Hi, this is a detailed post with every step I performed to deploy Snort HIDS on Ubuntu with Barnyard2, BASE, MySQL, SnortReport and JPGraph.
Login with limited user, set root password (if logging in for the first time)
Login: attique
Password: <hidden>
$ sudo passwd root
> Provide the "attique" user password
> Provide the new password to set for the root user
$ su -
$ <Provide Root Pass>
Set a static IP for the interface:
— The IP settings format is shown below:
– Restart the host or the network service. I'll restart the host by:
Update the Host:
Install Apache, PHP and MySQL:
Install further Dependencies:
Download and Install libdnet:
The easiest way to get the latest version is to install from source. Download the following file and install it with these commands from your download directory:
# cd /usr/local/snort
# wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
# tar xzvf libdnet-1.12.tgz
# cd libdnet-1.12/
# ./configure
# make
# make install
# ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1
Installing DAQ before libpcap fails, as DAQ requires libpcap, so let's install libpcap first.
Download libpcap from tcpdump.org and install it; I'll fetch the latest version with wget.
# wget http://www.tcpdump.org/release/libpcap-1.6.2.tar.gz
# tar -xzvf libpcap-1.6.2.tar.gz
# cd libpcap-1.6.2
# ./configure
# make
# make install
# echo "/usr/local/lib" >> /etc/ld.so.conf
# ldconfig -v
Downloading & Installing DAQ:
# wget https://www.snort.org/downloads/snort/daq-2.0.4.tar.gz
# tar zxvf daq-2.0.4.tar.gz
# cd daq-2.0.4
# ./configure
# make
# make install
Download and Install Snort:
# wget https://www.snort.org/downloads/snort/snort-2.9.7.0.tar.gz
# tar -xzvf snort-2.9.7.0.tar.gz
# cd snort-2.9.7.0
# ./configure --prefix=/usr/local/snort --enable-sourcefire
# make
# make install
# mkdir /var/log/snort
# mkdir /var/snort
# groupadd snort
# useradd -g snort snort
# chown snort:snort /var/log/snort
Download the Latest Snort Rules:
Download the latest rules snapshot by signing in to snort.org, as shown in the figure below:
Extract the rules and copy them to the Snort directory. The precompiled shared-object rules must match your Snort version and platform, so pick the matching subdirectory.
# tar zxf snortrules-snapshot-2962.tar.gz -C /usr/local/snort
# mkdir /usr/local/snort/lib/snort_dynamicrules
# cp /usr/local/snort/so_rules/precompiled/Ubuntu-12-04/x86-64/2.9.6.2/* /usr/local/snort/lib/snort_dynamicrules
# touch /usr/local/snort/rules/white_list.rules
# touch /usr/local/snort/rules/black_list.rules
# ldconfig -v
Now we need to edit the snort.conf configuration file:
== Set Values as given Below:
var WHITE_LIST_PATH /usr/local/snort/rules
var BLACK_LIST_PATH /usr/local/snort/rules
dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules
output unified2: filename snort.u2, limit 128
The figure below also shows how to set these values.
Download and Install Barnyard2:
Barnyard2 improves Snort's efficiency by taking the output-processing load off the main detection engine. It reads Snort's unified2 logging output files and inserts the events into a database. If the database is unavailable, Barnyard2 keeps reading the spool files and inserts the buffered data when the database comes back online, so no alerts are lost.
Download Barnyard2 from GitHub & Install:
# git clone http://github.com/firnsy/barnyard2.git barnyard2
# cd barnyard2
# autoreconf -fvi -I ./m4
# ./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
# make
# make install
# cp etc/barnyard2.conf /usr/local/snort/etc
# mkdir /var/log/barnyard2
# chmod 666 /var/log/barnyard2
# touch /var/log/snort/barnyard2.waldo
# chown snort:snort /var/log/snort/barnyard2.waldo
Create Database for Snort to be used by Barnyard for Storage:
mysql> create database snortdb;
mysql> grant create, insert, select, delete, update on snortdb.* to snortuser@localhost identified by '3ngin33r';
mysql> flush privileges;
Populate Snort DB:
Modify the Barnyard2 configuration file with the following command:
Set Values as given below:
config reference_file: /usr/local/snort/etc/reference.config
config classification_file: /usr/local/snort/etc/classification.config
config gen_file: /usr/local/snort/etc/gen-msg.map
config sid_file: /usr/local/snort/etc/sid-msg.map
config hostname: localhost
config interface: eth0
output database: log, mysql, dbname=snortdb user=snortuser password=3ngin33r host=localhost
== SAVE & Quit
Copy Required Files from Snort Source Directory:
Testing Snort:
It's time to test whether Snort has been installed and configured correctly with this command:
"Commencing packet processing" must appear at the end of the command's output; this means Snort is installed and configured correctly.
To set Snort to start automatically on your machine edit the rc.local file with the following command:
Add the following lines before the "exit" command.
ifconfig eth0 up
/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0
/usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D
SAVE & Quit by :wq!
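The unified2 filename Snort writes (the `output unified2: filename ...` line in snort.conf) and the `-f` prefix Barnyard2 is started with must name the same spool files; otherwise Barnyard2 finds nothing to read and the database stays empty, which is exactly what a BASE dashboard full of zeros looks like. This added POSIX sh check is not part of the original post; it parses both files and reports a mismatch, and the sample snort.conf and rc.local lines inside demo() are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the unified2 filename
# Snort writes ("output unified2: filename X, ...") matches the -f prefix on the
# Barnyard2 command line, since a mismatch silently leaves the database empty.

# unified2_name <snort.conf>: print the filename from the unified2 output line.
unified2_name() {
    sed -n 's/^[[:space:]]*output[[:space:]]*unified2:[[:space:]]*filename[[:space:]]*\([^,[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# barnyard2_spool_name <rc.local>: print the argument that follows -f on the
# first non-comment barnyard2 line.
barnyard2_spool_name() {
    grep barnyard2 "$1" | grep -v '^[[:space:]]*#' | head -n 1 \
        | sed -n 's/.* -f[[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# check_spool_match <snort.conf> <rc.local>: return 0 when both names agree,
# 1 when they differ or either one is missing; the reason goes to stdout.
check_spool_match() {
    snort_name=$(unified2_name "$1")
    by2_name=$(barnyard2_spool_name "$2")
    if [ -z "$snort_name" ]; then
        echo "no 'output unified2: filename ...' line in $1"; return 1
    fi
    if [ -z "$by2_name" ]; then
        echo "no barnyard2 -f argument found in $2"; return 1
    fi
    if [ "$snort_name" != "$by2_name" ]; then
        echo "mismatch: snort writes '$snort_name.*', barnyard2 reads '$by2_name.*'"; return 1
    fi
    echo "ok: both use '$snort_name'"
}

# demo: constructed sample files (not the post's real ones) reproducing the
# classic snort.u2 vs snort.log mismatch; returns check_spool_match's status.
demo() {
    d=$(mktemp -d)
    printf 'output unified2: filename snort.u2, limit 128\n' > "$d/snort.conf"
    printf '/usr/local/bin/barnyard2 -c by2.conf -d /var/log/snort -f snort.log -w waldo -D\nexit 0\n' > "$d/rc.local"
    check_spool_match "$d/snort.conf" "$d/rc.local"; rc=$?
    rm -r "$d"
    return $rc
}
```

Run `check_spool_match /usr/local/snort/etc/snort.conf /etc/rc.local` on the sensor after editing rc.local; `demo` shows the failing case.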
Download and Set up Snort Report (Optional):
Download Snort Report from:
or
# wget http://symmetrixtech.com/wp/wp-content/uploads/2014/09/snortreport-1.3.4.tar.gz
# tar -xzf snortreport-1.3.4.tar.gz -C /var/www/html
# vim /var/www/html/snortreport-1.3.4/srconf.php
Set Database details:
$user = "snortuser";
$pass = "3ngin33r";
$dbname = "snortdb";
Download and Install JPGraph:
# tar xvzf jpgraph-3.5.0b1.tar.gz -C /var/www/html/
# mv /var/www/html/jpgraph-3.5.0b1 /var/www/html/jpgraph
Download and Install ADODB5:
# tar -xzf adodb519.tar.gz -C /var/www/html
# mv /var/www/html/adodb519 /var/www/html/adodb5
Installing and configuring Acid: (Install Either Acid or BASE – BASE shown below)
# wget http://acidlab.sourceforge.net/acid-0.9.6b23.tar.gz
# tar -xzf acid-0.9.6b23.tar.gz -C /var/www/html
# cd /var/www/html/acid/
# vim acid_conf.php
– Set Options as:
$DBlib_path = "/var/www/html/adodb5";
$alert_dbname = "snortdb";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snortuser";
$alert_password = "3ngin33r";
/* Archive DB connection parameters */
$archive_dbname = "snortdb";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "snortuser";
$archive_password = "3ngin33r";
$ChartLib_path = "/var/www/html/jpgraph";
— SAVE and Quit
– Restart Apache and browse to the following URL:
http://<ServerIP>/acid
Installing BASE as the Snort front-end: RECOMMENDED for Snort
— I used BASE as ACID didn’t work for me.
– Check that all dependencies are installed, or install them with the following command:
– Install pear Image_Graph
Download and extract BASE
# wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
# tar zxvf base-1.4.5.tar.gz
# mv base-1.4.5 base
Configure BASE
# cp base/base_conf.php.dist base/base_conf.php
# vim base/base_conf.php
– Set Directives as:
$BASE_urlpath = '/base';
$DBlib_path = '/var/www/html/adodb5';
$alert_dbname = 'snortdb';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snortuser';
$alert_password = '3ngin33r';
Change the ownership of all files to www-data and restart Apache:
# service apache2 restart
– Browse to http://<snort_ip_address>/base/ and click the "setup page" link
– Click the "Create BASE AG" button at the upper right of the page
– Click the "Main page" link
— Now we should see the BASE dashboard, as shown below:
More HowTos:
– Installing Snort Sensor on Windows Host with Remote Snort +MySQL using WinIDS
Thanks for this tutorial. Very helpful. Please note that I received the error "Error loading the DB Abstraction library: from "/adodb.inc.php"" when hitting "http:///base/". After a little research, I tried installing "adodb518a.tgz" and it worked. There may be a problem with using "adodb519".
I’m glad this tutorial helped you. I’ll look into the issue, though I didn’t face any such error.
Regards.
Well, yes, this issue occurs if you skip the AdoDB5 installation. I've already included its installation in this post; it must not be skipped.
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
ERROR: unable to find mysqlclient library (libmysqlclient.*), but I tried installing it with apt-get install libmysqlclient* and got the same ERROR.
Are you installing on the x86 or x86_64 version of Linux?
Anyhow, try this:
Locate the “libmysqlclient” libraries by: # locate libmysqlclient
You will get result like:
# locate libmysqlclient
/usr/lib64/libmysqlclient.so
/usr/lib64/libmysqlclient.so.15
/usr/lib64/libmysqlclient.so.15.0.0
/usr/lib64/libmysqlclient_r.so
/usr/lib64/libmysqlclient_r.so.15
/usr/lib64/libmysqlclient_r.so.15.0.0
/usr/lib64/mysql/libmysqlclient.a
/usr/lib64/mysql/libmysqlclient.la
/usr/lib64/mysql/libmysqlclient.so
/usr/lib64/mysql/libmysqlclient_r.a
/usr/lib64/mysql/libmysqlclient_r.la
/usr/lib64/mysql/libmysqlclient_r.so
So, now change the "--with-mysql-libraries=/usr/lib/x86_64-linux-gnu" portion of the configure command to "--with-mysql-libraries=/usr/lib64/mysql/"
Hope this helps,
Also, if you are unable to execute the "locate" command, install the mlocate package with: # apt-get install mlocate
Please help me.
Why does my BASE dashboard view not appear?
—————————————————————————-
Sensors/Total: 0 / 1
Unique Alerts: 0
Categories: 0
Total Number of Alerts: 0
Src IP addrs: 0
Dest. IP addrs: 0
Unique IP links 0
Source Ports: 0
TCP ( 0) UDP ( 0)
Dest Ports: 0
TCP ( 0) UDP ( 0)
—————————————-
Hello, it means the sensor has been added to the server, but it is not providing data to the server so far.
Check the configuration again.