SNORT, BARNYARD2 dan BASE

INSTALASI DAN KONFIGURASI SNORT

Instalasi rpmforge repository:

Untuk 32 bit:
[root@localhost ~]# rpm -Uhv http://apt.sw.be/redhat/el6/en/i386/rpmforge/RPMS/rpmforge-release-0.5.3-1.el6.rf.i686.rpm

Untuk 64 bit:
[root@localhost ~]# rpm -Uhv http://apt.sw.be/redhat/el6/en/x86_64/rpmforge/RPMS/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm

Install Dependency:
# Build and runtime dependencies for Snort and DAQ on EL6 (pulled from the base
# and rpmforge repositories). Note that the following step also builds daq-2.0.1
# from source, so the packaged daq is only a convenience here.
snort_deps=(
  libdnet libdnet-devel
  libpcap libpcap-devel
  daq
  gcc make flex bison
  pcre pcre-devel
  zlib zlib-devel
)
yum -y install "${snort_deps[@]}"

Download dan Install daq
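#!/usr/bin/env bash
# Download, build and install DAQ 2.0.1 (Snort's packet acquisition library) from source.
# Any failing step aborts the sequence instead of continuing with a half-built tree,
# which the original one-liner (a plain sequence of commands) did not do.
set -euo pipefail

daq_ver=2.0.1
daq_tarball="daq-${daq_ver}.tar.gz"

cd /tmp
wget http://www.snort.org/downloads/2546 -O "$daq_tarball"
# NOTE(review): the tarball is fetched over plain HTTP and installed system-wide
# (make install, ldconfig) without any integrity check. Verify it against the
# checksum or signature published by snort.org before building, e.g.
#   sha256sum "$daq_tarball"   # compare with <EXPECTED_SHA256 from snort.org>
tar -xzvf "$daq_tarball"
cd "daq-${daq_ver}/"
./configure
# 'make' and 'make install' are separate statements on purpose: inside a
# 'make && make install' list a failing 'make' would not trigger 'set -e'.
make
make install
# Refresh the shared-library cache so snort can find the freshly installed libdaq.
ldconfig -v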

Membuat user snort dan direktori yang dibutuhkan
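# Create the unprivileged account Snort drops to (the init script later passes
# -u snort -g snort) and the directories it needs. The account is created as a
# system account with no login shell, so it cannot be used for an interactive
# login; the original 'useradd -g snort snort' left a regular login-capable user.
groupadd -r snort
useradd -r -g snort -s /sbin/nologin snort

# -p makes the sequence safe to re-run; the original 'mkdir' would error on an
# existing directory.
mkdir -p /usr/local/snort /etc/snort /var/log/snort /var/run/snort

# Only the log and pid directories need to be writable by the snort user;
# /etc/snort (rules and snort.conf) stays root-owned so the daemon cannot
# rewrite its own configuration.
chown snort:snort /var/log/snort /var/run/snort
# NOTE(review): with DUMP_APP/BINARY_LOG enabled later in this guide the log
# directory holds captured packet payloads; consider restricting its mode
# (e.g. 750) once it is confirmed that nothing outside the snort group reads it.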

Instalasi Snort dan konfigurasi rules

Download dan Install Snort

0/24 var RULE_PATH /etc/snort/rules var SO_RULE_PATH /etc/snort/so_rules var PREPROC_RULE_PATH /etc/snort/preproc_rules var WHITE_LIST_PATH /etc/snort/rules .5.tar.9./configure --prefix /usr/local/snort --enablemake && make install ln -s /usr/local/snort/bin/snort /usr/bin/snort cp /tmp/snort-2.5.5.[root@localhost ~]# snort-2.5.5/etc/unicode.9.5/etc/classification.5.gz cp etc/ /etc/snort/ cp –r rules /etc/snort/ cp –r so_rules /etc/snort/ touch /etc/snort/rules/white_list.tar.gz cd snort-2.lunartar -xzvf snortrules-snapshot-2953. wget http://www.5.5.9.9.5/etc/snort.config cp -r /usr/local/snort/lib/snort_dynamicpreprocessor/ cp -r /usr/local/snort/lib/snort_dynamicengine mkdir -p /usr/local/lib/snort_dynamicrules chown –R snort:snort /usr/local/lib sourcefire --enable-ipv6 Download snortrules-snapshot-<xxxx> [root@localhost ~]# [root@localhost ~]# [root@localhost ~]# [root@localhost ~]# [root@localhost ~]# [root@localhost ~]# [root@localhost ~]# [root@localhost ~]# [root@localhost ~]# cd /tmp wget http://download.rules chown -R snort:snort /etc/snort/ linux.conf ipvar HOME_NET 192.conf /etc/snort/ cp /tmp/snort-2.tar.1.5.gz [root@localhost ~]# [root@localhost ~]# [root@localhost ~]# [root@localhost ~]# [root@localhost ~]# [root@localhost ~]# [root@localhost ~]# [root@localhost ~]# /etc/snort/ [root@localhost ~]# /usr/local/lib/ [root@localhost ~]# /usr/local/lib/ [root@localhost ~]# [root@localhost ~]# cd /tmp .5/ .map /etc/snort/ cp /tmp/snort-2.org/downloads/2555 -O tar -xzvf snort-2.9.gz /etc/snort/rules/black_list.9.org/lunar/mirrors/snortrules-snapshot-2953.snort.168.rules Edit Snort Configuration [root@localhost ~]# vi /etc/snort/snort.tar.gz cd snortrules-snapshot-2953.tar.

d/snortd #!/bin/bash # # snort Start up the Snort Intrusion Detection System daemon # # chkconfig: 2345 55 25 # description: Snort is a Open Source Intrusion Detection System # This service starts up the snort daemon.pid ### BEGIN INIT INFO # Provides: snort # Required-Start: $local_fs $network $syslog # Required-Stop: $local_fs $syslog # Should-Start: $syslog # Should-Stop: $network $syslog # Default-Start: 2 3 4 5 . # # processname: snort # pidfile: /var/run/snort_eth0.var BLACK_LIST_PATH /etc/snort/rules include $RULE_PATH/emerging.conf Melakukan konfigurasi script init untuk snort Membuat konfigurasi sysconfig snort: [root@localhost ~]# vi /etc/sysconfig/snort #### General Configuration INTERFACE=eth0 CONF=/etc/snort/snort.conf USER=snort GROUP=snort PASS_FIRST=0 #### Logging & Alerting LOGDIR=/var/log/snort ALERTMODE=fast DUMP_APP=1 BINARY_LOG=1 NO_PACKET_LOG=0 PRINT_INTERFACE=0 Tambahkan init script [root@localhost ~]# vi /etc/init.

# This service starts up the Snort IDS daemon. then ALERTMODE="" else ALERTMODE="-A $ALERTMODE" fi if [ "$USER"X = "X" ]. if [ "$ALERTMODE"X = "X" ]. then BINARY_LOG="-b" else BINARY_LOG="" fi . then GROUP="snort" fi if [ "$BINARY_LOG"X = "1X" ].d/functions # pull in sysconfig settings [ -f /etc/sysconfig/snort ] && . then USER="snort" fi if [ "$GROUP"X = "X" ]. ### END INIT INFO # source function library . /etc/rc.conf -l /var/log/snort" #PID_FILE=/var/run/snort_eth0.pid # Convert the /etc/sysconfig/snort settings to something snort can # use on the startup line. /etc/sysconfig/snort RETVAL=0 prog="snort" lockfile=/var/lock/subsys/$prog # Some functions to make the below more readable SNORTD=/usr/bin/snort #OPTIONS="-A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.# Default-Stop: 0 1 6 # Short-Description: Start up the Snort Intrusion Detection System daemon # Description: Snort is an application for Open Source Intrusion Detection.d/init.

then PRINT_INTERFACE="-I" else PRINT_INTERFACE="" fi if [ "$PASS_FIRST"X = "1X" ].pid" INTERFACE="-i $INTERFACE" fi if [ "$DUMP_APP"X = "1X" ]. then LINK_LAYER="-e" else LINK_LAYER="" fi if [ "$CONF"X = "X" ]. then DUMP_APP="-d" else DUMP_APP="" fi if [ "$NO_PACKET_LOG"X = "1X" ]. then CONF="-c /etc/snort/snort.if [ "$LINK_LAYER"X = "1X" ]. then INTERFACE="-i eth0" PID_FILE="/var/run/snort_eth0.conf" else CONF="-c $CONF" fi if [ "$INTERFACE"X = "X" ]. then PASS_FIRST="-o" else PASS_FIRST="" fi . then NO_PACKET_LOG="-N" else NO_PACKET_LOG="" fi if [ "$PRINT_INTERFACE"X = "1X" ].pid" else PID_FILE="/var/run/snort_$INTERFACE.

then BPFFILE="-F $BPFFILE" fi runlevel=$(set -. then LOGDIR=/var/log/snort fi # These are used by the 'stats' option if [ "$SYSLOG"X = "X" ]. then SECS=5 fi if [ ! "$BPFFILE"X = "X" ].pi* fi .if [ "$LOGDIR"X = "X" ].$(runlevel). then SYSLOG=/var/log/messages fi if [ "$SECS"X = "X" ]. eval "echo $$#" ) start() { [ -x $SNORTD ] || exit 5 echo -n $"Starting $prog: " daemon --pidfile=$PID_FILE $SNORTD $ALERTMODE $BINARY_LOG $LINK_LAYER $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST $BPFFILE $BPF && success || failure RETVAL=$? [ $RETVAL -eq 0 ] && touch $lockfile echo return $RETVAL } stop() { echo -n $"Stopping $prog: " killproc $SNORTD if [ -e $PID_FILE ].* && rm -f /var/run/snort_eth0. then chown -R $USER:$GROUP /var/run/snort_eth0.

then rm -f $lockfile exit 0 fi stop . status) rh_status RETVAL=$? .. stop) if ! rh_status_q.RETVAL=$? # if we are in halt or reboot runlevel kill all running sessions # so the TCP connections are closed cleanly if [ "x$runlevel" = x0 -o "x$runlevel" = x6 ] ... restart) restart .1 } case "$1" in start) rh_status_q && exit 0 start . then trap TERM killall $prog 2> /dev/null trap TERM fi [ $RETVAL -eq 0 ] && rm -f $lockfile echo return $RETVAL } restart() { stop start } rh_status() { status -p $PID_FILE $SNORTD } rh_status_q() { rh_status > /dev/null 2>&.

php.net [root@localhost ~]# pear install Numbers_Roman [root@localhost ~]# pear install channel://pear.* to snort@localhost.php.5 [root@localhost ~]# pear install channel://pear. *) echo $"Usage: $0 {start|stop|restart|status}" RETVAL=2 esac exit $RETVAL auto start snort pada saat booting [root@localhost ~]# chmod 700 /etc/init.d/snortd [root@localhost ~]# chkconfig --levels 235 snortd on Start snort [root@localhost ~]# /etc/init. then RETVAL=2 fi .create on snort. Setup snort untuk log out dengan format unified2 ..d/snortd start INSTALASI SERTA KONFIGURASI BARNYARD2 DAN BASE(Basic Analysis and Security Engine) Install BASE dependency [root@localhost ~]# yum install -y mysql-server mysql-devel php-mysql phpadodb php-pear php-gd httpd [root@localhost ~]# pear channel-update pear.if [ $RETVAL -eq 3 -a -f $lockfile ] .delete.3.net/Image_Canvas-0.8.net/Image_Graph-0.insert. <mysql> set password for snort@localhost=PASSWORD('snortpassword').php.update. <mysql> grant select.0 Persiapan Environment mysql Menginisialisasi mysql dan konfigurasi auto start saat booting: [root@localhost ~]# service mysqld start [root@localhost ~]# chkconfig --levels 235 mysqld on Membuat database untuk snort [root@localhost ~]# mysql -u root –p <mysql> create database snort.

map input unified2 config hostname: localhost config interface: eth0 config alert_with_interface_name output database: log.gz [root@localhost ~]# cd barnyard2-1.conf config reference_file: /etc/snort/reference.config config gen_file: /etc/snort/rules/gen-msg./configure --with-mysql <untuk 32 bit> [root@localhost ~]#. mysql.tar.waldo Edit Konfigurasi Barnyard2 [root@localhost ~]# vi /etc/snort/barnyard2.gz [root@localhost ~]# tar -xzvf barnyard2-1.tar.securixlive.config config classification_file: /etc/snort/classification.map config sid_file: /etc/snort/rules/sid-msg. user=snort password=snortpassword dbname=snort host=localhost Edit script init pada snort dan tambahkan kode dibawah ini : [root@localhost ~]# vi /etc/init.9.waldo [root@localhost ~]# chmod 777 /etc/snort/barnyard2.9.[root@localhost ~]# vi /etc/snort/snort.u2.com/download/barnyard2/barnyard2- 1./configure --with-mysql –with-mysqllibraries=/usr/lib64/mysql <untuk 64 bit> [root@localhost ~]# make && make install [root@localhost ~]# cp etc/barnyard2.d/snortd BARNYARD2=/usr/local/bin/barnyard2 start() { [ -x $SNORTD ] || exit 5 echo -n $"Starting $prog: " daemon --pidfile=$PID_FILE $SNORTD $LINK_LAYER $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST $BPFFILE $BPF && success || failure .conf /etc/snort/ [root@localhost ~]# mysql -u snort -psnortpassword snort < schemas/create_mysql [root@localhost ~]# touch /etc/snort/barnyard2.waldo [root@localhost ~]# chown snort:snort /etc/snort/barnyard2. limit 128 Barnyard2 Melakukan instalasi Barnyard2 [root@localhost ~]# cd /tmp [root@localhost ~]# wget http://www.conf output unified2: filename snort.9 [root@localhost ~]#.

5.waldo -u snort -g snort -D [ $RETVAL -eq 0 ] && touch $lockfile echo return $RETVAL } stop() { echo -n $"Stopping $prog: " killproc $SNORTD killproc $BARNYARD2 if [ -e $PID_FILE ].conf -d /var/log/snort -f snort. $alert_host = 'localhost'.dist base_conf.php Edit konfigurasi script BASE [root@localhost ~]# vi base_conf. $alert_port = '3306'. then trap TERM killall $prog 2>/dev/null trap TERM fi [ $RETVAL -eq 0 ] && rm -f $lockfile echo return $RETVAL } Restart snort [root@localhost ~]# /etc/init. .gz cp -r base-1.php.net/projects/secureideas/files/latest/download tar -xzvf base-1.5/ /var/www/base cd /var/www/base/ cp base_conf.php $BASE_urlpath = '/base'.u2 -w /etc/snort/barnyard2.tar. then chown -R $USER:$GROUP /var/run/snort_eth0.4.pi* fi RETVAL=$? if [ "x$runlevel" = x0 -o "x$runlevel" = x6 ] . $alert_dbname = 'snort'.d/snortd restart BASE Melakukan instalasi BASE [root@localhost [root@localhost [root@localhost [root@localhost [root@localhost [root@localhost ~]# ~]# ~]# ~]# ~]# ~]# cd /tmp wget http://sourceforge.* && rm -f /var/run/snort_eth0.RETVAL=$? $BARNYARD2 -c /etc/snort/barnyard2. $DBlib_path = '/usr/share/php/adodb'. $alert_user = 'snort'.4.

Apache Konfigurasi Apache [root@localhost ~]# vi /etc/httpd/conf.php dan klik create BASE AV .passwd Require valid-user </directory> Membuat file password untuk login ke BASE melalui web [root@localhost ~]# htpasswd -c /etc/snort/base.deny Allow from all AuthName "Snort IDS" AuthType Basic AuthUserFile /etc/snort/base.d/base.$alert_password = 'snortpassword'.passwd <password> Restart Apache [root@localhost ~]# service httpd restart Tambahan.conf Alias /base /var/www/base/ <directory "/var/www/base/"> AllowOverride None Order allow. jika ada error yang menyatakan Melakukan akses ke BASE web environment http://IP-Server/base/base_db_setup.
