
Snort - Network based IDS
2011/06/05
 
Install Snort, a network-based IDS ( Intrusion Detection System ). MySQL is also required.
[1] Install required packages first.
[root@dlp ~]#
yum --enablerepo=epel -y install gcc make rpm-build autoconf automake flex libpcap-devel bison libdnet libdnet-devel mysql-devel pcre-devel php-mysql
 
# install from EPEL
[2] Install DAQ first. Check the latest version on the Snort site and download it.
[root@dlp ~]#
wget http://www.snort.org/downloads/858 -O daq-0.5-1.src.rpm
[root@dlp ~]#
rpm -Uvh daq-0.5-1.src.rpm

1:daq warning: user rjordan does not exist - using root
warning: group rjordan does not exist - using root
########################################### [100%]
warning: user rjordan does not exist - using root
warning: group rjordan does not exist - using root
[root@dlp ~]#
cd rpmbuild/SPECS

[root@dlp SPECS]#
sed -i 's/\/lib\//\/lib64\//g' daq.spec

[root@dlp SPECS]#
rpmbuild -bb daq.spec

[root@dlp SPECS]#
rpm -Uvh ../RPMS/x86_64/daq-0.5-1.x86_64.rpm

Preparing...
########################################### [100%]

   1:daq
########################################### [100%]

[3] Install Snort. Check the latest version on the Snort site and download it.
[root@dlp ~]#
wget http://www.snort.org/downloads/865 -O snort-2.9.0.5-1.src.rpm
[root@dlp ~]#
rpm -Uvh snort-2.9.0.5-1.src.rpm

1:snort warning: user ssturges does not exist - using root
warning: group ssturges does not exist - using root
########################################### [100%]
warning: user ssturges does not exist - using root
warning: group ssturges does not exist - using root
[root@dlp ~]#
cd rpmbuild/SPECS

[root@dlp SPECS]#
vi snort.spec
# near line 280: change as follows

SNORT_BASE_CONFIG="--prefix=%{_prefix} \
--bindir=%{_sbindir} \

--sysconfdir=%{_sysconfdir}/snort \

--with-libpcap-includes=%{_includedir} \

--enable-decoder-preprocessor-rules --enable-targetbased \

--enable-zlib \

--enable-ipv6 \

--enable-normalizer \

 
--with-mysql-lib=/usr/lib64/mysql
[root@dlp SPECS]#
rpmbuild -bb --with mysql snort.spec

[root@dlp SPECS]#
rpm -Uvh ../RPMS/x86_64/snort-2.9.0.5-1.x86_64.rpm ../RPMS/x86_64/snort-mysql-2.9.0.5-1.x86_64.rpm

Preparing...
########################################### [100%]

   1:snort
########################################### [ 50%]

   2:snort-mysql
########################################### [100%]

[4] Create a database for Snort
[root@dlp ~]#
mysql -u root -p

Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.1.52 Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
create database snort;

Query OK, 1 row affected (0.00 sec)
mysql>
grant all privileges on snort.* to snort@localhost identified by 'password';

Query OK, 0 rows affected (0.00 sec)
mysql>
flush privileges;

Query OK, 0 rows affected (0.00 sec)
mysql>
exit

Bye
[root@dlp ~]#
mysql -u snort -p snort < /usr/share/snort-*/schemas/create_mysql

Enter password:
Enter the DB password for the snort user ( the one set in step [4] )

[5] Configure Snort
[root@dlp ~]#
vi /etc/snort/snort.conf
# line 39: set to your internal network

ipvar HOME_NET
10.0.0.0/24
# line 177: comment it out

#
dynamicdetection directory /usr/local/lib/snort_dynamicrules
# line 376: add the settings for the DB ( user and password must match those granted in step [4] )

output database: log, mysql, user=snort password=password dbname=snort host=localhost
[root@dlp ~]#
vi /etc/sysconfig/snort
# line 69: comment it out ( logs are written to MySQL instead )

#
ALERTMODE=fast
[root@dlp ~]#
vi /etc/logrotate.d/snort
# line 4: change as follows ( remove the unnecessary section )

/var/log/snort/alert /var/log/snort/*log {
[6] Register on the Snort site first to obtain the rule files. After registration, download the rule files from this link ( select "snortrules-snapshot-xxxx.tar.gz" under "Registered User Release" ).
[root@dlp ~]#
tar zxvf snortrules-snapshot-2905.tar.gz

[root@dlp ~]#
cp rules/* /etc/snort/rules/

[root@dlp ~]#
rm -rf rules snortrules-snapshot-2905.tar.gz

[root@dlp ~]#
/etc/rc.d/init.d/snortd start

Starting snort: Spawning daemon child...
My daemon child 19430 lives...
Daemon parent exiting
 
[ OK ]
[7] Install BASE so that you can view Snort's logs in a web browser.
[root@dlp ~]#
yum --enablerepo=epel -y install php-adodb php-pear-Image-Graph
 
# install from EPEL
[root@dlp ~]#
wget http://jaist.dl.sourceforge.net/sourceforge/secureideas/base-1.4.5.tar.gz
[root@dlp ~]#
tar zxvf base-1.4.5.tar.gz

[root@dlp ~]#
mv base-1.4.5 /var/www/base

[root@dlp ~]#
chown -R apache. /var/www/base

[root@dlp ~]#
cp /var/www/base/base_conf.php.dist /var/www/base/base_conf.php

[root@dlp ~]#
vi /var/www/base/base_conf.php
# line 50: URL path to BASE

$BASE_urlpath = '
/base
';
# line 80: filesystem path to adodb

$DBlib_path = '
/usr/share/php/adodb
';
# line 102: change for your environment

# snort database

$alert_dbname = '
snort
';
$alert_host = 'localhost';
$alert_port = '';
# username for the snort database ( as granted in step [4] )

$alert_user = '
snort
';
# DB password for the snort user ( must match the one granted in step [4] )

$alert_password = '
password
';
[root@dlp ~]#
vi /etc/httpd/conf.d/base.conf
# Create a new file

Alias /base /var/www/base
<Directory /var/www/base/>
   Order Deny,Allow
   Deny from all
   Allow from 127.0.0.1 10.0.0.0/24
</Directory>

[root@dlp ~]#
/etc/rc.d/init.d/httpd restart

Stopping httpd:
[ OK ]

Starting httpd:
[ OK ]

[8] Access "http://(hostname or IP address)/base/" and click "Setup page".
[9] Click "Create BASE AG" button on upper right.
[10] After finishing setup as shown below, click "Main page" to go to the main page.
[11] This is the main page of BASE. Snort's logs can be viewed here.
 