Thursday, September 4, 2008

Snort Basics

To start with you can get snort from www.snort.org.

In the first part of our discussion we will configure Snort on an Ubuntu machine.
In later posts we will proceed to others such as Red Hat or Debian.

The main problem one faces when installing Snort is meeting its dependencies.

So, to deal with that, I think we should start there.
Start with ----->
tar -xvzf snort-2.8.1.tar.gz
cd snort-2.8.1
./configure -------------------> (for IDS)
./configure --enable-inline -------------------> (for IPS)

You can add --enable-mysql to either of them to push your Snort alerts into a MySQL database.

Generally you won't find any error while configuring the IDS build.

So, hoping your IDS build gave you no trouble, we end it here; even if it does, the errors won't be different from the IPS ones, so refer to that section if you hit one.

To start Snort as an IDS, first get the rules
(those too you can get from www.snort.org).
Untar them into the /etc/snort/ directory.
Now
cp snort-2.8.1/* /etc/snort/
This makes it convenient, as you (and your system) get all files in one place, reducing the chances of error.

mkdir /var/log/snort ----------> for Snort to log its alert files.

Now make some changes to your snort.conf file, which lives in the /etc/snort directory.

var HOME_NET localhost ----------> this should be the valid IP of your system.

var RULE_PATH /etc/snort/rules


Now start Snort:

snort -c /etc/snort/snort.conf -i eth0 -l /var/log/snort

You can also add -A console to get alerts on screen, or -D to run Snort in daemon mode.


Now it's time to concentrate on IPS, with or without MySQL.

Start by trying to compile Snort with --------------->
tar -xvzf snort-2.8.1.tar.gz
cd snort-2.8.1
./configure --enable-inline --enable-mysql

At this point you are likely to get an error, i.e.
libipq.h not found
This can be eliminated by copying libipq.h to /usr/include/.
And in case you don't have the libipq.h file at all, then do -------------->
apt-cache search libipq.h
and install the package that provides the file:
apt-get install <package-name>
(apt-cache search matches package names and descriptions; apt-file search libipq.h looks up which package ships a given file.)


Other errors include ones like ----------->
libpcap not found
The same approach deals with these kinds of errors.

But to build with --enable-mysql you have to get some prerequisites:
  • libpcap0.8-dev
  • libmysqlclient15-dev
  • mysql-client-5.0
  • mysql-server-5.0


After this I don't think it will give you any kind of trouble.

To get snort-inline working you have to bring iptables up
and add rules to iptables such that packets are placed in a queue,
such as --------->
iptables -A INPUT -p tcp -j QUEUE
iptables -A INPUT -p icmp -j QUEUE
iptables -A INPUT -p udp -j QUEUE

You can do this for any iptables chain, depending on what kind of work you want your Snort to perform.

To start snort-inline just use -------------------->
snort -Q -c /etc/snort/snort.conf -i eth0 -l /var/log/snort

Here too you can add -A console to get alerts on screen, or -D to run Snort in daemon mode.
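A pre-flight check for the build and configuration steps above, written as an added example for this post (it is not the author's script): it reports which of the headers this post names are missing from the include directory before you run ./configure, and whether HOME_NET in snort.conf is still the localhost placeholder. The include directory, the mode names and the header paths (pcap.h, libipq.h, mysql/mysql.h) are assumptions about where the Ubuntu packages install them.

```shell
#!/bin/sh
# Constructed pre-flight check for the Snort build described in this post.

# Print, one per line, the headers that ./configure will need for the given
# build mode (ids | inline | inline-mysql) but which are missing from the
# include directory. Assumed header locations: pcap.h, libipq.h, mysql/mysql.h.
missing_headers() {
    include_dir="${1:-/usr/include}"
    mode="${2:-ids}"
    needed="pcap.h"
    case "$mode" in
        inline)       needed="$needed libipq.h" ;;
        inline-mysql) needed="$needed libipq.h mysql/mysql.h" ;;
    esac
    for h in $needed; do
        [ -f "$include_dir/$h" ] || echo "$h"
    done
}

# Return 0 when "var HOME_NET" in the given snort.conf has been changed away
# from the localhost placeholder, 1 when it is missing or still localhost.
home_net_set() {
    conf="$1"
    [ -f "$conf" ] || return 1
    value=$(awk '$1 == "var" && $2 == "HOME_NET" { print $3; exit }' "$conf")
    [ -n "$value" ] && [ "$value" != "localhost" ]
}

# Stand-alone usage: report what this machine is missing for an inline+mysql build.
for h in $(missing_headers /usr/include inline-mysql); do
    echo "missing header: $h (apt-file search $h shows which package ships it)"
done
if [ -f /etc/snort/snort.conf ] && ! home_net_set /etc/snort/snort.conf; then
    echo "HOME_NET in /etc/snort/snort.conf is still localhost; set it to this host's IP"
fi
```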
