Tuesday, November 25, 2008

Howto: The great and mighty tutorial about Snort 2.8 Inline + Base

Ok, so you have looked everywhere for a good tutorial about getting Snort working in bridge (inline, transparent) mode? Look no further, stranger, salvation is near. Sit back and enjoy the ride.

Before you start to cheer, please take a look at the requirements to get this stuff rolling:

* Processor: x86, preferably 1 GHz or more (depends on how many rules and preprocessors you run and how many Mbit/s you push).
* 2 or 3 NICs, preferably 10/100/1000 (3 NICs if you want a separate one for management; you can manage it with 2 NICs as well, but for security reasons you should invest in a third).
* 256+ MB RAM, the more the better, especially if you are going to run a lot of rules.

(I've run this on my 1.6 GHz laptop with 512 MB RAM and 2 * 100 Mbit NICs for testing purposes and it pushed 10 MB (megabytes)/s with 100 rules and all preprocessors activated. With 19000 rules it could handle around 2-3 MB/s with a lot of packet drops.)

For my setup this time I will be using an IBM x350 with an Intel Xeon Quad Core 2.8 GHz, 3 GB RAM, 1 * 100 Mbit interface for management and 2 * 1000 Mbit interfaces for the bridge. Note that it should be able to run on anything that can handle Xubuntu.

So as always, start with a clean installation of Xubuntu 7.10 (it can be found here: http://cdimage.ubuntu.com/xubuntu/releases/gutsy/release/)

This should work with 8.10 as well; I haven't tried it yet though.

Always update and upgrade before using it. This is important since Xubuntu 7.10 ships with a big flaw in its OpenSSL package.
sudo apt-get update
sudo apt-get upgrade



So let's get started on the long and narrow road to getting Snort inline.

I've used a lot of tutorials as a base for this one:
http://openmaniak.com/inline.php
http://www.intarwebz.com/snort-ips/
http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/node7.html
http://www.howtoforge.com/intrusion-detection-with-snort-mysql-apache2-on-ubuntu-7.10

So if something looks very similar, then I've probably copied it from the above. The reason for this tutorial is that none of them describe how to get the latest Snort 2.8.3.1 running inline.

So before heading to the first step you should get a cup of coffee/tea.

1. Installing the packages

So let's get started with installing all the crap that Snort/BASE needs.

I will list them with a short comment:

bridge-utils - makes bridging of interfaces possible
libnet0-dev - development files for libnet, needed by snort inline
iptables-dev - development files for iptables (libipq), used when compiling snort inline
build-essential - important files for compiling, gcc etc.
libpcap0.8-dev - snort inline does not use this, but perfmonitor does
libmysqlclient15-dev - MySQL client development files, needed to build snort with MySQL output
mysql-client-5.0 - client for accessing MySQL
mysql-server-5.0 - MySQL server for storing the information BASE displays
apache2 - webserver
libapache2-mod-php5 - PHP module for Apache
php5-gd - php-gd for drawing graphs
php5-mysql - PHP extension for MySQL
libphp-adodb - library for ADOdb
php-pear - PHP extension for PEAR
bison - parser generator, needed when compiling
flex - lexical analyser generator, needed when compiling
gedit - text editor

Type:
sudo apt-get install build-essential libpcap0.8-dev libmysqlclient15-dev mysql-client-5.0 mysql-server-5.0 bison flex apache2 libapache2-mod-php5 php5-gd php5-mysql libphp-adodb php-pear iptables-dev libnet0-dev gedit bridge-utils
This will install everything you need.

During the installation MySQL will prompt you for a root password and give you a warning message about a moved library. This is normal.

2. Manual install of some packages

So now we need to manually install some crap. Yes, life sucks.

Start by creating a temporary folder that we will be using.

I've put mine in the filesystem at /layer8/

Do this by typing:

sudo mkdir /layer8/
Or you can do this by opening Thunar (the file manager) as root, right-clicking and creating a new folder. If you prefer this way, type:

sudo thunar
Now head over to www.pcre.org and download the latest package of Perl Compatible Regular Expressions (ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/) (7.8 at the time of writing).

Download it and put it in the /layer8/ directory.
Extract pcre-7.8.tar.gz to the directory:
cd /layer8
sudo tar -xzvf /layer8/pcre-7.8.tar.gz
Now configure and install it:
cd pcre-7.8/
sudo ./configure
sudo make
sudo make install
Now you need to install libnet (I use the latest, 1.1.2.1). Head over to: http://www.packetfactory.net/libnet/

Download it to the /layer8/ folder, then install it.

cd /layer8
sudo tar -xzvf libnet.tar.gz
cd /layer8/libnet/
sudo ./configure
sudo make
sudo make install

3. Install and compile Snort Inline + rules

Now let's download the latest version of Snort and some nice rules. Put them in the /layer8/ folder. I will be writing about adding rules from Bleeding Snort and Emerging Threats later, so for now you can download the stable VRT registered user release (snortrules-snapshot-2.8.tar.gz).


Extract Snort:
cd /layer8
sudo tar -xzvf /layer8/snort-2.8.3.1.tar.gz
Extract the Snort rules into the snort directory (you need to move the rules tarball into the snort directory first):
cd /layer8/snort-2.8.3.1/
sudo tar -xzvf /layer8/snort-2.8.3.1/snortrules-snapshot-2.8.tar.gz

Feel free to delete any old tar.gz files that you have already used.

Now configure and install it:

cd /layer8/snort-2.8.3.1/

sudo ./configure --enable-dynamicplugin --with-mysql --enable-inline --with-libipq-includes=/usr/include/libipq/
sudo make
sudo make install
Done! If you get any errors while trying to configure it, here is a good help list to see what you are missing: http://openmaniak.com/inline_pre.php

4. Pre Launch
Now before we test drive our inline Snort there is a little bit left to do. First create these 3 directories:
sudo mkdir -p /etc/snort /etc/snort/rules /var/log/snort
Now lets copy some files:
cd /layer8/snort-2.8.3.1/rules
sudo cp * /etc/snort/rules/

cd /layer8/snort-2.8.3.1/etc
sudo cp * /etc/snort/
sudo cp /usr/local/lib/libpcre.so.0 /usr/lib
So now our config file snort.conf resides in /etc/snort. Sweet.

Now edit /etc/snort/snort.conf and change

var RULE_PATH ../rules to var RULE_PATH /etc/snort/rules

Now test drive Snort inline!!!
sudo snort -Q -c /etc/snort/snort.conf -v
The -Q tells Snort inline to take packets from the ip_queue module. Currently you won't get any because we haven't told iptables to send anything to QUEUE yet; be patient. The -c tells it where to find snort.conf and the -v is for verbose output so you can see what is happening on the screen. If you want to, you can launch it as a daemon using -D.

If everything went successfully you will see a little pig and some text after it's done loading:

--== Initialization Complete ==--

,,_ -*> Snort! <*-
o" )~ Version 2.8.3.1 (Build 17) inline
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2008 Sourcefire Inc., et al.
Using PCRE version: 7.8 2008-09-05

Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.9
Preprocessor Object: SF_SSH Version 1.1
Preprocessor Object: SF_SMTP Version 1.1
Preprocessor Object: SF_FTPTELNET Version 1.1
Preprocessor Object: SF_DNS Version 1.1
Preprocessor Object: SF_DCERPC Version 1.1
Not Using PCAP_FRAMES

So now you have a working SNORT INLINE!!! But hey, we're far from done yet :'(
You can stop Snort by pressing CTRL + C at any time.

So what's left to do?

BASE, MySQL setup, Apache2, bridging the NICs and setting up iptables.

5. Download Base + Adodb Extension for PHP

Download the adodb-php5-only package to the /layer8/ folder.

Untar it and move it:
cd /layer8/
sudo tar -xzvf adodb506a.tgz

sudo mv /layer8/adodb5 /var/www/
Done.

Head over to SourceForge and download the latest version of BASE ( http://sourceforge.net/project/showfiles.php?group_id=103348&package_id=128846&release_id=617636)

Download it to /layer8/, untar it and move it:
cd /layer8/
sudo tar -xzvf base-1.4.1.tar.gz

sudo mv /layer8/base-php4 /var/www/base

6. Configure MySQL Server
Now let's set up the MySQL server:

Type:
sudo mysql -u root -p
In the prompt that appears, type:

SET PASSWORD FOR root@localhost=PASSWORD('Your password!!!!');

It will return something like: Query OK, 0 rows affected (0.00 sec)
Then type:

create database snort;
exit

Use the snort schema for the layout of the database:
sudo mysql -D snort -u root -p < /layer8/snort-2.8.3.1/schemas/create_mysql
Ok great, let's move on.

7. Apache2 + Pear

Now edit /etc/php5/apache2/php.ini:
sudo gedit /etc/php5/apache2/php.ini

Add under Dynamic Extensions:
extension=mysql.so
extension=gd.so
Restart apache by typing:
sudo /etc/init.d/apache2 restart
Now the BASE web setup needs to be able to write to the /var/www/base folder (note that 757 makes the folder world-writable):
sudo chmod 757 /var/www/base
Now install some PEAR graphics tools:
sudo pear upgrade-all
sudo pear install Image_Color
sudo pear install Image_Canvas-alpha
sudo pear install Image_Graph-alpha
sudo pear install Mail
sudo pear install Mail_mime

8. Setup Base

Now BASE should be installable using the web setup; open this in your browser:

http://YOURIPADRESS/base/setup/

When prompted for the path to ADODB, enter:

/var/www/adodb5

Page 2:

Database Name: snort
Database Host: localhost
Database Port: leave blank
Database User Name: root
Database Password: Your password!!!


Page 3: self-explanatory

Page 4: press the create database button and you will get some text:
  1. Successfully created 'acid_ag'
  2. Successfully created 'acid_ag_alert'
  3. Successfully created 'acid_ip_cache'
  4. Successfully created 'acid_event'
  5. Successfully created 'base_roles'
  6. Successfully INSERTED Admin role
  7. Successfully INSERTED Authenticated User role
  8. Successfully INSERTED Anonymous User role
  9. Successfully INSERTED Alert Group Editor role
  10. Successfully created 'base_users'
Sweet, now you should see the BASE window!

9. Configure Output in snort.conf

Edit /etc/snort/snort.conf and find the commented-out line:

#output database: log, mysql, user=root password=Your Password!! dbname=snort host=localhost

Remove the leading # and fill in the MySQL root password you set in step 6, so it reads like the line above but without the # and with your own password.
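Steps 4 and 9 both edit snort.conf by hand. The script below is an added example, not from the original howto: it makes those two changes with sed and then checks them, so a rules directory that does not exist is caught before Snort is started. It assumes the stock 2.8.x lines quoted above (var RULE_PATH ../rules and the commented output database line); the demo runs on a constructed copy in a temp directory, never on /etc/snort/snort.conf, and the credentials in it are made up.

```sh
#!/bin/sh
# Added example, not part of the original howto: make the snort.conf edits
# from steps 4 (RULE_PATH) and 9 (MySQL output) with sed, then verify them so a
# typo such as a rules directory that does not exist is caught before Snort
# starts. Assumes the stock 2.8.x lines quoted in the howto:
#   var RULE_PATH ../rules
#   #output database: log, mysql, user=... password=... dbname=... host=...
# Paths and credentials used in the demo are constructed.

# Point RULE_PATH at an absolute directory.  $1 = snort.conf, $2 = rules dir
set_rule_path() {
    tmp="$1.tmp.$$"
    sed "s|^var RULE_PATH .*|var RULE_PATH $2|" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Uncomment the MySQL output line and fill in the credentials.
# $1 = snort.conf, $2 = db user, $3 = db password, $4 = db name, $5 = db host
# (a password containing |, & or \ would need escaping for sed)
enable_mysql_output() {
    tmp="$1.tmp.$$"
    sed "s|^#*output database: log, mysql,.*|output database: log, mysql, user=$2 password=$3 dbname=$4 host=$5|" \
        "$1" > "$tmp" && mv "$tmp" "$1"
}

# Verify the edits: RULE_PATH must be absolute and exist, and the MySQL
# output line must be active. Prints each problem; returns non-zero on failure.
# $1 = snort.conf
check_config() {
    rc=0
    path=$(sed -n 's|^var RULE_PATH ||p' "$1")
    case "$path" in
        /*) [ -d "$path" ] || { echo "RULE_PATH does not exist: $path"; rc=1; } ;;
        *)  echo "RULE_PATH is not absolute: '$path'"; rc=1 ;;
    esac
    grep -q '^output database: log, mysql,' "$1" \
        || { echo "MySQL output line is missing or still commented out"; rc=1; }
    return $rc
}

# Demo on a constructed mini snort.conf in a temp directory (no root needed).
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/rules"
    cat > "$work/snort.conf" <<'EOF'
var HOME_NET any
var RULE_PATH ../rules
#output database: log, mysql, user=root password=Your Password!! dbname=snort host=localhost
include $RULE_PATH/local.rules
EOF
    echo "before:"; check_config "$work/snort.conf"
    set_rule_path "$work/snort.conf" "$work/rules"
    enable_mysql_output "$work/snort.conf" snort 's3cret' snort localhost
    echo "after:"
    check_config "$work/snort.conf" && grep -n -e 'RULE_PATH' -e '^output' "$work/snort.conf"
    rm -rf "$work"
}
demo
```

On the real box you would call set_rule_path /etc/snort/snort.conf /etc/snort/rules and enable_mysql_output with your own credentials, then run check_config before starting Snort. Keep in mind the password ends up in plain text in snort.conf, so the file should not be world-readable.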

10. Snort inline + Iptables

We want to test Snort again, but let's add some iptables rules first.

Check that ip_queue is loaded:
sudo modprobe ip_queue
sudo lsmod | grep ip_queue

This should return something like:
ip_queue 11792 0

Now add an iptables rule (note that you will lose any remote connection you have, since everything arriving at the box now goes through the queue):
sudo iptables -A INPUT -j QUEUE
Check your iptables:
sudo iptables -L
You can flush/delete your iptables rules at any time by issuing "sudo iptables -F"

Now test Snort again:
sudo snort -Q -v -c /etc/snort/snort.conf
You should now see the traffic destined for the Snort box itself passing through Snort.

11. Bridging the interfaces

So let's bridge the interfaces you are going to have traffic passing through.

To do this you need to load the bridge module:
sudo modprobe bridge
Now edit /etc/network/interfaces:

sudo gedit /etc/network/interfaces
Make it look like this (if you have 3 NICs, 1 for management; if you don't, check out http://openmaniak.com/inline_bridge.php):

###############################
# Loopback interface

auto lo
iface lo inet loopback
# the bridge
auto br0
iface br0 inet manual
# Ethernet Interfaces you want to add to bridge !!!!
bridge_ports eth0 eth1
# Time to wait before loading the bridge
bridge_maxwait 0

# Mgmt Interface:
auto eth2
iface eth2 inet static
address 10.2.96.155
netmask 255.255.255.0
broadcast 10.2.96.255
gateway 10.2.96.254


#################################

After you have saved the file, restart your NICs:
sudo /etc/init.d/networking restart

12. Snort Inline Bridge mode + Forward ip_queue

So now eth1 and eth0 should be bridged, and we have a port for management!

Now send the packets you want inspected to the QUEUE and Snort will alert, drop, log, alter etc. This is done by telling iptables to send all packets it would normally forward across the bridge to the QUEUE.
sudo iptables -A FORWARD -j QUEUE
Now all you have to do is start Snort with the -Q argument.

sudo snort -Q -v -c /etc/snort/snort.conf
Enjoy!!!
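Before trusting the bridge with real traffic it is worth checking the three things steps 10 to 12 set up. The script below is an added example, not part of the original howto: each check reads the output of lsmod, iptables -L -n or brctl show from standard input, so it can be exercised on captured text without root (the sample output at the bottom is constructed), and with --live it runs the real commands. The interface, bridge and chain names (eth0, eth1, br0, FORWARD) are the ones this howto uses.

```sh
#!/bin/sh
# Added example, not part of the original howto: sanity checks for what steps
# 10-12 set up before the bridge carries real traffic: the ip_queue module,
# a QUEUE jump in the FORWARD chain, and both ports on br0. Each check reads
# command output from stdin, so it can run on captured text without root;
# "--live" runs the real commands. Names (eth0, eth1, br0, FORWARD) are the
# ones the howto uses; the sample output at the bottom is constructed.

# Is ip_queue listed?  stdin = "lsmod" output
ip_queue_loaded() {
    awk '$1 == "ip_queue" { found = 1 } END { exit !found }'
}

# Does a chain contain a QUEUE target?  $1 = chain, stdin = "iptables -L -n"
# (tracks the "Chain NAME" headers so only rules of that chain count)
queue_rule_in_chain() {
    awk -v chain="$1" '
        /^Chain / { in_chain = ($2 == chain); next }
        in_chain && $1 == "QUEUE" { found = 1 }
        END { exit !found }'
}

# Does a bridge contain every wanted port?  $1 = bridge, $2 = "port port",
# stdin = "brctl show" output (first port on the bridge line, further ports
# on continuation lines holding only the interface name)
bridge_has_ports() {
    awk -v br="$1" -v want="$2" '
        NR > 1 && NF >= 4 { cur = $1; ports[cur] = ports[cur] " " $4 }
        NR > 1 && NF == 1 { ports[cur] = ports[cur] " " $1 }
        END {
            n = split(want, w, " ")
            for (i = 1; i <= n; i++)
                if (index(ports[br] " ", " " w[i] " ") == 0) exit 1
            exit 0
        }'
}

# Run all checks against the running system (needs root for iptables).
live_check() {
    rc=0
    lsmod | ip_queue_loaded \
        || { echo "ip_queue not loaded: sudo modprobe ip_queue"; rc=1; }
    iptables -L -n | queue_rule_in_chain FORWARD \
        || { echo "no QUEUE rule in FORWARD: sudo iptables -A FORWARD -j QUEUE"; rc=1; }
    brctl show | bridge_has_ports br0 "eth0 eth1" \
        || { echo "br0 is missing eth0/eth1: check /etc/network/interfaces"; rc=1; }
    [ "$rc" -eq 0 ] && echo "inline pipeline looks ready"
    return "$rc"
}

# Constructed sample output from a correctly configured box.
SAMPLE_LSMOD='Module                  Size  Used by
ip_queue               11792  0
bridge                 55704  0'
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
QUEUE      all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000000       no              eth0
                                                        eth1'

if [ "$1" = "--live" ]; then
    live_check
else
    printf '%s\n' "$SAMPLE_LSMOD"    | ip_queue_loaded                 && echo "sample: ip_queue loaded"
    printf '%s\n' "$SAMPLE_IPTABLES" | queue_rule_in_chain FORWARD      && echo "sample: QUEUE rule in FORWARD"
    printf '%s\n' "$SAMPLE_IPTABLES" | queue_rule_in_chain INPUT        || echo "sample: no QUEUE rule in INPUT, management access survives"
    printf '%s\n' "$SAMPLE_BRCTL"    | bridge_has_ports br0 "eth0 eth1" && echo "sample: br0 has eth0 and eth1"
fi
```

The INPUT check is there on purpose: step 10 queued INPUT for a quick test, and if that rule is still present when you go live, management traffic to eth2 is queued too and a stopped Snort cuts you off the box.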

Now remember all rules are set to "alert" by default, so you will have to edit them and change them to drop manually or by using oinkmaster. I prefer IDSPM and I will write a howto on that soon. I will also write a howto on getting Splunk to eat Snort alert logs and report some nice stuff about them. Check out these screens for a preview :)
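As the paragraph above says, a fresh rule set only alerts; for inline blocking the action word has to become drop. The script below is an added example, not from the howto, oinkmaster or IDSPM: it flips the action for a chosen list of SIDs, or for every alert rule, and counts the result. It assumes the standard rule layout (action, header, then options containing sid:N); the rules file and SIDs in the demo are constructed. Converting only vetted SIDs is deliberate, because a drop rule that false-positives blocks real traffic, whereas an alert rule only fills the log.

```sh
#!/bin/sh
# Added example, not part of the original howto: switch selected Snort rules
# from "alert" to "drop" so snort inline blocks instead of only logging.
# Assumes the standard rule layout: action, header, then options with sid:N.
# File names and SIDs in the demo are constructed.

# Turn every active alert rule in a file into a drop rule.  $1 = rules file
# Only lines starting with "alert" change; comments and other actions
# (pass, log, sdrop, reject) are left alone.
alert_to_drop_all() {
    tmp="$1.tmp.$$"
    sed 's/^alert[[:space:]]/drop /' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Turn only the alert rules with the listed SIDs into drop rules.
# $1 = rules file, $2 = space-separated SID list, e.g. "1000001 1000002"
alert_to_drop_sids() {
    tmp="$1.tmp.$$"
    awk -v list="$2" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^alert[ \t]/ && match($0, /sid:[ \t]*[0-9]+/) {
            sid = substr($0, RSTART + 4, RLENGTH - 4)   # text after "sid:"
            gsub(/[ \t]/, "", sid)
            if (sid in want) sub(/^alert/, "drop")
        }
        { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Print the action word of the rule carrying a SID (nothing if absent).
# $1 = rules file, $2 = SID
action_of_sid() {
    awk -v s="$2" 'match($0, /sid:[ \t]*[0-9]+/) {
        sid = substr($0, RSTART + 4, RLENGTH - 4); gsub(/[ \t]/, "", sid)
        if (sid == s) { print $1; exit }
    }' "$1"
}

# Count rules per action so you can see how many now block.  $1 = rules file
# Output lines look like "drop 2", sorted by action.
count_actions() {
    awk '/^(alert|drop|sdrop|reject|pass|log)[ \t]/ { c[$1]++ }
         END { for (k in c) print k, c[k] }' "$1" | sort
}

# Demo on a constructed rules file in a temp directory (no root needed).
demo() {
    work=$(mktemp -d)
    cat > "$work/local.rules" <<'EOF'
# constructed sample rules for the demo
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force (demo)"; flow:to_server; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Web scanner UA (demo)"; sid:1000002; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP echo (demo)"; itype:8; sid:1000003; rev:1;)
pass tcp $HOME_NET any -> any 53 (msg:"DNS allowed (demo)"; sid:1000004; rev:1;)
EOF
    # Block only the two signatures that have been vetted for false positives;
    # the ICMP rule keeps alerting and the pass rule is untouched.
    alert_to_drop_sids "$work/local.rules" "1000001 1000002"
    count_actions "$work/local.rules"
    cat "$work/local.rules"
    rm -rf "$work"
}
demo
```

Run it against /etc/snort/rules/*.rules one file at a time, then restart Snort with -Q so the changed actions are loaded; count_actions before and after gives you a quick diff of how much the box will now actually block.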

14 comments:

Anonymous said...

I have gotten to the test drive part and I get: error while loading shared libraries: libpcre.so.0: cannot open shared object file: No such file or directory

Also, should I have the 2 other nic in? So far I'm just at the configuring stage.

PS: nice howto, I've always wanted to setup a snort inline box.

Anonymous said...

Hi, I'm not sure but I think you've missed the pcre files. Get them at:

http://www.pcre.org

Anonymous said...

Ok, there are a few issues here. I made a sym link
"sudo ln -s /etc/snort/rules etc/rules" and that enabled snort to start without the whole missing rules error. I did this just prior to the "Now testdrive snort inline!!!" entry.

The path in "sudo chmod 757 /var/www/web/base" should not have the "web" part.

and sudo lsmod grep ip_queue needs a pipe.
such as "sudo lsmod | grep ip_queue".

Reading up on how to make the bridge work, had to buy some network cards that were different. (3 nics, same brand & make = no fun)

Fourknees said...

Hi, thanks for the input! I've added the pipe and deleted the /web/.

The rules were addressed just before you test drive snort, on the line:

Change:
var RULE_PATH ../rules to var RULE_PATH /etc/snort/rule

Thanks again!

Anonymous said...

SUCCESS! It works after much massaging of NIC cards. (10/100 3com mgmt, intel gigabit & dlink gigabit for the br0)

This was to ensure that the modules were different. 3 identical NICs is feasible, just not by me, I guess.

Also, I *HAD* to disconnect the cable on the 3com to prevent snort from listening to it (despite an ifdown eth0 command!)

Many thanks on this invaluable howto again. :)

diego said...

Hi, I'm just a beginner with snort. I followed all the steps but when I run it I can't see any alert in the manager, what could be the problem? During the installation I had to change the version of libnet because an error appeared with the newest version, it was normal

Anonymous said...

Check your /var/log/snort alert file if they're in there!

Anonymous said...

Thanks for the great HowTo. I ran into a problem that nobody seems to have experienced, at least based on my Google search. I've been able to get all the way to step 3 of the set up for BASE and then when I click "Submit Query" I get a blank page. Nothing. Any idea why I'm not getting the next gui with "Create BASE AG" button? The browser shows localhost/base-php4/setup/setup4.php, but setup4.php is not served somehow. No error or anything...just a white page.
Thank you very much for any suggestions.

Fourknees said...

Hi, please try to follow the howto again and pay attention to the details, it's very easy to forget something very small!

Hack_AWA said...

Actually I did pay attention to every step. I finally solved this issue and I thought somebody might come across it so I am going to share it here. When I checked my http logs I found that there was a PHP parse error due to an unexpected "{" in /var/www/base/include/base_signature.inc.php on line 463. I can read php ok but I'm no php programmer, so I just commented out the block where the problem seemed to be (which was a try-catch block) and I was able to proceed with the set up fine. I have to figure out how to fix the code because I am a believer in error handling but at least I am able to make some progress finally. I was surprised that there isn't much on the internet about this issue although I found a couple of people who asked the same question...they got no answer unfortunately. Hope this helps somebody. Thanks.

led signs said...

Seems very complex. Need to learn step by step. Thanks

Groupon Clone said...

Nice post. Great blog. Thanks for sharing.
Yelp Clone Script| Angry birds clone| Groupon Clone

www.muebles-camobel.es said...

Thanks so much for the post, quite helpful piece of writing.

ed medication said...

Howdy! Would you mind if I share your blog with my myspace group? There's a lot of folks that I think would really enjoy your content. Please let me know. Thank you