[packages/snort.git] / README.snort-stuff

$Header$

The following scripts were developed from ideas gleaned from the snort
mailing list, with some stuff I came up with on my own.  It makes
for a fairly easy to manage and simple snort configuration on a Red
Hat Linux system.

The basic files are included in the snort-stuff.tar file (which unpacks the
files into the right places for each file, if untarred in the / directory.)
This README file then resides in /usr/doc/snort-stuff (to go along with Red
Hat's documentation directory structure.)  This is the net effect of
what an RPM file would do, but I don't have time right now to go that
far.  You can find the original at:

	http://staff.washington.edu/dittrich/misc/snort-stuff.tar

Right now, the basic files are:

/usr/doc/snort-stuff/README.snort-stuff
				This file.
/etc/rc.d/init.d/snort		Red Hat Linux startup script for snort
/usr/local/etc/check-snort	Daily checkup script (run by cron)
/usr/local/etc/rules.base	Base rules file (needs to be modified
				to suit your network.)

INSTALLATION

1).  Unpack the files.

You can just unpack this tar file into /, like this:

	# cd /
	# tar -xvf /path/to/snort-stuff.tar
	etc/rc.d/init.d/snort
	usr/local/etc/check-snort
	usr/local/etc/rules.base
	usr/doc/snort-stuff/README

2).  Create snort log and archive directories.

The "snort" rc startup script and "check-snort" log file processor
assume you are using the rules.base as defined here, and that you store
snort log files in /var/log/snort and archive prior days' logs in
/var/log/snort/archive.  Create these now if they don't already exist:

	# mkdir -p /var/log/snort/archive
	# chown -R root.wheel /var/log/snort
	# chmod -R 640 /var/log/snort

3).  Set up snort rules files.

You now must edit /usr/local/etc/rules.base to set your own network
addresses and list of DNS servers you want to ignore for portscan
reports (if you want to do this).

You next need to set up your rules, which in this case are just the rules
set up as part of ArachNIDS by Max Vision.  You can get these with
"wget" (if you don't have it, you might as well install it now from your
favorite Red Hat archive site, as it is needed by the "check-snort" script.)

	# wget --output-document=/usr/local/etc/vision.rules \
	  http://dev.whitehats.com/ids/vision.rules

4).  Set up daily checkup script.

From the root account, edit your crontab (with "crontab -e") and add
the following line (or one adjusted to fit the time of day you wish
to process snort logs):

	0 0 * * *	sh /usr/local/etc/check-snort

5).  Configure snort startup script and start snort running.

You now must install the snort startup script in order for snort to
be run at boot and stopped/started by check-snort.

	# chkconfig --add snort

You can now start snort using this rc file.

	# /etc/rc.d/init.d/snort start

Lastly, check to see that it started correctly.

	# /etc/rc.d/init.d/snort status
	snort (pid 10739) is running...

You will now be mailed copies of alert and portscan files, and
notified of changes to the vision.rules file when necessary.  (You
will also get email from cron with the snort stop/start messages to
confirm that things are working as expected.)

If you have any suggestions for changes, send them to me at
<dittrich@cac.washington.edu>.
Commit	Line	Data
3914b6b8 MP	1	$Header$
	2
	3	The following scripts were developed from ideas gleaned from the snort
	4	mailing list, with some stuff I came up with on my own. It makes
	5	for a fairly easy to manage and simple snort configuration on a Red
	6	Hat Linux system.
	7
	8	The basic files are included in the snort-stuff.tar file (which unpacks the
	9	files into the right places for each file, if untarred in the / directory.)
	10	This README file then resides in /usr/doc/snort-stuff (to go along with Red
	11	Hat's documentation directory structure.) This is the net effect of
	12	what an RPM file would do, but I don't have time right now to go that
	13	far. You can find the original at:
	14
	15	http://staff.washington.edu/dittrich/misc/snort-stuff.tar
	16
	17	Right now, the basic files are:
	18
	19	/usr/doc/snort-stuff/README.snort-stuff
	20	This file.
	21	/etc/rc.d/init.d/snort Red Hat Linux startup script for snort
	22	/usr/local/etc/check-snort Daily checkup script (run by cron)
	23	/usr/local/etc/rules.base Base rules file (needs to be modified
	24	to suit your network.)
	25
	26	INSTALLATION
	27
	28	1). Unpack the files.
	29
	30	You can just unpack this tar file into /, like this:
	31
	32	# cd /
	33	# tar -xvf /path/to/snort-stuff.tar
	34	etc/rc.d/init.d/snort
	35	usr/local/etc/check-snort
	36	usr/local/etc/rules.base
	37	usr/doc/snort-stuff/README
	38
	39	2). Create snort log and archive directories.
	40
	41	The "snort" rc startup script and "check-snort" log file processor
	42	assume you are using the rules.base as defined here, and that you store
	43	snort log files in /var/log/snort and archive prior days' logs in
	44	/var/log/snort/archive. Create these now if they don't already exist:
	45
	46	# mkdir -p /var/log/snort/archive
	47	# chown -R root.wheel /var/log/snort
	48	# chmod -R 640 /var/log/snort
	49
	50	3). Set up snort rules files.
	51
	52	You now must edit /usr/local/etc/rules.base to set your own network
	53	addresses and list of DNS servers you want to ignore for portscan
	54	reports (if you want to do this).
	55
	56	You next need to set up your rules, which in this case are just the rules
	57	set up as part of ArachNIDS by Max Vision. You can get these with
	58	"wget" (if you don't have it, you might as well install it now from your
	59	favorite Red Hat archive site, as it is needed by the "check-snort" script.)
	60
	61	# wget --output-document=/usr/local/etc/vision.rules \
	62	http://dev.whitehats.com/ids/vision.rules
	63
	64	4). Set up daily checkup script.
65
66	From the root account, edit your crontab (with "crontab -e") and add
67	the following line (or one adjusted to fit the time of day you wish
68	to process snort logs):
69
70	0 0 * * * sh /usr/local/etc/check-snort
71
72	5). Configure snort startup script and start snort running.
73
74	You now must install the snort startup script in order for snort to
75	be run at boot and stopped/started by check-snort.
76
77	# chkconfig --add snort
78
79	You can now start snort using this rc file.
80
81	# /etc/rc.d/init.d/snort start
82
83	Lastly, check to see that it started correctly.
84
85	# /etc/rc.d/init.d/snort status
86	snort (pid 10739) is running...
87
88	You will now be mailed copies of alert and portscan files, and
89	notified of changes to the vision.rules file when necessary. (You
90	will also get email from cron with the snort stop/start messages to
91	confirm that things are working as expected.)
92
93	If you have any suggestions for changes, send them to me at
94	<dittrich@cac.washington.edu>.