I. Abstract
This document describes the process of setting up a Snort Intrusion Detection System (IDS) with OpenBSD on AMD64 hardware. This guide will also detail some of the most popular methods of event distribution (alerting), using Barnyard2 for processing events to send to a database (to utilize BASE or another SIM product) or Syslog.
The sensor configuration assumed for this guide has two network interfaces; this is a passive sensor, not an inline one (IPS). One interface is for management and the other connects to the SPAN port, TAP or hub on the edge device to monitor all traffic.
Test Platform:
Keep in mind that this document does not cover hardening the system. That process is outlined in other documents from myself or others. This machine needs to be well protected. It will be in a very vulnerable position, facing that filthy and scary Internet.
Also, you will need root access to do most of these tasks.
II. Install and Setup the Operating Environment
I won't go into great detail for installing the operating system. You should have an idea of what you are doing. Just make sure you have a fair amount of space on the /var partition, depending on your estimated log sizes. During installation of the OS, say yes when asked to start sshd by default, yes when asked to start ntpd by default and no when asked if you expect to run the X Window System.
When selecting the installation sets, stick with the defaults, but remove game49.tgz (the X sets need to stay because some bonehead on the OpenBSD team thinks it is necessary).
If you are using an SMP (multi-processor) system, be sure to keep the bsd.mp kernel selected. OpenBSD now has a feature where it will automatically replace the stock bsd kernel after installation (you don't have to manually move /bsd.mp over /bsd after the first boot anymore).
When the installation is finished, remove the install media (CD, floppy, whatever) and reboot!
Now we need to fetch the ports tree. FYI, this could take a while:
# cd /usr
# cvs -qd anoncvs@mirror.planetunix.net:/cvs get -r OPENBSD_4_9 -P ports
And now the latest OpenBSD 4.9 ports tree is on your system and ready to use.
One thing a lot of people overlook is patching their OpenBSD system(s). This is because it is a major pain in the ass. But, a necessary one. Here I'll step you through downloading the latest patches and applying them to your kernel. Follow closely. You can really mess things up if you're not careful.
First, you need wget:
# cd /usr/ports/net/wget
# make install
Get the files needed:
# cd /usr/src
# mkdir kernel && cd kernel
# wget ftp://ftp.openbsd.org/pub/OpenBSD/4.9/sys.tar.gz
# tar zxvf sys.tar.gz
# mkdir patches
# wget -r --no-parent -A.patch --convert-links -nH -nd -Ppatches \
http://ftp.openbsd.org/pub/OpenBSD/patches/4.9/common/
Now apply the patches. NOTE: when running the shell loop below (for i ...), press Ctrl-C to move past any prompt asking you to enter a file name; those patches aren't applicable here. Also, my system is a multi-CPU box using the GENERIC.MP kernel. If you are using a single-CPU box, do the same process but substitute GENERIC for GENERIC.MP.
# for i in patches/*.patch; do patch -p0 < $i; done
# cd /usr/src/kernel/sys/arch/`arch -s`/conf
# config GENERIC.MP && cd ../compile/GENERIC.MP
# make depend && make && make install
Now reboot to use the new kernel. See, that was fun!
III. Install Dependencies
# cd /usr/ports/net/libdnet
# make install clean
# cd /usr/ports/devel/pcre
# make install clean
# cd /usr/ports/devel/bison
# make install clean
# cd /usr/ports/net/wget
# make install clean
# cd /usr/ports/databases/postgresql
# make install clean
# cd /usr/src
# wget http://www.procyonlabs.com/mirrors/libpcap/libpcap-1.1.1.tar.gz
# tar zxvf libpcap-1.1.1.tar.gz
# rm libpcap-1.1.1.tar.gz && cd libpcap-1.1.1
# ./configure && make && make install
# cd /usr/src
# wget http://www.procyonlabs.com/mirrors/snort/daq-0.6.1.tar.gz
# tar zxvf daq-0.6.1.tar.gz
# rm daq-0.6.1.tar.gz && cd daq-0.6.1
# ./configure --with-libpcap-includes=/usr/local/include --with-libpcap-libraries=/usr/local/lib
# gmake && gmake install
These are just some example flags to set for configure. You should only use what you need for your setup, and that may include some not shown here!
# cd /usr/src
# wget http://www.procyonlabs.com/mirrors/snort/snort-2.9.0.5.tar.gz
# tar zxvf snort-2.9.0.5.tar.gz
# rm snort-2.9.0.5.tar.gz && cd snort-2.9.0.5
# ./configure --enable-ppm --enable-zlib --enable-perfprofiling --enable-pthread --enable-build-dynamic-examples \
--enable-decoder-preprocessor-rules --with-libpcap-includes=/usr/local/include \
--with-libpcap-libraries=/usr/local/lib --with-daq-includes=/usr/local/include --with-daq-libraries=/usr/local/lib
# make && make install
Note: --enable-dynamicplugin is on by default.
# cd /usr/src
# wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
# tar zxvf barnyard2-1.9.tar.gz
# rm barnyard2-1.9.tar.gz
# cd barnyard2-1.9
If using PostgreSQL:
# ./configure --with-postgresql
# make && make install
If *only* using syslog:
# ./configure
# make && make install
IV. Setup Stealth NIC
We will be configuring this sensor to monitor traffic on a "stealth" interface. On my system, the second interface (the one wired to the tap, SPAN or hub) is named bge1. In the examples below, you may need to change this for your specific system; ifconfig -a will show you what you have.
V. Get and Install Rules
First:
# mkdir /etc/snort
# mkdir /var/log/snort
Next, we need to download the latest rules/signatures. Do this often, and be careful once you start customizing or adding them. It can be very depressing to upgrade Snort or refresh the rules and find your work overwritten! Here, we will use the Sourcefire VRT rules.
There are two rulesets available: Subscribers and Registered Users. Details are on the VRT Rules download page. You will need to go fetch the rules package via a Web browser and move them to this sensor's /etc/snort directory, then extract as follows:
# cd /etc/snort/
# tar zxvf snortrules-snapshot-2905.tar.gz
# rm snortrules-snapshot-2905.tar.gz
Subscribers will get the most up to date version. Pitch the nickel, it's worth it.
Rather than go into intricate detail on this process, I shall refer you to the excellent information provided by the Snort team. The Snort 2.9.0 Manual will help you understand all the options available to you. Just to get you started, the most important settings you'll want to customize for now are:
# vi /etc/snort/etc/snort.conf
- var HOME_NET any (example: var HOME_NET [192.168.0.0/16])
- var EXTERNAL_NET any (example: var EXTERNAL_NET !$HOME_NET)
Notice we are using "var" instead of "ipvar" - ipvar only works with IPv6. I'm using IPv4, so change all references to ipvar to var or you will get errors.
Now we need to comment the following lines, since we're not using IPS mode:
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
We also need to configure Section #6 in snort.conf titled:
# unified2
This is where we configure the unified2 output plugin. This is the data that Barnyard2 will be using to export events to your database. All you have to do is uncomment the following line:
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
And edit some stuff so it looks like this (unless you need the extra variables, read the docs!):
output unified2: filename snort.log, limit 128
Towards the end of the snort.conf file (Step #7: Customize your rule set) is where you tell Snort which rules to use. Go through the include lines and add or remove them so that only the rules you need are active. Do the same for Step #8 (Customize your preprocessor and decoder alerts), since we built with --enable-decoder-preprocessor-rules, by uncommenting these lines:
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
include $PREPROC_RULE_PATH/sensitive-data.rules
Finally, Step #9: Customize your Shared Object Snort Rules. Edit to taste.
That's it. Save it and continue.
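As an added example (not part of the original guide), the following POSIX sh script makes the snort.conf edits described in this section on a copy of the file and then verifies them. The snort.conf fragment it edits is constructed inline; the input and output paths and the HOME_NET value are parameters you supply.

```shell
#!/bin/sh
# Added example, not from the original guide: apply the snort.conf edits
# described above to a copy of the file, then verify them. Paths and
# HOME_NET are parameters; only the constructed fragment below is touched.
set -e

# apply_snort_edits <in> <out> <home_net>: ipvar -> var, set HOME_NET and
# EXTERNAL_NET, comment out normalize_* (IPS only), enable unified2 with
# the guide's settings, and uncomment the Step #8 PREPROC_RULE_PATH includes.
apply_snort_edits() {
    in=$1; out=$2; home_net=$3
    sed -e 's/^ipvar /var /' \
        -e "s|^var HOME_NET .*|var HOME_NET [$home_net]|" \
        -e 's|^var EXTERNAL_NET .*|var EXTERNAL_NET !$HOME_NET|' \
        -e 's/^\(preprocessor normalize_\)/# \1/' \
        -e 's/^# *output unified2:.*/output unified2: filename snort.log, limit 128/' \
        -e 's|^# *\(include \$PREPROC_RULE_PATH/.*\.rules\)|\1|' \
        "$in" > "$out"
}

# check_snort_conf <file>: 0 only if no ipvar or normalize_* line is still
# active, exactly one unified2 output is active, the decoder rules are
# included, and unrelated preprocessors (frag3 here) were left alone.
check_snort_conf() {
    f=$1
    if grep -q '^ipvar ' "$f"; then return 1; fi
    if grep -q '^preprocessor normalize_' "$f"; then return 1; fi
    [ "$(grep -c '^output unified2:' "$f")" -eq 1 ] || return 1
    grep -q '^include \$PREPROC_RULE_PATH/decoder\.rules' "$f" || return 1
    grep -q '^preprocessor frag3_global' "$f"
}

# make_sample_conf <file>: constructed fragment with the stock lines the
# guide edits; it is not a real snort.conf.
make_sample_conf() {
    cat > "$1" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
preprocessor frag3_global: max_frags 65536
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
EOF
}
```

Run it against a scratch copy first (for example in a directory from mktemp -d), compare with diff, and only then copy the result over /etc/snort/etc/snort.conf.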
VI. Configure Barnyard2
We will be using Barnyard2 to offload the output processing from Snort. Events will be sent either to another system hosting PostgreSQL or to a remote syslog server.
Let's get to the barnyard2.conf file:
# cp /usr/src/barnyard2-1.9/etc/barnyard2.conf /etc/snort/
# mkdir /var/log/barnyard2
# vi /etc/snort/barnyard2.conf
Uncomment, comment out and/or edit the following lines; the notes in parentheses describe each change (and use a better password for the DB than snort, please). The host= value should point to the address of your PostgreSQL server:
config reference_file: /etc/snort/etc/reference.config
config classification_file: /etc/snort/etc/classification.config
config gen_file: /etc/snort/etc/gen-msg.map
config sid_file: /etc/snort/etc/sid-msg.map
config hostname: titan (this is the sensor's hostname)
config interface: bge0 (the management interface, i.e. the NIC facing the database server)
config daemon (uncomment to run in the background)
config show_year (uncomment to include the year in timestamps)
config waldo_file: /var/log/snort/waldo (uncomment and define the waldo file location)
If using PostgreSQL:
output database: log, postgresql, user=snort password=snort dbname=snort host=pg-server
If using syslog:
output alert_syslog: host=syslog-server
Use the following commands to start everything (the -D puts Snort in daemon mode):
# snort -c /etc/snort/etc/snort.conf -i bge1 -D
# barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/waldo
The -c option specifies the location of the barnyard2.conf file. The -d and -f options specify the directory and base name of the Snort logging files, respectively. Lastly, the -w option specifies the location of the waldo file we defined above.