Install Snort with snort report in CentOS
Step 1: Preparing
#yum install pcre pcre-devel php php-common php-gd php-cli php-mysql flex bison mysql mysql-devel mysql-bench mysql-server php-pear.noarch php-pear-DB.noarch php-pear-File.noarch kernel-devel libxml2-devel vim-enhanced.i386
#yum install gcc-c++
Download the source code:
#cd /usr/local
#wget ips-builder.googlecode.com/files/libnet-1.0.2a.tar.gz
#wget libdnet.googlecode.com/files/libdnet-1.12.tgz
#wget tcpdump.org/release/libpcap-1.1.1.tar.gz
#wget snort.org/downloads/1623 -O daq-0.6.2.tar.gz
#wget snort.org/downloads/1631 -O snort-2.9.2.3.tar.gz
Download the rules snapshot from snort.org/snort-rules (requires a snort.org account)
#wget unixwiz.net/tools/nbtscan-source-1.0.35.tgz
#wget jpgraph.net/download/download.php?p=1.27.1 -O jpgraph-1.27.1.tar.gz
Step 2: Install lib
#cd /usr/local
#tar zxvf /root/libnet-1.0.2a.tar.gz
#cd Libnet-1.0.2a
#./configure && make && make install
#cd /usr/local
#tar zxvf /root/libdnet-1.12.tgz
#cd libdnet-1.12
#./configure && make && make install
#cd /usr/local
#tar xvzf libpcap-1.1.1.tar.gz
#cd libpcap-1.1.1
#./configure && make && make install
#cp /usr/local/lib/libpcap.a /usr/lib/
#cd /usr/local
#mkdir nbtscan
#cd nbtscan
#tar zxvf /root/nbtscan-1-3-1.tar.gz
#make
Step 3: Install DAQ and Snort
Install DAQ
#cd /usr/local
#tar xvzf daq-0.6.2.tar.gz
#cd daq-0.6.2
#./configure && make && make install
Install Snort
#cd /usr/local
#tar zxvf /root/snort-2.9.2.3.tar.gz
#cd snort-2.9.2.3
#./configure && make && make install
Step 4: Config snort
Create snort rules and logs
#mkdir /etc/snort
#mkdir /var/log/snort
#cd /etc/snort
#tar zxvf /root/snortrules-snapshot-2921.tar.gz -C /etc/snort
#cp etc/* /etc/snort
#groupadd snort
#useradd -g snort snort
#chown snort:snort /var/log/snort
#touch /var/log/snort/alert
#chown snort:snort /var/log/snort/alert
#chmod 600 /var/log/snort/alert
#mkdir /usr/local/lib/snort_dynamicrules
#cp /etc/snort/so_rules/precompiled/Centos-5-4/i386/2.9.2.1/*.so /usr/local/lib/snort_dynamicrules
#cat /etc/snort/so_rules/*.rules >> /etc/snort/rules/so-rules.rules
Edit snort.conf
#vim /etc/snort/snort.conf
Change:
RULE_PATH to /etc/snort/rules
PREPROC_RULE_PATH to /etc/snort/preproc_rules
SO_RULE_PATH to /etc/snort/so_rules
Find the reputation preprocessor and comment out its whole block (around line 511).
Find the unified2 output line, uncomment it, and set it to: output unified2: filename snort.log, limit 128
Step 5: Setup MySQL
#mysql -u root -p
>SET PASSWORD FOR root@localhost=PASSWORD('password');   (replace 'password' with a strong password of your own)
>create database snort;
>grant ALL PRIVILEGES on snort.* to snort@localhost with GRANT option;
>SET PASSWORD FOR snort@localhost=PASSWORD('password');   (replace 'password' with a strong password of your own)
>exit
#cd /usr/local/snort-2.9.2.1/schemas
#mysql -p < create_mysql snort
Test database:
#mysql -u root -p
>SHOW DATABASES;
There should be 4 rows, one of them named snort
>use snort;
>SHOW TABLES;
There should be 16 rows
>exit;
Step 6: Create GUI
Extract JPGraph
#cd /usr/local
#tar xvzf /root/jpgraph-1.27.1.tar.gz
#cp jpgraph-1.27.1 /var/www/html
#mv /var/www/html/jpgraph-1.27.1 /var/www/html/jpgraph
#cd /var/www/html
#tar zxvf /root/snortreport-1.3.1.tar.gz
#cd snortreport-1.3.1
#vim srconf.php
Find $pass and set it to the snort database password you chose in Step 5
Find JPGRAPH_PATH change to ("JPGRAPH_PATH", "../jpgraph/src/");
Find NMAP_PATH change to ("NMAP_PATH", "/usr/bin/nmap -v");
Find NBTSCAN_PATH change to ("NBTSCAN_PATH", "/usr/local/nbtscan/nbtscan");
Install Barnyard
#cd /usr/local
#tar zxvf /root/barnyard2-1.9.tar.gz
#cd barnyard2-1.9
#./configure --with-mysql && make && make install
#cp etc/barnyard2.conf /etc/snort
Setup Barnyard
#vim /etc/snort/barnyard2.conf
Change hostname to localhost
Change interface to eth0 (the interface Snort listens on)
Change mysql line: output database: log, mysql, user=snort password=password dbname=snort host=localhost
Step 7: Start Snort
First CLI terminal
#snort -c /etc/snort/snort.conf
Second CLI terminal
#cp /dev/null /var/log/snort/barnyard.waldo
#mkdir /var/log/barnyard2
Start barnyard:
#/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo
Test snort:
Third CLI:
#vim /etc/snort/rules/local.rules
Insert line:
alert tcp any any <> any 80 (msg: "Test web activity"; sid:1000001;)
Restart Snort (press Ctrl+C in the first terminal and run the snort command again)
Open Web Browser, type your snort server address
Go to: http://<snort-server-address>/snortreport-1.3.3/alerts.php
If you see a number of events with SID 1000001, Snort works!
Step 8: Config Snort and barnyard start automatically
Snort:
#ln -s /usr/local/bin/snort /usr/sbin/snort
#cp /usr/local/snort-2.9.2.1/rpm/snortd /etc/init.d
#cp /usr/local/snort-2.9.2.1/rpm/snort.sysconfig /etc/sysconfig/snort
#cd /etc/rc3.d
#ln -s ../init.d/snortd S99snortd
#cd ../rc0.d
#ln -s ../init.d/snortd K99snortd
#cd /etc/rc5.d
#ln -s ../init.d/snortd S99snortd
#cd ../rc6.d
#ln -s ../init.d/snortd K99snortd
#chmod 755 /etc/init.d/snortd
#vim /etc/sysconfig/snort
Find eth0 and change to your interface
Comment out ALERTMODE=FAST, DUMP_APP=1 and BINARY_LOG=1
Test: /etc/init.d/snortd start
Barnyard2:
#vim /etc/snort/barnyard2.conf
Uncomment config daemon
Set the path to your waldo file, /var/log/snort/barnyard2.waldo
#vim /usr/local/barnyard2-1.9/rpm/barnyard2.config
Change LOG_FILE to snort.log
Change CONF to /etc/snort/barnyard2.conf
#ln -s /usr/local/bin/barnyard2 /usr/sbin/barnyard2
#cp /usr/local/barnyard2-1.9/rpm/barnyard2 /etc/init.d
#vim /etc/init.d/barnyard2
Change BARNYARD_OPTS to BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR -w $WALDO_FILE -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
#cp /usr/local/barnyard2-1.9/rpm/barnyard2.config /etc/sysconfig/barnyard2
#chmod 755 /usr/local/bin/barnyard2
#cd /etc/rc3.d
#ln -s ../init.d/barnyard2 S99barnyard2d
#cd ../rc0.d
#ln -s ../init.d/barnyard2 K99barnyard2d
#cd /etc/rc5.d
#ln -s ../init.d/barnyard2 S99barnyard2d
#cd ../rc6.d
#ln -s ../init.d/barnyard2 K99barnyard2d
#chmod 755 /etc/init.d/barnyard2
Test: /etc/init.d/barnyard2 start.
------------------------------------------------------------
Thanks for reading
--------------------------------------------------------------------------
Security Research
All my Lab:
Linux Lab -- Windows and Cisco Lab
To be continued - I will update more.
Nam Habach