Posted by: jasonk2600 | November 22, 2009

Snort IDS Sensor on FreeBSD

Installation

This document assumes that a MySQL server has already been configured for Snort sensors to connect to.  For more information on setting up a MySQL server for Snort, see “MySQL Backend for Snort”.  To begin, install oinkmaster and snort from the FreeBSD ports collection.  NOTE:  The default configuration for oinkmaster is sufficient; when configuring the snort port, be sure to select the MYSQL and FLEXRESP configuration options.  Should snort fail to compile on the first try, simply run make install clean a second time.

# cd /usr/ports/security/snort
# make config
# make install clean
   ....[ Lots of output ]....
# cd /usr/ports/security/oinkmaster
# make config
# make install clean
# rehash


Configuration

Oinkmaster is a simple utility used to download and update the Snort IDS ruleset from www.snort.org.  In order to get oinkmaster to communicate with the snort website, you will need to visit the site and obtain an oinkcode from the following link:  Get Oinkcode.  Once you have obtained your oinkcode continue by modifying /usr/local/etc/oinkmaster.conf to reflect the following settings:

url = http://www.snort.org/pub-bin/oinkmaster.cgi/[oinkcode]/snortrules-snapshot-CURRENT.tar.gz

Next, run oinkmaster to download the latest snort ruleset.

# oinkmaster -o /usr/local/etc/snort/rules/
  ....[ Lots of output ]....

Next, modify /usr/local/etc/snort/snort.conf to reflect the following settings. NOTE: Replace 192.168.1.0/24 with your IP network, user=snort with the snort database username, password=snort with the snort database user’s password, dbname=snort with the name of the snort database, and host=192.168.1.2 with the IP address or hostname of your database server.

var HOME_NET [192.168.1.0/24]
config detection: search-method lowmem
output database: log, mysql, user=snort password=snort dbname=snort host=192.168.1.2

Finally, you can skip down to the very bottom of snort.conf and comment out any ruleset that you don’t wish to use, or just leave it as-is.


Testing

Enable snort to start at system boot and run it for the first time.  Verify that everything is working by checking that snort is still running after you have started it.

# echo "snort_enable=YES" >> /etc/rc.conf
# /usr/local/etc/rc.d/snort start
Starting snort.
# /usr/local/etc/rc.d/snort status
snort is running as pid 87314

If snort has failed to start, check the log for details:

# tail /var/log/messages
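A pre-flight script for the setup above, added here as an example and not part of the original post. It checks that the [oinkcode] placeholder was actually replaced in oinkmaster.conf, that the output database line in snort.conf is complete and sits on one line (snort does not join wrapped lines), that both files are mode 0600 (one holds the oinkcode, the other the database password), and, when snort is on PATH, that snort -T accepts the configuration. The OINK_CONF and SNORT_CONF variables and the function names are my own choices; the default paths are the FreeBSD port locations the post uses.

```shell
#!/bin/sh
# Pre-flight check for the Snort + oinkmaster setup described above.
# Added example, not part of the original post. Default paths follow the
# FreeBSD port layout the post uses; override with OINK_CONF / SNORT_CONF.

OINK_CONF="${OINK_CONF:-/usr/local/etc/oinkmaster.conf}"
SNORT_CONF="${SNORT_CONF:-/usr/local/etc/snort/snort.conf}"

# Returns 0 if the url line names a ruleset snapshot and the [oinkcode]
# placeholder has been replaced, 1 otherwise.
check_oink_conf() {
    f="$1"
    if grep -q '^url *=.*\[oinkcode\]' "$f"; then
        echo "$f: [oinkcode] placeholder has not been replaced"; return 1
    fi
    if ! grep -q '^url *=.*snortrules-snapshot' "$f"; then
        echo "$f: no ruleset url found"; return 1
    fi
    return 0
}

# Returns 0 if snort.conf sets HOME_NET and has a mysql output line that
# carries user=, password=, dbname= and host= on that same line, 1 otherwise.
check_snort_conf() {
    f="$1"
    if ! grep -q '^var HOME_NET' "$f"; then
        echo "$f: HOME_NET not set"; return 1
    fi
    line=$(grep '^output database:' "$f" | head -n 1)
    if [ -z "$line" ]; then
        echo "$f: no output database line"; return 1
    fi
    for key in user= password= dbname= host=; do
        case "$line" in
            *"$key"*) ;;
            *) echo "$f: output database line is missing $key"; return 1 ;;
        esac
    done
    return 0
}

# Both files hold secrets (the oinkcode, the database password), so they
# should be readable by their owner only. Returns 0 if the mode is 0600.
check_perms() {
    f="$1"
    case "$(uname -s)" in
        FreeBSD|Darwin) mode=$(stat -f '%Lp' "$f") ;;
        *)              mode=$(stat -c '%a' "$f") ;;
    esac
    if [ "$mode" != "600" ]; then
        echo "$f: mode is $mode, expected 600"; return 1
    fi
    return 0
}

# Let snort parse the config without sniffing (-T); this surfaces rule and
# variable errors before the rc script tries to daemonize. Skipped (returns 0)
# when snort is not on PATH.
test_snort_conf() {
    if ! command -v snort >/dev/null 2>&1; then
        echo "snort not on PATH, skipping snort -T"; return 0
    fi
    snort -T -c "$1" >/dev/null 2>&1
}

# Run every check; the exit status is the number of failed checks.
preflight() {
    fails=0
    check_oink_conf  "$OINK_CONF"  || fails=$((fails + 1))
    check_perms      "$OINK_CONF"  || fails=$((fails + 1))
    check_snort_conf "$SNORT_CONF" || fails=$((fails + 1))
    check_perms      "$SNORT_CONF" || fails=$((fails + 1))
    test_snort_conf  "$SNORT_CONF" || fails=$((fails + 1))
    return $fails
}

if [ "${1:-}" = "run" ]; then
    preflight
fi
```

Save it as preflight.sh and run sh preflight.sh run before /usr/local/etc/rc.d/snort start; every failed check prints a line naming the file and the problem, and the exit status is the count of failures, so a zero exit means the sensor is ready to be started.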


  [EoF]