Installing Snort IDS On Ubuntu 14.04 LTS

SheiladeDios
CIT16EthicalHacking
MissionCollege,SantaClara,CA.
InstallingSnortIDSonUbuntu14.04LTS(Desktop)Using
VMWarePlayer6.0
Ifyoucurrentlydonthaveit,VMWarePlayercanbedownloadedfrom:
https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/6
_0
AfterinstallationofVMWarePLayer6,youmayproceedwiththeinstallationofthe
UbuntuoperatingsystemandSNORT.
I.HowtoInstall:Ubuntu14.04LTS(Desktop)
A. DownloadtheISOforUbuntufrom:
http://www.ubuntu.com/download/desktop
.
Rememberthefolderwhereyoudownloadeditto.
B. InstallUbuntu
1. OpenupVMWarePlayer6andchooseCreateANewVirtualMachine.
1

SheiladeDios
CIT16EthicalHacking
2. NavigatetotheUbuntuISOfileyoudownloaded.
3. HitNext.Fillinthenecessaryinformation.Theusernameandpassword
youenterherewillbetheusername/passwordyouwillusetologintothe
UbuntuOSyouwillbeworkingon.
2

SheiladeDios
CIT16EthicalHacking
4. Giveyourvirtualmachineaname.

5. HitNext.Specifydiskcapacity(youmaychoosewhateverisappropriatefor
thecapacityofyourcurrenthardware).
3

SheiladeDios
CIT16EthicalHacking
6. HitNext.SelecttheCustomizeHardware
7. Customizeyoursettings(processor,NetworkAdapter,etc).IchoseNATfor
mynetworksetting.Thismeansthatthehostmachine(machinewherethe
virtualmachineisbeinginstalledupon)isactingasasortofrouterforthis
VM.TheVMwillpickupanIPaddressfromthehostmachineandnotthe
actualrouteronthehostmachinesnetwork.
4

SheiladeDios
CIT16EthicalHacking
8. HitClose.AndthenFinishwhenyougetthenextbox.
9. TheUbuntuoperatingsystemisnowbeinginstalled.
10. Onceinstalled,itwillaskyoutologinwithyourusernameandpassword.
5

SheiladeDios
CIT16EthicalHacking
II.PreparingUbuntuandInstallingSNORTworkingintheVM
A. Installtheprerequisitesforinstallingandcompilingsnort.
1. Openupaterminalbyhittingtheuppermosticonontheleftcornerto
searchfortheterminalapplication.
2. Onceterminalhasbeenopened,typeinthefollowingcommand(allinone
line):
sudoaptgetinstallflexbisonbuildessentialcheckinstalllibpcapdev
libnet1devlibpcre3devlibmysqlclient15devlibnetfilterqueuedev
iptablesdev

NOTE:Weusesudotogiveussuperuser(rootlike)permissiontoinstall
applicationsontheOS.

3. Itwillaskyouforthepassword.EnterinyourloginpasswordtotheVM.
6

SheiladeDios
CIT16EthicalHacking
4. Theselectedapplicationsarenowbeinginstalled.Youmayoccasionally
getapromptaskingtocontinue.Typeyandcontinue.
B. Buildandinstalllibdnetfromitssourcecode.
1. Typewget https://libdnet.googlecode.com/files/libdnet1.12.tgz
.Hitenter.
2. Ifyoutypeinls,youwillseethatthefilehasbeendownloadedtoyour
homedirectory.Issuethefollowingcommand:tarxvfvzlibdnet1.12.tgz.Hit.
7

SheiladeDios
CIT16EthicalHacking
Enter.
3. Thisunpacksallthefilesthatwereinthelibdnet112.tgzfileandcreatesa
libdnet112directory.Changeintothelibdnet112directory.
4. Type:./configure"CFLAGS=fPIC".Hitenter.The"fPIC"Cflagis
necessaryifyoucompileiton64bitplatform.
5. Youshouldseesomethinglikethefollowingfigure.Typemake.Hitenter.
8

SheiladeDios
CIT16EthicalHacking
6. Resultsshouldlooksimilartothefollowingfigure.Typesudo
checkinstall.Thecheckinstallcommandabovewillbuild.debpackage.and
willaskyouseveralquestions.Acceptdefaultvalues.
9

SheiladeDios
CIT16EthicalHacking
10

SheiladeDios
CIT16EthicalHacking
7. Installthe.debpackage,andcreateasymboliclinkwhereSnortlooksfor
libdnet.Typeinthefollowingcommands:sudodpkgi
libdnet_1.121_amd64.debandsudolns/usr/local/lib/libdnet.1.0.1
/usr/lib/libdnet.1.
C. Download,buildandInstallDAQ(DataAcquisitionLibrary).
1. DAQcanbedownloadedfrom http://www.snort.org/snortdownloads .The
currentversionisdaq2.0.2Usually,thedownloadsareplacedinthe
DownloadsdirectoryofyourUbuntuOS.
2. Wearegoingtorepeatthestepswedidforthelibdnetinstallunpackthe
files,configure,make,andtheninstall.
11

SheiladeDios
CIT16EthicalHacking

NOTE:So,farthefollowingcommandshavebeenentered:
tarxvfvzdaq2.0.2.tar.gz,
cddaq2.0.2,
./configure,and
make
3. Thesudocheckinstallcommandwillgothroughthefollowingstepslikeit
didfromthelibdnetprocedure.Thefiguresbelowshowstheinitialsudo
checkinstallcommandandthentheendresult.
4. Installthepackagebyrunning:sudodpkgidaq_2.0.21_amd64.deb
12

SheiladeDios
CIT16EthicalHacking
D. Download,buildandInstallSnort
1. MuchlikeDAQ,Snortcanbedownloaded
:
http://www.snort.org/snortdownloads .ThecurrentversionisSnort2.9.6.1
Again,thedownloadedfileresidesintheDownloadsdirectoryofyour
UbuntuOS.

2. Wearegoingtorepeatthestepswedidforthelibdnetanddaqinstall
unpackthefiles,configure,make,andtheninstall.

NOTE:So,farthefollowingcommandshavebeenentered:
tarxvfvzsnort2.9.6.1.tar.gz
cdsnort2.9.6.1
./configure
make

13

SheiladeDios
CIT16EthicalHacking
3. Thesudocheckinstallcommandwillgothroughthefollowingstepslikeit
didfromthelibdnetanddaqprocedures.Thefiguresbelowshowsthe
initialsudocheckinstallcommandandthentheendresult.
4. Installthepackagebyrunning:sudodpkgisnort_2.9.6.11_amd64.deb
5. Createasymboliclinkforsnortbyrunning:sudolns/usr/local/bin/snort
/usr/sbin/snort
14

SheiladeDios
CIT16EthicalHacking
6. Runtheldconfigcommand,sothatdynamiclinkerruntimebindingsfor
libdnetandDAQlibrariesareproperlysetup.
7. Youshouldgetsomethinglikethefollowingfigure:
8. VerifythatsnortisinstalledproperlybyrunningsnortV
15

SheiladeDios
CIT16EthicalHacking
III.ConfiguringSNORT
A. Goodpractice:
1. CreateaseparateLinuxuserforwhichsnortwillrunas

Note:thecommandsare:
sudogroupaddsnortand
sudouseraddsnortd/var/log/snorts/sbin/nologincSNORT_IDSg
snort
2. Createalogdirectoryforsnortandgivesnortownershipofit.

B. DownloadSnortRules
1. Snortrulesarelocated:
http://www.snort.org/snortrules/
16

SheiladeDios
CIT16EthicalHacking
2. Beforeyoucandownloadthesnortrules,youmustcreateanaccountwith
snort.org.
3. Onceloggedin,youcandownloadSnortRules.
4. Makenoteofwhichdirectorythesnortruleswasdownloadedto.
17

SheiladeDios
CIT16EthicalHacking
C. InstallandConfigureSnortRules
1. Createadirectoryatthe/etcdirectorytowhichyouwillunpackthetarfiles
to.
2. Createawhite_list.rulesfileandablack_list.rulesfilebyusingtouch.
3. Createdirectoryfordynamicrules.
4. Changeownershipof/etc/snortandmovedirectoryandfilesfromthe
unpackedsnortrules.
18

SheiladeDios
CIT16EthicalHacking
D. EditadefaultSnortconfiguration.
1. TherearedifferentLinuxfileeditors(vi/vim,gedit,nano/pico,etc).Usethe
oneyouaremostcomfortablewith.
2. Youshouldgetascreenthatlooklikethis:
3. ScrolldownuntilyougettoipvarHOME_NETandchangeittothe
networkyouareprotecting.Inmycase,its192.168.80.0/24.
19

SheiladeDios
CIT16EthicalHacking
4. Alsochangetherulespathfromthis:

sothatitwouldreadlikethis:
5. ipvarEXTERNAL_NETshouldalsobechangedto:
6. SavethefilebyctrlXtoexit.SelectYes.HitEnter.
20

SheiladeDios
CIT16EthicalHacking
7. Testsnortbyrunninginselftestmode.Youcanusethefollowing
command:sudosnortTieth0usnortgsnortc/etc/snort/snort.conf.
ifsuccessful,youshouldgetthefollowingresults:
21

SheiladeDios
CIT16EthicalHacking
IV.CreatingCustomSNORTRules
(NOTE:NotallorganizationshavethesamepolicysotheirIDSconfigurationswill
certainlybedifferent.CreatingcustomSnortrulesallowforthosedifferences).
A. TheBasicsmostrulesarewritteninasinglelineDD
GeneralFormoftherule: actionprotosrc_ipsrc_portdirectiondst_ipdst_port
(options)
1. TheHeaders:
a. Actionalert,log,pass,activate,dynamic,(drop,reject,sdrop),the
latterthreearenotdefaultrules.
b. Protocoltcp,udp,icmp,ip
c. SourceIPandDestinationIPIPaddressesofthesourceoftraffic
andthedestinationoftraffic
d. SourcePortandDestinationPortSpecificportaddressestrafficis
intendedfor(i.e.80isgenerallyhttptraffic,25isforsmtp,etc)
e. DirectionThedirectionfromwheretrafficiscoming.
f. Optiongeneral,payload,nonpayload,postdetection(exampleof
generaloptionismsgwhereitprintsoutacommentalongwiththe
packetwhenaruleisactivated.
2. SampleRule:alerttcpanyany>anyany(content:"www.facebook.com"
msg:"SomeoneisaccessingFacebook!!"sid:1000001)
B. CreatingaCustomAlertruleforSnort
1. Navigatetothedirectorywhereallthesnortrulesarelocated:
2. Createafile(nameitwhateveryouwant)byusingtheeditorofyouchoice.
22

SheiladeDios
CIT16EthicalHacking
3. Typeinyourrule.Andthensave.Ifanyoneaccesses www.facebook.com ,
thenamessagewillshowupthatsomeoneistryingtoaccessit.Thisrule
alsomentionsthatifaping(ICMP)requestcomesinfromIPaddress
192.168.80.135,amessagewillalsopopup.

4. Verifytherulehasbeencreated.
23

SheiladeDios
CIT16EthicalHacking
5. Editthesnort.conffiletomakesurethatthecreatedrule(zzzalert.rules)is
includedinit.Savethefile.
C. CreatingaCustomLogRuleforSnort
1. Makesureyouareinthedirectorywhereyoursnortrulesarelocated.
2. Createafile(nameitwhateveryouwant)byusingtheeditorofyouchoice.
24

SheiladeDios
CIT16EthicalHacking
3. Typeinyourrule.Andthensave.IfthemachinewithIPaddressof
192.168.80.139triestoFTP,thepacketwillbelogged.
4. Verifytherulehasbeencreatedandeditthesnort.conffiletoreflectthe
changes.
25

SheiladeDios
CIT16EthicalHacking
V.RunningSNORT
A. Tomakeitalittleeasierfordemopurposes,Iloggedonasroottorunsnort.
B. InSnifferModeTheoutputisloggedontothescreenitself.
C. InPacketLoggermodetheoutputisloggedintoalogfilethatislocatedin
/var/log/snort.thefileisalsowritteninascii..
D. SnortRunningwiththeconfigurationfile.

1. Aconsolemeansthatmessageswillshowuponscreen
2. ieth0specifiestheinterfacesnortislisteningon
3. c/etc/snort/snort.confspecifiestheconfigurationfileyouarerunning.
Thiswouldincludethecustomsnortrulesthatwereaddedearlier.
4. l/var/log/snortspecifiesthedirectorywherethelogswillbelocated
5. Kasciispecifieshowthelogfileswillbewritten.Asciicaneasilybe
openedupbyatexteditororbythecommandcat.
NOTE:Snorthasmanyoptions.Tolisttheoptions,typeinsnorthandit
shouldgiveyoualistofthoseoptions.Itwouldalsobenefityoutoreadthe
SnortUsersManualwhichyoucanpickupfrom http://www.snort.org/docs
26

SheiladeDios
CIT16EthicalHacking
VI.Results
A. PacketLoggerModeresultsloggedinspecificdirectory
1. Changeintologdirectoryandreadfiles
2. Inspectionoffileprovidesresults.Wewereabletopickuptheusername
andpasswordusedtogainaccesstotheftpserver.
27

SheiladeDios
CIT16EthicalHacking
B. InSnifferModeoutputisdirectlydisplayedonscreen
C. ResultofSnortusingConfigurationFilewithCustomRules
1. Messagesoutputonscreen
28

SheiladeDios
CIT16EthicalHacking
2. LogfileisalsocreatedforthecustomLogFTPrule.
29

Installing Snort IDS On Ubuntu 14.04 LTS

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Installing Snort IDS On Ubuntu 14.04 LTS

Hochgeladen von

Copyright:

Verfügbare Formate

SheiladeDios

Das könnte Ihnen auch gefallen