Sunday, 28 July 2013

Snort with Mysql on Centos 6.3 x86_64

Now we are going to create a MySQL database to receive the Snort logs. First we need to install MySQL.
I have already installed MySQL; if you have not, use this link for the MySQL installation.

[root@snort snort_install]# mysql -u root -p

Create the database "snort" using following command

mysql> create database snort;

Now I am going to check whether the database was created, using the command below

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| snort              |
| test               |
+--------------------+
4 rows in set (0.00 sec)

Create a separate user and grant all permissions on the snort database.

mysql> grant all on snort.* to 'snortuser'@'localhost' identified by 'test@1234';

database name --> snort
database user name --> snortuser
database user password --> test@1234

mysql> flush privileges;

Now we will load "create_mysql", which holds the table schema for the database. It is in the barnyard2 source directory under schemas/.

[root@snort barnyard2-1.9]# mysql -u snortuser -p snort < schemas/create_mysql

Now restart the MySQL service

[root@snort snort_install]# service mysql restart

Saturday, 27 July 2013

Snort Installation and Configuration on Centos 6.3 x86_64

Snort is an open source network Intrusion Detection System and Intrusion Prevention System (IDS/IPS). For more information click this link.

Here I am going to install Snort as an Intrusion Detection System (IDS).


Install the packages below using the yum command

[root@snort ~]# yum install mysql-bench mysql-devel php-mysql gcc php-gd gd glib2-devel gcc-c++

[root@snort ~]# yum install libcap*

[root@snort ~]# yum install libpcap*

[root@snort ~]# yum install pcre*

Download the packages below using the "wget" command

Create a directory snort_install to store the downloads

[root@snort ~]# mkdir /snort_install

Change into that directory

[root@snort ~]# cd /snort_install/

[root@snort snort_install]# wget

[root@snort snort_install]# wget -O daq-2.0.0.tar.gz

[root@snort snort_install]# wget -O snort-2.9.5.tar.gz

Extract, compile and install "libdnet"

[root@snort snort_install]# tar -zxvf libdnet-1.12.tgz

[root@snort snort_install]# cd libdnet-1.12

[root@snort libdnet-1.12]# ./configure

[root@snort libdnet-1.12]# make && make install

Extract, compile and install "DAQ"

[root@snort snort_install]# tar -zxvf daq-2.0.0.tar.gz

[root@snort snort_install]# cd daq-2.0.0

[root@snort daq-2.0.0]# ./configure

[root@snort daq-2.0.0]# make && make install

Extract, compile and install "Snort"

[root@snort snort_install]# tar -zxvf snort-2.9.5.tar.gz

[root@snort snort_install]# cd snort-2.9.5

[root@snort snort-2.9.5]# ./configure

[root@snort snort-2.9.5]# make && make install

Snort Rules

We need to download the Snort rules from this link

# wget -O snortrules-snapshot-2945.tar.gz

[root@snort snort_install]# mkdir snort-rule

[root@snort snort_install]# mv snortrules-snapshot-2946.tar.gz snort-rule/

[root@snort snort_install]# tar -zxvf snort-rule/snortrules-snapshot-2946.tar.gz -C snort-rule/

Create a new group "snort"

[root@snort ~]# groupadd snort

Create a new user "snort" in that group, with the shell set to "/sbin/nologin" so the account cannot be used to log in

[root@snort ~]# useradd -g snort -s /sbin/nologin snort

Create the following directories

[root@snort ~]# mkdir /etc/snort
[root@snort ~]# mkdir /etc/snort/rules
[root@snort ~]# mkdir /etc/snort/so_rules
[root@snort ~]# mkdir /etc/snort/preproc_rules
[root@snort ~]# mkdir /var/log/snort
[root@snort ~]# mkdir /usr/local/lib/snort_dynamicrules

Change the owner and group of the log directory so that Snort, running as the snort user, can write to it

[root@snort ~]# chown snort:snort /var/log/snort

We need to copy the configuration files from the Snort source tree under "/snort_install" to the appropriate location

[root@snort snort_install]# cd snort-2.9.5/etc/

[root@snort etc]# cp * /etc/snort/

We need to copy all the rules from the "snort-rule" directory to the appropriate locations

[root@snort snort_install]# cd snort-rule

[root@snort snort-rule]# cp rules/* /etc/snort/rules/

[root@snort snort-rule]# cp so_rules/precompiled/Centos-5-4/i386/* /etc/snort/so_rules/

Precompiled shared-object rules only load when they were built for the same platform, architecture and Snort version as your install, so choose the directory under so_rules/precompiled/ that matches your system.

[root@snort snort-rule]# cp preproc_rules/* /etc/snort/preproc_rules/

[root@snort snort-rule]# touch /etc/snort/rules/black_list.rules

[root@snort snort-rule]# touch /etc/snort/rules/white_list.rules
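The user, group, directory and placeholder-file steps above collected into one script, as an added example that is not part of the original post. It takes a PREFIX argument so the layout can be dry-run in a scratch directory; PREFIX="" reproduces the real paths. The function names and the 750 mode on the log directory are my choices, not something the post specifies.

```shell
#!/bin/sh
# Added example, not from the original post: the snort user/group and
# directory layout described above, parameterised by PREFIX so it can be
# exercised in a scratch directory. PREFIX="" gives the real layout.

# snort_dirs PREFIX: print the directories the post creates, one per line.
snort_dirs() {
    printf '%s\n' \
        "$1/etc/snort" \
        "$1/etc/snort/rules" \
        "$1/etc/snort/so_rules" \
        "$1/etc/snort/preproc_rules" \
        "$1/var/log/snort" \
        "$1/usr/local/lib/snort_dynamicrules"
}

# create_snort_user: group and unprivileged user with no login shell.
# Needs root; does nothing if the group/user already exist.
create_snort_user() {
    getent group snort >/dev/null || groupadd snort
    id snort >/dev/null 2>&1 || useradd -g snort -s /sbin/nologin snort
}

# setup_snort_layout PREFIX: create the directories and the empty
# black_list/white_list rule files. The log directory is closed to other
# users (it will hold packet data) and, when running as root with the snort
# user present, handed to snort:snort as in the chown step above.
setup_snort_layout() {
    prefix="$1"
    for d in $(snort_dirs "$prefix"); do mkdir -p "$d"; done
    touch "$prefix/etc/snort/rules/black_list.rules" \
          "$prefix/etc/snort/rules/white_list.rules"
    chmod 750 "$prefix/var/log/snort"
    if [ "$(id -u)" -eq 0 ] && id snort >/dev/null 2>&1; then
        chown snort:snort "$prefix/var/log/snort"
    fi
}

# check_snort_layout PREFIX: return 0 only when every directory and both
# list files are present, 1 otherwise.
check_snort_layout() {
    prefix="$1"
    for d in $(snort_dirs "$prefix"); do [ -d "$d" ] || return 1; done
    [ -f "$prefix/etc/snort/rules/black_list.rules" ] || return 1
    [ -f "$prefix/etc/snort/rules/white_list.rules" ] || return 1
    return 0
}

# usage: "sh layout.sh demo" dry-runs the layout in a temporary directory
if [ "${1:-}" = "demo" ]; then
    scratch=$(mktemp -d)
    setup_snort_layout "$scratch"
    check_snort_layout "$scratch" && echo "layout ok under $scratch"
    rm -rf "$scratch"
fi
```

On the real host run `create_snort_user` followed by `setup_snort_layout ""` as root, then `check_snort_layout ""` before copying the rule files in.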

Snort Configuration:

Open and edit the Snort configuration file

[root@snort ~]# vim /etc/snort/snort.conf

ipvar HOME_NET <------ IP address of your server

var RULE_PATH /etc/snort/rules <---- give the correct path
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

#preprocessor normalize_ip4 <------ comment out these 5 lines
#preprocessor normalize_tcp: ips ecn stream
#preprocessor normalize_icmp4
#preprocessor normalize_ip6
#preprocessor normalize_icmp6

output unified2: filename snort.u2, limit 128 ## line no :521
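The same edits applied with sed and then verified, as an added example that is not part of the original post. It assumes the snort.conf shipped in snort-2.9.5/etc (stock "ipvar", "var" and "preprocessor normalize_*" lines); the HOME_NET value is whatever network you pass in, and the sample fragment written by make_sample_conf is constructed here purely to exercise the functions.

```shell
#!/bin/sh
# Added example, not from the original post: apply the snort.conf edits
# listed above with sed and verify them. Assumes the stock snort-2.9.5
# snort.conf line formats; HOME_NET is supplied by the caller.

UNIFIED2_LINE='output unified2: filename snort.u2, limit 128'

# apply_snort_conf_edits CONF HOME_NET
# Sets HOME_NET and the rule/list paths, comments out every normalize_*
# preprocessor (inline IPS normalisation is not wanted in IDS mode), and
# enables unified2 output so barnyard2 can feed the database.
apply_snort_conf_edits() {
    conf="$1"; home_net="$2"; tmp="$conf.tmp"
    sed \
        -e "s|^ipvar HOME_NET .*|ipvar HOME_NET $home_net|" \
        -e 's|^var RULE_PATH .*|var RULE_PATH /etc/snort/rules|' \
        -e 's|^var SO_RULE_PATH .*|var SO_RULE_PATH /etc/snort/so_rules|' \
        -e 's|^var PREPROC_RULE_PATH .*|var PREPROC_RULE_PATH /etc/snort/preproc_rules|' \
        -e 's|^var WHITE_LIST_PATH .*|var WHITE_LIST_PATH /etc/snort/rules|' \
        -e 's|^var BLACK_LIST_PATH .*|var BLACK_LIST_PATH /etc/snort/rules|' \
        -e 's|^[[:space:]]*preprocessor normalize_|#preprocessor normalize_|' \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
    # unified2 output: rewrite an active line if one exists, otherwise append
    if grep -q '^output unified2:' "$conf"; then
        sed -e "s|^output unified2:.*|$UNIFIED2_LINE|" "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        printf '%s\n' "$UNIFIED2_LINE" >> "$conf"
    fi
}

# check_snort_conf CONF: return 0 only if every edit above is in place.
check_snort_conf() {
    conf="$1"
    grep -q '^ipvar HOME_NET [^ ]' "$conf" || return 1
    grep -qx 'var RULE_PATH /etc/snort/rules' "$conf" || return 1
    grep -qx 'var SO_RULE_PATH /etc/snort/so_rules' "$conf" || return 1
    grep -qx 'var PREPROC_RULE_PATH /etc/snort/preproc_rules' "$conf" || return 1
    grep -qx 'var WHITE_LIST_PATH /etc/snort/rules' "$conf" || return 1
    grep -qx 'var BLACK_LIST_PATH /etc/snort/rules' "$conf" || return 1
    # any normalize_* preprocessor still active means the edit was missed
    if grep -q '^[[:space:]]*preprocessor normalize_' "$conf"; then return 1; fi
    grep -qxF "$UNIFIED2_LINE" "$conf" || return 1
    return 0
}

# make_sample_conf PATH: constructed fragment with stock-style defaults,
# only so the functions can be exercised without a real install.
make_sample_conf() {
    cat > "$1" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
# output unified2: filename merged.log, limit 128
EOF
}

# usage: "sh conf.sh demo" runs the edits against the constructed fragment
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp); make_sample_conf "$f"
    apply_snort_conf_edits "$f" 192.168.1.0/24
    check_snort_conf "$f" && echo "snort.conf edits verified" || echo "snort.conf check FAILED"
    rm -f "$f"
fi
```

Against the real file run `apply_snort_conf_edits /etc/snort/snort.conf <your network>` and then `check_snort_conf /etc/snort/snort.conf`; a non-zero exit from the check points at a line the sed patterns did not match, which is worth inspecting before the test run below.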


Snort Testing

[root@snort ~]# snort -u snort -g snort -c /etc/snort/snort.conf -i eth0

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.5 GRE (Build 103)
   ''''    By Martin Roesch & The Snort Team: Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 2.0  <Build 1>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
           Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>

Commencing packet processing (pid=4884)

Snort is now running and processing packets on eth0.