Connecting Snort to Trisul Network Analytics

A step-by-step guide for Ubuntu 16.04 which explains how to:

  1. Install Snort
  2. Replace with Emerging Threats rules
  3. Configure Oinkmaster for automatic updates
  4. Start snort and view analytics in TrisulNSM

Install snort

Snort has a package for Ubuntu. This installs all components required.

apt-get update
apt-get install snort

Also install oinkmaster, which likewise has an Ubuntu package:

apt-get install oinkmaster

Replace with Emerging Threats rules

We like the ET and ET Pro rulesets for a number of reasons. If you wish to remain with the Snort community rules or move to the excellent Talos ruleset, you can skip this step.

Download ET Community rules

cd /etc/snort
mv rules rules_old
wget https://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz
tar xf emerging.rules.tar.gz -C /etc/snort 

Point to the new ET rules

Open /etc/snort/snort.conf, copy the include lines from rules/emerging.conf into it, and comment out the old include $RULE_PATH/... lines that point at the Snort community rules.

This is a bit of a chore, but you only do it once.
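The following shell script is an added example, not part of the original page, that does this chore for you: it backs up snort.conf, comments out every active include $RULE_PATH/... line and appends the include lines found in the ET tarball's rules/emerging.conf. The two file paths are passed on the command line; the defaults mentioned in the comments assume the Ubuntu layout (/etc/snort/snort.conf and /etc/snort/rules/emerging.conf) and GNU sed.

```shell
#!/bin/sh
# Added example (not from the Trisul page): replace the rule includes in
# snort.conf with the ones listed in the ET tarball's rules/emerging.conf.
# Usage: sh swap_rules.sh /etc/snort/snort.conf /etc/snort/rules/emerging.conf
set -eu

# Comment out every active "include $RULE_PATH/..." line in the snort.conf
# given as $1 and append the include lines from the ET conf given as $2.
# A copy of the untouched file is kept as <snort.conf>.orig.
swap_rule_includes() {
    conf=$1
    et_conf=$2
    # Refuse to run if the ET conf has no include lines at all (wrong file?).
    grep -qE '^[[:space:]]*include[[:space:]]+\$RULE_PATH/' "$et_conf" || {
        echo "no 'include \$RULE_PATH/...' lines found in $et_conf" >&2
        return 1
    }
    cp -p "$conf" "$conf.orig"
    # Only real rule-file includes are disabled; includes of
    # classification.config, reference.config and comments are left alone.
    sed -E -i 's|^[[:space:]]*(include[[:space:]]+\$RULE_PATH/.*)|# \1|' "$conf"
    {
        printf '\n# Emerging Threats rules (copied from %s)\n' "$et_conf"
        grep -E '^[[:space:]]*include[[:space:]]+\$RULE_PATH/' "$et_conf"
    } >> "$conf"
}

# Number of rule-file includes that are still active in $1 (used as a check).
active_rule_includes() {
    grep -cE '^[[:space:]]*include[[:space:]]+\$RULE_PATH/' "$1" || true
}

if [ $# -eq 2 ]; then
    swap_rule_includes "$1" "$2"
    echo "$(active_rule_includes "$1") rule-file includes now active in $1"
fi
```

Before starting anything, confirm the rewritten configuration still parses with snort -T -c /etc/snort/snort.conf; a missing rules file or an unset HOME_NET shows up there rather than when snort is already supposed to be watching traffic.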

Specify a HOME_NET

If you don't set this, you will find out soon enough: many ET rules won't load without it.

Example:

ipvar HOME_NET 192.168.0.0/16,10.0.0.0/8

Configure Oinkmaster

Oinkmaster will keep the rules updated.

Open /etc/oinkmaster.conf and add the ET (or ET-Pro) rule path using the url directive

# EMERGING THREATS COMMUNITY 
url = https://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz

Then test it out by running an update by hand:

oinkmaster -C /etc/oinkmaster.conf  -o /etc/snort/rules

Make oinkmaster refresh at 2AM every night

The following cron entry will:

  1. Run at 2:00 AM every night
  2. Download the latest rules and install them into /etc/snort/rules
  3. Send a SIGHUP to snort so that it re-reads its configuration and picks up the new rules (SIGUSR1, which is sometimes suggested for this, only makes snort dump its statistics)

Put the following line in a system crontab file such as /etc/cron.d/oinkmaster (the root column is the user field of the system crontab format; if you add it with crontab -e as root instead, drop that column):

0 2 * * *  root ( /usr/sbin/oinkmaster -C /etc/oinkmaster.conf -o /etc/snort/rules; sleep 5; kill -HUP `pidof -s snort` )
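A more careful replacement for that one-line cron entry, added here as an example that is not part of the original page or of Trisul: a wrapper script that runs oinkmaster, hashes the rules directory before and after so an unchanged ruleset does not trigger a reload, checks that snort still accepts the configuration with snort -T, and only then sends SIGHUP to the running snort. The script path /usr/local/sbin/update-et-rules.sh and the "run" argument are assumptions; the default paths are the Ubuntu ones used on this page.

```shell
#!/bin/sh
# Added example (not the Trisul page's own script): cron wrapper that
# updates the ET rules with oinkmaster and only asks the running snort to
# reload when the rules actually changed and still parse.
# Install as /usr/local/sbin/update-et-rules.sh (name is an assumption)
# and call it from cron with the argument "run".
set -eu

OINK_CONF=${OINK_CONF:-/etc/oinkmaster.conf}
RULES_DIR=${RULES_DIR:-/etc/snort/rules}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}

# One SHA-256 over every *.rules file under $1 (sorted, so the result is
# stable), so an update that changed nothing is told apart from one that did.
rules_fingerprint() {
    find "$1" -type f -name '*.rules' | LC_ALL=C sort | while read -r f; do
        cat "$f"
    done | sha256sum | cut -d' ' -f1
}

# Exit 0 if snort accepts the configuration in $1 (-T = test mode, no sniffing).
config_parses() {
    snort -T -q -c "$1" >/dev/null 2>&1
}

update_and_reload() {
    before=$(rules_fingerprint "$RULES_DIR")
    oinkmaster -C "$OINK_CONF" -o "$RULES_DIR"
    after=$(rules_fingerprint "$RULES_DIR")
    if [ "$before" = "$after" ]; then
        echo "rules unchanged, nothing to reload"
        return 0
    fi
    # Never hand a broken ruleset to the running sensor.
    if ! config_parses "$SNORT_CONF"; then
        echo "updated rules do not pass 'snort -T'; leaving the running snort alone" >&2
        return 1
    fi
    pid=$(pidof -s snort) || { echo "snort is not running, nothing to signal" >&2; return 0; }
    # SIGHUP makes snort re-read its configuration; SIGUSR1 only dumps statistics.
    kill -HUP "$pid"
    echo "sent SIGHUP to snort pid $pid"
}

if [ "${1:-}" = "run" ]; then
    update_and_reload
fi
```

Point the cron entry at it instead of the inline command list: 0 2 * * * root /usr/local/sbin/update-et-rules.sh run. Because the script exits non-zero when the new rules fail snort -T, cron's mail (or whatever you use to watch cron jobs) tells you that the sensor is still running on yesterday's rules.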

That is pretty much it.

Start snort and view analytics in TrisulNSM

First stop the instance of snort that the Ubuntu package started at install time:

pkill snort

Then log in to Trisul as admin/admin (change that default password if you have not done so already) and:

  • go to Admin Tasks → Start/Stop Tasks
  • on the selected network adapters, open More Options → click on “How to start snort?”
  • copy and paste the command shown there into a terminal.

You're all done.

To view analytics in Trisul you can start with the Real Time Alerts dashboard.

ids/snort.txt · Last modified: 2018/05/03 14:42 by veera