====== Setup Snort on Ubuntu Server ======
* MySQL Method
* CS-MARS Method
* [[http://openinfosecfoundation.org/documentation/index.html|Suricata - Snort Alternative]]
There is some overlap between the two, but the CS-MARS method is much simpler since CS-MARS provides the correlation and the front-end.
Hardware recommendations: CPU, RAM and disk storage depend on the amount of traffic. Use at least 2 NICs: 1 for sensing and 1 for management.
Install a base Ubuntu Server. Here is a link to basic IP setup: [[ChangeUbuntuServerFromDHCPToAStaticIPAddress]]
Here is a sample /etc/network/interfaces file (MTU settings are optional):
<code>
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# Management interface
auto eth0
iface eth0 inet static
    mtu 9000
    address 192.168.1.50
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1
    pre-up iptables-restore < /etc/iptables.rules

# Sensing interface: no IP address, promiscuous mode
auto eth1
iface eth1 inet manual
    up ifconfig $IFACE 0.0.0.0 up
    up ifconfig $IFACE mtu 9000
    up ip link set $IFACE promisc on
    down ip link set $IFACE promisc off
    down ifconfig $IFACE down
</code>
===== Installing =====
[[SnortNotes|Notes]]
===== Adventures in Multi-Snort =====
[[Multi-SnortNotes|Multi-Snort Notes]]
===== Auto-update Rules =====
You will need to generate an Oinkcode on the snort website for either method.
==== Oinkmaster ====
Edit ''/etc/oinkmaster.conf''
Look for the "url =" line.
Comment it out and add the one generated on the snort site.
Create a user "snort" and add it to the group "snort".
Run the following command and add the line below to the crontab file:
''sudo crontab -u snort -e''
<code>
# m h dom mon dow command
00 17 * * * /usr/sbin/oinkmaster -C /etc/oinkmaster.conf -o /etc/snort/rules
</code>
==== Pulledpork ====
Edit ''/etc/snort/pulledpork/etc/pulledpork.conf''
Look for the "rule_url =" line.
Comment it out and add a new one using the code generated on the snort site.
Verify that all the paths are correct.
Create a user "snort" and add it to the group "snort".
Run the following command and add the pulledpork command info to the crontab file:
''sudo crontab -u snort -e''
<code>
# m h dom mon dow command
00 17 * * * /etc/snort/pulledpork/pulledpork.pl -c /etc/snort/pulledpork/etc/pulledpork.conf
</code>
Try running the pulledpork command by hand to make sure it works. If it does not, run the following commands (they install the SSL dependencies its Perl modules need) and try again.
<code>
sudo apt-get install libssl-dev zlib1g-dev
perl -MCPAN -e 'install Crypt::SSLeay'
</code>
===== Configuring for CS-MARS =====
First, we need to add the device to CS-MARS. Login and click on the Admin tab.
- Click on _Security and Monitor Devices_.
- Click the Add button.
- For the device type select _SW Security apps on a new host_.
- Define Snort as a reporting application.
- Specify the networks we are going to monitor.
- Submit and activate.
Now, back to the Snort sensor. We need to configure it to send events to CS-MARS.
- Edit the **snort.conf** file.
- Change the output to the following:
<code>
output alert_syslog: LOG_LOCAL4 LOG_ALERT
</code>
- Add a redirector in the **syslog.conf** file to forward the local4 facility to the CS-MARS appliance:
<code>
local4.alert @x.x.x.x
</code>
where x.x.x.x is the IP address of the CS-MARS appliance.
- Restart the Snort and syslog daemons.
===== Tuning Snort =====
Edit the **threshold.conf** file, and add the following lines if you are using the pre-processors (gen_id 119 is http_inspect).
<code>
# Get rid of annoying http_inspect alerts
suppress gen_id 119, sig_id 19
suppress gen_id 119, sig_id 16
suppress gen_id 119, sig_id 15
suppress gen_id 119, sig_id 14
suppress gen_id 119, sig_id 3
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 4
suppress gen_id 119, sig_id 7
</code>
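Before adding suppress lines it helps to measure which preprocessor alerts are actually flooding the syslog stream that the CS-MARS section above configures. The script below is an added example, not part of this wiki page or of Snort itself: it parses Snort ''alert_syslog'' lines of the form ''[gid:sid:rev] msg [Classification: ...] [Priority: n] {proto} src:port -> dst:port'' (IPv4 only), counts alerts per gen_id/sig_id, and prints candidate ''threshold.conf'' suppress lines for noisy preprocessor alerts. Rule-engine alerts (gen_id 1) are deliberately left out, since those should be tuned in the rule rather than silenced. The syslog lines embedded in it are constructed samples.

```python
"""Count Snort alert_syslog events and propose threshold.conf suppress lines.

Added example (not from the wiki page). Assumes Snort's alert_syslog
line format and IPv4 addresses; the SAMPLE_SYSLOG lines are constructed.
"""
import re
from collections import Counter

# Constructed sample of what local4.alert carries after "output alert_syslog".
SAMPLE_SYSLOG = """\
May 12 17:00:01 sensor1 snort[4242]: [119:19:1] (http_inspect) LONG HEADER [Priority: 3] {TCP} 192.168.1.77:50123 -> 192.168.1.20:80
May 12 17:00:02 sensor1 snort[4242]: [119:19:1] (http_inspect) LONG HEADER [Priority: 3] {TCP} 192.168.1.78:50124 -> 192.168.1.20:80
May 12 17:00:02 sensor1 snort[4242]: [119:19:1] (http_inspect) LONG HEADER [Priority: 3] {TCP} 192.168.1.79:50125 -> 192.168.1.20:80
May 12 17:00:03 sensor1 snort[4242]: [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [Priority: 3] {TCP} 192.168.1.77:50126 -> 192.168.1.20:80
May 12 17:00:04 sensor1 snort[4242]: [1:1000001:2] LOCAL test signature [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.9.8.7:4444 -> 192.168.1.20:22
May 12 17:00:05 sensor1 snort[4242]: [1:1000002:1] LOCAL icmp probe [Classification: Misc activity] [Priority: 3] {ICMP} 10.9.8.7 -> 192.168.1.20
May 12 17:00:06 sensor1 kernel: this line is not a snort alert
"""
SAMPLE_LINES = SAMPLE_SYSLOG.splitlines()

# Snort alert_syslog layout: [gid:sid:rev] msg [Classification: c] [Priority: p] {proto} src[:port] -> dst[:port]
# The Classification block is optional (preprocessor alerts usually lack it); ports are
# absent for ICMP.
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>[A-Z]+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a Snort alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "pri"):
        d[key] = int(d[key])
    for key in ("sport", "dport"):
        d[key] = int(d[key]) if d[key] is not None else None
    return d


def count_by_signature(lines):
    """Count alerts per (gen_id, sig_id), ignoring non-alert lines."""
    counts = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert:
            counts[(alert["gid"], alert["sid"])] += 1
    return counts


def suggest_suppressions(lines, min_count=2, rule_engine_gid=1):
    """Propose threshold.conf suppress lines for noisy preprocessor alerts.

    Alerts from the rule engine (gen_id 1) are skipped on purpose: a noisy
    rule should be tuned or disabled in the rule set, not hidden globally.
    """
    suggestions = []
    for (gid, sid), n in count_by_signature(lines).most_common():
        if gid == rule_engine_gid or n < min_count:
            continue
        suggestions.append(f"suppress gen_id {gid}, sig_id {sid}")
    return suggestions


if __name__ == "__main__":
    for (gid, sid), n in count_by_signature(SAMPLE_LINES).most_common():
        print(f"{gid}:{sid}\t{n}")
    print("# candidate threshold.conf entries")
    for entry in suggest_suppressions(SAMPLE_LINES):
        print(entry)
```

On a real sensor, feed it the lines matching ''snort\['' from the file your ''local4.alert'' facility is also written to, and compare the counts before and after each suppress line so you know exactly what volume each entry removes.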
* [[http://mikelococo.com/2011/08/snort-capacity-planning/|http://mikelococo.com/2011/08/snort-capacity-planning/]]
* [[http://www.netsieben.com/b2evo/blog7.php/2008/11/12/tuning-snort-and-flex-response|http://www.netsieben.com/b2evo/blog7.php/2008/11/12/tuning-snort-and-flex-response]]
* [[http://www.snort.org/assets/127/Snort_Perf_Tuning_webinar_Final.pdf|http://www.snort.org/assets/127/Snort_Perf_Tuning_webinar_Final.pdf]]
* [[http://www.snortid.com/snortid.asp|http://www.snortid.com/snortid.asp]] <-- SID Lookup
===== References =====
[[http://www.snort.org/assets/158/Ubuntu-snortinstallguide2903.pdf]]
[[https://wwwx.cs.unc.edu/~hays/archives/2010/02/entry_23.php]]
[[http://wiki.networksecuritytoolkit.org/nstwiki/index.php/Snort]]
[[http://www.informit.com/articles/article.aspx?p=101171&seqNum=9]]
[[http://baronne.mouton.co.uk/snort-on-ubuntu-server-810-intrepid-ibex-2/]]
[[http://vrt-sourcefire.blogspot.com/2008/09/snort-startup-script-for-ubuntu.html]]
[[http://ciscomars.blogspot.com/2006/11/cs-mars-using-snort-sensors.html]]
[[http://manpages.ubuntu.com/manpages/intrepid/man8/snort.8.html]]
-- Main.FredPettis - 12 May 2010