I just installed a clean version of Feisty and since people were still using my old guide I'm going to create a new one for Feisty. The old one can be found here.
Start by switching to root because it's tedious to keep retyping sudo.
Update your system. I had 60+ packages to update and it took about 10min or so.
Install Snort with MySQL support.
apt-get install snort-mysql
It will ask about configuring snort to detect a certain network. Replace this with any and it will inspect all the packets the sensor receives. I'll show you later where you can change this in the future if you need to. Next it'll ask about setting up a database; just say no and we'll do it by hand later.
Before testing snort let's go ahead and install oinkmaster. Oinkmaster is a cool tool which keeps your snort rules updated.
apt-get install oinkmaster
Now you'll need to edit the oinkmaster config file, which is located at /etc/oinkmaster.conf. I would recommend going to snort.org and registering so you can obtain an oinkcode. Change the line
url = http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz
to
url = http://www.snort.org/pub-bin/oinkmaster.cgi/5a08f649c16a278e1012e1c84bdc8fab9a70e2a4/snortrules-snapshot-2.3.tar.gz
Make sure you replace 5a08f649c16a278e1012e1c84bdc8fab9a70e2a4 with your oinkcode and pay attention to which snort version you're using. In my example my snort is version 2.3.
To find your snort version.
Update the snort rules.
oinkmaster -o /etc/snort/rules/
I recommend creating a crontab so your rules automatically update.
Let's take a look at the snort.conf file.
nano -w /etc/snort/snort.conf
var HOME_NET any
is what we configured earlier during the snort install. Make sure you have a line that isn't commented (meaning no # in front of it) reading
output log_tcpdump: tcpdump.log
See if snort is running.
If it's not, start it with
If you get an error about a db-pending-config then
Let's see if snort is working properly by tailing the log file. If you see it change, or any logs at all, then snort should be working fine.
tail -f /var/log/snort/alert
Windows PCs on the same network triggered my snort, but you could always do a port scan from another computer using nmap (it won't do anything to run nmap on itself). I believe this only works if you have at least one open port. For this I installed ssh.
apt-get install ssh
nmap -sX your_snort_ip_address
The alert file should say something about an XMAS scan. Press ctrl + c to kill the tail command.
Let's install mysql, it'll take a few minutes.
apt-get install mysql-server
Edit the snort.conf.
nano -w /etc/snort/snort.conf
Comment out the output log_tcpdump: tcpdump.log line so it looks like
# output log_tcpdump: tcpdump.log
Change
# output database: log, mysql, user=root password=test dbname=db host=localhost
to
output database: log, mysql, user=snort password=SNORT_PASSWORD dbname=snort host=localhost
Make sure you use something other than SNORT_PASSWORD; we'll set it in a minute. And pay attention to the dbname=snort.
I followed Patrick's CentOS guide for the following because I barely understand mysql. You can find his guide here. Good info, even if you're not using CentOS.
mysql -u root
set password for root@localhost=password('PICK_A_PASSWORD');
create database snort;
grant insert,select on root.* to snort@localhost;
set password for snort@localhost=password('PASSWORD_SNORT_CONF');
grant create,delete,insert,select,update on snort.* to snort@localhost;
grant create,delete,insert,select,update on snort.* to snort;
Let's set up the database for snort by uncompressing it and then importing it.
mysql -u root -p snort < /usr/share/doc/snort-mysql/create_mysql
Now let's grab what we need for BASE such as apache & php.
apt-get install apache2 php5-mysql libphp-adodb
Download the latest version of BASE from
Extract BASE & move BASE:
tar -xvzf /home/username/Desktop/base-1.3.6.tar.gz
mv base-1.3.6 /var/www/base
Copy & edit the BASE config:
cp base_conf.php.dist base_conf.php
nano -w base_conf.php
Look for these lines and change them so they're similar:
$BASE_urlpath = "/base";
$DBlib_path = "/usr/share/adodb/";
$alert_dbname = 'snort';
$alert_password = 'SNORT_PASSWORD';
I had to restart apache before getting to BASE.
Open firefox & go to localhost/base
Click on the setup page link and then the Create BASE AG button.
BASE should be working now.
Let's get the graphing to work.
apt-get install php5-gd php-pear
pear install Image_Color
pear install Image_Canvas-alpha
pear install Image_Graph-alpha
One more thing to look at before you're done is /etc/snort/threshold.conf. This file can be used to limit and suppress alerts you don't want to see. I get a lot of false positives from samba and normal windows traffic. I'm not worried about local traffic, so I can suppress my network but still generate alerts if someone outside was connecting by adding a line like so. The config should be self-explanatory.
suppress gen_id 1, sig_id 2466, track by_src, ip 192.168.1.0/24
Good luck and have fun.
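To see exactly what a suppress line in threshold.conf filters out of the alert file you were tailing above, here is an added example (not part of the original post) that parses alerts in Snort's default full alert format, applies the suppress rules with their track by_src/by_dst scoping, and returns the alerts that would still fire. The alert entries and signature messages are constructed samples.

```python
import re
import ipaddress
# Constructed sample of /var/log/snort/alert (default "full" format, detail lines omitted)
SAMPLE_ALERT_LOG = """\
[**] [1:2466:7] NETBIOS SMB-DS IPC$ unicode share access [**]
05/12-10:23:45.123456 192.168.1.5:1052 -> 192.168.1.10:445
[**] [1:2466:7] NETBIOS SMB-DS IPC$ unicode share access [**]
05/12-10:24:01.000001 203.0.113.7:3391 -> 192.168.1.10:445
[**] [1:1228:7] SCAN nmap XMAS [**]
05/12-10:25:10.500000 192.168.1.77:40000 -> 192.168.1.10:22
"""
# Constructed threshold.conf: silence sid 2466 only when the source is on the local /24
SAMPLE_THRESHOLD_CONF = "suppress gen_id 1, sig_id 2466, track by_src, ip 192.168.1.0/24\n"

ALERT_HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):\d+\] (.+?) \[\*\*\]$")
ALERT_ADDRS = re.compile(r"^\S+ ([\d.]+)(?::\d+)? -> ([\d.]+)(?::\d+)?$")
SUPPRESS_LINE = re.compile(r"^suppress\s+gen_id\s+(\d+),?\s+sig_id\s+(\d+)"
                           r"(?:,?\s+track\s+(by_src|by_dst),?\s+ip\s+(\S+))?\s*$")

def parse_alerts(text):
    """One dict per alert: gid, sid, msg, src, dst (ports are dropped)."""
    alerts, current = [], None
    for line in text.splitlines():
        header, addrs = ALERT_HEADER.match(line), ALERT_ADDRS.match(line)
        if header:
            current = {"gid": int(header[1]), "sid": int(header[2]), "msg": header[3]}
            alerts.append(current)
        elif addrs and current is not None:
            current["src"], current["dst"] = addrs[1], addrs[2]
    return alerts

def parse_suppress(text):
    """(gid, sid, track, net) per line; net is None when there is no track/ip clause."""
    rules = []
    for m in filter(None, (SUPPRESS_LINE.match(l.strip()) for l in text.splitlines())):
        gid, sid, track, ip = m.groups()
        rules.append((int(gid), int(sid), track, ipaddress.ip_network(ip, strict=False) if ip else None))
    return rules

def is_suppressed(alert, rules):
    for gid, sid, track, net in rules:
        if (gid, sid) == (alert["gid"], alert["sid"]):
            side = alert["src"] if track == "by_src" else alert["dst"]
            # a bare suppress (net is None) silences the signature for every host
            if net is None or ipaddress.ip_address(side) in net:
                return True
    return False

def surviving_alerts(alert_text, threshold_text):
    rules = parse_suppress(threshold_text)
    return [a for a in parse_alerts(alert_text) if not is_suppressed(a, rules)]
```

With the sample data the local SMB alert is dropped, while the same signature from 203.0.113.7 and the XMAS scan against port 22 are still reported.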