Setup
Begin by running an initial memory test on your hardware to check for
any failures and errors, and verify that the hardware is in working condition.
Format the hard drives and remove any partitions and traces of
partition tables.
Configure the hard drives to fit your specified needs, e.g. RAID 1 for
redundancy and the installation of ProxMox, and RAID 5 or 5+1 for
backup and storage.
Be sure to have or set up access to a static IP address for your server
so that ProxMox can be installed and configured properly.
ProxMox
Restoring
To restore a VM or CT from a backup, select the storage location where
the backup is stored.
Select the backup file.
Select Restore.
Specify the location you want the VM or CT to be created in.
Specify the new VM ID.
Click Restore.
Wait for the process to complete.
If you restore a VM or CT while the original is still in use, the hostname,
MAC address and SSH keys of the copy will be identical to the original's and
must be changed before it is used, or conflicts between the two will occur.
To change the MAC address, click on the VM or CT.
Select the Network tab.
Click on the network device.
Select Edit.
Change the MAC address.
Select OK.
How to change the hostname and SSH keys varies from OS to OS; you will
have to look up the appropriate method for your OS of choice.
Snort Install
Installing Snort in a CentOS 7 virtualized environment on a ProxMox server.
General instructions for the installation of Snort on CentOS 7 can be found on
the official snort.org page for CentOS 7. For more information or
clarification on any of these topics see www.snort.org or the guide which
was used as the basis of this installation here:
https://s3.amazonaws.com/snort-orgsite/production/document_files/files/000/000/063/original/snortcentos6x-7x-2970.pdf?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1427937712&Signature=FcRFXDbYkcXfd3m0krg%2FG00HfJA%3D
The RPM repository (via HTTP) for CentOS 7.x is located at:
http://mirror.centos.org/centos/7/os/x86_64/Packages/
Create KVM from ISO image file as outlined in the ProxMox guide here:
Create Template (for future use)
From Template
o Navigate to a storage device in your ProxMox web interface.
o Under the Content tab, select Upload; in the new window select the
type of image (ISO, VZDump backup file or Template), in this case
Template.
o Select the template you would like to upload using the Select a
file button and upload it (this can take some time depending on the
size of the upload).
Now in the ProxMox web interface, in the top right, click Create CT.
Set the hostname (optional; a default of CT#VM_ID# will be created).
Ensure the VM_ID does not match any other container you have.
Select Storage, enter the password and confirm it (this will be the root
password on the container).
Select the storage where the template was previously uploaded.
Select the template you wish to use.
Set memory, swap, disk space and CPUs.
Set the IP (either static or bridged; for our purposes we used bridged).
Use the host DNS settings or set custom ones.
Confirm and Create.
A new window should pop up and indicate when the container has been
created or list any errors that have occurred.
Edit the interface configuration file ifcfg-eth0 (on CentOS 7 it lives under
/etc/sysconfig/network-scripts/) as follows:
DEVICE="eth0"
# must match the MAC address of the container's network device
HWADDR="00:21:70:10:7E:CD"
NM_CONTROLLED="no"
# bring the interface up on boot (equivalent to ifconfig eth0 up)
ONBOOT="yes"
# use a static IP
BOOTPROTO=static
# to use DHCP instead:
# BOOTPROTO=dhcp
IPADDR=10.16.1.106
NETMASK=255.255.255.0
# the GATEWAY is sometimes set in /etc/sysconfig/network instead
GATEWAY=10.16.1.1
Note: Snort SHOULD be configured on a static IP.
o ifcfg-eth0 is loaded on boot, so we recommend rebooting to test the
configuration.
o After rebooting the CentOS container, use the command ip addr list to
verify that eth0 has an IP, and check that it reaches the internet properly
using ping 8.8.8.8 (Google) or nslookup www.google.ca.
Note: any external IP or domain name should work if valid DNS is
configured.
Verify Dependencies
Step 3 (Dependencies)
tcpdump (4.5.x).
o yum -y groupinstall "Development tools"
o rpm -qi gcc flex bison libpcap libpcap-devel pcre pcre-devel zlib
zlib-devel libdnet libdnet-devel tcpdump (rpm -qi checks whether each
package is installed; install any that are missing)
o yum list installed | grep <package> (substitute any package name to quickly
check its version)
Note: newer versions should NOT cause any issues when
compiling DAQ and Snort.
Snort Install
Step 4 (Install Snort + Rules)
To install Snort we will need to obtain the Snort package (in our case
version 2.9.7.2-1) and DAQ; both can be found on the official Snort website
www.snort.org.
wget http://www.snort.org/downloads/snort/snort-2.9.7.2-1.centos7.x86_64.rpm
wget http://www.snort.org/downloads/snort/daq-2.0.4.RH7.x86_64.rpm
Install both packages:
rpm -Uvh snort-2.9.7.2-1.centos7.x86_64.rpm
rpm -Uvh daq-2.0.4.RH7.x86_64.rpm
ldconfig -v /usr/local/lib (refreshes the shared library cache, verbosely, so
that the libraries in this folder are found by the system)
Change the ownership/permissions of the logging and Snort
configuration directories so our snort user/group can read/write them:
chown -R snort:snort /etc/snort
chown -R snort:snort /var/log/snort
cd /etc/snort/rules
touch white_list.rules (create the white_list.rules file)
touch black_list.rules (create the black_list.rules file)
We used the registered rule set: we uploaded a copy of the rules
snapshot to a private FTP site and retrieved it from the web, so your link
location will vary. The snapshot can be obtained from www.snort.org, or use
the community rules, which do not require registration/login.
wget https://<location>/snortrules-snapshot-2972.tar.gz
Add a user and group for Snort to your system (using the commands
below):
groupadd -g 40000 snort
useradd snort -u 40000 -d /var/log/snort -s /sbin/nologin -c SNORT_IDS -g snort
cd /etc/snort
chown -R snort:snort *
chown -R snort:snort /var/log/snort
Install the downloaded rules into your /etc/snort/rules folder:
tar -zxvf snortrules-snapshot-2972.tar.gz
Verify the rules have been copied over: ls -l /etc/snort/rules/
Locate and change these variables in your snort.conf file so that Snort can
find the rules and knows which addresses belong to your network (set HOME_NET
to your own network range):
var RULE_PATH /etc/snort/rules
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
Change the permissions and ownership of the directories/files related to
Snort and/or DAQ:
cd /usr/local/src
chown -R snort:snort daq-2.0.x
chmod -R 700 daq-2.0.x
chown -R snort:snort snort-2.9.7.x
chmod -R 700 snort-2.9.7.x
chown -R snort:snort snort_dynamicsrc
chmod -R 700 snort_dynamicsrc
Information and scripts to run snort as a service from /etc/init.d/ directory
on your CentOS7 box can be found at https://www.snort.org/documents
To test Snort we will need to set up a rule, or identify an existing rule, that
we can trigger and use to verify correct operation. Edit the file local.rules
located in the /etc/snort/rules/ directory, adding the following line:
alert icmp any any -> any any (msg:"ICMP Packet"; sid:100001; rev:1;)
This rule triggers an alert on any ICMP (ping) message sent anywhere on the
network: from any source address and port to any destination address and port,
with the message "ICMP Packet" written to the alerts file. To test this,
simply ping the IP of your Snort box from another computer/virtual
machine while a Snort capture is running.
Save the local.rules file and test.
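As an added illustration (not part of the guide), a small Python parser for Snort 2 rules such as the one above, plus a check for the things most often wrong in a hand-written local.rules entry; note that it also flags sids below 1,000,000, the range Snort reserves for distributed rule sets, which the guide's test rule falls into:

```python
import re

# The local rule from the guide's local.rules, copied from the page.
GUIDE_RULE = 'alert icmp any any -> any any (msg:"ICMP Packet"; sid:100001; rev:1;)'

# Snort 2 rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
# Split the option body on ';' only when the ';' is outside double quotes.
OPT_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')


def parse_rule(line):
    """Split a Snort 2 rule into header fields plus an option dict.
    Quoted values lose their quotes; flag options such as 'nocase' map to None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a valid rule header: %r" % line)
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    opts = {}
    for opt in OPT_SPLIT_RE.split(m.group("opts")):
        opt = opt.strip()
        if opt:
            key, sep, val = opt.partition(":")
            opts[key.strip()] = val.strip().strip('"') if sep else None
    rule["options"] = opts
    return rule


def check_local_rule(line):
    """Return the problems to fix before adding a rule to local.rules ([] = OK)."""
    try:
        opts = parse_rule(line)["options"]
    except ValueError as e:
        return [str(e)]
    problems = ["missing %s option" % k for k in ("msg", "sid", "rev") if k not in opts]
    sid = opts.get("sid")
    if sid is not None and not sid.isdigit():
        problems.append("sid is not numeric: %r" % sid)
    elif sid is not None and int(sid) < 1000000:
        # SIDs below 1,000,000 are reserved for rules shipped with Snort and the
        # official rule sets; local rules are expected to use 1,000,000 and above.
        problems.append("sid %s is in the reserved range; use >= 1000000 for local rules" % sid)
    return problems
```

Run check_local_rule over each non-comment line of local.rules before restarting Snort; a rule that fails to parse here will also make Snort's own self-test (-T) fail.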
Now, to test Snort running as user snort and group snort, listening on interface
eth0 and using the snort.conf file located in the /etc/snort/ directory, use the
following command from a terminal:
Snort Information/Flags
Step 5 (Important Commands for Operation)
All information from the snort man page available here: http://www.manpagez.com/man/8/snort/.
-g group
Change the group/GID Snort runs under to group after
initialization. This switch allows Snort to drop root privileges
after its initialization phase has completed, as a security
measure.
-I
-l log-dir
Set the output logging directory to
log-dir.
-L binary-log-file
Set the filename of the binary log file to binary-log-file.
-n packet-count
Process packet-count packets and exit.
-q
Quiet operation.
Don't display banner and initialization information.
-T
Snort will start up in self-test mode, checking all the
supplied command line switches and rules files that are handed to
it and indicating that everything is ready to proceed.
-v
Be verbose. Prints packets out to the console.
There is one big problem with verbose mode: it's slow. If you are
doing IDS work with Snort, don't use the '-v' switch, you WILL drop
packets.
Start off by placing the statCap.pl file into the /etc/snort directory. The file will create
the necessary files it needs to run. To run the script, type the following into a terminal:
perl statCap.pl
Editing the path of the log file in the script
You may need to change the default path in the script that points to the location of the
log files. By default in our script it is set to /var/log/snort/snortlogs; change this in the
individual subroutines to match your log file location.
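Added example, not part of the guide and not the statCap.pl script (whose source the page does not include): a Python parser for Snort's fast-format alert file that tallies alerts per rule and per source host. It both confirms that the ICMP test rule from local.rules actually fired and shows the kind of per-log-file statistics a script like statCap.pl produces. It assumes Snort writes alerts in the alert_fast format; the sample alert lines are constructed.

```python
import re
from collections import Counter

# Constructed sample in Snort's fast alert format (what output alert_fast or
# -A fast writes to the alert file); not real output from the guide's sensor.
# The first two lines are what the guide's ICMP test rule (gid:sid:rev 1:100001:1)
# produces; the third is a constructed TCP alert that carries a classification.
SAMPLE_ALERTS = """\
04/02-14:03:11.123456  [**] [1:100001:1] ICMP Packet [**] [Priority: 0] {ICMP} 10.16.1.50 -> 10.16.1.106
04/02-14:03:12.125001  [**] [1:100001:1] ICMP Packet [**] [Priority: 0] {ICMP} 10.16.1.50 -> 10.16.1.106
04/02-14:05:40.000321  [**] [1:1000002:1] TEST web probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.16.1.77:51234 -> 10.16.1.106:80
this line is not an alert and is counted as skipped
"""

ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+'
    r'\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$'
)


def parse_alert_line(line):
    """Return a dict for one fast-format alert line, or None if it isn't one."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sid"], rec["prio"] = int(rec["sid"]), int(rec["prio"])
    # TCP/UDP endpoints carry a ':port' suffix; drop it so hosts count uniformly.
    has_port = rec["proto"] in ("TCP", "UDP")
    rec["src_ip"] = rec["src"].rsplit(":", 1)[0] if has_port else rec["src"]
    rec["dst_ip"] = rec["dst"].rsplit(":", 1)[0] if has_port else rec["dst"]
    return rec


def summarize(text):
    """Tally alerts by (sid, msg) and by source host; count non-alert lines."""
    by_rule, by_src, skipped = Counter(), Counter(), 0
    for line in text.splitlines():
        rec = parse_alert_line(line)
        if rec is None:
            if line.strip():
                skipped += 1
            continue
        by_rule[(rec["sid"], rec["msg"])] += 1
        by_src[rec["src_ip"]] += 1
    return {"by_rule": by_rule, "by_src": by_src, "skipped": skipped}
```

On a sensor, pass the contents of /var/log/snort/alert (or whatever log path you configured) to summarize() and check that (100001, "ICMP Packet") appears in by_rule after pinging the box.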
(Optional) Crontabs
If you would like to set up your script to run on a daily basis, you can set up a
crontab to run it daily. Type the following commands to do so:
(Figure 2. Crontab example)