Installing Snort 2.3 with BASE, Oinkmaster, and Bleeding Snort

Introduction

Here is a short hand series of steps I used for installing Snort on a Debian Linux machine. Doing the same thing on Redhat isn't too difficult. Features of this install make use of PostgreSQL for data storage, BASE for web analysis, Bleeding Snort for recent rule sets, and Oinkmaster for keeping all the rules sets up to date.

Use at your own risk. If you see revisions necessary for these steps, send a message to support@oneunified.net.

• download and place pcre-5.0.tar.gz from www.pcre.org into /usr/src
• tar .zxvf pcre-5.0.tar.gz
• cd pcre-5.0
• ./configure --libdir=/usr/lib/
• make
• make install
• download and place snort-2.3.0RC2.tar.gz from www.snort.org into /usr/src
• tar .zxvf snort-2.3.0RC2.tar.gz
• cd snort-2.3.0RC2
• ./configure .enable-linux-smp-status .with-postgresql
• make
• make install
• cd /usr/src/snort-2.3.0RC2/etc
• cp snort.conf snort.conf.old
• edit snort.conf:
• var HOME_NET 10.100.0.0/24 (change to suit)
• obtain addresses for dns, smtp, http, sql, telnet, snmp
• #preprocessor http_inspect_server: server default \ ..  (maybe)
• output database:alert, postgresql, user=snort dbname=snort sensor_name=sensor1
• Can enable some of the port scanners which are off by default
• There are some performance statistics which can be turned on
• Enable:
• Backdoor.rules
• Mkdir /var/log/snort
• There are some funky vlan/trunked based connections for multi-probe sensing. Contact us if you'd like some assistance with some cool Cisco based SPAN and VLAN solutions.
• Postgresql:
• cd /etc/postgresql
• edit pg_hba.conf
• local snort snort  trust
• host snort snort 127.0.0.1 255.255.255.255 trust
• /etc/init.d/postgresql restart
• su . postgres
• createuser .no-adduser .no-createdb snort
• createdb .owner snort snort
• psql -d snort -U snort  < /usr/src/snort-2.3.0RC2/schemas/create_postgresql
• cd /etc/init.d
• cp skelton snort
• nano snort
• Content of File
• update-rc.d  snort defaults 25
• apt-get install libphp-adodb
• apt-get install php4-pgsql
• download jpgraph from http://www.aditus.nu/jpgraph/
• wget http://members.chello.se/jpgraph/jpgdownloads/jpgraph-1.17beta2.tgz
• cp jpgraph-1.17beta2.tgz /var/www
• cd /var/www
• tar -zxvf jpgraph-1.17beta2.tgz
• rm jpgraph-1.17beta2.tgz
• Download base and install
• wget http://voxel.dl.sourceforge.net/sourceforge/secureideas/base-1.0.tar.gz
• cp base-1.0.tar.gz /var/www\
• cd /var/www
• tar -zxvf base-1.0.tar.gz
• rm base-1.0.tar.gz
• base Configuration:
• cd /var/www/base
• cp base_conf.php.dist base_conf.php
• edit base_conf.php
• $DBlib_path = "/var/www/adodb";
• $DBtype = "postgres";
• $alert_dbname   = "snort";
• $alert_host     = "127.0.0.1";
• $alert_port     = "5432";
• $alert_user     = "snort";
• $alert_password = "";
• $ChartLib_path = "/var/www/jpgraph-1.17beta2/src";
• Edit base_db_setup.php
• For all postgres entries, change .datetime. to .timestamp.
• Change .CREATE TABLE base_roles( roleid. to .CREATE TABLE base_roles( role_id.
• Remove .CREATE INDEX base_users_usr_login ON base_users (usr_login);.
• Change .PRIMARY KEY         (usr_id) ,. to .PRIMARY KEY         (usr_id) ).
• nano /etc/php4/apache2/php.ini
• display_errors = Off
• Configure oinkmaster
• http://voxel.dl.sourceforge.net/sourceforge/oinkmaster/oinkmaster-1.1.tar.gz
• tar -zxvf oinkmaster-1.1.tar.gz
• cd /usr/src/oinkmaster-1.1
• cp oinkmaster.pl /usr/local/bin
• cp oinkmaster.conf /etc
• cp oinkmaster.1 /usr/local/man/man1/
• mkdir /tmp/oinkmaster
• nano /etc/oinkmaster.conf
• tmpdir = /tmp/oinkmaster
• to run manually:
• oinkmaster.pl -o /usr/src/snort-2.3.0RC2/rules
• Add bleeding-rules set
• cd /usr/src/snort-2.3.0RC2/
• wget http://bleedingsnort.com/bleeding.rules.tar.gz
• tar -zxvf bleeding.rules.tar.gz
• cd ../etc
• nano snort.conf
• # Bleeding Snort Rules from www.bleedingsnort.com
• include $RULE_PATH/bleeding-malware.rules
• include $RULE_PATH/bleeding-virus.rules
• include $RULE_PATH/bleeding-p2p.rules
• include $RULE_PATH/bleeding-policy.rules
• include $RULE_PATH/bleeding.rules
• nano /etc/bleedingsnort.conf
• url = http://www.bleedingsnort.com/bleeding.rules.tar.gz
• path = /bin:/usr/bin:/usr/local/bin
• tmpdir = /tmp/oinkmaster
• update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
• skipfile local.rules
• nano /usr/local/bin/snort.sh
• #! /bin/sh
• /usr/local/bin/oinkmaster.pl -o /usr/src/snort-2.3.0RC2/rules/
• /usr/local/bin/oinkmaster.pl -C /etc/bleedingsnort.conf -o /usr/src/snort-2.3.0RC2/rules/
• /etc/init.d/snort restart
• chmod 755 /usr/local/bin/snort.sh
• crontab -e
• 17 3    * * *   root    /usr/local/bin/snort.sh
• Browse to http://localhost/base/