Intrusion Detection using Snort

From Alpine Linux
Revision as of 19:14, 1 October 2010 by Myoung (talk | contribs)


This material is work-in-progress ...

Do not follow instructions here until this notice is removed.
(Last edited by Myoung on 1 Oct 2010.)

This guide will set up (list subject to change):

  • Snort
  • Barnyard (maybe)
  • BASE

This guide will assume:

  • You have a knowledge of your network setup (at least know which subnets exist).
  • You have Alpine 2.0.2 installed and working with networking setup.
  • You have had at least three cups of coffee this morning. And not decaf.


Get Development Packages

Install Alpine and Pre-packaged components 

    apk add alpine-sdk mysql-dev php-mysql lighttpd php-xml php-pear libpcap-dev php-gd pcre-dev wireshark tcpdump tcpflow cvs bison flex


Download Non-Packaged Applications

Download the following packages

For the purpose of this document we will assume you download these files to /usr/src.

Download snort from www.snort.org. We used version 2.8.6.1 in this document.
Download the snort rules from http://www.snort.org/snort-rules/
Download BASE from http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz/download
Download adodb5 from http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-511-for-php5/adodb511.zip/download

Compile Snort

Uncompress snort with something like: 

   tar -zxvf snort-2.8.6.1.tar.gz

Then do the following: 

   cd snort-2.8.6.1
   ./configure -enable-dynamicplugin --with-mysql
   make
   make install

Configure Snort and Ruleset

   mkdir /etc/snort
   cd /etc/snort
   cp /usr/src/snort-2.8.6.1/etc/* .
   mv /usr/src/snortrules-snapshot-2860.tar.gz /etc/snort/.
   tar -zxvf /usr/src/snortrules-snapshot-2680.tar.gz

Now edit the snort.conf file: 

   vi snort.conf

and change the following:

  • Change "var HOME_NET any" to "var HOME_NET X.X.X.X/X" (fill in the subnet with your trusted network)
  • Change "var EXTERNAL_NET any" to "var EXTERNAL_NET !$HOME_NET" (this is stating everything except HOME_NET is external)
  • Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules"
  • Comment out the line that says dynamicdetection directory /usr/local/lib/snort_dynamicrules (by placing a "#" in front of the line)
  • Scroll down the list to the section with "# output database: log, ..." and remove the "#" from in front of this line.
  • Leave the "user=root", change the "password=password" to "password=YOUR_PASSWORD", "dbname=snort", "host=localhost"
  • When done, the line should look like this:
output database: log, mysql, user=root password=yoursecretpassword dbname=snort host=localhost
  • Make note of the username, password, and dbname. You will need this information when we set up mysql.
  • Save and quit.

Start and Setup MySQL

(Need to add detail here on starting up MySQL for the first time) 

   /usr/bin/mysql_install_db --user=mysql
   rc-update add mysql
   /etc/init.d/mysql start
   /usr/bin/mysqladmin -u root password 'password'  (set password to the same password you specified in the snort.conf file)
   mysql -u root -p

Once in mysql, type the following commands: 

   mysql> create database snort;
   mysql> exit

Now create the database schema: 

   mysql -D snort -u root -p < /usr/src/snort-2.8.6.1/schemas/create_mysql

Configure PHP and PEAR

Edit /etc/php/php.ini and add the following under "Dynamic Extensions". 

   extension=mysql.so
   extension=gd.so

Save and exit. From the command line, type the following: 

   pear install Image_Color
   pear install Image_Canvas-alpha
   pear install Image_Graph-alpha
   pear install mail
   pear install mail_mime

Start Apache or lighttpd

Need to decide which of these to use in production.

Retrieved from "https://wiki.alpinelinux.org/w/index.php?title=Intrusion_Detection_using_Snort&oldid=4437"