freebsd:snort_base [2014/08/08 14:24] tschulz |
freebsd:snort_base [2014/08/08 14:43] tschulz |
Line 3: | Line 3: | ||
===== Install Software ===== | ===== Install Software ===== | ||
<file> | <file> | ||
- | pkg install snort apache22 mysql56-server mod_php5 phpMyAdmin base wget | + | pkg install snort apache22 mysql56-server mod_php5 base wget |
</file> | </file> | ||
Line 13: | Line 13: | ||
make install | make install | ||
</file> | </file> | ||
+ | |||
+ | ===== Enable Services ===== | ||
+ | **Edit /etc/rc.conf** | ||
+ | <file config /etc/rc.conf> | ||
+ | ... | ||
+ | snort_enable="YES" | ||
+ | barnyard2_enable="YES" | ||
+ | barnyard2_flags="-d /var/log/snort -f snort.log" | ||
+ | apache24_enable="YES" | ||
+ | mysql_enable="YES" | ||
+ | ... | ||
+ | </file> | ||
+ | |||
===== Update Snort Rules ===== | ===== Update Snort Rules ===== | ||
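Review bot: `apache24_enable="YES"` in the new rc.conf block enables a service this page never installs — the install step lists `apache22`, whose rc.d script reads `apache22_enable`, so with these lines Apache (and therefore BASE, which it has to serve) will not come up at boot. Either the package list should become `pkg install snort apache24 mysql56-server mod_php5 base wget` to match this key and the `/usr/local/etc/apache24/httpd.conf` path used later on the page, or this line should read `apache22_enable="YES"`; the page should pick one version and use it consistently. Separately, `barnyard2_flags="-d /var/log/snort -f snort.log"` only works if snort's unified2 output writes `snort.log` into `/var/log/snort`, which presumably is set in the snort.conf section not shown in this hunk — a one-line comment such as `# must match "output unified2: filename snort.log" in snort.conf` would make the coupling explicit. Note that the "Update Snort Rules" section below this block is outside the hunk.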
Line 45: | Line 58: | ||
===== Configure Snort ===== | ===== Configure Snort ===== | ||
**Edit /usr/local/etc/snort/snort.conf** | **Edit /usr/local/etc/snort/snort.conf** | ||
- | <file> | + | <file config /usr/local/etc/snort/snort.conf> |
... | ... | ||
# Setup the network addresses you are protecting | # Setup the network addresses you are protecting | ||
Line 58: | Line 71: | ||
... | ... | ||
</file> | </file> | ||
+ | **Edit /usr/local/etc/snort/threshold.conf** | ||
+ | <file config /usr/local/etc/snort/threshold.conf> | ||
+ | ... | ||
+ | suppress gen_id 1, sig_id 536 | ||
+ | suppress gen_id 1, sig_id 648 | ||
+ | suppress gen_id 1, sig_id 8375 | ||
+ | suppress gen_id 1, sig_id 11192 | ||
+ | suppress gen_id 1, sig_id 12286 | ||
+ | suppress gen_id 1, sig_id 15147 | ||
+ | suppress gen_id 1, sig_id 15306 | ||
+ | suppress gen_id 1, sig_id 15362 | ||
+ | suppress gen_id 1, sig_id 17458 | ||
+ | suppress gen_id 1, sig_id 20583 | ||
+ | suppress gen_id 1, sig_id 2000334 | ||
+ | suppress gen_id 1, sig_id 2010516 | ||
+ | suppress gen_id 1, sig_id 2012088 | ||
+ | suppress gen_id 1, sig_id 2013222 | ||
+ | suppress gen_id 1, sig_id 2014819 | ||
+ | suppress gen_id 1, sig_id 2014520 | ||
+ | suppress gen_id 1, sig_id 2101390 | ||
+ | suppress gen_id 1, sig_id 2103134 | ||
+ | suppress gen_id 1, sig_id 2500056 | ||
+ | suppress gen_id 119, sig_id 2 | ||
+ | suppress gen_id 119, sig_id 4 | ||
+ | suppress gen_id 119, sig_id 14 | ||
+ | suppress gen_id 119, sig_id 15 | ||
+ | suppress gen_id 119, sig_id 19 | ||
+ | suppress gen_id 119, sig_id 31 | ||
+ | suppress gen_id 119, sig_id 32 | ||
+ | suppress gen_id 119, sig_id 33 | ||
+ | suppress gen_id 120, sig_id 2 | ||
+ | suppress gen_id 120, sig_id 3 | ||
+ | suppress gen_id 120, sig_id 4 | ||
+ | suppress gen_id 120, sig_id 6 | ||
+ | suppress gen_id 120, sig_id 8 | ||
+ | suppress gen_id 120, sig_id 9 | ||
+ | suppress gen_id 122, sig_id 19 | ||
+ | suppress gen_id 122, sig_id 21 | ||
+ | suppress gen_id 122, sig_id 22 | ||
+ | suppress gen_id 122, sig_id 23 | ||
+ | suppress gen_id 122, sig_id 26 | ||
+ | suppress gen_id 129, sig_id 3 | ||
+ | suppress gen_id 129, sig_id 12 | ||
+ | suppress gen_id 129, sig_id 15 | ||
+ | suppress gen_id 129, sig_id 17 | ||
+ | suppress gen_id 137, sig_id 1 | ||
+ | suppress gen_id 145, sig_id 2 | ||
+ | # Sensitive Data disable | ||
+ | # # Credit Card Numbers | ||
+ | suppress gen_id 138, sig_id 2 | ||
+ | # # U.S. Social Security Numbers (with dashes) | ||
+ | suppress gen_id 138, sig_id 3 | ||
+ | # # U.S. Social Security Numbers (w/out dashes) | ||
+ | suppress gen_id 138, sig_id 4 | ||
+ | # # Email Addresses | ||
+ | suppress gen_id 138, sig_id 5 | ||
+ | # # U.S. Phone Numbers | ||
+ | suppress gen_id 138, sig_id 6 | ||
+ | |||
+ | suppress gen_id 139, sig_id 1 | ||
+ | |||
+ | # Global event filter to limit events from a unique src to 1 in 60 seconds | ||
+ | # Disabled by default turn on if you want this functionality | ||
+ | # | ||
+ | |||
+ | # event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60 | ||
+ | |||
+ | ... | ||
+ | </file> | ||
+ | |||
+ | ===== Configure Barnyard ===== | ||
+ | ==== Configure Database ==== | ||
+ | **Start MySQL** | ||
+ | <file> | ||
+ | /usr/local/etc/rc.d/mysql start | ||
+ | </file> | ||
+ | **Create Database** | ||
+ | <file> | ||
+ | mysql | ||
+ | create database snort; | ||
+ | quit; | ||
+ | </file> | ||
+ | **Populate Database** | ||
+ | <file> | ||
+ | mysql snort < /usr/local/share/examples/barnyard2/create_mysql | ||
+ | </file> | ||
+ | **Create Database user** | ||
+ | <file> | ||
+ | mysql | ||
+ | CREATE USER 'snort'@'localhost' IDENTIFIED BY 'snortpass'; | ||
+ | GRANT ALL PRIVILEGES ON snort.* TO 'snort'@'localhost' WITH GRANT OPTION; | ||
+ | </file> | ||
+ | ==== Edit /usr/local/etc/barnyard2.conf ==== | ||
+ | <file config /usr/local/etc/barnyard2.conf> | ||
+ | ... | ||
+ | # Examples: | ||
+ | # output alert_fast | ||
+ | # output alert_fast: stdout | ||
+ | # | ||
+ | output alert_fast | ||
+ | ... | ||
+ | # Examples: | ||
+ | output database: log, mysql, user=snort password=snortpass dbname=snort host=localhost | ||
+ | # output database: alert, postgresql, user=snort dbname=snort | ||
+ | # output database: log, odbc, user=snort dbname=snort | ||
+ | # output database: log, mssql, dbname=snort user=snort password=test | ||
+ | # output database: log, oracle, dbname=snort user=snort password=test | ||
+ | # | ||
+ | ... | ||
+ | </file> | ||
+ | |||
+ | ===== Start Snort and Barnyard2 ===== | ||
+ | <file> | ||
+ | /usr/local/etc/rc.d/snort start | ||
+ | /usr/local/etc/rc.d/barnyard2 start | ||
+ | </file> | ||
+ | |||
+ | ===== Configure Base (Snort Web Reporting) ===== | ||
+ | ==== Enable php ==== | ||
+ | * edit /usr/local/etc/apache24/httpd.conf | ||
+ | <file> | ||
+ | ... | ||
+ | LoadModule php5_module libexec/apache24/libphp5.so | ||
+ | |||
+ | AddType application/x-httpd-php .php | ||
+ | AddType application/x-httpd-php-source .phps | ||
+ | ... | ||
+ | # | ||
+ | # DirectoryIndex: sets the file that Apache will serve if a directory | ||
+ | # is requested. | ||
+ | # | ||
+ | <IfModule dir_module> | ||
+ | DirectoryIndex index.php index.html | ||
+ | </IfModule> | ||
+ | ... | ||
+ | </file> | ||
+ |