Setup Snort on Ubuntu Server

There are some areas of overlap, but the latter will be much simpler, since CS-MARS provides the correlation and front end.

Hardware recommendations: CPU, RAM and disk storage depend on the amount of traffic. Use at least two NICs: one for sensing and one for management.

Install a base Ubuntu Server. Here is a link to basic IP setup: ChangeUbuntuServerFromDHCPToAStaticIPAddress

Here is a sample /etc/network/interfaces file (MTU settings are optional):

<file>
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# eth0: management interface (static address; firewall rules are restored before it comes up)
auto eth0
iface eth0 inet static
mtu 9000
address 192.168.1.50
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
pre-up iptables-restore < /etc/iptables.rules

# eth1: sensing interface (no IP address, promiscuous mode so Snort sees all traffic)
auto eth1
iface eth1 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ifconfig $IFACE mtu 9000
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down
</file>

===== Installing =====

===== Adventures in Multi-Snort =====

===== Auto-update Rules =====

You will need to generate an Oinkcode on the Snort website for either method.

==== Oinkmaster ====

Edit /etc/oinkmaster.conf:
  * Look for the "url = " line.
  * Comment it out and add the one generated on the Snort site.
  * Create a user "snort" and add it to the group "snort".
  * Run the following command and add the entry below to the crontab file:

<file>
sudo crontab -u snort -e
</file>

<file>
# m h dom mon dow command
00 17 * * * /usr/sbin/oinkmaster -C /etc/oinkmaster.conf -o /etc/snort/rules
</file>

==== Pulledpork ====

Edit /etc/snort/pulledpork/etc/pulledpork.conf:
  * Look for the "rule_url=" line.
  * Comment it out and add a new one using the code generated on the Snort site.
  * Verify that all the paths are correct.
  * Create a user "snort" and add it to the group "snort".
  * Run the following command and add the pulledpork entry below to the crontab file:

<file>
sudo crontab -u snort -e
</file>

<file>
# m h dom mon dow command
00 17 * * * /etc/snort/pulledpork/pulledpork.pl -c /etc/snort/pulledpork/etc/pulledpork.conf
</file>

Try running the pulledpork command to make sure it works. If not, run the following commands and try again:

<file>
sudo apt-get install libssl-dev zlib1g-dev
perl -MCPAN -e 'install Crypt::SSLeay'
</file>

===== Configuring for CS-MARS =====

First, we need to add the device to CS-MARS. Log in and click on the Admin tab.
  - Click on _Security and Monitor Devices_.
  - Click the Add button.
  - For the device type, select _SW Security apps on a new host_.
  - Define Snort as a reporting application.
  - Specify the networks we are going to monitor.
  - Submit and Activate.

Now, back to the Snort sensor. We need to configure it to send events to CS-MARS.
  - Edit the snort.conf file.
  - Change the output to the following:
<file>
output alert_syslog: LOG_LOCAL4 LOG_ALERT
</file>
  - Add a redirector in the syslog.conf file to send the syslog to the CS-MARS appliance (x.x.x.x is the IP of MARS):
<file>
local4.alert @x.x.x.x
</file>
  - Restart the Snort and syslog daemons.
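The redirector above forwards Snort's alert_syslog lines to MARS on the local4 facility, so it is worth checking what those lines actually carry before relying on the MARS parser. The following Python parser is an added example, not code from the original page, from Snort or from Cisco: it picks the Snort alerts out of a constructed syslog excerpt (the hostname sensor1, PID, addresses and alert lines are all made up), extracts the GID:SID:rev, priority, protocol and endpoints that MARS keys on, skips unrelated lines on the same log, and counts events per signature. The line layout it assumes is the Snort 2.x alert_syslog format.

```python
"""Parse Snort 'alert_syslog' lines, the format that local4.alert forwards to CS-MARS.

Added example, not part of the original wiki page. The syslog excerpt below is
constructed: hostname, PID, addresses and alert contents are made up.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of what the sensor's syslog (and the MARS forward) would carry
SAMPLE_SYSLOG = """\
May 12 17:00:01 sensor1 snort[2112]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.20:80 -> 10.0.0.9:51234
May 12 17:00:02 sensor1 snort[2112]: [119:19:1] (http_inspect) LONG HEADER [Priority: 3] {TCP} 10.0.0.9:51240 -> 192.168.1.20:80
May 12 17:00:03 sensor1 snort[2112]: [1:384:5] ICMP PING [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 192.168.1.20
May 12 17:00:04 sensor1 CRON[2200]: (snort) CMD (/usr/sbin/oinkmaster -C /etc/oinkmaster.conf -o /etc/snort/rules)
"""

# Snort 2.x alert_syslog layout (assumed here):
#   snort[pid]: [gid:sid:rev] msg [Classification: c] [Priority: p] {proto} src[:port] -> dst[:port]
# Classification is optional (preprocessor alerts omit it); ports are absent for ICMP.
ALERT_RE = re.compile(
    r"snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?"
    r"\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>[A-Z]+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


@dataclass(frozen=True)
class SnortAlert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alert(line: str) -> Optional[SnortAlert]:
    """Return the alert on this syslog line, or None if it is not a Snort alert."""
    m = ALERT_RE.search(line.rstrip())
    if not m:
        return None
    return SnortAlert(
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["cls"], priority=int(m["prio"]),
        proto=m["proto"],
        src=m["src"], sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None,
    )


def parse_syslog(text: str) -> Tuple[List[SnortAlert], int]:
    """Parse every line; return (alerts, number of non-alert lines skipped)."""
    alerts: List[SnortAlert] = []
    skipped = 0
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            skipped += 1          # cron, sshd, ... share the same log file
        else:
            alerts.append(alert)
    return alerts, skipped


def count_by_signature(alerts: List[SnortAlert]) -> Dict[Tuple[int, int], int]:
    """Alert volume per GID:SID, the first thing to look at before tuning."""
    return dict(Counter((a.gid, a.sid) for a in alerts))


if __name__ == "__main__":
    found, skipped = parse_syslog(SAMPLE_SYSLOG)
    for a in found:
        print(f"{a.gid}:{a.sid}:{a.rev} prio={a.priority} {a.proto} {a.src} -> {a.dst}  {a.msg}")
    print(f"skipped {skipped} non-alert line(s); per signature: {count_by_signature(found)}")
```

Run it against a tail of the sensor's own syslog (not the MARS side) first: if the regex skips lines that are clearly Snort alerts, the output module is not producing the expected format and MARS will drop those events too.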
===== Tuning Snort =====

Edit the threshold.conf file, and add the following lines if you are using the pre-processors. Each suppress line silences one http_inspect event (gen_id 119) everywhere it fires; the traffic is still inspected, only the alert output is dropped.

<file>
# Get rid of annoying http_inspect alerts
suppress gen_id 119, sig_id 19
suppress gen_id 119, sig_id 16
suppress gen_id 119, sig_id 15
suppress gen_id 119, sig_id 14
suppress gen_id 119, sig_id 3
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 4
suppress gen_id 119, sig_id 7
</file>

  * http://mikelococo.com/2011/08/snort-capacity-planning/
  * http://www.netsieben.com/b2evo/blog7.php/2008/11/12/tuning-snort-and-flex-response
  * http://www.snort.org/assets/127/Snort_Perf_Tuning_webinar_Final.pdf
  * http://www.snortid.com/snortid.asp (SID lookup)

===== References =====

http://www.snort.org/assets/158/Ubuntu-snortinstallguide2903.pdf
https://wwwx.cs.unc.edu/~hays/archives/2010/02/entry_23.php
http://wiki.networksecuritytoolkit.org/nstwiki/index.php/Snort
http://www.informit.com/articles/article.aspx?p=101171&seqNum=9
http://baronne.mouton.co.uk/snort-on-ubuntu-server-810-intrepid-ibex-2/
http://vrt-sourcefire.blogspot.com/2008/09/snort-startup-script-for-ubuntu.html
http://ciscomars.blogspot.com/2006/11/cs-mars-using-snort-sensors.html
http://manpages.ubuntu.com/manpages/intrepid/man8/snort.8.html
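To see exactly what the suppress entries in the Tuning section do, here is an added Python example (not from the original page and not Snort's own code): it parses the threshold.conf lines listed there, plus one constructed "track by_src" entry that is not on the page, and applies them to a constructed list of alerts. The (gid, sid, src, dst) tuple form, the addresses and the by_src entry are assumptions made for this example; the syntax it parses is Snort's suppress directive.

```python
"""Apply threshold.conf 'suppress' entries to a list of Snort alerts.

Added example, not part of the original wiki page. Alerts are
(gid, sid, src_ip, dst_ip) tuples; the addresses and the extra
'track by_src' entry are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Alert = Tuple[int, int, str, str]  # (gid, sid, src_ip, dst_ip)
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# The suppress lines from the page, plus one constructed ip-scoped entry
THRESHOLD_CONF = """\
# Get rid of annoying http_inspect alerts
suppress gen_id 119, sig_id 19
suppress gen_id 119, sig_id 16
suppress gen_id 119, sig_id 15
suppress gen_id 119, sig_id 14
suppress gen_id 119, sig_id 3
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 4
suppress gen_id 119, sig_id 7
# constructed: silence ICMP PING (1:384) only when the management host sends it
suppress gen_id 1, sig_id 384, track by_src, ip 192.168.1.50
"""


@dataclass(frozen=True)
class Suppress:
    gid: int
    sid: int
    track: Optional[str] = None   # None (global), 'by_src' or 'by_dst'
    net: Optional[Network] = None

    def matches(self, alert: Alert) -> bool:
        gid, sid, src, dst = alert
        if (gid, sid) != (self.gid, self.sid):
            return False
        if self.track is None:
            return True  # unscoped suppress: drop the event wherever it fires
        addr = ipaddress.ip_address(src if self.track == "by_src" else dst)
        return addr in self.net


def parse_threshold_conf(text: str) -> List[Suppress]:
    """Parse 'suppress gen_id G, sig_id S[, track by_src|by_dst, ip A]' lines."""
    rules: List[Suppress] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line.startswith("suppress"):
            continue                              # event_filter etc. are not handled here
        fields = {}
        for part in line[len("suppress"):].split(","):
            key, value = part.split()
            fields[key] = value
        track = fields.get("track")
        net = ipaddress.ip_network(fields["ip"], strict=False) if "ip" in fields else None
        if (track is None) != (net is None):
            raise ValueError(f"track and ip must appear together: {raw!r}")
        if track not in (None, "by_src", "by_dst"):
            raise ValueError(f"bad track value: {raw!r}")
        rules.append(Suppress(int(fields["gen_id"]), int(fields["sig_id"]), track, net))
    return rules


def apply_suppress(alerts: List[Alert], rules: List[Suppress]) -> Tuple[List[Alert], List[Alert]]:
    """Return (kept, dropped): an alert is dropped if any suppress entry matches it."""
    kept: List[Alert] = []
    dropped: List[Alert] = []
    for alert in alerts:
        (dropped if any(r.matches(alert) for r in rules) else kept).append(alert)
    return kept, dropped


# Constructed alerts; addresses are made up
SAMPLE_ALERTS: List[Alert] = [
    (119, 19, "10.0.0.9", "192.168.1.20"),     # http_inspect sid 19: suppressed globally
    (1, 2100498, "192.168.1.20", "10.0.0.9"),  # id check returned root: kept
    (1, 384, "192.168.1.50", "192.168.1.20"),  # ICMP PING from the mgmt host: suppressed
    (1, 384, "10.0.0.9", "192.168.1.20"),      # ICMP PING from elsewhere: kept
    (119, 18, "10.0.0.9", "192.168.1.20"),     # http_inspect sid 18 not listed: kept
]

if __name__ == "__main__":
    rules = parse_threshold_conf(THRESHOLD_CONF)
    kept, dropped = apply_suppress(SAMPLE_ALERTS, rules)
    print(f"{len(rules)} suppress entries; kept {len(kept)}, dropped {len(dropped)}")
    for a in dropped:
        print("suppressed:", a)
```

The by_src entry shows the safer way to quiet a single noisy host: the signature keeps firing for everyone else, whereas the unscoped entries on the page hide the event from every source, so review them against the per-signature counts before adding more.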

– Main.FredPettis - 12 May 2010

snortonubuntu.txt · Last modified: 2013/02/14 22:49 by deftesprit