Intrusion Detection using Snort
This material is work-in-progress ...
Do not follow instructions here until this notice is removed.
This guide will set up (list subject to change):
- Barnyard (maybe)
This guide will assume:
- You have a knowledge of your network setup (at least know which subnets exist).
- You have Alpine 2.0.2 installed and working with networking setup.
- You have had at least three cups of coffee this morning. And not decaf.
Get Development Packages
Install Alpine and Pre-packaged components
Download Non-Packaged Applications
Download the following packages
For the purpose of this document we will assume you download these files to /usr/src.
- Download snort from www.snort.org. We used version 220.127.116.11 in this document.
- Download the snort rules from http://www.snort.org/snort-rules/
- Download BASE from http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz/download
- Download adodb5 from http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-511-for-php5/adodb511.zip/download
Uncompress snort with something like:
Then do the following:
Configure Snort and Ruleset
Now edit the snort.conf file:
and change the following:
- Change "var HOME_NET any" to "var HOME_NET X.X.X.X/X" (fill in the subnet with your trusted network)
- Change "var EXTERNAL_NET any" to "var EXTERNAL_NET !$HOME_NET" (this is stating everything except HOME_NET is external)
- Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules"
- Change "var SO_RULE_PATH ../so_rules" to "var SO_RULE_PATH /etc/snort/so_rules"
- Change "var PREPROC_RULE_PATH ../preproc_rules" to "var PREPROC_RULE_PATH /etc/snort/preproc_rules"
- Comment out the line that says "dynamicdetection directory /usr/local/lib/snort_dynamicrules" (by placing a "#" in front of the line)
- Scroll down the list to the section with "# output database: log, ..." and remove the "#" from in front of this line.
- Edit this line to look like this:
- output database: log, mysql, user=root password=yoursecretpassword dbname=snort host=localhost
- Make note of the username, password, and dbname. You will need this information when we set up mysql.
- Find this line (line 194 in current version)
- preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 20480 decompress_depth 20480
- and remove from "compress_depth" to the end of the line. When done, the line will read:
- preprocessor http_inspect: global iis_unicode_map unicode.map 1252
- Find this line (line 207 in current version)
- inspect_gzip \
- and remove it.
- Save and quit.
Start and Setup MySQL
(Need to add detail here on starting up MySQL for the first time)
Once in mysql, type the following commands:
Now create the database schema:
Configure PHP and PEAR
Edit /etc/php/php.ini and add the following under "Dynamic Extensions".
Save and exit. From the command line, type the following:
Start Apache or lighttpd
Need to decide which of these to use in production.
Now, open your web browser and navigate to http://X.X.X.X/setup (where x.x.x.x is your server's IP address)
- Click continue on the first page.
- Step 1 of 5: Enter the path to ADODB.
- This is /var/www/localhost/htdocs/adodb5.
- Step 2 of 5:
- Database type = MySQL, Database name = snort, Database Host = localhost, Database username = root, Database Password = YOUR_PASSWORD
- Step 3 of 5: If you want to use authentication enter a username and password here.
- Step 4 of 5: Click on Create BASE AG.
- Step 5 of 5: one step 4 is done at the bottom click on Now continue to step 5.
- Copy the text on the screen, and then paste into a new file named /var/www/localhost/htdocs/base_conf.php. Save that file.
To improve performance.