freebsd:snort_base

freebsd:snort_base [2014/08/08 14:11]
tschulz
freebsd:snort_base [2014/08/08 14:50] (current)
tschulz
Line 3: Line 3:
 ===== Install Software ===== ===== Install Software =====
 <​file>​ <​file>​
-pkg install snort apache22 mysql56-server mod_php5 ​phpMyAdmin ​base wget+pkg install snort apache22 mysql56-server mod_php5 base wget
 </​file>​ </​file>​
  
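Review bot: the install line still pulls `apache22` while the rest of this revision enables `apache24_enable="YES"` in rc.conf and edits /usr/local/etc/apache24/httpd.conf and /usr/local/www/apache24/data; either install `apache24` here or change the later references, otherwise the service enabled at boot is not the one that was installed. Dropping phpMyAdmin from the package list is fine, since nothing in the rest of the page uses it.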
Line 13: Line 13:
 make install make install
 </​file>​ </​file>​
 +
 +===== Enable Services =====
 +**Edit /​etc/​rc.conf**
 +<file config /​etc/​rc.conf>​
 +...
 +snort_enable="​YES"​
 +barnyard2_enable="​YES"​
 +barnyard2_flags="​-d /​var/​log/​snort -f snort.log"​
 +apache24_enable="​YES"​
 +mysql_enable="​YES"​
 +...
 +</​file>​
 +
  
 ===== Update Snort Rules ===== ===== Update Snort Rules =====
-<​file>​+==== Obtain a Onkcode ==== 
 +  - Go to https://​www.snort.org/​users/​sign_in 
 +  - Sign in or register 
 +  - Go to https://​www.snort.org/​oinkcodes 
 +  - Get your oinkcode from the line "​https://​www.snort.org/​rules/​snortrules-snapshot-2956.tar.gz?​oinkcode=########"​ 
 + 
 +==== Update Script ==== 
 +  * **Be sure to replace the Oinkcode** 
 +  * **We are using snort 2.9.6.2 so we are downloading snortrules-snapshot-2962.tar.gz** 
 +<​file ​bash update_snort_rules.sh> 
 +#!/bin/sh 
 cd /tmp cd /tmp
 wget --no-check-certificate https://​www.snort.org/​downloads/​community/​community-rules.tar.gz wget --no-check-certificate https://​www.snort.org/​downloads/​community/​community-rules.tar.gz
-tar xvzf community-rules.tar.gz -C /​usr/​local/​etc/​snort/​rules/​+tar xzf community-rules.tar.gz -C /​usr/​local/​etc/​snort/​rules/​ 
 +rm community-rules.tar.gz
  
 +wget --no-check-certificate https://​www.snort.org/​rules/​snortrules-snapshot-2962.tar.gz?​oinkcode=068c4616106479c8d9a55d11fc5eff4c9fbaaf6d
 +tar xzf snortrules-snapshot-2962.tar.gz?​oinkcode=<​Oinkcode from above> -C /​usr/​local/​etc/​snort/​
 +rm snortrules-snapshot-2962.tar.gz?​oinkcode=<​Oinkcode from above>
 +
 +rm /​usr/​local/​etc/​snort/​etc/​snort.conf
 +rm /​usr/​local/​etc/​snort/​etc/​threshold.conf
 +cd /​usr/​local/​etc/​snort/​etc
 +mv * ../
 +rm -r /​usr/​local/​etc/​snort/​etc
 +</​file>​
 +
 +===== Configure Snort =====
 +**Edit /​usr/​local/​etc/​snort/​snort.conf**
 +<file config /​usr/​local/​etc/​snort/​snort.conf>​
 +...
 +# Setup the network addresses you are protecting
 +ipvar HOME_NET 10.1.0.22,​192.168.111.0/​24,​127.0.0.1
 +
 +# Set up the external network addresses. Leave as "​any"​ in most situations
 +ipvar  EXTERNAL_NET 209.81.120.225/​27,​216.189.128.9/​30
 +...
 +# unified2
 +# Recommended for most installs
 +output unified2: filename snort.log, limit 128, mpls_event_types,​ vlan_event_types
 +...
 +</​file>​
 +**Edit /​usr/​local/​etc/​snort/​threshold.conf**
 +<file config /​usr/​local/​etc/​snort/​threshold.conf>​
 +...
 +suppress gen_id 1, sig_id 536
 +suppress gen_id 1, sig_id 648
 +suppress gen_id 1, sig_id 8375
 +suppress gen_id 1, sig_id 11192
 +suppress gen_id 1, sig_id 12286
 +suppress gen_id 1, sig_id 15147
 +suppress gen_id 1, sig_id 15306
 +suppress gen_id 1, sig_id 15362
 +suppress gen_id 1, sig_id 17458
 +suppress gen_id 1, sig_id 20583
 +suppress gen_id 1, sig_id 2000334
 +suppress gen_id 1, sig_id 2010516
 +suppress gen_id 1, sig_id 2012088
 +suppress gen_id 1, sig_id 2013222
 +suppress gen_id 1, sig_id 2014819
 +suppress gen_id 1, sig_id 2014520
 +suppress gen_id 1, sig_id 2101390
 +suppress gen_id 1, sig_id 2103134
 +suppress gen_id 1, sig_id 2500056
 +suppress gen_id 119, sig_id 2
 +suppress gen_id 119, sig_id 4
 +suppress gen_id 119, sig_id 14
 +suppress gen_id 119, sig_id 15
 +suppress gen_id 119, sig_id 19
 +suppress gen_id 119, sig_id 31
 +suppress gen_id 119, sig_id 32
 +suppress gen_id 119, sig_id 33
 +suppress gen_id 120, sig_id 2
 +suppress gen_id 120, sig_id 3
 +suppress gen_id 120, sig_id 4
 +suppress gen_id 120, sig_id 6
 +suppress gen_id 120, sig_id 8
 +suppress gen_id 120, sig_id 9
 +suppress gen_id 122, sig_id 19
 +suppress gen_id 122, sig_id 21
 +suppress gen_id 122, sig_id 22
 +suppress gen_id 122, sig_id 23
 +suppress gen_id 122, sig_id 26
 +suppress gen_id 129, sig_id 3
 +suppress gen_id 129, sig_id 12
 +suppress gen_id 129, sig_id 15
 +suppress gen_id 129, sig_id 17
 +suppress gen_id 137, sig_id 1
 +suppress gen_id 145, sig_id 2
 +# Sensitive Data disable
 +# # Credit Card Numbers
 +suppress gen_id 138, sig_id 2
 +# # U.S. Social Security Numbers (with dashes)
 +suppress gen_id 138, sig_id 3
 +# # U.S. Social Security Numbers (w/out dashes)
 +suppress gen_id 138, sig_id 4
 +# # Email Addresses
 +suppress gen_id 138, sig_id 5
 +# # U.S. Phone Numbers
 +suppress gen_id 138, sig_id 6
 +
 +suppress gen_id 139, sig_id 1
 +
 +# Global event filter to limit events from a unique src to 1 in 60 seconds
 +# Disabled by default turn on if you want this functionality
 +#
 +
 +# event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60
 +
 +...
 +</​file>​
 +
 +===== Configure Barnyard =====
 +==== Configure Database ====
 +**Start MySQL**
 +<​file>​
 +/​usr/​local/​etc/​rc.d/​mysql start
 +</​file>​
 +**Create Database**
 +<​file>​
 +mysql
 +create database snort;
 +quit;
 +</​file>​
 +**Populate Database**
 +<​file>​
 +mysql snort < /​usr/​local/​share/​examples/​barnyard2/​create_mysql
 +</​file>​
 +**Create Database user**
 +<​file>​
 +mysql
 +CREATE USER '​snort'​@'​localhost'​ IDENTIFIED BY '​snortpass';​
 +GRANT ALL PRIVILEGES ON snort.* TO '​snort'​@'​localhost'​ WITH GRANT OPTION;
 +</​file>​
 +==== Edit /​usr/​local/​etc/​barnyard2.conf ====
 +<file config /​usr/​local/​etc/​barnyard2.conf>​
 +...
 +# Examples:
 +#   ​output alert_fast
 +#   ​output alert_fast: stdout
 +#
 +output alert_fast
 +...
 +# Examples:
 +output database: log, mysql, user=snort password=snortpass dbname=snort host=localhost
 +#   ​output database: alert, postgresql, user=snort dbname=snort
 +#   ​output database: log, odbc, user=snort dbname=snort
 +#   ​output database: log, mssql, dbname=snort user=snort password=test
 +#   ​output database: log, oracle, dbname=snort user=snort password=test
 +#
 +...
 +</​file>​
 +
 +===== Start Snort and Barnyard2 =====
 +<​file>​
 +/​usr/​local/​etc/​rc.d/​snort start
 +/​usr/​local/​etc/​rc.d/​barnyard2 start
 +</​file>​
 +
 +===== Configure Base (Snort Web Reporting) =====
 +==== Enable php ====
 +  * edit /​usr/​local/​etc/​apache24/​httpd.conf
 +<​file>​
 +...
 +LoadModule php5_module ​       libexec/​apache24/​libphp5.so
 +
 +AddType application/​x-httpd-php .php
 +AddType application/​x-httpd-php-source .phps
 +...
 +#
 +# DirectoryIndex:​ sets the file that Apache will serve if a directory
 +# is requested.
 +#
 +<​IfModule dir_module>​
 +    DirectoryIndex index.php index.html
 +</​IfModule>​
 +...
 +</​file>​
 +==== Make Base Accessible ====
 +<​file>​
 +cd /​usr/​local/​www/​
 +cp -rv base apache24/​data/​
 +cd apache24/​data/​
 +chown -R www base
 </​file>​ </​file>​
  
 +==== Configure Base ====
 +  - Navigate on a web browser to http://​127.0.0.1/​base/​setup/​index.php
 +  - Set adodb Path to /​usr/​local/​share/​adodb
 +  - Use the Database setting we used above (mysql, database_name,​ username, password)
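Review bot: the update script's second download embeds a literal oinkcode (`wget --no-check-certificate https://www.snort.org/rules/snortrules-snapshot-2962.tar.gz?oinkcode=068c4616...`) while the `tar` and `rm` lines that follow use the `<Oinkcode from above>` placeholder; the oinkcode is a per-account credential, so the published script should use the placeholder on all three lines and the code that has now been exposed should be regenerated on snort.org. Further points in the same hunk: both `wget --no-check-certificate` calls disable TLS certificate validation for the rules download, so install `ca_root_nss` and drop the flag; `/usr/local/etc/rc.d/mysql start` should be `/usr/local/etc/rc.d/mysql-server start`, which is the rc script the mysql56-server package installs (the `mysql_enable` knob in rc.conf is correct as written); `GRANT ALL PRIVILEGES ON snort.* TO 'snort'@'localhost' WITH GRANT OPTION;` grants more than barnyard2's database output needs, and `WITH GRANT OPTION` in particular should go; `chown -R www base` leaves the whole BASE tree, including base/setup/, writable by the web server, so the "Configure Base" steps should end by removing the setup directory or taking write access away once base_conf.php has been written; the comment above `ipvar EXTERNAL_NET` says to leave it as "any" but the line sets two small ranges, so either the comment or the value should be updated to match; and the heading "Obtain a Onkcode" should read "Obtain an Oinkcode".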
freebsd/snort_base.1407525062.txt.gz · Last modified: 2014/08/08 14:11 by tschulz