================================================================================================
SNORT v2.6 on Red Hat Enterprise 4
================================================================================================
Snort(R) is an open source network intrusion prevention and detection system utilizing a
rule-driven language, which combines the benefits of signature, protocol and anomaly
based inspection methods. With millions of downloads to date, Snort is the most widely
deployed intrusion detection and prevention technology worldwide and has become the
de facto standard for the industry.
------------------
ABOUT THIS GUIDE
------------------
This is a step-by-step Snort v2.6 installation on RHEL4 (Red Hat Enterprise Linux 4).
Note: to store the alerts and logs in a MySQL database, Snort has to be built with --with-mysql, so we install from source rather than from a binary package.
----------------
Install snort
----------------
Download the sources
# wget http://www.snort.org/dl/current/snort-2.6.0.2.tar.gz
# tar zxvf snort-2.6.0.2.tar.gz
Note: v2.6.0.2 has problems building with gcc 4 (FC5, Ubuntu, SUSE 10); the gcc 3.4 shipped with RHEL4 is fine.
Download libpcre (Snort's configure needs it):
# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-6.7.tar.gz
# tar zxvf pcre-6.7.tar.gz
# cd pcre-6.7
# ./configure && make && make install
Note: this installs under /usr/local. If /usr/local/lib is not listed in /etc/ld.so.conf, add it and run ldconfig, or snort will not find libpcre.so when it starts.
# cd ../snort-2.6.0.2/
# ls
# ./configure --with-mysql --enable-dynamicplugin <-- needs libpcre
# make
# make install
# groupadd snort
# useradd -g snort -s /bin/false snort   <-- unprivileged account; start Snort with -u snort -g snort so it drops root after opening the interface
# mkdir /etc/snort
# mkdir /etc/snort/rules
# mkdir /var/log/snort   <-- and chown snort:snort /var/log/snort so the snort user can write its logs here
# cd etc <-- the etc in the sources (NOT "/etc")
# pwd
# cp * /etc/snort
Updating the rules: (you must log in to www.snort.org to download the registered-user rules; registration is free)
# wget www.snort.org/pub-bin/downloads.cgi/Download/vrt_os/snortrules-snapshot-CURRENT.tar.gz
# cp snortrules-snapshot-CURRENT.tar.gz /etc/snort
# cd /etc/snort
# tar zxvf snortrules-snapshot-CURRENT.tar.gz
# vi /etc/snort/snort.conf
[snort.conf] <-- (Edit the RULES path)
var RULE_PATH /etc/snort/rules
---------------------------
Tell Snort to log to MySQL
---------------------------
Add one of these lines to "/etc/snort/snort.conf" (one or the other; with both, events from alert rules are written twice):
# vi /etc/snort/snort.conf
> output database: log, mysql, user=snort password=mysqlpass dbname=snort host=localhost
OR
> output database: alert, mysql, user=snort password=mysqlpass dbname=snort host=localhost
The database password sits in clear text in snort.conf, so keep that file readable by root only (chmod 600); Snort reads its configuration as root before dropping to the snort user.
# service mysqld start
# mysql
mysql> SET PASSWORD FOR root@localhost=PASSWORD('your-sql-pass');
mysql> create database snort;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
mysql> SET PASSWORD FOR snort@localhost=PASSWORD('mysqlpass');   <-- must be the password= value from snort.conf
Note: the GRANT comes first because on this MySQL version it also creates the snort@localhost account; a SET PASSWORD for an account that does not exist yet fails. The grant is limited to the snort database and to connections from localhost (host=localhost in snort.conf). Only add a second grant to snort@'%' if Snort or BASE will connect from another machine, since that opens the account to every host.
mysql> exit
>Bye
Then we create the tables: (I downloaded the sources to /hugomartin/snort-2.6.0.1)
# mysql -u root -p < /hugomartin/snort-2.6.0.1/schemas/create_mysql snort
(create_mysql is the schema shipped in the schemas/ directory of the Snort source tree; use the path of the tarball you unpacked.)
We check that the tables were created:
# mysql -p
mysql> show databases;
mysql> use snort
mysql> show tables;
mysql> exit
>Bye
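Before starting Snort for the first time it is worth checking the edits made in this section. The script below is an added example, not part of the guide or of Snort: it reads snort.conf and confirms that RULE_PATH points at a directory holding .rules files, that exactly one "output database:" line is present with user, password, dbname and host, that the placeholder password "mysqlpass" was replaced, and that the log directory is owned by the unprivileged snort user created above. File paths and the user name are arguments, so it can be pointed at a scratch copy; the defaults named in the usage line are the ones this guide uses.

```shell
#!/bin/sh
# Added pre-flight check for the snort.conf edits in this guide (not part of
# Snort or the original guide). Only reads files, so it is safe to run before
# the first "snort -c /etc/snort/snort.conf". The log-directory owner check
# assumes Snort will be started with -u snort -g snort as set up above.

# check_rule_path CONF
# "var RULE_PATH <dir>" must name an existing directory with at least one .rules file.
check_rule_path() {
    conf=$1
    rule_path=$(awk '$1 == "var" && $2 == "RULE_PATH" { print $3; exit }' "$conf")
    [ -n "$rule_path" ] || { echo "FAIL: no 'var RULE_PATH' line in $conf"; return 1; }
    [ -d "$rule_path" ] || { echo "FAIL: RULE_PATH $rule_path is not a directory"; return 1; }
    set -- "$rule_path"/*.rules
    [ -e "$1" ] || { echo "FAIL: no .rules files under $rule_path (unpack the rules snapshot there)"; return 1; }
    echo "ok: RULE_PATH $rule_path holds $# rules file(s)"
}

# check_db_output CONF
# Exactly one active "output database:" line, carrying user=, password=,
# dbname= and host=, and no longer using the guide's placeholder password.
check_db_output() {
    conf=$1
    count=$(grep -c '^output database:' "$conf" || true)
    count=${count:-0}
    [ "$count" -eq 1 ] || { echo "FAIL: expected one 'output database:' line, found $count (two lines store events twice)"; return 1; }
    line=$(grep '^output database:' "$conf")
    for key in user password dbname host; do
        echo "$line" | grep -q "[ ,]$key=" || { echo "FAIL: $key= missing in: $line"; return 1; }
    done
    if echo "$line" | grep -Eq 'password=mysqlpass( |$)'; then
        echo "FAIL: placeholder password 'mysqlpass' still in $conf"; return 1
    fi
    echo "ok: database output line is complete"
}

# check_log_dir DIR USER
# The log directory must exist and be owned by the user Snort drops privileges to.
check_log_dir() {
    dir=$1; user=$2
    [ -d "$dir" ] || { echo "FAIL: log directory $dir missing"; return 1; }
    owner=$(ls -ld "$dir" | awk '{ print $3 }')
    [ "$owner" = "$user" ] || { echo "FAIL: $dir is owned by $owner, not $user (chown $user:$user $dir)"; return 1; }
    echo "ok: $dir owned by $user"
}

# preflight CONF LOGDIR USER : run all three checks; exit status 0 only if all pass
preflight() {
    rc=0
    check_rule_path "$1" || rc=1
    check_db_output "$1" || rc=1
    check_log_dir "$2" "$3" || rc=1
    return $rc
}

# Usage: sh snort_preflight.sh /etc/snort/snort.conf /var/log/snort snort
[ $# -eq 0 ] || preflight "$1" "${2:-/var/log/snort}" "${3:-snort}"
```

Run it as root after editing snort.conf and before the first start; every FAIL line names the fix. It deliberately refuses a configuration that still carries the literal password from the examples, because that value also appears in base_conf.php later and tends to survive into production.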
---------------------
Install BASE
---------------------
1) Download BASE:
# wget http://easynews.dl.sourceforge.net/sourceforge/secureideas/base-1.2.6.tar.gz
2) Verify that Snort is logging to MySQL (the count must be greater than zero and should grow as traffic matches rules):
$ echo "SELECT count(*) FROM event" | mysql snort -u root -p   <-- change user and database name if yours differ
or interactively:
mysql> select count(*) from event;
3) Harden PHP:
[/etc/php.ini]
display_errors = Off   <-- otherwise PHP error pages leak file paths and SQL to the browser
4) Start the web server:
# service httpd start
5) Install the PEAR packages BASE needs for its graphs:
# pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman Log http://pear.php.net/get/Numbers_Words-0.13.1.tgz
These require php-gd:
# rpm -Uvh /media/cdrom/RedHat/RPMS/php-gd-4.3.9-3.1.i386.rpm   (RHEL4 disc 4)
6) Download ADOdb. It only has to be readable by the web server user; it does not need to be under the DocumentRoot, and keeping it outside /var/www/html (as below) means Apache never serves its files directly.
$ wget http://easynews.dl.sourceforge.net/sourceforge/adodb/adodb492.tgz
$ cp adodb492.tgz /var/www/   <-- /var/www/ on RHEL4; other distributions use e.g. /home/httpd/html
$ cd /var/www/
$ tar xvfz adodb492.tgz   <-- unpacks into /var/www/adodb, the $DBlib_path used below
$ cd ..
7) Verify the browser accepts cookies (BASE keeps its session state in one).
... Install signatures into the BASE install
=============
CONFIGURATION
=============
1) # cd /var/www/html
   # tar zxvf base-1.2.6.tar.gz   <-- BASE has to live under the DocumentRoot, /var/www/html
   # mv base-1.2.6 base           <-- rename the extracted directory (not the tarball) to "base"
2) # cd base
   # cp base_conf.php.dist base_conf.php   <-- copy the template
   # vi base_conf.php                      <-- edit these values:
$BASE_urlpath = '/base';
$DBlib_path = '/var/www/adodb/';
$DBtype = 'mysql';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'mysqlpass';   # the same password set for snort@localhost in MySQL
$archive_exists = 0; # Set this to 1 if you have an archive DB
Save.
3) Browse to http://localhost/base
- Click "Create BASE AG" (this creates the extra tables BASE needs in the snort database, which is why the snort user was granted CREATE above)
- Go to the "Main page" to use the application
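The values in base_conf.php must match the "output database:" line in snort.conf exactly, and $DBlib_path must really contain ADOdb; a mismatch in any of them is the usual reason BASE cannot connect while Snort keeps logging. The script below is an added check, not part of the guide, BASE or Snort: it pulls user, password, database and host out of both files, compares them pair by pair, and verifies that adodb.inc.php exists under $DBlib_path. The file paths in the usage line are the ones this guide uses.

```shell
#!/bin/sh
# Added consistency check between snort.conf and base_conf.php (not part of
# the original guide, BASE or Snort). Reads both files, writes nothing.

# snort_db_param SNORT_CONF KEY : value of KEY=... on the "output database:" line
snort_db_param() {
    grep '^output database:' "$1" | head -n 1 | tr ' ,' '\n\n' | sed -n "s/^$2=//p" | head -n 1
}

# base_param BASE_CONF NAME : value of  $NAME = '...';  in base_conf.php
base_param() {
    sed -n "s/^[$]$2[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# compare_db_settings SNORT_CONF BASE_CONF
# Returns 0 only if every credential pair agrees and ADOdb is where BASE expects it.
compare_db_settings() {
    snort_conf=$1; base_conf=$2; rc=0
    for pair in user:alert_user password:alert_password dbname:alert_dbname host:alert_host; do
        skey=${pair%%:*}; bkey=${pair#*:}
        sval=$(snort_db_param "$snort_conf" "$skey")
        bval=$(base_param "$base_conf" "$bkey")
        if [ "$sval" != "$bval" ]; then
            echo "MISMATCH: snort.conf $skey='$sval' but base_conf.php \$$bkey='$bval'"
            rc=1
        fi
    done
    lib=$(base_param "$base_conf" DBlib_path)
    if [ ! -f "$lib/adodb.inc.php" ]; then
        echo "MISSING: \$DBlib_path '$lib' does not contain adodb.inc.php"
        rc=1
    fi
    [ $rc -eq 0 ] && echo "ok: BASE and Snort agree on the database settings"
    return $rc
}

# Usage: sh base_dbcheck.sh /etc/snort/snort.conf /var/www/html/base/base_conf.php
[ $# -ne 2 ] || compare_db_settings "$1" "$2"
```

The comparison is exact, so a trailing space or a quote copied into base_conf.php shows up as a mismatch, which is what you want: MySQL treats it the same way.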
Gogogogo! ;)
=============================
Securing the BASE directory
=============================
# mkdir /var/www/passwords   <-- outside the DocumentRoot, so Apache can never serve the password file
# /usr/bin/htpasswd -c /var/www/passwords/passwords base   <-- -c creates the file; leave it out when adding further users or the file is overwritten
# vi /etc/httpd/conf/httpd.conf
Put the directives in a Directory block for the BASE directory (on their own, outside a container, they protect nothing):
<Directory "/var/www/html/base">
    Options FollowSymLinks
    AllowOverride None
    AuthType Basic
    AuthName "SnortIDS"
    AuthUserFile /var/www/passwords/passwords
    Require user base
</Directory>
Check the syntax with httpd -t, then:
# service httpd restart
Note: Basic auth sends the password in clear text with every request, so serve BASE over HTTPS (mod_ssl) or at least limit the Directory block to the management network with Order/Allow from. Make the password file unreadable to others as well (chown root:apache, chmod 640).
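Two things go wrong most often with this setup: the htpasswd file ends up inside the DocumentRoot or world-readable, and the directives are pasted outside a Directory block so the login is never enforced. The script below is an added check, not part of the guide or of Apache: it confirms the password file exists outside the DocumentRoot, is not world-readable and has a "base" entry, and extracts the <Directory> block for the BASE directory from httpd.conf to make sure AuthType Basic, AuthUserFile and Require user are all present. The paths in the usage line are the ones this guide uses.

```shell
#!/bin/sh
# Added check of the Basic-auth protection for /var/www/html/base (not part
# of the original guide or of Apache). Reads httpd.conf and the htpasswd
# file only; all paths are arguments so it can be run against copies.

# check_authfile DOCROOT AUTHFILE
# The htpasswd file must exist, sit outside the DocumentRoot (or Apache would
# serve it), not be world-readable, and contain an entry for user "base".
check_authfile() {
    docroot=$1; authfile=$2
    [ -f "$authfile" ] || { echo "FAIL: $authfile missing (run htpasswd -c first)"; return 1; }
    case $authfile in
        "$docroot"/*) echo "FAIL: $authfile is under DocumentRoot $docroot; move it out"; return 1 ;;
    esac
    if find "$authfile" -perm -004 | grep -q .; then
        echo "FAIL: $authfile is world-readable (chmod 640, chown root:apache)"; return 1
    fi
    grep -q '^base:' "$authfile" || { echo "FAIL: no 'base' user in $authfile"; return 1; }
    echo "ok: $authfile is outside $docroot, not world-readable, has user base"
}

# check_auth_block HTTPD_CONF DIR
# Pull the <Directory "DIR"> block out of httpd.conf and check it carries the
# three directives that actually enforce the login.
check_auth_block() {
    block=$(awk -v dir="$2" '
        $1 == "<Directory"  { inblk = (index($0, dir) > 0) }
        inblk               { print }
        $1 == "</Directory>" { inblk = 0 }' "$1")
    [ -n "$block" ] || { echo "FAIL: no <Directory $2> block in $1"; return 1; }
    for directive in "AuthType Basic" "AuthUserFile" "Require user"; do
        echo "$block" | grep -q "^[[:space:]]*$directive" \
            || { echo "FAIL: <Directory $2> lacks '$directive'"; return 1; }
    done
    echo "ok: <Directory $2> requires Basic auth"
}

# Usage: sh base_authcheck.sh /etc/httpd/conf/httpd.conf /var/www/html /var/www/passwords/passwords
[ $# -ne 3 ] || { check_auth_block "$1" "$2/base" && check_authfile "$2" "$3"; }
```

Run it after editing httpd.conf and before the restart; it does not replace httpd -t, which catches syntax errors, but it catches the configuration that is syntactically fine and still leaves BASE open.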
================================================================================================
by Hugo Martin, SCNP 2006 (cc) www.hackcraft.com