Community:Snort 2.9.3.1 Installation Guide for Debian 6.0.5

By Jason Weir
Email: jason.weir [at] nhrs [dot] org

Published August 27, 2012

This document installs Debian 6.0.5 (Squeeze), Snort 2.9.3.1, and Barnyard2-1.10.

Install OS

This document assumes two network cards, with eth0 the management interface and eth1 the collector (sniffing) interface.

  1. Get Debian here: http://www.debian.org/distrib/netinst. I used the small CD version. Burn the ISO and boot the CD.
  2. Choose the default options (or as appropriate for your site).
  3. When you get to the "Software Selection" screen, unselect all options to get a bare minimum install.
  4. After the install finishes, the CD ejects and the system reboots. Log back in as root.
  5. So we can connect via SSH and copy/paste to the terminal, enter the following command:

     apt-get update && apt-get -y install ssh

  6. Dotdeb.org maintains packages of MySQL and PHP more current than the Debian repository. Add them to the apt sources:

     vi /etc/apt/sources.list

     Add the following lines:

     deb http://packages.dotdeb.org squeeze all
     deb-src http://packages.dotdeb.org squeeze all

  7. Install the Dotdeb GnuPG key. The key is fetched over plain HTTP, so compare its fingerprint (gpg --with-fingerprint dotdeb.gpg) with the one published on dotdeb.org before trusting it:

     cd /usr/src && wget http://www.dotdeb.org/dotdeb.gpg
     apt-key add dotdeb.gpg

  8. Install the packages. Apt will require input; for example, MySQL will ask you to enter a "root" password for the MySQL server. Make it secure and don't forget it.

     apt-get update && apt-get -y install apache2 apache2-doc autoconf automake bison ca-certificates ethtool flex g++ gcc gcc-4.4 libapache2-mod-php5 \
       libcrypt-ssleay-perl libmysqlclient-dev libnet1 libnet1-dev libpcre3 libpcre3-dev libphp-adodb libssl-dev libtool libwww-perl make mysql-client \
       mysql-common mysql-server ntp php5-cli php5-gd php5-mysql php-pear sendmail sysstat usbmount vim

  9. Disable "Large Receive Offload" and "Generic Receive Offload" on the collector interface; otherwise the NIC hands Snort coalesced super-frames instead of the packets actually seen on the wire:

     ethtool -K eth1 gro off
     ethtool -K eth1 lro off

     These settings do not survive a reboot. Put them in a post-up line of the eth1 stanza in /etc/network/interfaces so they are reapplied when the interface comes up.
    

Install Snort Prerequisites: libpcap, libdnet, and DAQ

  1. Install libpcap:

     cd /usr/src && wget http://www.tcpdump.org/release/libpcap-1.3.0.tar.gz
     tar -zxf libpcap-1.3.0.tar.gz && cd libpcap-1.3.0
     ./configure --prefix=/usr --enable-shared && make && make install

  2. Install libdnet:

     cd /usr/src && wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
     tar -zxf libdnet-1.12.tgz && cd libdnet-1.12
     ./configure --prefix=/usr --enable-shared && make && make install

  3. Install DAQ:

     cd /usr/src && wget http://www.snort.org/dl/snort-current/daq-1.1.1.tar.gz
     tar -zxf daq-1.1.1.tar.gz && cd daq-1.1.1
     ./configure && make && make install

  4. Update the shared library path so the loader finds the libraries just installed under /usr/local/lib:

     echo /usr/lib >> /etc/ld.so.conf
     echo /usr/local/lib >> /etc/ld.so.conf && ldconfig
    

Install, Configure, and Test Snort

  1. Download, build and install Snort, then create its directories and an unprivileged system account (no login shell) for it to run as:

     cd /usr/src && wget http://labs.snort.org/snort/2931/snort.conf -O snort.conf
     wget http://www.snort.org/dl/snort-current/snort-2.9.3.1.tar.gz -O snort-2.9.3.1.tar.gz
     tar -zxf snort-2.9.3.1.tar.gz && cd snort-2.9.3.1
     ./configure --enable-sourcefire && make && make install
     mkdir -p /etc/snort/rules /var/log/snort /var/log/barnyard2 /usr/local/lib/snort_dynamicrules
     touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
     groupadd snort && useradd -r -g snort -s /bin/false snort
     chown snort:snort /var/log/snort /var/log/barnyard2
     cp /usr/src/snort-2.9.3.1/etc/*.conf* /etc/snort
     cp /usr/src/snort-2.9.3.1/etc/*.map /etc/snort
     cp /usr/src/snort.conf /etc/snort

     The last command replaces the snort.conf shipped in the tarball with the copy downloaded from labs.snort.org; the line numbers below refer to that copy.

  2. Edit the Snort conf:

     vi /etc/snort/snort.conf

     Make the following changes:

     Line #45: make this match your internal (friendly) network

     ipvar HOME_NET 172.26.12.0/22

     Line #48:

     ipvar EXTERNAL_NET !$HOME_NET

     Line #104 (include paths that are not absolute are resolved relative to the directory containing snort.conf, so ./rules means /etc/snort/rules; if Snort complains that it cannot find a list file, use the absolute path /etc/snort/rules instead):

     var RULE_PATH ./rules

     Line #113:

     var WHITE_LIST_PATH ./rules

     Line #114:

     var BLACK_LIST_PATH ./rules

     Line #297: add this to the end of the line, after "decompress_depth 65535"

     max_gzip_mem 104857600

     Line #538: add this line so Snort writes unified2 logs for Barnyard to pick up:

     output unified2: filename snort.log, limit 128

     Line #554: delete or comment out all of the "include $RULE_PATH" lines except "local.rules". Snort exits with a fatal error if an included rule file does not exist, and none of the other rule files have been downloaded yet.

  3. Edit local.rules:

     vi /etc/snort/rules/local.rules

     Enter a simple rule like this for testing:

     alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001;)

  4. Now start Snort on the management interface with alerts printed to the console:

     /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

  5. Ping the management IP address from another machine. Alerts should be printed to the console like this:

     02/09-11:29:43.450236 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.1 -> 172.26.12.2
     02/09-11:29:43.450251 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.2 -> 172.26.12.1

     If so, congratulations: Snort is working. Use Ctrl-C to stop it.
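The snort.conf edits above are given by line number, which only holds for the 2.9.3.1 copy of the file. The following script, added here as an example and not part of the original guide or of Snort itself, applies the same edits by pattern and then verifies them, so it can be re-run safely and still works if a line shifts. It assumes a POSIX sh with sed, grep and mktemp; the snort.conf fragment it edits in the demo is a constructed stand-in for the stock lines, not the real file.

```shell
#!/bin/sh
# Added example (not from the original guide or from Snort): apply the snort.conf
# edits by pattern instead of line number, then verify them. Assumes POSIX sh with
# sed, grep and mktemp. make_sample_conf writes a constructed stand-in for the
# stock lines being edited; it is not the real snort.conf.

# sed_in_place SCRIPT FILE: portable stand-in for "sed -i"; leaves FILE untouched if sed fails
sed_in_place() {
    tmp=$(mktemp) || return 1
    sed "$1" "$2" > "$tmp" && cat "$tmp" > "$2"
    rm -f "$tmp"
}

# apply_snort_conf_edits CONF HOME_NET_CIDR: idempotent, safe to run twice
apply_snort_conf_edits() {
    conf=$1; home_net=$2
    # Lines 45/48: the friendly network, and everything that is not it
    sed_in_place "s|^ipvar HOME_NET .*|ipvar HOME_NET $home_net|" "$conf"
    sed_in_place 's|^ipvar EXTERNAL_NET .*|ipvar EXTERNAL_NET !$HOME_NET|' "$conf"
    # Lines 104/113/114: rules and reputation lists live under /etc/snort/rules
    sed_in_place 's|^var RULE_PATH .*|var RULE_PATH ./rules|' "$conf"
    sed_in_place 's|^var WHITE_LIST_PATH .*|var WHITE_LIST_PATH ./rules|' "$conf"
    sed_in_place 's|^var BLACK_LIST_PATH .*|var BLACK_LIST_PATH ./rules|' "$conf"
    # Line 297: cap http_inspect gzip memory, appended once after decompress_depth
    grep -q 'max_gzip_mem' "$conf" || \
        sed_in_place 's|decompress_depth 65535[[:space:]]*$|decompress_depth 65535 max_gzip_mem 104857600|' "$conf"
    # Line 538: unified2 output for barnyard2 (Snort does not care where in the file it sits)
    grep -q '^output unified2:' "$conf" || \
        printf 'output unified2: filename snort.log, limit 128\n' >> "$conf"
    # Line 554: comment out every rule include except local.rules
    sed_in_place '/^include \$RULE_PATH\//{/local\.rules/!s|^|# |;}' "$conf"
}

# verify_snort_conf CONF -> 0 if every edit is present and the only live include is local.rules
verify_snort_conf() {
    conf=$1
    grep -q '^ipvar HOME_NET ' "$conf" || return 1
    grep -qxF 'ipvar EXTERNAL_NET !$HOME_NET' "$conf" || return 1
    grep -qF 'max_gzip_mem 104857600' "$conf" || return 1
    [ "$(grep -c '^output unified2: filename snort.log, limit 128$' "$conf")" -eq 1 ] || return 1
    [ "$(grep '^include \$RULE_PATH/' "$conf")" = 'include $RULE_PATH/local.rules' ]
}

# make_sample_conf FILE: constructed sample mimicking the stock snort.conf lines we edit
make_sample_conf() {
    cat > "$1" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
EOF
}

# Demo: edit the sample twice (to show idempotency), then verify
demo() {
    f=$(mktemp)
    make_sample_conf "$f"
    apply_snort_conf_edits "$f" 172.26.12.0/22
    apply_snort_conf_edits "$f" 172.26.12.0/22
    if verify_snort_conf "$f"; then echo "snort.conf edits verified"; else echo "verification failed" >&2; fi
    rm -f "$f"
}
demo
```

Against the real file, run apply_snort_conf_edits /etc/snort/snort.conf 172.26.12.0/22 && verify_snort_conf /etc/snort/snort.conf, then let Snort parse the result in test mode with snort -T -c /etc/snort/snort.conf -i eth1 before starting it for real.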

Install and Configure Barnyard

  1. Enter the following commands:

     cd /usr/src && wget https://nodeload.github.com/firnsy/barnyard2/tarball/master
     tar -zxf master && cd firnsy-barnyard2-*
     autoreconf -fvi -I ./m4 && ./configure --with-mysql && make && make install
     mv /usr/local/etc/barnyard2.conf /etc/snort
     cp schemas/create_mysql /usr/src

  2. Edit the Barnyard conf file:

     vi /etc/snort/barnyard2.conf

     Make the following changes:

     Line #215: change to

     output alert_fast

     At the end of the file add this line, substituting the password you will give the snort database user in the next section:

     output database: log, mysql, user=snort password=<mypassword> dbname=snort host=localhost

  3. The file now contains a database password, so make it readable by root only:

     chmod 600 /etc/snort/barnyard2.conf
    

Set up the MySQL Server

  1. Connect to MySQL as root; you will be prompted for the password you created during installation:

     mysql -u root -p

  2. Create the database and a restricted user for Barnyard. Give the snort user a password different from the MySQL "root" password; it must match the one you put in barnyard2.conf.

     mysql> create database snort;
     mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
     mysql> SET PASSWORD FOR snort@localhost=PASSWORD('mypassword');
     mysql> use snort;
     mysql> source /usr/src/create_mysql
     mysql> show tables;

     You should see the list of new tables you just imported.

     mysql> exit

  3. Now start Snort and Barnyard with these commands:

     /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 &
     /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo \
       -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C /etc/snort/classification.config &

  4. Again, ping the management IP address from another machine.
  5. This command shows that Barnyard is correctly inserting events into the database (enter the MySQL root password again). The count should be greater than zero and keep growing while you ping:

     mysql -uroot -p -D snort -e "select count(*) from event"

Configure Apache and PHP

  1. Enable the SSL site and module, then open php.ini. The default-ssl site uses Debian's self-signed ssl-cert-snakeoil certificate; replace it with a certificate of your own before exposing the console to users.

     a2ensite default-ssl
     a2enmod ssl
     vi /etc/php5/apache2/php.ini

  2. Line #521: change the line to read:

     error_reporting = E_ALL & ~E_NOTICE

  3. Continue with the following commands:

     pear config-set preferred_state alpha && pear channel-update pear.php.net && pear install --alldeps Image_Color Image_Canvas Image_Graph
     /etc/init.d/apache2 restart
    

Install and Configure Aanval

Refer to the Aanval SAS (v7) Installation Guide

Startup Scripts for Snort and Barnyard

  1. Create the following file:

     vi /etc/init.d/snortbarn

  2. Paste the following into the file. Note that the loop waiting for MySQL has no timeout: if mysqld never comes up, "start" blocks until it does.

     #! /bin/sh
     #
     ### BEGIN INIT INFO
     # Provides:          snortbarn
     # Required-Start:    $remote_fs $syslog mysql
     # Required-Stop:     $remote_fs $syslog
     # Default-Start:     2 3 4 5
     # Default-Stop:      0 1 6
     # X-Interactive:     true
     # Short-Description: Start Snort and Barnyard
     ### END INIT INFO

     . /lib/init/vars.sh
     . /lib/lsb/init-functions

     # Read a setting (e.g. pid-file) from mysqld's effective defaults
     mysqld_get_param() {
         /usr/sbin/mysqld --print-defaults | tr " " "\n" | grep -- "--$1" | tail -n 1 | cut -d= -f2
     }

     do_start() {
         log_daemon_msg "Starting Snort and Barnyard" ""
         # Make sure mysql has finished starting before Barnyard tries to connect
         ps_alive=0
         while [ $ps_alive -lt 1 ]; do
             pidfile=`mysqld_get_param pid-file`
             if [ -f "$pidfile" ] && ps `cat $pidfile` >/dev/null 2>&1; then
                 ps_alive=1
             fi
             sleep 1
         done
         /sbin/ifconfig eth1 up
         /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth1 &
         /usr/local/bin/barnyard2 -q -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log \
             -w /etc/snort/bylog.waldo -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map \
             -C /etc/snort/classification.config 2> /dev/null &
         log_end_msg 0
         return 0
     }

     do_stop() {
         log_daemon_msg "Stopping Snort and Barnyard" ""
         kill $(pidof snort) 2> /dev/null
         kill $(pidof barnyard2) 2> /dev/null
         log_end_msg 0
         return 0
     }

     case "$1" in
         start)   do_start ;;
         stop)    do_stop ;;
         restart) do_stop; do_start ;;
         *)       echo "Usage: snortbarn {start|stop|restart}" >&2; exit 3 ;;
     esac

     exit 0

  3. Make it executable and create the startup symlinks:

     chmod +x /etc/init.d/snortbarn
     insserv -f -v snortbarn
    

    Snort and Barnyard will now start automatically at boot.
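The wait loop in do_start has no upper bound, so a MySQL that fails to start leaves the init script, and with it the boot sequence, blocked. The following is an added example, not code from the original guide or from the Snort or Barnyard2 projects, of the same readiness check with a timeout, written as functions that can replace the loop in do_start. It assumes only POSIX sh; start_gate reads mysqld's pid-file setting exactly as the script does, and the pidfiles written by demo are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original guide or from Snort/Barnyard2): a bounded
# version of the "wait for mysqld" gate used in /etc/init.d/snortbarn. Assumes
# POSIX sh and the usual one-PID-per-file pidfile format. The pidfiles created by
# demo are constructed for the demonstration.

# pid_alive PID -> 0 if a process with that PID exists (kill -0 sends no signal)
pid_alive() {
    [ -n "$1" ] && kill -0 "$1" 2>/dev/null
}

# pidfile_alive FILE -> 0 if FILE exists and names a live process
pidfile_alive() {
    [ -f "$1" ] || return 1
    pid=$(tr -dc '0-9' < "$1")
    pid_alive "$pid"
}

# wait_for_pidfile FILE TIMEOUT_SECONDS -> 0 once FILE names a live process,
# 1 if the timeout elapses first. Polls once per second like the init script.
wait_for_pidfile() {
    file=$1; waited=0
    while [ "$waited" -lt "$2" ]; do
        pidfile_alive "$file" && return 0
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# start_gate: drop-in for the loop in do_start. Gives mysqld 30 s to come up,
# then fails instead of hanging the boot sequence or "service snortbarn start".
start_gate() {
    pidfile=$(/usr/sbin/mysqld --print-defaults | tr " " "\n" | grep -- "--pid-file" | tail -n 1 | cut -d= -f2)
    if ! wait_for_pidfile "$pidfile" 30; then
        echo "snortbarn: mysqld did not start within 30s; not starting Snort/Barnyard" >&2
        return 1
    fi
}

# Demo with constructed pidfiles: this shell's own PID is alive; 99999999 is above
# any Linux pid_max, so it never is.
demo() {
    live=$(mktemp); dead=$(mktemp)
    echo $$ > "$live"
    echo 99999999 > "$dead"
    wait_for_pidfile "$live" 5 && echo "live pidfile: ready"
    wait_for_pidfile "$dead" 2 || echo "dead pidfile: gave up after 2s"
    rm -f "$live" "$dead"
}
demo
```

In the init script, replace the while loop with start_gate || exit 1 so that a failed MySQL start is logged and Snort and Barnyard are left stopped, rather than the boot blocking indefinitely.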

Cleanup

  1. Remove the Apache placeholder page and the test data, and stop the hand-started Snort and Barnyard processes:

     rm /var/www/index.html
     chmod 755 /var/www/base
     pkill snort && pkill barnyard2
     rm -rf /var/log/snort/* /var/log/barnyard2/*

  2. Edit local.rules and comment out the test rule:

     vi /etc/snort/rules/local.rules

  3. Edit the Snort conf file:

     vi /etc/snort/snort.conf

     On line #553, add:

     include $RULE_PATH/snort.rules

     This guide does not create snort.rules; it is the rule file your rule-update process places in /etc/snort/rules. Snort exits with a fatal error if an included file is missing, so put the file in place (or leave the include commented out) before restarting.

  4. Plug a span port or tap into eth1 and restart Snort:

     /etc/init.d/snortbarn restart
    

Community Support from Tactical FLEX, Inc.

We support over 6,000 customers in more than 100 countries by delivering real-time, continuous network monitoring and by providing a wide range of product manuals, information security articles, and up-to-date how-to guides. Built with a unique Situational Awareness engine, users rely on Aanval because it provides a proactive tool to combat cyber threats and safeguard their virtual and physical assets.

Aanval continues to support both the information security and open source Snort and Suricata communities by providing users with a free non-commercial version of Aanval® that allows full functionality of a single-sensor device. Aanval is designed to work with all versions of Snort and Suricata, and can process syslog data from any device capable of external logging (file or UDP 514).

Aanval is available for download as a free Community edition, in addition to an unlimited sensor-capacity, commercially purchased and supported Snort, Suricata, and syslog license. Downloading and installing Aanval is free and takes only minutes to accomplish. Designed to work with all current Linux, Unix, and Mac OS X flavors of operating systems, you can be up, running, and viewing events within minutes. Let Aanval turn your data into actionable and comprehensive insights to reduce security risks. Free download here: Aanval Community Edition

Aanval® is the industry's most comprehensive Snort and Syslog Intrusion Detection, Correlation, and Threat Management console on the market. Learn more at http://www.aanval.com.
