Snort

Pages: 5 (1019 words) Published: 15 June 2012
Main

This document was written and is being maintained by Joshua D.
Abraham. It assumes the user has a basic understanding of computers.
It gives the steps for installing a Snort IDS sensor on FreeBSD 5.4
and notes the small differences between FreeBSD 5.4 and FreeBSD 6.0.

If you have any suggestions, comments or questions please feel free to
email me at jabra(-at-) ccs (dot) neu (dot) edu.

--------------------------------------------------------------------

1) Install software

$ pkg_add -r mysql41-client

$ pkg_add -r oinkmaster

$ pkg_add -r stunnel

2) Tweak configs

$ ee /etc/hosts

CHANGE the following

127.0.0.1 localhost localhost.my.domain
to
127.0.0.1 localhost sensor sensor.domain.com

Save and Quit [ esc a a ]
-------------------------

ifconfig_lnc0="DHCP"

3) Configure Snort

$ cd /usr/ports/security/snort/
$ make
(the options menu for snort 2.4 appears)

select mysql [tab]

$ make install clean

$ cd /usr/local/etc
$ cp snort.conf-sample snort.conf
$ chmod 644 snort.conf

$ ee snort.conf

Change the following from

var HOME_NET any
to
var HOME_NET [10.0.0.0/8, 192.168.0.0/16,172.20.0.0/16,172.26.0.0/16]

AND Change the following

preprocessor stream4_reassemble
to
#preprocessor stream4_reassemble

AND Change the following

preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
to
#preprocessor http_inspect: global \
#    iis_unicode_map unicode.map 1252

AND Change the following

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
to
#preprocessor http_inspect_server: server default \
#    profile all ports { 80 8080 8180 } oversize_dir_length 500

AND Change the following

preprocessor rpc_decode: 111 32771
to
#preprocessor rpc_decode: 111 32771

AND Change the following

preprocessor bo
to
#preprocessor bo

AND Change the following

preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low }
to
#preprocessor sfportscan: proto { all } \
#    memcap { 10000000 } \
#    sense_level { low }

AND Change the following

# output database: log, mssql, dbname=snort user=snort password=test
to (note this is one line)

output database: log, mysql, user=snorter password=$n0rt dbname=snort host=localhost


ADD the following (note this is one line)

output database: alert, mysql, user=snorter password=$n0rt dbname=snort host=localhost

CHANGE the following

#output alert_unified: filename snort.alert, limit 128
#output log_unified: filename snort.log, limit 128
to
output alert_unified: filename /usr/local/var/log/snort/snort.alert, limit 512
output log_unified: filename /usr/local/var/log/snort/snort.log, limit 512


Change all the rules to start with a # so that they are commented

#include $RULE_PATH/local.rules
# include $RULE_PATH/bad-traffic.rules
# include $RULE_PATH/exploit.rules
# include $RULE_PATH/scan.rules
# include $RULE_PATH/finger.rules
# include $RULE_PATH/ftp.rules
...
...
...

*NOTE*
if there are any other lines that start with include $RULE_PATH
comment them out by...
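The snort.conf edits in step 3 are easy to get subtly wrong by hand in ee (a missed continuation line leaves half a preprocessor block active). The script below is an added example, not part of the original guide: a POSIX sh script that applies the same edits with awk so they can be re-run and checked. The miniature snort.conf it edits, the temporary directory, and the database credentials it inserts (user snorter, password CHANGE_ME) are constructed placeholders standing in for the real sample file and the guide's own values.

```shell
#!/bin/sh
# Added example (not from the original guide): apply the step-3 snort.conf
# edits with awk instead of editing by hand, then check the result.
set -eu

# Constructed miniature of the stock snort.conf-sample lines the guide touches.
write_sample_conf() {
    cat > "$1" <<'EOF'
var HOME_NET any
var EXTERNAL_NET any
preprocessor stream4_reassemble
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         sense_level { low }
# output database: log, mssql, dbname=snort user=snort password=test
#output alert_unified: filename snort.alert, limit 128
#output log_unified: filename snort.log, limit 128
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
EOF
}

# apply_edits CONF HOME_NET DB_USER DB_PASS LOGDIR
# Rewrites CONF in place: sets HOME_NET, comments out the preprocessors the
# guide disables (including their backslash-continued lines), swaps the
# mssql output line for the two mysql lines, points unified output at
# LOGDIR with limit 512, and comments out every include $RULE_PATH line.
apply_edits() {
    conf=$1
    awk -v home_net="$2" -v db_user="$3" -v db_pass="$4" -v logdir="$5" '
    function disabled(name) {
        return name == "stream4_reassemble" || name == "http_inspect" ||
               name == "http_inspect_server" || name == "rpc_decode" ||
               name == "bo" || name == "sfportscan"
    }
    # Still inside a backslash-continued block that is being commented out.
    in_cont { print "# " $0; in_cont = ($0 ~ /\\$/); next }
    $1 == "var" && $2 == "HOME_NET" { print "var HOME_NET " home_net; next }
    $1 == "preprocessor" {
        name = $2; sub(/:$/, "", name)
        if (disabled(name)) { print "#" $0; in_cont = ($0 ~ /\\$/); next }
    }
    /^# *output database: log, mssql/ {
        creds = "user=" db_user " password=" db_pass " dbname=snort host=localhost"
        print "output database: log, mysql, " creds
        print "output database: alert, mysql, " creds
        next
    }
    /^# *output alert_unified:/ { print "output alert_unified: filename " logdir "/snort.alert, limit 512"; next }
    /^# *output log_unified:/   { print "output log_unified: filename " logdir "/snort.log, limit 512"; next }
    /^include \$RULE_PATH\// { print "#" $0; next }
    { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# check_conf CONF: return 0 when the file has the shape the guide describes.
check_conf() {
    conf=$1
    grep -q '^var HOME_NET \[' "$conf" || return 1
    ! grep -Eq '^preprocessor (stream4_reassemble|http_inspect|http_inspect_server|rpc_decode|bo|sfportscan)' "$conf" || return 1
    grep -q '^output database: log, mysql' "$conf" || return 1
    grep -q '^output database: alert, mysql' "$conf" || return 1
    grep -q '^output alert_unified: filename /' "$conf" || return 1
    grep -q '^output log_unified: filename /' "$conf" || return 1
    ! grep -q '^include \$RULE_PATH' "$conf" || return 1
    return 0
}

# Stand-alone demonstration on the constructed sample; no real snort.conf is touched.
demo() {
    dir=$(mktemp -d)
    conf="$dir/snort.conf"
    write_sample_conf "$conf"
    apply_edits "$conf" '[10.0.0.0/8,192.168.0.0/16,172.20.0.0/16,172.26.0.0/16]' \
        snorter CHANGE_ME /usr/local/var/log/snort
    check_conf "$conf" && status=ok || status=FAILED
    echo "snort.conf edits: $status"
    cat "$conf"
    rm -r "$dir"
}

demo
```

check_conf only confirms the edits landed; after running it against the real file, run `snort -T -c /usr/local/etc/snort.conf` so Snort itself parses the result. Note that commenting out stream4_reassemble and http_inspect, as the guide does, removes stream reassembly and HTTP normalization, so rules that depend on them will not fire on this sensor.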