After a standard installation of Ubuntu Server 10.04 LTS we need to set a password for root and update the system. Afterward we install some of the required components, including an SSH server, so that we can continue the work remotely.

    sudo passwd          (set root password)
    apt-get update
    apt-get upgrade
    apt-get install g++ bison flex libpcap0.8-dev libpcre3-dev zlib1g-dev libmysqlclient16-dev openssh-server

Connect through SSH (e.g. putty.exe).

Now we need to download the source files for the required components.

    cd /usr/local/src
    wget http://www.snort.org/dl/snort-current/daq-0.5.tar.gz -O daq-0.5.tar.gz
    wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
    wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
    wget http://www.snort.org/dl/snort-current/snort-2.9.0.5.tar.gz -O snort-2.9.0.5.tar.gz
    wget http://www.snort.org/dl/snort-current/snort-2.9.1.tar.gz -O snort-2.9.1.tar.gz
    wget http://www.snort.org/sub-rules/snortrules-snapshot-2905.tar.gz/f13b51590a83e4f86e6843af0e4ad2a85dc04cf8 -O snortrules-snapshot-2905.tar.gz
    wget http://pulledpork.googlecode.com/files/pulledpork-0.6.1.tar.gz

Installing and configuring DAQ

    apt-get install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0
    tar zxvf daq-0.5.tar.gz
    cd daq-0.5
    ./configure && make && make install
    ldconfig
    cd ..

Installing and configuring Libdnet

    tar zxvf libdnet-1.12.tgz
    cd libdnet-1.12/
    ./configure && make && make install
    ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1
    cd ..
Installing and configuring Snort

    tar zxvf snort-2.9.0.5.tar.gz
    cd snort-2.9.0.5
    ./configure --prefix=/usr/local/snort --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased \
        --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling --enable-zlib \
        --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3 \
        && make && make install
    mkdir /var/log/snort
    mkdir /var/snort
    groupadd snort
    useradd -g snort snort
    chown snort:snort /var/log/snort
    mkdir /usr/local/snort/etc
    cp etc/* /usr/local/snort/etc
    cd ..

We need to edit the snort.conf file to adapt it to our system.

    nano /usr/local/snort/etc/snort.conf

Change the following lines:

• dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
• dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
• dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules
• # unlimited_decompress \
• output unified2: filename snort.log, limit 128
• Comment out all rules at the bottom
• include $RULE_PATH/snort.rules
• include $RULE_PATH/so_rules.rules

The two last lines are important:

• We need to comment out all the rules except local.rules and add snort.rules. The file snort.rules is created with PulledPork and contains both the rules we need and the ones we don't need in our setup.
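Because a missed edit in snort.conf (a rule set left active at the bottom, or a dynamic library path still pointing at the default prefix) only shows up when Snort is started inline, it helps to lint the file before the IPS goes in the traffic path. The script below is an added example and is not part of the original guide or of Snort itself; it checks that the lines listed above are present and uncommented and that local.rules, snort.rules and so_rules.rules are the only active $RULE_PATH includes. The sample configs it builds are constructed for the demonstration, and the config path is assumed to be passed as the first argument.

```shell
#!/bin/sh
# Added example, not from the original guide: lint the snort.conf edits
# listed in the guide before (re)starting the IPS.
# Assumption: $1 is the path to snort.conf; the expected lines are exactly
# the ones the guide names.

check_snort_conf() {
    conf="$1"
    rc=0
    # Each line the guide tells us to set must be present and uncommented.
    for pattern in \
        '^dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/' \
        '^dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine\.so' \
        '^dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules' \
        '^output unified2: filename snort\.log, limit 128' \
        '^include \$RULE_PATH/snort\.rules' \
        '^include \$RULE_PATH/so_rules\.rules'
    do
        if ! grep -q "$pattern" "$conf"; then
            echo "MISSING: $pattern" >&2
            rc=1
        fi
    done
    # Any other active "include $RULE_PATH/..." line means a rule set was not
    # commented out at the bottom, so PulledPork's snort.rules would not be
    # the single source of rules.
    extra=$(grep -E '^include \$RULE_PATH/' "$conf" \
            | grep -Ev '^include \$RULE_PATH/(local|snort|so_rules)\.rules$' || true)
    if [ -n "$extra" ]; then
        echo "UNEXPECTED active rule includes:" >&2
        echo "$extra" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample that mimics only the relevant snort.conf lines (not a
# real snort.conf). $1 = "good" or "bad"; prints the temp file path.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules
output unified2: filename snort.log, limit 128
include $RULE_PATH/local.rules
include $RULE_PATH/snort.rules
include $RULE_PATH/so_rules.rules
# include $RULE_PATH/web-attacks.rules
EOF
    if [ "$1" = "bad" ]; then
        # a rule set that should have been commented out is still active
        echo 'include $RULE_PATH/web-attacks.rules' >> "$f"
    fi
    echo "$f"
}

# Stand-alone use: sh check_snort_conf.sh /usr/local/snort/etc/snort.conf
if [ $# -gt 0 ]; then
    check_snort_conf "$1" && echo "snort.conf looks consistent with the guide"
fi
```

Run it against the real file after editing; a non-zero exit with the missing or unexpected lines on stderr is a cheap way to catch the common mistake of leaving the stock rule includes active next to snort.rules.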
We can test the installation with the following command:

    /usr/local/snort/bin/snort --daq afpacket -Q -c /usr/local/snort/etc/snort.conf -i eth1:eth2 --daq-dir /usr/local/lib/daq

Extracting the Snort rules

    tar zxvf snortrules-snapshot-2905.tar.gz -C /usr/local/snort
    mkdir /usr/local/snort/lib/snort_dynamicrules
    cp /usr/local/snort/so_rules/precompiled/Ubuntu-10-4/i386/2.9.0.5/* /usr/local/snort/lib/snort_dynamicrules

Installing and configuring Barnyard2

    tar zxvf barnyard2-1.9.tar.gz
    cd barnyard2-1.9
    ./configure --with-mysql && make && make install
    cp etc/barnyard2.conf /usr/local/snort/etc
    mkdir /var/log/barnyard2
    chmod 666 /var/log/barnyard2
    touch /var/log/snort/barnyard2.waldo
    chown snort.snort /var/log/snort/barnyard2.waldo
    cd ..

We need to edit the barnyard2.conf file to adapt it to our system.

    nano /usr/local/snort/etc/barnyard2.conf

• config reference_file: /usr/local/snort/etc/reference.config
• config classification_file: /usr/local/snort/etc/classification.config
• config gen_file: /usr/local/snort/etc/gen-msg.map
• config sid_file: /usr/local/snort/etc/sid-msg.map
• config hostname: IPS
• config interface: eth1
• output database: log, mysql, user= password= dbname=snorby host=Snorby

We can test the installation with the following command. Of course we need to have the MySQL installation ready to test this.

    /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo

Now we need to configure our network interfaces eth0, eth1 and eth2. Interface eth0, the management interface, will have a static IP address on our internal LAN, and eth1 and eth2 will be set up in promiscuous mode. Remember to enable promiscuous mode on the VMware virtual switch too.
    nano /etc/network/interfaces

    auto eth0
    iface eth0 inet static
        address 192.168.xxx.xxx
        netmask 255.255.255.0
        gateway 192.168.xxx.254

    auto eth1
    iface eth1 inet manual
        up ifconfig eth1 0.0.0.0 up
        up ip link set eth1 promisc on

    auto eth2
    iface eth2 inet manual
        up ifconfig eth2 0.0.0.0 up
        up ip link set eth2 promisc on

Now we need to set up Snort and Barnyard2 to start automatically when the system reboots. Copy the following lines into /etc/rc.local and save the file.

    nano /etc/rc.local

    ifconfig eth1 up
    ifconfig eth2 up
    /usr/local/snort/bin/snort -D --daq afpacket -Q -c /usr/local/snort/etc/snort.conf -i eth1:eth2 --daq-dir /usr/local/lib/daq
    /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D

We can test by entering this command:

    /etc/init.d/rc.local start

Extracting and configuring PulledPork

    cd /usr/local
    tar zxvf /usr/local/src/pulledpork-0.6.1.tar.gz
    cd pulledpork-0.6.1/etc
    cp pulledpork.conf /usr/local/snort/etc

We need to edit the pulledpork.conf file to adapt it to our system.

    nano /usr/local/snort/etc/pulledpork.conf

• rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|
• rule_url=https://www.snort.org/reg-rules/|opensource.gz|
• # rule_url=https://rules.emergingthreats.net/|etpro.rules.tar.gz|
• rule_path=/usr/local/snort/rules/snort.rules
• local_rules=/usr/local/snort/rules/local.rules
• sid_msg=/usr/local/snort/etc/sid-msg.map
• config_path=/usr/local/snort/etc/snort.conf
• sostub_path=/usr/local/snort/rules/so_rules.rules
• snort_path=/usr/local/snort/bin/snort
• distro=Ubuntu-10.04
• pid_path=/var/run/snort_eth1.pid,/var/run/barnyard2_eth1.pid
• ips_policy=security
• dropsid=/usr/local/pulledpork-0.6.1/etc/dropsid.conf
• disablesid=/usr/local/pulledpork-0.6.1/etc/disablesid.conf

The two last lines are important:

• dropsid determines which SIDs/rule sets are set to drop because of the metadata "policy security-ips drop"
• disablesid determines which SIDs/rule sets are disabled and therefore not processed by Snort

We need some extra components to make PulledPork work correctly. When running the cpan command, just go with the default answers (hit ENTER).

    apt-get install libssl-dev
    cpan
    install CPAN
    install Test::More
    install Crypt::SSLeay
    install LWP::Simple
    exit

Test the installation with the following command:

    /usr/local/pulledpork-0.6.1/pulledpork.pl -c /usr/local/snort/etc/pulledpork.conf

Tips and Tricks for Snort and more

Snort

To reload the snort.conf file without killing the process. There is however a small disruption in the traffic, approximately 4 ping timeouts:

    kill -SIGHUP "snort process ID"

When rebooting Snort/IPS completely, it takes approximately 10 ping timeouts.

To see the Snort statistics when running as a daemon:

    kill -SIGUSR1 "snort process ID"
    cat /var/log/daemon.log

Whitelisting of IP addresses:

Blacklisting of IP addresses:

PulledPork

Schedule PulledPork to run daily:

    crontab -e
    30 2 * * * /usr/local/pulledpork-0.6.1/pulledpork.pl -c /usr/local/snort/etc/pulledpork.conf
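Two of the steps above are worth hardening a little: the rc.local start lines will happily launch a second Snort on top of a running one, and the daily PulledPork cron job updates snort.rules without the running Snort ever seeing the new rules until someone sends the SIGHUP from the tips section. The script below is an added example (not part of the guide, Snort, Barnyard2 or PulledPork) that serves both the rc.local section and the PulledPork cron entry: "start" refuses to start a duplicate daemon and test-parses the config with Snort's -T option first, and "update" runs PulledPork and reloads Snort with SIGHUP only when snort.rules actually changed. It assumes Snort and Barnyard2 write their PIDs to the pidfiles named in the guide's pulledpork.conf (adjust SNORT_PID and BARNYARD_PID if your Snort names its pidfile differently for the bridged interface pair); the rule lines used in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: guarded start for /etc/rc.local
# and a cron wrapper for PulledPork. Assumption (not from the page): the
# daemons' pidfiles are the ones the guide's pulledpork.conf names.
SNORT=/usr/local/snort/bin/snort
SNORT_CONF=/usr/local/snort/etc/snort.conf
DAQ_DIR=/usr/local/lib/daq
SNORT_PID=/var/run/snort_eth1.pid
BARNYARD=/usr/local/bin/barnyard2
BARNYARD_CONF=/usr/local/snort/etc/barnyard2.conf
BARNYARD_PID=/var/run/barnyard2_eth1.pid
PULLEDPORK=/usr/local/pulledpork-0.6.1/pulledpork.pl
PULLEDPORK_CONF=/usr/local/snort/etc/pulledpork.conf
RULES=/usr/local/snort/rules/snort.rules

# Return 0 when the PID recorded in pidfile $1 belongs to a live process.
pid_is_running() {
    [ -r "$1" ] || return 1
    pid=$(tr -cd '0-9' < "$1")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Print a checksum of file $1 so rule changes can be detected (empty if missing).
rules_digest() {
    [ -r "$1" ] || { echo ""; return 0; }
    cksum "$1" | cut -d' ' -f1
}

# rc.local replacement: bring the sniffing pair up, test the config, then start
# Snort inline and Barnyard2, each only if it is not already running.
start_ips() {
    ifconfig eth1 up
    ifconfig eth2 up
    if pid_is_running "$SNORT_PID"; then
        echo "snort already running, not starting a second instance"
    else
        # -T parses the config and exits; a broken config never goes inline.
        "$SNORT" -T -c "$SNORT_CONF" --daq afpacket -i eth1:eth2 --daq-dir "$DAQ_DIR" || return 1
        "$SNORT" -D --daq afpacket -Q -c "$SNORT_CONF" -i eth1:eth2 --daq-dir "$DAQ_DIR" || return 1
    fi
    if ! pid_is_running "$BARNYARD_PID"; then
        "$BARNYARD" -c "$BARNYARD_CONF" -d /var/log/snort -f snort.log \
            -w /var/log/snort/barnyard2.waldo -D || return 1
    fi
}

# Cron wrapper: update the rules, then reload Snort (SIGHUP) only if
# snort.rules changed and the new rule set still parses.
update_rules_and_reload() {
    before=$(rules_digest "$RULES")
    "$PULLEDPORK" -c "$PULLEDPORK_CONF" || return 1
    after=$(rules_digest "$RULES")
    if [ "$before" = "$after" ]; then
        echo "rules unchanged, no reload needed"
        return 0
    fi
    "$SNORT" -T -c "$SNORT_CONF" --daq afpacket -i eth1:eth2 --daq-dir "$DAQ_DIR" || return 1
    if pid_is_running "$SNORT_PID"; then
        kill -HUP "$(tr -cd '0-9' < "$SNORT_PID")"
    else
        echo "snort not running; the new rules will be used at the next start"
    fi
}

case "$1" in
    start)  start_ips ;;
    update) update_rules_and_reload ;;
esac
```

With this in place, rc.local contains a single line calling the script with "start", and the crontab line calls it with "update" instead of running pulledpork.pl directly, so a rule update that breaks parsing is caught by -T before the running IPS is told to reload.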