Snort will assist you in monitoring your network and alert you about possible threats. Snort writes its alerts to a MySQL database, which ACIDBASE reads in order to display them in a graphical interface in a web browser.
1. System Preparations & Software Installations
1.1 Installation
Download the 32-bit or 64-bit version of Desktop Ubuntu 9.04 from http://www.ubuntu.com/getubuntu/download.
1.2 Network & System Configuration
Connect your computer to the network. Although a number of different network configurations will allow the system to work, the preferred network configuration would be as follows:
- Located in a DMZ (De-Militarized Zone)
- Static IP address with NAT hiding its IP behind the firewall
- Connected to the monitoring port on the switch.
1.3 Software Installation
The first thing to do after installation completes is to install all updates recommended by Ubuntu. To access updates proceed to System > Administration > Update Manager. Enter your password and select Check. Select Install Updates.
From the Desktop go to System > Administration > Synaptic Package Manager. Enter your password and select Search.
Search for the following packages and install them:
- Acidbase with all affected packages
- Snort-MySQL with all affected packages
- MySql-server-5.0 with all affected packages
- Libpcap0.8-dev
- libmysqlclient15-dev
- MySql-client-5.0
- Bison
- Flex
- Apache2
- Libapache2-mod-php5
- Php5-gd
- Php5-mysql
- Libphp-adodb
- Php-pear
- SSH
2. Gain Root Access
From the Desktop go to Applications > Accessories > Terminal and type:
$ sudo -i
Then enter your password.
3. Configure Snort
The configuration file snort.conf needs to be modified to suit individual needs. Open /etc/snort/snort.conf with a text editor (nano, vi, vim, etc.).
# vim /etc/snort/snort.conf
Change var HOME_NET any to var HOME_NET 192.168.1.0/24 (your home network may differ from 192.168.1.0).
In case you have more than one network to monitor you should enter them as follows var HOME_NET [192.168.1.0/24,10.10.1.0/24].
Change var EXTERNAL_NET any to var EXTERNAL_NET !$HOME_NET (this is stating everything except HOME_NET is external).
Change var RULE_PATH ../rules to var RULE_PATH /etc/snort/rules.
Scroll down the list to the section with # output database: log, mysql, user= and remove the # from in front of this line. Example: output database: log, mysql, user= password= dbname=snort host=localhost (the database user and password are created in section 4 below).
Make note of the username, password, and dbname. You will need this information when we set up the MySQL db.
Save and quit.
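A quick way to confirm that the four edits above were applied is to parse the file and check each setting. The following is an added example, not code from the original guide: it runs against a constructed snort.conf excerpt embedded in the script and uses only Python's standard library; the placeholder password YOUR_PASSWORD is a constructed value.

```python
import ipaddress
import re
# Constructed sample: the lines of /etc/snort/snort.conf that section 3 tells you to edit.
SAMPLE_CONF = """\
var HOME_NET [192.168.1.0/24,10.10.1.0/24]
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
output database: log, mysql, user=snort password=YOUR_PASSWORD dbname=snort host=localhost
"""

def parse_vars(conf_text):
    """Map NAME -> value for every uncommented 'var NAME value' line."""
    matches = (re.match(r"\s*var\s+(\S+)\s+(.+?)\s*$", ln) for ln in conf_text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def parse_networks(value):
    """Expand 'a/b' or '[a/b,c/d]' into ip_network objects; raises ValueError on a bad CIDR."""
    return [ipaddress.ip_network(v.strip(), strict=False)
            for v in value.strip().strip("[]").split(",") if v.strip()]

def active_db_output(conf_text):
    """Return the key=value fields of the uncommented 'output database: log, mysql' line, or None."""
    for line in conf_text.splitlines():
        m = re.match(r"\s*output\s+database:\s*log,\s*mysql,\s*(.*)$", line)
        if m:
            return dict(kv.split("=", 1) for kv in m.group(1).split() if "=" in kv)
    return None

def check_snort_conf(conf_text):
    """Return a list of findings; an empty list means all four section-3 edits are in place."""
    findings = []
    vars_ = parse_vars(conf_text)
    home = vars_.get("HOME_NET", "any")
    if home == "any":
        findings.append("HOME_NET is still 'any'")
    else:
        try:
            parse_networks(home)
        except ValueError as e:
            findings.append(f"HOME_NET has an invalid network: {e}")
    if vars_.get("EXTERNAL_NET") != "!$HOME_NET":
        findings.append("EXTERNAL_NET is not !$HOME_NET")
    if vars_.get("RULE_PATH") != "/etc/snort/rules":
        findings.append("RULE_PATH is not /etc/snort/rules")
    db = active_db_output(conf_text)
    if db is None:
        findings.append("no uncommented 'output database: log, mysql' line")
    elif not db.get("password"):
        findings.append("database output line has an empty password")
    return findings
```

To check the real file, read /etc/snort/snort.conf into a string and pass it to check_snort_conf.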
4. Setup the snort and archive MySQL databases
4.1 MySQL setup
Log into the MySQL server.
# mysql -u root -p
Sometimes there is no password set, so just hit Enter. If the logon fails, try the above command again and enter YOUR_PASSWORD.
If there is no password you need to create a password for the root account.
Note: Once you are in MySQL the # prompt becomes mysql>
mysql> create user @localhost;
mysql> SET PASSWORD FOR root@localhost=PASSWORD('YOUR_PASSWORD');
4.2 Create Snort database
mysql> create database snort;
mysql> grant INSERT,SELECT on root.* to snort@localhost;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort;
4.3 Create Archive database
mysql> create database archive;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on archive.* to archive@localhost;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on archive.* to archive;
mysql> exit
4.4 Create Tables in Snort and Archive databases
We will use the snort schema for the layout of the snort and archive databases.
# cd /usr/share/doc/snort-mysql
# zcat create_mysql.gz | mysql -u -h localhost -p snort
# zcat create_mysql.gz | mysql -u -h localhost -p archive
4.5 Confirm creation of databases and existence of newly created tables
Log on to MySQL and check for the databases we just created and the tables inside them. If everything was created successfully you will see four (4) databases (mysql, test, snort and archive) and approximately 16 tables in each of the snort and archive databases.
# mysql -u root -p
mysql> show databases;
mysql> use snort;
mysql> show tables;
mysql> use archive;
mysql> show tables;
mysql> exit
4.6 Test Snort
In the terminal type:
# snort -c /etc/snort/snort.conf
If everything went well you should see an ASCII pig. To end the test hit Ctrl + C.
5. Apache2 Configuration
Apache2 has already been installed on the computer. Create a file called test.php in /var/www/ with your favorite text editor.
# vim /var/www/test.php
Write in it:
Save and close this file.
Edit /etc/php5/apache2/php.ini file.
# vim /etc/php5/apache2/php.ini
Add the following under "Dynamic Extensions".
extension=mysql.so
extension=gd.so
Restart Apache2.
# /etc/init.d/apache2 restart
Get the IP address of the machine you are working on.
# ifconfig -a
Open a web browser and go to http://YOUR.IP.ADDRESS/test.php.
If everything went well, you will have PHP information displayed.
6. Moving and setting up Folders
Move ADOdb into the /var/www directory.
# mv /usr/share/php/adodb /var/www/
Make a directory called web in www and move ACIDBASE.
# mkdir /var/www/web
# mv /usr/share/acidbase /var/www/web/
Temporarily enable writing to the acidbase folder for setup (restore tighter permissions once the web-based setup in section 7 is complete).
# chmod 777 /var/www/web/acidbase
Rename existing base_conf.php file to base_conf.old.
# cd /var/www/web/acidbase
# mv base_conf.php base_conf.old
Install pear extensions for graphs to work in ACIDBASE.
# pear install Image_Color
7. ACIDBASE Setup for Snort and Archive Databases
7.1 Setup Snort database via web browser
Open a web browser and navigate to http://YOUR.IP.ADDRESS/web/acidbase/setup. Click to continue on the first page.
Step 1 of 5: Enter the path to ADODB. This is /var/www/adodb.
Step 2 of 5: Main Database type = MySQL, Database name = snort, Database Host = localhost, Database username =
Step 3 of 5: If you want to use authentication enter a username and password here (user: , password: ).
Step 4 of 5: Click on Create BASE AG.
Step 5 of 5: Once step 4 is done, at the bottom click on Now continue to step 5.
Bookmark this page.
7.2 Create folder for ACIDBASE Archive database
In order for the archive database to work, an archive folder needs to be created within the ACIDBASE folder.
# mkdir /var/www/web/acidbase/archive
# cd /var/www/web/acidbase
# cp -R * /var/www/web/acidbase/archive
# chmod 777 /var/www/web/acidbase/archive
Rename the existing base_conf.php file to base_conf.old.
# cd /var/www/web/acidbase/archive
# mv base_conf.php base_conf.old
7.3 Setup Archive database via web browser
Open a web browser and navigate to http://YOUR.IP.ADDRESS/web/acidbase/archive/setup. Click continue on the first page.
Step 1 of 5: Enter the path to ADODB. This is /var/www/adodb.
Step 2 of 5: Archive Database type = MySQL, Database name = archive, Database Host = localhost, Database username =
Step 3 of 5: If you want to use authentication enter a username and password here (user:
Step 4 of 5: Click on Create BASE AG.
Step 5 of 5: Once step 4 is done, at the bottom click on Now continue to step 5.
8. Start Snort and check services status
To start Snort, in the terminal type:
# snort -c /etc/snort/snort.conf -i eth0 -D
This starts Snort on the eth0 interface in daemon mode.
To make sure it is running you can check with the following command:
# ps aux | grep snort
If it's running you will see an entry similar to snort -c /etc/snort/snort.conf -i eth0 -D.
Make sure that all necessary services are running with the following commands:
# /etc/init.d/mysql status
# /etc/init.d/apache2 status
# /etc/init.d/snort status
If they are running you will see output
If necessary, run
# /etc/init.d/ restart
for each of the services that needs a restart.