exklusve Apprentice
Joined: 23 Aug 2002 Posts: 270 Location: currently ~/
Posted: Thu Aug 28, 2003 3:03 am Post subject: COMPLETE guide to Snort, MySQL, and Acid
!-UPDATE-!
Updated this How-to doc today (11-7-05) to cover BASE instead of ACID.
Please check it out:
https://forums.gentoo.org/viewtopic-t-399801-highlight-.html
-----------------------------------------------------------------------------------------------
Edit /etc/make.conf and use these USE variables to avoid long compile times.
Code:
USE="gd gd-external mysql apache2 php openssl jpg png gif X -gtk gnome alsa"
Packages needed.
Snort
MYSQL
Mod_PHP
Apache
Libnet
And Acid from this URL: http://acidlab.sourceforge.net
Use emerge -f to download all the needed packages. Then you can run the same command without the -f to install everything.
Code:
# emerge -f mysql mod_php apache libnet lynx
# emerge mysql mod_php apache libnet lynx
# ACCEPT_KEYWORDS=~x86 emerge snort
Note: this emerges the latest version of snort.
Now after emerging everything follow the instructions to get php working with apache. Now we need to set Apache, MySQL, and Snort to all start at bootup. Use these commands:
Code:
# rc-update add snort default
# rc-update add mysql default
# rc-update add apache2 default
Now we need to start Apache and MySQL:
Code:
# /usr/bin/mysql_install_db
Note: this prevents the following lines from reporting errors when running for the first time.
Code:
# /etc/init.d/apache2 start
# /etc/init.d/mysql start
Need to set a root password for MySQL:
Code:
# mysql
SET PASSWORD FOR root@localhost=PASSWORD('new_password');
CREATE DATABASE snort;
GRANT INSERT,SELECT ON root.* TO snort@localhost;
SET PASSWORD FOR snort@localhost=PASSWORD('snort_password');
GRANT CREATE,INSERT,SELECT,DELETE,UPDATE ON snort.* TO snort@localhost;
GRANT CREATE,INSERT,SELECT,DELETE,UPDATE ON snort.* TO snort;
exit
Now we need to create the database structure for snort by issuing these commands:
Code:
gunzip /usr/share/doc/snort-2.1.0-r1/contrib/create_mysql.gz
mysql -p snort < /usr/share/doc/snort-2.1.0-r1/contrib/create_mysql
This will create the database structure in MySQL. To add the extra database tables run this command:
Code:
zcat snortdb-extra.gz | mysql -p snort
Note: this file is in the same directory as above.
Now your database has the correct table structure.
Now we need to configure Snort to report to the database and not to log files. Edit the snort.conf file.
Code:
nano -w /etc/snort/snort.conf
Find the line shown below, uncomment it, and change it to reflect your setup. You should only have to change the password if you followed this exactly:
Code:
output database: alert, mysql, user=snort password=password dbname=snort host=localhost
Now Snort will log all logs and alerts to the MySQL database.
Start Snort with:
Code:
/etc/init.d/snort start
Watch your /var/log/messages for errors.
Configure apache2 to work correctly
Edit /etc/apache2/conf/commonapache2.conf
Note: Only bold lines should need to be changed
Code:
<Directory />
    Options Multiviews Indexes Includes FollowSymLinks
    AllowOverride All
    <IfModule mod_access.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Directory>
Now to get Acid working so you can view the reports.
Download Acid from http://acidlab.sourceforge.net. Download the archive to your http document root. Extract the file there. Rename the folder to acid.
Code:
tar zxvf acid-0.9.6b23.tar.gz
Now we need to get a few libraries to get Acid working.
The underlying database library currently used is ADODB, which can be downloaded at http://php.weblogs.com/adodb
Example:
Code:
tar zxvf adodb-VER.tar.gz
The underlying graphing library currently used is JPGraph, which can be downloaded at http://www.aditus.nu/jpgraph/index.php. Without this library no graphing operations can be performed.
Download these into the http document root, extract them and rename the directories without the version numbers.
Now edit <http-root>/acid/acid_conf.php and change the $DBlib_path, and the passwords to reflect your configuration:
Code:
/* Path to the DB abstraction library
 * (Note: DO NOT include a trailing backslash after the directory)
 * e.g. $foo = "/tmp" [OK]
 * $foo = "/tmp/" [WRONG]
 * $foo = "c:\tmp" [OK]
 * $foo = "c:\tmp\" [WRONG]
 */
$DBlib_path = "/<http-root>/adodb";
/* The type of underlying alert database
 *
 * MySQL : "mysql"
 * PostgresSQL : "postgres"
 * MS SQL Server : "mssql"
 */
$DBtype = "mysql";
/* Alert DB connection parameters
 * - $alert_dbname : MySQL database name of Snort alert DB
 * - $alert_host : host on which the DB is stored
 * - $alert_port : port on which to access the DB
 * - $alert_user : login to the database with this user
 * - $alert_password : password of the DB user
 *
 * This information can be gleaned from the Snort database
 * output plugin configuration.
 */
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "password";
/* Archive DB connection parameters */
$archive_dbname = "snort";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "snort";
$archive_password = "password";
Also change the path to the $ChartLib_path, to reflect your settings. Make sure you point it to the src directory in the jpgraph directory:
Code:
/* Path to the graphing library
 * (Note: DO NOT include a trailing backslash after the directory)
 */
$ChartLib_path = "/<http-root>/jpgraph/src";
Apache will only display the pages as text files, so you need to edit the last line of /etc/conf.d/apache2 and change it to:
Code:
APACHE2_OPTS="-D PHP4 -D SSL"
Note: Be sure to remove the # at the beginning of this line!
You will need to restart apache for these settings to take effect.
Code:
/etc/init.d/apache2 stop
/etc/init.d/apache2 start
You may need to re-emerge mod_php for the page to be displayed correctly.
Then go to http://yourhost/acid/acid_main.php. Note: You may need to Ctrl+F5 to refresh the page. You will get a message that says something about the database not being valid, and it will tell you to use the Setup page to config and optimise the DB.
Click on that link, and then on the next page click on the button that says Create Acid AG.
Now you are done. You can go to the main Acid page to view your alerts, etc.
In order to support Alert purging (the selective ability to permanently delete alerts from the database) and DNS/whois lookup caching, the DB user "snort" must have the DELETE and UPDATE privilege on the database "snort@localhost".
More updates to database:
Run all the commands listed below to change the databases to InnoDB tables and import another sql file.
Code:
ALTER TABLE data TYPE=InnoDB;
ALTER TABLE detail TYPE=InnoDB;
ALTER TABLE encoding TYPE=InnoDB;
ALTER TABLE event TYPE=InnoDB;
ALTER TABLE flags TYPE=InnoDB;
ALTER TABLE icmphdr TYPE=InnoDB;
ALTER TABLE iphdr TYPE=InnoDB;
ALTER TABLE opt TYPE=InnoDB;
ALTER TABLE protocols TYPE=InnoDB;
ALTER TABLE reference TYPE=InnoDB;
ALTER TABLE reference_system TYPE=InnoDB;
ALTER TABLE schema TYPE=InnoDB;
ALTER TABLE sensor TYPE=InnoDB;
ALTER TABLE services TYPE=InnoDB;
ALTER TABLE sig_class TYPE=InnoDB;
ALTER TABLE sig_reference TYPE=InnoDB;
ALTER TABLE signature TYPE=InnoDB;
ALTER TABLE tcphdr TYPE=InnoDB;
ALTER TABLE udphdr TYPE=InnoDB;
This file is in the acid directory in your http document root.
Code:
mysql -p snort < ./create_acid_tbls_pgsql_extra.sql
Restart Snort and it's done.
Updated by Apollo and eXklusve
_________________
eXklusve
You do know that no one gives a shit about your system spec's right?
Last edited by exklusve on Mon Nov 07, 2005 10:18 pm; edited 8 times in total
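The two places this setup fails silently are the MySQL grants and the output database line in snort.conf: replies further down report ACID showing 0 alerts, or "Create Acid AG" failing until CREATE was granted. As an added example, not code from the post or from Snort/ACID, this Python script cross-checks a snort.conf against the GRANT statements from the MySQL step and lists what ACID would be missing; the sample config and grants are constructed, and the required-privilege set comes from the how-to's own notes.

```python
import re

# Privileges ACID needs on the snort DB: CREATE for "Create Acid AG",
# DELETE and UPDATE for alert purging and DNS/whois caching (per the how-to).
REQUIRED_PRIVS = {"CREATE", "INSERT", "SELECT", "DELETE", "UPDATE"}

OUTPUT_RE = re.compile(
    r"^\s*output\s+database:\s*(?P<mode>\w+)\s*,\s*(?P<driver>\w+)\s*,\s*(?P<params>.*)$")
GRANT_RE = re.compile(
    r"^grant\s+(?P<privs>[\w\s,]+?)\s+on\s+(?P<db>\w+)\.\*\s+to\s+(?P<user>\w+)(@[\w.]+)?$",
    re.IGNORECASE)

def parse_output_database(conf_text):
    """Return the first uncommented 'output database:' directive as a dict, else None."""
    for line in conf_text.splitlines():
        m = OUTPUT_RE.match(line)  # a leading '#' makes the match fail
        if m:
            params = dict(kv.split("=", 1) for kv in m.group("params").split() if "=" in kv)
            return {"mode": m.group("mode"), "driver": m.group("driver"), **params}
    return None

def missing_privileges(grant_sql, user="snort", db="snort"):
    """Return the ACID-required privileges not granted to user on db.*, sorted."""
    granted = set()
    for stmt in grant_sql.split(";"):
        m = GRANT_RE.match(stmt.strip())
        if m and m.group("user") == user and m.group("db") == db:
            privs = {p.strip().upper() for p in m.group("privs").split(",")}
            # GRANT ALL [PRIVILEGES] covers everything ACID needs
            granted |= REQUIRED_PRIVS if privs & {"ALL", "ALL PRIVILEGES"} else privs
    return sorted(REQUIRED_PRIVS - granted)

def check_setup(conf_text, grant_sql):
    """Cross-check snort.conf against the MySQL grants; return a list of problems."""
    out = parse_output_database(conf_text)
    if out is None:
        return ["snort.conf: no active 'output database:' line (still commented out?)"]
    problems = [f"snort.conf: output line lacks {k}=" for k in ("user", "password", "dbname", "host") if k not in out]
    if out.get("password") == "password":
        problems.append("snort.conf: password is still the how-to placeholder")
    user, db = out.get("user", "snort"), out.get("dbname", "snort")
    problems += [f"mysql: {user} lacks {p} on {db}.*" for p in missing_privileges(grant_sql, user, db)]
    return problems

# Constructed samples: the how-to's directive with a real password, plus grants omitting CREATE/DELETE/UPDATE.
SAMPLE_CONF = """# output database: log, mysql, user=snort password=test dbname=db host=localhost
output database: alert, mysql, user=snort password=s3cret dbname=snort host=localhost
"""
SAMPLE_GRANTS = "create database snort; grant INSERT,SELECT on snort.* to snort@localhost;"

if __name__ == "__main__":
    print("\n".join(check_setup(SAMPLE_CONF, SAMPLE_GRANTS)) or "setup looks consistent")
```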
bint n00b
Joined: 24 Sep 2002 Posts: 8
Posted: Thu Aug 28, 2003 10:52 am Post subject:
Great how-to!!
Some time ago I saw a how-to like this for Debian, but now I can use it for Gentoo too.
rojaro l33t
Joined: 06 May 2002 Posts: 732
Posted: Thu Aug 28, 2003 11:03 am Post subject:
Yeah, nice one... will give it a try later today. This really should be moved to the Documentation forum :)
_________________
A mathematician is a machine for turning coffee into theorems. ~ Alfred Renyi (*1921 - †1970)
exklusve Apprentice
Joined: 23 Aug 2002 Posts: 270 Location: currently ~/
Posted: Thu Aug 28, 2003 5:57 pm Post subject:
Oops!
I should have posted this in the Documentation forum.
Next time I will remember.
vidigiani Tux's lil' helper
Joined: 11 Aug 2003 Posts: 116 Location: Houston, TX
Posted: Sat Sep 06, 2003 10:13 pm Post subject:
I was able to use this procedure successfully on my system. One thing I had to do was grant the create privilege to the snort user when you select "Create ACID AG". HTH.
JohanH n00b
Joined: 12 Apr 2003 Posts: 27 Location: Fishers, IN
Posted: Sun Sep 07, 2003 3:46 am Post subject:
Sweet how-to, the ICMP echo requests (probably spawned by the Welchia worm if I've googled correctly) really stand out! More so than in the firewall logs. Great work!
I did have the slight problem that ACID seemed unable to generate graphs, but re-emerging php with USE="gd gd-external jpg png gif" (as suggested here) fixed that.
I do still have the nagging doubt that I missed something, because I only see that one unique ICMP alert (using the default snort.conf ruleset). But I guess I should be happy as long as it stays quiet.
gpreston n00b
Joined: 03 Sep 2003 Posts: 42 Location: West Chester, PA
Posted: Fri Nov 07, 2003 4:48 pm Post subject:
I had a problem with the plethora of X11 stuff that this process tried to install, since the machine I'm putting this on is strictly a console-only machine. Took me forever to realize that php was trying to use +qt in its install. Ended up going in and putting -qt in my /etc/make.conf USE flags and now all of the X11 stuff is gone from the emerge process.
Other than that, thanks for the How-To! Just what I was looking for.
ikaro Advocate
Joined: 14 Jul 2003 Posts: 2527 Location: Denmark
Posted: Sat Nov 08, 2003 6:04 am Post subject:
*edit*
Indeed I had to "GRANT CREATE" to the snort user, else it doesn't work.
The guide should be updated with this.
Thx.
Edit again:
This is really quiet.. I mean everything is on 0. Anyone got some numbers right after installing?
I will wait some time and see if something goes on, else I might have a problem somewhere.
I also had to re-emerge php with those flags.
BTW, isn't mod_php enough? Or do I need php?
Thx
_________________
linux: #232767
professorn Apprentice
Joined: 18 Sep 2003 Posts: 235 Location: Stockholm, Sweden
Posted: Sat Nov 08, 2003 4:01 pm Post subject:
Move to doc. forum?
ikaro Advocate
Joined: 14 Jul 2003 Posts: 2527 Location: Denmark
Posted: Sat Nov 08, 2003 4:05 pm Post subject:
Hi again.
This isn't working.
I've followed the guide and done everything.
I can see in the logs that snort is catching scans and so on.. however ACID still shows '0' all over and no graphics...
Anyone got this setup working?
Anyone can help finding what's wrong?
Thx.
puggy Bodhisattva
Joined: 28 Feb 2003 Posts: 1992 Location: Oxford, UK
Posted: Sat Nov 08, 2003 4:29 pm Post subject:
Moving to Documentation, Tips & Tricks from Networking & Security. Puggy
_________________
Where there's open source, there's a way.
gpreston n00b
Joined: 03 Sep 2003 Posts: 42 Location: West Chester, PA
Posted: Sat Nov 08, 2003 9:00 pm Post subject:
ikaro, two things possibly. Have you modified the config file to disable automatic caching of the results from snort? If you did, ACID won't show any results unless you manually click on the link towards the bottom of the main page 'Application cache and status' and then click on the button 'Update Alert Cache'. I disabled ACID's automatic caching of the alerts and I set mine up on a cron so that my page loads weren't so slow all the time.
jtp755 l33t
Joined: 01 Sep 2003 Posts: 691 Location: USA
ikaro Advocate
Joined: 14 Jul 2003 Posts: 2527 Location: Denmark
Posted: Sun Nov 09, 2003 11:53 am Post subject:
gpreston wrote: "ikaro, two things possibly. Have you modified the config file to disable automatic caching of the results from snort? If you did, ACID won't show any results unless you manually click on the link towards the bottom of the main page 'Application cache and status' and then click on the button 'Update Alert Cache'. I disabled ACID's automatic caching of the alerts and I set mine up on a cron so that my page loads weren't so slow all the time."
You say two things that possibly are wrong, but you only wrote one?
I didn't modify the config more than is described in the guide.
I also tried doing what you wrote, but it still says "Added 0 alert(s) to the Alert cache".
Here is the page:
http://www.imaginere.dk/acid
I am running:
Apache 1.3.39-r1
snort 2.0.1-r1
jpgraph-1.13
adodb403
acid-0.9.6b23
mysql-4.0.14-r2
mod_php-4.3.3-r3
php-4.3.3-r2
Thx.
jtp755 l33t
Joined: 01 Sep 2003 Posts: 691 Location: USA
ikaro Advocate
Joined: 14 Jul 2003 Posts: 2527 Location: Denmark
Posted: Sun Nov 09, 2003 1:54 pm Post subject:
Check /var/log/snort/alert.
I had a bunch of dirs in there with the IP addresses and some files inside.
The 'alert' file had something in it too.
So my problem isn't that snort isn't logging, because it is.
jtp755 l33t
Joined: 01 Sep 2003 Posts: 691 Location: USA
Posted: Sun Nov 09, 2003 5:29 pm Post subject:
I have checked there and I have nothing in there. Not one thing at all. That's why I think something is messed up. Shouldn't something show up if I pinged my server from another computer? Is there any way to test Snort to see if it is working correctly?
_________________
www.EternalFireProof.com
Registered Linux User #334610
ikaro Advocate
Joined: 14 Jul 2003 Posts: 2527 Location: Denmark
Posted: Sun Nov 09, 2003 5:50 pm Post subject:
You can contact me on IRC and I can run nmap on your IP. That is enough to make something happen.
jtp755 l33t
Joined: 01 Sep 2003 Posts: 691 Location: USA
DanBUK Tux's lil' helper
Joined: 12 May 2003 Posts: 105 Location: London, UK
Posted: Sun Nov 09, 2003 6:58 pm Post subject: If you need an nmap on demand
If you need to get some data flying your way, I have an nmap web page you can call.
It does an nmap -T5 -P0 -F <remote-client>.
http://dans.lockedbox.net/scan/nmap
Cheers,
Dan.
jtp755 l33t
Joined: 01 Sep 2003 Posts: 691 Location: USA
DanBUK Tux's lil' helper
Joined: 12 May 2003 Posts: 105 Location: London, UK
Posted: Sun Nov 09, 2003 7:22 pm Post subject:
jtp755 wrote: "can you set something up to send some TCP and ICMP packets?"
Nmap - is already sending TCP. Have you set up the portscan preprocessor?
ICMP - Umm, I'll work out something for that... not sure yet what though...
jtp755 l33t
Joined: 01 Sep 2003 Posts: 691 Location: USA
Posted: Sun Nov 09, 2003 7:28 pm Post subject:
When I went to that link nothing TCP came my way? All I'm getting is UDP from ICQ I think. What should I set the portscan preprocessor to?
Last edited by jtp755 on Sun Nov 09, 2003 7:37 pm; edited 1 time in total
DanBUK Tux's lil' helper
Joined: 12 May 2003 Posts: 105 Location: London, UK
Posted: Sun Nov 09, 2003 7:35 pm Post subject:
You want to change:
# preprocessor portscan: $HOME_NET 4 3 portscan.log
to something like:
preprocessor portscan: 0.0.0.0/0 4 3 portscan.log
and
#preprocessor portscan-ignorehosts: 0.0.0.0
to something like:
#preprocessor portscan-ignorehosts: 81.100.203.141
With the IP being your external address (I say this because I have a snort on my gateway, and it picks up connections both ways; I was getting false alerts when I synced or did anything where the gateway opened lots of connections.)
Cheers, Dan.
jtp755 l33t
Joined: 01 Sep 2003 Posts: 691 Location: USA