
RHEL: Snort Intrusion Detection System w/ Barnyard2 and PostgreSQL Support
February 9, 2014

Operating System: RHEL
Platform: x86_64
Applications: Snort, Barnyard2
Databases: PostgreSQL

I. Abstract

This document describes the process of setting up a Snort Intrusion Detection System (IDS) on Red Hat Enterprise Linux (RHEL) Server 6.5 on x86_64 hardware. It also covers the most common methods of event distribution (alerting): Barnyard2 reading Snort's unified2 output and sending events either to a database (for BASE, or for a SIEM / log management product such as Splunk) or to syslog.

The sensor configuration assumed for this guide has two network interfaces, and it is a passive IDS, not an inline sensor (IPS). One interface is for management and the other is connected to a SPAN port, TAP or hub on the edge device so the sensor sees all traffic.

Test Platform:

  • PowerEdge 2950
  • 2x 5060 3.20 GHz Dual-Core CPUs / 8GB RAM
  • 15k SAS RAID0 (take a chance!)
  • RHEL 6.5 / x86_64
  • Snort: 2.9.6.0
  • Barnyard2: Latest git bits
Keep in mind that this document does not cover hardening the system. That process is outlined in other documents from myself or others. This machine needs to be well protected. It may be in a very vulnerable position, facing that filthy and scary Internet.

This guide should also work (with some modifications) for Scientific Linux and CentOS derivative versions of RHEL.


II. Install and Setup the Operating Environment

Go through the installation procedure and set things up according to your network and needs. You may want to nudge up the size on the /var partition, depending on your estimated requirements.

When you are presented with the software sets screen, select "Basic Server" and then "Customize now" - click Next.

Next is the part where I would either have used Kickstart or spent a while de-selecting/selecting packages I know I will or will not need. This is a fairly simple base installation, so we don't really need to add anything (unless you need the PostgreSQL database client). If you know you won't need something, it is best not to install it.

Configure Services

After rebooting, log in as root and enter the command ntsysv. This will start the services management application. Here you can select or de-select the services you want started at boot. Go through the list and edit as your environment requires. One obvious selection would be ntpd/ntpdate, and don't forget to edit the /etc/ntp.conf file if using custom NTP servers.

Any service changes will go into effect after rebooting (but don't do that yet).

Configure Firewall

As root, enter the command system-config-firewall-tui. This will start the Firewall Configuration tool. Unless you need to open something other than incoming SSH, there isn't much to do here. Any changes will go into effect immediately.

Note, I live like there is no tomorrow. Just turn off iptables in services (ntsysv) and enjoy the feeling. If you follow that advice, at least make sure the sniffing interface carries no IP address (see Section V) so nothing can be reached through it, and restrict SSH to the management network on the upstream device instead.

SELinux

I also disable SELinux, but if you are comfortable with the detailed configuration necessary for this feature, by all means leave it on Enforcing and pay attention! To disable it, edit /etc/selinux/config so the SELINUX variable is "disabled" instead of "enforcing." A reboot is necessary for this change to take effect. ("permissive" is the middle ground: policy violations are logged to /var/log/audit/audit.log but not blocked, which is useful while you work out what the snort and barnyard2 binaries actually need.)

Register System with RHN, Update and Reboot

Now it's time to run rhn_register and take advantage of that online management and support you bought. Don't forget, Red Hat offers big discounts for educational customers - give them a call and see what they can do for you. As for the registration process here, just follow the prompts. Pretty straightforward.

Finally, you should run yum update. It is important to keep your system as up to date as possible. When this process is finished, reboot and continue on!


III. Install Dependencies

Some or all of these may be already on your system (depending on your installation options). Best to make sure, though.

You may ask, why automake and libtool? We're pulling the latest bits for Barnyard2 from GitHub, and need to make it ./configure-able (its autogen.sh needs them). make and unzip are on the list as well: make is not pulled in by gcc on a Basic Server install, and unzip is needed for the Barnyard2 zip archive.

FYI - to get libpcap-devel, you'll need to alter your RHN subscription for this system to include the RHEL Server Optional channel, which is where the -devel packages live!

# yum install gcc gcc-c++ make flex bison pcre-devel zlib-devel libpcap-devel postgresql-devel automake libtool unzip


IV. Download and Install Sources

libdnet

# cd /usr/src
# wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
# tar zxvf libdnet-1.12.tgz
# rm libdnet-1.12.tgz && cd libdnet-1.12
# ./configure && make && make install

DAQ:

# cd /usr/src
# wget http://www.procyonlabs.com/mirrors/snort/daq-2.0.2.tar.gz
# tar zxvf daq-2.0.2.tar.gz
# rm daq-2.0.2.tar.gz && cd daq-2.0.2
# ./configure && make && make install

Snort:

This is just an example of flag(s) to set for configure. You should only use what you need for your setup.

Note: If you're like me, you're probably going to throw the occasional >2GB PCAP file at Snort for analysis (outside of normal traffic monitoring, we're not mission critical here). Add --enable-large-pcap if you plan on doing that.

# cd /usr/src
# wget http://www.procyonlabs.com/mirrors/snort/snort-2.9.6.0.tar.gz
# tar zxvf snort-2.9.6.0.tar.gz
# rm snort-2.9.6.0.tar.gz && cd snort-2.9.6.0
# ./configure --enable-sourcefire
# make && make install

libdnet and DAQ were installed under /usr/local/lib. If snort later refuses to start because it cannot find libdnet.1 or libsfbpf.so.0, add /usr/local/lib to the dynamic linker search path with a file in /etc/ld.so.conf.d/ and run ldconfig.

Barnyard2:

There are no "releases" for this, so we need to grab the latest bits straight from GitHub. Keep in mind that master.zip is whatever the branch head happens to be when you download it; note the date (or the commit hash shown on the GitHub page) so you can rebuild the same thing later.

# cd /usr/src
# wget https://github.com/firnsy/barnyard2/archive/master.zip -O by2.zip
# unzip by2.zip
# rm by2.zip
# cd barnyard2-master

# ./autogen.sh

If using PostgreSQL:

# ./configure --with-postgresql
# make && make install

If *only* using Syslog:

# ./configure
# make && make install


V. Configure Snort

We will be configuring this sensor to monitor traffic on a "stealth" interface. On my system, the second interface (the one wired to the tap, SPAN or hub) is eth1. In the examples below, change it to match your system; ifconfig -a will show you what you have.

# ifconfig eth1 up

Then, to ensure this occurs at boot, edit /etc/sysconfig/network-scripts/ifcfg-eth1 from ONBOOT="no" to ONBOOT="yes". While you are in that file, make sure BOOTPROTO is none and there is no IPADDR line: a sniffing interface that requests a DHCP lease or answers ARP is not stealthy, and Snort does not need an address on the interface it captures on.
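The ifcfg edit above is easy to get subtly wrong, so here is an added example (not part of the original guide) that writes a complete passive ifcfg for the sniffing NIC and a check that refuses a file which would give that NIC an address. It assumes RHEL 6 network-scripts syntax; the ETHTOOL_OPTS line relies on RHEL 6 ifup-eth passing options that start with a dash straight to ethtool, which is how the Snort manual's advice to turn off GRO and LRO on the capture interface is made to survive a reboot (verify that on your release). The interface name and file paths are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original guide: generate a passive ifcfg for the
# sniffing interface and validate an existing one.
# Assumptions: RHEL 6 ifcfg syntax; ETHTOOL_OPTS entries beginning with a dash
# are handed to ethtool unchanged by RHEL 6 ifup-eth.

# Print an ifcfg body for a sniff-only interface: up at boot, never requests
# or carries an IP address, GRO/LRO off so the capture sees the frames that
# were really on the wire instead of kernel-coalesced super-frames.
passive_ifcfg() {   # passive_ifcfg <iface>
    iface=$1
    cat <<EOF
DEVICE=$iface
TYPE=Ethernet
ONBOOT=yes
BOOTPROTO=none
NM_CONTROLLED=no
IPV6INIT=no
ETHTOOL_OPTS="-K $iface gro off; -K $iface lro off"
EOF
}

# Return 0 if the ifcfg file describes a passive interface, 1 otherwise.
# A sensor NIC with BOOTPROTO=dhcp or an IPADDR talks on the monitored
# segment (DHCP, ARP), which advertises the sensor and breaks the "stealth"
# assumption the guide makes.
check_passive_ifcfg() {   # check_passive_ifcfg <file>
    f=$1
    if grep -Eq '^[[:space:]]*(IPADDR[0-9]*|GATEWAY)=' "$f"; then
        echo "$f: a sniff interface must not have an address or gateway" >&2
        return 1
    fi
    if grep -Eq '^[[:space:]]*BOOTPROTO="?(dhcp|static|bootp)' "$f"; then
        echo "$f: BOOTPROTO must be none on a sniff interface" >&2
        return 1
    fi
    if ! grep -Eq '^[[:space:]]*ONBOOT="?yes' "$f"; then
        echo "$f: ONBOOT=yes is needed so the interface is up after a reboot" >&2
        return 1
    fi
    return 0
}
```

Usage on the sensor: `passive_ifcfg eth1 > /etc/sysconfig/network-scripts/ifcfg-eth1 && check_passive_ifcfg /etc/sysconfig/network-scripts/ifcfg-eth1`, then `ifup eth1`. IPV6INIT=no only stops the scripts from configuring IPv6; if the ipv6 module is loaded the kernel still assigns a link-local address, so set net.ipv6.conf.eth1.disable_ipv6=1 in sysctl if you want the interface completely silent.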

NOTE: This is the manual way of handling rules. If you want to make things a little easier, check out PulledPork.

First:

# mkdir /etc/snort
# mkdir /var/log/snort

Next, we need to download the latest rules/signatures. Do this often, and be careful once you start customizing or adding them. It can be very depressing to upgrade Snort or refresh the rules and find your work overwritten! The snapshot's etc/ directory carries its own snort.conf, so extracting a new snapshot over /etc/snort replaces the one you edited unless you back it up first. Here, we will use the Sourcefire VRT rules.

There are two rulesets available: Subscribers and Registered Users. Details are on the VRT Rules download page. You will need to fetch the rules package via a Web browser and move it to this sensor's /etc/snort directory. The snapshot must match the Snort version you built (2960 for 2.9.6.0), because the precompiled shared-object rules are version-specific. Also, for the precompiled .so rules, substitute i386 for x86-64 if you're on a 32-bit platform.

# cd /etc/snort/
# tar zxvf snortrules-snapshot-2960.tar.gz
# rm snortrules-snapshot-2960.tar.gz
# mkdir /usr/local/lib/snort_dynamicrules
# cp /etc/snort/so_rules/precompiled/RHEL-6-0/x86-64/2.9.6.0/*.so /usr/local/lib/snort_dynamicrules/
# cat /etc/snort/so_rules/*.rules > /etc/snort/rules/so-rules.rules

(Use a single > rather than >>: appending on every refresh would leave duplicate rule stubs in so-rules.rules.)

Keep in mind, subscribers will get the most up to date version. Pitch the nickel, it's worth it.
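The warning above about refreshing rules and losing your work is the failure mode worth scripting against. The following is an added example, not part of the original guide: it verifies the downloaded snapshot against the .md5 file published next to it on the download page (if your download page does not offer one, adjust verify_snapshot), unpacks into a staging directory so a truncated tarball never leaves /etc/snort half-updated, and preserves the hand-edited files named in KEEP (your snort.conf, local.rules and threshold.conf, an assumed list you should extend). Copying the precompiled .so files into /usr/local/lib/snort_dynamicrules stays a separate step exactly as the guide shows it.

```shell
#!/bin/sh
# Added example, not from the original guide: refresh a VRT rules snapshot
# without losing local edits, verifying the download first.
# Assumptions: the /etc/snort layout the guide uses (rules/, so_rules/, etc/
# inside the tarball); a <snapshot>.md5 file saved beside the tarball; the
# KEEP list below names the files you edit by hand and is only a starting point.

# Files the snapshot also ships, which must never be overwritten blindly.
KEEP="etc/snort.conf rules/local.rules etc/threshold.conf"

# Compare the first 32-hex digest found in <tarball>.md5 with md5sum's output.
# Fails closed: no .md5 file, or a mismatch, returns 1.
verify_snapshot() {   # verify_snapshot <snapshot.tar.gz>
    tarball=$1
    if [ ! -f "$tarball.md5" ]; then
        echo "no $tarball.md5 beside the snapshot; fetch it from the download page" >&2
        return 1
    fi
    want=$(grep -Eo '[0-9a-fA-F]{32}' "$tarball.md5" | head -n1 | tr 'A-F' 'a-f')
    have=$(md5sum "$tarball" | cut -d' ' -f1)
    if [ -z "$want" ] || [ "$want" != "$have" ]; then
        echo "digest mismatch for $tarball: want '$want' have '$have'" >&2
        return 1
    fi
    return 0
}

# Unpack <snapshot> into <snort_dir>, keeping the files listed in KEEP.
# Prints the backup directory holding the pre-refresh copies of those files.
refresh_rules() {   # refresh_rules <snort_dir> <snapshot.tar.gz>
    snort_dir=$1; tarball=$2
    verify_snapshot "$tarball" || return 1
    stage=$(mktemp -d) || return 1
    # Extract to staging first: a corrupt archive fails here, touching nothing.
    if ! tar xzf "$tarball" -C "$stage"; then
        echo "extract failed: $tarball" >&2
        rm -rf "$stage"
        return 1
    fi
    backup="$snort_dir/backup-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup"
    # Save hand-edited files before anything is copied over them.
    for f in $KEEP; do
        if [ -f "$snort_dir/$f" ]; then
            mkdir -p "$backup/$(dirname "$f")"
            cp -p "$snort_dir/$f" "$backup/$f"
        fi
    done
    # Bring in the new snapshot, then put the preserved files back.
    cp -Rp "$stage"/. "$snort_dir"/
    for f in $KEEP; do
        if [ -f "$backup/$f" ]; then
            cp -p "$backup/$f" "$snort_dir/$f"
        fi
    done
    rm -rf "$stage"
    echo "$backup"
}
```

On the sensor: `refresh_rules /etc/snort /etc/snort/snortrules-snapshot-2960.tar.gz`, then diff the new etc/snort.conf in the backup's sibling against your kept one for any options the VRT added, and re-run the .so copy and so-rules.rules steps from above.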

Configure snort.conf

Rather than go into intricate detail on this process, I shall refer you to the excellent information provided by the Snort team. The Snort Manual will help you understand all the options available to you. Just to get you started, the most important settings you'll want to customize for now are:

# vi /etc/snort/etc/snort.conf
  • ipvar HOME_NET any
    • example: ipvar HOME_NET [192.168.0.0/16]
  • ipvar EXTERNAL_NET any
    • example: ipvar EXTERNAL_NET !$HOME_NET
  • var RULE_PATH, SO_RULE_PATH, PREPROC_RULE_PATH, WHITE_LIST_PATH and BLACK_LIST_PATH
    • the stock file uses relative paths (../rules and so on); pointing them at the absolute directories under /etc/snort avoids surprises when snort is later started from an init script
  • dynamicdetection directory /usr/local/lib/snort_dynamicrules
    • must match the directory the precompiled .so rules were copied to above

We also need to configure Section #6 in snort.conf titled:

# unified2

This is where we configure the unified2 output plugin. Barnyard2 reads these binary unified2 records and exports the events to your database or syslog server. All you have to do is uncomment and edit the output unified2 line to look like this:

output unified2: filename /var/log/snort/merged.log, limit 128

Snort appends a Unix timestamp to the filename when it starts (merged.log.1391954400, for example) and rolls to a new file once the current one reaches the limit (128 MB here); Barnyard2's -f option matches on the merged.log prefix, so this is expected.

Unless you want to use reputation filters, find this section and comment the whole block. Snort will otherwise refuse to start, because the white_list.rules and black_list.rules files it references are not in the rules snapshot (creating them as empty files in $WHITE_LIST_PATH and $BLACK_LIST_PATH is the other way out):

# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
memcap 500, \
priority whitelist, \
nested_ip inner, \
whitelist $WHITE_LIST_PATH/white_list.rules, \
blacklist $BLACK_LIST_PATH/black_list.rules

Configure Rules

Towards the end of the snort.conf file (Step #7: Customize your rule set and Step #8: Customize your preprocessor and decoder alerts), is where you need to edit so Snort knows which rules to use. Go through the rules and add/delete the ones listed so that only the ones you need are active.

Finally, Step #9: Customize your Shared Object Snort Rules. Edit to taste.

That's it. Save it and continue.


VI. Configure Barnyard2

We will be using Barnyard2 to offload the output processing from Snort. These events will be sent to another system hosting PostgreSQL or to a remote syslog server.

Let's get to the barnyard2.conf file:

# cp /usr/src/barnyard2-master/etc/barnyard2.conf /etc/snort/
# vi /etc/snort/barnyard2.conf

Uncomment/comment and/or edit the following lines; the annotations in parentheses explain each change. The server variable should point to the address of your PostgreSQL server, and use a better password for the DB than snort, please:

config reference_file: /etc/snort/etc/reference.config
config classification_file: /etc/snort/etc/classification.config
config gen_file: /etc/snort/etc/gen-msg.map
config sid_file: /etc/snort/etc/sid-msg.map

config logdir: /var/log/snort

config hostname: titan   (the sensor's hostname)
config interface: eth0   (a label stored with each event as the sensor interface; it does not choose the NIC used to reach the database or syslog server, so naming the sniffing interface here is equally valid)

config daemon   (uncomment to run in background)

config show_year   (uncomment to include year in timestamps)

config waldo_file: /var/log/snort/by2.waldo   (uncomment, define waldo file location)

If using PostgreSQL (the password goes in a password= parameter on the same line):

output database: log, postgresql, user=snort dbname=snort host=pg-server

Barnyard2 does not create its tables. Before starting it, create the snort database on pg-server, load the schema from schemas/create_postgresql in the Barnyard2 source tree (/usr/src/barnyard2-master/schemas/ after the download above), and grant the snort user rights on those tables. Restrict the PostgreSQL listener to the sensor's management address as well; the sensor is the only client that should reach it.

If using syslog (in this example, to a Splunk instance listening on UDP 518 rather than the standard syslog port 514):

output alert_syslog_full: sensor_name phobos-eth1, server 192.168.2.3, protocol udp, port 518, operation_mode default

Finally, we need to create the waldo file (we will be using this as a checkpoint file for continuous mode w/ bookmarking):

# touch /var/log/snort/by2.waldo


VII. Start Snort and Barnyard2!

Use the following commands to start everything (the -D puts Snort in daemon mode; run the same snort command with -T first to parse the configuration and rules and exit, which catches typos before you daemonize):

# snort -c /etc/snort/etc/snort.conf -i eth1 -D

# barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f merged.log -w /var/log/snort/by2.waldo

The -c option specifies the location of the barnyard2.conf file. The -d and -f options specify the directory and filename prefix of the Snort unified2 files, respectively. Lastly, the -w option specifies the location of the waldo file we've just created (the config waldo_file line in barnyard2.conf does the same thing; giving it on the command line as well keeps the bookmark explicit). Because config daemon was uncommented, barnyard2 backgrounds itself. Both daemons report startup through syslog, so check /var/log/messages, and confirm that a merged.log.<timestamp> file appears in /var/log/snort once traffic flows.
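Starting both daemons by hand as root works for a first test, but for day-to-day use you want the configuration validated before anything is started and both processes running unprivileged. The wrapper below is an added example, not part of the original guide. It assumes (none of this is in the guide) a snort user and group created with useradd -r -s /sbin/nologin snort that owns /var/log/snort, and binaries where a default ./configure puts them (/usr/local/bin); every path is a variable so the logic can be dry-run with stand-in binaries as the usage note shows.

```shell
#!/bin/sh
# Added example, not from the original guide: start/stop wrapper for snort and
# barnyard2. Runs snort -T before starting anything, so a bad rule or a typo
# in snort.conf aborts the start instead of leaving a dead sensor, and drops
# both daemons to an unprivileged account with -u/-g.
# Assumptions: a 'snort' user/group exists and owns /var/log/snort; binaries
# are in /usr/local/bin (default install prefix). All of these are overridable.

SNORT_BIN=${SNORT_BIN:-/usr/local/bin/snort}
BARNYARD2_BIN=${BARNYARD2_BIN:-/usr/local/bin/barnyard2}
SNORT_CONF=${SNORT_CONF:-/etc/snort/etc/snort.conf}
BY2_CONF=${BY2_CONF:-/etc/snort/barnyard2.conf}
LOG_DIR=${LOG_DIR:-/var/log/snort}
SENSOR_IF=${SENSOR_IF:-eth1}
RUN_AS=${RUN_AS:-snort}

# Arguments for snort: -i sniff interface, -l unified2 spool directory,
# -u/-g drop root once the capture socket is open, -D daemonize.
snort_args() {
    echo "-c $SNORT_CONF -i $SENSOR_IF -l $LOG_DIR -u $RUN_AS -g $RUN_AS -D"
}

# Arguments for barnyard2: -d/-f the spool and filename prefix snort writes,
# -w the waldo bookmark so a restart resumes where it left off.
barnyard2_args() {
    echo "-c $BY2_CONF -d $LOG_DIR -f merged.log -w $LOG_DIR/by2.waldo -u $RUN_AS -g $RUN_AS -D"
}

# Validate the configuration, then start snort and barnyard2 in that order.
# Returns non-zero and starts nothing if snort -T rejects the config.
start_sensor() {
    if ! "$SNORT_BIN" -T -c "$SNORT_CONF" -i "$SENSOR_IF" >/dev/null 2>&1; then
        echo "snort.conf failed validation; run this by hand to see why:" >&2
        echo "  $SNORT_BIN -T -c $SNORT_CONF -i $SENSOR_IF" >&2
        return 1
    fi
    "$SNORT_BIN" $(snort_args) || return 1
    "$BARNYARD2_BIN" $(barnyard2_args)
}

# Stop barnyard2 first so it writes its final waldo position, then snort.
stop_sensor() {
    pkill -x barnyard2 2>/dev/null
    pkill -x snort 2>/dev/null
    return 0
}
```

Save it as /usr/local/sbin/sensor.sh and call start_sensor / stop_sensor from your rc.local or init script. To exercise the fail-closed path without touching the real daemons: `SNORT_BIN=false sh -c '. /usr/local/sbin/sensor.sh; start_sensor'` must refuse to start, while `SNORT_BIN=true BARNYARD2_BIN=true` lets it through. Running with -u requires that the snort account can write /var/log/snort (chown -R snort:snort /var/log/snort) and the waldo file created earlier.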

 


© 2014 Procyon Labs / Randal T. Rioux