11/Nov/2005, tested on SuSE 10.0. The package versions named below are the ones current at that date; on a live sensor use the vendor's currently patched Snort, ACID and PostgreSQL packages instead.
Snort is an open source network intrusion detection system (NIDS). It needs libpcap; install both from the SuSE 10.0 packages (check the package signatures first, e.g. `rpm -K`): `# rpm -ihv libpcap-0.9.3-5.i586.rpm` `# rpm -ihv snort-2.3.3-2.i586.rpm`
Enable Snort and point it at the monitoring interface in promiscuous mode in the SuSE sysconfig file (presumably /etc/sysconfig/snort — confirm the path on your install): ... SNORT_INTERFACE="eth1" ... SNORT_ACTIVATE="yes" ... SNORT_PROMISC="yes" ...
# chkconfig snort on # /etc/init.d/snort start
# lynx http://oinkmaster.sourceforge.net
# cp oinkmaster-1.2.tar.gz /usr/local/src # cd /usr/local/src # tar zxvf oinkmaster-1.2.tar.gz # cd oinkmaster-1.2 # cp oinkmaster.conf oinkmaster.pl /etc/snort/ # mkdir /etc/snort/bk/ # chown root:snort /etc/snort/* # chmod g+x /etc/snort/oinkmaster.pl # chmod g+w /etc/snort/ -R
(The archive extracted must be the one copied — the original text extracted oinkmaster-1.1.tar.gz after copying 1.2.) Security note: the last command makes the whole /etc/snort tree, snort.conf included, writable by the snort group, i.e. by the same unprivileged user the sensor and the Oinkmaster cron job below run as; a compromise of that user can then rewrite the sensor's own configuration and rules. Oinkmaster only needs write access to the directory it installs rules into (here /etc/snort itself, because of the -o option used below) and to bk/, so prefer a dedicated rules directory (e.g. -o /etc/snort/rules) with group-write only there and on bk/. oinkmaster.conf also holds your oinkcode; keep it mode 0640 root:snort.
Set the download URL in oinkmaster.conf, substituting your own oinkcode for your_oinkcode: ... url = http://www.snort.org/pub-bin/oinkmaster.cgi/your_oinkcode/snortrules-snapshot-2.3.tar.gz ... The oinkcode is a credential and is sent as part of the URL, so use https:// here if the server offers it (Oinkmaster can fetch over https when the required Perl modules are installed — confirm on your system) and keep oinkmaster.conf unreadable to other users. The downloaded rules are installed without any signature check, so this download path is a trust boundary for the sensor.
First run, as the snort user: # su - snort $ /etc/snort/oinkmaster.pl -C /etc/snort/oinkmaster.conf -o /etc/snort -b /etc/snort/bk 2>&1 > /dev/null
Note that with `2>&1 > /dev/null` in this order the normal progress output is discarded and only errors reach the terminal; run it without the redirection to see the output shown here: Loading /etc/snort/oinkmaster.conf Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/your_oinkcode/snortrules-snapshot-2.3.tar.gz... done. Archive successfully downloaded, unpacking... done. Setting up rules structures... done. Processing downloaded rules... disabled 0, enabled 0, modified 0, total=4798 Setting up rules structures... done. Comparing new files to the old ones... done. Creating backup of old rules... saved as /etc/snort/bk/rules-backup-20060130-162150.tar.gz. Updating rules... done.
# Oinkmaster for Snort — system crontab entry (in /etc/crontab or a file under /etc/cron.d, where the sixth field is the user to run as; the location is not shown here), run nightly as the snort user: 30 2 * * * snort /etc/snort/oinkmaster.pl -C /etc/snort/oinkmaster.conf -o /etc/snort -b /etc/snort/bk 2>&1 > /dev/null
The option is -C with a single dash, as in the interactive run above (the original text had `--C`). The redirection order is deliberate for cron: stdout is discarded, stderr still goes to cron's mail. Snort only picks up the updated rules after a reload (see `/etc/init.d/snort reload` below); the cron entry does not do that for you.
| Package | URL | |
|---|---|---|
| acid-0.9.6b23.tar.gz | http://acidlab.sourceforge.net/ | |
| adodb471-1.tgz | http://adodb.sourceforge.net/ | |
| jpgraph-1.20.2.tar.gz | http://www.aditus.nu/jpgraph/ | |
# cp adodb471-1.tgz /usr/local/src/ # cd /usr/local/src/ # tar zxvf adodb471-1.tgz # cp -R adodb /srv/www/htdocs
(The archive extracted must be the one downloaded above; the original text extracted adodb453.tgz.) ADOdb is only included by ACID's PHP code and does not need to be reachable by URL: if it stays inside the DocumentRoot, deny direct web access to /adodb/ in the Apache configuration, or install it outside the DocumentRoot and point $DBlib_path in acid_conf.php at it.
# cp jpgraph-1.20.2.tar.gz /usr/local/src/ # cd /usr/local/src/ # tar zxvf jpgraph-1.20.2.tar.gz # cp -R jpgraph-1.20.2/src/ /srv/www/htdocs/jpgraph
# cp acid-0.9.6b23.tar.gz /usr/local/src # cd /usr/local/src # tar zxvf acid-0.9.6b23.tar.gz # cp -R acid /srv/www/htdocs/
Caveat: the console is now served from /acid/ with no access control of its own as far as this setup shows (ACID expects the web server to authenticate users), and it displays every alert payload the sensor stored — which, with the login rules at the end of this page, includes captured user names and passwords. Put the acid/ directory behind Apache authentication and HTTPS before it is reachable from anything other than the sensor itself.
# su - postgres > createuser Enter name of user to add: snort Shall the new user be allowed to create databases? (y/n) n Shall the new user be allowed to create more new users? (y/n) n CREATE USER
Client authentication in pg_hba.conf (in the PostgreSQL data directory): the shipped line is commented out and replaced by trust:
`# host all all 127.0.0.1/32 ident sameuser`
`host all all 127.0.0.1/32 trust`
Security note: trust means any local process — any OS user, the Apache worker serving ACID included — can connect to every database as any role, the postgres superuser among them, without any credential. It is what makes the password-less createdb/psql, the snort output line and the empty $alert_password below work, but it should not stay that way on a sensor whose database stores captured credentials. Prefer a password on the snort role and md5 authentication limited to that role and database:
`host snort snort 127.0.0.1/32 md5`
(set the password as postgres with `ALTER USER snort WITH PASSWORD '...';`, then add password= to the snort output line and $alert_password to acid_conf.php, and reload PostgreSQL). ident sameuser on its own would admit the snort daemon and the cron job, which run as the OS user snort, but not ACID, which runs as the web server's user.
...
-- ACID "alert group": a named bucket that alerts are filed into from the
-- console. ag_ctime/ag_ltime presumably hold creation and last-change times
-- (inferred from the column names -- verify against the ACID source).
CREATE TABLE acid_ag (
    ag_id    SERIAL PRIMARY KEY,   -- PRIMARY KEY already implies NOT NULL
    ag_name  TEXT,
    ag_desc  TEXT,
    ag_ctime TIMESTAMP,
    ag_ltime TIMESTAMP
);
...
-- Per-address cache of the console's reverse-DNS and whois lookups, keyed by
-- the address stored as a 64-bit integer, with the time of each lookup so a
-- stale entry can be refreshed.
-- NOTE(review): ipc_whois presumably stores the raw answer of a remote whois
-- server, i.e. untrusted text -- confirm ACID escapes it before rendering.
CREATE TABLE acid_ip_cache (
    ipc_ip              INT8 PRIMARY KEY,   -- PRIMARY KEY already implies NOT NULL
    ipc_fqdn            TEXT,
    ipc_dns_timestamp   TIMESTAMP,
    ipc_whois           TEXT,
    ipc_whois_timestamp TIMESTAMP
);
# su - snort $ createdb -W snort Password: CREATE DATABASE > psql < /usr/share/doc/packages/snort/schemas/create_postgresql > psql < /srv/www/htdocs/acid/create_acid_tbls_pgsql.sql > psql < /srv/www/htdocs/acid/create_acid_tbls_pgsql_extra.sql > exit #
Tell Snort to log alerts to PostgreSQL in snort.conf — replace the distribution's example line (left commented) with one naming the sensor: `# output database: alert, postgresql, user=snort dbname=snort` `output database: alert, postgresql, user=snort dbname=snort host=localhost sensor_name=mysnort`. No password= is needed only because pg_hba.conf above trusts every local connection; if you switch that to md5 as recommended, add `password=...` here and make snort.conf readable by root and the snort group only, since it then holds a database credential.
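#!/bin/bash
# Nightly PostgreSQL maintenance for the Snort alert database(s):
#   1. VACUUM FULL + ANALYZE on every database,
#   2. a gzip'd pg_dump of each database listed in DBLIST,
#   3. removal of dumps older than BACKUPDAY days.
# Must run as root (database work is done via `su - postgres`); BACKUPDIR must
# exist and be writable by the postgres user.
# The dumps contain every stored alert payload -- with the login rules used on
# this sensor that includes clear-text user names and passwords -- so they are
# created unreadable to other users.

# Abort on the first failing command or unset variable: a half-written dump
# must never be compressed and kept as if it were a good backup.
set -eu

BACKUPDAY=7                          # days of dumps to keep
BACKUPDIR=/var/lib/pgsql/backups
DBLIST="
snort
"

# VACUUM FULL holds an exclusive lock on each table while it runs, during
# which Snort's database output plugin is blocked; schedule accordingly.
su - postgres -c "/usr/bin/vacuumdb --all --analyze --full"

for DB in $DBLIST
do
    # Dump file name: <db><YYYYMMDD>, e.g. snort20060130 (same format as before)
    BACKUPFILE="$BACKUPDIR/$DB$(/bin/date '+%Y%m%d')"

    # Write to a temporary name and rename only on success, so a failed
    # pg_dump never leaves a truncated file under the final name. umask is
    # set inside the su session because `su -` starts a login shell that may
    # reset it.
    su - postgres -c "umask 077 && /usr/bin/pg_dump $DB > $BACKUPFILE.tmp && /usr/bin/gzip -f $BACKUPFILE.tmp"
    mv -f "$BACKUPFILE.tmp.gz" "$BACKUPFILE.gz"
done

# Retention: only regular .gz files directly in BACKUPDIR, so the directory
# itself (and anything else placed there) is never handed to rm.
find "$BACKUPDIR" -maxdepth 1 -type f -name '*.gz' -mtime +"$BACKUPDAY" -exec rm -f {} \;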
# chmod 755 postgresql.cron
Edit the ACID configuration (acid_conf.php in the acid/ directory installed above): ... $DBlib_path = "../adodb"; ... $DBtype = "postgres"; ... $alert_dbname = "snort"; ... $alert_user = "snort"; ... $ChartLib_path = "../jpgraph"; ... — note there must be no trailing space inside the quotes; the original `"../jpgraph "` names a directory that does not exist. $alert_password is left empty only because pg_hba.conf trusts local connections; with md5 authentication it must be set, and the file then holds a database credential and must not be world-readable.
# /etc/init.d/snort reload

... # include $RULE_PATH/snmp.rules ...
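# Local "login seen" rules. Keep them in a local rules file that Oinkmaster
# does not overwrite. Each one matches the clear-text login exchange of a
# protocol, so with the database output plugin the matching payload -- user
# name and, for the PASS rules, the password -- is written to the snort DB and
# shown on the ACID console; protect the DB, its dumps and the console
# accordingly.
# sids are in the local range (>= 1000000) so they cannot collide with the
# snort.org rule sets; rev is 2 because every rule changed.
# flow:established,to_server restricts each rule to client->server data on an
# established stream, as the Basic Auth rule already did.
# FTP (RFC 959) and POP3 (RFC 1939) command words are case-insensitive, hence
# nocase; depth:4 pins the keyword to the start of the command line.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER "; flow:established,to_server; content:"USER"; nocase; depth:4; classtype:default-login-attempt; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS "; flow:established,to_server; content:"PASS"; nocase; depth:4; classtype:default-login-attempt; sid:1000002; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER"; flow:established,to_server; content:"USER"; nocase; depth:4; classtype:default-login-attempt; sid:1000003; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS"; flow:established,to_server; content:"PASS"; nocase; depth:4; classtype:default-login-attempt; sid:1000004; rev:2;)
# IMAP commands are preceded by a client tag ("a001 LOGIN ..."), so LOGIN is
# allowed anywhere within the first 11 bytes.
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP LOGIN"; flow:established,to_server; content:"LOGIN"; nocase; depth:11; classtype:default-login-attempt; sid:1000005; rev:2;)
# SquirrelMail's login form posts the field login_username=...
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SquirrelMail Login"; flow:established,to_server; content:"login_username="; depth:100; classtype:default-login-attempt; sid:1000006; rev:2;)
# "Message-ID" is a header inside the DATA phase, not the first bytes of a
# packet, so the old depth:10 (equal to the pattern length) almost never
# matched; search the whole payload. A message is not a login attempt either,
# so it is classified as misc-activity.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP Message"; flow:established,to_server; content:"Message-ID"; nocase; classtype:misc-activity; sid:1000007; rev:2;)
# HTTP Basic credentials follow "Basic " on the same header line; the old
# pattern demanded CR LF immediately after "Basic" and so could never match a
# real Authorization header.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Basic Auth"; flow:established,to_server; content:"Authorization|3a 20|Basic "; nocase; classtype:default-login-attempt; sid:1000008; rev:2;)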