Home / Information Security / Install and Configure Snort HIDS with Barnyard2, Base & MySQL on Ubuntu

Install and Configure Snort HIDS with Barnyard2, Base & MySQL on Ubuntu

Muhammad Attique October 12, 2014 Information Security 7 Comments 2,182 Views

Hi, this is detailed post with every step that I’ve performed to deploy Snort HIDS on Ubuntu with Barnyard2, BASE, MySQL, SnortReport and JPGraph.

$ sudo passwd root

> Provide “attique” user password
> Provide New password to set for Root user

$ su –
$ <Provide Root Pass>

Set Static IP for interface:

# vim /etc/network/interfaces

— Set IP settings format is shown below:

– Restart host or network service. I’ll restart host by:

# init 6

Update the Host:

# apt-get update -y && apt-get upgrade -y

Install Apache, PHP and MySQL:

# apt-get -y install apache2 libapache2-mod-php5 mysql-server mysql-common mysql-client php5-mysql libmysqlclient-dev php5-gd php-pear libphp-adodb php5-cli

Install further Dependencies:

# apt-get -y install libwww-perl libnet1 libnet1-dev libpcre3 libpcre3-dev autoconf libcrypt-ssleay-perl libtool libssl-dev build-essential automake gcc make flex bison git

Download and Install libdnet:

Easiest and best method for latest version is installation from Source. Download the following file and install it with these commands from your download directory:

# mkdir /usr/local/snort
# cd /usr/local/snort
# wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
# tar xzvf libdnet-1.12.tgz
# cd libdnet-1.12/
# ./configure
# make
# make install
# ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1

Installing DAQ before libpcap fails, as it require libpcap, so let’s install libpcap now.
Download libpcap from tcpdump.org and install, I’ll download latest version by wget.

# cd /usr/local/snort
# wget http://www.tcpdump.org/release/libpcap-1.6.2.tar.gz
# tar -xzvf libpcap-1.6.2.tar.gz
# cd libpcap-1.6.2
# ./configure
# make
# make install
# echo “/usr/local/lib” >> /etc/ld.so.conf
# ldconfig -v

Downloading & Installing DAQ:

# cd /usr/local/snort
# wget https://www.snort.org/downloads/snort/daq-2.0.4.tar.gz
# tar zxvf daq-2.0.4.tar.gz
# cd daq-2.0.4
# ./configure
# make
# make install

Download and Install Snort:

# cd /usr/local/snort
# wget https://www.snort.org/downloads/snort/snort-2.9.7.0.tar.gz
# tar -xzvf snort-2.9.7.0.tar.gz
# cd snort-2.9.7.0
# ./configure -prefix=/usr/local/snort -enable-sourcefire
# make
# make install
# mkdir /var/log/snort
# mkdir /var/snort
# groupadd snort
# useradd -g snort snort
# chown snort:snort /var/log/snort

Download the Latest Snort Rules:

Download latest Tools by signing in as shown in fig below:

Extract & Copy Rules to Snort directory.

# cd /usr/local/src
# tar zxf snortrules-snapshot-2962.tar.gz -C /usr/local/snort
# mkdir /usr/local/snort/lib/snort_dynamicrules
# cp /usr/local/snort/so_rules/precompiled/Ubuntu-12-04/x86-64/2.9.6.2/* /usr/local/snort/lib/snort_dynamicrules
# touch /usr/local/snort/rules/white_list.rules
# touch /usr/local/snort/rules/black_list.rules
# ldconfig -v

Now we need to edit the snort.conf configuration file:

# vim /usr/local/snort/etc/snort.conf

== Set Values as given Below:

var WHITE_LIST_PATH /usr/local/snort/rules
var BLACK_LIST_PATH /usr/local/snort/rules

dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules

output unified2: filename snort.u2, limit 128

Also shown in Figure below how to set these values.

Download and Install Barnyard2:

Barnyard2 improves the efficiency of Snort by reducing the load on the main detection engine. It reads Snort’s unified logging output files and enters them into a database. If the database is unavailable Barnyard will input all data when the database comes back online so no alerts will be lost.

Download Barnyard2 from GitHub & Install:

# cd /usr/local/src
# git clone http://github.com/firnsy/barnyard2.git barnyard2
# cd barnyard2
# autoreconf -fvi -I ./m4
# ./configure -with-mysql -with-mysql-libraries=/usr/lib/x86_64-linux-gnu
# make
# make install
# cp etc/barnyard2.conf /usr/local/snort/etc
# mkdir /var/log/barnyard2
# chmod 666 /var/log/barnyard2
# touch /var/log/snort/barnyard2.waldo
# chown snort.snort /var/log/snort/barnyard2.waldo

Create Database for Snort to be used by Barnyard for Storage:

## mysql –u root –p
mysql> create database snortdb;

mysql> grant create, insert, select, delete, update on snortdb.* to snortuser@localhost identified by ‘3ngin33r’;
mysql> flush privileges;

Populate Snort DB:

# mysql -u root -p -D snortdb < ./schemas/create_mysql

Modify the Barnyard2 configuration file with the following command:

# vim /usr/local/snort/etc/barnyard2.conf

Set Values as given below:

config reference_file: /usr/local/snort/etc/reference.config
config classification_file: /usr/local/snort/etc/classification.config
config gen_file: /usr/local/snort/etc/gen-msg.map
config sid_file: /usr/local/snort/etc/sid-msg.map
config hostname: localhost
config interface: eth0

output database: log, mysql, dbname=snortdb user=snortuser password=3ngin33r host=localhost

== SAVE & Quit

Copy Required Files from Snort Source Directory:::

# cp /usr/local/snort/snort-2.9.6.2/etc/gen-msg.map /usr/local/snort/etc/

Testing Snort:

It’s time to test if Snort has been installed and configured correctly by using this command:

#/usr/local/snort/bin/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0

“Commencing packet processing” must be shown at the end of the execution of the command, this means Snort is Installed & configured correctly.

To set Snort to start automatically on your machine edit the rc.local file with the following command:

# vim /etc/rc.local

Add following lines before “exit” command.

ifconfig eth0 up

/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0
/usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D

SAVE & Quit by :wq!

Download and Set up Snort Report (Optional):

Download Snort Report from:

http://www.symmetrixtech.com/

# wget http://symmetrixtech.com/wp/wp-content/uploads/2014/09/snortreport-1.3.4.tar.gz
# tar -xzf snortreport-1.3.4.tar.gz -C /var/www/html
# vim /var/www/html/snortreport-1.3.4/srconf.php

Set Database details:

$server = “localhost”;
$user = “snortuser”;
$pass = “3ngin33r”;
$dbname = “snortdb”;

Download and Install JPGraph:

# wget http://jpgraph.net/download/download.php?p=5 -O jpgraph-3.5.0b1.tar.gz
# tar xvzf jpgraph-3.5.0b1.tar.gz -C /var/www/html/
# mv /var/www/html/jpgraph-3.5.0b1 /var/www/html/jpgraph

Download and Install ADODB5:

# wget http://downloads.sourceforge.net/project/adodb/adodb-php5-only/adodb-519-for-php5/adodb519.tar.gz
# tar -xzf adodb519.tar.gz -C /var/www/html

# mv adodb519 adodb5

Installing and configuring Acid: (Install Either Acid or BASE – BASE shown below)

# cd /usr/local/src
# wget http://acidlab.sourceforge.net/acid-0.9.6b23.tar.gz
# tar -xzf acid-0.9.6b23.tar.gz -C /var/www/html
# cd /var/www/html/acid/
# vim acid_conf.php

– Set Options as:

$DBlib_path = “/var/www/html/adodb5”;

$alert_dbname   = “snortdb”;
$alert_host     = “localhost”;
$alert_port     = “”;
$alert_user     = “snortuser”;
$alert_password = “3ngin33r”;

/* Archive DB connection parameters */
$archive_dbname   = “snortdb”;
$archive_host     = “localhost”;
$archive_port     = “”;
$archive_user     = “snortuser”;
$archive_password = “3ngin33r”;

$ChartLib_path = “/var/www/html/jpgraph-3.5.0b1”;

— SAVE and Quit

– Restart Apache and Browse following URL in Browser:

http://<ServerIP>/acid

Installing BASE for Snort Front-end : RECOMMENDED for Snort

— I used BASE as ACID didn’t work for me.

– Check if all dependencies are installed or else install them by following command:

# apt-get install apache2 libapache2-mod-php5 php5 php5-mysql php5-common php5-gd php5-cli php-pear unzip -y

– Install pear Image_Graph

# pear install -f Image_Graph

Download and extract BASE

# cd /var/www/html/
# wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
# tar zxvf base-1.4.5.tar.gz
# mv base-1.4.5 base

Configure BASE

# cd base
# cp base_conf.php.dist base_conf.php
# vim base_conf.php

– Set Directives as:

$BASE_urlpath = ‘/base’;

$DBlib_path = ‘/var/www/html/adodb5’;

$alert_dbname   = ‘snortdb’;
$alert_host     = ‘localhost’;
$alert_port     = ”;
$alert_user     = ‘snortuser’;
$alert_password = ‘3ngin33r’;

Change the Ownership of all files to www-data:

# chown -R www-data:www-data /var/www/html

# service apache2 restart

– Browse to: http://<snort_ip_address>/base/ and click on “setup page” link
– Click on “Create BASE AG” button on the upper right of the page

– Click on the “Main page” link

— Now, we should see BASE Dashboard like shown below:

More HoTos:

– Installing Snort Sensor on Windows Host with Remote Snort +MySQL using WinIDS

– Installing Snorby on Ubuntu for Snort with Barnyard2

Tags barnyard base HIDS HIPS snort ubuntu

About Muhammad Attique

Check these out :)

Kali Linux Error: following packages have unmet dependencies

While installing DHCP Server on Kali Linux, I faced following error: Shown Below: After doing …

7 comments

Tobias Jayne
December 22, 2014 at 9:20 pm

Thanks for this tutorial. Very helpful. Please note that I received the error “Error loading the DB Abstraction library: from “/adodb.inc.php” when hitting “http:///base/” After a little research, I tried installing “adodb518a.tgz” and it worked. There may be a problem with using “adodb519”

Reply
- Muhammad Attique
  December 23, 2014 at 7:17 am
  
  I’m glad this tutorial helped you. I’ll look into the issue, though I didn’t face any such error.
  
  Regards.
  
  Reply
- Muhammad Attique
  March 19, 2015 at 9:36 am
  
  Well Yes, this issue occurs if you skip AdoDB5 installation. I’ve already included its installation in this post. it must not be skipped.
  
  Reply
DDLJIK
July 13, 2015 at 3:06 pm

./configure -with-mysql -with-mysql-libraries=/usr/lib/x86_64-linux-gnu
ERROR: unable to find mysqlclient library (libmysqlclient.*) but i tried installing apt-get install libmysqlclient* but same ERROR.

Reply
- Muhammad Attique
  July 13, 2015 at 4:07 pm
  
  Are you installing on x86 or x86_64 bit version of Linux.?
  
  Anyhow, try this:
  
  Locate the “libmysqlclient” libraries by: # locate libmysqlclient
  
  You will get result like:
  
  # locate libmysqlclient
  /usr/lib64/libmysqlclient.so
  /usr/lib64/libmysqlclient.so.15
  /usr/lib64/libmysqlclient.so.15.0.0
  /usr/lib64/libmysqlclient_r.so
  /usr/lib64/libmysqlclient_r.so.15
  /usr/lib64/libmysqlclient_r.so.15.0.0
  /usr/lib64/mysql/libmysqlclient.a
  /usr/lib64/mysql/libmysqlclient.la
  /usr/lib64/mysql/libmysqlclient.so
  /usr/lib64/mysql/libmysqlclient_r.a
  /usr/lib64/mysql/libmysqlclient_r.la
  /usr/lib64/mysql/libmysqlclient_r.so
  
  So, now change “–with-mysql-libraries=/usr/lib/x86_64-linux-gnu” portion in configure command with “–with-mysql-libraries=/usr/lib64/mysql/”
  
  Hope this helps,
  Also, if you are unable to execute “locate” command, Install MLocate Package by: # apt-get install mlocate
  
  Reply
rizki
November 16, 2015 at 10:08 pm

please help me

why one my BASE Dashboard view does not appear

—————————————————————————-

Sensors/Total: 0 / 1
Unique Alerts: 0
Categories: 0
Total Number of Alerts: 0

Src IP addrs: 0

Dest. IP addrs: 0

Unique IP links 0

Source Ports: 0

TCP ( 0) UDP ( 0)

Dest Ports: 0

TCP ( 0) UDP ( 0)

—————————————-

Reply
- Muhammad Attique
  November 18, 2015 at 7:08 am
  
  Hello, it means the sensor has been added into the server, but it is not providing data to server so far.
  
  check the configuration again.
  
  Reply

Muhammad Attique's Blog