Posts in Category: Snort
Snort 2.9.9.x on Ubuntu – Part 5: Installing PulledPork
- Installing Snort
- Configuring Snort to Run as a NIDS
- Writing and Testing a Single Rule With Snort
- Installing Barnyard2
- Installing PulledPork
- Creating Upstart Scripts for Snort on Ubuntu 14
- Creating systemD Scripts for Snort on Ubuntu 16
- Installing BASE
- Conclusion
Onwards
In the previous two sections of this article, we installed Snort and configured it to work as a NIDS with Barnyard2 processing packets that generated alerts based on a rule. In this article, we are going to install a Perl script called PulledPork, which will automatically download the latest rulesets from the Snort website.
Oinkcode
To download the main free ruleset from Snort, you need an oinkcode. Register on the Snort website and save your oinkcode before continuing, as the oinkcode is required for the most popular free ruleset.
Installing PulledPork
Install the PulledPork pre-requisites:
sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl
Download the latest PulledPork and install. Here we copy the actual perl file to /usr/local/bin and the needed configuration files to /etc/snort:
cd ~/snort_src wget https://github.com/shirkdog/pulledpork/archive/master.tar.gz -O pulledpork-master.tar.gz tar xzvf pulledpork-master.tar.gz cd pulledpork-master/ sudo cp pulledpork.pl /usr/local/bin sudo chmod +x /usr/local/bin/pulledpork.pl sudo cp etc/*.conf /etc/snort
Test that PulledPork runs by running the following command, looking for the output below:
user@snortserver:~$ /usr/local/bin/pulledpork.pl -V PulledPork v0.7.3 - Making signature updates great again! user@snortserver:~$
Now that we are sure that PulledPork works, we need to configure it:
sudo vi /etc/snort/pulledpork.conf
Make the following changes to the pulledpork.conf file. Anywhere you see ‹oinkcode› enter your oinkcode from the Snort website. I have included line numbers to help you identify the location of these lines in the configuration file.
Line 19: enter your oinkcode where appropriate (or comment out if no oinkcode) Line 29: Un-comment for Emerging threats ruleset (not tested with this guide) Line 74: change to: rule_path=/etc/snort/rules/snort.rules Line 89: change to: local_rules=/etc/snort/rules/local.rules Line 92: change to: sid_msg=/etc/snort/sid-msg.map Line 96: change to: sid_msg_version=2 Line 119: change to: config_path=/etc/snort/snort.conf Line 133: change to: distro=Ubuntu-12-04 Line 141: change to: black_list=/etc/snort/rules/iplists/black_list.rules Line 150: change to: IPRVersion=/etc/snort/rules/iplists
We want to run PulledPork once manually to make sure it works. We use the following flags:
-c /etc/snort/pulledpork.conf the location of the snort.conf file -l Write detailed logs to /var/log
Run the following command:
sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l
After this command runs (it takes some time), you should now see snort.rules in /etc/snort/rules, and .so rules in /usr/local/lib/snort_dynamicrules. Pulled Pork combines all the rulesets that it downloads into these two files. You need to make sure to add the line: include $RULE_PATH/snort.rules to the snort.conf file, or the pulled pork rules will never be read into memory when Snort starts:
sudo vi /etc/snort/snort.conf
Add the following line to enable snort to use the rules that PulledPork downloaded (line 547), after the line for local.rules:
include $RULE_PATH/snort.rules
Since we have modified snort.conf, we should test that Snort loads correctly in NIDS mode with the PulledPork rules included:
sudo snort -T -c /etc/snort/snort.conf -i eth0
Once that is successful, we want to test that Snort and Barnyard2 load correctly when run manually as daemons:
sudo /usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort -D
As before, ping the IP address of the Snort eth0 interface, and then check the database for more events (remember to use the MYSQLSNORTPASSWORD):
mysql -u snort -p -D snort -e "select count(*) from event"
The number of events reported should be greater than what you saw the last time you ran this command. Now that we are sure that PulledPork runs correctly, we want to add PulledPork to root’s crontab to run daily:
sudo crontab -e
Choose any editor if prompted
The Snort team has asked you to randomize when PulledPork connects to their server to help with load balancing. In the example below, we have PulledPork checking at 04:01 every day. Change the minutes value (the 01 below) to a value between 0 and 59, and the hours value (the 04 below) to a value between 00 and 23. For more info on crontab layout, check here:
01 04 * * * /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l
Stop the running daemons from earlier testing:
user@snortserver:~$ ps aux | grep snort snort 1296 0.0 2.1 297572 43988 ? Ssl 03:15 0:00 /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D user 1314 0.0 0.0 4444 824 pts/0 S+ 03:17 0:00 grep --color=auto snort user@snortserver:~$ sudo kill 1296 user@snortserver:~$ ps aux | grep barnyard2 snort 1298 0.0 2.1 297572 43988 ? Ssl 03:15 0:00 barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort -D user 1316 0.0 0.0 4444 824 pts/0 S+ 03:17 0:00 grep --color=auto barnyard2 user@snortserver:~$ sudo kill 1298
Note: Snort needs to be reloaded to see the new rules. This can be done with kill -SIGHUP snort-pid, or you can restart the snort service (once that’s created in a later part of this guide).
Additional note about shared object rules: In addition to regular rules, The above section will download Shared object rules. Shared object rules are also known as ”Shared Object rules”, ”SO rules”, ”pre-compiled rules”, or ”Shared Objects”. These are detection rules that are written in the Shared Object rule language, which is similar to C.
These rules are pre-compiled by the provider of the rules, and allow for more complicated rules, and allow for obfuscation of rules (say to detect attacks that haven’t been patched yet, but the vendor wants to allow detection without revealing the vulnerability). These rules are compiled by the vendor for specific systems. One of these systems is Ubuntu 12, and luckily these rules also work on Ubuntu 14 and 15.
Congratulations, if you have output similar to the above then you have successfully Configured PulledPork. Continue to the next section to install startup scripts for Snort and Barnyard2. Choose one of the two following links, depending on your version of Ubuntu. You will create an Upstart scripts for Ubuntu 12 and 14, and a systemD scripts for Ubuntu 15.
Choose One of the following to continue:
Ubuntu 14: Creating Upstart Scripts for Snort and Barnyard2
Ubuntu 16: Creating systemD Scripts for Snort
Snort 2.9.9.x on Ubuntu – Part 3: Writing and Testing a Single Rule With Snort
- Installing Snort
- Configuring Snort to Run as a NIDS
- Writing and Testing a Single Rule With Snort
- Installing Barnyard2
- Installing PulledPork
- Creating Upstart Scripts for Snort on Ubuntu 14
- Creating systemD Scripts for Snort on Ubuntu 16
- Installing BASE
- Conclusion
Writing and Testing a Single Rule With Snort
In the previous two articles in this series, we installed Snort an configured it to run as a NIDS. In this article, we are going to create a rule which causes Snort to generate an alert whenever it sees an ICMP message. If you want, you can skip this section, as it is not required to get a Snort NIDS up and running, but it will help you to gain a much better understanding of how Snort rules are created and loaded.
Onward
In the previous article, we created the /etc/snort/rules/local.rules file and left it empty. We also edited the snort.conf file to tell Snort to load this local.rules file (when we un-commented the line: include $RULE_PATH/local.rules in snort.conf). When Snort starts, it will use the include directive in snort.conf to load all rules in local.rules. The local.rules file is a place where we can place rules that are specific to our environment, and is great for testing.
First, we need to edit the local.rules file:
sudo vi /etc/snort/rules/local.rules
input the following text and save the file:
alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; GID:1; sid:10000001; rev:001; classtype:icmp-event;)
What this rule says is that for any ICMP packets it sees from any network to our HOME_NET, generate an alert with the text ICMP test. The other information here (GID, REV, classtype) are used group the rule, and will be helpful when you install BASE.
Barnyard2 doesn’t read meta-information about alerts from the local.rules file. Without this information, Barnyard2 won’t know any details about the rule that triggered the alert, and will generate non-fatal errors when adding new rules with PulledPork (done in a later step). To make sure that barnyard2 knows that the rule we created with unique identifier 10000001 has the message ”ICMP Test Detected”, as well as some other information (please see this blog post for more information). We add the following two lines to the /etc/snort/sid-msg.map file:
#v2 1 || 10000001 || 001 || icmp-event || 0 || ICMP Test detected || url,tools.ietf.org/html/rfc792
(the #v2 tells barnyard2 that the next line is the version 2 format, rather than v1)
Since we have made changes to the file that snort loads (local.rules), it is a good idea to test the configuration file again:
sudo snort -T -c /etc/snort/snort.conf -i eth0
If successful, you should be able to scroll up through the output and see that Snort has loaded our rule:
+++++++++++++++++++++++++++++++++++++++++++++++++++ Initializing rule chains... 1 Snort rules read 1 detection rules 0 decoder rules 0 preprocessor rules 1 Option Chains linked into 1 Chain Headers 0 Dynamic rules +++++++++++++++++++++++++++++++++++++++++++++++++++ +-------------------[Rule Port Counts]--------------------------------------- | tcp udp icmp ip | src 0 0 0 0 | dst 0 0 0 0 | any 0 0 1 0 | nc 0 0 1 0 | s+d 0 0 0 0 +----------------------------------------------------------------------------
Now to test the rule. We need to verify that Snort generates an alert when it processes an ICMP packet. We will launch Snort with the following options:
-A console the console option prints fast mode alerts to stdout -q Quiet. Don't show banner and status report. -u snort run snort as the following user after startup -g snort run snort as the following group after startup -c /etc/snort/snort.conf the path to our snort.conf file -i eth0 the interface to listen on
Run Snort with the command below, modifying the parameters as required specific for your configuration:
sudo /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
Note: If you are running Ubuntu 16, remember that your interface name is not eth0.
Once you have started Snort with the above command, you need use another computer or another terminal window to ping the interface that you directed Snort to listen on. You should see output similar to the below on the terminal of the Snort machine:
10/31-02:27:19.663643 [**] [1:10000001:1] ICMP test detected [∗∗] [Classification: Generic ICMP event] [Priority:3] {ICMP} 10.0.0.74 -> 10.0.0.64
10/31-02:27:19.663675 [**] [1:10000001:1] ICMP test detected [∗∗] [Classification: Generic ICMP event] [Priority:3] {ICMP} 10.0.0.64 -> 10.0.0.74
10/31-02:27:20.658378 [**] [1:10000001:1] ICMP test detected [∗∗] [Classification: Generic ICMP event] [Priority:3] {ICMP} 10.0.0.74 -> 10.0.0.64
10/31-02:27:20.658404 [**] [1:10000001:1] ICMP test detected [∗∗] [Classification: Generic ICMP event] [Priority:3] {ICMP} 10.0.0.64 -> 10.0.0.74
10/31-02:27:21.766521 [**] [1:10000001:1] ICMP test detected [∗∗] [Classification: Generic ICMP event] [Priority:3] {ICMP} 10.0.0.74 -> 10.0.0.64
10/31-02:27:21.766551 [**] [1:10000001:1] ICMP test detected [∗∗] [Classification: Generic ICMP event] [Priority:3] {ICMP} 10.0.0.64 -> 10.0.0.74
10/31-02:27:22.766167 [**] [1:10000001:1] ICMP test detected [∗∗] [Classification: Generic ICMP event] [Priority:3] {ICMP} 10.0.0.74 -> 10.0.0.64
10/31-02:27:22.766197 [**] [1:10000001:1] ICMP test detected [∗∗] [Classification: Generic ICMP event] [Priority:3] {ICMP} 10.0.0.64 -> 10.0.0.74
^C*** Caught Int-Signal
You have to use ctrl-c to stop snort from running after the above output. What the above example shows is the 4 ICMP Echo Request and Reply messages between our Snort server (IP 10.0.0.64) and our other machine (10.0.0.74). If you look in /var/log/snort, you will also see a file with the name snort.log.nnnnnnnnnn (the n’s are replaced by numbers), which contains the same information that Snort printed to the screen.
Congratulations, if you have output similar to the above then you have successfully created a rule for Snort to alert on. Continue to the next section to Install Barnyard2.
Snort 2.9.9.x on Ubuntu – Part 2: Configuring Snort to Run as a NIDS
- Installing Snort
- Configuring Snort to Run as a NIDS
- Writing and Testing a Single Rule With Snort
- Installing Barnyard2
- Installing PulledPork
- Creating Upstart Scripts for Snort on Ubuntu 14
- Creating systemD Scripts for Snort on Ubuntu 16
- Installing BASE
- Conclusion
Configure Snort to Run as a NIDS
This is the second in a set of articles will guide you through the steps of installing and configuring Snort as a Network Intrusion Detection System (NIDS). In the previous article we installed the Snort binary and verified that it correctly executed. In this section, we will configure Snort to run as a NIDS by creating the files and folders that Snort expects when running as a NIDS, and we will learn about the Snort configuration file: snort.conf.
Basic Configuration
First off, for security reasons we want Snort to run as an unprivileged user. We create a snort user and group for this purpose:
sudo groupadd snort sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
Next, we need to create a number of files and folders that Snort expects when running in NIDS mode. We will then change the ownership of those files to our new snort user. Snort stores configuration files in /etc/snort, rules in /etc/snort/rules, /usr/local/lib/snort_dynamicrules, and stores its logs in /var/log/snort:
# Create the Snort directories: sudo mkdir /etc/snort sudo mkdir /etc/snort/rules sudo mkdir /etc/snort/rules/iplists sudo mkdir /etc/snort/preproc_rules sudo mkdir /usr/local/lib/snort_dynamicrules sudo mkdir /etc/snort/so_rules # Create some files that stores rules and ip lists sudo touch /etc/snort/rules/iplists/black_list.rules sudo touch /etc/snort/rules/iplists/white_list.rules sudo touch /etc/snort/rules/local.rules sudo touch /etc/snort/sid-msg.map # Create our logging directories: sudo mkdir /var/log/snort sudo mkdir /var/log/snort/archived_logs # Adjust permissions: sudo chmod -R 5775 /etc/snort sudo chmod -R 5775 /var/log/snort sudo chmod -R 5775 /var/log/snort/archived_logs sudo chmod -R 5775 /etc/snort/so_rules sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules # Change Ownership on folders: sudo chown -R snort:snort /etc/snort sudo chown -R snort:snort /var/log/snort sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
We now need to move the following files from the extracted Snort tarball to the snort configuration folder:
- classification.config describes the types of attack classifications that Snort understands (grouping rules into these types of classifications), such as trojan-activity or system-call-detect. The list of classifications can be found in section 3.4.6 of the Snort Manual
- file_magic.conf describes rules for identifying file types.
- reference.config contains urls that are referenced in the rules that provide more information about alerts.
- snort.conf is the configuration file for Snort, it tells Snort where resources are located, and how to output alerts, among other things.
- threshold.conf allows you to control the number of events that are required to generate an alert, which can help suppress noisy alerts. More information here.
- attribute table.dtd lets Snort use outside information to determine protocols and policies. More information here.
- gen-msg.map tells Snort which pre-processor is used by which rule. More information here.
- unicode.map provides a mapping between Unicode languages and the identifier. This file is required by Snort in order to start.
Run the commands below to move the files listed above to the /etc/snort folder:
cd ~/snort_src/snort-2.9.9.0/etc/ sudo cp *.conf* /etc/snort sudo cp *.map /etc/snort sudo cp *.dtd /etc/snort cd ~/snort_src/snort-2.9.9.0/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/ sudo cp * /usr/local/lib/snort_dynamicpreprocessor/
The Snort configuration folder and file structure should now look like the following:
user@snortserver:~$ tree /etc/snort /etc/snort ├── attribute_table.dtd ├── classification.config ├── file_magic.conf ├── gen-msg.map ├── preproc_rules ├── reference.config ├── rules │.. ├── local.rules │.. ├── iplists │ .. ├── black_list.rules │ .. ├── white_list.rules ├── sid-msg.map ├── snort.conf ├── so_rules ├── threshold.conf └── unicode.map
Editing the Snort Configuration File
The Snort configuration file is stored at /etc/snort/snort.conf, and contains all the settings that Snort will use when it is run in NIDS mode. This is a large file (well over 500 lines), and contains a number of options for the configuration of Snort. We are interested in only a few settings at this time.
First, we need to comment out the lines that causes Snort to import the default set of rule files. We do this because we will be using PulledPork to manage our rulesets, which saves all the rules into a single file. The easy way to comment out all these lines is to use sed to append the “#” (hash) character to those lines. This is accomplished by running the following command:
sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf
The result of this command is that lines 547 to 651 in snort.conf will now be commented out, which will prevent Snort from loading those rule files on start-up. These rule files do not exist, and will cause Snort to generate an error if it tries to load a file that doesn’t exist. If you were to manually download the rule files from the snort website and extract them to the /etc/snort/rules folder, then you would want those rules to be un-commented out. We will use PulledPork (configured later) to manage all our rules and save them into a single file, which is why we need all those rule files to be commented out.
Next, we need to manually edit a few lines in the snort.conf file. Use vi (or your favorite editor) to edit /etc/snort/snort.conf:
sudo vi /etc/snort/snort.conf
First, we need to let Snort know the network range of your home network (the assets you are trying to protect) and all other external networks. We do this by editing lines 45 and 48 of snort.conf to tell it the IP ranges of these two networks. In the example below, our home network is 10.0.0.0 with a 24 bit subnet mask (255.255.255.0), and our external networks are all other networks.
ipvar HOME_NET 10.0.0.0/24 # (line 45) make this match your internal (friendly) network
Note: it is not recommended to set EXTERNAL_NET to !$HOME NET as recommended in some guides, since it can cause Snort to miss alerts.
Next we need to tell Snort about the locations of all the folders we created earlier. These settings are also part of the snort.conf file. I have included the line numbers after the hash so you can more easily find the setting (do not write the line number, just change the path to match what is below):
var RULE_PATH /etc/snort/rules # line 104 var SO_RULE_PATH /etc/snort/so_rules # line 105 var PREPROC_RULE_PATH /etc/snort/preproc_rules # line 106 var WHITE_LIST_PATH /etc/snort/rules/iplists # line 113 var BLACK_LIST_PATH /etc/snort/rules/iplists # line 114
Finally, we want to enable one included rule file: /etc/snort/rules/local.rules. We will use this file to store our own rules, including one rule that we will write in the next article in this series that will allow us to easily check that Snort is correctly generating alerts. Un-comment the following line (line 545) by deleting the hash from the beginning of the line:
include $RULE_PATH/local.rules
Testing Snort with our Configuration File
Snort has the ability to validate the configuration file, and you should do this whenever you make modifications to snort.conf. Run the following command to have Snort test the configuration file:
sudo snort -T -c /etc/snort/snort.conf -i eth0
The -T tells snort to test, and -c tells snort the path to the configuration file, and you are required to specify an interface you want to listen to with -i (this is a new requirement as of 2.9.8.x version of snort). Make sure to use the correct interface. You should see some output, with the following lines at the end:
...
Snort successfully validated the configuration!
Snort exiting
Congratulations, if you have output similar to the above then you have successfully Configured Snort to run as a NIDS. Continue to the next section: Writing and Testing a Single Rule With Snort.
Snort 2.9.9.x on Ubuntu – Part 1: Installing Snort
- Installing Snort
- Configuring Snort to Run as a NIDS
- Writing and Testing a Single Rule With Snort
- Installing Barnyard2
- Installing PulledPork
- Creating Upstart Scripts for Snort on Ubuntu 14
- Creating systemD Scripts for Snort on Ubuntu 16
- Installing BASE
- Conclusion
Overview
This detailed set of articles will guide you through the steps of installing and configuring Snort as a Network Intrusion Detection System (NIDS), along with additional software that extends the functionality of your Snort system. These articles are based on the Snort Installation guide I wrote, and which was posted in the documents section of the Snort website. If you are instead looking for a quick install guide for Snort on Ubuntu, please see my other standalone article: Snort 2.9.9.x on Ubuntu (quick install guide). If you want to test the new alpha version of Snort, please see my articles: Installing Snort++ (Version 3.0 Alpha 4) in Ubuntu.
These articles are designed to take you step-by-step through the installation, configuration, and testing of each component of a Snort system. I will explain the design decisions and the purpose of specific commands throughout this guide, which will will help you understand how Snort is installed, configured, tested, executed, and how it interfaces with its supporting software. You can follow the steps in this guide, but choose to skim the detailed explanations if you would like, and you will still end up with a working Snort system. However, if you take the effort to understand every step you will have a much deeper understanding of Snort, be better able to troubleshoot issues, and fully customize your Snort installation.
Supported Software Versions
This guide has been tested with Snort 2.9.9.0 on both the x86 and x64 architectures of Ubuntu 14, and 16. This guide will probably work on other Ubuntu-derived distributions, and I have been told that it works fairly well (with some modifications) for Debian systems including the Raspberry Pi. This guide will note VMware specific configuration options, if you want to run Snort as a virtual machine. At the time of this writing, the latest version of Snort is 2.9.9.0, and the instructions below are tailored for that version. If you want to use more recent versions of any of the software installed below (updated versions released after the publication of this guide), it should work without significant changes, but obviously you may encounter issues I can’t foresee.
On its own, Snort runs in standalone mode as a packet sniffer and logger. With a few additional applications and some configuration, a Snort system becomes much more useful as a NIDS. The supporting software components we will install in this set of articles are:
- Barnyard2 is a dedicated spooler for Snort’s unified2 binary output format. Packet processing is very resource intensive, so to reduce the load on the Snort process: we have Snort save suspicious packets to a directory in a native binary format without processing the packets. Barnyard2 then asynchronously processes those packets and saves them in a MySQL database.
- PulledPork is a Perl script that automatically downloads the latest Snort rulesets. Since the threat landscape is constantly evolving, new rulesets are required by Snort to identify the latest types of suspicious traffic (rulesets are similar to antivirus signatures).
- BASE provides a web front-end to query and analyze the alerts coming from a Snort system.
Alternatives to This Guide
If you just want a Snort system installed and running without having to compile and install all the individual components, there are some alternatives:
- Autosnort: a script that will install Snort and supporting software on your system.
- Install Snort from the Ubuntu repository: This version of Snort tends to be out of date, and doesn’t give you the flexibility provided by compiling your own version of Snort.
- Security Onion: A live CD based on Ubuntu with Snort already installed.
Recommendations for Running Snort in a Virtual Machine
If you are running Snort as a VMware ESXi virtual machine, it is recommended that you use the vmxnet 3 network adapter.
Onwards
So let’s get started. First, we need to ensure that the network card does not truncate over-sized packets. From The Snort Manual:
Some network cards have features named “Large Receive Offload” (lro) and “Generic Receive Offload” (gro). With these features enabled, the network card performs packet reassembly before they’re processed by the kernel. By default, Snort will truncate packets larger than the default snaplen of 1518 bytes. In addition, LRO and GRO may cause issues with Stream5 target-based reassembly. We recommend that you turn off LRO and GRO.
Edit /etc/network/interfaces as an admin:
sudo vi /etc/network/interfaces
Append the following two lines for each network interface you will have Snort listen on, making sure to change eth0 to match your interface name (See note below for Ubuntu 16):
post-up ethtool -K eth0 gro off post-up ethtool -K eth0 lro off
Important note for people running Ubuntu 16: Begining with Ubuntu 15.10, network interfaces no longer follow the ethX standard (eth0, eth1, …). Instead, interfaces names are assigned as Predictable Network Interface Names. This means you need to check the names of your interfaces using ifconfig -a. In my case, what was originally eth0 is now ens160. If you are running Ubuntu 15.10, anywhere in this guide you see eth0, you will need to replace with your new interface name.
an example of how the /etc/network/interfaces file should look for a single interface:
# This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). source /etc/network/interfaces.d/* # The loopback network interface auto lo iface lo inet loopback # The primary network interface auto eth0 iface eth0 inet dhcp post-up ethtool -K eth0 gro off post-up ethtool -K eth0 lro off
Next we will create a directory to save the downloaded tarball files:
mkdir ~/snort_src cd ~/snort_src
Next we need to install all the prerequisites from the Ubuntu repositories:
sudo apt-get install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev openssl libssl-dev
Breakdown of the packages you are installing:
- build-essential: provides the build tools (GCC and the like) to compile software.
- bison, flex: parsers required by DAQ (DAQ is installed later below).
- libpcap-dev: Library for network traffic capture required by Snort.
- libpcre3-dev: Library of functions to support regular expressions required by Snort.
- libdumbnet-dev: the libdnet library provides a simplified, portable interface to several low-level networking routines. Many guides for installing Snort install this library from source, although that is not necessary.
- zlib1g-dev: A compression library required by Snort.
- liblzma-dev: Provides decompression of swf files (adobe flash)
- openssl and libssl-dev: Provides SHA and MD5 file signatures
The final library that Snort requires is the development library for Nghttp2: a HTTP/2 C Library which implements the HPAC header compression algorithm.
In Ubuntu 16 the install is easy:
# Ubuntu 16 only: sudo apt-get install -y libnghttp2-dev
for Ubuntu 14, we need to compile from source:
# Ubuntu 14 only (not Ubuntu 16) sudo apt-get install -y autoconf libtool pkg-config cd ~/snort_src wget https://github.com/nghttp2/nghttp2/releases/download/v1.17.0/nghttp2-1.17.0.tar.gz tar -xzvf nghttp2-1.17.0.tar.gz cd nghttp2-1.17.0 autoreconf -i --force automake autoconf ./configure --enable-lib-only make sudo make install
Snort uses the Data Acquisition library (DAQ) to abstract calls to packet capture libraries. DAQ is downloaded and installed from the Snort website:
cd ~/snort_src wget https://snort.org/downloads/snort/daq-2.0.6.tar.gz tar -xvzf daq-2.0.6.tar.gz cd daq-2.0.6 ./configure make sudo make install
Now we are ready to install Snort from source. When we configure the build of Snort, we use the --enable-sourcefire flag, which enables Packet Performance Monitoring (PPM), and matches the way the sourcefire team builds Snort.
cd ~/snort_src wget https://snort.org/downloads/snort/snort-2.9.9.0.tar.gz tar -xvzf snort-2.9.9.0.tar.gz cd snort-2.9.9.0 ./configure --enable-sourcefire make sudo make install
Run the following command to update shared libraries:
sudo ldconfig
Since the Snort installation places the Snort binary at /usr/local/bin/snort, it is a good policy to create a symlink to /usr/sbin/snort:
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
The last step of our Snort installation is to test that the Snort Binary runs. Execute Snort with the -V flag, which causes Snort to show the version number:
/usr/sbin/snort -V
and you should see output similar to the following:
user@snortserver:~$ snort -V
Version 2.9.9.0 GRE (Build 56)
By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.7.4
Using PCRE version: 8.38 2015-11-23
Using ZLIB version: 1.2.8
Congratulations, if you have output similar to the above then you have successful installed Snort. Continue to the next section to Configure Snort to Run as a NIDS.
Installing OpenAppID with Snort 2.9.9.x on Ubuntu
The instructions below show how to install OpenAppId in Snort 2.9.9.x on Ubuntu 14 and Ubuntu 16.
If you want a more in-depth explanation of the install steps, as well as instructions on how to configure and enhance Snort’s functionality, see my in-depth series for installing Snort on Ubuntu, or my Quick Install Guide for Snort 2.9.9.x on Ubuntu. If you want to test the new alpha version of Snort (Version 3.0 Alpha 4), please see my article: Installing Snort 3 Alpha in Ubuntu.
Let Us Get Started
So let’s get started. First we need tocreate a directory to save the downloaded tarball files:
mkdir ~/snort_src cd ~/snort_src
Next we install all the Snort pre-requisites from the Ubuntu repositories:
sudo apt-get install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev
Snort 2.9.9.x needs the development libraries for Nghttp2. On Ubuntu 16 this is simple:
# Ubuntu 16 only (not Ubuntu 14) sudo apt-get install -y libnghttp2-dev
On Ubuntu 14, we do this from scratch:
# Ubuntu 14 only (not Ubuntu 16) sudo apt-get install -y autoconf libtool pkg-config cd ~/snort_src wget https://github.com/nghttp2/nghttp2/releases/download/v1.17.0/nghttp2-1.17.0.tar.gz tar -xzvf nghttp2-1.17.0.tar.gz cd nghttp2-1.17.0 autoreconf -i --force automake autoconf ./configure --enable-lib-only make sudo make install
Next we want to install the pre-requisites that are specific to OpenAppID:
sudo apt-get install -y libluajit-5.1-dev pkg-config openssl libssl-dev
Download and install Data Acquisition library (DAQ) from the Snort website:
cd ~/snort_src wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz tar -xvzf daq-2.0.6.tar.gz cd daq-2.0.6 ./configure make sudo make install
Installing Snort
Now we are ready to install Snort from source. We use the ‑‑enable-open-appid option, which prepares Snort to be built with OpenAppID support. We also use the ‑‑enable-sourcefire option, which enables the Sourcefire-specific build options:
Now we are ready to install Snort from source:
cd ~/snort_src wget https://snort.org/downloads/snort/snort-2.9.9.0.tar.gz tar -xvzf snort-2.9.9.0.tar.gz cd snort-2.9.9.0 ./configure --enable-sourcefire --enable-open-appid make sudo make install
Run the following command to update shared libraries:
sudo ldconfig
Since the Snort installation places the Snort binary at /usr/local/bin/snort, it is common to create a symlink to /usr/sbin/snort:
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
We need to a few configuration things to prepare Snort for use. More detailed information on the steps below can be found here .
Create the needed directories and empty files:
# Create the Snort directories: sudo mkdir /etc/snort sudo mkdir /etc/snort/rules sudo mkdir /etc/snort/rules/iplists sudo mkdir /etc/snort/preproc_rules sudo mkdir /usr/local/lib/snort_dynamicrules sudo mkdir /etc/snort/so_rules # Create some files that stores rules and ip lists sudo touch /etc/snort/rules/iplists/black_list.rules sudo touch /etc/snort/rules/iplists/white_list.rules sudo touch /etc/snort/rules/local.rules sudo touch /etc/snort/sid-msg.map # Create our logging directories: sudo mkdir /var/log/snort sudo mkdir /var/log/snort/archived_logs # Adjust permissions: sudo chmod -R 5775 /etc/snort sudo chmod -R 5775 /var/log/snort sudo chmod -R 5775 /var/log/snort/archived_logs sudo chmod -R 5775 /etc/snort/so_rules sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
Finally copy some files:
cd ~/snort_src/snort-2.9.9.0/etc/ sudo cp *.conf* /etc/snort sudo cp *.map /etc/snort sudo cp *.dtd /etc/snort cd ~/snort_src/snort-2.9.9.0/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/ sudo cp * /usr/local/lib/snort_dynamicpreprocessor/
Comment out the rule files that are automatically loaded by Snort in snort.conf (since we don’t have any rule files downloaded at this time) by running the following command:
sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf
Next we need to edit the /etc/snort/snort.conf Snort configuration file as root.
sudo vi /etc/snort/snort.conf
Line 45 of /etc/snort/snort.conf: the variable HOME_NET should match your internal (defended) network. In the below example our HOME NET is 10.0.0.0 with a 24-bit subnet mask (255.255.255.0):
ipvar HOME_NET 10.0.0.0/24
Still editing snort.conf, next we need to modify some file paths to match the lines below, beginning at line 104:
var RULE_PATH /etc/snort/rules var SO_RULE_PATH /etc/snort/so_rules var PREPROC_RULE_PATH /etc/snort/preproc_rules var WHITE_LIST_PATH /etc/snort/rules/iplists var BLACK_LIST_PATH /etc/snort/rules/iplists
Still editing snort.conf, next we need to enable the local.rules file by un-commenting (remove the hash symbol from the beginning) line 546 so it looks like the following:
include $RULE_PATH/local.rules
Once you have saved your edits to snort.conf, you should test that snort can load this configuration file without any errors. You do this by running snort with the -T flag to tell snort to test the file, the -c flag to identify the path of the snort.conf file, and the -i flag for a network interface that Snort will listen on (Note that Ubuntu 16 can have different interface names, which you can check with the ifconfig command). This is shown below. Output has been truncated to the final few lines to show success:
user@snortserver:~$ sudo snort -T -i eth0 -c /etc/snort/snort.conf (...) Snort successfully validated the configuration! Snort exiting user@snortserver:~$
Download and Extract the Application Detector Package
Now we need to download the Application Detector Package, which contains the rules for detecting types of traffic. You can find this file on the Snort.org download page, listed as snort-openappid.tar.gz. You should download the latest version of this package, the version below is the latest as of writing, but will probably have changed, as the Snort team is updating regularly:
cd ~/snort_src wget https://snort.org/downloads/openappid/4602 -O snort-openappid.tar.gz tar -xvzf snort-openappid.tar.gz
The result of the above command will create a odp directory which holds all the application detector files. We want to move that folder under our Snort rules folder:
sudo cp -r ~/snort_src/odp/ /etc/snort/rules/
and create one folder for third-party developed application detectors:
sudo mkdir /usr/local/lib/thirdparty
Editing snort.conf to enable OpenAppID
We need to enable the OpenAppID pre-processor, then we need to have Snort output the AppID data. The 2.9.9.0 release of snort doesn’t seem to create the default snort.conf correctly (which would include the necessary OpenAppID settings), so rather than enabling them by uncommeting them, we will need to add these lines manually. To enable the pre-processor, edit the snort.conf file (located at /etc/snort/snort.conf) as root, and add the following lines before the commented-out section 6 (line 513 for me):
preprocessor appid: app_stats_filename appstats-u2.log, \ app_stats_period 60, \ app_detector_dir /etc/snort/rules
This tells Snort the file name of the log to output statistics to (appstats-u2-log), how often to write to the log (every 60 seconds), and where to find the odf folder we downloaded earlier.
While still in the /etc/snort/snort.conf file, add the following lower down (below the commented-out section 6, around line 526 ):
output unified2: filename snort.u2, limit 128, appid_event_types
this directive tells Snort to output alerts in the unified2 binary format to the snort.log, the size of the log, and also to output AppID data to the same location.
Now test the Snort configuration file to verify there are no errors:
sudo /usr/local/bin/snort -T -c /etc/snort/snort.conf -i eth0
as above, you should see the text: Snort successfully validated the configuration! If not, fix the errors that are reported.
Collecting OpenAppID Data
Use the below command to start collecting packets (change the interface as needed), and use ctrl-c to stop the collection:
sudo /usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 ctrl-c
To generate OpenAppID data while Snort is running as above, try browsing to a website, making sure the data is visible to the interface that snort is listening on, either by passing that data directly through the Snort interface, or by ensuring that your network infrastructure copies network traffic to the Snort server (span port, port mirroring, or promiscuous mode, for example).
Once you have collected data (remember that we are writing data out every 60 seconds, so wait longer than a minute before cancelling the collection), you should see file(s) in /var/log/snort/ with the name: appstats-u2.log.nnnnnnnnnn (where the n’s are numbers). these are the OpenAppID data files. We can process them with u2openappid, which is located in /usr/local/bin.
A simple example of this processing:
noah@snort:~$ sudo u2openappid /var/log/snort/appstats-u2.log.1483841898 statTime="1449426240",appName="HTTP",txBytes="0",rxBytes="8152" statTime="1449426300",appName="HTTP",txBytes="0",rxBytes="9542" statTime="1449426240",appName="DNS",txBytes="301",rxBytes="0" statTime="1449426240",appName="__unknown",txBytes="12376",rxBytes="1118" statTime="1449426300",appName="DNS",txBytes="761",rxBytes="0"
In the above example, I used curl over the same interface snort was listening on to request www.xkcd.com. The various application detectors show the amount of traffic for each detector, DNS, HTTP, and the like.
An more complex example of this processing (from an older version of OpenAppID, but still valid):
noah@snort:~$ sudo /usr/local/bin/u2openappid /var/log/snort/appstats-u2.log.1428300780 statTime="1428300720",appName="curl",txBytes="740",rxBytes="6894" statTime="1428300720",appName="http",txBytes="1306",rxBytes="7384" statTime="1428300720",appName="ubuntu",txBytes="566",rxBytes="490" statTime="1428300720",appName="python_urllib",txBytes="566",rxBytes="490" statTime="1428300780",appName="https",txBytes="777",rxBytes="1444" statTime="1428300780",appName="https",txBytes="1040",rxBytes="2116" statTime="1428300840",appName="google",txBytes="3001",rxBytes="4684" statTime="1428300840",appName="facebook",txBytes="66705",rxBytes="1841294" statTime="1428300840",appName="firefox",txBytes="9080",rxBytes="29282" statTime="1428300840",appName="google_analytic",txBytes="2441",rxBytes="17912" statTime="1428300840",appName="http",txBytes="10591",rxBytes="49907" statTime="1428300840",appName="https",txBytes="68049",rxBytes="1846327" statTime="1428300840",appName="ssl_client",txBytes="66013",rxBytes="1840694" statTime="1428300840",appName="linux_mint",txBytes="955",rxBytes="2912" statTime="1428300840",appName="python_urllib",txBytes="1511",rxBytes="20625" statTime="1428300720",appName="dns",txBytes="380",rxBytes="538" statTime="1428300720",appName="ssh",txBytes="10487",rxBytes="24943" statTime="1428300720",appName="rtp",txBytes="592",rxBytes="0" statTime="1428300780",appName="dhcp",txBytes="1368",rxBytes="0" statTime="1428300780",appName="dns",txBytes="482",rxBytes="936" statTime="1428300780",appName="vnc",txBytes="219685",rxBytes="5131591" statTime="1428300780",appName="https",txBytes="210284",rxBytes="1373974" statTime="1428300780",appName="mdns",txBytes="8316",rxBytes="0" statTime="1428300840",appName="dns",txBytes="1754",rxBytes="5372" statTime="1428300840",appName="facebook",txBytes="3109",rxBytes="11074" statTime="1428300840",appName="https",txBytes="3109",rxBytes="11074" statTime="1428300840",appName="ssl_client",txBytes="3109",rxBytes="11074"
If you have output similar to the above, then Snort is installed and works. To generate the above output, I browsed to xkcd.com with curl on one computer, and to facebook with firefox on another computer. Looking through the output, the applications listed with the same statTime are from the same request. When I used curl to request xkcd.com, snort detected the various types of traffic defined by the various detectors.
If you want to learn more about how to run Snort, and how to install additional software to enhance a Snort system, see my in-depth series on installing Snort on Ubuntu. If you have any feedback (recommendations or corrections), please let me know here.
Snort 2.9.9.x on Ubuntu – Quick Install Guide
The instructions below show how to install Snort 2.9.9.x on both the x86 and x64 architectures for Ubuntu 14 and 16. If you want a more in-depth explanation of the install steps, as well as instructions on how to configure and enhance Snort’s functionality, see my in-depth series for installing Snort on Ubuntu.
If you want to test the new alpha version of Snort (Version 3.0 Alpha 4), please see my article: Installing Snort 3 Alpha in Ubuntu
If you want to work with OpenAppID, please see my guide for OpenAppID for Snort 2.9.9.x on Ubuntu.
Let Us Begin:
So let’s get started. First we will create a directory to save the downloaded tarball files:
mkdir ~/snort_src cd ~/snort_src
Next we need to install all the pre-requisites from the Ubuntu repositories:
sudo apt-get install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev openssl libssl-dev
We need the development libraries for Nghttp2. On Ubuntu 16 this is simple:
# Ubuntu 16 only (not Ubuntu 14) sudo apt-get install -y libnghttp2-dev
On Ubuntu 14, we do this from scratch:
# Ubuntu 14 only (not Ubuntu 16) sudo apt-get install -y autoconf libtool pkg-config cd ~/snort_src wget https://github.com/nghttp2/nghttp2/releases/download/v1.17.0/nghttp2-1.17.0.tar.gz tar -xzvf nghttp2-1.17.0.tar.gz cd nghttp2-1.17.0 autoreconf -i --force automake autoconf ./configure --enable-lib-only make sudo make install
Disable LRO and GRO for all interfaces Snort will listen on under /etc/network/interfaces. using ethtool. An explanation of LRO and GRO are in the The Snort Manual. Use an editor to edit the network interfaces file:
sudo vi /etc/network/interfaces
and for every interface that Snort will listen on (one interface for simple setups, multiple interfaces for more complex setups), add the following two lines, changing eth0 to match the interface:
post-up ethtool -K eth0 gro off post-up ethtool -K eth0 lro off
for example, my /etc/network/interfaces file looks like this:
source /etc/network/interfaces.d/* # The loopback network interface auto lo iface lo inet loopback # The primary network interface auto eth0 iface eth0 inet dhcp post-up ethtool -K eth0 gro off post-up ethtool -K eth0 lro off
Reboot the system and verify that LRO and GRO are off:
user@snortserver:~$ ethtool -k eth0 | grep receive-offload generic-receive-offload: off large-receive-offload: off
Download and install Data Acquisition library (DAQ) from the Snort website:
cd ~/snort_src wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz tar -xvzf daq-2.0.6.tar.gz cd daq-2.0.6 ./configure make sudo make install
Now we are ready to install Snort from source:
cd ~/snort_src wget https://snort.org/downloads/snort/snort-2.9.9.0.tar.gz tar -xvzf snort-2.9.9.0.tar.gz cd snort-2.9.9.0 ./configure --enable-sourcefire make sudo make install
Run the following command to update shared libraries:
sudo ldconfig
Since the Snort installation places the Snort binary at /usr/local/bin/snort, it is common to create a symlink to /usr/sbin/snort:
sudo ln -s /usr/local/bin/snort /usr/sbin/snort
The last step of our Snort installation is to test that the Snort Binary runs. Execute Snort with the -V flag, which causes Snort to print the current version. You should see output similar to the following:
user@snortserver:~$ snort -V
,,_ -*> Snort! <*-
o" )~ Version 2.9.9.0 GRE (Build 56)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.7.4
Using PCRE version: 8.38 2015-11-23
Using ZLIB version: 1.2.8
user@snortserver:~$
If you have output similar to the above, then Snort is installed and works. If you want to learn more about how to run Snort, and how to install additional software to enhance a Snort system, see my in-depth series for installing Snort on Ubuntu.
If you have any questions or recommendations, please contact me. I can’t always answer questions right away, but I will do my best to get back to you. I welcome all recommendations and corrections.
Installing Snort++ in Ubuntu (Version 3.0 Alpha 4)
NOTE: this article is out of date and has been replaced with a newer article: Installing Snort++ (Snort 3 Alpha 4 build 239) in Ubuntu.
The instructions below show how to install Snort 3 alpha 4 build 223 on Ubuntu. This install has been tested on Ubuntu 14 and 16, for both the x86 and x64 architectures. For an outdated Ubuntu 12 version of these instructions, please go here. Note that Snort 3 is Alpha software, and therefore has bugs and issues, and should be installed for testing purposes only (not on production systems).
Snort 3 Alpha 4 Build 233 was released on December 22, 2016, and this guide has been tested with that version (releases after this specific release may not follow the same steps). Generic build instructions, prerequisites, and detailed notes are available in the manual.
If you want a more in-depth explanation of the install steps, which are very similar to the 2.9.9.x version of Snort, as well as instructions on how to configure and enhance Snort’s functionality, see my series on installing Snort 2.9.9.x on Ubuntu.
So let’s get started. First we need to install all the Snort pre-requisites from the Ubuntu repositories:
sudo apt-get install -y build-essential autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev libpcre3-dev zlib1g-dev pkg-config libhwloc-dev cmake
Install the optional (recommended) software:
sudo apt-get install -y liblzma-dev openssl libssl-dev cpputest cmake
Install tools required for compiling the source from github:
sudo apt-get install -y libtool git autoconf
Install the DAQ pre-requisites:
sudo apt-get install -y bison flex
If you want to build the documentation as well (not really needed, unless you want it, usually about 700 MB of libraries):
sudo apt-get install -y asciidoc dblatex source-highlight
Next we will create a directory to save the downloaded tarball files:
mkdir ~/snort_src cd ~/snort_src
First and install safec for runtime bounds checks on certain legacy C-library calls (this is optional but recommended):
cd ~/snort_src wget http://downloads.sourceforge.net/project/safeclib/libsafec-10052013.tar.gz tar -xzvf libsafec-10052013.tar.gz cd libsafec-10052013 ./configure make sudo make install
One of the Snort recommended prerequisites is Hyperscan 4.2.0. From their webpage: “Hyperscan is a regular expression engine designed to offer high performance, the ability to match multiple expressions simultaneously and flexibility in scanning operation.” Hyperscan needs Ragel 6.9 and the Boost header libraries.
Install Ragel 6.9 from source:
cd ~/snort_src wget http://www.colm.net/files/ragel/ragel-6.9.tar.gz tar -xzvf ragel-6.9.tar.gz cd ragel-6.9 ./configure make sudo make install
Download the Boost 1.63 libraries, but do not install:
cd ~/snort_src wget http://downloads.sourceforge.net/project/boost/boost/1.63.0/boost_1_63_0.tar.gz tar -xvzf boost_1_63_0.tar.gz
Install Hyperscan 4.2.0 from source, referencing the location of the Boost source directory:
cd ~/snort_src wget https://github.com/01org/hyperscan/archive/v4.2.0.tar.gz tar -xvzf v4.2.0.tar.gz mkdir ~/snort_src/hyperscan-4.2.0-build cd hyperscan-4.2.0-build/ cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort_src/boost_1_63_0/ ../hyperscan-4.2.0 make sudo make install
If you want to test that Hyperscan works, from the build directory, run:
cd ~/snort_src/hyperscan-4.2.0-build/ ./bin/unit-hyperscan
The unit tests will run (this takes a few minutes).
Download and install Data AcQuisition library (DAQ) from the Snort website (note that DAQ for Snort 3 is a different DAQ than for the 2.9.9.x series of Snort):
cd ~/snort_src wget https://www.snort.org/downloads/snortplus/daq-2.2.1.tar.gz tar -xvzf daq-2.2.1.tar.gz cd daq-2.2.1 ./configure make sudo make install
Run the following command to update shared libraries:
sudo ldconfig
Now we are ready to install Snort from source. This command downloads and installs the latest version of Snort 3 (currently 3.0.0 Alpha 4, build 223). If you want to install all the snort directories under a single directory, see the section at the bottom of this document titled Changing the install location of Snort. Here we choose to install the entire Snort directory structure to a single folder under /opt/:
cd ~/snort_src wget https://github.com/snortadmin/snort3/archive/master.tar.gz tar -xvzf master.tar.gz cd snort3-master/ autoreconf -isvf ./configure --prefix=/opt/snort make sudo make install
Since the Snort installation places the Snort binary at /opt/snort/bin/snort, it is common to create a symlink to /usr/sbin/snort:
sudo ln -s /opt/snort/bin/snort /usr/sbin/snort
Snort 3 requires a few environmental variables, we store them temporarily in the current session so we can continue working, and save them permanently to the ~/.bashrc file (you’ll need to do this for every user profile):
export LUA_PATH=/opt/snort/include/snort/lua/\?.lua\;\; export SNORT_LUA_PATH=/opt/snort/etc/snort sh -c "echo 'export LUA_PATH=/opt/snort/include/snort/lua/\?.lua\;\;' >> ~/.bashrc" sh -c "echo 'export SNORT_LUA_PATH=/opt/snort/etc/snort' >> ~/.bashrc"
to ensure that these two environmental variables are available when using sudo, we need to add them to the /etc/sudoers file:
sudo visudo
in the editor, add the following to to the bottom of the file:
Defaults env_keep += "LUA_PATH SNORT_LUA_PATH"
use ctrl-x to exit, save when prompted by pressing y, then press enter to save the file to /etc/sudoers.tmp (which will get copied automatically to /etc/sudoers).
The last step of our Snort installation is to test that the Snort Binary runs. Execute Snort with the -V flag, which causes Snort to print the current version. You should see output similar to the following:
user@snort3:~$ snort -V
,,_ -*> Snort++ <*-
o" )~ Version 3.0.0-a4 (Build 223) from 2.9.8-383
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using DAQ version 2.2.1
Using libpcap version 1.5.3
Using LuaJIT version 2.0.2
Using PCRE version 8.31 2012-07-06
Using ZLIB version 1.2.8
Using LZMA version 5.1.0alpha
Using OpenSSL 1.0.1f 6 Jan 2014
Using Hyperscan version 4.2.0 2017-01-07
user@snort3:~$
Now let’s test snort with the default configuration file and ruleset:
user@snort3:~$ /opt/snort/bin/snort -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/sample.rules
--------------------------------------------------
o")~ Snort++ 3.0.0-a4-223
--------------------------------------------------
Loading /opt/snort/etc/snort/snort.lua:
ssh
rpc_decode
pop
stream_user
stream_tcp
smtp
ssl
gtp_inspect
stream_ip
appid
stream_icmp
reputation
stream_udp
file_id
back_orifice
classifications
port_scan
dnp3
ftp_data
ftp_server
telnet
ftp_client
http_inspect
stream
references
arp_spoof
sip
wizard
dns
imap
stream_file
Finished /opt/snort/etc/snort/snort.lua.
Loading rules:
Loading /opt/snort/etc/snort/sample.rules:
Finished /opt/snort/etc/snort/sample.rules.
Finished rules.
--------------------------------------------------
rule counts
total rules loaded: 3974
text rules: 3974
option chains: 3974
chain headers: 187
--------------------------------------------------
port rule counts
tcp udp icmp ip
any 119 31 29 26
src 1685 4 0 0
dst 1927 232 0 0
both 0 1 0 0
total 3731 268 29 26
--------------------------------------------------
flowbits
defined: 124
not checked: 9
not set: 2
--------------------------------------------------
service rule counts - tcp to-srv to-cli
dcerpc: 3 0
drda: 3 0
ftp: 8 2
http: 1161 1553
ident: 1 0
imap: 29 1044
ircd: 1 1
ldap: 5 0
mysql: 29 1
netbios-ns: 4 0
netbios-ssn: 25 7
pop3: 12 1043
rtsp: 2 0
smtp: 550 3
ssl: 5 1
sunrpc: 9 0
telnet: 5 1
vnc-server: 1 3
total: 1853 3659
--------------------------------------------------
service rule counts - udp to-srv to-cli
dcerpc: 2 0
dns: 170 2
kerberos: 4 4
netbios-dgm: 7 7
netbios-ns: 1 1
netbios-ssn: 1 1
ntp: 1 0
snmp: 1 1
ssdp: 8 0
sunrpc: 7 3
tftp: 1 0
total: 203 19
--------------------------------------------------
fast pattern port groups src dst any
packet: 27 125 4
key: 23 107 1
header: 23 107 1
body: 0 2 0
file: 23 107 1
--------------------------------------------------
fast pattern service groups to-srv to-cli
packet: 29 17
key: 3 0
header: 1 3
body: 1 0
file: 1 4
--------------------------------------------------
search engine
instances: 566
patterns: 24676
pattern chars: 515657
num states: 409159
num match states: 23816
memory scale: MB
total memory: 8.27426
pattern memory: 1.05602
match list memory: 1.96014
transition memory: 5.20412
--------------------------------------------------
pcap DAQ configured to passive.
Snort successfully validated the configuration.
o")~ Snort exiting
user@snort3:~$
If you have output similar to the above, then Snort 3.0.0 Alpha 4 is installed and works.
A note on install locations:
When you install snort to /opt/snort, you get the following folder structure:
user@snort3x86:/opt/snort$ tree /opt/snort -L 3
/opt/snort
├── bin
│ ├── snort
│ ├── snort2lua
│ ├── u2boat
│ └── u2spewfoo
├── etc
│ └── snort
│ ├── file_magic.lua
│ ├── sample.rules
│ ├── snort_defaults.lua
│ └── snort.lua
├── include
│ └── snort
│ ├── actions
│ ├── codecs
│ ├── daqs
│ ├── decompress
│ ├── detection
│ ├── events
│ ├── file_api
│ ├── filters
│ ├── flow
│ ├── framework
│ ├── hash
│ ├── latency
│ ├── log
│ ├── lua
│ ├── main
│ ├── managers
│ ├── mime
│ ├── profiler
│ ├── protocols
│ ├── search_engines
│ ├── sfip
│ ├── sfrt
│ ├── stream
│ ├── time
│ └── utils
├── lib
│ ├── pkgconfig
│ │ └── snort.pc
│ └── snort
│ └── daqs
└── share
└── doc
└── snort
37 directories, 9 files
The /opt/snort/bin folder contains the following Snort binaries:
- snort : The Snort binary.
- snort2lua : Tool to convert a Snort 2.9.8.x configuration file into a 3.x configuration file. More notes here.
- u2boat : U2boat is a tool for converting unified2 files into different formats.
- u2spewfoo: U2SpewFoo is a lightweight tool for dumping the contents of unified2 files to stdout.
Additionally, the following folders are created / used:
- /opt/snort/bin : Binaries for Snort and supporting software.
- /opt/snort/etc/snort : The configuration files for Snort.
- /opt/snort/include/snort : All include files for Snort.
- /opt/snort/lib/pkgconfig : The pkgconfig file for Snort (compilation details for Snort).
- /opt/snort/share/doc/snort : The documentation for the installed version of Snort.
Changing the install location of Snort
If you would rather have all these folders install to a more normal location (/usr/local) , add ‑‑prefix=/usr/local/ to the ./configure command when preparing to build Snort. This will install all these folders under the path you choose. You also need to modify some of the other paths detailed above, so if you decide to install in that manner, you should follow the install instructions detailed in the Snort blog.
Where to go from here
If you want to learn more about how to run the 2.9.9.x version of Snort, and how to install additional software to enhance a Snort system, see my series on installing Snort on Ubuntu. If you want to work with protocol (layer 7) detection, please see my article on OpenAppID.
I would love to get feedback from you about this guide. Recommendations, issues, or ideas, please contact me here.
Snort IPS Inline Mode on Ubuntu
Overview
This guide will cover configuring Snort 2.9.8.x as an NIPS (Network Intrusion Prevention System), also known as “inline” mode on Ubuntu. In inline mode Snort creates a bridge between two network segments, and is responsible for passing traffic bewteen the segments. It can inspect the traffic it passes, as well as drop suspicious traffic. This guide will assume that you have a basic familiarity with Snort, and you should have a Snort system setup and installed (Barnyard2, PulledPork, and a web GUI like BASE or Snorby are optional but helpful). You can follow any of my guides for installing Snort: my in-depth series of articles, my quick install guide, or my guide for installing OpenAppID. I recommend you follow the in-depth series of articles, paired with the OpenAppID article to give you the most fully-featured Snort system.
This guide is tested on Ubuntu 14.04 LTS x64, but should work on any current version of Ubuntu (12, 14, 15) as well as with similar distribution (Mint, Debian, Raspberry Pi, etc.).
Network Configuration
Snort in inline mode creates a transparent bridge between two network segments. What this means is that Snort has two network interfaces: each on a different network segment. You will configure these interfaces without an IP address and in promiscuous mode. When you run Snort it will listen for traffic on each interface. When a packet arrives on an interface, Snort will inspect the packet based on your rules, then either drop the packet, or send it out the other interface without any modification. Because of this the two network segments that snort bridges must be part of the same logical subnet (and therefore broadcast domain).
You can bridge multiple networks, but remember that you create a bridge between two networks, not between multiple networks (there is a 1 to 1 mapping between bridged networks). If you bridge eth1 to eth2, and bridge eth3 to eth4, traffic will not pass between the two bridges (traffic will not pass between eth1 and eth3 or eth4, for example). Traffic originating on eth1 will only go to eth2, and vice versa. The same holds true for traffic betwee eth3 and eth4.
You will also want a third network interface on the Snort system configured with an IP address for administrative access. If you are running Ubuntu 15.10, your interface names may be much different because interfaces names are assigned as Predictable Network Interface Names.
Note that because the Snort application is responsible for bridging (passing traffic between) the two network segments. If Snort is not running, computers on one network segment will not be able to communicate across the Snort system to computers on the other segment.
We need to configure each bridged interface without an IP address, in promiscuous mode, and disable LRO an GRO. Run sudo vi /etc/network/interfaces, and for each bridged interface, configure similar to the example below. Here I will use eth0 as my administrative interface (with an IP address assigned by DHCP), and I will configure eth1 and eth2 so that they can be bridged by Snort (no IP address, in promiscuous mode, and disabling LRO and GRO):
# Administrative interface auto eth0 iface eth0 inet dhcp # First bridged interface auto eth1 iface eth1 inet manual up ifconfig $IFACE 0.0.0.0 up up ip link set $IFACE promisc on post-up ethtool -K $IFACE gro off post-up ethtool -K $IFACE lro off down ip link set $IFACE promisc off down ifconfig $IFACE down # Second Bridged Interface auto eth2 iface eth2 inet manual up ifconfig $IFACE 0.0.0.0 up up ip link set $IFACE promisc on post-up ethtool -K $IFACE gro off post-up ethtool -K $IFACE lro off down ip link set $IFACE promisc off down ifconfig $IFACE down
If you are bridging multiple networks, eth1 to eth2, and separately eth3 to eth4 for example, make sure every interface that will be bridged is configured as above. Use ifconfig -a to show all interfaces (including interfaces that aren’t configured) to determine your interface names.
Configuration
To run Snort in inline mode, you need to make a few modifications to your snort.conf, and add a few command line options when you run Snort (either from the command line, or from your startup script).
First, make sure you have the afpacket DAQ available. Run snort ‑‑daq-list and check the output for the DAQ libraries that are installed:
snort@snortIPS:~$ snort --daq-list Available DAQ modules: pcap(v3): readback live multi unpriv ipfw(v3): live inline multi unpriv dump(v3): readback live inline multi unpriv afpacket(v5): live inline multi unpriv
here you can see that afpacket is available, and can do inline in unprivileged mode. Next we add two lines to our snort.conf to enable afpacket in inline mode. Add these two lines to your snort.conf (around line number 168 is probably the correct place for it):
config daq: afpacket config daq_mode: inline
Since we have modified our snort.conf, we should test that it works. Run the following command to have Snort verify the configuration. The parameters we pass to Snort will differ slightly from before, because we are enabling inline mode:
sudo snort -T -c /etc/snort/snort.conf -Q -i eth1:eth2
you’ll notice the -Q, and the -i eth1:eth2 flags are new. The -Q flag tells Snort to run in inline mode, while -i eth1:eth2 tells snort to bridge those two interfaces (to be inline between those two interfaces). If you are bridging multiple interfaces, you would use the following format:
sudo snort -T -c /etc/snort/snort.conf -Q -i eth1:eth2::eth3:eth4
where we have a double-colon separating the bridged interface sets.
Running Snort Inline
Now that we have verified that the Snort configuration is correct, let’s run Snort from the command line, and output alerts directly to the screen.
Add the following alert to your local.rules file, and make sure that Snort loads it by testing your configuration and scrolling up to see that the rule is loaded (if you need help with this, please see this article). This rule will generate an alert whenever it sees an ICMP message (a ping), which makes testing easy.
alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; GID:1; sid:10000001; rev:001; classtype:icmp-event;)
test snort again as above, and scroll up through the output to make sure the one ICMP rule loads. If it doesn’t show as loaded, make sure you have included your local.rules file in your snort.conf.
Next, we will run Snort in inline mode. We add a couple of flags here:
-A Console will cause snort to generate fast alerts out to the console (the screen for us to see)
-N will cause snort to not write any output files to your output directory.
Run the following:
sudo /usr/local/bin/snort -A console -Q -c /etc/snort/snort.conf -i eth1:eth2 -N
and once Snort is loaded (you’ll see the message: Commencing packet processing), generate a ping across the bridged interface. A good test is to have one computer (the client) on one side of the bridge with a static IP, and the gateway on the other side of the bridge. Ping the gateway from the client (they will both need IP addresses on the same subnet), and the traffic should cross the bridged interface. When Snort passes the traffic between the networks, you should see an alert generated on the screen (because of our ICMP rule created above). Snort should outpout something similar to the following:
02/15-19:30:05.602117 [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 10.0.0.1 -> 10.0.0.116
hit ctrl-c to stop Snort from running. The ping should have succeeded between the client and the gateway, because the ICMP rule was written as an alert rather than a drop rule (the first part of the rule). If you check the ARP table on your client, with arp -a, you will notice that the MAC address of the gateway is correct. This shows you that Snort is not modifying the packet in any way as it moves it from one network segment to the other. This is how DHCP requests and other traffic can correctly move between segments without any issues.
Next we will change the ICMP rule to drop traffic instead of generating an alert.
Dropping Traffic
To have Snort drop traffic, you just need to modify the rule created above in your local rules from alert to drop. It should now look like this:
drop icmp any any -> $HOME_NET any (msg:"ICMP test detected"; GID:1; sid:10000001; rev:001; classtype:icmp-event;)
restart Snort as above, and test your ping again between your client and the gateway. The ping should fail, and Snort should output something similar to the following:
02/15-19:33:38.952784 [Drop] [**] [1:10000001:1] ICMP test detected [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 10.0.0.116 -> 10.0.0.1
Conclusion
This covers the very basics of setting up Snort in Inline mode. Future articles will discuss configuring PulledPork to work with inline mode (modifying rules automatically), as well as using OpenAppID to block types of traffic (youtube, facebook, etc).
If you have any feedback (recommendations or corrections), please let me know here.
Recommended Reading and Links
Useful Links:
Snort IPS using DAQ AFPacket
Network IDS & IPS Deployment Strategies
Snort Packet Acquisition manual
Snort DAQ readme
SANS Analysis of DAQ modules
Snort Talos DAQ Essentials
Books:
Snort IDS and IPS Toolkit (Jay Beale’s Open Source Security)
Snort Cookbook
Applied Network Security Monitoring: Collection, Detection, and Analysis
Snort 2.9.8.x on Ubuntu – Part 7: Installing Snorby on Ubuntu 12
UPDATE: Snort 2.9.9.x has been released. Please see the updated series of articles here or my quick install guide here.
I am leaving this older guide online for anyone who wants to install this older version of Snort on Ubuntu, but you really should be using the updated guide for the 2.9.9.x version of Snort, since support for older versions of Snort are set to expire, and the updated guide is kept more up to date and includes BASE instead of Snorby for a Web GUI.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Installing Snort
- Configure Snort to Run as a NIDS
- Writing and Testing a Single Rule With Snort
- Installing Barnyard2
- Installing PulledPork
- Creating Upstart Scripts for Snort
- Creating systemD Scripts for Snort
- Installing Snorby on Ubuntu 12
- Installing Snorby on Ubuntu 14
- Installing Snorby on Ubuntu 15
- Conclusion
Installing Snorby On Ubuntu 12
Snorby is a web GUI for managing your Snort system. The Snort daemon created in the last section will write all alerts to a Unified2 file, and Barnyard2 will process those alerts into a MySQL database. Snorby will let you browse, search, and profile those alerts from the database in a easy to view way. Snorby is a ruby on rails application, which we will launch with Phusion Passenger on Apache server. An alternative to Snorby is BASE, which is a simpler (less web-2.0) interface that still has a lot of popularity. You can read my article on BASE here (note that that guide hasn’t been updated in a few months, so you should be able to find newer versions of some of the supporting software, like ADOdb).
The bad news is that neither Snorby or BASE are still actively developed. They will work just fine for a hobby or small business setup, but you may want to look at other alternatives if you have more stringent requirements, or need to be able to view more complex visualizations of your data. One option is sguil, and another popular one is Splunk Enterprise (a commercial product, but free for up to 500 MB of log data per day). Splunk has a great interface for Snort alert data. An example of this can be seen in this video from DerbyCon starting at the 43:40 minute mark (this video is also an excellent overview of OpenAppID).
Installation
First, let’s install the pre-requisites:
sudo apt-get install -y imagemagick apache2 libyaml-dev libxml2-dev libxslt-dev git ruby1.9.3
Snorby installs a number of Ruby gems. To speed up their installation, run the following two commands to prevent the install of documentation when gems are installed:
echo "gem: --no-rdoc --no-ri" > ~/.gemrc sudo sh -c "echo gem: --no-rdoc --no-ri > /etc/gemrc"
Install the gems required for management and installation:
# These gems will also install other required gems sudo gem install wkhtmltopdf sudo gem install bundler sudo gem install rails sudo gem install rake --version=0.9.2
Download the 2.6.2 version of Snorby and move it to your web root directory:
cd ~/snort_src/ wget https://github.com/Snorby/snorby/archive/v2.6.2.tar.gz -O snorby-2.6.2.tar.gz tar xzvf snorby-2.6.2.tar.gz sudo cp -r ./snorby-2.6.2/ /var/www/snorby/
Install all of the Snorby pre-requisites. Ignore warnings about running bundle as root. If you get connection errors when trying to download gems, just re-run the command until it succeeds.
cd /var/www/snorby sudo bundle install
Snorby uses database.yml to tell it how to connect to the MySQL server. We will copy the example file to the correct location and edit it with our MySQL root credentials (Snorby will need to create a database):
sudo cp /var/www/snorby/config/database.yml.example /var/www/snorby/config/database.yml sudo vi /var/www/snorby/config/database.yml
You need to change the password field in this database.yml file to reflect the MySQL root password you set when installing MySQL (MySqlROOTpassword if you are following this guide exactly). Note that we will change this later after Snorby has setup the database it needs to use a lower-priviledged MySQL account. The beginning of the file should look like this after editing:
# Snorby Database Configuration
#
# Please set your database password/user below
# NOTE: Indentation is important.
#
snorby: &snorby
adapter: mysql
username: root
password: "MySqlROOTpassword" # Example: password: "s3cr3tsauce"
host: localhost
... and so on
Now we need to create the Snorby configuration file (copied from it’s example file), and update it to point to the correct version of wkhtmlpdf (we use sed to make this change):
sudo cp /var/www/snorby/config/snorby_config.yml.example /var/www/snorby/config/snorby_config.yml sudo sed -i s/"\/usr\/local\/bin\/wkhtmltopdf"/"\/usr\/bin\/wkhtmltopdf"/g /var/www/snorby/config/snorby_config.yml
Now we want to install Snorby. The below command will download the necessary gems and will create a new database called Snorby for use. This can take some time to complete. You can ignore errors about ”Jammit Warning: Asset compression disabled – Java unavailable.”.
cd /var/www/snorby sudo bundle exec rake snorby:setup
Now we want to edit the MySQL Snorby database to grant access to a lower privilidged user (we don’t want the Snorby application using the root password to interface with the database). Run the following commands to create a new MySQL user named snorby with password PASSWORD123. You will be prompted for your MySQL root password (MySqlROOTpassword) after the first command:
$ mysql -u root -p myslq> create user 'snorby'@'localhost' IDENTIFIED BY 'PASSWORD123'; myslq> grant all privileges on snorby.* to 'snorby'@'localhost' with grant option; myslq> flush privileges; myslq> exit
Now that we’ve created a new MySQL snorby user and password, edit Snorby’s database.yml to tell Snorby to use the new account rather than the root MySQL account:
sudo vi /var/www/snorby/config/database.yml
The file should now look like this (note the changes to lines 8 and 9):
# Snorby Database Configuration # # Please set your database password/user below # NOTE: Indentation is important. # snorby: &snorby adapter: mysql username: snorby password: "PASSWORD123" # Example: password: "s3cr3tsauce" host: localhost development: database: snorby <<: *snorby test: database: snorby <<: *snorby production: database: snorby <<: *snorby
Now we are ready to test Snorby. Run Snorby with:
cd /var/www/snorby/ sudo bundle exec rails server -e production
This will start Snorby listening on port 3000. Navigate to http://ip_of_snorby_server:3000 and you should see the logon screen. Don’t log in at this time as we are only testing that the software runs. Use ctrl-c at the command prompt to stop the Snorby server.
Installing Phusion Passenger
We will use Phusion Passenger, an application server module for Apache to launch Snorby. First install pre-requisites:
sudo apt-get install -y libcurl4-openssl-dev apache2-threaded-dev libaprutil1-dev libapr1-dev
Next, install the Passenger gem and the Apache module (we don’t install the Ubuntu repository version of Phusion Passenger because it doesn’t work well).
sudo gem install passenger sudo passenger-install-apache2-module
The Phusion Passenger install wizard will start. Un-check the Python language support (we only need Ruby support) using the arrows and space bar, then use enter to continue through the menu options. After compiling software, the wizard will finally tell you to copy some text to your Apache configuration file. We don’t want to copy the entire output to the Apache configuration file, because Apache now uses separate files for modules (one for the path to the .so file for the module, and one for configuration for the module). We do want the information that is printed, we will just use it slightly differently. Copy the five lines of text that are shown on the screen, as you’ll need them. Hit enter twice to exit the wizard.
My install showed the following 5 lines of text that are needed (yours may be different):
LoadModule passenger_module /var/lib/gems/1.9.1/gems/passenger-5.0.21/buildout/apache2/mod_passenger.so
<IfModule mod_passenger.c>
PassengerRoot /var/lib/gems/1.9.1/gems/passenger-5.0.21
PassengerDefaultRuby /usr/bin/ruby1.9.1
</IfModule>
The first line tells Apache the path to the shared object library to load the Phusion passenger module. We want to create a new file for this line. Create this file:
sudo vi /etc/apache2/mods-available/passenger.load
And paste the first line into that file. In my case, I pasted:
LoadModule passenger_module /var/lib/gems/1.9.1/gems/passenger-5.0.21/buildout/apache2/mod_passenger.so
The final 4 lines specify the configuration for Phusion Passenger. Create the configuration file as follows:
sudo vi /etc/apache2/mods-available/passenger.conf
And paste the two content lines in. You do not need the <ifmodule> tags In my case, I pasted:
PassengerRoot /var/lib/gems/1.9.1/gems/passenger-5.0.21 PassengerDefaultRuby /usr/bin/ruby1.9.1
Note: yes, the lines above say ruby1.9.1, and we did install ruby 1.9.3. Ubuntu 12 does some file system redirection that makes this happen, but it doesn’t cause any issues.
Next, enable the Passenger module:
sudo a2enmod passenger sudo service apache2 restart
and then verify that it loaded by running the following command (look for Passenger in the output):
apache2ctl -t -D DUMP_MODULES
Now we need to create an Apache website for Snorby:
sudo vi /etc/apache2/sites-available/snorby.conf
with the following content:
<virtualhost *:80>
ServerAdmin webmaster@localhost
ServerName snorby.sublimerobots.com
DocumentRoot /var/www/snorby/public
<directory "/var/www/snorby/public">
AllowOverride all
Order deny,allow
Allow from all
Options -MultiViews
</directory>
</virtualhost>
Now enable the new site, disable the default site, and reload Apache to see the new configurations:
cd /etc/apache2/sites-available/ sudo a2ensite snorby.conf sudo service apache2 reload cd /etc/apache2/sites-enabled sudo a2dissite 000-default sudo service apache2 reload
Now we need to tell Barnyard2 to output events to the Snorby database that we created above.
sudo vi /etc/snort/barnyard2.conf
Append at the end off the file:
output database: log, mysql, user=snorby password=PASSWORD123 dbname=snorby host=localhost sensor_name=sensor1
We can disable the other output file that you created during the Barnyard2 testing by deleting the previous line (or putting a hash in front of it to disable it), so that it looks like the following:
# output database: log, mysql, user=snort password=MySqlSNORTpassword dbname=snort host=localhost)
Restart Barnyard2 to load the new configuration:
sudo service barnyard2 restart
Creating an Upstart daemon for the Snorby worker process
Snorby needs one service running for database maintenance (a Snorby worker daemon). We will create an Upstart daemon for this task. First we need to create the startup script:
sudo vi /etc/init/snorby_worker.conf
with the following content:
description "Snorby Delayed Job"
stop on runlevel [!2345]
start on runlevel [2345]
chdir /var/www/snorby
script
exec /usr/bin/ruby script/delayed_job start
end script
Now make the script executable, and tell Upstart that the script exists, and then verify that it installed correctly:
user@snortserver:~$ sudo chmod +x /etc/init/snorby_worker.conf user@snortserver:~$ initctl list | grep snorby_worker snorby_worker stop/waiting user@snortserver:~$
Note that this daemon will often list as stop/waiting, and that is ok, because of how it works. You can check the worker job status use the web interface (look under Administration –> Worker and Job Queue).
To log into the web interface: open a web browser and navigate to http://ip_of_snorby_server. You don’t need to enter the port number, as it is listening on port 80 now. The default login information is:
E-mail: snorby@snorby.org
Password: snorby
(current Snorby documentation lists the email as example.com, not snorby.org. That is incorrect for the 2.6.2 version of Snorby, where the username remains snorby@snorby.org)
If you are logged into the Snorby web interface, then congratulations, your system is fully setup. Continue on to the last part of this guide to see where to go from here: Conclusion.