For organizational purposes, some text has been outlined in color for easier

identification of commands, warnings and important information. In this document the

Terminal commands are outlined with Orange, important information is outlined in Red,
and files or other information which might need to be quickly referenced will be outlined
in Blue.

Initial Setup and Installation of

ProxMox
Installation of ProxMox on a Proliant DL385 G7 server.
General instructions for the installation of ProxMox can be found on
the official snort.org page. For more information or clarification on
any of these topics see https://www.proxmox.com/en/proxmoxve/get-started and https://pve.proxmox.com/wiki/Installation or the
guide which was used as the basis of this installation here:
https://www.youtube.com/watch?v=JvDMLNAxYbI

Setup

Begin by running an initial memory test on your hard ware to check for
any failures and errors.
Verify that the hardware is in working condition.
Format the hard drives and remove any partitions and traces of
partition tables.
Configure the hard drives to fit your specified needs. eg. Raid 1 for
redundancy and the installation of ProxMox, and Raid 5 or 5+1 for
backup and storage.
Be sure to have or set up access to a static Ip address for your server
for ProxMox to be installed and configured properly.

ProxMox

Download the ISO image from https://www.proxmox.com/en/downloads

Burn the ISO to a DvD for install
Set the Bios to boot from disk.
Read and accept the ProxMox terms and agreement to proceed
Select the appropriate hard drives that were created for the install.
Follow along with the on screen instructions eg. Country, Password.

When you are promoted for IP configuration be sure to use a static IP

address for proper installation.
Remove the DvD and reboot the system.
Change the boot options balk to default
Log on to your ProxMox server using a web-browser and the IP
assigned with the port:8006
Login using credentials entered in the installation.
Using the shell login to the server
Edit the file /etc/apt/sources.list
Add the line
deb http://download.proxmox.com/debian wheezy pve-nosubscription
Edit the file /etc/apt/sources.list.d/pve-enterprise.list
Comment out the line that reads:
deb https://enterprise.proxmox.com/debian wheezy pve-enterprise
Next preform apt-get update; apt-get install openipmi
In the ProxMox shell partition and format the secondary drives with the
file system of choice
Mount the file system to /srv with the mount command and add it to
fstab
Create needed directories with mkdir eg. Backups

Duplicating And Backing up Virtual

Machines (VMs) And Virtual
Containers (CTs)
Backing up
Login to the ProxMox web interface.
Select the VM or CT that is to be backed up or duplicated.
Select the Backup tab.
Select Backup now.
If the VM or CT is running use the snapshot or suspend option.
If the VM or CT is stopped use the stop option.
Select the storage location that the backup is going to be saved to.

Select the compression Gzip (Good), LZO (Fast), or none for no

compression.

Restoring
To restore a VM or CT from a backup select the storage location that
the backup is stored.
Select the backup file
Select restore
Specify the location you want the VM or CT to be created in
Specify the new VM ID
Click restore
Wait for the process to complete
If restoring a VM and CT and the original is still in use the hostname,
mac address and ssh keys will be the same and need to be changed
before it is used or conflicts between the two will occur.
To change the mac address click on the VM or CT
Select the network tab
Click on the network device
Select edit
Change the mac address
Select ok
To change the host name and ssh key varies from Os to Os you will
have to look up the appropriate way dependent on your Os of choice.

Snort Install
Installing Snort on a CentOs 7 virtualized environment on a ProxMox server.
General instructions for the installation of snort on CentOS 7 can be found on
the official snort.org page for CentOS 7. For more information or
clarification on any of these topics see www.snort.org or the guide which
was used as the basis of this installation here:
https://s3.amazonaws.com/snort-orgsite/production/document_files/files/000/000/063/original/snortcentos6x-7x-2970.pdf?
AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1427937712&S
ignature=FcRFXDbYkcXfd3m0krg%2FG00HfJA%3D
The RPM repository (via HTTP) for CentOS 7.x is located at:
http://mirror.centos.org/centos/7/os/x86_64/Packages/

Step 1 Create template (from ISO)

-

Create KVM from ISO image file as outlined in the ProxMox guide here:
Create Template (for future use)

From Template
o Navigate to a storage device on your ProxMox web Interface
o Under the Content tab, Select Upload, in new window select
Type of image (ISO, VZDump backup file or Template) in this case
Template.
o Select the template you would like to upload using the Select a
file button and upload (this can take some time depending on the
size of the upload)

o
o
o
o
o
o
o
o
o
o

Now in the ProxMox web interface, in the top right click Create CT
Set Hostname (optional, Will create a default CT#VM_ID#)
Ensure VM_ID # does not match any other containers you have.
Select Storage, Enter PW and confirm PW (to be used for root pw on
container)
Select Storage Where template was previously uploaded.
Select Template you wish to use.
Set Memory, Swap, Disk space, CPUs
Set IP(either static or Bridged, for our purposes we used bridged)
Use Host DNS settings or set custom.
Confirm and Create.
A new window should pop up and indicate when container has been
created or any errors that have occurred.

Setting up new Container

Step 2 (network/connectivity)

Check Network Configuration command: ip addr list (ifconfig for

debian)
o By default eth0 is not set to be up on boot. Set this now (either in
/ect/networks/interfaces for debian or in centOS edit
/etc/syconfig/network-scripts/ifcfg-eth0) Four our purposes we will
be using centOS for snort
o

To check interface information use ip addr list (similar to ifconfig

for debian)
Example file /etc/syconfig/network-scripts/ifcfg-eth0:

DEVICE="eth0"
HWADDR="00:21:70:10:7E:CD"
NM_CONTROLLED="no"
ONBOOT="yes" sets the interface to online on boot (ifconfig eth0 up)
BOOTPROTO=static use static IP
#To use dhcp
# BOOTPROTO=dhcp
IPADDR=10.16.1.106
NETMASK=255.255.255.0
# the GATEWAY is sometimes in: /etc/sysconfig/network
GATEWAY=10.16.1.1
Note: Snort SHOULD be configured on a static IP.
o Ifcfg-eth0 is loaded on boot, so we recommend rebooting to test
configuration.
o Upon reboot (centOS container) using the command ip addr list
verify eth0 has IP and connecting properly to internet using ping
8.8.8.8(google) or nslookup www.google.ca
Note: any external IP or domain name should work if valid DNS is
configured.

Verify Dependencies
Step 3 (Dependencies)

o Check/Verify all dependencies for Snort (CentOS 7)

gcc version (4.4.7including libraries)
flex (2.5.37),
bison (2.7.x)
zlib (1.2.7 including zlib-devel)
libpcap(1.5.3 including libpcap-devel)
pcre (8.32 including pcre-devel)
libdnet (1.12including libdnet-devel)

tcpdump (4.5.x).
o yum y groupinstall Development tools
o rpm qi gcc flex bison libpcap libpcap-devel pcre pcre-devel zlib
zlib-devel libdnet libdnet-devel tcpdump (rpm qi to check, and
install packages if missing)
o yum list installed |grep <package> (or any other package to quickly
check versions)
Note: newer versions should NOT cause any issues when
compiling DAQ and Snort.

If you are upgrading from a previous version of Snort it is STRONGLY

recommended to back up local.rules, snort.conf, threshold.conf,
white_list.rules, and black_list.rules before any snort upgrade is
installed.

Snort Install
Step 4 (Install Snort + Rules)

To install snort we will need to obtain the snort version (in our case
2.9.7.2-1) and DAQ, both can be found on the official snort website
www.snort.org
wget http://www.snort.org/downloads/snort/snort-2.9.7.21.centos7.x86_64.rmp
wget http://www.snort.org/downloads/snort/daq-2.0.4.RH7.x86_64.rpm
Install both packages
rpm Uvh snort-2.9.7.2-1.centos7.x86_64.rpm
rpm Uvh daq-2.0.4.RH7.x86_64.rpm
ldconfig v /usr/local/lib (verifies if the links in folder are current with
links on the system)
Change the ownership/permissions of the logging and snort
configuration directories so our snort user/group can read/write
chown R snort:snort /etc/snort
chown R snort:snort /var/log/snort
cd /etc/snort/rules
touch white_list.rules (create white_list.rules file)
touch black_list.rules (create black_list.rules file)
In using the registered rule set we uploaded a copy of the rules
snapshot to a private ftp site and retrieved it from the web, your link
location will vary. Snapshot can be obtained from www.snort.org or use
the community rules which do not require registration/login.

 wget https://<location>/snortrules-snapshot-2972.tar.gz
Add a user and group for snort in your system (using the commands
below):
groupadd -g 40000 snort
useradd snort -u 40000 -d /var/log/snort -s /sbin/nologin -c SNORT_IDS
g snort
cd /etc/snort chown -R snort:snort *
chown -R snort:snort /var/log/snort
Install the downloaded rules to your /etc/snort/rules folder
tar -zxvf snortrules-snapshot-2972.tar.gz
Verify the rules have been copied over, ls -l snort/rules/
Locate, and change these variables in your snort.conf file to allow snort
to access rules, and your network properly
var RULE_PATH /etc/snort/rules
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
Change the permissions and ownership of directories/files related to
Snort and/or DAQ
cd /usr/local/src chown -R snort:snort
daq-2.0.x chmod -R 700 daq-2.0.x
chown -R snort:snort snort-2.9.7.x
chmod -R 700 snort-2.9.7.x
chown -R snort:snort snort_dynamicsrc
chmod -R 700 snort_dynamicsrc
Information and scripts to run snort as a service from /etc/init.d/ directory
on your CentOS7 box can be found at https://www.snort.org/documents
To test snort we will need to set up a rule or identify a rule we can
trigger and use to verify correct operations. Edit the file local.rules located
in /etc/snort/rules/ directory adding in the following line:
alert icmp any any -> any any (msg:"ICMP Packet";
sid:100001; rev:1;)
This rule sets an alert to be triggered by any ICMP (ping) message
send across the whole network. From any any with the displaying
message ICMP Packet to be displayed in the alerts file. To test this
simply ping the IP of your snort box from another computer/virtual
machine while a snort capture is running.
Save local.rules file and test.

Now to Test snort using user snort, group snort, listening on interface eth0
and using the snort.conf file located in the /etc/snort/ directory.
From terminal use the following command:

snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf

To manually run snort:
snort -b -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
Runs snort in binary-log-file in Daemon mode on eth0 interface as user snort, group snort,
using configuration file located /etc/snort/snort.conf and using the logging directory
/var/log/snort/

Snort Information/Flags
Step 5 (Important Commands for Operation)

Important commands for operation

All information from the snort man page available here: http://www.manpagez.com/man/8/snort/.

-v Log packets in a tcpdump formatted file.

All packets are logged in their native binary state to a
tcpdump formatted log file named with the snort start timestamp and
"snort.log". This option results in much faster operation of the
program since it doesn't have to spend time in the packet binary>text converters.
-c config-file
Use the rules located in file config-file.
-D
Run Snort in daemon mode. Alerts are sent to
/var/log/snort/alert unless otherwise specified.
-e

Display/log the link layer packet headers.

-g group
Change the group/GID Snort runs under to group after
initialization. This switch allows Snort to drop root privileges
after it's initialization phase has completed as a security
measure.
-I

Print out the receiving interface name in alerts.

-l log-dir
Set the output logging directory to

log-dir.

-L binary-log-file
Set the filename of the binary log file to binary-log-file.
-n packet-count
Process packet-count packets and exit.
-q

Quiet operation.
Don't display banner and initialization information.

-T
Snort will start up in self-test mode, checking all the
supplied command line switches and rules files that are handed to
it and indicating that everything is ready to proceed.
-v
Be verbose. Prints packets out to the console.
There is one big problem with verbose mode: it's slow. If you are
doing IDS work with Snort, don't use the '-v' switch, you WILL drop
packets.

Perl scripts administrator manual

Installing Statistics::Descriptive
You need the Statistics module to run this script. It does not matter what directory you
are in for this install. Type the following into a terminal to get the Stats module:

apt-get install cpanminus

cpanm i Statistics::Descriptive (-i option is install)
Running the scripts

Start off by placing the statCap.pl file into the /etc/snort directory. The file will create
the necessary files it needs to run. To run the script, type into terminal the following:

perl statCap.pl
Editing the path of the log file in script
You may need to change the default path of the script that looks for the location of the
log files. By default in our script it is set to /var/log/snort/snortlogs, change this in the
individual subroutines to match your log file location

Proper Output (Figure 1)

(Optional) Crontabs

If you would like to set up you script to run on a daily biases, you can setup a
Cvrontab to run daily. Type the following commands to do so:

crontab e (-e option for editing the Crontab file)

type 0 20 * * * perl /etc/snort/statCap.pl (for 8PM run time, you can set it up
for anytime you want to scan in the day)

(
(Figure 2. Crontab example)