Snort script
Debian install Snort script:
www.snortattack.org/install-snort.tar.gz
-----------------------------------------------
1. Install Debian (minimal installation) with a 2.6.x kernel.
This script is compatible with Debian releases 3.1 and 4.0.
Tested on Debian 3.1r05a, 3.1r5 and Debian 4.0r0.
Set up the network connection.
Set up the apt repository (Debian stable)
and run (as root):
# apt-get update (OPTIONAL)
# apt-get upgrade (OPTIONAL)
2. Download the snortattack tar.gz
$ cd /
$ wget http://www.snortattack.org/install-snort.tar.gz
$ tar -zxvf install-snort.tar.gz
$ cd /snortattack
The files must stay in this path: /snortattack/
3. Open install.conf with your favourite text editor and set the variables
$ nano install.conf
4. Start apt.sh or use the Snort static binary (as root)
$ su root
$ (enter the password)
# cd /snortattack
# sh apt.sh
(you must have debian base repository in /etc/apt/sources.list)
(deb http://ftp.it.debian.org/debian stable main contrib non-free)
Installs some packages using the apt list from snortattack.
Leave the default options and press enter to confirm
the configuration.
If there is some error with a package name, try to search for it with:
# apt-cache search packagename
and install it with:
# apt-get install packagename
To force the install, and to search for and fix errors:
# apt-get -f install
If you want to use the Snort static binary from snortattack.org:
# sh snort-static.sh (optional)
Your kernel must have this option enabled:
Packet socket: mmapped IO
You can choose to update your kernel by changing
the variable UPDATE_KERNEL="y" in install.conf
Not tested yet!
Use only if your kernel version is < 2.6.18
5. Start download-pkts.sh
# sh download-pkts.sh
Downloads some packages using the mirror list from snortattack.
If there is some error with a mirror, try to search for it on the internet.
6. Start install-pkts.sh
# sh install-pkts.sh
Updates the kernel and installs all the packages.
At the end you should see:
,,_ -*> Snort_Inline! <*-
o" )~ Version 2.4.5 (Build 29)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2005 Sourcefire Inc., et al.
Snort_Inline Mod by William Metcalf, Victor Julien, Nick Rogness,
Dave Remien, Rob McMillen and Jed Haile
NOTE: Snort's default output has changed in version 2.4.1!
The default logging mode is now PCAP, use "-K ascii" to activate
the old default logging mode.
,,_ -*> Snort! <*-
o" )~ Version 2.6.0.2 (Build 85) inline
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2006 Sourcefire Inc., et al.
7. Start mysql-setup.sh
# sh mysql-setup.sh
Sets up the mysql Snort database with the correct permissions.
8. Start bridge-setup.sh
# sh bridge-setup.sh
(don't do this in an ssh session)
Creates the bridge (br0) with two LAN interfaces (eth0, eth1).
9. Start snort-config.sh
# sh snort-config.sh
Sets up snort_inline.conf and downloads the latest rules
with the oinkmaster.conf provided by snortattack.org.
You have to register at snort.org and obtain an oinkcode!
Howto --> www.snortattack.it/oink/eng.html
Don't worry if the clamav version is 0.88.7:
the Snort diff doesn't work with 0.90.x yet.
10. Start snort-try.sh
# sh snort-try.sh
Loads the ip_queue module (modprobe) and sets up iptables.
Starts the snort or snort_inline daemon.
11. Start stats-ips.sh
# sh stats-ips.sh
Shows the state of the bridge and the iptables queue.
Connect a crossover cable to your PC and surf the web; verify
the queue size and the network connection.
You should see:
Iptables queue :
Chain INPUT (policy ACCEPT 24946 packets, 4782K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
13M 8646M QUEUE all -- any any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 55290 packets, 7393K bytes)
pkts bytes target prot opt in out source destination
Network Interface status:
eth0: negotiated 100baseTx-FD, link ok
eth1: negotiated 100baseTx-FD, link ok
12. Start snort-auto.sh
# sh snort-auto.sh
Creates a new rc file: /etc/rc2.d/S999snortattack.sh
Install finished!
Keep your installation up to date with these scripts:
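Steps 8 to 11 only work as an IPS if the FORWARD chain actually hands bridged traffic to the QUEUE target and the counter is moving. The following check is an added example, not one of the snortattack scripts: it parses an `iptables -L -v` style listing (the constructed sample below copies the layout shown in step 11) and reports whether the inline path is in place. The function names and the sample listing are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the snortattack scripts): verify that the
# inline IPS path from steps 8-11 is in place by inspecting the FORWARD
# chain of an `iptables -L -v` listing for a QUEUE rule and its counter.

# Constructed sample, modelled on the stats-ips.sh output shown in step 11.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT 24946 packets, 4782K bytes)
 pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
  13M 8646M QUEUE all -- any any anywhere anywhere
    0     0 ACCEPT all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 55290 packets, 7393K bytes)
 pkts bytes target prot opt in out source destination'

# forward_queue_rules LISTING: prints how many QUEUE rules the FORWARD chain has.
forward_queue_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain /                            { chain = $2 }
        chain == "FORWARD" && $3 == "QUEUE"  { n++ }
        END                                  { print n + 0 }'
}

# forward_queue_pkts LISTING: prints the pkts counter of the first QUEUE rule
# in FORWARD (empty if there is none).
forward_queue_pkts() {
    printf '%s\n' "$1" | awk '
        /^Chain /                                     { chain = $2 }
        chain == "FORWARD" && $3 == "QUEUE" && !done  { print $1; done = 1 }'
}

# check_inline_path LISTING: 0 = traffic is queued to snort_inline,
# 1 = no QUEUE rule (bridge forwards uninspected), 2 = rule present but idle.
check_inline_path() {
    listing="$1"
    if [ "$(forward_queue_rules "$listing")" -eq 0 ]; then
        echo "WARN: no QUEUE rule in FORWARD; bridged traffic is not inspected"
        return 1
    fi
    pkts=$(forward_queue_pkts "$listing")
    if [ "$pkts" = "0" ]; then
        echo "WARN: QUEUE rule present but its counter is 0; nothing queued yet"
        return 2
    fi
    echo "OK: FORWARD traffic is being queued ($pkts packets so far)"
    return 0
}

# On the sensor itself (as root): check_inline_path "$(iptables -L -v)"
```

A return of 1 after bridge-setup.sh means the box is a plain bridge with no IPS in the path, which is worth alerting on from cron alongside the step 16 jobs.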
13. Start visual-install.sh (optional)
# sh visual-install.sh
Installs BASE and pmgraph.
Try to look at http://localhost/base/ (NOT TESTED YET),
follow the steps and install.
Look at http://localhost/usage/
14. To disable rules that produce false positives (in oinkmaster.conf), use disable-sid.sh
$ sh disable-sid.sh
15. To keep the ruleset up to date, use snort-update.sh
# sh rules-update.sh
NB. Snort.org accepts one download per 10 minutes.
16. To perform some useful operations with cron, use crontab-setup.sh
# sh crontab-setup.sh
Inserts these commands in the crontab:
0 0 * * * /snortattack/snort-update.sh
*/30 * * * * freshclam
*/30 * * * * /snortattack/pmgraph-0.2/pmgraph.pl ..usage/ ..perform.txt
If you don't execute visual-install.sh, remove the last entry from the crontab:
# crontab -e
17. To tune your IPS, use tuning-ips.sh
# sh tuning-ips.sh
Loads the ip_conntrack module (modprobe) and sets some useful parameters.
Look at the script for other info.
If you want to enable tuning at boot, set TUNING="y" in install.conf
Possible errors:
Sorry, you are not root.
$ su root
$ (enter the password)
Sorry, List unavailable.
Verify your connection and try again.
$ wget http://www.snortattack.org/files/apt.txt
Send an email to
admin@snortattack.org
if the problem persists.
Sorry, mirror.sh not found.
Verify the correct path of mirror.sh, or get it and try again.
$ wget http://www.snortattack.org/files/mirror.sh
Send an email to
admin@snortattack.org
if the problem persists.
If there is some error with the installation, send an email to the mailing list.