Snort as IDS - Part 2

nasacis
Battalion Havaldaar Major
Posts: 269
Joined: Sat Dec 13, 2003 3:58 pm
Location: Faisalabad


Post by nasacis »

Snort as IDS

Snort can be used with the other tools listed below. Each of them has
a specific task. A comprehensive working Snort system utilizes these
tools to provide a web-based user interface with a backend database.

OS= CentOS 5.2
Apache=2.2.9
MySQL=5.0.67
PHP=5.2.6

• MySQL is used with Snort to log alert data.
• Apache acts as a web server.
• PHP is used as an interface between the web server and MySQL database.
• ACID is a PHP package that is used to view and analyze Snort data using a web browser.
• GD library is used by ACID to create graphs.
• PHPLOT is used to present data in graphic format on the web pages used in ACID. GD library must be working correctly to use PHPLOT.
• ADODB is used by ACID to connect to MySQL database.
• JpGraph is an Object-Oriented Graph creating library for PHP
• Libnet is a high-level API (toolkit) allowing the application programmer to construct and inject network packets.
• Libpcap-devel package
• Libpcre

NOTE: Use libnet version 1.0.2a

Installing Snort
cd /usr/src
wget http://www.snort.org/dl/current/snort-2.8.2.2.tar.gz
tar zxvf snort-2.8.2.2.tar.gz
cd snort-2.8.2.2
./configure --prefix=/usr/local/snort --enable-smbalerts --enable-flexresp --with-mysql=/usr/local/mysql --with-snmp --with-openssl
make
make check # to make sure that snort is built properly
make install
/usr/local/snort/bin/snort -? # to check snort is working fine or not

After Installation
mkdir -p /var/log/snort # where snort creates log files by default
mkdir -p /etc/snort
mkdir -p /etc/snort/rules
mkdir -p /etc/snort/preproc_rules
cd ./etc
cp snort.conf /etc/snort
cp classification.config /etc/snort
cp reference.config /etc/snort
cp unicode.map /etc/snort
cd ../preproc_rules
cp preprocessor.rules /etc/snort/preproc_rules
cp decoder.rules /etc/snort/preproc_rules
cd ..
wget http://www.snort.org/pub-bin/downloads. ... 2.4.tar.gz
tar zxvf snortrules-pr-2.4.tar.gz
cd ./rules
cp * /etc/snort/rules
cd /etc/snort
vi snort.conf # replace the lines below in the existing configuration file with the versions that follow each "with"

var RULE_PATH ../rules
var PREPROC_RULE_PATH ../preproc_rules
with
var RULE_PATH ./rules
var PREPROC_RULE_PATH ./preproc_rules

dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
with
dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so

dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
with
dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/

include $RULE_PATH/web-misc.rules
with
# include $RULE_PATH/web-misc.rules
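As an added check (not part of the post), here is a small POSIX shell script that resolves every path a snort.conf refers to against a base directory and lists the ones that do not exist, so the three edits above can be verified before snort is started. The sandbox layout, the sample conf text and the rule file names are constructed assumptions, not the post's files.

```shell
# Resolve the paths a Snort 2.x snort.conf refers to (var RULE_PATH and
# PREPROC_RULE_PATH, include, dynamicengine, dynamicpreprocessor directory)
# against a base directory; print each missing one and return 1 if any is.
check_snort_paths() {
    confdir=$1 conf=$2 missing=0 rule_path=rules preproc_path=preproc_rules
    while IFS= read -r line; do
        p=
        case "$line" in                  # lines commented out with '#' match nothing
            "var RULE_PATH "*)         rule_path=${line#"var RULE_PATH "} ;;
            "var PREPROC_RULE_PATH "*) preproc_path=${line#"var PREPROC_RULE_PATH "} ;;
            "include "*)               p=${line#"include "} ;;
            "dynamicengine "*)         p=${line#"dynamicengine "} ;;
            "dynamicpreprocessor directory "*) p=${line#"dynamicpreprocessor directory "} ;;
        esac
        [ -n "$p" ] || continue
        case "$p" in                     # expand the two path variables
            '$RULE_PATH/'*)         p=$rule_path/${p#'$RULE_PATH/'} ;;
            '$PREPROC_RULE_PATH/'*) p=$preproc_path/${p#'$PREPROC_RULE_PATH/'} ;;
        esac
        case "$p" in /*) abs=$p ;; *) abs=$confdir/$p ;; esac
        [ -e "$abs" ] || { echo "missing: $line -> $abs"; missing=1; }
    done < "$conf"
    return $missing
}
# Constructed sandbox mirroring the post: rules/ and preproc_rules/ beside
# snort.conf, engine under the /usr/local/snort prefix; @ROOT@ = sandbox root.
# Echoes how many entries of the given conf text fail to resolve.
count_missing() {
    d=$(mktemp -d)
    for sub in etc/snort/rules etc/snort/preproc_rules \
               usr/local/snort/lib/snort_dynamicengine usr/local/snort/lib/snort_dynamicpreprocessor
    do mkdir -p "$d/$sub"; done
    touch "$d/etc/snort/rules/local.rules" "$d/etc/snort/preproc_rules/preprocessor.rules" \
          "$d/usr/local/snort/lib/snort_dynamicengine/libsf_engine.so"
    printf '%s\n' "$1" | sed "s|@ROOT@|$d|g" > "$d/etc/snort/snort.conf"
    check_snort_paths "$d/etc/snort" "$d/etc/snort/snort.conf" | wc -l | tr -d ' '
    rm -rf "$d"
}
# snort.conf as shipped (before the post's edits) ...
BEFORE='var RULE_PATH ../rules
var PREPROC_RULE_PATH ../preproc_rules
dynamicengine @ROOT@/usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicpreprocessor directory @ROOT@/usr/local/lib/snort_dynamicpreprocessor/
include $RULE_PATH/local.rules
include $PREPROC_RULE_PATH/preprocessor.rules
include $RULE_PATH/web-misc.rules'
# ... and with the post's three edits applied: ./rules, /usr/local/snort/lib, web-misc commented out
AFTER=$(printf '%s\n' "$BEFORE" | sed 's|\.\./|./|; s|/usr/local/lib/|/usr/local/snort/lib/|; s|^include \$RULE_PATH/web-misc|# &|')
count_missing "$BEFORE"   # 5
count_missing "$AFTER"    # 0
```

Run it against the real layout with `check_snort_paths /etc/snort /etc/snort/snort.conf` to see which includes or engine paths still do not resolve.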

Starting Snort
cd /etc/rc.d/init.d
vi snortd #copy below contents in snortd file and change paths according to your installation

#!/bin/sh
#
# snortd Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description: snort is a lightweight network intrusion
# detection tool that
# currently detects more than 1100 host and network
# vulnerabilities, portscans, backdoors, and more.
#

# Source function library.
. /etc/rc.d/init.d/functions

# Specify your network interface here
INTERFACE=eth0

# See how we were called.
case "$1" in
  start)
        echo -n "Starting snort: "
        cd /var/log/snort
        daemon /usr/sbin/snort -A fast -b -l /var/log/snort \
            -d -D -i $INTERFACE -c /etc/snort/snort.conf
        touch /var/lock/subsys/snort
        echo
        ;;
  stop)
        echo -n "Stopping snort: "
        killproc snort
        rm -f /var/lock/subsys/snort
        echo
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  status)
        status snort
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
esac

exit 0

chkconfig --add snortd
chkconfig --level 245 snortd off
or
ln -s /etc/rc.d/init.d/snortd /etc/rc.d/rc3.d/S65snortd


Using Mysql with Snort

step 1: we already compiled snort with MySQL support
step 2: see my earlier post for LAMP installation
step 3: creating snort database in MySQL
#mysql -h localhost -u root -p
Enter password: give password of your MySQL Administrator
mysql>create database snort;
mysql>create database snort_archive; #This new snort_archive database is used by ACID to archive old data.
mysql>use snort;
mysql>status #it shows that the currently opened database is "snort"
step 4: creating MySQL user, granting permissions to the user and setting a password
mysql>grant CREATE, INSERT, DELETE, UPDATE, SELECT on snort.* to rr@localhost;
mysql>grant CREATE, INSERT, DELETE, UPDATE, SELECT on snort_archive.* to rr@localhost;
mysql>SET PASSWORD FOR 'rr'@'localhost' = PASSWORD('rr78x');
step 5: Create tables in snort database
#mysql -h localhost -u rr -p snort < /usr/src/snort-2.8.2.2/schemas/create_mysql
#mysql -h localhost -u rr -p snort_archive < /usr/src/snort-2.8.2.2/schemas/create_mysql
#mysql -h localhost -u rr -p snort
Enter password: give the password of the snort database user
mysql>show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
#mysql -h localhost -u rr -p snort_archive # use the same username and password that we used for the snort database
step 6: Modify snort.conf configuration file
#vi /etc/snort/snort.conf
replace
#output database: log, mysql, user=root password=test dbname=db host=localhost
with
output database: log, mysql, user=rr password=rr78x dbname=snort host=localhost
step 7: Starting snort with database support
#/usr/local/snort/bin/snort -c /etc/snort/snort.conf


Using ACID with Snort
Installation and Configuration

• Install and test Snort. We have already done it.
• Install and test MySQL. We have already done it. (see also my previous post of LAMP)
• Install Apache. We have already done it. (see also my previous post of LAMP)
• Install PHP. We have already done it. (see also my previous post of LAMP)
• Download ACID and uncompress it in the apache DocumentRoot directory. This process creates a directory named acid under the apache DocumentRoot directory.
#cd /usr/src
#wget http://www.andrew.cmu.edu/user/rdanyliw ... b23.tar.gz
#cd /usr/local/apache/htdocs
#tar zxvf /usr/src/acid-0.9.6b23.tar.gz

• Get and install GD library
#cd /usr/src
#wget http://www.libgd.org/releases/gd-2.0.35.tar.gz
#tar zxvf gd-2.0.35.tar.gz (before running configure script, install all dependencies for GD)
#cd gd-2.0.35
#./configure
#make && make install

• Get and install PHPLOT
#cd /usr/src
#wget http://downloads.sourceforge.net/phplot ... g_mirror=0
#cd /usr/local/apache/htdocs/acid
#tar zxvf /usr/src/phplot-5.0.5.tar.gz
#mv phplot-5.0.5 phplot

• Get and install ADODB
#cd /usr/src
#wget http://downloads.sourceforge.net/adodb/ ... g_mirror=0
#cd /usr/local/apache/htdocs/acid
#tar zxvf /usr/src/adodb505.tgz
#mv adodb505 adodb

• Get and install JpGraph. JpGraph is an Object-Oriented Graph creating library for PHP
#cd /usr/src
#wget http://hem.bredband.net/jpgraph/jpgraph-1.26.tar.gz
#cd /usr/local/apache/htdocs/acid/phplot # the phplot-5.0.5 directory was renamed to phplot above
#tar zxvf /usr/src/jpgraph-1.26.tar.gz

• Set display_errors variable in /etc/php.ini to Off.

Now you have to configure ACID so that it can interact with the MySQL database.
#cd /usr/local/apache/htdocs/acid
#vi acid_conf.php
<?php
$ACID_VERSION = "0.9.6b21";
/* Path to the DB abstraction library
 *  (Note: DO NOT include a trailing backslash after the
 *   directory)
 *   e.g. $foo = "/tmp"      [OK]
 *        $foo = "/tmp/"     [OK]
 *        $foo = "c:\tmp"    [OK]
 *        $foo = "c:\tmp\"   [WRONG]
 */
$DBlib_path = "./adodb";
/* The type of underlying alert database
 *
 *  MySQL         : "mysql"
 *  PostgresSQL   : "postgres"
 *  MS SQL Server : "mssql"
 */
$DBtype = "mysql";
/* Alert DB connection parameters
 *   - $alert_dbname   : MySQL database name of Snort alert DB
 *   - $alert_host     : host on which the DB is stored
 *   - $alert_port     : port on which to access the DB
 *   - $alert_user     : login to the database with this user
 *   - $alert_password : password of the DB user
 *
 * This information can be gleaned from the Snort database
 * output plugin configuration.
 */
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "rr";
$alert_password = "rr78x";
/* Archive DB connection parameters */
$archive_dbname = "snort_archive";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "rr";
$archive_password = "rr78x";
/* Type of DB connection to use
 *    1 : use a persistent connection (pconnect)
 *    2 : use a normal connection (connect)
 */
$db_connect_method = 1;
/* Path to the graphing library
 *  (Note: DO NOT include a trailing backslash after the
 *   directory)
 */
$ChartLib_path = "./phplot";

Now you are ready to start using the web interface of ACID:
http://your_web_server_ip/acid
The first time you go to this URL, ACID needs to do some setup tasks. On the current
screen, click the Setup page link and you will move to the DB Setup page.
Click the "Create ACID AG" link so that ACID can create its own
table to support Snort, and on the next page click the "Main Page" link towards the bottom of
the page to go to the main ACID page.

NOTE: To all seniors, kindly check and confirm where I am wrong

Regards
Nafees Ahmed
Cell: +92.300.8653568
UAN: 041-111432432
Nexlinx Faisalabad
www.nexlinx.net.pk
nafees29@gmail.com

Post by nasacis »

replace this line
daemon /usr/sbin/snort -A fast -b -l /var/log/snort \
    -d -D -i $INTERFACE -c /etc/snort/snort.conf

with
daemon /usr/sbin/snort -D -i $INTERFACE -c /etc/snort/snort.conf

otherwise, snort would not log data to the database