Network Intrusion Detection System

Snort is one of the more difficult packages I've had to deal with. There are many HOW-TO's and documents out on the Internet, but most don't match the Ubuntu 12.04 LTS Server (64 bit) environment perfectly.

This is just one of many HOW-TO's you will find on the Internet on loading Snort. The procedures in this HOW-TO have been tested several times on a Ubuntu 12.04 LTS 64-bit load. We start our procedure after a clean installation of Ubuntu as outlined in the procedure on this web site.
The modifications needed are based on the fact that the initial Ubuntu load has its network configured by DHCP. In the end, this server will need two Network Interface Cards (NICs): one NIC will need to be in promiscuous mode to "sniff" all the network traffic, and the other NIC will need to be assigned a static Internet Protocol (IP) address so you can review the reports.

Although the title of the HOW-TO is "Snort", this HOW-TO also includes the installation and configuration of Barnyard2, Snort Report and Basic Analysis and Security Engine (BASE), as well as other supporting packages such as JpGraph and the Data Acquisition API.

The current load date is October 6, 2012. What the load date indicates is the last date the procedures were tested. Periodically we "rebuild" the system (from scratch) within a Virtual Machine (VM) to ensure the procedures work as described. I always start with a fresh load of Ubuntu 12.04 LTS Server (64-bit) and update the server with the update/upgrade commands.

Overview:

  1. Build a baseline Ubuntu 12.04 server
  2. Install Additional Packages
  3. Update the Baseline server
  4. Download and Install JpGraph
  5. Download and Install Snort Report 1.3.3
  6. Download, Compile and Install Data Acquisition library for packet I/O
  7. Download and Install dumb networking library (libdnet)
  8. Download, Compile and Install Snort
  9. Download and Install Snort Rules
  10. Download, Compile and Install Barnyard2 2.10
  11. Create MySql Database and Schema
  12. Download Install BASE 1.4.5 (Basic Analysis and Security Engine)
  13. Download and Install PHP-Image support
  14. Download Install ADOdb (database abstraction library for PHP)
  15. Configure Snort Files
  16. Configure Barnyard2 Files
  17. Configure PHP5 Files
  18. Configure Snort Report Configuration File
  19. Configure BASE 1.4.5 (Basic Analysis and Security Engine) Configuration File
  20. Modify Interface file
  21. Reboot System
  22. Test Snort
  23. Setting Up Start Up Files

 


1.  Build a baseline Ubuntu 12.04 server:
Ubuntu 12.04 Baseline load (See Baseline Load Procedures)


2.  Install Additional Packages:
Log into the server with ssh (PuTTY).
sudo aptitude install nmap
sudo aptitude install nbtscan
sudo aptitude install apache2
sudo aptitude install php5
sudo aptitude install php5-mysql
sudo aptitude install php5-gd
sudo aptitude install libpcap0.8-dev
sudo aptitude install libpcre3-dev
sudo aptitude install g++
sudo aptitude install bison
sudo aptitude install flex
sudo aptitude install libpcap-ruby
sudo aptitude install make
sudo aptitude install autoconf
sudo aptitude install libtool
sudo aptitude install mysql-server
sudo aptitude install libmysqlclient-dev
sudo aptitude install php-pear


Or, if you prefer, you can do all the installations with one command line:

sudo aptitude install nmap nbtscan apache2 php5 php5-mysql php5-gd \
libpcap0.8-dev libpcre3-dev g++ bison flex libpcap-ruby make \
autoconf libtool mysql-server libmysqlclient-dev php-pear


3. Update the Baseline server:
sudo aptitude update
sudo aptitude upgrade
sudo shutdown -r now (Reboots. This is not always needed; however, to be on the safe side and to ensure all updates that impact services are restarted, just reboot.)
Once the system finishes rebooting, log back into the server with ssh (PuTTY).


4.  Download and Install JpGraph:
Log into the server with ssh (PuTTY).
sudo wget http://hem.bredband.net/jpgraph/jpgraph-1.27.1.tar.gz
sudo mkdir /var/www/jpgraph
sudo tar zxvf jpgraph-1.27.1.tar.gz
sudo cp -r jpgraph-1.27.1/src /var/www/jpgraph/


5.  Download and Install Snort Report 1.3.3:
sudo wget http://www.symmetrixtech.com/ids/snortreport-1.3.3.tar.gz
sudo tar zxvf snortreport-1.3.3.tar.gz -C /var/www/


6.  Download, Compile and Install Data Acquisition library for packet I/O:
sudo wget http://www.snort.org/downloads/1850 -O daq-1.1.1.tar.gz
sudo tar zxvf daq-1.1.1.tar.gz
cd daq-1.1.1
sudo ./configure
sudo make
sudo make install
cd


7.  Download and Install dumb networking library (libdnet):
sudo wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
sudo tar zxvf libdnet-1.12.tgz
cd libdnet-1.12/
sudo ./configure
sudo make
sudo make install
sudo ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1
cd


8.  Download, Compile and Install Snort:
sudo wget http://www.snort.org/downloads/1862 -O snort-2.9.3.1.tar.gz
sudo tar zxvf snort-2.9.3.1.tar.gz
cd snort-2.9.3.1
sudo ./configure --prefix=/usr/local/snort --enable-sourcefire
sudo make
sudo make install
sudo mkdir /var/log/snort
sudo mkdir /var/snort
sudo groupadd snort
sudo useradd -g snort snort
sudo chown snort:snort /var/log/snort

cd


9.  Download and Install Snort Rules:
Note: There are two ways to download Snort rules. The first way is to log into the snort.org web site, download the tarball to your local computer, then transfer the tarball from your local computer to the Ubuntu server. The second way to download the Snort rules is with wget, but you will need to provide your "Oinkcode". Only Subscribers and Registered Users can download the Snort rules. When you register or subscribe, you will be assigned an "Oinkcode". In this example we will be using wget with a registered user Oinkcode:

sudo wget http://www.snort.org/reg-rules/snortrules-snapshot-2931.tar.gz/<Enter Your oinkcode here> \
-O snortrules-snapshot-2931.tar.gz


sudo tar zxvf snortrules-snapshot-2931.tar.gz -C /usr/local/snort
sudo ln -s /usr/local/snort/so_rules/precompiled/Ubuntu-12-04/x86-64/2.9.3.1 /usr/local/snort/lib/snort_dynamicrules
sudo touch /usr/local/snort/rules/white_list.rules
sudo touch /usr/local/snort/rules/black_list.rules
sudo ldconfig
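Passing the Oinkcode on the wget command line, as in the step above, leaves it in the shell history and in ps output while the download runs. The following is an added example (not one of the HOW-TO's own commands) that reads the Oinkcode from a file only its owner can read and builds the same download URL from it. The URL pattern and tarball name are the HOW-TO's; the file location ($HOME/.oinkcode), the mode-600 rule and the hexadecimal-only format check are this example's assumptions.

```shell
#!/bin/sh
# Added example, not one of the HOW-TO's own commands: read the Oinkcode from
# a file that only its owner can read and build the rule-snapshot URL from
# it, so the code is not typed on the command line (where it is kept in the
# shell history and visible in ps output while wget runs). The URL pattern
# and tarball name are the HOW-TO's; the file location, the mode-600 rule
# and the hex-only format check are this example's assumptions.

OINK_FILE=${OINK_FILE:-$HOME/.oinkcode}      # assumed location
RULES_TAR=snortrules-snapshot-2931.tar.gz    # from the HOW-TO, step 9

# oinkcode_url FILE: print the download URL for the Oinkcode stored in FILE.
# Prints nothing and returns 1 if FILE is missing, if group or other can
# access it, or if it does not contain a single hexadecimal token.
oinkcode_url() {
  f=$1
  [ -f "$f" ] || { echo "no Oinkcode file: $f" >&2; return 1; }
  # columns 5-10 of "ls -l" are the group and other permission bits
  case $(ls -l "$f" | cut -c5-10) in
    ------) ;;
    *) echo "$f is accessible to others; run: chmod 600 $f" >&2; return 1 ;;
  esac
  code=$(tr -d ' \t\r\n' < "$f")
  case $code in
    "" | *[!0-9A-Fa-f]*) echo "$f does not hold a hexadecimal Oinkcode" >&2; return 1 ;;
  esac
  printf 'http://www.snort.org/reg-rules/%s/%s\n' "$RULES_TAR" "$code"
}

# fetch_rules: the HOW-TO's wget, fed from oinkcode_url. -nv keeps the
# progress chatter (which repeats the URL) out of the terminal and logs.
fetch_rules() {
  url=$(oinkcode_url "$OINK_FILE") || return 1
  wget -nv "$url" -O "$RULES_TAR"
}

# Only download when invoked as: sh oinkfetch.sh fetch
if [ "${1:-}" = fetch ]; then
  fetch_rules
fi
```

Create the file once with `umask 077; echo YOUR_OINKCODE > ~/.oinkcode` and then run the script with the `fetch` argument (under sudo if you keep the HOW-TO's habit of downloading as root, in which case the file belongs under root's home). The remaining steps (tar, ln -s, touch, ldconfig) are unchanged.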


10.  Download, Compile and Install Barnyard2 2.10:

sudo wget https://nodeload.github.com/firnsy/barnyard2/tarball/master \
-O barnyard2-2.10.tar.gz
sudo tar zxvf barnyard2-2.10.tar.gz
cd firnsy-barnyard2-2f5d496
sudo autoreconf -fvi -I ./m4
sudo ./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
sudo make
sudo make install
sudo cp etc/barnyard2.conf /usr/local/snort/etc
sudo mkdir /var/log/barnyard2
sudo chmod 666 /var/log/barnyard2
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort:snort /var/log/snort/barnyard2.waldo
cd


11.  Create MySql Database and Schema:
cd firnsy-barnyard2-2f5d496
echo "create database snort;" | mysql -u root -p
mysql -u root -p -D snort < ./schemas/create_mysql
echo "grant create, insert, select, delete, update on snort.* to snort@localhost \
identified by 'SNORTPASSWORD'" | mysql -u root -p
cd


12.  Download Install BASE 1.4.5 (Basic Analysis and Security Engine):
sudo wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz/download -O base-1.4.5.tar.gz
sudo tar zxvf base-1.4.5.tar.gz -C /var/www/
cd /var/www
sudo mv base-1.4.5 base
sudo chown -R www-data:www-data /var/www
cd


13.  Download and Install PHP-Image support:
sudo pear install Image_Color-alpha
sudo pear install Image_Canvas-alpha
sudo pear install Image_Graph-alpha
sudo pear install Numbers_Roman-alpha
sudo pear install Numbers_Words-alpha
sudo ln -s /usr/share/fonts/truetype/ttf-dejavu/ /usr/share/php/Image/Canvas/Fonts


14.  Download Install ADOdb (database abstraction library for PHP):
sudo wget http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-518-for-php5/adodb518a.tgz/download -O adodb518a.tgz
sudo tar zxvf adodb518a.tgz -C /var/www/


15.  Configure Snort Files:
sudo vi /usr/local/snort/etc/snort.conf

Change Lines 113, 114 From:
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules

To:
var WHITE_LIST_PATH /usr/local/snort/rules
var BLACK_LIST_PATH /usr/local/snort/rules


Change Lines 247, 250 and 253 From:
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules

To:
dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules


Change Line 520 From:
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

To:
output unified2: filename snort.u2, limit 128


16.  Configure Barnyard2 Files:
sudo vi /usr/local/snort/etc/barnyard2.conf

Change lines 27, 28, 29 and 30 from:
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map

To:
config reference_file: /usr/local/snort/etc/reference.config
config classification_file: /usr/local/snort/etc/classification.config
config gen_file: /usr/local/snort/etc/gen-msg.map
config sid_file: /usr/local/snort/etc/sid-msg.map


Change lines 58 and 59 from:
#config hostname: thor
#config interface: eth0

To:
config hostname: localhost
config interface: eth1


Change line 335 from:
# output database: log, mysql, user=root password=test dbname=db host=localhost

To:
output database: log, mysql, user=snort password=SNORTPASSWORD dbname=snort host=localhost


17.  Configure PHP5 Files:
sudo vi /etc/php5/apache2/php.ini

Change line 521 from:
error_reporting = E_ALL & ~E_DEPRECATED

To:
error_reporting = E_ALL & ~E_DEPRECATED


18.  Configure Snort Report Configuration File:
sudo vi /var/www/snortreport-1.3.3/srconf.php

Change line 31 from:
$pass = "YOURPASS";

To:
$pass = "SNORTPASSWORD";


19.  Configure BASE 1.4.5 (Basic Analysis and Security Engine) Configuration File:
sudo cp /var/www/base/base_conf.php.dist /var/www/base/base_conf.php
sudo vi /var/www/base/base_conf.php


Change line 50 from:
$BASE_urlpath = '';

To:
$BASE_urlpath = '/base';

Change line 80 from:
$DBlib_path = '';

To:
$DBlib_path = '/var/www/adodb5';

Modify lines 102, 103, 104, 105 and 106 from:
$alert_dbname = 'snort_log';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'mypassword';

To:
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'SNORTPASSWORD';
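The edits in steps 15 and 16 are given by line number, and those numbers move between Snort and Barnyard2 releases; an edit that lands on the wrong line leaves the old /usr/local/lib paths in place and Snort refuses to start. The following added example (not the HOW-TO's own commands) makes the same changes with sed keyed on the directive names and then verifies the result with grep. The install prefix, interface name and the SNORTPASSWORD placeholder follow the HOW-TO; the short configuration fragments inside demo are constructed from the "From:" lines above so the script can be run on its own before touching the real files.

```shell
#!/bin/sh
# Added example, not the HOW-TO's own commands: apply the snort.conf and
# barnyard2.conf edits from steps 15 and 16 with sed keyed on the directive
# names, then verify the result with grep, instead of editing by line number.
# Install prefix, interface name and the SNORTPASSWORD placeholder follow
# the HOW-TO; the configuration fragments in demo are constructed samples.

SNORT_HOME=/usr/local/snort

# patch_snort_conf FILE: rewrite the six directives of step 15 in FILE.
# Each expression matches the directive name, so a second run is a no-op.
patch_snort_conf() {
  f=$1
  sed \
    -e "s|^var WHITE_LIST_PATH .*|var WHITE_LIST_PATH $SNORT_HOME/rules|" \
    -e "s|^var BLACK_LIST_PATH .*|var BLACK_LIST_PATH $SNORT_HOME/rules|" \
    -e "s|^dynamicpreprocessor directory .*|dynamicpreprocessor directory $SNORT_HOME/lib/snort_dynamicpreprocessor/|" \
    -e "s|^dynamicengine .*|dynamicengine $SNORT_HOME/lib/snort_dynamicengine/libsf_engine.so|" \
    -e "s|^dynamicdetection directory .*|dynamicdetection directory $SNORT_HOME/lib/snort_dynamicrules|" \
    -e "s|^# *output unified2: filename merged.log.*|output unified2: filename snort.u2, limit 128|" \
    "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# patch_barnyard2_conf FILE PASSWORD IFACE: the step 16 edits.
patch_barnyard2_conf() {
  f=$1; pw=$2; iface=$3
  sed \
    -e "/^config [a-z_]*_file: /s|/etc/snort/|$SNORT_HOME/etc/|" \
    -e "s|^#config hostname: .*|config hostname: localhost|" \
    -e "s|^#config interface: .*|config interface: $iface|" \
    -e "s|^# *output database: log, mysql.*|output database: log, mysql, user=snort password=$pw dbname=snort host=localhost|" \
    "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# verify_snort_conf FILE: 0 only if every step-15 line is present and no
# dynamic* directive still points at /usr/local/lib.
verify_snort_conf() {
  f=$1
  grep -q "^var WHITE_LIST_PATH $SNORT_HOME/rules\$" "$f" &&
  grep -q "^var BLACK_LIST_PATH $SNORT_HOME/rules\$" "$f" &&
  grep -q "^dynamicpreprocessor directory $SNORT_HOME/lib/snort_dynamicpreprocessor/\$" "$f" &&
  grep -q "^dynamicengine $SNORT_HOME/lib/snort_dynamicengine/libsf_engine.so\$" "$f" &&
  grep -q "^dynamicdetection directory $SNORT_HOME/lib/snort_dynamicrules\$" "$f" &&
  grep -q "^output unified2: filename snort.u2, limit 128\$" "$f" &&
  ! grep -q "^dynamic.* /usr/local/lib/" "$f"
}

# verify_barnyard2_conf FILE PASSWORD IFACE: 0 only if all four map files,
# hostname, interface and the database output line were rewritten.
verify_barnyard2_conf() {
  f=$1; pw=$2; iface=$3
  [ "$(grep -c "^config [a-z_]*_file: $SNORT_HOME/etc/" "$f")" -eq 4 ] &&
  grep -q "^config hostname: localhost\$" "$f" &&
  grep -q "^config interface: $iface\$" "$f" &&
  grep -q "^output database: log, mysql, user=snort password=$pw dbname=snort host=localhost\$" "$f" &&
  ! grep -q "/etc/snort/" "$f"
}

# demo: patch constructed fragments of both files twice (the second pass
# must change nothing) and verify them. Returns 0 on success.
demo() {
  d=$(mktemp -d)
  cat > "$d/snort.conf" <<'EOF'
var RULE_PATH ../rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
# unified2
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
EOF
  cat > "$d/barnyard2.conf" <<'EOF'
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
#config hostname: thor
#config interface: eth0
# output database: log, mysql, user=root password=test dbname=db host=localhost
EOF
  patch_snort_conf "$d/snort.conf" &&
  patch_barnyard2_conf "$d/barnyard2.conf" SNORTPASSWORD eth1 &&
  patch_snort_conf "$d/snort.conf" &&
  patch_barnyard2_conf "$d/barnyard2.conf" SNORTPASSWORD eth1 &&
  verify_snort_conf "$d/snort.conf" &&
  verify_barnyard2_conf "$d/barnyard2.conf" SNORTPASSWORD eth1
  rc=$?
  rm -rf "$d"
  return $rc
}

demo && echo "snort.conf and barnyard2.conf patched and verified"
```

On the real system, call `patch_snort_conf /usr/local/snort/etc/snort.conf` and `patch_barnyard2_conf /usr/local/snort/etc/barnyard2.conf SNORTPASSWORD eth1` under sudo, then run the two verify functions; a non-zero return means one of the directives was not found and the file needs a look by hand. The same name-keyed approach works for the srconf.php and base_conf.php edits of steps 18 and 19.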


20.  Modify Interface file:
Add the following to the interface file:
sudo vi /etc/network/interfaces

auto eth1
iface eth1 inet manual


21.  Reboot System:
sudo shutdown -r now


22.  Test Snort:
Log into the server with ssh (PuTTY).
sudo ifconfig eth1 up
sudo /usr/local/snort/bin/snort -u snort -g snort \
-c /usr/local/snort/etc/snort.conf -i eth1


23. Setting Up Start Up Files:
sudo vi /etc/rc.local

Before the "exit 0", add the following:
ifconfig eth1 up
/usr/local/snort/bin/snort -D -u snort -g snort \
-c /usr/local/snort/etc/snort.conf -i eth1

/usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf \
-G /usr/local/snort/etc/gen-msg.map \
-S /usr/local/snort/etc/sid-msg.map \
-d /var/log/snort \
-f snort.u2 \
-w /var/log/snort/barnyard2.waldo \
-D
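The rc.local lines above start both daemons unconditionally, so a missing map file, a rules change that no longer parses, or a second copy of snort started by hand goes unnoticed until someone wonders why BASE shows no alerts. The following is an added example (not the HOW-TO's own rc.local lines): the same two commands wrapped in checks. Paths, user, group and interface are the HOW-TO's; the check logic is this example's, and it relies on snort's -T option (test the configuration and exit) and on pgrep from procps.

```shell
#!/bin/sh
# Added example, not the HOW-TO's own rc.local lines: the same two start-up
# commands wrapped in checks, so a missing file or interface, a configuration
# that fails to parse, or a daemon that is already running is reported
# instead of silently leaving the sensor without alerts. Paths, user, group
# and interface are the HOW-TO's; the checks are this example's.

SNORT_BIN=/usr/local/snort/bin/snort
SNORT_ETC=/usr/local/snort/etc
SNORT_CONF=$SNORT_ETC/snort.conf
BY2_BIN=/usr/local/bin/barnyard2
BY2_CONF=$SNORT_ETC/barnyard2.conf
LOGDIR=/var/log/snort
WALDO=$LOGDIR/barnyard2.waldo
IFACE=eth1

# check_files SNORT_CONF BY2_CONF LOGDIR WALDO: 0 only if both configuration
# files and the waldo bookmark exist and the log directory is present;
# every missing item is named on stderr.
check_files() {
  missing=0
  for f in "$1" "$2" "$4"; do
    [ -f "$f" ] || { echo "missing file: $f" >&2; missing=1; }
  done
  [ -d "$3" ] || { echo "missing log directory: $3" >&2; missing=1; }
  return $missing
}

# iface_exists NAME: the kernel lists every interface under /sys/class/net
iface_exists() { [ -d "/sys/class/net/$1" ]; }

# running NAME: 0 if a process with exactly that name exists
running() { pgrep -x "$1" >/dev/null 2>&1; }

start_sensor() {
  check_files "$SNORT_CONF" "$BY2_CONF" "$LOGDIR" "$WALDO" || return 1
  iface_exists "$IFACE" || { echo "no such interface: $IFACE" >&2; return 1; }
  # parse snort.conf and the rules before daemonising; -T exits after the test
  "$SNORT_BIN" -T -u snort -g snort -c "$SNORT_CONF" -i "$IFACE" > "$LOGDIR/snort-test.log" 2>&1 \
    || { echo "snort.conf failed validation; see $LOGDIR/snort-test.log" >&2; return 1; }
  ifconfig "$IFACE" up
  if running snort; then
    echo "snort already running, not starting a second copy" >&2
  else
    "$SNORT_BIN" -D -u snort -g snort -c "$SNORT_CONF" -i "$IFACE"
  fi
  if running barnyard2; then
    echo "barnyard2 already running, not starting a second copy" >&2
  else
    "$BY2_BIN" -c "$BY2_CONF" -G "$SNORT_ETC/gen-msg.map" -S "$SNORT_ETC/sid-msg.map" \
      -d "$LOGDIR" -f snort.u2 -w "$WALDO" -D
  fi
}

# Start only when invoked as "start", e.g. from rc.local:
#   /usr/local/sbin/snort-sensor.sh start
if [ "${1:-}" = start ]; then
  start_sensor
fi
```

Save it as /usr/local/sbin/snort-sensor.sh (an assumed location), make it executable, and replace the block of commands in rc.local with the single line `/usr/local/sbin/snort-sensor.sh start`. Because the script returns non-zero on any failed check, its exit status can also be polled from cron to confirm the sensor came back after a reboot.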


If anybody finds problems with these load procedures, has suggestions or comments, please feel free to email me.
