OpenAppID Install
This short blog post accompanies the below video showing the installation of Snort with OpenAppID onto a completely clean Ubuntu Server running 13.10. Hold on to your hat, it’s a quick video, so fast in fact we thought it wise to also provide this text listing of the commands typed (without the typos you’ll see in the video).
If you’ve not watched the video yet, go watch it now, below for reference.
Step #1, Prep the system.
You’ll need to download the following files from snort.org:
daq-2.0.2.tar.gz
snort-2.9.7.0_alpha.tar.gz
snort-openappid-detectors.2014-02-22.187-0.tgz
snortrules-snapshot-2960.tar.gz
You’ll find the first three files in the downloads section https://www.snort.org/downloads, and the last file in the rules section http://www.snort.org/snort-rules/. The exact rules files available will change over time; just make sure you get one that is compatible with the Snort 2.9.x release you are building. The number in the snapshot name (2960 here) is the Snort version its shared-object rules were compiled against, so the text rules will load on any 2.9.x but the so_rules only match that exact version.
Start with a clean installation of Ubuntu 13.10 Server. The only task selected during installation was the OpenSSH server. The files were downloaded into a directory called build.
mkdir ~/build
cd ~/build
Step #2, Install Snort requirements
The following packages were added to the system via apt.
sudo apt-get install openssl libssl-dev build-essential g++ flex bison zlib1g-dev autoconf libtool libpcap-dev libpcre3-dev libdumbnet-dev
Libdnet-1.11 and LuaJIT were compiled from source so we were running the same versions as those who were developing OpenAppID.
cd ~/build/
wget http://prdownloads.sourceforge.net/libdnet/libdnet-1.11.tar.gz
tar xzvf libdnet-1.11.tar.gz
cd libdnet-1.11/
./configure
make
sudo make install
cd ~/build/
wget http://luajit.org/download/LuaJIT-2.0.2.tar.gz
tar xzvf LuaJIT-2.0.2.tar.gz
cd LuaJIT-2.0.2/
make
sudo make install
cd ~/build/
tar -xzvf daq-2.0.2.tar.gz
cd daq-2.0.2/
./configure
make
sudo make install
sudo ldconfig
The final ldconfig matters: DAQ, libdnet and LuaJIT were all installed under /usr/local/lib, and Snort’s configure step will not find them until the linker cache has been refreshed.
Step #3 Building Snort with OpenAppID support.
cd ~/build/
tar -zxvf snort-2.9.7.0_alpha.tar.gz
cd snort-2.9.7.0.alpha/
./configure --enable-sourcefire --enable-open-appid
make
sudo make install
Step #4 Configure Snort without OpenAppID enabled
sudo mkdir /etc/snort # For configuration
sudo mkdir /var/log/snort # For log data
sudo mkdir /usr/local/lib/snort_dynamicrules # For dynamic rules
sudo mkdir /etc/snort/rules # For normal text rules
sudo touch /etc/snort/white_list.rules # For white lists
sudo touch /etc/snort/black_list.rules # For black lists
A set of configuration files is included in the snort tarball. These can be copied into your /etc/snort/ directory.
cd ~/build/snort-2.9.7.0.alpha/etc/
sudo cp attribute_table.dtd file_magic.conf snort.conf unicode.map classification.config gen-msg.map reference.config threshold.conf /etc/snort/
The last thing to do is to add some of the VRT supplied rules to enable snort to detect ‘bad’ stuff. We’ve untarred into a temp directory called ‘crules’; the name has no meaning.
cd ~/build
mkdir crules
mv snortrules-snapshot-2960.tar.gz crules
cd crules/
tar -zxvf snortrules-snapshot-2960.tar.gz
sudo cp -r preproc_rules /etc/snort
sudo cp -r rules /etc/snort/
sudo cp -r so_rules /etc/snort/
The next step is to configure the snort.conf file. The key changes made to get Snort working were the path variables near the top of the file, which ship as relative ../ paths and must instead point at the directories the rules were just copied into and at the directory holding the white and black lists:
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort
var BLACK_LIST_PATH /etc/snort
The so_rules includes in the stock snort.conf are commented out; leave them that way unless the snapshot’s version matches the Snort you built, since shared-object rules compiled for a different release will not load.
To test Snort’s config the -T option can be used. If Snort has any problems with the configuration, it will let you know.
sudo snort -c /etc/snort/snort.conf -T
Step #5 Enabling OpenAppID in Snort.
First we need to add the OpenAppID detector package, this was one of the files that was downloaded earlier.
cd ~/build
tar -zxvf ./snort-openappid-detectors.2014-02-22.187-0.tgz
sudo mkdir /usr/local/lib/openappid
sudo mv odp/ /usr/local/lib/openappid/
Snort looks for the odp/ directory inside app_detector_dir, which is why odp/ is moved under /usr/local/lib/openappid rather than renamed to it. The appid preprocessor now needs to be enabled in Snort. Add the following line at the end of the preprocessor section of snort.conf:
preprocessor appid : app_stats_filename appstats-unified.log, app_stats_period 60, app_detector_dir /usr/local/lib/openappid
Every 60 seconds (app_stats_period) a summary of the applications seen on the network is written to appstats-unified.log in Snort’s log directory (/var/log/snort here). The file is in unified2 format rather than plain text, so read it with the u2openappid tool shipped under tools/ in the snort tarball rather than with a text editor. Re-run snort -T after this edit; a typo in app_detector_dir or a missing odp/ shows up there, not at packet-processing time.
To start Snort, the following command was used.
sudo snort -c /etc/snort/snort.conf --daq afpacket -i eth0 -k none
Here --daq afpacket selects the AF_PACKET data acquisition module built with DAQ above, -i eth0 is the interface to sniff, and -k none turns off checksum verification so that Snort still inspects packets whose checksums fail (common on a capture host with NIC checksum offload enabled). In future posts we’ll go into some of the other ways you can use Snort with OpenAppID, but this should be enough to get you started. If you have any questions, please send them to the snort-openappid mailing list at snort-openappid@lists.sourceforge.net.
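The snort.conf edits in Steps #4 and #5 are easy to get subtly wrong: a path variable left at the stock ../rules value, or the appid line appended a second time on a second pass, and snort -T will not complain about a rules directory whose includes are commented out. The script below is an added example, not part of the original post and not Snort project code. It applies the five variable changes and the appid preprocessor line idempotently and then checks that every path variable names an existing directory, that the list files exist where the list variables point, and that odp/ sits under app_detector_dir. The /etc/snort and /usr/local/lib/openappid locations are the ones used above and are passed in as arguments so the functions can be pointed at a scratch copy first.

```sh
#!/bin/sh
# Added example (not from the original post): apply and verify the snort.conf
# changes from Steps #4 and #5. Assumed layout, passed in as arguments so it can
# be pointed elsewhere: snort.conf and the white/black lists in /etc/snort,
# rules/ so_rules/ preproc_rules/ copied under /etc/snort, detectors under
# /usr/local/lib/openappid (which must contain the odp/ directory).

# set_var CONF NAME VALUE: rewrite an existing "var NAME ..." line in place, or
# append one if the variable is not defined. Values must not contain '|' or '&'
# (sed delimiter and replacement metacharacter); the paths above do not.
set_var() {
    conf=$1; name=$2; value=$3
    if grep -q "^var $name " "$conf"; then
        sed -i "s|^var $name .*|var $name $value|" "$conf"   # GNU sed, as on Ubuntu
    else
        printf 'var %s %s\n' "$name" "$value" >> "$conf"
    fi
}

# apply_snort_paths CONF SNORT_ETC: the five path variables from Step #4.
apply_snort_paths() {
    conf=$1; etc=$2
    set_var "$conf" RULE_PATH "$etc/rules"
    set_var "$conf" SO_RULE_PATH "$etc/so_rules"
    set_var "$conf" PREPROC_RULE_PATH "$etc/preproc_rules"
    set_var "$conf" WHITE_LIST_PATH "$etc"
    set_var "$conf" BLACK_LIST_PATH "$etc"
}

# enable_appid CONF DETECTOR_DIR: the preprocessor line from Step #5, added only
# if no appid preprocessor is configured yet, so re-running is harmless.
enable_appid() {
    conf=$1; dir=$2
    if ! grep -q '^preprocessor appid' "$conf"; then
        printf 'preprocessor appid : app_stats_filename appstats-unified.log, app_stats_period 60, app_detector_dir %s\n' "$dir" >> "$conf"
    fi
}

# conf_var CONF NAME: print the value of the last "var NAME ..." line (empty if none).
conf_var() {
    sed -n "s/^var $2 \(.*\)$/\1/p" "$1" | tail -n 1
}

# check_layout CONF: every path variable must name an existing directory, the
# list files must exist where the list variables point, and app_detector_dir
# must contain odp/. Prints each problem and returns 1 if any were found.
check_layout() {
    conf=$1; rc=0
    for name in RULE_PATH SO_RULE_PATH PREPROC_RULE_PATH WHITE_LIST_PATH BLACK_LIST_PATH; do
        dir=$(conf_var "$conf" "$name")
        if [ -z "$dir" ]; then
            echo "missing: var $name"; rc=1
        elif [ ! -d "$dir" ]; then
            echo "not a directory: $name=$dir"; rc=1
        fi
    done
    for list in white black; do
        upper=$(echo "$list" | tr 'a-z' 'A-Z')
        dir=$(conf_var "$conf" "${upper}_LIST_PATH")
        [ -n "$dir" ] && [ -f "$dir/${list}_list.rules" ] || { echo "missing list file: $dir/${list}_list.rules"; rc=1; }
    done
    appid_dir=$(sed -n 's/^preprocessor appid .*app_detector_dir \([^ ,]*\).*/\1/p' "$conf" | tail -n 1)
    if [ -z "$appid_dir" ]; then
        echo "missing: preprocessor appid"; rc=1
    elif [ ! -d "$appid_dir/odp" ]; then
        echo "no odp/ under app_detector_dir=$appid_dir"; rc=1
    fi
    return $rc
}

# Typical use on the box from the post, followed by Snort's own config test:
#   apply_snort_paths /etc/snort/snort.conf /etc/snort
#   enable_appid /etc/snort/snort.conf /usr/local/lib/openappid
#   check_layout /etc/snort/snort.conf && sudo snort -c /etc/snort/snort.conf -T
```

Run check_layout before snort -T rather than instead of it: the layout check catches a path that Snort would silently never read because its include is commented out, while -T catches everything Snort actually parses.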
-Leon