Wednesday, 16 June 2004
Learn how to install and configure the Snort intrusion detection system on FreeBSD.

1. Install Snort from your ports directory

    [root]# cd /usr/ports/security/snort
    [root]# make install clean

This will install:

    the snort binary to /usr/local/bin/snort
    the snort rules files to /usr/local/share/snort
    the snort configuration to /usr/local/etc/snort.conf
2. Customize your snort.conf to meet your needs. This is a configuration I have found to be useful.

    [root]# cd /usr/local/etc
    [root]# vi snort.conf

- Uncomment the following line (this will cause snort to use much less resident memory):

    config detection: search-method lowmem

- Make sure the flow preprocessor is NOT commented out:

    preprocessor flow: stats_interval 0 hash 2

- Uncomment flow-portscan if you want to detect port scans (change server-watchnet to your own network):

    preprocessor flow-portscan: server-watchnet [172.16.0.0/16] unique-memcap 5000000 unique-rows 50000 tcp-penalties on server-scanner-limit 30 alert-mode all output-mode msg server-learning-time 3600
- Comment out or uncomment the rules files you want. This is my file:

    include $RULE_PATH/local.rules
    include $RULE_PATH/bad-traffic.rules
    include $RULE_PATH/exploit.rules
    include $RULE_PATH/scan.rules
    include $RULE_PATH/finger.rules
    include $RULE_PATH/ftp.rules
    include $RULE_PATH/telnet.rules
    include $RULE_PATH/rpc.rules
    include $RULE_PATH/rservices.rules
    include $RULE_PATH/web-frontpage.rules
    include $RULE_PATH/web-misc.rules
    include $RULE_PATH/web-client.rules
    include $RULE_PATH/web-php.rules
    include $RULE_PATH/sql.rules
    include $RULE_PATH/x11.rules
    #include $RULE_PATH/icmp.rules
    include $RULE_PATH/netbios.rules
    include $RULE_PATH/misc.rules
    include $RULE_PATH/attack-responses.rules
    include $RULE_PATH/oracle.rules
    include $RULE_PATH/mysql.rules
    include $RULE_PATH/snmp.rules
    include $RULE_PATH/smtp.rules
    include $RULE_PATH/imap.rules
    include $RULE_PATH/pop2.rules
    include $RULE_PATH/pop3.rules
    include $RULE_PATH/nntp.rules
    include $RULE_PATH/other-ids.rules
    include $RULE_PATH/web-attacks.rules
    include $RULE_PATH/backdoor.rules
    include $RULE_PATH/shellcode.rules
    # include $RULE_PATH/policy.rules
    # include $RULE_PATH/porn.rules
    # include $RULE_PATH/info.rules
    # include $RULE_PATH/icmp-info.rules
    # include $RULE_PATH/virus.rules
    # include $RULE_PATH/chat.rules
    # include $RULE_PATH/multimedia.rules
    # include $RULE_PATH/p2p.rules
    include $RULE_PATH/experimental.rules
3. Start up snort.
[root]# /usr/local/etc/rc.d/snort.sh start
Your alerts will be logged to /var/log/snort/alert.
I have a Snort log parser written in Perl that reads the Snort alert file and prints today's alerts in an easy-to-read, one-line-per-alert format. Example output:

    04/06 08:06:57 TCP 24.163.219.104:80 -> 67.173.96.51:2763 ATTACK-RESPONSES 403 Forbidden 1201
    04/06 08:07:53 TCP 24.163.219.104:80 -> 211.40.66.207:2676 ATTACK-RESPONSES 403 Forbidden 1201
    04/06 08:13:51 TCP 24.163.219.104:80 -> 211.40.211.115:2604 ATTACK-RESPONSES 403 Forbidden 1201
You can download the program here.
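As an added illustration (not the author's Perl script, which is not reproduced on this page), here is a small Python parser that reads Snort's multi-line "full" alert layout, as Snort 2.x writes it to /var/log/snort/alert, and condenses each record into the one-line format shown above. The two alert records are constructed sample input, and the "full" alert layout (header, classification, timestamp/addresses, protocol, flags) is an assumption about the log format.

```python
import datetime
import re

# Constructed sample input: two records in Snort's multi-line "full" alert layout.
SAMPLE_ALERT = """\
[**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/06-08:06:57.482113 24.163.219.104:80 -> 67.173.96.51:2763
TCP TTL:64 TOS:0x0 ID:4312 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x1A2B3C4D  Ack: 0x5E6F7081  Win: 0x4000  TcpLen: 20

[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/07-02:15:09.001200 10.0.0.5 -> 172.16.4.20
ICMP TTL:48 TOS:0x0 ID:9 IpLen:20 DgmLen:28
Type:8  Code:0  ID:1  Seq:0  ECHO
"""

# "[**] [gid:sid:rev] message [**]" opens every record.
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
# "MM/DD-HH:MM:SS.usec src -> dst"; the following line starts with the protocol.
TIME_RE = re.compile(r"^(\d\d/\d\d)-(\d\d:\d\d:\d\d)\.\d+ (\S+) -> (\S+)$")

def parse_alerts(text):
    """Yield one dict (date, time, proto, src, dst, msg, sid) per record."""
    lines = text.splitlines()
    rec = {}
    for i, line in enumerate(lines):
        m = HEADER_RE.match(line)
        if m:
            rec = {"sid": m.group(2), "msg": m.group(4)}
            continue
        m = TIME_RE.match(line)
        if m and rec:
            rec.update(date=m.group(1), time=m.group(2),
                       src=m.group(3), dst=m.group(4))
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            rec["proto"] = nxt.split()[0] if nxt else "?"
            yield rec
            rec = {}  # classification and flag lines are skipped

def todays_alerts(text, today):
    """Condense the records dated `today` (MM/DD) into the one-line format."""
    return [f"{a['date']} {a['time']} {a['proto']} {a['src']} -> {a['dst']} "
            f"{a['msg']} {a['sid']}"
            for a in parse_alerts(text) if a["date"] == today]

if __name__ == "__main__":
    for line in todays_alerts(SAMPLE_ALERT, datetime.date.today().strftime("%m/%d")):
        print(line)
```

Point `todays_alerts` at the contents of /var/log/snort/alert instead of the sample to get the same one-line summary for a live sensor.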