Snort mailing list archives
Re: Snort/barnyard2 Install
From: "Davison, Charles Robert" <cdaviso1 () vols utk edu>
Date: Sun, 30 Aug 2015 01:26:36 +0000
Mike, I had the same issues when I first started out as well. Follow the instructions below. I have included how to install Snort, by2, PulledPork, and Snorby. These instructions have been verified for Ubuntu 14.04 LTS. This is just the stuff I make for plain-text install instructions, but I should be releasing some fancy documentation on how to do everything and why you're doing it. This is not detailed, but you should be able to copy and paste to get set up. If you have any issues let me know and we can set up a WebEx or something and I'll walk you through it.

Snort From Source:

    sudo apt-get install -y build-essential
    sudo apt-get install -y libpcap-dev libpcre3-dev libdumbnet-dev
    mkdir ~/snort_src
    cd ~/snort_src
    sudo apt-get install -y bison flex
    wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
    tar xvfz daq-2.0.6.tar.gz
    cd daq-2.0.6
    ./configure; make; sudo make install
    sudo apt-get install -y zlib1g-dev
    cd ~/snort_src
    wget https://www.snort.org/downloads/snort/snort-2.9.7.5.tar.gz
    tar xvfz snort-2.9.7.5.tar.gz
    cd snort-2.9.7.5
    ./configure --enable-sourcefire
    make
    sudo make install
    sudo ldconfig
    sudo ln -s /usr/local/bin/snort /usr/sbin/snort
    sudo groupadd snort
    sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
    sudo mkdir /etc/snort
    sudo mkdir /etc/snort/rules
    sudo mkdir /etc/snort/preproc_rules
    sudo touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules /etc/snort/rules/local.rules
    sudo mkdir /var/log/snort
    sudo mkdir /usr/local/lib/snort_dynamicrules
    sudo chmod -R 5775 /etc/snort
    sudo chmod -R 5775 /var/log/snort
    sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
    sudo chown -R snort:snort /etc/snort
    sudo chown -R snort:snort /var/log/snort
    sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
    sudo cp ~/snort_src/snort-2.9.7.5/etc/*.conf* /etc/snort
    sudo cp ~/snort_src/snort-2.9.7.5/etc/*.map /etc/snort
    sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf
    sudo nano /etc/snort/snort.conf

Edit HOME_NET and EXTERNAL_NET.

Line 104, add:

    var RULE_PATH /etc/snort/rules
    var SO_RULE_PATH /etc/snort/so_rules
    var PREPROC_RULE_PATH /etc/snort/preproc_rules
    var WHITE_LIST_PATH /etc/snort/rules
    var BLACK_LIST_PATH /etc/snort/rules

Line 545, uncomment:

    include $RULE_PATH/local.rules

Barnyard 2

    sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool yagiuda libdumbnet1 checkinstall libdnet
    sudo apt-get install libdumbnet-dev
    sudo ldconfig
    wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
    tar zxvf libdnet-1.12.tgz
    cd libdnet-1.12/
    ./configure CFLAGS=-fPIC; make
    sudo checkinstall
    y
    sudo dpkg -i libdnet_1.12-1_amd64.deb
    sudo ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1
    n
    y

Line 520 (in /etc/snort/snort.conf), add:

    output unified2: filename snort.u2, limit 128

    cd ~/snort_src
    wget https://github.com/firnsy/barnyard2/archive/master.tar.gz -O barnyard2-2-1.13.tar.gz
    tar zxvf barnyard2-2-1.13.tar.gz
    cd barnyard2-master
    autoreconf -fvi -I ./m4
    ./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
    make
    sudo make install
    cd ~/snort_src/barnyard2-master
    sudo cp etc/barnyard2.conf /etc/snort
    sudo mkdir /var/log/barnyard2
    sudo chown snort.snort /var/log/barnyard2
    sudo touch /var/log/snort/barnyard2.waldo
    sudo chown snort.snort /var/log/snort/barnyard2.waldo
    sudo touch /etc/snort/sid-msg.map
    echo "create database snort;" | mysql -u root -p
    mysql -u root -p -D snort < ~/snort_src/barnyard2-master/schemas/create_mysql
    echo "grant create, insert, select, delete, update on snort.* to snort@localhost identified by 'toor'" | mysql -u root -p

Add to /etc/snort/barnyard2.conf:

    output database: log, mysql, user=snort password=toor dbname=snort host=localhost

    sudo chmod o-r /etc/snort/barnyard2.conf
    sudo /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
    user@snortserver:/var/log/snort$ ls -l /var/log/snort/
    sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort
    mysql -u snort -p -D snort -e "select count(*) from event"

Pulled Pork

    sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl
    cd ~/snort_src
    wget https://pulledpork.googlecode.com/files/pulledpork-0.7.0.tar.gz
    tar xvfz pulledpork-0.7.0.tar.gz
    cd pulledpork-0.7.0/
    sudo cp pulledpork.pl /usr/local/bin
    sudo chmod +x /usr/local/bin/pulledpork.pl
    sudo cp etc/*.conf /etc/snort
    sudo mkdir /etc/snort/rules/iplists
    sudo touch /etc/snort/rules/iplists/default.blacklist

Verify it is working:

    user@snortserver:~$ /usr/local/bin/pulledpork.pl -V
    PulledPork v0.7.0 - Swine Flu!
    user@snortserver:~$

Edit pulledpork.conf (https://code.google.com/p/pulledpork/source/browse/trunk/etc/pulledpork.conf?r=264):

    gksudo gedit /etc/snort/pulledpork.conf

Anywhere you see <oinkcode>, enter your oinkcode from your snort.org account:

    Line 19 & 26: enter your oinkcode where appropriate
    Line 27 & 30: leave uncommented to use the Emerging Threats rule set
    Line 72: change to: rule_path=/etc/snort/rules/snort.rules
    Line 87: change to: local_rules=/etc/snort/rules/local.rules
    Line 90: change to: sid_msg=/etc/snort/sid-msg.map
    Line 117: change to: config_path=/etc/snort/snort.conf
    Line 131: change to: distro=Ubuntu-10-4
    Line 139: change to: black_list=/etc/snort/rules/iplists/default.blacklist
    Line 148: change to: IPRVersion=/etc/snort/rules/iplists
    Line 194: uncomment and change to: enablesid=/etc/snort/enablesid.conf
    Line 195: uncomment and change to: dropsid=/etc/snort/dropsid.conf
    Line 196: uncomment and change to: disablesid=/etc/snort/disablesid.conf
    Line 197: uncomment and change to: modifysid=/etc/snort/modifysid.conf

    sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l

Edit /etc/snort/snort.conf and append to the end of the file (on a new line):

    include $RULE_PATH/snort.rules

    sudo snort -T -c /etc/snort/snort.conf
    sudo crontab -e

Append the following line in crontab:

    01 04 * * * /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l

Creating Startup Scripts

    gksudo gedit /etc/init/snort.conf

Paste:

    description "Snort NIDS Service"
    stop on runlevel [!2345]
    start on runlevel [2345]
    script
        exec /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D
    end script

    sudo chmod +x /etc/init/snort.conf
    sudo service snort start
    initctl list | grep snort
    snort stop/waiting

    gksudo gedit /etc/init/barnyard2.conf

Paste:

    description "Barnyard2 service"
    stop on runlevel [!2345]
    start on runlevel [2345]
    script
        exec /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort -D
    end script

    sudo chmod +x /etc/init/barnyard2.conf
    sudo service barnyard2 start
    initctl list | grep barnyard
    barnyard2 stop/waiting

Verify:

    sudo service snort status
    sudo service barnyard2 status

Snorby

    # apt-get install apache2 git imagemagick wkhtmltopdf ruby1.9.3 libyaml-dev libxml2-dev libxslt1-dev zlib1g-dev build-essential openssl libssl-dev libmysqlclient-dev libreadline6-dev
    # gem install rails
    # gem update
    git clone http://github.com/Snorby/snorby.git
    # cd snorby && bundle install

Follow the pics in OneNote.
https://www.digitalocean.com/community/tutorials/how-to-create-a-new-user-and-grant-permissions-in-mysql

    mysql -u root -p
    CREATE DATABASE snorby;
    USE snorby;
    CREATE USER 'snorby'@'localhost' IDENTIFIED BY 's3cr3t';
    GRANT ALL PRIVILEGES ON *.* TO 'snorby'@'localhost' WITH GRANT OPTION;
    FLUSH PRIVILEGES;

Check:

    mysql -u snorby -p's3cr3t' snorby
    bundle exec rake snorby:setup
    bundle exec rails server -e production

Browse to: http://localhost:3000

Add to Barnyard2.conf (/etc/snort/barnyard2.conf):

    output database: log, mysql, user=snorby password=s3cr3t dbname=snorby host=localhost

From: Mike Hendrie [mailto:mike () hendrienet com]
Sent: Saturday, August 29, 2015 5:05 PM
To: Davison, Charles Robert <cdaviso1 () vols utk edu>
Subject: Re: [Snort-users] Snort/barnyard2 Install

Thank you

Mike Hendrie, PMP/ITIL

On Aug 29, 2015 6:01 PM, "Davison, Charles Robert" <cdaviso1 () vols utk edu> wrote:

Mike, I'm at dinner right now but I'll send you the complete install guide I made from beginning to end for By2 later tonight... I would try also looking on GitHub for Autosnort. It's pretty cool.

Sent from Outlook <http://aka.ms/Ox5hz3>

On Sat, Aug 29, 2015 at 9:03 AM -0700, "Mike Hendrie" <mike () hendrienet com> wrote:

I have tried to follow the install instructions on the Snort site to install on Ubuntu 14. I am able to get Snort working and tested via ICMP, great! However, I am not able to get Barnyard2 to install:

===============error below =================
make[3]: Entering directory `/home/w14219/snort_src/barnyard2-master/src'
gcc -DHAVE_CONFIG_H -I. -I.. -Isfutil -I/usr/include/mysql -DENABLE_MYSQL -g -O2 -fno-strict-aliasing -Wall -c -o decode.o decode.c
decode.c:38:18: fatal error: dnet.h: No such file or directory
 #include <dnet.h>
                  ^
compilation terminated.
make[3]: *** [decode.o] Error 1
make[3]: Leaving directory `/home/w14219/snort_src/barnyard2-master/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/w14219/snort_src/barnyard2-master/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/w14219/snort_src/barnyard2-master'
make: *** [all] Error 2
===================error end===============

Documentation used: https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/065/original/Snort_2.9.7.x_on_Ubuntu_12_and_14.pdf?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1440826195&Signature=uLPmrjecsivn2zXaGnlmEBCrbzI%3D

Can someone please assist with getting past this error? Thanks
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
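The two places this thread actually stalls are the barnyard2 build (Mike's "dnet.h: No such file or directory") and the hand-off from Snort's unified2 spool to barnyard2. The preflight script below is an added example, not code from the thread, from the Snort project or from barnyard2. It assumes the layout the reply above uses (headers under /usr/include, spool under /var/log/snort, an "output unified2: filename snort.u2" line in snort.conf) and it relies on one fact about Ubuntu: the Debian family ships libdnet under the name libdumbnet, so libdumbnet-dev installs dumbnet.h rather than the dnet.h that barnyard2's decode.c includes. Building libdnet 1.12 from source, as the reply does, sidesteps that; linking dnet.h to dumbnet.h is the lighter alternative, and the script only creates that link when dumbnet.h exists and dnet.h does not, so it never clobbers a real header. The script name and its --check/--fix-dnet flags are my own.

```shell
#!/bin/sh
# snort_preflight.sh - added example, not from the thread or the Snort project.
# Checks for the pipeline this thread sets up: snort -> unified2 spool -> barnyard2.
#
# 1) "fatal error: dnet.h: No such file or directory" when building barnyard2 on
#    Debian/Ubuntu: libdumbnet-dev provides /usr/include/dumbnet.h, barnyard2
#    wants <dnet.h>. dnet_header_fix links dnet.h -> dumbnet.h only when that is
#    safe (dumbnet.h present, dnet.h absent).
# 2) barnyard2 reads files named <base>.<epoch> from the spool directory.
#    latest_unified2 finds the newest one; no result means snort is not writing
#    yet, which is worth knowing before blaming barnyard2, the waldo file or MySQL.
# Paths used by main (/usr/include, /usr/local/include, /var/log/snort, snort.u2)
# are assumptions that match the reply above.

dnet_header_status() {
    # args: one or more include directories; prints dnet | dumbnet | none
    for d in "$@"; do
        [ -f "$d/dnet.h" ] && { echo dnet; return 0; }
    done
    for d in "$@"; do
        [ -f "$d/dumbnet.h" ] && { echo dumbnet; return 0; }
    done
    echo none
    return 1
}

dnet_header_fix() {
    # arg: include directory; creates dnet.h -> dumbnet.h when only dumbnet.h exists
    incdir=$1
    if [ -e "$incdir/dnet.h" ]; then
        echo "dnet.h already present in $incdir, nothing to do"
        return 0
    fi
    if [ ! -f "$incdir/dumbnet.h" ]; then
        echo "no dumbnet.h in $incdir: install libdumbnet-dev first" >&2
        return 1
    fi
    # relative link, so it stays valid if the include tree is moved or chrooted
    ln -s dumbnet.h "$incdir/dnet.h" && echo "linked $incdir/dnet.h -> dumbnet.h"
}

latest_unified2() {
    # args: spool dir, base name (e.g. snort.u2); prints the newest <base>.<epoch>
    spool=$1 base=$2 best= best_ts=0
    for f in "$spool/$base".*; do
        [ -f "$f" ] || continue
        ts=${f##*.}
        case $ts in *[!0-9]*|'') continue ;; esac   # skip snort.u2.bak and the like
        if [ "$ts" -gt "$best_ts" ]; then
            best_ts=$ts
            best=$f
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

main() {
    st=$(dnet_header_status /usr/include /usr/local/include) || true
    echo "dnet header: $st"
    case $st in
        none)    echo "  -> apt-get install libdumbnet-dev, then: sudo $0 --fix-dnet" ;;
        dumbnet) echo "  -> barnyard2 will fail on #include <dnet.h>; run: sudo $0 --fix-dnet" ;;
    esac
    if f=$(latest_unified2 /var/log/snort snort.u2); then
        echo "newest unified2 spool file: $f ($(wc -c < "$f") bytes)"
    else
        echo "no snort.u2.* in /var/log/snort: check the output unified2 line, -i and ownership"
    fi
}

case "${1:-}" in
    --check)    main ;;
    --fix-dnet) dnet_header_fix /usr/include ;;
esac
```

Run "sh snort_preflight.sh --check" before configuring barnyard2, and "sudo sh snort_preflight.sh --fix-dnet" if it reports dumbnet. A zero-byte spool file is normal right after Snort starts; a missing one means the output unified2 line, the interface or the snort user's write access to /var/log/snort is wrong, and barnyard2 has nothing to read no matter how the database grant is set.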
Current thread:
- Snort/barnyard2 Install Mike Hendrie (Aug 29)
- Re: Snort/barnyard2 Install James Lay (Aug 29)
- Re: Snort/barnyard2 Install Davison, Charles Robert (Aug 29)
- Message not available
- Re: Snort/barnyard2 Install Davison, Charles Robert (Aug 29)
- Message not available
