Prerequisites
You first need to get a base image up and running, which we won't cover here. This guide also assumes that you are already mirroring (SPANning) the relevant traffic to eth1 of your Snort box; that interface should carry no IP address of its own, so the sensor cannot be reached from the segment it is watching.
Now you need to install Snort. Generally speaking I like using the distribution's package repositories as they are easier to maintain and update (the Debian/Ubuntu snort-mysql package is used here). So let's get going...
# sudo su -
# apt-get update
# apt-get upgrade
# apt-get install snort-mysql
When prompted for the default home range (HOME_NET), I normally use 10.0.0.0/8; yours might be different, but most internal networks are in the 10.x.x.x range. Note that this answer is stored in /etc/snort/snort.debian.conf and only used by the Debian init script, which we will not be using, so HOME_NET still has to be set in snort.conf itself.
When asked whether a Snort database should be created, choose "Yes": we will be logging to Snorby, which will run on a separate server and which we will configure later.
I always install swatch, which I use to monitor the log files for error messages
# apt-get install swatch
Now we need to install oinkmaster, which will keep the Snort rule set updated
# apt-get install oinkmaster
Now we need to configure oinkmaster to use our ET PRO rules instead of the default ones.
First check which version of Snort you are running, because the ET Pro download path is version-specific
# snort -V
In my case the version is 2.9.2, as can be seen below:
,,_ -*> Snort! <*-
o" )~ Version 2.9.2 IPv6 GRE (Build 78)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2011 Sourcefire, Inc., et al.
Using libpcap version 1.1.1
Using PCRE version: 8.12 2011-01-15
Using ZLIB version: 1.2.3.4
Now edit the oinkmaster.conf file and add the ET Pro line like so
# vi /etc/oinkmaster.conf
Add the following line to the file, commenting out the default url = line so only the ET Pro tarball is fetched. The snort-2.9.2 path segment must match the version reported by snort -V. The URL also embeds your ET Pro code, which is a credential: keep the file readable by root only (chmod 600 /etc/oinkmaster.conf; it is normally world-readable like the rest of /etc) and use https if your setup allows it, since the code travels in the request.
url = http://rules.emergingthreatspro.com/<etpro code goes here>/snort-2.9.2/etpro.rules.tar.gz
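As an added sanity check (example code, not from the original post and not part of oinkmaster), the shell functions below parse the version out of the snort -V banner, pull the snort-<version> path segment out of the url line in oinkmaster.conf, and confirm the two agree before the nightly update runs; they also refuse an oinkmaster.conf that other local users can read, since the ET Pro code in that URL is a credential. The banner and config that make_demo_input writes are constructed copies, with a placeholder code of zeros, and the permission check assumes GNU stat (as on Debian/Ubuntu).

```shell
#!/bin/sh
# Added example, not from the original post: check the ET Pro/oinkmaster setup.

# Extract "2.9.2" from the banner that `snort -V` prints.
# $1 = file holding the banner (save it with: snort -V 2>&1 > /tmp/banner)
snort_version_from_banner() {
    sed -n 's/.*Version \([0-9][0-9.]*[0-9]\).*/\1/p' "$1" | head -n 1
}

# Extract the <version> out of the snort-<version> segment of the url line.
# $1 = oinkmaster.conf to read
etpro_url_version() {
    sed -n 's#^[ ]*url[ ]*=.*emergingthreatspro\.com/[^/]*/snort-\([0-9.]*\)/.*#\1#p' "$1" | head -n 1
}

# Return 0 if the tarball the config points at matches the running Snort.
# A mismatch means rules written for a newer parser fail to load (or older
# rules silently miss newer options), so catch it before the cron job does.
check_etpro_version() {
    banner=$1 conf=$2
    have=$(snort_version_from_banner "$banner")
    want=$(etpro_url_version "$conf")
    [ -n "$have" ] && [ -n "$want" ] && [ "$have" = "$want" ]
}

# Return 0 only if "other" has no permission bits on the file (GNU stat).
check_conf_private() {
    case $(stat -c '%a' "$1") in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Constructed demo input: the banner from the post and a conf with a
# placeholder (all-zero) ET Pro code. Prints the directory holding them.
make_demo_input() {
    dir=$(mktemp -d)
    cat >"$dir/banner" <<'EOF'
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.2 IPv6 GRE (Build 78)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
EOF
    cat >"$dir/oinkmaster.conf" <<'EOF'
# placeholder ET Pro code below (constructed for the example, not a real one)
url = http://rules.emergingthreatspro.com/0000000000000000/snort-2.9.2/etpro.rules.tar.gz
EOF
    chmod 600 "$dir/oinkmaster.conf"
    printf '%s\n' "$dir"
}

# Usage against the real files:
#   snort -V 2>&1 >/tmp/banner
#   check_etpro_version /tmp/banner /etc/oinkmaster.conf || echo "version mismatch"
#   check_conf_private /etc/oinkmaster.conf || echo "oinkmaster.conf is world-readable"
```

Run the two checks from the cron script before calling oinkmaster and bail out on failure; a rule tarball for the wrong version is the most common reason a fresh install refuses to start.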
Next up you need to edit snort.conf to reflect your preferences. Below are the settings that I normally change; just search for them in the snort.conf file. Also make sure Step #1 sets ipvar HOME_NET to your real range (the debconf answer above is not written to snort.conf, which ships with HOME_NET as "any"): $DNS_SERVERS, $SMTP_SERVERS and friends default to $HOME_NET, and rules that negate them will not load while that resolves to "any".
# vi /etc/snort/snort.conf
Here are my changes:
# syslog
output alert_syslog: LOG_LOCAL7 LOG_ALERT
# pcap
#output log_tcpdump: tcpdump.log
Just before "Step #8:" (that is, at the end of the Step #7 rule includes) I add the following
# Include the ETPRO rules
include $RULE_PATH/etpro.conf
Configure Swatch
Edit the swatch.conf file
# vi /etc/swatch.conf
Add the following lines. Note that the pattern matches any line in the tailed file that contains ERROR, whatever process wrote it, so expect the occasional unrelated mail; Snort's own start-up errors show up there because its stderr is appended to syslog.
watchfor /(ERROR)/
echo=red
mail addresses=<put your email address here>,subject=Snort FATAL Error
Starting Snort
Now I prefer starting and stopping Snort via a cron script, as I can control exactly what is going on. The file name must not contain a dot: cron runs /etc/cron.daily through run-parts, which silently skips any file whose name has characters other than letters, digits, underscore and hyphen. So create the following script:
# vi /etc/cron.daily/5snort
Add the following lines to the file:
#!/bin/sh -e
# Daily restart of Snort with freshly pulled ET Pro rules. Steps that may fail
# on a first run end in "|| true" so a missing pid file or log file does not
# abort the script under "sh -e".
test -f /usr/sbin/snort || exit 0
PATH=/bin:/usr/bin:/sbin:/usr/sbin
# Stop Snort (SIGINT lets it flush and close its log files cleanly)
kill -INT "$(cat /etc/snort/snort_eth1.pid)" || true
# Stop Swatch
kill -INT "$(cat /etc/swatch.pid)" || true
sleep 10
# Delete log files to keep the disks clean. Skip this if anything still
# needs to read them, e.g. a unified2 consumer that feeds Snorby.
/bin/rm /var/log/snort/unified* || true
/bin/rm /var/log/snort/snort* || true
# Restart SYSLOG so everything is nice and clean
service rsyslog restart || true
# Run Oinkmaster: fetch the ET Pro tarball and unpack it into the rules directory
/usr/sbin/oinkmaster -C /etc/oinkmaster.conf -o /etc/snort/rules
# Start swatch first so it is already tailing syslog when Snort logs a start-up ERROR
/usr/bin/swatch --config-file=/etc/swatch.conf --tail-file=/var/log/syslog --daemon --pid-file /etc/swatch.pid
sleep 10
# Start Snort. -x makes it exit rather than limp on if the configuration has
# problems; stderr is appended to syslog so swatch sees the message.
/usr/sbin/snort -x -c /etc/snort/snort.conf --pid-path /etc/snort -i eth1 2>>/var/log/syslog &
exit 0
Another reason I start Snort like this is to be able to catch error messages with swatch and have them emailed to myself, which will come in very handy, trust me... One caveat: started this way Snort runs as root. Once /var/log/snort is writable by the snort user and group that the package created, add -u snort -g snort to the snort line so it drops privileges after initialisation, and check that it can still write its pid file and logs afterwards.
Now make the script executable (chmod 755 /etc/cron.daily/5snort) and run it to start everything up
# /etc/cron.daily/5snort
If all goes according to plan, Snort should start up and you can watch the alerts arrive in syslog by running
# tail -f /var/log/syslog
But things rarely go according to plan, so you will probably need to fix a few things...
Troubleshooting
Since I use swatch, the following error pops up on my terminal, which shows something went wrong when I try to start up Snort:
ERROR: /etc/snort/rules/policy.rules(298) !any is not allowed: ![$DNS_SERVERS,$SMTP_SERVERS].
Snort refuses a negated address list when a variable in it resolves to "any". $DNS_SERVERS and $SMTP_SERVERS default to $HOME_NET in snort.conf, and HOME_NET is "any" there unless you changed it, so that is the usual cause: setting ipvar HOME_NET (and the server variables) to real ranges lets the rule load. If you would rather just drop the rule, oinkmaster can modify rules as they are downloaded.
At the bottom of the /etc/oinkmaster.conf file, add the following line
disablesid 2003195
The above line disables the rule (SID 2003195) that is giving us trouble, and oinkmaster keeps it disabled on every subsequent update.
Now run the cron file again and deal with the next issue in the same way
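To save repeating that loop by hand, here is an added shell example (not from the original post) that reads Snort's ERROR: <file>(<line>) messages out of a log, looks up the rule on that line of the named rules file, and prints the matching oinkmaster disablesid line. The rules file and syslog extract that make_demo_input writes are constructed in a temporary directory, with placeholder rule text and SIDs; the function assumes the rule files named in the messages are readable at the path the message gives, as they are when you run it on the sensor itself.

```shell
#!/bin/sh
# Added example, not from the original post: turn Snort rule-parse errors
# into oinkmaster "disablesid" lines.

# Print "disablesid <sid>" for every distinct rule-file error in a log.
# $1 = log file to scan (e.g. /var/log/syslog on the sensor)
# Lines whose rule has no sid (or whose file is unreadable) go to stderr.
snort_errors_to_disablesid() {
    grep -o 'ERROR: [^ ]*\.rules([0-9]*)' "$1" | sort -u |
    while IFS= read -r hit; do
        file=${hit#"ERROR: "}     # strip the prefix ...
        file=${file%(*}           # ... and the "(line)" suffix
        line=${hit##*(}           # keep what follows the last "(" ...
        line=${line%)}            # ... minus the closing ")"
        rule=$(sed -n "${line}p" "$file" 2>/dev/null)
        sid=$(printf '%s\n' "$rule" | sed -n 's/.*[ ;(]sid:[ ]*\([0-9][0-9]*\).*/\1/p')
        if [ -n "$sid" ]; then
            printf 'disablesid %s\n' "$sid"
        else
            printf 'no sid found at %s line %s: %s\n' "$file" "$line" "$rule" >&2
        fi
    done
}

# Constructed demo input: a stand-in policy.rules (the failing rule on line 3)
# and a syslog extract carrying the error from the post, rewritten to point at
# the stand-in file. Prints the directory holding them.
make_demo_input() {
    dir=$(mktemp -d)
    mkdir -p "$dir/rules"
    cat >"$dir/rules/policy.rules" <<'EOF'
# constructed stand-in for /etc/snort/rules/policy.rules
alert tcp $HOME_NET any -> any 25 (msg:"ET POLICY demo rule 1"; sid:2000001; rev:1;)
alert tcp ![$DNS_SERVERS,$SMTP_SERVERS] any -> any 53 (msg:"ET POLICY demo rule 2"; sid:2003195; rev:3;)
EOF
    cat >"$dir/syslog" <<EOF
Jan  1 00:00:01 sensor snort[1234]: Initializing rule chains...
ERROR: $dir/rules/policy.rules(3) !any is not allowed: ![\$DNS_SERVERS,\$SMTP_SERVERS].
Fatal Error, Quitting..
EOF
    printf '%s\n' "$dir"
}

# Usage on the sensor after a failed start:
#   snort_errors_to_disablesid /var/log/syslog >> /etc/oinkmaster.conf
```

Review the output before appending it to oinkmaster.conf: a rule that fails to parse because HOME_NET is still "any" is better fixed in snort.conf than silenced, and disabling it hides whatever traffic it was meant to catch.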