Building an ethical hacking lab on your laptop with VirtualBox – Part 7 Linux Mint Snort IDS – PulledPork install and configuration

Now to install and configure PulledPork, but first, once again, a few prerequisites (the Perl SSL module is what lets PulledPork fetch the rule tarballs over HTTPS):

sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl

81 - Pulled pork prerequisites install

cd ~/snort_source
wget https://pulledpork.googlecode.com/files/pulledpork-0.7.0.tar.gz

(Google Code no longer hosts downloads; the project has since moved to https://github.com/shirkdog/pulledpork, so fetch the release tarball from there if the wget above fails.)

82 - cd and wget pulled pork

Extract with tar

tar xvzf pulledpork-0.7.0.tar.gz

83 - tar pulledpork

cd pulledpork-0.7.0/
sudo cp pulledpork.pl /usr/local/bin
sudo chmod +x /usr/local/bin/pulledpork.pl
sudo cp etc/*.conf /etc/snort
sudo mkdir /etc/snort/rules/iplists
sudo touch /etc/snort/rules/iplists/default.blacklist

84 - cd mod cp mkdir touch

Check that it runs and prints its version

/usr/local/bin/pulledpork.pl -V

85 - Check pulled pork

Sign up for a free account at snort.org and get yourself an oinkcode, then edit the PulledPork configuration file. The oinkcode is a credential tied to your account, so keep this file readable by root only (mode 600); it should not be world-readable.

sudo vi /etc/snort/pulledpork.conf

86 - modify pulledpork conf

Modify lines 19 and 26 so that your oinkcode replaces the <oinkcode> placeholder at the end of each rule_url line. They should look something like this

87 - modify pulledpork conf line 19 and 26

Remove the leading # from line 27 to also pull the open ruleset

88 - modify pulledpork conf un comment

Modify line 72 to match rule_path=/etc/snort/rules/snort.rules

89 - modify pulled pork line 72

Modify line 87 to match local_rules=/etc/snort/rules/local.rules and line 90 to match sid_msg=/etc/snort/sid-msg.map

90 - modify pulled pork line 87 and 90

Modify line 117 to match config_path=/etc/snort/snort.conf

91 - modify pulled pork line 117

Modify line 131 to the following distro=Ubuntu-10-4

91 - modify pulled pork line 131

Modify line 138 to the following black_list=/etc/snort/rules/iplists/default.blacklist

92 - modify pulled pork line 138

Modify line 147 to the following IPRVersion=/etc/snort/rules/iplists

93 - modify pulled pork line 147

Modify lines 194 – 197 with the following

enablesid=/etc/snort/enablesid.conf
dropsid=/etc/snort/dropsid.conf
disablesid=/etc/snort/disablesid.conf
modifysid=/etc/snort/modifysid.conf

94 - modify pulled pork line 194 - 197
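Before running PulledPork for the first time it is worth checking the edited configuration rather than trusting the line numbers above, which shift between PulledPork versions. The script below is an added example, not part of the original tutorial and not code from the PulledPork project: it checks that pulledpork.conf is not readable by group or others (the oinkcode in it is an account credential), that every active rule_url line carries a real code rather than the <oinkcode> placeholder, and that the directories behind rule_path, local_rules, sid_msg, config_path and black_list actually exist. It assumes a Linux box with GNU stat (stat -c) and the /etc/snort layout used in this series.

```shell
#!/bin/sh
# Added example (not from the tutorial or PulledPork): sanity-check a
# pulledpork.conf before the first run.
# Assumes GNU coreutils stat(1) and the /etc/snort layout from this series.

# Print the value of key=value from a conf file (first active match only;
# commented-out lines are ignored because they do not start with the key).
conf_get() {
    # $1 = conf file, $2 = key
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# Return 0 if the file's mode has no group/other bits (600, 400, ...).
check_perms() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   echo "WARN: $1 is mode $mode; run: chmod 600 $1" >&2; return 1 ;;
    esac
}

# Return 0 if there is at least one active rule_url and none of them still
# ends in the literal <oinkcode> placeholder shipped in the sample conf.
check_oinkcode() {
    if grep -E '^[[:space:]]*rule_url=.*<oinkcode>' "$1" >/dev/null; then
        echo "WARN: $1 still contains the <oinkcode> placeholder" >&2
        return 1
    fi
    grep -E '^[[:space:]]*rule_url=' "$1" >/dev/null || {
        echo "WARN: no active rule_url in $1" >&2; return 1; }
    return 0
}

# Return 0 if the directory part of every path PulledPork writes to or reads
# from exists; PulledPork creates the files, but not missing directories.
check_paths() {
    rc=0
    for key in rule_path local_rules sid_msg config_path black_list; do
        val=$(conf_get "$1" "$key")
        if [ -z "$val" ]; then
            echo "WARN: $key not set in $1" >&2; rc=1; continue
        fi
        dir=$(dirname "$val")
        [ -d "$dir" ] || { echo "WARN: $key=$val but $dir does not exist" >&2; rc=1; }
    done
    return $rc
}

# Run all checks; returns 0 only if every check passed.
audit_conf() {
    ok=0
    check_perms "$1"    || ok=1
    check_oinkcode "$1" || ok=1
    check_paths "$1"    || ok=1
    return $ok
}

# Usage: sudo sh audit.sh  (after sourcing, or call directly)
#   audit_conf /etc/snort/pulledpork.conf
```

Run it as root (the conf should only be readable by root once the permissions are right) and fix each WARN before moving on; a placeholder oinkcode produces a confusing download error from snort.org rather than an obvious configuration message.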

Now run PulledPork to download and process the rules (-l also logs important messages to syslog)

sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l

95 - Pulledpork update

It should update successfully like below

96 - Pulledpork update finished

Now edit snort.conf and change line 543 so that it includes the single rule file PulledPork generates

sudo vi /etc/snort/snort.conf

include $RULE_PATH/snort.rules

97 - Modify snort conf line 543

It should look like this

98 - Modified snort conf line 543

Now test the configuration (-T parses snort.conf and every rule it includes, then exits without sniffing)

sudo snort -T -c /etc/snort/snort.conf

99 - Testing snort configuration

It should finish with the following message, showing the configuration and all rules loaded successfully

100 -Snort configuration test success

Start Snort as a daemon again for testing

sudo /usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth1 -D

101 - Snort daemon testing again

Run Barnyard2 as a daemon again, this time for testing

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort -D

102 - Barnyard daemon testing again

Check that events are reaching the database

mysql -u snort -p -D snort -e "select count(*) from event"

103 - MYSQL database testing

I also added the following to /etc/network/interfaces

104 - Modify network interface settings

so that the sniffing interface comes up without an address and stays in promiscuous mode (these up/down lines go under the iface stanza for eth1)

up ip address add 0/0 dev eth1
up ip link set eth1 up
up ip link set eth1 promisc on

down ip link set eth1 promisc off
down ip link set eth1 down

105 - Network interface settings modified

Modify the /etc/rc.local file

106 - Modify etc rc local

To add the following

107 - Modified etc rc local

Create a cron job so the rules are refreshed automatically (when crontab asks which editor to use, option 2 is nano)

sudo crontab -e

108 - Modify crontab

Add the following and save the file. It runs PulledPork at 04:01 every day as root. Note that a running Snort does not pick up new rules until it is restarted or sent SIGHUP; pulledpork.pl has a -H option that sends the HUP for you using the pid file named by pid_path in pulledpork.conf.

01 04 * * * /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l

109 - Create cronjob
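The cron entry above downloads new rules but does nothing to the running Snort, which keeps the rules it loaded at start-up, and it also does not check that the freshly generated snort.rules still parses. The wrapper below is an added example, not part of the original tutorial and not code from the PulledPork project: it backs up snort.rules and sid-msg.map, runs the update, validates the result with snort -T, then either HUPs Snort so it reloads or restores the backup. It assumes the paths used in this series and that Snort writes its pid to /var/run/snort_eth1.pid (Snort names the file snort_<interface>.pid by default; check with ls /var/run). The commands are held in variables so they can be swapped out for testing.

```shell
#!/bin/sh
# Added example (not from the tutorial or PulledPork): rule update with
# config validation and rollback, intended to be called from cron instead of
# pulledpork.pl directly.
# Assumptions: /etc/snort layout from this series, snort at /usr/local/bin,
# pid file /var/run/snort_eth1.pid (snort_<iface>.pid is Snort's default).

RULES=${RULES:-/etc/snort/rules/snort.rules}
SIDMAP=${SIDMAP:-/etc/snort/sid-msg.map}
PIDFILE=${PIDFILE:-/var/run/snort_eth1.pid}
UPDATE_CMD=${UPDATE_CMD:-"/usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l"}
TEST_CMD=${TEST_CMD:-"/usr/local/bin/snort -T -c /etc/snort/snort.conf"}

# Copy the current rule file and sid map aside as .bak; fine if they do not
# exist yet (first run).
backup_rules() {
    for f in "$RULES" "$SIDMAP"; do
        [ -f "$f" ] && cp -p "$f" "$f.bak"
    done
    return 0
}

# Put the .bak copies made by backup_rules back in place.
restore_rules() {
    for f in "$RULES" "$SIDMAP"; do
        [ -f "$f.bak" ] && cp -p "$f.bak" "$f"
    done
    return 0
}

# Ask the running Snort to re-read its configuration by sending SIGHUP to the
# pid in PIDFILE. Returns 1 if there is no pid file (Snort is not running).
reload_snort() {
    [ -r "$PIDFILE" ] || {
        echo "no pid file $PIDFILE; start Snort or restart it by hand" >&2
        return 1
    }
    kill -HUP "$(cat "$PIDFILE")"
}

# Full cycle: backup, update, test, then reload or roll back.
# Returns 0 on success, 1 if PulledPork failed (rules untouched),
# 2 if the new rules failed snort -T (old rules restored).
safe_update() {
    backup_rules
    if ! $UPDATE_CMD; then
        echo "pulledpork failed; existing rules left in place" >&2
        return 1
    fi
    if ! $TEST_CMD; then
        echo "new rules fail snort -T; rolling back" >&2
        restore_rules
        return 2
    fi
    reload_snort
}

# Usage from cron (as root):
#   01 04 * * * /usr/local/bin/safe_rule_update.sh
# where the script ends with:  safe_update
```

Keep the backup copies on disk until the next successful update so a bad rule pack from the vendor side can be reverted without re-downloading, and treat a return code of 2 as something to alert on, since it means the box is still running yesterday's rules.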

Well done getting this far! In the next tutorial we will configure BASE and see all of this through a GUI front-end to view what is going on within our network, or at least the pings received from the pfSense box.

 

 
