A Quick Snort on NetBSD 6.0.1 HOWTO

Tags

Yes, I know this is a default config but if you are new to Snort it gets you up and running quickly so you can actually tinker with a running system. If you haven’t installed pkgin, see my post How to install XFCE on NetBSD 6 and run the steps to install pkgin.

1) Get the software.
> pkgin avail | grep snort

oinkmaster-2.0nb1    Manage snort rule updates
snort-2.8.5.1nb2     The Open Source Network Intrusion Detection System
snort-rules-2.4      Network Intrusion Detection System (Community Rules)
snortsnarf-20050314.1nb1 Generate HTML report summaries from snort incident alerts

> pkgin install oinkmaster-2.0nb1
> pkgin install snort-2.8.5.1nb2
> pkgin install snort-rules-2.4
> pkgin install snortsnarf-20050314.1nb1
> pkgin install libpcap
> pkgin install tcpdump
> pkgin install pcre-*

2) Create var RULE_PATH files in /usr/pkg/share/snort/rules.
> touch /usr/pkg/share/snort/rules/local.rules
> touch /usr/pkg/share/snort/rules/bad-traffic.rules
> touch /usr/pkg/share/snort/rules/exploit.rules
> touch /usr/pkg/share/snort/rules/scan.rules
> touch /usr/pkg/share/snort/rules/finger.rules
> touch /usr/pkg/share/snort/rules/ftp.rules
> touch /usr/pkg/share/snort/rules/telnet.rules
> touch /usr/pkg/share/snort/rules/rpc.rules
> touch /usr/pkg/share/snort/rules/rservices.rules
> touch /usr/pkg/share/snort/rules/dos.rules
> touch /usr/pkg/share/snort/rules/ddos.rules
> touch /usr/pkg/share/snort/rules/dns.rules
> touch /usr/pkg/share/snort/rules/tftp.rules
> touch /usr/pkg/share/snort/rules/web-cgi.rules
> touch /usr/pkg/share/snort/rules/web-coldfusion.rules
> touch /usr/pkg/share/snort/rules/web-iis.rules
> touch /usr/pkg/share/snort/rules/web-frontpage.rules
> touch /usr/pkg/share/snort/rules/web-misc.rules
> touch /usr/pkg/share/snort/rules/web-client.rules
> touch /usr/pkg/share/snort/rules/web-php.rules
> touch /usr/pkg/share/snort/rules/sql.rules
> touch /usr/pkg/share/snort/rules/x11.rules
> touch /usr/pkg/share/snort/rules/icmp.rules
> touch /usr/pkg/share/snort/rules/netbios.rules
> touch /usr/pkg/share/snort/rules/misc.rules
> touch /usr/pkg/share/snort/rules/attack-responses.rules
> touch /usr/pkg/share/snort/rules/oracle.rules
> touch /usr/pkg/share/snort/rules/mysql.rules
> touch /usr/pkg/share/snort/rules/snmp.rules
> touch /usr/pkg/share/snort/rules/smtp.rules
> touch /usr/pkg/share/snort/rules/imap.rules
> touch /usr/pkg/share/snort/rules/pop2.rules
> touch /usr/pkg/share/snort/rules/pop3.rules
> touch /usr/pkg/share/snort/rules/nntp.rules
> touch /usr/pkg/share/snort/rules/other-ids.rules

3) Test config.
> /usr/pkg/bin/snort -T -i wm0 -u snort -g snort -c /usr/pkg/etc/snort/snort.conf

4) Start Snort.
> /usr/pkg/bin/snort -D -i wm0 -A fast -b -d -u snort -g snort -c /usr/pkg/etc/snort/snort.conf -l /var/log/snort

5) Monitor hits.
> tail -f /var/log/snort/alert

6) After an hour or so, run snortsnarf.pl to get an html report.
> mkdir -p /var/log/snort/report
> /usr/pkg/bin/snortsnarf.pl -d /var/log/snort/report /var/log/snort/alert
> cd /var/log/snort/report
> firefox index.html
Note: if you don’t have an X11 desktop, just scp the report folder over to a host that does and run firefox index.html from that host.

slice2

A Quick Snort on NetBSD 6.0.1 HOWTO

Like this:

Leave a Reply Cancel reply

Share this:

Like this:

Leave a Reply Cancel reply