IDS with snort in CentOS (Snort, Barnyard2)

Keep in mind that this document does not cover hardening the system. That process is outlined in other documents from myself or others. This machine needs to be well protected. It may be in a very vulnerable position, facing that filthy and scary Internet.

1. Minimal install
- add another NIC

2. set interface
ifconfig eth0 192.168.122.171 netmask 255.255.255.0 up
route add default gw 192.168.122.2
echo 'nameserver 8.8.8.8' > /etc/resolv.conf

yum -y install system-config-network-tui openssh-clients tcpdump

system-config-network <------------ set ip, gw and dns

vi /etc/sysconfig/network-scripts/ifcfg-eth0
--------8<-------
ONBOOT=yes
--------8<-------

vi /etc/sysconfig/network-scripts/ifcfg-eth1
--------8<-------
ONBOOT=yes
--------8<-------
service network restart

Note: eth1 is the stealth NIC that receives packets from the SPAN/TAP port. Set only ONBOOT=yes on it and do not assign an IP address.
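The stealth interface can be written and verified from a script rather than by hand. The following is an added example and not part of the original post; it assumes the CentOS 6 network-scripts layout used above and that `ifconfig` and `tcpdump` (installed in this step) are available. It renders an ifcfg file with no address, checks that no IPADDR/GATEWAY line slipped in, and brings the NIC up in promiscuous mode so the kernel delivers every frame from the SPAN/TAP port to Snort.

```shell
#!/bin/sh
# Added example (not from the original post): generate and verify a stealth
# ifcfg file for the sniffing NIC, then bring it up without an address.
# Assumes the RHEL/CentOS 6 /etc/sysconfig/network-scripts layout.

# Render ifcfg contents for a sniff-only interface. The device name is the
# parameter; IPADDR/GATEWAY lines are deliberately never emitted.
stealth_ifcfg() {
    dev="$1"
    printf 'DEVICE=%s\nONBOOT=yes\nBOOTPROTO=none\nNM_CONTROLLED=no\n' "$dev"
}

# Return 0 when FILE describes a stealth interface: ONBOOT=yes is present and
# there is no IPADDR, GATEWAY or BOOTPROTO=dhcp line; return 1 otherwise.
check_stealth_ifcfg() {
    f="$1"
    grep -q '^ONBOOT=yes$' "$f" || return 1
    grep -Eq '^(IPADDR|GATEWAY)=' "$f" && return 1
    grep -q '^BOOTPROTO=dhcp$' "$f" && return 1
    return 0
}

# Bring the interface up with no address and enable promiscuous mode so that
# frames not addressed to this host are still handed to the sniffer.
stealth_up() {
    dev="$1"
    ifconfig "$dev" 0.0.0.0 up && ifconfig "$dev" promisc
}

# Usage (as root on the sensor):
#   stealth_ifcfg eth1 > /etc/sysconfig/network-scripts/ifcfg-eth1
#   check_stealth_ifcfg /etc/sysconfig/network-scripts/ifcfg-eth1 && stealth_up eth1
#   tcpdump -ni eth1 -c 5    # confirm frames are arriving from the SPAN/TAP
```

The `tcpdump -ni eth1` line is the quickest way to confirm the SPAN/TAP is actually feeding the sensor before Snort is started; an interface that is up but sees no traffic usually means the switch side is not mirroring.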

3. install ntp and timesync

yum -y install ntp
service ntpd start
chkconfig ntpd on
ntpdate pool.ntp.org

4. install packages

yum -y install wget zip unzip

5. disable SELinux
echo 0 > /selinux/enforce
vi /etc/selinux/config
--------------------
SELINUX=disabled
--------------------

6. Install Dependencies
yum -y install gcc gcc-c++ flex bison pcre-devel zlib-devel libpcap-devel postgresql-devel automake libtool
yum -y update

7. Download and Install Sources

** libdnet
cd /usr/src
wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
tar xfz libdnet-1.12.tgz
rm -f libdnet-1.12.tgz && cd libdnet-1.12
./configure && make && make install

** DAQ
cd /usr/src
wget http://www.procyonlabs.com/mirrors/snort/daq-2.0.2.tar.gz
tar xfz daq-2.0.2.tar.gz
rm -f daq-2.0.2.tar.gz && cd daq-2.0.2
./configure && make && make install

** Snort
cd /usr/src
wget http://www.procyonlabs.com/mirrors/snort/snort-2.9.6.0.tar.gz
tar xfz snort-2.9.6.0.tar.gz
rm -f snort-2.9.6.0.tar.gz && cd snort-2.9.6.0
./configure --enable-sourcefire
make && make install

** Barnyard2
cd /usr/src
wget https://github.com/firnsy/barnyard2/archive/master.zip -O by2.zip
unzip by2.zip
rm -f by2.zip && cd barnyard2-master
./autogen.sh

<If using PostgreSQL>
./configure --with-postgresql
make && make install

<If *only* using Syslog>
./configure
make && make install

8. Configure Snort

** create dirs
mkdir /etc/snort
mkdir /var/log/snort

** Download latest rules/signatures
- Download Snort rules files from https://www.snort.org/downloads/#rule-downloads to /etc/snort
- ex: snortrules-snapshot-2962.tar

** Install Rules
cd /etc/snort/
tar xf snortrules-snapshot-2962.tar
rm -f snortrules-snapshot-2962.tar
mkdir /usr/local/lib/snort_dynamicrules
cp /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.6.2/*.so /usr/local/lib/snort_dynamicrules/ 
cat /etc/snort/so_rules/*.rules >> /etc/snort/rules/so-rules.rules

** Configure snort.conf
vi /etc/snort/etc/snort.conf
------------------8<--------------------
ipvar HOME_NET [192.168.0.0/16]
ipvar EXTERNAL_NET !$HOME_NET
output unified2: filename /var/log/snort/merged.log, limit 128

# Reputation preprocessor. For more information see README.reputation
#preprocessor reputation: \ <------- comment out this block if the reputation preprocessor is not used
#   memcap 500, \
#   priority whitelist, \
#   nested_ip inner, \
#   whitelist $WHITE_LIST_PATH/white_list.rules, \
#   blacklist $BLACK_LIST_PATH/black_list.rules

# dynamic library rules
include $SO_RULE_PATH/bad-traffic.rules
include $SO_RULE_PATH/browser-ie.rules
include $SO_RULE_PATH/chat.rules
include $SO_RULE_PATH/dos.rules
include $SO_RULE_PATH/exploit.rules
include $SO_RULE_PATH/file-flash.rules
include $SO_RULE_PATH/icmp.rules
include $SO_RULE_PATH/imap.rules
include $SO_RULE_PATH/misc.rules
include $SO_RULE_PATH/multimedia.rules
include $SO_RULE_PATH/netbios.rules
include $SO_RULE_PATH/nntp.rules
include $SO_RULE_PATH/p2p.rules
include $SO_RULE_PATH/smtp.rules
include $SO_RULE_PATH/snmp.rules
include $SO_RULE_PATH/specific-threats.rules
include $SO_RULE_PATH/web-activex.rules
include $SO_RULE_PATH/web-client.rules
include $SO_RULE_PATH/web-iis.rules
include $SO_RULE_PATH/web-misc.rules
------------------8<--------------------

9. Configure Barnyard2
: Barnyard2 is used to offload output processing from Snort. Events are sent either to another system hosting PostgreSQL or to a remote syslog server.

cp /usr/src/barnyard2-master/etc/barnyard2.conf /etc/snort/
vi /etc/snort/barnyard2.conf
------------------8<--------------------
config reference_file: /etc/snort/etc/reference.config
config classification_file: /etc/snort/etc/classification.config
config gen_file: /etc/snort/etc/gen-msg.map
config sid_file: /etc/snort/etc/sid-msg.map

config logdir: /var/log/snort

config hostname: titan   (this is the sensor's hostname)
config interface: eth0   (the management interface (NIC to database or syslog server))

config daemon   (uncomment to run in background)

config show_year   (uncomment to include year in timestamps)

config waldo_file: /var/log/snort/by2.waldo   (uncomment, define waldo file location)

<If using PostgreSQL>
output database: log, postgresql, user=snort dbname=snort host=pg-server

<If using syslog (in this example, to a Splunk instance)>
output alert_syslog_full: sensor_name phobos-eth1, server 192.168.2.3, protocol udp, port 518, operation_mode default
------------------8<--------------------
touch /var/log/snort/by2.waldo

10. Check snort rules
snort -c /etc/snort/etc/snort.conf -T

11. Start Snort and Barnyard2
snort -c /etc/snort/etc/snort.conf -i eth1 -D
barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f merged.log
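Two things commonly go wrong at this stage: the unified2 filename in snort.conf and the `-f` spool name given to Barnyard2 drift apart (Barnyard2 then waits on a file that is never written), and precompiled shared-object rules are copied from a directory built for a different Snort release than the one `snort -V` reports. The following is an added example, not part of the original post, that checks both, confirms the waldo file exists, runs `snort -T`, and only then starts the two daemons with the exact commands from steps 10 and 11. The sample snort.conf text in the test is constructed; the paths are the ones used in this post.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks to run before
# starting Snort and Barnyard2. Paths match the ones used in this post.

# Print the basename of the unified2 spool file configured in SNORT_CONF,
# e.g. "merged.log" for "output unified2: filename /var/log/snort/merged.log, limit 128".
unified2_basename() {
    sed -n 's/^output unified2:[[:space:]]*filename[[:space:]]*\([^,[:space:]]*\).*/\1/p' "$1" \
        | head -n 1 | sed 's#.*/##'
}

# Return 0 when the spool name Barnyard2 will be given with -f matches the
# unified2 filename Snort writes; they must agree or Barnyard2 idles forever.
spool_names_match() {
    [ "$(unified2_basename "$1")" = "$2" ]
}

# Extract "x.y.z.w" from the `snort -V` banner text passed on stdin.
snort_version_from_banner() {
    sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Precompiled .so rules are built for one Snort release. Return 0 when the
# version string matches the last path component of the precompiled
# directory that was copied into /usr/local/lib/snort_dynamicrules.
so_rules_match_version() {
    [ "$(basename "$2")" = "$1" ]
}

# Run every check against the live system, then `snort -T`, and start the
# daemons only when all of it passed.
preflight_and_start() {
    conf=/etc/snort/etc/snort.conf
    spool=merged.log
    so_dir=/etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.6.2
    spool_names_match "$conf" "$spool" || { echo "unified2 filename does not match $spool"; return 1; }
    [ -f /var/log/snort/by2.waldo ] || { echo "waldo file /var/log/snort/by2.waldo missing"; return 1; }
    ver=$(snort -V 2>&1 | snort_version_from_banner)
    so_rules_match_version "$ver" "$so_dir" || { echo "snort $ver does not match so_rules in $so_dir"; return 1; }
    snort -c "$conf" -T || return 1
    snort -c "$conf" -i eth1 -D
    barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f "$spool"
}

# Usage (as root on the sensor):  preflight_and_start
```

If the version check fails, re-copy the `.so` files from the precompiled directory whose name equals the `snort -V` version, or rebuild Snort to match the rule snapshot; loading shared-object rules built for another release is the usual cause of `snort -T` aborting while loading dynamic rules.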

Author: Hojung, 2014.08.19