Snort 2.8.5.2 Inline + BASE on Ubuntu

February 12, 2010 — 8 Comments

Boy, when I started down the process of trying to get an IPS system set up, I had no idea what I was getting myself into. I’m not much of a security guy or a Linux guy, but I thought I’d give it a go. I followed many different guides that all worked great for me, and thank you to those who put the following guides together: http://ubuntuforums.org/showthread.php?t=919472, http://www.openmaniak.com/inline.php, http://forum.learnit.vn/showthread.php?p=7007

Since I had an Ubuntu server disc and an Acer desktop with a Pentium D, 1GB of RAM and 3 NICs (1 onboard and 2 100 Mb 3Com’s), I thought I’d give it a go. After a clean basic install of Ubuntu 9.04 server, I ran the following to get it up to 9.10:

sudo apt-get install update-manager-core
sudo do-release-upgrade

The next step was installing all the dependencies:

sudo -i
apt-get -y install build-essential libpcap0.8-dev libmysqlclient15-dev \
mysql-client-5.0 mysql-server-5.0 bison flex apache2 libapache2-mod-php5 \
php5-gd php5-mysql libphp-adodb php-pear libc6-dev g++ gcc pcregrep \
libpcre3-dev iptables-dev bridge-utils

One more requirement for compiling Snort with --enable-inline is libnet0-dev. libnet0 is no longer available via apt and libnet1 doesn’t work with Snort yet, so you need to download the libnet 1.0 source and compile it yourself!

Next it was time to download and compile Snort and the rules:

cd /usr/src
wget http://dl.snort.org/snort-current/snort-2.8.5.2.tar.gz
tar zxvf snort-2.8.5.2.tar.gz
# the registered-user rule snapshot needs a snort.org account and its oinkcode;
# fetching the bare URL without one fails
wget http://dl.snort.org/reg-rules/snortrules-snapshot-CURRENT.tar.gz
wget http://www.emergingthreats.net/rules/emerging.rules.tar.gz
cd snort-2.8.5.2
tar zxvf ../snortrules*
tar zxvf ../emerging*
./configure --enable-dynamicplugin --with-mysql --enable-inline
make
make install

It should configure and compile without any problems; if it doesn’t, check out http://openmaniak.com/inline_pre.php for a good list of requirements.

It’s now time to get mysql ready:

mysql -u root -p
mysql> create database databasename;
mysql> grant all privileges on databasename.* to 'username'@'localhost' identified by 'password';
mysql> exit

Import the schema:

mysql -D databasename -u username -p < /usr/src/snort-2.8.5.2/schemas/create_mysql

Setup Snort:

cd /usr/src/snort-2.8.5.2
mkdir -p /etc/snort/rules /var/log/snort
cp etc/* /etc/snort/
cp rules/* /etc/snort/rules

Next up, editing the /etc/snort/snort.conf file:

  1. Find var HOME_NET any and edit it to match your network(s), e.g. var HOME_NET 192.168.0.0/16
  2. Find var EXTERNAL_NET any and change it to var EXTERNAL_NET !$HOME_NET
  3. Find var RULE_PATH ../rules and change it to var RULE_PATH /etc/snort/rules
  4. I also added include $RULE_PATH/emerging.conf to read the emerging.conf rules file (the include list shipped with the Emerging Threats rules)
  5. Last, find the # output database: log, mysql, … line, uncomment it and change the user, password, dbname and host to match the database created above
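To apply the five edits above non-interactively and check that they all took, here is an added example that is not part of the original post: a small shell script that edits snort.conf with sed and then verifies the result. The HOME_NET value and the database user, password and name are placeholders, and the sample snort.conf it builds for a dry run is constructed from the default lines of the 2.8.5 config rather than copied from a real box.

```bash
#!/bin/bash
# Added example, not from the original post: script the snort.conf edits and
# verify them. HOME_NET and the database credentials are placeholders.

# Apply the five edits to the file in $1.  The credentials must not contain
# '|' because it is used as the sed delimiter.
configure_snort_conf() {
    local conf=$1 home_net=$2 dbuser=$3 dbpass=$4 dbname=$5
    cp "$conf" "$conf.orig"   # keep the untouched copy for diff/rollback
    sed -i \
        -e "s|^var HOME_NET any|var HOME_NET $home_net|" \
        -e 's|^var EXTERNAL_NET any|var EXTERNAL_NET !$HOME_NET|' \
        -e 's|^var RULE_PATH \.\./rules|var RULE_PATH /etc/snort/rules|' \
        -e "s|^# output database: log, mysql.*|output database: log, mysql, user=$dbuser password=$dbpass dbname=$dbname host=localhost|" \
        "$conf"
    # Emerging Threats ships its own include list (emerging.conf); add the
    # include exactly once so the rule set is loaded and re-runs stay idempotent.
    grep -q '^include \$RULE_PATH/emerging.conf' "$conf" ||
        echo 'include $RULE_PATH/emerging.conf' >> "$conf"
}

# Return 0 only if every edit is present; run it again after a config upgrade.
verify_snort_conf() {
    local conf=$1
    grep -q '^var HOME_NET ' "$conf" && ! grep -q '^var HOME_NET any$' "$conf" &&
    grep -q '^var EXTERNAL_NET !\$HOME_NET$' "$conf" &&
    grep -q '^var RULE_PATH /etc/snort/rules$' "$conf" &&
    grep -q '^output database: log, mysql, user=.* host=localhost$' "$conf" &&
    [ "$(grep -c '^include \$RULE_PATH/emerging.conf' "$conf")" -eq 1 ]
}

# Constructed stand-in for /etc/snort/snort.conf (the relevant default lines of
# the 2.8.5 config) so the script can be dry-run without touching the real file.
make_sample_conf() {
    local f
    f=$(mktemp /tmp/snort.conf.XXXXXX)
    cat > "$f" <<'EOF'
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
# output database: log, mysql, user=root password=test dbname=db host=localhost
include $RULE_PATH/local.rules
EOF
    echo "$f"
}

# Dry run on the sample; for the real thing call configure_snort_conf and
# verify_snort_conf on /etc/snort/snort.conf as root.
dry_run() {
    local f rc
    f=$(make_sample_conf)
    configure_snort_conf "$f" 192.168.0.0/16 snortuser s3cret snortdb
    if verify_snort_conf "$f"; then
        echo "snort.conf edits verified"
        rc=0
    else
        echo "snort.conf edits missing" >&2
        rc=1
    fi
    rm -f "$f" "$f.orig"
    return $rc
}
```

Running verify_snort_conf after every rules snapshot update is the useful part: a new snapshot that overwrites snort.conf silently puts HOME_NET back to any, and the database output line back to a comment, without Snort complaining.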

Installing BASE:

First I upgraded and installed the required Pear modules:

pear upgrade-all
pear install Image_Color Image_Canvas-alpha Image_Graph-alpha
pear install Mail Mail_mime

Edit your /etc/php5/apache2/php.ini file and add under Dynamic Extensions:

extension=mysql.so
extension=gd.so

Restart Apache2:

/etc/init.d/apache2 restart

Download and setup BASE:

cd
# -O: without it wget saves sourceforge's /download URL as a file called "download"
wget -O base-1.4.4.tar.gz http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.4/base-1.4.4.tar.gz/download
cd /var/www
tar zxvf ~/base-1.4.4.tar.gz
mv base-1.4.4 base
cd base
cp -R /usr/src/snort-2.8.5.2/doc/signatures .
cd ..
chown -R www-data.www-data base

Go ahead and visit your site at http://yoursite/base and click Continue:

  • Step 1: enter /usr/share/php/adodb as the path to ADODB
  • Step 2: Database type = mysql; Database name = the database created above; Database host = localhost; Database username = username; Database password = password
  • Step 3: enter the admin name and password you’d like to use to log in to BASE
  • Step 4: click the Create BASE AG button (this adds the BASE alert-group tables to the Snort database)
  • Step 5: click Continue to go to the login screen

The wizard writes its settings to base_conf.php, which is why the directory was chowned to www-data above; once setup is done the web server no longer needs write access to the BASE directory.

Bridging the Interfaces:

Load the bridge module:

modprobe bridge

Edit /etc/network/interfaces. eth2 is the management interface and the only one with an IP address; eth0 and eth1 are enslaved to the bridge and stay unaddressed, so the sensor has no address on the segment it bridges:

# The loopback network interface
auto lo
iface lo inet loopback

# The primary (management) network interface
auto eth2
iface eth2 inet static
        address 10.x.x.x
        netmask 255.x.x.x
        network 10.x.x.x
        broadcast 10.x.x.x
        gateway 10.x.x.x
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 10.x.x.x
        dns-search searchbase

# The Bridge (no address: eth0 and eth1 are bridged transparently)
auto br0
iface br0 inet manual
        bridge_ports eth0 eth1
        # Time to wait before loading bridge
        bridge_maxwait 0

And... restart networking:

/etc/init.d/networking restart

Then set up the box to load the bridge kernel module at startup. Note that a crontab edited with crontab -e has no user column (that column exists only in /etc/crontab), so the root field must be left out or cron will try to run a command named root:

crontab -e
@reboot lsmod | grep bridge > /dev/null || /sbin/modprobe bridge

Adding a line reading bridge to /etc/modules does the same job without cron.

The following is a startup script from http://openmaniak.com/inline_final.php that I used and modified for my setup.  I saved it in /etc/init.d/snortd:

#!/bin/bash
#
# snortd - start/stop Snort in inline (iptables QUEUE) mode.
# Based on the openmaniak snort_inline script. The binary, config and log
# paths are the ones used earlier in this post (snort built with
# --enable-inline), not the separate snort_inline package that the
# openmaniak script targets.

SNORT=/usr/local/bin/snort
SNORT_CONF=/etc/snort/snort.conf
SNORT_LOG=/var/log/snort

start() {
        # Start daemons.
        echo "Starting ip_queue module:"
        lsmod | grep ip_queue >/dev/null || /sbin/modprobe ip_queue

        echo "Starting iptables rules:"
        # accept internal localhost connections
        iptables -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
        iptables -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
        # send all the incoming, outgoing and forwarding traffic to the QUEUE.
        # From here on the kernel drops every queued packet until Snort has
        # attached to the queue: if Snort fails to start, the bridge blocks
        # all traffic (fail closed). Running start twice appends the rules
        # twice; run stop first.
        iptables -A INPUT -j QUEUE
        iptables -A FORWARD -j QUEUE
        iptables -A OUTPUT -j QUEUE

        # Start Snort inline
        echo "Starting snort inline: "
        $SNORT -c $SNORT_CONF -Q -D -l $SNORT_LOG
        # -Q -> process the queued traffic
        # -D -> run as a daemon
        # -l -> log path
        # -c -> config path
        # (the original script also passed -v, verbose packet output; it is
        # useless for a daemon and slows Snort down, so it is dropped here)
}

stop() {
        # Stop daemons. Flush the QUEUE rules before killing Snort so traffic
        # keeps flowing while it shuts down instead of being dropped.
        echo "Removing iptables rules:"
        iptables -F                 # -F -> flush iptables
        iptables -P INPUT ACCEPT
        iptables -P OUTPUT ACCEPT
        iptables -P FORWARD ACCEPT  # -P -> default policy

        echo "Shutting down snort: "
        killall snort
}

restart() {
        stop
        start
}

case "$1" in
        start)
                start
                ;;
        stop)
                stop
                ;;
        restart)
                restart
                ;;
        *)
                echo $"Usage: $0 {start|stop|restart}"
                exit 1
esac
exit 0

Make the script executable (chmod +x /etc/init.d/snortd, as one of the comments below points out) and start Snort with:

/etc/init.d/snortd start

And configure the server to run the snortd script at boot:

update-rc.d snortd defaults 95
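The QUEUE target used by the init script above is fail-closed: once the iptables rules are in place, the kernel drops every queued packet until a process is attached to ip_queue, so a Snort that crashed, or that never started, silently blocks the whole bridge. The following watchdog is an added example, not from the original post or from openmaniak. It reads /proc/net/ip_queue, whose "Peer PID" line names the attached reader, and restarts the snortd script from this post when nobody is attached. It assumes the proc file format of the 2.6-era ip_queue module; the two samples embedded in it are constructed, not captured from a real sensor.

```bash
#!/bin/bash
# ip_queue watchdog. Added example, not from the original post or openmaniak.
# Assumes the /proc/net/ip_queue format of the 2.6-era ip_queue module and the
# /etc/init.d/snortd script from this post.

# Parse /proc/net/ip_queue text from stdin and print "<peer pid> <queue dropped>".
# Peer PID is the process attached to the queue (0 = nobody: every queued
# packet is dropped); "Queue dropped" counts packets lost because the queue
# filled up, i.e. Snort was attached but could not keep up.
ipq_status() {
    awk -F: '
        /^Peer PID/      { gsub(/ /, "", $2); pid = $2 }
        /^Queue dropped/ { gsub(/ /, "", $2); dropped = $2 }
        END              { print pid + 0, dropped + 0 }'
}

# Print "ok" when a reader is attached, "restart" when the queue has no reader.
ipq_decide() {
    local pid
    pid=$(ipq_status | cut -d' ' -f1)
    if [ "${pid:-0}" -gt 0 ]; then
        echo ok
    else
        echo restart
    fi
}

# Run from cron (e.g. every minute) on the sensor itself. If ip_queue is not
# loaded there are no QUEUE rules either, so nothing is being dropped.
watchdog() {
    local proc=${1:-/proc/net/ip_queue}
    if [ ! -r "$proc" ]; then
        echo "ip_queue not loaded, nothing queued"
        return 0
    fi
    case $(ipq_decide < "$proc") in
        ok)
            echo "snort attached to ip_queue; queue overflow drops so far: $(ipq_status < "$proc" | cut -d' ' -f2)"
            ;;
        restart)
            echo "no reader on ip_queue: bridge traffic is being dropped, restarting snortd"
            /etc/init.d/snortd restart
            ;;
    esac
}

# Constructed samples of /proc/net/ip_queue (not captured from a real box):
# healthy, Snort attached as PID 4242 ...
IPQ_SAMPLE_ATTACHED='Peer PID          : 4242
Copy mode         : 2
Copy range        : 65535
Queue length      : 3
Queue max. length : 1024
Queue dropped     : 0
Netlink dropped   : 0'
# ... and the state after Snort has died: no peer, everything queued is dropped.
IPQ_SAMPLE_DEAD='Peer PID          : 0
Copy mode         : 0
Copy range        : 0
Queue length      : 0
Queue max. length : 1024
Queue dropped     : 17
Netlink dropped   : 0'

# Usage on the sensor:  watchdog            (reads /proc/net/ip_queue)
# Dry run on a sample:  printf '%s\n' "$IPQ_SAMPLE_DEAD" | ipq_decide   -> restart
```

A growing "Queue dropped" counter while Snort is attached is the other thing worth alerting on: those packets were dropped by the kernel, never inspected, and never logged to BASE, so the sensor looks quiet exactly when it is overloaded.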

And there we have it, what should be a functional Snort box compiled with inline support! Wrapping my head around this has been a chore; I’m pleased that it’s at least running! I haven’t put it in the middle of everything yet; so far I’ve just put it between my system and the network to play with rules. One downside I found deals with restarting the Snort process to load new rules; doing so will interrupt traffic until Snort starts up again, which can take around a minute or so.

8 responses to Snort 2.8.5.2 Inline + BASE on Ubuntu

  1. Where did you get your version of libnet from? I'm getting errors from the current one on sourceforge, and the packetlife link doesn't appear to work.

    Thanks!

  2. Where do you install iptables? How does iptables affect Snort? Do you have it on the same machine as Snort?

    I have installed Snort on my Ubuntu but up to now I haven't been able to run it with iptables, please help

    Thanks

    • iptables-dev was installed in one of the prerequisites at the top of the post. My understanding is all the packets are queued in iptables for Snort to then analyze before sending them down the line.

  3. Hi there

    Thanks a lot, great tutorial

    I just can't get snortrules-snapshot-CURRENT.tar.gz

    Can you help me with this?

    Thanks again :)

  4. I just finished installing Snort with your tutorial

    but at the end I got an error like this:

    -bash: /etc/init.d/snortd: Permission denied

    Can you help me with this?

    Thanks in advance

  5. Hi,

    Try giving the file execute permission.

    # chmod +x snortd

    Regards.

  6. Thank you for your effort on the tutorial.

    Please help!

    I finished configuring Snort inline according to your script, but when I put it between a network and my laptop, I noticed that while snortd is not yet running my laptop can access the network, but when I start Snort, after a short time the connection to my laptop breaks and never comes back again.

    When I stop snortd, one of the messages is "Snort_inline no process found".

    Because of this I am wondering whether snort-inline is running at all.

    When I look in BASE, I do not notice anything.

    Please can you help me
