This document was written and is maintained by Joshua D. Abraham. It
assumes the reader has a basic understanding of computers. It contains
the steps for installing an IDS sensor on FreeBSD 5.4 and notes the
small differences between FreeBSD 5.4 and FreeBSD 6.0.
If you have any suggestions, comments or questions, please feel free to
email me at jabra (-at-) ccs (dot) neu (dot) edu.
--------------------------------------------------------------------
1) Install software
$ pkg_add -r mysql41-client
$ pkg_add -r oinkmaster
$ pkg_add -r stunnel
2) Tweak configs
$ ee /etc/hosts
CHANGE the following
127.0.0.1 localhost localhost.my.domain
to
127.0.0.1 localhost sensor sensor.domain.com
Save and Quit [ esc a a ]
-------------------------
ifconfig_lnc0="DHCP"
3) Configure Snort
$ cd /usr/ports/security/snort/
$ make
In the options dialog for snort 2.4, select mysql, then [tab] to OK
$ make install clean
$ cd /usr/local/etc
$ cp snort.conf-sample snort.conf
$ chmod 644 snort.conf
$ ee snort.conf
Change the following from
var HOME_NET any
to
var HOME_NET [10.0.0.0/8,192.168.0.0/16,172.20.0.0/16,172.26.0.0/16]
(no spaces inside the list; snort 2.4 does not accept them)
AND Change the following
preprocessor stream4_reassemble
to
#preprocessor stream4_reassemble
AND Change the following
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
to
#preprocessor http_inspect: global \
# iis_unicode_map unicode.map 1252
AND Change the following
preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 500
to
#preprocessor http_inspect_server: server default \
# profile all ports { 80 8080 8180 } oversize_dir_length 500
AND Change the following
preprocessor rpc_decode: 111 32771
to
#preprocessor rpc_decode: 111 32771
AND Change the following
preprocessor bo
to
#preprocessor bo
AND Change the following
preprocessor sfportscan: proto { all } \
memcap { 10000000 } \
sense_level { low }
to
#preprocessor sfportscan: proto { all } \
# memcap { 10000000 } \
# sense_level { low }
AND Change the following
# output database: log, mssql, dbname=snort user=snort password=test
to (note this is one line)
output database: log, mysql, user=snorter password=$n0rt dbname=snort host=localhost
ADD the following (note this is one line)
output database: alert, mysql, user=snorter password=$n0rt dbname=snort host=localhost
CHANGE the following
#output alert_unified: filename snort.alert, limit 128
#output log_unified: filename snort.log, limit 128
to
output alert_unified: filename /usr/local/var/log/snort/snort.alert, limit 512
output log_unified: filename /usr/local/var/log/snort/snort.log, limit 512
Change all the rule includes to start with a # so that they are commented out
# include $RULE_PATH/local.rules
# include $RULE_PATH/bad-traffic.rules
# include $RULE_PATH/exploit.rules
# include $RULE_PATH/scan.rules
# include $RULE_PATH/finger.rules
# include $RULE_PATH/ftp.rules
...
...
...
*NOTE*
if there are any other lines that start with include $RULE_PATH,
comment them out by adding a # to the beginning of the line.
Then ADD the following
include $RULE_PATH/bleeding.rules
Save and Quit [ esc a a ]
-------------------------
# For FreeBSD 5.4
$ cd /usr/local/share/snort
$ cp classification.config-sample \
/usr/local/share/snort/classification.config
$ cp reference.config-sample reference.config
# For FreeBSD 6.0
$ cd /usr/local/etc/snort
$ cp classification.config-sample classification.config
$ cp reference.config-sample reference.config
$ mkdir /var/log/snort
$ chown -R snorter:snorter /var/log/snort
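The include-commenting step above is tedious by hand and easy to get wrong; this added example (not part of the original guide) does it with sed and then audits the finished snort.conf for the edits this section asks for. The config fragment inside demo() is constructed; the file paths are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original guide: automate the snort.conf edits of
# step 3 (comment out every active "include $RULE_PATH/..." line, append the
# bleeding.rules include) and audit the result before Snort is started.
# POSIX sh only, so it works with FreeBSD's sed (no GNU "sed -i" needed).

# comment_rule_includes SRC DST: write DST from SRC with every active
# "include $RULE_PATH/..." line commented out and bleeding.rules appended.
comment_rule_includes() {
    sed -e 's/^[[:space:]]*include[[:space:]]*\$RULE_PATH/# include $RULE_PATH/' "$1" > "$2" &&
        printf 'include $RULE_PATH/bleeding.rules\n' >> "$2"
}

# active_rule_includes FILE: print the rule files still included, one per line.
active_rule_includes() {
    sed -n 's/^[[:space:]]*include[[:space:]]*\$RULE_PATH\///p' "$1"
}

# audit_snort_conf FILE: one line per problem on stdout; returns 1 if any.
# Checks what the guide's edits are meant to achieve: HOME_NET is no longer
# "any", only bleeding.rules is included, both mysql output lines exist.
audit_snort_conf() {
    rc=0
    grep -q '^var HOME_NET any' "$1" && { echo "HOME_NET is still any"; rc=1; }
    for r in $(active_rule_includes "$1"); do
        [ "$r" = "bleeding.rules" ] || { echo "stray include: $r"; rc=1; }
    done
    for t in log alert; do
        grep -q "^output database: $t, mysql" "$1" ||
            { echo "missing mysql $t output line"; rc=1; }
    done
    return $rc
}

# demo: run both steps over a constructed fragment like the one in step 3.
demo() {
    src=$(mktemp) && dst=$(mktemp) || return 1
    cat > "$src" <<'EOF'
var HOME_NET [10.0.0.0/8,192.168.0.0/16,172.20.0.0/16,172.26.0.0/16]
output database: log, mysql, user=snorter password=$n0rt dbname=snort host=localhost
output database: alert, mysql, user=snorter password=$n0rt dbname=snort host=localhost
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
EOF
    comment_rule_includes "$src" "$dst"
    audit_snort_conf "$dst" && echo "snort.conf passes the audit"
    rm -f "$src" "$dst"
}
demo
```

Run audit_snort_conf against the real /usr/local/etc/snort.conf once the edits are done; an empty report means the file matches what this section describes.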
4) Configure Stunnel
$ cd /usr/local/etc/stunnel
$ cp stunnel.conf-sample stunnel.conf
$ chmod 644 stunnel.conf
$ ee stunnel.conf
Make the following Changes
chroot = /usr/local/var/stunnel
to
chroot = /var/tmp/stunnel
AND Change
;client = yes
to
client = yes
AND Change
[pop3s]
accept = 995
connect = 110
[imaps]
accept = 993
connect = 143
[ssmtp]
accept = 465
connect = 25
to
; [pop3s]
; accept = 995
; connect = 110
; [imaps]
; accept = 993
; connect = 143
; [ssmtp]
; accept = 465
; connect = 25
ADD the following
[3306]
accept = 127.0.0.1:3306
connect = [ server-ip ]:[ server-port ]
(replace both placeholders with the address and listening port of the
stunnel on the database server; connect takes host:port)
$ openssl req -new -x509 -days 365 -nodes -out mail.pem -keyout mail.pem
(-nodes leaves the key unencrypted so stunnel can start unattended at
boot; key and certificate both go into mail.pem, so no pass phrase is
asked for)
Country: US
State: MA
Locality: Boston
Org Name: Abraham Inc.
Unit Name: Internet Security
Common Name: Snorting
Email: snort@domain.com
$ chmod 600 mail.pem
$ mkdir -p /var/tmp/stunnel
$ chown stunnel:stunnel /var/tmp/stunnel
(this is the chroot directory set above and where rc.conf will put the pid file)
5) Configure Firewall
$ ee /etc/ipfw.sensor
Add the following
# Firewall for sensors #
################ Start of IPFW rules file
###############################
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
iif="lnc0" # Internal interface name of NIC
pif="lnc1" # Public interface name of NIC
# facing the public Internet
loop="lo0"
#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 00005 allow all from any to any via $loop
$cmd 00010 allow all from any to any out via $iif keep-state
$cmd 00020 allow all from any to any in via $pif
$cmd 00025 allow tcp from any to any 22 out via $iif setup keep-state
$cmd 00040 allow tcp from any to me 22 in via $iif setup keep-state
$cmd 00050 allow tcp from any to me 3306 in via $iif setup keep-state
6) Update Snort Rules
$ cd /root/scripts
$ ee bleeding-update.sh
Add the following
#!/bin/sh
oinkmaster -o /usr/local/share/snort/ -u \
http://www.bleedingsnort.com/bleeding.rules.tar.gz
Save and Quit [ esc a a ]
-------------------------
$ cd /usr/local/etc/
$ ee oinkmaster.conf
Change the following
url = http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz
to
url = http://www.bleedingsnort.com/bleeding.rules.tar.gz
Save and Quit [ esc a a ]
-------------------------
$ /root/scripts/bleeding-update.sh
$ crontab -e
insert mode [ press i ]
ADD the following
1 */3 * * * /root/scripts/bleeding-update.sh && /usr/local/etc/rc.d/snort.sh reload
(note this is one line: five time fields and no user column, since this
is root's own crontab; the script is in /root/scripts as created above)
Save and Quit [ esc :wq! enter ]
-------------------------
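Reloading Snort straight after every download means one malformed rule in the feed takes the sensor down at the next reload. This added example (not the guide's own bleeding-update.sh) is a replacement for that script which runs Snort's configuration test first; the command and path variables are assumptions that default to the values used in this guide.

```shell
#!/bin/sh
# Added example, not the guide's own bleeding-update.sh: a rule-update
# wrapper for the cron job in step 6 that reloads Snort only when the
# freshly downloaded rules pass "snort -T" (Snort's configuration test),
# so a malformed rule in the download cannot take the sensor down at the
# next reload. Commands and paths are overridable through environment
# variables (defaults are the guide's); that also lets the logic be
# exercised on a host without Snort by pointing them at stub functions.
URL=${URL:-http://www.bleedingsnort.com/bleeding.rules.tar.gz}
RULES_DIR=${RULES_DIR:-/usr/local/share/snort/}
SNORT_CONF=${SNORT_CONF:-/usr/local/etc/snort.conf}
OINKMASTER=${OINKMASTER:-oinkmaster}
SNORT=${SNORT:-snort}
SNORT_RC=${SNORT_RC:-/usr/local/etc/rc.d/snort.sh}

# update_rules: fetch and install the rule set; returns oinkmaster's status.
update_rules() {
    "$OINKMASTER" -o "$RULES_DIR" -u "$URL"
}

# config_ok: Snort's self-test of the config and every included rule file;
# 0 means the new rules parse and a reload is safe.
config_ok() {
    "$SNORT" -T -c "$SNORT_CONF" >/dev/null 2>&1
}

# update_and_reload: 0 = reloaded, 1 = download failed, 2 = config test failed.
update_and_reload() {
    update_rules || { echo "rule download failed; Snort left untouched" >&2; return 1; }
    config_ok || { echo "snort -T failed on the new rules; NOT reloading" >&2; return 2; }
    "$SNORT_RC" reload
}

update_and_reload
```

With this script the crontab entry needs only the script itself, since the reload is done inside it and skipped when the test fails; cron mails the error line on a non-zero exit.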
7) Finish and Start Snort
# Bring the monitoring device up without an IP address so it can only sniff
$ ee /etc/rc.conf
# *NOTE* snort_conf differs on FreeBSD 6.0: there the file is located at
# /usr/local/etc/snort/snort.conf
CHANGE the following
ifconfig_lnc0="DHCP"
to
ifconfig_lnc0="inet 10.0.0.30 netmask 255.255.240.0"
ADD the following
ifconfig_lnc1="inet 0.0.0.0 netmask 255.255.255.0"
firewall_enable="YES"
firewall_script="/etc/ipfw.sensor"
firewall_logging="YES"
stunnel_enable="YES"
stunnel_config="/usr/local/etc/stunnel/stunnel.conf"
stunnel_pidfile="/var/tmp/stunnel/stunnel.pid"
snort_enable="YES"
snort_interface="lnc1"
snort_conf="/usr/local/etc/snort.conf"
Save and Quit [ esc a a ]
-------------------------
$ /etc/netstart
© Copyright 2006 Joshua D. Abraham