So. You want to set up a snort client for your distributed snort network on a scad of Ubuntu boxes? It is pretty easy, once you've done it three or four times.
Uncomment the line beginning with: deb cdrom
This will configure the dpkg package system to NOT look for packages on the cdrom.
Then we want to update our sources and upgrade our binaries to the latest:
If ssh is not already installed, install it:
We're going to roll our own snort; install all required packages:
Does everything look fine?
This step involves installing snort, adding the snort user & group, then installing the detection rules.
We're installing the latest snort as found on the snort site.
Next, run the following commands:
If you have a pre-compiled version of snort, you may wish to do the following:
And you'll see which libraries are lacking on your system. The following output is from the client; it looks like all we need is libmysql15off:
Note: central repository for rules is on server.
Now it is time to configure and start snort.
First, we need to edit the main configuration file:
Change these lines to match your environment:
Add the following:
The snort preprocessors throw a lot of false positives; disable some of their options by unhashing the following:
Let's see if snort works by editing local rules:
Make a simple rule for testing:
Or, to generate a whole lot of alerts, make this local rule:
Now we can start snort:
snort should initialize successfully. Look at /var/log/syslog for a line that looks like this:
If not already enabled, bring up "sniffing" interface:
Use the snort startup commands above along with the -i option to specify the interface you would like to sniff from (e.g. -i eth1). Remember to kill the existing snort process before you start a new one.
Check that the snort user can connect from the remote client to the snort database on the central snort server.
If the connection is rejected, check the DB table permissions.
Uncomment and edit this line:
For server logging:
Note: For mysql clients with a revision older than 5.0, please see the old mysql client setup.
Since this is a slave server, we're going to edit oinkmaster.conf to grab rules from a directory to be rsynced from the central repository and then process those rules. Our repository is server.
Note this section of the configuration file and edit:
We're going to have to do some more initial legwork by creating an oinkmaster user and generating its SSH key pair. Yeah.
Note: Double-check that oinkmaster is permitted to ssh into the system:
If not, add the user and re-start ssh daemon.
As oinkmaster user on client:
Do a test ssh connection from repository to see if pubkey authentication is working properly. From repository as oinkmaster user:
Push the initial set of rules from repository to client. On repository:
Add the following line:
What the above specifies is that rsync will use the oinkmaster key to connect to the client and will delete everything in the rules.hold directory, replacing it with the pushed rules. The client's oinkmaster.conf defines the rules.hold directory as the source of new rules to be loaded into snort.
Run pushsnortrules-test.sh on the repository as oinkmaster:
After the rules have been rsynced successfully, add the same line to pushsnortrules.sh. Test oinkmaster.pl on the client:
Take a look in /tmp/oinktest to see if the rules are in place:
Once it has been determined that the rules updated correctly, run oinkmaster.pl with the production output location as defined in the configuration file.
Note: The -o switch tells oinkmaster to override the output directory given in the configuration file; the -b switch makes oinkmaster back up the current rules to the given location before doing the actual update. Play with this if so desired; the /etc/snort/backup directory is created for this purpose.
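Before handing a pushed rule set to oinkmaster.pl, it is worth confirming that what landed in rules.hold is exactly what the repository sent, since rsync --delete will happily propagate a tampered or half-written rules directory. The following POSIX shell script is an added example, not part of the original write-up; it assumes the repository also generates a sha256 manifest beside the .rules files (constructed name rules.sha256) and that the client checks it before loading. Directory paths are placeholders.

```shell
#!/bin/sh
# Added example: integrity check of a pushed snort rule set before oinkmaster.pl
# loads it. Assumes a manifest produced by make_manifest on the repository
# (file name rules.sha256 is a constructed choice, not from the original page).

# make_manifest DIR OUT: write "hash  ./file.rules" for every .rules file in DIR
make_manifest() {
    ( cd "$1" && sha256sum ./*.rules ) > "$2"
}

# verify_rules_dir DIR MANIFEST: return 0 only if every listed file hashes as
# recorded AND no unlisted .rules file is present in DIR, else return 1
verify_rules_dir() {
    dir=$1; manifest=$2
    [ -f "$manifest" ] || { echo "missing manifest $manifest" >&2; return 1; }
    # every file in the manifest must still hash to the recorded value
    ( cd "$dir" && sha256sum --status -c "$manifest" ) || {
        echo "hash mismatch in $dir" >&2; return 1; }
    # a .rules file the repository never listed did not come from the push
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        awk '{print $2}' "$manifest" | grep -qxF "./$(basename "$f")" || {
            echo "unlisted rule file $f" >&2; return 1; }
    done
    return 0
}

# count_active_rules DIR: number of non-comment rule lines across all .rules files
count_active_rules() {
    awk '/^(alert|log|pass|drop|reject|sdrop)[[:space:]]/ { n++ } END { print n + 0 }' \
        "$1"/*.rules
}

# Usage on the client after the rsync push (paths are placeholders):
#   verify_rules_dir /etc/snort/rules.hold /etc/snort/rules.hold/rules.sha256 \
#       && oinkmaster.pl -o /tmp/oinktest -b /etc/snort/backup
```

The manifest itself is not a .rules file, so it is neither listed nor loaded by oinkmaster.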
On the repository there are init scripts and configuration files. scp them over to the client sensor and place them thusly:
The above should be configured to match the specific sensor environment. The /etc/default/snort file works well with the init.d script and will override settings in /etc/snort/snort.conf; snort.debian.conf is the place to specify the interface and other Debian-specific settings. Please be reminded to check the path to the snort binary in the init.d script.
After chmod +x /etc/init.d/snort,
register the script with the init system:
Or use sysvconfig...
Set up your favorite mail daemon to send mail, then add the following to /etc/crontab (if mail isn't set up, set it up):
Just to be safe, check that command-line mailing works:
You're ready to start IDSing. Or something. On the client, execute:
To watch snort start, stare at the appropriate syslog:
Go to the repository web console and examine away once you've installed BASE... you have done that, right?