Table of Contents
Setup Snort on Ubuntu Server
- !MySQL Method
- CS-MARS Method
There are some areas of overlap, but the latter will be much simpler since CS-MARS is providing the correlation and front-end.
Hardware recommendations: CPU, RAM and disk storage depend on the amount of traffic. Use at least two NICs: one for sensing (no IP address, promiscuous mode) and one for management.
Install a base Ubuntu Server. Here is a link to basic IP setup: ChangeUbuntuServerFromDHCPToAStaticIPAddress
Here is a sample /etc/network/interfaces file (MTU settings are optional). eth0 is the management interface; eth1 is the sensing interface and is brought up without an IP address so it cannot be addressed from the monitored segment:
<file>
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# Management interface
auto eth0
iface eth0 inet static
    mtu 9000
    address 192.168.1.50
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1
    pre-up iptables-restore < /etc/iptables.rules

# Sensing interface: no address, promiscuous mode
auto eth1
iface eth1 inet manual
    up ifconfig $IFACE 0.0.0.0 up
    up ifconfig $IFACE mtu 9000
    up ip link set $IFACE promisc on
    down ip link set $IFACE promisc off
    down ifconfig $IFACE down
</file>
Installing
Adventures in Multi-Snort
===== Auto-update Rules =====
You will need to generate an oinkcode on the snort website for either method. Note that Snort reads its rule files only at startup, so a rule update does not take effect until Snort is restarted (or sent SIGHUP).
==== Oinkmaster ====
Edit /etc/oinkmaster.conf
- Look for the “url =” line.
- Comment it out and add the one generated on the snort site.
- Create a user “snort” and add it to the group “snort”.
- Run the following command and add the info to the crontab file:
sudo crontab -u snort -e
<file>
# m h dom mon dow command
00 17 * * * /usr/sbin/oinkmaster -C /etc/oinkmaster.conf -o /etc/snort/rules
</file>
==== Pulledpork ====
Edit /etc/snort/pulledpork/etc/pulledpork.conf
- Look for the “rule_url =” line.
- Comment it out and add a new one using the oinkcode generated on the snort site.
- Verify that all the paths are correct.
- Create a user “snort” and add it to the group “snort”.
- Run the following command and add the pulledpork command info to the crontab file:
sudo crontab -u snort -e
<file>
# m h dom mon dow command
00 17 * * * /etc/snort/pulledpork/pulledpork.pl -c /etc/snort/pulledpork/etc/pulledpork.conf
</file>
The oinkcode is a credential for your snort.org account, so keep pulledpork.conf owned by the snort user and readable by that user only (mode 600).
Try running the pulledpork command by hand first to make sure it works. If it fails, run the following commands and try again.
<file>
sudo apt-get install libssl-dev zlib1g-dev
perl -MCPAN -e 'install Crypt::SSLeay'
</file>
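Both crontab entries above (Oinkmaster and Pulledpork) download new rules but never check that Snort can still load them, and never restart Snort, so the sensor either keeps running old rules or, after a manual restart on a bad download, does not come back at all. The wrapper below is an added example, not code from the original page or from either project: it runs the updater, validates the resulting configuration with the Snort configuration test (snort -T), and restarts Snort only if that passes. All paths, the interface name and the init-script command are assumptions; set UPDATER to the oinkmaster command instead if that is your method.

```shell
#!/bin/sh
# update_rules.sh: added example (not from the original page, PulledPork or
# Oinkmaster). Update rules, validate with "snort -T", restart only on success,
# so a bad download never leaves the sensor down or loads a broken rule set.
# Every path below is an assumption; adjust to your install.

UPDATER=${UPDATER:-"/etc/snort/pulledpork/pulledpork.pl -c /etc/snort/pulledpork/etc/pulledpork.conf"}
SNORT=${SNORT:-/usr/sbin/snort}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
SENSOR_IF=${SENSOR_IF:-eth1}
RESTART=${RESTART:-"/etc/init.d/snort restart"}   # assumed init script name

log() { echo "rule-update: $*" >&2; }   # cron mails stderr to the crontab owner

# Exit codes: 0 updated and restarted, 1 updater failed, 2 configuration test
# failed, 3 restart failed. In cases 1 and 2 the running Snort is left alone,
# so the old (known-good) rules stay loaded.
update_rules() {
    # shellcheck disable=SC2086  (word splitting is intended: command plus args)
    if ! $UPDATER; then
        log "updater failed; running Snort left untouched"
        return 1
    fi
    # -T parses snort.conf and every rule file it includes, then exits without
    # sniffing; a syntax error in a freshly downloaded rule is caught here.
    if ! "$SNORT" -T -c "$SNORT_CONF" -i "$SENSOR_IF" >/dev/null; then
        log "new rule set fails 'snort -T'; NOT restarting (old rules stay loaded)"
        return 2
    fi
    # shellcheck disable=SC2086
    if ! $RESTART; then
        log "restart failed; check the Snort init script"
        return 3
    fi
    log "rules updated and Snort restarted"
    return 0
}

# Only act when invoked as "update_rules.sh run" (the cron entry); sourcing
# the file just defines the function.
if [ "${1-}" = "run" ]; then
    update_rules
fi
```

Because the init script needs root, this wrapper belongs in root's crontab (for example 00 17 * * * /usr/local/sbin/update_rules.sh run) rather than the snort user's; if you want the download itself to keep running as the snort user, give that user a sudo rule limited to the restart command and put the wrapper there instead. A non-zero exit code reaches you by cron mail, which is the signal to look at the updater output or the snort -T error before the next run.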
===== Configuring for CS-MARS =====
First, we need to add the device to CS-MARS. Log in and click on the Admin tab.
- Click on _Security and Monitor Devices_.
- Click the Add button.
- For the device type select _SW Security apps on a new host_.
- Define Snort as a reporting application.
- Specify the networks we are going to monitor.
- Submit and activate.
Now, back to the Snort sensor. We need to configure it to send events to CS-MARS.
- Edit the snort.conf file.
- Change the output to the following:
<file>output alert_syslog: LOG_LOCAL4 LOG_ALERT</file>
- Add a redirector in the syslog.conf file to send the syslog to the CS-MARS appliance.
<file>local4.alert @x.x.x.x</file>
x.x.x.x is the IP of MARS.
- Restart the Snort and syslog daemons.
To check the path end to end, send one test message at facility local4 and priority alert with logger (its -p option) and watch for UDP port 514 traffic to the MARS address with tcpdump on the management interface. Classic syslog forwarding is cleartext UDP with no authentication: send it over the management interface only and restrict the flow in the iptables rules loaded above, because anything that can reach UDP 514 on the MARS appliance can feed it forged Snort alerts.
===== Tuning Snort =====
Edit the threshold.conf file, and add the following lines if you are using the pre-processors.
<file>
# Get rid of annoying http_inspect alerts
suppress gen_id 119, sig_id 19
suppress gen_id 119, sig_id 16
suppress gen_id 119, sig_id 15
suppress gen_id 119, sig_id 14
suppress gen_id 119, sig_id 3
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 4
suppress gen_id 119, sig_id 7
</file>
These entries are global: they silence each http_inspect (gen_id 119) event for every source and destination, including the encoding events (double decoding, %u encoding, bare byte and IIS unicode codepoint encoding) that attackers use to evade HTTP inspection. Before suppressing an event outright, confirm which hosts generate the noise and scope the suppression to them with track by_src or track by_dst and an ip list; a suppression that is only needed because of volume is better expressed as an event_filter that rate-limits the event instead of hiding it.
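A scoped version of the same threshold.conf, added here as an example (it is not from the original page): the format and size events are suppressed only for one known-noisy host, and the encoding-evasion events are rate-limited per source rather than silenced. The addresses are assumptions (a web proxy at 192.168.1.20); a CIDR block or a bracketed list of addresses works in the same place.

```conf
# Added example, not from the original page. Scoped alternative to the global
# suppress list above. 192.168.1.20 is an assumed web proxy that legitimately
# triggers the events; a CIDR such as 192.168.1.0/24 is also accepted.

# Format/size events (14, 15, 16, 19) suppressed for the noisy host only,
# so the same events from any other client still alert.
suppress gen_id 119, sig_id 14, track by_src, ip 192.168.1.20
suppress gen_id 119, sig_id 15, track by_src, ip 192.168.1.20
suppress gen_id 119, sig_id 16, track by_src, ip 192.168.1.20
suppress gen_id 119, sig_id 19, track by_src, ip 192.168.1.20

# Encoding-evasion events (2 double decoding, 3 %u encoding, 4 bare byte,
# 7 IIS unicode codepoint) stay enabled everywhere; limit each to 5 alerts
# per source per minute so a scan cannot flood MARS but is still seen.
event_filter gen_id 119, sig_id 2, type limit, track by_src, count 5, seconds 60
event_filter gen_id 119, sig_id 3, type limit, track by_src, count 5, seconds 60
event_filter gen_id 119, sig_id 4, type limit, track by_src, count 5, seconds 60
event_filter gen_id 119, sig_id 7, type limit, track by_src, count 5, seconds 60
```

After editing, validate with the Snort configuration test (snort -T) before restarting; a mistyped ip list is a startup failure, not a warning.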
* http://mikelococo.com/2011/08/snort-capacity-planning/
* http://www.netsieben.com/b2evo/blog7.php/2008/11/12/tuning-snort-and-flex-response
* http://www.snort.org/assets/127/Snort_Perf_Tuning_webinar_Final.pdf
* http://www.snortid.com/snortid.asp (SID lookup)
===== References =====
http://www.snort.org/assets/158/Ubuntu-snortinstallguide2903.pdf<br />
https://wwwx.cs.unc.edu/~hays/archives/2010/02/entry_23.php<br />
http://wiki.networksecuritytoolkit.org/nstwiki/index.php/Snort<br />
http://www.informit.com/articles/article.aspx?p=101171&seqNum=9<br />
http://baronne.mouton.co.uk/snort-on-ubuntu-server-810-intrepid-ibex-2/<br />
http://vrt-sourcefire.blogspot.com/2008/09/snort-startup-script-for-ubuntu.html<br />
http://ciscomars.blogspot.com/2006/11/cs-mars-using-snort-sensors.html<br />
http://manpages.ubuntu.com/manpages/intrepid/man8/snort.8.html
– Main.FredPettis - 12 May 2010