Intrusion Detection with Snort Snort is a popular open source intrusion detection system. You can obtain it at: http://www.snort.org/ . Snort analyzes traffic and tries to detect and log suspicious activity. Snort is also capable of sending alerts based on the analysis that it does. Snort Installation For this lesson, we will install from source. Also, rather than install the standard version of snort, we will compile it to send what it logs to a MySQL database. Also, we will install a web based tool, SnortReport, so that we can easily access the information that Snort gives us. Let's start with Snort itself. Download the latest tarball and untar it in a place where it is convenient for you - perhaps where you are untarring thesource code for other packages we're dealing with in this course. We're going to be configuring Snort to log its alerts to a MySQL database, so we're assuming that you have MySQL installed. If you're installing this on Fedora Core, as I am, you should also have the Perl Regular Expressions development library installed. These are available as RPMs. (pick up pcre-devel.X.rpm from your favorite RPM repository) Also, before you compile, you should add both a group and user for snort: Code: groupadd snort and Code: useradd -g snort snort -s /dev/null Now, you're free to start compiling. Go to the directory with the snort source code and issue the following command: Code: ./configure --with-mysql then: Code: make and (as root) Code: make install Snort bases its activity on a set of rules. These rules need to be copied from directory rules in the tarball source to /etc/snort/rules/. You should also copy any configuration files found there to /etc/snort/ (essentially, cp *.rules /etc/snort/rules/, cp *.conf /etc/snort, cp *.config /etc/snort, cp *.map /etc/snort) Setting up Snort First, we need to modify the snort.conf file to reflect the particulars of our network. In this file, you'll find the following variable: Code: var HOME_NET X.X.X.X/X You need to change this to whatever range your network is on. For a typical class C network, you'd change the X's to 192.168.0.0/16, for example. Also, make sure your RULE_PATH variable is pointing to /etc/snort/rules. Since we configured Snort to log its alerts into a MySQL database, we need to do a few things to get that ready. First, in the snort.conf file, you'll need to add the following line Code: output database: log, mysql, user=snort password=XXXXX dbname=snort host=localhost Now we need to create the 'snort' database. To do this, execute the following command (this, of course, assumes that you've got MySQL 'root' user privileges on the machine) Code: mysqladmin -u root -p create snort Now, open a MySQL shell and create the 'snort' user and grant create, insert, select, delete and update rights for the tables. Code: grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost; Then set the password for the user 'snort' that you used above: Code: SET PASSWORD FOR snort@localhost=PASSWORD('XXXXX'); Now we need to create the main tables in the snort database. To to this, enter the 'contrib' directory where you put the snort source code and issue the following command: Code: mysql -u root -p < create_mysql snort Then we need to create some extra tables. The best way to do this is with the following command: Code: zcat snortdb-extra.gz |/usr/local/mysql/bin/mysql -p snort Now, you should have all the necessary tables for the snort MySQL system. Doing a 'show tables;' query shows this: Code: +------------------+ | Tables_in_snort | +------------------+ | data | | detail | | encoding | | event | | flags | | icmphdr | | iphdr | | opt | | protocols | | reference | | reference_system | | schema | | sensor | | services | | sig_class | | sig_reference | | signature | | tcphdr | | udphdr | +------------------+ Now everything is ready for 'snort' to start logging alerts. SnortReport There's a great web-based front-end to monitor snort alerts called SnortReport. It's written in PHP and installs easily into the web server on the machine where snort resides. It's available from Circuits Maximus:http://www.circuitsmaximus.com/ SnortReport will display a graphic representation of the alerts by type of protocol. This graph requires the libphp-jpgraph library. This actually forms part of a Debian package, but the source code can be found at Ibibilo. You will also need GD library enabled PHP installation. This is normally enabled by default, so it shouldn't require any further effort on your part if you have PHP4 or newer installed. To install, just untar the SnortReport source where your web pages are found. Then copy the php files that make up libphp-jpgraph into a subdirectory called 'jpgraph' /snortreport directory - as this is where we'll tell SnortReport to look for them. Then open the file 'srconf.php' and change the variable for your MySQL password for the user 'snort' ($pass = "XXXXX". Next, make sure the variable for the path to the 'jpgraph' points to where we want it: Code: define("JPGRAPH_PATH", "./jpgraph/"); You don't have to enable the graphs. In the file srconf.php there is a variable you can set to 'FALSE' if you don't have either a GD enabled PHP installation or jpgraph. Now, if you point your web browser to where SnortReport is, you should see something like this: Now you have web-based monitoring of your Snort intrusion detection system. Updating and Adding Snort Rules As we mentioned, snort bases its activity around a set of rules found in /etc/snort/rules. You can download new rules at: http://www.snort.org/dl/rules/. You should grab the tarball that corresponds to the version of Snort that you're using. At the time of this writing, Snort is on version 2.x. Make sure you get the tarball for your particular '.x'. (ie. 2.1, 2.2, etc). If you administer one or two servers, it may be practical to just get the latest tarball when it comes out and update manually. One can just rename the old 'rules' directory rules.YYYYMMDD, or whatever you prefer and put the new rules directory in its place and restart Snort. If you're the system administrator for more than just a few machines, it makes sense to create a script to get this done. There is also a popular tool called 'Oinkmaster' to update and manage snort rules. It is available at http://oinkmaster.sourceforge.net/. Their page has excellent documentation about how to use this tool to keep your rules up to date.