How to Set Up an Independent IDS/IPS Lab Enviroment (Using Snort, Pytbull, Eclipse and Tomcat)

Part 1 of 5:

Prerequisites To Compiling Snort

Install the required packets using:
1. Sudo apt-get install flex bison build-essential checkinstall
2. Sudo apt-get install libpcap-dev libnet1-dev libpcre3-dev
3. Sudo apt-get install libmysqlclient15-dev libnetfilter-queue-dev iptables-dev

Part 2 of 5:

Install Libdnet

Download libdnet-1.12.tgz. Download from: https://code.google.com/p/libdnet/downloads/detail?name=libdnet-1.12.tgz&can=2&q=. Alternatively, you can search for it online.
Switch to the directory where the file was saved (this should be Downloads):
1. cd Downloads
Untar the file
1. tar xvfz libdnet-1.12.tgz
Change into libdnet-1.12 directory:
1. cd libdnet-1.12
Compile libdnet
1. ./configure "CFLAGS=-fPIC"
2. make
3. sudo checkinstall
  1. Type "y" and Enter when it reads "Should I create a default set of package docs? [y]: "
  2. Then when it reads ">>". Press Enter again
  3. Enter when it reads "Enter a number to change any of them or press ENTER to continue"
  4. Type "n" and Enter when it reads "Do you want me to list them? [n] "
  5. Type "y" and Enter when it reads "Should I exclude them from the package? (Saying yes is a good idea) [n]: "
4. Install the package:
5. sudo dpkg -i libdnet_1.12-1_amd64.deb
Create the required symbolic link
1. sudo ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1

Part 3 of 5:

Install DAQ (Data Acquisition Library)

Download daq-2.0.4.tar.gz. Download it from: https://www.snort.org/downloads, or the https://www.snort.org, or search online for it.
Switch to the directory where the file was saved (this should be Downloads):
1. If still inside libdnet-1.12 then type
  1. cd ..
2. If in main directory then type
  1. cd Downloads
Untar the file:
1. tar xvfvz daq-2.0.4.tar.gz
Change into daq-2.0.4 directory:
1. cd daq-2.0.4
Compile daq (Similar to how we compiled libdnet):
1. ./configure
2. make
3. sudo checkinstall
  1. Type "y" and Enter when it reads "Should I create a default set of package docs? [y]: "
  2. Then when it reads ">>". Press Enter again
  3. Enter when it reads "Enter a number to change any of them or press ENTER to continue"
  4. Type "n" and Enter when it reads "Do you want me to list them? [n] "
  5. Type "y" and Enter when it reads "Should I exclude them from the package? (Saying yes is a good idea) [n]: "
Install the package:
1. sudo dpkg -i daq_2.0.4-1_amd64.deb

Part 4 of 5:

Install and Configure Snort

Download snort-2.9.7.0.tar.gz. Download it from https://www.snort.org/downloads or the https://www.snort.org or search for it online.
Switch to the directory where the file was saved (should be Downloads):
1. If still inside libdnet-1.12 or daq.2.0.4, then type
  1. cd ..
2. If in main directory then type
  1. cd Downloads
Untar the file:
1. tar xvfvz snort-2.9.7.0.tar.gz
Change into snort-2.9.7.0 directory:
1. cd snort-2.9.7.0
Compile snort (Similar to how we compiled libdnet and daw):
1. ./configure
2. make
3. sudo checkinstall
  1. Type "y" and Enter when it reads "Should I create a default set of package docs? [y]: "
  2. Then when it reads ">>". Press Enter again
  3. Enter when it reads "Enter a number to change any of them or press ENTER to continue"
  4. Type "n" and Enter when it reads "Do you want me to list them? [n] "
  5. Type "y" and Enter when it reads "Should I exclude them from the package? (Saying yes is a good idea) [n]: "
Install the package:
1. sudo dpkg -i snort_2.9.7.0-1_amd64.deb
Create the required symbolic link:
1. sudo ln -s /usr/local/bin/snort /usr/sbin/snort
2. sudo ldconfig -v
Verify the snort version by typing:
1. snort -V
Make snort an individual user with no login for network security:
1. sudo groupadd snort
2. sudo useradd snort -d /var/log/snort/ -s /sbin/nologin -c SNORT_IDS -g snort
3. sudo mkdir /var/log/snort
4. sudo chown snort:snort /var/log/snort

Part 5 of 5:

Install and Configure Snort Rules

In order to download the default snort rule-set, you will have to create a log in at https://www.snort.org.
Download snortrules-snapshot-2970.tar.gz. Download it from https://www.snort.org/downloads or the https://www.snort.org or search online for it.
Switch to the directory where the file was saved (should be Downloads):
1. If still inside libdnet-1.12 or daq.2.0.4 or snort-2.9.7.0 then type
  1. cd ..
2. If in main directory then type
  1. cd Downloads
Make a new directory for the rules:
1. sudo mkdir /etc/snort
Untar the file
1. sudo tar xvfvz snortrules-snapshot-2970.tar.gz -C /etc/snort/
Configure the rule-set:
1. sudo touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
2. sudo mkdir /usr/local/lib/snort_dynamicrules
3. sudo chown -R snort:snort /etc/snort/*
4. sudo mv /etc/snort/etc/* /etc/snort/
Update snort config file:
1. Use any editor you are familiar with (vim, emac, gedit, pico) and open /etc/snort/snort.conf with sudo permissions. Eg: sudo vi /etc/snort/snort.conf
  1. Change Line 104 from "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules"
  2. Change Line 105 from "var SO_RULE_PATH ../so_rules" to "var SO_RULE_PATH /etc/snort/so_rules"
  3. Change Line 105 from "var PREPROC_RULE_PATH ../preproc_rules" to "var PREPROC_RULE_PATH /etc/snort/preproc_rules"
  4. Change Line 109 from "var WHITE_LIST_PATH ../rules" to "var WHITE_LIST_PATH /etc/snort/rules"
  5. Change Line 110 from "var BLACK_LIST_PATH ../rules" to "var BLACK_LIST_PATH /etc/snort/rules"
  6. Save and Exit
Verify that snort is fully functional with the default rule-set listening to all the traffic on the network by running it in test mode.
1. sudo snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf

Jessica Tanner

Update 04 March 2020

You should read it

May be interested

NASA instructs how to observe a total eclipse safely
if you observe the solar eclipse directly without the use of protective devices, our eyes are prone to ultraviolet rays causing burns to the cornea, pain, loss of vision for hours, possibly even cataract macular and macular degeneration.
Do you know what a solar eclipse looks from the Moon?
recently nasa announced a gif to help us understand what it feels like to observe an eclipse on earth when standing from the moon.
America must prepare 'carefully' for the Japanese Food Festival which will take place on August 21
the solar eclipse of august 21 will affect the us solar grid
Total solar eclipse in North America 'most impressive in hundreds of years'
on april 8, some places in north america witnessed a total solar eclipse - a scene considered 'once in a lifetime'. this total solar eclipse - nicknamed the great american eclipse because of its long path across north america - appeared in the sky over parts of mexico, 15 us states and eastern canada. .
Mysterious blue crescent decoding in many photos of total eclipse in America
in the moment the sun disappeared in the sky of america, many people were fortunate to capture one of the most remarkable astronomical phenomena this year. in some of those photos, many people were startled when they saw a mysterious little blue crescent.
Detection of a rare comet appearing during a total solar eclipse
on april 8, just a few hours before the total solar eclipse, an amateur astronomer discovered a small comet 'sungrazer' very close to earth and took a picture of it before the eclipse. completely decomposed.
Deciphering the 'natural wind' mysteriously caused the researchers a headache
that's when an eclipse happens, the air will become unusually cold and wet, a shuddering and frightening feeling like watching horror movies.
August 21, 2017: NASA will broadcast 360-degree videos directly on Facebook's transcontinental eclipse phenomenon on Facebook, you can see
on august 21, 2017, the transcontinental solar eclipse will take place in the us and facebook will send an invitation to watch the most spectacular astronomical event of 2017 by nasa to you.
Use Snort to detect some of the current popular attacks on Web applications
according to statistics from leading security company acunetix, recently the number of attacks on web applications has increased rapidly (75% of the attacks are done in the application layer. web) [see 1]. in which two attack techniques commonly used by hackers are cross-site scripting and sql injection [see 2] and the following figure:
Instructions for pre-registration for the survival game Eclipse Isle
netease is about to launch eclipse isle, a new battle royale game with rpg elements, creating a difference from other games of the same genre. currently, players can pre-register on android and ios to be ready to experience the game when it is officially released.