Setup Snort on Ubuntu Server

There are some areas of overlap, but the latter will be much simpler since CS-MARS is providing the correlation and front-end.

Hardware recommendations: CPU, RAM and disk storage depend on the amount of traffic you expect to inspect. Use at least 2 NICs: one for sensing and one for management.

Install a base Ubuntu Server. Here is a link to basic IP setup: ChangeUbuntuServerFromDHCPToAStaticIPAddress

Here is a sample /etc/network/interfaces file (MTU settings are optional):
<file>
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
mtu 9000
address 192.168.1.50
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
pre-up iptables-restore < /etc/iptables.rules

auto eth1
iface eth1 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ifconfig $IFACE mtu 9000
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down
</file>

Installing

Adventures in Multi-Snort

Auto-update Rules

You will need to generate an Oinkcode on the snort.org website for either method.

Oinkmaster

Edit /etc/oinkmaster.conf
Look for the “url =” line.
Comment it out and add the one generated on the snort site.
Create a user “snort” and add it to the group “snort”.
Run the following command and add the info to the crontab file:
sudo crontab -u snort -e
<file>
# m h dom mon dow command
00 17 * * * /usr/sbin/oinkmaster -C /etc/oinkmaster.conf -o /etc/snort/rules
</file>

Pulledpork

Edit /etc/snort/pulledpork/etc/pulledpork.conf
Look for the “rule_url =” line.
Comment it out and add a new one using the code generated on the snort site.
Verify that all the paths are correct.
Create a user “snort” and add it to the group “snort”.
Run the following command and add the pulledpork command info to the crontab file:
sudo crontab -u snort -e
<file>
# m h dom mon dow command
00 17 * * * /etc/snort/pulledpork/pulledpork.pl -c /etc/snort/pulledpork/etc/pulledpork.conf
</file>
Try running the pulledpork command to make sure it works. If it fails, run the following commands and try again.
<file>
sudo apt-get install libssl-dev zlib1g-dev
perl -MCPAN -e 'install Crypt::SSLeay'
</file>

Configuring for CS-MARS

First, we need to add the device to CS-MARS. Login and click on the Admin tab.
  - Click on Security and Monitor Devices.
  - Click the Add button.
  - For the device type select SW Security apps on a new host.
  - Define Snort as a reporting application.
  - Specify the networks we are going to monitor.
  - Submit and Activate.

Now, back to the Snort sensor. We need to configure it to send events to CS-MARS.
  - Edit the snort.conf file.
  - Change the output to the following:
<file>
output alert_syslog: LOG_LOCAL4 LOG_ALERT
</file>
  - Add a redirector in the syslog.conf file to send the syslog to the CS-MARS appliance (x.x.x.x is the IP of MARS):
<file>
local4.alert @x.x.x.x
</file>
  - Restart the Snort and Syslog daemons.
Tuning Snort

Edit the threshold.conf file, and add the following lines if you are using the pre-processors.
<file>
# Get rid of annoying http_inspect alerts
suppress gen_id 119, sig_id 19
suppress gen_id 119, sig_id 16
suppress gen_id 119, sig_id 15
suppress gen_id 119, sig_id 14
suppress gen_id 119, sig_id 3
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 4
suppress gen_id 119, sig_id 7
</file>

  * http://mikelococo.com/2011/08/snort-capacity-planning/
  * http://www.netsieben.com/b2evo/blog7.php/2008/11/12/tuning-snort-and-flex-response
  * http://www.snort.org/assets/127/Snort_Perf_Tuning_webinar_Final.pdf
  * http://www.snortid.com/snortid.asp (SID lookup)

References

http://www.snort.org/assets/158/Ubuntu-snortinstallguide2903.pdf
https://wwwx.cs.unc.edu/~hays/archives/2010/02/entry_23.php
http://wiki.networksecuritytoolkit.org/nstwiki/index.php/Snort
http://www.informit.com/articles/article.aspx?p=101171&seqNum=9
http://baronne.mouton.co.uk/snort-on-ubuntu-server-810-intrepid-ibex-2/
http://vrt-sourcefire.blogspot.com/2008/09/snort-startup-script-for-ubuntu.html
http://ciscomars.blogspot.com/2006/11/cs-mars-using-snort-sensors.html
http://manpages.ubuntu.com/manpages/intrepid/man8/snort.8.html
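As an added example (not part of the original page or of Snort itself) of what the threshold.conf suppress entries in the Tuning section above do to the alert stream that alert_syslog forwards to CS-MARS: it parses the page's suppress list, extracts the [gen_id:sig_id:rev] tag from constructed syslog alert lines, and returns the alerts that would still be sent. It handles only the unconditional suppress form used on this page, not entries with a track/ip clause.

```python
import re

# Constructed copy of the threshold.conf entries shown in the Tuning section.
THRESHOLD_CONF = """\
# Get rid of annoying http_inspect alerts
suppress gen_id 119, sig_id 19
suppress gen_id 119, sig_id 16
suppress gen_id 119, sig_id 15
suppress gen_id 119, sig_id 14
suppress gen_id 119, sig_id 3
suppress gen_id 119, sig_id 2
suppress gen_id 119, sig_id 4
suppress gen_id 119, sig_id 7
"""

# Constructed sample lines in the shape alert_syslog writes: "[gid:sid:rev] msg ...".
# Message texts and addresses are made up for the example.
SAMPLE_ALERTS = [
    "snort[2171]: [119:19:1] (http_inspect) sample alert A [Priority: 3]: {TCP} 10.0.0.5:51234 -> 192.168.1.20:80",
    "snort[2171]: [119:2:1] (http_inspect) sample alert B [Priority: 3]: {TCP} 10.0.0.5:51235 -> 192.168.1.20:80",
    "snort[2171]: [119:32:1] (http_inspect) sample alert C [Priority: 3]: {TCP} 10.0.0.5:51236 -> 192.168.1.20:80",
    "snort[2171]: [1:1000001:1] sample rule alert [Priority: 2]: {TCP} 10.0.0.5:51237 -> 192.168.1.20:22",
]

# Only the unconditional "suppress gen_id X, sig_id Y" form; track/ip clauses are not handled.
SUPPRESS_RE = re.compile(r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*$")
ALERT_ID_RE = re.compile(r"\[(\d+):(\d+):\d+\]")


def parse_suppress(conf_text):
    """Return the set of (gen_id, sig_id) pairs that threshold.conf suppresses outright."""
    pairs = set()
    for line in conf_text.splitlines():
        m = SUPPRESS_RE.match(line)
        if m:
            pairs.add((int(m.group(1)), int(m.group(2))))
    return pairs


def alert_id(line):
    """Extract (gen_id, sig_id) from a syslog alert line, or None if it is not an alert."""
    m = ALERT_ID_RE.search(line)
    return (int(m.group(1)), int(m.group(2))) if m else None


def surviving_alerts(lines, suppressed):
    """Alerts that would still reach syslog (and so CS-MARS) after suppression is applied."""
    return [l for l in lines if alert_id(l) is not None and alert_id(l) not in suppressed]
```

Run `surviving_alerts(SAMPLE_ALERTS, parse_suppress(THRESHOLD_CONF))` to see that the two suppressed http_inspect events drop out while 119:32 and the rule alert are still forwarded.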

– Main.FredPettis - 12 May 2010

snortonubuntu.1359347354.txt.gz · Last modified: 2013/02/14 22:49 (external edit)