Snort with Sguil
This page provides information, updates and files to set up and install the Snort with Sguil IDS sensor using the ISO provided below.
Current version is 7.3 (September 2013)
The Shadow ISO can be downloaded directly from the following links: 64-bit version and 64-bit MD5, or 32-bit version and 32-bit MD5.
The built documentation is available here: ISO 32-bit Documentation and ISO 64-bit Documentation.
What’s new in version 7.3?
After more than a year, I have posted an updated ISO of Snort with Sguil. See the install.pdf document in the rel_note directory on the CD, which contains all the setup information. Here is a summary of the updates/changes:
- Added the following tools: gulp, nfsen, SQueRT, ssdeep, PassiveDNS with database, Sagan, nfdump, rrdtool, rsyslog and pf_ring
- PRADS can now be used with Snort to provide an accurate inventory of the hosts and services running on the network
- Added new shell scripts configure_sguil.sh, install_nfsen_x64.sh and install_nfsen_i486.sh. These scripts are used to configure the database and sensor.
- Upgraded PassiveDNS to 1.0 and added the scripts and web server to track and query the data via Apache and MySQL
- Separate packages are now provided for the Snort IDS engine, Barnyard and the Snort configuration.
- Removed sysklogd 1.4.1 and logrotate 3.7.4 and replaced them with rsyslog 5.8.12, which is used with the Sagan rules
- Upgraded Wireshark/tshark to 1.10.1
- Updated Snort to 220.127.116.11 and DAQ 2.0.1
- Updated Barnyard2 to 2.1.13
- Updated libpcap to version 1.3.0
- Added Netflow Sensor (nfsen) version 1.3.6p1 to collect netflow logs using softflowd or router logs
- Added nfdump 1.6.8p1 and rrdtool 1.4.7 to ISO
- Added pf_ring version 5.5.2 to use with Snort
- Upgraded various packages to latest version
I recommend using the Sguil client package located on the CD in the /files/sguil-0.8.0 directory, because it contains some modifications that use httpry to retrieve web links under the Alert ID tab.
The menu now looks like this:
Note: Minor updates for this version will be available right here on this page.
Download the custom update script below; it allows the sensor to fetch all available updates directly from this site.
Download the script to the sensor, then gunzip it and run it as root (gunzip custupdate.sh.gz and ./custupdate.sh) to check the repository for updates. The updates are downloaded to /tmp/slackupdate.
32-bit version custupdate.sh
64-bit version cust64update.sh
Current updates (Latest 29 August 2013)
Wireshark 1.10.1 (14 August 2013)
SiLK 2.5.0 (24 June 2013)
Yaf 2.4.0 (24 June 2013)
Libfixbuf 1.3.0 (24 June 2013)
Snort DAQ 2.0.1 (29 August 2013)
Snort 18.104.22.168 (29 August 2013)
Barnyard 2.1.13 (29 August 2013)
PF_Ring 5.5.2 (20 May 2013)
Libpcap 1.3.0 (5 Dec 2012)
Note: To use PF_Ring, you need to download and install PF_Ring 32-bit or PF_Ring 64-bit together with the updated rc.snort startup script that enables that function.
Updating Snort/Barnyard Package for version 7.2 (Aug 2013)
I did a complete rewrite of the snort package, which is now split into three packages: snort, snort-files and barnyard. The snort package contains only the Snort binaries and configuration (i.e. the etc directory), the snort-files package contains the rules and custom configurations, and the barnyard package provides Barnyard for unified logging.
Before upgrading to the current version, I recommend that you copy the following configuration files (the ones currently in use), because they will be overwritten when you upgrade your sensor:
cp /usr/local/snort/etc/snort.conf /tmp
cp /usr/local/snort/oinkmaster.conf /tmp
cp /usr/local/barnyard/etc/barnyard.eth1.conf /tmp
From the sensor, download these 4 packages using wget:
After you have downloaded the 4 packages with wget, stop Snort and Barnyard before upgrading. When the upgrade is done, copy the saved configuration files back into place:
cp /tmp/snort.conf /usr/local/snort/etc/
cp /tmp/oinkmaster.conf /usr/local/snort/etc/
cp /tmp/barnyard.eth1.conf /usr/local/barnyard/etc/
One last thing: if you use oinkmaster to manage your rules, don't forget to update oinkmaster.conf so that it points at the latest Registered User Release ruleset matching your Snort version.
Edit oinkmaster.conf and update the Snort version in the ruleset URL (minimum 22.214.171.124 or 126.96.36.199):
url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2946.tar.gz
Save the change.
Now test your Snort configuration to make sure everything is still in place:
- cd /usr/local/snort
- ./check_snort_eth1 → This test should be successful
- /etc/rc.d/rc.snort → This restarts Snort
- /etc/rc.d/rc.barnyard → This restarts Barnyard
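The backup-and-restore step above is the part of the upgrade most likely to go wrong silently (a config copied to the wrong directory, or clobbered by the new package). The following bash script is an added example, not part of the Snort with Sguil ISO; it backs up the three files named above with a SHA-256 manifest and refuses to restore a copy that no longer matches. SNORT_ETC and BARNYARD_ETC are assumed override variables so it can be exercised on a scratch directory.

```bash
#!/bin/bash
# Added example, not part of the Snort with Sguil ISO: back up the three config
# files the snort/snort-files/barnyard upgrade overwrites, with a SHA-256
# manifest, and restore them afterwards without overwriting a live file from a
# backup copy whose hash no longer matches. Paths default to those named on the
# page; SNORT_ETC and BARNYARD_ETC are assumed override knobs used for testing.

# Files to preserve across the upgrade.
config_files() {
    printf '%s\n' \
        "${SNORT_ETC:-/usr/local/snort/etc}/snort.conf" \
        "${SNORT_ETC:-/usr/local/snort/etc}/oinkmaster.conf" \
        "${BARNYARD_ETC:-/usr/local/barnyard/etc}/barnyard.eth1.conf"
}

hash_file() { sha256sum "$1" | cut -d' ' -f1; }

# backup_configs DIR: copy each existing config into DIR and record its hash.
backup_configs() {
    local dir="$1" f
    mkdir -p "$dir" && : > "$dir/MANIFEST"
    config_files | while IFS= read -r f; do
        if [ ! -f "$f" ]; then
            echo "warning: $f not found, skipping" >&2
            continue
        fi
        cp -p "$f" "$dir/" || return 1
        printf '%s  %s\n' "$(hash_file "$f")" "$f" >> "$dir/MANIFEST"
    done
}

# restore_configs DIR: verify each backup copy against the manifest first, and
# only then copy it back over the live file.
restore_configs() {
    local dir="$1" sum f copy
    while read -r sum f; do
        copy="$dir/$(basename "$f")"
        if [ "$(hash_file "$copy")" != "$sum" ]; then
            echo "error: $copy does not match the manifest, not restoring" >&2
            return 1
        fi
        cp -p "$copy" "$f" || return 1
    done < "$dir/MANIFEST"
}

case "${1:-}" in
    backup)  backup_configs "${2:?backup directory}" ;;
    restore) restore_configs "${2:?backup directory}" ;;
esac
```

Run `./snort_cfg_backup.sh backup /root/cfg-before-upgrade` before installing the new packages and `./snort_cfg_backup.sh restore /root/cfg-before-upgrade` afterwards, then run the check_snort_eth1 test as described above.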
Note: From now on, the only update I will provide will be the Snort package.