Snort is a popular open source intrusion detection system. You
can obtain it at: http://www.snort.org/ . Snort analyzes traffic and tries
to detect and log suspicious activity. Snort is also capable of
sending alerts based on the analysis that it does.
For this lesson, we will install from source. Rather than
install the standard version of Snort, we will compile it with MySQL
support so that it logs its alerts to a MySQL database. We will also
install a web-based tool, SnortReport, so that we can easily access the
information that Snort gives us. Let's start with Snort itself.
Download the latest tarball and untar it in a place where it is
convenient for you - perhaps where you are untarring the source
code for other packages we're dealing with in this course. We're
going to be configuring Snort to log its alerts to a MySQL
database, so we're assuming that you have MySQL installed. If
you're installing this on Fedora Core, as I am, you should also
have the PCRE (Perl Compatible Regular Expressions) development library
installed. It is available as an RPM: pick up pcre-devel.X.rpm from your
favorite RPM repository.
Also, before you compile, you should add both a group and a user
for snort (the user gets /dev/null as its shell, so nobody can log in as it):
groupadd snort
and
useradd -g snort snort -s /dev/null
Now, you're free to start compiling. Go to the directory with
the snort source code and issue the following command:
./configure --with-mysql
then:
make
and (as root):
make install
Snort bases its activity on a set of rules. These rules need to
be copied from the rules directory in the source tarball to
/etc/snort/rules/. You should also copy any configuration files
found there to /etc/snort/. Essentially:
cp *.rules /etc/snort/rules/
cp *.conf /etc/snort
cp *.config /etc/snort
cp *.map /etc/snort
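The build-and-install steps above, gathered into one script. This is an added example, not part of the original lesson or of the Snort project's own sources. It assumes an unpacked Snort 2.x source tree whose path is passed as the first argument, the /etc/snort layout the lesson uses (overridable through a SNORT_ETC variable, which is this script's own convention), and that it is run as root when doing the real install. Account creation is skipped if the group or user already exists, so the script can be re-run safely, and the staged configuration is made readable by the snort group but writable only by root.

```shell
#!/bin/sh
# Added example (not from the lesson or the Snort project): build Snort with
# MySQL support and stage its rules and configuration files under /etc/snort.
# Assumptions: $1 is an unpacked Snort 2.x source tree; SNORT_ETC (default
# /etc/snort) is this script's own override for testing.
set -eu

ETC="${SNORT_ETC:-/etc/snort}"

# Create the snort group and user only if they do not already exist.
ensure_snort_account() {
    getent group snort >/dev/null 2>&1 || groupadd snort
    getent passwd snort >/dev/null 2>&1 || useradd -g snort snort -s /dev/null
}

# configure / make / make install from the source tree, in a subshell so the
# caller's working directory is untouched.
build_and_install() {
    ( cd "$1" && ./configure --with-mysql && make && make install )
}

# Copy *.rules, *.conf, *.config and *.map from the source rules directory
# into the etc layout the lesson describes, then lock the permissions down:
# directories 750, files 640, owned by root:snort (chown needs root and is
# skipped when run unprivileged, e.g. in a dry run).
stage_snort_config() {
    rules_src="$1"; etc="$2"
    mkdir -p "$etc/rules"
    for f in "$rules_src"/*.rules; do
        if [ -e "$f" ]; then cp "$f" "$etc/rules/"; fi
    done
    for f in "$rules_src"/*.conf "$rules_src"/*.config "$rules_src"/*.map; do
        if [ -e "$f" ]; then cp "$f" "$etc/"; fi
    done
    find "$etc" -type d -exec chmod 750 {} +
    find "$etc" -type f -exec chmod 640 {} +
    chown -R root:snort "$etc" 2>/dev/null || true
}

# Usage (as root): ./install-snort.sh /path/to/snort-2.x
if [ "${1:-}" != "" ]; then
    ensure_snort_account
    build_and_install "$1"
    stage_snort_config "$1/rules" "$ETC"
fi
```

With no argument the script only defines its functions, which lets you source it and run stage_snort_config against a scratch directory to check the resulting layout before touching /etc/snort.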
First, we need to modify the snort.conf file to reflect the
particulars of our network. In this file, you'll find the following
variable:
You need to change this to whatever range your network is on.
For a typical class C network, you'd change the X's to
192.168.0.0/16, for example. Also, make sure your RULE_PATH
variable is pointing to /etc/snort/rules.
Since we configured Snort to log its alerts into a MySQL
database, we need to do a few things to get that ready. First, in
the snort.conf file, you'll need to add the following line:
output database: log, mysql, user=snort password=XXXXX dbname=snort host=localhost
Now we need to create the 'snort' database. To do this, execute
the following command (this, of course, assumes that you've got
MySQL 'root' user privileges on the machine):
mysqladmin -u root -p create snort
Now, open a MySQL shell and create the 'snort' user and grant
create, insert, select, delete and update rights on the
tables:
grant CREATE, INSERT, SELECT, DELETE, UPDATE
on snort.* to snort@localhost;
Then set the password for the user 'snort' that you used
above:
SET PASSWORD FOR snort@localhost=PASSWORD('XXXXX');
Now we need to create the main tables in the snort database. To
do this, enter the 'contrib' directory where you put the snort
source code and issue the following command:
mysql -u root -p snort < create_mysql
Then we need to create some extra tables. The best way to do
this is with the following command:
zcat snortdb-extra.gz | /usr/local/mysql/bin/mysql -p snort
Now, you should have all the necessary tables for the snort
MySQL system. Doing a 'show tables;' query shows this:
+------------------+
| Tables_in_snort |
+------------------+
| data |
| detail |
| encoding |
| event |
| flags |
| icmphdr |
| iphdr |
| opt |
| protocols |
| reference |
| reference_system |
| schema |
| sensor |
| services |
| sig_class |
| sig_reference |
| signature |
| tcphdr |
| udphdr |
+------------------+
Now everything is ready for 'snort' to start logging alerts.
There's a great web-based front-end to monitor snort alerts
called SnortReport. It's written in PHP and installs easily into
the web server on the machine where snort resides. It's available
from Circuits Maximus: http://www.circuitsmaximus.com/
SnortReport will display a graphic representation of the alerts
by type of protocol. This graph requires the libphp-jpgraph
library. This is packaged for Debian, but the source code can also be
found at ibiblio. You will also need a PHP installation with the GD
library enabled. This is normally enabled by default, so
it shouldn't require any further effort on your part if you have
PHP4 or newer installed.
To install, just untar the SnortReport source where your web
pages are found. Then copy the php files that make up
libphp-jpgraph into a subdirectory called 'jpgraph' under the
snortreport directory, as this is where we'll tell SnortReport to look
for them. Then open the file 'srconf.php' and change the variable for
your MySQL password for the user 'snort' ($pass = "XXXXX";). Next,
make sure the variable for the path to 'jpgraph' points to
where we put it:
define("JPGRAPH_PATH", "./jpgraph/");
You don't have to enable the graphs. In the file srconf.php
there is a variable you can set to 'FALSE' if you don't have either
a GD enabled PHP installation or jpgraph.
Now, if you point your web browser to where SnortReport is, you
should see something like this:

Now you have web-based monitoring of your Snort intrusion
detection system.
As we mentioned, snort bases its activity around a set of rules
found in /etc/snort/rules. You can download new rules at: http://www.snort.org/dl/rules/. You should grab the
tarball that corresponds to the version of Snort that you're using.
At the time of this writing, Snort is on version 2.x. Make sure you
get the tarball for your particular '.x' (i.e. 2.1, 2.2, etc.).
If you administer one or two servers, it may be practical to
just get the latest tarball when it comes out and update manually:
rename the old 'rules' directory to rules.YYYYMMDD (or
whatever you prefer), put the new rules directory in its place
and restart Snort. If you're the system administrator for more than
just a few machines, it makes sense to create a script to get this
done. There is also a popular tool called 'Oinkmaster' to update
and manage snort rules. It is available at http://oinkmaster.sourceforge.net/. Their page has
excellent documentation about how to use this tool to keep your
rules up to date.
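The manual update the text describes, written as the kind of script it suggests for more than a few machines. This is an added example, not part of the original lesson and not related to Oinkmaster. It assumes the /etc/snort layout used above (overridable through SNORT_ETC, this script's own convention), that the new rules have already been unpacked into the directory given as the first argument, and that Snort is started by an init script named /etc/init.d/snortd (an assumption; adjust to your system). Before restarting, it runs Snort's own configuration test (snort -T) against the new rules and rolls back to the archived directory if the test fails, so a broken rules tarball never leaves the sensor down.

```shell
#!/bin/sh
# Added example (not from the lesson or Oinkmaster): rotate the Snort rules
# directory, keeping the previous one as rules.YYYYMMDD, and restart Snort
# only if the new configuration passes snort -T. Assumed paths: SNORT_ETC
# (default /etc/snort) and the init script /etc/init.d/snortd.
set -eu

SNORT_ETC="${SNORT_ETC:-/etc/snort}"
SNORT_CONF="$SNORT_ETC/snort.conf"

# Move the current rules directory aside as rules.YYYYMMDD (rules.YYYYMMDD.N
# if that name is taken, so a second update on the same day cannot overwrite
# the first archive) and copy the new rules into place. Prints the archive
# path, or nothing if there was no previous rules directory.
rotate_rules() {
    new_rules="$1"; etc="$2"
    stamp=$(date +%Y%m%d)
    old="$etc/rules.$stamp"
    n=1
    while [ -e "$old" ]; do
        old="$etc/rules.$stamp.$n"
        n=$((n + 1))
    done
    if [ -d "$etc/rules" ]; then
        mv "$etc/rules" "$old"
        echo "$old"
    fi
    cp -R "$new_rules" "$etc/rules"
}

# Put an archived rules directory back in place of the current one.
rollback_rules() {
    old="$1"; etc="$2"
    rm -rf "$etc/rules"
    mv "$old" "$etc/rules"
}

# Ask Snort to parse the configuration and rules without sniffing. If the
# snort binary is not on this host (a staging box), report and treat as ok.
config_ok() {
    if ! command -v snort >/dev/null 2>&1; then
        echo "snort not found; skipping snort -T check" >&2
        return 0
    fi
    snort -T -c "$1" -u snort -g snort >/dev/null 2>&1
}

update_rules() {
    archived=$(rotate_rules "$1" "$SNORT_ETC")
    if config_ok "$SNORT_CONF"; then
        /etc/init.d/snortd restart
    else
        echo "new rules failed snort -T; rolling back" >&2
        if [ -n "$archived" ]; then rollback_rules "$archived" "$SNORT_ETC"; fi
        exit 1
    fi
}

# Usage (as root): ./update-rules.sh /path/to/unpacked/rules
if [ "${1:-}" != "" ]; then
    update_rules "$1"
fi
```

Keeping the archive name unique per run matters on a busy sensor: if two rule pushes land on the same day and the second silently replaced the first archive, the only known-good copy would be gone before you found out the new rules were broken.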