HOWTO Snort
From Gentoo Linux Wiki
Introduction
HOWTO Setup Snort
Snort is a Network Intrusion Detection System (NIDS).
Abstract
The goal of this document is to walk you through the installation and setup of Snort with either PostgreSQL or MySQL as the logging backend.
Procedure
Install Required Programs
| Code: Set your USE flags in /etc/make.conf |
dynamicplugin   (important for snort 2.6.X)
postgres        (if you're using PostgreSQL as a backend)
mysql           (if you're using MySQL as a backend)
apache2
php
pcre |
| Code: Install Snort and a database |
emerge -av snort |
Setup Snort with PostgreSQL
| Code: Start PostgreSQL and create a new snort user |
/etc/init.d/postgresql start
createuser -U postgres -P snort |
Enter a unique password (remember it) and answer 'n' to any questions.
| Code: Initialize the database |
createdb -U postgres --owner snort snort_log
bzip2 -d /usr/share/doc/snort-[version]/schemas/create_postgresql.bz2
psql -U snort snort_log < \
    /usr/share/doc/snort-[version]/schemas/create_postgresql |
| File: /etc/conf.d/snort |
SNORT_OPTS="-D -u snort -i $IFACE -c $CONF" |
| File: /etc/snort/snort.conf |
output database: log, postgresql, user=snort dbname=snort_log \
    password=[the password you entered when you created the PostgreSQL user 'snort'] \
    host=localhost
# or, if the database runs on another machine:
#   host=[the IP address of your PostgreSQL server] |
| Code: Verify the permissions of snort.conf (root:snort 640) and start snort |
chown root:snort /etc/snort/snort.conf
chmod 640 /etc/snort/snort.conf
/etc/init.d/snort start |
If the snort user does not own the snort database, you must grant it permissions on the database objects it needs:
| Code: Granting permissions |
psql -U snort_owner -d snort_log
GRANT SELECT ON detail, encoding, event, reference_system,
    schema, sensor, sig_class, sig_reference, signature TO snort;
GRANT INSERT ON data, event, icmphdr, iphdr, opt, reference,
    reference_system, sensor, sig_class, sig_reference, signature,
    tcphdr, udphdr TO snort;
GRANT UPDATE ON reference_ref_id_seq,
    reference_system_ref_system_id_seq, sensor_sid_seq,
    sig_class_sig_class_id_seq, signature_sig_id_seq TO snort; |
| Code: Verify snort is logging to the database (optional) |
echo "SELECT hostname FROM sensor;" | psql -d snort_log -U postgres |
You should get the hostname (or IP address) of the machine snort is running on.
Secure PostgreSQL
| File: /var/lib/postgresql/data/pg_hba.conf (comment out, or delete the following) |
local all all trust |
| File: /var/lib/postgresql/data/pg_hba.conf (add the following line) |
local snort_log snort md5 |
Secure Remote PostgreSQL Setup (optional)
You only need the next two edits if you have set up PostgreSQL on a separate server.
| File: /var/lib/postgresql/data/pg_hba.conf (Comment out or delete the following line) |
host all all [ip-addr] [ip-mask] trust |
| File: /var/lib/postgresql/data/pg_hba.conf (Add the following line) |
host snort_log snort [ip-addr] [ip-mask] md5 |
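The two steps above that are easiest to get wrong are the snort.conf permissions (the file holds the database password, so it must be root:snort and mode 640 in both the PostgreSQL and the MySQL walkthrough) and the removal of the `trust` lines from pg_hba.conf. The following audit script is an added example and is not part of the original wiki page or of the Snort project. It assumes POSIX sh with find and awk, writes a constructed sample pg_hba.conf under $TMPDIR so it runs stand-alone, and takes the expected owner and group as arguments so the same function can be run as root against the real file (`check_conf_perms /etc/snort/snort.conf root snort`).

```shell
#!/bin/sh
# Added example (not from the Gentoo wiki page): audit the two hardening steps.
#   check_conf_perms FILE OWNER GROUP  -> exit 0 only if FILE is mode 640, owned by OWNER:GROUP
#   find_trust_entries HBA_FILE        -> print every active pg_hba.conf line using "trust"

check_conf_perms() {
    # find examines the given path itself, so a regular file is tested directly;
    # -perm 640 is an exact mode match, -user/-group accept names or numeric ids.
    [ -n "$(find "$1" -perm 640 -user "$2" -group "$3" -print 2>/dev/null)" ]
}

find_trust_entries() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        $1 == "local" { method = $4 }           # local  DB  USER  METHOD
        $1 ~ /^host(ssl|nossl)?$/ {
            # CIDR form:  host DB USER ADDR/PREFIX METHOD
            # split form: host DB USER IP MASK METHOD   (as used on this page)
            method = ($5 ~ /^[0-9A-Fa-f.:]+$/) ? $6 : $5
        }
        method == "trust" { print }
        { method = "" }                         # do not carry state to the next line
    ' "$1"
}

# Constructed sample pg_hba.conf (not a real file): two lines still use "trust".
SAMPLE_HBA="${TMPDIR:-/tmp}/pg_hba.sample.$$"
cat > "$SAMPLE_HBA" <<'EOF'
# constructed sample, mixing the "before" and "after" lines from the HOWTO
local   all        all                                  trust
local   snort_log  snort                                md5
host    all        all    192.168.1.0    255.255.255.0  trust
host    snort_log  snort  192.168.1.0    255.255.255.0  md5
host    all        all    127.0.0.1/32                  md5
EOF

# Constructed stand-in for /etc/snort/snort.conf, set to mode 640.
CONF="${TMPDIR:-/tmp}/snort.conf.sample.$$"
: > "$CONF"
chmod 640 "$CONF"
trap 'rm -f "$CONF" "$SAMPLE_HBA"' EXIT

if check_conf_perms "$CONF" "$(id -un)" "$(id -gn)"; then
    echo "ok: $CONF is 640 and owned by $(id -un):$(id -gn)"
else
    echo "WARNING: $CONF has loose permissions or the wrong owner"
fi

echo "pg_hba.conf lines still using trust:"
find_trust_entries "$SAMPLE_HBA"
```

On a real system run `find_trust_entries /var/lib/postgresql/data/pg_hba.conf`; an empty result means every remaining entry requires a password or another authentication method, which is the state the two edits above are meant to reach.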
Setup Snort with MySQL
| Code: Start MySQL and create the snort database |
/etc/init.d/mysql start
mysql -u root -p          # enter the password you assigned earlier
create database snort_log; |
| Code: Create the snort user |
GRANT INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE ON snort_log.* TO snort@localhost;
SET PASSWORD FOR snort@localhost=PASSWORD('new_password');
FLUSH PRIVILEGES;
EXIT; |
Replace 'new_password' with a unique password and remember it; you will need it in snort.conf.
| Code: Initialize the database |
bzcat /usr/share/doc/snort-[version]/schemas/create_mysql.bz2 | \
    mysql -u root -p snort_log |
| File: /etc/conf.d/snort |
SNORT_OPTS="-D -u snort -i $IFACE -c $CONF" |
| File: /etc/snort/snort.conf |
output database: log, mysql, user=snort dbname=snort_log \
    password=[the password you entered when you created the database user 'snort'] \
    host=localhost |
| Code: Verify the permissions of snort.conf (root:snort 640) and start snort |
chown root:snort /etc/snort/snort.conf
chmod 640 /etc/snort/snort.conf
/etc/init.d/snort start |
| Code: Verify snort is logging to the database (optional) |
echo "SELECT hostname FROM sensor;" | mysql -u root -p snort_log |
You should get the hostname (or IP address) of the machine snort is listening on.
Final Steps
| Code: Restart Snort and the database |
/etc/init.d/snort stop
/etc/init.d/postgresql restart     # or: /etc/init.d/mysql restart
/etc/init.d/snort start |
| Code: Set snort and the database to run on boot |
rc-update add snort default
rc-update add postgresql default   # or: rc-update add mysql default |
Graphical BASE Front-End (optional)
If you'd like to view your Snort logs graphically via your web browser, take a look at BASE.
