Ubuntu 14.

04 64 bit

sudo apt-get update

sudo apt-get install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev
bison flex zlib1g-dev liblzma-dev openssl libssl-dev

mkdir ~/snort_src
cd ~/snort_src

# Ubuntu 14 only (not Ubuntu 16)

sudo apt-get install -y autoconf libtool pkg-config
cd ~/snort_src
wget https://github.com/nghttp2/nghttp2/releases/download/v1.17.0/nghttp2-
1.17.0.tar.gz
tar -xzvf nghttp2-1.17.0.tar.gz
cd nghttp2-1.17.0
autoreconf -i --force
automake
autoconf
./configure --enable-lib-only
make
sudo make install

#
mkdir ~/snort_src
cd ~/snort_src
wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
tar -xvzf daq-2.0.6.tar.gz
cd daq-2.0.6
./configure
make
sudo make install

cd ~/snort_src
wget https://distfiles.macports.org/snort/snort-2.9.8.0.tar.gz
tar -xvzf snort-2.9.8.0.tar.gz
cd snort-2.9.8.0
./configure --enable-sourcefire
make
sudo make install

sudo ldconfig

sudo ln -s /usr/local/bin/snort /usr/sbin/snort

/usr/sbin/snort -V

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

sudo groupadd snort

sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort

# Create the Snort directories:

sudo mkdir /etc/snort
sudo mkdir /etc/snort/rules
sudo mkdir /etc/snort/rules/iplists
sudo mkdir /etc/snort/preproc_rules
sudo mkdir /usr/local/lib/snort_dynamicrules
sudo mkdir /etc/snort/so_rules
# Create some files that stores rules and ip lists
sudo touch /etc/snort/rules/iplists/black_list.rules
sudo touch /etc/snort/rules/iplists/white_list.rules
sudo touch /etc/snort/rules/local.rules
sudo touch /etc/snort/sid-msg.map

# Create our logging directories:

sudo mkdir /var/log/snort
sudo mkdir /var/log/snort/archived_logs

# Adjust permissions:
sudo chmod -R 5775 /etc/snort
sudo chmod -R 5775 /var/log/snort
sudo chmod -R 5775 /var/log/snort/archived_logs
sudo chmod -R 5775 /etc/snort/so_rules
sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules

# Change Ownership on folders:

sudo chown -R snort:snort /etc/snort
sudo chown -R snort:snort /var/log/snort
sudo chown -R snort:snort /usr/local/lib/snort_dynamicrules

cd ~/snort_src/snort-2.9.8.0/etc/
sudo cp *.conf* /etc/snort
sudo cp *.map /etc/snort
sudo cp *.dtd /etc/snort

cd ~/snort_src/snort-2.9.8.0/src/dynamic-
preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/
sudo cp * /usr/local/lib/snort_dynamicpreprocessor/

sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf

nano /etc/snort/snort.conf

ipvar HOME_NET 10.0.0.0/24 # line 45

var RULE_PATH /etc/snort/rules # line 104
var SO_RULE_PATH /etc/snort/so_rules # line 105
var PREPROC_RULE_PATH /etc/snort/preproc_rules # line 106

var WHITE_LIST_PATH /etc/snort/rules/iplists # line 113

var BLACK_LIST_PATH /etc/snort/rules/iplists # line 114

include $RULE_PATH/local.rules # line 546

sudo snort -T -c /etc/snort/snort.conf -i venet0

nano /etc/snort/rules/local.rules

alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; GID:1; sid:10000001;
rev:001; classtype:icmp-event;)

sudo snort -T -c /etc/snort/snort.conf -i venet0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sudo apt-get install -y mysql-server libmysqlclient-dev mysql-client autoconf
libtool

nano /etc/snort/snort.conf

output unified2: filename snort.u2, limit 128

cd ~/snort_src
wget
https://github.com/firnsy/barnyard2/archive/7254c24702392288fe6be948f88afb74040f6dc
9.tar.gz -O barnyard2-2-1.14-336.tar.gz
tar zxvf barnyard2-2-1.14-336.tar.gz
mv barnyard2-7254c24702392288fe6be948f88afb74040f6dc9 barnyard2-2-1.14-336
cd barnyard2-2-1.14-336
autoreconf -fvi -I ./m4

sudo ln -s /usr/include/dumbnet.h /usr/include/dnet.h

sudo ldconfig

./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu

./configure --with-mysql --with-mysql-libraries=/usr/lib/i386-linux-gnu

make
sudo make install

cd ~/snort_src/barnyard2-2-1.14-336
sudo cp etc/barnyard2.conf /etc/snort

# the /var/log/barnyard2 folder is never used or referenced

# but barnyard2 will error without it existing
sudo mkdir /var/log/barnyard2
sudo chown snort.snort /var/log/barnyard2

sudo touch /var/log/snort/barnyard2.waldo

sudo chown snort.snort /var/log/snort/barnyard2.waldo
sudo touch /etc/snort/sid-msg.map

$ mysql -u root -p
mysql> create database snort;
mysql> use snort;

CREATE TABLE `schema` ( vseq INT UNSIGNED NOT NULL,

ctime DATETIME NOT NULL,
PRIMARY KEY (vseq));
INSERT INTO `schema` (vseq, ctime) VALUES ('107', now());

CREATE TABLE event ( sid INT UNSIGNED NOT NULL,

cid INT UNSIGNED NOT NULL,
signature INT UNSIGNED NOT NULL,
timestamp DATETIME NOT NULL,
PRIMARY KEY (sid,cid),
INDEX sig (signature),
INDEX time (timestamp));

CREATE TABLE signature ( sig_id INT UNSIGNED NOT NULL

AUTO_INCREMENT,
sig_name VARCHAR(255) NOT NULL,
sig_class_id INT UNSIGNED NOT NULL,
sig_priority INT UNSIGNED,
 sig_rev INT UNSIGNED,
sig_sid INT UNSIGNED,
sig_gid INT UNSIGNED,
PRIMARY KEY (sig_id),
INDEX sign_idx (sig_name(20)),
INDEX sig_class_id_idx (sig_class_id));

CREATE TABLE sig_reference (sig_id INT UNSIGNED NOT NULL,

ref_seq INT UNSIGNED NOT NULL,
ref_id INT UNSIGNED NOT NULL,
PRIMARY KEY(sig_id, ref_seq));

CREATE TABLE reference ( ref_id INT UNSIGNED NOT NULL

AUTO_INCREMENT,
ref_system_id INT UNSIGNED NOT NULL,
ref_tag TEXT NOT NULL,
PRIMARY KEY (ref_id));

CREATE TABLE reference_system ( ref_system_id INT UNSIGNED NOT NULL

AUTO_INCREMENT,
ref_system_name VARCHAR(20),
PRIMARY KEY (ref_system_id));

CREATE TABLE sig_class ( sig_class_id INT UNSIGNED NOT NULL

AUTO_INCREMENT,
sig_class_name VARCHAR(60) NOT NULL,
PRIMARY KEY (sig_class_id),
INDEX (sig_class_id),
INDEX (sig_class_name));

# store info about the sensor supplying data

CREATE TABLE sensor ( sid INT UNSIGNED NOT NULL AUTO_INCREMENT,
hostname TEXT,
interface TEXT,
filter TEXT,
detail TINYINT,
encoding TINYINT,
last_cid INT UNSIGNED NOT NULL,
PRIMARY KEY (sid));

# All of the fields of an ip header

CREATE TABLE iphdr ( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
ip_src INT UNSIGNED NOT NULL,
ip_dst INT UNSIGNED NOT NULL,
ip_ver TINYINT UNSIGNED,
ip_hlen TINYINT UNSIGNED,
ip_tos TINYINT UNSIGNED,
ip_len SMALLINT UNSIGNED,
ip_id SMALLINT UNSIGNED,
ip_flags TINYINT UNSIGNED,
ip_off SMALLINT UNSIGNED,
ip_ttl TINYINT UNSIGNED,
ip_proto TINYINT UNSIGNED NOT NULL,
ip_csum SMALLINT UNSIGNED,
PRIMARY KEY (sid,cid),
INDEX ip_src (ip_src),
INDEX ip_dst (ip_dst));
# All of the fields of a tcp header
CREATE TABLE tcphdr( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
tcp_sport SMALLINT UNSIGNED NOT NULL,
tcp_dport SMALLINT UNSIGNED NOT NULL,
tcp_seq INT UNSIGNED,
tcp_ack INT UNSIGNED,
tcp_off TINYINT UNSIGNED,
tcp_res TINYINT UNSIGNED,
tcp_flags TINYINT UNSIGNED NOT NULL,
tcp_win SMALLINT UNSIGNED,
tcp_csum SMALLINT UNSIGNED,
tcp_urp SMALLINT UNSIGNED,
PRIMARY KEY (sid,cid),
INDEX tcp_sport (tcp_sport),
INDEX tcp_dport (tcp_dport),
INDEX tcp_flags (tcp_flags));

# All of the fields of a udp header

CREATE TABLE udphdr( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
udp_sport SMALLINT UNSIGNED NOT NULL,
udp_dport SMALLINT UNSIGNED NOT NULL,
udp_len SMALLINT UNSIGNED,
udp_csum SMALLINT UNSIGNED,
PRIMARY KEY (sid,cid),
INDEX udp_sport (udp_sport),
INDEX udp_dport (udp_dport));

# All of the fields of an icmp header

CREATE TABLE icmphdr( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
icmp_type TINYINT UNSIGNED NOT NULL,
icmp_code TINYINT UNSIGNED NOT NULL,
icmp_csum SMALLINT UNSIGNED,
icmp_id SMALLINT UNSIGNED,
icmp_seq SMALLINT UNSIGNED,
PRIMARY KEY (sid,cid),
INDEX icmp_type (icmp_type));

# Protocol options
CREATE TABLE opt ( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
optid INT UNSIGNED NOT NULL,
opt_proto TINYINT UNSIGNED NOT NULL,
opt_code TINYINT UNSIGNED NOT NULL,
opt_len SMALLINT,
opt_data TEXT,
PRIMARY KEY (sid,cid,optid));

# Packet payload
CREATE TABLE data ( sid INT UNSIGNED NOT NULL,
cid INT UNSIGNED NOT NULL,
data_payload TEXT,
PRIMARY KEY (sid,cid));

# encoding is a lookup table for storing encoding types

CREATE TABLE encoding(encoding_type TINYINT UNSIGNED NOT NULL,
encoding_text TEXT NOT NULL,
 PRIMARY KEY (encoding_type));
INSERT INTO encoding (encoding_type, encoding_text) VALUES (0, 'hex');
INSERT INTO encoding (encoding_type, encoding_text) VALUES (1, 'base64');
INSERT INTO encoding (encoding_type, encoding_text) VALUES (2, 'ascii');

# detail is a lookup table for storing different detail levels

CREATE TABLE detail (detail_type TINYINT UNSIGNED NOT NULL,
detail_text TEXT NOT NULL,
PRIMARY KEY (detail_type));
INSERT INTO detail (detail_type, detail_text) VALUES (0, 'fast');
INSERT INTO detail (detail_type, detail_text) VALUES (1, 'full');

mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY 'MYSQLSNORTPASSWORD';

mysql> grant create, insert, select, delete, update on snort.* to
'snort'@'localhost';
mysql> exit

output database: log, mysql, user=snort password=MYSQLSNORTPASSWORD dbname=snort

host=localhost

sudo chmod o-r /etc/snort/barnyard2.conf

sudo /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i venet0

-D

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w

/var/log/snort/barnyard2.waldo -g snort -u snort

ps aux | grep snort

sudo kill 1296

sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl

cd ~/snort_src
wget
https://github.com/finchy/pulledpork/archive/66241690356d54faa509625a78f80f326b75c3
39.tar.gz -O pulledpork-0.7.2-194.tar.gz
tar xvfvz pulledpork-0.7.2-194.tar.gz
mv pulledpork-66241690356d54faa509625a78f80f326b75c339 pulledpork-0.7.2-194

cd pulledpork-0.7.2-194/
sudo cp pulledpork.pl /usr/local/bin
sudo chmod +x /usr/local/bin/pulledpork.pl
sudo cp etc/*.conf /etc/snort

sudo vi /etc/snort/pulledpork.conf

Line 19 & 26: enter your oinkcode where appropriate (or comment out if no
oinkcode)
Line 29: Un-comment for Emerging threats ruleset (not tested with this guide)
Line 74: change to: rule_path=/etc/snort/rules/snort.rules
Line 89: change to: local_rules=/etc/snort/rules/local.rules
Line 92: change to: sid_msg=/etc/snort/sid-msg.map
Line 96: change to: sid_msg_version=2

Line 119: change to: config_path=/etc/snort/snort.conf

Line 133: change to: distro=Ubuntu-12-04

Line 141: change to: black_list=/etc/snort/rules/iplists/black_list.rules

Line 150: change to: IPRVersion=/etc/snort/rules/iplists

sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l

sudo vi /etc/snort/snort.conf

sudo sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf

sudo snort -T -c /etc/snort/snort.conf -i venet0

sudo /usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D

sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w
/var/log/snort/barnyard2.waldo -g snort -u snort -D

mysql -u snort -p -D snort -e "select count(*) from event"

MYSQLSNORTPASSWORD

sudo crontab -e

01 04 * * * /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l

ps aux | grep snort

sudo kill 1296

sudo apt-get install -y imagemagick apache2 libyaml-dev libxml2-dev libxslt-dev git

ruby1.9.3

echo "gem: --no-rdoc --no-ri" > ~/.gemrc

sudo sh -c "echo gem: --no-rdoc --no-ri > /etc/gemrc"

# These gems will also install other required gems

sudo gem install wkhtmltopdf
sudo gem install bundler -v 1.0.10
sudo gem install rails -v 3.0
sudo gem install rake --version=0.9.2

cd ~/snort_src/
wget https://github.com/Snorby/snorby/archive/v2.6.2.tar.gz -O snorby-2.6.2.tar.gz
tar xzvf snorby-2.6.2.tar.gz
sudo cp -r ./snorby-2.6.2/ /var/www/html/snorby/
cd /var/www/html/snorby
sudo bundle install

sudo cp /var/www/html/snorby/config/database.yml.example
/var/www/html/snorby/config/database.yml
sudo vi /var/www/html/snorby/config/database.yml

MySqlROOTpassword

sudo cp /var/www/html/snorby/config/snorby_config.yml.example
/var/www/html/snorby/config/snorby_config.yml
sudo sed -i s/"\/usr\/local\/bin\/wkhtmltopdf"/"\/usr\/bin\/wkhtmltopdf"/g
/var/www/html/snorby/config/snorby_config.yml

cd /var/www/html/snorby
sudo bundle exec rake snorby:setup

$ mysql -u root -p
myslq> create user 'snorby'@'localhost' IDENTIFIED BY 'PASSWORD123';
myslq> grant all privileges on snorby.* to 'snorby'@'localhost' with grant option;
myslq> flush privileges;
myslq> exit

sudo vi /var/www/html/snorby/config/database.yml

cd /var/www/html/snorby/
sudo bundle exec rails server -e production