
Monday, March 18, 2013

How to Install and Configure Snort - Network based IDS

Install Snort, a network-based IDS (Intrusion Detection System). MySQL is also required, because this setup logs Snort's alerts to a MySQL database.

How to Install and configure Snort - Intrusion Detection System


First, install the packages required to build Snort.

[root@www ~]#yum --enablerepo=epel -y install gcc make rpm-build autoconf automake flex libpcap-devel bison libdnet libdnet-devel mysql-devel pcre-devel php-mysql
# install from EPEL

Install DAQ (the data acquisition library Snort uses) first. Check the Snort site for the latest version and download it.

[root@www ~]#wget http://www.snort.org/downloads/858 -O daq-0.5-1.src.rpm

[root@www ~]#rpm -Uvh daq-0.5-1.src.rpm

1:daq warning: user rjordan does not exist - using root
warning: group rjordan does not exist - using root
########################################### [100%]
warning: user rjordan does not exist - using root
warning: group rjordan does not exist - using root
[root@www ~]#cd rpmbuild/SPECS

[root@www SPECS]#sed -i 's/\/lib\//\/lib64\//g' daq.spec

[root@www SPECS]#rpmbuild -bb daq.spec

[root@www SPECS]#rpm -Uvh ../RPMS/x86_64/daq-0.5-1.x86_64.rpm
Preparing...
########################################### [100%]


   1:daq
########################################### [100%]

Next, download the Snort source RPM and build it the same way.

[root@www ~]#wget http://www.snort.org/downloads/865 -O snort-2.9.0.5-1.src.rpm

[root@www ~]#rpm -Uvh snort-2.9.0.5-1.src.rpm


1:snort warning: user ssturges does not exist - using root
warning: group ssturges does not exist - using root
########################################### [100%]
warning: user ssturges does not exist - using root
warning: group ssturges does not exist - using root



[root@www ~]#cd rpmbuild/SPECS


[root@www SPECS]#vi snort.spec

# near line 280: change like follows
SNORT_BASE_CONFIG="--prefix=%{_prefix} \
--bindir=%{_sbindir} \
--sysconfdir=%{_sysconfdir}/snort \
--with-libpcap-includes=%{_includedir} \
--enable-decoder-preprocessor-rules --enable-targetbased \
--enable-zlib \
--enable-ipv6 \
--enable-normalizer \
"

[root@www SPECS]#ln -s /usr/lib64/mysql /usr/lib/mysql

[root@www SPECS]#rpmbuild -bb --with mysql snort.spec

[root@www SPECS]#rpm -Uvh ../RPMS/x86_64/snort-2.9.0.5-1.x86_64.rpm ../RPMS/x86_64/snort-mysql-2.9.0.5-1.x86_64.rpm

Preparing...
########################################### [100%]


   1:snort
########################################### [ 50%]


   2:snort-mysql
########################################### [100%]

 

Create a database for Snort.

[root@www ~]#mysql -u root -p


Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.1.52 Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.


mysql> create database snort;
Query OK, 1 row affected (0.00 sec)

mysql> grant all privileges on snort.* to snort@localhost identified by 'password';
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> exit
Bye
[root@www ~]#mysql -u snort -p snort < /usr/share/snort-*/schemas/create_mysql
Enter password:          # DB password for snort user

Configure Snort.

[root@www ~]#vi /etc/snort/snort.conf


# line 39: change to internal network
ipvar HOME_NET 10.0.0.0/24



# line 177: make it comment
#dynamicdetection directory /usr/local/lib/snort_dynamicrules



# line 376: add settings for DB
output database: log, mysql, user=snort password=password dbname=snort host=localhost

 


[root@www ~]#vi /etc/sysconfig/snort


# line 69: make it comment ( output logs into MySQL )
#ALERTMODE=fast


 

[root@www ~]#vi /etc/logrotate.d/snort

# line 4: change like follows ( remove unnecessary section )

/var/log/snort/alert /var/log/snort/*log {

Register on the Snort site to obtain the rule files. After registering, download the rules from the Snort site's download page (select "snortrules-snapshot-xxxx.tar.gz" under "Registered User Release").



[root@www ~]#tar zxvf snortrules-snapshot-2905.tar.gz

[root@www ~]#cp rules/* /etc/snort/rules/

[root@www ~]#rm -rf rules snortrules-snapshot-2905.tar.gz

[root@www ~]#/etc/rc.d/init.d/snortd start

Starting snort: Spawning daemon child...
My daemon child 21617 lives...
Daemon parent exiting
[ OK ]

Install BASE, which lets you view Snort's logs in a web browser.

[root@www ~]#yum --enablerepo=epel -y install php-adodb php-pear-Image-Graph
# install from EPEL

 


[root@www ~]#wget http://jaist.dl.sourceforge.net/sourceforge/secureideas/base-1.4.5.tar.gz

[root@www ~]#tar zxvf base-1.4.5.tar.gz

[root@www ~]#mv base-1.4.5 /var/www/base

[root@www ~]#chown -R apache. /var/www/base

[root@www ~]#cp /var/www/base/base_conf.php.dist /var/www/base/base_conf.php
[root@www ~]#vi /var/www/base/base_conf.php


# line 50: PATH to BASE
$BASE_urlpath = '/base';

# line 80: PATH to adodb
$DBlib_path = '/usr/share/php/adodb';

# line 102: change for your env
# snort database
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
# username for snort database
$alert_user = 'snort';
# DB password for snort
$alert_password = 'password';


[root@www ~]#vi /etc/httpd/conf.d/base.conf

# Create new. The Order/Deny/Allow directives only take effect inside a <Directory> container, which the original listing omitted and is added here.
Alias /base /var/www/base

<Directory /var/www/base>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1 10.0.0.0/24
</Directory>



[root@www ~]#/etc/rc.d/init.d/httpd restart

Stopping httpd:
[ OK ]


Starting httpd:
[ OK ]

Open "http://(hostname or IP address)/base/" in a web browser and click "Setup page".

Click the "Create BASE AG" button in the upper right.

After the setup finishes, click "Main page" to go to the main page.

Friday, March 15, 2013

Setting up snort

Intrusion Detection with Snort
Snort is a popular open source intrusion detection system. You can obtain it at http://www.snort.org/. Snort analyzes traffic and tries to detect and log suspicious activity. Snort is also capable of sending alerts based on the analysis that it does.


Snort Installation
For this lesson, we will install from source. Rather than install the standard version of snort, we will compile it to send what it logs to a MySQL database, and we will also install a web-based tool, SnortReport, so that we can easily access the information that Snort gives us. Let's start with Snort itself.
Download the latest tarball and untar it in a convenient place, perhaps where you are untarring the source code for the other packages we're dealing with in this course. We're going to configure Snort to log its alerts to a MySQL database, so we're assuming that you have MySQL installed. If you're installing this on Fedora Core, as I am, you should also have the Perl Regular Expressions development library (pcre-devel) installed. It is available as an RPM (pick up pcre-devel.X.rpm from your favorite RPM repository).

Also, before you compile, you should add both a group and user for snort:
groupadd snort

and
useradd -g snort snort -s /dev/null

Now, you're free to start compiling. Go to the directory with the snort source code and issue the following command:
./configure --with-mysql

then:
make

and (as root):
make install

Snort bases its activity on a set of rules. These rules need to be copied from the rules directory in the source tarball to /etc/snort/rules/. You should also copy any configuration files found there to /etc/snort/ (essentially: cp *.rules /etc/snort/rules/; cp *.conf /etc/snort; cp *.config /etc/snort; cp *.map /etc/snort).

Setting up Snort
First, we need to modify the snort.conf file to reflect the particulars of our network. In this file, you'll find the following variable:
var HOME_NET X.X.X.X/X

You need to change this to whatever range your network is on. For a typical class C network, you'd change the X's to 192.168.0.0/16, for example. Also, make sure your RULE_PATH variable is pointing to /etc/snort/rules.

Since we configured Snort to log its alerts into a MySQL database, we need to do a few things to get that ready. First, in the snort.conf file, you'll need to add the following line
output database: log, mysql, user=snort password=XXXXX dbname=snort host=localhost

Now we need to create the 'snort' database. To do this, execute the following command (this, of course, assumes that you've got MySQL 'root' user privileges on the machine)
mysqladmin -u root -p create snort

Now, open a MySQL shell and create the 'snort' user and grant create, insert, select, delete and update rights for the tables.
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;

Then set the password for the user 'snort' that you used above:
SET PASSWORD FOR snort@localhost=PASSWORD('XXXXX');

Now we need to create the main tables in the snort database. To do this, enter the 'contrib' directory where you put the snort source code and issue the following command:
mysql -u root -p snort < create_mysql

Then we need to create some extra tables. The best way to do this is with the following command:
zcat snortdb-extra.gz |/usr/local/mysql/bin/mysql -p snort

Now, you should have all the necessary tables for the snort MySQL system. Doing a 'show tables;' query shows this:
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| flags            |
| icmphdr          |
| iphdr            |
| opt              |
| protocols        |
| reference        |
| reference_system |
| schema           |
| sensor           |
| services         |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+

Now everything is ready for 'snort' to start logging alerts.

SnortReport
There's a great web-based front-end to monitor snort alerts called SnortReport. It's written in PHP and installs easily into the web server on the machine where snort resides. It's available from Circuits Maximus: http://www.circuitsmaximus.com/

SnortReport will display a graphic representation of the alerts by type of protocol. This graph requires the libphp-jpgraph library. This actually forms part of a Debian package, but the source code can be found at Ibiblio. You will also need a GD-enabled PHP installation. This is normally enabled by default, so it shouldn't require any further effort on your part if you have PHP4 or newer installed.
To install, just untar the SnortReport source where your web pages are found. Then copy the php files that make up libphp-jpgraph into a subdirectory called 'jpgraph' inside the snortreport directory, as this is where we'll tell SnortReport to look for them. Then open the file 'srconf.php' and change the variable for your MySQL password for the user 'snort' ($pass = "XXXXX";). Next, make sure the variable for the path to 'jpgraph' points to where we want it:
define("JPGRAPH_PATH", "./jpgraph/");

You don't have to enable the graphs. In the file srconf.php there is a variable you can set to 'FALSE' if you don't have either a GD enabled PHP installation or jpgraph.

Now, if you point your web browser to where SnortReport is, you should see something like this:

Now you have web-based monitoring of your Snort intrusion detection system.

Updating and Adding Snort Rules
As we mentioned, snort bases its activity around a set of rules found in /etc/snort/rules. You can download new rules at: http://www.snort.org/dl/rules/. You should grab the tarball that corresponds to the version of Snort that you're using. At the time of this writing, Snort is on version 2.x. Make sure you get the tarball for your particular '.x' (i.e. 2.1, 2.2, etc.).

If you administer one or two servers, it may be practical to just get the latest tarball when it comes out and update manually. One can just rename the old 'rules' directory rules.YYYYMMDD, or whatever you prefer and put the new rules directory in its place and restart Snort. If you're the system administrator for more than just a few machines, it makes sense to create a script to get this done. There is also a popular tool called 'Oinkmaster' to update and manage snort rules. It is available at http://oinkmaster.sourceforge.net/. Their page has excellent documentation about how to use this tool to keep your rules up to date.
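Both posts install rules by hand (unpack the snapshot, copy its rules/ directory into /etc/snort/rules, restart Snort), and the paragraph above suggests scripting that once you run more than a few sensors. The script below is an added example, not from either post: it keeps the old directory as rules.YYYYMMDD, refuses an archive without a rules/ directory, and restarts Snort only after `snort -T` accepts the new configuration. RULES_DIR, SNORT_TEST and SNORT_RESTART are this example's own overridable settings, not anything the posts define.

```shell
#!/bin/sh
# Added example, not from either post: install a new Snort rules snapshot the
# way the text describes (keep the old directory as rules.YYYYMMDD, put the new
# one in place, restart Snort), but refuse a bad archive and restart only if
# Snort accepts the new configuration. The three variables are this example's
# own assumptions so it can be exercised without a live sensor.
set -u

RULES_DIR="${RULES_DIR:-/etc/snort/rules}"
# snort -T parses the configuration and rules, reports, and exits.
SNORT_TEST="${SNORT_TEST:-snort -T -c /etc/snort/snort.conf}"
SNORT_RESTART="${SNORT_RESTART:-/etc/rc.d/init.d/snortd restart}"

# update_rules SNAPSHOT_TARBALL
# Returns 0 when the new rules are live, 1 on any failure (old rules kept).
update_rules() {
    tarball="$1"
    backup="$RULES_DIR.$(date +%Y%m%d)"
    # A second update on the same day must not be merged into today's backup.
    [ -e "$backup" ] && backup="$backup.$$"
    work=$(mktemp -d) || return 1

    # The snapshot tarballs unpack to a top-level "rules" directory (as in the
    # posts); unpack into scratch space so a bad archive never touches live rules.
    if ! tar xzf "$tarball" -C "$work" 2>/dev/null || [ ! -d "$work/rules" ]; then
        echo "update_rules: $tarball does not contain a rules/ directory" >&2
        rm -rf "$work"; return 1
    fi
    if ! ls "$work/rules"/*.rules >/dev/null 2>&1; then
        echo "update_rules: no .rules files in $tarball" >&2
        rm -rf "$work"; return 1
    fi

    # Keep the old directory under a dated name, then drop the new one in place.
    if [ -d "$RULES_DIR" ]; then
        mv "$RULES_DIR" "$backup" || { rm -rf "$work"; return 1; }
    fi
    if ! mv "$work/rules" "$RULES_DIR"; then
        [ -d "$backup" ] && mv "$backup" "$RULES_DIR"
        rm -rf "$work"; return 1
    fi
    rm -rf "$work"

    # Restart only if Snort accepts the new rules; otherwise roll back.
    if ! $SNORT_TEST; then
        echo "update_rules: config test failed, restoring previous rules" >&2
        rm -rf "$RULES_DIR"
        [ -d "$backup" ] && mv "$backup" "$RULES_DIR"
        return 1
    fi
    $SNORT_RESTART
}

# Usage: update-snort-rules.sh snortrules-snapshot-xxxx.tar.gz
if [ $# -gt 0 ]; then
    update_rules "$1"
fi
```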
