Snort as IDS
Snort can be used with other tools are listed below. Each of them has
a specific task. A comprehensive working Snort system utilizes these
tools to provide a web-based user interface with a backend database.
OS= CentOS 5.2
Apache=2.2.9
MySQL=5.0.67
PHP=5.2.6
• MySQL is used with Snort to log alert data.
• Apache acts as a web server.
• PHP is used as an interface between the web server and MySQL database.
• ACID is a PHP package that is used to view and analyze Snort data using a web browser.
• GD library is used by ACID to create graphs.
• PHPLOT is used to present data in graphic format on the web pages used in ACID. GD library must be working correctly to use PHPLOT.
• ADODB is used by ACID to connect to MySQL database.
• JpGraph is a Object-Oriented Graph creating library for PHP
• Libnet is a high-level API (toolkit) allowing the application programmer to construct and inject network packets.
• Libpcap-devel package
• Libpcre
NOTE: Use libnet version 1.0.2a
Installing Snort
cd /usr/src
wget http://www.snort.org/dl/current/snort-2.8.2.2.tar.gz
tar zxvf snort-2.8.2.2.tar.gz
cd snort-2.8.2.2
./configure --prefix=/usr/local/snort --enable-smbalerts --enable-flexresp --with-mysql=/usr/local/mysql --with-snmp --with-openssl
make
make check # to make sure that snort is built properly
make install
/usr/local/snort/bin/snort -? # to check snort is working fine or not
After Installation
mkdir -p /var/log/snor # where snort creates log files by default
mkdir -p /etc/snort
mkdir -p /etc/snort/rules
mkdir -p /etc/snort/preproc_rules
cd ./etc
cp snort.conf /etc/snort
cp classification.config /etc/snort
cp reference.config /etc/snort
cp unicode.map /etc/snort
cd ../preproc_rules
cp preprocessor.rule /etc/snort/preproc_rules
cp decoder.rules /etc/snort/preproc_rules
cd ..
wget http://www.snort.org/pub-bin/downloads. ... 2.4.tar.gz
tar zxvf snortrules-pr-2.4.tar.gz
cd ./rules
cp * /etc/snort/rules
cd /etc/snort
vi snort.conf #replace below lines with existing in current configuration files
var RULE_PATH ../rules
var PREPROC_RULE_PATH ../preproc_rules
with
var RULE_PATH ./rules
var PREPROC_RULE_PATH ./preproc_rules
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
with
dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
with
dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
include $RULE_PATH/web-misc.rules
with
# include $RULE_PATH/web-misc.rules
Starting Snort
cd /etc/rc.d/init.d
vi snortd #copy below contents in snortd file and change paths according to your installation
#!/bin/sh
#
# snortd Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description: snort is a lightweight network intrusion
# detection tool that
# currently detects more than 1100 host and network
# vulnerabilities, portscans, backdoors, and more.
#
# Source function library.
. /etc/rc.d/init.d/functions
# Specify your network interface here
INTERFACE=eth0
# See how we were called.
case "$1" in
start)
echo -n "Starting snort: "
cd /var/log/snort
daemon /usr/sbin/snort -A fast -b -l /var/log/snort \
d -D -i $INTERFACE -c /etc/snort/snort.conf
touch /var/lock/subsys/snort
echo
;;
stop)
echo -n "Stopping snort: "
killproc snort
rm -f /var/lock/subsys/snort
echo
;;
restart)
$0 stop
$0 start
;;
status)
status snort
;;
*)
echo "Usage: $0 {start|stop|restart|status}"
exit 1
esac
exit 0
chkconfig --add snortd
chkconfig --level 245 snortd off
or
ln -s /etc/rc.d/init.d/snortd /etc/rc.d/rc3.d/S65snortd
Using Mysql with Snort
step 1: we already compile snort with MySQL support
step 2: see my earlier post for LAMP installation
step 3: creating snort database in MySQL
#mysql -h localhost -u root -p
Enter password: give password of your MySQL Administrator
mysql>create database snort;
mysql>create database snort_archive; #This new snort_archive database is used by ACID to archive old data.
mysql>use snort;
mysql>status #it shows that the currently opened database is "snort"
step 4:creating MySQL user and graning permissions to user and setting password
mysql>grant CREATE, INSERT, DELETE, UPDATE, SELECT on snort.* to rr@localhost;
mysql>grant CREATE, INSERT, DELETE, UPDATE, SELECT on snort_archive.* to rr@localhost;
mysql>SET PASSWORD FOR 'rr'@'localhost' = PASSWORD('rr78x');
step 5: Create tables in snort database
#mysql -h localhost -u rr -p snort < /usr/src/snort-2.8.2.2/schemas/create_mysql
#mysql -h localhost -u rr -p snort_archive < /usr/src/snort-2.8.2.2/schemas/create_mysql
#mysql -h localhost -u rr -p snort
Enter password: give password of snort database
mysql>show tables;
+------------------+
| Tables_in_snort |
+------------------+
| data |
| detail |
| encoding |
| event |
| icmphdr |
| iphdr |
| opt |
| reference |
| reference_system |
| schema |
| sensor |
| sig_class |
| sig_reference |
| signature |
| tcphdr |
| udphdr |
+------------------+
#mysql -h localhost -u rr -p snort_archive #use same username and password which we use for snort database
step 6: Modify snort.conf configuration file
#vi /etc/snort/snort.conf
replace
#output database: log, mysql, user=root password=test dbname=db host=localhost
with
output database: log, mysql, user=rr password=rr78x dbname=snort host=localhost
step 7: Starting snort with database support
#/usr/local/snort/bin/snort -c /etc/snort/snort.conf
Using ACID with Snort
Installation and Configuration
• Install and test Snort. We have already done it.
• Install and test MySQL. We have already done it. (see also my previous post of LAMP)
• Install Apache. We have already done it. (see also my previous post of LAMP)
• Install PHP. We have already done it. (see also my previous post of LAMP)
• Download ACID from and uncompress it in apache DocumentRoot directory. This process creates a directory named acid under apache DocumentRoot directory.
#cd /usr/src
#wget http://www.andrew.cmu.edu/user/rdanyliw ... b23.tar.gz
#cd /usr/local/apache/htdocs
#tar zxvf /usr/src/acid-0.9.6b23.tar.gz
• Get and install GD library
#cd /usr/src
#wget http://www.libgd.org/releases/gd-2.0.35.tar.gz
#tar zxvf gd-2.0.35.tar.gz (before running configure script, install all dependencies for GD)
#cd gd-2.0.35
#./configure
#make && make install
• Get and install PHPLOT
#cd /usr/src
#wget http://downloads.sourceforge.net/phplot ... g_mirror=0
#cd /usr/local/apache/htdocs/acid
#tar zxvf /usr/src/phplot-5.0.5.tar.gz
#mv phplot-5.0.5 phplot
• Get and install ADODB
#cd /usr/src
#wget http://downloads.sourceforge.net/adodb/ ... g_mirror=0
#cd /usr/local/apache/htdocs/acid
#tar zxvf /usr/src/adodb505.tgz
#mv adodb505 adodb
• Get and install JpGraph. JpGraph is a Object-Oriented Graph creating library for PHP
#cd /usr/src
#wget http://hem.bredband.net/jpgraph/jpgraph-1.26.tar.gz
#cd /usr/local/apache/htdocs/acid/phplot-5.0.5
#tar zxvf jpgraph-1.26.tar.gz
• Set display_errors variable in /etc/php.ini to Off.
Now you have to configure ACID so that it can interact with the MySQL database.
#cd /usr/local/apache/htdocs/acid
#vi acid_conf.php
<?php
$ACID_VERSION = "0.9.6b21";
/* Path to the DB abstraction library
* (Note: DO NOT include a trailing backslash after the
* directory)
* e.g. $foo = "/tmp" [OK]
* $foo = "/tmp/" [OK]
* $foo = "c:\tmp" [OK]
* $foo = "c:\tmp\" [WRONG]
*/
$DBlib_path = "./adodb";
/* The type of underlying alert database
*
* MySQL : "mysql"
* PostgresSQL : "postgres"
* MS SQL Server : "mssql"
*/
$DBtype = "mysql";
/* Alert DB connection parameters
* - $alert_dbname : MySQL database name of Snort
: alert DB
* - $alert_host : host on which the DB is stored
* - $alert_port : port on which to access the DB
* - $alert_user : login to the database with
: this user
* - $alert_password : password of the DB user
*
* This information can be gleaned from the Snort database
* output plugin configuration.
*/
Installation and Configuration 183
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "rr";
$alert_password = "rr78x";
/* Archive DB connection parameters */
$archive_dbname = "snort_archive";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "rr";
$archive_password = "rr78x";
/* Type of DB connection to use
* 1 : use a persistant connection (pconnect)
* 2 : use a normal connection (connect)
*/
$db_connect_method = 1;
/* Path to the graphing library
* (Note: DO NOT include a trailing backslash after the
directory)
*/
$ChartLib_path = "./phplot";
Now you are ready to start using the web interface of ACID.
http://your_web_server_ip/acid
The first time you go to this URL, ACID needs to do some setup tasks and current
screen, click the Setup page link and you will move to the DB Setup page
shown. Click the “Create ACID AG” link so that ACID can create its own
table to support Snort and on next page, click the “Main Page” link towards the bottom of
the page to go to the main ACID page.
NOTE: To all seniors, kindly check and confirm where I am wrong
Regards
Snort as IDS - Part 2
-
- Battalion Havaldaar Major
- Posts: 269
- Joined: Sat Dec 13, 2003 3:58 pm
- Location: Faisalabad
- Contact:
Snort as IDS - Part 2
Nafees Ahmed
Cell: +92.300.8653568
UAN: 041-111432432
Nexlinx Faisalabad
www.nexlinx.net.pk
nafees29@gmail.com
Cell: +92.300.8653568
UAN: 041-111432432
Nexlinx Faisalabad
www.nexlinx.net.pk
nafees29@gmail.com
-
- Battalion Havaldaar Major
- Posts: 269
- Joined: Sat Dec 13, 2003 3:58 pm
- Location: Faisalabad
- Contact:
replace this line
daemon /usr/sbin/snort -A fast -b -l /var/log/snort \
d -D -i $INTERFACE -c /etc/snort/snort.conf
with
daemon /usr/sbin/snort -D -i $INTERFACE -c /etc/snort/snort.conf
otherwise, snort would not log data in database
daemon /usr/sbin/snort -A fast -b -l /var/log/snort \
d -D -i $INTERFACE -c /etc/snort/snort.conf
with
daemon /usr/sbin/snort -D -i $INTERFACE -c /etc/snort/snort.conf
otherwise, snort would not log data in database
Nafees Ahmed
Cell: +92.300.8653568
UAN: 041-111432432
Nexlinx Faisalabad
www.nexlinx.net.pk
nafees29@gmail.com
Cell: +92.300.8653568
UAN: 041-111432432
Nexlinx Faisalabad
www.nexlinx.net.pk
nafees29@gmail.com