Compiling snort from source code and creating a .deb package
From Cryptolife
This guide shows how you can compile Snort from source and install it from a .deb package.
Updated to Snort Version 2.8.6 (Build 38)
- Install required packages for snort compilation
apt-get install build-essential libnet1-dev libpcap0.8-dev libpcre3-dev \
    libmysqlclient15-dev checkinstall
- Create the following directories
#mkdir /etc/snort
#mkdir /etc/snort/rules
#cd /tmp
Download the latest version from snort.org
#wget http://dl.snort.org/snort-current/snort-2.8.6.tar.gz
- Decompress snort, copy the config files to /etc/snort, create the snort user, and set the permissions on the /var/log/snort/ directory.
#tar xvfz snort-2.8.6.tar.gz
#cp -a snort-2.8.6/etc/* /etc/snort/
#useradd snort -d /var/log/snort -s /bin/false -c SNORT_IDS
#mkdir /var/log/snort
#chown -R snort /var/log/snort/
- Begin the package build
#cd snort-2.8.6
#./configure --with-mysql
#make
#checkinstall
**********************************************************************
Done. The new package has been installed and saved to
/tmp/snort-2.8.6/snort_2.8.6-1_i386.deb
You can remove it from your system anytime using:
dpkg -r snort
**********************************************************************
- Install the snort package with
dpkg -i snort_2.8.6-1_i386.deb
- Check snort version
# snort -V
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.6 (Build 38)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 7.8 2008-09-05
Snort Rules Management
Install the snort signature manager with
#apt-get install oinkmaster
- Snort official rules
Go to http://www.snort.org/login, subscribe and get the oinkcode.
Add the following line to the file /etc/oinkmaster.conf (replace OINKCODE with your oinkcode):
url = http://www.snort.org/pub-bin/oinkmaster.cgi/OINKCODE/snortrules-snapshot-2860.tar.gz
and comment out this one:
#url = http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz
Download the official snort rules with
/usr/sbin/oinkmaster -o /etc/snort/rules -v
Check the downloaded rules with
# ls
attack-responses.rules  ftp.rules         oracle.rules     smtp.rules              web-attacks.rules
backdoor.rules          icmp-info.rules   other-ids.rules  snmp.rules              web-cgi.rules
bad-traffic.rules       icmp.rules        p2p.rules        specific-threats.rules  web-client.rules
chat.rules              imap.rules        policy.rules     spyware-put.rules       web-coldfusion.rules
content-replace.rules   info.rules        pop2.rules       sql.rules               web-frontpage.rules
ddos.rules              misc.rules        pop3.rules       telnet.rules            web-iis.rules
dns.rules               multimedia.rules  rpc.rules        tftp.rules              web-misc.rules
dos.rules               mysql.rules       rservices.rules  virus.rules             web-php.rules
experimental.rules      netbios.rules     scada.rules      voip.rules              x11.rules
exploit.rules           nntp.rules        scan.rules       VRT-License.txt
finger.rules            open-test.conf    shellcode.rules  web-activex.rules
- Using the open-source Emerging Threats community rules.
Add the following line to the file /etc/oinkmaster.conf:
url = http://www.emergingthreats.net/rules/emerging.rules.tar.gz
Download the Emerging Threats rules with
/usr/sbin/oinkmaster -o /etc/snort/rules -v
Check the downloaded rules with
# ls
emerging-attack_response.rules    emerging-exploit.rules        emerging-sid-msg.map.txt
emerging-botcc-BLOCK.rules        emerging-game.rules           emerging-tor-BLOCK.rules
emerging-botcc.rules              emerging-inappropriate.rules  emerging-tor.rules
emerging-compromised-BLOCK.rules  emerging-malware.rules        emerging-user_agents.rules
emerging-compromised.rules        emerging-p2p.rules            emerging-virus.rules
emerging.conf                     emerging-policy.rules         emerging-voip.rules
emerging-current_events.rules     emerging-rbn-BLOCK.rules      emerging-web_client.rules
emerging-dos.rules                emerging-rbn.rules            emerging-web.rules
emerging-drop-BLOCK.rules         emerging-readme.txt           emerging-web_server.rules
emerging-drop.rules               emerging.rules                emerging-web_specific_apps.rules
emerging-dshield-BLOCK.rules      emerging-scan.rules           emerging-web_sql_injection.rules
emerging-dshield.rules            emerging-sid-msg.map
A crontab entry is needed to update the rules automatically, in this case every day at 21:30.
Add this line to the root crontab:
30 21 * * * /usr/sbin/oinkmaster -o /etc/snort/rules -s | mail -s "oinkmaster.update" myname@mydomain.org
Snort configuration
The main configuration file is /etc/snort/snort.conf; set the following in it:
var HOME_NET [mynetwork/24]
var RULE_PATH /rules
output database: alert, mysql, dbname=snortdb user=snort password=mypassword host=snortdatabase
At this point all the snort rules from www.emergingthreats.net are downloaded to /etc/snort/rules. To use these rules, add the following section to the snort.conf file and comment out entries according to your needs.
include $RULE_PATH/emerging-attack_response.rules
include $RULE_PATH/emerging-botcc-BLOCK.rules
include $RULE_PATH/emerging-botcc.rules
include $RULE_PATH/emerging-compromised-BLOCK.rules
include $RULE_PATH/emerging-compromised.rules
include $RULE_PATH/emerging.conf
include $RULE_PATH/emerging-current_events.rules
include $RULE_PATH/emerging-dos.rules
include $RULE_PATH/emerging-drop-BLOCK.rules
include $RULE_PATH/emerging-drop.rules
include $RULE_PATH/emerging-dshield-BLOCK.rules
include $RULE_PATH/emerging-dshield.rules
include $RULE_PATH/emerging-exploit.rules
include $RULE_PATH/emerging-game.rules
include $RULE_PATH/emerging-inappropriate.rules
include $RULE_PATH/emerging-malware.rules
include $RULE_PATH/emerging-p2p.rules
include $RULE_PATH/emerging-policy.rules
include $RULE_PATH/emerging-rbn-BLOCK.rules
include $RULE_PATH/emerging-rbn.rules
include $RULE_PATH/emerging.rules
include $RULE_PATH/emerging-scan.rules
include $RULE_PATH/emerging-tor-BLOCK.rules
include $RULE_PATH/emerging-tor.rules
include $RULE_PATH/emerging-user_agents.rules
include $RULE_PATH/emerging-virus.rules
include $RULE_PATH/emerging-voip.rules
include $RULE_PATH/emerging-web_client.rules
include $RULE_PATH/emerging-web.rules
include $RULE_PATH/emerging-web_server.rules
include $RULE_PATH/emerging-web_specific_apps.rules
include $RULE_PATH/emerging-web_sql_injection.rules
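Before starting snort on the edited configuration, the script below (an added example, not part of the original how-to) checks that every `include $RULE_PATH/...` line in snort.conf resolves to a rules file that exists, since a single missing file aborts snort at startup. The snort.conf and rules directory it builds are constructed sample data, and a relative RULE_PATH is assumed to resolve relative to the directory holding snort.conf.

```shell
#!/bin/sh
# Added example, not part of the original how-to: before (re)starting snort, make
# sure every "include $RULE_PATH/..." line in snort.conf names a rules file that
# exists, since one missing file (renamed or dropped by a rules update) aborts
# snort at startup. The snort.conf and rules directory built below are constructed
# sample data; the real files are /etc/snort/snort.conf and /etc/snort/rules.

# Print the RULE_PATH value; a relative value is assumed to be relative to the
# directory holding snort.conf.
rule_path() {
  rp=$(awk '$1 == "var" && $2 == "RULE_PATH" { print $3; exit }' "$1")
  case $rp in
    /*) printf '%s\n' "$rp" ;;
    *)  printf '%s\n' "$(dirname "$1")/$rp" ;;
  esac
}

# List every included rules file that does not exist; return 1 if any is missing.
check_includes() {
  rp=$(rule_path "$1"); missing=0
  for f in $(awk '$1 == "include" && $2 ~ /^\$RULE_PATH\// {
                    sub(/^\$RULE_PATH\//, "", $2); print $2 }' "$1"); do
    [ -f "$rp/$f" ] || { printf 'missing: %s/%s\n' "$rp" "$f"; missing=1; }
  done
  return $missing
}

# Build a constructed /etc/snort lookalike with one present and one missing rule file.
make_sample_conf() {
  d=$(mktemp -d) || exit 1
  mkdir "$d/rules"
  : > "$d/rules/emerging-scan.rules"
  cat > "$d/snort.conf" <<'EOF'
var HOME_NET [192.0.2.0/24]
var RULE_PATH rules
include $RULE_PATH/emerging-scan.rules
include $RULE_PATH/emerging-exploit.rules
#include $RULE_PATH/emerging-web.rules
EOF
  printf '%s\n' "$d/snort.conf"
}

# Check the config given as $1, or the constructed sample when none is given.
CONF="${1:-$(make_sample_conf)}"
if check_includes "$CONF"; then
  echo "all rules includes in $CONF resolve"
else
  echo "fix $CONF before starting snort"
fi
```

Commented-out `#include` lines are skipped, so disabling a rule set the way the how-to suggests does not trigger a warning.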
Start and stop snort
To start and stop snort, a script must be placed in the init.d directory:
vim /etc/init.d/snort
#!/bin/sh
# /etc/init.d/snort - start and stop the Snort IDS

case "$1" in
  start)
    echo "Starting snort IDS"
    snort -D -i eth0 -u snort -c /etc/snort/snort.conf
    ;;
  stop)
    echo "Stopping snort IDS"
    killall snort
    ;;
  *)
    echo "Usage: /etc/init.d/snort {start|stop}"
    exit 1
    ;;
esac
exit 0
The script must be executable:
#chmod +x /etc/init.d/snort
Testing snort
Assuming that snort is running, we can perform some tests to check that the IDS engine is working correctly. We can begin with an nmap scan. Remember that for the moment snort is logging to the /var/log/snort/alert file; database logging will be enabled later. So in this case we need to watch this file with:
#tail -f /var/log/snort/alert
From another machine run
#nmap -sS -P0 172.16.160.131
where 172.16.160.131 is the IP address of the snort sensor.
Alerts like the following should appear in the alert file:
[**] [1:2000537:6] ET SCAN NMAP -sS [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/19-12:49:48.420647 172.16.160.1:38428 -> 172.16.160.131:8089
TCP TTL:37 TOS:0x0 ID:6366 IpLen:20 DgmLen:44
******S* Seq: 0xE9A27E99  Ack: 0x0  Win: 0x800  TcpLen: 24
TCP Options (1) => MSS: 1460
As you can see, the IDS engine has correctly detected the nmap -sS scan attempt. In the next how-to I'll show how to set up the database and the snort web interface.
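Until the database back end exists, the alert file is the only view of what the sensor is firing on. The script below (an added example, not part of the original how-to) summarises a full-format alert file like /var/log/snort/alert by signature and by source address; the alert records it builds are constructed sample data, with only the ET SCAN NMAP -sS signature and the 172.16.160.x addresses taken from this page.

```shell
#!/bin/sh
# Added example, not part of the original how-to: summarise a Snort "full" format
# alert file (the /var/log/snort/alert layout shown above) with awk and sort, the
# quickest way to see what a sensor is firing on before the database back end is
# set up. The alert records below are constructed sample data; only the
# ET SCAN NMAP -sS signature and the 172.16.160.x addresses come from the page.

# Write a constructed alert file in Snort's full alert format and print its path.
make_sample_alerts() {
  f=$(mktemp) || exit 1
  cat > "$f" <<'EOF'
[**] [1:2000537:6] ET SCAN NMAP -sS [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/19-12:49:48.420647 172.16.160.1:38428 -> 172.16.160.131:8089
TCP TTL:37 TOS:0x0 ID:6366 IpLen:20 DgmLen:44
******S* Seq: 0xE9A27E99  Ack: 0x0  Win: 0x800  TcpLen: 24
TCP Options (1) => MSS: 1460

[**] [1:2000537:6] ET SCAN NMAP -sS [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/19-12:49:48.421002 172.16.160.1:38428 -> 172.16.160.131:443
TCP TTL:37 TOS:0x0 ID:6367 IpLen:20 DgmLen:44

[**] [1:9999999:1] CONSTRUCTED TEST signature [**]
[Classification: Misc activity] [Priority: 3]
05/19-12:50:01.000000 172.16.160.2:51000 -> 172.16.160.131:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60

EOF
  printf '%s\n' "$f"
}

# Alerts per signature, most frequent first: "count [gid:sid:rev] message".
count_by_signature() {
  awk '/^\[\*\*\] / { sub(/^\[\*\*\] /, ""); sub(/ \[\*\*\]$/, ""); n[$0]++ }
       END { for (s in n) printf "%d %s\n", n[s], s }' "$1" | sort -rn
}

# Alerts per source IP (port stripped), most frequent first: "count ip".
count_by_source() {
  awk '$3 == "->" { split($2, a, ":"); n[a[1]]++ }
       END { for (ip in n) printf "%d %s\n", n[ip], ip }' "$1" | sort -rn
}

# Summarise the file given as $1, or the constructed sample when none is given.
ALERTS="${1:-$(make_sample_alerts)}"
printf 'Alerts by signature:\n'; count_by_signature "$ALERTS"
printf 'Alerts by source IP:\n';  count_by_source "$ALERTS"
```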
Comments and feedback are welcome @