Gk's Blog
Tuesday, January 05, 2010
Install SnortCenter2 on Ubuntu 9.10 (quick note)
Install guide for snortcenter is here: http://users.telenet.be/larc/documentation/chap1.html
Snortcenter2: http://sourceforge.net/projects/snortcenter2/
Install webserver, php, mysql, curl and perl:
apt-get install apache2 mysql-server php5 php5-mysql perl curl
Create snort DB:
echo "CREATE DATABASE snort;" | mysql -u root -p
Install snort:
apt-get install snort-mysql
cd /usr/share/doc/snort-mysql/
zcat create_mysql.gz | mysql -uroot -p1 snort
Install snortcenter
Download snortcenter2:
wget http://downloads.sourceforge.net/project/snortcenter2/SnortCenter%20Console/SnortCenter%20Console%202.x%203_31_05/snortcenter-console-3-31-05.tar.gz?use_mirror=nchc
tar -vzxf snortcenter-console-3-31-05.tar.gz
mv snortcenter-release/ /var/www/snortcenter
Get adodb lib, place it where snortcenter can include it:
wget http://downloads.sourceforge.net/project/adodb/adodb-php5-only/adodb-510-for-php5/adodb510.tgz?use_mirror=nchc
tar -vzxf adodb510.tgz
mv adodb5 /var/www/snortcenter/adodb
Create snortcenter DB:
echo "CREATE DATABASE snortcenter;" | mysql -u root -p
Edit snortcenter config file:
vi /var/www/snortcenter/config.php
$DBlib_path = "/var/www/snortcenter/adodb/"; //use absolute path to get rid of an unknown error
//edit mysql conn
Edit database.php file to fix some bug
vi /var/www/snortcenter/database.php
Go to line 294 change "CREATE TABLE schema" to "CREATE TABLE `schema`"
Go to line 304 change "INSERT INTO schema" to "INSERT INTO `schema`"
Open URL: http://server/snortcenter/setup.php and get thing done.
Install snortcenter agent:
wget http://downloads.sourceforge.net/project/snortcenter2/SnortCenter%20Agent/Linux%20Agent/snortcenter-agent-v2.x.linux.tar.gz?use_mirror=nchc
tar -vxzf snortcenter-agent-v2.x.linux.tar.gz
cd sensor/
./setup.sh
conf/start
Go to snortcenter web to add sensor and Push to sensor Ur snort conf (Admin->Import/Update Rules->Copy and paste):
Snortcenter2: http://sourceforge.net/projects/snortcenter2/
Install webserver, php, mysql, curl and perl:
apt-get install apache2 mysql-server php5 php5-mysql perl curl
Create snort DB:
echo "CREATE DATABASE snort;" | mysql -u root -p
Install snort:
apt-get install snort-mysql
cd /usr/share/doc/snort-mysql/
zcat create_mysql.gz | mysql -uroot -p1 snort
Install snortcenter
Download snortcenter2:
wget http://downloads.sourceforge.net/project/snortcenter2/SnortCenter%20Console/SnortCenter%20Console%202.x%203_31_05/snortcenter-console-3-31-05.tar.gz?use_mirror=nchc
tar -vzxf snortcenter-console-3-31-05.tar.gz
mv snortcenter-release/ /var/www/snortcenter
Get adodb lib, place it where snortcenter can include it:
wget http://downloads.sourceforge.net/project/adodb/adodb-php5-only/adodb-510-for-php5/adodb510.tgz?use_mirror=nchc
tar -vzxf adodb510.tgz
mv adodb5 /var/www/snortcenter/adodb
Create snortcenter DB:
echo "CREATE DATABASE snortcenter;" | mysql -u root -p
Edit snortcenter config file:
vi /var/www/snortcenter/config.php
$DBlib_path = "/var/www/snortcenter/adodb/"; //use absolute path to get rid of an unknown error
//edit mysql conn
$DBtype = "mysql";
$DB_dbname = "snortcenter";
$DB_dbname = "snortcenter";
$DB_host = "localhost";
$DB_user = "root";
$DB_password = "1";
$DB_port = "";
Edit database.php file to fix some bug
vi /var/www/snortcenter/database.php
Go to line 294 change "CREATE TABLE schema" to "CREATE TABLE `schema`"
Go to line 304 change "INSERT INTO schema" to "INSERT INTO `schema`"
Open URL: http://server/snortcenter/setup.php and get thing done.
Install snortcenter agent:
wget http://downloads.sourceforge.net/project/snortcenter2/SnortCenter%20Agent/Linux%20Agent/snortcenter-agent-v2.x.linux.tar.gz?use_mirror=nchc
tar -vxzf snortcenter-agent-v2.x.linux.tar.gz
cd sensor/
./setup.sh
conf/start
Go to snortcenter web to add sensor and Push to sensor Ur snort conf (Admin->Import/Update Rules->Copy and paste):
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]¶ 5:17 PM 7 Comments
var HOME_NET 192.168.37.0/24
var RULE_PATH /etc/snort/rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var TELNET_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
var EXTERNAL_NET !$HOME_NET
var SNMP_SERVERS $HOME_NET
# Next variable automatic added by SnortCenter, used in some rule(s).
var HTTP_PORTS any
#
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
#
output log_tcpdump: tcpdump.log
#
#
#
config reference: bugtraq http://www.securityfocus.com/bid/
config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=
config reference: arachNIDS http://www.whitehats.com/info/IDS
config reference: McAfee http://vil.nai.com/vil/content/v_
config reference: nessus http://cgi.nessus.org/plugins/dump.php3?id=
config reference: url http://
#
#
#-------------------------------------------------------------------------------
# $Id: classification.config, Tuesday 05th 2010f January 2010 05:05:23 PM
#-------------------------------------------------------------------------------
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable code was detected,1
config classification: string-detect,A suspicious string was detected,3
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
config classification: system-call-detect,A system call was detected,2
config classification: tcp-connection,A TCP connection was detected,4
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: unusual-client-port-connection,A client was using an unusual port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,access to a potentially vulnerable web application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: kickass-porn,SCORE! Get the lotion!,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: default-login-attempt,Attempt to login by a default username and password,2
#
#
#-------------------------------------------------------------------------------
# $Id: Unknown-Catagory.rules, Tuesday 05th 2010f January 2010 05:05:23 PM
#-------------------------------------------------------------------------------
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( sid: 1837; rev: 2; msg: "PORN alt.binaries.pictures.tinygirls"; flow: to_client,established; content: "alt.binaries.pictures.tinygirls"; nocase; classtype: kickass-porn;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( sid: 1292; rev: 9; msg: "ATTACK-RESPONSES directory listing"; flow: established; content: "test"; classtype: bad-unknown;)
alert tcp any any -> any any ( sid: 10293; rev: 10; msg: "testkaka_is_coming"; content: "testkaka";)
