Install Snort IDS with Barnyard and Basic Analysis and Security Engine (BASE) on Fedora

An IDS may also be called a full content wiretap, which would be regulated by federal laws in the United States such as the Communications Privacy Act of 1986. Intercepting network traffic may be illegal if you are not the network administrator performing duties within your realm of work, or if it is not done in direct support of a criminal investigation. In other words, you should not install an IDS to spy on your neighbour's wireless traffic!

BASE

The Basic Analysis and Security Engine (BASE) is the old ACID. So when you see references to things like acid_db, that's talking about BASE.

Straight from the pig's mouth

Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and over 250,000 registered users, Snort has become the de facto standard for IPS.

I'll go through the complete installation of Snort, BASE/ACID, Barnyard, Apache, PHP, and MySQL starting from a generic installation of Fedora 11 (could be 8, could be 12, whatever; it will pretty much be the same on any RPM based distribution) and go from there. I'll download the tarballs for Snort, BASE, libnet, and Barnyard. These pieces will be compiled and installed from source code. The rest will be RPMs installed via YUM. Start by installing all of these required dependencies. Here's the list, but your specific package list and versions may vary. I'm just letting yum install all the latest packages. And I finish by running a "yum update -y" to get the whole system up to date. Your list may be larger or smaller than this since you may already have php, mysql, or other packages installed.

php-common-5.2.9-2.fc11.i586
mysql-libs-5.1.37-1.fc11.i586
mysql-5.1.37-1.fc11.i586
perl-DBI-1.607-2.fc11.i586
perl-DBD-MySQL-4.010-1.fc11.i586
php-cli-5.2.9-2.fc11.i586
php-pdo-5.2.9-2.fc11.i586
t1lib-5.1.2-3.fc11.i586
14:libpcap-devel-0.9.8-4.fc11.i586
php-5.2.9-2.fc11.i586
mysql-devel-5.1.37-1.fc11.i586
flex-2.5.35-5.fc11.i586
bison-2.4.1-2.fc11.i586
php-mysql-5.2.9-2.fc11.i586
mysql-server-5.1.37-1.fc11.i586
php-gd-5.2.9-2.fc11.i586
1:php-pear-1.7.2-3.fc11.noarch
php-pear-Numbers-Roman-1.0.2-3.fc11.noarch
php-pear-Numbers-Words-0.16.1-1.fc11.noarch
php-pear-Image-Color-1.0.3-1.fc11.noarch
php-pear-Image-Canvas-0.3.1-3.fc11.noarch
php-pear-Image-Graph-0.7.2-5.fc11.noarch
mysql-bench-5.1.37-1.fc11.i586
pcre-devel-7.8-2.fc11.i586

There are newer versions of the libnet package available, but you specifically need libnet-1.0.2a.tar.gz. You can search and find a bunch of mirrors or try the one I used below:

$ wget ftp://ftp.fi.debian.org/pub/gentoo/distfiles/libnet-1.0.2a.tar.gz
--2009-11-02 10:40:55-- ftp://ftp.fi.debian.org/pub/gentoo/distfiles/libnet-1.0.2a.tar.gz
=> `libnet-1.0.2a.tar.gz'
Resolving ftp.fi.debian.org... 130.230.54.99, 2001:708:310:54::99

2009-11-02 10:40:58 (148 KB/s) - `libnet-1.0.2a.tar.gz' saved [140191]

Unpack the tarball and run configure.

$ tar xzvf libnet-1.0.2a.tar.gz && cd Libnet* && ./configure

creating example/Makefile
creating libnet-config
creating include/config.h

Now make and install.

$ make && make install

./install-sh include/libnet/libnet-ospf.h /usr/include/libnet
./install-sh doc/libnet.3 /usr/man/man3/
./install-sh libnet-config /usr/bin/

Download snort from snort.org

# wget http://dl.snort.org/snort-current/snort-2.8.5.1.tar.gz

Run ./configure && make && make install

(make and make install will take a while)
...
test -z "/usr/local/man/man8" || mkdir -p -- "/usr/local/man/man8"
/usr/bin/install -c -m 644 './snort.8' '/usr/local/man/man8/snort.8'
test -z "/usr/local/lib/pkgconfig" || mkdir -p -- "/usr/local/lib/pkgconfig"
/usr/bin/install -c -m 644 'snort.pc' '/usr/local/lib/pkgconfig/snort.pc'
make[2]: Leaving directory `/opt/snort-2.8.5.1'
make[1]: Leaving directory `/opt/snort-2.8.5.1'


Add the snort group and user

# groupadd snort
# useradd -g snort snort
# passwd snort

Create the config and log directories. Then make sure the snort user owns them.

# mkdir /etc/snort && chown snort:snort /etc/snort
# mkdir /var/log/snort && chown snort:snort /var/log/snort

Create the alert file, owned and readable/writable only by the snort user.

# cd /var/log/snort/
# touch alert && chown snort:snort alert
# chmod 600 /var/log/snort/alert
# ls -l
total 0
-rw-------. 1 snort snort 0 2009-11-02 11:44 alert

Register an account with snort.org and download the latest rules file.

# wget http://dl.snort.org/sub-rules/snortrules-snapshot-CURRENT_s.tar.gz

If you're not logged in, you'll get 403'd.

403 Forbidden
You do not have permission to download this file.
Please make sure you're logged into Snort.org.
If you are logged into Snort.org, you may need a VRT subscription to access this file.

or from a shell:

# wget http://dl.snort.org/sub-rules/snortrules-snapshot-CURRENT_s.tar.gz
awaiting response… 403 Forbidden
2009-11-02 11:32:31 ERROR 403: Forbidden.

Unpack the rules into /etc/snort/

# tar xzvf snortrules* -C /etc/snort/

Move the contents of the etc directory to your /etc/snort/

# mv /etc/snort/etc/* /etc/snort/
# rmdir /etc/snort/etc

Make a backup of snort.conf so you can compare your settings to the defaults later.

# cd /etc/snort && cp snort.conf snort.conf.orig

At 1027 lines, the default snort.conf is pretty long. But more than 800 lines of that are comments. Here's a quick way to see configuration settings (for all kinds of config files) without having all the comments in the way.

# grep -v -e "^#" -e "^$" snort.conf

Change the RULE_PATH to /etc/snort/rules. The default is "../rules".

# sed 's|var RULE_PATH \.\./rules|var RULE_PATH /etc/snort/rules|' -i /etc/snort/snort.conf

Comment out additional "config detection" lines. My default had 2; you can just drop the 2nd one or move the pattern to the first line.

config detection: search-method ac-bnfa
#config detection: max_queue_events 5

Add snort.log output. I have seen guides that use "output unified2" but that didn't work for me. I ended up getting regular output instead. Here's what did work for me:

# echo "output alert_unified: filename snort.alert, limit 128" >> /etc/snort/snort.conf
# echo "output log_unified: filename snort.log" >> /etc/snort/snort.conf

Copy the precompiled rules for your distribution. I saw a guide on snort.org that called for copying or linking them to a path without the 's' at the end; that looks like a typo, but it isn't, at least not anymore. I am running FC11 with the latest free rules, which are tagged FC9. If you need to link them, here's how:

# cp /etc/snort/so_rules/precompiled/FC-9/i386/2.8.4/* /usr/local/lib/snort_dynamicrules/
# cd /usr/local/lib/
# ln -s snort_dynamicrules snort_dynamicrule
# ls -l
total 16
drwxr-xr-x. 2 root root 4096 2009-11-02 11:26 pkgconfig
drwxr-xr-x. 2 root root 4096 2009-11-02 11:26 snort_dynamicengine
drwxr-xr-x. 2 root root 4096 2009-11-02 11:26 snort_dynamicpreprocessor
lrwxrwxrwx. 1 root root 18 2009-11-02 12:51 snort_dynamicrule -> snort_dynamicrules
drwxr-xr-x. 2 root root 4096 2009-11-02 12:45 snort_dynamicrules

Start apache and mysql and set them to start in the default runlevels

# /etc/init.d/httpd start
# /etc/init.d/mysqld start
# chkconfig httpd on
# chkconfig mysqld on

Create the snort user and database.

# mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.1.37 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> set password for root@localhost=PASSWORD('mah_root_passwrd');
Query OK, 0 rows affected (0.00 sec)

mysql> create database snort;
Query OK, 1 row affected (0.00 sec)

mysql> grant create,select,update,insert,delete on snort.* to snort@localhost;
Query OK, 0 rows affected (0.01 sec)

mysql> set password for snort@localhost=PASSWORD('mah_snort_passwrd');
Query OK, 0 rows affected (0.00 sec)

mysql> exit
Bye

Go back to the source directory where you unpacked the snort tarball and create the snort database schema.

# cd /opt/snort-2.8.5.1
# cd schemas
# ls -l
total 80
-rw-r--r--. 1 root root 7592 2007-07-06 10:57 create_db2
-rw-r--r--. 1 root root 10167 2007-07-06 10:57 create_mssql
-rw-r--r--. 1 root root 8290 2007-07-06 10:57 create_mysql
-rw-r--r--. 1 root root 9219 2007-07-06 10:57 create_oracle.sql
-rw-r--r--. 1 root root 7210 2007-07-06 10:57 create_postgresql
-rw-r--r--. 1 root root 9475 2009-11-02 11:18 Makefile
-rw-r--r--. 1 root root 158 2006-06-30 13:17 Makefile.am
-rw-r--r--. 1 root root 9482 2009-10-19 16:08 Makefile.in
# mysql -p < create_mysql snort
Enter password:

You should see the snort database and a bunch of tables now. I double checked because there was no output, since I redirected the schema file into mysql.

mysql> connect snort;

Connection id: 6
Current database: snort

mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
16 rows in set (0.00 sec)

Download Acid, I mean BASE, the Basic Analysis and Security Engine Setup Program.

http://sourceforge.net/projects/secureideas/files/
(I used base-1.4.4.tar.gz)

Unpack it in your web root and make a 'base' link pointing to your base-version.

# tar xzvf base-1.4.4.tar.gz -C /var/www/html/
# cd /var/www/html/
# ln -s base-1.4.4 base

Change "$resolve_IP = 0;" to 1 if you don't mind the DNS traffic. Names are always prettier than IP addresses, right?

$ grep resolve_IP /var/www/html/base/base_conf.php
$resolve_IP = 0;

Open a browser and point it to your base installation.

http://192.168.1.2/base

Setup BASE through the browser with these settings:

adodb path = /usr/share/php/adodb

db type = MySQL
db name = snort
db host = localhost
db port = default
db user = snort
db pass = mah_snort_passwrd

(check "Use Archive Database")
archive db name = snort
archive db host = localhost
archive port = default
archive user name = snort
archive db pass = mah_snort_passwrd

admin user name = admin
password = mah_snort_passwrd
full name = Administrator

Click "Create BASE AG" and you should see the following results:

Successfully created 'acid_ag'
Successfully created 'acid_ag_alert'
Successfully created 'acid_ip_cache'
Successfully created 'acid_event'
Successfully created 'base_roles'
Successfully INSERTED Admin role
Successfully INSERTED Authenticated User role
Successfully INSERTED Anonymous User role
Successfully INSERTED Alert Group Editor role
Successfully created 'base_users'

Boom, Headshot! Now click the "Now continue to step 5..." link, to uhh, continue.


Download Barnyard

http://sourceforge.net/projects/barnyard/files/barnyard-0.2/0.2.0/barnyard-0.2.0.tar.gz/download

Configure using "--enable-mysql", then make and install. Some guides say to use "--with-mysql", but looking at the configure options, that doesn't seem to work. You can specify a nonstandard mysql or postgres include and library path using "--with-...", but you start by specifying "--enable-mysql" or "--enable-postgres".

# ./configure --enable-mysql && make && make install

make[2]: Nothing to be done for `install-data-am'.
make[2]: Leaving directory `/opt/barnyard-0.2.0'
make[1]: Leaving directory `/opt/barnyard-0.2.0'
# cp etc/barnyard.conf /etc/snort/

Change "snorthost" to "localhost" in barnyard.conf.

# sed 's/config hostname: snorthost/config hostname: localhost/' -i /etc/snort/barnyard.conf

Change the interface too. I'll use eth0 in the example below. This is a local interface on my machine. My external is eth1.

# sed 's/config interface: fxp0/config interface: eth0/' -i /etc/snort/barnyard.conf

Enable output to your mysql database using the following lines. (Note that even though it lists "sensor_id" as an argument, you don't want to specify that. I read somewhere in the book "Snort 2.1 Intrusion Detection" that this variable is determined for you, and you should not specify it. I tried it both ways and I only got database output without it.)

output alert_acid_db: mysql, database snort, server localhost, user snort, password mah_snort_passwrd
output log_acid_db: mysql, database snort, server localhost, user snort, password mah_snort_passwrd

Now start snort from a shell. Specify the config file and the interface to listen on. You need to start it to get the log file generated, which is the starting point for barnyard. In the future you would start barnyard first, I guess, so you don't miss any snort alerts. If all goes well, it should end like this:

# snort -c /etc/snort/snort.conf -i eth1
Initializing Network Interface eth1
Decoding Ethernet on interface eth1

[ Port Based Pattern Matching Memory ]
+-[AC-BNFA Search Info Summary]------------------------------
| Instances : 804
| Patterns : 265516
| Pattern Chars : 5146782
| Num States : 2630821
| Num Match States : 266525
| Memory : 57.63Mbytes
| Patterns : 10.98M
| Match Lists : 15.69M
| Transitions : 30.77M
+-------------------------------------------------

--== Initialization Complete ==--

,,_ -*> Snort! <*-
o" )~ Version 2.8.5.1 (Build 114)
By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2009 Sourcefire, Inc., et al.
Using PCRE version: 7.8 2008-09-05

Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.11
Rules Object: web-misc Version 1.0
Rules Object: web-client Version 1.0
Rules Object: sql Version 1.0
Rules Object: smtp Version 1.0
Rules Object: p2p Version 1.0
Rules Object: nntp Version 1.0
Rules Object: netbios Version 1.0
Rules Object: multimedia Version 1.0
Rules Object: misc Version 1.0
Rules Object: imap Version 1.0
Rules Object: exploit Version 1.0
Rules Object: dos Version 1.0
Rules Object: chat Version 1.0
Rules Object: bad-traffic Version 1.0
Preprocessor Object: SF_SSLPP Version 1.1
Preprocessor Object: SF_SSH Version 1.1
Preprocessor Object: SF_SMTP Version 1.1
Preprocessor Object: SF_FTPTELNET Version 1.2
Preprocessor Object: SF_DNS Version 1.1
Preprocessor Object: SF_DCERPC2 Version 1.0

Leave snort running and open another shell. Look for the snort log file. Note the ten-digit file suffix, in this case "1257194837".

# ls -l /var/log/snort/snort*
-rw-------. 1 root root 0 2009-11-02 14:47 /var/log/snort/snort.log.1257194837

Create a file named "barnyard.waldo" in the same directory with the following four lines of content:

/var/log/snort
snort.log
1257194837
0

Start barnyard with a snort config, gen-msg map, sid-msg map, spool dir, base name, and bookmark file. You can run barnyard with no options and it will tell you what each switch does. If you get a magic output error, you probably didn't configure snort.conf to output in the correct format. The guides on snort.org confused me at this point for a while, but once you have snort.conf's unified output set up properly, the synergy begins.

# /usr/local/bin/barnyard -c /etc/snort/barnyard.conf -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo

Opened spool file '/var/log/snort/snort.log.1257194837'
OpLogDump configured
Filename: dump.log
OpAcidDB configured
Database Flavour: mysql
Detail Level: Fast
Database Server: localhost
Database User: snort
SensorID: 1
Next CID: 1
Waiting for new data
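The three steps above (find the newest snort.log.&lt;timestamp&gt;, write barnyard.waldo, start barnyard) as one added shell script; this is not from the original post. It assumes the spool directory, base name and barnyard flags used above, and start_barnyard is a hypothetical wrapper name for the post's command line.

```shell
#!/bin/sh
# Added example, not from the original post. Builds barnyard.waldo from the
# newest unified log snort has written, instead of copying the ten-digit
# suffix by hand, then starts barnyard with the flags used in the post.

# Print the ten-digit timestamp suffix of the newest <base>.<timestamp> file
# in <spool>; fail if snort has not created one yet.
newest_log_ts() {
    spool=$1
    base_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots in "snort.log"
    ts=$(ls "$spool" 2>/dev/null \
         | sed -n 's/^'"$base_re"'\.\([0-9]\{10\}\)$/\1/p' \
         | sort -n | tail -1)
    [ -n "$ts" ] || { echo "no $2.<timestamp> in $spool yet" >&2; return 1; }
    echo "$ts"
}

# Write the four-line bookmark barnyard reads with -w: spool directory,
# log base name, timestamp suffix, byte offset (0 = start of the file).
make_waldo() {
    spool=$1; base=$2; waldo=$3
    ts=$(newest_log_ts "$spool" "$base") || return 1
    printf '%s\n%s\n%s\n0\n' "$spool" "$base" "$ts" > "$waldo"
}

# Hypothetical wrapper (assumed name): the barnyard command line from the post,
# with the bookmark generated first. Run it after snort has started.
start_barnyard() {
    spool=${1:-/var/log/snort}
    make_waldo "$spool" snort.log "$spool/barnyard.waldo" || return 1
    exec /usr/local/bin/barnyard -c /etc/snort/barnyard.conf \
        -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map \
        -d "$spool" -f snort.log -w "$spool/barnyard.waldo"
}
```

If no snort.log.&lt;timestamp&gt; exists yet, make_waldo fails instead of writing a bookmark with an empty suffix, which is the case that produces a barnyard that never finds its spool file.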

If you're not on a busy network (a test machine, a virtual environment, whatever), make some noise on your network: try pinging, or port scanning with nmap. Now go back to your browser and check the BASE page. You should start seeing traffic and alerts being processed.

If you want to make this run by default, create a few init scripts to launch snort and barnyard. I'll post my init scripts later... (since I haven't actually written them yet.)

Posted by admica   @   2 November 2009
