Snort
Introduction
Snort is a Network Intrusion Detection System (NIDS).
Abstract
The goal of this document is to walk you through the installation and setup of Snort with either PostgreSQL or MySQL as the logging backend.
Procedure
Install Required Programs
| Code: Set your USE flags in /etc/make.conf |
dynamicplugin   (important for snort 2.6.X)
postgres        (if you're using PostgreSQL as a backend)
mysql           (if you're using MySQL as a backend)
php
pcre
| Code: Install Snort and a database |
emerge -av snort
Setup Snort with PostgreSQL
| Code: Start PostgreSQL and create a new snort user |
/etc/init.d/postgresql start
createuser -U postgres -P snort
Enter a unique password (remember it) and answer 'n' to any questions.
| Code: Initialize the database |
createdb -U postgres --owner snort snort_log
bzip2 -d /usr/share/doc/snort-[version]/schemas/create_postgresql.bz2
psql -U snort snort_log < /usr/share/doc/snort-[version]/schemas/create_postgresql
| File: /etc/conf.d/snort |
SNORT_OPTS="-D -u snort -i $IFACE -c $CONF"
| File: /etc/snort/snort.conf |
output database: log, postgresql, user=snort dbname=snort_log \
    password=[the password you entered when you created the PostgreSQL user 'snort'] \
    host=localhost
Use host=[the IP address of your PostgreSQL server] instead of host=localhost if the database runs on a separate server.
| Code: Verify the permissions of snort.conf (root:snort 640) and start snort |
chown root:snort /etc/snort/snort.conf
chmod 640 /etc/snort/snort.conf
/etc/init.d/snort start
If the snort user is not the owner of the snort database, you need to grant it permissions on the database objects it reads and writes:
| Code: Granting permissions |
psql -U snort_owner -d snort_log
GRANT SELECT ON detail, encoding, event, reference_system,
    schema, sensor, sig_class, sig_reference, signature TO snort;
GRANT INSERT ON data, event, icmphdr, iphdr, opt, reference,
    reference_system, sensor, sig_class, sig_reference, signature,
    tcphdr, udphdr TO snort;
GRANT UPDATE ON reference_ref_id_seq,
    reference_system_ref_system_id_seq, sensor_sid_seq,
    sig_class_sig_class_id_seq, signature_sig_id_seq TO snort;
| Code: Verify snort is logging to the database (optional) |
echo "SELECT hostname FROM sensor;" | psql -d snort_log -U postgres
You should get the hostname (or IP address) of the machine snort is running on.
Secure PostgreSQL
| File: /var/lib/postgresql/data/pg_hba.conf (comment out, or delete the following) |
local all all trust
| File: /var/lib/postgresql/data/pg_hba.conf (add the following line) |
local snort_log snort md5
Secure Remote PostgreSQL Setup (optional)
You need to edit the next two files only if you've set up PostgreSQL on a separate server.
| File: /var/lib/postgresql/data/pg_hba.conf (Comment out or delete the following line) |
host all all [ip-addr] [ip-mask] trust
| File: /var/lib/postgresql/data/pg_hba.conf (Add the following line) |
host snort_log snort [ip-addr] [ip-mask] md5
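A quick way to check that the pg_hba.conf edits above actually took effect, written as an added example for this guide (not part of the original page): the script counts any remaining uncommented `trust` entries and confirms an `md5` entry for database snort_log and user snort exists, for both the local and the remote-server variants. The two sample files it runs against are constructed inline; point audit_pg_hba at /var/lib/postgresql/data/pg_hba.conf on a real sensor.

```shell
#!/bin/sh
# Added example, not from the original wiki page: audit a pg_hba.conf for the
# 'trust' entries this guide says to remove, and confirm the md5 entry for
# database snort_log / user snort that it says to add is present.
# audit_pg_hba FILE -> exit status 0 when both conditions hold, 1 otherwise.

# Print the pg_hba.conf entries with comments and blank lines stripped.
hba_entries() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# Count entries whose auth method (last field) is 'trust', any type/db/user.
count_trust() {
    hba_entries "$1" | awk 'NF >= 4 && $NF == "trust" { n++ } END { print n + 0 }'
}

# Count local/host entries for snort_log, user snort, using the md5 method.
count_snort_md5() {
    hba_entries "$1" | awk '($1 == "local" || $1 == "host") && $2 == "snort_log" && $3 == "snort" && $NF == "md5" { n++ } END { print n + 0 }'
}

audit_pg_hba() {
    status=0
    if [ "$(count_trust "$1")" -ne 0 ]; then
        echo "FAIL: 'trust' entries still enabled in $1:"
        hba_entries "$1" | awk 'NF >= 4 && $NF == "trust"'
        status=1
    fi
    if [ "$(count_snort_md5 "$1")" -eq 0 ]; then
        echo "FAIL: no md5 entry for snort_log/snort in $1"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: $1 has no trust entries and an md5 entry for snort"
    fi
    return "$status"
}

# Constructed samples: the default file this guide tells you to fix, and the fixed one.
HBA_BEFORE=$(mktemp); HBA_AFTER=$(mktemp)
printf '# TYPE  DATABASE  USER  CIDR-ADDRESS  METHOD\nlocal  all  all  trust\nhost  all  all  127.0.0.1  255.255.255.255  trust\n' > "$HBA_BEFORE"
printf '# TYPE  DATABASE  USER  CIDR-ADDRESS  METHOD\nlocal  snort_log  snort  md5\nhost  snort_log  snort  192.0.2.10  255.255.255.255  md5\n' > "$HBA_AFTER"
audit_pg_hba "$HBA_BEFORE" || echo "(default config fails the audit, as expected)"
audit_pg_hba "$HBA_AFTER"  && echo "(hardened config passes)"
rm -f "$HBA_BEFORE" "$HBA_AFTER"
```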
Setup Snort with MySQL
Tip: Skip this if you're using PostgreSQL
| Code: Start MySQL and create the snort database |
/etc/init.d/mysql start
mysql -u root -p        # enter the password you assigned earlier
create database snort_log;
Tip: Notice the semicolon at the end of the line. It's critical.
| Code: Create the snort user |
grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on snort_log.* to snort@localhost;
SET PASSWORD FOR snort@localhost=PASSWORD('new_password');
flush privileges;
exit;
| Code: Initialize the database |
bzcat /usr/share/doc/snort-[version]/schemas/create_mysql.bz2 | mysql -u root -p snort_log
| File: /etc/conf.d/snort |
SNORT_OPTS="-D -u snort -i $IFACE -c $CONF"
| File: /etc/snort/snort.conf |
output database: log, mysql, user=snort dbname=snort_log \
    password=[the password you entered when you created the database user 'snort'] \
    host=localhost
| Code: Verify the permissions of snort.conf (root:snort 640) and start snort |
chown root:snort /etc/snort/snort.conf
chmod 640 /etc/snort/snort.conf
/etc/init.d/snort start
| Code: Verify snort is logging to the database (optional) |
echo "SELECT hostname FROM sensor;" | mysql -u root -p snort_log
You should get the hostname (or IP address) of the machine snort is listening on.
Final Steps
| Code: Restart Snort and the database |
/etc/init.d/snort stop
/etc/init.d/postgresql restart      # OR: /etc/init.d/mysql restart
/etc/init.d/snort start
| Code: Set snort and the database to run on boot |
rc-update add snort default
rc-update add postgresql default    # OR: rc-update add mysql default
Graphical BASE Front-End (optional)
If you'd like to view your Snort logs graphically via your web browser, take a look at BASE.
Last modified: Thu, 02 Oct 2008 18:07:00 +1000