Snort as IDS - Part 2

Posted: Tue Aug 26, 2008 4:19 pm
by nasacis
Snort as IDS

Snort can be used with the other tools listed below. Each of them has
a specific task. A comprehensive working Snort system utilizes these
tools to provide a web-based user interface with a backend database.

OS= CentOS 5.2

• MySQL is used with Snort to log alert data.
• Apache acts as a web server.
• PHP is used as an interface between the web server and MySQL database.
• ACID is a PHP package that is used to view and analyze Snort data using a web browser.
• GD library is used by ACID to create graphs.
• PHPLOT is used to present data in graphic format on the web pages used in ACID. GD library must be working correctly to use PHPLOT.
• ADODB is used by ACID to connect to MySQL database.
• JpGraph is an Object-Oriented Graph creating library for PHP
• Libnet is a high-level API (toolkit) allowing the application programmer to construct and inject network packets.
• Libpcap-devel package
• Libpcre

NOTE: Use libnet version 1.0.2a

Installing Snort
cd /usr/src
tar zxvf snort-
cd snort-
./configure --prefix=/usr/local/snort --enable-smbalerts --enable-flexresp --with-mysql=/usr/local/mysql --with-snmp --with-openssl
make check # to make sure that snort is built properly
make install
/usr/local/snort/bin/snort -? # to check snort is working fine or not

After Installation
mkdir -p /var/log/snort # where snort creates log files by default
mkdir -p /etc/snort
mkdir -p /etc/snort/rules
mkdir -p /etc/snort/preproc_rules
cd ./etc
cp snort.conf /etc/snort
cp classification.config /etc/snort
cp reference.config /etc/snort
cp /etc/snort
cd ../preproc_rules
cp preprocessor.rule /etc/snort/preproc_rules
cp decoder.rules /etc/snort/preproc_rules
cd ..
wget ... 2.4.tar.gz
tar zxvf snortrules-pr-2.4.tar.gz
cd ./rules
cp * /etc/snort/rules
cd /etc/snort
vi snort.conf # for each pair below, replace the existing line in the current configuration file with the new one

# existing line:
var RULE_PATH ../rules
var PREPROC_RULE_PATH ../preproc_rules
# new line:
var RULE_PATH ./rules
var PREPROC_RULE_PATH ./preproc_rules

# existing line:
dynamicengine /usr/local/lib/snort_dynamicengine/
# new line:
dynamicengine /usr/local/snort/lib/snort_dynamicengine/

# existing line:
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
# new line:
dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/

# existing line:
include $RULE_PATH/web-misc.rules
# new line (commented out):
# include $RULE_PATH/web-misc.rules

Starting Snort
cd /etc/rc.d/init.d
vi snortd #copy below contents in snortd file and change paths according to your installation

#!/bin/sh
# snortd        Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description: snort is a lightweight network intrusion detection tool that
#              currently detects more than 1100 host and network
#              vulnerabilities, portscans, backdoors, and more.

# Source function library.
. /etc/rc.d/init.d/functions

# Specify your network interface here
INTERFACE=eth0 # example value; set this to the interface snort should listen on

# See how we were called.
case "$1" in
  start)
        echo -n "Starting snort: "
        cd /var/log/snort
        daemon /usr/sbin/snort -A fast -b -l /var/log/snort \
            -d -D -i $INTERFACE -c /etc/snort/snort.conf
        touch /var/lock/subsys/snort
        echo
        ;;
  stop)
        echo -n "Stopping snort: "
        killproc snort
        rm -f /var/lock/subsys/snort
        echo
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  status)
        status snort
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
esac

exit 0

chkconfig --add snortd
chkconfig --level 245 snortd off
ln -s /etc/rc.d/init.d/snortd /etc/rc.d/rc3.d/S65snortd

Using MySQL with Snort

step 1: we have already compiled snort with MySQL support
step 2: see my earlier post for the LAMP installation
step 3: creating the snort database in MySQL
#mysql -h localhost -u root -p
Enter password: give password of your MySQL Administrator
mysql>create database snort;
mysql>create database snort_archive; #This new snort_archive database is used by ACID to archive old data.
mysql>use snort;
mysql>status #it shows that the currently opened database is "snort"
step 4: creating a MySQL user, granting permissions to the user and setting a password
mysql>grant CREATE, INSERT, DELETE, UPDATE, SELECT on snort.* to rr@localhost;
mysql>grant CREATE, INSERT, DELETE, UPDATE, SELECT on snort_archive.* to rr@localhost;
mysql>SET PASSWORD FOR 'rr'@'localhost' = PASSWORD('rr78x');
step 5: Create tables in snort database
#mysql -h localhost -u rr -p snort < /usr/src/snort-
#mysql -h localhost -u rr -p snort_archive < /usr/src/snort-
#mysql -h localhost -u rr -p snort
Enter password: give password of snort database
mysql>show tables;
| Tables_in_snort |
| data |
| detail |
| encoding |
| event |
| icmphdr |
| iphdr |
| opt |
| reference |
| reference_system |
| schema |
| sensor |
| sig_class |
| sig_reference |
| signature |
| tcphdr |
| udphdr |
#mysql -h localhost -u rr -p snort_archive #use same username and password which we use for snort database
step 6: Modify snort.conf configuration file
#vi /etc/snort/snort.conf
#output database: log, mysql, user=root password=test dbname=db host=localhost
output database: log, mysql, user=rr password=rr78x dbname=snort host=localhost
step 7: Starting snort with database support
#/usr/local/snort/bin/snort -c /etc/snort/snort.conf

Using ACID with Snort
Installation and Configuration

• Install and test Snort. We have already done it.
• Install and test MySQL. We have already done it. (see also my previous post on LAMP)
• Install Apache. We have already done it. (see also my previous post on LAMP)
• Install PHP. We have already done it. (see also my previous post on LAMP)
• Download ACID from ... and uncompress it in the Apache DocumentRoot directory. This process creates a directory named acid under the Apache DocumentRoot directory.
#cd /usr/src
#wget ... b23.tar.gz
#cd /usr/local/apache/htdocs
#tar zxvf /usr/src/acid-0.9.6b23.tar.gz

• Get and install GD library
#cd /usr/src
#tar zxvf gd-2.0.35.tar.gz
#cd gd-2.0.35
#./configure # install all dependencies for GD before running the configure script
#make && make install

• Get and install PHPLOT
#cd /usr/src
#wget ... g_mirror=0
#cd /usr/local/apache/htdocs/acid
#tar zxvf /usr/src/phplot-5.0.5.tar.gz
#mv phplot-5.0.5 phplot

• Get and install ADODB
#cd /usr/src
#wget ... g_mirror=0
#cd /usr/local/apache/htdocs/acid
#tar zxvf /usr/src/adodb505.tgz
#mv adodb505 adodb

• Get and install JpGraph. JpGraph is an Object-Oriented Graph creating library for PHP
#cd /usr/src
#cd /usr/local/apache/htdocs/acid/phplot # the PHPLOT directory was renamed from phplot-5.0.5 to phplot above
#tar zxvf /usr/src/jpgraph-1.26.tar.gz

• Set display_errors variable in /etc/php.ini to Off.

Now you have to configure ACID so that it can interact with the MySQL database.
#cd /usr/local/apache/htdocs/acid
#vi acid_conf.php
$ACID_VERSION = "0.9.6b21";

/* Path to the DB abstraction library
 *  (Note: DO NOT include a trailing backslash after the
 *   directory)
 *   e.g. $foo = "/tmp"    [OK]
 *        $foo = "/tmp/"   [WRONG]
 *        $foo = "c:\tmp"  [OK]
 *        $foo = "c:\tmp\" [WRONG]
 */
$DBlib_path = "./adodb";

/* The type of underlying alert database
 *  MySQL         : "mysql"
 *  PostgresSQL   : "postgres"
 *  MS SQL Server : "mssql"
 */
$DBtype = "mysql";

/* Alert DB connection parameters
 *   - $alert_dbname   : MySQL database name of Snort alert DB
 *   - $alert_host     : host on which the DB is stored
 *   - $alert_port     : port on which to access the DB
 *   - $alert_user     : login to the database with this user
 *   - $alert_password : password of the DB user
 *
 *  This information can be gleaned from the Snort database
 *  output plugin configuration.
 */
$alert_dbname   = "snort";
$alert_host     = "localhost";
$alert_port     = "";
$alert_user     = "rr";
$alert_password = "rr78x";

/* Archive DB connection parameters */
$archive_dbname   = "snort_archive";
$archive_host     = "localhost";
$archive_port     = "";
$archive_user     = "rr";
$archive_password = "rr78x";

/* Type of DB connection to use
 *   1 : use a persistent connection (pconnect)
 *   2 : use a normal connection (connect)
 */
$db_connect_method = 1;

/* Path to the graphing library
 *  (Note: DO NOT include a trailing backslash after the
 *   directory)
 */
$ChartLib_path = "./phplot";

Now you are ready to start using the web interface of ACID.
The first time you go to the ACID URL, ACID needs to do some setup tasks. On the
screen shown, click the Setup page link and you will move to the DB Setup page.
Click the "Create ACID AG" link so that ACID can create its own tables to support
Snort, and on the next page click the "Main Page" link towards the bottom of the
page to go to the main ACID page.

NOTE: To all seniors, kindly check and confirm where I am wrong


Posted: Wed Aug 27, 2008 1:53 pm
by nasacis
replace this line
daemon /usr/sbin/snort -A fast -b -l /var/log/snort \
-d -D -i $INTERFACE -c /etc/snort/snort.conf

with
daemon /usr/sbin/snort -D -i $INTERFACE -c /etc/snort/snort.conf

otherwise, snort would not log data in the database
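As an added example (this is not code from either post), the following shell script checks two things the thread leaves to the reader: that the alert DB settings in acid_conf.php match the `output database:` line in snort.conf, and that the `daemon` line in the snortd init script no longer carries the `-A`/`-b` switches the follow-up post removes because they stop Snort from logging to the database. The temporary file names and the sample file contents are constructed for the demonstration; on a real sensor the functions would be pointed at /etc/snort/snort.conf, the acid_conf.php under the Apache DocumentRoot and /etc/rc.d/init.d/snortd.

```shell
#!/bin/sh
# Added example, not part of the original posts.  Two post-install checks:
#   1. acid_conf.php carries the same user/password/dbname/host as the
#      "output database:" line in snort.conf (otherwise ACID shows nothing);
#   2. the snortd daemon line has no -A or -b, the command-line switches the
#      follow-up post removes so the database output plugin is actually used.
# Every path and file body below is constructed for the demo.

# Print one key=value field (user, password, dbname, host) from the first
# uncommented "output database:" line.  $1 = snort.conf, $2 = field name
snort_db_field() {
    grep -E '^[[:space:]]*output[[:space:]]+database:' "$1" | head -n 1 \
        | tr ' ,' '\n\n' | sed -n "s/^$2=//p" | head -n 1
}

# Print the string assigned to a PHP variable such as $alert_user = "rr";
#   $1 = acid_conf.php, $2 = variable name without the leading $
acid_var() {
    grep -E "^[[:space:]]*\\\$$2[[:space:]]*=" "$1" | head -n 1 \
        | sed 's/^[^"]*"\([^"]*\)".*/\1/'
}

# Return 0 when all four connection parameters agree, 1 otherwise; each
# mismatch is named on stderr.  $1 = snort.conf, $2 = acid_conf.php
check_acid_matches_snort() {
    mismatches=0
    for pair in user:alert_user password:alert_password \
                dbname:alert_dbname host:alert_host; do
        sfield=${pair%%:*}
        avar=${pair#*:}
        sval=$(snort_db_field "$1" "$sfield")
        aval=$(acid_var "$2" "$avar")
        if [ -z "$sval" ]; then
            echo "snort.conf: no uncommented 'output database:' line sets $sfield" >&2
            mismatches=$((mismatches + 1))
        elif [ "$sval" != "$aval" ]; then
            echo "mismatch: snort.conf $sfield='$sval' vs acid_conf.php \$$avar='$aval'" >&2
            mismatches=$((mismatches + 1))
        fi
    done
    [ "$mismatches" -eq 0 ]
}

# Return 0 when the (possibly backslash-continued) daemon line of an init
# script has no -A or -b switch; 1 when it has one or no daemon line exists.
#   $1 = snortd init script
snortd_daemon_line_clean() {
    line=$(sed -e :a -e '/\\$/N; s/\\\n//; ta' "$1" \
           | grep -E '^[[:space:]]*daemon[[:space:]]' | head -n 1)
    [ -n "$line" ] || return 1
    ! printf '%s\n' "$line" | grep -Eq '(^|[[:space:]])-[Ab]([[:space:]]|$)'
}

# Constructed sample files mirroring the values used in the thread.
SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/snort.conf" <<'EOF'
#output database: log, mysql, user=root password=test dbname=db host=localhost
output database: log, mysql, user=rr password=rr78x dbname=snort host=localhost
EOF

cat > "$SAMPLE_DIR/acid_conf.php" <<'EOF'
<?php
$alert_dbname   = "snort";
$alert_host     = "localhost";
$alert_port     = "";
$alert_user     = "rr";
$alert_password = "rr78x";
EOF
# Same file, but the password was never updated after SET PASSWORD.
sed 's/rr78x/test/' "$SAMPLE_DIR/acid_conf.php" > "$SAMPLE_DIR/acid_conf_stale.php"

cat > "$SAMPLE_DIR/snortd.before" <<'EOF'
        daemon /usr/sbin/snort -A fast -b -l /var/log/snort \
            -d -D -i $INTERFACE -c /etc/snort/snort.conf
EOF
cat > "$SAMPLE_DIR/snortd.after" <<'EOF'
        daemon /usr/sbin/snort -D -i $INTERFACE -c /etc/snort/snort.conf
EOF

check_acid_matches_snort "$SAMPLE_DIR/snort.conf" "$SAMPLE_DIR/acid_conf.php" \
    && echo "acid_conf.php matches snort.conf"
check_acid_matches_snort "$SAMPLE_DIR/snort.conf" "$SAMPLE_DIR/acid_conf_stale.php" \
    || echo "stale acid_conf.php detected"
snortd_daemon_line_clean "$SAMPLE_DIR/snortd.before" \
    || echo "snortd.before still has -A/-b: database output would be overridden"
snortd_daemon_line_clean "$SAMPLE_DIR/snortd.after" && echo "snortd.after is clean"
```

The parsing deliberately ignores commented-out lines, so leaving the shipped `#output database: ... user=root password=test ...` placeholder in snort.conf does not mask a missing real entry, and a password changed with `SET PASSWORD` in MySQL but not in acid_conf.php is reported as a mismatch rather than surfacing later as an empty ACID front page.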