Monday, May 26, 2008

Install and Configure Snort on CentOS

The following has been lying around in a text file I got tired of keeping, so I figured I'd put it here.

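groupadd snort
# Service account for the daemon: primary group snort, no interactive shell.
# The original line used a typographic dash (–s), which useradd does not accept as an option.
useradd -g snort snort -s /sbin/nologin
# Prompts interactively; the nologin shell above still keeps the account from an interactive login.
passwd snort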

# Disable boot-time services an IDS sensor does not need (same set, same order as before).
for svc in apmd cups isdn netfs nfslock pcmcia portmap; do
  chkconfig "$svc" off
done

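# Import the CentOS package-signing key so yum can check package signatures.
# NOTE(review): the key itself is fetched over plain http and nothing here verifies it;
# compare its fingerprint with one obtained out of band before trusting it.
rpm --import http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-4

yum -y update

# Enable the yum service (the periodic update job on CentOS 4), then install the
# build and runtime dependencies for Snort, MySQL, Apache/PHP and BASE.
chkconfig yum on
service yum start
# The original line used a typographic dash (–y), which yum would not parse as an option.
yum -y install mysql mysql-bench mysql-server mysql-devel mysqlclient10 php-mysql httpd gcc pcre-devel php-gd gd mod_ssl glib2-devel gcc-c++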

# In the /etc/ssh/sshd_config file change the following lines (if it is commented out remove the #):
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no

# Pick up the sshd_config changes above.
# NOTE(review): PermitRootLogin no takes effect here, and the only account this page creates
# (snort) has a nologin shell — make sure an unprivileged admin account that can su/sudo
# exists first, or remote administration of the box is cut off.
service sshd restart

# Enable, then start, the web and database servers BASE depends on.
for svc in httpd mysqld; do
  chkconfig "$svc" on
done
for svc in httpd mysqld; do
  service "$svc" start
done

cd /var/www/html
# NOTE(review): this installs a third-party PHP file as the site's index page, fetched over
# plain http with no checksum or signature; read it before deploying it to the web root, and
# consider whether a landing page is wanted at all on an IDS console.
wget http://www.internetsecurityguru.com/index.php.txt
mv ./index.php.txt ./index.php

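cd /root
mkdir /root/snortinstall/
cd /root/snortinstall/
# NOTE(review): the source tarball is fetched over plain http and nothing here verifies it;
# check its signature/checksum from snort.org before building.
wget http://www.snort.org/dl/current/snort-2.6.1.5.tar.gz
tar xvzf snort-2.6.1.5.tar.gz
# Chain the build steps so a failed cd, configure or make does not go on to "make install"
# a partial tree (the original ran each step unconditionally).
cd snort-2.6.1.5 \
  && ./configure --with-mysql --enable-dynamicplugin \
  && make \
  && make install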


mkdir /etc/snort
mkdir /etc/snort/rules
mkdir /var/log/snort
cd /root/snortinstall/snort-2.6.1.5/etc/
# Note: this is the etc/ directory inside the unpacked Snort source tree, not the system /etc.
# It holds the sample config files (snort.conf among them) that get edited later on this page.
cp * /etc/snort

#Download BASE
cd ~/snortinstall/
# NOTE(review): BASE is fetched over plain http from a SourceForge mirror with no checksum
# check; verify the archive against the project's published checksum/signature before
# unpacking it into the web root.
wget http://easynews.dl.sourceforge.net/sourceforge/secureideas/base-1.2.6.tar.gz
cd /var/www/html
tar xvzf /root/snortinstall/base-1.2.6.tar.gz
# Serve it as /base (matches $BASE_urlpath in base_conf.php further down).
mv base-1.2.6/ base/


mkdir /root/snortinstall/rules
cd /root/snortinstall/rules
# Snort VRT rule set. Same caveat as the other downloads on this page: plain http, nothing verified.
wget http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz
tar xvzf /root/snortinstall/rules/snortrules-pr-2.4.tar.gz
cd /root/snortinstall/rules/rules
# Install the rule files where snort.conf's RULE_PATH is pointed (/etc/snort/rules, set below).
cp * /etc/snort/rules

#Copy the signatures into the BASE application directory
cd ~/snortinstall/rules/
# Moves the rule documentation under the web-served BASE directory
# (ends up as /var/www/html/base/signatures/).
mv ./doc/signatures/ /var/www/html/base/

#Modify your snort.conf file
var HOME_NET 10.0.0.0/24 (make this whatever your internal network is, in CIDR notation)
var EXTERNAL_NET !$HOME_NET (this means everything that is not your home net is external to your network)
#change “var RULE_PATH ../rules” to “var RULE_PATH /etc/snort/rules”
#After the line that says “preprocessor stream4_reassemble” add a line that looks like
preprocessor stream4_reassemble: both,ports 21 23 25 53 80 110 111 139 143 445 513 1433

output database: log, mysql, user=snort password= dbname=snort host=localhost
# keep this directive on one line; fill in the password given to snort@localhost in MySQL below (sn0rt on this page). snort.conf then holds that password in plain text, so keep the file readable only by root/snort.


#Change directory to /etc/init.d and type:
cd /etc/init.d
# NOTE(review): this init script comes from a third-party site over plain http and, once
# enabled, runs as root at every boot — read it through before making it executable and
# enabling it.
wget http://internetsecurityguru.com/snortinit/snort
chmod 755 snort
chkconfig snort on


===========
mysql
mysql> SET PASSWORD FOR root@localhost=PASSWORD('r3m0t3c0ntr0l');
>Query OK, 0 rows affected (0.25 sec)
mysql> create database snort;
>Query OK, 1 row affected (0.01 sec)
mysql> grant INSERT,SELECT on root.* to snort@localhost;
>Query OK, 0 rows affected (0.02 sec)
mysql> SET PASSWORD FOR snort@localhost=PASSWORD('sn0rt');
>Query OK, 0 rows affected (0.25 sec)
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
>Query OK, 0 rows affected (0.02 sec)
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort;
>Query OK, 0 rows affected (0.02 sec)
mysql> exit
>Bye
===========
mysql
-- Sets the MySQL root password; the value is this page's sample — choose your own.
SET PASSWORD FOR root@localhost=PASSWORD('r3m0t3c0ntr0l');
create database snort;
-- NOTE(review): no database named "root" is created on this page; this grant is presumably
-- meant for snort.*, which the grants below already cover — verify before keeping it.
grant INSERT,SELECT on root.* to snort@localhost;
-- Must match the password used in snort.conf's "output database" line and in
-- base_conf.php ($alert_password).
SET PASSWORD FOR snort@localhost=PASSWORD('sn0rt');
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
-- With no host part MySQL applies this to snort connecting from any host ('snort'@'%');
-- Snort and BASE on this page both use host=localhost, so this grant is wider than needed.
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort;
exit



# Load the Snort MySQL schema into the "snort" database created above; -p prompts for the
# root password set there.
mysql -u root -p < ~/snortinstall/snort-2.6.1.5/schemas/create_mysql snort

#Hand configure the firewall:
# The iptables rules file edited below lives in this directory.
cd /etc/sysconfig/

#edit the iptables file
#and delete the lines
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT

#change the line below (the web console is then reachable only over HTTPS, via the mod_ssl package installed earlier)
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
#to
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

#change the line
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
#to
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j DROP

# Apply the edited /etc/sysconfig/iptables rules.
service iptables restart



cd /root/snortinstall
# PEAR packages, presumably for BASE's graphing; pear fetches them from the network, so the
# same unverified-download caveat as the other steps applies.
pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman



#Download ADODB
cd ~/snortinstall/
# Database layer BASE needs ($DBlib_path below); fetched over plain http, unverified here.
wget http://easynews.dl.sourceforge.net/sourceforge/adodb/adodb480.tgz
# Unpacked under /var/www, outside the html/ document root used for web content on this page.
# base_conf.php expects it at /var/www/adodb/ — confirm the tarball unpacks to that name.
cd /var/www/
tar xvzf /root/snortinstall/adodb480.tgz


# Start from the shipped template; the values listed below go into this copy. It will hold the
# snort DB password in plain text, so keep it readable only by the web-server user.
cp /var/www/html/base/base_conf.php.dist /var/www/html/base/base_conf.php

#Edit the “base_conf.php” file and set the following parameters ($alert_user/$alert_password must match the snort MySQL account created above)
$BASE_urlpath = "/base";
$DBlib_path = "/var/www/adodb/";
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "sn0rt";

# Start Snort through the init script installed above. It logs to MySQL per the
# "output database" line, so the database, schema and snort account must exist first.
service snort start

#go to this URL in a browser to finish setting up the database tables
https://ip_address/base

#Secure BASE
# The htpasswd file is kept under /var/www but outside the html/ document root, so it is not served.
mkdir /var/www/passwords
# -c creates the file; this prompts for the password of the single web user "base".
/usr/bin/htpasswd -c /var/www/passwords/passwords base

#Edit httpd.conf (/etc/httpd/conf/httpd.conf). I put the auth directives in a Directory block for the BASE directory, placed under the section that has the lines below (the enclosing <Directory ...> and </Directory> tags appear to have been stripped when this page was extracted):

Options FollowSymLinks
AllowOverride None



AuthType Basic
AuthName "SnortIDS"
AuthUserFile /var/www/passwords/passwords
Require user base


# Reload httpd so the auth directives above take effect.
service httpd restart