Intrusion Detection using Snort

From Alpine Linux

This material is work-in-progress ... Do not follow instructions here until this notice is removed. (Last edited by Dubiousjim on 24 Mar 2012.)

This guide will set up (list subject to change):

• Snort
• Barnyard (maybe)
• BASE

This guide will assume:

• You have a knowledge of your network setup (at least know which subnets exist).
• You have Alpine 2.0.2 installed and working with networking setup.
• You have had at least three cups of coffee this morning. And not decaf.

Contents 1 Get Development Packages 2 Download Non-Packaged Applications 3 Compile Snort 4 Configure Snort and Ruleset 5 Start and Setup MySQL 6 Configure PHP and PEAR 7 Start Apache or lighttpd 8 Setup BASE 9 Configure Barnyard

Get Development Packages

Install Alpine and Pre-packaged components

    apk add alpine-sdk mysql-dev php-mysql lighttpd php-xml php-pear libpcap-dev php-gd pcre-dev wireshark tcpdump tcpflow cvs bison flex

Download Non-Packaged Applications

Download the following packages

For the purpose of this document we will assume you download these files to /usr/src.

Download snort from www.snort.org. We used version 2.8.6.1 in this document.

Download the snort rules from http://www.snort.org/snort-rules/

Download BASE from http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz/download

Download adodb5 from http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-511-for-php5/adodb511.zip/download

Compile Snort

Uncompress snort with something like:

   tar -zxvf snort-2.8.6.1.tar.gz

Then do the following:

   cd snort-2.8.6.1
   ./configure -enable-dynamicplugin --with-mysql
   make
   make install

Configure Snort and Ruleset

   mkdir /etc/snort
   cd /etc/snort
   cp /usr/src/snort-2.8.6.1/etc/* .
   mv /usr/src/snortrules-snapshot-2861.tar.gz /etc/snort/.
   tar -zxvf /usr/src/snortrules-snapshot-2861.tar.gz

Now edit the snort.conf file:

   vi snort.conf

and change the following:

• Change "var HOME_NET any" to "var HOME_NET X.X.X.X/X" (fill in the subnet with your trusted network)
• Change "var EXTERNAL_NET any" to "var EXTERNAL_NET !$HOME_NET" (this is stating everything except HOME_NET is external)
• Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules"
• Change "var SO_RULE_PATH ../so_rules" to "var SO_RULE_PATH /etc/snort/so_rules"
• Change "var PREPROC_RULE_PATH ../preproc_rules" to "var PREPROC_RULE_PATH /etc/snort/preproc_rules"
• Comment out the line that says "dynamicdetection directory /usr/local/lib/snort_dynamicrules" (by placing a "#" in front of the line)
• Scroll down the list to the section with "# output database: log, ..." and remove the "#" from in front of this line.
• Edit this line to look like this:

output database: log, mysql, user=root password=yoursecretpassword dbname=snort host=localhost

• Make note of the username, password, and dbname. You will need this information when we set up mysql.
• Find this line (line 194 in current version)

preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 20480 decompress_depth 20480

and remove from "compress_depth" to the end of the line. When done, the line will read:

preprocessor http_inspect: global iis_unicode_map unicode.map 1252

• Find this line (line 207 in current version)

inspect_gzip \

and remove it.

• Save and quit.

Start and Setup MySQL

(Need to add detail here on starting up MySQL for the first time)

   /usr/bin/mysql_install_db --user=mysql
   rc-update add mysql
   /etc/init.d/mysql start
   /usr/bin/mysqladmin -u root password 'password'  (set password to the same password you specified in the snort.conf file)
   mysql -u root -p

Once in mysql, type the following commands:

   mysql> create database snort;
   mysql> exit

Now create the database schema:

   mysql -D snort -u root -p < /usr/src/snort-2.8.6.1/schemas/create_mysql

Configure PHP and PEAR

Edit /etc/php/php.ini and add the following under "Dynamic Extensions".

   extension=mysql.so
   extension=gd.so

Save and exit. From the command line, type the following:

   pear install Image_Color
   pear install Image_Canvas-alpha
   pear install Image_Graph-alpha
   pear install mail
   pear install mail_mime

Start Apache or lighttpd

Need to decide which of these to use in production.

Setup BASE

   mv /usr/src/adodb5 /var/www/localhost/htdocs/.
   mv /usr/src/base-1.4.5/* /var/www/localhost/htdocs/.

Now, open your web browser and navigate to http://X.X.X.X/setup (where x.x.x.x is your server's IP address)

Click continue on the first page.

Step 1 of 5: Enter the path to ADODB.

This is /var/www/localhost/htdocs/adodb5.

Step 2 of 5:

Database type = MySQL, Database name = snort, Database Host = localhost, Database username = root, Database Password = YOUR_PASSWORD

Step 3 of 5: If you want to use authentication enter a username and password here.

Step 4 of 5: Click on Create BASE AG.

Step 5 of 5: one step 4 is done at the bottom click on Now continue to step 5.

Copy the text on the screen, and then paste into a new file named /var/www/localhost/htdocs/base_conf.php. Save that file.

Configure Barnyard

To improve performance.