darkog
July 6th, 2007, 11:56 PM
Introduction
This document describes how to install, set up, and compile the latest version of the
Snort intrusion detection software on Ubuntu GNU/Linux 7.04. It is based on
Snort 2.6.1.5, the current version at the time of writing.
It is assumed that the user is competent with basic GNU/Linux commands and basic
MySQL commands, and is capable of installing Ubuntu Linux on a computer.
A) Ubuntu Installation, Disk Partitioning, & User Setup
Download the current Ubuntu 7.04 ISO image and burn it to CD. Set your computer's
BIOS to boot from CD-ROM first and boot the computer.
Select "Start or install Ubuntu", press [Enter] and follow the on-screen
instructions until you get to the hard drive partitioning screen.
Once you get to the partitioning menu, select "Manual" and click "Forward".
Click "New partition table" and click "Continue" to delete all existing
partitions.
Create the following partitions manually:
Size      Type   Mount point
--------  -----  -----------
100 MB    ext3   /boot
1024 MB   swap   none
10240 MB  ext3   /var
10240 MB  ext3   /
Leave everything else unused. The goal here is to keep /var on its own partition,
separate from the rest of the file system, so that the Snort logs cannot fill up
all your disk space.
For this document, we are going to keep it simple and use "snort" as the user
name and password.
** DO NOT DO THIS IF THIS MACHINE WILL BE EXPOSED TO THE INTERNET **
For obvious reasons. Use a complex password. I would also change the user name
to something less obvious.
For username, type "snort" without quotes.
For password, type "snort" without quotes.
Click "Forward" to continue and complete the Ubuntu OS install.
B) Install Pre-requisites
Log in to the computer and open a Terminal window. From here on, all lines
starting with $ are typed by the user.
Install the C compiler prerequisites
$ sudo apt-get install gcc g++ -y
Install the libpcap and PCRE prerequisites
$ sudo apt-get install libpcap-dev libpcre3 libpcre3-dev -y
Install the MySQL prerequisites
$ sudo apt-get install mysql-server libmysqlclient-dev -y
C) Download Snort & Snort Rules
Create a new folder in your home folder called "temp".
$ mkdir /home/snort/temp
Download the latest version of Snort and the Snort rules from www.snort.org. Just
register; you will need an account to get the rules anyway. At the time of writing
the latest versions are snort-2.6.1.5.tar.gz and snortrules-snapshot-CURRENT.tar.gz.
Place both files into the temp folder and untar them.
$ cd /home/snort/temp
$ tar -xzvf snort-2.6.1.5.tar.gz
$ tar -xzvf snortrules-snapshot-CURRENT.tar.gz
$ mv snort-2.6.1.5 snort
Remove the files you no longer need.
$ rm snort-2.6.1.5.tar.gz
$ rm snortrules-snapshot-CURRENT.tar.gz
You should have a clean folder structure with the following folders:
/home/snort/temp/snort
/home/snort/temp/so_rules
/home/snort/temp/doc
/home/snort/temp/rules
D) MySQL Database Setup
Create the snort database and a MySQL user that is only allowed to work inside it.
Lines starting with mysql> are typed at the MySQL prompt.
$ sudo mysql
mysql> create database snort;
mysql> grant CREATE,INSERT,UPDATE,DELETE,SELECT on snort.* to snort@localhost;
Set the password for this MySQL user to the one we used earlier. Once again, you
have to change this to something complex if this machine is going on the net.
mysql> set password for snort@localhost = password('snort');
Check that the database exists and that it has no tables yet.
mysql> show databases;
mysql> use snort;
mysql> status;
mysql> show tables;
mysql> exit;
Populate the snort database with the Snort table layout. The schema file shipped
in the source tree is called create_mysql.
$ cd /home/snort/temp/snort/schemas
$ mysql -p snort < create_mysql
[enter password]
Check that the tables now exist in the database.
$ mysql -p
[enter password]
mysql> use snort;
mysql> show tables;
mysql> exit;
You should see new database tables. You are now ready to compile, install, and configure snort.
E) Snort Compilation, Installation, and Configuration
Configure Snort. We are going to install it under the traditional /opt folder.
$ cd /home/snort/temp/snort
$ ./configure --with-mysql --prefix=/opt/snort
$ sudo make
$ sudo make install
** Optional: Install tree program. I like it and think it's useful.
$ sudo apt-get install tree
Check to see that snort is installed.
$ tree /opt/snort
Create the folders that will hold the configs, rules and logs.
$ sudo mkdir /etc/snort
$ sudo chown snort:snort /etc/snort
$ sudo mkdir /var/log/snort
$ sudo chown snort:snort /var/log/snort
$ mkdir /etc/snort/rules
Copy the necessary etc files.
$ cd /home/snort/temp/snort/etc
$ cp *.config *.conf *.map sid generators /etc/snort
Move the rules and docs into place. They were unpacked into /home/snort/temp, not
into the snort source folder, so change directory first.
$ cd /home/snort/temp
$ mv rules/* /etc/snort/rules
$ mv doc /etc/snort
Set up the conf file.
$ cd /etc/snort
$ nano snort.conf
Edit the following settings in snort.conf. These are lines in the file, not shell
commands. Set your home network in CIDR notation:
var HOME_NET [your subnet]
Set your external network to everything that is not your home network:
var EXTERNAL_NET !$HOME_NET
Specify the path to the rules:
var RULE_PATH /etc/snort/rules
Fix the dynamic engine and preprocessor paths so they point at the /opt install:
dynamicpreprocessor directory /opt/snort/lib/snort_dynamicpreprocessor/
dynamicengine /opt/snort/lib/snort_dynamicengine/libsf_engine.so
Set up the MySQL logging output (the parameters after the database type are
separated by spaces):
output database: alert, mysql, user=snort password=snort dbname=snort host=localhost
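The edits above can also be scripted instead of typed into nano, which makes them repeatable and lets you catch a mistyped subnet before Snort starts. The script below is an added example and not part of the original HOWTO: it validates the HOME_NET value as a CIDR, rewrites the five settings from the steps above in a copy of snort.conf, appends the database output line exactly once, and, when run with "apply", asks Snort to parse the result in test mode (snort -T) without sniffing. The path /etc/snort/snort.conf, the /opt/snort prefix, the rules path and the MySQL user "snort" are taken from this HOWTO; the function names and the stock values in write_sample_conf are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original HOWTO. Scripts the snort.conf edits made
# above with nano and checks the result. Assumptions (from this HOWTO only):
# conf at /etc/snort/snort.conf, Snort under /opt/snort, rules in
# /etc/snort/rules, MySQL user "snort".
set -eu

# valid_cidr ADDR/PREFIX: succeed only for a dotted quad with a 0-32 prefix,
# so a typo in HOME_NET is caught before it lands in the config.
valid_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
  [ "${1#*/}" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.
  for octet in ${1%/*}; do
    [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
  done
  IFS=$old_ifs
}

# write_sample_conf: a constructed stub with the stock values the HOWTO replaces
# (used for the offline demo); prints the temp file name.
write_sample_conf() {
  stub=$(mktemp)
  cat > "$stub" <<'EOF'
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
EOF
  printf '%s\n' "$stub"
}

# patch_snort_conf FILE HOME_NET PREFIX DBPASS: rewrite the five settings and
# append the MySQL output line, but only if no output database line exists yet.
patch_snort_conf() {
  conf=$1; home_net=$2; prefix=$3; dbpass=$4
  valid_cidr "$home_net" || { echo "HOME_NET is not a valid CIDR: $home_net" >&2; return 1; }
  sed \
    -e "s|^var HOME_NET .*|var HOME_NET $home_net|" \
    -e "s|^var EXTERNAL_NET .*|var EXTERNAL_NET !\$HOME_NET|" \
    -e "s|^var RULE_PATH .*|var RULE_PATH /etc/snort/rules|" \
    -e "s|^dynamicpreprocessor directory .*|dynamicpreprocessor directory $prefix/lib/snort_dynamicpreprocessor/|" \
    -e "s|^dynamicengine .*|dynamicengine $prefix/lib/snort_dynamicengine/libsf_engine.so|" \
    "$conf" > "$conf.new"
  grep -q '^output database:' "$conf.new" ||
    printf 'output database: alert, mysql, user=snort password=%s dbname=snort host=localhost\n' \
      "$dbpass" >> "$conf.new"
  mv "$conf.new" "$conf"
  chmod 600 "$conf"   # the file now holds a database password
}

# test_config PREFIX FILE: let Snort parse the config (-T) without sniffing.
test_config() {
  [ -x "$1/bin/snort" ] || { echo "no snort under $1; skipping -T" >&2; return 0; }
  sudo "$1/bin/snort" -c "$2" -T
}

if [ "${1:-}" = "apply" ]; then
  # usage: sh snortconf.sh apply 192.168.1.0/24 <db password>
  patch_snort_conf /etc/snort/snort.conf "${2:?HOME_NET}" /opt/snort "${3:?db password}"
  test_config /opt/snort /etc/snort/snort.conf
else
  # offline demo on the constructed stub
  demo=$(write_sample_conf)
  patch_snort_conf "$demo" 192.168.1.0/24 /opt/snort snort
  cat "$demo"; rm -f "$demo"
fi
```

Run it with no arguments to see the rewritten stub; run it as "sh snortconf.sh apply 192.168.1.0/24 <password>" on the sensor to patch the real file. The password is passed on the command line here for brevity, so it shows up in shell history and in ps while the script runs; the chmod 600 at least keeps it out of reach of other local users once it is in snort.conf.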
F) Testing
You want to test that you have installed and configured Snort correctly.
Open two terminal windows. In one you will look at the log files and in the
other you will launch and test Snort.
$ ls -la /var/log/snort
You should see nothing in that folder.
$ sudo /opt/snort/bin/snort -c /etc/snort/snort.conf -i eth0
Check that new log files are created. You should see the file alert and a
packet log named snort.log.<timestamp>.
$ ls -la /var/log/snort
Watch the alert file in real time while you attack the machine.
$ sudo tail -f /var/log/snort/alert
From a second machine, launch a port scan using Nmap or some other scanning tool.
You should see the alert log populate with your attack.
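Once the scan has produced alerts, it is more useful to see which signatures fired and from which addresses than to read the raw file scrolling past in tail. The script below is an added example and not part of the original HOWTO: it parses the full-format alert file that Snort writes by default (the "[**] [gid:sid:rev] message [**]" header followed by the timestamp, source and destination line), counts hits per signature and per source address, and runs against a constructed sample when given no file argument. The sample entries, including their addresses, timestamps and SIDs, are made up for this example; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original HOWTO. Summarises Snort's full-format
# alert file (the default /var/log/snort/alert) by signature and source address.
# Usage: sh alertsum.sh /var/log/snort/alert ; with no argument it runs on a
# constructed sample so the logic can be tried without a sensor.
set -eu

# summarize_alerts FILE: print "COUNT sig [gid:sid:rev] message" and
# "COUNT src ADDRESS" lines, highest counts first within each group.
summarize_alerts() {
  awk '
    # header line of an entry: [**] [gid:sid:rev] message [**]
    /^\[\*\*\] \[/ {
      sig = $0
      sub(/^\[\*\*\] /, "", sig); sub(/ \[\*\*\]$/, "", sig)
      sigs[sig]++; want_src = 1; next
    }
    # the timestamp line that follows: MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]
    want_src && /^[0-9][0-9]\/[0-9][0-9]-/ {
      src = $2; sub(/:[0-9]+$/, "", src)   # drop a TCP/UDP port if present
      srcs[src]++; want_src = 0
    }
    END {
      for (s in sigs) printf "%d sig %s\n", sigs[s], s
      for (h in srcs) printf "%d src %s\n", srcs[h], h
    }' "$1" | sort -k2,2 -k1,1rn
}

# write_sample_alerts: constructed entries in Snort's full alert layout
# (addresses, timestamps and SIDs are made up for this example); prints the path.
write_sample_alerts() {
  sample=$(mktemp)
  cat > "$sample" <<'EOF'
[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
07/06-23:58:01.101010 192.168.1.50 -> 192.168.1.10
ICMP TTL:38 TOS:0x0 ID:9876 IpLen:20 DgmLen:28
Type:8  Code:0  ID:0   Seq:0  ECHO

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
07/06-23:58:03.202020 192.168.1.50 -> 192.168.1.10
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:160 DF

[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
07/06-23:59:10.303030 10.0.0.7 -> 192.168.1.10
ICMP TTL:38 TOS:0x0 ID:9877 IpLen:20 DgmLen:28
Type:8  Code:0  ID:0   Seq:0  ECHO

[**] [1:1418:11] SNMP request tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
07/06-23:59:12.404040 192.168.1.50:33012 -> 192.168.1.10:161
TCP TTL:44 TOS:0x0 ID:1 IpLen:20 DgmLen:44
******S* Seq: 0x1 Ack: 0x0 Win: 0x400 TcpLen: 24
EOF
  printf '%s\n' "$sample"
}

if [ $# -ge 1 ]; then
  summarize_alerts "$1"
else
  demo=$(write_sample_alerts)
  summarize_alerts "$demo"
  rm -f "$demo"
fi
```

On the sensor, run it as "sudo sh alertsum.sh /var/log/snort/alert" after the scan from the second machine; the scanning host should top the src list and the portscan and ping signatures the sig list. The counter keys on the header line and only reads the very next timestamp line, so the protocol detail lines and the blank line between entries are ignored regardless of how long each entry is.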
Remove C compilers
$ sudo apt-get remove gcc g++ -y
Conclusion
You have compiled, installed and configured the latest version of Snort on
Ubuntu. You can launch it as a daemon, manually or from a startup script, by running:
$ sudo /opt/snort/bin/snort -c /etc/snort/snort.conf -i eth0 -D
If there is interest, I can do a Part 2 on how to setup the web based display
console BASE so that you can look at the logs from a nicer interface.
Snort isn't going to do much without proper rules and without being set up to do
something when it does detect an event. Things it can do include sending you
e-mail messages, making changes to other devices via SNMP, and more. These topics
are beyond the scope of this HOWTO. You should check the documentation at
http://www.snort.org and books that focus on Snort.