Thursday, October 18, 2018

Install and Configure Snort HIDS with Barnyard2, Base & MySQL on Ubuntu

Hi, this is a detailed post with every step I performed to deploy Snort HIDS on Ubuntu with Barnyard2, BASE, MySQL, SnortReport and JPGraph.

Log in as the limited user and set the root password (if logging in for the first time):

Login: attique
Password: <hidden>

$ sudo passwd root

>    Provide the "attique" user password
>    Provide the new password to set for the root user

$ su -
Password: <provide root password>

Set Static IP for interface:
# vim /etc/network/interfaces

The IP settings format is shown below:

[Figure 1: interface settings]

Restart the host or the networking service. I restart the host with:

# init 6

Update the Host:

# apt-get update -y && apt-get upgrade -y

Install Apache, PHP and MySQL:

# apt-get -y install apache2 libapache2-mod-php5 mysql-server mysql-common mysql-client php5-mysql libmysqlclient-dev php5-gd php-pear libphp-adodb php5-cli

[Figure 6: install Apache, MySQL and PHP]

[Figure 7: enter the MySQL root password]

Install further Dependencies:

# apt-get -y install libwww-perl libnet1 libnet1-dev libpcre3 libpcre3-dev autoconf libcrypt-ssleay-perl libtool libssl-dev build-essential automake gcc make flex bison git

[Figure 8: install dependencies]

Download and Install libdnet:

The easiest way to get the latest version is to build from source. Download the tarball and install it with the following commands:

# mkdir /usr/local/snort
# cd /usr/local/snort
# wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
# tar xzvf libdnet-1.12.tgz
# cd libdnet-1.12/
# ./configure
# make
# make install
# ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1

DAQ requires libpcap, so installing DAQ first fails; install libpcap now.
Download libpcap from tcpdump.org (I fetch the latest version with wget) and build it:

# cd /usr/local/snort
# wget http://www.tcpdump.org/release/libpcap-1.6.2.tar.gz
# tar -xzvf libpcap-1.6.2.tar.gz
# cd libpcap-1.6.2
# ./configure
# make
# make install
# echo "/usr/local/lib" >> /etc/ld.so.conf
# ldconfig -v

Downloading & Installing DAQ:

# cd /usr/local/snort
# wget https://www.snort.org/downloads/snort/daq-2.0.4.tar.gz
# tar zxvf daq-2.0.4.tar.gz
# cd daq-2.0.4
# ./configure
# make
# make install

Download and Install Snort:

# cd /usr/local/snort
# wget https://www.snort.org/downloads/snort/snort-2.9.7.0.tar.gz
# tar -xzvf snort-2.9.7.0.tar.gz
# cd snort-2.9.7.0
# ./configure --prefix=/usr/local/snort --enable-sourcefire
# make
# make install
# mkdir /var/log/snort
# mkdir /var/snort
# groupadd snort
# useradd -g snort snort
# chown snort:snort /var/log/snort

Download the Latest Snort Rules:

Download the latest rules snapshot by signing in at snort.org, as shown in the figure below:

[Figure 9: sign in to get the Snort rules snapshot]

Extract the snapshot and copy the rules into the Snort directory:

# cd /usr/local/src
# tar zxf snortrules-snapshot-2962.tar.gz -C /usr/local/snort
# mkdir /usr/local/snort/lib/snort_dynamicrules
# cp /usr/local/snort/so_rules/precompiled/Ubuntu-12-04/x86-64/2.9.6.2/* /usr/local/snort/lib/snort_dynamicrules
# touch /usr/local/snort/rules/white_list.rules
# touch /usr/local/snort/rules/black_list.rules
# ldconfig -v

Now we need to edit the snort.conf configuration file:

# vim /usr/local/snort/etc/snort.conf

Set the values as given below:

var WHITE_LIST_PATH /usr/local/snort/rules
var BLACK_LIST_PATH /usr/local/snort/rules

dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules

output unified2: filename snort.u2, limit 128

The figure below also shows how these values are set.

[Figure 10: Snort config changes]
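Every path in the directives above has to exist before Snort will start, and a typo only shows up as a fatal error at launch. The script below is an added example (not from the original post) that checks a snort.conf for exactly the directives set in this guide: that the white/black list variables point at a directory containing the touched rules files, that the dynamic preprocessor, engine and detection paths resolve, and that a unified2 output line is present so Barnyard2 has something to read. It assumes the /usr/local/snort layout used here; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: check that the snort.conf
# directives set in the guide point at things that really exist.
# Assumes the /usr/local/snort layout used in this guide; function names are mine.

# Print the value of "var NAME value" from a snort.conf (empty if unset).
snort_var() {                      # $1 = conf file, $2 = variable name
    awk -v n="$2" '$1 == "var" && $2 == n { print $3; exit }' "$1"
}

# Print the path from "dynamicXXX directory <path>" or "dynamicengine <path>".
snort_dynamic_path() {             # $1 = conf file, $2 = directive name
    awk -v d="$2" '$1 == d { p = ($2 == "directory") ? $3 : $2; print p; exit }' "$1"
}

# Return 0 when every directive from the guide is present and resolvable,
# 1 otherwise; each problem is reported on stderr.
check_snort_conf() {               # $1 = conf file
    conf="$1"; rc=0
    # white/black list variables must name a directory holding the touched files
    for pair in WHITE_LIST_PATH:white_list.rules BLACK_LIST_PATH:black_list.rules; do
        v=${pair%%:*}; f=${pair#*:}
        p=$(snort_var "$conf" "$v")
        if [ -z "$p" ]; then
            echo "missing: var $v" >&2; rc=1
        elif [ ! -f "$p/$f" ]; then
            echo "$v: $p/$f not found" >&2; rc=1
        fi
    done
    # shared-object paths: a missing one makes Snort abort at startup
    for d in dynamicpreprocessor dynamicengine dynamicdetection; do
        p=$(snort_dynamic_path "$conf" "$d")
        if [ -z "$p" ]; then
            echo "missing: $d" >&2; rc=1
        elif [ ! -e "$p" ]; then
            echo "$d: $p does not exist" >&2; rc=1
        fi
    done
    # without unified2 output Barnyard2 has nothing to feed into MySQL
    if ! grep -q '^output unified2:' "$conf"; then
        echo "missing: output unified2" >&2; rc=1
    fi
    return $rc
}

# Usage: sh check_snort_conf.sh /usr/local/snort/etc/snort.conf
if [ $# -gt 0 ]; then
    check_snort_conf "$1"
fi
```

Run it against /usr/local/snort/etc/snort.conf after editing; a zero exit status means every listed directive resolves, and each non-zero run prints the offending directive so you can fix it before the real test run below.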

Download and Install Barnyard2:

Barnyard2 improves the efficiency of Snort by taking the database writes off the main detection engine. It reads Snort’s unified2 output files and inserts the events into a database. If the database is unavailable, Barnyard2 inputs the data once the database comes back online, so no alerts are lost.

Download Barnyard2 from GitHub & Install:

# cd /usr/local/src
# git clone http://github.com/firnsy/barnyard2.git barnyard2
# cd barnyard2
# autoreconf -fvi -I ./m4
# ./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
# make
# make install
# cp etc/barnyard2.conf /usr/local/snort/etc
# mkdir /var/log/barnyard2
# chmod 666 /var/log/barnyard2
# touch /var/log/snort/barnyard2.waldo
# chown snort:snort /var/log/snort/barnyard2.waldo

Create Database for Snort to be used by Barnyard for Storage:

# mysql -u root -p
mysql> create database snortdb;

mysql> grant create, insert, select, delete, update on snortdb.* to snortuser@localhost identified by '3ngin33r';
mysql> flush privileges;

[Figure 11: create the Snort DB]

Populate the Snort DB with the Barnyard2 schema (run from the barnyard2 source directory, where ./schemas lives):

# mysql -u root -p -D snortdb < ./schemas/create_mysql

Modify the Barnyard2 configuration file with the following command:

# vim /usr/local/snort/etc/barnyard2.conf

Set Values as given below:

config  reference_file: /usr/local/snort/etc/reference.config
config  classification_file: /usr/local/snort/etc/classification.config
config  gen_file: /usr/local/snort/etc/gen-msg.map
config  sid_file: /usr/local/snort/etc/sid-msg.map
config hostname: localhost
config interface: eth0

output database: log, mysql, dbname=snortdb user=snortuser password=3ngin33r host=localhost

 

Save and quit.

[Figure 12: Barnyard2 config change]

Copy the required file from the Snort source directory:

# cp /usr/local/snort/snort-2.9.6.2/etc/gen-msg.map /usr/local/snort/etc/

Testing Snort:

It’s time to test whether Snort is installed and configured correctly with this command:

# /usr/local/snort/bin/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0

“Commencing packet processing” should appear at the end of the output; this means Snort is installed and configured correctly.

[Figure 13: test Snort]

To start Snort automatically at boot, edit rc.local with the following command:

# vim /etc/rc.local

Add the following lines before the “exit” line.

ifconfig eth0 up

/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0
/usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D

 

Save and quit with :wq!

[Figure 14: autostart at boot]

Download and Set up Snort Report (Optional):

Download Snort Report from:

http://www.symmetrixtech.com/

or

# wget http://symmetrixtech.com/wp/wp-content/uploads/2014/09/snortreport-1.3.4.tar.gz
# tar -xzf snortreport-1.3.4.tar.gz -C /var/www/html
# vim /var/www/html/snortreport-1.3.4/srconf.php

Set Database details:

$server = "localhost";
$user = "snortuser";
$pass = "3ngin33r";
$dbname = "snortdb";

[Figure 15: SnortReport config edit]

Download and Install JPGraph:

# wget http://jpgraph.net/download/download.php?p=5 -O jpgraph-3.5.0b1.tar.gz
# tar xvzf jpgraph-3.5.0b1.tar.gz -C /var/www/html/
# mv /var/www/html/jpgraph-3.5.0b1 /var/www/html/jpgraph

Download and Install ADODB5:

# wget http://downloads.sourceforge.net/project/adodb/adodb-php5-only/adodb-519-for-php5/adodb519.tar.gz
# tar -xzf adodb519.tar.gz -C /var/www/html

# mv /var/www/html/adodb519 /var/www/html/adodb5

Installing and configuring ACID (install either ACID or BASE; BASE is shown below):

# cd /usr/local/src
# wget http://acidlab.sourceforge.net/acid-0.9.6b23.tar.gz
# tar -xzf acid-0.9.6b23.tar.gz -C /var/www/html
# cd /var/www/html/acid/
# vim acid_conf.php

Set the options as:

$DBlib_path = "/var/www/html/adodb5";

$alert_dbname   = "snortdb";
$alert_host     = "localhost";
$alert_port     = "";
$alert_user     = "snortuser";
$alert_password = "3ngin33r";

/* Archive DB connection parameters */
$archive_dbname   = "snortdb";
$archive_host     = "localhost";
$archive_port     = "";
$archive_user     = "snortuser";
$archive_password = "3ngin33r";

/* JPGraph was moved to /var/www/html/jpgraph above */
$ChartLib_path = "/var/www/html/jpgraph";

 

Save and quit.

[Figure 16: ACID config edit]

Restart Apache and browse to the following URL:

http://<ServerIP>/acid

 

Installing BASE as the Snort front-end (recommended):

I used BASE as ACID didn’t work for me.

Check that all dependencies are installed, or install them with the following command:

# apt-get install apache2 libapache2-mod-php5 php5 php5-mysql php5-common php5-gd php5-cli php-pear unzip -y

Install the PEAR Image_Graph package:

# pear install -f Image_Graph

Download and extract BASE

# cd /var/www/html/
# wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
# tar zxvf base-1.4.5.tar.gz
# mv base-1.4.5 base

Configure BASE

# cd base
# cp base_conf.php.dist base_conf.php
# vim base_conf.php

Set the directives as:

$BASE_urlpath = '/base';

$DBlib_path = '/var/www/html/adodb5';

$alert_dbname   = 'snortdb';
$alert_host     = 'localhost';
$alert_port     = '';
$alert_user     = 'snortuser';
$alert_password = '3ngin33r';

 

[Figure 17: BASE config edit]

Change the Ownership of all files to www-data:

# chown -R www-data:www-data /var/www/html

# service apache2 restart
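After the recursive chown above, every file under /var/www/html, including base_conf.php, acid_conf.php and srconf.php with the snortuser password in clear text, is owned and writable by www-data, and a default 644 mode leaves it readable by any local account. The script below is an added example (not from the original post) that audits those credential files for that exposure and tightens them to owner root, group www-data, mode 640: Apache can still read them, but cannot rewrite them and other local users cannot read the password. The file list and function names are my own, taken from the front-ends installed in this guide.

```shell
#!/bin/sh
# Added example, not part of the original post. Audits and hardens the web
# front-end config files that carry the Snort DB password. The file list and
# function names are my own; paths follow the layout used in this guide.

# Files (relative to the web root) that contain the snortuser credentials.
SNORT_WEB_SECRETS="base/base_conf.php acid/acid_conf.php snortreport-1.3.4/srconf.php"

# Octal permission bits of a file (GNU stat, with a BSD stat fallback),
# with leading zeros stripped so the shell reads the digits as decimal.
file_mode() {                      # $1 = file
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    m=${m#"${m%%[!0]*}"}
    printf '%s\n' "${m:-0}"
}

# Return 0 if the file is readable by "other" or writable by group or other.
is_exposed() {                     # $1 = file
    m=$(file_mode "$1")
    o=$(( m % 10 )); g=$(( (m / 10) % 10 ))
    [ $(( o & 4 )) -ne 0 ] || [ $(( o & 2 )) -ne 0 ] || [ $(( g & 2 )) -ne 0 ]
}

# Report every exposed credential file under a web root; return 0 if none.
audit_web_secrets() {              # $1 = web root
    bad=0
    for rel in $SNORT_WEB_SECRETS; do
        f="$1/$rel"
        [ -f "$f" ] || continue    # only the front-ends actually installed
        if is_exposed "$f"; then
            echo "exposed: $f (mode $(file_mode "$f"))"; bad=1
        fi
    done
    return $bad
}

# Harden: owner root, group www-data (when run as root on a host that has
# the group), mode 640 so Apache reads but nobody else does.
harden_web_secrets() {             # $1 = web root
    for rel in $SNORT_WEB_SECRETS; do
        f="$1/$rel"
        [ -f "$f" ] || continue
        if [ "$(id -u)" -eq 0 ] && getent group www-data >/dev/null 2>&1; then
            chown root:www-data "$f"
        fi
        chmod 640 "$f"
    done
}

# Usage: sh harden_web_secrets.sh /var/www/html
if [ $# -gt 0 ]; then
    audit_web_secrets "$1" || harden_web_secrets "$1"
    audit_web_secrets "$1" && echo "ok: no exposed credential files under $1"
fi
```

Run it as root after the chown and before restarting Apache; the audit pass prints each file that is still exposed, the harden pass fixes them, and the second audit confirms the result. Files for a front-end you did not install are simply skipped.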

Browse to http://<snort_ip_address>/base/ and click the “setup page” link.
Click the “Create BASE AG” button at the upper right of the page.

 

[Figure 18: BASE config page]

Click the “Main page” link.

 

[Figure 19: config complete]

 

Now the BASE dashboard should look like the one shown below:

 

[Figure 20: BASE dashboard]

 

Comments

  1. Thanks for this tutorial. Very helpful. Please note that I received the error "Error loading the DB Abstraction library: from "/adodb.inc.php"" when hitting "http:///base/". After a little research, I tried installing "adodb518a.tgz" and it worked. There may be a problem with using "adodb519".

    • I’m glad this tutorial helped you. I’ll look into the issue, though I didn’t face any such error.

      Regards.

    • Muhammad Attique

      Well Yes, this issue occurs if you skip AdoDB5 installation. I’ve already included its installation in this post. it must not be skipped.

  2. ./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
    ERROR: unable to find mysqlclient library (libmysqlclient.*), but I tried installing apt-get install libmysqlclient* and got the same ERROR.

    • Muhammad Attique

      Are you installing on x86 or x86_64 bit version of Linux.?

      Anyhow, try this:

      Locate the “libmysqlclient” libraries by: # locate libmysqlclient

      You will get result like:

      # locate libmysqlclient
      /usr/lib64/libmysqlclient.so
      /usr/lib64/libmysqlclient.so.15
      /usr/lib64/libmysqlclient.so.15.0.0
      /usr/lib64/libmysqlclient_r.so
      /usr/lib64/libmysqlclient_r.so.15
      /usr/lib64/libmysqlclient_r.so.15.0.0
      /usr/lib64/mysql/libmysqlclient.a
      /usr/lib64/mysql/libmysqlclient.la
      /usr/lib64/mysql/libmysqlclient.so
      /usr/lib64/mysql/libmysqlclient_r.a
      /usr/lib64/mysql/libmysqlclient_r.la
      /usr/lib64/mysql/libmysqlclient_r.so

      So, now change the "--with-mysql-libraries=/usr/lib/x86_64-linux-gnu" portion of the configure command to "--with-mysql-libraries=/usr/lib64/mysql/".

      Hope this helps,
      Also, if you are unable to execute “locate” command, Install MLocate Package by: # apt-get install mlocate
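The reply above finds the library with locate, which needs the mlocate package and a fresh database. The dynamic linker cache already knows where every installed shared library lives, so the snippet below (an added example, not from the post or the commenter) reads "ldconfig -p" output, prints the directory that holds libmysqlclient, and builds the --with-mysql-libraries value from it. The function names are my own, and the "find" fallback path list is an assumption for hosts whose cache does not list the library.

```shell
#!/bin/sh
# Added example, not part of the original post or the comment above. Derives
# the --with-mysql-libraries directory from the linker cache instead of locate.
# Function names are mine; the find fallback directories are an assumption.

# Read "ldconfig -p" output on stdin and print each distinct directory that
# holds a library named lib<name>.so*. Cache lines look like:
#   libmysqlclient.so.18 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libmysqlclient.so.18
lib_dirs_from_cache() {            # $1 = library base name, e.g. mysqlclient
    awk -v n="lib$1." 'index($1, n) == 1 { p = $NF; sub(/\/[^\/]*$/, "", p); print p }' \
        | sort -u
}

# Pick the first directory from the live cache; fall back to a filesystem
# search (assumed locations) when the cache knows nothing about the library.
lib_dir_of() {                     # $1 = library base name
    d=$(ldconfig -p 2>/dev/null | lib_dirs_from_cache "$1" | head -n 1)
    if [ -z "$d" ]; then
        d=$(find /usr/lib /usr/lib64 -name "lib$1.so*" 2>/dev/null | head -n 1)
        d=${d%/*}
    fi
    [ -n "$d" ] && printf '%s\n' "$d"
}

# Print the configure flags used in the guide with the detected directory.
configure_flags_for_mysql() {
    d=$(lib_dir_of mysqlclient) || return 1
    printf '%s\n' "--with-mysql --with-mysql-libraries=$d"
}

# Usage: ./configure $(sh mysql_lib_dir.sh)
if [ $# -eq 0 ] && [ -t 1 ]; then
    configure_flags_for_mysql || echo "libmysqlclient not found; install libmysqlclient-dev" >&2
fi
```

On a Debian-style host this prints --with-mysql-libraries=/usr/lib/x86_64-linux-gnu, and on a host laid out like the commenter's it prints /usr/lib64/mysql; an empty result means the development package is not installed at all, which is the case apt-get install libmysqlclient-dev fixes.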

  3. please help me

    why one my BASE Dashboard view does not appear

    —————————————————————————-

    Sensors/Total: 0 / 1
    Unique Alerts: 0
    Categories: 0
    Total Number of Alerts: 0

    Src IP addrs: 0

    Dest. IP addrs: 0

    Unique IP links 0

    Source Ports: 0

    TCP ( 0) UDP ( 0)

    Dest Ports: 0

    TCP ( 0) UDP ( 0)

    —————————————-

    • Hello, it means the sensor has been added into the server, but it is not providing data to server so far.

      check the configuration again.
