Slackware Snort Installation Guide
Copyright (c) 2007 Jeffrey Denton
http://www.cochiselinux.org/files/slackware-snort-0.2.txt

Written by Jeffrey Denton <dentonj@gmail.com>
23 Sept 2007
Version - 0.2

This is written for:

$ cat /etc/slackware-version
Slackware 12.0.0

This document was originally based on the Snort Enterprise Install document by
Patrick Harper.

The following will be installed and/or configured:

Snort
Barnyard
BASE
Oinkmaster
MySQL
Apache with SSL
ModSecurity
OSSEC HIDS Server and Agent
LogWatch
NTOP
Stunnel

--[ Required Reading ]--

The Snort Users Manual -
http://www.snort.org/docs/snort_htmanuals/htmanual_2615/
The Snort FAQ - http://www.snort.org/docs/faq/3Q06/
Oinkmaster README - http://oinkmaster.sourceforge.net/readme.shtml
Oinkmaster FAQ - http://oinkmaster.sourceforge.net/docs.shtml
How to stop Snort alerts from being generated / how to (not) ignore traffic -
http://oinkmaster.sourceforge.net/avoiding_snort_alerts.txt
README files - located in the "doc" directory of the source code

--[ Resources ]--

Snort Website - http://www.snort.org
The Snort-users mailing list -
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort Forums - http://www.snort.org/reg-bin/forums.cgi
Bleeding Edge Threats - http://www.bleedingthreats.net
Bleeding Sigs mailing list -
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
Base Forums - http://base.secureideas.net/support.php
OSSEC Users mailing list - http://www.ossec.net/ossec-list/
ModSecurity documentation - http://www.modsecurity.org/documentation/index.html
NTOP mailing list - http://listgateway.unipi.it/pipermail/ntop/
Safari Library (paid subscription required) - http://safari.oreilly.com

--[ Books ]--

Snort Intrusion Detection and Prevention Toolkit, by Jay Beale, Syngress
Publishing, February 2007, ISBN - 1597490997
The Tao of Network Security Monitoring, by Richard Bejtlich, Addison-Wesley,
July 2004, ISBN - 0321246772
Extrusion Detection, by Richard Bejtlich, Addison-Wesley,
November 2005, ISBN - 0321349962

--[ Bash Prompt ]--

In this document, the shell prompts are included as part of the commands that
I use. The current working directory is listed to prevent readers from getting
lost in the directory tree while commands are being run. I've modified the
default shell prompt for this document to list only the current working
directory without listing the entire path. I made the change to minimize the
number of lines in the guide that wrap from one line to the next. If you would
like to use the same shell prompt, change the following:

root@darkstar:~# vi /etc/profile
PS1='\u@\h:\w\$ '

To:

PS1='\u@\h:\W\$ '

To have this change take effect, run the following in each terminal:

root@darkstar:~# source /etc/profile

--[ Snort Installation ]--

Create a downloads and a src directory. The directories will be used to store
downloads and to compile source code.

dentonj@darkstar:~$ mkdir downloads src
dentonj@darkstar:~$ cd downloads
dentonj@darkstar:downloads$ wget http://www.snort.org/dl/current/snort-2.7.0.1.tar.gz
dentonj@darkstar:downloads$ wget http://www.snort.org/dl/current/snort-2.7.0.1.tar.gz.md5
dentonj@darkstar:downloads$ md5sum -c snort-2.7.0.1.tar.gz.md5
snort-2.7.0.1.tar.gz: OK

The .md5 file comes from the same server as the tarball, so this check only
catches a corrupted download; it does not prove that the tarball has not been
tampered with.

If this file does not exist, there is a more recent version of Snort
available. Check http://www.snort.org to determine which version of Snort is
the latest. If you would like to use the version of Snort listed above, replace
the "current" directory with "old". Using an older version of Snort is
generally not recommended.

dentonj@darkstar:downloads$ cd ../src
dentonj@darkstar:src$ gzip -cd ../downloads/snort-2.7.0.1.tar.gz | tar xf -
dentonj@darkstar:src$ cd snort-2.7.0.1
dentonj@darkstar:snort-2.7.0.1$ ./configure --enable-dynamicplugins \
    --enable-timestamps --enable-perfprofiling --enable-gre --with-mysql

If your network does not normally use GRE tunnels, you can remove the
"--enable-gre" option.
dentonj@darkstar:snort-2.7.0.1$ make
dentonj@darkstar:snort-2.7.0.1$ su
root@darkstar:snort-2.7.0.1# make install

Create a user account that Snort will use while running.

root@darkstar:snort-2.7.0.1# groupadd snort
root@darkstar:snort-2.7.0.1# useradd -g snort -s /bin/false snort
root@darkstar:snort-2.7.0.1# passwd -S snort

The newly created user account is locked by default ("passwd -S" shows the
status). Setting the shell to "/bin/false" is an extra precaution.

Create the directories that are going to be used by Snort:

root@darkstar:snort-2.7.0.1# mkdir -p /etc/snort/rules
root@darkstar:snort-2.7.0.1# mkdir -p /var/log/snort/archive
root@darkstar:snort-2.7.0.1# chown -R snort:snort /var/log/snort

Copy the configuration files to the configuration directory for Snort:

root@darkstar:snort-2.7.0.1# cd etc
root@darkstar:etc# cp * /etc/snort

Register as a user on http://www.snort.org. Then download the month-old VRT
Certified Rules (registered users receive the ruleset 30 days after
subscribers do). The download contains Shared Object rules that need to be
compiled. To compile the Shared Object rules, extract the download in the
Snort source code directory.
dentonj@darkstar:downloads$ ls snortrules-snapshot-CURRENT.tar.gz*
snortrules-snapshot-CURRENT.tar.gz  snortrules-snapshot-CURRENT.tar.gz.md5
dentonj@darkstar:downloads$ md5sum -c snortrules-snapshot-CURRENT.tar.gz.md5
snortrules-snapshot-CURRENT.tar.gz: OK
dentonj@darkstar:downloads$ cd ../src/snort-2.7.0.1
dentonj@darkstar:snort-2.7.0.1$ gzip -cd ../../downloads/snortrules-snapshot-CURRENT.tar.gz | tar xf -
dentonj@darkstar:snort-2.7.0.1$ cd so_rules
dentonj@darkstar:so_rules$ make
dentonj@darkstar:so_rules$ cat *.rules > so.rules
dentonj@darkstar:so_rules$ su
root@darkstar:so_rules# cp so.rules /etc/snort/rules
root@darkstar:so_rules# mkdir /usr/local/lib/snort_dynamicrule
root@darkstar:so_rules# cp *.so /usr/local/lib/snort_dynamicrule

Shared Object rules are native code that Snort loads into its own process, so
only build them from a download whose checksum matched.

Configure Snort to use the Shared Object rules:

root@darkstar:so_rules# vi /etc/snort/snort.conf
dynamicdetection directory /usr/local/lib/snort_dynamicrule/
include $RULE_PATH/so.rules

Copy the rest of the rules to the rule configuration directory for Snort:

root@darkstar:so_rules# cd ../rules
root@darkstar:rules# cp * /etc/snort/rules

Bleeding Edge Threats provides Snort rules for the latest vulnerabilities and
computer security threats.
Download the rules:

dentonj@darkstar:downloads$ wget http://www.bleedingthreats.net/rules/bleeding.rules.tar.gz
dentonj@darkstar:downloads$ su -
root@darkstar:~# cd /etc/snort
root@darkstar:snort# gzip -cd /home/dentonj/downloads/bleeding.rules.tar.gz | tar xf -

Configure Snort to use the Bleeding Edge Threats rules:

root@darkstar:snort# vi snort.conf
include $RULE_PATH/bleeding.conf
include $RULE_PATH/bleeding-attack_response.rules
#include $RULE_PATH/bleeding-botcc-BLOCK.rules
include $RULE_PATH/bleeding-botcc.excluded
include $RULE_PATH/bleeding-botcc.rules
#include $RULE_PATH/bleeding-compromised-BLOCK.rules
include $RULE_PATH/bleeding-compromised.rules
include $RULE_PATH/bleeding-dos.rules
#include $RULE_PATH/bleeding-drop-BLOCK.rules
#include $RULE_PATH/bleeding-drop.rules
#include $RULE_PATH/bleeding-dshield-BLOCK.rules
include $RULE_PATH/bleeding-dshield.rules
include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/bleeding-game.rules
include $RULE_PATH/bleeding-inappropriate.rules
include $RULE_PATH/bleeding-malware.rules
include $RULE_PATH/bleeding-p2p.rules
include $RULE_PATH/bleeding-policy.rules
include $RULE_PATH/bleeding-scan.rules
#include $RULE_PATH/bleeding-storm-BLOCK.rules
include $RULE_PATH/bleeding-storm.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/bleeding-voip.rules
include $RULE_PATH/bleeding-web.rules
include $RULE_PATH/bleeding-web_sql_injection.rules
include $RULE_PATH/bleeding.rules

The Community Rules are available from http://www.snort.org. A registered user
account on http://www.snort.org is not needed to download the rules.
dentonj@darkstar:downloads$ wget http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz
dentonj@darkstar:downloads$ wget http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz.md5
dentonj@darkstar:downloads$ md5sum Community-Rules-CURRENT.tar.gz
f236b8a4ac12e99d3e7bd81bf3b5a482
dentonj@darkstar:downloads$ cat Community-Rules-CURRENT.tar.gz.md5
f236b8a4ac12e99d3e7bd81bf3b5a482
dentonj@darkstar:downloads$ su -
root@darkstar:~# cd /etc/snort
root@darkstar:snort# gzip -cd /home/dentonj/downloads/Community-Rules-CURRENT.tar.gz | tar xf -

Configure Snort to use the Community Rules:

root@darkstar:snort# vi snort.conf
include $RULE_PATH/community-bot.rules
#include $RULE_PATH/community-deleted.rules
include $RULE_PATH/community-dos.rules
include $RULE_PATH/community-exploit.rules
include $RULE_PATH/community-ftp.rules
include $RULE_PATH/community-game.rules
include $RULE_PATH/community-icmp.rules
include $RULE_PATH/community-imap.rules
include $RULE_PATH/community-inappropriate.rules
include $RULE_PATH/community-mail-client.rules
include $RULE_PATH/community-misc.rules
include $RULE_PATH/community-nntp.rules
include $RULE_PATH/community-oracle.rules
include $RULE_PATH/community-policy.rules
include $RULE_PATH/community-sip.rules
include $RULE_PATH/community-smtp.rules
include $RULE_PATH/community-sql-injection.rules
include $RULE_PATH/community-virus.rules
include $RULE_PATH/community-web-attacks.rules
include $RULE_PATH/community-web-cgi.rules
include $RULE_PATH/community-web-client.rules
include $RULE_PATH/community-web-dos.rules
include $RULE_PATH/community-web-iis.rules
include $RULE_PATH/community-web-misc.rules
include $RULE_PATH/community-web-php.rules

Create the startup script for Snort. The sniffing interface is brought up with
"-arp" so the sensor never answers ARP on the monitored segment, and Snort
drops to the unprivileged snort user once the capture socket is open. The "-F"
option points at the BPF exclusion file that is created in the "Configure
Snort" section; the file must exist before Snort is started.

root@darkstar:~# vi /etc/rc.d/rc.snort
#!/bin/sh
#
# Start/Stop/Restart Snort NIDS
#

# Specify network interface
INTERFACE="eth1"
CONF="/etc/snort/snort.conf"

snort_start() {
  # Only bring the interface up (and remember that we did) if it is not
  # already running, so snort_stop does not take down an interface it
  # did not bring up.
  if ! /sbin/ifconfig $INTERFACE | grep "RUNNING" 1> /dev/null; then
    echo "Bringing up interface $INTERFACE..."
    /sbin/ifconfig $INTERFACE up -arp
    /usr/bin/touch /var/run/snort.$INTERFACE
  fi
  echo "Starting Snort..."
  /usr/local/bin/snort -u snort -g snort -i $INTERFACE -c $CONF \
    -D -F /etc/snort/excludes.conf
}

snort_stop() {
  echo "Stopping Snort..."
  /bin/killall snort
  if [ -e /var/run/snort.$INTERFACE ]; then
    echo "Shutting down interface $INTERFACE..."
    /sbin/ifconfig $INTERFACE down
    /usr/bin/rm -f /var/run/snort.$INTERFACE
  fi
}

snort_restart() {
  snort_stop
  /usr/bin/sleep 2
  snort_start
}

case "$1" in
  'start')
    snort_start
    ;;
  'stop')
    snort_stop
    ;;
  'restart')
    snort_restart
    ;;
  *)
    echo "usage $0 start|stop|restart"
esac

--[ Configure Snort ]--

Unless otherwise specified, the configurations are for the file
/etc/snort/snort.conf.

Snort has a habit of using relative paths in snort.conf. In my experience, the
relative paths tend to do nothing but cause problems. The relative paths
assume that Snort is being started from /etc/snort. But if Snort is restarted
after editing a rule and the current working directory is /etc/snort/rules or
$HOME, then the startup may encounter problems. Yes, running the command "cd
/etc/snort" as part of the startup script could fix some of the problems. But
this assumes that Snort is always going to be started using rc.snort. Starting
Snort from the command line with a current working directory anywhere in the
filesystem other than /etc/snort may cause problems. An example problem is
Snort reading the threshold.conf file in /etc/snort/rules instead of
/etc/snort. Use absolute paths to keep from wasting time tracking down weird
startup problems.

root@darkstar:~# vi /etc/snort/snort.conf
var RULE_PATH /etc/snort/rules
include /etc/snort/classification.config
include /etc/snort/reference.config
include /etc/snort/threshold.conf

Snort sets HOME_NET to "any" by default.
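HOME_NET, covered next, lists the networks the sensor is protecting, and the
suggested way to find them is to look at ARP traffic on the sniffing interface.
The script below is an added example and not part of the original guide: it
reduces a capture of "tcpdump -ni eth0 arp" output to the /24 networks of the
hosts that sent ARP requests or replies and prints a ready-made HOME_NET line.
The input lines are constructed to match tcpdump's ARP output (both the older
"arp who-has" and the newer "ARP, Request" spelling). Collapsing to /24 is an
assumption; the result is a starting point to compare against the real
addressing plan, not a substitute for it.

```shell
#!/bin/sh
# Added example (not from the original guide): derive candidate HOME_NET
# networks from "tcpdump -ni eth0 arp" output. Sample lines are constructed
# in the format tcpdump prints for ARP; real input would be captured with
#   tcpdump -ni eth0 -c 2000 arp > arp.txt
SAMPLE_ARP='12:00:01.000001 arp who-has 192.168.1.1 tell 192.168.1.54
12:00:01.000002 arp reply 192.168.1.1 is-at 00:00:de:ad:be:ef
12:00:02.000003 ARP, Request who-has 10.1.1.5 tell 10.1.1.20, length 28
12:00:02.000004 arp who-has 192.168.1.9 tell 192.168.1.54
12:00:03.000005 ARP, Reply 10.1.1.5 is-at 00:11:22:33:44:55, length 28
12:00:03.000006 arp who-has 172.18.2.4 tell 172.18.2.77'

# arp_hosts: read tcpdump ARP lines on stdin, print each sender IP once.
# "tell Y" (request) and "reply Y" identify the host that actually put a
# frame on the wire; the who-has target may not exist at all.
arp_hosts() {
    awk '{ ip = ""
           for (i = 1; i < NF; i++) {
               if ($i == "tell" || $i == "reply" || $i == "Reply") ip = $(i + 1)
           }
           if (ip != "") { sub(/,$/, "", ip); print ip } }' | sort -u
}

# arp_subnets: collapse the sender IPs into /24 networks (assumption: the
# LAN is carved into /24s; adjust the awk for other masks).
arp_subnets() {
    arp_hosts | awk -F. '{ print $1 "." $2 "." $3 ".0/24" }' | sort -u
}

# home_net_var: print the networks as a Snort "var HOME_NET [...]" line.
home_net_var() {
    printf 'var HOME_NET [%s]\n' "$(arp_subnets | paste -sd, -)"
}

# Run on the constructed sample; on the sensor: home_net_var < arp.txt
printf '%s\n' "$SAMPLE_ARP" | home_net_var
```

Hosts that only ever answer (the gateway, for instance) show up through their
replies, so a quiet segment still needs a long enough capture to see every
subnet at least once.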
HOME_NET is used to specify the IP addresses used by the network that you are
trying to protect. HOME_NET can either be left as "any", or it can be set. If
the Snort sensor is located near a firewall or border router, set HOME_NET to
list the IP subnets that are used on the LAN. If the Snort sensor is located
in a DMZ or on a single subnet of the LAN, then set HOME_NET to the subnets the
sensor can actually see. Setting HOME_NET to something other than "any" can
reduce the number of false positive alerts generated by Snort, because rules
written as $EXTERNAL_NET -> $HOME_NET stop matching traffic between two local
hosts. To determine the network subnets the Snort sensor can see, look at the
ARP traffic.

root@darkstar:~# tcpdump -ni eth0 'arp'

var HOME_NET [192.168.0.0/16,172.16.0.0/12,10.0.0.0/8]

Set the DNS_SERVERS variable to list the DNS servers used by the network.

var DNS_SERVERS [192.168.2.3,172.18.2.4,10.1.1.5]

Set the SMTP_SERVERS variable to list the servers or bridgeheads that will be
generating SMTP traffic. Setting this can cause false positives on networks
that have Digital Senders if they are not listed in the variable. Setting this
variable can help detect mass-mailing worms that have infected clients.

var SMTP_SERVERS [192.168.5.21,192.168.5.22]

If there are dedicated SQL servers on the network, set the SQL_SERVERS
variable. Setting this to list specific IPs can prevent alerts from being
generated by unauthorized SQL servers or SQL servers not listed in the
variable, such as the Snort sensor. I prefer to leave this variable set to
$HOME_NET.

var SQL_SERVERS $HOME_NET

I generally leave the variables TELNET_SERVERS and SNMP_SERVERS set to
$HOME_NET.

Add a variable for multicast traffic and modify an existing rule to reduce the
number of false positives.

var MULTICAST_NET 224.0.0.0/4

Enable alerting on oversized lengths. Read the Snort Manual for more
information.

config enable_decode_oversized_alerts

Configure the detection engine. By default, the detection engine that is used
is "ac".
With the configuration and rulesets that I use, the "ac" detection engine can
cause the Snort process to consume over 2 GB of memory. If the system contains
anything less than 4 GB of memory, use the "ac-bnfa" detection engine.

config detection: search-method ac-bnfa

Configure the order that rules are processed. Set pass rules to be processed
first.

config order: pass alert log activation

Configure performance profiling to locate poorly performing rules. Poorly
written rules can increase the time it takes to process each packet. This
configuration will list the 10 rules that take the most time when evaluating a
packet. The list will be written to /var/log/messages when Snort is shut down.
Read the file README.PerfProfiling for more information.

config profile_rules: print 10, sort total_ticks

Increase the tagged packet limit from 256 to 512.

config tagged_packet_limit: 512

Configure the target-based frag3 preprocessor. The frag3 preprocessor defines
how fragmented packets are reassembled. Different operating systems do not
reassemble fragmented packets the same way, and an attacker can use
overlapping fragments to show the sensor something different from what the
target host sees. If most of the computers on the network are Windows systems,
use the policy "windows". If you have the systems on your network separated on
different subnets, such as Linux servers on one subnet and Windows clients on
another subnet, use the "bind_to" option to set multiple policies. I'd suggest
reading the README.frag3 file, but it is not up to date. Read the following
paper for more information:
http://www.snort.org/reg/docs/target_based_frag.pdf

preprocessor frag3_global: max_frags 65536, prealloc_frags 65536
preprocessor frag3_engine: policy windows detect_anomalies

Configure the target-based Stream5 preprocessor. As with the frag3
preprocessor, configure the policy to match the computers on the network. Read
the file README.stream5 for more information.
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes
preprocessor stream5_tcp: policy windows, detect_anomalies
preprocessor stream5_udp:

Configure capturing of performance statistics. Read the Snort Manual for more
information.

preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats \
    pktcnt 10000

Configure the arpspoof preprocessor to watch the default gateway. To get the
MAC address, either ping the gateway or do a DNS query (anything that makes
the sensor talk to the gateway). Then run the "arp" command.

root@darkstar:~# route -n | grep UG
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
root@darkstar:~# host google.com
root@darkstar:~# arp
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:00:DE:AD:BE:EF   C                     eth0

preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.1.1 00:00:DE:AD:BE:EF

Configure the SSH preprocessor. The protocol mismatch and payload size
detection tend to cause a large number of false positives. Read the file
README.ssh for more information.

preprocessor ssh: server_ports { 22 } \
    max_client_bytes 19600 \
    max_encrypted_packets 20 \
    disable_protomismatch \
    disable_paysize

Configure the DCERPC preprocessor. Read the file README.dcerpc for more
information.

preprocessor dcerpc: \
    ports smb { 139 445 } ports dcerpc { 135 } \
    max_frag_size 3000 \
    memcap 100000 \
    alert_memcap

Configure the DNS preprocessor. Read the file README.dns for more information.

preprocessor dns: \
    ports { 53 } \
    enable_rdata_overflow \
    enable_obsolete_types \
    enable_experimental_types

Configure the Snort output for Barnyard.

output log_unified: filename snort.log, limit 512

Add a file for IP exclusions. The rc.snort file needs to have the "-F" option
added to use the exclusions. IP exclusions can be used to ignore IP addresses
that generate a large number of false positives. Examples of systems that
create a large number of false positives are the systems used to scan the
network for vulnerabilities and to verify patch compliance.
Backup servers also tend to generate a large number of alerts.

root@darkstar:~# touch /etc/snort/excludes.conf
root@darkstar:~# vi /etc/snort/excludes.conf
not src host 192.168.15.234 and not src host 192.168.17.27

The file is a BPF filter, the same syntax tcpdump uses, and it is applied
before Snort sees the packet. Traffic from an excluded host is therefore
invisible to every rule, including an attack launched from a compromised
scanner or backup server. Where only particular rules are noisy, a suppress
entry in threshold.conf (below) is the narrower tool.

Add the classification "local" for use on custom rules. The addition makes it
easier for BASE to list the custom rules.

root@darkstar:~# vi /etc/snort/classification.config
config classification: local,Local custom rules,1

Custom rules can be added to the local.rules file. An example rule is a
Blackhole IP Address. This is a rule that looks for network traffic going to
an IP address that is not being used. Network traffic will not originate from
it, and as such, legitimate network traffic should not go to the IP address.
Anyone scanning the network for live hosts or running services will trigger
the rule and generate an alert. Read the Snort man page for more information.

root@darkstar:~# vi /etc/snort/rules/local.rules
alert ip any any -> 192.168.3.127 any (msg:"Blackhole IP Address"; classtype:local; sid:1000001; rev:1;)

Network monitoring utilities can cause the Blackhole IP Address rule to
generate alerts. These alerts are false positives, meaning the traffic the rule
is detecting is valid network traffic coming from a known host. To suppress
alerts that are known to be false positives, add a suppress rule. Add a comment
to the suppress rule to serve as a reminder six months from now.

root@darkstar:~# vi /etc/snort/threshold.conf
# Blackhole IP Address, Network Monitor
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.168.5.34

Snort can have problems with dropping packets. A Snort sensor configured to use
all of the preprocessors and a large ruleset on a congested network will more
than likely drop packets. If the Snort sensor has problems with dropping
packets, disable some of the preprocessors and reduce the size of the ruleset.
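Custom rules tend to break in ways that only show up at the next restart. The
script below is an added example, not part of the original guide: it reads a
local.rules file and reports rules with no sid, sids below 1,000,000 (the range
Snort reserves for the official rulesets; local rules start at 1,000,000, as
the blackhole rule above does) and sids used more than once. The rules file
embedded in it is constructed for the check: the first rule is the blackhole
rule from the text, the other three are made up to trigger each finding.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check a local.rules
# file before restarting Snort. Constructed input: rule 1 is the blackhole
# rule from the guide, the rest are made up to trigger each finding.
SAMPLE_LOCAL_RULES='# local.rules (constructed sample)
alert ip any any -> 192.168.3.127 any (msg:"Blackhole IP Address"; classtype:local; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"IRC from internal host"; classtype:local; sid:1000001; rev:1;)
alert udp any any -> $HOME_NET 69 (msg:"TFTP to internal host"; classtype:local; sid:999; rev:1;)
alert tcp any any -> $HOME_NET 23 (msg:"Telnet to internal host"; classtype:local; rev:1;)'

# rule_sids: stdin = rules file; prints one line per active rule, either the
# sid or the word "none". Comment and blank lines are skipped.
rule_sids() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' |
    awk '{ if (match($0, /sid:[ \t]*[0-9]+/)) {
               s = substr($0, RSTART, RLENGTH); sub(/sid:[ \t]*/, "", s); print s
           } else print "none" }'
}

# check_local_rules: stdin = rules file; prints one FAIL line per problem
# and returns 1 if anything was found, 0 otherwise.
check_local_rules() {
    rc=0
    sids=$(rule_sids)
    if printf '%s\n' "$sids" | grep -qx none; then
        echo "FAIL: rule without a sid"; rc=1
    fi
    for s in $(printf '%s\n' "$sids" | grep -vx none); do
        if [ "$s" -lt 1000000 ]; then
            echo "FAIL: sid $s is below 1000000, the range reserved for official rules"; rc=1
        fi
    done
    for s in $(printf '%s\n' "$sids" | grep -vx none | sort | uniq -d); do
        echo "FAIL: sid $s is used more than once"; rc=1
    done
    return $rc
}

# On the sensor: check_local_rules < /etc/snort/rules/local.rules
printf '%s\n' "$SAMPLE_LOCAL_RULES" | check_local_rules ||
    echo "fix local.rules before restarting Snort"
```

Run it from rc.snort before the restart, or by hand after editing the file;
a non-zero exit is the signal to stop and look at the FAIL lines.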
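Snort reports drops in two places: the summary it logs to syslog when it shuts
down, and, when perfmonitor is configured, the snort.stats file, whose first
field is a timestamp and whose second field is the drop percentage for the
interval. The script below is an added example, not part of the original
guide, that turns both into a check that can run from cron. Its input lines are
constructed to resemble those two formats (real snort.stats lines carry many
more comma-separated fields; only the first two are used here), and the 1%
threshold is an arbitrary assumption.

```shell
#!/bin/sh
# Added example (not from the original guide): flag packet drops from the
# perfmonitor snort.stats file and from the shutdown summary in syslog.
# Both inputs are constructed samples; real snort.stats lines have many
# more comma-separated fields, but field 1 is the timestamp and field 2
# the drop percentage, which is all this check uses.
SAMPLE_STATS='#time,pkt_drop_percent,wire_mbits_per_sec.realtime,alerts_per_second
1190600000,0.000,42.1,0.5
1190600300,0.125,55.0,0.7
1190600600,3.750,88.9,1.2
1190600900,0.010,61.2,0.4'

SAMPLE_SYSLOG='Sep 23 10:00:01 darkstar snort[1234]: Received:   1234567
Sep 23 10:00:01 darkstar snort[1234]: Analyzed:   1230000 (99.630%)
Sep 23 10:00:01 darkstar snort[1234]: Dropped:       4567 (0.370%)'

# drop_alerts LIMIT: stdin = snort.stats; print every interval whose drop
# percentage (field 2) exceeds LIMIT. Header lines start with "#".
drop_alerts() {
    awk -F, -v limit="$1" '
        /^#/ { next }
        NF >= 2 && ($2 + 0) > (limit + 0) { printf "%s drop_rate=%s%%\n", $1, $2 }'
}

# max_drop_rate: stdin = snort.stats; print the worst interval seen.
max_drop_rate() {
    awk -F, '/^#/ { next }
             NF >= 2 && ($2 + 0) > max { max = $2 + 0 }
             END { printf "%.3f\n", max }'
}

# shutdown_drop_percent: stdin = syslog lines; print the percentage from the
# "Dropped:" line of the shutdown summary.
shutdown_drop_percent() {
    awk '/Dropped:/ { p = $NF; gsub(/[()%]/, "", p); print p }'
}

# On the sensor:
#   drop_alerts 1 < /var/log/snort/snort.stats
#   grep Dropped /var/log/messages | shutdown_drop_percent
printf '%s\n' "$SAMPLE_STATS" | drop_alerts 1
printf '%s\n' "$SAMPLE_STATS" | max_drop_rate
printf '%s\n' "$SAMPLE_SYSLOG" | shutdown_drop_percent
```

A sustained drop rate means the sensor is blind for that fraction of traffic,
so this number belongs in the same monitoring as the alerts themselves.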
Read the documentation on the Snort website and the books mentioned in the
Resources section for more information on optimizing Snort.

Snort generates and logs statistics while shutting down.

root@darkstar:~# grep Dropped /var/log/messages*
root@darkstar:~# zgrep Dropped /var/log/messages*.gz

If the perfmonitor preprocessor is configured, Snort will periodically insert
statistics into the file snort.stats. Each line of this file contains 52
fields. A listing of the information contained in each field is in the Snort
Manual. The "Drop Rate" is listed in the second field. Yes, the Snort Manual
does not explain what all of the fields are for. Ask the developers or look at
the source code.

http://www.snort.org/docs/snort_htmanuals/htmanual_2615/node59.html

root@darkstar:~# tail -n 1 /var/log/snort/snort.stats | awk -F, '{print NF}'
root@darkstar:~# less /var/log/snort/snort.stats

The snort.conf configuration file:

root@darkstar:~# grep -v "^#" /etc/snort/snort.conf | grep -v "^$"
var HOME_NET [192.168.0.0/16,172.16.0.0/12,10.0.0.0/8]
var EXTERNAL_NET any
var DNS_SERVERS [192.168.2.3,172.18.2.4,10.1.1.5]
var SMTP_SERVERS [192.168.5.21,192.168.5.22]
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var MULTICAST_NET 224.0.0.0/4
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules
config enable_decode_oversized_alerts
config detection: search-method ac-bnfa
config order: pass alert log activation
config profile_rules: print 10, sort total_ticks
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrule/
preprocessor frag3_global: \
    max_frags 65536, prealloc_frags 65536
preprocessor frag3_engine: policy windows detect_anomalies
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
    track_udp yes
preprocessor stream5_tcp: policy windows, detect_anomalies
preprocessor stream5_udp:
preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats \
    pktcnt 10000
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global \
    encrypted_traffic yes \
    inspection_type stateful
preprocessor ftp_telnet_protocol: telnet \
    normalize \
    ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default \
    def_max_param_len 100 \
    alt_max_param_len 200 { CWD } \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
    telnet_cmds yes \
    data_chan
preprocessor ftp_telnet_protocol: ftp client default \
    max_resp_len 256 \
    bounce yes \
    telnet_cmds yes
preprocessor smtp: \
    ports { 25 } \
    inspection_type stateful \
    normalize cmds \
    normalize_cmds { EXPN VRFY RCPT } \
    alt_max_command_line_len 260 { MAIL } \
    alt_max_command_line_len 300 { RCPT } \
    alt_max_command_line_len 500 { HELP HELO ETRN } \
    alt_max_command_line_len 255 { EXPN VRFY }
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.1.27 00:00:DE:AD:BE:EF
preprocessor ssh: server_ports { 22 } \
    max_client_bytes 19600 \
    max_encrypted_packets 20 \
    disable_protomismatch \
    disable_paysize
preprocessor dcerpc: \
    ports smb { 139 445 } ports dcerpc { 135 } \
    max_frag_size 3000 \
    memcap 100000 \
    alert_memcap
preprocessor dns: \
    ports { 53 } \
    enable_rdata_overflow \
    enable_obsolete_types \
    enable_experimental_types
output log_unified: filename snort.log, limit 512
include /etc/snort/classification.config
include /etc/snort/reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/specific-threats.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/so.rules
include $RULE_PATH/bleeding.conf
include $RULE_PATH/bleeding-attack_response.rules
include $RULE_PATH/bleeding-botcc.rules
include $RULE_PATH/bleeding-compromised.rules
include $RULE_PATH/bleeding-dos.rules
include $RULE_PATH/bleeding-drop.rules
include $RULE_PATH/bleeding-dshield.rules
include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/bleeding-game.rules
include $RULE_PATH/bleeding-inappropriate.rules
include $RULE_PATH/bleeding-malware.rules
include $RULE_PATH/bleeding-p2p.rules
include $RULE_PATH/bleeding-policy.rules
include $RULE_PATH/bleeding-scan.rules
include $RULE_PATH/bleeding-storm.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/bleeding-voip.rules
include $RULE_PATH/bleeding-web.rules
include $RULE_PATH/bleeding-web_sql_injection.rules
include $RULE_PATH/bleeding.rules
include $RULE_PATH/community-bot.rules
include $RULE_PATH/community-deleted.rules
include $RULE_PATH/community-dos.rules
include $RULE_PATH/community-exploit.rules
include $RULE_PATH/community-ftp.rules
include $RULE_PATH/community-game.rules
include $RULE_PATH/community-icmp.rules
include $RULE_PATH/community-imap.rules
include $RULE_PATH/community-inappropriate.rules
include $RULE_PATH/community-mail-client.rules
include $RULE_PATH/community-misc.rules
include $RULE_PATH/community-nntp.rules
include $RULE_PATH/community-oracle.rules
include $RULE_PATH/community-policy.rules
include $RULE_PATH/community-sip.rules
include $RULE_PATH/community-smtp.rules
include $RULE_PATH/community-sql-injection.rules
include $RULE_PATH/community-virus.rules
include $RULE_PATH/community-web-attacks.rules
include $RULE_PATH/community-web-cgi.rules
include $RULE_PATH/community-web-client.rules
include $RULE_PATH/community-web-dos.rules
include $RULE_PATH/community-web-iis.rules
include $RULE_PATH/community-web-misc.rules
include $RULE_PATH/community-web-php.rules
include /etc/snort/threshold.conf

--[ Configure MySQL ]--

MySQL should be installed during the installation of Slackware. To check to
see if MySQL is installed:

dentonj@darkstar:~$ /usr/libexec/mysqld --version
/usr/libexec/mysqld  Ver 5.0.37 for slackware-linux-gnu on i486 (Source distribution)

By default, MySQL will not start in Slackware. The mysql database must first be
created.
dentonj@darkstar:~$ su -
root@darkstar:~# su - mysql
mysql@darkstar:~$ mysql_install_db
mysql@darkstar:~$ exit

Slackware prevents MySQL from accepting network connections by default. Comment
out the following line:

root@darkstar:~# vi /etc/rc.d/rc.mysqld
#SKIP="--skip-networking"

Only do this if something off the sensor needs to reach MySQL. Barnyard and
BASE on the same host connect through the local socket when the host is
"localhost", and leaving "--skip-networking" in place means there is no
listening TCP port to protect.

Change the permissions on the RC file and start MySQL:

root@darkstar:~# chmod 700 /etc/rc.d/rc.mysqld
root@darkstar:~# /etc/rc.d/rc.mysqld start

Secure MySQL before continuing. Run the following command and answer the
questions as follows:

root@darkstar:~# mysql_secure_installation
Set root password? Y
Remove anonymous users? Y
Disallow root login remotely? Y
Remove test database and access to it? Y
Reload privilege tables now? Y

Create the snort database, then load the tables from the schema that ships
with the Snort source. The schema file only creates tables, so the database has
to exist before it is loaded:

root@darkstar:~# mysql -p -e "create database snort"
root@darkstar:~# mysql -p < /home/dentonj/src/snort-2.7.0.1/schemas/create_mysql snort

Check the tables:

root@darkstar:~# mysql -p
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| snort              |
+--------------------+
3 rows in set (0.01 sec)

mysql> use snort;
mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
16 rows in set (0.01 sec)

mysql> exit

The mysql client logs all commands to a history file. Any commands that set
passwords will be saved in the history file. If the idea of MySQL passwords
being present in the history file bothers you, overwrite the file. Setting
MYSQL_HISTFILE=/dev/null in the environment stops the history from being
written at all.

root@darkstar:~# less .mysql_history
root@darkstar:~# cat /dev/null > .mysql_history

There are four example my.cnf files in the /etc directory. The difference
between them is how much memory is configured for use by MySQL. Copy the
appropriate configuration file to /etc/my.cnf.
root@darkstar:~# cp /etc/my-huge.cnf /etc/my.cnf

From "man mysqld", "To avoid a possible security hole where a user adds a
--user=root option to a my.cnf file (thus causing the server to run as root),
mysqld uses only the first --user option specified and produces a warning if
there are multiple --user options. Options in /etc/my.cnf and
$MYSQL_HOME/my.cnf are processed before command-line options, so it is
recommended that you put a --user option in /etc/my.cnf and specify a value
other than root."

Add the following to the "[mysqld]" section of the configuration file:

root@darkstar:~# vi /etc/my.cnf
user = mysql

The Snort sensor is not going to have any entries in a DNS server. Hostnames do
not need to be resolved. All grant statements must use an IP address or
localhost. A slight performance increase may be gained by not resolving
hostnames. Add the following in the "[mysqld]" section of the configuration
file:

root@darkstar:~# vi /etc/my.cnf
skip-name-resolve

There is only going to be one instance of mysqld running on the Snort sensor.
The snort database is not going to be shared with any other process. External
locking can be disabled to gain a slight performance boost. Add the following
in the "[mysqld]" section of the configuration file:

root@darkstar:~# vi /etc/my.cnf
skip-external-locking

Do not allow authentication to mysqld for accounts that use old (pre-4.1)
password hashes. Prevent the mysql client from connecting to a server that
requires a password in the old format. Add the following in the "[mysqld]" and
"[mysql]" sections of the configuration file:

root@darkstar:~# vi /etc/my.cnf
secure-auth

The MySQL storage engine that is used by default is MyISAM. The InnoDB storage
engine can be disabled.
Add the following:

root@darkstar:~# vi /etc/rc.d/rc.mysqld
SKIP="--skip-innodb"

Restart MySQL so the configuration changes take effect:

root@darkstar:~# /etc/rc.d/rc.mysqld restart

--[ BASE Installation ]--

Before we can install BASE, some prerequisites for PHP must first be installed.
The command "pear" is used to download and install packages from the PHP
Extension and Application Repository.

dentonj@darkstar:~$ su -
root@darkstar:~# pear install --alldeps Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
root@darkstar:~# pear list
Installed packages, channel pear.php.net:
=========================================
Package          Version State
Archive_Tar      1.3.2   stable
Console_Getopt   1.2.2   stable
Image_Canvas     0.3.1   alpha
Image_Color      1.0.2   stable
Image_Graph      0.7.2   alpha
Numbers_Roman    0.2.0   stable
Numbers_Words    0.15.0  beta
PEAR             1.5.4   stable
Structures_Graph 1.0.2   stable

ADODB is a database abstraction library for PHP. It is required by BASE.
Download ADODB and BASE:

dentonj@darkstar:downloads$ wget http://easynews.dl.sourceforge.net/sourceforge/adodb/adodb480.tgz
dentonj@darkstar:downloads$ wget http://easynews.dl.sourceforge.net/sourceforge/secureideas/base-1.3.8.tar.gz

Check http://base.secureideas.net to determine which version of BASE is the
latest. Note: base-1.3.8 was not listed on the home page when this was
written. Check the "Downloads" link.

Extract ADODB:

dentonj@darkstar:downloads$ su -
root@darkstar:~# cd /var/www
root@darkstar:www# tar xvf /home/dentonj/downloads/adodb480.tgz

ADODB is nice enough to be distributed with world writable files. Fix this
problem:

root@darkstar:www# chmod -R o-w adodb

Extract BASE:

root@darkstar:www# cd htdocs
root@darkstar:htdocs# tar zxf /home/dentonj/downloads/base-1.3.8.tar.gz
root@darkstar:htdocs# mv base-1.3.8 frontend

It's common to rename the base-1.3.8 directory to base or create a symlink. I
rename the directory to something that is not so obvious and is not checked by
Nikto to provide some obfuscation.
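As an added check for the MySQL hardening above (example code, not part of the
guide): the script parses a my.cnf and reports which of the directives the
guide sets are missing, namely user = mysql, skip-name-resolve,
skip-external-locking and secure-auth in the [mysqld] section and secure-auth
in the [mysql] client section. Both embedded files are constructed; the "weak"
one is what a copied my-huge.cnf might look like after someone added
user = root, the "hardened" one matches the text. On the sensor run it as
mycnf_check < /etc/my.cnf.

```shell
#!/bin/sh
# Added example (not from the original guide): check that a my.cnf carries
# the hardening directives the guide sets. Two constructed files: the weak
# one is a copied my-huge.cnf with a stray user=root, the hardened one
# matches the guide.
WEAK_MYCNF='[mysqld]
datadir = /var/lib/mysql
user = root
skip-name-resolve
[mysql]
no-auto-rehash'

HARDENED_MYCNF='[mysqld]
datadir = /var/lib/mysql
user = mysql
skip-name-resolve
skip-external-locking
secure-auth
[mysql]
no-auto-rehash
secure-auth'

# mycnf_section NAME: stdin = my.cnf; print the directives of section [NAME]
# with whitespace stripped, comments and blank lines dropped.
mycnf_section() {
    awk -v want="[$1]" '
        /^[ \t]*\[/ { insec = ($1 == want); next }
        insec && !/^[ \t]*(#|$)/ { gsub(/[ \t]/, ""); print }'
}

# mycnf_check: stdin = my.cnf; one FAIL line per missing directive,
# returns 1 if any, 0 if the file matches the guide's settings.
mycnf_check() {
    cfg=$(cat)
    rc=0
    mysqld=$(printf '%s\n' "$cfg" | mycnf_section mysqld)
    client=$(printf '%s\n' "$cfg" | mycnf_section mysql)
    # mysqld honours only the first --user it sees, so the directive has to
    # be present in /etc/my.cnf and has to say mysql, not root.
    if ! printf '%s\n' "$mysqld" | grep -qx 'user=mysql'; then
        echo "FAIL: [mysqld] does not run as user=mysql"; rc=1
    fi
    for opt in skip-name-resolve skip-external-locking secure-auth; do
        if ! printf '%s\n' "$mysqld" | grep -qx "$opt"; then
            echo "FAIL: [mysqld] missing $opt"; rc=1
        fi
    done
    if ! printf '%s\n' "$client" | grep -qx 'secure-auth'; then
        echo "FAIL: [mysql] client section missing secure-auth"; rc=1
    fi
    return $rc
}

printf '%s\n' "$WEAK_MYCNF" | mycnf_check || echo "weak my.cnf rejected"
printf '%s\n' "$HARDENED_MYCNF" | mycnf_check && echo "hardened my.cnf accepted"
```

The check is deliberately literal: a directive commented out or placed in the
wrong section counts as missing, which is exactly the mistake that survives a
visual read of the file.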
Configure BASE:

root@darkstar:htdocs# cd frontend
root@darkstar:frontend# cp base_conf.php.dist base_conf.php
root@darkstar:frontend# vi base_conf.php
    $BASE_urlpath = '/frontend';
    $DBlib_path = '/var/www/adodb';
    $DBtype = 'mysql';
    $alert_dbname = 'snort';
    $alert_host = 'localhost';
    $alert_port = '';
    $alert_user = 'snort';
    $alert_password = 'mysqlsnortpassword';
    $show_rows = 90;
    $show_expanded_query = 1;
    $colored_alerts = 1;

Change the following line from:

    $priority_colors = array('FF0000','FFFF00','FF9900','999999','FFFFFF','006600');

To:

    $priority_colors = array('000000','FF0000','FF9900','FFFF00','999999');

Snort uses the priorities 1 through 4. The array starts counting from zero, so indices 1 through 4 carry the colors for the real priorities and index 0 is a filler. I also changed the order of the colors and removed the excess.

base_conf.php now holds the database password in clear text. Make sure it is not world readable.

Some of the Snort rules are documented to explain what the rule is looking for. BASE is set up to create links to this documentation. Copy the rule documentation directory into the BASE directory:

root@darkstar:frontend# cd /home/dentonj/src/snort-2.7.0.1/doc
root@darkstar:doc# cp -r signatures /var/www/htdocs/frontend

--[ Configure the web server ]--

BASE should only be accessed using SSL, so the Apache web server needs to be configured to use SSL. Apache also needs to be locked down a little bit.

Enable loading of the SSL module and the configuration file for SSL. Uncomment the following lines:

root@darkstar:~# vi /etc/httpd/httpd.conf
    LoadModule ssl_module lib/httpd/modules/mod_ssl.so
    Include /etc/httpd/extra/httpd-ssl.conf

Set the server's name to localhost and add a line to slow down fingerprinting of the server. Add the following:

root@darkstar:~# vi /etc/httpd/httpd.conf
    ServerName localhost
    ServerSignature Off

Configure the pseudo random number generator. Uncomment the following lines:

root@darkstar:~# vi /etc/httpd/extra/httpd-ssl.conf
    SSLRandomSeed startup file:/dev/urandom 512
    SSLRandomSeed connect file:/dev/urandom 512

The web server needs a server certificate and a server private key to use SSL.
The key is going to be created without a passphrase. If a passphrase is used, that passphrase must be entered every time the web server starts. An unencrypted key is only as safe as its file permissions, which is why it is made readable by root only below.

root@darkstar:~# openssl genrsa -out server.key 2048
root@darkstar:~# openssl req -new -key server.key -out server.csr
root@darkstar:~# openssl x509 -req -days 1095 -in server.csr -signkey server.key -out server.crt

Copy the server certificate and the server private key into /etc/httpd:

root@darkstar:~# cp server.key /etc/httpd
root@darkstar:~# cp server.crt /etc/httpd
root@darkstar:~# chmod 400 /etc/httpd/server.*

The certificate is self-signed, so every browser will warn on the first connection. Verify the fingerprint of /etc/httpd/server.crt out of band before accepting it, otherwise the warning is meaningless.

There are a number of files and directories in /var/www/htdocs that can be used to identify the web server. We are not going to use a local search engine, so htdig can be removed from the system. The Apache manual can be moved to another location so that it is still available if needed. The rest of the files can be deleted.

root@darkstar:~# removepkg htdig
root@darkstar:~# mv /var/www/htdocs/manual /var/www
root@darkstar:~# rm /var/www/htdocs/apache_pb*

Create an empty index.html file:

root@darkstar:~# cat /dev/null > /var/www/htdocs/index.html

Restrict access to the BASE directory to authorized users. Create the password file and configure the users that will be allowed to access BASE. The password file lives outside the document root, so the web server can never serve it.

root@darkstar:~# mkdir /var/www/passwords
root@darkstar:~# htpasswd -c /var/www/passwords/passwords dentonj
root@darkstar:~# htpasswd /var/www/passwords/passwords baseuser
root@darkstar:~# chmod -R o-rwx /var/www/passwords

Configure the BASE directory to only allow access to authorized users. Slackware follows the Filesystem Hierarchy Standard, which makes /srv the location for data for services provided by the system. /srv contains a symlink to /var/www, and the DocumentRoot directive is set to /srv/httpd/htdocs, so the paths below use /srv/httpd. Basic authentication sends the credentials base64-encoded with every request, so it is only acceptable over SSL, which is the case here. I have not been able to get BASE to work properly with Digest authentication.
Add the following:

root@darkstar:~# vi /etc/httpd/httpd.conf
    <Directory "/srv/httpd/htdocs/frontend">
        AuthType Basic
        AuthName "Authentication"
        AuthUserFile /srv/httpd/passwords/passwords
        Require user dentonj baseuser
    </Directory>

Most of the Apache modules are not needed. Comment out the following. Leave mod_auth_basic, mod_authn_file and mod_authz_user loaded; they provide the AuthType, AuthUserFile and Require directives used above.

root@darkstar:~# vi /etc/httpd/httpd.conf
    #LoadModule authn_dbm_module lib/httpd/modules/mod_authn_dbm.so
    #LoadModule authn_anon_module lib/httpd/modules/mod_authn_anon.so
    #LoadModule authn_dbd_module lib/httpd/modules/mod_authn_dbd.so
    #LoadModule authn_default_module lib/httpd/modules/mod_authn_default.so
    #LoadModule authn_alias_module lib/httpd/modules/mod_authn_alias.so
    #LoadModule authz_groupfile_module lib/httpd/modules/mod_authz_groupfile.so
    #LoadModule authz_dbm_module lib/httpd/modules/mod_authz_dbm.so
    #LoadModule authz_owner_module lib/httpd/modules/mod_authz_owner.so
    #LoadModule authnz_ldap_module lib/httpd/modules/mod_authnz_ldap.so
    #LoadModule authz_default_module lib/httpd/modules/mod_authz_default.so
    #LoadModule auth_digest_module lib/httpd/modules/mod_auth_digest.so
    #LoadModule file_cache_module lib/httpd/modules/mod_file_cache.so
    #LoadModule cache_module lib/httpd/modules/mod_cache.so
    #LoadModule disk_cache_module lib/httpd/modules/mod_disk_cache.so
    #LoadModule mem_cache_module lib/httpd/modules/mod_mem_cache.so
    #LoadModule dbd_module lib/httpd/modules/mod_dbd.so
    #LoadModule dumpio_module lib/httpd/modules/mod_dumpio.so
    #LoadModule ext_filter_module lib/httpd/modules/mod_ext_filter.so
    #LoadModule include_module lib/httpd/modules/mod_include.so
    #LoadModule filter_module lib/httpd/modules/mod_filter.so
    #LoadModule deflate_module lib/httpd/modules/mod_deflate.so
    #LoadModule ldap_module lib/httpd/modules/mod_ldap.so
    #LoadModule log_forensic_module lib/httpd/modules/mod_log_forensic.so
    #LoadModule logio_module lib/httpd/modules/mod_logio.so
    #LoadModule env_module lib/httpd/modules/mod_env.so
    #LoadModule cern_meta_module lib/httpd/modules/mod_cern_meta.so
    #LoadModule expires_module lib/httpd/modules/mod_expires.so
    #LoadModule headers_module lib/httpd/modules/mod_headers.so
    #LoadModule ident_module lib/httpd/modules/mod_ident.so
    #LoadModule usertrack_module lib/httpd/modules/mod_usertrack.so
    #LoadModule version_module lib/httpd/modules/mod_version.so
    #LoadModule proxy_module lib/httpd/modules/mod_proxy.so
    #LoadModule proxy_connect_module lib/httpd/modules/mod_proxy_connect.so
    #LoadModule proxy_ftp_module lib/httpd/modules/mod_proxy_ftp.so
    #LoadModule proxy_http_module lib/httpd/modules/mod_proxy_http.so
    #LoadModule proxy_ajp_module lib/httpd/modules/mod_proxy_ajp.so
    #LoadModule proxy_balancer_module lib/httpd/modules/mod_proxy_balancer.so
    #LoadModule dav_module lib/httpd/modules/mod_dav.so
    #LoadModule status_module lib/httpd/modules/mod_status.so
    #LoadModule autoindex_module lib/httpd/modules/mod_autoindex.so
    #LoadModule asis_module lib/httpd/modules/mod_asis.so
    #LoadModule info_module lib/httpd/modules/mod_info.so
    #LoadModule cgi_module lib/httpd/modules/mod_cgi.so
    #LoadModule dav_fs_module lib/httpd/modules/mod_dav_fs.so
    #LoadModule vhost_alias_module lib/httpd/modules/mod_vhost_alias.so
    #LoadModule negotiation_module lib/httpd/modules/mod_negotiation.so
    #LoadModule imagemap_module lib/httpd/modules/mod_imagemap.so
    #LoadModule actions_module lib/httpd/modules/mod_actions.so
    #LoadModule userdir_module lib/httpd/modules/mod_userdir.so
    #LoadModule alias_module lib/httpd/modules/mod_alias.so
    #LoadModule rewrite_module lib/httpd/modules/mod_rewrite.so

Change the permissions of the startup script and start the web server:

root@darkstar:~# chmod 700 /etc/rc.d/rc.httpd
root@darkstar:~# /etc/rc.d/rc.httpd start

To test SSL on the web server, run the following command. When the cursor is sitting on a blank line after the handshake output, type "GET /frontend" and press Enter.
dentonj@darkstar:~$ openssl s_client -connect localhost:443
GET /frontend
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>
closed

When running the above command, ensure the following is seen in the handshake summary:

    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 2048 bit

The 401 is the expected answer: it shows the <Directory> block is being applied. A page body instead of a 401 means the authentication is not in effect.

--[ Configure PHP ]--

PHP must be configured before BASE will function. Uncomment the line that includes the PHP module configuration:

root@darkstar:~# vi /etc/httpd/httpd.conf
    Include /etc/httpd/mod_php.conf

Change the DirectoryIndex directive to allow loading of PHP index files. Modify the following line from:

root@darkstar:~# vi /etc/httpd/httpd.conf
    DirectoryIndex index.html

To:

    DirectoryIndex index.html index.php

Secure PHP a bit by changing the following:

root@darkstar:~# vi /etc/httpd/php.ini
    safe_mode = On
    allow_url_fopen = Off
    allow_url_include = Off
    file_uploads = Off
    open_basedir = /var/www
    disable_functions = system,exec,shell_exec,eval,include,require,include_once,require_once
    expose_php = Off
    error_log = /var/log/httpd/php_error_log

allow_url_include exists from PHP 5.2 on and closes the remote-include hole that allow_url_fopen alone leaves open. Note that eval, include, require, include_once and require_once are language constructs rather than functions, so disable_functions silently ignores them; only system, exec and shell_exec are actually disabled by that line. Other process-spawning functions such as passthru, popen and proc_open are not on the list and remain available.

Create the php_error_log and restart the web server so the configuration changes take effect:

root@darkstar:~# touch /var/log/httpd/php_error_log
root@darkstar:~# /etc/rc.d/rc.httpd restart

--[ Configure the firewall ]--

The startup script /etc/rc.d/rc.inet2 will run /etc/rc.d/rc.firewall if it exists. The file rc.firewall does not exist by default. Create the file and add the following:

root@darkstar:~# vi /etc/rc.d/rc.firewall
    #!/bin/sh
    # rc.firewall
    #
    firewall_start() {
        echo "Starting Iptables..."
        /usr/sbin/iptables -P INPUT DROP
        /usr/sbin/iptables -P FORWARD DROP
        /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
        /usr/sbin/iptables -A INPUT -p icmp --icmp-type any -j DROP
        /usr/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        /usr/sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
        /usr/sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 443 -j ACCEPT
        /usr/sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 3001 -j ACCEPT
        /usr/sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 3307 -j ACCEPT
        # Drop broadcasts before logging
        /usr/sbin/iptables -A INPUT -d 192.168.1.255 -j DROP
        /usr/sbin/iptables -A INPUT -j LOG --log-ip-options --log-tcp-options
        #/usr/sbin/iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
        /usr/sbin/iptables -A INPUT -j DROP
    }

    firewall_stop() {
        echo "Stopping Iptables..."
        /usr/sbin/iptables -P INPUT ACCEPT
        /usr/sbin/iptables -P FORWARD ACCEPT
        /usr/sbin/iptables -F
    }

    firewall_restart() {
        firewall_stop
        /usr/bin/sleep 2
        firewall_start
    }

    case "$1" in
    'start')
        firewall_start
        ;;
    'stop')
        firewall_stop
        ;;
    'restart')
        firewall_restart
        ;;
    *)
        echo "usage $0 start|stop|restart"
    esac

If you regularly VPN into your network, remember to add that subnet to allow access. Two things to watch in this ruleset: the ICMP rule sits before the ESTABLISHED,RELATED rule, so ICMP errors belonging to existing connections (fragmentation needed, for example) are dropped along with pings; moving the ICMP rule below the state rule keeps those while still ignoring unsolicited ICMP. The LOG rule has no rate limit, so a scan against the sensor can fill /var/log/messages; "-m limit" on that rule caps it.

Change the permissions and start the firewall script:

root@darkstar:~# chmod 700 /etc/rc.d/rc.firewall
root@darkstar:~# /etc/rc.d/rc.firewall start
root@darkstar:~# iptables -L -nv

--[ Create the BASE tables ]--

With a web browser:
- Go to https://<sensor ip>/frontend
- Click on the "Setup page" link
- Click on the "Create BASE AG" button
- Click on the "Main Page" link

--[ Create the archive database ]--

There probably is a better way to do this, but it works. Unfortunately, the setup page for BASE is not able to create the BASE specific tables in the Snort archive database.
Copy the snort database and name the copy snort_archive. MySQL must be stopped while the table files are copied, otherwise the copy can be inconsistent.

root@darkstar:~# /etc/rc.d/rc.mysqld stop
root@darkstar:~# cd /var/lib/mysql
root@darkstar:mysql# cp -pr snort snort_archive
root@darkstar:mysql# /etc/rc.d/rc.mysqld start

Configure the permissions in MySQL. The second grant, with no host part, applies to snort@'%', the account remote connections use; it is only needed if something outside the sensor will ever write to the archive.

root@darkstar:~# mysql -p
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| snort              |
| snort_archive      |
+--------------------+
4 rows in set (0.00 sec)

mysql> grant create,insert,select,delete,update on snort_archive.* to snort@localhost;
mysql> grant create,insert,select,delete,update on snort_archive.* to snort;
mysql> flush privileges;
mysql> use snort;
mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| acid_ag          |
| acid_ag_alert    |
| acid_event       |
| acid_ip_cache    |
| base_roles       |
| base_users       |
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
22 rows in set (0.00 sec)

mysql> exit

Configure BASE to use the archive database:

root@darkstar:~# vi /var/www/htdocs/frontend/base_conf.php
    $archive_exists = 1;
    $archive_dbname = 'snort_archive';
    $archive_host = 'localhost';
    $archive_port = '';
    $archive_user = 'snort';
    $archive_password = 'mysqlsnortpassword';

--[ Barnyard Installation ]--

Barnyard is used to separate Snort from the database. Snort uses a single process for all packet processing and logging. Logging directly from Snort into a database is slow and can potentially cause Snort to start dropping packets. The solution is to have Snort log to files and use Barnyard to take the alerts from the files and stuff them into the database.
dentonj@darkstar:downloads$ wget http://www.snort.org/dl/barnyard/barnyard-0.2.0.tar.gz
dentonj@darkstar:downloads$ wget http://www.snort.org/dl/barnyard/barnyard-0.2.0.tar.gz.md5
dentonj@darkstar:downloads$ md5sum barnyard-0.2.0.tar.gz
be3283028cf414b52b220308ceb411e9  barnyard-0.2.0.tar.gz
dentonj@darkstar:downloads$ cat barnyard-0.2.0.tar.gz.md5
md5 : be3283028cf414b52b220308ceb411e9 barnyard-0.2.0.tar.gz
sha1 : 4adfcabb2702def5a9a6c68cbde1b90a70f7e67a barnyard-0.2.0.tar.gz
dentonj@darkstar:downloads$ cd ../src
dentonj@darkstar:src$ gzip -cd ../downloads/barnyard-0.2.0.tar.gz | tar xf -
dentonj@darkstar:src$ cd barnyard-0.2.0
dentonj@darkstar:barnyard-0.2.0$ ./configure --enable-mysql
dentonj@darkstar:barnyard-0.2.0$ make
dentonj@darkstar:barnyard-0.2.0$ su
root@darkstar:barnyard-0.2.0# make install

Barnyard does not insert an entry into the sensor table in the snort database. Without that row BASE cannot update its own tables, and no alerts are displayed through the BASE interface in the web browser. Manually add an entry into the snort.sensor table. Use the same hostname and interface that barnyard.conf carries in its "config hostname" and "config interface" lines, and the same sid as the sensor_id on its output line, so that the row describes the sensor that is actually inserting the events.

root@darkstar:~# mysql -p
mysql> use snort;
mysql> insert into snort.sensor (sid,hostname,interface,filter,detail,encoding,last_cid) values (1,"localhost","eth1","",1,0,0);
mysql> select * from snort.sensor;
mysql> exit

The commands used to troubleshoot this problem (events are arriving, but nothing is reaching the BASE tables and the sensor table is empty):

root@darkstar:~# mysql -p
mysql> use snort;
mysql> select count(*) from event;
+----------+
| count(*) |
+----------+
|     4561 |
+----------+
1 row in set (0.00 sec)

mysql> select count(*) from acid_event;
+----------+
| count(*) |
+----------+
|        0 |
+----------+
1 row in set (0.00 sec)

mysql> select * from sensor;
Empty set (0.00 sec)

Barnyard uses a file to keep track of the alerts that have been inserted into the database.
Create this file:

root@darkstar:~# vi /var/log/snort/barnyard.waldo
    /var/log/snort
    snort.log
    0
    0

Configure Barnyard:

root@darkstar:~# vi /etc/snort/barnyard.conf
    config daemon
    config localtime
    config hostname: localhost
    config interface: eth0
    config filter: not src host 192.168.15.234 and \
                   not src host 192.168.17.27
    config sid-msg-map: /etc/snort/sid-msg.map
    config gen-msg-map: /etc/snort/gen-msg.map
    config class-file: /etc/snort/classification.config
    output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, detail full, password mysqlsnortpassword

barnyard.conf also holds the database password in clear text; keep it readable by root only.

Create the startup script used to start Barnyard:

root@darkstar:~# vi /etc/rc.d/rc.barnyard
    #!/bin/sh
    #
    # Start/Stop/Restart Barnyard
    #
    CONF="/etc/snort/barnyard.conf"

    barnyard_start() {
        echo "Starting Barnyard..."
        /usr/local/bin/barnyard -v -c $CONF \
            -d /var/log/snort \
            -f snort.log \
            -w /var/log/snort/barnyard.waldo \
            -a /var/log/snort/archive \
            -X /var/run/barnyard.pid
    }

    barnyard_stop() {
        echo "Stopping Barnyard..."
        /bin/killall barnyard
    }

    barnyard_restart() {
        barnyard_stop
        /usr/bin/sleep 2
        barnyard_start
    }

    case "$1" in
    'start')
        barnyard_start
        ;;
    'stop')
        barnyard_stop
        ;;
    'restart')
        barnyard_restart
        ;;
    *)
        echo "usage $0 start|stop|restart"
    esac

Change the permissions of the startup script:

root@darkstar:~# chmod 700 /etc/rc.d/rc.barnyard

--[ Oinkmaster Installation ]--

Oinkmaster is used to manage the rules used by Snort. Oinkmaster can download and update new rules. It can also enable, disable, and modify rules after each update.
dentonj@darkstar:downloads$ wget http://easynews.dl.sourceforge.net/sourceforge/oinkmaster/oinkmaster-2.0.tar.gz
dentonj@darkstar:downloads$ cd ../src
dentonj@darkstar:src$ gzip -cd ../downloads/oinkmaster-2.0.tar.gz | tar xf -
dentonj@darkstar:src$ cd oinkmaster-2.0
dentonj@darkstar:oinkmaster-2.0$ su
root@darkstar:oinkmaster-2.0# cp oinkmaster.pl /usr/local/sbin
root@darkstar:oinkmaster-2.0# cp oinkmaster.conf /etc
root@darkstar:oinkmaster-2.0# cp oinkmaster.1 /usr/local/man/man1
root@darkstar:oinkmaster-2.0# cd contrib
root@darkstar:contrib# cp *.pl /usr/local/sbin

Configure Oinkmaster to update the rules. If you have registered as a user on the Snort website, then get the Oink Code to download the VRT rules. The Oink Code can be obtained on the user preference page on the Snort website. The Oink Code is a credential and it sits in the download URL, so /etc/oinkmaster.conf should be readable by root only. Set up Oinkmaster to download the VRT rules, the latest Bleeding Threats rules, and the Community rules.

root@darkstar:~# vi /etc/oinkmaster.conf
    url = http://www.snort.org/pub-bin/oinkmaster.cgi/GetYourOwnCode012345abcde6789fg0123456789/snortrules-snapshot-CURRENT.tar.gz
    url = http://www.bleedingthreats.net/rules/bleeding.rules.tar.gz
    url = http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz
    path = /bin:/usr/bin:/usr/local/bin
    update_files = \.rules$|\.txt$|\.map$
    skipfile local.rules
    skipfile snort.conf
    skipfile threshold.conf
    skipfile classification.config
    skipfile reference.config

When updating the rules, run a check first: -c is careful mode, in which Oinkmaster reports what would change without touching the rules directory. The downloads are plain HTTP with no signature check, so the report is also where you spot a rules file that changed in a way you did not expect. The only problem with this is the Snort website only allows downloads of the VRT rules once every 15 minutes. If this annoys you too, download the VRT rules separately and configure Oinkmaster with "url = file:///home/dentonj/downloads/snortrules-snapshot-CURRENT.tar.gz".

root@darkstar:~# oinkmaster.pl -c -o /etc/snort/rules > oinktest

15 minutes later....

root@darkstar:~# oinkmaster.pl -o /etc/snort/rules

Each rule contains a unique Snort rule ID (SID).
The file sid-msg.map contains the mapping of alert messages to SIDs. Since Barnyard does not read the rules files, the sid-msg.map file is used when feeding alerts into MySQL. If the file is out of date, meaning there are SIDs in the rules files that are not listed in the sid-msg.map file, Barnyard will not be able to insert the alert message into MySQL. The result will be seen in BASE as an alert such as "Snort Alert [1:1948:15]". Every time the rules are updated or a new rule is added, the sid-msg.map file needs to be recreated and Barnyard restarted so that it rereads the map.

root@darkstar:~# create-sidmap.pl /etc/snort/rules > /etc/snort/sid-msg.map

There are over 3600 rules disabled by default in the VRT rules and over 400 disabled by default in the Bleeding Threats rules. The rules are disabled by default for various reasons:
- The rules could generate a large number of false positives, either generally or in certain environments.
- The rules are only useful in specific environments, so it's not worth making Snort work harder unless your environment has the specific thing the rule is looking for.
- The rules are performance hogs and should be enabled only if you are really concerned about what the rule is looking for.

Spend some time going through the rules files to determine if there is anything that needs to be enabled. To generate a list of the disabled SIDs:

root@darkstar:~# makesidex.pl /etc/snort/rules > /etc/snort/disablesid.conf

To enable a rule, uncomment the rule itself in the appropriate file. To ensure that Oinkmaster does not disable the rule when rules are updated, add an "enablesid" line to the Oinkmaster configuration file.
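What create-sidmap.pl and makesidex.pl do is simple enough to show in a few dozen lines. The following is an added example written for this guide, not Oinkmaster's contrib code and not the Snort project's: it parses rule lines the way Snort writes them, emits sid-msg.map entries in the "sid || msg || ref || ref" layout Barnyard reads, lists the commented-out rules as disablesid lines, and, as the check the paragraph above calls for, reports SIDs that an existing sid-msg.map is missing. The rules text is a constructed sample modelled on the DNS zone transfer rules quoted later in this guide; the regexes cover the common rule layout and are an assumption, not a full Snort grammar.

```python
import re

# Constructed sample of a rules file (not a real VRT file): one enabled
# rule and two commented-out rules, the way disabled rules ship in the
# tarball, plus an ordinary comment line.
SAMPLE_RULES = """\
# DNS and ICMP rules (constructed sample for this example)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:15; metadata:service dns; reference:arachnids,212; reference:cve,1999-0532; classtype:attempted-recon; sid:255; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; metadata:service dns; reference:arachnids,212; reference:cve,1999-0532; classtype:attempted-recon; sid:1948; rev:8;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Microsoft Windows"; itype:8; content:"abcdefghijklmnop"; depth:16; classtype:misc-activity; sid:376; rev:7;)
"""

# Rule header: "[#] action proto src sport -> dst dport (options)".
# A leading "#" means the rule is disabled; that is exactly what
# Oinkmaster's enablesid/disablesid toggle.
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?'
    r'(?P<action>alert|log|pass|drop|reject|sdrop)\s+\S+\s+\S+\s+\S+\s+'
    r'(?:->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$')
# One "key:value;" option; the value may be quoted (msg, content).
OPT_RE = re.compile(r'(?P<key>\w+)\s*:\s*(?:"(?P<q>[^"]*)"|(?P<v>[^;]*))\s*;')


def parse_rules(text):
    """Yield (sid, msg, refs, rev, disabled) for every rule line in text.
    Lines that are not rules (plain comments, blanks) are skipped."""
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        sid = msg = rev = None
        refs = []
        for o in OPT_RE.finditer(m.group('opts')):
            key = o.group('key')
            val = o.group('q') if o.group('q') is not None else o.group('v').strip()
            if key == 'sid':
                sid = int(val)
            elif key == 'rev':
                rev = int(val)
            elif key == 'msg':
                msg = val
            elif key == 'reference':
                refs.append(val)
        if sid is None or msg is None:
            continue  # sid-msg.map needs both
        yield sid, msg, refs, rev, bool(m.group('disabled'))


def sid_msg_map(text):
    """sid-msg.map lines, sorted by SID. Disabled rules are included on
    purpose: a rule that was enabled when Snort started must still resolve
    after a later update disables it."""
    return ['%d || %s' % (sid, ' || '.join([msg] + refs))
            for sid, msg, refs, rev, disabled in sorted(parse_rules(text))]


def disabled_sids(text):
    """"disablesid <sid> # <msg>, rev <rev>" lines for every commented-out
    rule, ready to be fed to oinkmaster.pl with a second -C (the makesidex
    idea)."""
    return ['disablesid %d # %s, rev %s' % (sid, msg, rev)
            for sid, msg, refs, rev, disabled in sorted(parse_rules(text))
            if disabled]


def unmapped_sids(map_text, rules_text):
    """SIDs present in the rules but absent from an existing sid-msg.map:
    the alerts that would show in BASE as "Snort Alert [1:sid:rev]"."""
    mapped = {int(line.split('||')[0]) for line in map_text.splitlines()
              if line.strip() and not line.startswith('#')}
    return sorted(sid for sid, *_ in parse_rules(rules_text) if sid not in mapped)


if __name__ == '__main__':
    print('\n'.join(sid_msg_map(SAMPLE_RULES)))
    print('\n'.join(disabled_sids(SAMPLE_RULES)))
```

Run it against a real rules directory by concatenating the *.rules files into the text; the unmapped_sids check is the one to run after every Oinkmaster update, before restarting Barnyard.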
root@darkstar:~# cd /etc/snort/rules
root@darkstar:rules# grep -n "DNS zone transfer" *
dns.rules:23:# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:15; metadata:service dns; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:255; rev:15;)
dns.rules:24:# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; metadata:service dns; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:1948; rev:8;)

Uncomment lines 23 and 24:

root@darkstar:rules# vi +23 dns.rules

Configure Oinkmaster to enable the rules during every update. Oinkmaster uses the SID to determine which rules should be enabled. Add a comment to each entry to help identify the SID. I list the revision of the rule when I create the entry. The rule may change at a later date, and the revision information may help troubleshoot any possible problems with an updated rule. It's a good idea to review the enablesid and disablesid entries every month or so. If a rule was disabled because of false positives, a new revision of that rule may have eliminated the problem.

root@darkstar:rules# vi /etc/oinkmaster.conf
    enablesid 255   # DNS zone transfer TCP, rev 15
    enablesid 1948  # DNS zone transfer UDP, rev 8

If the "MULTICAST_NET" variable was added to snort.conf, modify the following rule during updates:

root@darkstar:~# vi /etc/oinkmaster.conf
    modifysid 2189 "->\s*any" | "-> !\$MULTICAST_NET"  # IP Proto 103, rev 4

To disable rules, comment out the rule in the appropriate file. To ensure Oinkmaster does not enable the rule when rules are updated, add a "disablesid" line to the Oinkmaster configuration file.
root@darkstar:~# vi /etc/oinkmaster.conf
    disablesid 376  # ICMP PING Microsoft Windows, rev 7

An alternative to editing the oinkmaster.conf file is to run makesidex.pl every time a rule is disabled and pass the generated file to Oinkmaster with a second -C:

root@darkstar:~# makesidex.pl /etc/snort/rules > /etc/snort/disablesid.conf
root@darkstar:~# oinkmaster.pl -C /etc/oinkmaster.conf \
    -C /etc/snort/disablesid.conf -o /etc/snort/rules

To enable all of the rules, even the ones that are disabled by default:

root@darkstar:~# oinkmaster.pl -e -o /etc/snort/rules

--[ Configure SSH ]--

Make a few changes to the SSH server:

root@darkstar:~# vi /etc/ssh/sshd_config
    Protocol 2
    PermitRootLogin no

The following are already set by default. If it makes you feel better, add them to the configuration file:

    PermitEmptyPasswords no
    UsePrivilegeSeparation yes
    StrictModes yes
    SyslogFacility AUTH
    LogLevel INFO

Restart SSH so the changes take effect:

root@darkstar:~# /etc/rc.d/rc.sshd restart

--[ mod_security Installation ]--

From the webpage for ModSecurity, "ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis."
dentonj@darkstar:downloads$ wget http://www.modsecurity.org/download/modsecurity-apache_2.1.1.tar.gz
dentonj@darkstar:downloads$ wget http://www.modsecurity.org/download/modsecurity-apache_2.1.1.tar.gz.md5
dentonj@darkstar:downloads$ wget http://www.modsecurity.org/download/modsecurity-core-rules_2.1-1.4.tar.gz
dentonj@darkstar:downloads$ md5sum modsecurity-apache_2.1.1.tar.gz
ab74ed5f320ffc4ed9f56487bf17c670  modsecurity-apache_2.1.1.tar.gz
dentonj@darkstar:downloads$ cat modsecurity-apache_2.1.1.tar.gz.md5
ab74ed5f320ffc4ed9f56487bf17c670  /home/ivanr/work/mod_security/build/modsecurity-apache_2.1.1.tar.gz
dentonj@darkstar:downloads$ echo "Hi ivanr"

A checksum file fetched from the same server as the tarball only shows that the download was not corrupted in transit; anyone able to replace the tarball can replace the .md5 file too.

dentonj@darkstar:downloads$ cd ../src
dentonj@darkstar:src$ gzip -cd ../downloads/modsecurity-apache_2.1.1.tar.gz | tar xf -
dentonj@darkstar:src$ cd modsecurity_2.1.1/apache2

Before compiling ModSecurity, change the following:

dentonj@darkstar:apache2$ vi Makefile
    top_dir = /usr/lib/httpd
    #DEFS = -DWITH_LIBXML2

dentonj@darkstar:apache2$ make
dentonj@darkstar:apache2$ su
root@darkstar:apache2# make install
root@darkstar:apache2# mkdir /etc/httpd/modsecurity
root@darkstar:apache2# cd /etc/httpd/modsecurity
root@darkstar:modsecurity# gzip -cd /home/dentonj/downloads/modsecurity-core-rules_2.1-1.4.tar.gz | tar xf -

Change the configuration file for the web server to load the ModSecurity module and the ModSecurity configuration files:

root@darkstar:modsecurity# vi /etc/httpd/httpd.conf
    LoadModule security2_module lib/httpd/modules/mod_security2.so
    Include /etc/httpd/modsecurity/*.conf

One of the features is to mask the server identity. Before this feature can work, the ServerTokens directive for Apache needs to be set to Full: ModSecurity overwrites the Server string Apache builds, and Full gives it the longest string to overwrite. Add the following:

root@darkstar:~# vi /etc/httpd/httpd.conf
    ServerTokens Full

Restart the web server so the configuration changes take effect:

root@darkstar:~# /etc/rc.d/rc.httpd restart

Configure and create the log files for ModSecurity. Logrotate is set up to look for "/var/log/httpd/*_log", so the names below get rotated without further configuration.
root@darkstar:modsecurity# vi modsecurity_crs_10_config.conf
    SecAuditLog /var/log/httpd/modsec_audit_log
    SecDebugLog /var/log/httpd/modsec_debug_log
root@darkstar:modsecurity# touch /var/log/httpd/modsec_audit_log
root@darkstar:modsecurity# touch /var/log/httpd/modsec_debug_log

Since a DNS entry is not going to be configured for the Snort sensor, the web browser will have to use the IP address when connecting to the web server. One of the ModSecurity rules will trigger every time this happens. Comment out the following to prevent this alert from filling up the logs:

root@darkstar:modsecurity# cd /etc/httpd/modsecurity
root@darkstar:modsecurity# vi modsecurity_crs_21_protocol_anomalies.conf
    #SecRule REQUEST_HEADERS:Host "^[\d\.]+$" "deny,log,auditlog,status:400,msg:'Host header is a numeric IP address', severity:'2',id:'960017'"

Until it is commented out this rule does more than log: its action is deny with status 400, so every request to https://<sensor ip>/frontend is rejected.

--[ OSSEC Installation ]--

From the webpage for OSSEC, "OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response."

dentonj@darkstar:downloads$ wget http://www.ossec.net/files/ossec-hids-1.3.tar.gz
dentonj@darkstar:downloads$ cd ../src
dentonj@darkstar:src$ gzip -cd ../downloads/ossec-hids-1.3.tar.gz | tar xf -
dentonj@darkstar:src$ cd ossec-hids-1.3
dentonj@darkstar:ossec-hids-1.3$ su
root@darkstar:ossec-hids-1.3# ./install.sh
    For installation in English, choose [en]. en
    Press ENTER to continue
    What kind of installation do you want? server
    Choose where to install the OSSEC HIDS: /var/ossec
    Do you want e-mail notifications? y
    What's your e-mail address? root@localhost
    We found your SMTP server as: 127.0.0.1
    Do you want to use it? y
    Do you want to run the integrity check daemon? y
    Do you want to run the rootkit detection engine? y
    Do you want to enable active response? y
    Do you want to enable remote syslog? y

Configure OSSEC to monitor the PHP, ModSecurity, and SSL log files.
Add the following:

root@darkstar:~# vi /var/ossec/etc/ossec.conf
    <localfile>
      <log_format>syslog</log_format>
      <location>/var/log/httpd/php_error_log</location>
    </localfile>
    <localfile>
      <log_format>syslog</log_format>
      <location>/var/log/httpd/modsec_audit_log</location>
    </localfile>
    <localfile>
      <log_format>syslog</log_format>
      <location>/var/log/httpd/modsec_debug_log</location>
    </localfile>
    <localfile>
      <log_format>apache</log_format>
      <location>/var/log/httpd/ssl_request_log</location>
    </localfile>

OSSEC will parse syslog files looking for key words. One of the words that it looks for, "bad", can be displayed by Snort during startup. An example message is "Bad Payload Size Alert: ENABLED". To prevent Snort from triggering this alert in OSSEC, change the following from:

root@darkstar:~# vi /var/ossec/rules/syslog_rules.xml
    <rule id="1002" level="7">
      <match>$BAD_WORDS</match>
      <description>Unknown problem somewhere in the system.</description>
    </rule>

To:

    <rule id="1002" level="7">
      <regex>$BAD_WORDS</regex>
      <if_matched_regex>!snort</if_matched_regex>
      <description>Unknown problem somewhere in the system.</description>
    </rule>

Editing the stock rules files has one drawback: an OSSEC upgrade overwrites them. A level 0 rule in /var/ossec/rules/local_rules.xml that uses if_sid 1002 and matches the snort program name achieves the same thing and survives upgrades.

OSSEC will look for network interfaces that go into promiscuous mode. Snort will place the listening interface in promiscuous mode every time it starts. To prevent Snort from triggering this alert in OSSEC, change the following from:

root@darkstar:~# vi /var/ossec/rules/syslog_rules.xml
    <rule id="5104" level="8">
      <if_sid>5100</if_sid>
      <regex>Promiscuous mode enabled|</regex>
      <regex>device \S+ entered promiscuous mode</regex>
      <description>Interface entered in promiscuous(sniffing) mode.</description>
      <group>promisc,</group>
    </rule>

To:

    <!--
    <rule id="5104" level="8">
      <if_sid>5100</if_sid>
      <regex>Promiscuous mode enabled|</regex>
      <regex>device \S+ entered promiscuous mode</regex>
      <description>Interface entered in promiscuous(sniffing) mode.</description>
      <group>promisc,</group>
    </rule>
    -->

Note that syslog_rules.xml is evaluated on the server for every agent, so commenting rule 5104 out also silences promiscuous mode alerts from the agents, where an interface entering promiscuous mode is exactly what you want to hear about. A level 0 override in local_rules.xml restricted to the sensor keeps the rule alive for everything else.

Add an agent to be monitored.
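Before the agent is added, here is the logic behind the rule 1002 change above, run over a few constructed syslog lines, as an added example written for this guide rather than OSSEC's own code. It shows why Snort's startup banner trips the bad-words rule and how excluding one program keeps the rule useful for everyone else. BAD_WORDS is an assumed, shortened version of OSSEC's $BAD_WORDS variable, the line layout is the classic "Mon DD HH:MM:SS host prog[pid]: msg" syslog format, and the case-insensitive matching is an assumption of this example, not a statement about OSSEC's matcher.

```python
import re

# Assumed, shortened version of OSSEC's $BAD_WORDS list. Note the spaces
# around "bad" and after "illegal": they are part of the pattern, which is
# why "Bad Payload" (space before, space after) still matches.
BAD_WORDS = re.compile(
    r'core_dumped|failure|error|attack| bad |illegal |denied|refused'
    r'|unauthorized|fatal|failed|Segmentation Fault|Corrupted', re.IGNORECASE)

# Programs whose startup banners legitimately contain a "bad word".
EXCLUDED_PROGRAMS = {'snort'}

# "Sep 23 10:15:01 darkstar snort[4242]: message" (pid part optional).
SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[^\s\[:]+)(?:\[\d+\])?: (?P<msg>.*)$')

# Constructed sample lines, not real logs from any system.
SAMPLE_LOG = """\
Sep 23 10:15:01 darkstar snort[4242]: Bad Payload Size Alert: ENABLED
Sep 23 10:15:02 darkstar snort[4242]: Decoding Ethernet on interface eth0
Sep 23 10:16:40 darkstar sshd[5120]: error: PAM: Authentication failure for illegal user admin from 192.168.1.99
Sep 23 10:17:05 darkstar kernel: device eth0 entered promiscuous mode
Sep 23 10:18:00 darkstar mysqld[611]: Access denied for user 'snort'@'localhost'
"""


def parse_syslog(line):
    """Split one syslog line into its fields, or return None when the line
    is not in the expected layout."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def rule_1002_hits(text, excluded=EXCLUDED_PROGRAMS):
    """Lines rule 1002 would fire on: any line containing a bad word,
    unless it came from an excluded program (the "!snort" idea above).
    Lines that do not parse are still reported, since OSSEC sees them."""
    hits = []
    for line in text.splitlines():
        if not BAD_WORDS.search(line):
            continue
        fields = parse_syslog(line)
        if fields and fields['prog'].lower() in excluded:
            continue
        hits.append(line)
    return hits


def noisy_programs(text):
    """Bad-word matches per program: the quickest way to find the next
    program that deserves an exclusion instead of commenting the rule out."""
    counts = {}
    for line in text.splitlines():
        if BAD_WORDS.search(line):
            fields = parse_syslog(line)
            prog = fields['prog'] if fields else '?'
            counts[prog] = counts.get(prog, 0) + 1
    return counts


if __name__ == '__main__':
    for hit in rule_1002_hits(SAMPLE_LOG):
        print('ALERT:', hit)
    print(noisy_programs(SAMPLE_LOG))
```

With the exclusion in place the Snort banner is skipped while the sshd and mysqld lines still alert; with an empty exclusion set the banner is the first hit, which is the false positive the rule change is meant to remove.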
An encryption key will be created to encrypt communications between the OSSEC server and the agent. The key is a shared secret: carry it to the agent over SSH or by hand, not over e-mail or a chat session.

root@darkstar:~# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v1.3 Agent manager.       *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: a

- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: linuxclient
   * The IP Address of the new agent: 192.168.1.27
   * An ID for the new agent[001]:
Agent information:
   ID:001
   Name:linuxclient
   IP Address:192.168.1.27

Confirm adding it?(y/n): y
Agent added.

****************************************
* OSSEC HIDS v1.3 Agent manager.       *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: e

Available agents:
   ID: 001, Name: linuxclient, IP: 192.168.1.27
Provide the ID of the agent to extract the key (or '\q' to quit): 001

Agent key information for '001' is:
GetYourOwnKeyMDAxIGRlYXRoc5MDk1NA==

** Press ENTER to return to the main menu.

****************************************
* OSSEC HIDS v1.3 Agent manager.       *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: q

** You must restart the server for your changes to have effect.

Install the OSSEC agent on a computer that is going to be monitored.
nick@linuxclient:downloads$ wget http://www.ossec.net/files/ossec-hids-1.3.tar.gz
nick@linuxclient:downloads$ cd ../src
nick@linuxclient:src$ gzip -cd ../downloads/ossec-hids-1.3.tar.gz | tar xf -
nick@linuxclient:src$ cd ossec-hids-1.3
nick@linuxclient:ossec-hids-1.3$ su
root@linuxclient:ossec-hids-1.3# ./install.sh
    For installation in English, choose [en]. en
    Press ENTER to continue
    What kind of installation do you want? agent
    Choose where to install the OSSEC HIDS: /var/ossec
    What's the IP Address of the OSSEC HIDS server? 192.168.1.2
    Do you want to run the integrity check daemon? y
    Do you want to run the rootkit detection engine? y
    Do you want to enable active response? y

This is an agent installation; the server address question only appears when "agent" is chosen.

Import the key generated by the server:

root@linuxclient:~# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v1.3 Agent manager.       *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: i

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit): GetYourOwnKeyMDAxIGRlYXRoc5MDk1NA==

Agent information:
   ID:001
   Name:linuxclient
   IP Address:192.168.1.27

Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.

Restart the OSSEC server and agent:

root@darkstar:~# /var/ossec/bin/ossec-control restart
root@linuxclient:~# /var/ossec/bin/ossec-control restart

Check the status of the agent:

root@darkstar:~# /var/ossec/bin/list_agents -a
linuxclient-192.168.1.27 is available.

The agent talks to the server on UDP port 1514, and the remote syslog option enabled above listens on UDP 514. The rc.firewall script created earlier only accepts the listed TCP ports, so add a rule accepting UDP 1514 from each agent's address; otherwise list_agents will never report the agent as available.

--[ LogWatch Installation ]--

Install LogWatch to monitor the system and the logs for abnormal behavior. Yes, OSSEC is installed for this purpose. Yes, installing LogWatch is redundant. It's a good idea anyway.
dentonj@darkstar:downloads$ wget ftp://ftp.kaybee.org/pub/linux/logwatch-7.3.6.tar.gz
dentonj@darkstar:downloads$ cd ../src
dentonj@darkstar:src$ gzip -cd ../downloads/logwatch-7.3.6.tar.gz | tar xf -
dentonj@darkstar:src$ cd logwatch-7.3.6
dentonj@darkstar:logwatch-7.3.6$ su
root@darkstar:logwatch-7.3.6# chmod 700 install_logwatch.sh
root@darkstar:logwatch-7.3.6# ./install_logwatch.sh

Enter the path to the Logwatch BaseDir: Use Default
Enter the path for the Logwatch ConfigDir: Use Default
Enter the dir name to be used for temp files: Use Default
Enter the location of perl: Use Default
Enter the dir name to be used for the manpage: /usr/man

Configure LogWatch:

root@darkstar:~# cd /usr/share/logwatch/default.conf
root@darkstar:default.conf# cp -R * /etc/logwatch/conf
root@darkstar:default.conf# cd ../scripts
root@darkstar:scripts# cp -R * /etc/logwatch/scripts
root@darkstar:scripts# vi /etc/logwatch/conf/logwatch.conf
Print = No
Detail = High
#Service = "-zz-network"
#Service = "-zz-sys"
#Service = "-eximstats"

--[ Increase system log retention ]--

By default, logrotate keeps only 4 weeks of system logs, and the login records in wtmp and btmp are rotated monthly with only one old copy kept. Change the retention to one year. With the default weekly rotation, "rotate 52" keeps a year of system logs; wtmp and btmp rotate monthly, so "rotate 12" keeps a year of login records:

root@darkstar:~# vi /etc/logrotate.conf
compress
rotate 52

/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 12
}

/var/log/btmp {
    monthly
    create 0600 root root
    rotate 12
}

root@darkstar:~# vi /etc/logrotate.d/httpd
rotate 52

--[ Keep the system clock synced ]--

Snort, OSSEC and the web server logs are only as useful as their timestamps, so keep the clock synchronized.

root@darkstar:~# vi /etc/cron.daily/ntpdate
#!/bin/sh
/usr/sbin/ntpdate clock.via.net && /sbin/hwclock --systohc

root@darkstar:~# chmod 700 /etc/cron.daily/ntpdate

--[ Optimize the kernel ]--

The file /etc/sysctl.conf is read by /etc/rc.d/rc.S at boot. However, the file does not exist by default.
Create the file and add the following:

root@darkstar:~# vi /etc/sysctl.conf
net.core.netdev_max_backlog = 2500
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 87380 16777216
net.ipv4.tcp_no_metrics_save = 1

Look at http://www-didc.lbl.gov/TCP-tuning/linux.html for more information.

--[ Optimize the network interface ]--

Change the rx ring parameters for the interface. Run the following to get the current settings.

root@darkstar:~# ethtool -g eth0

Look at the "RX" settings. If the current setting is lower than the pre-set maximum, run the following command, replacing 512 with the maximum:

root@darkstar:~# ethtool -G eth0 rx 512

Add the same command to rc.local so the setting survives a reboot:

root@darkstar:~# vi /etc/rc.d/rc.local
/usr/sbin/ethtool -G eth0 rx 512

--[ Optimizing MySQL ]--

Some of the configuration changes that have already been made were to increase the performance of MySQL. On busy networks, the tables in the Snort database can quickly become fragmented. I run the following SQL script once a week to optimize the tables. Since a password is required, I do not use cron to run this script. (mysqlcheck -o snort does the same job; if you do want cron to run it, keep the credentials in a mode 600 .my.cnf in root's home directory rather than on the command line, where ps would show them.)
root@darkstar:~# vi optimize_snort.sql
optimize table acid_ag;
optimize table acid_ag_alert;
optimize table acid_event;
optimize table acid_ip_cache;
optimize table base_roles;
optimize table base_users;
optimize table data;
optimize table detail;
optimize table encoding;
optimize table event;
optimize table icmphdr;
optimize table iphdr;
optimize table opt;
optimize table reference;
optimize table reference_system;
optimize table schema;
optimize table sensor;
optimize table sig_class;
optimize table sig_reference;
optimize table signature;
optimize table tcphdr;
optimize table udphdr;

root@darkstar:~# mysql -p snort < optimize_snort.sql

--[ Start Snort and Barnyard ]--

Start Snort and Barnyard:

root@darkstar:~# /etc/rc.d/rc.snort start
root@darkstar:~# /etc/rc.d/rc.barnyard start

Verify Snort and Barnyard are running:

root@darkstar:~# ps auxww | grep snort
root@darkstar:~# ps auxww | grep barnyard

If either one is not running, check the logs to determine the problem:

root@darkstar:~# less /var/log/messages
root@darkstar:~# less /var/log/syslog

If Barnyard seems to start but then exits without an error, comment out the "config daemon" line in its configuration file, start Barnyard in the foreground and look for any errors. After everything is working properly, change rc.local so Snort and Barnyard start during bootup:

root@darkstar:~# vi /etc/rc.d/rc.local
if [ -x /etc/rc.d/rc.snort ]; then
  /etc/rc.d/rc.snort start
fi
if [ -x /etc/rc.d/rc.barnyard ]; then
  /etc/rc.d/rc.barnyard start
fi

--[ NTOP Installation ]--

From the webpage for ntop, "ntop is a network traffic probe that shows the network usage, similar to what the popular top Unix command does." Before ntop can be installed, rrdtool must be installed.
dentonj@darkstar:downloads$ wget http://oss.oetiker.ch/rrdtool/pub/rrdtool-1.2.23.tar.gz
dentonj@darkstar:downloads$ cd ../src
dentonj@darkstar:src$ gzip -cd ../downloads/rrdtool-1.2.23.tar.gz | tar xf -
dentonj@darkstar:src$ cd rrdtool-1.2.23
dentonj@darkstar:rrdtool-1.2.23$ ./configure
dentonj@darkstar:rrdtool-1.2.23$ make
dentonj@darkstar:rrdtool-1.2.23$ su
root@darkstar:rrdtool-1.2.23# make install
root@darkstar:rrdtool-1.2.23# cd /usr/local
root@darkstar:local# ln -s rrdtool-1.2.23 rrdtool

Download and install ntop.

dentonj@darkstar:downloads$ wget http://easynews.dl.sourceforge.net/sourceforge/ntop/ntop-3.3.tar.gz
dentonj@darkstar:downloads$ cd ../src
dentonj@darkstar:src$ gzip -cd ../downloads/ntop-3.3.tar.gz | tar xf -
dentonj@darkstar:src$ cd ntop-3.3
dentonj@darkstar:ntop-3.3$ ./autogen.sh
dentonj@darkstar:ntop-3.3$ make
dentonj@darkstar:ntop-3.3$ su
root@darkstar:ntop-3.3# make install

Create a user account that ntop will use while running. It exists only so ntop can drop root privileges, so it gets no login shell.

root@darkstar:ntop-3.3# groupadd ntop
root@darkstar:ntop-3.3# useradd -g ntop ntop -s /bin/false
root@darkstar:ntop-3.3# chown -R ntop.ntop /usr/local/share/ntop

Copy files that will need to be used by ntop to the configuration directory. (ntop-cert.pem is the certificate and key shipped in the tarball, so every ntop install that keeps it presents the same key; generate your own for the HTTPS server.)

root@darkstar:ntop-3.3# mkdir /etc/ntop
root@darkstar:ntop-3.3# cp etter.finger.os.gz /etc/ntop
root@darkstar:ntop-3.3# cp oui.txt.gz /etc/ntop
root@darkstar:ntop-3.3# cp specialMAC.txt.gz /etc/ntop
root@darkstar:ntop-3.3# cp ntop-cert.pem /etc/ntop
root@darkstar:ntop-3.3# cp p2c.opt.table.gz /etc/ntop
root@darkstar:ntop-3.3# mkdir /var/ntop
root@darkstar:ntop-3.3# cp packages/debian.official/protocol.list /usr/local/share/ntop/
root@darkstar:ntop-3.3# cp ntop.8 /usr/local/man/man8/

Copy the configuration file for ntop to the configuration directory.
root@darkstar:ntop-3.3# cp packages/RedHat/ntop.conf.sample /etc/ntop.conf

Configure ntop:

root@darkstar:ntop-3.3# vi /etc/ntop.conf
--interface eth0
--https-server 3001
#--daemon
--use-syslog=daemon
--no-mac

Set a password for ntop (--daemon is still commented out at this point so the password prompt stays attached to the terminal):

root@darkstar:ntop-3.3# /usr/local/bin/ntop @/etc/ntop.conf -A

Configure ntop to run in daemon mode:

root@darkstar:ntop-3.3# vi /etc/ntop.conf
--daemon

Create the startup script to start ntop:

root@darkstar:ntop-3.3# vi /etc/rc.d/rc.ntop
#!/bin/sh
#
# Start/Stop/Restart NTOP
#

# Basic checks
[ -x "/usr/local/bin/ntop" ] || exit 1
[ -r "/etc/ntop.conf" ] || exit 1
[ -r "/var/ntop/ntop_pw.db" ] || exit 1

ntop_start() {
  echo "Starting NTOP..."
  /usr/local/bin/ntop -d -L @/etc/ntop.conf
}

ntop_stop() {
  echo "Stopping NTOP..."
  /bin/killall ntop
}

ntop_restart() {
  ntop_stop
  /usr/bin/sleep 2
  ntop_start
}

case "$1" in
'start')
  ntop_start
  ;;
'stop')
  ntop_stop
  ;;
'restart')
  ntop_restart
  ;;
*)
  echo "usage $0 start|stop|restart"
esac

root@darkstar:ntop-3.3# chmod 700 /etc/rc.d/rc.ntop
root@darkstar:ntop-3.3# /etc/rc.d/rc.ntop start

Change rc.local so NTOP starts during bootup:

root@darkstar:ntop-3.3# vi /etc/rc.d/rc.local
if [ -x /etc/rc.d/rc.ntop ]; then
  /etc/rc.d/rc.ntop start
fi

--[ Stunnel ]--

Stunnel wraps the Barnyard-to-MySQL connection from a remote sensor in TLS, so the database password and the alert data do not cross the network in the clear. Stunnel should already be installed with Slackware. To verify Stunnel is installed:

root@darkstar:~# stunnel -version

On the server (the system running MySQL):

Create the Stunnel configuration file. Stunnel listens on 3307 and hands each connection to MySQL on 3306:

root@darkstar:~# vi /etc/stunnel/stunnel.conf
;
; stunnel.conf
;
cert = /etc/stunnel/stunnel.pem
pid = /var/run/stunnel.pid
client = no

[3306]
accept = 3307
connect = 3306

Generate a new stunnel.pem key. Answer the questions appropriately. The file ends up holding the private key as well as the certificate, so it must stay readable by root only:

root@darkstar:~# cd /etc/stunnel && ./generate-stunnel-key.sh
Generating a 1024 bit RSA private key
.....++++++
............................++++++
writing new private key to 'stunnel.pem'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [PL]:US
State or Province Name (full name) [Some-State]:Arizona
Locality Name (eg, city) []:Sierra Vista
Organization Name (eg, company) []:Cochiselinux
Organizational Unit Name (eg, section) []:
Common Name (FQDN of your server) [localhost]:
subject= /C=US/ST=Arizona/L=Sierra Vista/O=Cochiselinux/CN=localhost
notBefore=Aug 23 14:14:21 2007 GMT
notAfter=Aug 22 14:14:21 2008 GMT
SHA1 Fingerprint=A0:CA:38:AA:B4:5E:2E:7C:A2:F9:82:24

Note the fingerprint; it is what you compare against on the sensor to be sure the certificate it sees is this one. The certificate is valid for one year, so plan to regenerate it before notAfter.

Add the remote sensor to the sensor table in the snort database, so Barnyard on the client can log under sensor_id 2:

root@darkstar:~# mysql -p
mysql> insert into snort.sensor (sid,hostname,interface,filter,detail,encoding,last_cid) values (2,"192.168.1.27","eth1","",1,0,0);
mysql> select * from snort.sensor;
+-----+--------------+-----------+--------+--------+----------+----------+
| sid | hostname     | interface | filter | detail | encoding | last_cid |
+-----+--------------+-----------+--------+--------+----------+----------+
|   1 | localhost    | eth1      |        |      1 |        0 |     2969 |
|   2 | 192.168.1.27 | eth1      |        |      1 |        0 |        0 |
+-----+--------------+-----------+--------+--------+----------+----------+
2 rows in set (0.00 sec)

Create the startup script for Stunnel:

root@darkstar:~# vi /etc/rc.d/rc.stunnel
#!/bin/sh
#
# Start/Stop/Restart Stunnel
#

stunnel_start() {
  echo "Starting stunnel..."
  /usr/sbin/stunnel /etc/stunnel/stunnel.conf
}

stunnel_stop() {
  echo "Stopping stunnel..."
  /bin/killall stunnel
}

stunnel_restart() {
  stunnel_stop
  /usr/bin/sleep 2
  stunnel_start
}

case "$1" in
'start')
  stunnel_start
  ;;
'stop')
  stunnel_stop
  ;;
'restart')
  stunnel_restart
  ;;
*)
  echo "usage $0 start|stop|restart"
esac

root@darkstar:~# chmod 700 /etc/rc.d/rc.stunnel
root@darkstar:~# vi /etc/rc.d/rc.local
if [ -x /etc/rc.d/rc.stunnel ]; then
  /etc/rc.d/rc.stunnel start
fi
root@darkstar:~# /etc/rc.d/rc.stunnel start

On the client:

Install and configure Snort
Install and configure Barnyard
Install and configure Oinkmaster
Install and configure Logwatch
Configure the firewall
Configure the kernel
Configure Logrotate
Install and configure OSSEC Agent

Create the Stunnel configuration file. Stunnel listens locally on 3306, where Barnyard expects MySQL, and forwards over TLS to 3307 on the server:

root@snortsensor:~# vi /etc/stunnel/stunnel.conf
;
; stunnel.conf
;
pid = /var/run/stunnel.pid
client = yes

[3307]
accept = 3306
connect = 192.168.1.2:3307

Create the startup script for Stunnel, using the same rc.stunnel as on the server:

root@snortsensor:~# vi /etc/rc.d/rc.stunnel
root@snortsensor:~# chmod 700 /etc/rc.d/rc.stunnel
root@snortsensor:~# vi /etc/rc.d/rc.local
if [ -x /etc/rc.d/rc.stunnel ]; then
  /etc/rc.d/rc.stunnel start
fi

Test the Stunnel connection:

root@snortsensor:~# openssl s_client -connect 192.168.1.2:3307
CONNECTED(00000003)
depth=0 /C=US/ST=Arizona/L=Sierra Vista/O=Cochiselinux/CN=localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=Arizona/L=Sierra Vista/O=Cochiselinux/CN=localhost
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Arizona/L=Sierra Vista/O=Cochiselinux/CN=localhost
   i:/C=US/ST=Arizona/L=Sierra Vista/O=Cochiselinux/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICaTCCAdKgAwIBAgIJAONNMRMSpxQqMA0GCSqGSIb3DQEBBQUAMGsxCzAJBgNV
BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRUwEwYDVQQHEwxTaWVycmEgVmlzdGEx
HzAdBgNVBAoTFlN0dW5uZWwgRGV2ZWxvcGVycyBMdGQxEjAQBgNVBAMTCWxvY2Fs
-----END CERTIFICATE-----
subject=/C=US/ST=Arizona/L=Sierra Vista/O=Cochiselinux/CN=localhost
issuer=/C=US/ST=Arizona/L=Sierra Vista/O=Cochiselinux/CN=localhost
---
No client certificate CA names sent
---
SSL handshake has read 783 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: E42CFF92027106F3FE0344EBFC9ED51800AB
    Session-ID-ctx:
    Master-Key: 7280027DEC46FF305EBECDA8225B43E191D2
    Key-Arg   : None
    Start Time: 1190554391
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
8
5.0.37-log=Ui1U<j!c,OB=LG_&@MCI%closed

The "self signed certificate" error is expected here, because s_client was given no CA to check against. Note that the client stunnel.conf above does not set a verify option either, so it will accept whatever certificate answers on 192.168.1.2:3307. The mostly binary last line is the MySQL 5.0.37 server greeting arriving through the tunnel, which confirms that the far end is the database.

Ensure that MySQL is not running on the client and start Stunnel (making rc.mysql non-executable keeps it from being started at boot):

root@snortsensor:~# /etc/rc.d/rc.mysql stop
root@snortsensor:~# chmod 600 /etc/rc.d/rc.mysql
root@snortsensor:~# /etc/rc.d/rc.stunnel start

Configure the output for Barnyard. Specify the IP that the client is using with the "server" entry. Using "localhost" will cause Barnyard to attempt to connect to "/var/run/mysql/mysql.sock". Since MySQL is not running on the client, Barnyard will exit with an error. barnyard.conf now holds the database password, so keep it readable by root only.

root@snortsensor:~# vi /etc/snort/barnyard.conf
output log_acid_db: mysql, sensor_id 2, database snort, server 192.168.1.27, user snort, detail full, password mysqlsnortpassword

If the line "config daemon" is commented out in "/etc/snort/barnyard.conf", the following should be seen when starting Barnyard:

root@snortsensor:~# /etc/rc.d/rc.snort start
root@snortsensor:~# /etc/rc.d/rc.barnyard start
Starting Barnyard...
Barnyard Version 0.2.0 (Build 32)
Starting data processing using information from bookmark file
Opened spool file '/var/log/snort/snort.log.1190549663'
OpAcidDB configured
  Database Flavour: mysql
  Database Server: 192.168.1.27
  Database User: snort
  SensorID: 2
  Next CID: 1
Waiting for new data

Use IPTraf to verify the Stunnel connection.
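IPTraf shows that the traffic is flowing through port 3307, but not whether the sensor checked who it was talking to. With no verify option in the client stunnel.conf, the sensor hands its database password to anything that answers on 192.168.1.2:3307. The script below is an added example, not part of this guide or of the Stunnel package: it generates the server certificate non-interactively, exports only the public certificate for copying to the sensor, and writes server and client configurations that pin that certificate and bind the listeners narrowly. Assumptions that are not in the guide: a 2048-bit key instead of the 1024-bit default of generate-stunnel-key.sh, mysqld on the server bound to 127.0.0.1, the pinned copy stored on the sensor as /etc/stunnel/server-cert.pem, and Barnyard pointed at "server 127.0.0.1" (TCP, unlike "localhost"). Every path is a parameter, so it can be run in a scratch directory before anything is copied into /etc/stunnel.

```shell
#!/bin/sh
# Added example, not part of the original guide or of the Stunnel package.
# Builds a pinned Stunnel setup for the Barnyard-to-MySQL tunnel without
# interactive prompts. Assumptions not taken from the guide: a 2048-bit key
# instead of the script's 1024-bit default, mysqld on the server bound to
# 127.0.0.1, and the server's public certificate copied to the sensor as
# /etc/stunnel/server-cert.pem. Every path is a parameter so the functions
# can be tried in a scratch directory before touching /etc/stunnel.

# Generate stunnel.pem (private key followed by certificate, as
# generate-stunnel-key.sh lays it out) for the given CN.
gen_stunnel_pem() {
    # $1 = output stunnel.pem, $2 = CN for the certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=US/ST=Arizona/L=Sierra Vista/O=Cochiselinux/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null || return 1
    # The combined file holds the private key: root-only.
    cat "$1.key" "$1.crt" > "$1" && chmod 600 "$1" && rm -f "$1.key" "$1.crt"
}

# Copy only the CERTIFICATE block out of stunnel.pem. This is the file that
# travels to the sensor; the private key never leaves the server.
export_server_cert() {
    # $1 = stunnel.pem, $2 = output certificate file
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" > "$2"
    [ -s "$2" ]
}

# SHA-256 fingerprint of the certificate in a file (key material, if any,
# is skipped). Compare the value on the server with the copy on the sensor
# over a channel you trust before relying on the pin.
cert_fingerprint() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Server side: listen only on the sensor-facing address and hand the
# connection to mysqld on the loopback interface, where it is assumed to be
# bound (bind-address = 127.0.0.1), so port 3306 is never offered in the clear.
write_server_conf() {
    # $1 = output stunnel.conf, $2 = stunnel.pem path, $3 = server IP
    cat > "$1" <<EOF
cert = $2
pid = /var/run/stunnel.pid
client = no

[mysql]
accept = $3:3307
connect = 127.0.0.1:3306
EOF
}

# Sensor side: verify = 2 makes stunnel reject any server certificate that
# does not chain to CAfile, and CAfile holds only the pinned self-signed
# server certificate, so only that server can terminate the tunnel. The
# local listener is bound to 127.0.0.1 so other hosts cannot use the sensor
# as an unauthenticated relay into the database; Barnyard then uses
# "server 127.0.0.1", which the MySQL client library treats as TCP, unlike
# "localhost".
write_client_conf() {
    # $1 = output stunnel.conf, $2 = pinned server certificate, $3 = server IP
    cat > "$1" <<EOF
pid = /var/run/stunnel.pid
client = yes
verify = 2
CAfile = $2

[mysql]
accept = 127.0.0.1:3306
connect = $3:3307
EOF
}

# Build all four files in a directory and confirm the exported copy carries
# the same certificate as stunnel.pem. Returns 0 when the fingerprints match.
build_and_check() {
    # $1 = scratch directory, $2 = server IP
    mkdir -p "$1" || return 1
    gen_stunnel_pem "$1/stunnel.pem" "$2" || return 1
    export_server_cert "$1/stunnel.pem" "$1/server-cert.pem" || return 1
    write_server_conf "$1/server.conf" "$1/stunnel.pem" "$2"
    write_client_conf "$1/client.conf" "$1/server-cert.pem" "$2"
    [ "$(cert_fingerprint "$1/stunnel.pem")" = "$(cert_fingerprint "$1/server-cert.pem")" ]
}

# Run as: STUNNEL_DEMO_DIR=/tmp/stunnel-demo sh stunnel-pin.sh
if [ -n "${STUNNEL_DEMO_DIR:-}" ]; then
    build_and_check "$STUNNEL_DEMO_DIR" "${STUNNEL_SERVER_IP:-192.168.1.2}" \
        && echo "pinned certificate: $(cert_fingerprint "$STUNNEL_DEMO_DIR/server-cert.pem")"
fi
```

Once the real files are in place, repeat the s_client test from the sensor with the pinned copy: openssl s_client -connect 192.168.1.2:3307 -CAfile /etc/stunnel/server-cert.pem should now end with "Verify return code: 0 (ok)" instead of 18, and cert_fingerprint run on both hosts should print the same value. If the server certificate is regenerated, the copy on every sensor must be replaced, or the tunnel will refuse to connect; that refusal is the pin doing its job.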
root@snortsensor:~# iptraf
192.168.1.2:3307    = 50205   7118351   -PA-  eth0
192.168.1.27:54356  = 50696   18768688  --A-  eth0
192.168.1.27:54355  = 101379  30158512  --A-  lo
192.168.1.27:3306   = 100345  7899016   -PA-  lo

The only connection leaving on eth0 is the encrypted one to 192.168.1.2:3307; the plaintext MySQL traffic on port 3306 appears on lo only, between Barnyard and the local Stunnel listener.

On the server, verify the client is inserting entries in the snort database:

root@darkstar:~# mysql -p
mysql> select * from snort.sensor;
+-----+--------------+-----------+--------+--------+----------+----------+
| sid | hostname     | interface | filter | detail | encoding | last_cid |
+-----+--------------+-----------+--------+--------+----------+----------+
|   1 | localhost    | eth1      |        |      1 |        0 |    64338 |
|   2 | 192.168.1.27 | eth1      |        |      1 |        0 |    11002 |
+-----+--------------+-----------+--------+--------+----------+----------+
2 rows in set (0.00 sec)

To add another Snort sensor, repeat the above with a new sid in the sensor table and a matching sensor_id in that sensor's barnyard.conf.

--[ When You Are Done ]--

Join the irc channel #slackware on irc.oftc.net and talk about everything but Slackware.