Building an ethical hacking lab on your laptop with VirtualBox – Part 6 Linux Mint Snort IDS – MySQL & Barnyard

Time for a bit more installing before we move on and configure MySQL:

sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool gettext automake

54 - More installing

You will be prompted twice for the MySQL root password, the second time only to confirm it. Enter a password and remember it for later.

55 - MYSQL password

The process should complete without error like below

56 - Install complete

Now navigate to line 520 of the snort.conf file

sudo vi +520 /etc/snort/snort.conf

57 - Navigate to line 520 snort conf

Replace line 520 with the following (delete the commented-out output line already there), then save the file

output unified2: filename snort.u2, limit 128

58 - Modify line 520 snort conf

Next we are going to install Barnyard2 with the following

cd ~/snort_source
wget https://github.com/firnsy/barnyard2/archive/v2-1.13.tar.gz -O barnyard2-2-1.13.tar.gz
tar zxvf barnyard2-2-1.13.tar.gz
cd barnyard2-2-1.13
mv configure.in configure.ac
autoreconf -fvi -I ./m4

59 - cd and wget barnyard

Use tar to extract the contents of the download

60 - untar the barnyard download

Next cd into the extracted directory, rename configure.in to configure.ac with mv, and run autoreconf

61 - cd move autoreconf barnyard

You can ignore the errors at the end of the autoreconf

62 - autoreconf ignore errors

Next run configure with MySQL support enabled, pointing it at the MySQL client library directory for your OS architecture; in my case this is 64-bit

./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu

63 - MYSQL configure

It should end without any errors like below

64 - MYSQL configure without error

The remaining commands are listed together here and then walked through one screenshot at a time below. Start with make:

make
sudo make install
cd ~/snort_source/barnyard2-2-1.13
sudo cp etc/barnyard2.conf /etc/snort
sudo mkdir /var/log/barnyard2
sudo chown snort:snort /var/log/barnyard2
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort:snort /var/log/snort/barnyard2.waldo
sudo touch /etc/snort/sid-msg.map
echo "create database snort;" | mysql -u root -p
mysql -u root -p -D snort < ~/snort_source/barnyard2-2-1.13/schemas/create_mysql
echo "grant create, insert, select, delete, update on snort.* to snort@localhost identified by 'YOUR_MYSQL_PASSWORD'" | mysql -h localhost -u root -p

65 - Make barnyard

This should finish without error

66 - Make barnyard without error

sudo make install

67 - Make install barnyard

This should finish with no errors

68 - Make install barnyard without error

Then run the following

cd ~/snort_source/barnyard2-2-1.13
sudo cp etc/barnyard2.conf /etc/snort
sudo mkdir /var/log/barnyard2
sudo chown snort:snort /var/log/barnyard2
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort:snort /var/log/snort/barnyard2.waldo
sudo touch /etc/snort/sid-msg.map

69 - cd mkdir chown touch

Create a MySQL database called snort

echo "create database snort;" | mysql -u root -p

70 - Create MYSQL database snort

mysql -u root -p -D snort < ~/snort_source/barnyard2-2-1.13/schemas/create_mysql

71 - Create MYSQL schemas

Modify the Barnyard2 configuration file

sudo vi /etc/snort/barnyard2.conf

72 - modify barnyard conf

Add the following to the bottom of the file

output database: log, mysql, user=snort password=YOUR_MYSQL_PASSWORD dbname=snort host=localhost

73 - modified configuration file

echo "grant create, insert, select, delete, update on snort.* to snort@localhost identified by 'YOUR_MYSQL_PASSWORD'" | mysql -h localhost -u root -p

74 - Create MYSQL grant select delete update

sudo chmod o-r /etc/snort/barnyard2.conf

75 - chmod barnyard conf
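Before starting the daemons it is worth checking that the pieces wired together above are all in place: the unified2 output line in snort.conf, the database output line in barnyard2.conf (with a real password and no world-read permission, since the password sits in that line in clear text), and the waldo file and log directory. The script below is an added example, not from the original tutorial; the paths are arguments so it can be run against the tutorial's locations or against test copies.

```shell
# check_snort_pipeline.sh: post-install sanity check for the
# Snort -> unified2 -> Barnyard2 -> MySQL wiring (added example, not from the tutorial).

# Snort must write unified2 spool files, or Barnyard2 has nothing to read.
check_snort_conf() {
    grep -Eq '^output unified2: *filename snort\.u2' "$1"
}

# barnyard2.conf must enable the MySQL output plugin, must not still carry the
# YOUR_MYSQL_PASSWORD placeholder, and must not be world-readable.
check_barnyard_conf() {
    grep -Eq '^output database: *log, *mysql,.*dbname=snort' "$1" || return 1
    if grep -q 'password=YOUR_MYSQL_PASSWORD' "$1"; then
        return 1
    fi
    # 8th character of the "ls -ld" mode string is the "other" read bit
    case "$(ls -ld "$1")" in
        ???????r*) return 1 ;;
    esac
    return 0
}

# The waldo bookmark file and the Barnyard2 log directory must exist before
# Barnyard2 is started with -w and the log output is enabled.
check_runtime_paths() {
    [ -f "$1" ] && [ -d "$2" ]
}

# Runs every check, prints one verdict line per check, returns non-zero if any failed.
# Arguments: snort.conf barnyard2.conf waldo-file log-directory (no spaces in paths).
check_pipeline() {
    rc=0
    for check in "check_snort_conf $1" "check_barnyard_conf $2" "check_runtime_paths $3 $4"; do
        if $check; then echo "ok   $check"; else echo "FAIL $check"; rc=1; fi
    done
    return $rc
}

# Usage: sh check_snort_pipeline.sh /etc/snort/snort.conf /etc/snort/barnyard2.conf \
#            /var/log/snort/barnyard2.waldo /var/log/barnyard2
if [ $# -eq 4 ]; then
    check_pipeline "$1" "$2" "$3" "$4"
fi
```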

Start Snort as a daemon

sudo /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth1 -D

76 - snort daemon start

Start barnyard2

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort

77 - Start barnyard2

Now, from your pfSense box, ping your Snort machine and you should see some alerts. This shows you that everything you have done up until now has worked.

78 - Ping from pfsense

Your running Barnyard2 should then show you output similar to the following

79 - ICMP alert detected

You can also check your MySQL database directly with the following

mysql -u snort -p -D snort -e "select count(*) from event"

80 - MYSQL database check

That's it for now. The next tutorial will deal with the PulledPork installation and configuration on your system, to keep your Snort rules up to date.