Snort 2.8.4.

1 Ubuntu 9 Installation Guide

Overview: Whats Snort? Scope and Limitations Assumptions Why Snort in VM? VMWare Settings Set up Ubuntu 9 Build Get Snort, BASE and adodb Finish System Set-up and Compile Snort Set up Snort Environment Edit snort.conf Set up MySQL Gettin GUI with it Barnyard Output (not as bad as it sounds) A Few More Steps in the Barnyard Starting Snort and Finishing Barnyard Cong Test Snort Your Pig is Ready to Snort! Future Topics

4 4 4 4 5 5 6 7 8 8 9 9 10 10 11 11 12 13

Overview: Whats Snort?

Snort is an open source Intrusion Detection/Prevention application (IPS) written in 1998 by Marty Roesch. It is the worlds most widely used IPS and has been downloaded over 4 million times. The 250,000+ active Snort users worldwide contribute new rules, plugins and complimentary applications to work with Snort.

Scope and Limitations

This paper covers Snort, not Linux system, web or database administration and is offered with no explicit or implied warranty. All code referenced in this paper is open source. This Ubuntu 9 paper is focused on the initial installation of Snort with some supporting applications. Tuning, rule writing, policy definition and other operational issues are outside this scope.

Assumptions
This paper will cover the installation of Snort 2.8.4.1 on Ubuntu 9 with:
MySQL 5.0.75 Libnet 1.0.2a Libpcap 0.8 BASE 1.4.3.1 Barnyard2-1.5 Apache 2.2.11 Using VMWare

Why Snort in VM?

As a laptop user, I am mobile and often have to use public guest networks, such as those in hotels, coffee shops and others. One never knows when such an environment can be hostile (just because Im paranoid doesnt mean that people arent trying to get me). Also, using a web based GUI means that a web port has to be open, as well as MySQL. So I find that its helpful to have these on a virtual machine so that I dont have these ports open on my laptop OS.

Last, snapshots are your friend. VMWare allows users to capture the virtual machines state at a point in time, which can be later restored. This is a huge advantage in the case that mistakes were made or the virtual machine has become unstable. If only real life was like that.... All of this being said, the instructions in this paper should also work for native Fedora systems. It just wont cover any of the machine specific details.

VMWare Settings
Within VMWare, the following settings are recommended: 512 MB RAM 12 GB Disk Eth0 host only network Eth1 bridged to host interface No sound device, printer or accessories

Set up Ubuntu 9 Build

First, download Ubuntu from http://www.ubuntu.com. Once the operating system is installed from defaults, several packages will have to be installed to support the Snort installation and its supporting applications. I created bubba as my non-root user and bubbas home directory is referred to throughout this paper. If another user account is used, simply replace bubba with the appropriate user name. Once the initial system has loaded and rebooted, in the GUI go to System > Administration > Synaptic Package Manager. You may have to click the reload button to get an updated list of packages. Inside the interface, choose the following applications for installation: libpcap0.8-dev libmysqlclient15-dev mysql-client-5.0 mysql-server-5.0 bison flex apache2

 libapache2-mod-php5 php5-gd php5-mysql libtool libpcre3-dev php-pear vim ssh Now its time to install VMWare tools. While not completely necessary, the enhanced display resolution alone is worth the effort. Install VMWare Tools from the perl script in the menu bar under Virtual Machine > Install VMWare Tools. Once the disk is mounted on your desktop, un-tar it and run the *.pl script from a CLI as root user. For more information on this process, please see http://www.vmware.com/support/ws55/doc/ ws_newguest_tools_linux.html Ubuntu prefers to have users execute commands requiring root level privileges by typing sudo in front of the command in question. I believe this to be a pain in the anatomy, so I set a password for the root user by typing: sudo passwd If you would prefer to use sudo and not set up a root level password, please feel free to do so. Most of the CLI commands in here were typed as root, so they will all need sudo in front of them and some of them wont work properly. I apologize for any inconvenience this may cause, but I told you it was a pain in the anatomy. Download libnet-1.0.2a.tar.gz from http://www.filewatcher.com/m/ libnet-1.0.2a.tar.gz.140191.0.0.html. Be careful with this: there are other sources for libnet, even some with the same version, but saved as a .tgz file rather than a .tar.gz. The .tgz file will NOT work and neither will versions of libnet beyond 1.0.2a.

Get Snort, BASE and adodb

Go to http://snort.org and download snort-2.8.4.1.tar.gz. If you have a registered account with snort.org, you can get more up to date rules. The Subscription Release provides registered users of Snort.org with immediate access to the most up to date Sourcefire VRT Certified Rules available.

Real-time access requires a paid, annual subscription. For more information on a subscriptions, please see http://www.snort.org/snort-rules/ #rules. BASE provides a web front-end to query and analyze the alerts coming from a SNORT IDS system. Get BASE 1.4.3.1.tar.gz from http:// sourceforge.net/project/showfiles.php? group_id=103348&package_id=128846. Adodb is a database abstraction utility which allows multiple kinds of databases to interact with PHP. Get adodb4991.tar.gz from http:// sourceforge.net/project/showfiles.php? group_id=42718&package_id=34890&release_id=636415

Finish System Set-up and Compile Snort

Now we will finish the system set up by installing libnet and pcre. For more information on libnet, please see http://libnet.sourceforge.net/. Take the following steps: cd /usr/local tar zxvf /home/bubba/Desktop/libnet-1.0.2a.tar.gz cd Libnet-1.0.2a ./configure && make && make install The && in the last step is a shellcode convention which means that if statement A is true and completes successfully, then execute statement B. In short, its a shortcut to compile and install the libnet code extensions. If youd like more information on configure, make and make install, please refer to http://www.codecoffee.com/tipsforlinux/articles/27.html. To install Snort, execute the following commands: cd /usr/local tar zxvf /home/bubba/Desktop/snort-2.8.4.1.tar.gz cd snort-2.8.4.1 ./configure --enable-targetbased && make && make install

Set up Snort Environment

There are a few steps that need to take place in order to have snort run properly, mostly setting up some directories, getting the snort rules, moving some files around and creating the snort user. Execute the following: mkdir /etc/snort mkdir /var/log/snort cd /etc/snort tar zxvf /home/bubba/Desktop/snortrules-snapshot-CURRENT_s.tar.gz -C /etc/snort cp etc/* /etc/snort groupadd snort useradd -g snort snort chown snort:snort /var/log/snort touch /var/log/snort/alert chown snort:snort /var/log/snort/alert chmod 600 /var/log/snort/alert cp /etc/snort/so_rules/precompiled/Ubuntu-6.01.1/i386/2.8.4/*.so /usr/ local/lib/snort_dynamicrule mv /usr/local/lib/snort_dynamicrule /usr/local/lib/snort_dynamicrules The last step is to handle a misspelling.

Edit snort.conf
The snort.conf file defines how snort will run once the application is started. It is long and complex, but for this paper, we will only be working on a few of the features. vim /etc/snort/snort.conf Find the variable RULE_PATH and change to /etc/snort/rules Find output and comment out any output modules currently on. Find output log_unified. Insert the following below it: output unified2: filename snort.log, limit=128

Set up MySQL
MySQL will serve as the database for the snort application. While not required to run Snort on its own, a database makes it easier to track down events and is required by the BASE monitoring tool. One short note: this paper does not assume any expertise in database administration, nor does the author claim any significant skill in this area. The commands in this section are sufficient to install and run snort. The BASE tool provides some database maintenance tools; nothing additional is required to administer snort. mysql -p create database snort; grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost; SET PASSWORD FOR snort@localhost=PASSWORD(password); exit cd /usr/local/snort-2.8.4.1/schemas mysql -p < create_mysql snort Now we will check to see that the Snort database has been correctly installed: mysql -p SHOW DATABASES; There should be 4 rows use snort SHOW TABLES; There should be 16 rows

Gettin GUI with it

In this step, we will set up the web environment. The first set of steps involve un-tarring adodb and BASE into the web directory, followed by setting up BASE from a web prompt. From the CLI as root: cd /var/www

 pear install Mail_Mime tar zxvf /home/bubba/Desktop/adodb4991.tgz tar zxvf /home/bubba/Desktop/base-1.4.3.1.tar.gz vim /etc/php5/apache2/php.ini Find error_reporting. Make sure it is set to: error_reporting = E_ALL & ~E_NOTICE Find Dynamic Extensions. Insert the following lines at the bottom of that section: extension=mysql.so extension=gd.so vim /etc/apache2/apache2.conf At the bottom of the file, insert the line servername <your server name.domain> /etc/init.d/apache2 restart In a browser, go to http://localhost/base-1.4.3.1 Click continue Path to adodb is /var/www/adodb Database Name=snort, Database Host=localhost, Database User=snort, Database Password=password Admin User Name=snort, Password=password, Full Name=snort Click Create BASE AG. There will be an error writing to file.

Barnyard Output (not as bad as it sounds)

Barnyard was written to take over the various output processing tasks so that Snort could spend more resources on processing packets. From usr/local: tar zxvf /home/bubba/Desktop/barnyard2-1.5.tar.gz cd barnyard2-1.5 ./configure --with-mysql && make && make install cp etc/barnyard2.conf /etc/snort

A Few More Steps in the Barnyard

vim /etc/snort/barnyard2.conf Look for thor.

 replace thor with localhost look for config interface Make sure its eth0 Look for output database Edit the mysql line to read: output database: alert, mysql, user=snort password=password dbname=snort host=localhost

Starting Snort and Finishing Barnyard Config

In this section, we will start Snort and Barnyard. In the CLI, type snort -c /etc/snort/snort/conf -i eth1 Open a second CLI. ls -la /var/log/snort. Look for 10 digit suffix on snort.log. If there is more than one file, copy the latest one. vim /var/log/snort/barnyard.waldo Enter the following, then save and exit: /var/log/snort snort.log <10 digit number from step 2 above> 0 Start barnyard: /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo

Test Snort
In this step, we will test Snort with a simple rule in the local.rules file. Local rules are rules that the administrator of Snort writes himself and have a convention of starting with SID (Snort ID) of 1,000,000-1,999,999. Open a third CLI vim /etc/snort/rules/local.rules Insert alert tcp any any <> any 80 (msg: "Test web activity"; sid:1000001;). Save and exit. Restart Snort Open a web browser In the browser, go to any web page. In the CLI, type [ctrl] + c Go to http://localhost/base-1.4.3.1 and look at your events If you see a number of events with SID 1000001, Snort works!

 vim /etc/snort/rules/local.rules and disable the Test web activity rule.

Your Pig is Ready to Snort!

Future Topics
Some topics for the next revision are: Configuring Snort and Barnyard to start automatically Oinkmaster Updates or using Pulled Pork Shared Object Rules Preprocessor Tuning Rulebase Tuning Im open to suggestions for improving this document and will be revisiting it on at least an annual basis. I cannot answer support questions; these are best addressed by the Snort Users mailing list. Nick Moore, June 2009 nmoore@sourcefire.com