Install and configure the Snort intrusion detection system on Ubuntu
- We begin by installing the dependencies:
apt-get install mysql-server nmap nbtscan apache2 php5 php5-mysql php5-gd \
  libpcap0.8-dev libpcre3-dev g++ bison flex libpcap-ruby make zlib1g-dev \
  libmysqld-dev libdnet libdnet-dev libpcre3 libpcre3-dev gcc make flex byacc \
  bison linux-headers-generic libxml2-dev libdumbnet-dev zlib1g zlib1g-dev \
  checkinstall
- After choosing a strong password for the MySQL root user and skipping the configuration of the DECnet package, we update the system to make sure we are current on security patches, and reboot.
apt-get update
apt-get upgrade
reboot
1. First we download and install the data acquisition library (DAQ) that Snort uses:
mkdir -p /usr/local/src/snort
cd /usr/local/src/snort
wget http://www.snort.org/dl/snort-current/daq-0.6.2.tar.gz
tar zxvf daq-0.6.2.tar.gz
cd daq-0.6.2
./configure
make
checkinstall
2. Install and configure Snort:
cd /usr/local/src/snort
wget http://www.snort.org/dl/snort-current/snort-2.9.2.3.tar.gz
tar zxvf snort-2.9.2.3.tar.gz
cd snort-2.9.2.3
./configure --prefix=/usr/local/snort
- /usr/local/snort is the installation path.
make
checkinstall
3. Create the snort user and group:
groupadd snort
useradd -g snort snort
4. Create links to the Snort files (the links themselves are created in step 7 below):
5. Installing the Snort rules:
5.1 Download the rules Snort will use to detect threats (registration is required):
cd /usr/local/src/snort
5.2 Install the rules:
tar zxvf snortrules-snapshot-2923.tar.gz -C /usr/local/snort
mkdir /usr/local/snort/lib/snort_dynamicrules
cp /usr/local/snort/so_rules/precompiled/Ubuntu-10-4/x86-64/2.9.2.3/*o /usr/local/snort/lib/snort_dynamicrules
- (for 64-bit systems; on 32-bit systems replace x86-64 with i386)
6. Create the directory that will hold the Snort logs, assign it to the snort user, and create the needed links:
mkdir -p /usr/local/snort/var/log
chown snort:snort /usr/local/snort/var/log
ln -s /usr/local/snort/var/log /var/log/snort
- Do not create /var/log/snort beforehand: if that directory already exists, ln -s places the link inside it (as /var/log/snort/log) instead of making /var/log/snort itself the link.
7. Create the links for the dynamic rules and give the snort user ownership:
ln -s /usr/local/snort/lib/snort_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
ln -s /usr/local/snort/lib/snort_dynamicengine /usr/local/lib/snort_dynamicengine
ln -s /usr/local/snort/lib/snort_dynamicrules /usr/local/lib/snort_dynamicrules
chown -R snort:snort /usr/local/snort
8. Snort configuration:
8.1 Edit /usr/local/snort/etc/snort.conf and look for:
- The # Reputation preprocessor section; comment out every line in it:
# Reputation preprocessor. For more information see README.reputation
#preprocessor reputation:
# memcap 500,
# priority whitelist,
# nested_ip inner,
# whitelist $WHITE_LIST_PATH/white_list.rules,
# blacklist $BLACK_LIST_PATH/black_list.rules
- Finally, look for the line:
#output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
and add below it:
output unified2: filename snort.u2, limit 128
9. Dump the dynamic rules:
snort -c /usr/local/snort/etc/snort.conf --dump-dynamic-rules=/usr/local/snort/so_rules
- This command may fail with an error about the shared libraries; if so, it is enough to do the following:
LD_LIBRARY_PATH=/usr/local/lib
export LD_LIBRARY_PATH
10. Enable the dynamic rules: edit /usr/local/snort/etc/snort.conf, find the dynamic library rules section and uncomment all of its lines:
# dynamic library rules
include $SO_RULE_PATH/bad-traffic.rules
include $SO_RULE_PATH/chat.rules
include $SO_RULE_PATH/dos.rules
include $SO_RULE_PATH/exploit.rules
include $SO_RULE_PATH/icmp.rules
include $SO_RULE_PATH/imap.rules
include $SO_RULE_PATH/misc.rules
include $SO_RULE_PATH/multimedia.rules
include $SO_RULE_PATH/netbios.rules
include $SO_RULE_PATH/nntp.rules
include $SO_RULE_PATH/p2p.rules
include $SO_RULE_PATH/smtp.rules
include $SO_RULE_PATH/snmp.rules
include $SO_RULE_PATH/specific-threats.rules
include $SO_RULE_PATH/web-activex.rules
include $SO_RULE_PATH/web-client.rules
include $SO_RULE_PATH/web-iis.rules
include $SO_RULE_PATH/web-misc.rules
11. Check that Snort works correctly:
snort -c /usr/local/snort/etc/snort.conf -T
- We should get this output:
Snort successfully validated the configuration! Snort exiting
12. Start Snort automatically:
- First create the Snort launcher script inside /etc/init.d:
touch /etc/init.d/snortd
- Edit the script and enter the following code:
nano /etc/init.d/snortd
******script*******
#!/bin/sh
# $Id$
#
# snortd Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description: snort is a lightweight network intrusion detection tool that
#              currently detects more than 1100 host and network
#              vulnerabilities, portscans, backdoors, and more.
#
# Source the local configuration file, if it exists (under dash, sourcing a
# missing file aborts the script)
[ -r /etc/default/snort ] && . /etc/default/snort
# Convert the /etc/sysconfig/snort settings to something snort can
# use on the startup line.
if [ "$ALERTMODE"X = "X" ]; then
ALERTMODE=""
else
ALERTMODE="-A $ALERTMODE"
fi
if [ "$USER"X = "X" ]; then
USER="snort"
fi
if [ "$GROUP"X = "X" ]; then
GROUP="snort"
fi
if [ "$BINARY_LOG"X = "1X" ]; then
BINARY_LOG="-b"
else
BINARY_LOG=""
fi
if [ "$CONF"X = "X" ]; then
# default to the configuration of this installation (step 8)
CONF="-c /usr/local/snort/etc/snort.conf"
else
CONF="-c $CONF"
fi
if [ "$INTERFACE"X = "X" ]; then
INTERFACE="-i eth0"
else
INTERFACE="-i $INTERFACE"
fi
if [ "$DUMP_APP"X = "1X" ]; then
DUMP_APP="-d"
else
DUMP_APP=""
fi
if [ "$NO_PACKET_LOG"X = "1X" ]; then
NO_PACKET_LOG="-N"
else
NO_PACKET_LOG=""
fi
if [ "$PRINT_INTERFACE"X = "1X" ]; then
PRINT_INTERFACE="-I"
else
PRINT_INTERFACE=""
fi
if [ "$PASS_FIRST"X = "1X" ]; then
PASS_FIRST="-o"
else
PASS_FIRST=""
fi
if [ "$LOGDIR"X = "X" ]; then
LOGDIR=/var/log/snort
fi
# These are used by the 'stats' option
if [ "$SYSLOG"X = "X" ]; then
SYSLOG=/var/log/messages
fi
if [ "$SECS"X = "X" ]; then
SECS=5
fi
if [ ! "$BPFFILE"X = "X" ]; then
BPFFILE="-F $BPFFILE"
fi
######################################
# Now to the real heart of the matter:
# See how we were called.
case "$1" in
start)
echo -n "Starting snort: "
cd $LOGDIR
if [ "$INTERFACE" = "-i ALL" ]; then
for i in `cat /proc/net/dev|grep eth|awk -F ":" '{ print $1; }'`
do
mkdir -p "$LOGDIR/$i"
chown -R $USER:$GROUP $LOGDIR
/usr/local/snort/bin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF
done
else
for i in `echo $INTERFACE | sed s/"-i "//`
do
mkdir -p "$LOGDIR/$i"
chown -R $USER:$GROUP $LOGDIR
/usr/local/snort/bin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST $BPFFILE $BPF
done
fi
touch /var/lock/snort
echo
;;
stop)
echo -n "Stopping snort: "
killall snort
rm -f /var/lock/snort
echo
;;
reload)
echo "Sorry, not implemented yet"
;;
restart)
$0 stop
$0 start
;;
condrestart)
[ -e /var/lock/snort ] && $0 restart
;;
status)
# Ubuntu has no 'status' helper from /etc/init.d/functions; check with pidof
if pidof snort >/dev/null; then echo "snort is running"; else echo "snort is stopped"; fi
;;
stats)
TC=125 # Trailing context to grep
SNORTNAME='snort' # Process name to look for
if [ ! -x "/sbin/pidof" ]; then
echo "/sbin/pidof not present, sorry, I cannot go on like this!"
exit 1
fi
#Grab Snort's PID
PID=`pidof -o $$ -o $PPID -o %PPID -x ${SNORTNAME}`
if [ ! -n "$PID" ]; then # if we got no PID then:
echo "No PID found: ${SNORTNAME} must not be running."
exit 2
fi
echo ""
echo "*******"
echo "WARNING: This feature is EXPERIMENTAL - please report errors!"
echo "*******"
echo ""
echo "You can also run: $0 stats [long | opt]"
echo ""
echo "Dumping ${SNORTNAME}'s ($PID) statistics"
echo "please wait..."
# Get the date and tell Snort to dump stats as close together in
# time as possible--not 100%, but it seems to work.
startdate=`date '+%b %e %H:%M:%S'`
# This causes the stats to be dumped to syslog
kill -USR1 $PID
# Sleep for $SECS secs to give syslog a chance to catch up
# May need to be adjusted for slow/busy systems
sleep $SECS
if [ "$2" = "long" ]; then # Long format
egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG |
grep snort.*:
elif [ "$2" = "opt" ]; then # OPTimize format
# Just show stuff useful for optimizing Snort
egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG |
egrep "snort.*: Snort analyzed |snort.*: dropping|emory .aults:"
else # Default format
egrep -B 3 -A $TC "^$startdate .* snort.*: ={79}" $SYSLOG |
grep snort.*: | cut -d: -f4-
fi
;;
*)
echo "Usage: $0 {start|stop|reload|restart|condrestart|status|stats (long|opt)}"
exit 2
esac
exit 0
12. Make it executable:
chmod +x /etc/init.d/snortd
13. Configure the service to start at boot:
update-rc.d snortd defaults
14. Installing and configuring Barnyard2:
14.1 The line added earlier, output unified2: filename snort.u2, limit 128, writes the alerts to a local file with a 128 MB limit instead of writing each alert straight into the database. This is the recommended setup where Snort has to process a large volume of traffic, because Snort does not process the next packet until the alert has been written to the database, a slow operation, so packets could be dropped. Barnyard2 reads that file and writes the alerts into the database.
- Log in to MySQL as administrator:
mysql -h localhost -u root -p
- Create the snort database:
CREATE DATABASE snort;
- Create the snort user with password snort (the same password is used again in barnyard2.conf and srconf.php below; substitute your own):
CREATE USER snort IDENTIFIED BY 'snort';
- Grant the snort user privileges on the snort database on our server (localhost in this case) and exit:
GRANT ALL PRIVILEGES ON snort.* TO 'snort'@'localhost' IDENTIFIED BY 'snort' WITH GRANT OPTION;
quit;
- Create the needed tables by loading the schema shipped with Snort into the database:
mysql -u root -p snort < /usr/local/src/snort/snort-2.9.2.3/schemas/create_mysql
14.2 Download the Barnyard2 package, then compile and configure it:
wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
tar zxvf barnyard2-1.9.tar.gz
cd barnyard2-1.9
./configure --with-mysql
make
checkinstall
cp etc/barnyard2.conf /usr/local/snort/etc
mkdir /var/log/barnyard2
chown snort:snort /var/log/barnyard2
- A directory needs its execute bit to be entered, so it is given to the snort user rather than set to mode 666.
touch /var/log/snort/barnyard2.waldo
chown snort:snort /var/log/snort/barnyard2.waldo
nano /usr/local/snort/etc/barnyard2.conf
- Look for the line:
#output database: log, mysql, user=root password=test dbname=db host=localhost
uncomment it and replace it with:
output database: log, mysql, user=snort password=snort dbname=snort host=localhost
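As an added illustration, not part of the original guide, the following Python script parses the two unified2 record types Barnyard2 reads from the snort.u2 file described in 14.1: the legacy IDS event (type 7, which is what Snort writes when the output line carries neither vlan_event_types nor mpls_event_types; that mapping is an assumption stated here) and the packet record (type 2), which Barnyard2 ties to its alert through the shared sensor_id/event_id pair. The byte stream is constructed inline, so it runs without a Snort installation.

```python
import struct
from ipaddress import IPv4Address
# Record types from Snort's Unified2_common.h: 2 = packet that triggered an alert,
# 7 = legacy IDS event (written when "output unified2" carries neither
# vlan_event_types nor mpls_event_types; assumption). All fields are big-endian.
UNIFIED2_PACKET, UNIFIED2_IDS_EVENT = 2, 7
EVENT_FMT = "!" + "I" * 11 + "HHBBBB"   # 52-byte event body
PACKET_FMT = "!" + "I" * 7              # 28-byte packet header, then raw bytes

def parse_unified2(data):
    """Walk a unified2 byte stream and return one dict per record."""
    records, pos = [], 0
    while pos + 8 <= len(data):
        rtype, rlen = struct.unpack("!II", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + rlen]
        if len(body) < rlen:
            raise ValueError("truncated record at offset %d" % pos)
        if rtype == UNIFIED2_IDS_EVENT:
            f = struct.unpack(EVENT_FMT, body[:52])
            records.append({"type": "event", "sensor_id": f[0], "event_id": f[1],
                "event_second": f[2], "sid": f[4], "gid": f[5], "rev": f[6],
                "classification": f[7], "priority": f[8],
                "src": str(IPv4Address(f[9])), "dst": str(IPv4Address(f[10])),
                "sport": f[11], "dport": f[12], "proto": f[13], "blocked": f[16]})
        elif rtype == UNIFIED2_PACKET:
            f = struct.unpack(PACKET_FMT, body[:28])
            records.append({"type": "packet", "sensor_id": f[0], "event_id": f[1],
                "linktype": f[5], "packet": body[28:28 + f[6]]})
        else:  # extra-data and VLAN/MPLS event records are reported, not decoded
            records.append({"type": "unknown", "rtype": rtype, "length": rlen})
        pos += 8 + rlen
    return records

def make_event(sensor_id, event_id, sid, gid, src, dst, sport, dport, proto=6):
    """Constructed sample: a type-7 record laid out as Snort would write it."""
    body = struct.pack(EVENT_FMT, sensor_id, event_id, 1340000000, 0, sid, gid, 1,
                       0, 2, int(IPv4Address(src)), int(IPv4Address(dst)),
                       sport, dport, proto, 0, 0, 0)
    return struct.pack("!II", UNIFIED2_IDS_EVENT, len(body)) + body

def make_packet(sensor_id, event_id, payload, linktype=1):
    """Constructed sample: the type-2 packet record that follows the event."""
    body = struct.pack(PACKET_FMT, sensor_id, event_id, 1340000000,
                       1340000000, 0, linktype, len(payload)) + payload
    return struct.pack("!II", UNIFIED2_PACKET, len(body)) + body
# Constructed stream: one alert plus its packet, linked by sensor_id 1 / event_id 42.
SAMPLE = (make_event(1, 42, 1000001, 1, "192.0.2.10", "198.51.100.5", 51234, 80)
          + make_packet(1, 42, b"GET /cgi-bin/test HTTP/1.0\r\n\r\n"))
```

Running parse_unified2 over a real snort.u2.<timestamp> file read in binary mode gives the same dicts Barnyard2 turns into rows of the event and iphdr tables.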
15. Make Barnyard2 run at boot:
- Place the script inside /etc/init.d:
touch /etc/init.d/barnyard2
- Edit the script and paste the following content:
nano /etc/init.d/barnyard2
*****script*****
#!/bin/sh
#
# Init file for Barnyard2
#
#
# chkconfig: 2345 40 60
# description: Barnyard2 is an output processor for snort.
#
# processname: barnyard2
# config: /etc/sysconfig/barnyard2
# config: /etc/snort/barnyard.conf
# pidfile: /var/lock/subsys/barnyard2.pid
# paths of this installation (steps 2 and 8); with the stock /usr/sbin and
# /etc/snort paths these checks would make the script exit silently
[ -x /usr/local/snort/bin/snort ] || exit 1
[ -r /usr/local/snort/etc/snort.conf ] || exit 1
### Default variables
SYSCONFIG="/etc/default/barnyard2"
### Read configuration
[ -r "$SYSCONFIG" ] && . "$SYSCONFIG"
RETVAL=0
prog="barnyard2"
desc="Snort Output Processor"
start() {
echo -n $"Starting $desc ($prog): "
for INT in $INTERFACES; do
PIDFILE="/var/lock/barnyard2-$INT.pid"
ARCHIVEDIR="$SNORTDIR/$INT/archive"
WALDO_FILE="$SNORTDIR/$INT/barnyard2.waldo"
BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR/${INT} -w $WALDO_FILE -l $SNORTDIR/${INT} -a $ARCHIVEDIR -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS"
$prog $BARNYARD_OPTS
done
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && touch /var/lock/$prog
return $RETVAL
}
stop() {
echo -n $"Shutting down $desc ($prog): "
killall $prog
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f /var/lock/$prog
return $RETVAL
}
restart() {
stop
start
}
reload() {
echo -n $"Reloading $desc ($prog): "
killall $prog -HUP
RETVAL=$?
echo
return $RETVAL
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
restart
;;
reload)
reload
;;
condrestart)
[ -e /var/lock/$prog ] && restart
RETVAL=$?
;;
status)
# Ubuntu has no 'status' helper from /etc/init.d/functions; check with pidof
if pidof $prog >/dev/null; then
echo "$prog is running"
RETVAL=0
else
echo "$prog is stopped"
RETVAL=3
fi
;;
*)
echo "Usage: $0 {start|stop|restart|reload|condrestart|status}"
RETVAL=1
esac
exit $RETVAL
- Make it executable:
chmod +x /etc/init.d/barnyard2
- Configure the service to start at boot:
update-rc.d barnyard2 defaults
- Edit /etc/default/barnyard2 and insert the line:
nano /etc/default/barnyard2
LOG_FILE="snort.log"
- LOG_FILE must match the filename given on the output unified2 line in snort.conf (snort.u2 in step 8), and the script's start() also reads INTERFACES, SNORTDIR and CONF from this same file.
16. Install Snort Report:
cd /usr/local/src/snort
tar zxvf snortreport-1.3.3.tar.gz -C /var/www/
nano /var/www/snortreport-1.3.3/srconf.php
- Look for the following lines and enter the Snort database credentials:
// Put your snort database login credentials in this section
$server = "localhost";
$user = "snort";
$pass = "snort";
$dbname = "snort";
17. Test Snort:
- At this point it may return an error; the fix is to run:
service snortd restart
service barnyard2 restart
/usr/local/snort/bin/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0
IMPORTANT: PUT THE NETWORK INTERFACE IN PROMISCUOUS MODE.
ldconfig
This section is dedicated to creating Snort rules; I came across fairly complete documentation on the subject, so I decided to share it > Creating SNORT rules.