|
Installing Snort 2.3
with BASE,
Oinkmaster,
and Bleeding Snort
Introduction
Here is a short hand series of steps I used for installing Snort on a Debian Linux machine.
Doing the same thing on Redhat isn't too difficult.
Features of this install make use of PostgreSQL for data storage, BASE for web analysis,
Bleeding Snort for recent rule sets, and Oinkmaster for keeping all the rules sets up to date.
Use at your own risk. If you see revisions necessary for these steps, send a message to
support@oneunified.net.
- download and place pcre-5.0.tar.gz from www.pcre.org into /usr/src
- tar .zxvf pcre-5.0.tar.gz
- cd pcre-5.0
- ./configure --libdir=/usr/lib/
- make
- make install
- download and place snort-2.3.0RC2.tar.gz from www.snort.org into /usr/src
- tar .zxvf snort-2.3.0RC2.tar.gz
- cd snort-2.3.0RC2
- ./configure .enable-linux-smp-status .with-postgresql
- make
- make install
- cd /usr/src/snort-2.3.0RC2/etc
- cp snort.conf snort.conf.old
- edit snort.conf:
- var HOME_NET 10.100.0.0/24 (change to suit)
- obtain addresses for dns, smtp, http, sql, telnet, snmp
- #preprocessor http_inspect_server: server default \ ..
(maybe)
- output database:alert, postgresql, user=snort
dbname=snort sensor_name=sensor1
- Can enable some of the port scanners which are off by
default
- There are some performance statistics which can be turned
on
- Enable:
- Mkdir /var/log/snort
- There are some funky vlan/trunked based connections for multi-probe sensing. Contact us
if you'd like some assistance with some cool Cisco based SPAN and VLAN solutions.
- Postgresql:
- cd /etc/postgresql
- edit pg_hba.conf
- local snort snort trust
- host snort snort 127.0.0.1 255.255.255.255 trust
- /etc/init.d/postgresql restart
- su . postgres
- createuser .no-adduser .no-createdb snort
- createdb .owner snort snort
- psql -d snort -U snort < /usr/src/snort-2.3.0RC2/schemas/create_postgresql
- cd /etc/init.d
- cp skelton snort
- nano snort
- update-rc.d snort defaults 25
- apt-get install libphp-adodb
- apt-get install php4-pgsql
- download jpgraph from http://www.aditus.nu/jpgraph/
- Download base and install
- base Configuration:
- cd /var/www/base
- cp base_conf.php.dist base_conf.php
- edit base_conf.php
- $DBlib_path = "/var/www/adodb";
- $DBtype = "postgres";
- $alert_dbname = "snort";
- $alert_host = "127.0.0.1";
- $alert_port = "5432";
- $alert_user = "snort";
- $alert_password = "";
- $ChartLib_path = "/var/www/jpgraph-1.17beta2/src";
- Edit base_db_setup.php
- For all postgres entries, change .datetime. to
.timestamp.
- Change .CREATE TABLE base_roles( roleid. to .CREATE
TABLE base_roles( role_id.
- Remove .CREATE INDEX base_users_usr_login ON base_users
(usr_login);.
- Change .PRIMARY KEY (usr_id) ,. to .PRIMARY
KEY (usr_id) ).
- nano /etc/php4/apache2/php.ini
- Configure oinkmaster
- Add bleeding-rules set
- cd /usr/src/snort-2.3.0RC2/
- wget http://bleedingsnort.com/bleeding.rules.tar.gz
- tar -zxvf bleeding.rules.tar.gz
- cd ../etc
- nano snort.conf
- # Bleeding Snort Rules from www.bleedingsnort.com
- include $RULE_PATH/bleeding-malware.rules
- include $RULE_PATH/bleeding-virus.rules
- include $RULE_PATH/bleeding-p2p.rules
- include $RULE_PATH/bleeding-policy.rules
- include $RULE_PATH/bleeding.rules
- nano /etc/bleedingsnort.conf
- url = http://www.bleedingsnort.com/bleeding.rules.tar.gz
- path = /bin:/usr/bin:/usr/local/bin
- tmpdir = /tmp/oinkmaster
- update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
- skipfile local.rules
- nano /usr/local/bin/snort.sh
- #! /bin/sh
- /usr/local/bin/oinkmaster.pl -o
/usr/src/snort-2.3.0RC2/rules/
- /usr/local/bin/oinkmaster.pl -C /etc/bleedingsnort.conf
-o /usr/src/snort-2.3.0RC2/rules/
- /etc/init.d/snort restart
- chmod 755 /usr/local/bin/snort.sh
- crontab -e
- 17 3 * * * root /usr/local/bin/snort.sh
- Browse to http://localhost/base/
|