Snort 2.1 Intrusion Detection, Second Edition, part 3 (potx)


295_Snort2e_03.qxd 5/5/04 2:55 PM Page 122 122 Chapter 3 • Installing Snort

7. At the command prompt, type ./configure and press Enter. This will run the configure script for libpcap (see Figure 3.5).

Figure 3.5 Running the configure Script

8. When the configure script has completed its operation, you should be returned to a prompt. Make sure you have no errors on screen. Everything should look okay if you installed your development tools from earlier in the chapter. At the prompt, type make and press Enter.

9. The make command will also bring you back out to a prompt when it has completed its work. Again, you need to check the output that make has displayed on screen to verify that the operation was trouble-free. At the prompt, type make install and press Enter.

10. After make finishes the installation of the software, you will be returned to the command prompt, with luck free of errors.

Installing libpcap from RPM

You can also install libpcap from an RPM package if your distribution supports it. At the time of writing, www.rpmfind.net returned 63 results (spanning 11 Linux distributions including SUSE) when presented with a query for libpcap. Frankly, we believe that this is the best place to find custom-compiled RPMs for your distribution of choice. We have included RPMs for the following distributions on the accompanying CD-ROM. They are located in the /Snort-2.1.1/Linux/pcap/rpms directory.

■ Conectiva Version 6.2 (RPM and SRPM)
■ Mandrake Version 6.2 (RPM), version 7.1 (RPM and SRPM)
■ Red Hat (7.2, 7.3, 8.0) Version 6.2 (RPM only)
■ SuSE Linux Version 7.1 (RPM only. Version 9.1 comes with the 0.8.1 RPM on CD.)

www.syngress.com Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com

The procedures involved in installation via RPM are, more often than not, much easier than an installation that uses source code, provided there are no dependency problems. The RPM system, while an excellent package management tool, is fraught with problems regarding dependencies. It understands and reports what the specific package requires to install, but is not by itself capable of acquiring and installing the packages necessary to fulfill those requirements. If you are not familiar with the term, dependencies are packages and/or libraries required by other packages. The Linux operating system is built on dependencies, which you can visualize as an upside-down tree structure. At the top of the tree are your basic user-installed programs, such as Snort. Snort depends on libpcap to operate, and libpcap requires other libraries to function.

Installing libpcre

The next package that will need to be installed on a SUSE Linux system is the PCRE (www.pcre.org) library package (from the developer's site: "The PCRE library is a set of functions that implement regular expression pattern matching using the same syntax and semantics as Perl 5"). Because of recent enhancements to the Snort rule language, Snort requires it to function. In fact, Snort won't compile without it. For a detailed discussion of the benefits of the PCRE functions and the Snort rule language in general, see Chapter 5, "Playing by the Rules." Depending on your setup, you might already have this installed. To install it on SUSE Linux, perform the following:

1. Download the latest PCRE package from ftp://ftp.sourceforge.net/pub/sourceforge/p/pc/pcre/ (the Windows port can be found at http://gnuwin32.sourceforge.net/packages/pcre.htm) and extract it to your home directory. The current version as of the writing of this book is 4.3. This will create a directory called pcre-4.3.
2. Change directories into it and issue the following commands to build the software:

   ./configure
   make
   make install

Now you are ready to continue with the rest of the installation.

Installing MySQL

Snort 2.1.1 can be used in conjunction with a number of different database packages; as with choice of OS, choice of database is highly personal. In this case, we will use MySQL as the example, although it is equally easy to make Snort work with PostgreSQL, Oracle, or MS SQL Server.

OINK!
There are a number of reasons not to place your database directly on the IDS sensor itself. Some of the most important ones are speed (running the database may take precious resources from the IDS) and security. We strongly recommend that you use Barnyard to take the Snort logs and load them into a database. For more on Barnyard, see Chapter 11, "Mucking Around with Barnyard."

First, you will need to make sure that MySQL is not already installed on your system. From the command line, enter the following command (the SUSE package names are lowercase, so match case-insensitively):

   rpm -qa | grep -i mysql

That command should return you to an empty prompt. If it doesn't, you can skip the installation steps that follow; you already have it installed.

Installing from RPM

SUSE Linux 9.1 comes with MySQL v4.0.18, and it can be easily loaded from the YaST Install and Remove Software application. To install the MySQL server from the GUI, launch the K menu and go to SYSTEM > YAST > INSTALL AND REMOVE SOFTWARE; from the command line, launch /sbin/yast (see Figure 3.6).

Figure 3.6 Search for MySQL

1. When the program launches, tab over to Install and Remove Software, and press Enter.
2. Highlight the Filters button and press the down arrow until Search is selected. Press Enter. Type mysql in the text box, tab down to the OK button, and press Enter (see Figure 3.7).
3. In the next screen, arrow down to highlight mysql, and press either the Space bar or the Plus (+) key on it. If you've done this correctly, there will be a plus sign next to the entry. Other dependencies will also be selected by the system automatically (in most cases, mysql-client).
4. Tab down to the Accept button and press Enter.
5. The system will prompt you to accept the changes. Tab down to OK and press Enter.
6. SUSE will then ask you to insert a CD or multiple CDs depending on your setup and version. SUSE Pro 9.1 will only ask for CD 3. Insert the required media, tab down to the OK button, and press Enter.
7. The system will continue the installation as requested. There will be no more prompts and you will be returned to the YaST main screen when it's done.
8. Tab down to the Quit button and press Enter.

Figure 3.7 Install MySQL

Installing from Source

First, we need to download the MySQL archive (which can be found at www.mysql.com/downloads/mysql-4.0.html). The current stable version as of the writing of this book is 4.0.18. The only package you should have to download is the standard package. Download it to a place that is easily remembered, such as your home directory. In the case of this documentation, we will assume this location is /root. The first step after downloading it will be to extract it. Enter the following line at the command prompt:

   tar zxvf /root/mysql-standard-4.0.18-pc-linux-i686.tar.gz

Note that the mysql-standard-4.0.18-pc-linux-i686 archive is MySQL's precompiled binary distribution; the configure and make steps below apply to the source tarball (mysql-4.0.18.tar.gz from the same download page), so download that one if you intend to build. Either way, the archive is extracted into the /root directory. Change into the directory it created; the next step will be to build the package and install it to the system. Enter the following at the prompt (each option begins with two dashes):

   ./configure --prefix=/usr/local/mysql --localstatedir=/usr/local/mysql/data --enable-large-files-without-debug --with-mysqld-user=mysql --disable-maintainer-mode

If all goes well, this command will complete without error. The next thing to do is build and install it. To do this, enter the following:

   make && make install

Your software should now be installed successfully. Now you need to create the mysql group by entering this command at the prompt:

   /usr/sbin/groupadd mysql

Now create the mysql user (who belongs to the group we just created) to run the service:

   /usr/sbin/useradd -g mysql mysql

The next thing we will do is install the database files and adjust file permissions. (Note: Each of the following lines needs to be entered individually.)

   ./scripts/mysql_install_db
   chown root:mysql /usr/local/mysql -R
   chown mysql:mysql /usr/local/mysql/data -R

Next, we need to edit /etc/ld.so.conf and add the following line, then run ldconfig so the dynamic linker picks up the new library path:

   /usr/local/mysql/lib/mysql

The last thing that needs to be done is to set the root password for MySQL (the YOUR_PASSWORD_HERE string is a placeholder here and should be changed to the password you want to use). The server must already be running (started with mysqld_safe from the bin directory) for mysqladmin to connect. Be aware that a password given on the command line like this is visible to every user on the machine in the process list while the command runs and is written to your shell history, so clear the history entry afterwards or prefer a method that reads the password from a protected file or an interactive prompt:

   /usr/local/mysql/bin/mysqladmin -u root password YOUR_PASSWORD_HERE

Installing Snort

Now we can get into the actual installation of Snort. So far, we have covered the basics of Linux package management, including RPM installs, source compilation, and installing libpcap, so this next section should be fairly easy for us to get through. The installation of Snort is painless, so we can save all of our energy for the setup, configuration, and rules management. First, you need to get Snort.
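The mysqladmin step above leaves the new password in the process list and in shell history, and a database freshly created by mysql_install_db also carries anonymous accounts and an open test database. The following shell functions are an added example, not code from the book or from MySQL: they generate the lock-down statements for the 4.0-era server installed in this section and feed them to the client from a mode-0600 temporary file, so the password never appears on a command line. The client path /usr/local/mysql/bin/mysql follows the chapter's --prefix and is an assumption, as is that the server has already been started.

```shell
#!/bin/sh
# Added example (not the book's or MySQL's own code): lock down a fresh
# mysql_install_db database without putting the root password on a command
# line. Assumes the chapter's --prefix=/usr/local/mysql and a running server.

# Escape a string for use inside a single-quoted SQL literal:
# backslashes are doubled, then single quotes are doubled.
sql_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# Emit the hardening statements for the given root password.
# Column and function names are the MySQL 4.0 ones (Password, PASSWORD()).
mysql_hardening_sql() {
    pw=$(sql_escape "$1")
    cat <<EOF
-- Set the password on every root row (root@localhost and root@<hostname>).
UPDATE mysql.user SET Password=PASSWORD('${pw}') WHERE User='root';
-- mysql_install_db creates anonymous accounts; a sensor database has no use for them.
DELETE FROM mysql.user WHERE User='';
-- Drop the world-accessible test database and the grants that refer to it.
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
FLUSH PRIVILEGES;
EOF
}

# Write the SQL to a private temp file and run it through the client, so the
# password is never an argument visible in ps output or shell history.
mysql_harden() {
    pw="$1"
    client="${2:-/usr/local/mysql/bin/mysql}"   # assumption: chapter's prefix
    (
        umask 077                                 # temp file readable by us only
        tmp=$(mktemp) || exit 1
        mysql_hardening_sql "$pw" > "$tmp"
        "$client" -u root < "$tmp"
        rc=$?
        rm -f "$tmp"
        exit $rc
    )
}

# Usage (interactive, so the password is typed rather than passed as an argument):
#   printf 'New MySQL root password: '; stty -echo; read pw; stty echo; echo
#   mysql_harden "$pw"
```

After mysql_harden has run once, root requires the password, so later invocations of the client need -p (which prompts) rather than a password on the command line.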
Whether you choose to get it from the Web site at www.snort.org or on the accompanying CD-ROM is entirely up to you. The version on the CD-ROM is 2.1.1, so we will use it in our example install. This is the most current stable version available at press time. Please note that we strongly recommend going to www.snort.org and downloading the newest stable release, as you will benefit from new functionality, bug fixes, stability, and speed enhancements. This software is constantly changing, growing, and getting better every day.

A Brief Word about Sentinix GNU/Linux

It was not until recently that we came across a wonderful Linux distribution called SENTINIX. What is it? The description from their Web site (www.sentinix.org) sums it up fairly well:

"SENTINIX is a GNU/Linux distribution designed for monitoring, intrusion detection, penetration testing, auditing, statistics/graphing, and anti-spam. It's completely free; free to use, free to modify, and free to distribute. SENTINIX includes the following software, installed and preconfigured; Nagios, Nagat, Snort, SnortCenter, ACID, Cacti, RRDTool, Nessus, Postfix, MailScanner, SpamAssassin, openMosix, MySQL, Apache, PHP, Perl, Python, and lots more."

What struck us about this Linux distribution, other than the obvious abundance of security and scanning software, was the Web-based configuration. Basically, you can build the server, load the operating system, tuck it away in a rack somewhere, and sit at your desk to configure it through a Web browser. The developers have done an excellent job making Snort friendlier to use via the SnortCenter Web interface (see Figure 3.8). This is well worth a look if you are serious about intrusion detection and need the convenience of a Web-based console.

Figure 3.8 SENTINIX Snort Console

OINK!
All of the components of SENTINIX Linux can be downloaded individually from the Internet free of charge, so if you don't want the entire distribution you can simply download and install the packages you want on an existing Linux or Windows installation. The distribution is built entirely from open-source software, so it is completely legal and recommended.

The installation was devoid of a GUI, but it was so simple that almost anyone with a bit of Linux experience wouldn't have any problems understanding how to get everything running. The configuration of all the scanners (including Snort) has already been done for you; all you have to do is power it on. This is not to say that you cannot go into the system via a Web browser and configure your own rules, and so forth; this is very easy to do. The software will also generate reports, issue alerts, and generally make your IDS life a little easier. You have to admit, we can all use a little lift from time to time, especially when it comes to working with computer systems.

Installing Snort from Source

There is something to be said about installing software from source code. In our opinion, it is the easiest and best way to install a properly functioning software package. In this section, we will be installing the Snort 2.1.1 package from a source tarball located on the accompanying CD-ROM. To install Snort, simply follow these steps:

1. As root, browse to the /Snort-2.1.1/Linux/src folder located in the Chapter 3 directory (03) on the CD-ROM.
2. Copy the tarball to the /tmp directory by typing cp snort-2.1.1.tar.gz /tmp at the command line.
3. Change directories to /tmp by typing cd /tmp at the command line.
4. Extract the tar archive by issuing the command tar -zxvf snort-2.1.1.tar.gz.
5. Change directories into the newly created Snort directory by typing cd snort-2.1.1.
6. At the command line, type ./configure to configure the package. You should see text start to scroll by (similar to the example in Figure 3.9). This is the step that inspects the system and generates the Makefile.

Figure 3.9 Running the Snort configure Script

7. Next, type make at the command line. This compiles Snort using the Makefile that configure generated.

OINK!
This might take some time depending on the speed of the target machine.

8. As the final step in the build process, type make install at the command prompt. This action will deliver the package and its files to where they belong in the system. The Snort install is now officially complete. We can now move on to basic customization.

OINK!
The make install step must be done as root, or Snort won't be able to install properly. Only that step needs root, though: running configure and make as an unprivileged user limits what a tampered tarball or build script could do to the system.

Enabling Features via configure

During the build process (more specifically, during the configure script portion), we can pass options to the installer to customize it to whatever specific situation or needs we might have. These were harvested from the /docs/INSTALL file in the Snort 2.1.1 tarball (which is on the accompanying CD-ROM, so if you ever need to reference them, you can find them there). Each option is given to configure with a leading double dash, as written below.

■ --enable-debug Enable debugging options (bug reports and developers only).
■ --with-snmp Enable SNMP alerting code.
■ --enable-smbalerts Enable the SMB alerting code, which is somewhat unsafe because it executes a popen() call from within the program (which runs at root privs). You've been warned, so use it with caution!
■ --enable-flexresp Enable the "Flexible Response" code, which allows you to cancel hostile connections at the IP level when a rule matches. When you enable this feature, you also need the libnet library that can be found at www.packetfactory.net/libnet. See README.FLEXRESP for details. This function is in stable release 1.1.2.1 as this book goes to press.
■ --with-mysql=DIR Support for MySQL; turn this on if you want to use ACID with MySQL.
■ --with-odbc=DIR Support for ODBC databases; turn this on if you want to use ACID with a nonlisted DB.
■ --with-postgresql=DIR Support for PostgreSQL databases; turn this on if you want to use ACID with PostgreSQL.
■ --with-oracle=DIR Support for Oracle databases; turn this on if you want to use ACID with Oracle.
■ --with-openssl=DIR Support for OpenSSL (used by the XML output plug-in).
■ --with-libpq-includes=DIR Set the include directories for PostgreSQL database support to DIR.
■ --with-libpq-libraries=DIR Set the library directories for PostgreSQL database support to DIR. Setting both of these values enables the Postgres output plug-in module.
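The source install above runs every step as root and never checks what was downloaded. As an added example (not from the book or the Snort project), the shell functions below wrap the same configure, make, make install sequence so that the tarball is first compared against a SHA-256 digest obtained out of band (a release announcement, a signed checksum file, or the CD-ROM's own listing), the unprivileged steps run as an ordinary user, and only make install is elevated. The expected digest is something you supply; no real snort.org checksum is given here, and the availability of sudo is an assumption.

```shell
#!/bin/sh
# Added example (not the book's or the Snort project's code): verify a source
# tarball before building it, and keep root out of configure and make.
# Digest values and configure flags are placeholders supplied by the operator.

# Print the SHA-256 of a file using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Return 0 if the file's digest matches the expected hex digest (case-insensitive),
# 1 on mismatch, 2 if the file does not exist.
verify_tarball() {
    file="$1"; expected="$2"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = \
         "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]; then
        return 0
    fi
    echo "digest mismatch for $file" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
}

# Verify, unpack, configure and compile as the current user; elevate only for
# make install, the one step that writes to system directories. Extra arguments
# are passed to configure (for example --with-mysql=/usr/local/mysql).
build_snort() {
    tarball="$1"; expected="$2"; shift 2
    verify_tarball "$tarball" "$expected" || return 1
    srcdir=$(basename "$tarball" .tar.gz)
    tar -xzf "$tarball" || return 1
    ( cd "$srcdir" && ./configure "$@" && make ) || return 1
    if [ "$(id -u)" -eq 0 ]; then
        ( cd "$srcdir" && make install )
    else
        ( cd "$srcdir" && sudo make install )   # assumption: sudo is configured
    fi
}

# Example invocation (placeholders, not real values):
#   build_snort snort-2.1.1.tar.gz <sha256-from-the-release-announcement> \
#       --with-mysql=/usr/local/mysql --enable-flexresp
```

A digest copied from the same download page as the tarball proves little, since whoever replaced one file could replace the other; take it from a second channel, and treat a mismatch as a reason to stop rather than retry.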
[...]

   /usr/ports/net/snort/w-snort-2.0.0p1/fake-i386/usr/local/share/examples/snort
   install -c -o root -g bin -m 444 /usr/ports/net/snort/w-snort-2.0.0p1/snort-2.0.0/etc/reference.config /usr/ports/net/snort/w-snort-2.0.0p1/fake-i386/usr/local/share/examples/snort
   install -c -o root -g bin -m 444 /usr/ports/net/snort/w-snort-2.0.0p1/snort-2.0.0/rules/*.rules /usr/ports/net/snort/w-snort-2.0.0p1/fake-i386/usr/local/share/examples/snort

[...]

   Making install in detection-plugins
   Making install in preprocessors
   Making install in parser
   /bin/sh /usr/ports/net/snort/w-snort-2.0.0p1/snort-2.0.0/mkinstalldirs /usr/ports/net/snort/w-snort-2.0.0p1/fake-i386/usr/local/bin
   install -c -s -o root -g bin -m 555 snort /usr/ports/net/snort/w-snort-2.0.0p1/fake-i386/usr/local/bin/snort
   Making install in doc
   Making install in [...]

[...] your sensor, in order to build binaries on

   [X] bsd
   [X] bsd.rd
   [X] base35.tgz
   [X] etc35.tgz
   [X] misc35.tgz
   [X] comp35.tgz
   [X] man35.tgz
   [ ] game35.tgz
   [ ] xbase35.tgz
   [ ] xshare35.tgz
   [ ] xfont35.tgz
   [ ] xserv35.tgz

Option 1: Using OpenBSD Ports

The OpenBSD ports system is a method [...]

   [...] i386/usr/local/share/examples/snort
   ===> Building package for snort-2.0.0p1
   Creating package /usr/ports/packages/i386/all/snort-2.0.0p1.tgz
   Creating gzip'd tar ball in '/usr/ports/packages/i386/all/snort-2.0.0p1.tgz'
   Link to /usr/ports/packages/i386/ftp/snort-2.0.0p1.tgz
   Link to /usr/ports/packages/i386/cdrom/snort-2.0.0p1.tgz

[...]

   ftp://ftp.openbsd.org/pub/OpenBSD/3.5/packages/i386/snort-2.0.0p1.tgz
   Adding ftp://ftp.openbsd.org/pub/OpenBSD/3.5/packages/i386/snort-2.0.0p1.tgz
   extracting /usr/local/bin/snort
   extracting /usr/local/man/man8/snort.8
   The Snort rule examples have been installed in /usr/local/share/examples/snort
   OpenBSDhost#

[...] (see Figure 3.13)

Figure 3.13 Whom to Alert

When this last question has been answered, the installation will continue. When it is complete (and providing there were no errors), you should be presented with the following output:

   Setting up snort-common (2.0.2-2)
   Setting up python2.3-docutils (0.3+cvs20030901-2)
   Setting up snort-rules-default (2.0.2-2)
   Setting up python-docutils (0.3+cvs20030901-2)
   Setting up snort (2.0.2-2)

[...] prompt, all you have to do is navigate to the /Snort-2.1.1/Linux/srpm folder and enter rpmbuild --rebuild snort-2.1.1-1snort.src.rpm. This will prompt RPM to rebuild the file into a regular RPM specifically designed for your system. The second example is for versions of RPM earlier than 4.1. For these systems, just enter rpm --rebuild snort-2.1.1-1snort.src.rpm. This [...]

[...] to say is that you can install the software simply by typing rpm -i snort-2.1.1-1snort.i386.rpm.

■ Inside X Windows If you are using KDE, GNOME, or one of the many X Windows systems out there, this set of instructions is for you. Inside the /Snort-2.1.1/Linux/RPM folder on the accompanying CD-ROM, double-click the snort-2.1.1-1snort.i386.rpm file. Under SUSE Linux, konqueror will load an HTML document with [...]

[...] be 192.168.0.0/24, which means that the network 192.168.0.0 through 192.168.0.255 (usable host addresses 192.168.0.1 through 192.168.0.254) will be represented, using a subnet mask of 255.255.255.0 (see Figure 3.14).

Figure 3.14 Editing the snort.conf
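HOME_NET takes a CIDR prefix, and the address part must be the network address: 192.168.0.5/24 is a host address, not a network, and is exactly what you get by copying an interface's address and appending the prefix length. The POSIX shell functions below are an added example, not the book's own code, for checking such a value before it goes into snort.conf. They print the netmask, the network and broadcast addresses and the usable host range for a prefix, and reject prefixes with host bits set, out-of-range or zero-padded octets, or a missing or invalid prefix length. They use only shell arithmetic, so they run on the sensor without extra tools.

```shell
#!/bin/sh
# Added example (not from the book): sanity-check a HOME_NET-style CIDR value.
# Output of cidr_info is one line: "netmask network broadcast first_host last_host".

# Convert dotted-quad to a 32-bit integer; fail on anything that is not four
# plain decimal octets in 0..255 (leading zeros rejected to avoid octal surprises).
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0[0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert a 32-bit integer back to dotted-quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Validate "a.b.c.d/n" and describe the network it denotes.
cidr_info() {
    addr=${1%/*}; plen=${1#*/}
    [ "$addr" != "$1" ] || { echo "no prefix length in $1" >&2; return 1; }
    case $plen in ''|*[!0-9]*) echo "bad prefix length: $plen" >&2; return 1;; esac
    [ "$plen" -le 32 ] || { echo "bad prefix length: $plen" >&2; return 1; }
    ip=$(ip_to_int "$addr") || { echo "bad address: $addr" >&2; return 1; }
    if [ "$plen" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    fi
    net=$(( ip & mask ))
    # Host bits set means the operator wrote a host address, not the network.
    if [ "$net" -ne "$ip" ]; then
        echo "$1: host bits set; did you mean $(int_to_ip $net)/$plen?" >&2
        return 1
    fi
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))
    # /31 and /32 have no separate network/broadcast addresses.
    if [ "$plen" -ge 31 ]; then
        first=$net; last=$bcast
    else
        first=$(( net + 1 )); last=$(( bcast - 1 ))
    fi
    echo "$(int_to_ip $mask) $(int_to_ip $net) $(int_to_ip $bcast) $(int_to_ip $first) $(int_to_ip $last)"
}

# Usage: cidr_info 192.168.0.0/24
#   prints: 255.255.255.0 192.168.0.0 192.168.0.255 192.168.0.1 192.168.0.254
```

Run it over every entry of a HOME_NET list (the comma-separated form uses the same a.b.c.d/n elements) and refuse to start the sensor if any entry fails; a HOME_NET that is too narrow silently turns the rules that depend on it into no-ops.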

Posted: 13/08/2014, 12:21


Contents

  • Snort 2 1 Intrusion Detection, Second Edition

    • Cover

    • Contents

    • Foreword

    • Chapter 1 Intrusion Detection Systems

      • Introducing Intrusion Detection Systems

        • What Is an Intrusion?

          • Legal Definitions

          • Scanning vs Compromise

          • Viruses and Worms-SQL Slammer

          • Live Attacks-Sendmail Buffer Overflow

          • How an IDS Works

            • What the IDS Is Watching

            • How the IDS Watches Your Network

            • How the IDS Takes the Data It Gathers and Finds Intrusion Attempts

            • What the IDS Does When It Finds an Attack Attempt

            • Answering Common IDS Questions

              • Why Are Intrusion Detection Systems Important?

              • Why Doesn't My Firewall Serve as an IDS?

              • Why Are Attackers Interested in Me?

                • Automated Scanning/Attacking Doesn't Care Who You Are

                • Desirable Resources Make You a Target

                • Political or Emotional Motivations

                • Where Does an IDS Fit with the Rest of My Security Plan?

                • Where Should I Be Looking for Intrusions?

                  • Operating System Security-Backdoors and Trojans

                  • Physical Security

                  • Application Security and Data Integrity
