freebsd:snort_base

Differences

This shows you the differences between two versions of the page.

freebsd:snort_base [2014/08/08 14:11]
tschulz
freebsd:snort_base [2014/08/08 14:45]
tschulz [Enable php]
Line 3: Line 3:
 ===== Install Software ===== ===== Install Software =====
 <​file>​ <​file>​
-pkg install snort apache22 mysql56-server mod_php5 ​phpMyAdmin ​base wget+pkg install snort apache22 mysql56-server mod_php5 base wget
 </​file>​ </​file>​
  
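Review bot: the package list still installs apache22 while everything else in this revision targets Apache 2.4 (`apache24_enable="YES"` in rc.conf, `/usr/local/etc/apache24/httpd.conf`, `libexec/apache24/libphp5.so`), so the httpd that gets enabled is not the one that gets installed; change the line to `pkg install snort apache24 mysql56-server mod_php5 base wget`, and make sure mod_php5 is built against the same Apache major version. Dropping phpMyAdmin from the list is a reasonable reduction of exposed surface, since nothing else on the page uses it.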
Line 13: Line 13:
 make install make install
 </​file>​ </​file>​
 +
 +===== Enable Services =====
 +**Edit /​etc/​rc.conf**
 +<file config /​etc/​rc.conf>​
 +...
 +snort_enable="​YES"​
 +barnyard2_enable="​YES"​
 +barnyard2_flags="​-d /​var/​log/​snort -f snort.log"​
 +apache24_enable="​YES"​
 +mysql_enable="​YES"​
 +...
 +</​file>​
 +
  
 ===== Update Snort Rules ===== ===== Update Snort Rules =====
-<​file>​+==== Obtain a Onkcode ==== 
 +  - Go to https://​www.snort.org/​users/​sign_in 
 +  - Sign in or register 
 +  - Go to https://​www.snort.org/​oinkcodes 
 +  - Get your oinkcode from the line "​https://​www.snort.org/​rules/​snortrules-snapshot-2956.tar.gz?​oinkcode=########"​ 
 + 
 +==== Update Script ==== 
 +  * **Be sure to replace the Oinkcode** 
 +  * **We are using snort 2.9.6.2 so we are downloading snortrules-snapshot-2962.tar.gz** 
 +<​file ​bash update_snort_rules.sh> 
 +#!/bin/sh 
 cd /tmp cd /tmp
 wget --no-check-certificate https://​www.snort.org/​downloads/​community/​community-rules.tar.gz wget --no-check-certificate https://​www.snort.org/​downloads/​community/​community-rules.tar.gz
-tar xvzf community-rules.tar.gz -C /​usr/​local/​etc/​snort/​rules/​+tar xzf community-rules.tar.gz -C /​usr/​local/​etc/​snort/​rules/​ 
 +rm community-rules.tar.gz
  
 +wget --no-check-certificate https://​www.snort.org/​rules/​snortrules-snapshot-2962.tar.gz?​oinkcode=068c4616106479c8d9a55d11fc5eff4c9fbaaf6d
 +tar xzf snortrules-snapshot-2962.tar.gz?​oinkcode=<​Oinkcode from above> -C /​usr/​local/​etc/​snort/​
 +rm snortrules-snapshot-2962.tar.gz?​oinkcode=<​Oinkcode from above>
 +
 +rm /​usr/​local/​etc/​snort/​etc/​snort.conf
 +rm /​usr/​local/​etc/​snort/​etc/​threshold.conf
 +cd /​usr/​local/​etc/​snort/​etc
 +mv * ../
 +rm -r /​usr/​local/​etc/​snort/​etc
 </​file>​ </​file>​
  
 +===== Configure Snort =====
 +**Edit /​usr/​local/​etc/​snort/​snort.conf**
 +<file config /​usr/​local/​etc/​snort/​snort.conf>​
 +...
 +# Setup the network addresses you are protecting
 +ipvar HOME_NET 10.1.0.22,​192.168.111.0/​24,​127.0.0.1
 +
 +# Set up the external network addresses. Leave as "​any"​ in most situations
 +ipvar  EXTERNAL_NET 209.81.120.225/​27,​216.189.128.9/​30
 +...
 +# unified2
 +# Recommended for most installs
 +output unified2: filename snort.log, limit 128, mpls_event_types,​ vlan_event_types
 +...
 +</​file>​
 +**Edit /​usr/​local/​etc/​snort/​threshold.conf**
 +<file config /​usr/​local/​etc/​snort/​threshold.conf>​
 +...
 +suppress gen_id 1, sig_id 536
 +suppress gen_id 1, sig_id 648
 +suppress gen_id 1, sig_id 8375
 +suppress gen_id 1, sig_id 11192
 +suppress gen_id 1, sig_id 12286
 +suppress gen_id 1, sig_id 15147
 +suppress gen_id 1, sig_id 15306
 +suppress gen_id 1, sig_id 15362
 +suppress gen_id 1, sig_id 17458
 +suppress gen_id 1, sig_id 20583
 +suppress gen_id 1, sig_id 2000334
 +suppress gen_id 1, sig_id 2010516
 +suppress gen_id 1, sig_id 2012088
 +suppress gen_id 1, sig_id 2013222
 +suppress gen_id 1, sig_id 2014819
 +suppress gen_id 1, sig_id 2014520
 +suppress gen_id 1, sig_id 2101390
 +suppress gen_id 1, sig_id 2103134
 +suppress gen_id 1, sig_id 2500056
 +suppress gen_id 119, sig_id 2
 +suppress gen_id 119, sig_id 4
 +suppress gen_id 119, sig_id 14
 +suppress gen_id 119, sig_id 15
 +suppress gen_id 119, sig_id 19
 +suppress gen_id 119, sig_id 31
 +suppress gen_id 119, sig_id 32
 +suppress gen_id 119, sig_id 33
 +suppress gen_id 120, sig_id 2
 +suppress gen_id 120, sig_id 3
 +suppress gen_id 120, sig_id 4
 +suppress gen_id 120, sig_id 6
 +suppress gen_id 120, sig_id 8
 +suppress gen_id 120, sig_id 9
 +suppress gen_id 122, sig_id 19
 +suppress gen_id 122, sig_id 21
 +suppress gen_id 122, sig_id 22
 +suppress gen_id 122, sig_id 23
 +suppress gen_id 122, sig_id 26
 +suppress gen_id 129, sig_id 3
 +suppress gen_id 129, sig_id 12
 +suppress gen_id 129, sig_id 15
 +suppress gen_id 129, sig_id 17
 +suppress gen_id 137, sig_id 1
 +suppress gen_id 145, sig_id 2
 +# Sensitive Data disable
 +# # Credit Card Numbers
 +suppress gen_id 138, sig_id 2
 +# # U.S. Social Security Numbers (with dashes)
 +suppress gen_id 138, sig_id 3
 +# # U.S. Social Security Numbers (w/out dashes)
 +suppress gen_id 138, sig_id 4
 +# # Email Addresses
 +suppress gen_id 138, sig_id 5
 +# # U.S. Phone Numbers
 +suppress gen_id 138, sig_id 6
 +
 +suppress gen_id 139, sig_id 1
 +
 +# Global event filter to limit events from a unique src to 1 in 60 seconds
 +# Disabled by default turn on if you want this functionality
 +#
 +
 +# event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60
 +
 +...
 +</​file>​
 +
 +===== Configure Barnyard =====
 +==== Configure Database ====
 +**Start MySQL**
 +<​file>​
 +/​usr/​local/​etc/​rc.d/​mysql start
 +</​file>​
 +**Create Database**
 +<​file>​
 +mysql
 +create database snort;
 +quit;
 +</​file>​
 +**Populate Database**
 +<​file>​
 +mysql snort < /​usr/​local/​share/​examples/​barnyard2/​create_mysql
 +</​file>​
 +**Create Database user**
 +<​file>​
 +mysql
 +CREATE USER '​snort'​@'​localhost'​ IDENTIFIED BY '​snortpass';​
 +GRANT ALL PRIVILEGES ON snort.* TO '​snort'​@'​localhost'​ WITH GRANT OPTION;
 +</​file>​
 +==== Edit /​usr/​local/​etc/​barnyard2.conf ====
 +<file config /​usr/​local/​etc/​barnyard2.conf>​
 +...
 +# Examples:
 +#   ​output alert_fast
 +#   ​output alert_fast: stdout
 +#
 +output alert_fast
 +...
 +# Examples:
 +output database: log, mysql, user=snort password=snortpass dbname=snort host=localhost
 +#   ​output database: alert, postgresql, user=snort dbname=snort
 +#   ​output database: log, odbc, user=snort dbname=snort
 +#   ​output database: log, mssql, dbname=snort user=snort password=test
 +#   ​output database: log, oracle, dbname=snort user=snort password=test
 +#
 +...
 +</​file>​
 +
 +===== Start Snort and Barnyard2 =====
 +<​file>​
 +/​usr/​local/​etc/​rc.d/​snort start
 +/​usr/​local/​etc/​rc.d/​barnyard2 start
 +</​file>​
 +
 +===== Configure Base (Snort Web Reporting) =====
 +==== Enable php ====
 +  * edit /​usr/​local/​etc/​apache24/​httpd.conf
 +<​file>​
 +...
 +LoadModule php5_module ​       libexec/​apache24/​libphp5.so
 +
 +AddType application/​x-httpd-php .php
 +AddType application/​x-httpd-php-source .phps
 +...
 +#
 +# DirectoryIndex:​ sets the file that Apache will serve if a directory
 +# is requested.
 +#
 +<​IfModule dir_module>​
 +    DirectoryIndex index.php index.html
 +</​IfModule>​
 +...
 +</​file>​
 +==== Make Base Accessible ====
 +<​file>​
 +cd /​usr/​local/​www/​
 +cp -rv base apache24/​data/​
 +cd apache24/​data/​
 +chown -R www base
 +</​file>​
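Review bot: the first `wget` of the snortrules snapshot in update_snort_rules.sh embeds a literal oinkcode (`...?oinkcode=068c4616106479c8d9a55d11fc5eff4c9fbaaf6d`) in a public wiki revision, while the two lines after it use the `<Oinkcode from above>` placeholder, so the script both leaks the account's download credential and fails as written (wget names the saved file after the literal URL, so the `tar xzf snortrules-snapshot-2962.tar.gz?oinkcode=<Oinkcode from above>` line never matches). Keep the code out of the script, e.g. `OINKCODE=$(cat /usr/local/etc/snort/oinkcode)` from a root-only file, download with `wget -O snortrules-snapshot-2962.tar.gz "https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=${OINKCODE}"` so the later `tar` and `rm` lines get a fixed filename, and regenerate the code that is now exposed. The same script passes `--no-check-certificate` for rule tarballs that are unpacked straight into /usr/local/etc/snort; on FreeBSD the fix is to install ca_root_nss and drop the flag rather than disable TLS verification for content that becomes the sensor's detection logic. In the database section, `GRANT ALL PRIVILEGES ON snort.* ... WITH GRANT OPTION` is more than barnyard2 needs to insert events, and the same `snortpass` is repeated in clear text in barnyard2.conf, so drop `WITH GRANT OPTION`, use a generated password and keep barnyard2.conf readable only by root. Under "Make Base Accessible", `chown -R www base` makes the web server the owner of the BASE code itself, so a PHP or BASE bug could rewrite the application; restrict www ownership to whatever BASE must write during setup. Minor: the heading reads `Obtain a Onkcode` rather than `Oinkcode`.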
freebsd/snort_base.txt · Last modified: 2014/08/08 14:50 by tschulz