Next we need to configure a mysql database for snort to use for alerts.
Enter your mysql password for root (you did write it down, didn't you?).
You will get a mysql prompt, "mysql>". I will use this prompt to indicate commands entered in mysql (as opposed to the command line); you do not need to type the "mysql>" part.
mysql> create database snort;
mysql> grant all privileges on snort.* to 'snort'@'localhost' identified by 'snort_password';
- Consider changing the name of the database to something other than "snort".
- Consider changing the name of the mysql user to something other than "snort" (in 'snort'@'localhost').
- Change the password to something other than "snort_password".
Now, back at the command line, import the snort database schema :
mysql -D snort -u snort -p < /usr/src/snort-2.8.3/schemas/create_mysql
We also need to configure snort, write a start script, and add a cron job.
If things are too quiet, and snort goes a few hours without logging an alert to mysql, snort loses the connection with mysql. You then need to restart snort to re-establish a connection with the mysql database.
First let's create a user for snort. Again, change the user name if you wish.
Enter a password (it does not matter, we will be locking the account anyway).
Enter a shell of "/bin/true" (without quotes).
Last, lock the account.
Next configure snort. Create the directories and copy the default configuration and rules into place (the cp commands below use paths relative to the snort source directory, /usr/src/snort-2.8.3); after that we make a few edits to /etc/snort/snort.conf :
mkdir -p /etc/snort/rules /var/log/snort
chown -R root.snort /var/log/snort
chmod -R 770 /var/log/snort
cp etc/* /etc/snort/
cp rules/* /etc/snort/rules
Using any editor, open /etc/snort/snort.conf and make the following changes :
- In nano you can search using ctrl-W
- In vim you can search using /
- Search for "HOME_NET" , "EXTERNAL_NET", then mysql (without quotes).
- Change "var HOME_NET any" to "var HOME_NET 192.168.0.0/16" (use your own network and netmask here).
- Change "var EXTERNAL_NET any" to "var EXTERNAL_NET !$HOME_NET". This sets the external variable to everything other than your network.
- Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules". This tells snort where to find the rule set.
- Search for "mysql" or scroll down the list to the section with "# output database: log, mysql, user= ...", remove the "#" at the front of this line and change the syntax to :
output database: log, mysql, user=snort password=snort_password dbname=snort host=localhost
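The four snort.conf edits above, as an added shell example (not from the original post): it applies them with sed to a constructed sample excerpt, verifies each one took, and then tightens the file's permissions, since snort.conf now holds the mysql password in clear text and the cp above most likely left it world readable (default umask). HOME_NET, the database credentials and the root:snort ownership are assumed values; change them to match your setup.

```shell
#!/bin/sh
# Added example, not from the original post: apply the four snort.conf edits
# above with sed, verify they took, and restrict the file's permissions,
# because it now contains the mysql password in clear text.
# HOME_NET and the database credentials are assumed values; change them.

HOME_NET="192.168.0.0/16"
DB_USER="snort"
DB_PASS="snort_password"
DB_NAME="snort"

# Constructed excerpt of a stock snort.conf, used here as sample input.
make_sample_conf() {
    cat > "$1" <<'EOF'
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
# output database: log, mysql, user=root password=test dbname=db host=localhost
EOF
}

# Rewrite the settings in place (GNU sed -i); a backup is kept as <file>.bak.
configure_snort_conf() {
    conf="$1"
    cp "$conf" "$conf.bak"
    sed -i \
        -e "s|^var HOME_NET any$|var HOME_NET $HOME_NET|" \
        -e 's|^var EXTERNAL_NET any$|var EXTERNAL_NET !$HOME_NET|' \
        -e 's|^var RULE_PATH \.\./rules$|var RULE_PATH /etc/snort/rules|' \
        -e "s|^# *output database: log, mysql,.*|output database: log, mysql, user=$DB_USER password=$DB_PASS dbname=$DB_NAME host=localhost|" \
        "$conf"
}

# Return non-zero if any edit is missing, or if HOME_NET is still "any"
# (snort refuses a negated "any", so EXTERNAL_NET !$HOME_NET would not load).
verify_snort_conf() {
    conf="$1"
    grep -q "^var HOME_NET $HOME_NET\$" "$conf" || return 1
    grep -q '^var EXTERNAL_NET !\$HOME_NET$' "$conf" || return 1
    grep -q '^var RULE_PATH /etc/snort/rules$' "$conf" || return 1
    grep -q "^output database: log, mysql, user=$DB_USER password=$DB_PASS dbname=$DB_NAME host=localhost\$" "$conf" || return 1
    ! grep -q '^var HOME_NET any$' "$conf"
}

# The default copy is world readable; only root and the snort group need it.
lock_down_conf() {
    chown root:snort "$1" && chmod 640 "$1"
}
```

Run configure_snort_conf and verify_snort_conf against /etc/snort/snort.conf, then lock_down_conf as root; keep the .bak copy until snort has started cleanly with the new file.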
Write a script to start snort :
The only "problem" with installing snort from source is that we now need a script to start snort. The other issue is that if there are no alerts, snort will lose its connection with the mysql database.
To solve this, I wrote a script to start / restart snort.
The script is attached to this post and is called "ubuntu.snort.init.txt"
Copy this file to your computer and copy/move it to /etc/init.d/snort
Now let's look at the code. You need to look at two lines.
- The first is your interface. The default is eth0. If you wish to use snort on an alternate interface, such as eth1, you will need to edit the line IFACE="eth0" and change "eth0" to "eth1"
- Note : Snort will not work with wireless interfaces, you need to use airsnort instead.
- The second option is to whitelist IP addresses. I advise you to do this with caution, but you *may* wish to whitelist IP addresses such as your router and your public IP address.
To whitelist an IP, add it to the line WHITELIST='' (note that is two single quotes, ' ', and not a double quote "), one IP at a time, separated by a space, like this :
Now that you are done editing the file, set ownership and permissions :
chown root.root /etc/init.d/snort
chmod 500 /etc/init.d/snort
Starting snort on boot
My script has a 20 second sleep built in (sometimes when you start snort it will fail after a 10-15 second delay). To avoid adding 20 seconds to the boot time, use the "boot" option.
With this factoid in mind, edit /etc/rc.local and add the following single line (above "exit 0" if you have an exit 0 in the file) :
exec /etc/init.d/snort boot
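A minimal /etc/init.d/snort in the spirit of the one described above, added here as an example; it is not the script attached to the post. It shows the two lines to edit (IFACE and WHITELIST), the start-and-check behaviour with the wait skipped for "boot", and the restart action the cron job below calls. Treating the whitelist as a BPF "not host" filter, and the snort binary and pid-file paths, are assumptions.

```shell
#!/bin/sh
# Added example: a minimal /etc/init.d/snort in the spirit of the one described
# above (it is not the script attached to the post).  IFACE and WHITELIST are
# the two lines to edit.  Treating the whitelist as a BPF "not host" filter,
# and the binary and pid-file paths, are assumptions.
IFACE="eth0"
WHITELIST=''          # e.g. '192.168.0.1 203.0.113.5', space separated
SNORT_BIN="/usr/local/bin/snort"
SNORT_CONF="/etc/snort/snort.conf"
LOG_DIR="/var/log/snort"
PIDFILE="$LOG_DIR/snort_$IFACE.pid"
START_WAIT=20         # snort sometimes dies 10-15 s after starting

# Build "not host A and not host B ..." from the whitelist; empty list -> "".
# Whitelisted hosts are never inspected at all, hence the caution above.
bpf_filter() {
    filter=""
    for ip in $1; do
        if [ -z "$filter" ]; then filter="not host $ip"; else filter="$filter and not host $ip"; fi
    done
    printf '%s' "$filter"
}

# Full command line: daemonised, running as the unprivileged snort account,
# with the filter (if any) appended last.
snort_cmd() {
    cmd="$SNORT_BIN -D -u snort -g snort -c $SNORT_CONF -i $IFACE -l $LOG_DIR --pid-path $LOG_DIR"
    f=$(bpf_filter "$WHITELIST")
    [ -n "$f" ] && cmd="$cmd $f"
    printf '%s' "$cmd"
}

snort_running() { [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; }

# "boot" skips the wait so the boot sequence is not delayed by START_WAIT.
do_start() {
    if snort_running; then echo "snort already running"; return 0; fi
    $(snort_cmd)
    [ "$1" = "boot" ] && return 0
    sleep "$START_WAIT"
    snort_running || { echo "snort died after start"; return 1; }
}

do_stop() { snort_running && kill "$(cat "$PIDFILE")"; rm -f "$PIDFILE"; }

case "$1" in
    start)   do_start ;;
    boot)    do_start boot ;;
    stop)    do_stop ;;
    restart) do_stop; sleep 2; do_start ;;
    "")      ;;                              # no argument: nothing to do
    *)       echo "usage: $0 {start|boot|stop|restart}" ;;
esac
```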
Restarting snort with a cron job
Did I mention that Snort may lose the connection to the mysql database if no alerts are received for several hours (which can happen once we eliminate false positives and install OSSEC-HIDS)? In addition, if you clear your data in BASE you may need to restart snort.
To restart snort with my script :
The script will use zenity (a gui interface) if you have it installed (zenity is included in a default Ubuntu or Xubuntu desktop installation, but you will need to add it if you are running Kubuntu). On servers, without X, the script will run without zenity (the script runs either with or without X). In addition, if you run the script as a user you will need to be in the admin group and will be prompted for your password (unless you are in the 15 minute grace period for sudo/gksu).
To restart snort every 6 hours, use crontab (as root)
Add a line for snort :
0 0,6,12,18 * * * /etc/init.d/snort restart >/dev/null 2>&1
Congratulations !! Snort is now configured.