Sticky Finger’s Kali-Pi – Configuration of Snort

The Sticky Fingers Kali-Pi installation walkthrough did not include any detailed information about configuring Snort, Barnyard2 and PulledPork on the Raspberry Pi 2 running Kali.

Here are my configuration notes.

Snort:

sudo bash
apt install apache2 apache2-doc autoconf automake bison ca-certificates ethtool flex g++ gcc libapache2-mod-php libcrypt-ssleay-perl default-libmysqlclient-dev libnet1 libnet1-dev libpcre3 libpcre3-dev libpcap-dev libphp-adodb libssl-dev libtool libwww-perl make default-mysql-client mysql-common default-mysql-server php-cli php-gd php-mysql php-pear sysstat
cd /usr/local/src
wget https://libdnet.googlecode.com/files/libdnet-1.12.tgz
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
wget https://www.snort.org/downloads/snort/snort-2.9.8.2.tar.gz
tar xvfz libdnet-1.12.tgz
cd libdnet-1.12
./configure "CFLAGS=-fPIC"
make && make install && make check
ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1

cd /usr/local/src
tar xvfz daq-2.0.6.tar.gz
cd daq-2.0.6
./configure
make && make install

cd /usr/local/src && wget --no-check-certificate https://www.snort.org/documents/185 -O snort.conf
tar xvfz snort-2.9.8.2.tar.gz
cd snort-2.9.8.2
./configure --enable-sourcefire && make && make install

mkdir /usr/local/etc/snort /usr/local/etc/snort/rules /var/log/snort /var/log/barnyard2 /usr/local/lib/snort_dynamicrules
touch /usr/local/etc/snort/rules/white_list.rules /usr/local/etc/snort/rules/black_list.rules /usr/local/etc/snort/sid-msg.map

groupadd snort && useradd -g snort snort

cp /usr/local/src/snort-2.9.8.2/etc/*.conf* /usr/local/etc/snort
cp /usr/local/src/snort-2.9.8.2/etc/*.map /usr/local/etc/snort
cp /usr/local/src/snort.conf /usr/local/etc/snort
chown snort:snort /var/log/snort
nano /usr/local/etc/snort/snort.conf

replace

var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules

with

var RULE_PATH rules
var SO_RULE_PATH so_rules
var PREPROC_RULE_PATH preproc_rules
var WHITE_LIST_PATH rules
var BLACK_LIST_PATH rules

delete or comment out all of the “include $RULE_PATH” lines except “local.rules”
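The snort.conf edits above can be applied non-interactively and checked afterwards. The script below is an added example, not part of the original post or of the Snort project: it rewrites the five *_PATH variables, comments out every "include $RULE_PATH" line except local.rules, and then verifies the result. The path /usr/local/etc/snort/snort.conf is the one used in this walkthrough; when that file is absent the script runs against a constructed sample so it can be tried anywhere.

```shell
#!/bin/bash
# Added example, not from the original post: apply the snort.conf path edits
# from the walkthrough with sed and verify them. Assumes the file location used
# in the walkthrough; falls back to a constructed sample when it is missing.

SNORT_CONF="${1:-/usr/local/etc/snort/snort.conf}"

# Rewrite "var X_PATH ../dir" to "var X_PATH dir" for the five rule path
# variables and comment out every "include $RULE_PATH/..." line except
# local.rules. Edits in place and keeps a .orig copy of the untouched file.
fix_snort_conf() {
    conf="$1"
    sed -i.orig \
        -e 's|^\(var RULE_PATH\) \.\./rules$|\1 rules|' \
        -e 's|^\(var SO_RULE_PATH\) \.\./so_rules$|\1 so_rules|' \
        -e 's|^\(var PREPROC_RULE_PATH\) \.\./preproc_rules$|\1 preproc_rules|' \
        -e 's|^\(var WHITE_LIST_PATH\) \.\./rules$|\1 rules|' \
        -e 's|^\(var BLACK_LIST_PATH\) \.\./rules$|\1 rules|' \
        -e '/^include \$RULE_PATH\/local\.rules/!s|^include \$RULE_PATH/|#&|' \
        "$conf"
}

# Return 0 when no rule path still points to "../" and local.rules is the only
# active $RULE_PATH include; print the offending lines and return 1 otherwise.
check_snort_conf() {
    conf="$1"
    if grep -q '^var [A-Z_]*_PATH \.\./' "$conf"; then
        echo "relative rule path still present in $conf:" >&2
        grep '^var [A-Z_]*_PATH \.\./' "$conf" >&2
        return 1
    fi
    active=$(grep -c '^include \$RULE_PATH/' "$conf" || true)
    if [ "$active" -ne 1 ] || ! grep -q '^include \$RULE_PATH/local\.rules' "$conf"; then
        echo "unexpected active includes in $conf:" >&2
        grep '^include \$RULE_PATH/' "$conf" >&2
        return 1
    fi
    return 0
}

# Constructed stand-in for the stock snort.conf (only the lines that matter).
make_sample_conf() {
    cat > "$1" <<'EOF'
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
EOF
}

if [ ! -f "$SNORT_CONF" ]; then
    echo "$SNORT_CONF not found, using a constructed sample" >&2
    SNORT_CONF=$(mktemp)
    make_sample_conf "$SNORT_CONF"
fi
fix_snort_conf "$SNORT_CONF"
check_snort_conf "$SNORT_CONF" && echo "rule paths and includes OK in $SNORT_CONF"
```

Run it as root on the Pi after copying snort.conf into place; the check function is the useful part to keep, because a leftover "../rules" path or a stray active include is exactly what makes snort -T fail later with a missing rules file.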

vi /usr/local/etc/snort/rules/local.rules

Enter a simple rule like this for testing:

alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:1;)

Now we can start and test snort.

/usr/local/bin/snort -A console -q -u snort -g snort -c /usr/local/etc/snort/snort.conf -i eth0

Ping the management IP address from another machine; alerts should be printed to the console like this:
02/09-11:29:43.450236 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.1 -> 172.26.12.2
02/09-11:29:43.450251 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.2 -> 172.26.12.1
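To check the ICMP test without reading the console by eye, the following added example (not from the original post) summarizes fast-format alert lines per rule SID, message, protocol, source and destination, and confirms that a given SID fired. The sample input is the two lines printed above plus one constructed duplicate; the functions read any snort -A console or alert_fast output on stdin.

```shell
#!/bin/bash
# Added example, not from the original post: summarize Snort fast-format alert
# lines (what "-A console" or "output alert_fast" prints) and check that the
# test rule fired. Sample input is the two lines from the walkthrough plus one
# constructed duplicate.

SAMPLE_ALERTS=$(cat <<'EOF'
02/09-11:29:43.450236 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.1 -> 172.26.12.2
02/09-11:29:43.450251 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.2 -> 172.26.12.1
02/09-11:29:44.451102 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} 172.26.12.1 -> 172.26.12.2
EOF
)

# Read fast-format alerts on stdin; print one tab-separated row per
# sid / message / protocol / source / destination with the alert count.
# Works for TCP/UDP lines too, where src and dst carry a :port suffix.
summarize_alerts() {
    awk '
    # Layout: <ts> [**] [gid:sid:rev] <msg> [**] [Priority: n] {proto} <src> -> <dst>
    {
        split($0, part, /\[\*\*] \[/)        # part[2] = "gid:sid:rev] msg "
        split(part[2], id, "]")               # id[1] = "gid:sid:rev", id[2] = " msg "
        split(id[1], gsr, ":")                # gsr[2] = sid
        msg = id[2]; gsub(/^ +| +$/, "", msg)
        proto = $(NF - 3); gsub(/[{}]/, "", proto)
        key = gsr[2] "\t" msg "\t" proto "\t" $(NF - 2) "\t" $NF
        count[key]++
    }
    END { for (k in count) print k "\t" count[k] }
    ' | sort
}

# Exit 0 if at least one alert for the given sid appears on stdin.
saw_sid() {
    grep -q "\[[0-9]*:$1:[0-9]*]"
}

printf '%s\n' "$SAMPLE_ALERTS" | summarize_alerts
if printf '%s\n' "$SAMPLE_ALERTS" | saw_sid 10000001; then
    echo "sid 10000001 (ICMP test) fired"
fi
```

On a live sensor, redirect the snort console output to a file and feed that file to summarize_alerts; the per-direction rows make it obvious whether both the echo request and the reply were seen, which is the point of pinging from another machine.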

Install & configure Barnyard2:

cd /usr/local/src && wget https://github.com/firnsy/barnyard2/archive/master.tar.gz
tar -zxf master.tar.gz && cd barnyard2-*
autoreconf -fvi -I ./m4 && ./configure --with-mysql --with-mysql-libraries=/usr/lib/arm-linux-gnueabihf/ && make && make install
mv /usr/local/etc/barnyard2.conf /usr/local/etc/snort
cp schemas/create_mysql /usr/local/src
nano /usr/local/etc/snort/barnyard2.conf

Line #27 change to /usr/local/etc/snort/reference.config
Line #28 change to /usr/local/etc/snort/classification.config
Line #29 change to /usr/local/etc/snort/gen-msg.map
Line #30 change to /usr/local/etc/snort/sid-msg.map
Line #227 change to output alert_fast
At the end of the file add this line:

output database: log, mysql, user=snort password=<mypassword> dbname=snort host=localhost

Set up the MySQL server

service mysqld start
mysql -u root -p

Type in the root password

In the mysql console (pick a password for 'mypassword' that is different from the root password):

create database snort;
CREATE USER snort@localhost IDENTIFIED BY 'mypassword';
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
use snort;
source /usr/local/src/create_mysql

List the newly created tables:

show tables;

Exit the mysql console

exit


/usr/local/bin/snort -q -u snort -g snort -c /usr/local/etc/snort/snort.conf -i eth0 &
/usr/local/bin/barnyard2 -c /usr/local/etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /usr/local/etc/snort/bylog.waldo -C /usr/local/etc/snort/classification.config &

PulledPork:

cd /usr/local/src
git clone https://github.com/shirkdog/pulledpork
cd pulledpork
cp pulledpork.pl /usr/local/bin && cp etc/*.conf /usr/local/etc/snort

To use the Sourcefire VRT Certified Rules, go to snort.org, register for an account and get an "oinkcode"; this allows you to download their Registered User rule set.

edit “/usr/local/etc/snort/pulledpork.conf”:
Line 19: enter your “oinkcode” where appropriate or comment out the line
Line 26: enter your “oinkcode” where appropriate or comment out the line
Line 133: change to: distro=Debian-6-0

chmod +x /usr/local/bin/pulledpork.pl

mkdir /usr/local/etc/snort/rules/iplists

To run:
/usr/local/bin/pulledpork.pl -c /usr/local/etc/snort/pulledpork.conf -T -l

BASE:

cd /usr/local/src && sudo wget https://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
sudo tar -zxf base-1.4.5.tar.gz && sudo cp -r base-1.4.5 /var/www/base
sudo chown www-data:www-data /var/www/base
sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/

Add virtual directory “base” aka “/var/www/base/” to “/etc/apache2/sites-enabled/default-ssl.conf”

Alias /base "/var/www/base/"
<Directory "/var/www/base/">
  DirectoryIndex index.php
</Directory>

Change line #449 in “/etc/php5/apache2/php.ini” to read:

error_reporting = E_ALL & ~E_NOTICE

Enable SSL

sudo a2enmod ssl
sudo pear config-set preferred_state alpha && pear channel-update pear.php.net
sudo pear install --alldeps --force Image_Color2 Image_Canvas Image_Graph
sudo service apache2 restart
sudo perl -MCPAN -e 'install Geography::Countries'
perl -MCPAN -e 'install IP::Country'
cd /usr/share/php/Image/Graph/Images/Maps
cp /var/www/base/world_map6.* .

Start the MySQL server and the Apache2 server

Open "https://[ip-address]/base" in your favorite browser and follow the steps to configure it:
Click Continue, choose English
Path to adodb: /usr/share/php/adodb
Click Continue
Database Name: snort
Database Host: localhost
Database Port: [leave blank]
Database User Name: snort
Database Password:

Create admin user

Click "Create BASE AG", which extends the DB to support BASE.

nano /var/www/base/base_conf.php
Enforce authentication
$Use_Auth_System = 1;

Towards the end, find the line:
//$IP2CC = "/usr/bin/ip2cc";
and replace it with:
$IP2CC = "/usr/local/bin/ip2cc";

Fix the fonts:

ln -s /usr/share/fonts/truetype/dejavu /usr/share/php/Image/Canvas/Fonts

The following document from Jason Weir helped me a lot:
Debian___Snort_based_Intrusion_Detection_System

As always, please give me feedback in the forums so I can improve on this.

Many thanks,

Re4son

