Snort Installation Notes Revision as of Sunday, 20 December 2015 at 19:56 UTC
Pre-Flight
I installed this on a 32-bit CentOS 5.6 system, with MySQL as the output
backend for snort. So make sure that your MySQL service is up and
running!
Installation
Install Snort
Snort v2.9+ uses libpcap 1.0+. Unfortunately, CentOS 5.x still ships v0.9.4. I tried (the hard way) to compile my own RPMs and stop swearing at the screen. However, a gentleman by the name of Vincent Cojot has already done some awesome heavy-lifting for all of us. Of course, the makers of Snort recommend that you compile it yourself and don't vouch for Vincent's RPMs. But I have shit to do.
mkdir snort; cd snort
wget http://vscojot.free.fr/dist/snort/snort-2.9.0.5/RHEL5/i386/daq-0.5-9.el5.i386.rpm
wget http://vscojot.free.fr/dist/snort/snort-2.9.0.5/RHEL5/i386/daq-debuginfo-0.5-9.el5.i386.rpm
wget http://vscojot.free.fr/dist/snort/snort-2.9.0.5/RHEL5/i386/libdnet-1.12-7.el5.i386.rpm
wget http://vscojot.free.fr/dist/snort/snort-2.9.0.5/RHEL5/i386/libdnet-debuginfo-1.12-7.el5.i386.rpm
wget http://vscojot.free.fr/dist/snort/snort-2.9.0.5/RHEL5/i386/libdnet-devel-1.12-7.el5.i386.rpm
wget http://vscojot.free.fr/dist/snort/snort-2.9.0.5/RHEL5/i386/libdnet-progs-1.12-7.el5.i386.rpm
wget http://vscojot.free.fr/dist/snort/snort-2.9.0.5/RHEL5/i386/libpcap1-1.1.1-9.el5.i386.rpm
wget http://vscojot.free.fr/dist/snort/snort-2.9.0.5/RHEL5/i386/libpcap1-debuginfo-1.1.1-9.el5.i386.rpm
wget http://vscojot.free.fr/dist/snort/snort-2.9.0.5/RHEL5/i386/libpcap1-devel-1.1.1-9.el5.i386.rpm
wget http://vscojot.free.fr/dist/snort/snort-2.9.0.5/RHEL5/i386/snort-2.9.0.5-12.el5.i386.rpm
wget http://vscojot.free.fr/dist/snort/snort-2.9.0.5/RHEL5/i386/snort-debuginfo-2.9.0.5-12.el5.i386.rpm
wget http://vscojot.free.fr/dist/snort/snort-2.9.0.5/RHEL5/i386/snort-mysql-2.9.0.5-12.el5.i386.rpm
rpm -ivh *.rpm
Important: the v2.9.0.5 RPMs have some significant path-related issues when trying to find rulesets. I recommend sticking with v2.9.0.4.
Install Snort Rules
You’ll need to register on Snort’s website before you can download a
ruleset. New rulesets are released to subscribers ($$$) 30 days before
registered users (FREE!) can download them.
# The ruleset is a tarbomb, so extract it in its own directory
mkdir snort-rules; cd snort-rules
wget https://s3.amazonaws.com/snort-org/www/rules/20110329/snortrules-snapshot-2903.tar.gz
tar -xvzf snortrules-snapshot-2903.tar.gz
cp etc/* /etc/snort/
cp rules/* /etc/snort/rules/
cp so_rules/precompiled/Centos-5-4/i386/2.9.0.3/* /etc/snort/so_rules/
cp preproc_rules/* /etc/snort/preproc_rules/
Now we’re ready to bend Snort to our whim.
Set up the Snort user and group
The RPM should already set this up for you. If not,
[root@snort usr]# groupadd snort
[root@snort usr]# useradd -g snort snort
[root@snort usr]# id snort
uid=505(snort) gid=506(snort) groups=506(snort)
You'll then need to chown /var/log/snort to that user.
Set up the MySQL database
Set up your database (call it “snort”) and user (also called “snort”)
and password (“PASSWORD”). Now load the schema:
mysql -uroot -p snort < /usr/share/snort-2.9.0.5/schemas/create_mysql
Configuring Snort
Start editing /etc/snort/snort.conf (make a copy of the original first!). Here are my modifications to the original file:
ipvar HOME_NET 19.25.78.0/24
portvar SSH_PORTS [22,3232]
portvar HTTP_PORTS [80,443,8080,9066]
# These were relative
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
# These were commented out
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules
# Listed as /usr/local/lib when they were actually in /usr/lib
dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/lib/snort_dynamicrules
# Increased to 65535 to avoid startup errors (I don't know the full reason yet)
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
# This was commented out; detects portscans!
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
# MySQL connection params
output database: alert, mysql, user=snort password=PASSWORD dbname=snort host=localhost
output database: log, mysql, user=snort password=PASSWORD dbname=snort host=localhost
Then uncomment all the preprocessor rules includes.
IMPORTANT: Logging to MySQL
Although the Snort config above looks like it should log everything to your MySQL database, you'll soon find that it doesn't. Running the test command in the section below will lead to Snort declaring that everything's peachy. It will create a single row in snort.sensor and nothing else.
I wasted about 4 hours attempting to reconfigure Snort, reading through the config file again, making sure my DB was okay. It was this post on the Snort forum that made my day. You basically open up /etc/sysconfig/snort and comment out this stupid line:
ALERTMODE=fast
That's it. Restart snortd and Snort will now log to /var/log/snort and your MySQL instance. Thanks "aline"!
IMPORTANT: Logging to custom logfiles
It took me 24 painstaking hours to figure this out. I can write a poem on the frustration. Basically, Snort wouldn't write to a logfile of my choice and I didn't know why. Turns out that I had to turn off binary logs in /etc/sysconfig/snort:
BINARY_LOG=0
If you don't do this, Snort won't care what you specify your unified2 logfiles to be; it will always write to snort.log.<timestamp>.
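Both of the /etc/sysconfig/snort fixes above (commenting out ALERTMODE=fast, forcing BINARY_LOG=0) are small enough to script. The following is an added example, not from these notes or from the Snort project: a POSIX sh function that applies both changes to a file path you pass in, idempotently and with a timestamped backup, plus a status function to check the result before restarting snortd. The sample sysconfig contents at the bottom are constructed for the dry run and are not the real CentOS file.

```shell
#!/bin/sh
# Added example, not from the notes: apply the two /etc/sysconfig/snort fixes
# (comment out ALERTMODE=fast, force BINARY_LOG=0) to the file given as $1.
# Idempotent, keeps a timestamped backup, so try it on a copy first.
fix_snort_sysconfig() {
  f=$1
  [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
  cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"
  # - an active ALERTMODE=... line gets a leading '#' (already-commented lines are untouched)
  # - any BINARY_LOG=... line is rewritten to BINARY_LOG=0
  sed -e 's/^[[:space:]]*\(ALERTMODE=.*\)$/#\1/' \
      -e 's/^[[:space:]]*BINARY_LOG=.*$/BINARY_LOG=0/' "$f" > "$f.tmp" || return 1
  # write back through cat so the file keeps its owner and mode
  cat "$f.tmp" > "$f" && rm -f "$f.tmp"
  # if the file never mentioned BINARY_LOG at all, append the setting
  grep -q '^BINARY_LOG=' "$f" || echo 'BINARY_LOG=0' >> "$f"
}

# Summarise the two settings so you can check them before `service snortd restart`.
snort_sysconfig_status() {
  f=$1
  active=$(grep -c '^[[:space:]]*ALERTMODE=' "$f" || true)
  binlog=$(sed -n 's/^\(BINARY_LOG=.*\)$/\1/p' "$f" | tail -n 1)
  echo "active_alertmode_lines=$active ${binlog:-BINARY_LOG=unset}"
}

# Constructed sample of the sysconfig file (not the real CentOS file) for a dry run.
make_sample_sysconfig() {
  cat > "$1" <<'EOF'
USER=snort
GROUP=snort
BINARY_LOG=1
ALERTMODE=fast
LOGDIR=/var/log/snort
EOF
}

sample=$(mktemp)
make_sample_sysconfig "$sample"
snort_sysconfig_status "$sample"     # active_alertmode_lines=1 BINARY_LOG=1
fix_snort_sysconfig "$sample"
snort_sysconfig_status "$sample"     # active_alertmode_lines=0 BINARY_LOG=0
rm -f "$sample" "$sample".bak.*
```

On the real box, run `fix_snort_sysconfig /etc/sysconfig/snort` as root, confirm the status line reads `active_alertmode_lines=0 BINARY_LOG=0`, then restart snortd; the `.bak.<timestamp>` copy lets you revert if the service refuses to start.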
Test Run
Check your configuration with this:
/usr/sbin/snort -T -u snort -g snort -c /etc/snort/snort.conf
Don't add the -D flag here: it runs snort in daemon mode, which is not useful for a config test. If everything looks OK,
[root@snort snort]# service snortd start
Starting snort: Spawning daemon child...
My daemon child 30815 lives...
Daemon parent exiting
[ OK ]
Installing Oinkmaster
This downloads and updates rulesets on a cron job. You’ll need an
“Oinkcode” which you can procure from your Snort.org account.
cd /opt
wget -O - "http://prdownloads.sourceforge.net/oinkmaster/oinkmaster-2.0.tar.gz?download" | tar -xvzf -
ln -s oinkmaster-2.0 oinkmaster
cd oinkmaster
cp oinkmaster.conf oinkmaster.conf.original
mkdir tmp backup.rules
Then edit the config file to specify URLs and oinkcodes:
url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2900.tar.gz
tmpdir = /opt/oinkmaster/tmp
I prefer keeping oinkmaster in /opt. For a trial run, I issue:
mkdir /tmp/snort
/opt/oinkmaster/oinkmaster.pl -c -v -C /opt/oinkmaster/oinkmaster.conf -o /tmp/snort/
As a poor registered user, you have to wait 15 minutes between
downloads. If all’s well, you can now set a cron
job with:
# Download new Snort rulesets every Friday at midnight
0 0 * * 5 /opt/oinkmaster/oinkmaster.pl -C /opt/oinkmaster/oinkmaster.conf \
-o /etc/snort/rules/ -b /opt/oinkmaster/backup.rules \
2>&1 | mail -s "snrt - oinkmaster" support@example.com
Backs up rules, emails you everything on Friday at midnight. Awesome.
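The cron job above drops the new rules straight into /etc/snort/rules and leaves the running sensor untouched, so a broken snapshot is only noticed at the next restart. The script below is an added example, not from these notes or from oinkmaster: it runs the same update, validates the result with the `snort -T` command from the Test Run section, and restarts snortd only if that check passes, rolling the rules directory back otherwise. The `service snortd restart` default and the command variables are assumptions; every external command is taken from a variable so the logic can be dry-run against stubs.

```shell
#!/bin/sh
# Added example, not from the notes or from oinkmaster: stage, validate, then deploy.
# Every external command comes from a variable so it can be dry-run with stubs.
OINKMASTER=${OINKMASTER:-/opt/oinkmaster/oinkmaster.pl}
OINK_CONF=${OINK_CONF:-/opt/oinkmaster/oinkmaster.conf}
SNORT=${SNORT:-/usr/sbin/snort}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
RULES_DIR=${RULES_DIR:-/etc/snort/rules}
RESTART=${RESTART:-service snortd restart}   # assumed init script name from the notes

update_rules() {
  backup=$(mktemp -d) || return 1
  # keep our own copy of the current rules so a failed update can be undone exactly
  cp -p "$RULES_DIR"/* "$backup"/ || { rm -rf "$backup"; return 1; }

  # 1. update in place with oinkmaster
  if ! $OINKMASTER -C "$OINK_CONF" -o "$RULES_DIR"; then
    echo "oinkmaster failed, rules left as they were" >&2
    rm -rf "$backup"
    return 1
  fi

  # 2. validate with the same test command used in "Test Run"
  if $SNORT -T -u snort -g snort -c "$SNORT_CONF" >/dev/null 2>&1; then
    $RESTART
    rm -rf "$backup"
    echo "ruleset updated, snortd restarted"
    return 0
  fi

  # 3. roll back: the new rules do not parse, so restore the previous set in full
  echo "new ruleset failed snort -T, restoring previous rules" >&2
  rm -f "$RULES_DIR"/*
  cp -p "$backup"/* "$RULES_DIR"/
  rm -rf "$backup"
  return 2
}

# From cron:  0 0 * * 5 /opt/oinkmaster/update-rules.sh run 2>&1 | mail -s "snrt - oinkmaster" support@example.com
if [ "${1:-}" = "run" ]; then
  update_rules
fi
```

The exit codes are distinct on purpose (1 for a download failure, 2 for a ruleset that fails validation) so the mailed cron output tells you which of the two happened without reading the whole log.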
Using Barnyard to Spool Data
Preconfiguring Snort
Open up /etc/snort/snort.conf and change this line:
output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
to this:
output unified2: filename merged.log, limit 128
For some reason, barnyard2 will not work if you don’t do this. Now
comment out every other output
declaration and restart Snort.
Installing Barnyard
- Important: You need to install barnyard2 and not barnyard! The latter hasn't been updated in 4 years and is horribly difficult to set up. Barnyard2 also uses the newer "unified2" output format of Snort. Compilation will install everything in /usr/local/{bin,etc}. I've archived the RPM if you don't feel like it.
- Important: Make sure that you've set up your MySQL database and that it's completely empty. I'd drop and re-create if unsure.
- "Continuous mode" refers to barnyard continually processing a single logfile that's created when the Snort service is started. You can manually crunch through multiple log files in "batch" mode.
Edit /usr/local/etc/barnyard2.conf
. Here’s a diff of the original
(<) and my modifications (>):
60,61c60,61
< #config hostname: thor
< #config interface: eth0
---
> config hostname: snort.example.com
> config interface: eth0
115c115
< #config show_year
---
> config show_year
131c131
< #config waldo_file: /tmp/waldo
---
> config waldo_file: /var/log/snort/barnyard2.waldo
152c152
< #config archivedir: /tmp
---
> config archivedir: /var/log/barnyard2
215c215
< output alert_fast: stdout
---
> #output alert_fast: stdout
324,325c324,325
<
<
---
> output database: log, mysql, user=snort password=PASSWORD dbname=snort host=localhost
> output database: alert, mysql, user=snort password=PASSWORD dbname=snort host=localhost
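Review bot: the two `output database:` lines at 324,325 put the MySQL password in cleartext in /usr/local/etc/barnyard2.conf, and the file is read by a process that is later started with `-u snort -g snort`. Restrict the file to that account (for example `chown root:snort` and `chmod 640`) so it is not world-readable, and give the `snort` database user only the privileges barnyard2 needs on the `snort` database rather than reusing the root account used to load the schema. Note also that once every other output declaration in snort.conf is commented out as the section above says, these two lines are the only path from Snort events to MySQL, so a typo here silently stops all database logging; the `barnyard2 -T` test below is the place to catch that.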
Now set up the waldo file and a few folders:
mkdir /var/log/barnyard2
chmod 750 /var/log/barnyard2   # a directory needs the execute bit to be usable; 666 is world-writable and untraversable
chown snort:snort /var/log/barnyard2
touch /var/log/snort/barnyard2.waldo
chown snort:snort /var/log/snort/barnyard2.waldo
I highly recommend testing this configuration:
/usr/local/bin/barnyard2 -T -c /usr/local/etc/barnyard2.conf
Now start barnyard in daemon mode:
/usr/local/bin/barnyard2 -c /usr/local/etc/barnyard2.conf \
-d /var/log/snort \
-f merged.log \
-w /var/log/snort/barnyard2.waldo \
-a /var/log/barnyard2 \
-u snort -g snort \
-D
You can now add this snippet to /etc/rc.local to run barnyard2 at startup.
Installing BASE
First make sure you have php-adodb installed (available at EPEL). This installs everything in /usr/share/php/adodb.
yum -y install php-adodb --enablerepo=epel
Then install BASE in your siteroot (assuming default here):
cd /var/www/html/
wget -O - http://downloads.sourceforge.net/project/secureideas/BASE/base-1.4.5/base-1.4.5.tar.gz | tar -xvzf -
ln -s base-1.4.5 base
cp base/base_conf.php.dist base/base_conf.php
Then edit the base_conf.php
file. Here are my additions/modifications
(other than the Snort MySQL and SMTP info that BASE needs). I used the
same MySQL settings for the “Archive DB” parameters.
$BASE_urlpath = 'http://snort.example.com/base';
$DBlib_path = '/usr/share/php/adodb';
$resolve_IP = 1;
Now navigate to the page and click "Create Base AG". BAM! Now make sure that you at least htpasswd the page, since BASE doesn't have any login system.
Sources
- Installing Snort and Base on CentOS 5.2
- Install Snort 2.8.6 on CentOS 5.5 (Official)
- Super-detailed installation log on Fedora
- Installing Snort Report
- Presentation on Snort and Barnyard
Miscellaneous
Barnyard2 compilation flags
./configure --with-mysql=/usr/bin/mysql \
--with-mysql-includes=/usr/include/ \
--with-mysql-libraries=/usr/lib/mysql/
A Note on Waldo Files
To keep track of the most recent logfiles between service restarts,
barnyard uses a “waldo” file. Its contents look like this:
/var/log/snort snort.log 1305050676 0
1305050676 is the most recent timestamp. However, with the setup above (where I just touch-ed the file), the contents generated by my command look like this:
/var/log/snort
merged.log
??M?
Strange.
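The garbage above is what you get when a binary file is dumped as text. The following is an added example, not from these notes or from barnyard2, and it rests on an assumption about barnyard2's on-disk waldo format: that the file is the WaldoData struct written verbatim, i.e. two 1024-byte NUL-padded buffers (spool directory, spool file base name) followed by two native-endian 32-bit integers (timestamp, record index), 2056 bytes in all. If that holds, the "M" in the output above is simply the high byte of a 2011 epoch timestamp (0x4D), which is why the file is unreadable as text. The decoder below pulls the four fields out with `dd` and `od`, and the sample waldo it builds is constructed for the demo (little-endian host assumed), not a real file from the sensor.

```shell
#!/bin/sh
# Added example, not from the notes or barnyard2: decode a waldo file.
# Assumed layout (barnyard2's WaldoData struct written with fwrite):
#   char spool_dir[1024]; char spool_filebase[1024]; uint32_t timestamp; uint32_t record_idx;
WALDO_BUF=1024

# Print the NUL-terminated string held in a fixed-size buffer at a byte offset.
waldo_str() {  # file offset
  dd if="$1" bs=1 skip="$2" count="$WALDO_BUF" 2>/dev/null | tr -d '\000'
}

# Print the native-endian unsigned 32-bit integer at a byte offset.
waldo_u32() {  # file offset
  od -An -tu4 -j "$2" -N 4 "$1" | tr -d ' '
}

# Print "<spool_dir> <spool_filebase> <timestamp> <record_idx>" for a waldo file.
waldo_decode() {
  f=$1
  size=$(wc -c < "$f" | tr -d ' ')
  [ "$size" -eq $((2 * WALDO_BUF + 8)) ] || { echo "unexpected waldo size $size" >&2; return 1; }
  printf '%s %s %s %s\n' \
    "$(waldo_str "$f" 0)" \
    "$(waldo_str "$f" "$WALDO_BUF")" \
    "$(waldo_u32 "$f" $((2 * WALDO_BUF)))" \
    "$(waldo_u32 "$f" $((2 * WALDO_BUF + 4)))"
}

# Constructed sample (little-endian host assumed): dir /var/log/snort, base merged.log,
# timestamp 1305050676 (0x4DC97E34, the value quoted in the notes), record index 0.
make_sample_waldo() {  # outfile
  {
    printf '/var/log/snort'; dd if=/dev/zero bs=1 count=$((WALDO_BUF - 14)) 2>/dev/null
    printf 'merged.log';     dd if=/dev/zero bs=1 count=$((WALDO_BUF - 10)) 2>/dev/null
    printf '\064\176\311\115'   # bytes 0x34 0x7E 0xC9 0x4D = 1305050676 little-endian
    printf '\000\000\000\000'   # record_idx = 0
  } > "$1"
}

sample=$(mktemp)
make_sample_waldo "$sample"
waldo_decode "$sample"     # /var/log/snort merged.log 1305050676 0
rm -f "$sample"
```

Run `waldo_decode /var/log/snort/barnyard2.waldo` on the sensor to see where barnyard2 thinks it is in the spool; a size check failure means the assumed layout does not match your barnyard2 build, in which case treat the output as unreliable rather than as a position.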
Category:Nikhil’s Notes
Category:Installation Logs
Category:From a past sysadmin life