Intrusion Detection using Snort

From Alpine Linux
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
This material is work-in-progress ...

Do not follow instructions here until this notice is removed.
(Last edited by Sertonix on 17 Nov 2023.)

This guide will set up (list subject to change):

  • Snort
  • Barnyard (maybe)
  • BASE

This guide will assume:

  • You have a knowledge of your network setup (at least know which subnets exist).
  • You have Alpine 2.0.2 installed and working with networking setup.
  • You have had at least three cups of coffee this morning. And not decaf.


Get Development Packages

Install Alpine and Pre-packaged components

apk add alpine-sdk mysql-dev php-mysql lighttpd php-xml php-pear libpcap-dev php-gd pcre-dev wireshark tcpdump tcpflow cvs bison flex

Download Non-Packaged Applications

Download the following packages

For the purpose of this document we will assume you download these files to /usr/src.

Download snort from www.snort.org. We used version 2.8.6.1 in this document.
Download the snort rules from https://www.snort.org/downloads/#rule-downloads
Download BASE from https://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz/download
Download adodb5 from https://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-511-for-php5/adodb511.zip/download

Compile Snort

Uncompress snort with something like:

tar -zxvf snort-2.8.6.1.tar.gz

Then do the following:

cd snort-2.8.6.1 ./configure -enable-dynamicplugin --with-mysql make make install

Configure Snort and Ruleset

mkdir /etc/snort cd /etc/snort cp /usr/src/snort-2.8.6.1/etc/* . mv /usr/src/snortrules-snapshot-2861.tar.gz /etc/snort/. tar -zxvf /usr/src/snortrules-snapshot-2861.tar.gz

Now edit the snort.conf file:

vi snort.conf

and change the following:

  • Change "var HOME_NET any" to "var HOME_NET X.X.X.X/X" (fill in the subnet with your trusted network)
  • Change "var EXTERNAL_NET any" to "var EXTERNAL_NET !$HOME_NET" (this is stating everything except HOME_NET is external)
  • Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules"
  • Change "var SO_RULE_PATH ../so_rules" to "var SO_RULE_PATH /etc/snort/so_rules"
  • Change "var PREPROC_RULE_PATH ../preproc_rules" to "var PREPROC_RULE_PATH /etc/snort/preproc_rules"
  • Comment out the line that says "dynamicdetection directory /usr/local/lib/snort_dynamicrules" (by placing a "#" in front of the line)
  • Scroll down the list to the section with "# output database: log, ..." and remove the "#" from in front of this line.
  • Edit this line to look like this:
output database: log, mysql, user=root password=yoursecretpassword dbname=snort host=localhost
  • Make note of the username, password, and dbname. You will need this information when we set up mysql.
  • Find this line (line 194 in current version)
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 20480 decompress_depth 20480
and remove from "compress_depth" to the end of the line. When done, the line will read:
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
  • Find this line (line 207 in current version)
inspect_gzip \
and remove it.
  • Save and quit.

Start and Setup MySQL

(Need to add detail here on starting up MySQL for the first time)

/usr/bin/mysql_install_db --user=mysql rc-update add mysql rc-service mysql start /usr/bin/mysqladmin -u root password 'password' (set password to the same password you specified in the snort.conf file) mysql -u root -p

Once in mysql, type the following commands:

mysql> create database snort; mysql> exit

Now create the database schema:

mysql -D snort -u root -p < /usr/src/snort-2.8.6.1/schemas/create_mysql

Configure PHP and PEAR

Edit /etc/php/php.ini and add the following under "Dynamic Extensions". 

extension=mysql.so
extension=gd.so

Save and exit. From the command line, type the following:

pear install Image_Color pear install Image_Canvas-alpha pear install Image_Graph-alpha pear install mail pear install mail_mime

Start Apache or lighttpd

Need to decide which of these to use in production.

Setup BASE

^

mv /usr/src/adodb5 /var/www/localhost/htdocs/. mv /usr/src/base-1.4.5/* /var/www/localhost/htdocs/.

Now, open your web browser and navigate to http://X.X.X.X/setup (where x.x.x.x is your server's IP address)

Click continue on the first page.
Step 1 of 5: Enter the path to ADODB.
This is /var/www/localhost/htdocs/adodb5.
Step 2 of 5:
Database type = MySQL, Database name = snort, Database Host = localhost, Database username = root, Database Password = YOUR_PASSWORD
Step 3 of 5: If you want to use authentication enter a username and password here.
Step 4 of 5: Click on Create BASE AG.
Step 5 of 5: one step 4 is done at the bottom click on Now continue to step 5.
Copy the text on the screen, and then paste into a new file named /var/www/localhost/htdocs/base_conf.php. Save that file.

Configure Barnyard

To improve performance.

Retrieved from "https://wiki.alpinelinux.org/w/index.php?title=Intrusion_Detection_using_Snort&oldid=25745"