Feb 13, 2008

UBUNTU: Setting up SNORT + BASE on Gutsy



Snort (Intrusion Detection System)
BASE (Basic Analysis and Security Engine)
MySQL (Used as database to store alerts and information)
Apache2 (As a web server to view BASE reports)
Gutsy Gibbon (Ubuntu release)

Here are the steps to set up SNORT + BASE:
  • Gain root access:
    • sudo su -
  • We need to install the dependencies required to build and run Snort and BASE. Install the following packages with apt-get, or just paste the line below into your terminal:
    • apt-get install libpcre3-dev libpcap0.8-dev libmysqlclient15-dev mysql-client-5.0 mysql-server-5.0 bison flex apache2 libapache2-mod-php5 php5-gd php5-mysql libphp-adodb php-pear libc6-dev g++ gcc pcregrep
  • Then create a dedicated folder to hold all the source code before compiling, so your system stays tidy and you can keep the sources for later use.
    • mkdir /snort
    • mkdir /etc/snort
    • mkdir /etc/snort/rules
    • cd /snort
  • Now download every file needed to run SNORT and BASE (in this tutorial we manually compile each application needed to run SNORT and BASE):
    • wget http://www.snort.org/dl/current/snort-2.8.0.1.tar.gz
    • wget http://snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz

  • Now extract and compile the source codes:
    • tar xvf snort-2.8.0.1.tar.gz ; cd snort-2.8.0.1 ; tar xvf /snort/snortrules-pr-2.4.tar.gz
    • ./configure --enable-dynamicplugin --with-mysql
    • make
    • make install
  • Now put the config files and rules into Snort's working directories:
    • mkdir -p /etc/snort /etc/snort/rules /var/log/snort
    • cd /snort/snort-2.8.0.1/etc
    • cp * /etc/snort/
    • cd ../rules
    • cp * /etc/snort/rules
  • Now we need to edit the snort config to suit your network:
    • nano /etc/snort/snort.conf
      • change "var HOME_NET any" to "var HOME_NET 192.168.1.0/24" <-- use the address range of your own network.
      • change "var EXTERNAL_NET any" to "var EXTERNAL_NET !$HOME_NET"
      • Next, point the rules directory at the one created above: "var RULE_PATH /etc/snort/rules"
      • Last, set how Snort will write its alerts; this tutorial uses MySQL. Scroll down the config file, search for "output database" and uncomment the mysql line. Edit it to match your database connection, where user = your database username; password = that user's password; dbname = your database name.
      • Save and quit.
      • Because the file now holds the database password, restrict its permissions:
        • chmod 600 /etc/snort/snort.conf
  • Now we need to set up the database that Snort will log to:
    • mysql -u root -p (enter the MySQL root password when prompted)
    • mysql> create database snort;
    • mysql> grant all privileges on snort.* to 'snort'@'localhost' identified by 'snort_password';
    • mysql> exit
  • Now create the tables for the database we just created:
    • mysql -D snort -u snort -p < /snort/snort-2.8.0.1/schemas/create_mysql
    • Enter the database password you set in the step above when prompted.
  • Now we test snort:
    • snort -c /etc/snort/snort.conf
    • If it starts without any error messages, press Ctrl+C to stop it.
    • If you get an error, uncomment lines 97, 98 and 452 in "/etc/snort/rules/web-misc.rules"; this was a known issue in the past.
  • Now is the time to setup BASE:
    • cd /snort
    • wget http://easynews.dl.sourceforge.net/sourceforge/secureideas/base-1.3.9.tar.gz
    • cd /var/www ; tar xvf /snort/base-1.3.9.tar.gz
    • mv base-1.3.9 base
    • chmod 757 base
  • BASE uses a couple of PEAR modules for its graphs; install them:
    • pear install Image_Color
    • pear install Image_Canvas-alpha
    • pear install Image_Graph-alpha
  • NOW IT'S TIME TO SET UP BASE FROM YOUR WEB BROWSER:
    • Open your browser and go to this URL:
      • http://{your hostname}/base/index.php
    • Click Continue on the first page.
    • There are 5 steps to set up BASE:
      1. Set the ADODB path to /usr/share/php/adodb
      2. Enter the connection details for the database created earlier in this tutorial.
      3. Check the box if you want to enable authentication.
      4. Click on Create BASE AG
      5. Once step 4 is finished, click "Now Continue to .... "
    • Bookmark this page for future access.
  • Now to setup snort to run on startup:
    • nano /etc/rc.local
    • Add this line before "exit 0":
      • /usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -D
    • Save and exit.
  • Now reboot your box.
  • After the reboot completes, check whether snort is running with the ps aux command:
    • ps aux | grep snort
    • If you see a line containing "/usr/local/bin/snort -c ..." then snort is running.
  • We are done!
Access your alerts from a web browser by typing a URL like "http://www.snortandbase.com/base-1.3.9" and logging in. Tune your rules to avoid false alarms, and enable only the rules you need to monitor your box.
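The configuration steps above (the four snort.conf edits, the chmod, the MySQL grant and the "is snort running" check) as shell functions you can run and verify, rather than typing them by hand. This is an added example and not code from the original post; the default snort.conf lines it edits are a constructed sample that mirrors the lines the tutorial refers to, and the database name, user and password are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): the tutorial's configuration
# steps as checkable shell functions. Everything below runs on a temporary
# copy of a constructed snort.conf, so no root access is needed to try it.

# Write a constructed sample of the relevant default snort.conf lines to $1.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample: only the lines the tutorial edits
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
# output database: log, mysql, user=root password=test dbname=db host=localhost
include $RULE_PATH/web-misc.rules
EOF
}

# patch_snort_conf CONF HOME_NET DB_USER DB_PASS DB_NAME
# Applies the four edits from the tutorial, then restricts the file to its
# owner because it now contains the database password (chmod 600).
# Placeholder values are assumed to contain no '|' or '&' (sed delimiters).
patch_snort_conf() {
    conf=$1; home_net=$2; db_user=$3; db_pass=$4; db_name=$5
    sed \
        -e "s|^var HOME_NET any\$|var HOME_NET $home_net|" \
        -e 's|^var EXTERNAL_NET any$|var EXTERNAL_NET !$HOME_NET|' \
        -e 's|^var RULE_PATH .*$|var RULE_PATH /etc/snort/rules|' \
        -e "s|^# output database: log, mysql, .*\$|output database: log, mysql, user=$db_user password=$db_pass dbname=$db_name host=localhost|" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    chmod 600 "$conf"
}

# check_snort_conf CONF HOME_NET
# Succeeds only if every edit is present and the mysql output line is no
# longer commented out (a still-commented line means alerts never reach BASE).
check_snort_conf() {
    grep -Fqx "var HOME_NET $2" "$1" &&
    grep -Fqx 'var EXTERNAL_NET !$HOME_NET' "$1" &&
    grep -Fqx 'var RULE_PATH /etc/snort/rules' "$1" &&
    grep -q '^output database: log, mysql, ' "$1" &&
    ! grep -q '^# output database: log, mysql, ' "$1"
}

# grant_sql DB USER PASS
# Prints the GRANT with user and host quoted separately. Quoting them as one
# string ('snort@localhost') creates an account literally named
# "snort@localhost" for any host, and "mysql -u snort -p" then fails.
grant_sql() {
    printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'localhost' IDENTIFIED BY '%s';\n" "$1" "$2" "$3"
}

# snort_running_in: reads "ps aux" style output on stdin and succeeds if a
# snort process started from the rc.local line is listed. The [s] bracket keeps
# the pattern from matching the grep command itself when piping live ps output.
snort_running_in() {
    grep -q '/usr/local/bin/[s]nort -c /etc/snort/snort.conf'
}

# Stand-alone demo on a temporary copy (placeholder credentials).
demo_dir=$(mktemp -d)
make_sample_conf "$demo_dir/snort.conf"
patch_snort_conf "$demo_dir/snort.conf" 192.168.1.0/24 snort snort_password snort
check_snort_conf "$demo_dir/snort.conf" 192.168.1.0/24 && echo "snort.conf edits OK"
grant_sql snort snort snort_password
# Constructed ps line, as the rc.local entry would show it after a reboot.
printf '%s\n' 'root 1234 0.0 0.5 /usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -D' \
    | snort_running_in && echo "snort detected as running"
rm -rf "$demo_dir"
```

To use it on a real box, run `make_sample_conf` only for testing and point `patch_snort_conf` at /etc/snort/snort.conf instead; `check_snort_conf` is worth running before the `snort -c` test step, since a still-commented output line fails silently. One related permission point: `chmod 757` on the BASE directory makes it world-writable, while Apache only needs to read it, so 755 (owned by root) is sufficient for the web interface to work.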

Happy Ubuntu-ing~


Thank you for your unbelievable support on Negative Zero - Permission to read and write blog for nearly 4 years. Don't forget to like Negative Zero on Facebook.