Installing Snort, SnortReport and Oinkmaster on Ubuntu 10.04

The majority of this guide was borrowed from:
David Gullett
Published: February 14, 2011
Version: 1.0
Copyright 2011, Symmetrix Technologies

http://www.symmetrixtech.com

Assumptions:

1. You already have Ubuntu 10.04 installed.
2. All commands will be run as root.
3. You will check for the latest versions of any downloaded software.

ssh into your snort box and update your system:

apt-get update
apt-get dist-upgrade
shutdown -r now

Log in again:

apt-get install nmap nbtscan apache2 mysql-server php5 php5-mysql php5-gd libpcap0.8-dev libpcre3-dev g++ bison flex libpcap-ruby
apt-get install libmysqlclient16-dev

(mysql-server is added to the list here because the database steps below assume a local MySQL server whose root password you chose during installation.)

2. Snort Report
Download and Install JpGraph (Optional)
This step is not required – it’s only to provide the graphics library for the pie chart on the main page of Snort
Report. As of this writing, the current “old” version of JpGraph is 1.27.1. Even though the documentation says
this version will not work on PHP5 it does have enough functionality for our purposes. You can download it at
this location: http://hem.bredband.net/jpgraph/jpgraph-1.27.1.tar.gz
Download that file to a directory on your Snort machine and unpack it with the following commands:
wget http://hem.bredband.net/jpgraph/jpgraph-1.27.1.tar.gz
mkdir /var/www/jpgraph
tar zxvf jpgraph-1.27.1.tar.gz
cp -r jpgraph-1.27.1/src /var/www/jpgraph/

Download and Set up Snort Report
The next step is to download and configure Snort Report. It’s available at http://www.symmetrixtech.com under
the downloads section.

wget http://www.symmetrixtech.com/ids/snortreport-1.3.2.tar.gz
tar zxvf snortreport-1.3.2.tar.gz
cp -r snortreport-1.3.2 /var/www/snortreport

Now we need to modify the Snort Report configuration file to reflect your MySQL login info and location of the
jpgraph libraries. Change the file by editing srconf.php with this command:

vim /var/www/snortreport/srconf.php

Change database values as required.

Save the file and exit.

3. Snort
Download and Install the Data Acquisition API
Snort 2.9.0 introduces the new Data Acquisition API. We’ll need to download and install it before we set up the
core Snort package.

Download DAQ.

wget http://www.snort.org/downloads/1221 -O daq-0.6.2.tar.gz
tar zxvf daq-0.6.2.tar.gz
cd daq-0.6.2
./configure
make
make install
ldconfig

Download and Install libdnet
There are Ubuntu packages for libdnet but this is an easier method of installation. Download the following file
(http://libdnet.googlecode.com/files/libdnet-1.12.tgz) and install it with these commands from your download
directory:
tar zxvf libdnet-1.12.tgz
cd libdnet-1.12/
./configure
make
make install
ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1

Download and Install Snort
While we could install the Snort packages from the Ubuntu 10.04 repositories, that doesn’t guarantee the latest
and greatest version of Snort being set up so we’re going to compile and install the source code. Open
http://www.snort.org/snort-downloads with your browser and download the newest stable version (the following steps will install Snort into /usr/local/snort but you can change this to a directory of your liking by modifying the paths below.).

wget http://www.snort.org/downloads/1207 -O snort-2.9.1.2.tar.gz

tar zxvf snort-2.9.1.2.tar.gz
cd snort-2.9.1.2
./configure --prefix=/usr/local/snort --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3

make && make install
mkdir /var/log/snort
groupadd snort
useradd -g snort snort
chown snort:snort /var/log/snort

You’ll have to enter the MySQL password that you chose earlier in the next two steps in order to create the Snort
database:
mysql -u root -p
create database snort;
quit;

mysql -u root -p -D snort < ./schemas/create_mysql

Next we need to create an additional MySQL user for Snort to use, since it's not a good idea to let the daemon
connect as root. Remember the password that you enter below, and note the single quotes around the password:

mysql -u root -p
grant create, insert, select, delete, update on snort.* to snort@localhost identified by 'YOURPASSWORD';
quit;

Download the latest Snort rules. Log into www.snort.org to find the version number of the rules snapshot that matches the version of Snort you downloaded.

wget http://www.snort.org/reg-rules// -O

tar zxvf snort-rules-snapshot-xxxx.tar.gz -C /usr/local/snort
mkdir /usr/local/snort/lib/snort_dynamicrules
cp /usr/local/snort/so_rules/precompiled/Ubuntu-10-4/i386/2.9.0.4/* /usr/local/snort/lib/snort_dynamicrules

(The precompiled so_rules directory must match the Snort version and architecture you built; check what the snapshot actually contains under so_rules/precompiled before copying.)

Download and Install Barnyard2
Barnyard2 improves the efficiency of Snort by reducing the load on the main detection engine. It reads Snort’s
unified logging output files and enters them into a database. If the database is unavailable Barnyard will input all
data when the database comes back online so no alerts will be lost.

Barnyard2 can be found at http://www.securixlive.com/download/barnyard2/

wget http://www.securixlive.com/download/barnyard2/barnyard2-1.8.tar.gz
tar zxvf barnyard2-1.8.tar.gz
cd barnyard2-1.8
./configure --with-mysql
make
make install
cp etc/barnyard2.conf /usr/local/snort/etc
mkdir /var/log/barnyard2
chown snort:snort /var/log/barnyard2
touch /var/log/snort/barnyard2.waldo
chown snort:snort /var/log/snort/barnyard2.waldo

Modify the Barnyard2 configuration file with the following command:
vim /usr/local/snort/etc/barnyard2.conf

Change the following lines from this:
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
#config hostname: thor
#config interface: eth0
#output database: log, mysql, user=root password=test dbname=db host=localhost
To this (use your MySQL password instead of YOURPASSWORD on the database line below; the interface is the one Snort listens on, eth0 throughout this guide):
config reference_file: /usr/local/snort/etc/reference.config
config classification_file: /usr/local/snort/etc/classification.config
config gen_file: /usr/local/snort/etc/gen-msg.map
config sid_file: /usr/local/snort/etc/sid-msg.map
config hostname: localhost
config interface: eth0
output database: log, mysql, user=snort password=YOURPASSWORD dbname=snort host=localhost
output alert_syslog: LOCAL5 LOG_AUTH LOG_INFO

Save and exit

Outputting to LOCAL5 will allow us to use rsyslog to forward to an external syslog server.

Configuring and Running Snort
Let’s configure Snort and start capturing data.
Edit the Snort configuration file with the following command:
vim /usr/local/snort/etc/snort.conf

We need to change the following lines from this:
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
to this:
dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules
Below this line (this is to output the unified2 logs for Barnyard):
#output unified2: filename merged.log, limit 128, nostamp, \
mpls_event_types, vlan_event_types
Add this line:
output unified2: filename snort.u2, limit 128

Save the file and exit back to the command prompt.
Testing Snort
You can test to see if Snort will run by using this command:

/usr/local/snort/bin/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0

You should see a message saying “Commencing packet processing.” You can cancel out of it by hitting Control-C. If it fails to initialize please see the forums at snort.org to determine the problem. It will usually be something
in the configuration file.

To set Snort to start automatically on your machine edit the rc.local file with the following command:
vim /etc/rc.local

Then paste the following content in the file (before the “exit 0” line):

ifconfig eth0 up
/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0
/usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -G /usr/local/snort/etc/gen-msg.map -S /usr/local/snort/etc/sid-msg.map -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D

Save the file and exit. This starts Snort and Barnyard2 at boot, but it gives you no convenient way to restart the services once you are logged in. To restart Snort and Barnyard2 from a login shell, create the following init scripts:

vim /etc/init.d/snort

#!/bin/sh

case "$1" in
start)
echo "starting $0..."
# /usr/local/bin/barnyard2 -d /var/log/snort -f snort.u2
/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0
echo "done."
;;
stop)
echo "stopping $0..."
killall snort
echo "done."
;;
restart)
$0 stop
$0 start
;;
*)
echo "usage: $0 (start|stop|restart)"
;;
esac

Save and exit, then make the script executable:

chmod +x /etc/init.d/snort

Snort can now be stopped and started with /etc/init.d/snort start or stop

vim /etc/init.d/barnyard2
#!/bin/sh

case "$1" in
start)
echo "starting $0..."
/usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -G /usr/local/snort/etc/gen-msg.map -S /usr/local/snort/etc/sid-msg.map -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D
echo "done."
;;
stop)
echo "stopping $0..."
killall barnyard2
echo "done."
;;
restart)
$0 stop
$0 start
;;
*)
echo "usage: $0 (start|stop|restart)"
;;
esac

Save and exit, then make the script executable:

chmod +x /etc/init.d/barnyard2

Barnyard2 can now be stopped and started with /etc/init.d/barnyard2 start or stop

To keep the snort rules up to date we need to install oinkmaster.

apt-get install oinkmaster

Run snort -V to get the version number. SMI's oinkcode is already included in the URL below: e08e11b99e3daf16313a1a93a93b9ca6859f7ca2

vim /etc/oinkmaster.conf

url=http://www.snort.org/pub-bin/oinkmaster.cgi/e08e11b99e3daf16313a1a93a93b9ca6859f7ca2/snortrules-snapshot-4DigitVersionNumber.tar.gz

(Edit snortrules-snapshot-xxxx.tar.gz in the line above to include the 4-digit version number of the Snort you are running. If it doesn't work, go to snort.org and check which is the latest rule set you can download without a subscription.)

Save and exit

Then:

cd /etc
/usr/share/oinkmaster/makesidex.pl /usr/local/snort/rules > autodisable.conf

To run oinkmaster:

oinkmaster -C /etc/oinkmaster.conf -C /etc/autodisable.conf -o /usr/local/snort/rules

To have it run automatically:

crontab -e

30 5 * * * oinkmaster -C /etc/oinkmaster.conf -C /etc/autodisable.conf -o /usr/local/snort/rules

Save and exit
This will run oinkmaster at 5:30 every morning.

To have your syslogs forwarded to an external syslog service using rsyslog do:

vim /etc/rsyslog.conf

*.* @@hostipaddress:port

To connect to a udp syslog server (less secure) remove one of the @ symbols.

/etc/init.d/rsyslog restart

If all has gone right you should be able to scan your network and see it in your syslog server as well as at http://hostname/snortreport/alert.php

To test your snort:

nmap -T4 -A -v <hostname-or-ip-address>

Now check your syslog server and/or Snort Report; you should see entries in both.
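Once the alert_syslog output above is being forwarded over rsyslog, the central syslog host receives one line per alert. The following is an added example (not part of the original guide) that parses those lines and flags a source address hitting several destination ports, which is what the nmap test above should produce; the line layout, the local SIDs and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Assumed layout of a Snort/Barnyard2 alert_syslog line as it arrives via rsyslog:
# [gid:sid:rev] msg [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sid"] = int(d["sid"])
    d["prio"] = int(d["prio"])
    return d  # sport/dport stay as strings and are None for ICMP alerts


def scan_sources(lines, min_ports=3):
    """Map each source IP to the destination ports it triggered alerts on and
    return only the sources that touched at least min_ports distinct ports."""
    ports = defaultdict(set)
    for line in lines:
        a = parse_alert(line)
        if a and a["dport"]:
            ports[a["src"]].add(int(a["dport"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


# Constructed sample syslog lines (local SIDs 1000001/1000002 are placeholders).
SAMPLE = """\
Feb 14 05:31:02 sensor barnyard2[2201]: [1:1000001:1] LOCAL SCAN NMAP SYN [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:44123 -> 10.0.0.10:22
Feb 14 05:31:02 sensor barnyard2[2201]: [1:1000001:1] LOCAL SCAN NMAP SYN [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:44124 -> 10.0.0.10:80
Feb 14 05:31:03 sensor barnyard2[2201]: [1:1000001:1] LOCAL SCAN NMAP SYN [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:44125 -> 10.0.0.10:443
Feb 14 05:31:03 sensor barnyard2[2201]: [1:1000002:1] LOCAL ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.10
Feb 14 05:31:10 sensor sshd[1999]: Accepted publickey for admin from 10.0.0.9 port 51022 ssh2
""".splitlines()

if __name__ == "__main__":
    print(scan_sources(SAMPLE))
```

Feed it the forwarded log file instead of SAMPLE to confirm the scanning host shows up with the ports you probed.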
