Snort_2.9.0.1_FC14_Base

Date post: 27-Oct-2014
Page 1: Snort_2.9.0.1_FC14_Base

Snort 2.9.0.11 Fedora 14

Installation Guide

Nick Moore, Sourcefire, Inc.


• Overview: What's Snort?
• Scope and Limitations
• What's New in This Version?
• Assumptions
• Why Snort in VM?
• VMWare Settings
• Set up Fedora Build
• Get libnet, libdnet, daq, Snort, BASE, adodb and Barnyard2
• Finish System Set-up and Compile Snort
• Set up Snort Environment
• Edit snort.conf
• Set up MySQL
• Gettin' GUI with it
• Barnyard Output (not as bad as it sounds)
• A Few More Steps in the Barnyard
• Starting Snort and Finishing Barnyard Config
• Test Snort
• Starting Snort Automatically
• Starting Barnyard2 Automatically
• Updating Rules Automatically
• Future Topics


Overview: What’s Snort?

Snort is an open source Intrusion Detection/Prevention application (IPS) written in 1998 by Marty Roesch. It is the world's most widely used IPS and has been downloaded over 4 million times. The 250,000+ active Snort users worldwide contribute new rules, plugins and complementary applications that work with Snort.

Scope and Limitations

This paper covers Snort, not Linux system, web or database administration and is offered with no explicit or implied warranty. All code referenced in this paper is open source.

This paper is focused on the initial installation of Snort with some supporting applications. Tuning, rule writing, policy definition and other operational issues are outside this scope.

What’s New in This Version?

In addition to being updated for Fedora 14, Snort 2.9.0.1 and newer versions of BASE and Barnyard, this version of the Snort Setup Guide includes a new section on starting Snort and Barnyard as a service.

Assumptions

This paper will cover the installation of Snort 2.8.6 on Fedora 13 with:

• MySQL 5.0.77
• Libnet 1.0.2a
• Libpcap 1.0.0-5
• BASE-1.4.5
• Barnyard2-1.8
• Apache 2.2.11
• Using VMWare

Why Snort in VM?

As a laptop user, I am mobile and often have to use public guest networks, such as those in hotels, coffee shops and others. One never knows when such an environment can be hostile (just because I’m paranoid doesn’t mean that people aren’t trying to get me).


Also, using a web based GUI means that a web port has to be open, as well as MySQL. So I find that it’s helpful to have these on a virtual machine so that I don’t have these ports open on my laptop OS.

Last, snapshots are your friend. VMWare allows users to capture the virtual machine’s state at a point in time, which can be later restored. This is a huge advantage in the case that mistakes were made or the virtual machine has become unstable. If only real life was like that....

All of this being said, the instructions in this paper should also work for native Fedora and CentOS systems. It just won’t cover any of the machine specific details.

VMWare Settings

Within VMWare, the following settings are recommended:

• 1024 MB RAM
• 20 GB Disk
• Eth0 host only network
• Eth1 bridged to host interface
• No sound device, printer or accessories

Set up Fedora Build

First, download Fedora14 from http://fedoraproject.org. Once the operating system is installed from defaults, several packages will have to be installed to support the Snort installation and its supporting applications.

I created bubba as my non-root user and bubba’s home directory is referred to throughout this paper. If another user account is used, simply replace bubba with the appropriate user name.

From a command line interface, enter the following command:

yum install gcc gcc-c++ kernel-devel patch make vim ssh libxml2 libxml2-devel

After this step is complete, update the system by running the following:

yum -y update


Now it’s time to install VMWare tools. While not completely necessary, the enhanced display resolution alone is worth the effort. Make sure you reboot your machine after the update and before you start the VMWare Tools install in order to have all the paths set properly.

Install VMWare Tools from the perl script in the menu bar under Virtual Machine > Install VMWare Tools. Once the disk is mounted on your desktop, un-tar it and run the *.pl script from a CLI as root user. For more information on this process, please see http://www.vmware.com/support/ws55/doc/ws_newguest_tools_linux.html

Reboot to allow kernel updates to take effect. This process will take about 30-60 minutes, depending on CPU, memory available, disk speed....

Once these steps are complete, the supporting applications need to be installed. Again, we are going to use yum:

yum install pcre pcre-devel php php-common php-gd php-cli php-mysql flex bison php-pear-Numbers-Roman php-pear-Numbers-Words php-pear-Image-Color php-pear-Image-Canvas php-pear-Image-Graph libpcap libpcap-devel mysql mysql-devel mysql-bench mysql-server

If you would like to download libnet, Snort, BASE and adodb from a command line rather than manually from a browser in the Fedora GUI, install wget using yum.

Once these are done, run ntsysv from CLI. Select httpd, mysqld and sshd to autostart.

As a recommendation, please consider statically defining the eth0 IP address, rather than letting the internal VMWare DHCP server define it for you. Also, make sure to edit the /etc/hosts file to reflect the fully qualified domain name of your server.

Get libnet, libdnet, daq, Snort, BASE, adodb and Barnyard2

Download libnet-1.0.2a.tar.gz from http://www.filewatcher.com/m/libnet-1.0.2a.tar.gz.140191.0.0.html.

Be careful with this: there are other sources for libnet, even some with the same version, but saved as a .tgz file rather than a .tar.gz. The .tgz file will NOT work and neither will versions of libnet beyond 1.0.2a.


Download libdnet from http://code.google.com/p/libdnet/downloads/detail?name=libdnet-1.12.tgz&can=2&q=.

Go to http://snort.org and download snort-2.9.0.1.tar.gz. If you have a subscriber account with snort.org, you can get the most up to date rules. While this is very important for production systems, registered user rules are 30 days old and are good enough for most testing and home users.

BASE provides a web front-end to query and analyze the alerts coming from a SNORT IDS system. Get base-1.4.5.tar.gz from http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz/download.

Adodb is a database abstraction utility which allows multiple kinds of databases to interact with PHP. Get adodb4991.tar.gz from http://sourceforge.net/projects/adodb/files/adodb-php-4-and-5/adodb-4991-for-php/adodb4991.tgz/download

Barnyard2 is a separate process that allows snort to write to one or more output mechanisms. In our case, we will be using MySQL as a database to power BASE, but syslog, SGUIL and several others are also supported. You can get Barnyard2 at http://www.securixlive.com/barnyard2/download.php

Finish System Set-up and Compile Snort

Now we will finish the system set up by installing libnet, libdnet and daq. For more information on libnet, please see http://libnet.sourceforge.net/. Take the following steps:

• cd /usr/local
• tar zxvf /home/bubba/Downloads/libnet-1.0.2a.tar.gz
• cd Libnet-1.0.2a
• ./configure && make && make install

The && in the last step is a shell convention which means that if statement A completes successfully, then execute statement B. In short, it's a shortcut to configure, compile and install the libnet code in one line. If you'd like more information on configure, make and make install, please refer to http://www.codecoffee.com/tipsforlinux/articles/27.html.

Before compiling Snort, libdnet is also needed. While it can be installed from yum, there are a fair number of blog entries about users having problems compiling Snort when it was not installed manually. Take the following steps:

• cd /usr/local
• tar zxvf /home/bubba/Downloads/libdnet-1.12.tgz
• cd libdnet-1.12
• ./configure && make && make install

New in Snort 2.9.0.1 are the Data Acquisition libraries, referred to as daq. Download them from http://www.snort.org/downloads/263 and install them:

• cd /usr/local
• tar zxvf /home/bubba/Downloads/daq-0.3.tar.gz
• cd daq-0.3
• ./configure && make && make install

To install Snort, execute the following commands:

• cd /usr/local
• tar zxvf /home/bubba/Downloads/snort-2.9.0.1.tar.gz
• cd snort-2.9.0.1
• ./configure --enable-targetbased --enable-dynamicplugin --enable-sourcefire --enable-reload --enable-zlib --enable-gre --enable-mpls --enable-ppm --enable-perfprofiling && make && make install

Set up Snort Environment

There are a few steps that need to take place in order to have snort run properly, mostly setting up some directories, getting the snort rules, moving some files around and creating the snort user. Execute the following:

• mkdir /etc/snort
• mkdir /var/log/snort
• cd /etc/snort
• tar zxvf /home/bubba/Downloads/snortrules-snapshot-2900.tar.gz -C /etc/snort
• cp etc/* /etc/snort
• groupadd snort
• useradd -g snort snort
• chown snort:snort /var/log/snort
• touch /var/log/snort/alert
• chown snort:snort /var/log/snort/alert
• chmod 600 /var/log/snort/alert
• mkdir /usr/local/lib/snort_dynamicrules
• cp /etc/snort/so_rules/precompiled/FC-12/i386/2.9.0.0/*.so /usr/local/lib/snort_dynamicrules
• cat /etc/snort/so_rules/*.rules >> /etc/snort/rules/so-rules.rules

Edit snort.conf

The snort.conf file defines how snort will run once the application is started. It is long and complex, but for this paper, we will only be working on a few of the features.

• vim /etc/snort/snort.conf
• Find the variable RULE_PATH and change it to /etc/snort/rules
• Find the variable PREPROC_RULE_PATH and change it to /etc/snort/preproc_rules
• Find the variable SO_RULE_PATH and change it to /etc/snort/so_rules
• Find "unified2". Uncomment the line, change merged.log to snort.log and make sure to delete the nostamp option. Failing to remove nostamp will cause problems with Barnyard2 parsing the log files. Also, unless you are planning on using mpls and vlan event types, remove those statements as well.

Set up MySQL

MySQL will serve as the database for the snort application. While not required to run Snort on its own, a database makes it easier to track down events and is required by the BASE monitoring tool.

One short note: this paper does not assume any expertise in database administration, nor does the author claim any significant skill in this area.


The commands in this section are sufficient to install and run snort. The BASE tool provides some database maintenance tools; nothing additional is required to administer snort.

• mysql
• SET PASSWORD FOR root@localhost=PASSWORD('password');
• create database snort;
• grant ALL PRIVILEGES on snort.* to snort@localhost with GRANT option;
• SET PASSWORD FOR snort@localhost=PASSWORD('password');
• exit
• cd /usr/local/snort-2.9.0.1/schemas
• mysql -p snort < create_mysql

Now we will check to see that the Snort database has been correctly installed:

• mysql -p
• SHOW DATABASES; (there should be 4 rows)
• use snort;
• SHOW TABLES; (there should be 16 rows)
• exit;

Gettin’ GUI with it

In this step, we will set up the web environment. The first set of steps involve un-tarring adodb and BASE into the web directory, followed by setting up BASE from a web prompt.

From the CLI as root:

• cd /var/www/html
• tar zxvf /home/bubba/Downloads/adodb4991.tgz
• tar zxvf /home/bubba/Downloads/base-1.4.5.tar.gz
• chown apache base-1.4.5/
• chgrp apache base-1.4.5/
• chmod 777 /var/www/html/base-1.4.5/
• vim /etc/php.ini
• Find error_reporting. Make sure it is set to: error_reporting = E_ALL & ~E_NOTICE
• service httpd restart


In a browser, go to http://localhost/base-1.4.5

• Click "continue"
• Path to adodb is /var/www/html/adodb
• Database Name=snort, Database Host=localhost, Database User=snort, Database Password=password
• Admin User Name=snort, Password=password, Full Name=snort
• Click "Create BASE AG".

Barnyard Output (not as bad as it sounds)

Barnyard was written to take over the various output processing tasks so that Snort could spend more resources on processing packets.

From /usr/local:

• tar zxvf /home/bubba/Downloads/barnyard2-1.8.tar.gz
• cd barnyard2-1.8
• ./configure --with-mysql && make && make install
• cp etc/barnyard2.conf /etc/snort

A Few More Steps in the Barnyard

• vim /etc/snort/barnyard2.conf
• Look for config hostname and replace "thor" with "localhost"
• Look for config interface and make sure it is eth0
• Look for output and comment out all output methods until you get to database.
• Edit the mysql line to read: output database: log, mysql, user=snort password=password dbname=snort host=localhost
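Added here as an example, not part of the guide: a small POSIX shell script that checks the two hand edits above, the unified2 line in snort.conf (snort.log, no nostamp) and the single active mysql output line in barnyard2.conf. The function names and the default /etc/snort paths are my assumptions; the guide's own check is simply to start Snort and Barnyard2 and watch for errors.

```shell
#!/bin/sh
# Added example, not from the guide: sanity checks for the snort.conf and
# barnyard2.conf edits. Paths default to the guide's /etc/snort locations;
# the function names are my own.

# The active unified2 line in snort.conf must use "filename snort.log" and
# must NOT carry "nostamp", or Barnyard2 cannot follow the spooled log.
check_unified2() {
    conf="$1"
    line=$(grep -E '^[[:space:]]*output[[:space:]]+unified2' "$conf" | head -n 1)
    if [ -z "$line" ]; then
        echo "$conf: no active 'output unified2' line (still commented out?)"
        return 1
    fi
    case "$line" in
        *nostamp*)
            echo "$conf: unified2 line still has 'nostamp'"
            return 1 ;;
    esac
    case "$line" in
        *"filename snort.log"*) return 0 ;;
    esac
    echo "$conf: unified2 filename is not snort.log: $line"
    return 1
}

# barnyard2.conf must have exactly one active "output" line, and it must be
# the mysql database output carrying user, password, dbname and host.
check_barnyard_output() {
    conf="$1"
    n=$(grep -cE '^[[:space:]]*output[[:space:]]' "$conf" || true)
    n=${n:-0}
    if [ "$n" -ne 1 ]; then
        echo "$conf: expected one active output line, found $n"
        return 1
    fi
    line=$(grep -E '^[[:space:]]*output[[:space:]]' "$conf")
    case "$line" in
        *"output database: log, mysql,"*user=*password=*dbname=*host=*) return 0 ;;
    esac
    echo "$conf: active output line is not the mysql database output: $line"
    return 1
}

# Run both checks; the exit status is non-zero if either one fails.
run_checks() {
    rc=0
    check_unified2 "$1" || rc=1
    check_barnyard_output "$2" || rc=1
    [ "$rc" -eq 0 ] && echo "snort.conf and barnyard2.conf look consistent"
    return "$rc"
}

# Invoke as: sh check_snort_conf.sh run [snort.conf] [barnyard2.conf]
if [ "${1:-}" = "run" ]; then
    run_checks "${2:-/etc/snort/snort.conf}" "${3:-/etc/snort/barnyard2.conf}"
fi
```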

Starting Snort and Finishing Barnyard Config

In this section, we will start Snort and Barnyard.

• In the CLI, type "snort -c /etc/snort/snort.conf -i eth1"
• Open a second CLI.
• cp /dev/null /var/log/snort/barnyard.waldo
• mkdir /var/log/barnyard2
• Start barnyard: /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo

Test Snort

In this step, we will test Snort with a simple rule in the local.rules file. Local rules are rules that the administrator of Snort writes himself and have a convention of starting with SID (Snort ID) of 1,000,000-1,999,999.

• Open a third CLI
• vim /etc/snort/rules/local.rules
• Insert "alert tcp any any <> any 80 (msg:"Test web activity"; sid:1000001;)". Save and exit.
• Restart Snort
• Open a web browser
• In the browser, go to any web page.
• In the CLI, type [ctrl] + c
• Go to http://localhost/base-1.4.5 and look at your events
• If you see a number of events with SID 1000001, Snort works!
• vim /etc/snort/rules/local.rules and disable the "Test web activity" rule.

Starting Snort Automatically

If you are creating a sensor that you would always like to be snorting, it’s best to make sure it starts upon reboot. In order to do so, please take the following steps:

• ln -s /usr/local/bin/snort /usr/sbin/snort
• cp /usr/local/snort-2.9.0.1/rpm/snortd /etc/init.d
• cp /usr/local/snort-2.9.0.1/rpm/snort.sysconfig /etc/sysconfig/snort
• cd /etc/rc3.d
• ln -s ../init.d/snortd S99snortd
• cd ../rc0.d
• ln -s ../init.d/snortd K99snortd
• cd /etc/rc5.d
• ln -s ../init.d/snortd S99snortd
• cd ../rc6.d
• ln -s ../init.d/snortd K99snortd
• chmod 755 /etc/init.d/snortd

Now we have to edit the /etc/sysconfig/snort file to start snort with the proper options, in our case using the eth1 interface and the /etc/snort/snort.conf file.

• vim /etc/sysconfig/snort
• Find eth0 and change it to eth1
• Find and comment out ALERTMODE=FAST, DUMP_APP=1, BINARY_LOG=1
• Save and close the file.

To test this, type the following:

/etc/init.d/snortd start

If snort starts OK, then you’ve done everything right.

Starting Barnyard2 Automatically

Just like starting Snort as a service on startup, here we will make sure Barnyard2 starts upon reboot. In order to do so, please take the following steps:

• vim /etc/snort/barnyard2.conf
• Uncomment config daemon
• Uncomment and set the path to your waldo file, /var/log/snort/barnyard2.waldo.
• vim /usr/local/barnyard2-1.8/rpm/barnyard2.config
• Change the LOG_FILE to snort.log and change the CONF variable to /etc/snort/barnyard2.conf. Save the file and exit.
• ln -s /usr/local/bin/barnyard2 /usr/sbin/barnyard2
• cp /usr/local/barnyard2-1.8/rpm/barnyard2 /etc/init.d
• vim /etc/init.d/barnyard2
• Change the BARNYARD_OPTS line to read BARNYARD_OPTS="-D -c $CONF -d $SNORTDIR -w $WALDO_FILE -f $LOG_FILE -X $PIDFILE $EXTRA_ARGS". Save and close the file.
• cp /usr/local/barnyard2-1.8/rpm/barnyard2.config /etc/sysconfig/barnyard2
• chmod 755 /usr/local/bin/barnyard2
• cd /etc/rc3.d
• ln -s ../init.d/barnyard2 S99barnyard2
• cd ../rc0.d
• ln -s ../init.d/barnyard2 K99barnyard2
• cd /etc/rc5.d
• ln -s ../init.d/barnyard2 S99barnyard2
• cd ../rc6.d
• ln -s ../init.d/barnyard2 K99barnyard2

To test, type /etc/init.d/barnyard2 start.
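Added here as an example, not part of the guide: a shell function that verifies the init script and the four rc symlinks created in the Snort and Barnyard2 service sections above, and reports any link that points at a script name that does not exist in /etc/init.d. The PREFIX argument and the function name are my assumptions; on the sensor itself the prefix is "/".

```shell
#!/bin/sh
# Added example, not from the guide: check the SysV start/stop links the
# guide creates for a service. PREFIX is the root to check under ("/" on the
# sensor, a scratch directory in tests); NAME is the init script, e.g. snortd.
check_rc_links() {
    prefix="${1%/}"
    name="$2"
    script="$prefix/etc/init.d/$name"
    rc=0
    if [ ! -x "$script" ]; then
        echo "$script: missing or not executable (chmod 755?)"
        rc=1
    fi
    # The guide starts the service in runlevels 3 and 5 and stops it in 0 and 6.
    for spec in 3:S99 5:S99 0:K99 6:K99; do
        level=${spec%%:*}
        link="$prefix/etc/rc$level.d/${spec#*:}$name"
        if [ ! -L "$link" ]; then
            echo "$link: symlink missing"
            rc=1
        elif [ ! -e "$link" ]; then
            # -L is true but -e (which follows the link) is false: dangling
            echo "$link: dangling symlink -> $(readlink "$link")"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "$name: init script and rc links look good"
    return "$rc"
}

# Invoke as: sh check_rc_links.sh run [NAME]   (defaults to snortd under /)
if [ "${1:-}" = "run" ]; then
    check_rc_links / "${2:-snortd}"
fi
```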

Updating Rules Automatically

The threat landscape in network security is always changing: new vulnerabilities and exploits are constantly being announced. Snort deals with this by updating the rules available, but doing this manually is a task that not many administrators can manage. For this reason, methods of automatically updating rules have been scripted.

In a brief aside and a shameless commercial, we should discuss the difference between VRT subscription and registered user rules. VRT Subscription provides registered users of Snort.org with immediate access to the most up to date Sourcefire VRT Certified Rules available at subscription cost. These have been tested and verified by the Sourcefire VRT as effective in stopping the threats involved while also running efficiently on a Snort system. Registered user rules are also fully VRT certified and tested, but become available after 30 days for no cost. For home users and some organizations, this 30 day delay in protection against the latest threats is an acceptable security risk.

In addition to the certified rules available at Snort.org, a number of additional individuals and groups write rules for Snort. One of the most noteworthy is Emerging Threats, an open source project supported by some of the contributors to the snort mailing list. There are other sources of rules on the web; some are freely available, others are at a cost.

In the past, Snort.org and Sourcefire have recommended using Oinkmaster, but now Pulled_Pork is recommended. Pulled_Pork has a number of advantages over Oinkmaster, mostly surrounding its capability for handling shared object rules.


Shared object (SO) rules were introduced in Snort 2.6.0 in early 2006 to provide a means to obscure the exact detection mechanism used in the rule and allow for more flexible detection criteria. For the most part, these rules are obfuscated because of contracts between Sourcefire and various software vendors providing advanced notice of vulnerabilities. In addition, the Sourcefire VRT provides SO rules for unannounced vulnerabilities it has discovered through research.

In order to update your rules automatically, you will need an oinkcode. You can get one on the snort.org website. Look on the bottom of the home page under Snort Links for the link “Get an Oinkcode”.

Just one note on oinkcodes: you will only be permitted to download snort rules once every 15 minutes. This means that if your download fails for any reason, you will have to wait 15 minutes before trying again. This is to prevent denial of service attacks or thoughtless users from making the downloads section of snort.org unavailable to other users.

In order to get Pulled_Pork running on the Fedora 13 system we’ve built here, follow these steps:

• Download Pulled_Pork: wget "http://code.google.com/p/pulledpork/downloads/detail?name=pulledpork-0.4.2.tar.gz&can=2&q=" (the URL is quoted so the shell does not treat the & characters as job control)
• cd /usr/local
• tar zxvf /home/bubba/pulledpork-0.4.2.tar.gz
• cd pulledpork-0.4.2/etc
• vim pulledpork.conf
• Find oinkcode. Replace it with your own oinkcode.
• Find and uncomment the line that reads ips_policy=security.
• Find and change rule_path to /etc/snort/rules/snort.rules
• Find and change local_rules path to /etc/snort/rules/local.rules
• Find and change sid_msg path to /etc/snort/sid-msg.map.
• Find and change config_path to /etc/snort/snort.conf
• Find and change sostub_path to /etc/snort/rules/so_rules.rules
• Find and change the distro to FC-12
• Find pid_path. Change the statement to read "pid_path=/var/run/snort_eth1.pid,/var/run/barnyard2_eth1.pid".
• Save and exit
• cp pulledpork.conf /etc/snort/


Now we'll have to install CPAN, the Comprehensive Perl Archive Network. It can be done from the CLI, but it's much easier from the GUI by going to System > Administration > Add/Remove Software. Search for CPAN and select the following:

• perl-CPAN
• perl-App-cpanminus
• perl-parse-CPAN-meta
• perl-pip
• perl-CPANPLUS

Once installed, we will need some additional modules. To get these, issue the following commands:

• cpan. This will cause an install script to run with several questions and default answers suggested. Accept the defaults and don't be concerned with what appear to be several error messages.
• install Test::More
• install Crypt::SSLeay
• install LWP::Simple
• exit

Now test the application by running:

• /usr/local/pulledpork-0.4.2/pulledpork.pl -c /etc/snort/pulledpork.conf

If you get a message saying “Fly Piggy Fly!”, Pulled_Pork works.

Your Pig is Ready to Snort!


Future Topics

Some topics for the next revision are:

• More on using Pulled_Pork to maintain disabled rules.
• Snorby as a GUI tool
• Rulebase Tuning

I’m open to suggestions for improving this document and will be revisiting it on at least an annual basis. I cannot answer support questions; these are best addressed by the Snort Users mailing list. If you don’t already have a subscription to snort users, please go to https://lists.sourceforge.net/lists/listinfo/snort-users.

Also, if you do email the snort users list, make sure to include your snort.conf and barnyard2.conf files with your inquiry. In many cases, people WAY smarter than me that monitor the list can answer questions right away with the information contained in these files.

Nick Moore, November 2010
