshot-2980.tar.gz
    
  9. Create empty black and white lists:
  10. touch /etc/snort/rules/white_list.rules
    touch /etc/snort/rules/black_list.rules
    
  11. SID map configuration:
  12. cp /etc/snort/etc/sid-msg.map /etc/snort
    rm -rf /etc/snort/etc
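
Before starting Snort against the edited configuration, it is worth checking the handful of things the steps above change, since a wrong path is only reported when Snort starts and the unified2 options decide what the Aanval SMT will later be able to read. The script below is an added example, not part of the Aanval wiki or of the Snort project: it reads a snort.conf, confirms that every var path the guide sets exists, that the white and black list files are present, and that the unified2 output line is active with nostamp removed. It complements rather than replaces snort -T -c /etc/snort/snort.conf -i en0, which has Snort itself parse the full configuration without capturing traffic. Function names are assumptions.

```shell
#!/bin/bash
# Added example, not from the Aanval wiki or from the Snort project: a pre-flight
# check for the snort.conf edits made above. It confirms that every var path the
# guide sets exists, that the white and black list files are present, and that
# the unified2 output line is active with "nostamp" removed. Run it before
# "snort -T -c /etc/snort/snort.conf -i en0", which has Snort parse the full
# configuration. Function names are assumptions.

# conf_var CONF NAME -> value of "var NAME value" in CONF (last definition wins;
# commented-out lines do not match because their first field is "#").
conf_var() {
    awk -v name="$2" '$1 == "var" && $2 == name { val = $3 } END { print val }' "$1"
}

# unified2_line CONF -> the first active (uncommented) "output unified2:" line, if any.
unified2_line() {
    grep -E '^[[:space:]]*output[[:space:]]+unified2:' "$1" | head -n 1
}

# check_snort_conf CONF -> prints one line per problem; returns 0 only when clean.
check_snort_conf() {
    conf="$1"
    problems=0
    if [ ! -r "$conf" ]; then
        echo "cannot read $conf"
        return 1
    fi

    for name in RULE_PATH SO_RULE_PATH PREPROC_RULE_PATH WHITE_LIST_PATH BLACK_LIST_PATH; do
        dir=$(conf_var "$conf" "$name")
        if [ -z "$dir" ]; then
            echo "var $name is not set"
            problems=$((problems + 1))
        elif [ ! -d "$dir" ]; then
            echo "var $name points to a missing directory: $dir"
            problems=$((problems + 1))
        fi
    done

    # The reputation preprocessor opens both list files even when they are empty,
    # which is why the guide creates them with touch.
    for pair in "WHITE_LIST_PATH white_list.rules" "BLACK_LIST_PATH black_list.rules"; do
        set -- $pair
        dir=$(conf_var "$conf" "$1")
        if [ -n "$dir" ] && [ ! -f "$dir/$2" ]; then
            echo "missing list file $dir/$2"
            problems=$((problems + 1))
        fi
    done

    line=$(unified2_line "$conf")
    if [ -z "$line" ]; then
        echo "no active 'output unified2:' line; Aanval will have nothing to read"
        problems=$((problems + 1))
    elif printf '%s\n' "$line" | grep -qw nostamp; then
        echo "unified2 output still has nostamp: $line"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Usage: check_snort_conf /etc/snort/snort.conf && snort -T -c /etc/snort/snort.conf -i en0
```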
    

Starting

Foreground
  1. Initially run Snort in the foreground, watching for errors and confirming that it is functioning properly. (Adding the -T option makes Snort parse and validate the configuration and then exit without capturing traffic, which is a quicker first check.)
  2. snort -c /etc/snort/snort.conf -i en0
    
Daemon Mode
  1. Once you are satisfied, running the previous command with the -D option will launch Snort in daemon mode:
  2. snort -c /etc/snort/snort.conf -i en0 -D
    

Aanval

Watch the Aanval 8 Installation and Unified2 Sensor Setup video guide on YouTube

Preparation

  1. Assuming a default installation of Mac OS X, delete the contents of the web server's root directory with the following command:
  2. rm -rf /Library/WebServer/Documents/*
    
  3. Change into the web-servers root directory:
  4. cd /Library/WebServer/Documents/
    

Download

  1. Download the latest build of Aanval.
  2. The latest version of Aanval can be obtained from http://www.aanval.com/download. Users will first need to sign in to an existing Aanval account or create a new one if downloading via a web browser.

    For the purposes of this installation guide, Aanval 8 will be referenced. The curl command below retrieves the package over plain HTTP, so nothing authenticates it in transit; since its background processes will run as root on this host, prefer an HTTPS download if the vendor offers one and check the archive against any checksum the vendor publishes before unpacking it.

    curl -O http://download.aanval.com/aanval-8-latest-stable.tar.gz
    
  3. Uncompress and unarchive aanval-8-latest-stable.tar.gz
  4. tar -zxvf aanval-8-latest-stable.tar.gz
    
  5. Perform a clean-up by removing the Aanval download package:
  6. rm -f aanval-8-latest-stable.tar.gz
    

Web-based Install

  1. Open Safari or your preferred web browser and enter localhost in the address field, where you should be presented with the Aanval End-User-License-Agreement.
  2. Click I agree to continue.
  3. Ensure all compatibility tests are successful; otherwise, resolve the problems listed and select Continue.
  4. Configure database settings for the Aanval database created earlier in this guide (the guide uses the MySQL root account here; a dedicated MySQL account with privileges on aanvaldb only is the least-privilege choice if you created one):
  5. Database Server

    127.0.0.1
    

    Database Name

    aanvaldb
    

    Database Username

    root
    

    Database Password

    {default or new root password}
    
  6. Click the Check Settings button. Once successful, click Continue
  7. NOTE: In some instances this portion of the installation may fail with a "Failure! DB Connection Failure: Invalid Configuration" notice, and even a Warning at the top of the browser: "mysql_error() expects parameter 1 to be mysql, boolean given in /Library/WebServer/Documents/console/core/installUpgrade.php on line 847"

    Aanval connects to MySQL on the default port of 3306. If these errors display, it is because the MySQL launch daemon started the server on port 3307 instead, so nothing is listening on 3306.

    There are two ways to remedy the error. The first is to edit /Library/LaunchDaemons/com.oracle.os.mysql.mysqld.plist, change the line that reads <string>--port=3307</string> to read <string>--port=3306</string>, and then restart MySQL. The other is to return to the database configuration page in the browser and include the port in the Database Server field; for this local installation, that would be 127.0.0.1:3307.

  8. The Aanval installation process will take place and is relatively quick. This process creates and loads all required database tables as well as provisions the console for initial usage. When complete, click Continue to proceed.
  9. Installation complete!

    Once you have successfully installed Aanval, you will be presented with the default username and password of this Aanval console as well as the instructions to start the Aanval BPUs (Background Processing Units).

    You may proceed to log in to Aanval.

  10. Log in to Aanval using the credentials provided on the previous screen. Typically these will be a username of root and a password of specter. These defaults are public, so change the password as soon as you are logged in, before the console is reachable from any other host.

Starting the BPUs

  1. At the command-line, run the following commands to change into the /apps directory of Aanval:
  2. cd /Library/WebServer/Documents/apps
    
  3. Start the BPUs with the following command (it will launch the background processing units in daemon mode):
  4. perl idsBackground.pl -start
    

Adding an IDS Unified2 Sensor

Watch the Aanval 8 Installation and Unified2 Sensor Setup video guide on YouTube

  1. Inside the Aanval console, go to the Configuration menu by hovering over the user login at the top-right of the screen. Under Event Import Options, go to Unified2 Module > Sensor Configuration.
  2. To add a new sensor, click the + button at the upper-right of the menu.
  3. Select the new sensor, check the Enabled box at the top, continue to enter sensor information (name, description, location, etc.) and click Update to commit the changes. Take note of the SMT ID provided, as it will need to be added to the SMT configuration file in step 10.
  4. Ensure the Sensor Permissions at the bottom of the menu are enabled for each user that will be viewing and managing the events for the given sensor; otherwise, events will not display or be available on any menu.
  5. From the menu directory display in the upper-right of the screen, go back one menu by clicking Configuration, and then under Event Import Options, select Unified2 Module > Sensor Management.
  6. Select the new Snort sensor listed on the left of the menu and click its Configuration (gear icon) button.
  7. Provide the paths and values to the following:
  8. Configuration File: /etc/snort/snort.conf
    
    Unified2 Path: /var/log/snort/
    
    sid-msg.map File: /etc/snort/sid-msg.map
    
    gen-msg.map File: /etc/snort/gen-msg.map
    
    Engine Start Command: launchctl load /Library/LaunchDaemons/org.snort.snort.plist
    
    Engine Stop Command: launchctl unload /Library/LaunchDaemons/org.snort.snort.plist
    
    Engine Reload Command: <blank>
    
    Engine Status Command: ps aux | grep -v grep | grep snort
    
  9. Click Update to commit the changes. The remaining fields for Rules Path, SO Rules Path, etc. will be extracted from the Snort configuration file during the initial SMT sync.
  10. The SMTs are found within the /contrib/ directory of any Aanval installation. To copy the SMT contents to the /smt directory, enter the following command:
  11. cp /Library/WebServer/Documents/contrib/smt2/* /smt/
    
    cd /smt
    
  12. Edit conf.php and add the location of Aanval (aanvalURL), which for this installation is localhost (http://localhost). Enter the SMT ID recorded from step 3. Save the file.
  13. Test the SMTs by issuing the following command while in the /smt directory:
  14. php smt.php
    
  15. This test is the initial sync between Aanval and the Snort sensor. Resolve any communication or configuration errors, and then start the SMTs with the following command:
  16. perl idsSensor.pl -start
    
  17. The SMTs can be stopped using the following command:
  18. perl idsSensor.pl -stop
    
  19. On the Aanval console, under Configuration > Unified2 Module > Sensor Management select the sensor from the left, and using the SMT Communication drop-down box, issue the commands to Engine Configuration> Get and Engine Rules > Get.

Launch Daemons

Configuring Snort and Aanval to properly launch upon system boot is critical in the event of power failure or even a simple restart. The following sections provide the appropriate sample LaunchDaemon scripts for this purpose and the commands to load them.

Aanval BPUs

The following launch daemon can be created by following the steps below or by performing the following command from the /Library/LaunchDaemons/ directory:

curl -O http://download.aanval.com/com.aanval.bpu.plist
  1. Create the file /Library/LaunchDaemons/com.aanval.bpu.plist and include the following contents:
  2. <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
       <key>KeepAlive</key>
       <dict>
          <key>SuccessfulExit</key>
          <false/>
       </dict>
       <key>Label</key>
       <string>com.aanval.bpu</string>
       <key>ProgramArguments</key>
       <array>
       <string>/usr/bin/perl</string>
       <string>/Library/WebServer/Documents/apps/idsBackground.pl</string>
       <string>-start</string>
       </array>
       <key>RunAtLoad</key>
       <true/>
       <key>UserName</key>
       <string>root</string>
       <key>WorkingDirectory</key>
       <string>/Library/WebServer/Documents/apps</string>
    </dict>
    </plist>
    
  3. If the BPUs are currently running from a manual start (which can be checked by issuing ps aux | grep BPU), stop them from the /apps directory before loading the launch daemon:
  4. perl idsBackground.pl -stop
    
  5. Load the BPU launch daemon:
  6. launchctl load /Library/LaunchDaemons/com.aanval.bpu.plist
    
    • Note: to unload the launch daemon and stop the process, simply change 'load' to 'unload'.

Aanval SMTs

The following launch daemon can be created by following the steps below or by performing the following command from the /Library/LaunchDaemons/ directory:

curl -O http://download.aanval.com/com.aanval.smt.plist
  1. Create the file /Library/LaunchDaemons/com.aanval.smt.plist and include the following contents:
  2. <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
       <key>KeepAlive</key>
       <dict>
          <key>SuccessfulExit</key>
          <false/>
       </dict>
       <key>Label</key>
       <string>com.aanval.smt</string>
       <key>ProgramArguments</key>
       <array>
       <string>/usr/bin/perl</string>
       <string>/smt/idsSensor.pl</string>
       <string>-start</string>
       </array>
       <key>RunAtLoad</key>
       <true/>
       <key>UserName</key>
       <string>root</string>
       <key>WorkingDirectory</key>
       <string>/smt</string>
    </dict>
    </plist>
    
  3. If the SMTs are currently running from a manual start (which can be checked by issuing ps aux | grep SMT), stop them from the /smt directory before loading the launch daemon:
  4. perl idsSensor.pl -stop
    
  5. Load the SMT launch daemon:
  6. launchctl load /Library/LaunchDaemons/com.aanval.smt.plist
    
    • Note: to unload the launch daemon and stop the process, simply change 'load' to 'unload'.

Aanval Syslog Daemon

The following launch daemon can be created by following the steps below or by performing the following command from the /Library/LaunchDaemons/ directory:

curl -O http://download.aanval.com/com.aanval.syslog.plist
  1. Create the file /Library/LaunchDaemons/com.aanval.syslog.plist and include the following contents:
  2. <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
       <key>KeepAlive</key>
       <dict>
          <key>SuccessfulExit</key>
          <false/>
       </dict>
       <key>Label</key>
       <string>com.aanval.syslog</string>
       <key>ProgramArguments</key>
       <array>
       <string>/usr/bin/perl</string>
       <string>/Library/WebServer/Documents/apps/idsSyslog.pl</string>
       </array>
       <key>RunAtLoad</key>
       <true/>
       <key>UserName</key>
       <string>root</string>
       <key>WorkingDirectory</key>
       <string>/Library/WebServer/Documents/apps</string>
    </dict>
    </plist>
    
  3. Load the Syslog launch daemon:
  4. launchctl load /Library/LaunchDaemons/com.aanval.syslog.plist
    
    • Note, to unload the launch daemon and stop the process, simply change 'load' to 'unload'.

Snort

The following launch daemon can be created by following the steps below or by performing the following command from the /Library/LaunchDaemons/ directory:

curl -O http://download.aanval.com/org.snort.snort.plist
  1. Create the file /Library/LaunchDaemons/org.snort.snort.plist and include the following contents:
  2. <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
       <key>KeepAlive</key>
       <dict>
          <key>SuccessfulExit</key>
          <false/>
       </dict>
       <key>Label</key>
       <string>org.snort.snort</string>
       <key>ProgramArguments</key>
       <array>
       <string>/usr/local/bin/snort</string>
       <string>-i</string>
       <string>en0</string>
       <string>-c</string>
       <string>/etc/snort/snort.conf</string>
       <string>-D</string>
       </array>
       <key>RunAtLoad</key>
       <true/>
       <key>UserName</key>
       <string>root</string>
       <key>WorkingDirectory</key>
       <string>/etc/snort</string>
    </dict>
    </plist>
    
  3. If you would like to use this launch daemon, simply kill the current Snort process (if started in previous steps) and load this launch daemon:
  4. launchctl load /Library/LaunchDaemons/org.snort.snort.plist
    
    • Note: to unload the launch daemon and stop the process, simply change 'load' to 'unload'.
    • Note: with -D in ProgramArguments, Snort forks into the background and the process launchd started exits immediately. launchd then has no process to track: KeepAlive will not restart a Snort that later dies, and launchctl unload (and therefore the Engine Stop Command configured in Aanval) will not stop the forked Snort, which must be killed by hand. To have launchd supervise Snort, remove the -D line from the plist so that Snort stays in the foreground.

Nmap (Optional)

Nmap is used to scan networks via Aanval's scanning tools for on-demand and automated network scanning and alerting.

Aanval was designed and tested to work with Nmap version 6 and above. For the purposes of this installation guide, Nmap 7.01 and the package nmap-7.01.tar.bz2 will be referenced.

  1. Download Nmap. The most recent version can be obtained from http://nmap.org/download.html.
  2. Copy the package into /usr/local/src
  3. cp ~/Downloads/nmap-7.01.tar.bz2 /usr/local/src
    
  4. Change into the /usr/local/src directory:
  5. cd /usr/local/src
    
  6. Uncompress and unarchive nmap-7.01.tar.bz2 (this archive is bzip2-compressed, so the tar flag is -j rather than the -z used for the .tar.gz packages above):
  7. tar -jxvf nmap-7.01.tar.bz2
    
  8. Change into the newly created package directory:
  9. cd nmap-7.01
    
  10. Configure, compile, and install Nmap:
  11. ./configure
    make
    make install
    
  12. From the Aanval console, navigate to Configuration > Console Configuration > Preferences > Network Scanning > Nmap Binary Path, and confirm Nmap's location:
  13. /usr/local/bin/nmap
    

Summary

With a fully-functional Aanval-powered IDS system now installed, we strongly recommend purchasing an Aanval commercial license. These packages provide the following:

  • Annual unlimited sensor capacity licenses (with full support for Snort, Suricata, and any device capable of logging).
  • Telephone and remote support.
  • Access to all of Aanval's features.
  • Console maintenance, which includes all patches, fixes, and minor and major upgrades.

Purchases can be made directly at https://www.aanval.com/purchase (when logged into an Aanval account) or by contacting Tactical FLEX's Sales or Support teams.
