Intrusion Detection with Snort
Snort is a popular open source intrusion detection system. You can obtain it at: http://www.snort.org/ . Snort analyzes traffic and tries to detect and log suspicious activity. Snort is also capable of sending alerts based on the analysis that it does.
Snort Installation
For this lesson, we will install from source. Also, rather than install the standard version of snort, we will compile it to send what it logs to a MySQL database. Also, we will install a web based tool, SnortReport, so that we can easily access the information that Snort gives us. Let's start with Snort itself.
Download the latest tarball and untar it in a place where it is convenient for you - perhaps where you are untarring thesource code for other packages we're dealing with in this course. We're going to be configuring Snort to log its alerts to a MySQL database, so we're assuming that you have MySQL installed. If you're installing this on Fedora Core, as I am, you should also have the Perl Regular Expressions development library installed. These are available as RPMs. (pick up pcre-devel.X.rpm from your favorite RPM repository)
Also, before you compile, you should add both a group and user for snort:
and
Now, you're free to start compiling. Go to the directory with the snort source code and issue the following command:
then:
and (as root)
Snort bases its activity on a set of rules. These rules need to be copied from directory rules in the tarball source to /etc/snort/rules/. You should also copy any configuration files found there to /etc/snort/ (essentially, cp *.rules /etc/snort/rules/, cp *.conf /etc/snort, cp *.config /etc/snort, cp *.map /etc/snort)
Setting up Snort
First, we need to modify the snort.conf file to reflect the particulars of our network. In this file, you'll find the following variable:
You need to change this to whatever range your network is on. For a typical class C network, you'd change the X's to 192.168.0.0/16, for example. Also, make sure your RULE_PATH variable is pointing to /etc/snort/rules.
Since we configured Snort to log its alerts into a MySQL database, we need to do a few things to get that ready. First, in the snort.conf file, you'll need to add the following line
Now we need to create the 'snort' database. To do this, execute the following command (this, of course, assumes that you've got MySQL 'root' user privileges on the machine)
Now, open a MySQL shell and create the 'snort' user and grant create, insert, select, delete and update rights for the tables.
Then set the password for the user 'snort' that you used above:
Now we need to create the main tables in the snort database. To to this, enter the 'contrib' directory where you put the snort source code and issue the following command:
Then we need to create some extra tables. The best way to do this is with the following command:
Now, you should have all the necessary tables for the snort MySQL system. Doing a 'show tables;' query shows this:
Now everything is ready for 'snort' to start logging alerts.
SnortReport
There's a great web-based front-end to monitor snort alerts called SnortReport. It's written in PHP and installs easily into the web server on the machine where snort resides. It's available from Circuits Maximus:http://www.circuitsmaximus.com/
SnortReport will display a graphic representation of the alerts by type of protocol. This graph requires the libphp-jpgraph library. This actually forms part of a Debian package, but the source code can be found at Ibibilo. You will also need GD library enabled PHP installation. This is normally enabled by default, so it shouldn't require any further effort on your part if you have PHP4 or newer installed.
To install, just untar the SnortReport source where your web pages are found. Then copy the php files that make up libphp-jpgraph into a subdirectory called 'jpgraph' /snortreport directory - as this is where we'll tell SnortReport to look for them. Then open the file 'srconf.php' and change the variable for your MySQL password for the user 'snort' ($pass = "XXXXX". Next, make sure the variable for the path to the 'jpgraph' points to where we want it:
You don't have to enable the graphs. In the file srconf.php there is a variable you can set to 'FALSE' if you don't have either a GD enabled PHP installation or jpgraph.
Now, if you point your web browser to where SnortReport is, you should see something like this:
Now you have web-based monitoring of your Snort intrusion detection system.
Updating and Adding Snort Rules
As we mentioned, snort bases its activity around a set of rules found in /etc/snort/rules. You can download new rules at: http://www.snort.org/dl/rules/. You should grab the tarball that corresponds to the version of Snort that you're using. At the time of this writing, Snort is on version 2.x. Make sure you get the tarball for your particular '.x'. (ie. 2.1, 2.2, etc).
If you administer one or two servers, it may be practical to just get the latest tarball when it comes out and update manually. One can just rename the old 'rules' directory rules.YYYYMMDD, or whatever you prefer and put the new rules directory in its place and restart Snort. If you're the system administrator for more than just a few machines, it makes sense to create a script to get this done. There is also a popular tool called 'Oinkmaster' to update and manage snort rules. It is available at http://oinkmaster.sourceforge.net/. Their page has excellent documentation about how to use this tool to keep your rules up to date.
Snort is a popular open source intrusion detection system. You can obtain it at: http://www.snort.org/ . Snort analyzes traffic and tries to detect and log suspicious activity. Snort is also capable of sending alerts based on the analysis that it does.
Snort Installation
For this lesson, we will install from source. Also, rather than install the standard version of snort, we will compile it to send what it logs to a MySQL database. Also, we will install a web based tool, SnortReport, so that we can easily access the information that Snort gives us. Let's start with Snort itself.
Download the latest tarball and untar it in a place where it is convenient for you - perhaps where you are untarring thesource code for other packages we're dealing with in this course. We're going to be configuring Snort to log its alerts to a MySQL database, so we're assuming that you have MySQL installed. If you're installing this on Fedora Core, as I am, you should also have the Perl Regular Expressions development library installed. These are available as RPMs. (pick up pcre-devel.X.rpm from your favorite RPM repository)
Also, before you compile, you should add both a group and user for snort:
Code:
groupadd snort
and
Code:
useradd -g snort snort -s /dev/null
Now, you're free to start compiling. Go to the directory with the snort source code and issue the following command:
Code:
./configure --with-mysql
then:
Code:
make
and (as root)
Code:
make install
Snort bases its activity on a set of rules. These rules need to be copied from directory rules in the tarball source to /etc/snort/rules/. You should also copy any configuration files found there to /etc/snort/ (essentially, cp *.rules /etc/snort/rules/, cp *.conf /etc/snort, cp *.config /etc/snort, cp *.map /etc/snort)
Setting up Snort
First, we need to modify the snort.conf file to reflect the particulars of our network. In this file, you'll find the following variable:
Code:
var HOME_NET X.X.X.X/X
You need to change this to whatever range your network is on. For a typical class C network, you'd change the X's to 192.168.0.0/16, for example. Also, make sure your RULE_PATH variable is pointing to /etc/snort/rules.
Since we configured Snort to log its alerts into a MySQL database, we need to do a few things to get that ready. First, in the snort.conf file, you'll need to add the following line
Code:
output database: log, mysql, user=snort password=XXXXX dbname=snort host=localhost
Now we need to create the 'snort' database. To do this, execute the following command (this, of course, assumes that you've got MySQL 'root' user privileges on the machine)
Code:
mysqladmin -u root -p create snort
Now, open a MySQL shell and create the 'snort' user and grant create, insert, select, delete and update rights for the tables.
Code:
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
Then set the password for the user 'snort' that you used above:
Code:
SET PASSWORD FOR snort@localhost=PASSWORD('XXXXX');
Now we need to create the main tables in the snort database. To to this, enter the 'contrib' directory where you put the snort source code and issue the following command:
Code:
mysql -u root -p < create_mysql snort
Then we need to create some extra tables. The best way to do this is with the following command:
Code:
zcat snortdb-extra.gz |/usr/local/mysql/bin/mysql -p snort
Now, you should have all the necessary tables for the snort MySQL system. Doing a 'show tables;' query shows this:
Code:
+------------------+
| Tables_in_snort |
+------------------+
| data |
| detail |
| encoding |
| event |
| flags |
| icmphdr |
| iphdr |
| opt |
| protocols |
| reference |
| reference_system |
| schema |
| sensor |
| services |
| sig_class |
| sig_reference |
| signature |
| tcphdr |
| udphdr |
+------------------+
Now everything is ready for 'snort' to start logging alerts.
SnortReport
There's a great web-based front-end to monitor snort alerts called SnortReport. It's written in PHP and installs easily into the web server on the machine where snort resides. It's available from Circuits Maximus:http://www.circuitsmaximus.com/
SnortReport will display a graphic representation of the alerts by type of protocol. This graph requires the libphp-jpgraph library. This actually forms part of a Debian package, but the source code can be found at Ibibilo. You will also need GD library enabled PHP installation. This is normally enabled by default, so it shouldn't require any further effort on your part if you have PHP4 or newer installed.
To install, just untar the SnortReport source where your web pages are found. Then copy the php files that make up libphp-jpgraph into a subdirectory called 'jpgraph' /snortreport directory - as this is where we'll tell SnortReport to look for them. Then open the file 'srconf.php' and change the variable for your MySQL password for the user 'snort' ($pass = "XXXXX". Next, make sure the variable for the path to the 'jpgraph' points to where we want it:
Code:
define("JPGRAPH_PATH", "./jpgraph/");
You don't have to enable the graphs. In the file srconf.php there is a variable you can set to 'FALSE' if you don't have either a GD enabled PHP installation or jpgraph.
Now, if you point your web browser to where SnortReport is, you should see something like this:
Now you have web-based monitoring of your Snort intrusion detection system.
Updating and Adding Snort Rules
As we mentioned, snort bases its activity around a set of rules found in /etc/snort/rules. You can download new rules at: http://www.snort.org/dl/rules/. You should grab the tarball that corresponds to the version of Snort that you're using. At the time of this writing, Snort is on version 2.x. Make sure you get the tarball for your particular '.x'. (ie. 2.1, 2.2, etc).
If you administer one or two servers, it may be practical to just get the latest tarball when it comes out and update manually. One can just rename the old 'rules' directory rules.YYYYMMDD, or whatever you prefer and put the new rules directory in its place and restart Snort. If you're the system administrator for more than just a few machines, it makes sense to create a script to get this done. There is also a popular tool called 'Oinkmaster' to update and manage snort rules. It is available at http://oinkmaster.sourceforge.net/. Their page has excellent documentation about how to use this tool to keep your rules up to date.