Installing Snort - Snorby/snorby GitHub Wiki
For the installation of Snort, we are going to use Ubuntu 10.04, 32 bit. I don't personally use Ubuntu often, but anyone reading this tutorial is more likely to use Ubuntu for their Linux variant and I want people to be comfortable with their OS. This is important for troubleshooting issues and for ensuring their deployments stay secure. How many Windows Server Admins out there deploy a Linux box for one specific purpose and never keep up-to-date with patches? I've seen too many and I know a younger me was caught in this trap...
Check out Snort's website for other operating systems: http://www.snort.org/docs . Do realize that these guides are not written with the intent of installing Snorby as the front-end. Those documents are still stuck in the days of BASE, so ignore that part if you want Snorby.
There are two methods to install Snort on Ubuntu: with apt or from source. The easiest method is through apt-get. Using apt, you will lose some functionality and you are at the mercy of the repository and package managers. If Snort releases a new version, you must wait until the package manager updates the package and puts it in the apt repository. The preferred method is compiling from source, but some users may feel uncomfortable with that method.
DO NOT run any script that creates a database schema for Snort other than rake snorby:setup. The rake command creates the database schema for you: it creates the fields Snort requires, plus the additional fields Snorby needs.
To begin, you'll need root-level access. Issue the following command:
sudo apt-get install snort
You should see the following prompt:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libprelude2 oinkmaster snort-common snort-common-libraries snort-rules-default
Suggested packages:
  snort-doc
The following NEW packages will be installed:
  libprelude2 oinkmaster snort snort-common snort-common-libraries snort-rules-default
0 upgraded, 6 newly installed, 0 to remove and 194 not upgraded.
Need to get 1,740 kB of archives.
After this operation, 10.4 MB of additional disk space will be used.
Do you want to continue [Y/n]?
Input "Y" and hit Enter. Grab some coffee or a smoke. Right now, it is downloading snort and its dependencies.
When you return, hopefully you see the screen "Configuring snort". It is now asking you for your home network IP address range. Typically this will be one or more of the following: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/26. If you do not know, it is probably safest to enter:
10.0.0.0/8,172.16.0.0/12,192.168.0.0/26
Hit your Enter key and Snort will finish installing. To verify Snort is running, enter the following at the command prompt:
ps aux | grep snort | grep -v grep
If you see output containing "/usr/sbin/snort", you have Snort installed! Continue with Installing Snorby.
A good guide for installing on Ubuntu is located on Snort's website [reference: http://www.snort.org/assets/158/011-snortinstallguide2905.pdf]. This guide follows along with their work.
Download Snort from: http://www.snort.org/snort-downloads. It should come with the file extension ".tar.gz". We need to uncompress this and install it:
tar -zxvf snort-2.9.0.5.tar.gz
cd snort-2.9.0.5/
sudo ./configure --prefix=/usr/local/snort --enable-ipv6 --enable-gre \
  --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules \
  --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response \
  --enable-normalizer --enable-reload --enable-react --enable-flexresp3
sudo make
sudo make install
sudo mkdir /var/log/snort
sudo mkdir /var/snort
Now, to change permissions on your Snort directory:
sudo groupadd snort
sudo useradd -g snort snort
sudo chown snort:snort /var/log/snort
Again, unified2 output is the preferred method. Edit /etc/snort/snort.conf so that it contains a line like the following (adapted to your environment):
output unified2: filename snort.out, limit 128
And ensure that any other lines starting with "output database:" are commented out (that they have a # in front of them).
If you use MySQL output instead, edit /etc/snort/snort.conf and add the following line:
output database: alert, mysql, user=root password=password dbname=snorby host=localhost
Modify it for your needs. If Snorby isn't located on this sensor, change the host to the IP of the server on which Snorby is installed.
If you're running Ubuntu, you can run sudo dpkg-reconfigure snort and skip the steps below, as this command walks you through them.
For PostgreSQL output, edit /etc/snort/snort.conf and add the following line:
output database: alert, postgresql, user=snort dbname=snort
Modify it for your needs. If Snorby isn't located on this sensor, change the host to the IP of the server on which Snorby is installed.
We will be creating the database for Snort and Snorby soon. Check for the existence of the file /etc/snort/db-pending-config and if it exists, delete it.
Important variables, declared in /etc/snort/snort.conf: $HOME_NET, $EXTERNAL_NET
These variables are used in the rules you run. $HOME_NET should be set to your internal IP schema. In my lab, my computers get 10.0.0.1 - 10.0.0.255. So I will set this line to:
var HOME_NET 10.0.0.0/24
Typically $EXTERNAL_NET will be set to any, which describes everything outside your home network (the internet).
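The output and variable edits above are easy to get half right (a stray active "output database:" line, or HOME_NET left as any). The following is an added sanity check, not part of the Snorby wiki or the Snort project; the function name check_snort_conf and the sample config it runs against are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Snorby wiki): sanity-check a snort.conf for the
# Snorby-relevant settings described on this page.

# Constructed sample snort.conf; a real sensor config is much longer.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
# constructed sample, not a real sensor config
var HOME_NET 10.0.0.0/24
var EXTERNAL_NET any
output unified2: filename snort.out, limit 128
#output database: alert, mysql, user=root password=password dbname=snorby host=localhost
EOF

# check_snort_conf FILE
# Prints one line per finding and returns 0 only when:
#   - exactly one active "output unified2:" line exists (the Snorby-preferred output)
#   - no active "output database:" line exists (legacy direct-to-DB output)
#   - HOME_NET is defined (via var or ipvar) and is not "any"
check_snort_conf() {
    conf=$1
    rc=0
    # Drop comment lines once so every test below sees only active directives.
    active=$(grep -v '^[[:space:]]*#' "$conf" || true)

    unified_count=$(printf '%s\n' "$active" \
        | grep -c '^[[:space:]]*output[[:space:]][[:space:]]*unified2:' || true)
    if [ "$unified_count" -ne 1 ]; then
        echo "expected exactly one active 'output unified2:' line, found $unified_count"
        rc=1
    fi

    if printf '%s\n' "$active" | grep -q '^[[:space:]]*output[[:space:]][[:space:]]*database:'; then
        echo "an active 'output database:' line is present; comment it out when using unified2"
        rc=1
    fi

    # Value after "var HOME_NET" or "ipvar HOME_NET" (first definition wins).
    home_net=$(printf '%s\n' "$active" \
        | sed -n 's/^[[:space:]]*\(ip\)\{0,1\}var[[:space:]][[:space:]]*HOME_NET[[:space:]][[:space:]]*//p' \
        | head -n 1)
    case "$home_net" in
        "")  echo "HOME_NET is not defined"; rc=1 ;;
        any) echo "HOME_NET is 'any'; rules cannot tell internal from external traffic"; rc=1 ;;
    esac
    return $rc
}

check_snort_conf "$SAMPLE_CONF" && echo "$SAMPLE_CONF: ok"
```

Run it against /etc/snort/snort.conf on the sensor after editing; a non-zero exit with the printed findings tells you what to fix before starting Snort.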