- follow the documentation on www.internetsecurityguru.com
- certain things to take note as follow:
- selinux
- yum -y update, and you might want to add 'export http_proxy=http://10.0.0.252:8080' to /etc/profile
- oinkmaster
After setting up the oinkmaster cron job script, you might also want to add a root cron job that restarts snort, because rules downloaded by oinkmaster are only picked up by snort after a restart.
crontab -l -u snort
30 5 * * * export http_proxy=http://1.2.3.4:8080; /usr/bin/oinkmaster.pl -C /etc/oinkmaster.conf -C /etc/autodisable.conf -b /etc/snort/backup > /tmp/snort.cron 2>&1; sync; sync; sync; sleep 15; (echo "From: snort@domain.com"; echo "Subject: snort rules daily update"; echo ""; cat /tmp/snort.cron) | /usr/sbin/sendmail -f snort@domain.com jephe@domain.com
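The two cron jobs above restart snort unconditionally every morning, whether or not oinkmaster changed anything, and a broken rule download would leave the sensor down until someone reads the mail. The script below is an added example (not from these notes or from the oinkmaster project) that restarts snort only when the rule files actually changed and only after the new rule set passes snort's config test (snort -T). The paths to oinkmaster, snort.conf and the rules directory are assumptions; the three commands are wrapped in functions so they can be overridden for a different layout or for testing.

```sh
#!/bin/sh
# Added example, not from the original notes: an oinkmaster wrapper that
# restarts snort only when the rule files actually changed, and only if the
# new rule set passes snort's config test, so a broken rule download cannot
# leave the sensor down. Paths below are assumptions; adjust to your layout.

RULES_DIR="${RULES_DIR:-/etc/snort/rules}"

# Hooks for the three external commands. Redefine any of them after sourcing
# this file to swap in your own command (that is also how the test drives it).
run_oinkmaster() {
    /usr/bin/oinkmaster.pl -C /etc/oinkmaster.conf -C /etc/autodisable.conf -b /etc/snort/backup
}
check_config() {
    # snort -T parses the config and all rules and exits non-zero on error
    /usr/sbin/snort -T -c /etc/snort/snort.conf >/dev/null 2>&1
}
restart_snort() {
    /sbin/service snort restart
}

# rules_fingerprint DIR: one checksum over every *.rules file (content and
# name), so any add, remove or edit changes the value. POSIX cksum only.
rules_fingerprint() {
    dir="$1"
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        cksum < "$f"
        echo "$f"
    done | cksum | cut -d' ' -f1
}

# update_rules: run the update and act on the outcome.
# Prints one of: unchanged, changed, invalid. Exit status: 0 ok, 1 download
# failed, 2 new rules rejected by snort -T (snort keeps running on old rules).
update_rules() {
    before=$(rules_fingerprint "$RULES_DIR")
    if ! run_oinkmaster; then
        echo "oinkmaster failed" >&2
        return 1
    fi
    after=$(rules_fingerprint "$RULES_DIR")
    if [ "$before" = "$after" ]; then
        echo "unchanged"
        return 0
    fi
    if check_config; then
        restart_snort
        echo "changed"
        return 0
    fi
    echo "new rules fail 'snort -T'; not restarting" >&2
    echo "invalid"
    return 2
}
```

Run it from the root crontab in place of the separate restart job (for example `. /usr/local/sbin/snort-update.sh; update_rules`, path assumed) and mail its output the same way as above; the exit status tells the cron wrapper whether a human needs to look at the rules.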
- pear config-show
- perl -MCPAN -e shell
- barnyard
./configure --enable-mysql;make;make install
use the following configuration for /etc/snort/barnyard.conf
config localtime
config hostname: localhost
config interface: eth1
output alert_fast
output log_dump
output log_acid_db: mysql, database snort, server localhost, user snort, password snort, detail full
you only need to modify bylog.waldo once, after that, barnyard will update it automatically.
here is the init script for barnyard:
--------------------
#!/bin/sh
#
# chkconfig: 2345 99 82
# description: Starts and stops Barnyard
#
# config: /etc/snort/barnyard.conf
# processname: barnyard

# Source function library
. /etc/rc.d/init.d/functions

# program name
BASE=barnyard

# program options
CONF="/etc/snort/barnyard.conf"
GEN_MAP="/etc/snort/gen-msg.map"
SID_MAP="/etc/snort/sid-msg.map"
LOG_DIR="/var/log/snort"
LOG_FILE="snort.log"
WALDO_FILE="/var/log/snort/bylog.waldo"
DAEMON="-D"

# Check that $BASE exists.
[ -f /usr/local/bin/$BASE ] || exit 0

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

RETVAL=0

# See how we were called.
case "$1" in
  start)
        if [ -n "`/sbin/pidof $BASE`" ]; then
                echo -n $"$BASE: already running"
                echo ""
                exit $RETVAL
        fi
        echo -n "Starting Barnyard service: "
        /usr/local/bin/$BASE -c $CONF -g $GEN_MAP -s $SID_MAP -d $LOG_DIR -f $LOG_FILE -w $WALDO_FILE $DAEMON
        sleep 1
        # report success only if a barnyard process is actually running
        action "" /sbin/pidof $BASE
        RETVAL=$?
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/barnyard
        ;;
  stop)
        echo -n "Shutting down Barnyard service: "
        killproc /usr/local/bin/$BASE
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/barnyard
        ;;
  restart|reload)
        $0 stop
        $0 start
        RETVAL=$?
        ;;
  status)
        status $BASE
        RETVAL=$?
        ;;
  *)
        echo "Usage: $BASE {start|stop|restart|reload|status}"
        exit 1
esac
exit $RETVAL
--------------------------
- snort.conf
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
change the interface to eth1 in the /etc/init.d/snort script
root cron job for snort (it runs at 05:50, after the 05:30 oinkmaster update; note that stderr is redirected into the file, not the other way round):
50 5 * * * /sbin/service snort restart > /tmp/snortrestart.cron 2>&1; sleep 5; (echo "From: sensor1@domain.com"; echo "Subject: snort daily restart"; echo ""; cat /tmp/snortrestart.cron) | /usr/sbin/sendmail -f snort@domain.com jephe@domain.com
- swatch
watchfor /snort.*Priority.* -> .*/
        mail addresses=jephe\@domain.com:wu\@domain.com,subject=--- Sensor1 Snort Alert! ---
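The swatch rule above mails every snort syslog line that carries a Priority tag, including Priority 3 noise. As an added example (not from these notes), the two shell helpers below show the filtering an operator usually wants instead: keep only alerts at or above a severity threshold (in snort, a lower number is more severe) and summarise which signatures fired. The sample log lines are constructed in snort's syslog alert layout with sids from the local 1000000+ range; they are not real rules.

```sh
#!/bin/sh
# Added example, not from the original notes: filter and summarise snort
# syslog alert lines by priority, using only POSIX awk and sort.

# Constructed sample lines in snort's syslog alert format (assumed layout:
# "[gid:sid:rev] msg [Classification: ...] [Priority: N] {proto} src -> dst").
sample_alerts() {
    cat <<'EOF'
Jan  5 05:31:02 sensor1 snort[1234]: [1:1000010:1] SHELLCODE x86 NOOP [Classification: Executable code was detected] [Priority: 1] {TCP} 10.0.0.5:3456 -> 10.0.0.10:80
Jan  5 05:31:07 sensor1 snort[1234]: [1:1000010:1] SHELLCODE x86 NOOP [Classification: Executable code was detected] [Priority: 1] {TCP} 10.0.0.5:3457 -> 10.0.0.10:80
Jan  5 05:32:15 sensor1 snort[1234]: [1:1000011:1] LOCAL repeated ssh login failures [Classification: Attempted User Privilege Gain] [Priority: 2] {TCP} 10.0.0.7:51000 -> 10.0.0.10:22
Jan  5 05:33:40 sensor1 snort[1234]: [1:1000012:1] LOCAL icmp sweep [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 10.0.0.10
EOF
}

# filter_alerts MAXPRIO: read alert lines on stdin, print only those whose
# [Priority: N] has N <= MAXPRIO. Lines without a priority tag are dropped.
filter_alerts() {
    awk -v max="$1" '
        match($0, /\[Priority: [0-9]+\]/) {
            # "[Priority: " is 11 characters; the closing "]" is one more
            p = substr($0, RSTART + 11, RLENGTH - 12) + 0
            if (p <= max) print
        }'
}

# alert_summary: count alerts per "[gid:sid:rev] msg", most frequent first.
alert_summary() {
    awk '
        match($0, /\[[0-9]+:[0-9]+:[0-9]+\] /) {
            rest = substr($0, RSTART)
            n = index(rest, "] ")
            id = substr(rest, 1, n)
            tail = substr(rest, n + 2)
            m = index(tail, " [")
            msg = (m > 0) ? substr(tail, 1, m - 1) : tail
            count[id " " msg]++
        }
        END { for (k in count) printf "%d %s\n", count[k], k }' | sort -rn
}
```

Typical use is `tail -f /var/log/snortalert | filter_alerts 1` for a live view of the serious hits, or `alert_summary < /var/log/snortalert` in the daily mail; the same threshold can be applied inside swatch by tightening its pattern to something like /Priority: [12]\]/ so only Priority 1 and 2 alerts are mailed.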
- syslog
logrotate stanza (in /etc/logrotate.d/) for the alert log written by syslog; after rotation it tells syslogd to reopen its files and restarts swatch so it follows the new file:
/var/log/snortalert {
        daily
        sharedscripts
        postrotate
                /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
                kill -9 `ps -ef | grep -e swatch -e '/usr/bin/tail -n 0' | grep -v grep | awk '{print $2}'`
                sleep 5
                /usr/bin/swatch -c /etc/swatch.conf -t /var/log/snortalert --daemon
        endscript
}
grep snort /etc/syslog.conf
local1.* /var/log/snortalert
- /etc/rc.local
- sendmail
a. in /etc/mail/sendmail.cf change the DS line (the smart relay host) to DS[1.2.3.5], the IP of the SMTP server
b. put the following into /etc/mail/sendmail.mc (m4 macros are upper case and take the `...' quoting):
MASQUERADE_AS(`domain.com')dnl
FEATURE(masquerade_envelope)dnl
FEATURE(masquerade_entire_domain)dnl
MASQUERADE_DOMAIN(localhost)dnl
MASQUERADE_DOMAIN(localhost.domain)dnl
then go to /etc/mail/sendmail.cf and comment out the C{E}root line (the exposed-users class), otherwise mail from root is not masqueraded
- conclusion