Snort on Ubuntu 14 (Barnyard2, PulledPork, BASE, Snort with pcap)

#####################
# Software Versions
#####################

- Ubuntu-14.10-server-amd64
- Snort 2.9.7.0 (DAQ 2.0.4)
- Barnyard2
- PulledPork
- BASE

###################
# OS Installation
###################

Note: Install the VM with the VMXNET 3 network adapter (not the default adapter)
Note: This assumes the interface was assigned an IP address by DHCP during installation

** Configuring SSH
sudo apt-get install -y openssh-server
sudo update-rc.d -f ssh remove
sudo update-rc.d -f ssh defaults

** Installing VMware tool
sudo mount /dev/cdrom /media/cdrom
cd /tmp
cp /media/cdrom/VMwareTools-* ./
tar xfz VMwareTools-*
cd vmware-tools-distrib
sudo ./vmware-install.pl -default

** Configure interface with static IP address (easier to do via ssh from now on)
sudo vi /etc/network/interfaces
------------------8<--------------------
# The primary network interface auto eth0
auto eth0
iface eth0 inet static
address 192.168.1.171
netmask 255.255.255.0
gateway 192.168.1.254
dns-nameservers 8.8.8.8 8.8.4.4
------------------8<--------------------
sudo service networking restart
sudo reboot

** Configure auth with public/private key
mkdir ~/.ssh
touch ~/.ssh/authorized_keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
vi ~/.ssh/authorized_keys <----------- ADD YOUR PUBLIC KEY

** Updating system and rebooting to apply all patches
sudo apt-get update && sudo apt-get upgrade -y
sudo reboot

** Network Card Configuration (turn off LRO and GRO for specific network cards)
sudo apt-get install -y ethtool 
sudo ethtool -K eth0 gro off 
sudo ethtool -K eth0 lro off


#################################
# Pre-Requisites for Snort/DAQ 
#################################

** Pre-Requisites
sudo apt-get install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex

** Download and install the latest version of DAQ from the Snort website (please check the website to ensure you are getting the latest version).
mkdir ~/snort_src
cd ~/snort_src
wget https://www.snort.org/downloads/snort/daq-2.0.4.tar.gz 
tar xvzf daq-2.0.4.tar.gz
cd daq-2.0.4
./configure
make
sudo make install

** additional Snort pre-requisite
sudo apt-get install -y zlib1g-dev


#####################
# Installing Snort
#####################

** Installing Snort
cd ~/snort_src
wget https://www.snort.org/downloads/snort/snort-2.9.7.0.tar.gz
tar xvzf snort-2.9.7.0.tar.gz
cd snort-2.9.7.0
./configure --enable-sourcefire
make
sudo make install

** update shared libraries
sudo ldconfig

** Place a symlink to the SNORT binary
sudo ln -s /usr/local/bin/snort /usr/sbin/snort

** Configuring Snort to Run in NIDS Mode
sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort

sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /var/log/snort
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules /etc/snort/rules/local.rules

sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules

sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules

sudo cp ~/snort_src/snort-2.9.7.0/etc/*.conf* /etc/snort 
sudo cp ~/snort_src/snort-2.9.7.0/etc/*.map /etc/snort

Note: directory structure
sudo apt-get install -y tree
tree /etc/snort
(screenshot: 10.png)

sudo cp /etc/snort/snort.conf /etc/snort/snort.conf.ori
sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf
sudo vi /etc/snort/snort.conf
------------------8<--------------------
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules 
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
------------------8<--------------------
or
sudo sed -i 's/\.\./\/etc\/snort/' /etc/snort/snort.conf

sudo vi /etc/snort/snort.conf
------------------8<--------------------
#ipvar HOME_NET any <------------- if HOME_NET is set to any, some rules end up with !any, which is not allowed, so the rule check errors out
ipvar HOME_NET 192.168.0.0/16
------------------8<--------------------
sudo snort -T -c /etc/snort/snort.conf

NOTE: When HOME_NET is set to a specific IP range and Snort is run against a pcap file, traffic whose IPs do not match HOME_NET may (depending on the rule) not be inspected. If HOME_NET is set to any, some of the rules downloaded with PulledPork conflict with it.
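As an added example (not from the original post), the following shell functions apply the two snort.conf edits from this section to a file you name and check for the HOME_NET/!any conflict described in the note. The function names, the scratch snort.conf and the two rules in the demo are constructed for illustration; try them on a copy before touching /etc/snort/snort.conf.

```sh
# Added example, not part of the original post: helper functions that apply the
# snort.conf edits from this walkthrough to a copy of the file, plus a check for
# the HOME_NET/!any conflict described in the note. Paths are arguments, so the
# functions can be tried on a scratch copy before /etc/snort/snort.conf.

# Comment out every "include $RULE_PATH/..." line (PulledPork later supplies a
# single snort.rules include) and turn the stock relative "../" paths into
# absolute /etc/snort/ paths, as the two sed commands in the walkthrough do.
configure_snort_paths() {
    conf="$1"
    tmp="$conf.tmp"
    sed -e 's/^include \$RULE_PATH/#include $RULE_PATH/' \
        -e 's#\.\./#/etc/snort/#' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Replace the ipvar HOME_NET line with the given network (e.g. 192.168.0.0/16).
set_home_net() {
    conf="$1"
    net="$2"
    tmp="$conf.tmp"
    sed -e "s#^ipvar HOME_NET .*#ipvar HOME_NET $net#" "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Print how many rules in a rules file negate HOME_NET (!$HOME_NET). With
# HOME_NET set to any those become !any, which Snort rejects at -T time.
count_negated_home_net() {
    grep -c '!\$HOME_NET' "$1" || true
}

# Return 0 when the HOME_NET setting in conf is compatible with the rules file,
# 1 when HOME_NET is any and at least one rule negates it.
home_net_is_safe() {
    conf="$1"
    rules="$2"
    if grep -q '^ipvar HOME_NET any[[:space:]]*$' "$conf" \
       && [ "$(count_negated_home_net "$rules")" -gt 0 ]; then
        return 1
    fi
    return 0
}

# Demo on constructed files in a temporary directory (run with: sh script.sh demo).
demo() {
    dir=$(mktemp -d)
    cat > "$dir/snort.conf" <<'EOF'
ipvar HOME_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
include $RULE_PATH/local.rules
EOF
    # constructed rules: the second one negates HOME_NET
    cat > "$dir/snort.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed rule A"; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> !$HOME_NET any (msg:"constructed rule B"; sid:9000002; rev:1;)
EOF
    configure_snort_paths "$dir/snort.conf"
    home_net_is_safe "$dir/snort.conf" "$dir/snort.rules" \
        || echo "HOME_NET any conflicts with !\$HOME_NET rules; narrowing it"
    set_home_net "$dir/snort.conf" 192.168.0.0/16
    cat "$dir/snort.conf"
    rm -r "$dir"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

The check only catches the `!$HOME_NET` form; it does not run Snort, so `sudo snort -T -c /etc/snort/snort.conf` is still the final word on whether the configuration loads.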


########################
# Installing Barnyard2
########################
: Snort outputs events in binary form to a folder, and then Barnyard2 reads those events asynchronously and copies them to our MySQL database.

sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool
sudo vi /etc/snort/snort.conf
------------------8<--------------------
# output unified2: filename merged.log , limit 128, nostamp, mpls event types , vlan event types} 
output unified2: filename snort.u2, limit 128
------------------8<--------------------

cd ~/snort_src
wget https://github.com/firnsy/barnyard2/archive/master.tar.gz -O barnyard2-2-1.13.tar.gz 
tar zxvf barnyard2-2-1.13.tar.gz
cd barnyard2-master
autoreconf -fvi -I ./m4
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
make
sudo make install

cd ~/snort_src/barnyard2-master
sudo cp etc/barnyard2.conf /etc/snort 
sudo mkdir /var/log/barnyard2
sudo chown snort.snort /var/log/barnyard2
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort.snort /var/log/snort/barnyard2.waldo 
sudo touch /etc/snort/sid-msg.map

echo "create database snort;" | mysql -u root -p
mysql -u root -p -D snort < ~/snort_src/barnyard2-master/schemas/create_mysql
echo "grant create, insert, select, delete, update on snort.* to snort@localhost identified by 'MYSQLSNORTPASSWORD'" | mysql -u root -p

Note: DB info
username: snort
password: MYSQLSNORTPASSWORD
db: snort

sudo vi /etc/snort/barnyard2.conf
------------------8<--------------------
output database: log, mysql, user=snort password=MYSQLSNORTPASSWORD dbname=snort host=localhost
------------------8<--------------------
sudo chmod o-r /etc/snort/barnyard2.conf


#########################
# Installing PulledPork
#########################
: Perl script that downloads, combines, and installs/updates Snort rulesets from various locations for use by Snort

sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl

cd ~/snort_src
wget https://pulledpork.googlecode.com/files/pulledpork-0.7.0.tar.gz 
tar xfz pulledpork-0.7.0.tar.gz
cd pulledpork-0.7.0/
sudo cp pulledpork.pl /usr/local/bin
sudo chmod +x /usr/local/bin/pulledpork.pl
sudo cp etc/*.conf /etc/snort

sudo mkdir /etc/snort/rules/iplists
sudo touch /etc/snort/rules/iplists/default.blacklist
/usr/local/bin/pulledpork.pl -V

** Rulesets and an Oinkcode
Get your Oinkcode from the Snort site
(screenshot: 12.png)

sudo cp /etc/snort/pulledpork.conf /etc/snort/pulledpork.conf.ori
sudo sed -i 's!<oinkcode>!<YOUR_OINKCODE>!' /etc/snort/pulledpork.conf <---------- SET YOUR OINKCODE HERE BEFORE RUNNING THIS COMMAND
sudo sed -i 's!#\(.*emergingthreatspro.*open\)!\1!' /etc/snort/pulledpork.conf
sudo sed -i 's!/usr/local/etc!/etc!' /etc/snort/pulledpork.conf
sudo sed -i 's/distro=.*/distro=Ubuntu-10-4/' /etc/snort/pulledpork.conf
sudo sed -i 's/# enablesid=/enablesid=/' /etc/snort/pulledpork.conf
sudo sed -i 's/# dropsid=/dropsid=/' /etc/snort/pulledpork.conf
sudo sed -i 's/# disablesid=/disablesid=/' /etc/snort/pulledpork.conf
sudo sed -i 's/# modifysid=/modifysid=/' /etc/snort/pulledpork.conf

sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l

Note: You should now see snort.rules in /etc/snort/rules, and .so rules in /usr/local/lib/snort_dynamicrules.

sudo vi /etc/snort/snort.conf
------------------8<----------
include $RULE_PATH/snort.rules <-------- append to the end (new line)
------------------8<----------

sudo snort -T -c /etc/snort/snort.conf
(screenshot: 24.png)


##################################
# cronjob and start/stop scripts
##################################

** Cronjob to download new rules by pulledpork 
sudo crontab -e
------------------8<--------------------
01 04 * * * /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l
------------------8<--------------------

** Creating Startup Scripts
sudo vi /etc/init/snort.conf
------------------8<--------------------
description "Snort NIDS Service" 
stop on runlevel [!2345]
start on runlevel [2345]
script
exec /usr/sbin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D 
end script
------------------8<--------------------
sudo chmod +x /etc/init/snort.conf 

sudo vi /etc/init/barnyard2.conf
------------------8<--------------------
description "Barnyard2 service" 
stop on runlevel [!2345]
start on runlevel [2345]
script
exec /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort -D
end script
------------------8<--------------------
sudo chmod +x /etc/init/barnyard2.conf 

initctl list | egrep "snort|barnyard"
initctl list | grep barnyard
(screenshot: 14.png)

sudo service snort start
sudo service barnyard2 start
service snort status
service barnyard2 status
(screenshot: 15.png)


###################
# Installing BASE
###################

sudo apt-get install -y apache2 libapache2-mod-php5 php5 php5-mysql php5-common php5-gd php5-cli php-pear
sudo pear install -f Image_Graph
(screenshot: 13.png)

sudo sed -i 's/Listen 80/Listen 0.0.0.0:80/' /etc/apache2/ports.conf

cd ~/snort_src
wget http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-518-for-php5/adodb518a.tgz/download -O adodb518.tgz 
tar xfz adodb518.tgz
sudo mv adodb5 /var/adodb

cd ~/snort_src
wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz 
tar xfz base-1.4.5.tar.gz

sudo mv base-1.4.5 /var/www/html/base/ 
cd /var/www/html/base
sudo cp base_conf.php.dist base_conf.php
sudo vi /var/www/html/base/base_conf.php
------------------8<--------------------
$BASE_urlpath = '/base';
$DBlib_path = '/var/adodb';

$alert_dbname   = 'snort';
$alert_host     = 'localhost';
$alert_port     = '';
$alert_user     = 'snort';
$alert_password = 'MYSQLSNORTPASSWORD';
------------------8<--------------------
sudo chown -R www-data:www-data /var/www/html/base
sudo chmod o-r /var/www/html/base/base_conf.php

sudo service apache2 restart
http://192.168.1.171/base/index.php
(screenshots: 16.png, 17.png, 18.png, 19.png)


############################
# Performing test (optional)
############################

1. uncomment the following line in snort.conf
sudo vi /etc/snort/snort.conf
------------------8<--------------------
# site specific rules
include $RULE_PATH/local.rules
------------------8<--------------------

2. add the following rule to local.rules
sudo vi /etc/snort/rules/local.rules
------------------8<--------------------
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
------------------8<--------------------

3. restart snort (no need to restart barnyard2)
sudo service snort restart && sudo service barnyard2 restart

4. start watching the number of events
watch -d -n 1 'mysql -usnort -pMYSQLSNORTPASSWORD -D snort -e "select count(*) from event"'

5. send icmp echo request from remote host and check the watch-output
(screenshot: 23.png)

6. comment the rule after testing
sudo vi /etc/snort/rules/local.rules
------------------8<--------------------
#alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
------------------8<--------------------
sudo service snort restart


#############################
# ESXi in Promiscuous Mode
#############################
(screenshot: 20.png)


####################################
# Appendix: Querying the Event Count
####################################

** Query the current number of events
mysql -usnort -pMYSQLSNORTPASSWORD -D snort -e "select count(*) from event"
watch -d -n 1 'mysql -usnort -pMYSQLSNORTPASSWORD -D snort -e "select count(*) from event"'


##########################################
# Appendix: Re-Creating the Snort Database
##########################################

sudo service snort stop 
sudo service barnyard2 stop

mysql -u root -p
drop database snort;
create database snort;
exit

mysql -u root -p -D snort < ~/snort_src/barnyard2-master/schemas/create_mysql
echo "grant create, insert, select, delete, update on snort.* to snort@localhost identified by 'MYSQLSNORTPASSWORD'" | mysql -u root -p
sudo reboot

service snort status && service barnyard2 status
sudo rm /var/log/snort/*

http://192.168.1.171/base/index.php <-------- re-create tables
nmap -sS -PN 192.168.1.171


###############################################################
# Appendix: Installing Snort Rules Manually without PulledPork
###############################################################

1. create a backup of snort.conf
sudo cp /etc/snort/snort.conf /etc/snort/snort.conf.bak

2. Download the rule (REPLACE <SNORTCODE> WITH YOUR OINKCODE)
cd ~/snort_src
wget https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz/<SNORTCODE> -O snortrules-snapshot-2970.tar.gz
sudo tar xfz snortrules-snapshot-2970.tar.gz -C /etc/snort

3. Move all new files from /etc/snort/etc to /etc/snort
cd /etc/snort/etc
sudo mv ./*.conf* ../
sudo mv ./*.map ../
cd /etc/snort
sudo rm -rf /etc/snort/etc

4. modify new /etc/snort/snort.conf
sudo sed -i 's/\.\./\/etc\/snort/' /etc/snort/snort.conf

Note 1: this /etc/snort/snort.conf is not configured to send Snort results to the DB
Note 2: rules are included individually by default
(screenshot: 27.png)

5. validate snort.conf
sudo snort -T -c /etc/snort/snort.conf
(screenshot: 25.png)

Note: fewer rules than when using PulledPork, but HOME_NET is any

6. test with offline pcap
sudo snort -c /etc/snort/snort.conf -l . -q -r 2014-03-01-Neutrino-EK-traffic.pcap
cat alert
(screenshot: 26.png)
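As an added example (not from the original post), the functions below summarise the alert file that Snort writes to the log directory (-l) when run against a pcap, so an offline run can be triaged without the database. The three-record alert file is constructed to look like Snort's full alert output; the function names, the sample addresses and the "constructed SSH probe" signature are illustration only.

```sh
# Added example, not part of the original post: summarise the "alert" file that
# Snort writes when run against a pcap with -l (full alert format), so an
# offline run can be triaged without a database. The sample alert file below
# is constructed to look like Snort's full-alert output.

# Write a constructed three-alert sample in Snort's full alert format.
write_sample_alert_file() {
    cat > "$1" <<'EOF'
[**] [1:10000001:1] ICMP test [**]
[Priority: 0]
11/22-14:03:11.123456 192.168.1.5 -> 192.168.1.171
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:1   Seq:1  ECHO

[**] [1:9000001:1] constructed SSH probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/22-14:04:02.000001 10.0.0.9:44512 -> 192.168.1.171:22
TCP TTL:63 TOS:0x0 ID:5 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0xFAF0  TcpLen: 40

[**] [1:10000001:1] ICMP test [**]
[Priority: 0]
11/22-14:05:40.654321 192.168.1.5 -> 192.168.1.171
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:1   Seq:2  ECHO

EOF
}

# Total number of alert records (one "[**] [gid:sid:rev] msg [**]" header each).
count_alerts() {
    grep -c '^\[\*\*\] \[' "$1" || true
}

# Alerts per signature: "count gid:sid:rev msg", most frequent first.
summarize_alerts() {
    awk '/^\[\*\*\] \[/ {
            id = $2; gsub(/\[|\]/, "", id)
            msg = $0
            sub(/^\[\*\*\] \[[0-9:]*\] /, "", msg)
            sub(/ \[\*\*\]$/, "", msg)
            n[id " " msg]++
         }
         END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Alerts per source address (port stripped): "count ip", most frequent first.
# Only the "timestamp src -> dst" line of each record contains " -> ".
top_sources() {
    awk '/ -> / { split($2, a, ":"); n[a[1]]++ }
         END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Demo on the constructed sample (run with: sh script.sh demo).
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    write_sample_alert_file "$f"
    echo "alerts: $(count_alerts "$f")"
    summarize_alerts "$f"
    top_sources "$f"
    rm -f "$f"
fi
```

Point the functions at the alert file from a real run (`summarize_alerts ./alert`) to see which signatures fired and from where; the same counts should match what BASE shows once Barnyard2 has loaded the unified2 output.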


#######################
# Appendix: Autosnort
#######################
If you want to go through all of this automatically, download the autosnort script from:


Posted by Hojung, 2014.11.22