}----------------------------====&&====-------------------------------{
%   Snort Installation Guide with BASE and MySQL support. (ver 0.6)   %
}----------------------------====&&====-------------------------------{

      * * * Dedicated > Laila Eldemellawy, the one I will never forget! * * *

#---------------------- DISCLAIMER --------------------------------#
#                                                                  #
# This manual comes under NO GUARANTEE that snort/BASE would run   #
# fully functional on your machine. Furthermore, I can't guarantee #
# the disappearance of Alexander syndrome that you've been         #
# suffering from till you found this manual.                       #
#                                                                  #
#------------------------------------------------------------------#

  (o_    Ghaith Nasrawi
  //\    www.drider.org
  V_/_   libero -at- drider - org

  "Evil thrives when good men do nothing"

  Created:       1 Dec 2004
  Last Modified: 27 Dec 2004

  ..... and FYI, TMTOWTDI .....

-------------------
0.1 Few Assumptions
-------------------

I've made a few assumptions in this manual (Don't Panic!), just as a
starting point so I can start throwing some meaningless lines of
instructions. Otherwise, I'll end up writing manuals on how to install
Linux (Fedora Core 3, in this case). So, if you are stuck at any point,
I'd suggest you point your browser to http://google.co.uk/ and DON'T
mail me, cause I'm not a snorting expert by any means. I just wrote it
because I couldn't find it.

So, assumptions:

1- Platform: Fedora Core 3 on Linux Kernel 2.6.9-1.681

   [foo@bar~]# uname -a
   Linux bar 2.6.9-1.681_FC3 #1 Thu Nov 18 15:10:10 EST 2004 i686 i686 i386 GNU/Linux

2- Snort v. 2.3.0 RC1

   Download the latest snort dist., in this case from
   http://www.snort.org/dl/snort-2.3.0RC1.tar.gz
   (This is a release candidate version, I know that!)

   [foo@bar~]# wget http://www.snort.org/dl/snort-2.3.0RC1.tar.gz

3- BASE v. 1.0

   Download the latest release of BASE from
   http://voxel.dl.sourceforge.net/sourceforge/secureideas/base-1.0.tar.gz

   [foo@bar~]# wget http://voxel.dl.sourceforge.net/sourceforge/secureideas/base-1.0.tar.gz

4- You need to get yourself a few more packages to have the fancy BASE
   running: httpd (Apache webserver), MySQL, MySQL Server, MySQL Devel,
   PHP, php-mysql, adodb, jpgraph, ...

   I will be relying on "yum" to update/install (most of) them.

   NOTE: Another alternative can be "rpm"; type "man rpm" from the
   console to get more info on how to use that method. Otherwise, you
   might fancy downloading the tarballs and installing everything
   manually.

   [foo@bar~]# yum install mysql

   (If mysql is already installed you might need to try "update" instead
   of "install". However, when using "install" while it's already
   installed, yum would just answer "Nothing to do", so you don't need
   to worry about some weirdo effects!)

   [foo@bar~]# yum install mysql-server
   [foo@bar~]# yum install mysql-devel
   [foo@bar~]# yum install httpd
   [foo@bar~]# yum install php
   [foo@bar~]# yum install php-mysql
   [foo@bar~]# yum install php-gd

   OK, here is a little nasty part :-) (you still need to get your hands
   dirty to get the job done). Go to http://adodb.sourceforge.net/ and
   get "adodb" with PHP support (I had the latest version here, 4.5.4)

   [foo@bar~]# wget http://heanet.dl.sourceforge.net/sourceforge/adodb/adodb454.tgz

   and go to http://www.aditus.nu/jpgraph/jpdownload.php and get
   "jpgraph". Their release candidates didn't work with me, so I had a
   stable version (v 1.16)

   [foo@bar~]# wget http://www.aditus.nu/jpgraph/downloads/jpgraph-1.16.tar.gz

----------------------
0.2 What are we doing?
----------------------

Here is what we are trying to do.
  ==========================================        ################
  | LINUX BOX (FC3, Kernel 2.6.9-1.681)    |        #              #
  |                                        |        #              #
  |  ````````````  (M)  """""""""""""""""  |        #              #
  |  `          `  (y)  " APACHE + PHP  "  |        #  NETWORK(S)  #
  |  `  SNORT   ` ->(S) " ------------- "  |        #    UNDER     #
  |  `          ` ->(Q) " |           | "  |        #   ANALYSIS   #
  |  `          `  (L)  " |  **BASE** | "  |        #              #
  |  ````````````   ^<><><><><>^      | "  |        #              #
  |       ||            " ------------- "  |        #              #
  |       ||            """""""""""""""""  |        #              #
  |       ||                               |        #              #
  |  <<<<<<<<------->>>>>>>>> NIC(S) ---------------#              #
  ==========================================        ################

And in a few words, this manual is for building the "Basic Analysis and
Security Engine" (BASE) to grab (and eventually analyze) the data
generated by the Intrusion Detection System (IDS) tool SNORT, after
having its events logged to the MySQL RDBMS.

--------------------------
0.3 Installing Basic Snort
--------------------------

Now, untar the snort package

[foo@bar~]# tar -zxvf snort-2.3.0RC1.tar.gz
[foo@bar~]# cd snort-2.3.0RC1

It's better to choose mysql now, because we will use it later.

[foo@bar snort-2.3.0RC1]# ./configure --with-mysql
[foo@bar snort-2.3.0RC1]# make
[foo@bar snort-2.3.0RC1]# make check        <- OPTIONAL
[foo@bar snort-2.3.0RC1]# make install

Now, you've got snort installed :-) You just need a few bits and pieces
to tidy it up.

[foo@bar snort-2.3.0RC1]# mkdir /etc/snort
[foo@bar snort-2.3.0RC1]# cd etc/           <- THIS IS UNDER THE SNORT PACKAGE, NOT /etc !!
[foo@bar etc]# mv *.conf* /etc/snort/       <- There is a "*" after "conf"
[foo@bar etc]# mv *.map /etc/snort/
[foo@bar etc]# cd ../rules/
[foo@bar rules]# mkdir /etc/snort/rules
[foo@bar rules]# mv *.rules /etc/snort/rules/

Also, you need to create this directory for snort logs!

[foo@bar~]# mkdir /var/log/snort

Go and edit /etc/snort/snort.conf using a text editor like emacs, vi,
pico, joe, whichever you feel comfortable with... You should have
"RULE_PATH" pointing to your rules directory (remember, we've just
changed it):

var RULE_PATH ./rules

Stay in that "snort.conf", go to the beginning of the file and edit the
variables according to your network setup and needs. I don't need to
stress how important that is for logging events correctly! Just
remember, TMTOWTDI.

Now, in order to verify that snort was installed successfully and is
working properly (no mysql, yet!), the following commands will tell you
(1) whether you have a valid configuration [-T], and (2) any problems
that would stop snort from running, when running in verbose mode [-v].

[foo@bar~]# snort -c /etc/snort/snort.conf -T
[foo@bar~]# snort -c /etc/snort/snort.conf -v -i any

Now, if you have any problem with your setup, "-v" should show it for
you, so go fix it! Your logs should be visible under /var/log/snort

Note: When running snort for real, use the command

[foo@bar~]# snort -c /etc/snort/snort.conf -i eth1

(or eth0, or eth2, or whatever interface the network under analysis is
on). Do not run snort in verbose mode for production.

---------------------------
0.4 Time To get MySQL Setup
---------------------------

From 0.1, I'm assuming now that mysql (which is the client and a few
other thingies) and mysql-server are installed. You need to start the
server now.

[foo@bar~]# /sbin/service mysqld start

Create a new database for snort (you might need to read
snort-2.3.0RC1/doc/README.database first)

[foo@bar~]# echo "CREATE DATABASE snort;" | mysql -u root -p

By default the database will come with an empty root password, so it's a
good time to change it now.

[foo@bar~]# mysqladmin -u root -h localhost password "newpwd"

Now we need to create the schema and tables for the "snort" database
we've created moments ago.
You will find the whole schema ready-made in the Snort package you've
downloaded, under the directory "schemas"

[foo@bar snort-2.3.0RC1]# cd schemas/
[foo@bar schemas]# mysql -D snort -u root -p < create_mysql

Also, it's a good idea to run Snort with a user different from root, so
log in to MySQL with your new root password and create one:

[foo@bar~]# mysql -u root -p
mysql> grant all privileges on snort.* to 'snort'@'localhost' identified by 'YOUR_PASS' with grant option;

Now it's time to reconfigure "/etc/snort/snort.conf" for MySQL logging.
So, start looking for the database output rules, and you should have
something similar to this rule

output database: log, mysql, user=snort password=YOUR_PASS dbname=snort host=localhost

Run snort again to check if it successfully logs into MySQL.

[foo@bar~]# snort -c /etc/snort/snort.conf -v

Now, go back to MySQL to check if Snort managed to add some data

[foo@bar~]# mysql -u root -p
mysql> connect snort;
mysql> select * from sensor where 1;

You should see some data over there. No? It's your turn to debug, it
works here!

-------------------------------
0.5 Getting BASE up and running
-------------------------------

From 0.1 we should have these packages installed: Apache, php,
php-mysql, php-gd, ....
(Refer to 0.1.4 for the complete list)

So, let's start by untarring "adodb"

[foo@bar~]# tar -zxvf adodb454.tgz
[foo@bar~]# mv adodb/ /var/www/

Then unpack jpgraph

[foo@bar~]# tar -zxvf jpgraph-1.16.tar.gz
[foo@bar~]# mv jpgraph-1.16 /var/www/html/jpgraph

Now, to the magic BASE

[foo@bar~]# tar -zxvf base-1.0.tar.gz
[foo@bar~]# mv base/ /var/www/html/
[foo@bar~]# cd /var/www/html/base/
[foo@bar base]# cp base_conf.php.dist base_conf.php

Now you need to edit that "base_conf.php" and set the following
parameters to the following values

$DBlib_path = "/var/www/adodb";
$DBtype = "mysql";

$alert_dbname   = "snort";
$alert_host     = "localhost";
$alert_port     = "3306";
$alert_user     = "snort";
$alert_password = "YOUR_PASS";

and it might be a good idea to have a different database to archive
alerts, so you need to configure this also (you can use the same
database and username)

$archive_dbname   = "snort";
$archive_host     = "localhost";
$archive_port     = "3306";
$archive_user     = "snort";
$archive_password = "YOUR_PASS";

$ChartLib_path = "/var/www/html/jpgraph/src";

and the last bit: you need to configure BASE's URL base (is this
confusing?). Since our document root is "/var/www/html/" and we
installed it under "/base/"

$BASE_urlpath = "/base"; //No trailing slash!

Here we go, it's time for action

[foo@bar~]# /sbin/service httpd start

Point your browser to that machine's webserver, http://IP_ADDRESS/base,
or just http://localhost/base if you're accessing it from the same
machine. You should see the BASE Welcome screen, and there is a link
that guides you to the "setup" page, which will lead you to a button
that, when you press it, will create a new database for BASE.

A few suggestions here: password protect that web directory
(instructions to be added later), and if you are trying it in a busy
environment, you might need to delete unnecessary logs/alerts and
archive the significant ones often.
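The settings in 0.4 (the "output database:" line in snort.conf) and 0.5
(the $alert_* values in base_conf.php) have to agree, and both still
carry the YOUR_PASS placeholder at this point. The following is an added
example, not part of this guide or of Snort/BASE: a small POSIX shell
checker that reads both files and reports any disagreement, any leftover
placeholder or empty password, and a $BASE_urlpath with a trailing
slash. The function names are mine, and the sample files are constructed
in a temporary directory; the real paths /etc/snort/snort.conf and
/var/www/html/base/base_conf.php are the ones the guide uses.

```shell
#!/bin/sh
# Added example, not from the guide: cross-check the MySQL settings that
# snort.conf (section 0.4) and base_conf.php (section 0.5) must agree on.
# Function names are mine; the sample files below are constructed.

# Pull one key=value out of the line
#   output database: log, mysql, user=... password=... dbname=... host=...
snort_db_param() {   # usage: snort_db_param <snort.conf> <key>
    grep '^output database:' "$1" | head -n 1 \
        | tr ',' ' ' | tr ' ' '\n' \
        | sed -n "s/^$2=//p" | head -n 1
}

# Pull the string assigned to a PHP variable, e.g.  $alert_user = "snort";
base_param() {       # usage: base_param <base_conf.php> <name-without-dollar>
    sed -n "s/^\\\$$2[[:space:]]*=[[:space:]]*\"\\([^\"]*\\)\".*/\\1/p" "$1" | head -n 1
}

# Report every disagreement, leftover placeholder password, and a
# $BASE_urlpath with a trailing slash.  Returns 0 only when all is clean.
check_base_against_snort() {   # usage: check_base_against_snort <snort.conf> <base_conf.php>
    conf="$1"; php="$2"; status=0
    for pair in dbname:alert_dbname user:alert_user host:alert_host; do
        skey=${pair%%:*}; bkey=${pair#*:}
        sval=$(snort_db_param "$conf" "$skey")
        bval=$(base_param "$php" "$bkey")
        if [ "$sval" != "$bval" ]; then
            echo "MISMATCH: snort.conf $skey='$sval' but base_conf.php \$$bkey='$bval'"
            status=1
        fi
    done
    for pw in "$(snort_db_param "$conf" password)" "$(base_param "$php" alert_password)"; do
        case "$pw" in
            ""|YOUR_PASS) echo "WEAK: empty or placeholder database password still in use"; status=1 ;;
        esac
    done
    if ! grep -q '^\$BASE_urlpath[[:space:]]*=[[:space:]]*"[^"]*[^/"]";' "$php"; then
        echo "CHECK: \$BASE_urlpath is missing or ends with a slash"
        status=1
    fi
    return $status
}

# --- constructed samples: a temporary directory stands in for /etc/snort
# --- and /var/www/html/base ---
SAMPLE_DIR=$(mktemp -d)

# As left after following 0.4 literally: the placeholder password is still there.
cat > "$SAMPLE_DIR/snort.conf" <<'EOF'
var HOME_NET any
var RULE_PATH ./rules
output database: log, mysql, user=snort password=YOUR_PASS dbname=snort host=localhost
EOF

# base_conf.php with a different user, the placeholder password and a
# trailing slash in $BASE_urlpath: three separate findings.
cat > "$SAMPLE_DIR/base_conf.php" <<'EOF'
<?php
$DBlib_path = "/var/www/adodb";
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "3306";
$alert_user = "base";
$alert_password = "YOUR_PASS";
$BASE_urlpath = "/base/";
?>
EOF

# The same pair after the fixes (password value is a made-up sample).
cat > "$SAMPLE_DIR/good_snort.conf" <<'EOF'
output database: log, mysql, user=snort password=s3cr3t-example dbname=snort host=localhost
EOF
cat > "$SAMPLE_DIR/good_base_conf.php" <<'EOF'
<?php
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "3306";
$alert_user = "snort";
$alert_password = "s3cr3t-example";
$BASE_urlpath = "/base";
?>
EOF

echo "== broken pair =="
check_base_against_snort "$SAMPLE_DIR/snort.conf" "$SAMPLE_DIR/base_conf.php" || echo "(problems found, exit $?)"
echo "== fixed pair =="
check_base_against_snort "$SAMPLE_DIR/good_snort.conf" "$SAMPLE_DIR/good_base_conf.php" && echo "(consistent)"
```

On a real box, call check_base_against_snort /etc/snort/snort.conf
/var/www/html/base/base_conf.php after editing both files; the broken
sample above produces four findings (one user mismatch, two placeholder
passwords, one trailing slash) and the fixed sample none. Only the
$alert_* block is checked; extend the pair list with archive_dbname,
archive_user and archive_host if you point the archive at a different
database. One more thing worth noticing while you are there: the grant
in 0.4 includes "with grant option", which lets the snort user hand its
privileges to other accounts. Neither Snort nor BASE needs that, so a
grant without it is the least-privilege choice.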
---------------------
0.6 Snort Fine-Tuning
---------------------

Now, go have some fun with /etc/snort/snort.conf and the other .conf
files to fine-tune them according to your environment by omitting some
rules (and who knows, maybe writing some as well).

-----------
0.7 Thanks!
-----------

- Jeremy Hewlett.
- Kevin Johnson.
- Neville Aga

--------------
0.8 References
--------------

[1] Harper, Patrick. Snort, Apache, SSL, PHP, MySQL, ACID on Fedora Core 2
    Installation Guide. URL: http://www.snort.org/docs/Snort_SSL_FC2.pdf
    Last seen: 12 Dec. 2004.