

Snort + Barnyard2 + Base on FreeBSD 10

Install Software

pkg install snort apache24 mysql56-server mod_php5 phpMyAdmin base wget

The rc.conf entries below enable apache24, so install the apache24 package (not apache22); the Apache package, the mod_php5 module and the rc.conf entry must all refer to the same Apache version.

Barnyard2 has to be built from ports to get MySQL output support (the binary package is built without it):

cd /usr/ports/security/barnyard2
make config          # enable the MYSQL option
make install clean

Enable Services

Edit /etc/rc.conf

/etc/rc.conf
...
snort_enable="YES"
barnyard2_enable="YES"
barnyard2_flags="-d /var/log/snort -f snort.log"
apache24_enable="YES"
mysql_enable="YES"
...

Update Snort Rules

Obtain an Oinkcode from your snort.org account. It is a per-account credential that authorizes rule downloads, so treat it like a password: do not commit it or paste it into shared documents.

Update Script

  • Be sure to replace the OINKCODE placeholder with your own Oinkcode.
  • We are running Snort 2.9.6.2, so the script downloads snortrules-snapshot-2962.tar.gz. The snapshot must match the installed Snort version; change the name when Snort is upgraded.
update_snort_rules.sh
#!/bin/sh
# Replace OINKCODE with the Oinkcode from your snort.org account.
# SNAPSHOT must match the installed Snort version (2.9.6.2 -> 2962).
OINKCODE="<Oinkcode from above>"
SNAPSHOT=snortrules-snapshot-2962.tar.gz
SNORT_DIR=/usr/local/etc/snort

set -e
WORK=$(mktemp -d)        # private scratch dir instead of predictable names in /tmp
cd "$WORK"

# Fetch over verified TLS. Install security/ca_root_nss so wget has a CA bundle
# to check the snort.org certificate against; do not use --no-check-certificate,
# which would let anyone on the path feed you a tampered rule set.
wget -O community-rules.tar.gz https://www.snort.org/downloads/community/community-rules.tar.gz
tar xzf community-rules.tar.gz -C "$SNORT_DIR/rules/"

# Save the registered snapshot under a fixed name so the Oinkcode never
# appears in a filename (and the '?' in the URL never hits the shell unquoted).
wget -O "$SNAPSHOT" "https://www.snort.org/rules/${SNAPSHOT}?oinkcode=${OINKCODE}"
tar xzf "$SNAPSHOT" -C "$SNORT_DIR/"

# The tarball's etc/ carries default snort.conf and threshold.conf; drop those
# so the local copies survive, then move the remaining maps and configs
# (classification.config, reference.config, *.map) up one level.
rm -f "$SNORT_DIR/etc/snort.conf" "$SNORT_DIR/etc/threshold.conf"
mv "$SNORT_DIR"/etc/* "$SNORT_DIR/"
rm -r "$SNORT_DIR/etc"

cd /
rm -r "$WORK"

Configure Snort

Edit /usr/local/etc/snort/snort.conf

/usr/local/etc/snort/snort.conf
...
# Setup the network addresses you are protecting
ipvar HOME_NET 10.1.0.22,192.168.111.0/24,127.0.0.1
 
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET 209.81.120.225/27,216.189.128.9/30
...
# unified2
# Recommended for most installs
output unified2: filename snort.log, limit 128, mpls_event_types, vlan_event_types
...

Edit /usr/local/etc/snort/threshold.conf

/usr/local/etc/snort/threshold.conf
...
suppress gen_id 1, sig_id 536
suppress gen_id 1, sig_id 648
suppress gen_id 1, sig_id 8375
suppress gen_id 1, sig_id 11192
suppress gen_id 1, sig_id 12286
suppress gen_id 1, sig_id 15147
suppress gen_id 1, sig_id 15306
suppress gen_id 1, sig_id 15362
suppress gen_id 1, sig_id 17458
suppress gen_id 1, sig_id 20583
suppress gen_id 1, sig_id 2000334
suppress gen_id 1, sig_id 2010516
suppress gen_id 1, sig_id 2012088
suppress gen_id 1, sig_id 2013222
suppress gen_id 1, sig_id 2014819
suppress gen_id 1, sig_id 2014520
suppress gen_id 1, sig_id 2101390
suppress gen_id 1, sig_id 2103134
suppress gen_id 1, sig_id 2500056
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 4
suppress gen_id 119, sig_id 14
suppress gen_id 119, sig_id 15
suppress gen_id 119, sig_id 19
suppress gen_id 119, sig_id 31
suppress gen_id 119, sig_id 32
suppress gen_id 119, sig_id 33
suppress gen_id 120, sig_id 2
suppress gen_id 120, sig_id 3
suppress gen_id 120, sig_id 4
suppress gen_id 120, sig_id 6
suppress gen_id 120, sig_id 8
suppress gen_id 120, sig_id 9
suppress gen_id 122, sig_id 19
suppress gen_id 122, sig_id 21
suppress gen_id 122, sig_id 22
suppress gen_id 122, sig_id 23
suppress gen_id 122, sig_id 26
suppress gen_id 129, sig_id 3
suppress gen_id 129, sig_id 12
suppress gen_id 129, sig_id 15
suppress gen_id 129, sig_id 17
suppress gen_id 137, sig_id 1
suppress gen_id 145, sig_id 2
# Sensitive Data preprocessor (gen_id 138) alerts, suppressed
# Credit Card Numbers
suppress gen_id 138, sig_id 2
# U.S. Social Security Numbers (with dashes)
suppress gen_id 138, sig_id 3
# U.S. Social Security Numbers (w/out dashes)
suppress gen_id 138, sig_id 4
# Email Addresses
suppress gen_id 138, sig_id 5
# U.S. Phone Numbers
suppress gen_id 138, sig_id 6
 
suppress gen_id 139, sig_id 1
 
# Global event filter to limit events from a unique src to 1 in 60 seconds
# Disabled by default turn on if you want this functionality
#
 
# event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60
 
...
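Before restarting Snort after a rules update, it is worth checking that the edited snort.conf and threshold.conf still hold together. The POSIX sh script below is an added example, not part of the original page: it verifies that every include line in snort.conf resolves to a file (Snort resolves relative include paths against the directory of the main config file) and that every active threshold.conf line is a well-formed suppress, event_filter or rate_filter entry, and it flags suppress lines listed twice. The function names and the small config tree it builds in a temporary directory are constructed for the example so it runs offline; point the functions at /usr/local/etc/snort/snort.conf and threshold.conf on the sensor.

```shell
#!/bin/sh
# Added example, not from the original page: post-update sanity checks for a
# Snort 2.9 config tree, meant to run before "service snort restart".
#  - count_missing_includes    : every "include" in snort.conf must resolve to a file
#  - count_bad_threshold_lines : every active threshold.conf line must be a
#                                well-formed suppress / event_filter / rate_filter
#  - count_duplicate_suppress  : the same suppress line listed twice
# The sample config tree is constructed below so the script runs offline.
set -f   # no globbing while we word-split config lines

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# Snort resolves relative include paths against the directory holding the main
# snort.conf, so we do the same. Missing files go to stderr, the count to stdout.
count_missing_includes() {
    conf=$1
    dir=$(dirname "$conf")
    rule_path=$(awk '$1=="var" && $2=="RULE_PATH" {print $3; exit}' "$conf")
    missing=0
    for inc in $(awk '$1=="include" {print $2}' "$conf"); do
        case "$inc" in
            '$RULE_PATH'/*) path="$rule_path/${inc#*/}" ;;   # substitute RULE_PATH
            *)              path=$inc ;;
        esac
        case "$path" in
            /*) ;;                      # absolute: use as-is
            *)  path="$dir/$path" ;;    # relative: anchor at the snort.conf directory
        esac
        if [ ! -f "$path" ]; then
            echo "missing include: $path" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# Accept "suppress gen_id N, sig_id N[, ...]" and any event_filter/rate_filter
# line; anything else that is not blank or a comment is reported as malformed.
count_bad_threshold_lines() {
    file=$1
    bad=0
    # read -r with default IFS strips leading/trailing blanks for us
    while read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        # split on blanks and commas: $1=keyword $2=gen_id $3=N $4=sig_id $5=N
        set -- $(printf '%s\n' "$line" | tr ',' ' ')
        case "$1" in
            suppress)
                if [ "$2" != gen_id ] || ! is_uint "$3" || [ "$4" != sig_id ] || ! is_uint "$5"; then
                    bad=$((bad + 1)); echo "malformed: $line" >&2
                fi ;;
            event_filter|rate_filter) ;;   # keyword accepted; fields not validated here
            *) bad=$((bad + 1)); echo "unknown keyword: $line" >&2 ;;
        esac
    done < "$file"
    echo "$bad"
}

# Number of distinct suppress lines that occur more than once.
count_duplicate_suppress() {
    grep '^suppress' "$1" | sort | uniq -d | awk 'END { print NR }'
}

# Build a small constructed config tree (one include deliberately missing,
# one duplicate and two malformed threshold lines) and print its path.
setup_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/rules/community-rules"
    : > "$d/rules/local.rules"
    : > "$d/rules/community-rules/community.rules"
    : > "$d/classification.config"
    cat > "$d/snort.conf" <<'EOF'
var RULE_PATH rules
include classification.config
include $RULE_PATH/local.rules
include $RULE_PATH/community-rules/community.rules
include $RULE_PATH/not-unpacked.rules
EOF
    cat > "$d/threshold.conf" <<'EOF'
# constructed sample: two good lines, one duplicate, two malformed
suppress gen_id 1, sig_id 536
suppress gen_id 138, sig_id 2
suppress gen_id 1, sig_id 536
supress gen_id 1, sig_id 648
suppress gen_id 119, sig_id
# event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60
EOF
    echo "$d"
}

SAMPLE=$(setup_sample)
echo "missing includes:    $(count_missing_includes "$SAMPLE/snort.conf")"
echo "bad threshold lines: $(count_bad_threshold_lines "$SAMPLE/threshold.conf")"
echo "duplicate suppress:  $(count_duplicate_suppress "$SAMPLE/threshold.conf")"
```

A non-zero include count right after the rules update usually means RULE_PATH in snort.conf no longer matches where the tarball was unpacked (the stock snort.conf ships with `var RULE_PATH ../rules`, which after the etc/ shuffle above would point at /usr/local/etc/rules). These checks are cheap and catch the common slips, but `snort -T -c /usr/local/etc/snort/snort.conf` remains the authoritative configuration test and should still be run before the restart.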

Configure Barnyard


freebsd/snort_base.1407526210.txt.gz · Last modified: 2014/08/08 14:30 by tschulz