Autosnort is a series of bash shell scripts designed to install a fully functional, fully updated stand-alone snort sensor with an IDS event review console of your choice, on a variety of Linux distributions. The script is very meticulously commented in order for users to fully understand all the changes the script performs on a given system. That way if a user wants to make their own customizations, or gain a better understanding of the install process, that information is present.
I chose to write Autosnort as an alternative to other IDS solutions and also as a way for me to learn shell scripting a bit better, while granting snort users of any proficiency the capability to install the latest and greatest version of snort and its components as soon as they become available with as little muss and fuss as possible — with only the interfaces or features they desired, on any operating system they want to use. As it stands right now, Autosnort supports the following major Linux distributions:
- Ubuntu 12.X and 14.x
- Debian 7.x and 8.x
- CentOS 6.x and 7.x
- Kali Linux
Autosnort will:
1. Install the latest versions of Snort, Barnyard2, DAQ (Data Acquisition) Libraries as well as any other required repositories and pre-reqs for all of Snort’s components automatically with no user input required (beyond filling out a configuration file)
2. Automatically downloads pulled pork and uses it to pull down the latest available rules for your version of Snort, so long as you have a valid Oink Code — Doesn’t matter if it’s a registered user or VRT subscription Oink Code. Don’t have or know what an oink code is? Visit snort.org, register on their website and login. There’s an option to display your oink code once you log in.
3. Can automatically install a variety of IDS event consoles/output mechanisms. Autosnort handles the installation of pre-req packages for the console, configuration files, as well as configuring Apache to serve Web-Based IDS event consoles over HTTPS. You may choose among the following:
- Bammv’s SGUIL project (sguild and snort_agent.tcl)
- Symmetrix Technologies’ SnortReport web interface
- Threat Stack’s Snorby web interface (NO LONGER SUPPORTED – Scripts still provided)
- Tactical Flex’s Aanval web interface
- BASE web interface (Currently hosted by SourceForge)
- syslog_full messages to port 514/udp (think: barebones sensor install or SIEM integration)
- configure barnyard2 to log to a remote database (central console, distributed sensors)
- install no interface at all
Copyright (c) 2012 Tony Robinson – Triptych Security
