Optimizing Snort Installation with Effective Security Rules Integration


I. Introduction

Security Rules are essential for protecting data and ensuring the integrity

  1. Snort is an open-source network intrusion detection system (NIDS) whose main functions are packet sniffing, packet logging, and intrusion detection.

Snort captures and analyzes packets on a network. Unlike a plain sniffer, it can also respond to and process them according to the defined rules. Snort matches each captured packet against its rules and, depending on the rule chain, takes one of these actions: Activation (alert and activate another dynamic rule chain), Dynamic (a rule that is invoked by an activation rule), Alert (generate an alert), Pass (ignore the packet), and Log (record the traffic without alerting).

Snort provides packet sniffing, analysis, detection, and response processing, with a separate module implementing each function. All modules are integrated with Snort through a plug-in architecture, which makes functional extensions convenient. For example, preprocessing plugins run before rule matching (misuse detection) and perform tasks such as IPv4 fragment reassembly, HTTP decoding, and Telnet decoding. Processing plugins check protocol fields, close connections, and respond to attacks, and their results are written out as logs or alerts.

  2. Barnyard2 is a dedicated output handler for Snort.

To reduce the load on the Snort process, Snort writes the packets and events that match rules to a local binary (unified2) file without further processing. Barnyard2 reads that file asynchronously and stores the records in MySQL.

  3. PulledPork is a Snort ruleset update program.

PulledPork is a Perl script that automatically downloads the latest Snort rulesets.

  4. BASE is the web frontend for Snort.

It is a web frontend for querying and analyzing Snort alerts.

II. Environment Preparation

  1. System Environment: Ubuntu 18.04 LTS

  2. Software Environment: MySQL / Apache2 / PHP 5.5 / SNORT / Barnyard2 / BASE

  3. Library Environment


    sudo apt-get update -y
    sudo apt-get dist-upgrade -y
    sudo apt-get install -y zlib1g-dev liblzma-dev openssl libssl-dev
    sudo apt-get install -y build-essential bison flex
    sudo apt-get install -y libpcap-dev libpcre3-dev libdumbnet-dev libnghttp2-dev
    sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool
    sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl libwww-perl
    sudo add-apt-repository ppa:ondrej/php
    sudo apt-get update -y
    sudo apt-get install -y apache2 libapache2-mod-php5.6 php5.6 php5.6-common php5.6-gd php5.6-cli php5.6-xml php5.6-mysql
    sudo apt-get install -y php-pear libphp-adodb

  4. Software Download

wget https://www.snort.org/downloads/snort/daq-2.0.7.tar.gz
wget https://www.snort.org/downloads/snort/snort-2.9.16.tar.gz
wget https://github.com/firnsy/barnyard2/archive/v2-1.13.tar.gz -O barnyard2-2-1.13.tar.gz
wget https://github.com/shirkdog/pulledpork/archive/v0.7.3.tar.gz -O pulledpork-v0.7.3.tar.gz
wget https://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-520-for-php5/adodb-5.20.8.tar.gz
wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz

III. System Installation

1. Install Snort:

  1. Install DAQ, extract and compile
    tar xvzf daq-2.0.7.tar.gz
    cd daq-2.0.7
    ./configure && make && sudo make install

  2. Install Snort, extract and compile
    tar xvzf snort-2.9.16.tar.gz
    cd snort-2.9.16
    ./configure --enable-sourcefire && make && sudo make install

While installing Snort, you might encounter

ERROR! LuaJIT library not found. Go get it from http://www.luajit.org/ (or) Try compiling without openAppId using '--disable-open-appid'

Solution:

sudo wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
sudo tar -zxvf LuaJIT-2.0.5.tar.gz
cd LuaJIT-2.0.5/
sudo make && sudo make install

Refresh the shared library cache so the newly installed LuaJIT library is found

sudo ldconfig

Test

~/Downloads/snort-2.9.16$ snort -V
,,_
 -*> Snort! <*-
o"  )~
''''
Version 2.9.16 GRE (Build 118) 
By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.8.1
Using PCRE version: 8.43 2019-02-23
Using ZLIB version: 1.2.11

Create User Environment

# Create the snort user and group:
sudo groupadd snort
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
# Create the Snort directories:
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /etc/snort/rules/iplists
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules
# Create some files that store rules and IP lists
sudo touch /etc/snort/rules/iplists/black_list.rules
sudo touch /etc/snort/rules/iplists/white_list.rules
sudo touch /etc/snort/rules/local.rules
sudo touch /etc/snort/sid-msg.map
# Create our logging directories:
sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs
# Adjust permissions:
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
# Change Ownership on folders:
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules

Configuration Files Directory

Snort Configuration File: /etc/snort/snort.conf
Snort Log Data: /var/log/snort/
Snort Rules Directory: /etc/snort/rules/
                          /etc/snort/so_rules/
                          /etc/snort/preproc_rules/
                          /usr/local/lib/snort_dynamicrules/
Snort IP List Directory: /etc/snort/rules/iplists/
Snort Dynamic Preprocessors: /usr/local/lib/snort_dynamicpreprocessor/

Copy Configuration Files

# Use the source tree extracted above (snort-2.9.16, not an older release)
cd ~/snort-2.9.16/etc/
sudo cp *.conf* /etc/snort
sudo cp *.map /etc/snort
sudo cp *.dtd /etc/snort
cd ~/snort-2.9.16/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/
sudo cp * /usr/local/lib/snort_dynamicpreprocessor/

Comment out the rule file includes in snort.conf, since PulledPork will manage the ruleset

sudo sed -i "s/include \$RULE\_PATH/#include \$RULE\_PATH/" /etc/snort/snort.conf

Manually edit snort.conf configuration

sudo vi /etc/snort/snort.conf
#Line 45, modify ipvar HOME_NET to the local internal network
ipvar HOME_NET 192.168.146.130/24
#Line 104, set the following configuration file paths
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules/iplists
var BLACK_LIST_PATH /etc/snort/rules/iplists
#Line 521, add
output unified2: filename snort.u2, limit 128
#Line 546, uncomment to enable local.rules file
include $RULE_PATH/local.rules

Add Local Rule

sudo vi /etc/snort/rules/local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP Test detected!!!"; classtype:icmp-event; sid:10000001; rev:001; GID:1;)
sudo vi /etc/snort/sid-msg.map
#v2
1 || 10000001 || 001 || icmp-event || 0 || ICMP Test detected || url,tools.ietf.org/html/rfc792

Test Configuration File

sudo snort -T -c /etc/snort/snort.conf -i ens33

Test Functionality

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i ens33

At this point, ping the IP address of the ens33 interface from another host. Snort will record the matching traffic, and the data is saved in /var/log/snort as snort.log.xxx.

2. Install Barnyard2

Install MySQL

sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool

Extract and Compile

tar zxvf barnyard2-2-1.13.tar.gz
cd barnyard2-2-1.13
autoreconf -fvi -I ./
# Choose ONE of these two commands to run
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu
sudo make && sudo make install

Test

~/Downloads/barnyard2-2-1.13$ barnyard2 -V
  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.13 (Build 327)
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2013 Ian Firns <[email protected]>

Configure Configuration File

sudo cp ~/barnyard2-2-1.13/etc/barnyard2.conf /etc/snort/
# the /var/log/barnyard2 folder is never used or referenced
# but barnyard2 will error without it existing
sudo mkdir /var/log/barnyard2
sudo chown snort:snort /var/log/barnyard2
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort:snort /var/log/snort/barnyard2.waldo

Configure Database

ubuntu@ubuntu:~$ mysql -u root -p
mysql> create database snort;
mysql> use snort;
mysql> source ~/barnyard2-2-1.13/schemas/create_mysql;
mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY '123456';
mysql> grant create, insert, select, delete, update on snort.* to 'snort'@'localhost';
mysql> exit;

Add Database Configuration

sudo vi /etc/snort/barnyard2.conf
# Add database configuration at the end
output database: log, mysql, user=snort password=123456 dbname=snort host=localhost sensor name=sensor01
# Remove world read access: barnyard2.conf now contains the database password
sudo chmod o-r /etc/snort/barnyard2.conf

Test

# Start snort and send ping packets to the ens33 interface
sudo snort -q -u snort -g snort -c /etc/snort/snort.conf -i ens33
# Start barnyard2, logging information into the database
# 1. Continuous processing mode, setting barnyard2.waldo as bookmark
sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort
# 2. File processing mode, processing a single log file
sudo barnyard2 -c /etc/snort/barnyard2.conf -o /var/log/snort/snort.log.xxx
# Check the number of database entries to see if it has increased
mysql -u snort -p -D snort -e "select count(*) from event"
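The pipeline configured above (the local ICMP rule with its v2 sid-msg.map entry, and unified2 output read by Barnyard2) as an added example that is not part of the original guide: it parses a v2 sid-msg.map, decodes a UNIFIED2_IDS_EVENT record (type 7, the 52-byte legacy layout) from a constructed unified2 byte string, and labels the event with the rule message the way Barnyard2 does before inserting it into MySQL. The sensor id, timestamps and addresses in the sample are constructed.

```python
import socket
import struct

UNIFIED2_IDS_EVENT = 7          # record type written for every alert
HDR = struct.Struct(">II")      # record header: type, length (network byte order)
# Unified2IDSEvent_legacy: 11 x u32, 2 x u16, 4 x u8 = 52 bytes
EVT = struct.Struct(">11I2H4B")
EVT_FIELDS = ("sensor_id event_id event_second event_microsecond signature_id "
              "generator_id signature_revision classification_id priority_id "
              "ip_source ip_destination sport_itype dport_icode protocol "
              "impact_flag impact blocked").split()


def parse_sid_msg_map(text):
    """v2 format: gid || sid || rev || classification || priority || msg || refs..."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        table[(int(parts[0]), int(parts[1]))] = parts[5]
    return table


def read_events(blob, sid_map):
    """Return decoded IDS events from a unified2 byte string; other record types are skipped."""
    events, off = [], 0
    while off + HDR.size <= len(blob):
        rtype, length = HDR.unpack_from(blob, off)
        body = blob[off + HDR.size:off + HDR.size + length]
        off += HDR.size + length
        if rtype != UNIFIED2_IDS_EVENT or len(body) != EVT.size:
            continue  # e.g. UNIFIED2_PACKET (type 2) records are not decoded here
        ev = dict(zip(EVT_FIELDS, EVT.unpack(body)))
        for key in ("ip_source", "ip_destination"):
            ev[key] = socket.inet_ntoa(struct.pack(">I", ev[key]))
        ev["msg"] = sid_map.get((ev["generator_id"], ev["signature_id"]), "<no sid-msg.map entry>")
        events.append(ev)
    return events


# Constructed sample: the page's ICMP rule (gid 1, sid 10000001, rev 1) firing on an
# echo request from 192.168.146.1 to the sensor at 192.168.146.130 (constructed values)
SID_MSG_MAP = ("#v2\n1 || 10000001 || 001 || icmp-event || 0 || ICMP Test detected"
               " || url,tools.ietf.org/html/rfc792\n")
SAMPLE_EVENT = EVT.pack(1, 7, 1600000000, 123456, 10000001, 1, 1, 3, 3,
                        int.from_bytes(socket.inet_aton("192.168.146.1"), "big"),
                        int.from_bytes(socket.inet_aton("192.168.146.130"), "big"),
                        8, 0, 1, 0, 0, 0)  # itype 8 / icode 0, protocol 1 = ICMP
SAMPLE_U2 = HDR.pack(UNIFIED2_IDS_EVENT, EVT.size) + SAMPLE_EVENT
```

Calling `read_events(SAMPLE_U2, parse_sid_msg_map(SID_MSG_MAP))` yields one event whose `msg` is "ICMP Test detected"; an event whose gid/sid pair is missing from the map is flagged, which is the symptom of forgetting the sid-msg.map entry when adding a local rule.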

3. Install PulledPork

Extract and Install

tar xzvf pulledpork-v0.7.3.tar.gz
cd pulledpork-v0.7.3/
sudo cp pulledpork.pl /usr/local/bin
sudo chmod +x /usr/local/bin/pulledpork.pl
sudo cp etc/*.conf /etc/snort

Test

ubuntu@ubuntu:~$ pulledpork.pl -V
PulledPork v0.7.3 - Making signature updates great again!

Configure

sudo vi /etc/snort/pulledpork.conf
# Line 19: Enter the oinkcode generated from the registration account, if not, comment it out
# Line 29: Uncomment to download rules for emerging threats
# Line 74: Change to:
rule_path = /etc/snort/rules/snort.rules
# Line 89: Change to:
local_rules = /etc/snort/rules/local.rules
# Line 92: Change to:
sid_msg = /etc/snort/sid-msg.map
# Line 96: Change to:
sid_msg_version = 2
# Line 119: Change to:
config_path = /etc/snort/snort.conf
# Line 133: Change to:
distro = Ubuntu-12-04
# Line 141: Change to:
black_list = /etc/snort/rules/iplists/black_list.rules
# Line 150: Change to:
IPRVersion = /etc/snort/rules/iplists
sudo vi /etc/snort/snort.conf
# Add at line 548
include $RULE_PATH/snort.rules

Update Rules

sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l

Test Rules

sudo snort -T -c /etc/snort/snort.conf -i ens33

4. Create Service

A. Create a Snort Service by creating a service configuration file

sudo vi /lib/systemd/system/snort.service
[Unit]
Description=Snort NIDS Daemon
After=syslog.target network.target
[Service]
Type=simple
Restart=always
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i ens33
[Install]
WantedBy=multi-user.target

Enable Startup at Boot

sudo systemctl enable snort

Start Service

sudo systemctl start snort

Check Service Status

sudo systemctl status snort

B. Create Barnyard2 Service by creating a service configuration file

sudo vi /lib/systemd/system/barnyard2.service
[Unit]
Description=Barnyard2 Daemon
After=syslog.target network.target
[Service]
Type=simple
Restart=always
ExecStart=/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -q -w /var/log/snort/barnyard2.waldo -g snort -u snort -D -a /var/log/snort/archived_logs --pid-path=/var/run
[Install]
WantedBy=multi-user.target

Enable Startup at Boot

sudo systemctl enable barnyard2

Start Service

sudo systemctl start barnyard2

Check Service Status

sudo systemctl status barnyard2

5. Install BASE

Extract

tar xzvf base-1.4.5.tar.gz
sudo mv base-1.4.5 /var/www/html/base/

Configure

cd /var/www/html/base
sudo cp base_conf.php.dist base_conf.php
 
sudo vi /var/www/html/base/base_conf.php
$BASE_Language = 'simplified_chinese'; # line 27
$BASE_urlpath = '/base'; # line 50
$DBlib_path = '/usr/share/php/adodb/'; # line 80
$alert_dbname = 'snort'; # line 102
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = '123456'; # line 106
// $graph_font_name = "Verdana";
// $graph_font_name = "DejaVuSans";
// $graph_font_name = "Image_Graph_Font";
$graph_font_name = "";
 
sudo chown -R www-data:www-data /var/www/html/base
sudo chmod o-r /var/www/html/base/base_conf.php
 
sudo service apache2 restart

Open http://x.x.x.x/base (the server's IP address) in a web browser and follow the prompts to complete the final configuration; the main page is then shown.

Security Rules

Remember to restart the snort service (sudo systemctl restart snort) after modifying rules so that the changes take effect.