
Tuesday, June 15, 2010

Installing Snort and Barnyard2 in Ubuntu 9.10: Part 2

This is a follow-up to Installing Snort and Barnyard2 in Ubuntu 9.10: Part 1. In this part we'll look at how snort is started by init.d, and we'll set up a simple upstart config to start barnyard2 when the system boots.

Starting Snort

By default, snort is set to start as a daemon via init.d, so we'll leave that be. But Ubuntu is moving to Upstart as a replacement for init.d, so we'll try to get that working for barnyard rather than use init.d. Fortunately, upstart was designed with compatibility in mind. The first thing we'll do is check out the init.d file for snort (which was installed along with the snort package). To see if snort is already running, use the ps command; if it's running you'll see something like this:

$ ps -A | grep snort
1569 ?        00:00:01 snort 

If it's not running, try starting it manually:

$ sudo /etc/init.d/snort start
* Starting Network Intrusion Detection System snort                    [ OK ]

If this is the first time you've fired up snort via init.d, you'll likely get this back:

$ sudo /etc/init.d/snort start
[sudo] password for hays: 
* Starting Network Intrusion Detection System  snort
* /etc/snort/db-pending-config file found
* Snort will not start as its database is not yet configured.
* Please configure the database as described in
* /usr/share/doc/snort-{pgsql,mysql}/README-database.Debian
* and remove /etc/snort/db-pending-config

Ok, that error is caused by a leftover from our install. Move the file out of the way (it's best not to delete a file if you can just mv it; that way you can undo the damage if you mess up) and try starting snort again:

sudo mv /etc/snort/db-pending-config /etc/snort/db-pending-config.orig
sudo /etc/init.d/snort start

If you're not familiar with init.d, you can also use "stop" and "restart" instead of "start".

Next, just to make sure everything's working as expected, fire up barnyard and check the base web page:

sudo /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \
-G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map \
-d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo

If the base page is showing alerts, we're good to go.

Now, one issue with the way snort starts in Ubuntu 9.10 via init.d is that the configuration is spread across several files. For example, some settings are stored in /etc/snort/snort.debian.conf:

# This file is used for options that are changed by Debian to leave
# the original lib files untouched.
# You have to use "dpkg-reconfigure snort" to change them.

DEBIAN_SNORT_STARTUP="boot"
DEBIAN_SNORT_HOME_NET="192.168.0.0/16"
DEBIAN_SNORT_OPTIONS=""
DEBIAN_SNORT_INTERFACE="eth1"
DEBIAN_SNORT_SEND_STATS="true"
DEBIAN_SNORT_STATS_RCPT="root"
DEBIAN_SNORT_STATS_THRESHOLD="1"

/etc/default/snort is used to set the user, group, and log file location:

# Parameters for the daemon
# Add any additional parameteres here.
PARAMS="-m 027 -D -d "
#
# Snort user
# This user will be used to launch snort. Notice that the 
# preinst script of the package might do changes to the user 
# (home directory, User Name) when the package is upgraded or
# reinstalled.  So, do *not* change this to 'root' or to any other user 
# unless you are sure there is no problem with those changes being introduced.
# 
SNORTUSER="snort"
#
# Logging directory
# Snort logs will be dropped here and this will be the home
# directory for the SNORTUSER. If you change this value you should
# change the /etc/logrotate.d/snort definition too, otherwise logs
# will not be rotated properly.
#
LOGDIR="/var/log/snort"
#
# Snort group
# This is the group that the snort user will be added to.
#
SNORTGROUP="snort"
# 
# Allow Snort's init.d script to work if the configured interfaces
# are not available. Set this to yes if you configure Snort with
# multiple interfaces but some might not be available on boot
# (e.g. wireless interfaces)
# 
# Note: In order for this to work the 'iproute' package needs to 
# be installed.
ALLOW_UNAVAILABLE="no"

But, aside from the parameters in these files, the rest of the settings in /etc/snort/snort.conf are honored.

Automating the Barnyard startup

Upstart is a replacement for init.d, similar in most respects to Apple's launchd. Since Ubuntu is moving to upstart, we'll use a simple upstart config file to start barnyard2. There is a good article on upstart at linux.com.

Upstart job files live in /etc/init; upstart reads the files in this directory and starts the jobs according to their settings. Let's take a look at a couple of examples.

ufw.conf

# ufw - Uncomplicated Firewall
#
# The Uncomplicated Firewall is a front-end for iptables, to make managing a
# Netfilter firewall easier.

description     "Uncomplicated firewall"

start on net-device-added INTERFACE=lo
stop on runlevel [!023456]

console output

pre-start exec /lib/ufw/ufw-init start quiet
post-stop exec /lib/ufw/ufw-init stop
 

This config controls the ufw front end for iptables. Some things to note:

  • The exec statements execute the command; in this case, when the localhost interface is added, /lib/ufw/ufw-init start quiet starts the firewall.
  • The stop on stanza tells upstart to stop the firewall (via post-stop exec /lib/ufw/ufw-init stop) when the runlevel changes to anything other than 0, 2, 3, 4, 5, or 6.

tty1.conf

# tty1 - getty
#
# This service maintains a getty on tty1 from the point the system is
# started until it is shut down again.

start on stopped rc RUNLEVEL=[2345]
stop on runlevel [!2345]

respawn
exec /sbin/getty -8 38400 tty1

This one uses slightly different settings; note especially the respawn flag, which restarts the getty if it crashes.

For barnyard2, we'll use the same command we use to start the program manually, but put it in a barnyard2.conf file in /etc/init. Here's a version that works for me:

# barnyard2 - spool reader for Snort
#
# This job starts barnyard2 once networking is up and respawns it if it
# exits, so alerts keep flowing from the snort spool to the database.

description     "Barnyard2 for Snort support"
author          "bil b@unc.edu"

start on started networking
#start on startup
#start on (startup
#          and filesystem
#          and started udev)
 
#stop on runlevel [!023456]

respawn

exec /usr/local/bin/barnyard2 \
   -c /etc/snort/barnyard2.conf \
   -G /etc/snort/gen-msg.map \
   -S /etc/snort/sid-msg.map \
   -d /var/log/snort -f snort.log \
   -w /var/log/snort/barnyard.waldo

With that file in place, barnyard2 should start on boot and keep running until shutdown. This is admittedly a very crude upstart configuration, but it seems to work.
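As an added example that is not part of the original post, here is a small POSIX shell lint for an Upstart job file: it joins the backslash-continued exec line, checks for the stanzas discussed above (start on, stop on, respawn) and flags that the job above runs barnyard2 as root, whereas the init.d script drops snort to the snort user. The hardened sample uses barnyard2's own -u/-g options and assumes the snort user can read /var/log/snort and write the waldo file.

```shell
#!/bin/sh
# Constructed example: lint an Upstart job file such as /etc/init/barnyard2.conf.
# Joins backslash-continued lines, drops comments, then reports missing stanzas
# and whether the exec line drops root via barnyard2's -u <user> option.

# Normalise a job file: join "\"-continued lines, strip comments and blank lines.
upstart_stanzas() {
    awk '/\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0; next }
         { line = buf $0; buf = ""; sub(/^[ \t]+/, "", line)
           if (line != "" && line !~ /^#/) print line }' "$1"
}

# Print one WARN line per finding (prints nothing when the job looks complete).
lint_upstart_job() {
    s=$(upstart_stanzas "$1")
    echo "$s" | grep -q '^start on ' || echo "WARN: no 'start on' stanza, job never starts by itself"
    echo "$s" | grep -q '^stop on '  || echo "WARN: no 'stop on' stanza, job ignores runlevel changes"
    echo "$s" | grep -q '^respawn$'  || echo "WARN: no 'respawn', a crash leaves the job down"
    e=$(echo "$s" | grep '^exec ' | head -n 1)
    if [ -z "$e" ]; then
        echo "WARN: no exec stanza"
    elif ! echo "$e" | grep -q -- ' -u '; then
        echo "WARN: exec keeps root privileges, no -u <user> given"
    fi
}

# Constructed sample: the job from the post (runs as root, 'stop on' commented out).
SAMPLE=${TMPDIR:-/tmp}/barnyard2.conf.sample
cat > "$SAMPLE" <<'EOF'
description "Barnyard2 for Snort support"
start on started networking
#stop on runlevel [!023456]
respawn
exec /usr/local/bin/barnyard2 \
   -c /etc/snort/barnyard2.conf -w /var/log/snort/barnyard.waldo
EOF

# Constructed hardened sample: drops to the snort user/group, stops with the runlevel.
HARDENED=${TMPDIR:-/tmp}/barnyard2.conf.hardened
cat > "$HARDENED" <<'EOF'
description "Barnyard2 for Snort support"
start on started networking
stop on runlevel [!2345]
respawn
exec /usr/local/bin/barnyard2 -u snort -g snort \
   -c /etc/snort/barnyard2.conf -w /var/log/snort/barnyard.waldo
EOF

lint_upstart_job "$SAMPLE"      # two WARN lines: no 'stop on', no -u
lint_upstart_job "$HARDENED"    # prints nothing
```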

After restarting, check your base page to make sure you're getting alerts. You can also use the ps and kill commands to check that upstart really respawns barnyard2: if you kill the process, upstart should restart it for you with a new PID:

$ ps -A | grep barnyard2
 1198 ?        00:00:00 barnyard2
$ sudo kill -9 1198
[sudo] password for hays: 
$ ps -A | grep barnyard2
 2078 ?        00:00:00 barnyard2 

Finally, you can stop and start barnyard2 manually using the start and stop commands, e.g.:

sudo stop barnyard2

Ok, we're done, time for a refreshing beverage.

Posted by bil at 11:10 AM
Categories: My Software, Other Software
Comment by Nathan Beam - Tuesday 18th October 2011 04:41:21 PM

I had a hard time finding this second tutorial but boy am I glad that I did. The more of your stuff that I go through the more accustomed I am getting to Linux, snort, and all of the surrounding programs.

Anyhow, learning about init and init.d was extremely useful. Upstart seems VERY easy to use compared to the scripts I looked at in the init folder.

I was wondering if you were going to do a third part talking about how to download new definitions for snort and how to install them?

These two tutorials have been an absolute lifesaver and I really can't thank you enough!

Cheers,

Nathan
Comment by bil - Wednesday 19th October 2011 09:49:00 AM

Nathan,
Thanks for the compliment! I don't know when I'll have time to get back to this, but what you're looking for is oinkmaster:
http://oinkmaster.sourceforge.net/

You might also check out easyids, it's a pretty nice prepackaged snort box running under CentOS.
bil