====== Snort + Barnyard2 + Base on FreeBSD 10 ======

===== Install Software =====

<code bash>
pkg install snort apache24 mysql56-server mod_php5 base wget
</code>

**Barnyard2 needs to be built from port to have mysql support**

<code bash>
cd /usr/ports/security/barnyard2
make config    # enable the MYSQL option
make install
</code>

===== Enable Services =====

**Edit /etc/rc.conf**

<code>
...
snort_enable="YES"
barnyard2_enable="YES"
barnyard2_flags="-d /var/log/snort -f snort.log"
apache24_enable="YES"
mysql_enable="YES"
...
</code>

===== Update Snort Rules =====

==== Obtain an Oinkcode ====

  - Go to https://www.snort.org/users/sign_in
  - Sign in or register
  - Go to https://www.snort.org/oinkcodes
  - Get your oinkcode from the line "https://www.snort.org/rules/snortrules-snapshot-2956.tar.gz?oinkcode=########"

==== Update Script ====

  * **Be sure to replace the Oinkcode**
  * **We are using snort 2.9.6.2 so we are downloading snortrules-snapshot-2962.tar.gz**

<code bash>
#!/bin/sh
# Stop at the first failed step so a bad download does not remove the rules already installed.
set -e
# Replace with your own oinkcode from https://www.snort.org/oinkcodes
OINKCODE=068c4616106479c8d9a55d11fc5eff4c9fbaaf6d
SNAPSHOT=snortrules-snapshot-2962.tar.gz
# --no-check-certificate is only needed while security/ca_root_nss is not installed;
# install it and drop the flag so the rule download is actually verified.

cd /tmp
wget --no-check-certificate https://www.snort.org/downloads/community/community-rules.tar.gz
tar xzf community-rules.tar.gz -C /usr/local/etc/snort/rules/
rm community-rules.tar.gz
# -O keeps the "?oinkcode=..." query string out of the saved file name, so the
# tar and rm steps below find the file.
wget --no-check-certificate -O "$SNAPSHOT" "https://www.snort.org/rules/$SNAPSHOT?oinkcode=$OINKCODE"
tar xzf "$SNAPSHOT" -C /usr/local/etc/snort/
rm "$SNAPSHOT"
# Keep the locally edited snort.conf and threshold.conf; install the rest of etc/.
rm /usr/local/etc/snort/etc/snort.conf
rm /usr/local/etc/snort/etc/threshold.conf
cd /usr/local/etc/snort/etc
mv * ../
rm -r /usr/local/etc/snort/etc
</code>

===== Configure Snort =====

**Edit /usr/local/etc/snort/snort.conf**

<code>
...
# Setup the network addresses you are protecting
ipvar HOME_NET 10.1.0.22,192.168.111.0/24,127.0.0.1

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET 209.81.120.225/27,216.189.128.9/30
...
# unified2
# Recommended for most installs
output unified2: filename snort.log, limit 128, mpls_event_types, vlan_event_types
...
</code>

**Edit /usr/local/etc/snort/threshold.conf**

<code>
...
suppress gen_id 1, sig_id 536
suppress gen_id 1, sig_id 648
suppress gen_id 1, sig_id 8375
suppress gen_id 1, sig_id 11192
suppress gen_id 1, sig_id 12286
suppress gen_id 1, sig_id 15147
suppress gen_id 1, sig_id 15306
suppress gen_id 1, sig_id 15362
suppress gen_id 1, sig_id 17458
suppress gen_id 1, sig_id 20583
suppress gen_id 1, sig_id 2000334
suppress gen_id 1, sig_id 2010516
suppress gen_id 1, sig_id 2012088
suppress gen_id 1, sig_id 2013222
suppress gen_id 1, sig_id 2014819
suppress gen_id 1, sig_id 2014520
suppress gen_id 1, sig_id 2101390
suppress gen_id 1, sig_id 2103134
suppress gen_id 1, sig_id 2500056
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 4
suppress gen_id 119, sig_id 14
suppress gen_id 119, sig_id 15
suppress gen_id 119, sig_id 19
suppress gen_id 119, sig_id 31
suppress gen_id 119, sig_id 32
suppress gen_id 119, sig_id 33
suppress gen_id 120, sig_id 2
suppress gen_id 120, sig_id 3
suppress gen_id 120, sig_id 4
suppress gen_id 120, sig_id 6
suppress gen_id 120, sig_id 8
suppress gen_id 120, sig_id 9
suppress gen_id 122, sig_id 19
suppress gen_id 122, sig_id 21
suppress gen_id 122, sig_id 22
suppress gen_id 122, sig_id 23
suppress gen_id 122, sig_id 26
suppress gen_id 129, sig_id 3
suppress gen_id 129, sig_id 12
suppress gen_id 129, sig_id 15
suppress gen_id 129, sig_id 17
suppress gen_id 137, sig_id 1
suppress gen_id 145, sig_id 2

# Sensitive Data disable
#
# Credit Card Numbers
suppress gen_id 138, sig_id 2
#
# U.S. Social Security Numbers (with dashes)
suppress gen_id 138, sig_id 3
#
# U.S. Social Security Numbers (w/out dashes)
suppress gen_id 138, sig_id 4
#
# Email Addresses
suppress gen_id 138, sig_id 5
#
# U.S. Phone Numbers
suppress gen_id 138, sig_id 6
suppress gen_id 139, sig_id 1

# Global event filter to limit events from a unique src to 1 in 60 seconds
# Disabled by default turn on if you want this functionality
#
# event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60
...
</code>
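As an added example that is not part of this wiki page: a Python reader for the unified2 records the output line in snort.conf produces (the file Barnyard2 is pointed at with -d /var/log/snort -f snort.log), plus a parser for the suppress lines of threshold.conf, so a candidate suppress list can be tried against an existing unified2 file (open(path, "rb").read()) to see which alerts it would silence before it is applied. Record types 2, 7 and 104 and their field layouts are Snort's; the sample event built by make_event, its addresses and the sids used in it are constructed here.

```python
import struct
# unified2 record types; with mpls_event_types/vlan_event_types Snort writes type 104, not 7.
UNIFIED2_PACKET, UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN = 2, 7, 104
EVENT_FMT = "!11I2H4B"  # 52-byte Unified2IDSEvent body, network byte order
EVENT_FIELDS = ("sensor_id event_id event_second event_microsecond signature_id generator_id "
                "signature_revision classification_id priority_id ip_source ip_destination "
                "sport_itype dport_icode protocol impact_flag impact blocked").split()

def parse_unified2(data):
    """Yield (record_type, fields) for each record in a unified2 byte stream."""
    off = 0
    while off + 8 <= len(data):
        rtype, length = struct.unpack_from("!II", data, off)
        body = data[off + 8:off + 8 + length]
        if len(body) != length:
            raise ValueError("truncated record at offset %d" % off)
        off += 8 + length
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN):
            ev = dict(zip(EVENT_FIELDS, struct.unpack_from(EVENT_FMT, body)))
            if rtype == UNIFIED2_IDS_EVENT_VLAN:  # 8 extra bytes: mpls label, vlan id, pad
                ev["mpls_label"], ev["vlan_id"] = struct.unpack_from("!IH", body, 52)
        elif rtype == UNIFIED2_PACKET:  # 28-byte header, then the raw packet bytes
            h = struct.unpack_from("!7I", body)
            ev = {"event_id": h[1], "linktype": h[5], "packet": body[28:28 + h[6]]}
        else:
            ev = {"raw": body}  # other record types (e.g. extra data) are kept opaque
        yield rtype, ev

def parse_suppress(conf_text):
    """Collect (gen_id, sig_id) pairs from the 'suppress' lines of threshold.conf."""
    pairs = set()
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments such as '# # Email Addresses'
        if line.startswith("suppress "):
            opts = dict(kv.split() for kv in line[9:].split(","))
            pairs.add((int(opts["gen_id"]), int(opts["sig_id"])))
    return pairs

def make_event(sig_id, gen_id=1):
    """Constructed type-104 event record for testing; not real sensor output."""
    body = struct.pack(EVENT_FMT, 0, 7, 1400000000, 0, sig_id, gen_id, 1, 0, 3,
                       0x0A010016, 0xC0A86F05, 80, 51000, 6, 0, 0, 0) + bytes(8)
    return struct.pack("!II", UNIFIED2_IDS_EVENT_VLAN, len(body)) + body

def unsuppressed_sids(data, conf_text):
    """Signature ids in the stream that the suppress list would still let through."""
    supp = parse_suppress(conf_text)
    return [ev["signature_id"] for _, ev in parse_unified2(data)
            if "signature_id" in ev and (ev["generator_id"], ev["signature_id"]) not in supp]
```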
===== Configure Barnyard =====

==== Configure Database ====

**Start MySQL**

<code bash>
/usr/local/etc/rc.d/mysql-server start
</code>

**Create Database**

<code>
mysql
create database snort;
quit;
</code>

**Populate Database**

<code bash>
mysql snort < /usr/local/share/examples/barnyard2/create_mysql
</code>

**Create Database user**

<code>
mysql
CREATE USER 'snort'@'localhost' IDENTIFIED BY 'snortpass';
GRANT ALL PRIVILEGES ON snort.* TO 'snort'@'localhost' WITH GRANT OPTION;
</code>

Barnyard2 only reads and writes the tables in the snort database, so WITH GRANT OPTION is not needed and can be left off.

==== Edit /usr/local/etc/barnyard2.conf ====

<code>
...
# Examples:
# output alert_fast
# output alert_fast: stdout
# output alert_fast
...
# Examples:
output database: log, mysql, user=snort password=snortpass dbname=snort host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, odbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
# output database: log, oracle, dbname=snort user=snort password=test
#
...
</code>

===== Start Snort and Barnyard2 =====

<code bash>
/usr/local/etc/rc.d/snort start
/usr/local/etc/rc.d/barnyard2 start
</code>

===== Configure Base (Snort Web Reporting) =====

==== Enable php ====

  * edit /usr/local/etc/apache24/httpd.conf

<code>
...
LoadModule php5_module libexec/apache24/libphp5.so
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
...
#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
DirectoryIndex index.php index.html
...
</code>

==== Make Base Accessible ====

<code bash>
cd /usr/local/www/
cp -rv base apache24/data/
cd apache24/data/
chown -R www base
</code>

==== Configure Base ====

  - Navigate in a web browser to http://127.0.0.1/base/setup/index.php
  - Set the adodb Path to /usr/local/share/adodb
  - Use the database settings we used above (mysql, database_name, username, password)