SNORT 2.9.2.2 CON ELASTIX 2.4 32BITS
PREREQUISITOS
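# Packages this guide lists as prerequisites; the original line gave only the
# package names, so it could not be pasted as a command.  mysql-devel is what
# Snort's --with-mysql build needs.  A C toolchain (gcc, make, etc.) is
# presumably also required to compile the sources below — install it if
# ./configure complains.
yum -y install perl-DBD-Pg mysql-devel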
INSTALACION DE LIBRERIAS
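# Build and install the libraries Snort 2.9.2.2 needs (libpcap, pcre, libdnet)
# from source into /usr/local.  Run as root.
set -e   # stop at the first failed step instead of going on with a half-built tree

# The original line was "cd mkdir /snort_install" (a typo that creates nothing).
mkdir -p /snort_install
cd /snort_install

# NOTE(review): every download here is plain http with no checksum or signature
# check, and the pinned versions are old (some of these hosts may no longer serve
# the files).  Verify each tarball against the project's published hashes, or
# fetch it over https, before building anything from it.
wget http://www.tcpdump.org/release/libpcap-1.2.1.tar.gz
tar xzf libpcap-1.2.1.tar.gz
(cd libpcap-1.2.1 && ./configure && make && make install)

cd /snort_install
# SourceForge's ".../download" URLs redirect; -O pins the local file name so the
# tar step does not depend on what wget decides to call the file.
wget -O pcre-8.30.tar.gz http://sourceforge.net/projects/pcre/files/pcre/8.30/pcre-8.30.tar.gz/download
tar xzf pcre-8.30.tar.gz
(cd pcre-8.30 && ./configure && make && make install)

cd /snort_install
wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
tar xzf libdnet-1.12.tgz
(cd libdnet-1.12 && ./configure && make && make install)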
ACTUALIZAR LIBRERIAS
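# Make the freshly built libpcap 1.2.1 (installed under /usr/local/lib) the
# libpcap that the dynamic loader finds in /usr/lib.
set -e
cd /usr/lib

# Refuse to touch /usr/lib unless the new library really was installed; otherwise
# the rm below would leave the system with no libpcap at all.
[ -f /usr/local/lib/libpcap.so.1.2.1 ] || { echo 'libpcap 1.2.1 not found in /usr/local/lib' >&2; exit 1; }

# WARNING: removing the 0.x soname breaks every binary still linked against it
# (the distribution's own libpcap consumers).  Make sure nothing else on the box
# depends on it before running this.
rm -f libpcap.so.0 libpcap.so.0.9

# -f so the step is repeatable if the links already exist.
ln -sf /usr/local/lib/libpcap.so.1.2.1 /usr/lib/libpcap.so.1.2.1
ln -sf /usr/lib/libpcap.so.1.2.1 /usr/lib/libpcap.so.1
ln -sf /usr/lib/libpcap.so.1 /usr/lib/libpcap.so
ldconfig   # refresh the loader cache so the new soname is actually picked up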
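# Build and install DAQ (Snort's packet-acquisition layer).
set -e
cd /snort_install

# snort.org download id 2103 is DAQ 2.0.0 according to this guide.  -O pins the
# local file name instead of relying on "mv daq* ...", which would misbehave if
# more than one daq* entry existed in the directory.  Same caveat as the other
# downloads: unauthenticated http, verify the tarball before building it.
wget -O daq-2.0.0.tar.gz http://www.snort.org/downloads/2103
tar xzf daq-2.0.0.tar.gz
cd daq-2.0.0
./configure && make && make install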
INSTALACION DE SNORT
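# Build Snort 2.9.2.2 itself with MySQL output support.
set -e
cd /snort_install

# The guide never fetches this tarball; it has to be obtained from snort.org
# separately and placed here first.
[ -f snort-2.9.2.2.tar.gz ] || { echo 'snort-2.9.2.2.tar.gz not found in /snort_install' >&2; exit 1; }
tar xzf snort-2.9.2.2.tar.gz
cd snort-2.9.2.2

# The original line used typographic dashes ("–with-mysql"); configure only
# understands plain "--" options and would silently ignore the garbled ones.
./configure --with-mysql --enable-dynamicplugin
make && make install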
CONFIGURACION DE USUARIOS Y PERMISOS PARA FUNCIONAMIENTO DE SNORT
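# Create an unprivileged, non-login account for Snort; the -u/-g options in the
# start command later in this guide run the daemon as this user.
set -e
groupadd snort
useradd -g snort -s /sbin/nologin snort

# Configuration and rule directories (-p makes the step repeatable).
mkdir -p /etc/snort/rules /etc/snort/so_rules /etc/snort/preproc_rules
mkdir -p /usr/local/lib/snort_dynamicrules

# Log directory: owned by snort, and not world-readable, since alert/packet logs
# contain captured traffic.
mkdir -p /var/log/snort
chown snort:snort /var/log/snort
chmod 750 /var/log/snort

# Default config files shipped with the source tree.
cp /snort_install/snort-2.9.2.2/etc/* /etc/snort/

# snort.conf will later hold the database password in clear text: owner root,
# readable by the snort group only (Snort parses it before dropping privileges).
chown root:snort /etc/snort/snort.conf
chmod 640 /etc/snort/snort.conf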
CONFIGURACION DE REGLAS
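# Install the rule snapshot.  The tarball is not fetched by this guide; it must
# be downloaded from snort.org separately and placed in /snort_install.
set -e
cd /snort_install
[ -f snortrules-snapshot-2921.tar.gz ] || { echo 'snortrules-snapshot-2921.tar.gz not found in /snort_install' >&2; exit 1; }

# NOTE(review): "2921" is a snapshot built for Snort 2.9.2.1 while this guide
# installs 2.9.2.2.  The precompiled shared-object rules below are tied to a
# Snort version/platform, so use a snapshot that matches the installed Snort if
# one is available, or expect the SO rules to be rejected at start-up.
tar xzf snortrules-snapshot-2921.tar.gz
cp rules/* /etc/snort/rules/
cp so_rules/precompiled/Centos-5-4/i386/2.9.2.1/* /etc/snort/so_rules/
cp preproc_rules/* /etc/snort/preproc_rules/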
CONFIGURACION DE IPS DE ESCUCHA
# Open the configuration and apply the edits listed below (network variables,
# rule paths, reputation preprocessor, output plugin).
vim /etc/snort/snort.conf
# Addresses Snort treats as "inside".  Replace 192.168.10.142 with the host or
# network actually being monitored; ipvar accepts a CIDR or a bracketed,
# comma-separated list.
ipvar HOME_NET [192.168.10.142]
# Everything that is not HOME_NET.
ipvar EXTERNAL_NET !$HOME_NET
# Rule locations populated earlier in this guide.
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
2. Comment out the whole "Reputation preprocessor" section, because we do not have a whitelist/blacklist file yet.
3. Find the "Configure output plugins" section and add the line `output unified2: filename snort.log, limit 128`
INICIAR SNORT EN MODO IDS
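# Validate the configuration first (-T parses everything and exits), so a broken
# snort.conf is reported here instead of the daemon silently dying in the
# background.  Then start as a daemon (-D), dropping to the unprivileged snort
# user/group created above, listening on eth0 (adjust the interface as needed).
/usr/local/bin/snort -T -u snort -g snort -c /etc/snort/snort.conf -i eth0 || exit 1
/usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort.conf -i eth0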
CONFIGURACION DE SOPORTE DE BASE DE DATOS
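# Create the database and a dedicated MySQL account for Snort and BASE.
# The original guide stored the MySQL *root* password in snort.conf, while the
# BASE configuration later in the guide already expects a user named "snort"
# that was never created.  This block creates that least-privilege account and
# uses it everywhere.  CREATE/DELETE are for BASE's "Create BASE AV" tables and
# alert management; trim the grant if those are not needed.
set -e
mysql -u root -p <<'EOF'
CREATE DATABASE snort;
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON snort.* TO 'snort'@'localhost' IDENTIFIED BY 'yourpassword';
FLUSH PRIVILEGES;
EOF

# Load Snort's schema into the new database.
cd /snort_install/snort-2.9.2.2
mysql -u root -p -D snort < schemas/create_mysql

# Now add the two output lines to snort.conf, using the snort account rather
# than root.  The file holds the password in clear text, so keep it readable by
# root and the snort group only (mode 640):
#   output database: alert, mysql, user=snort password=yourpassword dbname=snort host=localhost
#   output database: log, mysql, user=snort password=yourpassword dbname=snort host=localhost
vi /etc/snort/snort.conf

# Sanity check once Snort has been running for a while: events should be
# accumulating.  Done as the snort account, which also proves the grant works.
mysql -u snort -p -D snort -e 'SELECT * FROM event;'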
INSTALACION DE INTERFAZ GRAFICA BASE
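# PHP graphing libraries that BASE uses for its charts.  Chained with && so a
# failed pear install (Image_Canvas is explicitly the alpha release) stops the
# sequence instead of being scrolled past.
yum -y install php-pear \
  && pear install Image_Canvas-alpha \
  && pear install Image_Color \
  && pear install Numbers_Roman \
  && pear install Image_Graph-0.8.0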
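# Install ADOdb and BASE.  -O pins the local file names (SourceForge's
# ".../download" URLs redirect and the saved name is otherwise up to wget).
# NOTE(review): this is web-application code that will run under httpd, fetched
# over plain http with no integrity check; verify the archives against the
# projects' published checksums before deploying them.
set -e
cd /snort_install/
wget -O adodb511.tgz http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-511-for-php5/adodb511.tgz/download
wget -O base-1.4.5.tar.gz http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz/download

# ADOdb is placed outside the document root (/var/www/adodb); only BASE itself
# ends up web-reachable under /var/www/html/base.
cd /var/www
tar xzf /snort_install/adodb511.tgz
mv adodb5 adodb
cd html
tar xzf /snort_install/base-1.4.5.tar.gz
mv base-1.4.5 base
cd base
cp base_conf.php.dist base_conf.php

# base_conf.php will contain the database password: owner root, readable only
# by the group httpd runs as.  Elastix may run httpd as a user other than
# "apache" (e.g. asterisk), so take the Group directive from httpd.conf and fall
# back to apache if it is not found there.
httpd_group=$(awk '$1 == "Group" { print $2 }' /etc/httpd/conf/httpd.conf)
chown "root:${httpd_group:-apache}" base_conf.php
chmod 640 base_conf.php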
vim base_conf.php
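// BASE database settings in base_conf.php.  The original used typographic
// quotes (‘…’ / ”) which PHP does not accept; they must be plain single quotes.
$BASE_urlpath = '/base';
$DBlib_path = '/var/www/adodb';   // ADOdb lives outside the web root
$DBtype = 'mysql';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';                 // empty = driver default
// Dedicated MySQL account: it must exist and be granted on the snort database
// (BASE fails to connect otherwise).  Do not put the MySQL root user here.
$alert_user = 'snort';
$alert_password = 'yourpassword'; // clear-text secret: keep this file mode 640, not world-readable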
Create BASE AV
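# Restart httpd so the new PEAR packages and BASE are served.  (The leading "# "
# in the original was a root prompt, not part of the command; pasted as-is it
# would have been a comment and done nothing.)
service httpd restart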
Ingresar a https://suip/base, hacer clic sobre “Setup Page” y luego sobre “Create BASE AV”. Nota: base_conf.php contiene la contraseña de la base de datos y BASE muestra las alertas a cualquiera que alcance /base a menos que se active su autenticación; antes de exponer la interfaz, revise `$Use_Auth_System` en base_conf.php o restrinja el acceso desde httpd.

