$Header$

The following scripts were developed from ideas gleaned from the snort
mailing list, with some additions of my own. They make for a fairly
easy to manage and simple snort configuration on a Red Hat Linux
system.

The basic files are included in the snort-stuff.tar file (which unpacks
the files into the right places if untarred in the / directory.) This
README file then resides in /usr/doc/snort-stuff (to go along with Red
Hat's documentation directory structure.) This is the net effect of what
an RPM file would do, but I don't have time right now to go that far.
You can find the original at:

	http://staff.washington.edu/dittrich/misc/snort-stuff.tar

Right now, the basic files are:

	/usr/doc/snort-stuff/README.snort-stuff
					This file.
	/etc/rc.d/init.d/snort		Red Hat Linux startup script for snort
	/usr/local/etc/check-snort	Daily checkup script (run by cron)
	/usr/local/etc/rules.base	Base rules file (needs to be modified
					to suit your network.)

INSTALLATION

1). Unpack the files.

You can just unpack this tar file into /, like this:

	# cd /
	# tar -xvf /path/to/snort-stuff.tar
	etc/rc.d/init.d/snort
	usr/local/etc/check-snort
	usr/local/etc/rules.base
	usr/doc/snort-stuff/README

2). Create snort log and archive directories.

The "snort" rc startup script and "check-snort" log file processor
assume you are using the rules.base as defined here, and that you store
snort log files in /var/log/snort and archive prior days' logs in
/var/log/snort/archive. Create these now if they don't already exist:

	# mkdir -p /var/log/snort/archive
	# chown -R root.wheel /var/log/snort
	# chmod 750 /var/log/snort /var/log/snort/archive

(A directory needs the execute bit to be entered, so a recursive
"chmod 640" on /var/log/snort would strip that bit from the directories
and leave anyone but root unable to enter them. Use 750 on the
directories themselves and 640 on the log files snort writes into them,
so that only root and members of wheel can read the alert data.)

3). Set up snort rules files.

You now must edit /usr/local/etc/rules.base to set your own network
addresses and the list of DNS servers you want to ignore for portscan
reports (if you want to do this).

You next need to set up your rules, which in this case are just the rules
set up as part of ArachNIDS by Max Vision. You can get these with
"wget" (if you don't have it, you might as well install it now from your
favorite Red Hat archive site, as it is needed by the "check-snort" script.)

	# wget --output-document=/usr/local/etc/vision.rules \
		http://dev.whitehats.com/ids/vision.rules

4). Set up daily checkup script.

From the root account, edit your crontab (with "crontab -e") and add
the following line (or one adjusted to fit the time of day you wish
to process snort logs):

	0 0 * * * sh /usr/local/etc/check-snort

5). Configure snort startup script and start snort running.

You now must install the snort startup script in order for snort to
be run at boot and stopped/started by check-snort.

	# chkconfig --add snort

You can now start snort using this rc file.

	# /etc/rc.d/init.d/snort start

Lastly, check to see that it started correctly.

	# /etc/rc.d/init.d/snort status
	snort (pid 10739) is running...

You will now be mailed copies of alert and portscan files, and
notified of changes to the vision.rules file when necessary. (You
will also get email from cron with the snort stop/start messages to
confirm that things are working as expected.)
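
The installation steps above, collected into one POSIX sh script. This is
an added example and not part of snort-stuff or its check-snort script:
it creates the log directories with the right permission bits, installs
the ArachNIDS rules only when they actually changed (keeping the old copy
so a change can be reported), and moves a day's logs into the archive the
way check-snort has to before restarting snort. Assumptions not stated in
the README: snort's log files are named "alert" and "portscan.log", the
previous rules are kept as vision.rules.prev, and archived logs go into
archive/<YYYYMMDD>. The functions take a scratch root directory so they
can be exercised without touching / or the network.

```shell
#!/bin/sh
# Added example, not part of snort-stuff: the setup steps as shell
# functions that can be run against a scratch root ($1) or, as root
# with no argument, against the real filesystem.
# Assumed (not stated in the README): snort's log files are named
# "alert" and "portscan.log", the previous rules are kept as
# vision.rules.prev, and archived logs go into archive/<YYYYMMDD>.

# Step 2: log and archive directories.  Directories get 750 (the execute
# bit is what makes them traversable) and files 640, instead of a
# recursive 640.  Ownership is only changed when running as root on a
# system that has a wheel group.
setup_snort_dirs() {
    logdir="${1:-}/var/log/snort"
    mkdir -p "$logdir/archive"
    chmod 750 "$logdir" "$logdir/archive"
    find "$logdir" -type f -exec chmod 640 {} +
    if [ "$(id -u)" -eq 0 ] && grep -q '^wheel:' /etc/group; then
        chown -R root:wheel "$logdir"
    fi
}

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Step 3: install the ArachNIDS rules into $1.  The new copy is taken
# from $2 if given (lets this run offline), otherwise fetched with wget
# from the URL in the README.  The installed file is replaced only when
# the content differs, and the old version is kept as $1.prev so that a
# check-snort-style change report has something to diff against.
# Returns 0 if the rules were installed or changed, 1 if unchanged.
update_vision_rules() {
    dest=$1
    src=${2:-}
    if [ -z "$src" ]; then
        src=$(mktemp)
        wget --quiet --output-document="$src" \
            http://dev.whitehats.com/ids/vision.rules
    fi
    if [ -f "$dest" ] && cmp -s "$src" "$dest"; then
        return 1
    fi
    if [ -f "$dest" ]; then
        cp -p "$dest" "$dest.prev"
    fi
    cp "$src" "$dest"
    chmod 640 "$dest"
    return 0
}

# What the daily run has to do before restarting snort: move the current
# alert and portscan files under archive/<day> so the next run starts
# with fresh files and prior days stay readable (by root and wheel only).
archive_snort_logs() {
    logdir=$1
    day=${2:-$(date +%Y%m%d)}
    mkdir -p "$logdir/archive/$day"
    chmod 750 "$logdir/archive/$day"
    for f in alert portscan.log; do
        if [ -f "$logdir/$f" ]; then
            mv "$logdir/$f" "$logdir/archive/$day/$f"
        fi
    done
}

# Steps 2, 3 and 5 end to end: "sh snort-setup.sh install" as root.
# (Step 4, the crontab line, is still added with "crontab -e".)
if [ "${1:-}" = "install" ]; then
    setup_snort_dirs ""
    if update_vision_rules /usr/local/etc/vision.rules; then
        echo "vision.rules installed or updated"
    fi
    chkconfig --add snort
    /etc/rc.d/init.d/snort start
    /etc/rc.d/init.d/snort status
fi
```

Run it with a scratch root ("setup_snort_dirs /tmp/scratch" after sourcing
the file) to see the resulting modes before doing it for real; the
update function's return value is what a cron job would key its "rules
changed" mail on.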
92 | ||
93 | If you have any suggestions for changes, send them to me at | |
94 | <dittrich@cac.washington.edu>. |