Snort from scratch (Part II): Installing BASE & barnyard2

Continuing with the last post Snort from scratch part I now I’ll explain how to install BASE and barnyard2. BASE (Basic Analysis and Security Engine) provides a web front-end to query and analyze the alerts coming from Snort. The alerts will send to a MySQL database, this feature is provided by barnyard2. Barnyard2 is an output system for Snort, it reads the binary logs from snort using the unified2 format and then it will resend the information of this logs to a database backend, for this We’ll configure Snort to output alerts to this format.
Install BASE dependencies

# yum install -y mysql-server mysql-devel php-mysql php-adodb php-pear php-gd httpd
# pear channel-update pear.php.net
# pear install Numbers_Roman
# pear install channel://pear.php.net/Image_Canvas-0.3.5
# pear install channel://pear.php.net/Image_Graph-0.8.0

Preparing MySQL environment
- Initializing mysql and configuring to start the daemon at boot time:


# service mysql start
# chkconfig --levels 235 mysql on
- Preparing the new database for snort:


# mysql -u root -p

<pre>mysql> create database snort;
mysql> grant select,insert,update,delete,create on snort.* to snort@localhost;
mysql> set password for snort@localhost=PASSWORD('snortpassword');

Setup snort to log out in unified2 format

# vi /etc/snort/snort.conf

output unified2: filename snort.u2, limit 128

Installing barnyard2

# cd /tmp ; wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
# tar -xzvf barnyard2-1.9.tar.gz
# cd barnyard2-1.9
# ./configure --with-mysql
# make && make install
# cp etc/barnyard2.conf /etc/snort/
# mysql -u snort -psnortpassword snort < schemas/create_mysql
# touch /etc/snort/barnyard2.waldo
# chmod 777 /etc/snort/barnyard2.waldo
# chown snort:snort /etc/snort/barnyard2.waldo

- Edit barnyard2 configuration:

# vi /etc/snort/barnyard2.conf

config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/rules/gen-msg.map
config sid_file: /etc/snort/rules/sid-msg.map
input unified2
config hostname: localhost
config interface: eth0
config alert_with_interface_name
output database: log, mysql, user=snort password=snortpassword dbname=snort host=localhost

Adapting our init script to work with barnyard2

# vi /etc/init.d/snortd

 
BARNYARD2=/usr/local/bin/barnyard2
 
start()
{
[ -x $SNORTD ] || exit 5
 
echo -n $"Starting $prog: "
daemon --pidfile=$PID_FILE $SNORTD $LINK_LAYER $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST $BPFFILE $BPF && success || failure
RETVAL=$?
$BARNYARD2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /etc/snort/barnyard2.waldo -u snort -g snort -D
[ $RETVAL -eq 0 ] && touch $lockfile
echo
return $RETVAL
}
 
stop()
{
echo -n $"Stopping $prog: "
killproc $SNORTD
killproc $BARNYARD2
if [ -e $PID_FILE ]; then
chown -R $USER:$GROUP /var/run/snort_eth0.* && rm -f /var/run/snort_eth0.pi*
fi
RETVAL=$?
if [ "x$runlevel" = x0 -o "x$runlevel" = x6 ] ; then
trap TERM
killall $prog 2>/dev/null
trap TERM
fi
[ $RETVAL -eq 0 ] && rm -f $lockfile
echo
return $RETVAL
}

- Restart Snortd:

# /etc/init.d/snortd restart

Installing BASE

# cd /tmp ; wget http://sourceforge.net/projects/secureideas/files/latest/download
# tar -xzvf base-1.4.5.tar.gz
# cp -r base-1.4.5/ /var/www/base
# cd /var/www/base/
# cp base_conf.php.dist base_conf.php

- Edit BASE scripts configuration:

# vi base_conf.php

$BASE_urlpath = '/base';
$DBlib_path = '/usr/share/php/adodb';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '3306';
$alert_user = 'snort';
$alert_password = 'snortpassword';

Configuring Apache

# vi /etc/httpd/conf.d/base.conf

Alias /base /var/www/base/
<directory "/var/www/base/">
AllowOverride None
Order allow,deny
Allow from all
AuthName "Snort IDS"
AuthType Basic
AuthUserFile /etc/snort/base.passwd
Require valid-user
</directory>

- Generating password file for web access for BASE:

# htpasswd -c /etc/snort/base.passwd snortadmin

- Restart apache:

# service httpd restart

Accessing to the BASE web environment
http://IP-WEB-SERVER/base/base_db_setup.php
and click create BASE AV

Nhận xét

Đăng nhận xét

Bài đăng phổ biến từ blog này

CLEANING UP THE ZABBIX DATABASE

My Zabbix database size increased a lot in the last few months and since my disk was running out space, I decided to clean up the old events from the database. Looking at the database tables, the biggest one was  history_uint , which holds the items history data – over 400 millions of records and over 30 Gb of disk space before the clean up. Since deleting the old records from this table directly would be a very slow process, I decided to create a new table and insert the latest records from the  history_uint  table and then just replace the old table with a new one. Since this is not an offical procedure, use it at your own risk. Environment: Zabbix v2.2 MySql 5.1 – InnoDB with  innodb_file_per_table=ON Step 1 – Stop the Zabbix server Step 2 – Open your favourite MySQL client and create a new table CREATE TABLE  history_uint_new  LIKE  history_uint; Step 3 – Insert the latest records from the  history_uint  table to the...
Đọc thêm

Configuring DHCP Relay service on the FortiGate unit

Configuring DHCP Relay service on the FortiGate unit If the clients are configured to obtain a IP address using DHCP relay, configure the FortiGate server as below: To configure DHCP relay on the FortiGate unit   1. Go to System > Network > Interfaces and select Interface want to configure DHCP relay.   2. Enable DHCP Server in the interface and choose Advanced   3. For Mode, select Relay.   4. In Type select Regular.   5. Select OK.   6. If a router is installed between the FortiGate unit and the DHCP server, define a static route to the DHCP server. Note : Sometimes it is required to specify more than one DHCP relay IP, to allow for the coverage of additional LAN subnets. Although the Web Based Manager (GUI) does not provide an option to configure this, it is possible to set up to 8 IPs from the CLI.       config system interface             edit <REQUIRED_INTERFACE_HERE>   ...
Đọc thêm

[Resolved] Amazon EC2 Redhat 7 using 6GB for the root space

Hình ảnh
I create new server with 10GB of HDD, but when i check on the command line, the root space only show 6GB. I'm using t2.micto and Redhat 7.0, disk type: XFS. - xvda1: boot partition - xvda2: root partition Fix Step: We have instance A with the volume VA. 1) Stop the current instace A 2) Snapshot the current volume VA of the instance A 3) Start the instance A 4) Create new volume with 25GB by using the snapshot of volume VA then we have new volume VB 5) Attach the new volume VB to the instance A as default (/dev/sdf) 6) From the ssh console, i use the lsblk command to list the disk. # lsblk 7) Using the xfs_repair to repair the /dev/xvdf2 ( yum install xfsprogs) # xfs_repair /dev/xvdf2 8) Continue as the image below 9) Remove the /dev/xvdf2, remember the start of this disk then we will create the new one with the same. 10) Using XFS command to repair the /dev/xvdf2 again. # xfs_repair /dev/xvdf2 11) Use the lsblk co...
Đọc thêm