
Snort 2.9.2.3 Installation Guide for Ubuntu 12.04, with Barnyard2, Pulledpork, and Aanval

By Dino Edwards
dino.edwards [at] mydirectmail [dot] net

Preparation

This guide is based on Ubuntu 12.04 LTS. It's assumed that you have a fully functional Ubuntu 12.04 machine up and running with at least TWO network interfaces: one network interface dedicated to managing the machine and connected to the actual LAN and the other network interface dedicated for sniffing network traffic. For the purposes of this guide, we are going to assume the network interface that will be sniffing network traffic is eth1 and the interface for managing the machine will be eth0.

Ubuntu requires that all commands be prefixed by sudo. This is a pain, so the simplest way around it is to log in to your box with the username/password you set during setup, type sudo su, and then type your password. That way you will remain root for the duration of your session.

Installation

Setup the network interface you will be using for sniffing traffic in promiscuous mode

  1. Assuming that the network interface you will be using for sniffing traffic is eth1, edit /etc/network/interfaces and set the following under the eth1 section, or create an eth1 section if you don't already have one:

     vi /etc/network/interfaces

  2. Enter the following entry right below the existing eth0 entry if one already exists:

     auto eth1
     iface eth1 inet manual
         up ifconfig $IFACE 0.0.0.0 up
         up ip link set $IFACE promisc on
         down ip link set $IFACE promisc off
         down ifconfig $IFACE down

  3. Save the file (ESC) (SHIFT ZZ)
  4. Restart networking:

     /etc/init.d/networking restart

  5. Check your interfaces:

     ifconfig

     The eth1 interface should look like below. Notice the RUNNING PROMISC on the third line:

     eth1      Link encap:Ethernet  HWaddr 00:0c:29:32:bf:11
               inet6 addr: fe80::20c:29ff:fe32:bf11/64 Scope:Link
               UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
               RX packets:1152 errors:0 dropped:0 overruns:0 frame:0
               TX packets:62 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:1000
               RX bytes:94351 (94.3 KB)  TX bytes:17248 (17.2 KB)
    

Install Snort

  1. Update and upgrade your Ubuntu installation:

     apt-get update
     apt-get upgrade

  2. Install the prerequisite packages from the Ubuntu repositories:

     apt-get install mysql-server nmap nbtscan apache2 php5 php5-mysql php5-gd \
       libpcap0.8-dev libpcre3 libpcre3-dev g++ gcc make bison byacc flex \
       libpcap-ruby zlib1g zlib1g-dev libmysqld-dev libdnet libdnet-dev \
       linux-headers-generic libxml2-dev libdumbnet-dev

  3. Type Y at the "After this operation, 224 MB of additional disk space will be used. Do you want to continue [Y/N]?" prompt.
  4. During the installation of the above packages, you will be prompted to set a New password for the MySQL "root" user (Figure 1). Set a password, take a note of it, tab over to Ok and press enter. You will be asked to Repeat password for the MySQL "root" user. Re-type the password, tab over to Ok and press enter again. The installation should continue.

     [Figure 1: MySQL root password prompt]


  5. Create a directory for the Snort prerequisite packages that we are going to install from source:

     mkdir /usr/local/src/snort

  6. Change to that directory:

     cd /usr/local/src/snort

  7. Snort is going to require the Data Acquisition API (DAQ). Browse to the http://www.snort.org website, click on the Download Snort link and look under Latest Release-->Source-->daq-x.x.x.tar.gz.
  8. Select and copy the name of the latest daq package from the snort.org website, then append that filename to the http://www.snort.org/dl/snort-current/ URL as it appears below. As of the writing of this guide, the latest release was daq-0.6.2.tar.gz. It is easiest to download from the command line of your machine using wget. Remember, your download filename will differ depending on which is the latest version of the daq package, so adjust the command below accordingly:

     wget http://www.snort.org/dl/snort-current/daq-0.6.2.tar.gz

  9. Once downloaded, extract it:

     tar -xvzf daq-0.6.2.tar.gz

  10. That will create a daq-0.6.2 directory in the directory you are in. Change into that directory and run configure (remember, the created directory will differ according to the filename you downloaded and extracted):

     cd daq-0.6.2
     ./configure

     You should get no errors from running the ./configure command. The output should be similar to below:

     Build AFPacket DAQ module.. : yes
     Build Dump DAQ module...... : yes
     Build IPFW DAQ module...... : yes
     Build IPQ DAQ module....... : no
     Build NFQ DAQ module....... : no
     Build PCAP DAQ module...... : yes

  11. Next, compile and install using the commands below:

     make
     make install

    
  12. Next, we are going to download the latest stable version of Snort. Browse to the http://www.snort.org website, click on the Download Snort link and look under Latest Release-->Source-->snort-2.x.x.x.tar.gz. As of the writing of this guide, the latest version was snort-2.9.2.3.tar.gz. Select and copy the name of the latest Snort package filename, then append it to the http://www.snort.org/dl/snort-current/ URL as it appears below. As always, it is easiest to download from the command line of your machine using wget. Remember, your download filename will differ depending on which is the latest version of the Snort package. Adjust the command below accordingly:

     cd /usr/local/src/snort
     wget http://www.snort.org/dl/snort-current/snort-2.9.2.3.tar.gz

  13. Once downloaded, extract it:

     tar -xvzf snort-2.9.2.3.tar.gz

  14. That will create a snort-2.9.2.3 directory in the directory you are in. Change into that directory and run the following commands to compile and install (remember, the created directory will differ according to the filename you downloaded and extracted):

     cd snort-2.9.2.3
     ./configure --prefix /usr/local/snort && make && make install

  15. Create the snort user and group, adding the snort user to the snort group:

     groupadd snort
     useradd -g snort snort

  16. Create links for the snort files:

     ln -s /usr/local/snort/bin/snort /usr/sbin/
     ln -s /usr/local/snort/etc /etc/snort

  17. Next, we need to download the latest Registered User Snort rules snapshot. The rules are downloaded from the http://www.snort.org website, but you must have an account and a special code called an Oinkcode before you can download any rule snapshots. Signing up for an account is free. Once on the snort.org website, click on Sign In-->Account Management-->Sign Up for an Account. Go ahead and create a new account. A newly created account requires activation, so ensure you click on the link that arrives in the activation email before attempting to log in to the snort.org website.
  18. Once your account is activated, log in to your account and click on My Account-->Subscriptions and Oinkcodes-->Generate Oinkcode. This will generate your very own Oinkcode. Please make a note of it and then click on Get Rules-->Registered User Release-->Snort v2.9-->snortrules-snapshot-xxxx.tar.gz. As of the writing of this guide, the latest Registered User Snort rules snapshot was snortrules-snapshot-2923.tar.gz.
  19. Select and copy the filename of the latest rules snapshot and use it in the http://www.snort.org/reg-rules/ URL just as it appears below. As always, it is easiest to download from the command line of your machine using wget. Remember, your download filename will differ depending on which is the latest version of the snapshot you are downloading. Adjust the command below accordingly:

     cd /usr/local/src/snort
     wget -O snortrules-snapshot-2923.tar.gz http://www.snort.org/reg-rules/snortrules-snapshot-2923.tar.gz/<oinkcode>

     Where <oinkcode> is the oinkcode you generated earlier.

  20. Change to the snort directory:

     cd /usr/local/snort

  21. Extract the snort rules snapshot you just downloaded:

     tar -xvzf /usr/local/src/snort/snortrules-snapshot-2*

  22. Create a directory for snort logging, assign the snort user as the owner, and create the necessary link:

     mkdir -p /usr/local/snort/var/log
     chown snort:snort /usr/local/snort/var/log
     ln -s /usr/local/snort/var/log /var/log/snort

  23. Create links for the dynamic rules files and directories:

     ln -s /usr/local/snort/lib/snort_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
     ln -s /usr/local/snort/lib/snort_dynamicengine /usr/local/lib/snort_dynamicengine
     ln -s /usr/local/snort/lib/snort_dynamicrules /usr/local/lib/snort_dynamicrules

  24. Set snort permissions:

     chown -R snort:snort /usr/local/snort

  25. Edit snort.conf:

     vi /usr/local/snort/etc/snort.conf

  26. Find the section that starts with # Reputation preprocessor and comment out the following lines under it (enter a # symbol in front of each of them) so the block looks like below:

     # Reputation preprocessor. For more information see README.reputation
     #preprocessor reputation: \
     #   memcap 500, \
     #   priority whitelist, \
     #   nested_ip inner, \
     #   whitelist $WHITE_LIST_PATH/white_list.rules, \
     #   blacklist $BLACK_LIST_PATH/black_list.rules

  27. Find the section that starts with # output unified2: and add the following line below it, so the entire section looks like below:

     # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
     output unified2: filename snort.log, limit 128
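Both edits above are easy to get subtly wrong by hand (commenting one continuation line of the reputation block but not the next, or ending up with two active unified2 output lines). The script below is an added example, not part of the original guide: it applies the same two changes with sed and checks the result, using the paths the guide uses (/usr/local/snort/etc/snort.conf). The make_sample_conf helper writes a constructed fragment of the stock snort.conf so the functions can be tried without a sensor; on the real file you would follow it with the snort -T validation the guide runs later.

```shell
#!/bin/sh
# Added example, not from the guide: apply the two snort.conf edits above with
# sed and verify the result, instead of editing by hand. Paths follow the guide
# (/usr/local/snort/etc/snort.conf); the sample config below is constructed for
# testing and contains only the lines the edits touch plus a few neighbours.

# comment_out_reputation FILE: put "#" in front of the "preprocessor reputation:"
# directive and its backslash-continued lines. The sed range starts at the
# directive and ends at the first following line without a trailing backslash,
# so nothing after the block is touched. Already-commented copies do not match
# the start address, which makes the edit idempotent.
comment_out_reputation() {
    sed -i '/^preprocessor reputation:/,/[^\\]$/ s/^/#/' "$1"
}

# set_unified2_output FILE: ensure exactly one active unified2 output line with
# the guide's settings. If one exists it is rewritten; otherwise the line is
# added right below the commented-out example the stock snort.conf ships with.
set_unified2_output() {
    if grep -q '^output unified2:' "$1"; then
        sed -i 's|^output unified2:.*|output unified2: filename snort.log, limit 128|' "$1"
    else
        sed -i '/^# output unified2:/a\
output unified2: filename snort.log, limit 128' "$1"
    fi
}

# edit_snort_conf FILE: back the file up, apply both edits, then show the
# resulting reputation/unified2 lines so the change can be eyeballed.
edit_snort_conf() {
    cp "$1" "$1.bak"
    comment_out_reputation "$1"
    set_unified2_output "$1"
    grep -n -e 'preprocessor reputation' -e 'output unified2' "$1"
}

# make_sample_conf FILE: write a constructed fragment of snort.conf (stock
# wording, trimmed) so the functions can be exercised without a sensor.
make_sample_conf() {
    cat > "$1" <<'EOF'
# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
   memcap 500, \
   priority whitelist, \
   nested_ip inner, \
   whitelist $WHITE_LIST_PATH/white_list.rules, \
   blacklist $BLACK_LIST_PATH/black_list.rules

# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

# Additional configuration for specific types of installs
# output alert_unified2: filename snort.alert, limit 128, nostamp
EOF
}

# On the sensor:
#   edit_snort_conf /usr/local/snort/etc/snort.conf && snort -c /usr/local/snort/etc/snort.conf -T
```

Running edit_snort_conf twice on the same file is safe: the reputation block is not commented a second time and the unified2 line is rewritten rather than duplicated, which matters if you later script the whole build.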
    
  28. Create the dynamicrules directory:

     mkdir /usr/local/snort/lib/snort_dynamicrules

  29. Next, copy the precompiled dynamic rules for your Linux distribution into the directory you just created. To do this correctly, you first need to know whether you are running the 32-bit or 64-bit version of Ubuntu. In this example, we are running the 32-bit version. An easy way to find out is by typing the following command:

     uname -a

     You should get an output similar to below:

     Linux hostname 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686 i686 i386 GNU/Linux

     The i386 GNU/Linux part tells us that we are running a 32-bit version of Ubuntu. If it was 64-bit it would be similar to below; notice the x86_64 GNU/Linux:

     Linux hostname 3.2.0-24-generic #38-Ubuntu SMP Tue May 1 16:18:50 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

  30. Once you know whether your Ubuntu machine is 32-bit or 64-bit, you are ready to copy the distribution-specific precompiled rules. As of the time of this writing there were no precompiled rules specifically for Ubuntu 12.04, so we simply use the next lower version, Ubuntu 10.04, and copy those rules as below. If you are running a 32-bit system, use the following commands. Obviously, adjust the rules snapshot version number to reflect the rules snapshot you downloaded:

     cd /usr/local/src/snort
     cp /usr/local/snort/so_rules/precompiled/Ubuntu-10-4/i386/2.9.2.3/*so /usr/local/snort/lib/snort_dynamicrules

     If you are running a 64-bit system, use the following commands instead. Again, adjust the rules snapshot version number to reflect the rules snapshot you downloaded:

     cd /usr/local/src/snort
     cp /usr/local/snort/so_rules/precompiled/Ubuntu-10-4/x86-64/2.9.2.3/*so /usr/local/snort/lib/snort_dynamicrules

  31. Dump all the stub rules:

     snort -c /usr/local/snort/etc/snort.conf --dump-dynamic-rules=/usr/local/snort/so_rules
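The uname check, the architecture-specific copy and the stub dump above are the part of the build most often done wrong on a second sensor (wrong arch directory, wrong snapshot version, or a glob that silently matched nothing). The script below is an added example, not part of the original guide: it derives the precompiled directory from uname -m, copies the shared-object rules, and refuses to continue unless at least one .so file actually landed. The snapshot layout (so_rules/precompiled/<distro>/<arch>/<version>) and the Ubuntu-10-4 fallback are taken from the guide; all other names are the example's own.

```shell
#!/bin/sh
# Added example (not from the guide): pick the precompiled shared-object rules
# directory from the machine type instead of reading uname by eye, copy the .so
# files and make sure something was actually copied before dumping the stubs.
# Layout follows the guide's snapshot: so_rules/precompiled/<distro>/<arch>/<version>.

# so_rules_arch MACHINE: map `uname -m` output to the snapshot's directory name.
so_rules_arch() {
    case "$1" in
        x86_64)              echo x86-64 ;;
        i386|i486|i586|i686) echo i386 ;;
        *) echo "unsupported machine type: $1" >&2; return 1 ;;
    esac
}

# install_so_rules SNAPSHOT_ROOT SNORT_VERSION DISTRO_DIR MACHINE DEST:
# copy <root>/so_rules/precompiled/<distro>/<arch>/<version>/*.so into DEST
# and print the number of files copied. Fails when the directory is missing
# or empty, which is the usual symptom of a wrong distro/arch/version path
# (the guide's "cp ... *so" would just print an error and move on).
install_so_rules() {
    arch=$(so_rules_arch "$4") || return 1
    src="$1/so_rules/precompiled/$3/$arch/$2"
    if [ ! -d "$src" ]; then
        echo "no precompiled rules at $src" >&2
        return 1
    fi
    mkdir -p "$5"
    n=0
    for f in "$src"/*.so; do
        [ -f "$f" ] || break            # the glob matched nothing
        cp "$f" "$5"/ && n=$((n + 1))
    done
    if [ "$n" -eq 0 ]; then
        echo "no .so files in $src" >&2
        return 1
    fi
    echo "$n"
}

# On the sensor itself (not run here), tied to the guide's stub dump step.
# Ubuntu-10-4 is the guide's fallback because the snapshot has no 12.04 build:
#   install_so_rules /usr/local/snort 2.9.2.3 Ubuntu-10-4 "$(uname -m)" \
#       /usr/local/snort/lib/snort_dynamicrules \
#   && snort -c /usr/local/snort/etc/snort.conf --dump-dynamic-rules=/usr/local/snort/so_rules
```

Because install_so_rules returns non-zero when nothing was copied, the && chain never reaches --dump-dynamic-rules with an empty snort_dynamicrules directory, which would otherwise leave you with a configuration that validates but loads no shared-object rules.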
    
  32. Next, edit the /usr/local/snort/etc/snort.conf file:

     vi /usr/local/snort/etc/snort.conf

  33. Enable all the dynamic rules by locating the section that starts with # dynamic library rules in /usr/local/snort/etc/snort.conf and uncommenting (removing the # sign from) all of the include lines under it, so it looks like below:

     # dynamic library rules
     include $SO_RULE_PATH/bad-traffic.rules
     include $SO_RULE_PATH/chat.rules
     include $SO_RULE_PATH/dos.rules
     include $SO_RULE_PATH/exploit.rules
     include $SO_RULE_PATH/icmp.rules
     include $SO_RULE_PATH/imap.rules
     include $SO_RULE_PATH/misc.rules
     include $SO_RULE_PATH/multimedia.rules
     include $SO_RULE_PATH/netbios.rules
     include $SO_RULE_PATH/nntp.rules
     include $SO_RULE_PATH/p2p.rules
     include $SO_RULE_PATH/smtp.rules
     include $SO_RULE_PATH/snmp.rules
     include $SO_RULE_PATH/specific-threats.rules
     include $SO_RULE_PATH/web-activex.rules
     include $SO_RULE_PATH/web-client.rules
     include $SO_RULE_PATH/web-iis.rules
     include $SO_RULE_PATH/web-misc.rules

  34. Save the file (ESC) (SHIFT ZZ)
  35. Next, test the snort configuration to ensure there are no errors:

     snort -c /usr/local/snort/etc/snort.conf -T

     You should get a message like below:

     Snort successfully validated the configuration!
     Snort exiting

  36. Next, we are going to configure snort to start on system startup. First, create a snortd script under /etc/init.d/:

     touch /etc/init.d/snortd

  37. Next, edit /etc/init.d/snortd:

     vi /etc/init.d/snortd

  38. Paste the text below into the file:

     #!/bin/sh
     # $Id$
     #
     # snortd         Start/Stop the snort IDS daemon.
     #
     # chkconfig: 2345 40 60
     # description:  snort is a lightweight network intrusion detection tool that \
     #                currently detects more than 1100 host and network \
     #                vulnerabilities, portscans, backdoors, and more.
     #

     # Source the local configuration file
     . /etc/default/snort

     # Convert the /etc/sysconfig/snort settings to something snort can
     # use on the startup line.
     if [ "$ALERTMODE"X = "X" ]; then
        ALERTMODE=""
     else
        ALERTMODE="-A $ALERTMODE"
     fi

     if [ "$USER"X = "X" ]; then
        USER="snort"
     fi

     if [ "$GROUP"X = "X" ]; then
        GROUP="snort"
     fi

     if [ "$BINARY_LOG"X = "1X" ]; then
        BINARY_LOG="-b"
     else
        BINARY_LOG=""
     fi

     if [ "$CONF"X = "X" ]; then
        CONF="-c /etc/snort/snort.conf"
     else
        CONF="-c $CONF"
     fi

     if [ "$INTERFACE"X = "X" ]; then
        INTERFACE="-i eth0"
     else
        INTERFACE="-i $INTERFACE"
     fi

     if [ "$DUMP_APP"X = "1X" ]; then
        DUMP_APP="-d"
     else
        DUMP_APP=""
     fi

     if [ "$NO_PACKET_LOG"X = "1X" ]; then
        NO_PACKET_LOG="-N"
     else
        NO_PACKET_LOG=""
     fi

     if [ "$PRINT_INTERFACE"X = "1X" ]; then
        PRINT_INTERFACE="-I"
     else
        PRINT_INTERFACE=""
     fi

     if [ "$PASS_FIRST"X = "1X" ]; then
        PASS_FIRST="-o"
     else
        PASS_FIRST=""
     fi

     if [ "$LOGDIR"X = "X" ]; then
        LOGDIR=/var/log/snort
     fi

     # These are used by the 'stats' option
     if [ "$SYSLOG"X = "X" ]; then
        SYSLOG=/var/log/messages
     fi

     if [ "$SECS"X = "X" ]; then
        SECS=5
     fi

     if [ ! "$BPFFILE"X = "X" ]; then
        BPFFILE="-F $BPFFILE"
     fi

     ######################################
     # Now to the real heart of the matter:

     # See how we were called.
     case "$1" in
       start)
         echo -n "Starting snort: "
         cd $LOGDIR
         if [ "$INTERFACE" = "-i ALL" ]; then
            for i in `cat /proc/net/dev|grep eth|awk -F ":" '{ print $1; }'`
            do
               mkdir -p "$LOGDIR/$i"
               chown -R $USER:$GROUP $LOGDIR
               /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF
            done
         else
            for i in `echo $INTERFACE | sed s/"-i "//`
            do
               mkdir -p "$LOGDIR/$i"
               chown -R $USER:$GROUP $LOGDIR
               /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF
            done
         fi
         touch /var/lock/snort
         echo
         ;;
       stop)
         echo -n "Stopping snort: "
         killall snort
         rm -f /var/lock/snort
         echo
         ;;
       reload)
         echo "Sorry, not implemented yet"
         ;;
       restart)
         $0 stop
         $0 start
         ;;
       condrestart)
         [ -e /var/lock/snort ] && $0 restart
         ;;
       status)
         # "status" is a helper from Red Hat's /etc/init.d/functions and is not
         # available on Ubuntu; use "ps -A | grep snort" instead (see below).
         status snort
         ;;
       stats)
         TC=125               # Trailing context to grep
         SNORTNAME='snort'    # Process name to look for

         if [ ! -x "/sbin/pidof" ]; then
            echo "/sbin/pidof not present, sorry, I cannot go on like this!"
            exit 1
         fi

         #Grab Snort's PID
         PID=`pidof -o $$ -o $PPID -o %PPID -x ${SNORTNAME}`

         if [ ! -n "$PID" ]; then        # if we got no PID then:
            echo "No PID found: ${SNORTNAME} must not running."
            exit 2
         fi

         echo ""
         echo "*******"
         echo "WARNING: This feature is EXPERIMENTAL - please report errors!"
         echo "*******"
         echo ""
         echo "You can also run: $0 stats [long | opt]"
         echo ""
         echo "Dumping ${SNORTNAME}'s ($PID) statistics"
         echo "please wait..."

         # Get the date and tell Snort to dump stats as close together in
         # time as possible--not 100%, but it seems to work.
         startdate=`date '+%b %e %H:%M:%S'`

         # This causes the stats to be dumped to syslog
         kill -USR1 $PID

         # Sleep for $SECS secs to give syslog a chance to catch up
         # May need to be adjusted for slow/busy systems
         sleep $SECS

         if [ "$2" = "long" ]; then          # Long format
             egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG | \
                 grep snort.*:
         elif [ "$2" = "opt" ]; then         # OPTimize format
             # Just show stuff useful for optimizing Snort
             egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG | \
                 egrep "snort.*: Snort analyzed |snort.*: dropping|emory .aults:"
         else                                # Default format
             egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG | \
                 grep snort.*: | cut -d: -f4-
         fi
         ;;
       *)
         echo "Usage: $0 {start|stop|reload|restart|condrestart|status|stats (long|opt)}"
         exit 2
     esac

     exit 0

  39. Make the file executable:

     chmod +x /etc/init.d/snortd

  40. Copy the snort default configuration file to /etc/default/snort. The snortd script sources this file; check that its INTERFACE setting names your sniffing interface (eth1 in this guide), since the script falls back to eth0 when INTERFACE is left unset:

     cd /usr/local/src/snort/snort-2*
     cp rpm/snort.sysconfig /etc/default/snort

  41. Configure the /etc/init.d/snortd file as a service and to start on system startup:

     update-rc.d snortd defaults

  42. Next, ensure the /etc/init.d/snortd script works as it should:

     service snortd restart

     You should get an output like below:

     Stopping snort:
     Starting snort: Spawning daemon child...
     My daemon child 8804 lives...
     Daemon parent exiting (0)


Install and Configure Barnyard2

Next, we will install Barnyard2, which is an add-on to Snort: Snort writes its log and alert data very quickly into binary files, and Barnyard2 reads those files and dumps them into our MySQL database. Ubuntu comes with an old version of Barnyard, not Barnyard2, so we need to download it and compile it from source on our box.

But before we get to downloading and installing Barnyard2, we are going to create the MySQL database into which Barnyard2 will dump all the Snort data.

  1. Type the following command to log on to the MySQL console:

     mysql -u root -p

  2. You will be prompted for the MySQL root password you set when you first installed MySQL at the beginning of this guide. You should be dropped into a mysql> prompt. After each command below press Enter. Create a database for Snort:

     create database snortdb;

  3. Create a user for the Snort database. Replace SOMEPASSWORD with a password of your choice for that user and make a note of it:

     CREATE USER 'snort_user'@'localhost' IDENTIFIED BY 'SOMEPASSWORD';

     The @'localhost' tells MySQL to accept connections for that user only from the local machine. Alternatively, you can enter @'%' to accept connections from any host if you need to. However, if you go that route, you must ensure that MySQL will accept connections from other hosts by editing the /etc/mysql/my.cnf file, commenting out the bind-address = 127.0.0.1 line and restarting MySQL (service mysql restart).

  4. Give the snort_user you just created full access to the database. If you decided to accept connections from anywhere as mentioned above, ensure the command below reflects that by changing 'snort_user'@'localhost' to 'snort_user'@'%', and of course again ensure SOMEPASSWORD reflects the password you set for the user above:

     GRANT ALL PRIVILEGES ON snortdb.* TO 'snort_user'@'localhost' IDENTIFIED BY 'SOMEPASSWORD' with grant option;

  5. Force the new permissions to take effect:

     flush privileges;

  6. Exit the MySQL console:

     quit;

  7. Next, we are going to create the MySQL table structure that Barnyard2 is going to require to dump the Snort data. At a command prompt, NOT a MySQL prompt, enter the following:

     mysql -u root -p -D snortdb < /usr/local/src/snort/snort-2.9.2.3/schemas/create_mysql

     Warning: In Snort version 2.9.3 and above, the /schemas directory can be found in your Barnyard2 source directory.

     You will be prompted for the MySQL root password you set up during the initial MySQL setup at the beginning of this guide. After you enter that password, the command should complete with no errors.

  8. Next, we are going to download and install Barnyard2. You can download the latest version of Barnyard2 from http://www.securixlive.com/barnyard2/. As of the writing of this guide, the latest version was 1.9. Again, the easiest way to download is using wget. Of course, your version may vary, so adjust the commands below to fit the version you are downloading:

     cd /usr/local/src/snort
     wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
     tar -xvzf barnyard2-1.9.tar.gz
     cd barnyard2-1.9

  9. If you are using a 32-bit system, configure, compile and install with the following commands (refer to the instructions above on how to determine whether you are using a 32-bit or 64-bit system). The configure step alone installs nothing; make and make install are what put the barnyard2 binary in /usr/local/bin, which the links created later in this section rely on:

     ./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu/
     make && make install

     If you are using a 64-bit system, use these commands instead:

     ./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu/
     make && make install

  10. Next, configure Barnyard2 to start on system startup by creating a barnyard2 script in the /etc/init.d/ directory:

     touch /etc/init.d/barnyard2

  11. Next, edit the newly created /etc/init.d/barnyard2 file:

     vi /etc/init.d/barnyard2

  12. Paste the text below into the file:

     #!/bin/sh
     #
     # Init file for Barnyard2
     #
     #
     # chkconfig: 2345 40 60
     # description:  Barnyard2 is an output processor for snort.
     #
     # processname: barnyard2
     # config: /etc/sysconfig/barnyard2
     # config: /etc/snort/barnyard.conf
     # pidfile: /var/lock/subsys/barnyard2.pid

     [ -x /usr/sbin/snort ] || exit 1
     [ -r /etc/snort/snort.conf ] || exit 1

     ### Default variables
     SYSCONFIG="/etc/default/barnyard2"

     ### Read configuration
     [ -r "$SYSCONFIG" ] && . "$SYSCONFIG"

     RETVAL=0
     prog="barnyard2"
     desc="Snort Output Processor"

     # Note: $"..." is bash's localised-string form; /bin/sh on Ubuntu is dash,
     # which prints the "$" literally (hence "$Starting ..." in the output below).
     start() {
         echo -n $"Starting $desc ($prog): "
         for INT in $INTERFACES; do
             PIDFILE="/var/lock/barnyard2-$INT.pid"
             ARCHIVEDIR="$SNORTDIR/$INT/archive"
             WALDO_FILE="$SNORTDIR/$INT/barnyard2.waldo"
             BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR/${INT} -w $WALDO_FILE -l $SNORTDIR/${INT} -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
             $prog $BARNYARD_OPTS
         done
         RETVAL=$?
         echo
         [ $RETVAL -eq 0 ] && touch /var/lock/$prog
         return $RETVAL
     }

     stop() {
         echo -n $"Shutting down $desc ($prog): "
         killall $prog
         RETVAL=$?
         echo
         [ $RETVAL -eq 0 ] && rm -f /var/lock/$prog
         return $RETVAL
     }

     restart() {
         stop
         start
     }

     reload() {
         echo -n $"Reloading $desc ($prog): "
         killall $prog -HUP
         RETVAL=$?
         echo
         return $RETVAL
     }

     # dump() was missing from the script as originally posted although the
     # case statement below calls it. Added here so that "dump" works; it
     # mirrors reload() and assumes SIGUSR1 makes barnyard2 print its statistics.
     dump() {
         echo -n $"Dumping $desc ($prog): "
         killall $prog -USR1
         RETVAL=$?
         echo
         return $RETVAL
     }

     case "$1" in
       start)
         start
         ;;
       stop)
         stop
         ;;
       restart)
         restart
         ;;
       reload)
         reload
         ;;
       condrestart)
         [ -e /var/lock/$prog ] && restart
         RETVAL=$?
         ;;
       status)
         # "status" is a Red Hat init helper and is not available on Ubuntu;
         # use "ps -A | grep barnyard2" instead (see below).
         status $prog
         RETVAL=$?
         ;;
       dump)
         dump
         ;;
       *)
         echo $"Usage: $0 {start|stop|restart|reload|condrestart|status|dump}"
         RETVAL=1
     esac

     exit $RETVAL

  13. Save the file (ESC) (SHIFT ZZ)
  14. Make /etc/init.d/barnyard2 executable:

     chmod +x /etc/init.d/barnyard2

  15. Next, copy the Barnyard2 reference configuration file to /etc/default/barnyard2 (you are still in the barnyard2-1.9 source directory):

     cp rpm/barnyard2.config /etc/default/barnyard2

  16. Next, configure the Barnyard2 script as a service and configure it to start on system startup:

     update-rc.d barnyard2 defaults 98

  17. Create some necessary links and directories:

     ln -s /usr/local/etc/barnyard2.conf /etc/snort/barnyard.conf
     ln -s /usr/local/bin/barnyard2 /usr/bin/
     mkdir -p /var/log/snort/eth0/archive/
     mkdir -p /var/log/snort/eth1/archive/

  18. Edit /etc/default/barnyard2:

     vi /etc/default/barnyard2

  19. Make the LOG_FILE line look like below:

     LOG_FILE="snort.log"

  20. Edit /usr/local/etc/barnyard2.conf:

     vi /usr/local/etc/barnyard2.conf

  21. Locate the line that starts with output database: right below the Examples: section, uncomment the first output database line (remove the # from the front of it) and make it look like below, where SOMEPASSWORD is the password you set up for snort_user when you created the snortdb database earlier:

     output database: log, mysql, user=snort_user password=SOMEPASSWORD dbname=snortdb host=localhost

  22. Test that the Barnyard2 service works as expected:

     service snortd restart
     service barnyard2 start

     You should get an output like below:

     Stopping snort:
     Starting snort: Spawning daemon child...
     My daemon child 8833 lives...
     Daemon parent exiting (0)
     $Starting Snort Output Processor (barnyard2):

  23. Typing the following commands will tell you if both Snort and Barnyard2 are running:

     ps -A|grep snort

     You should have an output similar to below:

     8833 ?        00:00:00 snort

     ps -A|grep barnyard2

     8844 ?        00:00:00 barnyard2


Install and Configure PulledPork

Snort needs to have an updated set of rulesets in order to be able to detect and respond to emerging threats as effectively as possible. Pulledpork is a Perl script that is able to keep your Snort rulesets updated at all times with a minimal amount of effort.

  1. Install prerequisites:

     apt-get install libcrypt-ssleay-perl liblwp-useragent-determined-perl -y

  2. Next, go to http://pulledpork.googlecode.com and download the latest version of PulledPork. As of the writing of this guide, the latest version was 0.6.1. Obviously, adjust your filenames to reflect the version of PulledPork you download. The easiest way to download is through wget from your machine's command line. Copy the complete download URL from the PulledPork website and then do the following:

     cd /usr/local/src/snort
     wget https://pulledpork.googlecode.com/files/pulledpork-0.6.1.tar.gz

     If you get a warning WARNING: cannot verify pulledpork.googlecode.com's certificate, and your file doesn't download, simply use the following command instead (note that this skips TLS certificate verification, so the download is not authenticated):

     cd /usr/local/src/snort
     wget --no-check-certificate https://pulledpork.googlecode.com/files/pulledpork-0.6.1.tar.gz

  3. Untar the downloaded file:

     cd /usr/local/snort
     tar -xvzf /usr/local/src/snort/pulledpork-0.6.1.tar.gz

  4. This will create a pulledpork-0.6.1 directory and extract all the PulledPork files into it. We are going to rename that directory to simply pulledpork to keep it simple:

     mv pulledpork-0.6* pulledpork

  5. Next, edit the /usr/local/snort/pulledpork/etc/pulledpork.conf file:

     vi /usr/local/snort/pulledpork/etc/pulledpork.conf

  6. Change the lines that appear below and make them look exactly like they appear below, with the exception of the <oinkcode> on the rule_url line, which should be replaced with the oinkcode you generated earlier in the guide. The fields of each rule_url are separated by literal pipe characters (|):

     rule_url=http://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
     # get the rule docs!
     #rule_url=https://www.snort.org/reg-rules/|opensource.gz|
     #rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
     # THE FOLLOWING URL is for etpro downloads, note the tarball name change!
     # and the et oinkcode requirement!
     #rule_url=https://rules.emergingthreats.net/|etpro.rules.tar.gz|
     rule_path=/usr/local/snort/etc/rules/snort.rules
     local_rules=/usr/local/snort/etc/rules/local.rules
     # Where should I put the sid-msg.map file?
     sid_msg=/usr/local/snort/etc/sid-msg.map
     # Path to the snort binary, we need this to generate the stub files
     snort_path=/usr/local/snort/bin/snort
     # We need to know where your snort.conf file lives so that we can
     # generate the stub files
     config_path=/usr/local/snort/etc/snort.conf
     # This is the file that contains all of the shared object rules that pulledpork
     # has processed, note that this has changed as of 0.4.0 just like the rules_path!
     sostub_path=/usr/local/snort/etc/rules/so_rules.rules
     # distro must match the precompiled so_rules directory name used earlier (Ubuntu-10-4)
     distro=Ubuntu-10-4

  7. Next, edit /usr/local/snort/etc/snort.conf:

     vi /usr/local/snort/etc/snort.conf

  8. Locate the var RULE_PATH line and change it to appear like below:

     var RULE_PATH /usr/local/snort/etc/rules

  9. Next, remove all of the existing include $RULE_PATH lines from /usr/local/snort/etc/snort.conf. The single quotes keep $RULE_PATH literal, and sed deletes every matching line in one pass, so the command only needs to be run once:

     sed -i '/^include $RULE_PATH/d' /usr/local/snort/etc/snort.conf

  10. Now, add the following include lines to /usr/local/snort/etc/snort.conf by typing the following commands:

     echo "include \$RULE_PATH/snort.rules" >> /usr/local/snort/etc/snort.conf
     echo "include \$RULE_PATH/local.rules" >> /usr/local/snort/etc/snort.conf
     echo "include \$RULE_PATH/so_rules.rules" >> /usr/local/snort/etc/snort.conf

  11. Create a rules directory:

     mkdir /usr/local/snort/etc/rules

  12. Create a local rules file:

     touch /usr/local/snort/etc/rules/local.rules

  13. Test that PulledPork runs successfully by typing the command below:

     /usr/local/snort/pulledpork/pulledpork.pl -c /usr/local/snort/pulledpork/etc/pulledpork.conf


     Upon success, you should get an output similar to below:

     Rule Stats....
            New:-------0
            Deleted:---0
            Enabled Rules:----3154
            Dropped Rules:----0
            Disabled Rules:---11235
            Total Rules:------14389
            Done
     Please review /var/log/sid_changes.log for additional details
     Fly Piggy Fly!

     Now, let's schedule PulledPork to update automatically on a daily basis.

  14. Edit root's crontab:

     crontab -e

  15. Insert a new line like below into the crontab (all on one line). A user crontab edited with crontab -e has five schedule fields followed directly by the command; there is no user name field (that format belongs to /etc/crontab only):

     00 01 * * * /usr/local/snort/pulledpork/pulledpork.pl -c /usr/local/snort/pulledpork/etc/pulledpork.conf

     The line above will run the script every day at 1 A.M.

  16. Save the crontab (ESC) (SHIFT ZZ)
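Scheduling pulledpork.pl directly means a failed download, an empty ruleset or a rule that snort.conf rejects is only discovered the next time someone looks at the sensor, and Snort keeps running the old rules (or, after a restart, none). The script below is an added example, not part of the original guide or of PulledPork: it wraps the PulledPork run and the snort -T validation used earlier in this guide, parses the Rule Stats summary shown above, and restarts snortd only when both succeed. It also checks a crontab line for the user-crontab format, since a line in /etc/crontab format (with a user name field) is silently wrong in crontab -e. Paths follow the guide; the log file location and the script name in the crontab comment are assumptions, and SAMPLE_SUMMARY is a constructed copy of the summary above.

```shell
#!/bin/sh
# Added example, not from the guide: a wrapper to schedule from cron instead of
# calling pulledpork.pl directly. It checks that PulledPork actually enabled
# rules, validates the new snort.conf with "snort -T", and only then restarts
# snortd, so a failed download or a broken rule does not take the sensor down
# unattended. Paths follow the guide; LOG is an assumed location.

PULLEDPORK=/usr/local/snort/pulledpork/pulledpork.pl
PP_CONF=/usr/local/snort/pulledpork/etc/pulledpork.conf
SNORT_CONF=/usr/local/snort/etc/snort.conf
LOG=/var/log/snort/rule-update.log

# Constructed sample of the summary PulledPork prints on success (numbers match
# the guide's sample run); used only to exercise the parser.
SAMPLE_SUMMARY='Rule Stats....
       New:-------0
       Deleted:---0
       Enabled Rules:----3154
       Dropped Rules:----0
       Disabled Rules:---11235
       Total Rules:------14389
       Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!'

# enabled_rules: extract the "Enabled Rules" count from PulledPork output on
# stdin; prints nothing when no summary is present (e.g. a download failure).
enabled_rules() {
    sed -n 's/^ *Enabled Rules:-*\([0-9][0-9]*\).*/\1/p'
}

# pulledpork_ok OUTPUT: true only if a summary was printed and at least one
# rule is enabled. A run that leaves zero rules enabled is treated as a failure.
pulledpork_ok() {
    n=$(printf '%s\n' "$1" | enabled_rules)
    [ -n "$n" ] && [ "$n" -gt 0 ]
}

# user_cron_line LINE: true if LINE is valid for a user crontab (crontab -e):
# five schedule fields and then a command given as an absolute path. A user
# name field, which belongs only in /etc/crontab, makes the entry invalid.
user_cron_line() {
    set -f                      # no pathname expansion of the "*" fields
    set -- $1
    set +f
    [ $# -ge 6 ] || return 1
    for field in "$1" "$2" "$3" "$4" "$5"; do
        case "$field" in
            *[!0-9,*/-]*) return 1 ;;
        esac
    done
    case "$6" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# update_rules: the cron entry point. Logs everything, returns non-zero on any
# failure, and restarts snortd only after the new configuration validates.
update_rules() {
    out=$("$PULLEDPORK" -c "$PP_CONF" 2>&1)
    status=$?
    printf '%s\n' "$out" >> "$LOG"
    if [ $status -ne 0 ] || ! pulledpork_ok "$out"; then
        echo "$(date): PulledPork failed or enabled no rules; snort not restarted" >> "$LOG"
        return 1
    fi
    if snort -c "$SNORT_CONF" -T >> "$LOG" 2>&1; then
        service snortd restart >> "$LOG" 2>&1
    else
        echo "$(date): snort -T rejected the updated rules; snort not restarted" >> "$LOG"
        return 1
    fi
}

# Run the update only when called with --run, e.g. from root's crontab
# (assumed script path):
#   00 01 * * * /usr/local/snort/pulledpork/update-rules.sh --run
if [ "${1:-}" = "--run" ]; then
    update_rules
fi
```

With this in place the crontab entry points at the wrapper rather than at pulledpork.pl, and /var/log/snort/rule-update.log records each night's Rule Stats block together with the snort -T verdict, which is the first thing to read when alerts stop arriving in Aanval.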

Install Aanval

As of the time this guide was written, the latest Aanval version was v7. Obviously, adjust the commands below for the current version. Before we get started, we need to create and configure the database we are going to be using for Aanval.

  1. Type the following command to logon to the MySQL console:
  2. mysql -u root –p
    

    You will be prompted for the MySQL root password above when you first installed MySQL. You should be dropped into a mysql> prompt. After each command below press Enter.

  3. Create a database for Snort:
  4. create database aanvaldb;
    
  5. Create a user for the Aanval database. Replace the SOMEPASSWORD with a password of your choice for that user and make a note of it:
  6. CREATE USER 'aanval_user'@'localhost' IDENTIFIED BY 'SOMEPASSWORD';
    
  7. Give the aanval_user you just created full access to the aanval database:
  8. GRANT ALL PRIVILEGES ON aanvaldb.* TO 'aanval_user'@'localhost' IDENTIFIED BY 'SOMEPASSWORD' with grant option;
    
  9. Force the new permissions to take effect:
  10. flush privileges;
    
  11. Exit the MySQL console:
  12. quit;
    
  13. Next, create a directory in your web root for Aanval to live. The natural choice would be /var/www/aanval. Adjust as necessary:
  14. mkdir /var/www/aanval
    
  15. Change to the directory you just created:
  16. cd /var/www/aanval
    
  17. Download the latest version of Aanval from the command prompt using wget. This should download the file in the /var/www/aanval directory:
  18. wget download.aanval.com/aanval-7-latest-stable.tar.gz
    
  19. While still in the /var/www/aanval directory, extract the Aanval package:
  20. tar -xvzf aanval-7-latest-stable.tar.gz
    
  21. Now remove the downloaded Aanval package from that directory (this keeps your Aanval directory cleaner):
  22. rm -rf aanval-7-latest-stable.tar.gz
    
  23. Next, from a web browser, browse to http://ipaddress/aanval where ipaddress is the IP address of your machine. You should be greeted by the Aanval EULA - End User License Agreement. At the very bottom of the page, click I Agree. Continue. On the following Environment Compatibility Test you should get Success! in green at the bottom of the page with a Continue link below that (Figure 2). Click on Continue.
    Figure 2

  24. On the following Configuration screen, ensure the Database Server is set to 127.0.0.1, the Database name is set to aanvaldb, the Database Username is set to aanval_user, and the Database Password is set to the aanval_user password you setup earlier and press the Submit button (Figure 3)
    Figure 3

  26. If everything went well, you should get a Success! Configuration confirmed - Continue message on the following screen. Click Continue. On the next screen you should get a Creating all tables Loading table data Installation Complete - Continue message. Click Continue. On the final screen you should get an Installation Complete! message. Take note of the Default username and the Default password, which should be root and specter respectively, and click the Login Now button. You will be taken to the Aanval login screen. Don't login just yet.
  27. Next, from your machine's command prompt, enter the following commands to start the Aanval BPUs:
  28. Change to the Aanval /apps directory:

    cd /var/www/aanval/apps
    

    Start the BPUs

    perl idsBackground.pl -start
    

    You should get the following message:

    ---------------------------------------------------
    Aanval by Tactical FLEX, Inc.
    Copyright 2003-2012
    http://www.tacticalflex.com/
    Background Processing Unit (BPU) Initializer
    Version: 7.0.700
    ---------------------------------------------------
    Aanval BPU (importer) launched in daemon mode [PID: 11206].
    Aanval BPU (core) launched in daemon mode [PID: 11214].
    Aanval BPU (A:1,2,3,4,5) launched in daemon mode [PID: 11229].
    Aanval BPU (A:10,100,101,102,103,104,105) launched in daemon mode [PID: 11234].
    

    If you want to stop the BPUs, simply enter (Don't run the command below, it's just for reference):

    perl idsBackground.pl -stop 
    
  29. Now, go back to your browser and login to Aanval using the default username and password (root/specter). Once successfully logged in, click the gear icon on the bottom right-hand corner of the screen (Figure 4) to go to the Configuration screen.
    Figure 4

  30. Once in the Configuration screen, click Snort Module-->Settings (Figure 5):
    Figure 5

  32. On the Snort Module Settings screen, ensure Enabled is checked, the database Name is snortdb, the Database Hostname is localhost, the Database username is snort_user, the Database Password is the password you setup for the snort_user when you were creating the database for Snort, NOT the username for Aanval, and click the Update button (Figure 6):
    Figure 6

  33. Next, go to Configuration->Snort Module->Sensor Configuration and ensure the Enabled checkbox is checked and enter the name of your sensor under the Name field and the Operating System in the OS field. In the Location field, you must enter the latitude,longitude of your sensor in order for the Live Geolocation module of Aanval to work correctly. The easiest way to do this is by going to the following website: http://itouchmap.com/latlong.html and entering the physical address of where the sensor is located in the Address field and clicking the Go button. This will display a Google map below along with the latitude and longitude (Figure 7). Once you get the latitude and longitude, enter them in the Location field in the form 37.330853,-122.029684. Next, select the correct timezone from the Timezone drop-down field. Ensure you check the Admin Account checkbox and click the Update button (Figure 8).
    Figure 7

    Figure 8

This concludes this tutorial. If you click the Home icon on top of the Aanval GUI and Snort is working correctly, you should start seeing events. One very important thing to keep in mind: Snort must be finely tuned in order to get the best results and cut down on a lot of the noise. However, this is not within the scope of this tutorial.

Community Support from Tactical FLEX, Inc.

We support over 6,000 customers in more than 100 countries by delivering real-time, continuous network monitoring and by providing a wide range of product manuals, information security articles, and up-to-date how-to guides. Built with a unique Situational Awareness engine, users rely on Aanval because it provides a proactive tool to combat cyber threats and safeguard their virtual and physical assets.

Aanval continues to support both the information security and open source Snort and Suricata communities by providing users with a free non-commercial version of Aanval® that allows full functionality of a single-sensor device. Aanval is designed to work with all versions of Snort and Suricata, and can process syslog data from any device capable of external logging (file or UDP 514).

Aanval is available for download as a free Community edition, in addition to an unlimited sensor-capacity, commercially purchased and supported Snort, Suricata, and syslog license. Downloading and installing Aanval is free and takes only minutes to accomplish. Designed to work with all current Linux, Unix, and Mac OS X flavors of operating systems, you can be up, running, and viewing events within minutes. Let Aanval turn your data into actionable and comprehensive insights to reduce security risks. Free download here: Aanval Community Edition

Aanval® is the industry's most comprehensive Snort and Syslog Intrusion Detection, Correlation, and Threat Management console on the market. Learn more at http://www.aanval.com.
