We start by building another Ubuntu minimal server instance, choosing the "OpenSSH server" package during installation. The VM uses a management interface (eth0) and two further interfaces that will become the inline pair (eth1 and eth2). As always, update the package lists and installed packages first, then bring the inline pair up:
$ sudo apt-get -y update && sudo apt-get -y dist-upgrade
$ sudo ifconfig eth1 up && sudo ifconfig eth2 up
Install dependencies:
$ sudo apt-get install -y build-essential bison flex libpcap0.8 libpcap0.8-dev zlib1g-dev ethtool libpcap-dev libpcre3-dev libdumbnet-dev openssl libssl-dev
$ cd ~
$ wget http://prdownloads.sourceforge.net/libdnet/libdnet-1.11.tar.gz
$ tar xzvf libdnet-1.11.tar.gz
$ cd libdnet-1.11/
$ ./configure
$ make
$ sudo make install
$ cd ~
$ wget http://luajit.org/download/LuaJIT-2.0.2.tar.gz
$ tar xzvf LuaJIT-2.0.2.tar.gz
$ cd LuaJIT-2.0.2/
$ make
$ sudo make install
If the LuaJIT build, or Snort's configure step later on, complains about LuaJIT (OpenAppID needs it), check that pkg-config is installed and can locate the library you just built:
$ sudo apt-get -y install pkg-config
$ pkg-config --libs luajit #Should point at /usr/local/lib, e.g. "-L/usr/local/lib -lluajit-5.1"
$ mkdir ~/snort_src && cd ~/snort_src/
$ wget http://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
$ tar xvfz daq-2.0.6.tar.gz && cd daq-2.0.6/ && ./configure && make && sudo make install
$ cd ~/snort_src
$ wget https://www.snort.org/downloads/snort/snort-2.9.7.6.tar.gz
$ tar -xvzf snort-2.9.7.6.tar.gz && cd snort-2.9.7.6/
$ ./configure --prefix=/usr/local/snort --enable-sourcefire --enable-open-appid
$ make
$ sudo make install
$ sudo ldconfig
$ sudo ln -s /usr/local/snort/bin/snort /usr/sbin/snort
Verify the binary reports the version just built, "Version 2.9.7.6 GRE (Build 285)":
$ snort -V
$ sudo groupadd snort
$ sudo useradd snort -r -s /usr/sbin/nologin -c SNORT_IDS -g snort   #Ubuntu keeps nologin in /usr/sbin, not /sbin
$ sudo mkdir /etc/snort
$ sudo mkdir /etc/snort/rules
$ sudo mkdir /etc/snort/preproc_rules
$ sudo touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules /etc/snort/rules/local.rules
$ sudo mkdir /var/log/snort
$ sudo mkdir -p /usr/local/lib/snort/snort_dynamicrules
$ sudo mkdir -p /usr/local/lib/snort/snort_dynamicpreprocessor
These two directories hold locally added shared-object rules and preprocessors (-p creates the missing /usr/local/lib/snort parent, without it mkdir fails). The libraries compiled with Snort itself were installed under /usr/local/snort/lib/ because of the --prefix above, and that is where snort.conf has to point.
$ sudo chmod -R 5775 /etc/snort
$ sudo chmod -R 5775 /var/log/snort
$ sudo chmod -R 5775 /usr/local/lib/snort/snort_dynamicrules
$ sudo chmod -R 5775 /usr/local/lib/snort/snort_dynamicpreprocessor
$ sudo chown -R snort:snort /etc/snort
$ sudo chown -R snort:snort /var/log/snort
$ sudo chown -R snort:snort /usr/local/lib/snort/snort_dynamicrules
$ sudo chown -R snort:snort /usr/local/lib/snort/snort_dynamicpreprocessor
$ sudo cp ~/snort_src/snort-2.9.7.6/etc/*.conf* /etc/snort
$ sudo cp ~/snort_src/snort-2.9.7.6/etc/*.map /etc/snort
$ sudo cp ~/snort_src/snort-2.9.7.6/etc/attribute_table.dtd /etc/snort/
$ sudo vim /etc/snort/snort.conf
-----
preprocessor appid: app_stats_filename appstats-u2.log, app_stats_period 60, app_detector_dir
#app_detector_dir must name the directory into which the OpenAppID package is unpacked (the one containing odp/), see below.
....
#If they are commented out, uncomment the "Inline packet normalization" preprocessors.
#Uncomment and set the DAQ and output lines so they read:
config daq: afpacket
config daq_mode: inline
config daq_var: buffer_size_mb=1024
output unified2: filename snort.log, limit 128, appid_event_types
Change the "dynamicpreprocessor directory" path to "/usr/local/snort/lib/snort_dynamicpreprocessor" and the "dynamicengine" path to "/usr/local/snort/lib/snort_dynamicengine/libsf_engine.so": the --prefix used above installs the compiled libraries there, not under /usr/local/lib.
Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules" (a bare "/rules" would point at the filesystem root, and "../rules" is relative to wherever snort is started from).
Change "whitelist $WHITE_LIST_PATH/white_list.rules" to "whitelist /etc/snort/rules/white_list.rules"
Change "blacklist $BLACK_LIST_PATH/black_list.rules" to "blacklist /etc/snort/rules/black_list.rules"
Comment out every "include $RULE_PATH/..." line except local.rules and app-detect.rules (the latter carries the application ID rules used below).
-----
Verify Snort was built with the DAQ afpacket module (it must show up in the list):
$ snort --daq-list
The following sed comments out every "include $RULE_PATH/..." line in one pass; it is the quick way to disable the full rule set, not to enable it. Since we only want the community rules (loaded through local.rules) and the application ID rules, run it and then remove the leading "#" from the local.rules and app-detect.rules includes again.
$ sudo sed -i 's/^include \$RULE_PATH/#include \$RULE_PATH/' /etc/snort/snort.conf
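The snort.conf changes above, scripted as an added example (not from the original guide or the Snort project): the edits are applied with sed to a copy of the file and the result is checked before it is handed to snort -T. The sample conf embedded in the script is constructed and holds only the directives the edits touch; the dynamicengine path is an assumption that follows from the --prefix=/usr/local/snort build.

```shell
#!/bin/sh
# Added example, not part of the original guide: apply the snort.conf edits
# listed above with sed on a copy of the file, then check the result before
# handing it to "snort -T". Paths follow the guide; the dynamicengine path
# is an assumption that follows from the --prefix=/usr/local/snort build.

# Constructed stand-in for the stock snort.conf holding only the directives
# the edits touch (the real file is several hundred lines long).
write_sample_conf() {
    cat > "$1" <<'EOF'
ipvar HOME_NET any
var RULE_PATH ../rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
# config daq: <type>
# config daq_mode: <mode>
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
# output unified2: filename merged.log, limit 128, nostamp
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
EOF
}

# Rewrite $1 into $2: absolute rule and list paths, library paths under the
# install prefix, every rule include disabled except local.rules and
# app-detect.rules, then the inline DAQ and unified2 lines appended.
apply_page_edits() {
    src=$1
    dst=$2
    sed -e 's|^var RULE_PATH .*|var RULE_PATH /etc/snort/rules|' \
        -e 's|^var WHITE_LIST_PATH .*|var WHITE_LIST_PATH /etc/snort/rules|' \
        -e 's|^var BLACK_LIST_PATH .*|var BLACK_LIST_PATH /etc/snort/rules|' \
        -e 's|^dynamicpreprocessor directory .*|dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/|' \
        -e 's|^dynamicengine .*|dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so|' \
        -e 's|^include \$RULE_PATH|#include $RULE_PATH|' \
        -e 's|^#include \$RULE_PATH/local\.rules|include $RULE_PATH/local.rules|' \
        -e 's|^#include \$RULE_PATH/app-detect\.rules|include $RULE_PATH/app-detect.rules|' \
        "$src" > "$dst"
    cat >> "$dst" <<'EOF'
config daq: afpacket
config daq_mode: inline
config daq_var: buffer_size_mb=1024
output unified2: filename snort.log, limit 128, appid_event_types
EOF
}

# Print how many rule files the rewritten conf still includes.
active_include_count() {
    grep -c '^include \$RULE_PATH' "$1" || true
}

# Succeed only if every edit the guide asks for is present and no relative
# "../rules" path survived.
verify_edits() {
    f=$1
    grep -q '^config daq: afpacket$' "$f" &&
    grep -q '^config daq_mode: inline$' "$f" &&
    grep -q '^output unified2: .*appid_event_types' "$f" &&
    grep -q '^var RULE_PATH /etc/snort/rules$' "$f" &&
    grep -q '^dynamicpreprocessor directory /usr/local/snort/lib/' "$f" &&
    ! grep -q '\.\./rules' "$f" &&
    [ "$(active_include_count "$f")" = 2 ]
}

work=$(mktemp -d)
write_sample_conf "$work/snort.conf.orig"
apply_page_edits "$work/snort.conf.orig" "$work/snort.conf"
if verify_edits "$work/snort.conf"; then
    echo "edits applied; $(active_include_count "$work/snort.conf") rule files enabled"
    echo "next: sudo cp $work/snort.conf /etc/snort/snort.conf && sudo snort -c /etc/snort/snort.conf -T"
else
    echo "snort.conf is missing a required edit" >&2
fi
rm -rf "$work"
```

To use it on the real file, call apply_page_edits with /etc/snort/snort.conf as the source and a scratch path as the destination, run verify_edits on the result, and only then copy it into place and run the snort -T validation shown further down; sed on a copy keeps the stock file available for diffing.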
$ cd ~/snort_src/
$ wget -N https://www.snort.org/downloads/community/community-rules.tar.gz
$ tar xvfz community-rules.tar.gz
$ sudo cp /etc/snort/rules/local.rules /etc/snort/rules/local.rules.bkp
$ sudo sed -i 's/#/ /' community-rules/community.rules   #Enables the rules that ship commented out by blanking the first "#" on every line
$ sudo vim community-rules/community.rules   #Put the "#" back on the header comment lines above the first alert; the sed stripped those too
$ sudo cp ~/snort_src/community-rules/community.rules /etc/snort/rules/local.rules
That sed is blunt: it also blanks a "#" that appears inside a rule body (for example in a content match), so run the "snort -T" validation below before going inline.
$ sudo cp /tmp/app-detect.rules /etc/snort/rules/app-detect.rules   #Assumes app-detect.rules was already downloaded to /tmp
$ sudo cp snort-openappid.tar.gz /usr/local/snort   #The OpenAppID detector package from snort.org, downloaded into ~/snort_src
$ cd /usr/local/snort && sudo tar xzvf snort-openappid.tar.gz   #Unpacks odp/ under /usr/local/snort, the directory app_detector_dir in snort.conf must name
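As an added example (not part of the original guide), the following script puts the guide's blanket sed next to a narrower variant that only strips a leading "#" in front of a rule action, and runs both over a constructed six-line community.rules sample so the side effects are visible: both enable the same three rules, but the blanket form leaves the header lines uncommented and rewrites a "#" inside a content match. The SIDs in the sample are made up.

```shell
#!/bin/sh
# Added example, not part of the original guide: a narrower way to switch
# on the community rules that ship commented out, next to the guide's
# blanket "sed 's/#/ /'", so the difference can be checked on a sample.

# Constructed sample in community.rules layout: a header comment, an active
# rule whose content contains "#", and two disabled rules. SIDs are from
# the local range and made up for the example.
write_sample_rules() {
    cat > "$1" <<'EOF'
#---------------------------
# Community rules (constructed sample, not the real file)
#---------------------------
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"sample active rule"; content:"#!/bin/sh"; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"sample disabled rule"; sid:1000002; rev:1;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"sample disabled rule, no space"; sid:1000003; rev:1;)
EOF
}

# The guide's approach: blank the first "#" on every line. This enables the
# disabled rules but also mangles the header (which then has to be
# re-commented by hand) and any "#" inside a rule's content match.
enable_rules_blanket() {
    sed 's/#/ /' "$1" > "$2"
}

# Narrower approach: only strip a leading "#" (plus optional spaces) that
# sits directly in front of a rule action, leaving headers and rule bodies
# untouched.
enable_rules_safely() {
    sed -e 's/^#[[:space:]]*alert /alert /' \
        -e 's/^#[[:space:]]*drop /drop /' "$1" > "$2"
}

# Count rules Snort will load: lines whose first token is an action
# (leading whitespace allowed, which is how the blanket sed leaves them).
count_active_rules() {
    grep -c -e '^[[:space:]]*alert ' -e '^[[:space:]]*drop ' "$1" || true
}

# Count lines that are still comments.
count_comment_lines() {
    grep -c '^#' "$1" || true
}

work=$(mktemp -d)
write_sample_rules "$work/community.rules"
enable_rules_blanket "$work/community.rules" "$work/blanket.rules"
enable_rules_safely "$work/community.rules" "$work/safe.rules"
echo "blanket sed: $(count_active_rules "$work/blanket.rules") rules, $(count_comment_lines "$work/blanket.rules") comment lines"
echo "narrow sed:  $(count_active_rules "$work/safe.rules") rules, $(count_comment_lines "$work/safe.rules") comment lines"
# Shows the content match damaged by the blanket form and intact in the narrow one.
grep -n 'content:' "$work/blanket.rules" "$work/safe.rules"
rm -rf "$work"
```

With the blanket form the header lines come out as " ----" and " Community rules ...", which Snort rejects as unknown rule types until they are re-commented by hand, and the content match becomes content:" !/bin/sh", a silently wrong signature; the narrow form needs neither fix-up. Either way, validate the resulting file with snort -T before it goes inline.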
Note the inline interface names (e.g. eth1, eth2):
$ ifconfig
Enable IP forwarding. (Snort's afpacket inline DAQ passes frames between eth1 and eth2 itself; these sysctl settings are the ones this build used, and they only matter as long as the kernel is not also bridging or routing the two interfaces.)
$ sudo vi /etc/sysctl.conf
Add the following lines to that file:
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1   #"net.ipv6.ip_forward" is not a valid sysctl key on any Ubuntu version
Reboot so the settings take effect.
$ sudo shutdown -r now
Make sure no iptables rules are in the way. Note that -F flushes every chain of the filter table, including any host firewall rules protecting the management interface, and leaves the default policies unchanged.
$ sudo iptables -F
Validate the configuration (-T parses snort.conf and the rules, reports any errors and exits without processing traffic):
$ sudo snort -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort --daq afpacket -i eth1:eth2 -devsb -A full -T
Run Snort:
$ sudo snort -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort --daq afpacket -i eth1:eth2 -devsb -A full
"-i eth1:eth2" names the inline pair, "-u snort -g snort" drops privileges to the dedicated user after start-up, "-d -e -v" dump payload, link-layer headers and per-packet output to the console (drop -v for production use, console output costs throughput inline), "-s" sends alerts to syslog, "-b" logs packets in binary pcap form, and "-A full" writes full alert text.
Alerts are written under /var/log/snort/: the unified2 file snort.log.<time_stamp> and the AppID statistics file appstats-u2.log.<time_stamp>.
The application names AppID can report are the second column of appMapping.data in the odp/ directory of the unpacked OpenAppID package:
$ cut -f2 /usr/local/snort/odp/appMapping.data
AppID statistics are decoded with the u2openappid tool from the Snort source tree (tools/u2openappid, built along with Snort):
$ ~/snort_src/snort-2.9.7.6/tools/u2openappid/u2openappid /var/log/snort/appstats-u2.log.<time_stamp>
References:
- http://seclists.org/snort/2015/q2/395
- http://blog.snort.org/2014/03/openappid-install-video.html