Spec files
I rebuilt my Snort package. You can search for and download the source RPM, snort-2.9.0.5.src.rpm.
I made a few small changes to the spec file.
Extract the src.rpm with: rpm2cpio snort-2.9.0.5.src.rpm | cpio -idv
Edit the spec file and change the configure line to:
SNORT_BASE_CONFIG="--prefix=%{_prefix} \
--bindir=%{_sbindir} \
--sysconfdir=%{_sysconfdir}/snort \
--with-libpcap-includes=%{_includedir} \
--enable-decoder-preprocessor-rules --enable-targetbased \
--enable-dynamicplugin --enable-zlib --enable-ipv6 --enable-normalizer
"
then rebuild the package. See my earlier guide on how to build a package from source.
Installation
yum localinstall libdnet-1.12-7.x86_64.rpm libdnet-progs-1.12-7.x86_64.rpm libdnet-devel-1.12-7.x86_64.rpm
yum localinstall libpcap1-devel-1.1.1-9.x86_64.rpm libpcap1-1.1.1-9.x86_64.rpm
yum localinstall daq-0.5-1.x86_64.rpm
yum localinstall snort-2.9.0.5-1.x86_64.rpm
yum localinstall barnyard2-1.9-1.x86_64.rpm
Download the Snort rules (snortrules-snapshot-2904.tar.gz) from the official website; this requires a registered account.
You can also install Snort and barnyard2 from the source tarballs; in that case configure Snort with
--enable-dynamicplugin --enable-zlib --enable-ipv6 --enable-normalizer
Then follow the configuration below.
Configuration
snort
Create the Snort log directory and hand it to the snort user:
mkdir /var/log/snort/
chown snort:snort /var/log/snort/
Edit the Snort config file, /etc/snort/snort.conf.
Change ipvar to var (plain var is accepted whether or not IPv6 support was compiled in).
Set HOME_NET to your own subnet, so that rules keyed on HOME_NET and EXTERNAL_NET fire in the right direction:
var HOME_NET 192.168.1.0/24
Set the rule paths (relative paths are resolved against the directory holding snort.conf, i.e. /etc/snort):
var RULE_PATH rules
var SO_RULE_PATH so_rules
var PREPROC_RULE_PATH preproc_rules
Comment out the dynamic rules library and the normalizer preprocessors, which are not needed here (the normalizers only act in inline mode):
# path to dynamic rules libraries
### dynamicdetection directory /usr/local/lib/snort_dynamicrules

# Inline packet normalization. For more information, see README.normalize
# Does nothing in IDS mode
### preprocessor normalize_ip4
### preprocessor normalize_tcp: ips ecn stream
### preprocessor normalize_icmp4
### preprocessor normalize_ip6
### preprocessor normalize_icmp6
Set the output plugin to unified2, which is the format barnyard2 reads:
output unified2: filename snort.log, limit 128
Extract snortrules-snapshot-2904.tar.gz and copy these directories into /etc/snort:
rules so_rules preproc_rules
The snapshot's etc/ directory also carries sid-msg.map; copy it to /etc/snort as well, since barnyard2 (below) needs it to turn signature IDs into alert messages.
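The snort.conf edits above, as an added example script that is not part of the original post: it applies every change with sed to a copy of the file, checks that each one landed, and then hands the result to snort -T, which parses the config and the rules without capturing traffic. The stock-layout assumptions (ipvar lines, a dynamicdetection line, preprocessor normalize_* lines, a commented-out output unified2 line), the constructed snort.conf excerpt embedded for the demo, and the file names are mine, not the author's.

```shell
#!/bin/sh
# Added example, not from the original post: apply the snort.conf edits listed
# above with sed instead of by hand, then verify them. Assumes the stock
# snort.conf layout shipped with Snort 2.9.0.5 (ipvar/var lines, one
# "dynamicdetection directory" line, "preprocessor normalize_*" lines and a
# commented-out "output unified2:" line). File names and HOME_NET are parameters.

# configure_snort_conf SRC DST HOME_NET
#   Writes an edited copy of SRC to DST (SRC is left untouched so you can diff).
#   HOME_NET must not contain '|' or '&' (sed delimiter / replacement metachar).
configure_snort_conf() {
    src=$1; dst=$2; home_net=$3
    sed \
        -e 's/^ipvar /var /' \
        -e "s|^var HOME_NET .*|var HOME_NET $home_net|" \
        -e 's|^var RULE_PATH .*|var RULE_PATH rules|' \
        -e 's|^var SO_RULE_PATH .*|var SO_RULE_PATH so_rules|' \
        -e 's|^var PREPROC_RULE_PATH .*|var PREPROC_RULE_PATH preproc_rules|' \
        -e 's/^dynamicdetection /### dynamicdetection /' \
        -e 's/^preprocessor normalize_/### preprocessor normalize_/' \
        -e '/^#*[[:space:]]*output unified2:/d' \
        "$src" > "$dst" || return 1
    # exactly one active unified2 output line, appended so it is easy to find
    printf 'output unified2: filename snort.log, limit 128\n' >> "$dst"
}

# check_snort_conf FILE HOME_NET
#   Returns 0 when every edit above is present, 1 otherwise. This is the cheap
#   pre-check; the real one is "snort -T -c FILE".
check_snort_conf() {
    f=$1; home_net=$2
    ! grep -q '^ipvar ' "$f" &&
    grep -q "^var HOME_NET $home_net\$" "$f" &&
    grep -q '^var RULE_PATH rules$' "$f" &&
    grep -q '^var SO_RULE_PATH so_rules$' "$f" &&
    grep -q '^var PREPROC_RULE_PATH preproc_rules$' "$f" &&
    ! grep -q '^dynamicdetection ' "$f" &&
    ! grep -q '^preprocessor normalize_' "$f" &&
    [ "$(grep -c '^output unified2: filename snort.log, limit 128$' "$f")" = 1 ]
}

# Constructed excerpt of a stock snort.conf, used only for the demo/test.
sample_snort_conf() {
    cat <<'EOF'
# Setup the network addresses you are protecting
ipvar HOME_NET any
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
# path to dynamic rules libraries
dynamicdetection directory /usr/local/lib/snort_dynamicrules
# Inline packet normalization. For more information, see README.normalize
# Does nothing in IDS mode
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
include $RULE_PATH/local.rules
EOF
}

# main SRC DST HOME_NET: edit, pre-check, then let Snort itself validate (-T).
main() {
    configure_snort_conf "$1" "$2" "$3" || { echo "sed failed" >&2; return 1; }
    check_snort_conf "$2" "$3" || { echo "edits missing in $2" >&2; return 1; }
    if command -v snort >/dev/null 2>&1; then
        snort -T -c "$2"    # parses config and every included rule, exits nonzero on error
    else
        echo "snort not in PATH; skipped snort -T" >&2
    fi
}

# usage: sh snortconf.sh /etc/snort/snort.conf /etc/snort/snort.conf.new 192.168.1.0/24
if [ $# -eq 3 ]; then main "$@"; fi
```

Writing to a new file rather than editing in place keeps the pristine snort.conf around for a diff, and the snort -T step is the one that catches a typo in a rule path before the sensor is started on it.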
barnyard2
Create the barnyard2 log directory:
mkdir -p /var/log/barnyard2/
Create the waldo (bookmark) file that barnyard2 uses to remember how far into the unified2 spool it has read:
touch /var/log/snort/barnyard2.waldo
Edit the barnyard2 config at /etc/snort/barnyard2.conf.
Point barnyard2 at the same map files your Snort process uses (classification.config, gen-msg.map and sid-msg.map live in /etc/snort), set the log directory and the waldo file created above, and keep unified2 as the input plugin:
# set the appropriate paths to the file(s) your Snort process is using.
#
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map

# set the directory for any output logging
#
config logdir: /var/log/barnyard2

# set the hostname and interface
config hostname:  ketoprak.humor.com
config interface: eth0

# enable the year being shown in timestamps
#
config show_year

# define the full waldo filepath.
#
config waldo_file: /var/log/snort/barnyard2.waldo

# Step 2: setup the input plugins
#
# this is not hard, only unified2 is supported ;)
input unified2

# set output alert mode
output alert_full
Check that the waldo_file line is not left commented out: without it barnyard2 has no bookmark and cannot resume where it stopped after a restart.
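A pre-flight check for this barnyard2.conf, added here as an example and not taken from the original post: it pulls the active config directives out of the file and verifies that the map files, log directory and waldo file exist and that Snort has actually written unified2 spool files under the name barnyard2 will be told to read. The script name by2check.sh, the constructed configs in the test, and the spool naming check (BASENAME.<unix timestamp>, which is how Snort's unified2 output names its files) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check to run before
# starting barnyard2 with the configuration above. Reads the active (not
# commented out) "config ..._file:", "config logdir:" and "config waldo_file:"
# directives from barnyard2.conf, checks each path, and checks that the
# unified2 spool barnyard2 will tail contains data.
# Usage: sh by2check.sh /etc/snort/barnyard2.conf /var/log/snort snort.log
# (the last two arguments are what you pass to barnyard2 as -d and -f).

# conf_value FILE KEY -> prints the value of the first active "config KEY:" line
conf_value() {
    sed -n "/^[[:space:]]*config[[:space:]]\{1,\}$2:/{s/^[^:]*:[[:space:]]*//;s/[[:space:]]*\$//;p;}" "$1" |
        head -n 1
}

# barnyard2_preflight CONF SPOOL_DIR BASENAME
#   Prints one FAIL line per problem; returns 0 only when everything checks out.
barnyard2_preflight() {
    conf=$1; spool=$2; base=$3; rc=0
    for key in classification_file gen_file sid_file; do
        path=$(conf_value "$conf" "$key")
        if [ -z "$path" ]; then
            echo "FAIL: $key is not set (commented out?) in $conf"; rc=1
        elif [ ! -r "$path" ]; then
            echo "FAIL: $key -> $path is missing or unreadable"; rc=1
        fi
    done
    waldo=$(conf_value "$conf" waldo_file)
    if [ -z "$waldo" ]; then
        echo "FAIL: waldo_file is commented out; barnyard2 cannot resume after a restart"; rc=1
    elif [ -e "$waldo" ] && [ ! -w "$waldo" ]; then
        echo "FAIL: waldo file $waldo exists but is not writable"; rc=1
    fi
    logdir=$(conf_value "$conf" logdir)
    if [ -n "$logdir" ] && [ ! -d "$logdir" ]; then
        echo "FAIL: logdir $logdir does not exist"; rc=1
    fi
    # Snort's unified2 output names its spool files BASENAME.<unix timestamp>
    if ! ls "$spool"/"$base".[0-9]* >/dev/null 2>&1; then
        echo "FAIL: no $base.<timestamp> files in $spool; is Snort running with 'output unified2: filename $base'?"; rc=1
    fi
    return $rc
}

if [ $# -eq 3 ]; then barnyard2_preflight "$@"; fi
```

The spool check is the one that catches the common mismatch between the filename in snort.conf and the -f argument given to barnyard2, which otherwise shows up only as barnyard2 sitting idle while alerts pile up.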
oinkmaster
Download Oinkmaster from
http://pkgs.org/download/centos-5-rhel-5/atomic-i386/oinkmaster-2.0-0.el5.art.noarch.rpm.html
Install the package:
[root@ketoprak tmp]# yum localinstall oinkmaster-2.0-0.el5.art.noarch.rpm -y --nogpgcheck
Note that --nogpgcheck skips RPM signature verification; if you take packages from this repository regularly, import its GPG key instead of disabling the check.
Run locate to confirm that the files were installed and that oinkmaster.pl went to /usr/bin/ (if locate shows nothing, run updatedb first, or use rpm -ql oinkmaster instead):
[root@ketoprak tmp]# locate oink
/etc/oinkmaster.conf
/usr/bin/oinkmaster.pl
/usr/share/doc/oinkmaster-2.0
/usr/share/doc/oinkmaster-2.0/ChangeLog
/usr/share/doc/oinkmaster-2.0/LICENSE
/usr/share/doc/oinkmaster-2.0/README
/usr/share/doc/oinkmaster-2.0/README.gui
/usr/share/doc/oinkmaster-2.0/README.templates
/usr/share/doc/oinkmaster-2.0/README.win32
/usr/share/doc/oinkmaster-2.0/UPGRADING
/usr/share/doc/oinkmaster-2.0/template-examples.conf
/usr/share/man/man1/oinkmaster.1.gz
Check the Snort version (the rules snapshot you fetch below has to match it). snort -V prints the version and exits; the lowercase -v used here starts Snort in verbose packet-dump mode on the default capture interface, so stop it with Ctrl-C after reading the banner:
snort -v
The output is:
[root@ketoprak ~]# snort -v
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "eth1".
Decoding Ethernet

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.0.5 (Build 135)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2011 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 6.6 06-Feb-2006
           Using ZLIB version: 1.2.3
Edit /etc/oinkmaster.conf. Find the line
url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode here>/<filename>
and fill in your oinkcode and the snapshot file name, like this:
url = http://www.snort.org/pub-bin/oinkmaster.cgi/ee4075a398290459/snortrules-snapshot-2861.tar.gz
Notes:
You get the oinkcode from the official Snort website after registering. Treat it as a credential: it travels in a plain HTTP URL, so at least keep oinkmaster.conf readable by root only (chmod 600 /etc/oinkmaster.conf).
The version in the snapshot file name must match the Snort build you checked above, because so_rules are precompiled for one specific release; the 2861 snapshot in this example is the one for Snort 2.8.6.1, so use the snapshot for the version you actually installed.
Run Snort, Barnyard2 and Oinkmaster
First start Snort:
snort -c /etc/snort/snort.conf -i eth0
As written this runs in the foreground as root. On a sensor you will normally add -D to daemonise and -u snort -g snort so that Snort drops to the snort user after opening the interface; that is why /var/log/snort was chowned to snort:snort above.
Then start barnyard2:
barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log
(-d and -f must match the directory and the unified2 filename set in snort.conf; add -w /var/log/snort/barnyard2.waldo if waldo_file is not set in barnyard2.conf.)
Then run Oinkmaster, giving it the directory where the Snort rules live:
oinkmaster.pl -o <snort rules directory>
oinkmaster.pl -o /etc/snort/rules
Schedule it with cron. Note that the RPM installed oinkmaster.pl to /usr/bin, as the locate output above shows, not /usr/local/bin:
# crontab -e
0 3 * * * /usr/bin/oinkmaster.pl -C /etc/oinkmaster.conf -o /etc/snort/rules 2>&1
Snort does not pick up changed rules until it is restarted or sent SIGHUP, so a rule update from cron needs a reload step after it.
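The cron line above updates the rules but leaves the running Snort unaware of them, and would install a broken snapshot just as readily as a good one. The following is an added example, not the author's script and not part of Oinkmaster: it snapshots the rules, runs Oinkmaster, and only if the rule set changed and passes snort -T sends Snort SIGHUP; otherwise it restores the previous rules. The script name, the PID file path /var/run/snort_eth0.pid, the variable names and the stub commands used in the test are assumptions; adjust them to your sensor.

```shell
#!/bin/sh
# Added example, not from the original post: a rule update for cron that only
# reloads Snort when the rules actually changed AND the new rule set passes
# "snort -T", so a bad download or a rule with a syntax error never reaches the
# running sensor. Assumptions (override via environment): oinkmaster.pl is in
# PATH (the RPM above put it in /usr/bin), snort.conf and the rules live under
# /etc/snort, and Snort's PID file is /var/run/snort_eth0.pid (hypothetical
# name for interface eth0; check yours with ls /var/run/snort_*).
OINKMASTER=${OINKMASTER:-oinkmaster.pl}
OINK_CONF=${OINK_CONF:-/etc/oinkmaster.conf}
SNORT=${SNORT:-snort}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
RULES_DIR=${RULES_DIR:-/etc/snort/rules}
PIDFILE=${PIDFILE:-/var/run/snort_eth0.pid}

# rules_digest DIR -> one checksum over the names and contents of all *.rules files
rules_digest() {
    find "$1" -name '*.rules' -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\n' "$f"; cat "$f"
    done | cksum | cut -d' ' -f1
}

# update_rules -> 0 when nothing changed or Snort was reloaded with valid rules,
#                 1 when the download failed or the new rules were rolled back
update_rules() {
    [ -d "$RULES_DIR" ] || { echo "no rules directory $RULES_DIR" >&2; return 1; }
    before=$(rules_digest "$RULES_DIR")
    backup=$(mktemp -d) || return 1
    cp -Rp "$RULES_DIR"/. "$backup"/       # last known-good rule set
    if ! "$OINKMASTER" -C "$OINK_CONF" -o "$RULES_DIR"; then
        echo "oinkmaster failed; rules left untouched" >&2
        rm -rf "$backup"; return 1
    fi
    after=$(rules_digest "$RULES_DIR")
    if [ "$before" = "$after" ]; then
        echo "rules unchanged; no reload"
        rm -rf "$backup"; return 0
    fi
    # Validate before signalling the sensor: snort -T parses the config and
    # every rule it includes, then exits nonzero on any error.
    if ! "$SNORT" -T -c "$SNORT_CONF" >/dev/null 2>&1; then
        echo "new rules fail snort -T; restoring previous rule set" >&2
        rm -rf "$RULES_DIR"/* && cp -Rp "$backup"/. "$RULES_DIR"/
        rm -rf "$backup"; return 1
    fi
    rm -rf "$backup"
    if [ -r "$PIDFILE" ]; then
        kill -HUP "$(cat "$PIDFILE")" && echo "rules changed; Snort reloaded"
    else
        echo "rules changed but no PID file at $PIDFILE; restart Snort by hand" >&2
    fi
}

# cron line (hypothetical path): 0 3 * * * /usr/local/sbin/snort-rules-update.sh run
case "${1:-}" in run) update_rules ;; esac
```

The command names are variables so the script can be exercised against stub oinkmaster and snort binaries before it is trusted with a live sensor; the rollback copies the whole rules directory back rather than individual files because Oinkmaster may add, remove and modify files in one run.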