Building an ethical hacking lab on your laptop with VirtualBox – Part 4 Linux Mint Snort IDS – Configuring Snort

Following on from the previous tutorial, where we installed DAQ and Snort from source, it is now time to configure Snort: create an unprivileged account for it to run as, lay out the config, rule and log directories, and then edit snort.conf.

# Dedicated unprivileged account for the sensor to drop to (-r makes it a system account)
sudo groupadd snort
# Debian-based systems such as Mint ship nologin as /usr/sbin/nologin; useradd does not
# check that the shell exists and the account never logs in, so either path works
sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort
# Config, rule and log directories; the three rules files start out empty
sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo touch /etc/snort/rules/white_list.rules
sudo touch /etc/snort/rules/black_list.rules
sudo touch /etc/snort/rules/local.rules
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /var/log/snort
sudo mkdir /usr/local/lib/snort_dynamicrules
# 5775 = setuid + setgid + rwxrwxr-x. Linux ignores setuid on directories, so the effective
# mode is 2775: files created inside inherit the snort group. This also makes /etc/snort
# writable by the snort account, which only the log directory really needs; root-owned 755
# config with a 2775 /var/log/snort is the tighter choice once everything works
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules
sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules
# Copy the stock config files and the classification/reference maps from the source tree.
# These are copied after the chown, so they stay root-owned; Snort reads its config before
# dropping privileges, so that is fine
sudo cp ~/snort_source/snort-2.9.7.3/etc/*.conf* /etc/snort
sudo cp ~/snort_source/snort-2.9.7.3/etc/*.map /etc/snort

37 - Configure snort from source

Install tree (sudo apt-get install tree) to see what the directory structure looks like

38 - Install tree

Your directory should now look like the following when you run

tree /etc/snort/

39 - tree output of snort directory

Edit snort.conf and put a '#' in front of every include line so that you don't have every ruleset enabled when you start playing with Snort in the next tutorial to check everything is working correctly. This comments out all the rulesets for now (local.rules included, which is re-enabled further down).

sudo sed -i 's/^include \$RULE_PATH/#include $RULE_PATH/' /etc/snort/snort.conf

'sed -i' edits the file in place. The '^' anchors the pattern to the start of the line, so lines that are already commented are left alone and running the command twice does not produce '##include'.

40 - sed change snort conf

Open the file with sudo vi /etc/snort/snort.conf and navigate to line 45 so you can change HOME_NET to what you see below

41 - snort conf file change

Before the change it looks like the following

41 - snort conf file change before

Afterwards I have changed HOME_NET to [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12], which covers the three private (RFC 1918) ranges. Once EXTERNAL_NET is set to !$HOME_NET, anything outside those ranges (think of it as anything NOT included in your HOME_NET) is treated as external traffic.

41 - snort conf file change after

Then modify EXTERNAL_NET from any to !$HOME_NET as shown below. Bear in mind that any lab VM sitting on one of those private ranges now counts as internal, so rules written as $EXTERNAL_NET -> $HOME_NET will not match its traffic; worth remembering when a test rule stays silent.

42 - EXTERNAL_NET

Next navigate to line 104 and change the three path lines from the relative defaults to the absolute paths below

var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

Fun tips:
Press Esc, then type :104 and Enter to jump straight to line 104 (or open the file at that line to begin with: sudo vi +104 /etc/snort/snort.conf)

43 - vi command line jump

Pressing dd on a line deletes that entire line for you

Pressing Esc takes you out of insert mode and back to normal mode when something weird is happening

Pressing 'i' (insert before the cursor) or 'a' (append after it) puts you in insert mode so you can modify the file; :wq writes the file and quits

44 - Path to rule files

Now navigate to line 113, remove lines 113 and 114 (the relative ../rules defaults) and replace them with the following

var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

45 - set absolute path

Finally, find the include line for local.rules (the sed command earlier commented it out along with the rest) and remove the '#' so it looks like this

include $RULE_PATH/local.rules

46 - local rules uncomment

Finally, test it!
sudo snort -T -c /etc/snort/snort.conf
'-T' runs Snort in test mode: it parses the configuration and every enabled rule file, reports any problem and exits without sniffing

'-c' points it at the configuration file to test
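The whole of the above, scripted as an added example (this is not part of the original tutorial): a POSIX shell script that applies every snort.conf change from this part with sed, checks that the resulting lines are what the tutorial asks for, and then runs the same snort -T test if the binary is on the path. The function names and the make_sample_conf helper are my own; the helper writes a constructed, cut-down stand-in for the stock snort.conf so the edits can be tried on a scratch copy before touching /etc/snort.

```shell
#!/bin/sh
# Added example: non-interactive version of the snort.conf edits from this part.
# Usage: sudo sh configure_snort_conf.sh /etc/snort/snort.conf
set -eu

# make_sample_conf FILE
# Writes a constructed, cut-down stand-in for the stock snort.conf (the real one
# is several hundred lines) with the default values the tutorial changes.
make_sample_conf() {
    cat > "$1" <<'EOF'
# Setup the network addresses you are protecting
ipvar HOME_NET any

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any

# Path to your rules files (this can be a relative path)
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules

# Set the absolute path appropriately
var WHITE_LIST_PATH ../rules
var BLACK_LIST_PATH ../rules

# site specific rules
include $RULE_PATH/local.rules

include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
EOF
}

# configure_snort_conf FILE
# Sets HOME_NET/EXTERNAL_NET, makes the rule and list paths absolute, comments out
# every $RULE_PATH include and re-enables local.rules. Anchored patterns keep the
# function idempotent: a second run changes nothing.
configure_snort_conf() {
    f="$1"
    cp "$f" "$f.bak"   # keep a copy to diff against
    sed -i \
        -e 's|^ipvar HOME_NET .*|ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]|' \
        -e 's|^ipvar EXTERNAL_NET .*|ipvar EXTERNAL_NET !$HOME_NET|' \
        -e 's|^var RULE_PATH .*|var RULE_PATH /etc/snort/rules|' \
        -e 's|^var SO_RULE_PATH .*|var SO_RULE_PATH /etc/snort/so_rules|' \
        -e 's|^var PREPROC_RULE_PATH .*|var PREPROC_RULE_PATH /etc/snort/preproc_rules|' \
        -e 's|^var WHITE_LIST_PATH .*|var WHITE_LIST_PATH /etc/snort/rules|' \
        -e 's|^var BLACK_LIST_PATH .*|var BLACK_LIST_PATH /etc/snort/rules|' \
        -e 's|^include \$RULE_PATH|#include $RULE_PATH|' \
        -e 's|^#include \$RULE_PATH/local.rules|include $RULE_PATH/local.rules|' \
        "$f"
}

# check_snort_conf FILE
# Returns 0 only if every line the tutorial asks for is present exactly and no
# ruleset other than local.rules is still included; names the failing check otherwise.
check_snort_conf() {
    f="$1"
    for want in \
        'ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]' \
        'ipvar EXTERNAL_NET !$HOME_NET' \
        'var RULE_PATH /etc/snort/rules' \
        'var SO_RULE_PATH /etc/snort/so_rules' \
        'var PREPROC_RULE_PATH /etc/snort/preproc_rules' \
        'var WHITE_LIST_PATH /etc/snort/rules' \
        'var BLACK_LIST_PATH /etc/snort/rules' \
        'include $RULE_PATH/local.rules'
    do
        grep -qxF -- "$want" "$f" || { echo "missing: $want" >&2; return 1; }
    done
    # any include of $RULE_PATH that is still active must be local.rules
    if grep '^include \$RULE_PATH' "$f" | grep -qv 'local.rules'; then
        echo "a ruleset other than local.rules is still enabled" >&2
        return 1
    fi
    return 0
}

# When given a path, edit that file, verify it, and run Snort's own config test.
if [ -n "${1:-}" ]; then
    configure_snort_conf "$1"
    check_snort_conf "$1"
    if command -v snort >/dev/null 2>&1; then
        snort -T -c "$1"
    fi
fi
```

The sed edits are all anchored at the start of the line, which is what makes the script safe to rerun: the "comment out" expression never matches a line that already begins with '#', and the last expression turns the commented local.rules include straight back on. check_snort_conf is the bit worth keeping around; it is a cheap sanity check to run before snort -T, which can take a while with many rules enabled.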

47 - Testing snort configuration

It should finish without error, ending with "Snort successfully validated the configuration!", like the following

47 - Testing snort configuration finish

In the next tutorial you will need pfSense, as outlined in the first tutorial, to test the configuration we have built so far.
