January 20, 2010
Operating System | Platform | Application(s) | Database(s)
(6.1 / 64-bit) | | |
This document describes the process of setting up a Snort network intrusion detection system on IBM AIX 6.1. We will be using Barnyard2 for processing events (unified2 format) to send to a database (to utilize BASE or another SIM product). This guide will go over a PostgreSQL database output configuration for the sensor.
The sensor configuration assumed for this guide consists of two network interfaces (this will not be an inline sensor (IPS)). One will be for management and one will be connected to the network SPAN, TAP or hub on the edge device to monitor all traffic.
Snort Sensor Test Platform:
- IBM eServer pSeries 7029-6C3
- 1.2Ghz Dual Core POWER4 / 2GB RAM
- AIX 6.1
Keep in mind that this document does not cover hardening the system. That process is outlined in other documents from myself or others. This machine needs to be well protected. It will be in a very vulnerable position, facing that filthy and scary Internet.
Also, you will need root access to do most of these tasks.
Follow my guide titled Setting Up TCP/IP, SSH and a GNU C / C++ Development Environment on AIX 6.1 to lay the foundation for what we will be doing here. Or, whatever you have that is capable/compatible.
You may want to nudge up the size on the /var partition, depending on your estimated log sizes.
I also suggest you add the following to your system's PATH:
/usr/local/pgsql/bin
(MySQL currently does not compile on AIX.)
This will allow easier access to some programs we will need later.
Libpcap:
There is a bug in libpcap 1.0.0 that causes ./configure to fail on AIX. We will use 0.9.8 until a fix is released.
# cd /usr/src
# wget http://www.procyonlabs.com/mirrors/libpcap/libpcap-0.9.8.tar.gz
# gunzip libpcap-0.9.8.tar.gz
# tar -xvf libpcap-0.9.8.tar
# rm libpcap-0.9.8.tar && cd libpcap-0.9.8
# ./configure && make && make install
PCRE:
# cd /usr/src
# wget http://www.procyonlabs.com/mirrors/pcre/pcre-8.0.tar.bz2
# bunzip2 pcre-8.0.tar.bz2
# tar -xvf pcre-8.0.tar
# rm pcre-8.0.tar && cd pcre-8.0
# ./configure --enable-utf8
# gmake && gmake install
Snort:
# cd /usr/src
# wget http://www.procyonlabs.com/mirrors/snort/snort-2.8.5.2.tar.gz
# gunzip snort-2.8.5.2.tar.gz
# tar -xvf snort-2.8.5.2.tar
# rm snort-2.8.5.2.tar && cd snort-2.8.5.2
# ./configure --with-libpcap-libraries=/usr/local/lib LDFLAGS="-L/usr/lib"
# gmake && gmake install
PostgreSQL:
# cd /usr/src
# wget http://www.procyonlabs.com/mirrors/postgresql/postgresql-8.4.2.tar.bz2
# bunzip2 postgresql-8.4.2.tar.bz2
# tar -xvf postgresql-8.4.2.tar
# rm postgresql-8.4.2.tar && cd postgresql-8.4.2
# ./configure --without-readline
# gmake && gmake install
Barnyard2:
# cd /usr/src
# wget http://www.securixlive.com/download/barnyard2/barnyard2-1.8-beta1.tar.gz
# gunzip barnyard2-1.8-beta1.tar.gz
# tar -xvf barnyard2-1.8-beta1.tar
# rm barnyard2-1.8-beta1.tar && cd barnyard2-1.8-beta1
# ./configure --sysconfdir=/etc/snort --with-postgresql=/usr/local/pgsql \
--with-libpcap-includes=/usr/local/include \
--with-libpcap-libraries=/usr/local/lib
# chmod +x install-sh
# gmake && gmake install
We will be configuring this sensor to monitor traffic on a "stealth" interface. On my system (pSeries 7029-6C3), the second interface name is en1. In the examples below, you may need to change the interface name for your specific system.
Setup Stealth NIC
Configure snort.conf
# mkdir /etc/snort
# mkdir /etc/snort/rules
# mkdir /var/log/snort
# touch /var/log/snort/snort.u2
# cp /usr/src/snort-2.8.5.2/etc/*.map /etc/snort/
# cp /usr/src/snort-2.8.5.2/etc/*.config /etc/snort/
# cp /usr/src/snort-2.8.5.2/etc/snort.conf /etc/snort/
# vi /etc/snort/snort.conf
Rather than go into intricate detail on this process, I shall refer you to the excellent information provided by the Snort team. The Snort Manual (v2.8.5 (PDF)) will help you understand all the options available to you. Just to get you started, the most important settings you'll want to customize for now are:
- var HOME_NET any
  - example: var HOME_NET [192.168.0.0/24]
- var EXTERNAL_NET any
  - example: var EXTERNAL_NET !$HOME_NET
- var RULE_PATH ../rules
  - example: var RULE_PATH /etc/snort/rules
We also need to configure the section in snort.conf titled:
# unified: Snort unified binary format alerting and logging
This is where we configure the unified2 output plugin. The snort.conf file doesn't mention this, but a new unified output is now available that is actually unified! It is of course called unified2. This is the data that Barnyard2 will be using to export events to your database. All you have to do is add the following line:
output unified2: filename snort.u2, limit 128
Get and Install Rules
First, we need to download the latest rules/signatures. Do this often, and be careful once you start customizing or adding them. It can be very depressing to upgrade Snort or refresh the rules and find your work overwritten! Here, we will use the Emerging Threats signatures.
Go to the Emerging Threats Rules Download page and study what is available. You most likely do not want to use all the rulesets available. Pick what is most appropriate for your network. I'll use a short list for this example, just to give you the idea:
# cd /etc/snort/rules
# wget http://www.emergingthreats.net/rules/emerging-malware.rules
# wget http://www.emergingthreats.net/rules/emerging-exploit.rules
Towards the end of the snort.conf file (Step #6: Customize your rule set) is where you tell Snort which rule files to load. Start by deleting all the ones listed, because we aren't using them. Then again, if you choose to use the Snort VRT rules, rethink this decision!
Add the following two lines to correspond with the signature sets we've selected:
include $RULE_PATH/emerging-malware.rules
include $RULE_PATH/emerging-exploit.rules
That's it. Save it and continue.
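As an added example (not part of the original guide and not an Emerging Threats tool), here is a small Python checker for the rule files you drop into /etc/snort/rules. It joins backslash-continued rules the way Snort does, notes which rules are commented out (the ET files ship many disabled rules), extracts sid, rev and msg, and reports SIDs that are enabled in more than one file, which is exactly the collision you get when combining rule sets or when a refresh overwrites a file you had customized. The rule text embedded below is constructed for the demo and is not the real Emerging Threats content; only the two file names match the sets selected above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Constructed sample rule text (not the real Emerging Threats files):
# an enabled rule, a disabled (commented) rule, a backslash-continued rule,
# and a sid that is reused across the two files.
SAMPLE_RULES: Dict[str, str] = {
    "emerging-malware.rules": r'''
# constructed sample, not the real file
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE Sample beacon"; flow:established,to_server; content:"GET"; sid:2000001; rev:3; classtype:trojan-activity;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE Disabled rule"; content:"foo"; sid:2000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET MALWARE Multi-line rule"; \
    content:"|ff|SMB"; sid:2000003; rev:2;)
''',
    "emerging-exploit.rules": r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"ET EXPLOIT Sample web request"; content:"/cgi-bin/"; sid:2000010; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE Sample beacon (copy)"; content:"GET"; sid:2000001; rev:4;)
''',
}

# header = action proto src sport dir dst dport; an optional leading '#' marks a disabled rule
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?'
    r'(?P<header>(?:alert|log|pass|drop|reject|sdrop)\s+\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+)'
    r'\s*\((?P<opts>.*)\)\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')   # allows \" inside msg


@dataclass
class Rule:
    file: str
    enabled: bool
    header: str
    sid: int
    rev: int
    msg: str


def logical_lines(text: str) -> Iterator[str]:
    """Join lines ending in a backslash, as Snort's rule parser does."""
    pending = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        yield (pending + line).strip()
        pending = ""
    if pending:
        yield pending.strip()


def parse_rules(text: str, filename: str) -> List[Rule]:
    rules: List[Rule] = []
    for line in logical_lines(text):
        m = RULE_RE.match(line)
        if not m:
            continue          # blank lines, ordinary comments, var lines
        opts = m.group("opts")
        sid = SID_RE.search(opts)
        if not sid:
            continue          # a rule without a sid is not usable; skip rather than guess
        rev = REV_RE.search(opts)
        msg = MSG_RE.search(opts)
        rules.append(Rule(filename, m.group("disabled") is None, m.group("header"),
                          int(sid.group(1)), int(rev.group(1)) if rev else 0,
                          msg.group(1) if msg else ""))
    return rules


def load_all(files: Dict[str, str]) -> List[Rule]:
    """files maps rule file name -> file contents (read them from /etc/snort/rules in real use)."""
    return [r for name, text in files.items() for r in parse_rules(text, name)]


def count_by_file(rules: List[Rule]) -> Dict[str, Tuple[int, int]]:
    """(enabled, disabled) rule counts per file."""
    counts: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for r in rules:
        counts[r.file][0 if r.enabled else 1] += 1
    return {f: (e, d) for f, (e, d) in counts.items()}


def find_duplicate_sids(rules: List[Rule]) -> Dict[int, List[Rule]]:
    """Enabled rules sharing a sid. The sid is the rule's identity for Snort and
    for the database, so two live copies are a configuration error to resolve
    before starting the sensor."""
    by_sid: Dict[int, List[Rule]] = defaultdict(list)
    for r in rules:
        if r.enabled:
            by_sid[r.sid].append(r)
    return {sid: rs for sid, rs in by_sid.items() if len(rs) > 1}


def include_lines(files, rule_path: str = "$RULE_PATH") -> List[str]:
    """The Step #6 include lines for the selected rule files."""
    return [f"include {rule_path}/{name}" for name in files]


if __name__ == "__main__":
    rules = load_all(SAMPLE_RULES)
    for f, (e, d) in count_by_file(rules).items():
        print(f"{f}: {e} enabled, {d} disabled")
    for sid, rs in find_duplicate_sids(rules).items():
        print(f"duplicate sid {sid}: " + "; ".join(f"{r.file} rev {r.rev}" for r in rs))
    print("\n".join(include_lines(SAMPLE_RULES)))
```

To run it against the sensor, build the dict passed to load_all() from the real files in /etc/snort/rules; include_lines() then prints the lines that belong in Step #6 for the same set, so the include list and the files on disk cannot drift apart.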
We will be using Barnyard2 to offload the output processing from Snort. These events will be sent to another system hosting a Snort database.
Uncomment/comment and edit the following lines in /etc/snort/barnyard2.conf. For my setup, I am going to use the data with Basic Analysis and Security Engine (BASE) using PostgreSQL. The lines below are the changes/additions (and use a better password for the DB than snort, please). The server variable should point to the address of your SQL server:
config hostname: snortsensor # (this is the sensor's hostname)
config interface: en1 # (the management interface (NIC to database server))
config waldo_file: /etc/snort/barnyard2.waldo
output database: log, postgresql, host=192.168.0.5 dbname=snort user=snort password=pw
Use the following commands to start everything (the -D puts it in daemon mode):
# snort -c /etc/snort/snort.conf -i en1 -D
# barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 \
-w /etc/snort/barnyard2.waldo
The -c option specifies the location of the barnyard2.conf file. The -d and -f options specify the directory and name of the Snort logging files, respectively. Lastly, the -w option specifies the location of the waldo file we've just created.
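To make concrete what Barnyard2 is consuming from /var/log/snort, and what the waldo file is keeping track of, here is an added Python reader for the unified2 record format. This is example code written for this page; it is not part of the guide, Snort or Barnyard2. Each record is an 8-byte header (type and body length, both big-endian) followed by the body; the two record types decoded here are the IPv4 IDS event (type 7, 52-byte body) and the packet record (type 2, a 28-byte header followed by the captured packet). The reader stops at a record Snort has not finished writing and returns the offset it reached, so a later call resumes where it left off, which is the bookkeeping the waldo file does for barnyard2 (barnyard2's own on-disk waldo layout is not reproduced here). The sample buffer is constructed inline; the addresses, SID, timestamps and Ethernet header in it are made up.

```python
import struct
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple, Union

# unified2 record types decoded here (the numbers are Snort's unified2 type ids)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

RECORD_HEADER = struct.Struct(">II")   # record type, body length (big-endian)
IDS_EVENT = struct.Struct(">11I2H4B")  # 52-byte IPv4 event body (type 7)
PACKET_HEADER = struct.Struct(">7I")   # 28 bytes preceding the packet bytes (type 2)


@dataclass
class IdsEvent:
    sensor_id: int
    event_id: int
    event_second: int
    event_microsecond: int
    signature_id: int
    generator_id: int
    signature_revision: int
    classification_id: int
    priority_id: int
    ip_source: str
    ip_destination: str
    sport_itype: int      # source port, or ICMP type
    dport_icode: int      # destination port, or ICMP code
    protocol: int         # IP protocol number (6 = TCP)
    impact_flag: int
    impact: int
    blocked: int


@dataclass
class Packet:
    sensor_id: int
    event_id: int        # pairs the packet with its IdsEvent
    event_second: int
    packet_second: int
    packet_microsecond: int
    linktype: int        # 1 = Ethernet
    data: bytes


@dataclass
class UnknownRecord:
    rec_type: int
    length: int


Record = Union[IdsEvent, Packet, UnknownRecord]


def parse_records(buf: bytes, offset: int = 0) -> Tuple[List[Record], int]:
    """Parse complete records from buf starting at offset.

    Returns the records and the offset of the first byte not consumed. A
    trailing partial record (Snort may still be writing it) is left untouched
    so a later call can resume from the returned offset.
    """
    records: List[Record] = []
    while offset + RECORD_HEADER.size <= len(buf):
        rec_type, rec_len = RECORD_HEADER.unpack_from(buf, offset)
        body_start = offset + RECORD_HEADER.size
        body_end = body_start + rec_len
        if body_end > len(buf):
            break                      # incomplete record: do not advance past it
        body = buf[body_start:body_end]
        if rec_type == UNIFIED2_IDS_EVENT and rec_len == IDS_EVENT.size:
            f = IDS_EVENT.unpack(body)
            records.append(IdsEvent(*f[:9],
                                    str(ipaddress.IPv4Address(f[9])),
                                    str(ipaddress.IPv4Address(f[10])),
                                    *f[11:]))
        elif rec_type == UNIFIED2_PACKET and rec_len >= PACKET_HEADER.size:
            h = PACKET_HEADER.unpack_from(body)
            pkt = body[PACKET_HEADER.size:PACKET_HEADER.size + h[6]]
            records.append(Packet(*h[:6], pkt))
        else:
            # other types (IPv6 events, extra data) are skipped using their length
            records.append(UnknownRecord(rec_type, rec_len))
        offset = body_end
    return records, offset


def describe(ev: IdsEvent) -> str:
    """One-line summary in the familiar [gid:sid:rev] form."""
    return (f"[{ev.generator_id}:{ev.signature_id}:{ev.signature_revision}] "
            f"{ev.ip_source}:{ev.sport_itype} -> {ev.ip_destination}:{ev.dport_icode} "
            f"proto {ev.protocol} prio {ev.priority_id}")


def build_sample() -> bytes:
    """Constructed unified2 bytes: one event, its packet, and a half-written
    third record. All values are made up for the demo."""
    ev = IDS_EVENT.pack(1, 42, 1263945600, 123456,
                        2000001, 1, 3, 29, 2,          # sid, gid, rev, class, prio
                        int(ipaddress.IPv4Address("192.168.0.10")),
                        int(ipaddress.IPv4Address("10.0.0.5")),
                        44321, 80, 6, 0, 0, 0)
    frame = bytes.fromhex("001122334455" "66778899aabb" "0800")  # bare Ethernet header
    pkt = PACKET_HEADER.pack(1, 42, 1263945600, 1263945600, 123456, 1, len(frame)) + frame
    buf = RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev
    buf += RECORD_HEADER.pack(UNIFIED2_PACKET, len(pkt)) + pkt
    buf += RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, IDS_EVENT.size)  # header only, body not yet written
    return buf


if __name__ == "__main__":
    sample = build_sample()
    recs, pos = parse_records(sample)
    for r in recs:
        print(describe(r) if isinstance(r, IdsEvent) else r)
    print(f"consumed {pos} of {len(sample)} bytes; resume from {pos} next time")
```

Snort appends a Unix timestamp to the configured filename and rolls to a new file when it reaches the configured limit (128 MB with the line above), so a real consumer such as barnyard2 with -f snort.u2 has to remember both which file it is on and the offset within it; that pair is what the waldo file persists, and it is why you should not delete it casually, or the same events get written to the database twice.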