Install Snort + Barnyard2 + PulledPork automatically
- A computer running Debian, Kali Linux or Raspbian Jessie.
- An Oinkcode: it's FREE! 😉 Highly recommended! Get yours here.
- The name of the network interface Snort will listen on: `ip link show`
- Git, to clone the repository: `sudo apt-get install git`
- Patience.
- Clone the repository and look at the options:
  `git clone https://github.com/joanbono/Snorter.git`
  `cd Snorter/src`
  `bash Snorter.sh -h`
- Recommended: run the script with an Oinkcode:
  `bash Snorter.sh -o <oinkcode> -i <interface>`
  Ex: `bash Snorter.sh -o XXXXXXXXXXXXX -i eth0`
- Not recommended: run the script without an Oinkcode (only the free Community rules will be available to PulledPork):
  `bash Snorter.sh -i <interface>`
  Ex: `bash Snorter.sh -i eth0`
- Enter the superuser password, and wait...
- Snort and DAQ are installed.
- Now it's time to set `HOME_NET` and `EXTERNAL_NET`.
- Press Enter to continue. It will open `vim` on the `HOME_NET` line:
  - Press `A` to go to the end of the line.
  - Add the address and mask of the network you want to protect, in CIDR notation (e.g. `192.168.1.0/24`).
  - Press `Esc` and then `:wq!` to save the changes.
- Do the same for `EXTERNAL_NET`:
  - Press Enter to continue. It will open `vim` on the `EXTERNAL_NET` line.
  - Press `A` to go to the end of the line.
  - Add the attacker address range. Recommended: `!$HOME_NET`, i.e. everything that is not part of `HOME_NET`.
  - Press `Esc` and then `:wq!` to save the changes.
- Now the output. By default, `unified2` output is enabled, but you can enable more than one output. I'm going to enable both CSV and TCPdump output as well. Keep `unified2` enabled if you plan to install Barnyard2 later: it is the format Barnyard2 reads.
- Now Snort will start in console mode. Send a PING from another machine. Use a host whose address falls under `EXTERNAL_NET`: with `EXTERNAL_NET` set to `!$HOME_NET`, a rule written as `$EXTERNAL_NET -> $HOME_NET` will not fire for a ping sent from inside `HOME_NET`.
- It will show a PING alert. Press `Ctrl+C` once, and continue the installation.
- Now it's time to install Barnyard2, if you want.
- You will be asked for a password for the Snort database that is going to be created. In the example, I've used `SNORTSQL`.
- Now the program will install the dependencies.
- It's going to install MySQL, so if it's not already installed you will be asked to set a password for this service too. In the example, I've used `ROOTSQL`.
- Then enter the MySQL password.
- You will be asked for the MySQL password 3 times. Please keep in mind: this is the MySQL `root` password (`ROOTSQL` in the example), not the Snort database password.
- The example passwords are placeholders only; use strong, unique passwords on a real sensor.
- Now it's time to install PulledPork, if you want.
- Create a system service for Snort.
- You can download the rules once everything is installed and configured.
- Enable the Emerging Threats and Community rules in `snort.conf`.
- Install WebSnort for PCAP analysis.
- Reboot the system.
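The "system service" step above is shown in the original only as a prompt. As an added example (not Snorter's own code), here is one way to write and enable a `systemd` unit for Snort by hand, for sensors where the script's service was skipped or needs to be rebuilt. It assumes hypothetical paths (binary `/usr/local/bin/snort`, config `/etc/snort/snort.conf`, log directory `/var/log/snort`, all overridable through the environment) and that a `snort` user and group exist and own the log directory.

```shell
#!/usr/bin/env sh
# Added example, not Snorter's own code: write a systemd unit that runs Snort
# in the foreground as the unprivileged "snort" user, after testing the config.
# Assumed (hypothetical) paths: binary /usr/local/bin/snort, config
# /etc/snort/snort.conf, log dir /var/log/snort; override via the environment.
set -u

SNORT_BIN=${SNORT_BIN:-/usr/local/bin/snort}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
SNORT_LOG=${SNORT_LOG:-/var/log/snort}

# snort_unit IFACE: print the unit text. No -D (daemonize): systemd supervises
# the foreground process, restarts it if it dies and keeps stderr in the
# journal. -u/-g drop to the snort user/group once the interface is open;
# -q hides the banner so only alerts and errors are logged.
snort_unit() {
    iface=$1
    printf '%s\n' \
        '[Unit]' \
        'Description=Snort NIDS' \
        'After=network.target' \
        '' \
        '[Service]' \
        'Type=simple' \
        "ExecStart=$SNORT_BIN -q -u snort -g snort -c $SNORT_CONF -i $iface -l $SNORT_LOG" \
        'Restart=on-failure' \
        'RestartSec=5' \
        '' \
        '[Install]' \
        'WantedBy=multi-user.target'
}

# install_snort_service IFACE [UNITDIR]: refuse to install a unit for a config
# that does not pass "snort -T" (parse and validate the config, then exit).
install_snort_service() {
    iface=$1
    unitdir=${2:-/etc/systemd/system}
    "$SNORT_BIN" -T -q -c "$SNORT_CONF" -i "$iface" || {
        echo "snort -T failed; fix $SNORT_CONF before enabling the service" >&2
        return 1
    }
    snort_unit "$iface" > "$unitdir/snort.service" || return 1
    systemctl daemon-reload && systemctl enable --now snort.service
}

# Usage: sudo sh snort-service.sh eth0
if [ -n "${1:-}" ]; then install_snort_service "$1"; fi
```

Once the unit is active, rule updates from PulledPork (`pulledpork.pl -c /etc/snort/pulledpork.conf -l`, typically from cron) take effect after `systemctl restart snort`, and `journalctl -u snort` shows why Snort refused to start if a downloaded rule does not parse.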