Wednesday, April 26, 2017

Snorter -- an automatic Snort, Barnyard2, and PulledPork installation script.

Snorter

We all know that installing the latest versions of Snort, Barnyard2 and PulledPork can be pretty tedious, especially if you have to install Snort on lots of different machines.

Cloning hard disks is the easy way to do it if all the machines on which we are going to install this IDS are the same, but what happens if you are using different machines and you want to install Snort on all of them? It doesn't matter whether you install Snort for PCAP analysis or for use as an IDPS: it's hard work!

I made a guide some time ago where I explain, step by step, how to install and configure Snort on a Debian-based machine, but it was always the same: too long for the short time I have, chiefly when I wanted to do a fast PCAP analysis to rule out malware infections or other network traces, for example. This is why I decided to convert my PDF guide into a bash script, which installs all dependencies and also creates a MySQL database for the alerts.

This is how Snorter was born.

The only things you need are an Oinkcode, available for free on the snort.org webpage and needed to automatically update the Snort rules, and the network interface that is going to be used (eth0, wlan0, etc.).

To install, you only need to clone the repository and run the script with your Oinkcode and the capture interface:
git clone https://github.com/joanbono/Snorter
cd Snorter/src
bash Snorter.sh -o <OINKCODE> -i <INTERFACE>

The script runs mostly unattended; the only interaction needed during installation is specifying $HOME_NET and $EXTERNAL_NET, but do not worry, this is fully documented in the Manual.
Also, I have added a Dockerfile for testing, with the possibility of using websnort, a web interface which allows the analyst to upload a PCAP file and then see the alerts graphically, and it adds an API option to Snorter for submitting PCAPs using curl.
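Because the install runs unattended for a long time, it is worth validating the inputs the post says Snorter needs (the Oinkcode, the capture interface, and the $HOME_NET/$EXTERNAL_NET definitions) before starting it. The bash functions below are an added example, not part of Snorter; they assume an Oinkcode is a 40-character hex string, that interfaces are listed under /sys/class/net, and that the net variables are emitted as Snort ipvar lines.

```bash
#!/usr/bin/env bash
# Pre-flight checks for an unattended Snorter run (added example, not Snorter code).
# Assumption: an Oinkcode is a 40-character hexadecimal string.

# Returns 0 when the Oinkcode is well-formed, 1 otherwise.
valid_oinkcode() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Returns 0 when $1 is a network interface known to the kernel.
# Assumption: interfaces appear as directories under $2 (default /sys/class/net).
iface_exists() {
    [ -d "${2:-/sys/class/net}/$1" ]
}

# Validates a dotted-quad IPv4 CIDR such as 192.168.1.0/24; returns 0 when valid.
valid_cidr() {
    local ip="${1%/*}" prefix="${1#*/}" octet
    [ "$ip" != "$1" ] || return 1                     # no slash at all
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac   # prefix must be numeric
    [ "$prefix" -le 32 ] || return 1
    local IFS=.
    set -- $ip                                        # split the address into octets
    [ $# -eq 4 ] || return 1
    for octet; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Prints the two snort.conf lines Snorter otherwise asks for interactively,
# treating everything outside HOME_NET as external.
render_netvars() {
    valid_cidr "$1" || return 1
    printf 'ipvar HOME_NET %s\nipvar EXTERNAL_NET !$HOME_NET\n' "$1"
}

# Example usage with constructed values: exit early on the first bad input.
preflight() {
    valid_oinkcode "$1" || { echo "bad oinkcode" >&2; return 1; }
    iface_exists "$2"   || { echo "no such interface: $2" >&2; return 1; }
    render_netvars "$3"
}
```

Run `preflight <OINKCODE> eth0 192.168.1.0/24` and redirect the output into the HOME_NET/EXTERNAL_NET section of snort.conf, or use it to fail fast before invoking Snorter.sh.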

I started this tool with the purpose of making my life easier, but the program has evolved, and now it’s time to share it.

The next step is to port it to Red Hat/CentOS, any help is welcome!

Feel free to open issues, improve the script and add more options, but, above all, enjoy the free time you will have from now on.

This was a guest post by --
Joan Bono
IT Security Analyst at Ackcent