
Thread: Snort Mysql & Base on Feisty

  1. #1 (Join Date: Nov 2005, Distro: Ubuntu Breezy 5.10)

    Snort Mysql & Base on Feisty

    I just installed a clean version of Feisty and since people were still using my old guide I'm going to create a new one for Feisty. The old one can be found here.
    http://ubuntuforums.org/showthread.php?t=145641

    Start by switching to root because it's tedious to keep retyping sudo.
    Code:
    sudo -i
    Update your system. I had 60+ packages to update and it took about 10min or so.
    Code:
    apt-get update
    apt-get upgrade
    Install Snort with Mysql support.
    Code:
    apt-get install snort-mysql
    It will ask about configuring snort to detect a certain network. Replace this with any and it will inspect all the packets the sensor receives. I'll show you later where you can change this in the future if you need to. Next it'll ask about setting up a database; just say no and we'll do it by hand later.

    Before testing snort, let's go ahead and install oinkmaster. Oinkmaster is a cool tool which keeps your snort rules updated.
    Code:
    apt-get install oinkmaster
    Now you'll need to edit the oinkmaster config file, which is located at /etc/oinkmaster.conf. I would recommend going to snort.org and registering so you can obtain an oinkcode.
    Replace
    Code:
    url = http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz
    with
    Code:
    url = http://www.snort.org/pub-bin/oinkmaster.cgi/5a08f649c16a278e1012e1c84bdc8fab9a70e2a4/snortrules-snapshot-2.3.tar.gz
    Make sure you replace 5a08f649c16a278e1012e1c84bdc8fab9a70e2a4 with your oink code and pay attention to which snort version you're using. In my example my snort is version 2.3.
    To find your snort version.
    Code:
    snort -V
    Update the snort rules.
    Code:
    oinkmaster -o /etc/snort/rules/
    I recommend creating a crontab so your rules automatically update.

    Let's take a look at the snort.conf file
    Code:
    nano -w /etc/snort/snort.conf
    var HOME_NET any
    This is what we configured earlier during the snort install. Make sure you have a line that isn't commented out (meaning no # in front of it):
    Code:
    output log_tcpdump: tcpdump.log
    See if snort is running
    Code:
    pgrep -l snort
    If it's not start it with
    Code:
    /etc/init.d/snort start
    If you get an error about a db-pending-config then
    Code:
    rm /etc/snort/db-pending-config
    Let's see if snort is working properly by tailing the log file. If you see it change or any logs at all, then snort should be working fine.
    Code:
    tail -f /var/log/snort/alert
    Windows PCs on the same network triggered my snort, but you could always do a port scan from another computer using nmap (it won't do anything to run nmap on itself.)
    Code:
    nmap -sX your_snort_ip_address
    I believe this only works if you have at least one open port. For this I installed ssh.
    Code:
    apt-get install ssh
    The alert file should say something about an XMAS scan. Press ctrl + c to kill the tail command.

    Let's install mysql; it'll take a few minutes.
    Code:
    apt-get install mysql-server
    Edit the snort.conf
    Code:
    nano -w /etc/snort/snort.conf
    Comment out the output log_tcpdump: tcpdump.log line so it looks like
    Code:
    # output log_tcpdump: tcpdump.log
    Change
    Code:
    # output database: log, mysql, user=root password=test dbname=db host=localhost
    to the following. Make sure you use something other than SNORT_PASSWORD; we'll set it in a minute. And pay attention to the dbname=snort.
    Code:
    output database: log, mysql, user=snort password=SNORT_PASSWORD dbname=snort host=localhost
    I followed Patrick's CentOS guide for the following because I barely understand mysql. You can find his guide here. Good info, even if you're not using CentOS.
    Code:
    http://www.snort.org/docs/setup_guides/snort_base_SSL.pdf
    Code:
    mysql -u root
    set password for root@localhost=password('PICK_A_PASSWORD');
    create database snort;
    grant insert,select on root.* to snort@localhost;
    set password for snort@localhost=password('PASSWORD_SNORT_CONF');
    grant create,delete,insert,select,update on snort.* to snort@localhost;
    grant create,delete,insert,select,update on snort.* to snort;
    exit
    Let's set up the database for snort by uncompressing the schema and then importing it
    Code:
    gunzip /usr/share/doc/snort-mysql/create_mysql.gz
    mysql -u root -p < /usr/share/doc/snort-mysql/create_mysql snort
    Restart Snort
    Code:
    /etc/init.d/snort restart
    Now let's grab what we need for BASE, such as apache & php.
    Code:
    apt-get install apache2 php5-mysql libphp-adodb
    Download the latest version of BASE from
    http://base.secureideas.net/
    Extract BASE & Move BASE
    Code:
    tar -xvzf /home/username/Desktop/base-1.3.6.tar.gz
    mv base-1.3.6 /var/www/base
    Copy & Edit the BASE config
    Code:
    cd /var/www/base
    cp base_conf.php.dist base_conf.php
    nano -w  base_conf.php
    Look for these lines and change them so they're similar
    Code:
    $Base_urlpath = "/base";
    $Dblib_path = "/usr/share/adodb/";
    $alert_dbname = 'snort';
    $alert_password = 'SNORT_PASSWORD';
    I had to restart apache before getting to BASE
    Code:
    /etc/init.d/apache2 restart
    Open firefox & go to localhost/base
    Click on the setup page link and then the Create BASE AG button
    BASE should be working now.

    Let's get the graphing to work
    Code:
    apt-get install php5-gd php-pear
    pear install Image_Color
    pear install Image_Canvas-alpha
    pear install Image_Graph-alpha
    Restart apache
    Code:
    /etc/init.d/apache2 restart
    One more thing to look at before you're done is /etc/snort/threshold.conf. This file can be used to limit and suppress alerts you don't want to see. I get a lot of false positives from Samba and normal Windows traffic. I'm not worried about local traffic, so I can suppress my network but still generate alerts if someone outside was connecting, by adding a line like so. The config should be self-explanatory.
    Code:
    suppress gen_id 1, sig_id 2466, track by_src, ip 192.168.1.0/24
    Good luck and have fun.
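    The guide above ends with hand-writing a suppress line after eyeballing the alert file. As an added example (not code from the original post or from Snort), here is a small Python script that does that step systematically: it parses Snort fast-format alert lines (the one-line-per-alert format written by snort -A fast or output alert_fast), counts hits per signature, and drafts threshold.conf suppress lines, in Snort's documented comma-separated form, for signatures that fire repeatedly from inside your own network while leaving alerts from outside untouched. The alert lines, SIDs and addresses in it are constructed samples; 192.168.1.0/24 stands in for the guide's local network.

```python
"""Summarise Snort fast-format alerts and draft threshold.conf suppress lines.

Added example for the Feisty Snort/BASE guide; not code from the original post
or from Snort. Input is the one-line-per-alert format written by 'snort -A fast'
(or 'output alert_fast'). Every address, SID and message below is a constructed
sample, not data from a real sensor.
"""
import ipaddress
import re
import sys
from collections import Counter

# Constructed sample alerts (illustrative only). 192.168.1.0/24 plays the role of
# the guide's local network; 203.0.113.9 is a documentation-range "outside" host.
SAMPLE_ALERTS = """\
03/21-13:15:43.101010  [**] [1:2466:7] NETBIOS SMB-DS IPC$ unicode share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.5:1034 -> 192.168.1.10:445
03/21-13:15:44.202020  [**] [1:2466:7] NETBIOS SMB-DS IPC$ unicode share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.7:1040 -> 192.168.1.10:445
03/21-13:16:01.303030  [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:54321 -> 192.168.1.10:22
03/21-13:16:02.404040  [**] [1:2466:7] NETBIOS SMB-DS IPC$ unicode share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 203.0.113.9:1050 -> 192.168.1.10:445
03/21-13:16:05.505050  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.5 -> 192.168.1.10
"""

# One fast-format alert: timestamp, [**] [gid:sid:rev] message [**], optional
# classification, priority, {proto}, src[:port] -> dst[:port]. IPv4 only.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification: (?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority: (?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line):
    """Parse one fast-format alert line into a dict; return None if it does not match."""
    m = FAST_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "gid": int(d["gid"]),
        "sid": int(d["sid"]),
        "rev": int(d["rev"]),
        "msg": d["msg"],
        "classification": d["cls"],
        "priority": int(d["pri"]),
        "proto": d["proto"],
        "src": ipaddress.ip_address(d["src"]),
        "sport": int(d["sport"]) if d["sport"] else None,
        "dst": ipaddress.ip_address(d["dst"]),
        "dport": int(d["dport"]) if d["dport"] else None,
    }


def parse_alerts(text):
    """Parse every non-blank line of an alert file, skipping lines that do not parse."""
    alerts = []
    for line in text.splitlines():
        parsed = parse_fast_alert(line) if line.strip() else None
        if parsed is not None:
            alerts.append(parsed)
    return alerts


def count_by_signature(alerts):
    """Hit count per (gid, sid, msg); use .most_common() for a ranked list."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)


def propose_suppressions(alerts, local_net, min_local_hits=2):
    """Draft 'suppress' lines for signatures fired at least min_local_hits times by
    sources inside local_net. Alerts from outside the range keep firing, because the
    suppression is tracked by_src on the local network only, which is the effect the
    guide wants from its threshold.conf line."""
    net = ipaddress.ip_network(local_net)
    local_hits = Counter()
    for a in alerts:
        if a["src"] in net:
            local_hits[(a["gid"], a["sid"])] += 1
    return [
        f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {net}"
        for (gid, sid), n in sorted(local_hits.items())
        if n >= min_local_hits
    ]


if __name__ == "__main__":
    # Usage: python snort_suppress.py [/path/to/fast-format/alert-file]; no argument uses the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    alerts = parse_alerts(text)
    for (gid, sid, msg), n in count_by_signature(alerts).most_common():
        print(f"{n:5d}  [{gid}:{sid}] {msg}")
    print("\nCandidate threshold.conf lines:")
    for line in propose_suppressions(alerts, "192.168.1.0/24"):
        print(line)
```

    On the sample, SID 2466 fires twice from the local range and once from 203.0.113.9, so the script drafts a suppress line for it on 192.168.1.0/24 only; the XMAS scan from the outside host is never a suppression candidate. Review the drafted lines before pasting them into /etc/snort/threshold.conf, since a by_src suppression on your whole network also hides a compromised local host tripping that signature.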

  2. #2 (Join Date: Jan 2006, Location: Renton, WA, Distro: Ubuntu 7.10 Gutsy Gibbon)

    Smile Re: Snort Mysql & Base on Feisty

    Thanks for posting that guide. I got it up and running - at least I got through all the steps without any mysterious error messages.
    Now I just have to figure out how this Snort/Base thing works.

    Tom
    -Former XP user. Hehe!

  3. #3 (Join Date: Dec 2006, Location: Maryland, Distro: Ubuntu 9.10 Karmic Koala)

    Re: Snort Mysql & Base on Feisty

    I'm getting this on the graphs page:

    Error loading the Graphing library:

    Check your Pear::Image_Graph installation!

    Image_Graph can be found here:at http://pear.veggerby.dk/. Without this library no graphing operations can be performed.

    and "pear list" yields this:

    Installed packages, channel pear.php.net:
    =========================================
    Package Version State
    Archive_Tar 1.3.2 stable
    Console_Getopt 1.2 stable
    Image_Canvas 0.3.1 alpha
    Image_Color 1.0.2 stable
    Image_Graph 0.7.1 alpha
    Log 1.9.11 stable
    Numbers_Roman 0.2.0 stable
    Numbers_Words 0.13.1 beta
    PEAR 1.4.11 stable

    any ideas?

  4. #4 (Join Date: Nov 2005, Distro: Ubuntu Breezy 5.10)

    Re: Snort Mysql & Base on Feisty

    Quote Originally Posted by erwall View Post
    I'm getting this on the graphs page:

    Error loading the Graphing library:

    Check your Pear::Image_Graph installation!

    Image_Graph can be found here:at http://pear.veggerby.dk/. Without this library no graphing operations can be performed.

    and "pear list" yields this:

    Installed packages, channel pear.php.net:
    =========================================
    Package Version State
    Archive_Tar 1.3.2 stable
    Console_Getopt 1.2 stable
    Image_Canvas 0.3.1 alpha
    Image_Color 1.0.2 stable
    Image_Graph 0.7.1 alpha
    Log 1.9.11 stable
    Numbers_Roman 0.2.0 stable
    Numbers_Words 0.13.1 beta
    PEAR 1.4.11 stable

    any ideas?
    Interesting, have you tried restarting apache?

  5. #5 (Join Date: Dec 2006, Location: Maryland, Distro: Ubuntu 9.10 Karmic Koala)

    Re: Snort Mysql & Base on Feisty

    Yep, sure have, a few times...

  6. #6 (Join Date: May 2007, Location: Boston, Ma)

    Re: Snort Mysql & Base on Feisty

    After running

    Code:
     /etc/init.d/snort start
    I get:

    Code:
    Starting Network Intrusion Detection System: snort(eth0)No /etc/snort/snort.eth0.conf, defaulting to snort.conf
    .
    However, it doesn't appear to be running after I type:

    Code:
    pgrep -l snort
    I don't really know what my next step in troubleshooting should be since I have no error to work with, unless that period is an error? Anyone have any ideas? Thanks..

  7. #7 (Join Date: Nov 2005, Distro: Ubuntu Breezy 5.10)

    Re: Snort Mysql & Base on Feisty

    Quote Originally Posted by erwall View Post
    Yep, sure have, a few times...
    I remember a similar problem but it was a long time ago. I think I fixed it by reinstalling some packages such as php or pear. It's been a long time and I can't remember exactly which ones I removed and reinstalled.

  8. #8 (Join Date: Nov 2005, Distro: Ubuntu Breezy 5.10)

    Re: Snort Mysql & Base on Feisty

    Quote Originally Posted by djhedges View Post
    I remember a similar problem but it was a long time ago. I think I fixed it by reinstalling some packages such as php or pear. It's been a long time and I can't remember exactly which ones I removed and reinstalled.
    Have you looked at the log files? I'm at school so I don't have access to my laptop, but check in /var/log/messages and something like /var/log/snort

  9. #9 (Join Date: Jan 2006, Location: Renton, WA, Distro: Ubuntu 7.10 Gutsy Gibbon)

    Question Starting Snort.

    Ok, I thought I had it all running, but now finding that I'm close, but not quite there just yet.

    At the command line, I enter:
    snort -b -i eth0 -A fast -N -c /etc/snort/snort.conf

    (I leave out the -D so I can see what happens)

    I get this, which looks all fine, until I get to the very end and see the message saying:
    command line overrides rules file alert plugin!
    ERROR: Suppress-Parse: incorrect argument count
    Fatal Error, Quitting..


    So Snort doesn't seem to be running at all. The computer is on a DMZ port through the router, exposed to the raw, nasty, unfiltered internet. I figure that is the best way to see something actually happen!

    Here is the full output of the above command.

    root@satellite:/etc/snort# snort -b -i eth0 -A fast -N -c /etc/snort/snort.conf
    Running in IDS mode

    Initializing Network Interface eth0

    --== Initializing Snort ==--
    Initializing Output Plugins!
    Decoding Ethernet on interface eth0
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file /etc/snort/snort.conf

    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains...
    ,-----------[Flow Config]----------------------
    | Stats Interval: 0
    | Hash Method: 2
    | Memcap: 10485760
    | Rows : 4099
    | Overhead Bytes: 16400(%0.16)
    `----------------------------------------------
    No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl: 0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
    Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: INACTIVE
    Midstream Drop Alerts: INACTIVE

    Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
    HttpInspect Config:
    GLOBAL CONFIG
    Max Pipeline Requests: 0
    Inspection Type: STATELESS
    Detect Proxy Usage: NO
    IIS Unicode Map Filename: /etc/snort/unicode.map
    IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
    Ports: 80 8080 8180
    Flow Depth: 300
    Max Chunk Length: 500000
    Inspect Pipeline Requests: YES
    URI Discovery Strict Mode: NO
    Allow Proxy Usage: NO
    Disable Alerting: NO
    Oversize Dir Length: 500
    Only inspect URI: NO
    Ascii: YES alert: NO
    Double Decoding: YES alert: YES
    %U Encoding: YES alert: YES
    Bare Byte: YES alert: YES
    Base36: OFF
    UTF 8: OFF
    IIS Unicode: YES alert: YES
    Multiple Slash: YES alert: NO
    IIS Backslash: YES alert: NO
    Directory Traversal: YES alert: NO
    Web Root Traversal: YES alert: YES
    Apache WhiteSpace: YES alert: NO
    IIS Delimiter: YES alert: NO
    IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
    Non-RFC Compliant Characters: NONE
    rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
    telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
    Portscan Detection Config:
    Detect Protocols: TCP UDP ICMP IP
    Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes: 36900

    X-Link2State Config:
    Ports: 25 691
    command line overrides rules file alert plugin!
    ERROR: Suppress-Parse: incorrect argument count
    Fatal Error, Quitting..
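    The fatal error above comes from Snort's threshold.conf parsing (Suppress-Parse), and the Snort manual writes suppress entries as comma-separated keyword/value pairs, e.g. suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54. As an added example for this thread, and not Snort's own parser, the Python below checks a threshold.conf against that documented grammar before you restart the sensor: each comma-separated chunk must be exactly one keyword and one value, so a line with the comma dropped between gen_id and sig_id (gen_id 1 sig_id 2466) is reported as an argument-count problem with its line number, while the properly punctuated form and a threshold line pass. The sample file it runs on is constructed for illustration; it only accepts a single host or CIDR in the ip field, not Snort's bracketed IP lists.

```python
"""Check threshold.conf lines against Snort's documented suppress/threshold grammar.

Added example for this thread; it is not Snort's own parser. It models the rule in the
Snort manual that each line is a directive followed by comma-separated 'keyword value'
pairs, so a missing comma (as in 'gen_id 1 sig_id 2466') shows up as an argument-count
error. The sample file below is constructed for illustration.
"""
import ipaddress

SUPPRESS_KEYS = {"gen_id", "sig_id", "track", "ip"}
THRESHOLD_KEYS = {"gen_id", "sig_id", "type", "track", "count", "seconds"}


class ThresholdConfError(ValueError):
    """A line that does not follow the threshold.conf grammar."""


def _split_pairs(body):
    """Split 'k1 v1, k2 v2, ...' into a dict; each comma-separated chunk must be two tokens."""
    pairs = {}
    for chunk in body.split(","):
        toks = chunk.split()
        if len(toks) != 2:
            raise ThresholdConfError(
                f"incorrect argument count in {chunk.strip()!r}: expected 'keyword value'"
            )
        key, value = toks
        if key in pairs:
            raise ThresholdConfError(f"duplicate keyword {key!r}")
        pairs[key] = value
    return pairs


def _check_track(value):
    if value not in ("by_src", "by_dst"):
        raise ThresholdConfError(f"track must be by_src or by_dst, got {value!r}")
    return value


def parse_threshold_line(line):
    """Parse one threshold.conf line; None for blank/comment lines, a dict otherwise."""
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    directive, _, body = text.partition(" ")
    if directive not in ("suppress", "threshold"):
        raise ThresholdConfError(f"unknown directive {directive!r}")
    pairs = _split_pairs(body)
    allowed = SUPPRESS_KEYS if directive == "suppress" else THRESHOLD_KEYS
    unknown = set(pairs) - allowed
    if unknown:
        raise ThresholdConfError(f"unknown keyword(s) for {directive}: {sorted(unknown)}")
    for key in ("gen_id", "sig_id"):
        if not pairs.get(key, "").isdigit():
            raise ThresholdConfError(f"{directive} needs a numeric {key}")
    entry = {"directive": directive, "gen_id": int(pairs["gen_id"]), "sig_id": int(pairs["sig_id"])}
    if directive == "suppress":
        # Either a bare gen_id/sig_id pair (suppress everywhere) or both track and ip.
        if ("track" in pairs) != ("ip" in pairs):
            raise ThresholdConfError("suppress needs both 'track' and 'ip', or neither")
        if "track" in pairs:
            entry["track"] = _check_track(pairs["track"])
            entry["ip"] = ipaddress.ip_network(pairs["ip"], strict=False)  # host or CIDR only
    else:
        missing = THRESHOLD_KEYS - set(pairs)
        if missing:
            raise ThresholdConfError(f"threshold missing {sorted(missing)}")
        if pairs["type"] not in ("limit", "threshold", "both"):
            raise ThresholdConfError(f"type must be limit, threshold or both, got {pairs['type']!r}")
        entry["type"] = pairs["type"]
        entry["track"] = _check_track(pairs["track"])
        for key in ("count", "seconds"):
            if not pairs[key].isdigit():
                raise ThresholdConfError(f"{key} must be a non-negative integer")
            entry[key] = int(pairs[key])
    return entry


def check_file(text):
    """Parse a whole file; return (entries, errors) with errors as (line_number, message)."""
    entries, errors = [], []
    for number, line in enumerate(text.splitlines(), 1):
        try:
            parsed = parse_threshold_line(line)
        except ValueError as exc:  # ThresholdConfError and ipaddress parse errors
            errors.append((number, str(exc)))
            continue
        if parsed is not None:
            entries.append(parsed)
    return entries, errors


# Constructed sample: line 2 drops the comma after 'gen_id 1', line 3 is the same
# rule in the documented comma-separated form.
SAMPLE_CONF = """\
# threshold.conf sample, constructed for this example
suppress gen_id 1 sig_id 2466, track by_src, ip 192.168.1.0/24
suppress gen_id 1, sig_id 2466, track by_src, ip 192.168.1.0/24
threshold gen_id 1, sig_id 1228, type limit, track by_src, count 1, seconds 60
suppress gen_id 1, sig_id 384
"""

if __name__ == "__main__":
    import sys
    # Usage: python check_threshold.py [/etc/snort/threshold.conf]; no argument uses the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    entries, errors = check_file(text)
    for number, message in errors:
        print(f"line {number}: {message}")
    print(f"{len(entries)} valid entries, {len(errors)} errors")
```

    Running it on the sample reports only line 2, which lets you fix the punctuation before Snort refuses to start. Since a bad threshold.conf is fatal for the whole sensor, it is worth running a check like this, or at least snort -T with your config, before restarting a sensor that faces an untrusted network.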

  10. #10 (Join Date: Apr 2005, Location: Wales, UK)

    Re: Snort Mysql & Base on Feisty

    Good tutorial, just a couple of points though -


    1. You forgot to mention that the user needs to update /etc/snort/snort.conf with his/her chosen DB password;

    2. In the BASE config
    Code:
    $Dblib_path = "/usr/share/adodb/";
    should be
    Code:
    $Dblib_path = "/usr/share/php/adodb/";
    3. Suppression rules should ideally be placed in /etc/snort/threshold.conf
