Snort: Barnyard2 + MySQL + BASE based on Ubuntu 14.04 SNORT and snortbarnyard2

Snort: Barnyard2 + MySQL + BASE based on Ubuntu 14.04 SNORT and snortbarnyard2

First, it is clear that the operating system platform is Ubuntu 14.04 LTS

Now we need to deploy snort NIDS (Intrusion Detection System) on Ubuntu 14.04 ).

These things are required:

SNORT/Barnyard2/Mysql/Apache2/BASE

Before doing all the work, run the following command to ensure that necessary software (tool chain) is installed)

sudo apt-get install -y build-essential libpcap0.8-devlibpcre3-dev libdumbnet-dev bison flex zlib1g-dev

SNORT can be installed in Ubuntu 14.04 in either of the following ways:

sudo apt-get install snort

The other is install from source code. Since there is a simple method, choose to install from the software source, that is, select the first one. If an error occurs in this method, you may need to execute the following commands in sequence:

Sudo apt-get update

Sudo apt-get upgrade

Test and run the following command:

snort -V

If the following information is displayed:

   ,,_     -*> Snort! <*-  o"  )~   Version 2.9.7.0 GRE (Build 149)   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.           Copyright (C) 1998-2013 Sourcefire, Inc., et al.           Using libpcap version 1.5.3           Using PCRE version: 8.31 2012-07-06           Using ZLIB version: 1.2.8

The installation is successful! Congratulations!

Next we need to modify the snort configuration file (pay attention to the software source method we use, so the configuration file path is relatively fixed)

sudo vim /etc/snort/snort.conf

Modify 115 rows (approximate location) as follows (if the same)

var RULE_PATH /etc/snort/rulesvar SO_RULE_PATH /etc/snort/so_rulesvar PREPROC_RULE_PATH /etc/snort/preproc_rules

The purpose is to specify the path for Storing Rule files.
In row 3:

Ipvar HOME_NET 192.168.1.0/24
Modify row 536th to the following:
Output uniied2: filename snort. log, limit 128, mpls_event_types, vlan_event_types
(If the file itself is the same as what I modified here, there is no need to modify it)

 

Start testing SNORT now:

 

sudo service snort restart

Delete the content in the previous log (we changed the log format and used the timestamp format)

sudo rm /var/log/snort/snort.log

(Digression: Row 51st does not need to be modified because it is overwritten by/etc/snort. debian. conf)

Now we want to test the snort rules.

/Etc/snort/rules is the path for Storing Rule files. In the future, snort will provide warnings and prompts based on many rule files.

Open the rule file:

sudo vim /etc/snort/rules/local.rules

Local. rules is the rule file used to customize rules. Then add your rules to local. rules:

alert icmp any any -> $HOME_NET any (msg:"ICMP Test NOW!!!"; classtype:not-suspicious; sid:1000001; rev:1;)alert tcp any any -> $HOME_NET 80 (msg:"HTTP Test NOW!!!"; classtype:not-suspicious; sid:1000002;  rev:1;)

These two rules mean that any ICMP or HTTP packet sent to the local machine will trigger a warning!
Save and exit.

To facilitate the test, modify the snort. conf file. It is about the location of 573 rows. Perform the following operations:

Remove all rule files except local. rules (excluded ). (That is, the include of the next dozens of rows ).

The final result is as follows:

# site specific rulesinclude $RULE_PATH/local.rules

(This is to facilitate testing)

sudo snort -T -c /etc/snort/snort.conf

The result is as follows:

...Snort successfully validated the configuration!Snort exiting

You can also find the following output in the output information:

+++++++++++++++++++++++++++++++++++++++++++++++++++Initializing rule chains...1 Snort rules read    1 detection rules    0 decoder rules    0 preprocessor rules1 Option Chains linked into 1 Chain Headers0 Dynamic rules+++++++++++++++++++++++++++++++++++++++++++++++++++ +-------------------[Rule Port Counts]---------------------------------------|             tcp     udp    icmp      ip|     src       0       0       0       0|     dst       0       0       0       0|     any       0       0       1       0|      nc       0       0       1       0|     s+d       0       0       0       0+----------------------------------------------------------------------------

Congratulations again! Rule loaded successfully. Test passed!

After making the above changes, we will start the real test.

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Then, you can use another computer or run another terminal command to ping the test host.

For example, ping localhost

You should be able to see similar output on the test Host:

10/31-02:27:19.663643  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.74 -> 10.0.0.6410/31-02:27:19.663675  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.64 -> 10.0.0.7410/31-02:27:20.658378  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.74 -> 10.0.0.6410/31-02:27:20.658404  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.64 -> 10.0.0.7410/31-02:27:21.766521  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.74 -> 10.0.0.6410/31-02:27:21.766551  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.64 -> 10.0.0.7410/31-02:27:22.766167  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.74 -> 10.0.0.6410/31-02:27:22.766197  [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 10.0.0.64 -> 10.0.0.74^C*** Caught Int-Signal

(Press ctrl + c to end)

Then you can view/var/log/snort. You will also find that the command is snort. log. nnnnnn (nnnn stands for numbers), which contains the same information as printed on the screen.

Congratulations! Now we can display warning information according to our own rules.

Barnyard, why is this? Simply put, he will read the binary file of snort and store it in the MySQL database. Run the following command to install necessary software. LAMP is also used. How can I install it quickly? (Make Sure You Have not installed any of the LAMP components before.) For more information, see: Open the link.

sudo apt-get install -y libmysqlclient-dev autoconf libtool

Add the following lines near the first line of the/etc/snort. conf file (approximate location) and save the file.

output unified2: filename snort.u2, limit 128

Next, install and configure Barnyard: Download Barnyard:

wget https://github.com/firnsy/barnyard2/archive/v2-1.13.tar.gz -O barnyard2-2-1.13.tar.gz

Run the following commands in sequence:

tar zxvf barnyard2-2-1.13.tar.gzcd barnyard2-2-1.13autoreconf -fvi -I ./m4

64-bit and 32-bit machines perform the following:

./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu --with-mysql-includes=/usr/include/./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu --with-mysql-includes=/usr/include/

Continue:

makesudo make install

sudo cp /usr/local/etc/barnyard2.conf /etc/snort

sudo mkdir /var/log/barnyard2sudo chown snort.snort /var/log/barnyard2

sudo cp schemas/create_mysql /usr/src

Edit:

sudo gedit /etc/snort/barnyard2.conf

# Change row 227:
Output alert_fast (instead of output alert_fast: stdout)
# Delete the comments in line 2:
Output database: log, mysql, user = snort password = secret2 dbname = snort host = localhost

(Replace secret2 with your snort user password. secret2 will be used in MySQL)
Log on to MySQL using the MySQL root Password you set when installing lamp.
Sudo mysql-u root-p

[Enter the MySQL root Password]

Enter the following content in the MySQL console in sequence (note the end Of the semicolon ):

Create database snort;
Create database archive;

Grant usage on snort. * to snort @ localhost;
Grant usage on archive. * to snort @ localhost;

Set password for snort @ localhost = PASSWORD ('secret2 ');

Grant all privileges on snort. * to snort @ localhost;
Grant all privileges on archive. * to snort @ localhost;

Flush privileges;

Exit
Log on to the MySQL console again and type:

use snort;source /usr/src/create_mysql;show tables;                                                 exit

Snort and Barnyard test run:

<span style="font-size:12px;">sudo snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D</span>

You will not see the output result because the program runs in the background. Ping your host. Continue to run the following:

<span style="font-size:12px;">sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort</span><span style="font-size: 18.6666660308838px;"></span>

The following output is displayed:

--== Initialization Complete ==--   ______   -*> Barnyard2 <*- / ,,_  \  Version 2.1.13 (Build 327) |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/ + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy@securixlive.com> Using waldo file '/var/log/snort/barnyard2.waldo':    spool directory = /var/log/snort    spool filebase  = snort.u2    time_stamp      = 1412527313    record_idx      = 16Opened spool file '/var/log/snort/snort.u2.1412527313'Closing spool file '/var/log/snort/snort.u2.1412527313'. Read 16 recordsOpened spool file '/var/log/snort/snort.u2.1412528990'Waiting for new data

Use ctrl + c to end. If you are curious about what happened to the database? Check:

mysql -u snort -p -D snort -e "select count(*) from event"

The following results should appear:

+----------+| count(*) |+----------+|       4  |+----------+

* ** If an error with one sid-msg.map file missing occurs, fix the problem as follows:

cd /usr/share/oinkmastersudo bash -c "sudo ./create-sidmap.pl /etc/snort/rules > /etc/snort/sid-msg.map"

BASE first:

sudo apt-get install libphp-adodb

Continue to modify the configuration file:

Edit "/etc/php5/apache2/php. ini", find this line "error_reporting", and modify it:

error_reporting = E_ALL & ~E_NOTICE

Edit/etc/apache2/apache2.conf to add the permission www/base:

 

-----------------------------------------------------------------------------------------------------<Directory /var/www/html/base>    AllowOverride All    Require all granted</Directory>-----------------------------------------------------------------------------------------------------

Restart apache2:

sudo service apache2 restart

Install BASE dependency:

sudo apt-get install php-pearsudo apt-get install libwww-perl                                                       sudo apt-get install php5-gdsudo pear config-set preferred_state alphasudo pear channel-update pear.php.netsudo pear install --alldeps Image_Color Image_Canvas Image_Graph

If the following error is returned: 'Could not extract the package. xml file', the following method can be used to fix the error.

After downloading these 6 pear packages, We will install them manually (3 + 3 dependencies ).

As follows:

 

cd /build/buildd/php5-5.5.9+dfsg/pear-build-downloadls

There should be 6. tgz packages. install them manually:

Sudo tar zxf Image_Color *. tgz

sudo cp package.xml ./Image_Color*/cd Image_Color*sudo pear install package.xmlcd ..

Install the remaining five packages in sequence according to the above method.

Image_Canvas

Numbers_Roman

Math_BigInteger

Numbers_Words

Image_Graph

BASE installation:

cd /usr/srcsudo wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gzsudo tar -zxf base-1.4.5.tar.gzsudo cp -r base-1.4.5 /var/www/html/basesudo chown -R www-data:www-data /var/www/html/basesudo service apache2 restart

BASE settings:

Input in the browser: http: // localhost/base

(Select the default English language)

Step 1) input path:/usr/share/php/adodb

Step 2) Database Name: snort

Database Host: localhost


Database User Name: snort

Database Password: secret2 (previously entered)


(Tick 'use Archive database ')

Archive Database Name: archive

Archive Database Host: localhost


Archive Database User Name: snort

Archive Database Password: secret2 (previously entered)

Step 3)

Full admin name (xxx)

[GUI password] (Secret3)

Full admin name (XXXX)

Step 4) Click 'create baseag'

Step 5) Click 'now continue to Step 5' and login (XXX/secret3)

 

If you ping the host, the snort information will be displayed every 3 minutes.