HOWTO Use Snort, Acid, and MySQL Effectively
From Gentoo Linux Wiki
Note (15/09/06): Acid has been removed/replaced in portage by Base (dcrawford).
[edit] USE Flags
Edit /etc/make.conf and use these USE flags to avoid long compile times.
USE="dynamicplugin gd gd-external mysql apache2 php openssl jpg png gif session -X -gtk -gnome -alsa"
[edit] Installing Applications
Packages needed:
- net-analyzer/snort
- dev-db/mysql
- dev-php/mod_php
- net-www/apache
- net-libs/libnet
- net-analyzer/acid
- dev-php/adodb
- dev-php4/jpgraph
- net-analyzer/oinkmaster
Edit /etc/portage/package.keywords (See man portage for more information) to install the ~x86 versions of net-analyzer/snort, net-analyzer/acid, and dev-php/jpgraph. Insert the following lines:
| File: /etc/portage/package.keywords |
net-analyzer/snort ~x86
net-analyzer/acid ~x86
dev-php4/jpgraph ~x86 |
Use the following commands to download all files needed for the packages and then install them.
# emerge -f =dev-db/mysql =dev-php/mod_php =net-www/apache =net-libs/libnet =net-analyzer/snort =net-analyzer/acid =net-analyzer/oinkmaster
# emerge =dev-db/mysql =dev-php/mod_php =net-www/apache =net-libs/libnet =net-analyzer/snort =net-analyzer/acid =net-analyzer/oinkmaster
After emerging everything, follow the guide to get PHP working with Apache. We need to set Apache, MySQL, and Snort to all start at bootup.
# rc-update add snort default
# rc-update add mysql default
# rc-update add apache2 default
Now we need to setup Apache and MySQL:
# /usr/bin/mysql_install_db
Note: This prevents the following lines from reporting errors when running for the first time.
# /etc/init.d/apache2 start
# /etc/init.d/mysql start
[edit] Setup MySQL
We need to setup a root password for MySQL:
# mysql
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('new_password');
create database snort;
grant INSERT,SELECT on snort.* to snort@localhost;
SET PASSWORD FOR 'snort'@'localhost' = PASSWORD('new_password');
grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort;
exit
Optionally, we can delete the test database, which is installed by default and is useless for our purposes (type this before exiting mysql):
drop database test;
Now we need to create the database structure for Snort by issuing this command and entering the snort database user's password:
# bzcat /usr/share/doc/snort-<version>/schemas/create_mysql.bz2 | mysql -u snort -D snort -p
Your database now has the correct table structure.
[edit] Setup Snort
We will configure Snort to report to the database and not to log files. Copy the /etc/snort/snort.conf.distrib file to /etc/snort/snort.conf and edit the /etc/snort/snort.conf file.
# nano -w /etc/snort/snort.conf
Find this line shown below, uncomment it, and change it to reflect your setup. You should only have to change the password if you followed this exactly:
| File: /etc/snort/snort.conf |
output database: alert, mysql, user=snort password=password dbname=snort host=localhost |
ATTENTION: the password must not contain numbers or most symbols; if it does, the Snort service will fail to start. With the new MySQL version 5 such passwords do work.
Now Snort will log all activity and alerts to the MySQL database. But before you can update your Snort rules, you'll have to register at Snort.org and request an oinkcode. After that, edit /etc/oinkmaster.conf to change the URL used to download the rule updates. An example for Snort 2.3 is:
url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2.3.tar.gz
You may want to update the Snort rules at this time. The following command updates the Snort rules and asks you to confirm each change. If you would rather just update the rules without reviewing the changes, remove the -i flag.
# /usr/bin/oinkmaster.pl -i -o /etc/snort/rules
Edit /etc/conf.d/snort to set the interface on which Snort will listen for intrusion attempts, e.g.
| File: /etc/conf.d/snort |
IFACE="ppp0" |
Start Snort with:
# /etc/init.d/snort start
Watch /var/log/messages or /var/log/everything/current for errors.
If Snort fails to start, it will be necessary to manually stop the snort service:
# /etc/init.d/snort stop
# /etc/init.d/snort zap
Then resolve the errors that occurred in /var/log/messages or /var/log/everything/current and restart Snort.
If the errors are permission-related try:
# chown -R snort:snort /var/log/snort
# chmod -R 770 /var/log/snort
[edit] Configuring Apache2
Edit /etc/apache2/conf/commonapache2.conf
<Directory />
Options Multiviews Indexes Includes FollowSymLinks
AllowOverride All
<IfModule mod_access.c>
Order allow,deny
Allow from all
</IfModule>
</Directory>
Changing this file may not be necessary, so try ACID before you change it. Note that this block applies to <Directory />, i.e. the whole filesystem, and with AllowOverride All and Allow from all it relaxes access control well beyond the acid directory; make the change only if ACID does not load without it.
[edit] Configuring ACID
Edit <http-root>/acid/acid_conf.php and change the database name, user, and password for both the Alert DB connection parameters and Archive DB connection parameters to reflect your configuration:
| File: /<http-root>/acid/acid_conf.php |
/* Path to the DB abstraction library
 * (Note: DO NOT include a trailing backslash after the directory)
 *      e.g. $foo = "/tmp"      [OK]
 *           $foo = "/tmp/"     [OK]
 *           $foo = "c:\tmp"    [OK]
 *           $foo = "c:\tmp\"   [WRONG]
 */
$DBlib_path = "/usr/lib/php/adodb/";

/* The type of underlying alert database
 *
 *  MySQL         : "mysql"
 *  PostgresSQL   : "postgres"
 *  MS SQL Server : "mssql"
 */
$DBtype = "mysql";

/* Alert DB connection parameters
 *   - $alert_dbname   : MySQL database name of Snort alert DB
 *   - $alert_host     : host on which the DB is stored
 *   - $alert_port     : port on which to access the DB
 *   - $alert_user     : login to the database with this user
 *   - $alert_password : password of the DB user
 *
 *  This information can be gleaned from the Snort database
 *  output plugin configuration.
 */
$alert_dbname   = "snort";
$alert_host     = "localhost";
$alert_port     = "";
$alert_user     = "snort";
$alert_password = "password";

/* Archive DB connection parameters */
$archive_dbname   = "snort";
$archive_host     = "localhost";
$archive_port     = "";
$archive_user     = "snort";
$archive_password = "password"; |
Also change the path to $ChartLib_path to reflect your settings.
| File: /<http-root>/acid/acid_conf.php |
/* Path to the graphing library
 * (Note: DO NOT include a trailing backslash after the directory)
 */
$ChartLib_path = "/usr/lib/php/jpgraph"; |
Without this, Apache will only serve the pages as text files, so you need to edit the last line of /etc/conf.d/apache2. For php4, this should be:
| File: /etc/conf.d/apache2 |
APACHE2_OPTS="-D PHP4 -D SSL" |
Or for php5:
| File: /etc/conf.d/apache2 |
APACHE2_OPTS="-D PHP5 -D SSL" |
Note: Be sure to remove the # at the beginning of this line if it exists.
You will need to restart apache for these settings to take effect.
# /etc/init.d/apache2 restart
You may need to re-emerge mod_php for the page to be displayed correctly:
# emerge dev-lang/mod_php
Then go to http://localhost/acid/acid_main.php . Note: You may need to press Ctrl+F5 to refresh the page. You will get a message saying that the database is not valid and telling you to use the Setup page to configure and optimise the DB. Click on that link, and then on the next page click on the button that says Create Acid AG.
Now you are done. You can go to the main Acid page to view your alerts, etc.
[edit] Alert Purging
In order to support alert purging (the ability to selectively and permanently delete alerts from the database) and DNS/whois lookup caching, the DB user "snort" must have the DELETE and UPDATE privileges on the database "snort@localhost".
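As an added check (example code written for this page, not part of the original HOWTO), the following Python script ties the Setup Snort section to this one: it parses the `output database:` line from snort.conf, flags a password that breaks the letters-only restriction noted there, and emits a GRANT limited to what is needed, INSERT and SELECT for logging, with DELETE and UPDATE added only when purging is enabled. The sample line, the sensor_host parameter and the helper names are assumptions; CREATE is left out because it is only needed while loading the schema, and the grant is tied to a host rather than the bare `snort` form (any host) used above.

```python
import re

# Privileges the HOWTO grants for plain alert logging, plus the pair ACID needs only for purging/caching.
LOGGING_PRIVS = ("INSERT", "SELECT")
PURGING_PRIVS = ("DELETE", "UPDATE")

# Constructed sample with the same shape as the snort.conf line in the HOWTO (not a real config).
SAMPLE_LINE = "output database: alert, mysql, user=snort password=password dbname=snort host=localhost"


def parse_output_database(line):
    """Return the key=value parameters of an 'output database:' line (plus
    'mode' and 'driver'), or None if the line is some other directive."""
    m = re.match(r"\s*output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$", line)
    if not m:
        return None
    params = {"mode": m.group(1), "driver": m.group(2)}
    for token in m.group(3).split():
        key, _, value = token.partition("=")
        params[key] = value
    return params


def password_warnings(password):
    """Apply the HOWTO's rule: letters only, or the old output plugin fails to start."""
    warnings = []
    if not password:
        warnings.append("empty password")
    elif not password.isalpha():
        warnings.append("password has digits or symbols; pre-MySQL-5 setups fail to start")
    if password == "password":
        warnings.append("default password from the HOWTO is still in use")
    return warnings


def grant_statement(params, purging=False, sensor_host="localhost"):
    """GRANT for the parsed user: INSERT/SELECT for logging, DELETE/UPDATE only
    when purging is wanted. sensor_host (assumed parameter) is where Snort connects
    *from*; the default assumes Snort and MySQL share the box as in the HOWTO."""
    privs = LOGGING_PRIVS + (PURGING_PRIVS if purging else ())
    return "GRANT %s ON `%s`.* TO '%s'@'%s';" % (
        ", ".join(privs), params["dbname"], params["user"], sensor_host)


def audit_conf(conf_text, purging=False):
    """One (warnings, grant) pair per live mysql output line in a snort.conf text."""
    results = []
    for line in conf_text.splitlines():
        params = None if line.lstrip().startswith("#") else parse_output_database(line)
        if params and params["driver"] == "mysql":
            results.append((password_warnings(params.get("password", "")),
                            grant_statement(params, purging)))
    return results
```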
More updates to database:
- Don't forget to add innodb to the USE list in the /etc/make.conf (and re-emerge mysql)
- Don't forget to remove the skip-innodb from the /etc/mysql/my.cnf configuration file. Run all the commands listed below to change the databases to InnoDB tables and import another sql file:
# mysql -u root -p
USE snort;
-- TYPE=InnoDB is the old spelling of ENGINE=InnoDB; newer MySQL versions accept only ENGINE=.
ALTER TABLE data TYPE=InnoDB;
ALTER TABLE detail TYPE=InnoDB;
ALTER TABLE encoding TYPE=InnoDB;
ALTER TABLE event TYPE=InnoDB;
ALTER TABLE icmphdr TYPE=InnoDB;
ALTER TABLE iphdr TYPE=InnoDB;
ALTER TABLE opt TYPE=InnoDB;
ALTER TABLE reference TYPE=InnoDB;
ALTER TABLE reference_system TYPE=InnoDB;
-- schema is a reserved word from MySQL 5.0 on, so that table name is quoted.
ALTER TABLE `schema` TYPE=InnoDB;
ALTER TABLE sensor TYPE=InnoDB;
ALTER TABLE signature TYPE=InnoDB;
ALTER TABLE sig_class TYPE=InnoDB;
ALTER TABLE sig_reference TYPE=InnoDB;
ALTER TABLE tcphdr TYPE=InnoDB;
ALTER TABLE udphdr TYPE=InnoDB;
exit
This file is in the acid directory in your http document root.
# mysql -u root -p snort < ./create_acid_tbls_mysql.sql
- Restart Snort and it's done.
# /etc/init.d/snort restart
- Have a look at intrusion attempts pointing your browser to:
http://localhost/acid/
[edit] See Also
Original Gentoo Forum Topic
Thanks to eXklusve for this great HOWTO
eXklusve@hotmail.com
11 June 2007: Please note that Acid is not in portage anymore!!! It seems the new version is called base and is in portage as net-analyzer/base.
