The Sticky Fingers Kali-Pi installation walkthrough did not include any detailed information about configuring Snort, Barnyard2 and PulledPork on the Raspberry Pi 2 running Kali.
Here are my configuration notes.
Snort:
sudo bash
apt install apache2 apache2-doc autoconf automake bison ca-certificates ethtool flex g++ gcc libapache2-mod-php libcrypt-ssleay-perl default-libmysqlclient-dev libnet1 libnet1-dev libpcre3 libpcre3-dev libpcap-dev libphp-adodb libssl-dev libtool libwww-perl make default-mysql-client mysql-common default-mysql-server php-cli php-gd php-mysql php-pear sysstat
cd /usr/local/src
wget https://libdnet.googlecode.com/files/libdnet-1.12.tgz
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
wget https://www.snort.org/downloads/snort/snort-2.9.8.2.tar.gz
tar xvfz libdnet-1.12.tgz
cd libdnet-1.12
./configure "CFLAGS=-fPIC"
make && make install && make check
ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1
cd /usr/local/src
tar xvfz daq-2.0.6.tar.gz
cd daq-2.0.6
./configure
make && make install
cd /usr/local/src && wget --no-check-certificate https://www.snort.org/documents/185 -O snort.conf
tar xvfz snort-2.9.8.2.tar.gz
cd snort-2.9.8.2
./configure --enable-sourcefire; make; sudo make install
mkdir /usr/local/etc/snort /usr/local/etc/snort/rules /var/log/snort /var/log/barnyard2 /usr/local/lib/snort_dynamicrules
touch /usr/local/etc/snort/rules/white_list.rules /usr/local/etc/snort/rules/black_list.rules /usr/local/etc/snort/sid-msg.map
groupadd snort && useradd -g snort snort
cp /usr/local/src/snort-2.9.8.2/etc/*.conf* /usr/local/etc/snort
cp /usr/local/src/snort-2.9.8.2/etc/*.map /usr/local/etc/snort
cp /usr/local/src/snort.conf /usr/local/etc/snort
chown snort:snort /var/log/snort
nano /usr/local/etc/snort/snort.conf
Replace:
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
with:
var RULE_PATH rules
var SO_RULE_PATH so_rules
var PREPROC_RULE_PATH preproc_rules
var WHITE_LIST_PATH rules
var BLACK_LIST_PATH rules
delete or comment out all of the “include $RULE_PATH” lines except “local.rules”
vi /usr/local/etc/snort/rules/local.rules
Enter a simple rule like this for testing:
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:1;)
Now we can start and test snort.
/usr/local/bin/snort -A console -q -u snort -g snort -c /usr/local/etc/snort/snort.conf -i eth0
Ping the management IP address from another machine; alerts should be printed to the console like this:
02/09-11:29:43.450236 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.1 -> 172.26.12.2
02/09-11:29:43.450251 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.2 -> 172.26.12.1
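The test rule above and the two console lines it produces are the whole feedback loop you get before barnyard2 and BASE are in place, so it is worth being able to read both mechanically. The following Python is an added example of mine, not code from the page, Snort or barnyard2: it parses a local.rules file (constructed sample, containing the page's ICMP rule plus a second hypothetical rule), rejects rules without sid/msg or with a SID below 1,000,000 (the range Snort reserves for vendor rule sets, so local rules should stay above it), parses the fast-format console alerts (constructed sample, including one orphan SID), and reports alerts whose SID no local rule explains. It also renders the `sid || msg` lines of the v1 sid-msg.map format that barnyard2 uses to label events.

```python
import re
from typing import Dict, List, Optional

# Constructed sample local.rules: the ICMP test rule from this page plus a second, hypothetical local rule.
SAMPLE_RULES = """
# blank lines and comments are skipped
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"SSH to management"; flags:S; sid:10000002; rev:2;)
""".strip()

# Constructed sample console output: the two ICMP alerts shown above plus one
# alert whose SID no local rule defines.
SAMPLE_ALERTS = """
02/09-11:29:43.450236 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.1 -> 172.26.12.2
02/09-11:29:43.450251 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.2 -> 172.26.12.1
02/09-11:30:01.000001 [**] [1:10000099:0] Orphan alert [**] [Priority: 0] {TCP} 172.26.12.1:4444 -> 172.26.12.2:22
""".strip()

# Rule header: action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)

# One "fast" alert line as printed by -A console
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

LOCAL_SID_MIN = 1_000_000  # SIDs below this are reserved for the vendor (VRT/Talos) rule sets


def parse_options(opts: str) -> Dict[str, str]:
    """Split 'msg:"x"; sid:1; rev:1;' into a dict (simplified: no ';' inside quoted values)."""
    result: Dict[str, str] = {}
    for item in opts.split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(":")
        result[key.strip()] = value.strip().strip('"')
    return result


def parse_rules(text: str) -> Dict[int, Dict[str, str]]:
    """Parse a rules file into {sid: fields}, rejecting rules that are malformed or use a reserved SID."""
    rules: Dict[int, Dict[str, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line}")
        opts = parse_options(m.group("opts"))
        if "sid" not in opts or "msg" not in opts:
            raise ValueError(f"rule needs both sid and msg: {line}")
        sid = int(opts["sid"])
        if sid < LOCAL_SID_MIN:
            raise ValueError(f"sid {sid} lies in the range reserved for vendor rules")
        if sid in rules:
            raise ValueError(f"duplicate sid {sid}")
        rules[sid] = {"proto": m.group("proto"), "msg": opts["msg"], "rev": opts.get("rev", "0")}
    return rules


def parse_alert(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one console alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def sid_msg_map(rules: Dict[int, Dict[str, str]]) -> List[str]:
    """Render 'sid || msg' lines (the v1 sid-msg.map format barnyard2 reads to label events)."""
    return [f"{sid} || {r['msg']}" for sid, r in sorted(rules.items())]


def orphan_alert_sids(rules: Dict[int, Dict[str, str]], alert_text: str) -> List[str]:
    """SIDs of alerts that no parsed rule explains; these would appear unlabelled in barnyard2/BASE."""
    orphans: List[str] = []
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert is not None and int(alert["sid"]) not in rules:
            orphans.append(alert["sid"])
    return orphans


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    print("\n".join(sid_msg_map(parsed)))
    print("orphan alerts:", orphan_alert_sids(parsed, SAMPLE_ALERTS))
```

Run it against your real local.rules and a captured console log instead of the constructed samples; any SID it reports as an orphan is one that barnyard2 will also fail to label unless sid-msg.map is regenerated (PulledPork does that when it runs).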
Install & configure Barnyard2:
cd /usr/local/src && wget https://github.com/firnsy/barnyard2/archive/master.tar.gz
tar -zxf master.tar.gz && cd barnyard2-*
autoreconf -fvi -I ./m4 && ./configure --with-mysql --with-mysql-libraries=/usr/lib/arm-linux-gnueabihf/ && make && make install
mv /usr/local/etc/barnyard2.conf /usr/local/etc/snort
cp schemas/create_mysql /usr/local/src
nano /usr/local/etc/snort/barnyard2.conf
Line #27 change to /usr/local/etc/snort/reference.config
Line #28 change to /usr/local/etc/snort/classification.config
Line #29 change to /usr/local/etc/snort/gen-msg.map
Line #30 change to /usr/local/etc/snort/sid-msg.map
Line #227 change to output alert_fast
At the end of the file add this line:
output database: log, mysql, user=snort password=<mypassword> dbname=snort host=localhost
Set up the MySQL server
service mysqld start
mysql -u root -p
Type in the root password
In the mysql console (pick a password for ‘mypassword’ that is different from the root password; the user is created before the grant so the GRANT does not auto-create it with an empty password, and the database is selected before the schema is sourced):
create database snort;
CREATE USER snort@localhost IDENTIFIED BY 'mypassword';
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
use snort;
source /usr/local/src/create_mysql
List the newly created tables:
show tables;
Exit the mysql console
exit
/usr/local/bin/snort -q -u snort -g snort -c /usr/local/etc/snort/snort.conf -i eth0 &
/usr/local/bin/barnyard2 -c /usr/local/etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /usr/local/etc/snort/bylog.waldo -C /usr/local/etc/snort/classification.config &
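The barnyard2 command above only ever inserts rows if Snort is writing unified2 spool files into the `-d` directory with the base name given by `-f`; the `output unified2:` line in the stock snort.conf is commented out, so a pipeline with no database rows and no errors is usually this mismatch rather than a MySQL problem. The following Python check is an added example of mine, not code from the page, Snort or barnyard2: it pulls the unified2 base filename out of a snort.conf (two constructed fragments, one as shipped and one fixed) and compares it with the barnyard2 command line, reporting each mismatch that would leave barnyard2 idle.

```python
import re
from typing import Dict, List, Optional

# Constructed snort.conf fragment as the upstream file ships it: the unified2 line is
# commented out, so Snort writes no spool files and barnyard2 sits idle.
CONF_AS_SHIPPED = """
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
output alert_fast: alert.fast
""".strip()

# Constructed fragment after enabling unified2 with the base name the barnyard2 command uses (-f snort.log).
CONF_FIXED = "output unified2: filename snort.log, limit 128"

# The barnyard2 command line from this page, split into argv.
BARNYARD_ARGV = [
    "/usr/local/bin/barnyard2", "-c", "/usr/local/etc/snort/barnyard2.conf",
    "-d", "/var/log/snort", "-f", "snort.log",
    "-w", "/usr/local/etc/snort/bylog.waldo", "-C", "/usr/local/etc/snort/classification.config",
]

# Matches an active (uncommented) unified2 output line and captures its base filename.
UNIFIED2_RE = re.compile(r"^\s*output\s+unified2\s*:\s*filename\s+(?P<name>[^,\s]+)")


def unified2_basename(conf_text: str) -> Optional[str]:
    """Base filename of the active unified2 output in snort.conf, or None if it is absent or commented out."""
    for line in conf_text.splitlines():
        m = UNIFIED2_RE.match(line)
        if m:
            return m.group("name")
    return None


def barnyard_options(argv: List[str]) -> Dict[str, str]:
    """Pick the spool directory (-d), base filename (-f) and waldo bookmark (-w) out of a barnyard2 argv."""
    wanted = {"-d": "spool_dir", "-f": "base_name", "-w": "waldo"}
    found: Dict[str, str] = {}
    for flag, value in zip(argv, argv[1:]):
        if flag in wanted:
            found[wanted[flag]] = value
    return found


def check_pipeline(conf_text: str, argv: List[str]) -> List[str]:
    """Return the mismatches that would leave barnyard2 with nothing to read; empty means consistent."""
    problems: List[str] = []
    opts = barnyard_options(argv)
    for key in ("spool_dir", "base_name", "waldo"):
        if key not in opts:
            problems.append(f"barnyard2 command lacks the {key} option")
    name = unified2_basename(conf_text)
    if name is None:
        problems.append("snort.conf has no active 'output unified2:' line, so nothing will be spooled for barnyard2")
    elif opts.get("base_name") != name:
        problems.append(f"barnyard2 -f {opts.get('base_name')} does not match the unified2 filename {name}")
    return problems


if __name__ == "__main__":
    for label, conf in (("as shipped", CONF_AS_SHIPPED), ("fixed", CONF_FIXED)):
        print(label, "->", check_pipeline(conf, BARNYARD_ARGV) or "OK")
```

Feed it the real /usr/local/etc/snort/snort.conf and the exact barnyard2 command you run. The `-d` directory also has to be the directory Snort logs to (/var/log/snort here, which is Snort's default when no `-l` is given), and the snort user must be able to write there, which the `chown snort:snort /var/log/snort` step above takes care of.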
PulledPork:
cd /usr/local/src
git clone https://github.com/shirkdog/pulledpork
cd pulledpork
cp pulledpork.pl /usr/local/bin && cp etc/*.conf /usr/local/etc/snort
To use the Sourcefire VRT Certified Rules, go to snort.org, register for an account and get an “oinkcode”; this allows you to download their Registered User rule set.
edit “/usr/local/etc/snort/pulledpork.conf”:
Line 19: enter your “oinkcode” where appropriate or comment out the line
Line 26: enter your “oinkcode” where appropriate or comment out the line
Line 133: change to: distro=Debian-6-0
chmod +x /usr/local/bin/pulledpork.pl
mkdir /usr/local/etc/snort/rules/iplists
To run:
/usr/local/bin/pulledpork.pl -c /usr/local/etc/snort/pulledpork.conf -T -l
Base:
cd /usr/local/src && sudo wget https://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
sudo tar -zxf base-1.4.5.tar.gz && sudo cp -r base-1.4.5 /var/www/base
sudo chown www-data:www-data /var/www/base
sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/
Add virtual directory “base” aka “/var/www/base/” to “/etc/apache2/sites-enabled/default-ssl.conf”
Alias /base "/var/www/base/"
<Directory "/var/www/base/">
    DirectoryIndex index.php
</Directory>
Change line #449 in “/etc/php5/apache2/php.ini” to read:
error_reporting = E_ALL & ~E_NOTICE
Enable SSL
sudo a2enmod ssl
sudo pear config-set preferred_state alpha && pear channel-update pear.php.net
sudo pear install --alldeps --force Image_Color2 Image_Canvas Image_Graph
sudo service apache2 restart
sudo perl -MCPAN -e 'install Geography::Countries'
perl -MCPAN -e 'install IP::Country'
cd /usr/share/php/Image/Graph/Images/Maps
cp /var/www/base/world_map6.* .
Start the MySQL and apache2 servers
Open “https://[ip-address]/base” in your favorite browser and follow steps to configure:
Click Continue, choose English
Path to adodb: /usr/share/php/adodb
Click Continue
Database Name: snort
Database Host: localhost
Database Port: [leave blank]
Database User Name: snort
Database Password:
Create admin user
Click “create baseag” which extends the DB to support BASE.
nano /var/www/base/base_conf.php
Enforce authentication
$Use_Auth_System = 1;
Towards the end, find the line:
//$IP2CC = "/usr/bin/ip2cc";
Add instead:
$IP2CC = "/usr/local/bin/ip2cc";
Fix the fonts:
ln -s /usr/share/fonts/truetype/dejavu /usr/share/php/Image/Canvas/Fonts
The following document from Jason Weir helped me a lot:
Debian___Snort_based_Intrusion_Detection_System
As always, please give me feedback in the forums so I can improve on this.
Many thanks,
Re4son
Hi jpearn,
great find.
Many thanks,
Re4son