Snort - Ernest G. Wilson II's FreeBSD Pages

Snort on FreeBSD 6.2

Prerequisites:

FreeBSD (Base + Autoconf, Automake, Bash and GCC)
unixODBC (Optional if you are building with --with-odbc)
wget - from UNIX Network Tools
MySQL (Needed to compile MySQL logging into snort)
PHP and Apache (Only if this install will also be your BASE console)

Snort – Network Intrusion Detection

Home:

http://www.snort.org

# Download (Notes: Users behind a Proxy Server should read this and users without Internet but have a CDRom read this.)

# Install libdnet
cd /usr/ports/net/libdnet
make install clean

# Install libnet
cd /usr/ports/net/libnet10
make install clean

# Install Snort
cd /usr/ports/security/snort
make install PREFIX=/opt/snort

# Manual clean-up
mv /opt/snort/etc/rc.d/snort /opt/snort/share/examples/snort.sh.example
mv /opt/snort/lib /usr/local/lib
mv /opt/snort/etc/snort/* /opt/snort/etc/
mv /opt/snort/share/doc/snort/* /opt/snort/share/doc
mv /opt/snort/share/examples/snort/* /opt/snort/share/examples
rm -R /opt/snort/share/doc/snort/
rm -R /opt/snort/share/examples/snort/
rm -R /opt/snort/etc/snort
rm -R /opt/snort/etc/rc.d
rm -R /opt/snort/include
rm -R /opt/snort/info
rm -R /opt/snort/libdata
rm -R /opt/snort/libexec
rm -R /opt/snort/man
rm -R /opt/snort/sbin
rm -R /opt/snort/share/aclocal
rm -R /opt/snort/share/dict
rm -R /opt/snort/share/doc/ja
rm -R /opt/snort/share/emacs
rm -R /opt/snort/share/java
rm -R /opt/snort/share/locale
rm -R /opt/snort/share/misc
rm -R /opt/snort/share/nls
rm -R /opt/snort/share/sgml
rm -R /opt/snort/share/skel
rm -R /opt/snort/share/xml
rm -R /opt/snort/www
rm -R /opt/snort/etc/pam.d
rm -R /opt/snort/src
mkdir /opt/snort/etc/rules-backup

# Clean the src directory
make clean

# Create a startup script for boot-time
vi /usr/local/etc/rc.d/snort.sh
#!/bin/sh echo -n " Snort IDS" case "$1" in start) # For multiple interfaces uncomment or edit multiple lines /opt/snort/bin/snort -i em3 -u snort -g snort -c /opt/snort/etc/snort.conf & #/opt/snort/bin/snort -i em0 -u snort -g snort -c /opt/snort/etc/snort.conf & #/opt/snort/bin/snort -i em1 -u snort -g snort -c /opt/snort/etc/snort.conf & #/opt/snort/bin/snort -i xl0 -u snort -g snort -c /opt/snort/etc/snort.conf & ;; stop) killall snort ;; *) echo "" echo "Usage: `basename $0` {start|stop}" >&2 exit 64 ;; esac exit 0
# Make the startup script executable
chmod +x /usr/local/etc/rc.d/snort.sh

# Create the snort database
# Create the snort table
/opt/mysql/bin/mysqladmin --user=mysql -p create snort
# Import the snort table structure
/opt/mysql/bin/mysql --user=mysql -p snort < /opt/snort/share/examples/create_mysql
# Give permission for the snort database user to access the snort database tables
/opt/mysql/bin/mysql --user=mysql -p mysql
GRANT ALL ON snort.* TO snort@localhost IDENTIFIED BY 'snortpassword';
GRANT ALL ON snort.* TO snort@"%" IDENTIFIED BY 'snortpassword';
flush privileges;
exit

# Edit the snort configuration file
vi /opt/snort/etc/snort.conf
################################################################################ # www.NMSWorld.com Example Snort v2.6.0.1 config file # # Version: Sep 10, 2006 # ################################################################################ # # Sections # -------- # 1) Set the variables for your network # 2) Configure dynamic loaded libraries # 3) Configure preprocessors # 4) Configure output plugins # 5) Add any runtime config directives # 6) Customize your rules sets ################################################################################ ################################################################################ # Section 1. Variables ###################### # Rules files directory location var RULE_PATH /opt/snort/etc/rules # Set your home network or networks, some examples: # var HOME_NET 10.1.1.0/24 # var HOME_NET [172.28.0.0/24,192.168.100.0/24] var HOME_NET any # Set up the external network addresses as well. A good start may be "any" var EXTERNAL_NET any # List of DNS servers on your network var DNS_SERVERS $HOME_NET # List of SMTP servers on your network var SMTP_SERVERS $HOME_NET # List of web servers on your network var HTTP_SERVERS $HOME_NET # List of sql servers on your network var SQL_SERVERS $HOME_NET # List of telnet servers on your network var TELNET_SERVERS $HOME_NET # List of snmp servers on your network var SNMP_SERVERS $HOME_NET # Configure your service ports (note about syntax: [80,8080] does not work!) var HTTP_PORTS 80 ## include somefile.rules var HTTP_PORTS 8080 ## include somefile.rules # SHELLCODE var SHELLCODE_PORTS !80 # Ports you do oracle attacks on var ORACLE_PORTS 1521 # AIM servers for AOL var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24] ################################################################################ ################################################################################ # Section 2. Dynamic Loaded Libraries ###################################### # Fix for bug on FreeBSD running snort v2.6x "ACSM-No Memory: acsmCompile!" config detection: search-method lowmem # Same as command line option: --dynamic-engine-lib dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so # Same as command line option: --dynamic-preprocessor-lib-dir # This would load ALL preprocessors found in this directory # dynamicpreprocessor directory /usr/opt/snort/lib/snort_dynamicpreprocessor/ # Same as command line option: --dynamic-preprocessor-lib # These preprocessors are already set to load in Section 3, don't load them twice! # dynamicpreprocessor file /usr/opt/snort/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so # dynamicpreprocessor file /usr/opt/snort/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so # Same as command line option: --dynamic-detection-lib-dir # dynamicdetection directory /usr/local/lib/snort_dynamicrule/ # Same as command line option: --dynamic-detection-lib # dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so ################################################################################ ################################################################################ # Section 3. Preprocessors ############################ # Flow tracking module (See README.flow) preprocessor flow: stats_interval 0 hash 2 # frag2: IP defragmentation support preprocessor frag2 # frag3: Target-based IP defragmentation preprocessor frag3_global: max_frags 65536 preprocessor frag3_engine: policy first detect_anomalies # stream4: stateful inspection/stream reassembly for Snort preprocessor stream4: disable_evasion_alerts # tcp stream reassembly directive preprocessor stream4_reassemble # Performance Statistics # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000 # http_inspect: normalize and detect HTTP traffic and protocol anomalies preprocessor http_inspect: global \ iis_unicode_map unicode.map 1252 preprocessor http_inspect_server: server default \ profile all ports { 80 8080 8180 } oversize_dir_length 500 # rpc_decode: normalize RPC traffic preprocessor rpc_decode: 111 32771 # bo: Back Orifice detector preprocessor bo # telnet_decode: Telnet negotiation string normalizer # DEPRECATED in favor of ftp_telnet dynamic preprocessor # preprocessor telnet_decode # ftp_telnet: FTP & Telnet normalizer, protocol enforcement and buff overflow dynamicpreprocessor file /usr/local/lib/snort/dynamicpreprocessor/libsf_ftptelnet_preproc.so # or use commandline option # --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so> preprocessor ftp_telnet: global \ encrypted_traffic yes \ inspection_type stateful preprocessor ftp_telnet_protocol: telnet \ normalize \ ayt_attack_thresh 200 preprocessor ftp_telnet_protocol: ftp server default \ def_max_param_len 100 \ alt_max_param_len 200 { CWD } \ cmd_validity MODE < char ASBCZ > \ cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \ telnet_cmds yes \ data_chan preprocessor ftp_telnet_protocol: ftp client default \ max_resp_len 256 \ bounce yes \ telnet_cmds yes # smtp: SMTP normalizer, protocol enforcement and buffer overflow dynamicpreprocessor file /usr/local/lib/snort/dynamicpreprocessor/libsf_smtp_preproc.so # or use commandline option # --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so> preprocessor smtp: \ ports { 25 } \ inspection_type stateful \ normalize cmds \ normalize_cmds { EXPN VRFY RCPT } \ alt_max_command_line_len 260 { MAIL } \ alt_max_command_line_len 300 { RCPT } \ alt_max_command_line_len 500 { HELP HELO ETRN } \ alt_max_command_line_len 255 { EXPN VRFY } # sfPortscan preprocessor sfportscan: proto { all } \ memcap { 10000000 } \ sense_level { low } # arpspoof # preprocessor arpspoof # preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00 ################################################################################ ################################################################################ # Section 4. Output Plugins ############################# # alert_syslog: log alerts to syslog # [Unix flavours should use this format...] # output alert_syslog: LOG_AUTH LOG_ALERT # # [Win32 can use any of these formats...] # output alert_syslog: LOG_AUTH LOG_ALERT # output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT # output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT # log_tcpdump: log packets in binary tcpdump format # output log_tcpdump: tcpdump.log # database: log to a variety of databases # See the README.database output database: alert, mysql, dbname=snort user=snort host=localhost password=snortpassword detail=full # output database: log, mysql, user=root password=test dbname=db host=localhost # output database: alert, postgresql, user=snort dbname=snort # output database: log, odbc, user=snort dbname=snort # output database: log, mssql, dbname=snort user=snort password=test # output database: log, oracle, dbname=snort user=snort password=test # unified: Snort unified binary format alerting and logging # output alert_unified: filename snort.alert, limit 128 # output log_unified: filename snort.log, limit 128 # prelude: log to the Prelude Hybrid IDS system # profile = Name of the Prelude profile to use (default is snort). # Snort priority to IDMEF severity mappings: # high < medium < low < info # output alert_prelude: profile=snort-profile-name # You can optionally define new rule types and associate one or more output # plugins specifically to that type. # # This example will create a type that will log to just tcpdump. # ruletype suspicious # { # type log # output log_tcpdump: suspicious.log # } # # EXAMPLE RULE FOR SUSPICIOUS RULETYPE: # suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";) # # This example will create a rule type that will log to syslog and a mysql # database: # ruletype redalert # { # type alert # output alert_syslog: LOG_AUTH LOG_ALERT # output database: log, mysql, user=snort dbname=snort host=localhost # } # # EXAMPLE RULE FOR REDALERT RULETYPE: # redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \ # (msg:"Someone is being LEET"; flags:A+;) ################################################################################ ################################################################################ # Section 5. Config Statements ############################## # Include files include /opt/snort/etc/classification.config include /opt/snort/etc/reference.config include /opt/snort/etc/threshold.conf # # See the snort manual for a full set of configuration references # # config flowbits_size: 64 # config ignore_ports: <tcp|udp> <list of ports separated by whitespace> # config ignore_ports: tcp 21 6667:6671 1356 # config ignore_ports: udp 1:17 53 ################################################################################ ################################################################################ # Section 6. Rule Sets ###################### # See README.alert_order for how rule ordering affects how alerts are triggered # Disabled Rule Sets # ------------------ # include $RULE_PATH/bleeding-drop-BLOCK.rules # include $RULE_PATH/bleeding-dshield-BLOCK.rules # include $RULE_PATH/experimental.rules # Enabled Rule Sets # ----------------- include $RULE_PATH/attack-responses.rules include $RULE_PATH/backdoor.rules include $RULE_PATH/bad-traffic.rules include $RULE_PATH/bleeding.conf include $RULE_PATH/bleeding.rules include $RULE_PATH/bleeding-attack_response.rules include $RULE_PATH/bleeding-dos.rules include $RULE_PATH/bleeding-drop.rules include $RULE_PATH/bleeding-dshield.rules include $RULE_PATH/bleeding-exploit.rules include $RULE_PATH/bleeding-game.rules include $RULE_PATH/bleeding-inappropriate.rules include $RULE_PATH/bleeding-malware.rules include $RULE_PATH/bleeding-p2p.rules include $RULE_PATH/bleeding-policy.rules include $RULE_PATH/bleeding-scan.rules include $RULE_PATH/bleeding-virus.rules include $RULE_PATH/bleeding-web.rules include $RULE_PATH/chat.rules include $RULE_PATH/classification.config include $RULE_PATH/ddos.rules include $RULE_PATH/dns.rules include $RULE_PATH/dos.rules include $RULE_PATH/experimental.rules include $RULE_PATH/exploit.rules include $RULE_PATH/finger.rules include $RULE_PATH/ftp.rules include $RULE_PATH/icmp.rules include $RULE_PATH/icmp-info.rules include $RULE_PATH/imap.rules include $RULE_PATH/info.rules include $RULE_PATH/misc.rules include $RULE_PATH/multimedia.rules include $RULE_PATH/mysql.rules include $RULE_PATH/netbios.rules include $RULE_PATH/nntp.rules include $RULE_PATH/oracle.rules include $RULE_PATH/other-ids.rules include $RULE_PATH/p2p.rules include $RULE_PATH/policy.rules include $RULE_PATH/pop2.rules include $RULE_PATH/pop3.rules include $RULE_PATH/porn.rules include $RULE_PATH/reference.config include $RULE_PATH/rpc.rules include $RULE_PATH/rservices.rules include $RULE_PATH/scan.rules include $RULE_PATH/shellcode.rules include $RULE_PATH/smtp.rules include $RULE_PATH/snmp.rules include $RULE_PATH/spyware-put.rules include $RULE_PATH/sql.rules include $RULE_PATH/telnet.rules include $RULE_PATH/tftp.rules include $RULE_PATH/virus.rules include $RULE_PATH/web-attacks.rules include $RULE_PATH/web-cgi.rules include $RULE_PATH/web-client.rules include $RULE_PATH/web-coldfusion.rules include $RULE_PATH/web-frontpage.rules include $RULE_PATH/web-iis.rules include $RULE_PATH/web-misc.rules include $RULE_PATH/web-php.rules include $RULE_PATH/x11.rules ################################################################################ # END # ################################################################################

# Install Oinkmaster
# Change to your source downloads directory
cd /usr/src
# Download Oinkmaster
fetch http://easynews.dl.sourceforge.net/sourceforge/oinkmaster/oinkmaster-2.0.tar.gz
# Decompress and extract the archive
tar xvf oinkmaster-2.0.tar.gz
# Manually copy files to correct destinations
cp /usr/src/oinkmaster-2.0/oinkmaster.conf /etc/oinkmaster.conf
cp /usr/src/oinkmaster-2.0/contrib/*.pl /opt/snort/bin/
cp /usr/src/oinkmaster-2.0/oinkmaster.1 /usr/local/man/man1/
cp /usr/src/oinkmaster-2.0/oinkmaster.pl /opt/snort/bin/
touch /etc/autodisable.conf

# Configure Oinkmaster
# Edit the oinkmaster.conf file and uncomment and edit the "url" sources you wish to use
vi /etc/oinkmaster.conf
# You need to setup a free Snort account to get your Oink Code
url = http://www.snort.org/pub-bin/oinkmaster.cgi/<YourOinkCodeHere>/snortrules-snapshot-2.4.tar.gz
# and uncomment the Bleeding Snort line as well
url = http://www.bleedingsnort.com/bleeding.rules.tar.gz
# Test out Oinkmaster to see if it downloads rules
/opt/snort/bin/oinkmaster.pl -o /opt/snort/etc/rules -b /opt/snort/etc/rules-backup

# Create a script to run Oinkmaster each day and update the snort rules
vi /etc/periodic/daily/990.oinkmaster
#!/usr/local/bin/bash /opt/snort/bin/oinkmaster.pl -C /etc/oinkmaster.conf -C /etc/autodisable.conf -o /opt/snort/etc/rules -b /opt/snort/etc/rules-backup 2>&1 | /usr/bin/mail -s "oinkmaster" you@yourdomain.com
# Set the script executable
chmod +x /etc/periodic/daily/990.oinkmaster
# Note: You may need to setup a proxy server in your wget configuration if your company uses proxy
vi /usr/local/etc/wgetrc

# Create a snort user and group and set permissions
# Add a snort group
pw groupadd snort
# Add a snort user
pw useradd snort -n snort -G snort -s /usr/sbin/nologin
# Fix file permissions
chown -R snort:snort /opt/snort/
chown -R snort:snort /var/log/snort/

# After editing your rules and commenting out specific rules, create an autodisable.conf:
/usr/opt/snort/bin/makesidex.pl /opt/snort/etc/rules > /etc/autodisable.conf

# Fix a path bug from a lame installer
mv /usr/local/lib/lib/snort/ /usr/local/lib/snort

# Test Snort
# Test as user root, should start up and stop without error
/opt/snort/bin/snort -T -c /opt/snort/etc/snort.conf
# Test as user mysql, should start up and stop without error
/opt/snort/bin/snort -T -u snort -g snort -c /opt/snort/etc/snort.conf
# Launch snort and run it for a minute or so
/opt/snort/bin/snort -u snort -g snort -c /opt/snort/etc/snort.conf
#CTRL+C after a minute and you should see statistics on exit

# Run snort manually in the background
/opt/snort/bin/snort -u snort -g snort -c /opt/snort/etc/snort.conf &
ps wwaux | grep snort

# Reboot and snort should run automatically if your rc script is functioning
ps wwaux | grep snort