Old June 24th, 2007   #1
djhedges
5 Cups of Ubuntu
 
Join Date: Nov 2005
Beans: 44
Ubuntu Breezy 5.10
Snort Mysql & Base on Feisty

I just installed a clean version of Feisty and since people were still using my old guide I'm going to create a new one for Feisty. The old one can be found here.
http://ubuntuforums.org/showthread.php?t=145641

Start by switching to root because it's tedious to keep retyping sudo.
Code:
sudo -i
Update your system. I had 60+ packages to update and it took about 10min or so.
Code:
apt-get update
apt-get upgrade
Install Snort with Mysql support.
Code:
apt-get install snort-mysql
It will ask about configuring snort to detect a certain network. Replace this with any and it will inspect all the packets the sensor receives. I'll show you later where you can change this in the future if you need to. Next it'll ask about setting up a database, just say no and we'll do it by hand later.

Before testing snort let's go ahead and install oinkmaster. Oinkmaster is a cool tool which keeps your snort rules updated.
Code:
apt-get install oinkmaster
Now you'll need to edit the oinkmaster config file which is located at /etc/oinkmaster.conf. I would recommend going to snort.org and registering so you can obtain an oinkcode.
Replace
Code:
url = http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz
with
Code:
url = http://www.snort.org/pub-bin/oinkmaster.cgi/5a08f649c16a278e1012e1c84bdc8fab9a70e2a4/snortrules-snapshot-2.3.tar.gz
Make sure you replace 5a08f649c16a278e1012e1c84bdc8fab9a70e2a4 with your oink code and pay attention to which snort version you're using. In my example my snort is version 2.3.
To find your snort version.
Code:
snort -V
Update the snort rules.
Code:
oinkmaster -o /etc/snort/rules/
I recommend creating a crontab so your rules automatically update.

Let's take a look at the snort.conf file
Code:
nano -w /etc/snort/snort.conf
var HOME_NET any
Is what we configured earlier during the snort install. Make sure you have a line that isn't commented (meaning no # in front of it)
Code:
output log_tcpdump: tcpdump.log
See if snort is running
Code:
pgrep -l snort
If it's not start it with
Code:
/etc/init.d/snort start
If you get an error about a db-pending-config then
Code:
rm /etc/snort/db-pending-config
Let's see if snort is working properly by tailing the log file. If you see it change or any logs at all then snort should be working fine.
Code:
tail -f /var/log/snort/alert
Windows PCs on the same network triggered my snort but you could always do a port scan from another computer using nmap (it won't do anything to run nmap on itself.)
Code:
nmap -sX your_snort_ip_address
I believe this only works if you have at least one open port. For this I installed ssh.
Code:
apt-get install ssh
The alert file should say something about an XMAS scan. Press ctrl + c to kill the tail command.

Let's install mysql, it'll take a few minutes.
Code:
apt-get install mysql-server
Edit the snort.conf
Code:
nano -w /etc/snort/snort.conf
Comment out the output log_tcpdump: tcpdump.log line so it looks like
Code:
# output log_tcpdump: tcpdump.log
Change
Code:
# output database: log, mysql, user=root password=test dbname=db host=localhost
to the following. Make sure you use something other than SNORT_PASSWORD (we'll set it in a minute), and pay attention to the dbname=snort.
Code:
output database: log, mysql, user=snort password=SNORT_PASSWORD dbname=snort host=localhost
I followed Patrick's CentOS guide for the following because I barely understand mysql. You can find his guide here. Good info, even if you're not using CentOS.
Code:
http://www.snort.org/docs/setup_guides/snort_base_SSL.pdf
Code:
mysql -u root
-- PICK_A_PASSWORD is whatever you choose for the mysql root account
set password for root@localhost=password('PICK_A_PASSWORD');
create database snort;
-- copied from the referenced guide; it grants on a database named root, which does not exist here
grant insert,select on root.* to snort@localhost;
-- PASSWORD_SNORT_CONF must match the password= value in /etc/snort/snort.conf
set password for snort@localhost=password('PASSWORD_SNORT_CONF');
grant create,delete,insert,select,update on snort.* to snort@localhost;
-- without @localhost this also creates snort@'%' (login allowed from any host); only needed if BASE runs on another machine
grant create,delete,insert,select,update on snort.* to snort;
exit
Let's set up the database for snort by uncompressing the schema and then importing it
Code:
gunzip /usr/share/doc/snort-mysql/create_mysql.gz
mysql -u root -p < /usr/share/doc/snort-mysql/create_mysql snort
Restart Snort
Code:
/etc/init.d/snort restart
Now let's grab what we need for BASE such as apache & php.
Code:
apt-get install apache2 php5-mysql libphp-adodb
Download the latest version of BASE from
http://base.secureideas.net/
Extract BASE & Move BASE
Code:
tar -xvzf /home/username/Desktop/base-1.3.6.tar.gz
mv base-1.3.6 /var/www/base
Copy & Edit the BASE config
Code:
cd /var/www/base
cp base_conf.php.dist base_conf.php
nano -w  base_conf.php
Look for these lines and change them so they're similar
Code:
$BASE_urlpath = "/base";
$DBlib_path = "/usr/share/adodb/";
$alert_dbname = 'snort';
$alert_password = 'SNORT_PASSWORD';
I had to restart apache before getting to BASE
Code:
/etc/init.d/apache2 restart
Open firefox & go to localhost/base
Click on the setup page link and then the Create BASE AG button
BASE should be working now.

Let's get the graphing to work
Code:
apt-get install php5-gd php-pear
pear install Image_Color
pear install Image_Canvas-alpha
pear install Image_Graph-alpha
Restart apache
Code:
/etc/init.d/apache2 restart
One more thing to look at before you're done is the /etc/snort/threshold.conf. This file can be used to limit and suppress alerts you don't want to see. I get a lot of false positives from samba and normal Windows traffic. I'm not worried about local traffic so I can suppress my network but still generate alerts if someone outside was connecting by adding a line like so. The config should be self-explanatory.
Code:
suppress gen_id 1, sig_id 2466, track by_src, ip 192.168.1.0/24
Good luck and have fun.
Old June 29th, 2007   #2
tegwilym
A Carafe of Ubuntu
 
Join Date: Jan 2006
Location: Renton, WA
Beans: 104
Ubuntu 7.10 Gutsy Gibbon
Re: Snort Mysql & Base on Feisty

Thanks for posting that guide. I got it up and running - at least I got through all the steps without any mysterious error messages.
Now I just have to figure out how this Snort/Base thing works.

Tom
-Former XP user. Hehe!
Old June 29th, 2007   #3
erwall
A Carafe of Ubuntu
 
Join Date: Dec 2006
Location: Ellicott City, MD
Beans: 93
Ubuntu 8.04 Hardy Heron
Re: Snort Mysql & Base on Feisty

I'm getting this on the graphs page:

Error loading the Graphing library:

Check your Pear::Image_Graph installation!

Image_Graph can be found here:at http://pear.veggerby.dk/. Without this library no graphing operations can be performed.

and "pear list" yields this:

Installed packages, channel pear.php.net:
=========================================
Package Version State
Archive_Tar 1.3.2 stable
Console_Getopt 1.2 stable
Image_Canvas 0.3.1 alpha
Image_Color 1.0.2 stable
Image_Graph 0.7.1 alpha
Log 1.9.11 stable
Numbers_Roman 0.2.0 stable
Numbers_Words 0.13.1 beta
PEAR 1.4.11 stable

any ideas?
Old June 30th, 2007   #4
djhedges
5 Cups of Ubuntu
 
Join Date: Nov 2005
Beans: 44
Ubuntu Breezy 5.10
Re: Snort Mysql & Base on Feisty

Quote:
Originally Posted by erwall View Post
I'm getting this on the graphs page:

Error loading the Graphing library:

Check your Pear::Image_Graph installation!

Image_Graph can be found here:at http://pear.veggerby.dk/. Without this library no graphing operations can be performed.

and "pear list" yields this:

Installed packages, channel pear.php.net:
=========================================
Package Version State
Archive_Tar 1.3.2 stable
Console_Getopt 1.2 stable
Image_Canvas 0.3.1 alpha
Image_Color 1.0.2 stable
Image_Graph 0.7.1 alpha
Log 1.9.11 stable
Numbers_Roman 0.2.0 stable
Numbers_Words 0.13.1 beta
PEAR 1.4.11 stable

any ideas?
Interesting, have you tried restarting apache?
Old July 1st, 2007   #5
erwall
A Carafe of Ubuntu
 
Join Date: Dec 2006
Location: Ellicott City, MD
Beans: 93
Ubuntu 8.04 Hardy Heron
Re: Snort Mysql & Base on Feisty

Yep, sure have, a few times...
Old July 2nd, 2007   #6
djhedges
5 Cups of Ubuntu
 
Join Date: Nov 2005
Beans: 44
Ubuntu Breezy 5.10
Re: Snort Mysql & Base on Feisty

Quote:
Originally Posted by erwall View Post
Yep, sure have, a few times...
I remember a similar problem but it was a long time ago. I think I fixed it by reinstalling some packages such as php or pear. It's been a long time and I can't remember exactly which ones I removed and reinstalled.
Old July 2nd, 2007   #7
djhedges
5 Cups of Ubuntu
 
Join Date: Nov 2005
Beans: 44
Ubuntu Breezy 5.10
Re: Snort Mysql & Base on Feisty

Quote:
Originally Posted by djhedges View Post
I remember a similar problem but it was a long time ago. I think I fixed it by reinstalling some packages such as php or pear. It's been a long time and I can't remember exactly which ones I removed and reinstalled.
Have you looked at the log files? I'm at school so I don't have access to my laptop but check in /var/log/messages and something like /var/log/snort
Old July 2nd, 2007   #8
KyleBrandt
A Carafe of Ubuntu
 
Join Date: May 2007
Location: Boston, Ma
Beans: 121
Re: Snort Mysql & Base on Feisty

After running

Code:
 /etc/init.d/snort start
I get:

Code:
Starting Network Intrusion Detection System: snort(eth0)No /etc/snort/snort.eth0.conf, defaulting to snort.conf
.
However, it doesn't appear to be running after I type:

Code:
pgrep -l snort
I don't really know what my next step in troubleshooting should be since I have no error to work with, unless that period is an error? Anyone have any ideas? Thanks..
Old July 3rd, 2007   #9
tegwilym
A Carafe of Ubuntu
 
Join Date: Jan 2006
Location: Renton, WA
Beans: 104
Ubuntu 7.10 Gutsy Gibbon
Starting Snort.

Ok, I thought I had it all running, but now finding that I'm close, but not quite there just yet.

At the command line, I enter:
snort -b -i eth0 -A fast -N -c /etc/snort/snort.conf

(I leave out the -D so I can see what happens)

I get this, which looks all fine, until I get to the very end and see the message saying:
command line overrides rules file alert plugin!
ERROR: Suppress-Parse: incorrect argument count
Fatal Error, Quitting..


So Snort doesn't seem to be running at all. The computer is on a DMZ port through the router exposed to raw, nasty, unfiltered internet. I figure that is the best way to see something actually happen!

Here is the full output of the above command.

root@satellite:/etc/snort# snort -b -i eth0 -A fast -N -c /etc/snort/snort.conf
Running in IDS mode

Initializing Network Interface eth0

--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

++++++++++++++++++++++++++++++++++++++++++++++++++ +
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
Fragment min_ttl: 0
Fragment ttl_limit: 5
Fragment Problems: 0
Self preservation threshold: 500
Self preservation period: 90
Suspend threshold: 1000
Suspend period: 30
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: INACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Enforce TCP State: INACTIVE
Midstream Drop Alerts: INACTIVE

Stream4_reassemble config:
Server reassembly: INACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Zero out flushed packets: INACTIVE
flush_data_diff_size: 500
Ports: 21 23 25 53 80 110 111 143 513 1433
Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: /etc/snort/unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Ports: 80 8080 8180
Flow Depth: 300
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: YES
Apache WhiteSpace: YES alert: NO
IIS Delimiter: YES alert: NO
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: NONE
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
telnet_decode arguments:
Ports to decode telnet on: 21 23 25 119
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
Number of Nodes: 36900

X-Link2State Config:
Ports: 25 691
command line overrides rules file alert plugin!
ERROR: Suppress-Parse: incorrect argument count
Fatal Error, Quitting..
Old July 20th, 2007   #10
Spudgun
A Carafe of Ubuntu
 
Join Date: Apr 2005
Location: Wales, UK
Beans: 113
Re: Starting Snort.

Quote:
Originally Posted by tegwilym View Post
Ok, I thought I had it all running, but now finding that I'm close, but not quite there just yet.

At the command line, I enter:
snort -b -i eth0 -A fast -N -c /etc/snort/snort.conf

(I leave out the -D so I can see what happens)

I get this, which looks all fine, until I get to the very end and see the message saying:
command line overrides rules file alert plugin!
ERROR: Suppress-Parse: incorrect argument count
Fatal Error, Quitting..
In /etc/snort/threshold.conf, change the 4 digit number after 'sig_id' to 1852. That should solve your problem.
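The threshold.conf suppress line in the guide and the "Suppress-Parse: incorrect argument count" error in the later posts are two sides of the same parsing rule. The following Python is an added example, not code from the thread or from Snort itself: it mimics how Snort 2.x splits a suppress line into comma-separated key/value pairs, then applies the parsed rules to constructed "-A fast" alert lines (sample data, not real logs; the sid/rev values are illustrative) to show which alerts a LAN-only suppression silences and which it keeps.

```python
import ipaddress
import re

def parse_suppress(line):
    """Parse a threshold.conf suppress line as Snort 2.x does: comma-separated 'key value' pairs."""
    opts = {}
    for item in line.strip()[len("suppress"):].split(","):
        toks = item.split()
        if len(toks) != 2:  # a missing comma yields a 4-token item: Snort's fatal parse error
            raise ValueError("Suppress-Parse: incorrect argument count")
        opts[toks[0]] = toks[1]
    if "gen_id" not in opts or "sig_id" not in opts:
        raise ValueError("Suppress-Parse: gen_id and sig_id are required")
    if ("track" in opts) != ("ip" in opts):
        raise ValueError("Suppress-Parse: track and ip must be given together")
    return {"gen_id": int(opts["gen_id"]), "sig_id": int(opts["sig_id"]), "track": opts.get("track"),
            "net": ipaddress.ip_network(opts["ip"], strict=False) if "ip" in opts else None}

# "-A fast" alert line: timestamp [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
FAST_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):\d+\] (.*?) \[\*\*\].*\{\w+\} "
                     r"([\d.]+)(?::\d+)? -> ([\d.]+)(?::\d+)?")
def parse_fast_alert(line):
    m = FAST_RE.search(line)
    if not m:
        return None
    gid, sid, msg, src, dst = m.groups()
    return {"gid": int(gid), "sid": int(sid), "msg": msg, "src": src, "dst": dst}
def is_suppressed(alert, rules):
    for r in rules:
        if (r["gen_id"], r["sig_id"]) != (alert["gid"], alert["sid"]):
            continue
        if r["track"] is None:  # no track/ip pair: the signature is silenced for every host
            return True
        addr = alert["src"] if r["track"] == "by_src" else alert["dst"]
        if ipaddress.ip_address(addr) in r["net"]:
            return True
    return False
def filter_alerts(alert_lines, suppress_lines):
    """Return the alerts that would still be reported once the suppress rules apply."""
    rules = [parse_suppress(s) for s in suppress_lines]
    return [a for a in map(parse_fast_alert, alert_lines) if a and not is_suppressed(a, rules)]
# Constructed sample alerts (not real logs): the samba signature from the LAN and from outside, plus an nmap XMAS scan.
SMB = "[**] [1:2466:7] NETBIOS SMB-DS IPC$ unicode share access [**] [Priority: 3] {TCP} "
SAMPLE_ALERTS = [
    "06/24-20:15:01.000001  " + SMB + "192.168.1.20:1050 -> 192.168.1.5:445",
    "06/24-20:15:02.000002  " + SMB + "203.0.113.9:3322 -> 192.168.1.5:445",
    "06/24-20:16:00.000003  [**] [1:1228:7] SCAN nmap XMAS [**] [Priority: 2] {TCP} 192.168.1.30:40000 -> 192.168.1.5:22",
]
SUPPRESS_OK = ["suppress gen_id 1, sig_id 2466, track by_src, ip 192.168.1.0/24"]
SUPPRESS_BAD = ["suppress gen_id 1 sig_id 2466, track by_src, ip 192.168.1.0/24"]  # missing comma
```

Running filter_alerts(SAMPLE_ALERTS, SUPPRESS_OK) keeps the outside-host SMB alert and the XMAS scan and drops only the LAN samba chatter, while SUPPRESS_BAD reproduces the fatal error the thread hit.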