Install Snort and Base
Just like psad in the earlier post, Snort is an intrusion prevention and detection system capable of performing real-time traffic analysis and packet logging on IP networks. It has a growing database of rules and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. It is, though, a resource hog, so think twice before installing it on a low-memory machine.
To install Snort on Ubuntu, just add the following packages and dependencies:
aptitude install acidbase snort-mysql libpcap0.8-dev libmysqlclient16-dev bison flex php5-gd php5-mysql libphp-adodb php-pear libcompress-bzip2-perl libhtml-format-perl libmailtools-perl oinkmaster
Then edit your configuration file /etc/snort/snort.conf accordingly, setting your external IP:
var HOME_NET xxx.xxx.xxx.xxx/32
var EXTERNAL_NET !$HOME_NET
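A quick check that those two variables were actually edited before the sensor is started, as an added example that is not part of the original post: it reads the var/ipvar lines of a snort.conf and reports the untouched placeholder, a missing variable, or the combination "HOME_NET any" with "EXTERNAL_NET !$HOME_NET", which Snort rejects at startup because "any" cannot be negated. The function names and the sample configs built by demo are constructed for this example; against the real file run it as check_net_vars /etc/snort/snort.conf.

```shell
#!/bin/sh
# Sanity-check HOME_NET / EXTERNAL_NET in a Snort 2 snort.conf.
# Added example, not from the original post; assumes the
# "var NAME value" / "ipvar NAME value" syntax of snort.conf.

# conf_var FILE NAME: print the value from the last "var"/"ipvar" line that
# defines NAME (a later definition overrides an earlier one, as in Snort).
conf_var() {
    awk -v name="$2" '
        ($1 == "var" || $1 == "ipvar") && $2 == name { val = $3 }
        END { print val }' "$1"
}

# check_net_vars FILE: return 0 when the network variables look usable,
# otherwise print the problem and return a distinct non-zero code.
check_net_vars() {
    home=$(conf_var "$1" HOME_NET)
    ext=$(conf_var "$1" EXTERNAL_NET)

    case "$home" in
        "")    echo "HOME_NET is not defined";                      return 1 ;;
        *xxx*) echo "HOME_NET still holds the placeholder: $home";  return 2 ;;
    esac
    case "$ext" in
        "")    echo "EXTERNAL_NET is not defined";                  return 3 ;;
    esac
    # "EXTERNAL_NET !$HOME_NET" together with "HOME_NET any" negates "any",
    # which Snort refuses to parse.
    if [ "$home" = "any" ] && [ "$ext" = '!$HOME_NET' ]; then
        echo "HOME_NET any cannot be negated by EXTERNAL_NET !\$HOME_NET"
        return 4
    fi
    echo "HOME_NET=$home EXTERNAL_NET=$ext"
    return 0
}

# demo: constructed sample configs (not real files on the box) showing an
# unedited and an edited snort.conf side by side.
demo() {
    dir=$(mktemp -d)
    printf 'var HOME_NET xxx.xxx.xxx.xxx/32\nvar EXTERNAL_NET !$HOME_NET\n' > "$dir/unedited.conf"
    printf 'var HOME_NET 203.0.113.10/32\nvar EXTERNAL_NET !$HOME_NET\n' > "$dir/edited.conf"
    for f in "$dir"/*.conf; do
        printf '%s: ' "$f"
        check_net_vars "$f" || echo "  -> fix $f before running snort -c"
    done
    rm -rf "$dir"
}

# With a path argument check that file; with none, run the constructed demo.
if [ $# -gt 0 ]; then
    check_net_vars "$1"
else
    demo
fi
```

The check deliberately reads the last definition of each variable, because snort.conf files grown over time often carry a second "var HOME_NET" further down that silently wins.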
Among the packages installed earlier you saw acidbase. BASE is the "Basic Analysis and Security Engine" and provides a web front-end to query and analyse the alerts coming from a Snort IDS. For it to work you need to create two databases that will hold the logs:
mysql -u root -p
create user <your_username>@localhost;
SET PASSWORD FOR <your_username>@localhost=PASSWORD('<your_password>');
create database snort;
create database snortarchive;
grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to <your_username>@localhost;
grant CREATE,INSERT,SELECT,DELETE,UPDATE on snortarchive.* to <your_username>@localhost;
exit
And then import the tables into them:
cd /usr/share/doc/snort-mysql
zcat create_mysql.gz | mysql -u root -h localhost -p snort
zcat create_mysql.gz | mysql -u root -h localhost -p snortarchive
You also have to create the directories for BASE:
mkdir /var/www/snort
mkdir /var/www/snort/archive
cp -R /usr/share/acidbase/* /var/www/snort/
cp -R /usr/share/acidbase/* /var/www/snort/archive/
mv /var/www/snort/base_conf.php /var/www/snort/base_conf.php.old
mv /var/www/snort/archive/base_conf.php /var/www/snort/archive/base_conf.php.old
Now you can start the install process by going to http://yoursite.com/snort/setup; for the adodb path use /usr/share/php/adodb, and check "Use archive".
Now go to http://yoursite.com/snort/archive/setup (here you should not check "Use archive").
Now run:
snort -c /etc/snort/snort.conf
If everything was OK you should see the ASCII picture of a pig.
To have all the graphs working you should install the following modules:
pear install Image_Color
pear install Image_Canvas-0.3.2
pear install Numbers_Roman-1.0.2
pear install Numbers_Words-0.16.1
pear install Image_Graph-0.7.2
To update the rule set you should sign up for an account at Snort and get an "OINKCODE" from https://www.snort.org/account/oinkcode.
Earlier we also installed Oinkmaster, which automates updating the rules. Edit its configuration file /etc/oinkmaster.conf and change the update URL:
url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-CURRENT.tar.gz
Now, to update the rules, just type the following (or add it to crontab):
oinkmaster -o /etc/snort/rules
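Once that line sits in crontab the rules change unattended, so it is worth gating the reload on the new rules actually parsing. The script below is an added example, not part of the original post or of Oinkmaster: it fetches with oinkmaster (-C config, -o output directory, -b backup directory), validates the result with "snort -T" without starting a sensor, and only then sends SIGHUP to the running Snort, which makes it re-read its configuration and rules. BACKUP_DIR, the script path in the cron line and the function names are assumptions; the other paths are the ones used in this post.

```shell
#!/bin/sh
# Cron-driven Snort rule update with a parse check before reload.
# Added example (not from the original post or from Oinkmaster).
# Suggested crontab line (path assumed):
#   30 4 * * * root /usr/local/sbin/snort-update-rules.sh run

SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
RULES_DIR="${RULES_DIR:-/etc/snort/rules}"
OINK_CONF="${OINK_CONF:-/etc/oinkmaster.conf}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/snort-rules}"   # assumed location
OINKMASTER_BIN="${OINKMASTER_BIN:-oinkmaster}"
SNORT_BIN="${SNORT_BIN:-snort}"

# fetch_rules: download and merge the rule set; -b keeps a backup of the
# previous rules directory so a bad update can be rolled back by hand.
fetch_rules() {
    mkdir -p "$BACKUP_DIR"
    "$OINKMASTER_BIN" -C "$OINK_CONF" -o "$RULES_DIR" -b "$BACKUP_DIR"
}

# test_config: "snort -T" parses snort.conf and every rule file it includes
# and exits non-zero on a syntax error, without starting the sensor.
test_config() {
    "$SNORT_BIN" -T -c "$SNORT_CONF" >/dev/null 2>&1
}

# reload_snort: a running Snort 2 re-reads its configuration and rules on
# SIGHUP. If no sensor is running (or pidof is missing) there is nothing
# to do and that is not an error for a cron job.
reload_snort() {
    pid=$(pidof snort 2>/dev/null) || {
        echo "snort is not running; nothing to reload"
        return 0
    }
    # unquoted on purpose: pidof may list several PIDs
    kill -HUP $pid
}

# update_rules: the gate. Return codes: 1 = download failed,
# 2 = new rules do not parse (sensor keeps running on the old ones),
# 0 = rules updated and reload signalled.
update_rules() {
    fetch_rules || { echo "oinkmaster failed; rules unchanged"; return 1; }
    test_config || { echo "snort -T rejected the new configuration; not reloading"; return 2; }
    reload_snort
}

# Only act when explicitly asked, so sourcing the file just defines the functions.
case "${1:-}" in
    run) update_rules ;;
esac
```

Because Snort keeps serving the old rules whenever "snort -T" fails, a broken rule snapshot from upstream degrades into a stale rule set rather than a sensor that dies at 4:30 in the morning; the non-zero exit code still surfaces in cron's mail.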
That's it: you can now visit http://yoursite.com/snort and see what happened.