Tuesday, November 13, 2012

Howto : Fail2ban, Secure your Network services with Fail2ban and ban malicious hosts

Last Update: 11/13/2012

The Goal: 

Fail2Ban is a very flexible and powerful tool to help you improving your security by temporarily banishing hosts IPs trying to have malicious activity against your services. (brute force attack...)

Easy to install and configure, Fail2Ban will permanently read your files logs and look for suspicious connection attempts or activity, based on provided / custom rules.

Depending on your configuration, Fail2Ban will ban the remote IP using Netfilter rules (iptables) and then unban it depending on your settings.

This a very great tool you MUST have in your server if you opened any service like ssh, http/https with basic authentication, smtp...and much more.

Major sources: 

Official Fail2ban Wiki:

Various articles:

Summary of steps: 

Step 1: Requirements
Step 2: Installation and base configuration
Step 3: Enabling services
Step 4: Test your configuration
Step 5: Adding new customized services, example with Nginx Web Server

FAQ & Issues

Step 1: Requirements

Fail2ban is quite easy to install and setup, still depending on your needs you have some requirements:


Fail2ban will require iptables to banish suspicious hosts, it is not a requirement to setup your iptables Firewall configuration (even if recommended).

Fail2ban will insert a drop line, whenever you are using iptables or not.

It is probably installed by defaut (use the command "iptables" to check), if not:
$ sudo apt-get install iptables

MTA configuration for mail alerting:

If you want Fail2ban to able to send you alerting mails in case of action done (banish, unbanish...), then you need to setup your MTA.

Your system probably only be a client of a mail central hub (eg. your ISP), if this is the case i recommend to install "ssmtp" wich is very light and simple to setup, but you may prefer to use sendmail, postfix or anything else.

If your system is a mail server itself, i guess you already know how to configure it :-)

$ sudo apt-get install ssmtp

Configuration (real simple!): 

Edit "/etc/ssmtp/ssmtp.conf" and set:

- mailhub: Define here the smtp server of your local ISP (eg. myisp.smtp.com)
- rewriteDomain: if you want the sender domain to be rewritten with the value of your choice

For most of cases, this will be the only modifications required, in case of need see ssmtp configuration pages. (ask Google ^^)

Quick send test:
$ echo "Testing" | mail -s Subject dest@domain.com

If you receive the mail then you're done. (check /var/log/mail* if required)

Step 2: Installation and base configuration


Very simple, For Debian/Ubuntu based systems:
$ sudo apt-get install fail2ban

Initial Configuration:

Edit main Fail2Ban configuration file: "/etc/fail2ban/jail.conf" and define:

1. Local hosts to ignore:

If you want to ignore some local hosts, add them to your configuration, example with local network:
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip =
bantime  = 600
maxretry = 3

2. Mail alert recipient:

If you want to send alter when an action has been done, set the recipient
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = admin@mydomain.com

3. MTA:

Sendmail is defined as default command called for sending mails, both should work but i prefer to call standard "mail" command:
# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = mail

4. Default action when a host has banished

In default configuration, when a host has been banned, the information is just logged and no mail report will be sent.

If you want a report to be sent by mail (associated with a whois request report for the concerned IP), set:
action = %(action_mw)s

If you want a report to be sent by mail with a log extract (associated with a whois request report for the concerned IP), set:
action = %(action_mwl)s

Step 3: Enabling services

SSH example:

The next step will be to define which Network services you will want to supervise, in default configuration Fail2Ban will only monitor SSH for both login failed and DDOS attacks, extract:

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

The import thing here will be the enabled value set to "true" (^^) but also the port, in case of host banishing the iptables rules will be created using this port.

Fail2ban will create multiport iptables rules, so you can add as many ports as you require.

Example if your SSH is running on several port (example 22 for internal and OTHER for external purposes) then you can set:

enabled  = true
port     = ssh,OTHER
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

Other services important vars values:

In each service section, you can overwrite default vars values or set specific ones for your needs.
Here are some you may need to set.

1. Protocol type:

The default protocol if not set will be tcp, you can set it to "udp" or "all" if you need to block bother tcp/udp ports.
protocol = all

2. Ban time:

You may want to overwrite the default bantime, then you just need to it in the service concerned section, time is set in seconds, example for 10 minutes banishment:
bantime = 600 # 10 minutes

3. Ports:

As seen before with the SSH example, you can set as many ports as you required in the port section.
You can call them by names if they are present in /etc/services or by the port number.

Each port must be separated by a coma.

4. Action:

Defaults actions in response of matched events are defined in jail.conf, but you can overwrite values for each specific network service.

In the following example, let's say our default configuration sends emails alert with log extract ("action = %(action_mwl)s") but for a specific Network service we just it to be banned without any altering.

Then you will overwrite the action value in your service section:
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s

Enable your services:

Depending on your configuration, you need to enable Network services as you require.
Follow each section to enable if required.

If you need to create your own service, follow the example of Nginx as above.

Step 4: Testing your configuration

Testing your configuration is very simple :-)

Just test accessing your SSH host outside of your local network (using your Smartphone or whatever you want!) and put false credentials.

Upon the max retry failures, your host should have been banished, you will see in fail2ban logs:

2012-11-13 10:41:43,487 fail2ban.actions: WARNING [ss] Ban xxx.xxx.xxx.xxx

Locally, a new iptables rule has been created inside the jail dedicated iptables section (automatically created by fail2ban at boot time):
Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
DROP       all  --          anywhere            
RETURN     all  --  anywhere             anywhere            

And you should (if you set it) have received a mail with all required information.

Depending on your configuration, XX minutes/days or whatever after having been ban, the host will be unban and the iptables drop rule will be removed.

Powerful, simple, beautiful :-)

Step 5: Adding new customized services, example with nginx Web Server

One of very great things with Fail2ban is that you can easily add any customized service you would require, you just add to define regex expression that will be used to match patterns and define Network section.

Here comes a full example for Nginx Web Server, we will monitor basic authentication failures, badbots, prevent script execution... and off course this can be easily customized to your needs.

Nginx Web Server Fail2Ban integration:

1. Create Nginx filters

Create each required file with its content:

# Auth filter /etc/fail2ban/filter.d/nginx-auth.conf:
# Blocks IPs that fail to authenticate using basic authentication
# Read common prefixes. If any customizations available -- read them from                                                     
# common.local                                                                                                                
before = common.conf 

failregex = no user/password was provided for basic authentication.*client: <HOST>
            user .* was not found in.*client: <HOST>
            user .* password mismatch.*client: <HOST>
ignoreregex =

# Login filter /etc/fail2ban/filter.d/nginx-login.conf:
# Blocks IPs that fail to authenticate using web application's log in page
# Scan access log for HTTP 200 + POST /sessions => failed log in
# Read common prefixes. If any customizations available -- read them from                                                     
# common.local                                                                                                                
before = common.conf 

failregex = ^<HOST> -.*POST /sessions HTTP/1\.." 200
ignoreregex =

# Noscript filter /etc/fail2ban/filter.d/nginx-noscript.conf:
# Block IPs trying to execute scripts such as .php, .pl, .exe and other funny scripts.
# Matches e.g.
# - - "GET /something.php
# Read common prefixes. If any customizations available -- read them from                                                     
# common.local                                                                                                                
before = common.conf 

failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)
ignoreregex =

# Proxy filter /etc/fail2ban/filter.d/nginx-proxy.conf:
# Block IPs trying to use server as proxy.
# Matches e.g.
# - - "GET http://www.something.com/
# Read common prefixes. If any customizations available -- read them from                                                     
# common.local                                                                                                                
before = common.conf 

failregex = ^<HOST> -.*GET http.*
ignoreregex =

2. Create Nginx configuration

Edit Fail2Ban configuration  "/etc/fail2ban/jail.conf" and add:


If Nginx is listening to non standard http/https port, think to adapt to your configuration
Also, nginx-noscript will prevent any script execution on your sites, if this is not what you need just comment out this section.

enabled = true
filter = nginx-auth
port = http,https
logpath = /var/log/nginx*/*error*.log
bantime = 600 # 10 minutes
maxretry = 6
enabled = true
filter = nginx-login
port = http,https
logpath = /var/log/nginx*/*access*.log
bantime = 600 # 10 minutes
maxretry = 6
enabled  = true
filter = apache-badbots
port = http,https
logpath = /var/log/nginx*/*access*.log
bantime = 86400 # 1 day
maxretry = 1
enabled = true
port = http,https
filter = nginx-noscript
logpath = /var/log/nginx*/*access*.log
axretry = 6
bantime  = 86400 # 1 day
enabled = true
port = http,https
filter = nginx-proxy
logpath = /var/log/nginx*/*access*.log
maxretry = 0
bantime  = 86400 # 1 day

Finally, restart fail2ban and you're done! (sudo service fail2ban restart)

To test your configuration, just try to access to your basic authentification protected Web Site with bad credentials, as for the SSH example your host will be ban and you'll get the report :-)

FAQ & Issues

  • How to prevent Fail2ban from sending alerts mails when stopped/started

When email alerting is configured, fail2ban will send you one mail per jail configured (one per Network service) for each action (stop/start).

This can be as usefull as boring :-)

If you want to disable this behavior:

- Go in "/etc/fail2ban/actions.d/"

- You will find 6 configurations files related to sendmail & mail, depending on what you set (sendmail vs mail) you just have to comment out actionstart and actionstop:

"action_": comment "actionstart" & "actionstop" in action.d/sendmail.conf
"action_mw": comment "actionstart" & "actionstop" in action.d/sendmail-whois.conf
"action_mwl": comment "actionstart" & "actionstop" in action.d/sendmail-whois-lines.conf

"action_": comment "actionstart" & "actionstop" in action.d/mail.conf
"action_mw": comment "actionstart" & "actionstop" in action.d/mail-whois.conf
"action_mwl": comment "actionstart" & "actionstop" in action.d/mail-whois-lines.conf

- Restart fail2ban, you're done!

Sunday, November 11, 2012

Howto : Guide to SNORT IDS in Debian based system with Barnyard2, Mysql and Pullpork

Last Update: 01/07/2013 
Major changes: 
01/07/2013 - Ignoring local traffic
11/11/2012 - Initial Version

If you are interested in advanced Opensource security tools, you probably already know about Snort Intrusion Prevention System, and if you don't let's follow my guide to help easily getting a full working Snort installation running in Intrusion Prevention System mode.

I will begin with some explanations:

- Snort can operate in various mode, as a Network sniffer, as an Intrusion Detection System (IDS) and as an Intrusion Prevention System (IPS)

- Snort IDS is Opensource but rules are not (anymore) and can be delivered in 2 ways by Sourcefire :

* For free if you register to Snort, you will get 1 month old rules version and an Oinckcode if you want to use third party tools to automatically update rules

* With charge if you want to get a subscription and get always up to date verified rules

- Snort does not support anymore database logging, all activity will logged to files, so you need a third party tool to insert Snort events into a database (Mysql recommended) : Barnyard2

- Snort does not offer itself any frontend or GUI, you will need a third party tool : most known "Base" (Basic And Security Engine)

- Snort won't update itself its detection rules, using the 3rd party tool "Pulledpork" will automatically update your rules. (you need to register on Snort site and generate an Oinckcode, see later)

My guide is based on following documentation, with some adaptations:

I will assume you already have a working Linux installation, which is really far way from the objective of this guide :-)

Summary of steps: 

Step 1: Prepare your system            
            1.1: Install Apache2, Mysql and system dependencies
            1.2: Install Snort dependencies (libpcap, libdnet, daq)
            1.3: Update Library Path
Step 2: Install and configure Snort
            2.1: Installation
            2.2: Test Snort
Step 3: Install Barnyards
Step 4: Setup Mysql Databases
            4.1: Connection to Mysql Server
            4.2: Databases and Privileges creation
            4.3: Populate database with Snort Structure
            4.4: Launch Snort and Barnyard for second testing
            4.5: OPTIONAL - Ignoring local Traffic
Step 5: Init script
Step 6: Cleanup and start services
Step 7: Install Pullpork and update your rules
            7.1: Register to Snort and get your Oinckcode
            7.2: Install and configure Pullpork
            7.3: Install Pullpork and update your rules
            7.4: Plan auto updates using cron
Step 8: Configure Apache2 and BASE
            8.1: Configure php.ini
            8.2: Install Perl requirements
            8.3: Activate Apache SSL
            8.4: Install and configure BASE
Step 9: Recommended alternative Frontend for Snort: Splunk for Snort
Step 10: Testing Snort IDS

Step 1: Prepare your system

The ideal configuration would be to have 2 networking interfaces, one used as the management interface and an other that will act as the collector interface. (eg. eth0: Management Int, eth1: Collector Int)

Therefore you can off course install and use Snort with only one networking interface system that will be used for both normal networking traffic and data collecting.

I will assume you only have one Networking Interface for all traffic, but this can be easily adapted to your needs.

Step 1.1: Configure your Network Interfaces

First, ensure your Network IP Address are statically fixed, or reserved in your DHCP Server.

Disable ”Large Receive Offload” and ”Generic Receive Offload” on the collector interface
# ethtool -K eth0 gro off
# ethtool -K eth0 lro off

Explanation from Snort guide, chapter 1.5:
Some network cards have features named ”Large Receive Offload” (lro) and ”Generic Receieve Offload”
(gro). With these features enabled, the network card performs packet reassembly before they’re processed by
the kernel.
By default, Snort will truncate packets larger than the default snaplen of 1518 bytes. In addition, LRO and
GRO may cause issues with Stream5 target-based reassembly. We recommend that you turn off LRO and
GRO. On linux systems, you can run:
$ ethtool -K eth1 gro off
$ ethtool -K eth1 lro off

Step 1.1: Install Apache2, Mysql and system dependencies


As always, update apt:
# sudo apt-get update

Install Apache2 Web Server:

If you don't already have Apache2 installed and running:
# sudo apt-get install apache2 apache2-utils apache2.2-bin apache2.2-common libapache2-mod-php5

Install Mysql server:

Your Mysql server can be local or remote.

Local Mysql-server installation:
# sudo apt-get install mysql-client mysql-common mysql-server

Note: Installation wizard will ask to enter your mysql-server admin password

In case of remote mysql-server, just install mysql client and some dependencies:
# sudo apt-get install mysql-client

Install Dependencies:

Install various dependencies:
# sudo apt-get install g++ make autoconf automake libtool flex bison gcc libnet1 libnet1-dev libapache2-mod-php5 libcrypt-ssleay-perl libpcre3 libpcre3-dev libmysqlclient-dev libphp-adodb libssl-dev libtool libwww-perl libmysqlclient-dev mysql-common mysql-client ntp php5-cli php5-gd php5-mysql php-pear

Step 1.2: Install Snort dependencies : (libpcap, libdnet, daq)

Install libpcap: 
# cd /usr/src && wget http://www.tcpdump.org/release/libpcap-1.3.0.tar.gz 
# tar -zxf  libpcap-1.3.0.tar.gz && cd libpcap-1.3.0 
# ./configure --prefix=/usr --enable-shared && make && make install

Install libdnet: 
# cd /usr/src && wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz 
# tar -zxf libdnet-1.12.tgz && cd libdnet-1.12 
# ./configure --prefix=/usr --enable-shared && make && make install

Install libdnet: 
# cd /usr/src && wget http://www.snort.org/dl/snort-current/daq-1.1.1.tar.gz 
# tar -zxf daq-1.1.1.tar.gz && cd daq-1.1.1 
# ./configure && make && make install

Step 1.3: Update library path

# echo >> /etc/ld.so.conf /usr/lib 
# echo >> /etc/ld.so.conf /usr/local/lib && ldconfig 

Step 2: Install Snort

Step 2.1: Installation

Download, configure compile and install Snort:
# cd /usr/src && wget http://labs.snort.org/snort/2931/snort.conf -O snort.conf
# wget http://www.snort.org/dl/snort-current/snort- -O snort-
# tar -zxf snort- && cd snort-
# ./configure --enable-sourcefire && make && make install
# mkdir /etc/snort /etc/snort/rules /var/log/snort /var/log/barnyard2 /usr/local/lib/snort_dynamicrules
# touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
# groupadd snort && useradd -g snort snort
# chown snort:snort /var/log/snort /var/log/barnyard2
# cp /usr/src/snort-*.conf* /etc/snort
# cp /usr/src/snort-*.map /etc/snort
# cp /usr/src/snort.conf /etc/snort

Edit "/etc/snort/snort.conf": (using vi to search for a line : esc then ":N" where N is the line number)

Line #45 - ipvar HOME_NET – make this match your internal (friendly) network
Line #48 - ipvar EXTERNAL_NET !$HOME_NET
Line #104 - var RULE_PATH ./rules
Line #113 - var WHITE_LIST_PATH ./rules
Line #114 - var BLACK_LIST_PATH ./rules
Line #297 - add this to the end after “decompress_depth 65535” max_gzip_mem 104857600
Line #538 - add this line output unified2: filename snort.log, limit 128
Line #554 - delete or comment out all of the “include $RULE_PATH” lines except “local.rules”

Step 2.2: First test of Snort

Temporarily and for testing purposes, add this to "/etc/snort/rules/local.rules" 
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001;)

This will be a local testing rule using ICMP request, when running Snort in console and pinging our host from another computer, Snort shall detect it:

Start Snort:
# /usr/local/bin/snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Ping your Snort host, you should see Snort logging it:
02/09-11:29:43.450236 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} ->
02/09-11:29:43.450251 [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} ->

If you see this kind of output, then your Snort installation is functional ^^

If not, you may have a configuration issue, stop all and carefully restart from the beginning!

Enter crtl+c to stop Snort.

Step 3: Install Barnyard2

Download, configure, compile and install:
# cd /usr/src && wget https://nodeload.github.com/firnsy/barnyard2/tarball/master
# tar -zxf master && cd firnsy-barnyard2-*
autoreconf -fvi -I ./m4 && ./configure --with-mysql && make && make install
# mv /usr/local/etc/barnyard2.conf /etc/snort
# cp schemas/create_mysql /usr/src

Edit "/etc/snort/barnyard2.conf":
Line #215 change to output alert_fast

At the end of the file, add the Database configuration line, adapt:

- "<mypassword>" to the value of the database snort password you want to set (not the admin password database, but the password you are planing to use for Snort database)

- "localhost" : If your Mysql-server will local, then let localhost, if your Mysql server is remote then enter its IP Address

output database: log, mysql, user=snort password=<mypassword> dbname=snort host=localhost

Step 4: Setup Mysql Databases

Here comes the Mysql configuration, we will:

- Create a main database called "snort" where Snorts events are going to be logged by the barnyards daemon
- Create a secondary database called "archive" to rotate Snort events
- Create a user "snort" with all privileges to these databases

Step 4.1: Connect to your Mysql server

If Mysql-server local, enter:
# mysql -u root -p

If Mysql-server remote, enter: (adapt IPAddress)
# mysql -u root -p -h IPAddress

Then enter your admin password, you should get the mysql prompt:

Step 4.2: Create Databases and privileges

Create Databases:
create database snort;
create database archive;

Create Snort user and privileges: (adapt <mypassword> to the Snort database user password value of your choice)

If Mysql-server local: (adapt IPAddress with Mysql Server value)
grant usage on snort.* to snort@;
grant usage on archive.* to snort@;
set password for snort@'snort');
grant all privileges on snort.* to snort@;
grant all privileges on archive.* to snort@;
flush privileges;

If Mysql-server Remote: (adapt IPAddress with Mysql Server value)
grant usage on snort.* to snort@IPAddress;
grant usage on archive.* to snort@IPAddress;
set password for snort@IPAddress=PASSWORD('<mypassword>');
grant all privileges on snort.* to snort@IPAddress;
grant all privileges on archive.* to snort@IPAddress;
flush privileges;

Step 4.3: Populate Database with Snort structure

use snort;
source /usr/src/create_mysql
show tables; # you should see the list of new tables you just imported.

Step 4.4: Launch Snort and Barnyes for second testing purposes

Launch Snort and Barnyard :

# /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 &
# /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo -G /etc/snort/gen-msg.map -S
/etc/snort/sid-msg.map -C /etc/snort/classification.config &

If Barnyard successfully connects to the Snort database, you should get such an output:
database: compiled support for (mysql)                                                                                        
database: configured to use mysql                                                                                             
database: schema version = 107                                                                                                
database:           host =                                                                                      
database:           user = snort                                                                                              
database:  database name = snort                                                                                              
database:    sensor name = raspberrypi:NULL                                                                                   
database:      sensor id = 1                                                                                                  
database:     sensor cid = 12275                                                                                              
database:  data encoding = hex                                                                                                
database:   detail level = full                                                                                               
database:     ignore_bpf = no                                                                                                 
database: using the "log" facility                                                                                            
        --== Initialization Complete ==--                                                                                     
  ______   -*> Barnyard2 <*-                                                                                                  
 / ,,_  \  Version 2.1.10 (Build 313)                                                                                         
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/                                                            
 + '''' +  (C) Copyright 2008-2012 Ian Firns <firnsy@securixlive.com>                                                         
Using waldo file '/etc/snort/bylog.waldo':                                                                                    
    spool directory = /var/log/snort                                                                                          
    spool filebase  = snort.log                                                                                               
    time_stamp      = 1352226216                                                                                              
    record_idx      = 24326                                                                                                   
Opened spool file '/var/log/snort/snort.log.1352226216'                                                                       
Closing spool file '/var/log/snort/snort.log.1352226216'. Read 24326 records                                                  
Opened spool file '/var/log/snort/snort.log.1352301110'                                                                       
Waiting for new data

Any error preventing Barnyard2 from connecting to the Mysql Database will be shown in ouput messages (bad username/password, host unreacheable, etc...)

If successful, then congratulation you have a working Snort and Barnyard2 installation ^^

Let's continue!

Step 4.5: OPTIONAL - Ignoring local Traffic

In most situations you won't be really interested in monitoring your local networking traffic as you can consider it as a trust zone.

If so, you can easily ask Snort to ignore any local traffic:

Edit "/etc/snort/snort.conf", search for "config bpf_file", comment it out and change to
config bpf_file: /etc/snort/ignore.bpf

Create the file "/etc/snort/ignore.bpf" with the following content: (adapt to your local Network CIDR address)

!(src net

And save, at next reboot any local traffic will be ignored.

This configuration may also be more complex to ignore different Networks, Hosts and even specific ports.
Google is your friend ^^

Let's continue!

Step 5: Init script

Add and enable an init script for Snort and Barnyard2.

NOTE: Change "eth0" to your interface name if your collector Interface is different from eth0.

Create the new file "/etc/init.d/snortbarn" and add this content:
#! /bin/sh
#set -x
# Provides: snortbarn
# Required-Start: $remote_fs $syslog mysql
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# X-Interactive: true
# Short-Description: Start Snort and Barnyard
. /lib/init/vars.sh
. /lib/lsb/init-functions
log_daemon_msg "Starting Snort and Barnyard" ""
/sbin/ifconfig eth0 up
/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 &
/usr/local/bin/barnyard2 -q -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo -G /etc/snort/gen-msg.map –S /etc/snort/sid-msg.map -C /etc/snort/classification.config 2> /dev/null &
log_end_msg 0
return 0
log_daemon_msg "Stopping Snort and Barnyard" ""
kill $(pidof snort) 2> /dev/null
kill $(pidof barnyard2) 2> /dev/null
log_end_msg 0
return 0
case "$1" in
echo "Usage: snort-barn {start|stop|restart}" >&2
exit 3
exit 0

# chmod +x /etc/init.d/snortbarn

# update-rc.d snortbarn defaults

Step 6: Cleanup and start services

Stop existing processes and clean up various files:
# rm /var/www/index.html
# chmod 755 /var/www/base
# pkill snort && pkill barnyard2
# rm -rf /var/log/snort/* /var/log/barnyard2/*

Deactivate the local test rules and activate standard rules:

Edit "etc/snort/rules/local.rules" and comment out the test rule line
Edit "/etc/snort/snort.conf" – Line 553: add: include $RULE_PATH/snort.rules

Start Snort and Barnyard2:
# sudo service snortbarn start

Step 7: Install Pullpork and update your rules

Step 7.1: Register to Snort and get your Oinckcode

First, go to www.snort.org and register (for free).

When your accound had been created, go in:

- "My Account"
- Then "Subscriptions and Oinckcodes"
- "Oinkcodes"

And generate your Oinckcode, copy it somewhere it will be required to set up Pulleporked.

Step 7.2: Install and configure Pulledporked

# cd /usr/src && wget http://pulledpork.googlecode.com/files/pulledpork-0.6.1.tar.gz
# tar -zxf pulledpork-0.6.1.tar.gz && cd pulledpork-0.6.1
# cp pulledpork.pl /usr/local/bin && cp etc/*.conf /etc/snort

Edit "/etc/snort/pulledpork.conf":

Comment out lines 22 & 26

Line 20: enter your “oinkcode” where appropriate or comment out the line if you didn’t get one above
Line 23: leave alone (uncommented) to use the Emerging Threats rule set
Line 71: change to: rule_path=/etc/snort/rules/snort.rules
Line 86: change to: local_rules =/etc/snort/rules/local.rules
Line 89: change to: sid_msg=/etc/snort/sid-msg.map
Line 112: change to: config_path=/etc/snort/snort.conf

Line 124: change to: distro=Debian-Lenny

Line 171: Uncomment and change to: enablesid=/etc/snort/enablesid.conf
Line 173: Uncomment and change to: disablesid=/etc/snort/disablesid.conf
Line 174: Uncomment and change to: modifysid=/etc/snort/modifysid.conf

Disable Blocking rules:

# echo pcre:fwsam >> /etc/snort/disablesid.conf # disables all block (fwsam) rules

Step 7.3: Start Pulledporked and update your rules set

# /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -T -l

If everything is fine, you should get this kind of output:
# /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -T -l                                          
      _____ ____                                                                                                              
     `----,\    )                                                                                                             
      `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~                                                                  
     .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings                                                                       
  @_/        /  66\_  cummingsj@gmail.com                                                                                     
    |    \   \   _(")                                                                                                         
     \   /-| ||'--'  Rules give me wings!                                                                                     
      \_\  \_\\                                                                                                               
Checking latest MD5 for snortrules-snapshot-2931.tar.gz....                                                                   
        They Match                                                                                                            
Prepping rules from snortrules-snapshot-2931.tar.gz for work....                                                              
Reading rules...                                                                                                              
Reading rules...                                                                                                              
Processing /etc/snort/enablesid.conf....                                                                                      
        Modified 0 rules                                                                                                      
Processing /etc/snort/disablesid.conf....                                                                                     
        Modified 0 rules
Setting Flowbit State....                                                                                                     
        Enabled 10 flowbits                                                                                                   
        Enabled 1 flowbits
Writing /etc/snort/rules/snort.rules....                                                                                      
Generating sid-msg.map....                                                                                                    
Writing sid_msg....                                                                                                           
Writing /var/log/sid_changes.log....                                                                                          
Rule Stats....                                                                                                                
        Enabled Rules:----3511                                                                                                
        Dropped Rules:----0                                                                                                   
        Disabled Rules:---11787                                                                                               
        Total Rules:------15298                                                                                               
Please review /var/log/sid_changes.log for additional details                                                                 
Fly Piggy Fly!

Step 7.4:Plan auto updates using cron

Edit your crontab and add a line for Pullpork, example with an auto update every Sunday at 2.30 AM:

Edit your crontab:
# crontab -e

30 2 0 * * /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -T -l >/var/log/snort/pulledpork_crontab.log

The auto update result will be available in the log file.

Step 8: Configure Apache2 and install BASE

To use BASE as a Snort front-end which is Web GUI you off course need a running Web Server, as installed before we will use Apache2.

Configuring Apache is far away from this guide objective, the default configuration will allow us to access to BASE with no issue.

Step 8.1: Configure php.in

Edit "/etc/php5/apache2/php.ini", look for the line "error_reporting" and change it to:
error_reporting = E_ALL & ~E_NOTICE

Step 8.2: Install Perl requirements

# pear config-set preferred_state alpha && pear channel-update pear.php.net && pear install --alldeps Image_Color Image_Canvas Image_Graph

Step 8.3: If you are using Apache2 default configuration, activate SSL

# a2enmod ssl
# service apache2 restart

Step 8.4: Install and configure BASE

# cd /usr/src && wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
# tar -zxf base-1.4.5.tar.gz && cp -r base-1.4.5 /var/www/base
# chown -R www-data:www-data /var/www/base

Open your Web Browser and navigate to "https://IPAddress/base", you should get the BASE configuration page.

Do as follows:

Path to adodb: /usr/share/php/adodb
Click Continue
Database Name: snort
Database Host: localhost or your Mysql Server IP if remote
Database Port: leave blank
Database User Name: snort
Database Password: <mypassword>

Activate Database Archive and configure as above. (database name "archive")

Put in values for the authentication system and click submit.
Click "create baseag" which extends the DB to support BASE.

And you should get access to BASE ^^

Step 9: Recommended alternative frontend for Snort

BASE is quite limited and obsolete, as a Snort Frontend i personally recommend the Snort plugin for Splunk.

Splunk is an extremely powerful knowledge tool that will aggregate and manipulate any data, an application is available for Snort and provides a very great frontend for Snort!

A full guide coming soon :-) 

Step 10: Testing SNORT IDS

Here are some tools i recommend:

1. Nessus

Nessus is a well known security scan tool, you can get for a free a personal user key and use the software to scan your sites or hosts.


Installation is really simple, then simply launch a Web Application scan and wait for the report, this should generate a lot of events in Snort!

2. Nikto

Also very powerful and simple to use, Nikto will carefully scan and launch various attacks/exploit against your Web Server.


Example of use:

Launching a scan in http:
perl nikto.pl -h HOST -p PORT

Launching a scan in https:
perl nikto.pl -h HOST -p PORT -ssl

Testing Web Server with Nikto should also generate new events in Snort.