ids:snort

ids:snort [2018/05/03 14:23] – created veeraids:snort [2018/05/03 14:42] (current) – [Start snort and view analytics in TrisulNSM] veera
Line 8: Line 8:
   - Configure Oinkmaster for automatic updates   - Configure Oinkmaster for automatic updates
   - Start snort and view analytics in TrisulNSM   - Start snort and view analytics in TrisulNSM
 +
 +
 +===== Install snort =====
 +
 +Snort has a package for Ubuntu.  This installs all components required. 
 +
 +<code bash>
 +apt-get update
 +apt-get install snort
 +</code>
 +
 +Also install oinkmaster , which also has an Ubuntu package
 +
 +<code bash>
 +apt-get install oinkmaster
 +</code>
 +
 +
 +===== Replace with Emerging Threats rules =====
 +
 +We like the ET and ET Pro rulesets for a number of reasons. If you wish to remain with the Snort community rules or move to the excellent Talos ruleset, you can skip this step.
 +
 +==== Download ET Community rules ====
 +
 +
 +<code>
 +cd /etc/snort
 +mv rules rules_old
 +wget https://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz
 +tar xf emerging.rules.tar.gz -C /etc/snort 
 +</code>
 +
 +==== Point to the new ET rules ====
 +
 +Open snort.conf and copy the lines from rules/emerging.conf into snort.conf and comment out the old snort.conf rules.
 +
 +This is a bit of a chore, but you only do this once. 
 +==== Specify a HOMENET ====
 +
 +
 +If you dont do this, you will find out soon enough. Many ET rules wont load
 +
 +Example:
 +
 +<code>
 +ipvar HOME_NET 192.168.0.0/16,10.0.0.0/8
 +</code>
 +
 +
 +===== Configure Oinkmaster =====
 +
 +Oinkmaster will keep the rules updated.
 +
 +Open /etc/oinkmaster.conf  and add the ET (or ET-Pro) rule path using the ''url'' directive
 +
 +<code>
 +
 +# EMERGING THREATS COMMUNITY 
 +url = https://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz
 +
 +</code>
 +
 +Then you can test it out 
 +
 +<code>
 +oinkmaster -C /etc/oinkmaster.conf  -o /etc/snort/rules
 +</code>
 +
 +
 +==== Make oinkmaster refresh at 2AM every night ====
 +
 +The following crontab entry will 
 +  - Run at 2:00 AM every night
 +  - Download latest rules and install them correctly
 +  - Send a SIGUSR1 to snort to reload the new rules 
 +
 +
 +Open ''crontab -e'' and add the following line
 +
 +<code cron>
 +
 +0 2 * * *  root ( /usr/sbin/oinkmaster -C /etc/oinkmaster.conf -o /etc/snort/rules; sleep 5; kill -USR1 `pidof -s snort` )
 +
 +</code>
 +
 +
 +That is pretty much it.  
 +
 +===== Start snort and view analytics in TrisulNSM =====
 +
 +First stop the old instance of snort
 +
 +<code>
 +pkill snort
 +</code>
 +
 +
 +Then Login to Trisul as admin/admin ; 
 +  * then go to Admin Tasks -> Start/Stop Tasks
 +  * on the selected network adapters -> More Options -> click on "How to start snort?" 
 +  * copy paste that into a terminal.
 +
 +
 +You're all done.  
 +
 +To view analytics in Trisul you can start with the  **Real Time Alerts dashboard**.
 +
 +
 +
 +
  
  
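Review bot: the cron line under "Make oinkmaster refresh at 2AM every night" is written in system-crontab format (a user field, `root`, between the schedule and the command), but the text just above it tells the reader to add it with `crontab -e`, where no user field exists; installed that way, `0 2 * * *  root ( /usr/sbin/oinkmaster -C /etc/oinkmaster.conf -o /etc/snort/rules; sleep 5; kill -USR1 \`pidof -s snort\` )` would try to run a command named `root`. Either drop the `root` field for a per-user crontab, or tell the reader to place the line in /etc/cron.d/ or /etc/crontab. Second, the list item "Send a SIGUSR1 to snort to reload the new rules" does not match Snort's documented signal handling: in Snort 2.x, SIGUSR1 makes snort print its statistics, while SIGHUP is the signal that restarts snort and re-reads the configuration, so `kill -USR1` should be `kill -HUP`; the subshell should also skip the `kill` when `pidof -s snort` returns nothing (snort not running), otherwise `kill` is invoked with an empty argument and the cron job ends with an error. Smaller points: the heading "Specify a HOMENET" does not match the variable name `HOME_NET` used in the example below it; "If you dont do this, you will find out soon enough. Many ET rules wont load" needs apostrophes and a terminating period; the ET download step fetches the tarball over HTTPS but never checks what was retrieved before extracting it into /etc/snort, so a one-line sanity check (for instance listing the archive contents, or confirming the expected `rules/` directory appeared) would be worth adding; and the step "Login to Trisul as admin/admin" should say these are the default credentials and that they should be changed after first login.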
ids/snort.1525337633.txt.gz · Last modified: 2018/05/03 14:23 by veera