Welcome to the Aanval Wiki. Snort, Suricata and Syslog Intrusion Detection, Situational Awareness and Risk Management.

Visit http://www.aanval.com/ for more information.

Managing Multiple Snort Instances and Interfaces with Aanval

From Aanval Wiki

Users commonly run multiple Snort instances on multiple interfaces on a single box; this guide will assist with such a configuration and also the remote management of multiple Snort instances using Aanval's Sensor Management Tools (SMTs).

This guide covers the installation and configuration of Snort 2.9.7.0, Barnyard2, and Aanval's SMTs for two or more monitoring instances.

Preparation and Installation

Multiple Snort instances can be started and kept running from a single Snort install.

Depending on your OS, Snort's build dependencies may need to be installed before installing Snort:

We recommend creating a subdirectory per interface for each instance. In this example, we create and start two Snort instances, for interfaces eth1 and eth2, after the installation.

  1. Create subdirectories for the Snort and Barnyard configuration files and logs, and for Aanval's SMTs:

    # -p creates the parent directories; /etc/snort does not exist yet before Snort is installed
    mkdir -p /usr/src
    mkdir -p /etc/snort/eth1
    mkdir -p /etc/snort/eth2
    mkdir -p /etc/barnyard2/eth1
    mkdir -p /etc/barnyard2/eth2
    mkdir -p /var/log/snort/eth1
    mkdir -p /var/log/snort/eth2
    mkdir -p /var/log/barnyard2/eth1
    mkdir -p /var/log/barnyard2/eth2
    mkdir -p /smt/eth1
    mkdir -p /smt/eth2

  2. Download and install Snort to the /usr/src directory:

    cd /usr/src
    wget https://snort.org/downloads/snort/snort-2.9.7.0.tar.gz
    tar -zxvf snort-2.9.7.0.tar.gz
    cd snort-2.9.7.0
    ./configure --enable-gre --enable-mpls --enable-targetbased \
    --enable-ppm --enable-perfprofiling \
    --enable-active-response --enable-normalizer --enable-reload \
    --enable-react --enable-flexresp3
    make
    make install

  3. Download and install Barnyard2 to the /usr/src directory:

    cd /usr/src
    wget http://download.aanval.com/barnyard2-1.9.tar.gz
    tar -zxvf barnyard2-1.9.tar.gz
    cd barnyard2-1.9
    ./configure --with-mysql
    make
    make install

  4. Download and install the Snort signatures for each interface:

    cd /etc/snort/eth1
    # quote the URL so the shell does not treat <oinkcode> as a redirection, and
    # use -O so the query string is not kept in the saved filename
    wget -O snortrules-snapshot-2970.tar.gz "https://snort.org/rules/snortrules-snapshot-2970.tar.gz?oinkcode=<oinkcode>"
    cp snortrules-snapshot-2970.tar.gz /etc/snort/eth2
    tar -zxvf snortrules-snapshot-2970.tar.gz
    rm -f snortrules-snapshot-2970.tar.gz

    (Repeat the untar and removal steps for each interface.)

  5. Copy the configuration files from each source tree to each interface directory:

    cp /usr/src/snort-2.9.7.0/etc/* /etc/snort/eth1
    cp /usr/src/snort-2.9.7.0/etc/* /etc/snort/eth2
    cp /usr/src/barnyard2-1.9/etc/* /etc/barnyard2/eth1
    cp /usr/src/barnyard2-1.9/etc/* /etc/barnyard2/eth2

  6. Download and untar the SMT package for each interface:

    cd /smt/eth1
    wget http://download.aanval.com/smt.tar.gz
    cp smt.tar.gz /smt/eth2
    tar -zxvf smt.tar.gz
    rm -f smt.tar.gz

    (Repeat the untar and removal steps for each interface.)

Snort Configuration

  1. Edit /etc/snort/eth1/snort.conf and make the following changes:

    var RULE_PATH /etc/snort/eth1/rules
    var SO_RULE_PATH /etc/snort/eth1/rules
    var PREPROC_RULE_PATH /etc/snort/eth1/rules
    var WHITE_LIST_PATH /etc/snort/eth1/rules
    var BLACK_LIST_PATH /etc/snort/eth1/rules

  2. Uncomment the unified2 output line and remove 'nostamp' from the comma-delimited options list:

    output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types

    (Save the file and repeat these steps for each interface.)

  3. Create empty black and white lists:

    touch /etc/snort/eth1/rules/white_list.rules
    touch /etc/snort/eth1/rules/black_list.rules

    touch /etc/snort/eth2/rules/white_list.rules
    touch /etc/snort/eth2/rules/black_list.rules

  4. Initially start Snort in the foreground to check for errors:

    snort -c /etc/snort/eth1/snort.conf -i eth1 -l /var/log/snort/eth1

  5. Once satisfied, repeat these steps for each interface. Check each logging directory to ensure the merged.log file was created at each Snort startup:

    ls -la /var/log/snort/eth1
    ls -la /var/log/snort/eth2

    Don't worry about starting Snort in daemon mode yet; we'll do that along with Barnyard below, using some included scripts.
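The snort.conf edits from steps 1 and 2 of this section, applied with sed so every interface copy ends up identical apart from its path, plus a check that reports whether a given copy already carries them. This is an added example, not part of the wiki or of the Snort or Aanval distributions; the function names and the stock-like snort.conf excerpt are assumptions.

```shell
#!/bin/sh
# Added example (not the wiki's or Snort's own code).
#   render_snort_conf <iface> <stock snort.conf> <output file>
#   check_snort_conf  <iface> <conf>   -> returns 0 only if every edit is present
render_snort_conf() {
  iface="$1"; src="$2"; dst="$3"
  rules="/etc/snort/$iface/rules"          # the wiki points all five vars here
  sed -e "s|^var RULE_PATH .*|var RULE_PATH $rules|" \
      -e "s|^var SO_RULE_PATH .*|var SO_RULE_PATH $rules|" \
      -e "s|^var PREPROC_RULE_PATH .*|var PREPROC_RULE_PATH $rules|" \
      -e "s|^var WHITE_LIST_PATH .*|var WHITE_LIST_PATH $rules|" \
      -e "s|^var BLACK_LIST_PATH .*|var BLACK_LIST_PATH $rules|" \
      -e "s|^# *\(output unified2: *filename.*\)|\1|" \
      -e "/^output unified2:/ s|, *nostamp||" \
      "$src" > "$dst"
}

check_snort_conf() {
  iface="$1"; conf="$2"; rules="/etc/snort/$iface/rules"
  for v in RULE_PATH SO_RULE_PATH PREPROC_RULE_PATH WHITE_LIST_PATH BLACK_LIST_PATH; do
    grep -q "^var $v $rules\$" "$conf" || return 1
  done
  # exactly one active unified2 line, and it must not carry nostamp
  [ "$(grep -c '^output unified2:' "$conf")" -eq 1 ] || return 1
  grep '^output unified2:' "$conf" | grep -q nostamp && return 1
  return 0
}

# Constructed stand-in for the stock snort.conf (only the lines that matter), so the
# example runs offline; a real run would read /usr/src/snort-2.9.7.0/etc/snort.conf.
write_sample_conf() {
  cat > "$1" <<'EOF'
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
EOF
}

# Typical use: write_sample_conf /tmp/stock.conf
#   render_snort_conf eth2 /tmp/stock.conf /etc/snort/eth2/snort.conf
#   check_snort_conf eth2 /etc/snort/eth2/snort.conf && echo "eth2 config ok"
```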

Barnyard Configuration

  1. Edit /etc/barnyard2/eth1/barnyard2.conf and make the following changes (set the user, password, database name, and host for your environment):

    config interface:       eth1
    config waldo_file:      /var/log/barnyard2/eth1/waldo
    output database:        log, mysql, user=root password=password dbname=snort host=xxx.xxx.xxx.xxx

  2. Initially start Barnyard in the foreground to check for errors:

    barnyard2 -c /etc/barnyard2/eth1/barnyard2.conf -f merged.log -d /var/log/snort/eth1

  3. Once satisfied, repeat these steps for each interface.

SMT Configuration

  1. Edit /smt/eth1/conf.php and make the following changes (set the protocol and host for your environment):

    $id = "00000000001";

    This must be an 11-digit number, unique to each Snort instance, and it must match the sensor ID listed in Aanval under Console Configuration > Snort Module > Sensor Configuration.

    $sensorDataPath = "/smt/eth1";
    $protocol = "http";
    $consoleHost = "www.site.com";
    $consoleHostPath = "/aanval/";

    Depending on where Aanval is installed, $consoleHostPath may be a plain / instead of /aanval/.

    $cmdSnortStart = "startEth1";
    $cmdSnortStop = "stopEth1";
    $cmdSnortStatus = "ps aux | grep -v grep | grep snort | grep eth1";
    $confSnort = "/etc/snort/eth1/snort.conf";
    $rulesSnort = "/etc/snort/eth1/rules/";

    (Save the file and repeat these steps for each interface.)

  2. While still in the /smt/eth1 directory, test the SMTs to ensure the connection is successful:

    php smt.php

  3. Once satisfied, start the SMTs in daemon mode:

    ./idsSensor.pl -start


Snort and Barnyard Start/Stop Scripts

With the scripts below, you'll be able to easily start and stop Snort and Barnyard on each interface, and even remotely control them with Aanval's SMT tools.

  1. Create and edit /smt/eth1/startEth1, paste the following into the file and save:

    #!/bin/bash
    # Start the eth1 Snort instance and its Barnyard2 reader as daemons (-D).

    echo "Starting Snort/Barnyard on eth1"

    # Snort writes unified2 records to /var/log/snort/eth1/merged.log
    /usr/local/bin/snort -i eth1 -c /etc/snort/eth1/snort.conf -l /var/log/snort/eth1 -D

    # Barnyard2 reads merged.log from that directory and writes to the database named in its config
    /usr/local/bin/barnyard2 -c /etc/barnyard2/eth1/barnyard2.conf -f merged.log -d /var/log/snort/eth1/ -D

    echo "Done..."

  2. Make the script executable:

    chmod a+x startEth1

  3. Repeat these steps to create the script and make it executable for each interface, then start the script from the /smt/eth1 directory:

    ./startEth1

  4. Check the status of each process to ensure they started properly:

    ps aux | grep -v grep | grep snort

  5. Create and edit /smt/eth1/stopEth1, paste the following into the file and save:

    #!/bin/bash
    # Kill every process whose command line contains both "snort" and "eth1".
    # This matches the Snort instance and also its Barnyard2 reader, whose
    # command line contains /var/log/snort/eth1/.

    echo "Stopping Snort/Barnyard on eth1"

    kill $(ps aux | grep snort | grep eth1 | grep -v grep | awk '{print $2}')

    echo "Done..."

  6. Make the script executable:

    chmod a+x stopEth1

  7. Repeat these steps to create the script and make it executable for each interface, then execute the script from the /smt/eth1 directory:

    ./stopEth1

  8. Check the status of each process to ensure they are stopped:

    ps aux | grep -v grep | grep snort

  9. At this point Snort, Barnyard, and the SMTs are functioning and can easily be started and stopped, locally or remotely. See the Signature Management guide for directions on using the SMTs for these functions.
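The status check used in the scripts above and in $cmdSnortStatus matches any command line containing both "snort" and "eth1", so it also matches an instance on eth10 and, because of the -d /var/log/snort/eth1/ argument, the Barnyard2 reader. An added example, not from the wiki or the SMT package, that instead keys on the actual arguments of each daemon; the function names and the sample ps output are constructed.

```shell
#!/bin/sh
# Added example (not the wiki's or the SMT package's code).
# instance_status <iface> reads `ps aux` lines on stdin and prints how many snort
# and barnyard2 processes belong to exactly that interface: snort is recognised by
# its "-i <iface>" argument, barnyard2 by its "-c /etc/barnyard2/<iface>/barnyard2.conf".
instance_status() {
  iface="$1"
  awk -v iface="$iface" '
    {
      # ps aux columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND...; $11 is the binary
      s = 0; b = 0
      is_snort = ($11 ~ /(^|\/)snort$/)
      is_by2   = ($11 ~ /(^|\/)barnyard2$/)
      for (i = 12; i < NF; i++) {
        if (is_snort && $i == "-i" && $(i+1) == iface) s = 1
        if (is_by2 && $i == "-c" && $(i+1) == ("/etc/barnyard2/" iface "/barnyard2.conf")) b = 1
      }
      snort += s; by2 += b
    }
    END { printf "snort=%d barnyard2=%d\n", snort + 0, by2 + 0 }
  '
}

# Constructed sample process table (not captured from a real host) so the example runs offline.
# Note the eth10 instance and the grep process, which the wiki's pattern would also match.
sample_ps() {
  cat <<'EOF'
root 1201 0.3 2.1 400000 80000 ? Ssl 10:00 0:05 /usr/local/bin/snort -i eth1 -c /etc/snort/eth1/snort.conf -l /var/log/snort/eth1 -D
root 1202 0.1 0.5 100000 20000 ? Ss 10:00 0:01 /usr/local/bin/barnyard2 -c /etc/barnyard2/eth1/barnyard2.conf -f merged.log -d /var/log/snort/eth1/ -D
root 1203 0.3 2.1 400000 80000 ? Ssl 10:00 0:05 /usr/local/bin/snort -i eth10 -c /etc/snort/eth10/snort.conf -l /var/log/snort/eth10 -D
root 1204 0.0 0.0 5000 1000 pts/0 S+ 10:01 0:00 grep snort
EOF
}

# Live use on the sensor: ps aux | instance_status eth1   (expect "snort=1 barnyard2=1")
```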