ids:snort [2018/05/03 08:53]
veera created
ids:snort [2018/05/03 09:12] (current)
veera [Start snort and view analytics in TrisulNSM]
Line 8: Line 8:
   - Configure Oinkmaster for automatic updates   - Configure Oinkmaster for automatic updates
   - Start snort and view analytics in TrisulNSM   - Start snort and view analytics in TrisulNSM
 +
 +
 +===== Install snort =====
 +
 +Snort has a package for Ubuntu. ​ This installs all components required. ​
 +
 +<code bash>
 +apt-get update
 +apt-get install snort
 +</​code>​
 +
 +Also install oinkmaster , which also has an Ubuntu package
 +
 +<code bash>
 +apt-get install oinkmaster
 +</​code>​
 +
 +
 +===== Replace with Emerging Threats rules =====
 +
 +We like the ET and ET Pro rulesets for a number of reasons. If you wish to remain with the Snort community rules or move to the excellent Talos ruleset, you can skip this step.
 +
 +==== Download ET Community rules ====
 +
 +
 +<​code>​
 +cd /etc/snort
 +mv rules rules_old
 +wget https://​rules.emergingthreats.net/​open/​snort-2.9.0/​emerging.rules.tar.gz
 +tar xf emerging.rules.tar.gz -C /​etc/​snort ​
 +</​code>​
 +
 +==== Point to the new ET rules ====
 +
 +Open snort.conf and copy the lines from rules/​emerging.conf into snort.conf and comment out the old snort.conf rules.
 +
 +This is a bit of a chore, but you only do this once. 
 +==== Specify a HOMENET ====
 +
 +
 +If you dont do this, you will find out soon enough. Many ET rules wont load
 +
 +Example:
 +
 +<​code>​
 +ipvar HOME_NET 192.168.0.0/​16,​10.0.0.0/​8
 +</​code>​
 +
 +
 +===== Configure Oinkmaster =====
 +
 +Oinkmaster will keep the rules updated.
 +
 +Open /​etc/​oinkmaster.conf ​ and add the ET (or ET-Pro) rule path using the ''​url''​ directive
 +
 +<​code>​
 +
 +# EMERGING THREATS COMMUNITY ​
 +url = https://​rules.emergingthreats.net/​open/​snort-2.9.0/​emerging.rules.tar.gz
 +
 +</​code>​
 +
 +Then you can test it out 
 +
 +<​code>​
 +oinkmaster -C /​etc/​oinkmaster.conf ​ -o /​etc/​snort/​rules
 +</​code>​
 +
 +
 +==== Make oinkmaster refresh at 2AM every night ====
 +
 +The following crontab entry will 
 +  - Run at 2:00 AM every night
 +  - Download latest rules and install them correctly
 +  - Send a SIGUSR1 to snort to reload the new rules 
 +
 +
 +Open ''​crontab -e''​ and add the following line
 +
 +<code cron>
 +
 +0 2 * * *  root ( /​usr/​sbin/​oinkmaster -C /​etc/​oinkmaster.conf -o /​etc/​snort/​rules;​ sleep 5; kill -USR1 `pidof -s snort` )
 +
 +</​code>​
 +
 +
 +That is pretty much it.  ​
 +
 +===== Start snort and view analytics in TrisulNSM =====
 +
 +First stop the old instance of snort
 +
 +<​code>​
 +pkill snort
 +</​code>​
 +
 +
 +Then Login to Trisul as admin/admin ; 
 +  * then go to Admin Tasks -> Start/Stop Tasks
 +  * on the selected network adapters -> More Options -> click on "How to start snort?" ​
 +  * copy paste that into a terminal.
 +
 +
 +You're all done.  ​
 +
 +To view analytics in Trisul you can start with the  **Real Time Alerts dashboard**.
 +
 +
 +
 +
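Review bot: the crontab line under "Make oinkmaster refresh at 2AM every night" is written in /etc/crontab format (six fields, with a `root` user column), but the text just above it says to add it via `crontab -e`, whose per-user format has no user field; installed that way, `root` would be run as the command and the job would fail every night. Either drop the `root` field for `crontab -e`, or tell the reader to place the line in /etc/crontab or a file under /etc/cron.d. Separately, `kill -USR1` does not make snort reload its rules: in Snort 2.9 SIGUSR1 dumps statistics, and a configuration reload is triggered with SIGHUP (`kill -HUP \`pidof -s snort\``), so the list item "Send a SIGUSR1 to snort to reload the new rules" and the cron command should both be corrected. Also, `pidof -s snort` expands to nothing when snort is not running, so guarding the kill (e.g. `pid=$(pidof -s snort) && kill -HUP "$pid"`) avoids a spurious cron error mail on nights when snort is down.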
  
  
ids/snort.1525337633.txt.gz · Last modified: 2018/05/03 08:53 by veera