RSS Feed

Snort


Snort NIDS

Features:

1. Network Intrusion Detection System (NIDS)

2. Packet Sniffer

3. Packet Logger – logs using TCPDump format

Tasks:

1. Download and install Snort NIDS

a. snort.org

b. Confirm MD5SUM: ‘md5sum snort-2.8.0.2.tar.gz’ Compare to snort-2.8.0.2.tar.gz.md5

c. Import GPG key used to sign the current release of Snort

d. gpg –verify snort-2.8.0.2.tar.gz.sig snort-2.8.0.2.tar.gz

Requirements:

1. gcc – C compiler

2. make – creates binaries

3. libpcre – Provides access to Perl Compatible RegExes

4. mysql-devel* – provides access to MySQL

5. libpcap* – provides the TCPDump, packet capture library

e. Extract and install (compile) Snort NIDS

e1. tar -xzvf snort-2.8.0.2.tar.gz – creates top-level directory

e2. ./configure –with-mysql –enable-dynamicplugin – checks for prerequisites, including: mysql-devel, libpcre, gcc, make, etc.

e3. make – creates binaries

e4. su (as ‘root’) and execute ‘make install’ – places binaries in /usr/local/ accessible location

Usage – Packet Sniffer:

1. snort -v -i eth0 – reveals layers 3 & 4 of the OSI model

2. snort -vde -i eth0 – reveals layers 2-7

3. snort -vde -i eth0 tcp port 23

Usage – Packet Logger:

1. snort -v -i eth0 -l ./ tcp port 23 – logs binary file in current directory with Unix Epoch suffix

2. snort -b -i eth0 – attempts to log in: /var/log/snort

3. snort -b -L test.snort.log -i eth0 – creates: /var/log/snort/test.snort.log.UnixEpochDate

Note: Snort drops less packets when run in binary logging mode than in verbose, dump-to-screen, mode

Snort NIDS Setup

1. Setup MySQL DB environment

a. create database snort;

b. grant insert,select on root.* to snort@localhost;

c. set password for snort@localhost=password(‘abc123’);

d. grant create,insert,select,delete,update on snort.* to snort@localhost;

e. grant create,insert,select,delete,update on snort.* to snort;

2. Import MySQL DB schema

a. mysql -u root -p < /home/linuxcbt/temp/Snort/snort-2.8.0.2/schemas/create_mysql snort

3. Setup Snort NIDS /etc/snort environment

a. mkdir /etc/snort && cp -v /home/linuxcbt/temp/Snort/snort-2.8.0.2/etc/* /etc/snort

Note: Snort’s primary configuration file for NIDS mode: /etc/snort/snort.conf

4. Download the latest Snort rules file and extract to: /etc/snort/rules

Note: Snort rules are available as follows:

1. Registered users: with delay

2. Subscriber: no delay – NOT FREE

3. Unregistered users: release version (very old) of rules

4. Various third-party sites: i.e. Bleeding Snort, etc.

a. cd /etc/snort && tar -xzvf snortrules*

5. Configure: /etc/snort/snort.conf to use MySQL and rules

a. MySQL – output

b. Rules – path to the rules

6. Start Snort in NIDS mode

a. snort -i eth0 -c /etc/snort/snort.conf -D

7. Setup BASE web analysis application

a. wget http://easynews.dl.sourceforge.net/sourceforge/adodb/adodb480.tgz

b. tar -xzvf adodb480.tgz

Note: adodb480.tgz – provides DB-connectivity for BASE to MySQL

c. Download BASE from http://base.secureideas.net

d. Configure: base_conf.php file

d1. $BASE_urlpath = ‘/base’;

d2. $Dblib_path = “/var/www/html/adodb”;

d3. $Dbtype = ‘mysql’;

d4. alert_dbname = ‘snort’;

d5. alert_host = ‘localhost’;

d6. alert_password = ‘abc123’;

Note: Ensure that your Apache instance has PHP support

Note: Ensure that ‘php-mysql*’ package is installed

8. Connect to BASE via web browser

Note: Consider protecting ‘/base’ application using HTDIGEST or basic auth

Advertisements

About Ali abdo

Ali 32 years old from Egypt working as system engineer riding motorcycle to Support and develop Egyptian tourism, spread motorcycling.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: