Integration
Now we need to integrate many of the applications we have installed thus far.
cd /etc/snort
You will want to familiarize yourself with the /etc/snort/snort.conf file. The file itself
is well commented and discussed in the Official Snort Manual
(http://www.snort.org/docs/snort_htmanuals/htmanual_2615/). To get you and
your system started, the following variables need to be set. Open snort.conf with vi
or some other editor. If you choose an editor other than vi you may have to install it
from ports.
Change:
"var HOME_NET any"
to:
"var HOME_NET [192.168.1.0/24,192.168.0.3]"
Also change:
"var EXTERNAL_NET any"
to:
"var EXTERNAL_NET !$HOME_NET"
Nicholas Pappas 50
© 2021 SANS Institute, Author Retains Full Rights
© SANS Institute 2008, Author retains full rights.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Network IDS & IPS Deployment Strategies
To make Snort send alerts through Barnyard we uncomment the following lines:
# output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128
Such that they look like this:
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
Save your snort.conf changes and exit your favorite editor. Now we'll need to make
two configuration files. One for the first bridge and the other for the second bridge.
First, let's make barnyard-bridge0.conf:
cd /etc/snort/
cp barnyard.conf barnyard-bridge0.conf
Now make the following modifications:
Change:
# config daemon
to this
config daemon
Change:
#config localtime
to this
config localtime
Change:
config interface: fxp0
to
config interface: bridge0
Change:
output alert_fast
to
# output alert_fast
Change:
output log_dump
to
# output log_dump
Change:
config hostname: snorthost
to reflect your Snort sensor machine (which may very well be localhost)
config hostname: localhost
Now enable the following output plugin lines
#output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user root
# output log_acid_db: mysql, database snort, server localhost, user root, detail full
Such that they look similar to this, each on a single line (use the same password you set for the snort account in MySQL; secret-pass below is only a placeholder):
output alert_acid_db: mysql, sensor_id 0, database snort, server localhost, user snort, password secret-pass
output log_acid_db: mysql, database snort, server localhost, user snort, password secret-pass, detail full
Now save the barnyard-bridge0.conf file and make a copy of barnyard.conf for the next config file we'll need. In the next file we'll make the same changes; the only differences are swapping bridge0 for bridge1 and changing sensor_id 0 to sensor_id 1.
cp barnyard.conf barnyard-bridge1.conf
Now edit that file.
vi barnyard-bridge1.conf
Change:
# config daemon
to this
config daemon
Change:
#config localtime
to this
config localtime
Change:
config interface: fxp0
to
config interface: bridge1
Change:
output alert_fast
to
# output alert_fast
Change:
output log_dump
to
# output log_dump
Change:
config hostname: snorthost
to reflect your Snort sensor machine (which may very well be localhost)
config hostname: localhost
Now enable the following output plugin lines
#output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user root
# output log_acid_db: mysql, database snort, server localhost, user root, detail full
Such that they look similar to this, each on a single line (use the same password you set for the snort account in MySQL; secret-pass below is only a placeholder):
output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user snort, password secret-pass
output log_acid_db: mysql, database snort, server localhost, user snort, password secret-pass, detail full
Now save the barnyard-bridge1.conf file.
Once again, the only differences between barnyard-bridge0.conf and barnyard-bridge1.conf are the "config interface" line (bridge0 or bridge1) and the line starting with "output alert_acid_db", where sensor_id is either 0 or 1. Set permissions (the files contain the database password and need to be protected):
chmod 640 barnyard*.conf
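The two per-bridge files are produced by the same sequence of edits, so they are a natural candidate for a small generator. The script below is an added example and is not part of the paper or of Barnyard itself: it applies the edits listed above to a copy of barnyard.conf with sed and emits one file per bridge. It assumes the stock barnyard.conf carries the commented-out lines quoted in the procedure; the heredoc template inside the block is a constructed stand-in for that file, and the hostname, password and bridge names are the ones used as examples above.

```shell
#!/bin/sh
# Added example (not from the paper): render barnyard-bridgeN.conf from the
# stock barnyard.conf by applying the edits listed in the procedure with sed.
# The two rendered files then differ only in "config interface" and "sensor_id".

# make_barnyard_conf TEMPLATE BRIDGE SENSOR_ID HOSTNAME PASSWORD
# Writes the rendered configuration to stdout.
make_barnyard_conf() {
    template=$1 bridge=$2 sensor_id=$3 host=$4 password=$5
    # The password is spliced into a sed replacement, so it must not contain
    # '/', '&' or '\'; switch the delimiter if yours does.
    sed -e 's/^# *config daemon$/config daemon/' \
        -e 's/^# *config localtime$/config localtime/' \
        -e "s/^config interface: .*/config interface: $bridge/" \
        -e 's/^output alert_fast/# output alert_fast/' \
        -e 's/^output log_dump/# output log_dump/' \
        -e "s/^config hostname: .*/config hostname: $host/" \
        -e "s/^# *output alert_acid_db: .*/output alert_acid_db: mysql, sensor_id $sensor_id, database snort, server localhost, user snort, password $password/" \
        -e "s/^# *output log_acid_db: .*/output log_acid_db: mysql, database snort, server localhost, user snort, password $password, detail full/" \
        "$template"
}

# diff_line_count FILE_A FILE_B
# Number of lines of FILE_A that differ from FILE_B (per diff's '<' markers).
diff_line_count() {
    diff "$1" "$2" | grep -c '^<' || true
}

# Constructed stand-in for the stock barnyard.conf: only the lines the
# procedure touches, plus one line that must survive untouched.
write_template() {
    cat > "$1" <<'EOF'
# Barnyard configuration (constructed sample, not the real stock file)
# config daemon
#config localtime
config interface: fxp0
config hostname: snorthost
output alert_fast
output log_dump
#output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user root
# output log_acid_db: mysql, database snort, server localhost, user root, detail full
EOF
}

# Demonstration on the constructed template: render both per-bridge files
# into a scratch directory and restrict their permissions, as the procedure does.
tmpdir=$(mktemp -d)
write_template "$tmpdir/barnyard.conf"
make_barnyard_conf "$tmpdir/barnyard.conf" bridge0 0 localhost secret-pass > "$tmpdir/barnyard-bridge0.conf"
make_barnyard_conf "$tmpdir/barnyard.conf" bridge1 1 localhost secret-pass > "$tmpdir/barnyard-bridge1.conf"
chmod 640 "$tmpdir"/barnyard-bridge*.conf   # the files now hold the DB password
echo "lines differing between the two rendered files: $(diff_line_count "$tmpdir/barnyard-bridge0.conf" "$tmpdir/barnyard-bridge1.conf")"
```

On the sensor itself you would point the function at the real file, for example `make_barnyard_conf /etc/snort/barnyard.conf bridge0 0 localhost 'yourpass' > /etc/snort/barnyard-bridge0.conf`, and repeat with bridge1 and sensor_id 1. Running `diff` on the two results is a quick way to confirm that nothing but the interface and sensor_id lines changed.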
Copy the maps over.
cd /usr/ports/net/snort/w-snort-2.6.0.2p1/snort-2.6.0.2/etc/
cp gen-msg.map /etc/snort/
cp sid-msg.map /etc/snort/
Insert the following into /etc/rc.local; it will start both instances of Snort and Barnyard at boot. Note that this content goes below the entry we made earlier for MySQL, since Barnyard needs the database up before it starts.
--start of snip--
# Added to start Barnyard on bridge 0 during boot after the db is up but
# before Snort is brought up.
if [ -x /usr/local/bin/barnyard ]; then
/usr/local/bin/barnyard -D -w barn.waldo-0 -c /etc/snort/barnyard-bridge0.conf \
-d /var/snort/log/bridge0 -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map \
-f snort.log -X /tmp/barnyard-bridge0.pid
echo ' barnyard bridge 0'
fi
# Added to start Barnyard on bridge 1 during boot after the db is up but
# before Snort is brought up.
if [ -x /usr/local/bin/barnyard ]; then
/usr/local/bin/barnyard -D -w barn.waldo-1 -c /etc/snort/barnyard-bridge1.conf \
-d /var/snort/log/bridge1 -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map \
-f snort.log -X /tmp/barnyard-bridge1.pid
echo ' barnyard bridge 1'
fi
# Added to start the first Snort sensor during boot after the db is brought up.
if [ -x /usr/local/bin/snort ]; then
/usr/local/bin/snort -c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l \
/var/snort/log/bridge0 -G 0 -i bridge0 -D
sleep 5
echo ' snort bridge 0'
fi
# Added to start the second Snort sensor during boot after the db is brought up.
if [ -x /usr/local/bin/snort ]; then
/usr/local/bin/snort -c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l \
/var/snort/log/bridge1 -G 1 -i bridge1 -D
sleep 5
echo ' snort bridge 1'
fi
--end of snip--
Finally, some minor steps before we reboot for another test:
mkdir /var/snort/log/bridge0
mkdir /var/snort/log/bridge1
touch /etc/snort/rules/local.rules
chown -R _snort /etc/snort
Reboot and hope for the best. This is a critical test. Upon reboot you should have two snort daemons running, and their respective barnyards should be inserting the events found into MySQL. Now check to make sure you have snort running, two instances actually:
ps aux | grep snort
In the resulting output you should see two processes being run by _snort. If not, check /var/log/daemon for clues, and make sure this is working after a reboot. It may take a couple of tries, but it's crucial to ensure your system boots appropriately.
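A grep for "snort" confirms that two processes exist but not which bridges they cover, and it says nothing about Barnyard, whose absence silently leaves the unified files unread. The post-boot check below is an added example, not part of the paper: it reads ps output and reports, per bridge, whether the Snort sensor (running as _snort, on that interface) and the matching Barnyard (started with that bridge's config file) are present. It assumes the command lines from the rc.local snippet above and BSD-style ps aux column layout; the sample ps output embedded in the block is constructed, with bridge1's Barnyard deliberately absent. On OpenBSD use `ps auxww`, since plain `ps aux` may truncate long command lines and hide the `-i bridgeN` argument the check keys on.

```shell
#!/bin/sh
# Added example (not from the paper): post-reboot check that both Snort
# sensors and both Barnyard readers from rc.local are running.

# check_sensors < ps-output
# Prints one "OK:" or "MISSING:" line per expected process and returns the
# number of missing processes as its exit status (0 means everything is up).
check_sensors() {
    ps_out=$(cat)
    missing=0
    for bridge in bridge0 bridge1; do
        # Snort must run as _snort (first ps column) with "-i <bridge>" on its
        # command line; the group keeps "-i bridge1" from matching "bridge10".
        if printf '%s\n' "$ps_out" | grep -E "^_snort .*snort .*-i $bridge( |\$)" >/dev/null; then
            echo "OK: snort on $bridge (user _snort)"
        else
            echo "MISSING: snort on $bridge"
            missing=$((missing + 1))
        fi
        # Barnyard must have been started with this bridge's own config file.
        if printf '%s\n' "$ps_out" | grep -E "barnyard .*barnyard-$bridge\.conf" >/dev/null; then
            echo "OK: barnyard for $bridge"
        else
            echo "MISSING: barnyard for $bridge"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Constructed sample of `ps auxww` output (not captured from a real sensor):
# both Snort instances are up, Barnyard for bridge0 is up, Barnyard for
# bridge1 never started. The trailing "grep snort" line must not count.
sample_ps='USER     PID %CPU %MEM   VSZ   RSS TT  STAT  STARTED    TIME COMMAND
root       1  0.0  0.1   596   432 ??  Is     9:00AM 0:00.02 /sbin/init
root     812  0.0  0.4  3120  1980 ??  Is     9:00AM 0:00.10 /usr/local/bin/barnyard -D -w barn.waldo-0 -c /etc/snort/barnyard-bridge0.conf -d /var/snort/log/bridge0 -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -f snort.log -X /tmp/barnyard-bridge0.pid
_snort   901  0.3  5.0 41200 25100 ??  Ss     9:00AM 0:03.40 /usr/local/bin/snort -c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l /var/snort/log/bridge0 -G 0 -i bridge0 -D
_snort   905  0.3  5.0 41200 25080 ??  Ss     9:00AM 0:03.38 /usr/local/bin/snort -c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l /var/snort/log/bridge1 -G 1 -i bridge1 -D
root    1010  0.0  0.2  1500   900 p0  R+     9:05AM 0:00.00 grep snort'

# Demonstration on the constructed sample; on a live sensor run:
#   ps auxww | check_sensors
printf '%s\n' "$sample_ps" | check_sensors || echo "$? process(es) missing"
```

Because the function's exit status is the number of missing processes, it drops straight into a cron job or a post-boot hook: a non-zero status is the signal to go look in /var/log/daemon before trusting the sensor.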