
Installing IDS using Snort with OinkMaster, Barnyard and BASE on RHEL/CentOS 64-bit

Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire.

Other definitions:
– Barnyard is an output system for Snort. Snort creates a special binary output format called unified. Barnyard reads this file, and then resends the data to a database backend. Unlike the database output plug-in, Barnyard manages the sending of events to the database and stores them when the database temporarily cannot accept connections.

BASE is the Basic Analysis and Security Engine. It is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts coming from a SNORT IDS system.

Oinkmaster is a script that will help you update and manage your Snort rules.

Prerequisite software:

Mysql
mysql-bench
mysql-server
mysql-devel
mysqlclient10
php-mysql
httpd
gcc
pcre-devel
php-gd
gd
mod_ssl
glib2-devel
gcc-c++
libpcap-devel
php
php-pear
yum-utils

Assuming you have already installed the latest 64-bit CentOS and configured the important services (Apache, PHP and your MySQL server), make sure your server packages are up to date as well by issuing
#yum update

I. Installation of Snort

  1. Download the latest Snort source file from Snort's official site at snort.org. As of this moment, the latest version is 2.9.11.1. You can find it at http://www.snort.org/downloads
    #wget https://www.snort.org/downloads/snort/snort-2.9.11.1.tar.gz
  2. Go to your favorite root install directory (mine is /usr/local/src) and extract the file. The remaining commands in this guide were run against snort-2.8.6, so substitute the version you actually downloaded.
    #tar zxvf snort-2.8.6.tar.gz
  3. Compile. On a 32-bit OS it is very rare to hit errors. On 64-bit it's quite a pain in the ass: you get errors like "libmysqlclient cannot be found", because configure looks in /usr/lib/mysql instead of /usr/lib64/mysql. To solve that issue, pass the library path to configure as an extra parameter.

#cd snort-2.8.6
#./configure --with-mysql --enable-dynamicplugin --with-mysql-libraries=/usr/lib64/mysql
#make
#make install

  4. Create the snort user and group
    #groupadd snort
    #useradd -g snort snort -s /sbin/nologin
  5. Create the snort directories
    #mkdir -p /etc/snort
    #mkdir -p /etc/snort/rules
    #mkdir /var/log/snort
  6. Copy the files from the etc/ directory of the Snort source tree to /etc/snort
    #cd etc/
    #cp * /etc/snort
  7. Modify your snort.conf and make these changes, assuming your network is 192.168.1.0/24

var RULE_PATH /etc/snort/rules
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET

Uncomment these lines (add them if they are not there); barnyard reads these unified files later:

output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

  8. Download the snort init file for easy management of the snort service
    #cd /etc/init.d
    #wget https://freelinuxtutorials.com/freefiles/snort
    #chmod 755 snort
    #chkconfig snort on

II. Installation and Configuration of OinkMaster

Downloading the snort rules from the snort.org website is a little bit tricky. Even if you sign up for an account, you cannot download those rules directly; you'll receive a 403 Forbidden error. There are two ways to get them: either pay for a subscription or use the registered user release.

  1. Download the OinkMaster source file from SourceForge at oinkmaster.sourceforge.net
    #cd /usr/local/src
    # wget http://nchc.dl.sourceforge.net/project/oinkmaster/oinkmaster/2.0/oinkmaster-2.0.tar.gz
  2. Extract the file and read the INSTALL file for details
    # tar zxvf oinkmaster-2.0.tar.gz
    #cd oinkmaster-2.0
    #less INSTALL
  3. Copy oinkmaster.pl, oinkmaster.conf and oinkmaster.1 to suitable directories
    #cp oinkmaster.pl /usr/local/bin
    #cp oinkmaster.conf /etc
    #cp oinkmaster.1 /usr/local/man/man1
  4. Edit the oinkmaster configuration and change the setting on the "url = <url>" line. Download the rule set that matches your Snort version; use snort -V to check which one you are running:

[root@FLT oinkmaster-2.0]# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.6 (Build 38)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 6.6 06-Feb-2006

You will see a line similar to:

url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/filename

e.g.

url = http://www.snort.org/pub-bin/oinkmaster.cgi/f8ff7c46785aac436c9f596059863b145d285abc/snortrules-snapshot-CURRENT.tar.gz

Save and exit

  5. Assuming your rules directory is /etc/snort/rules, update the rules by executing:
    # oinkmaster.pl -o /etc/snort/rules
  6. Create a non-root user for the scheduled daily run of oinkmaster
    #groupadd oink
    #useradd -g oink oink -s /sbin/nologin
  7. Create the crontab
    #su - oink
    $crontab -e

01 4 * * * /usr/local/bin/oinkmaster.pl -C /etc/oinkmaster.conf -C /etc/autodisable.conf -o /etc/snort/rules 2>&1 | mail -s "oinkmaster" darwin@freelinuxtutorials.com

This runs oinkmaster daily at 4:01 AM and mails you the result.

You will see an email like this:

Loading /etc/oinkmaster.conf
Loading /etc/autodisable.conf
Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-CURRENT.tar.gz... done.
Archive successfully downloaded, unpacking... done.
Setting up rules structures... done.
Processing downloaded rules... disabled 0, enabled 0, modified 0, total=8464
Setting up rules structures... done.
Comparing new files to the old ones... done.

[***] Results from Oinkmaster started 20100518 05:33:38 [***]

[*] Rules modifications: [*]
None.

[*] Non-rule line modifications: [*]
None.

[*] Added files: [*]
None.

III. Set-up database in MySQL

  1. This database is where Snort events are stored, which makes looking them up easy, and it is a requirement of the BASE monitoring tool

#mysql -u root -p

mysql> create database snort;
mysql> GRANT CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost IDENTIFIED by 'snortpass';
mysql> exit

  2. Execute the command below to create the tables
    #mysql -u root -p snort < /usr/local/src/snort-2.8.6/schemas/create_mysql

IV. Install Barnyard

  1. Download and extract barnyard
    #cd /usr/local/src
    # wget http://snort.org/dl/barnyard/barnyard-0.2.0.tar.gz
    #tar zxvf barnyard-0.2.0.tar.gz
  2. Patch and configure for 64-bit. This is another pain in the ass, because if you don't patch barnyard you will get an error like "ERROR: Invalid packet length:"
    #cd barnyard-0.2.0
    #wget http://www.snort.org/users/jbrvenik/Site/Code_files/barnyard.64bit.diff
    #patch -p1 < barnyard.64bit.diff
    You will see something like this:

[root@FLT barnyard-0.2.0]# patch -p1 < barnyard.64bit.diff
patching file src/barnyard.h
patching file src/event.h
patching file src/input-plugins/dp_alert.h
patching file src/util.c
patching file src/util.h

  3. Edit op_acid_db.c and add the line "mysql->reconnect = 1;" as shown below, so that mysql_ping() re-establishes the connection to the MySQL server when it is lost
    #cd /usr/local/src/barnyard-0.2.0/src/output-plugins
    #vi op_acid_db.c
    From:
    LogMessage("Lost connection to MySQL server.  Reconnecting\n");
    while(mysql_ping(mysql) != 0)

To:
LogMessage("Lost connection to MySQL server.  Reconnecting\n");
mysql->reconnect = 1;
while(mysql_ping(mysql) != 0)

  4. Compile
    # ./configure --enable-mysql --with-mysql-libraries=/usr/lib64/mysql
    #make
    #make install
  5. Copy barnyard.conf to /etc/snort
    #cp etc/barnyard.conf /etc/snort
  6. Configure barnyard.conf. Change the following:
    from:
    config interface: fxp0
    to:
    config interface: eth0
    Add these lines if they are not there; the database details must match what you configured in MySQL above.

output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password snortpass
output log_acid_db: mysql, database snort, server localhost, user snort, password snortpass, detail full

  7. Create a waldo file for barnyard.
    a. Run Snort from the CLI and let it go until you see the message "Not Using PCAP_FRAMES"; let it run for a few seconds, then stop it with Ctrl-C
    #snort -c /etc/snort/snort.conf
    b. Open another CLI and check /var/log/snort; you will see files like:
    -rw-r--r-- 1 root root    400 May 20 15:04 snort.alert.1274330319
    -rw-r--r-- 1 root root   7484 May 20 15:04 snort.log.1274330319
    c. Create a file barnyard.waldo and put this line in it:
    /var/log/snort snort.log 1274330319 0
    Save and exit. We used 1274330319 because it is the 10-digit suffix of the snort.log file above.
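The waldo line above was written by reading the timestamp off the directory listing by hand. The helper below, added here and not part of the original guide, picks the newest snort.log.<timestamp> file in the log directory and writes the barnyard.waldo line for it; it assumes the log directory and file prefix used on this page.

```shell
#!/bin/sh
# Added example (not from the original guide): build the barnyard.waldo
# bookmark from the newest unified log instead of copying the 10-digit
# suffix by hand. Assumes unified logs are named <prefix>.<epoch-seconds>,
# e.g. snort.log.1274330319, as in the listing above.

# latest_unified_suffix DIR PREFIX -> prints the highest numeric suffix found
latest_unified_suffix() {
    dir=$1; prefix=$2
    best=""
    for f in "$dir/$prefix".*; do
        [ -f "$f" ] || continue
        suffix=${f##*.}
        # keep only purely numeric suffixes; skip e.g. snort.log.old
        case $suffix in
            *[!0-9]*|'') continue ;;
        esac
        if [ -z "$best" ] || [ "$suffix" -gt "$best" ]; then
            best=$suffix
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# write_waldo DIR PREFIX WALDO_FILE -> writes "<dir> <prefix> <suffix> 0"
# The trailing 0 is the record offset, so barnyard starts at the top of that file.
write_waldo() {
    dir=$1; prefix=$2; waldo=$3
    suffix=$(latest_unified_suffix "$dir" "$prefix") || {
        echo "no $prefix.<timestamp> files in $dir; run snort once first" >&2
        return 1
    }
    printf '%s %s %s 0\n' "$dir" "$prefix" "$suffix" > "$waldo"
}

# Usage with the directory and prefix from this guide:
# write_waldo /var/log/snort snort.log /etc/snort/barnyard.waldo
```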

  8. Copy the barnyard init file, the same way we did for snort.
    #cd /etc/init.d
    #wget https://freelinuxtutorials.com/freefiles/barnyard
    #chmod 755 barnyard
    #chkconfig barnyard on
  9. Start the barnyard service

[root@FLT snort]# service barnyard start
Starting Barnyard: Barnyard Version 0.2.0 (Build 32)
31165
[  OK  ]


V. Install BASE

  1. First install the following packages, which BASE uses for graphing
    #pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
  2. Download and install ADODB
    #cd /usr/local/src
    #wget http://easynews.dl.sourceforge.net/sourceforge/adodb/adodb480.tgz
    #cd /var/www/
    # tar zxvf /usr/local/src/adodb480.tgz
  3. Download and configure BASE
    #cd /usr/local/src
    #wget http://easynews.dl.sourceforge.net/sourceforge/secureideas/base-1.3.5.tar.gz
    #cd /var/www/html
    #tar -zxvf /usr/local/src/base-1.3.5.tar.gz
    # mv base-1.3.5/ base/
  4. Copy base_conf.php.dist to base_conf.php
    #cd /var/www/html/base
    #cp base_conf.php.dist base_conf.php
  5. Edit base_conf.php and insert/edit the parameters below:
    $BASE_urlpath = "/base";
    $DBlib_path = "/var/www/adodb/";
    $DBtype = "mysql";
    $alert_dbname = "snort";
    $alert_host = "localhost";
    $alert_port = "";
    $alert_user = "snort";
    $alert_password = "password on your snort DB";
  6. Access the sensor in your browser
    http://192.168.1.x/base
  7. You should now see the BASE startup banner; click the "setup page" link and follow the instructions.
  8. You can create an .htaccess file to secure the base directory if you want

VI. Testing Snort

  1. Create a simple rule file under /etc/snort/rules and name it local.rules. Make sure the line below is uncommented in snort.conf so that it is loaded
    include $RULE_PATH/local.rules
  2. Create local.rules and insert this line:
    alert tcp any any <> any 80 (msg:"Test web activity"; sid:1000001;)
  3. Save and exit. Now restart Snort, open a web browser, and go to any website
  4. You should see a number of events with SID 1000001, indicating that your Snort is working. Check the alert links and categories to verify your test. You will see something like this:
    https://freelinuxtutorials.com/freefiles/base1.PNG
    https://freelinuxtutorials.com/freefiles/base2.PNG
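If no events show up, the usual cause is a directive that is still commented out. The shell check below, added here and not part of the original guide, verifies that a snort.conf carries the settings this walkthrough depends on: the three variables and the two unified output lines from step 7 of section I, and the local.rules include from step 1 above. It assumes the directive spellings shown on this page; the file path is an argument.

```shell
#!/bin/sh
# Added example, not from the original guide: check that a snort.conf has
# the settings this walkthrough relies on and that none of them is commented
# out. Directive names are the ones used on this page.

# active_line FILE REGEX -> true if a line that is not a comment matches REGEX
active_line() {
    grep -Eq "^[[:space:]]*$2" "$1"
}

# check_snort_conf FILE -> prints one line per missing/commented setting and
# returns the number of problems found (0 means the file passed all checks).
check_snort_conf() {
    conf=$1
    problems=0
    # label|extended-regex, one required directive per line; the regex for the
    # variables insists on a value after the name so "var HOME_NET" alone fails
    while IFS='|' read -r label regex; do
        if ! active_line "$conf" "$regex"; then
            echo "missing or commented out: $label"
            problems=$((problems + 1))
        fi
    done <<'EOF'
var RULE_PATH|var[[:space:]]+RULE_PATH[[:space:]]+[^[:space:]]
var HOME_NET|var[[:space:]]+HOME_NET[[:space:]]+[^[:space:]]
var EXTERNAL_NET|var[[:space:]]+EXTERNAL_NET[[:space:]]+[^[:space:]]
output alert_unified|output[[:space:]]+alert_unified:
output log_unified|output[[:space:]]+log_unified:
include $RULE_PATH/local.rules|include[[:space:]]+\$RULE_PATH/local\.rules
EOF
    return $problems
}

# Usage with the path used throughout this guide:
# check_snort_conf /etc/snort/snort.conf
```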