November 16, 2008
This document describes the process of setting up a Snort network intrusion prevention and detection system on Sun Solaris 10 (SPARC). We will be using Barnyard for processing events to send to a database (to utilize BASE or another SIM product). This guide will go over both PostgreSQL and MySQL database output configurations for the sensor, and PostgreSQL for a separate example BASE console.
The sensor configuration assumed for this guide consists of two network interfaces (this will not be an inline sensor (IPS)). One will be for management and one will be connected to the network SPAN, TAP or hub on the edge device to monitor all traffic.
Snort Sensor Test Platform:
- Sun 420R
- 4x 450Mhz UltraSPARC-II / 4GB RAM
- Solaris 10 OE 05/08
PostgreSQL Test Platform:
- Sun Netra t 1125
- 2x 440Mhz UltraSPARC-II / 1GB RAM
- Solaris 10 OE 05/08
BASE Console Test Platform:
- Sun Netra X1
- 400Mhz UltraSPARC-IIe / 1GB RAM
- Solaris 10 OE 05/08
Keep in mind that this document does not cover hardening the system. That process is outlined in other documents from myself or others. This machine needs to be well protected. It will be in a very vulnerable position, facing that filthy and scary Internet.
Also, you will need root access to do most of these tasks. For the most part, this guide assumes access to the system through a terminal or SSH, with no attached keyboard or monitor.
Follow my guide titled Configuring a Solaris 10 JumpStart Server to lay the foundation for what we will be doing here. That guide has an example JumpStart profile with the required clusters and packages needed for development.
You may want to nudge up the size on the /var partition, depending on your estimated log sizes.
I also suggest you add the following to your system's PATH (the first line for a PostgreSQL sensor, the second for MySQL, with MYSQL_PATH_HERE replaced by your MySQL bin directory):
/usr/local/bin:/usr/sfw/bin:/usr/ccs/bin:/usr/local/pgsql/bin
/usr/local/bin:/usr/sfw/bin:/usr/ccs/bin:/MYSQL_PATH_HERE
This will allow easier access to some programs we will need later.
Libpcap:
# cd /usr/src
# wget http://www.procyonlabs.com/mirrors/libpcap/libpcap-1.0.0.tar.gz
# gunzip libpcap-1.0.0.tar.gz
# tar -xvf libpcap-1.0.0.tar
# rm libpcap-1.0.0.tar && cd libpcap-1.0.0
# ./configure && make && make install
PCRE:
# cd /usr/src
# wget http://www.procyonlabs.com/mirrors/pcre/pcre-7.8.tar.bz2
# bunzip2 pcre-7.8.tar.bz2
# tar -xvf pcre-7.8.tar
# rm pcre-7.8.tar && cd pcre-7.8
# ./configure --enable-utf8 --enable-pcregrep-libz --enable-pcregrep-libbz2
# make && make install
Snort:
# cd /usr/src
# wget http://www.procyonlabs.com/mirrors/snort/snort-2.8.3.1.tar.gz
# gunzip snort-2.8.3.1.tar.gz
# tar -xvf snort-2.8.3.1.tar
# rm snort-2.8.3.1.tar && cd snort-2.8.3.1
# ./configure --with-libpcap-libraries=/usr/local/lib
# make && make install
PostgreSQL:
If the URL used here is too slow, check here for others to try.
# wget http://ftp7.us.postgresql.org/pub/postgresql/v8.3.5/postgresql-8.3.5.tar.bz2
# bunzip2 postgresql-8.3.5.tar.bz2
# tar -xvf postgresql-8.3.5.tar
# rm postgresql-8.3.5.tar && cd postgresql-8.3.5
# ./configure --without-readline
# gmake && gmake install
MySQL:
# groupadd mysql
# useradd -g mysql mysql
# cd /usr/src
# wget http://mirrors.24-7-solutions.net/pub/mysql/Downloads/MySQL-5.0/mysql-5.0.67.tar.gz
# gunzip mysql-5.0.67.tar.gz
# tar -xvf mysql-5.0.67.tar
# rm mysql-5.0.67.tar && cd mysql-5.0.67
# ./configure --without-server && make && make install
Barnyard:
# cd /usr/src
# wget http://www.snort.org/dl/barnyard/barnyard-0.2.0.tar.gz
# gunzip barnyard-0.2.0.tar.gz
# tar -xvf barnyard-0.2.0.tar
# rm barnyard-0.2.0.tar && cd barnyard-0.2.0
Barnyard 0.2.0 has a compile bug in it when used on Solaris/SPARC. Before you run ./configure, be sure to replace line 1543, which is:
- LDFLAGS="${LDFLAGS} -lnsl"
with
- LDFLAGS="${LDFLAGS} -lresolv -lnsl"
Another bug (at least when compiling on Solaris) is that the include/library flags don't work. I cheat here by passing the include and library paths through CC= instead. It is just a shame that Barnyard has been abandoned.
If using PostgreSQL:
# CC="gcc -I/usr/local/pgsql/include -L/usr/local/pgsql/lib -R/usr/local/pgsql/lib" \
./configure --enable-postgres
# make && make install
If using MySQL:
# CC="gcc -I/usr/local/include -L/usr/local/lib/mysql -R/usr/local/lib/mysql" \
./configure --enable-mysql
# make && make install
We will be configuring this sensor to monitor traffic on a "stealth" interface (plumbed and up, but with no IP address). On my system (Sun Netra X1), the second interface name is dmfe1. In the example below, you may need to change this for your specific system; ifconfig -a will show you what you have.
Setup Stealth NIC
# ifconfig dmfe1 plumb
# ifconfig dmfe1 up
Configure snort.conf
# mkdir /etc/snort
# mkdir /var/log/snort
# touch /var/log/snort/alert
# cp /usr/src/snort-2.8.3.1/etc/unicode.map /etc/snort/
# cp /usr/src/snort-2.8.3.1/etc/classification.config /etc/snort/
# cp /usr/src/snort-2.8.3.1/etc/reference.config /etc/snort/
# cp /usr/src/snort-2.8.3.1/etc/snort.conf /etc/snort/
# vi /etc/snort/snort.conf
Rather than go into intricate detail on this process, I shall refer you to the excellent information provided by the Snort team. The Configuring Snort FAQ will help you understand all the options available to you. Just to get you started, the most important settings you'll want to customize for now are:
- var HOME_NET any
- example: var HOME_NET [192.168.0.0/24]
- var EXTERNAL_NET any
- example: var EXTERNAL_NET !$HOME_NET
- var RULE_PATH ../rules
- example: var RULE_PATH /etc/snort/rules
We also need to configure the section in snort.conf titled:
# unified: Snort unified binary format alerting and logging
This is where we configure the fast unified alert/log output plugin. This is the data that Barnyard will be using to export events to your database. All you have to do is uncomment the following lines:
# output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128
If you scroll down in the snort.conf file you will find the ruleset includes section. Look over what rules are included and comment or uncomment as needed for your specific environment.
Get and Install Rules
First, we need to download the latest rule set from http://www.snort.org/pub-bin/downloads.cgi. Do this often, and be careful once you start customizing or adding them. It can be very depressing to upgrade snort or refresh the rules and find your work overwritten! Here, we will use the Community Rules for Snort:
# cd /etc/snort
# wget http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/ \
Community-Rules-CURRENT.tar.gz
# gunzip Community-Rules-CURRENT.tar.gz
# tar -xvf Community-Rules-CURRENT.tar
# rm Community-Rules-CURRENT.tar
Also available are the rules from Emerging Threats. This is an open source community project that provides a more up-to-date and larger variety of rules than the ones offered by SourceFire. These can be downloaded here.
We will be using Barnyard to offload the output processing from Snort. These events will be sent to another system hosting either the PostgreSQL or MySQL database.
We won't need it to start a new instance; however, you should get familiar with the waldo log file for later use. See the /usr/src/barnyard-0.2.0/docs/USAGE file for more information on how to configure Barnyard.
Now, for the barnyard.conf file:
# cp /usr/src/barnyard-0.2.0/etc/barnyard.conf /etc/snort/
# vi /etc/snort/barnyard.conf
Uncomment, comment out and edit the following lines. For my setup, I am going to use the data with Basic Analysis and Security Engine (BASE) using PostgreSQL. The lines below are the changes and additions (and use a better password for the DB than snort, please). The server variable should point to the address of your SQL server:
config hostname: snortsensor (this is the sensor's hostname)
config interface: dmfe0 (the management interface, i.e. the NIC facing the database server)
# output alert_fast
# output log_dump
If using PostgreSQL:
output alert_acid_db: postgres, sensor_id 1, database snort, server 192.168.0.16, user snort, password snort
output log_acid_db: postgres, sensor_id 1, database snort, server 192.168.0.16, user snort, password snort, detail full
If using MySQL:
output alert_acid_db: mysql, sensor_id 1, database snort, server 192.168.0.16, user snort, password snort
output log_acid_db: mysql, sensor_id 1, database snort, server 192.168.0.16, user snort, password snort
You will notice the BASE-format output is accomplished using the alert_acid_db statement. Since development of Barnyard was abandoned before BASE replaced ACID, this has not yet been updated.
Also, you need to copy the .map files over to /etc/snort:
# cp /usr/src/snort-2.8.3.1/etc/gen-msg.map /etc/snort/
# cp /usr/src/snort-2.8.3.1/etc/sid-msg.map /etc/snort/
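Before starting Barnyard it is worth checking that the barnyard.conf edits above actually took (the config lines are present, the acid_db outputs are uncommented, a server is set, and the DB password is no longer the example "snort"). The following POSIX sh linter is an added example written for this guide, not part of Barnyard or the original page; the sample configs it writes are constructed to match the PostgreSQL lines above.

```shell
#!/bin/sh
# Added example (not from the guide): sanity-check a barnyard.conf written per
# the guide. Flags missing config/output lines, commented-out DB outputs, a
# missing server, and the guide's placeholder password "snort".

# Print the value of field $2 (e.g. "password") from an acid_db output line $1.
# Fields are "name value" pairs separated by commas, as in the guide's lines.
acid_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ,]$2 \([^,]*\).*/\1/p"
}

# Return 0 when the config passes every check; otherwise report on stderr and return 1.
lint_barnyard_conf() {
    conf=$1; problems=0
    grep -q '^config hostname:'  "$conf" || { echo "no 'config hostname' line" >&2; problems=1; }
    grep -q '^config interface:' "$conf" || { echo "no 'config interface' line" >&2; problems=1; }
    for out in alert_acid_db log_acid_db; do
        # Only an uncommented line counts; "# output ..." is still disabled.
        line=$(grep "^output $out:" "$conf" | head -n 1)
        if [ -z "$line" ]; then
            echo "output $out is missing or still commented out" >&2; problems=1
            continue
        fi
        [ -n "$(acid_field "$line" server)" ] || { echo "$out: no server set" >&2; problems=1; }
        case "$(acid_field "$line" password)" in
            ''|snort) echo "$out: DB password is empty or the guide's example 'snort'" >&2; problems=1 ;;
        esac
    done
    return $problems
}

# Constructed sample of the guide's PostgreSQL config written to $1, using $2 as
# the DB password, so the linter can be exercised offline.
write_sample() {
    pw=$2
    cat > "$1" <<EOF
config hostname: snortsensor
config interface: dmfe0
# output alert_fast
# output log_dump
output alert_acid_db: postgres, sensor_id 1, database snort, server 192.168.0.16, user snort, password $pw
output log_acid_db: postgres, sensor_id 1, database snort, server 192.168.0.16, user snort, password $pw, detail full
EOF
}
```

Run lint_barnyard_conf /etc/snort/barnyard.conf after editing; a non-zero exit with the reasons on stderr means the file is not ready.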
I have another guide up titled "PostgreSQL 8.3 w/ OpenSSL Support (64-bit)" for Solaris 10 on SPARC. Do that then continue here.
Create DB Schema:
Log into the DB server and do the following as the postgres user:
$ cd /var/db
$ createuser -U postgres -P snort
Enter password for new role: xxx
Enter it again: xxx
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
$ createdb -U postgres -E UTF8 -O snort snort
$ wget http://www.procyonlabs.com/guides/solaris/snort_base/create_postgresql
$ psql -U snort snort < create_postgresql
I have another guide up titled "Web Server with Apache 2, PHP 5, OpenSSL and Database Support" for Solaris 10 on SPARC. Follow the instructions for PostgreSQL, since that is what we will use for this example installation. Do that then continue here.
Download and Install Sources:
ADOdb:
# cd /var/www
# wget http://voxel.dl.sourceforge.net/sourceforge/adodb/adodb498.tgz
# gunzip adodb498.tgz
# tar -xvf adodb498.tar
# rm adodb498.tar
Image_Graph (for graphing capabilities):
# pear upgrade-all
# pear install --alldeps Image_Graph-alpha
BASE:
# cd /var/www
# wget http://voxel.dl.sourceforge.net/sourceforge/secureideas/base-1.4.0.tar.gz
# gunzip base-1.4.0.tar.gz
# tar -xvf base-1.4.0.tar
# rm base-1.4.0.tar
# mv base-1.4.0 base && cd base
# cp base_conf.php.dist base_conf.php
# vi base_conf.php
Read through the base_conf.php file and scan for any site-specific changes you need to configure. For basics, make sure to edit the $DBlib_path and $DBtype variables according to our setup.
Use the following commands to start everything (the -D puts it in daemon mode):
# snort -c /etc/snort/snort.conf -i dmfe1 -D
# barnyard -c /etc/snort/barnyard.conf -g /etc/snort/gen-msg.map -s \
/etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /etc/snort/log.waldo
The -c option specifies the location of the barnyard.conf file. The -g and -s options specify the locations of the GID (gen-msg.map) and SID (sid-msg.map) map files that come with Snort. It is important that you specify these, as they provide the information that tells Barnyard what a particular alert means. The -d and -f options specify the directory and base name of the Snort unified log files, respectively. Lastly, the -w option specifies the location of the waldo file mentioned earlier, Barnyard's bookmark of how far it has read into the unified log.
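The two start commands above silently produce an idle sensor if a map file is missing or the stealth interface was never plumbed. The following POSIX sh wrapper is an added example, not a script from the guide: it checks the files this guide copies into /etc/snort and the interface state, then runs the same snort and barnyard command lines. Directory and interface names are parameters defaulting to the guide's values.

```shell
#!/bin/sh
# Added example (not from the guide): pre-flight checks wrapped around the
# guide's start commands, so a missing map file or an unplumbed stealth
# interface stops the start with a reason instead of leaving an idle sensor.

# Files the guide copies into the config directory for Snort and Barnyard.
NEEDED_FILES="snort.conf barnyard.conf classification.config reference.config unicode.map gen-msg.map sid-msg.map"

# Return 0 when every needed file exists in config dir $1 and log dir $2 exists;
# otherwise list what is missing on stderr and return 1.
check_prereqs() {
    confdir=$1; logdir=$2; missing=0
    for f in $NEEDED_FILES; do
        [ -f "$confdir/$f" ] || { echo "missing: $confdir/$f" >&2; missing=1; }
    done
    [ -d "$logdir" ] || { echo "missing log directory: $logdir" >&2; missing=1; }
    return $missing
}

# Return 0 when interface $1 is listed by ifconfig -a (i.e. it has been plumbed).
iface_plumbed() {
    ifconfig -a 2>/dev/null | grep -q "^$1:"
}

# Start Snort first, then Barnyard, with the options used in the guide.
# $1 = config dir, $2 = log dir, $3 = stealth interface (dmfe1 in the guide).
start_sensor() {
    confdir=${1:-/etc/snort}; logdir=${2:-/var/log/snort}; iface=${3:-dmfe1}
    check_prereqs "$confdir" "$logdir" || return 1
    iface_plumbed "$iface" || {
        echo "$iface is not plumbed; run: ifconfig $iface plumb; ifconfig $iface up" >&2
        return 1
    }
    snort -c "$confdir/snort.conf" -i "$iface" -D || return 1
    # Barnyard tails the unified log Snort writes; give Snort a moment to create it.
    sleep 2
    barnyard -c "$confdir/barnyard.conf" -g "$confdir/gen-msg.map" \
        -s "$confdir/sid-msg.map" -d "$logdir" -f snort.log -w "$confdir/log.waldo"
}
```

Source the file and call start_sensor (or append a start_sensor line) to start with the guide's defaults; as root, since both daemons need raw access to the interface.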
Now you can go to the URL of the BASE installation and start having fun! Please send any BASE bug reports or feature requests to myself, the BASE mailing lists or the BASE SourceForge Tracker.