Setup SNORT IDS on CentOS 6.4


Posted on 2nd May 2013 by Mike in Network Security How To's


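#SNORT config
#Centos 6.4 Installed

# Build toolchain and libraries (the zlib*/pcre* globs also pull in the
# -devel headers that ./configure needs).
yum install flex bison gcc gcc-c++ gcc-cpp make byacc zlib* pcre*

# Scratch directory for the source tarballs.  Everything below is fetched
# over plain http and installed as root, so verify each tarball against the
# checksum or signature published on the project's download page before
# building it, e.g.:
#   sha256sum libpcap-1.3.0.tar.gz   # compare with <published-checksum>
mkdir /tmp/snortinstalls
cd /tmp/snortinstalls

wget http://www.tcpdump.org/release/libpcap-1.3.0.tar.gz
tar -zxvf libpcap-1.3.0.tar.gz
cd libpcap-1.3.0
./configure
make
make install

cd ..
wget https://libdnet.googlecode.com/files/libdnet-1.12.tgz
tar -xvf libdnet-1.12.tgz
cd libdnet-1.12
./configure
make
make install

# snort.org serves the DAQ and snort tarballs behind numeric download ids,
# so name the saved file explicitly (-O) instead of relying on tab completion.
cd ..
wget -O daq.tar.gz http://www.snort.org/downloads/2266
tar -zxvf daq.tar.gz
cd daq-*
./configure
make
make install

cd ..
wget -O snort.tar.gz http://www.snort.org/downloads/2275
tar -zxvf snort.tar.gz
cd snort-*
./configure
make
make install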

#Init scripts:
#Snort 2.9.3.x and 2.9.4.x init script.
#
#This is a shell script which works for CentOS 6.x installations:
#
#Name this script ‘snort’ and place the shell script below into the
#/etc/init.d directory on your CentOS 6.x box:
#
#Note: The script should have permissions of 700 and be owned
#by user/group: snort

—– CUT HERE —–
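#!/bin/bash
#
# snort Start up the SNORT Intrusion Detection System daemon
#
# chkconfig: 2345 55 25
# description: SNORT is an Open Source Intrusion Detection System
# This service starts up the snort daemon.
#
# processname: snort
# pidfile: /var/run/snort_eth0.pid

### BEGIN INIT INFO
# Provides: snort
# Required-Start: $local_fs $network $syslog
# Required-Stop: $local_fs $syslog
# Should-Start: $syslog
# Should-Stop: $network $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start up the SNORT Intrusion Detection System daemon
# Description: SNORT is an application for Open Source Intrusion Detection.
# This service starts up the Snort IDS daemon.
### END INIT INFO

# source function library (provides daemon, killproc, status, success, failure)
. /etc/rc.d/init.d/functions

# pull in sysconfig settings
# NOTE: this file is sourced by root every time the service is started, so it
# must stay owned by root and not be writable by the snort account.
[ -f /etc/sysconfig/snort ] && . /etc/sysconfig/snort

RETVAL=0
prog="snort"
# Marker file for a started service, touched/removed by root in start()/stop().
# Upstream RH scripts keep it in /var/lock/subsys/$prog (root-only); this
# location is inside the service account's home, which that account can write.
lockfile=/home/snort/processlock/$prog

# Some functions to make the below more readable
SNORTD=/usr/local/bin/snort
#OPTIONS="-A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort"
#PID_FILE=/var/run/snort_eth0.pid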

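# Convert the /etc/sysconfig/snort settings to something snort can
# use on the startup line.  Flag-style settings (BINARY_LOG, LINK_LAYER,
# DUMP_APP, NO_PACKET_LOG, PRINT_INTERFACE, PASS_FIRST) are "1" to enable
# and become the matching snort switch; unset or empty path settings fall
# back to the defaults below.  Each variable is later word-split, unquoted,
# in start(), which is why a switch and its argument share one string.
if [ -z "$ALERTMODE" ]; then
  ALERTMODE=""
else
  ALERTMODE="-A $ALERTMODE"
fi

if [ -z "$USER" ]; then
  USER="snort"
fi

if [ -z "$GROUP" ]; then
  GROUP="snort"
fi

if [ "$BINARY_LOG" = "1" ]; then
  BINARY_LOG="-b"
else
  BINARY_LOG=""
fi

if [ "$LINK_LAYER" = "1" ]; then
  LINK_LAYER="-e"
else
  LINK_LAYER=""
fi

if [ -z "$CONF" ]; then
  CONF="-c /etc/snort/snort.conf"
else
  CONF="-c $CONF"
fi

# HW_INTF keeps the bare interface name for the run-file cleanup in stop();
# PID_FILE is derived from it before INTERFACE is rewritten as "-i ...".
if [ -z "$INTERFACE" ]; then
  HW_INTF="eth0"
  INTERFACE="-i eth0"
  PID_FILE="/var/run/snort_eth0.pid"
else
  HW_INTF=$INTERFACE
  PID_FILE="/var/run/snort_$INTERFACE.pid"
  INTERFACE="-i $INTERFACE"
fi

if [ "$DUMP_APP" = "1" ]; then
  DUMP_APP="-d"
else
  DUMP_APP=""
fi

if [ "$NO_PACKET_LOG" = "1" ]; then
  NO_PACKET_LOG="-N"
else
  NO_PACKET_LOG=""
fi

if [ "$PRINT_INTERFACE" = "1" ]; then
  PRINT_INTERFACE="-I"
else
  PRINT_INTERFACE=""
fi

if [ "$PASS_FIRST" = "1" ]; then
  PASS_FIRST="-o"
else
  PASS_FIRST=""
fi

if [ -z "$LOGDIR" ]; then
  LOGDIR=/var/log/snort
fi

# These are used by the 'stats' option (carried over from upstream; this
# version of the script has no stats action wired up).
if [ -z "$SYSLOG" ]; then
  SYSLOG=/var/log/messages
fi

if [ -z "$SECS" ]; then
  SECS=5
fi

if [ -n "$BPFFILE" ]; then
  BPFFILE="-F $BPFFILE"
fi

# Last field of the `runlevel` output ("N 3" -> "3"); stop() uses it to tell
# a halt/reboot from a plain service stop.  ${!#} is the last positional
# parameter, so no eval is needed.
runlevel=$(set -- $(runlevel); echo "${!#}")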

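#######################################
# Start the snort daemon via the RH daemon() helper.
# Globals:  SNORTD, PID_FILE, lockfile, prog and the option strings built
#           from /etc/sysconfig/snort (read); RETVAL (written)
# Outputs:  "Starting snort:" line with [ OK ]/[FAILED]
# Returns:  0 on success, non-zero otherwise; exits 5 if $SNORTD is missing
#######################################
start()
{
  [ -x "$SNORTD" ] || exit 5

  echo -n $"Starting $prog: "
  # The option variables are deliberately unquoted: each holds zero or more
  # separate command-line tokens (e.g. "-c /path"), or is empty.
  daemon --pidfile="$PID_FILE" "$SNORTD" $ALERTMODE $BINARY_LOG $LINK_LAYER \
    $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE \
    -u "$USER" -g "$GROUP" $CONF -l "$LOGDIR" $PASS_FIRST $BPFFILE $BPF \
    && success || failure
  RETVAL=$?
  # root writes the lock marker; see the lockfile note at the top of the file.
  [ $RETVAL -eq 0 ] && touch "$lockfile"
  echo
  return $RETVAL
}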

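#######################################
# Stop the snort daemon and clean up its pid/run/lock files.
# Globals:  SNORTD, PID_FILE, HW_INTF, USER, GROUP, lockfile, prog,
#           runlevel (read); RETVAL, RUN_FILE (written)
# Outputs:  "Stopping snort:" line
# Returns:  RETVAL (status of the cleanup block, not of killproc itself)
#######################################
stop()
{
  echo -n $"Stopping $prog: "
  killproc "$SNORTD"
  if [ -e "$PID_FILE" ]; then
    # snort ran as $USER:$GROUP (-u/-g in start), so hand it the run files
    # before removing them.  The chown is chained to the first rm, so a
    # chown failure leaves the pid file in place (kept from the original).
    RUN_FILE=/var/run/snort_$HW_INTF
    chown "$USER:$GROUP" "$RUN_FILE".* &&
    rm -f "$PID_FILE"
    rm -f "$PID_FILE.lck"
    rm -f "$lockfile"
  fi
  RETVAL=$?
  # if we are in halt or reboot runlevel kill all running sessions
  # so the TCP connections are closed cleanly
  if [ "x$runlevel" = x0 ] || [ "x$runlevel" = x6 ]; then
    trap '' TERM
    killall "$prog" 2>/dev/null
    trap - TERM
  fi
  [ $RETVAL -eq 0 ] && rm -f "$lockfile"
  echo
  return $RETVAL
}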

# Full stop/start cycle; the function's status is that of start().
restart() {
  stop
  start
}

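# LSB status via the RH functions helper, keyed on the per-interface pid file.
# Returns the helper's status code (0 running, 3 not running, ...).
rh_status() {
  status -p "$PID_FILE" "$SNORTD"
}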

# Quiet variant of rh_status for the case arms below: same exit status,
# no output on stdout or stderr.
rh_status_q() {
  local rc
  rh_status >/dev/null 2>&1
  rc=$?
  return "$rc"
}

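# Dispatch on the action argument; the script's exit status is RETVAL.
case "$1" in
  start)
    rh_status_q && exit 0
    start
    ;;
  stop)
    if ! rh_status_q; then
      rm -f "$lockfile"
      exit 0
    fi
    stop
    ;;
  restart)
    restart
    ;;
  status)
    rh_status
    RETVAL=$?
    # LSB: "not running" (3) while the lock file still exists is reported
    # as "dead but lock file exists" (2).
    if [ $RETVAL -eq 3 ] && [ -f "$lockfile" ]; then
      RETVAL=2
    fi
    ;;
  *)
    echo $"Usage: $0 {start|stop|restart|status}"
    RETVAL=2
    ;;
esac
exit $RETVAL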

—– CUT HERE —–

This file contains configuration variables for the shell script above.

The file below should be named ‘snort’ and placed into the
/etc/sysconfig directory on your CentOS 6.x system:

—– CUT HERE —–

# /etc/sysconfig/snort
# $Id: snort.sysconfig,v 1.8 2003/09/19 05:18:12 dwittenb Exp $
#
# Sourced by /etc/init.d/snort, which turns each setting into a snort
# command-line option (see the conversion block at the top of that script).
# NOTE(review): root sources this file on every start, so it should be owned
# by root and not writable by the service account.

#### General Configuration

INTERFACE="eth0"                # -i <if>; also names /var/run/snort_<if>.pid
CONF="/home/snort/snort.conf"   # -c <file>
USER="snort"                    # -u <user>
GROUP="snort"                   # -g <group>
PASS_FIRST="0"                  # 1 -> -o

#### Logging & Alerting

LOGDIR="/var/log/snort"         # -l <dir>
ALERTMODE="fast"                # -A <mode>
DUMP_APP="1"                    # 1 -> -d
BINARY_LOG="1"                  # 1 -> -b
NO_PACKET_LOG="0"               # 1 -> -N
PRINT_INTERFACE="0"             # 1 -> -I

—– CUT HERE —–

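#end init scripts;

# Register the init script with chkconfig so it starts in runlevels 2-5
# (the "chkconfig: 2345 55 25" header line in the script drives this).
chkconfig --list snort
#gives no results
chkconfig --add snort
chkconfig --list snort
#gives the following results: (this is what we want)
#snort 0:off 1:off 2:on 3:on 4:on 5:on 6:off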

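#Go to snort.org, sign up for an account, login to account, click on My account, click on subscriptions and oinkcodes, click oinkcode, click get oink code

#find the number & naming convention for the latest ruleset. Go to https://www.snort.org/snort-rules/, under Register Users Release look for the highest number:
#snortrules-snapshot-2931.tar.gz
#snortrules-snapshot-2940.tar.gz
#snortrules-snapshot-2941.tar.gz <- this is the highest number under Registered Users Release as of the writing of this documentation

#Now download it from command line.  The oinkcode that ends the URL is an
#account credential: treat it like a password (it ends up in shell history
#and in ps output while wget runs) and never paste the real one into notes.
mkdir -p /tmp/snortdownloads
cd /tmp/snortdownloads
#ex. wget http://www.snort.org/sub-rules/snortrules-snapshot-2941.tar.gz/<your-oinkcode> -O snortrules-snapshot-2941.tar.gz
wget http://www.snort.org/sub-rules/snortrules-snapshot-2941.tar.gz/<your-oinkcode> -O snortrules-snapshot-2941.tar.gz
tar -zxvf snortrules-snapshot-2941.tar.gz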

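#Create snort user
# NOTE(review): for a pure service account, useradd -r -s /sbin/nologin is
# the usual hardening; the default login account is kept here because the
# 'su snort' test steps later in this guide need a shell.
useradd snort

#copy configs to snort's home
cp -R /tmp/snortdownloads/etc/* /home/snort/
#copy rules to snort's home (mkdir -p keeps these steps safe to re-run)
mkdir -p /home/snort/rules
cp -R /tmp/snortdownloads/rules/* /home/snort/rules
mkdir -p /home/snort/preproc_rules
cp -R /tmp/snortdownloads/preproc_rules/* /home/snort/preproc_rules
mkdir -p /home/snort/so_rules
cp -R /tmp/snortdownloads/so_rules/* /home/snort/so_rules
#make process lockfile directory (touched/removed by root from the init script)
mkdir -p /home/snort/processlock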

#modify snort.conf
nano /home/snort/snort.conf
#change these
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
dynamicdetection directory /usr/local/lib/snort_dynamicrules

#to these
var RULE_PATH /home/snort/rules
var SO_RULE_PATH /home/snort/so_rules
var PREPROC_RULE_PATH /home/snort/preproc_rules
var WHITE_LIST_PATH /home/snort/rules
var BLACK_LIST_PATH /home/snort/rules
dynamicdetection directory /home/snort/rules

#change this:
# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
memcap 500, \
priority whitelist, \
nested_ip inner, \
whitelist $WHITE_LIST_PATH/white_list.rules, \
blacklist $BLACK_LIST_PATH/black_list.rules

#to this (commenting the block out disables the reputation preprocessor, so the white_list/black_list IP checks no longer run):
# Reputation preprocessor. For more information see README.reputation
#preprocessor reputation: \
# memcap 500, \
# priority whitelist, \
# nested_ip inner, \
# whitelist $WHITE_LIST_PATH/white_list.rules, \
# blacklist $BLACK_LIST_PATH/black_list.rules

#save file (ctrl+o) exit nano (ctrl+x)

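#use sed to enable all rules
# Rules shipped commented out are disabled by the ruleset maintainers on
# purpose (performance, false-positive rate, policy); turning every one on
# makes the sensor noisy. Consider enabling by category or policy instead.
sed -i -e 's/# alert/alert/' -- /home/snort/rules/*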

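#make log directory
mkdir -p /var/log/snort

#change owner to snort so service will run as snort user not root
# NOTE(review): snort parses snort.conf and loads the dynamic detection
# libraries while still root; it only switches to -u/-g afterwards. Config
# and shared-object rules writable by the snort account therefore undermine
# the privilege drop; keeping them root-owned and read-only to snort is the
# safer layout (only a rules directory that an updater must write needs to
# belong to snort).
chown -R snort:snort /home/snort
chown snort:snort /var/log/snort
# The init script is executed by root at boot and sources /etc/sysconfig/snort,
# so both must stay owned by root: a service-owned init script lets that
# account decide what root runs. The snort user never needs to own them.
chown root:root /etc/sysconfig/snort /etc/init.d/snort
chmod 700 /etc/init.d/snort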

#run this to test for errors:
# Foreground run as root with the config the service will use; -dev (-d -e -v)
# prints decoded packets so you can see traffic while checking that the
# config parses and the rules load.
snort -A fast -b -dev -c /home/snort/snort.conf

#if any errors, correct the errors as needed and try again. If no errors, ctrl+c to exit

#if no errors, you should be able to start snort as a service:
service snort start

#should give the following results:
#Starting snort: Spawning daemon child…
#My daemon child 6263 lives…
#Daemon parent exiting (0)
# [ OK ]

#stop the service with:
service snort stop

#su to snort and test service
# Demonstrates that the init script must run as root: as the snort user it
# still prints [ OK ], but no daemon is started (see the ps output below).
su snort
service snort start

#should give the following results:
#Starting snort: Spawning daemon child…
#My daemon child 6263 lives…
#Daemon parent exiting (0)
# [ OK ]

#you'll note the service isn't actually running though:
ps -ef|grep snort

#outputs this:
#[snort@343020-R-SQL01 init.d]$ ps -ef|grep snort
#root 6385 23168 0 07:10 pts/0 00:00:00 su snort
#snort 6386 6385 0 07:10 pts/0 00:00:00 bash
#snort 6458 6386 0 07:18 pts/0 00:00:00 ps -ef
#snort 6459 6386 0 07:18 pts/0 00:00:00 grep snort

#log off of snort user
exit
service snort start

#should give the following results:
#Starting snort: Spawning daemon child…
#My daemon child 6263 lives…
#Daemon parent exiting (0)
# [ OK ]

#you'll note the service is running now:
ps -ef|grep snort

#outputs this:
# (this capture shows "-A full"; with ALERTMODE=fast in /etc/sysconfig/snort
#  as configured above, expect "-A fast" on the command line instead)
#snort 6483 1 0 07:19 ? 00:00:00 /usr/local/bin/snort -A full -b -d -D -i eth0 -u snort -g snort -c /home/snort/snort.conf -l /var/log/snort
#root 6487 23168 0 07:19 pts/0 00:00:00 grep snort

#see if log file & process locks are being created:
ls -al /var/log/snort

#total 16
#drwxr-xr-x 2 snort snort 4096 Apr 29 07:19 .
#drwxr-xr-x. 8 root root 4096 Apr 29 06:48 ..
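#-rw-r--r-- 1 snort snort 456 Apr 29 07:24 alert <-- today's date
#-rw------- 1 snort snort 236 Apr 29 07:24 snort.log.1367237978 <-- today's date
# (the alert file is world-readable while the packet log is 0600; tighten the
#  log directory if alert contents are sensitive on this host)
ls -al /home/snort/processlock
#total 8
#drwxrwxr-x 2 snort snort 4096 Apr 29 07:13 .
#drwx------ 6 snort snort 4096 Apr 29 07:13 ..
#-rw-r--r-- 1 snort snort 0 Apr 29 07:19 snort <-- file exists

#try to create duplicate service
service snort start
# outputs nothing

#stop the service
service snort stop

#reboot and test again to see if process is running, log file created, and process lock file created.
reboot now
#now reboot and check to see if the service auto starts

#snort manual http://s3.amazonaws.com/snort-org/www/assets/166/snort_manual.pdf

#at this point we need documentation for oinkmaster... automating rule downloads: not written yet.
# oinkmaster is fetched over plain http: check the tarball against the
# checksum published by the project before installing it.
wget http://prdownloads.sourceforge.net/oinkmaster/oinkmaster-2.0.tar.gz?download
tar -zxvf oink[tab]
cd oink[tab]
cp oinkmaster.pl /home/snort
chown snort:snort /home/snort/oinkmaster.pl
cp oinkmaster.conf /home/snort/oinkmaster.conf
chown snort:snort /home/snort/oinkmaster.conf

#change default path to oinkmaster.conf
nano /home/snort/oinkmaster.pl
#change this:
#my @DEFAULT_CONFIG_FILES = qw( /etc/oinkmaster.conf /usr/local/etc/oinkmaster.conf );
#to this
#my @DEFAULT_CONFIG_FILES = qw( /home/snort/oinkmaster.conf /usr/local/etc/oinkmaster.conf );
# and this
#my $RULES_DIR = 'rules';
# to this (presumably the top-level directory inside the community-rules tarball)
#my $RULES_DIR = 'community-rules';
#save and exit (ctrl+o then ctrl+x)

#add this to oinkmaster.conf
#url = https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz

#add this to /home/snort/snort.conf under include $RULE_PATH/chat.rules
#include $RULE_PATH/community.rules

#run oinkmaster
# (the original text had './home/snort/oinkmaster.pl', a relative path that
#  only resolves from /; the cron entries below need the absolute path)
/home/snort/oinkmaster.pl -o /home/snort/rules

# if no error, proceed to add to cron
su snort
crontab -e
# you're now in vi, press 'i' for insert then type the following
#0 0 * * * /home/snort/oinkmaster.pl -o /home/snort/rules
# to save and exit press escape a couple times, then type :wq and press enter
# run the following
crontab -l
# you should see this result:
#0 0 * * * /home/snort/oinkmaster.pl -o /home/snort/rules

#exit snort user's shell
exit

#edit root's crontab
# NOTE(review): a nightly recursive chown run by root over a tree the service
# account can write to is a known hazard and is only needed because
# oinkmaster (as snort) and the copies above (as root) share one directory;
# letting the updater own a dedicated rules directory removes the need for it.
crontab -e
# you're now in vi, press 'i' for insert then type the following
#5 0 * * * chown -R snort:snort /home/snort/*
#10 0 * * * service snort restart
# to save and exit press escape a couple times, then type :wq and press enter
# run the following
crontab -l
# you should see this result:
#5 0 * * * chown -R snort:snort /home/snort/*
#10 0 * * * service snort restart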