HOWTO INSTALL & CONFIGURE SNORT ON DEBIAN/UBUNTU

================================= == REQUIREMENTS == =================================

mysql-common - MySQL database common files mysql-client - MySQL database client (metapackage depending on the latest version) mysql-server - MySQL database server (metapackage depending on the latest version) php5-dev - Files for ! 5 mod"le development php5-gd - #$ mod"le for php5 php5-ldap - L$% mod"le for php5 php5-mysql - MySQL mod"le for php5 php-pear - &%' - ! &(tension and %pplication 'epository libpcap-dev - development library for libpcap (transitional package) libpcap)*+ - system interface for "ser-level packet capt"re libpcap)*+-dev - development library and header files for libpcap)*+ libpcre, - erl 5 -ompatible 'eg"lar &(pression Library - r"ntime files libpcre,-dev - erl 5 -ompatible 'eg"lar &(pression Library - development files e(pect - % program that can a"tomate interactive applications gob.c - /he #01 2b.ective-- compiler libnet) - library for the constr"ction and handling of net3ork packets (obsolete) libnet)-dev - $evelopment files for libnet) (obsolete) bison - % parser generator that is compatible 3ith 4%-libmysql55-dev - MySQL -55 library bindings (development) libapache6-mod-php5 - server-side7 !/ML-embedded scripting lang"age (%pache 6 mod"le) php5-cgi - server-side7 !/ML-embedded scripting lang"age (-#8 binary) Installing MySQL Se !e " 9root:snortbo( ;<= apt-get install mysql-common mysql-client mysql-server Installing e#$i e%ents" 9root:snortbo( ;<= apt-get install php5-dev php5-gd php5-ldap php5-mysql php-pear libnet1 libnet1-dev libpcap-dev libpcap0.8 libpcap0.8-dev libpcre3 expect gobjc libpcre3-dev flex libnet0 libnet0-dev bison libmysql++-dev libapache -mod-php5 php5-cgi

=========================== == SECURING MYSQL == ===========================

%fter 3e install the MySQL server7 there is a b"iltin script that comes 3ith it 3hich 3e can "se to sec"re o"r MySQL server* /o do that do the follo3ing> 9root:snortbo( ;<= mysql!sec"re!installation 02/&> '10080# %LL %'/S 2F /!8S S-'8 / 8S '&-2MM&0$&$ F2' %LL MySQL S&'?&'S 80 '2$1-/820 1S&@ L&%S& '&%$ &%-! S/& -%'&F1LL4@ 8n order to log into MySQL to sec"re it7 3eAll need the c"rrent pass3ord for the root "ser* 8f yo"Ave ."st installed MySQL7 and yo" havenAt set the root pass3ord yet7 the pass3ord 3ill be blank7 so yo" sho"ld ."st press enter here* Enter current password for root (enter for none): 2B7 s"ccessf"lly "sed pass3ord7 moving on*** Setting the root pass3ord ens"res that nobody can log into the MySQL root "ser 3itho"t the proper a"thorisation* 4o" already have a root pass3ord set7 so yo" can safely ans3er AnA* C an!e t e root password" #Y$n% n *** skipping* Cy defa"lt7 a MySQL installation has an anonymo"s "ser7 allo3ing anyone to log into MySQL 3itho"t having to have a "ser acco"nt created for them* /his is intended only for testing7 and to make the installation go a bit smoother* 4o" sho"ld remove them before moving into a prod"ction environment* Re&o'e anon(&ous users" #Y$n% ( *** S"ccess@ 0ormally7 root sho"ld only be allo3ed to connect from AlocalhostA* /his ens"res that someone cannot g"ess at the root pass3ord from the net3ork* )*sa++ow root +o!*n re&ote+(" #Y$n% ( *** S"ccess@ Cy defa"lt7 MySQL comes 3ith a database named AtestA that anyone can access* /his is also intended only for testing7 and sho"ld be removed before moving into a prod"ction environment* Re&o'e test data,ase and access to *t" #Y$n% ( - $ropping test database*** &''2' D))+ (!4)))) at line D> -anAt drop database AtestAE database doesnAt e(ist *** Failed@ 0ot critical7 keep moving*** - 'emoving privileges on test database***

*** S"ccess@ 'eloading the privilege tables 3ill ens"re that all changes made so far 3ill take effect immediately* Re+oad pr*'*+e!e ta,+es now" #Y$n% ( *** S"ccess@ -leaning "p*** %ll done@ 8f yo"Ave completed all of the above steps7 yo"r MySQL installation sho"ld no3 be sec"re* /hanks for "sing MySQL@

Lets make s"re MySQL is no3 r"nning> 9root:snortbo( ;<= netstat -ntlp # grep mysql tcp ) ) D6F*)*)*D>,,)G )*)*)*)>H

L8S/&0

DG)))Imysqld

========================================== == C-N.IGURE / INST0LL SN-RT == ==========================================

0o3 everything is ready7 lets config"re and install Snort* First yo" need to do3nload the latest version of Snort and Snort-r"les from Snort*org* 0o3 e(tract them and enter the e(tracted snort directory to start the config"ration process> 9root:snortbo( snort-6*+*5<= .$config"re --enable-so"rcefire --enable-targetbased --enable-flexresp --%ith-mysql %fter the config"ration is complete 3e are no3 ready to -ompile and install Snort> 9root:snortbo( snort-6*+*5<= ma&e 9root:snortbo( snort-6*+*5<= ma&e install 0o3 lets make some config"rations for S02'/ to 3ork* First 3e create the config"ration directory "nder Ietc to be "sed for snorts config"rations> 9root:snortbo( snort-6*+*5<= m&dir $etc$snort 0o3 3e create a directory for snort to log into> 9root:snortbo( snort-6*+*5<= m&dir $var$log$snort 0o3 3e e(tract and copy the Snort r"les to o"r snort config"ration directory 3e ."st created above> 9root:snortbo( snort-6*+*5<= tar xvf' snortr"les-snapshot-()**+,-.tar.g' -( $etc$snort 0o3 3e start coping some of the config"ration files needed by snort> 9root:snortbo( snort-6*+*5<= cp -r preproc!r"les $etc$snort 9root:snortbo( snort-6*+*5<= cp etc$..conf. $etc$snort 9root:snortbo( snort-6*+*5<= cp etc$..map $etc$snort Lets create a symlink to I"srIlocalIbinIsnort and p"t it in I"srIsbin> 9root:snortbo( snort-6*+*5<= +n 1s $usr$+oca+$,*n$snort $usr$s,*n$snort Je need a "ser and gro"p for snort to operate 3ith> 9root:snortbo( snort-6*+*5<= gro"padd snort 9root:snortbo( snort-6*+*5<= "seradd -g snort snort

Let "s change the o3ner of the snort log directory>

9root:snortbo( snort-6*+*5<= cho%n snort/snort $var$log$snort 0o3 edit snortAs def"alt config"ration file> 9root:snortbo( snort-6*+*5<= vim $etc$snort$snort.conf 0o3 search for the line KRULE230T4 55$ru+esL and replace it 3ith> var *)0+!12-3 $etc$snort$r"les

0o3 search for K3RE3R-C2RULE230T4 55$preproc2ru+esL7 and replace it 3ith> 1*+1*4(!*)0+!12-3 $etc$snort$preproc!r"les 0o3 search for Koutput data,ase: +o!6 &(s7+6 user=root password=test d,na&e=d, ost=+oca+ ost L and replace it 3ith> o"tp"t database/ log5 mysql5 "ser6)7+*,28+ pass%ord6127794*: dbname6:2-2;27+,28+ host6347Le!end: USERN0ME M 4o"r SnortAs $C "sername (/hat shall be "sed later in config"ration)* 30SS8-R) M 4o"r SnortAs $C "sername pass3ord (/hat shall be "sed later in config"ration)* )0T090SEN0ME M the name of the Snort database (/hat shall be "sed later in config"ration)* 4-ST M the hostname of the machine r"nning Snort (1s"ally this is localhost7 specially if yo" shall only have one sensor)* 0o3 goto the end of the file and search for> : *nc+ude ;3RE3R-C2RULE230T4$preprocessor5ru+es : *nc+ude ;3RE3R-C2RULE230T4$decoder5ru+es %nd comment them o"t* 0o3 close and e(it the snort5conf file "sing K:<L*

======================================= == SETU3 T4E SN-RT )0T090SE == =======================================

-onfig"ration is ready 3e need to prepare the MySQL database for Snort* /o do that 3e need to create a database and "ser for Snort to "se>

Le!end:
)9N0ME = /he database name that yo" shall "se for Snort* SN-RT)9USER = /he snort db "ser that yo" shall "se for Snort* Y-UR30SS8-R) = /he pass3ord that yo" shall "se for the Snort db "ser* 9root:snortbo( ;<= &(s7+ 1p &nter pass3ord> Jelcome to the MySQL monitor* -ommands end 3ith E or Ng* 4o"r MySQL connection id is O) Server version> 5*)*5Da-6O5lenny6 ($ebian) /ype AhelpEA or ANhA for help* /ype ANcA to clear the b"ffer* mysqlP (*+2-+ :2-2;27+ :;,28+< Q"ery 2B7 D ro3 affected ()*)) sec) mysqlP =*2,- (*+2-+5 >,7+*-5 7+0+(-5 :+0+-+5 )1:2-+ 4, :;,28+.. -4 7,4*-:;)7+*?04(20347-< Q"ery 2B7 ) ro3s affected ()*)) sec) mysqlP 7+- 127794*: @4* 7,4*-:;)7+*?04(20347-6127794*:ABC4)*127794*:BD< Q"ery 2B7 ) ro3s affected ()*)) sec) mysqlP @0)73 1*>E>0+=+7< Q"ery 2B7 ) ro3s affected ()*)) sec) mysqlP exit Cye 0o3 lets set"p the database schema for Snort> 9root:snortbo( schemas<= cd schemas$ 0o3 lets import the schema into the database 3e created for Snort> 9root:snortbo( schemas<= mysql -p -" 7,4*-:;)7+* :;,28+ F create!mysql &nter pass3ord> 4o" shall be asked to enter the pass3ord yo" set for the SN-RT)9USER that yo" set"p in the previo"s lines above*

0o3 lets make s"re that everything 3ent 3ell and o"r database is ready> 9root:snortbo( schemas<= mysql -p &nter pass3ord> Jelcome to the MySQL monitor* -ommands end 3ith E or Ng* 4o"r MySQL connection id is O, Server version> 5*)*5Da-6O5lenny6 ($ebian) mysqlP sho% databases< 5--------------------5 Q $atabase Q 5--------------------5 Q informationRschema Q Q )9N0ME Q Q mysql Q 5--------------------5 , ro3s in set ()*)) sec) mysqlP "se :;,28+< 'eading table information for completion of table and col"mn names 4o" can t"rn off this feat"re to get a q"icker start"p 3ith -% $atabase changed mysqlP sho% tables< 5---------------------------5 Q /ablesRinR)9N0ME Q 5---------------------------5 Q data Q Q detail Q Q encoding Q Q event Q Q icmphdr Q Q iphdr Q Q opt Q Q reference Q Q referenceRsystem Q Q schema Q Q sensor Q Q sigRclass Q Q sigRreference Q Q signat"re Q Q tcphdr Q Q "dphdr Q 5---------------------------5 DG ro3s in set ()*)) sec) mysqlP exit

======================================= == TESTING SN-RT == =======================================

0o3 everything is done7 lets make a test> 9root:snortbo( schemas<= snort -c $etc$snort$snort.conf 4o"r o"tp"t shall be something like this> 9 ort and Service Cased attern Matching Memory < 5-9%--C0F% Search 8nfo S"mmary<-----------------------------Q 8nstances > 6+O Q atterns > 6,)5D Q attern -hars > D5GS,) Q 0"m States > S)F+6 Q 0"m Match States > D665O Q Memory > ,*+FMbytes Q atterns > D*),M Q Match Lists > D*O,M Q /ransitions > D*,)M 5--------------------------------------------------MM 8nitialiTation -omplete MM-77R -HP Snort@ UHoV ); ?ersion 6*+*5 (C"ild D)G) AAAA Cy Martin 'oesch W /he Snort /eam> http>II333*snort*orgIsnortIsnort-team -opyright (-) DSS+-6))S So"rcefire7 8nc*7 et al* 1sing -'& version> F*G 6))+-)D-6+ '"les &ngine> SFRS02'/R$&/&-/820R&0#80& ?ersion D*DD UC"ild DFP reprocessor 2b.ect> SFR$-&' - ?ersion D*D UC"ild 5P reprocessor 2b.ect> SFRF/ /&L0&/ ?ersion D*6 UC"ild D6P reprocessor 2b.ect> SFRSSL ?ersion D*D UC"ild ,P reprocessor 2b.ect> SFRSS! ?ersion D*D UC"ild 6P reprocessor 2b.ect> SFRSM/ ?ersion D*D UC"ild +P reprocessor 2b.ect> SFR$-&' -6 ?ersion D*) UC"ild 6P reprocessor 2b.ect> SFR$0S ?ersion D*D UC"ild ,P 0ot 1sing -% RF'%M&S 3ress ctr+=c to !et ,ac> to t e s e++ and stop snort5 %s 3e shall be r"nning snort "sing a start"p script7 3e need to change the alert file created by the Snort process so that the snort has access to it7 3e need to change its permissions to be> 9root:snortbo( schemas<= cho%n snort/snort $var$log$snort$alert 9root:snortbo( schemas<= chmod G00 $var$log$snort$alert

======================================================== == SETU3 T4E GR034IC0L INTER.0CE .-R SN-RT == ========================================================

0o3 lets set"p the graphical interface K9as*c 0na+(s*s and Secur*t( En!*ne (90SE)L that 3e shall be "sing 3ith Snort* 9root:snortbo( IvarI333<= cd $'ar$www First 3e need to do3nload 90SE and 0)-d, from Source.or!e7 then e(tract them in the 3eb root directory 3hich is $'ar$www on de,*an and then give the apache "ser access to the 90SE directory files> 9root:snortbo( IvarI333<= cho%n %%%-data base-1.H.H 0o3 3e need to t"ne the error reporting level of ! 7 so lets edit the php*ini file> 9root:snortbo( IvarI333<= vim $etc$php5$cli$php.ini Search for> error!reporting 6 +!200 I J+!,4->(+ %nd "ncomment it* /hen -omment o"t the line belo3 3hich can be fo"nd a several lines belo3> error!reporting 6 +!200 Save yo"r changes and e(it K:<L* 0o3 restart %pache> 9root:snortbo( IvarI333<= $etc$init.d$apache restart Cefore 3e contin"e to the config"ration of C%S& 3e need to make s"re of the availability of the follo3ing ! e(tensions> Ma*+6 Ma*+2M*&e6 Lo!6 I&a!e2Co+or6 I&a!e2Can'as6 Nu&,ers2Ro&an6 Nu&,ers28ords 4o" can make s"re of that "sing the follo3ing command> 9root:snortbo( IvarI333<= find I -name VMail*phpV 8f yo" donAt get any ans3ers this means that the Mail ! &(tension is not installed* So lets install it and install the others "sing 3E0R K ! &(tension and %pplication 'epositoryL* 8f &%' is not installed then yo" can install it like this> 9root:snortbo( IvarI333<= apt-get install php-pear 8f yo" already have &%'7 its a good idea to "pdate and "pgrade it> 9root:snortbo( IvarI333<= pear channel-"pdate pear.php.net 9root:snortbo( IvarI333<= pear "pgrade 1+2* 0o3 lets "se &%' to install the missing php e(tensions needed by C%S&> 9root:snortbo( IvarI333<= pear install 8ail 8ail!8ime >mage!(olor 0og ,"mbers!*oman ,"mbers!9ords >mage!(anvas

%fter the installation of the php e(tensions is finished lets move on to config"re C%S&* #oto yo"r 3eb bro3ser and open the follo3ing link> http>IIlocalhostIbase-D*O*OI Note: 8f yo" have changed the name of the C%S& directory7 then donAt forget to bro3se that name and not the directory base-D*O*O* 0o3 yo" sho"ld have reached the C%S& set"p page7 3hich looks like this>

&nter the path of the %$2db7 3hich is> $var$%%%$adodb5. %nd then press on the 7"bmit K"ery b"tton* 4o" shall no3 be taken to the ne(t screen of C%S& set"p7 3hich is similar to>

8nsert yo"r database name7 database hostname7 database "sername7 and the "sernameAs pass3ord that 3e created earlier for Snort to "se* Note: yo" can leave the database port field empty if yo" didnAt change the defa"lt port K??@AL* Finally press the 7"bmit K"ery b"tton* 0o3 yo" sho"ld have reached the third C%S& set"p page>

!ere 3e can define a "sername and pass3ord for it to be "sed 3ith accessing C%S&* -hoose a "sername7 pass3ord7 and add the "sernameAs f"ll name and press the 7"bmit K"ery b"tton* 0o3 yo" sho"ld have reached the fo"rth C%S& set"p page>

#o ahead and press the (reate ;27+ 2= b"tton* %fter doing that 3e shall get the res"lts page 3hich looks like>

/his page informs yo" of the completion of the C%S& set"p* 4o" can no3 go ahead and press on the Kstep 5L link fo"nd at the bottom of the page* /his shall lead yo" to the C%S& login page>

&nter the "sername and pass3ord yo" chose previo"sly7 and yo" shall be inside C%S&>

%s yo" can see it is clean no37 there is no activity yet* /o generate some noise and see if snort is doing its .obX From another comp"ter initiate a port scan "sing nmap on the C2Y that is r"nning Snort> root:scanbo( ;= nmap -s7 ip-address-of-snort-box -p1-10 H $id 8 mention that 3e havnAt started Snort yetX Jell yes act"ally 3e havenAt and 3e need to do that first before o"r nmap noisy .ob gets discovered by Snort*

So do3nload this start"p script for snort from here* -opy it7 and do the follo3ing> 9root:snortbo( ;<= cp "b"nt".snort.init.txt $etc$init.d$snort 9root:snortbo( ;<= cho%n root/root $etc$init.d$snort 9root:snortbo( ;<= chmod 500 $etc$init.d$snort 0o3 if yo" are "sing eth) for monitoring then yo" donAt need to change the settings in the script7 b"t if yo" are "sing for e(ample ethDX /hen edit the snort file and search for> 9root:snortbo( ;<= vim $etc$init.d$snort >@2(+6Leth0L %nd change it to> >@2(+6Leth1L Save and e(it K+scL then K/xL* &verything is ready no37 lets start Snort> 9root:snortbo( ;<= $etc$init.d$snort restart 0o3 go and r"n the nmap scan command again to generate some noise and 3atch C%S& as it displays the information abo"t that attack for yo"* Con!ratu+at*ons now Snort *s up and runn*n!5

8r*tten ,(: 0+* 0+1S e&er( (a>a: 9BnCr() L*nu< 0ra, Co&&un*t( ,*nar( #at% +*nu<ac #dot% or! Spec*a+ T an>s: Snort )e'e+opers for the 3onderf"l 8$SI8 S* ,od *5DaDen for the start"p script