Wednesday, 19 December 2012

Installing Snort with ETPRO rules on Ubuntu 12.04


You first need to get a base image up and running which we won't cover here.
This guide also assumes that you are already spanning relevant traffic to eth1 of your snort box

Now you need to install Snort. Generally speaking I like using the source repositories as its easier to maintain and update. So lets get going...

# sudo su -
# apt-get update
# apt-get upgrade
# apt-get install snort-mysql

When prompted for the default home range, I normally use, yours might be different but most internal networks are in the 10.x.x.x range.

When asked whether a snort database should be created, choose "Yes" as we will be logging to Snorby that will be running on a separate server but that we will configure later

I always install swatch as I use it to monitor the log files for error messages

# apt-get install swatch

Now we need to install oinkmaster that will keep snort updated

# apt-get install oinkmaster

Now we need to configure oinkmaster to use our ET PRO rules instead of the default ones

First check what version of Snort you are running

# snort -V

In my case the version is 2.9.2 as can be seen below

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.2 IPv6 GRE (Build 78)
   ''''    By Martin Roesch & The Snort Team:
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version:

Now edit the oinkmaster.conf file and add the ET Pro line like so

# vi /etc/oinkmaster.conf

Add the following line to the file

url =<etpro code goes here>/snort-2.9.2/etpro.rules.tar.gz

Next up you need to edit snort.conf to reflect your preferences. Below are the settings that I normally change, just search for them in the snort.conf file

# vi /etc/snort/snort.conf

Here are my changes:

# syslog
output alert_syslog: LOG_LOCAL7 LOG_ALERT

# pcap
#output log_tcpdump: tcpdump.log

Just before "Step #8:", I add the following

# Include the ETPRO rules
include $RULE_PATH/etpro.conf

Configure Swatch

Edit the swatch.conf file

# vi /etc/swatch.conf

Add the following line

watchfor /(ERROR)/
        mail addresses=<put your email address here>,subject=Snort FATAL Error

Starting Snort

Now I prefer starting and stopping snort via a cron script as can control exactly what is going on. So create the following script:

# vi /etc/cron.daily/5.snort

Add the following lines to the file:

#!/bin/sh -e
test -f /usr/sbin/snort || exit 0

# Kill Snort
kill -INT `cat /etc/snort/` || true

# Kill Swatch
kill -INT `cat /etc/` || true

sleep 10

# Delete log files to keep the disks clean
/bin/rm /var/log/snort/unified* || true
/bin/rm /var/log/snort/snort* || true

# Restart SYSLOG so everything is nice and clean
service rsyslog restart || true

#Run Oinkmaster
/usr/sbin/oinkmaster -C /etc/oinkmaster.conf -o /etc/snort/rules

# Start swatch
/usr/bin/swatch --config-file=/etc/swatch.conf --tail-file=/var/log/syslog --daemon --pid-file /etc/

sleep 10

# Start SNORT
/usr/sbin/snort -x -c /etc/snort/snort.conf --pid-path /etc/snort -i eth1 2>>/var/log/syslog &

exit 0

Another reason I start snort like this is also to be able to catch error messages with swatch and email it to myself which will come in very handy, trust me...

Now we run the cron file to start everything up

# /etc/cron.daily/5snort

If all goes according to plan, snort should start up and you can see the snort alerts by running

# tail -f /var/log/syslog

But things rarely go acccording to plan so you probably need to fix a few things....


Since I use swatch, I get the following error popping up on my terminal which shows something went wrong when I try and start up snort

ERROR: /etc/snort/rules/policy.rules(298) !any is not allowed: ![$DNS_SERVERS,$SMTP_SERVERS].

This means there is an unsupported option in the policy.rules file. Oinkmaster to the rescue since it can be used to modify rules as its downloaded

At the bottom of the /etc/oinkmaster.conf file, add the following line

disablesid 2003195

The above line disables the rule that is giving us trouble.

Now run the cron file again and deal with the next issue in a similar fashion

No comments:

Post a Comment

Splunk & Active Directory Password Expiry

So the other day I was asked by our IT Helpdesk if I could send them an alert when a VIP user's password is close to expiring so that th...