====== Setup Snort on Ubuntu Server ======

  * MySQL Method
  * CS-MARS Method
  * [[http://openinfosecfoundation.org/documentation/index.html|Suricata - Snort Alternative]]

There are some areas of overlap, but the latter will be much simpler since CS-MARS is providing the correlation and front-end.

Hardware recommendations:

  * CPU, RAM and disk storage depend on the amount of traffic.
  * At least 2 NICs: 1 for sensing and 1 for management.

Install a base Ubuntu Server. Here is a link to basic IP setup: [[ChangeUbuntuServerFromDHCPToAStaticIPAddress]]

Here is a sample ''/etc/network/interfaces'' file (MTU settings are optional). The management interface gets the static address; the sensing interface gets no IP address at all and is brought up in promiscuous mode:

<code>
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# Management interface (static address, firewall rules restored before it comes up)
auto eth0
iface eth0 inet static
    mtu 9000
    address 192.168.1.50
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1
    pre-up iptables-restore < /etc/iptables.rules

# Sensing interface (no IP address, promiscuous mode so Snort sees all traffic)
auto eth1
iface eth1 inet manual
    up ifconfig $IFACE 0.0.0.0 up
    up ifconfig $IFACE mtu 9000
    up ip link set $IFACE promisc on
    down ip link set $IFACE promisc off
    down ifconfig $IFACE down
</code>

===== Installing =====

[[SnortNotes|Notes]]

===== Adventures in Multi-Snort =====

[[Multi-SnortNotes|Multi-Snort Notes]]

===== Auto-update Rules =====

You will need to generate an oinkcode on the snort website for either method.

==== Oinkmaster ====

Edit ''/etc/oinkmaster.conf''.
Look for the "url =" line.
Comment it out and add the one generated on the snort site.
Create a user "snort" and add it to the group "snort".
Run the following command and add the info to the crontab file:
''sudo crontab -u snort -e''

<code>
# m h dom mon dow command
00 17 * * * /usr/sbin/oinkmaster -C /etc/oinkmaster.conf -o /etc/snort/rules
</code>

==== Pulledpork ====

Edit ''/etc/snort/pulledpork/etc/pulledpork.conf''.
Look for the "rule_url =" line.
Comment it out and add a new one using the code generated on the snort site.
Verify that all the paths are correct.
Create a user "snort" and add it to the group "snort".
Run the following command and add the pulledpork command info to the crontab file:
''sudo crontab -u snort -e''

<code>
# m h dom mon dow command
00 17 * * * /etc/snort/pulledpork/pulledpork.pl -c /etc/snort/pulledpork/etc/pulledpork.conf
</code>

Try running the pulledpork command to make sure it works. If it does not, run the following commands and try again:

<code>
sudo apt-get install libssl-dev zlib1g-dev
perl -MCPAN -e 'install Crypt::SSLeay'
</code>

===== Configuring for CS-MARS =====

First, we need to add the device to CS-MARS. Login and click on the Admin tab.

  - Click on **Security and Monitor Devices**.
  - Click the Add button.
  - For the device type select **SW Security apps on a new host**.
  - Define Snort as a reporting application.
  - Specify the networks we are going to monitor.
  - Submit and Activate.

Now, back to the Snort sensor. We need to configure it to send events to CS-MARS.

  - Edit the ''snort.conf'' file.
  - Change the output to the following: ''output alert_syslog: LOG_LOCAL4 LOG_ALERT''
  - Add a redirector in the ''syslog.conf'' file to send the syslog to the CS-MARS appliance, where x.x.x.x is the IP of MARS: ''local4.alert @x.x.x.x''
  - Restart the Snort and Syslog daemons.

===== Tuning Snort =====

Edit the ''threshold.conf'' file, and add the following lines if you are using the pre-processors.
<code>
# Get rid of annoying http_inspect alerts
suppress gen_id 119, sig_id 19
suppress gen_id 119, sig_id 16
suppress gen_id 119, sig_id 15
suppress gen_id 119, sig_id 14
suppress gen_id 119, sig_id 3
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 4
suppress gen_id 119, sig_id 7
</code>

These entries silence the listed http_inspect (generator 119) events completely, so they never reach syslog or CS-MARS; check what each sig_id covers with the SID lookup below before suppressing it.

Further reading on tuning:

  * [[http://mikelococo.com/2011/08/snort-capacity-planning/]]
  * [[http://www.netsieben.com/b2evo/blog7.php/2008/11/12/tuning-snort-and-flex-response]]
  * [[http://www.snort.org/assets/127/Snort_Perf_Tuning_webinar_Final.pdf]]
  * [[http://www.snortid.com/snortid.asp]] (SID lookup)

===== References =====

  * [[http://www.snort.org/assets/158/Ubuntu-snortinstallguide2903.pdf]]
  * [[https://wwwx.cs.unc.edu/~hays/archives/2010/02/entry_23.php]]
  * [[http://wiki.networksecuritytoolkit.org/nstwiki/index.php/Snort]]
  * [[http://www.informit.com/articles/article.aspx?p=101171&seqNum=9]]
  * [[http://baronne.mouton.co.uk/snort-on-ubuntu-server-810-intrepid-ibex-2/]]
  * [[http://vrt-sourcefire.blogspot.com/2008/09/snort-startup-script-for-ubuntu.html]]
  * [[http://ciscomars.blogspot.com/2006/11/cs-mars-using-snort-sensors.html]]
  * [[http://manpages.ubuntu.com/manpages/intrepid/man8/snort.8.html]]

-- Main.FredPettis - 12 May 2010
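As a check for the Tuning Snort section above, here is an added example (not code from the original page): it parses the lines Snort's ''alert_syslog'' output writes, which is what the CS-MARS forwarding sends over ''local4.alert'', and reports which alerts a set of ''suppress gen_id N, sig_id M'' entries would stop Snort from raising at all, so a suppression list can be tried against a day of saved alerts before it goes into ''threshold.conf''. The sample syslog lines, the local SID 1000001 and the "date host snort[pid]:" prefix are constructed assumptions.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the shape of Snort's alert_syslog output (prefix assumed to be the
# syslog daemon's "date host snort[pid]:"); lines 1 and 3 are http_inspect (gid 119) events
# of the kind the threshold.conf entries above silence, line 4 is unrelated syslog noise.
SAMPLE_SYSLOG = """\
May 12 17:01:03 sensor1 snort[2310]: [119:19:1] (http_inspect) LONG HEADER [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.77:51234 -> 10.0.0.5:80
May 12 17:01:04 sensor1 snort[2310]: [1:1000001:1] LOCAL TEST RULE [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.77:51235 -> 10.0.0.5:22
May 12 17:01:05 sensor1 snort[2310]: [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [Priority: 3] {TCP} 192.168.1.78:40000 -> 10.0.0.5:80
May 12 17:01:06 sensor1 sshd[1900]: Accepted publickey for admin from 192.168.1.10 port 5022
"""

# Two of the suppress entries from the Tuning Snort section above.
SAMPLE_THRESHOLD = """\
# Get rid of annoying http_inspect alerts
suppress gen_id 119, sig_id 19
suppress gen_id 119, sig_id 2
"""

# alert_syslog message: [gid:sid:rev] msg [Classification: c] [Priority: p] {proto} src -> dst
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) "
    r"(?:\[Classification: [^\]]*\] )?\[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)\s*$")

# Only the plain "suppress gen_id N, sig_id M" form used on this page; "track by_src/by_dst" entries are left unmatched.
SUPPRESS_RE = re.compile(r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*$")

def parse_alert(line: str) -> Optional[Dict[str, str]]:
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None

def parse_suppress(threshold_conf: str) -> Set[Tuple[int, int]]:
    matches = map(SUPPRESS_RE.match, threshold_conf.splitlines())
    return {(int(m[1]), int(m[2])) for m in matches if m}

def apply_suppress(syslog_text: str, threshold_conf: str) -> Tuple[List[Dict], List[Dict]]:
    """Return (kept, suppressed): alerts that would still be forwarded to CS-MARS versus
    those the suppress entries would stop Snort from raising. Non-Snort lines are skipped."""
    ids = parse_suppress(threshold_conf)
    kept, dropped = [], []
    for line in syslog_text.splitlines():
        a = parse_alert(line)
        if a is not None:
            (dropped if (int(a["gid"]), int(a["sid"])) in ids else kept).append(a)
    return kept, dropped
```

Run ''apply_suppress'' over a saved copy of the sensor's syslog and the candidate ''threshold.conf'' to see exactly which alerts the new entries would hide.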