Thursday, March 6, 2008

set up Snort on CentOS 5

  1. follow the documentation on www.internetsecurityguru.com
  2. a few things to take note of, as follows:
  • selinux
vi /etc/selinux/config, set SELINUX=disabled, then reboot
  • yum -y update, and you might want to add 'export http_proxy=http://10.0.0.252:8080' to /etc/profile
  • oinkmaster
log in to the snort website as a registered user and go to rules - download rules; from there you will see how to get the oinkmaster code used to download rules automatically as a registered user.

after setting up the oinkmaster cronjob script, you might also want to add a root cronjob to restart snort itself, so that new rules downloaded by oinkmaster are actually loaded by snort

crontab -l -u snort
30 5 * * * export http_proxy=http://1.2.3.4:8080; /usr/bin/oinkmaster.pl -C /etc/oinkmaster.conf -C /etc/autodisable.conf -b /etc/snort/backup > /tmp/snort.cron 2>&1 ;sync;sync;sync;sleep 15; (echo "From:snort@domain.com";echo "Subject: snort rules daily update";echo "";cat /tmp/snort.cron) | /usr/sbin/sendmail -f snort@domain.com jephe@domain.com

  • pear config-show
use pear config-set to set http_proxy as 1.2.3.4:8080 then run 'pear install xxxxx'
  • perl -MCPAN -e shell
install Net::RawIP or force install Net::RawIP
  • barnyard
download it from www.snort.org
./configure --enable-mysql;make;make install
use the following configuration for /etc/snort/barnyard.conf
config localtime
config hostname: localhost
config interface: eth1
output alert_fast
output log_dump
output log_acid_db: mysql, database snort, server localhost, user snort, password snort, detail full

you only need to modify bylog.waldo once; after that, barnyard will update it automatically.

here is the init script for barnyard:
--------------------
#!/bin/sh
#
# chkconfig: 2345 99 82
# description: Starts and stops Barnyard
#
# config: /etc/snort/barnyard.conf
# processname: barnyard

# Source function library
. /etc/rc.d/init.d/functions

# program name
BASE=barnyard

# program options
CONF="/etc/snort/barnyard.conf"
GEN_MAP="/etc/snort/gen-msg.map"
SID_MAP="/etc/snort/sid-msg.map"
LOG_DIR="/var/log/snort"
LOG_FILE="snort.log"
WALDO_FILE="/var/log/snort/bylog.waldo"
DAEMON="-D"

# Check that $BASE exists.
[ -f /usr/local/bin/$BASE ] || exit 0

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up (quoted so an unset NETWORKING is not a test error).
[ "${NETWORKING}" = "no" ] && exit 0

RETVAL=0

# See how we were called.
case "$1" in
  start)
    if [ -n "`/sbin/pidof $BASE`" ]; then
        echo "$BASE: already running"
        exit $RETVAL
    fi
    echo -n "Starting Barnyard service: "
    /usr/local/bin/$BASE -c $CONF -g $GEN_MAP -s $SID_MAP -d $LOG_DIR -f $LOG_FILE -w $WALDO_FILE $DAEMON
    sleep 1
    # report OK only if a barnyard process is really running
    action "" /sbin/pidof $BASE
    RETVAL=$?
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/barnyard
    ;;
  stop)
    echo -n "Shutting down Barnyard service: "
    killproc /usr/local/bin/$BASE
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/barnyard
    ;;
  restart|reload)
    $0 stop
    $0 start
    RETVAL=$?
    ;;
  status)
    status $BASE
    RETVAL=$?
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|reload|status}"
    exit 1
    ;;
esac

exit $RETVAL
--------------------------
  • snort.conf
output alert_syslog: LOG_LOCAL1
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

change interface to eth1 in /etc/init.d/snort script

cronjob for snort (stdout is redirected to the file first, then stderr, so both end up in the mailed report):
50 5 * * * /sbin/service snort restart > /tmp/snortrestart.cron 2>&1;sleep 5;(echo "From:sensor1@domain.com";echo "Subject:snort daily restart";echo "";cat /tmp/snortrestart.cron)| /usr/sbin/sendmail -f snort@domain.com jephe@domain.com

  • swatch
more /etc/swatch.conf:
watchfor /snort.*Priority.* -> .*/
mail jephe@domain.com:wu@domain.com,subject=--- Sensor1 Snort Alert! ---

  • syslog
add the following to /etc/logrotate.d/syslog
/var/log/snortalert {
    daily
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
        kill -9 `ps -ef | grep -e swatch -e '/usr/bin/tail -n 0' | grep -v grep | awk '{print $2}'`
        sleep 5
        /usr/bin/swatch -c /etc/swatch.conf -t /var/log/snortalert --daemon
    endscript
}

/etc/syslog.conf sends the local1 facility (used by alert_syslog in snort.conf) to that file:
grep snort /etc/syslog.conf
local1.* /var/log/snortalert

  • /etc/rc.local
/usr/bin/swatch -c /etc/swatch.conf -t /var/log/snortalert --daemon

  • sendmail
masquerade root@snort.domain.com as root@domain.com
a. change the DS (smart host) part to DS[1.2.3.5], which is the smtp server
b. put the following in /etc/mail/sendmail.mc
MASQUERADE_AS(`domain.com')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`masquerade_entire_domain')dnl
MASQUERADE_DOMAIN(`localhost')dnl
MASQUERADE_DOMAIN(`localhost.domain')dnl
then go to /etc/mail/sendmail.cf and comment out the C{E}root line

  • conclusion
snort does the detection; oinkmaster updates the rules daily, which then requires a snort restart; swatch watches /var/log/snortalert and sends out the email notifications, but it has to be restarted after syslog rotation; barnyard records the snort alerts in the mysql database.
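
The 05:30 oinkmaster job and the 05:50 restart job above run independently, so snort is restarted even when no rule changed, or when the new rules do not parse and snort then fails to come back up. The following is an added example, not part of the original post: a wrapper for the restart job that restarts only when the rule files changed and `snort -T` (snort's configuration self-test) passes. The rules directory /etc/snort/rules, the state file, the script path and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed paths (override via env):
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
RULES_DIR="${RULES_DIR:-/etc/snort/rules}"              # assumed oinkmaster output dir
STATE_FILE="${STATE_FILE:-/var/lib/snort-rules.cksum}"  # hypothetical state file
SNORT_TEST="${SNORT_TEST:-snort -T -c $SNORT_CONF}"     # -T: parse config and rules, then exit
SNORT_RESTART="${SNORT_RESTART:-/sbin/service snort restart}"

# Checksum over all rule files, to detect whether oinkmaster changed anything.
rules_fingerprint() {
    cat "$RULES_DIR"/*.rules 2>/dev/null | cksum
}

# Exit codes: 0 restarted with new rules, 1 rules unchanged,
#             2 self-test failed (no restart), 3 restart command failed.
maybe_restart() {
    new=$(rules_fingerprint)
    old=$(cat "$STATE_FILE" 2>/dev/null || true)
    if [ "$new" = "$old" ]; then
        echo "rules unchanged, snort left running"
        return 1
    fi
    # A restart with rules that do not parse would leave the sensor down,
    # so test first and keep the running process (old rules) on failure.
    if ! out=$($SNORT_TEST 2>&1); then
        echo "snort self-test FAILED, not restarting:"
        echo "$out" | tail -n 20
        return 2
    fi
    $SNORT_RESTART || return 3
    # Record the fingerprint only after a successful restart, so a failed
    # rule set is tested again on the next run.
    echo "$new" > "$STATE_FILE"
    echo "snort restarted with new rules"
}

# Run from cron as: /usr/local/sbin/snort-reload.sh run   (hypothetical path)
if [ "${1:-}" = "run" ]; then
    maybe_restart
fi
```

Whatever the function prints can be mailed the same way as /tmp/snortrestart.cron, so a failed self-test shows up in the daily report instead of as a silent sensor outage.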