Configure postgresql and snort
First we shall make a database for snort. As you proceed with the configuration you might wish to use alternate database names, database user, and password. For this tutorial I will use :
snort postgresql database = snort_db
snort postgresql user = snort
snort postgresql password = snort_password
Switch to the postgres user with "sudo su postgres". At the postgres user prompt :
# Create the database for snort
createdb snort_db
# Configure the database
zcat /usr/share/doc/snort-pgsql/create_postgresql.gz | psql snort_db
# Create a postgresql user for snort
createuser -P snort
Enter and confirm a password for snort, answer n to the next 3 questions :
Enter password for new user: snort_password
Enter it again: snort_password
Shall the new user be a superuser? (y/n) n
Shall the new user be allowed to create databases? (y/n) n
Shall the new user be allowed to create more new users? (y/n) n
Log into the new database :
psql snort_db
At the psql prompt ( snort_db=# ) enter ( copy - paste ) the following long command:
Note: "snort_db=#" indicates the prompt, the command you want to copy-paste starts with "GRANT ALL ..." and ends with a ;
snort_db=# GRANT ALL ON TABLE data, detail, encoding, event, icmphdr, iphdr, opt, reference, reference_ref_id_seq, reference_system, reference_system_ref_system_id_seq, schema, sensor, sensor_sid_seq, sig_class, sig_class_sig_class_id_seq, sig_reference, signature, signature_sig_id_seq, tcphdr, udphdr TO snort;
\q to exit psql
exit to return to a root shell (exit the "sudo su postgres")
Remove the "db-pending-config" file.
sudo rm db-pending-config
Using any editor, open /etc/snort/snort.conf
sudo nano -B /etc/snort/snort.conf
Find and change the following lines:
Use the search function (Ctrl-W) to search for "var HOME_NET any". Note that HOME_NET is used more than once; you want the line "var HOME_NET any", as below ...
Change "var HOME_NET any" to "var HOME_NET 192.168.0.0/16,127.0.0.0/8"
Comment out (add a # in front of) "var EXTERNAL_NET any"
Uncomment (remove the #) "var EXTERNAL_NET !$HOME_NET"
so it looks similar to this:
You may need to change "192.168.0.0/24" to a range appropriate for your LAN.
var HOME_NET 192.168.0.0/24,127.0.0.0/8
#var EXTERNAL_NET any
var EXTERNAL_NET !$HOME_NET
Next, find the line "output database: alert, postgresql ...."
Hint: Search as above for "localhost" .
Uncomment (remove the #) the line and update it to include the database and user you set up.
output database: alert, postgresql, user=snort dbname=snort_db password=snort_password host=localhost
Save the file and close nano (Ctrl-X , when asked to save answer yes).
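The same snort.conf edits, done with sed and then checked, as an added example (this is not part of the tutorial); it assumes the file contains the lines shown above, and the sample config and the check function are constructed for the dry run:

```shell
#!/bin/sh
# Added example, not from the tutorial: apply the snort.conf edits above with sed
# and verify them, so the change is repeatable and reviewable. Assumptions:
# the file has the same lines the tutorial shows; DB values contain no '|' or '&'.
set -eu

# Rewrite only the exact lines the tutorial names. The ^...$ anchors matter:
# HOME_NET appears more than once in snort.conf, and only "var HOME_NET any"
# should change.
configure_snort_conf() {
    conf="$1" home_net="$2" db_user="$3" db_name="$4" db_pass="$5"
    sed -e 's|^var HOME_NET any$|var HOME_NET '"$home_net"'|' \
        -e 's|^var EXTERNAL_NET any$|#var EXTERNAL_NET any|' \
        -e 's|^#var EXTERNAL_NET !\$HOME_NET$|var EXTERNAL_NET !$HOME_NET|' \
        -e 's|^# *output database: alert, postgresql.*$|output database: alert, postgresql, user='"$db_user"' dbname='"$db_name"' password='"$db_pass"' host=localhost|' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Return 0 only if every edit the tutorial asks for is present.
check_snort_conf() {
    conf="$1"
    ! grep -q '^var HOME_NET any$' "$conf" &&
    ! grep -q '^var EXTERNAL_NET any$' "$conf" &&
    grep -q '^var EXTERNAL_NET !\$HOME_NET$' "$conf" &&
    grep -q '^output database: alert, postgresql, .*host=localhost$' "$conf"
}

# Constructed sample of the relevant snort.conf lines, for an offline dry run.
make_sample_conf() {
    cat > "$1" <<'EOF'
var HOME_NET any
var EXTERNAL_NET any
#var EXTERNAL_NET !$HOME_NET
# output database: alert, postgresql, user=snort dbname=snort password=snort host=localhost
EOF
}

# Dry run on the sample; pass a real path (e.g. /etc/snort/snort.conf) as $1 to apply for real.
conf="${1:-}"
[ -n "$conf" ] || { conf=$(mktemp); make_sample_conf "$conf"; }
configure_snort_conf "$conf" "${2:-192.168.0.0/24,127.0.0.0/8}" snort snort_db snort_password
check_snort_conf "$conf" && echo "snort.conf edits verified in $conf"
```

Run it as root against /etc/snort/snort.conf once the dry run looks right; the same check_snort_conf call can be re-run later to confirm nothing reverted the lines.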
You can test snort with the following command :
sudo snort -c /etc/snort/snort.conf -T
If you see the ascii pig, it is working!
YOU DO NOT NEED TO DO ANYTHING ELSE TO "TEST SNORT" !!!!

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 126.96.36.199 (Build 121)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 7.8 2008-09-05

Snort successfully loaded all rules and checked all rule chains !
database: Closing connection to database "snort_db"