Gentoo Wiki

Snort

Introduction

Snort is a Network Intrusion Detection System (NIDS).

Abstract

The goal of this document is to walk you through the installation and setup of Snort with either PostgreSQL or MySQL as the logging backend.

Procedure

Install Required Programs

Code: Set your USE flags in /etc/make.conf
dynamicplugin  (important for snort 2.6.X)
postgres (if you're using PostgreSQL as a backend)
mysql (if you're using MySQL as a backend)
php
pcre 
Code: Install Snort and a database
emerge -av snort

Install PostgreSQL or Install MySQL.

Setup Snort with PostgreSQL

Code: Start PostgreSQL and create a new snort user
/etc/init.d/postgresql start
createuser -U postgres -P snort 

Enter a unique password (remember it) and answer 'n' to any questions.

Code: Initialize the database
createdb -U postgres --owner snort snort_log
bzip2 -d /usr/share/doc/snort-[version]/schemas/create_postgresql.bz2
psql -U snort snort_log < \
/usr/share/doc/snort-[version]/schemas/create_postgresql
File: /etc/conf.d/snort
SNORT_OPTS="-D -u snort -i $IFACE -c $CONF"
File: /etc/snort/snort.conf
output database: log, postgresql, user=snort dbname=snort_log \
password=[the password you entered when you created the PostgreSQL \
user 'snort'] host=localhost

If PostgreSQL runs on a separate server, use host=[the IP address of your PostgreSQL server] instead of host=localhost.
Code: Verify the permissions of snort.conf (root:snort 640) and start snort
chown root:snort /etc/snort/snort.conf
chmod 640 /etc/snort/snort.conf
/etc/init.d/snort start

If the snort user is not the owner of the snort database, you should grant it permissions on the database objects (the GRANT statements are typed at the psql prompt and continue across lines until the semicolon; no backslashes are needed):

Code: Granting permissions
psql -U snort_owner -d snort_log
GRANT SELECT ON detail, encoding, event, reference_system,
schema, sensor, sig_class, sig_reference, signature TO snort;
GRANT INSERT ON data, event, icmphdr, iphdr, opt, reference,
reference_system, sensor, sig_class, sig_reference, signature,
tcphdr, udphdr TO snort;
GRANT UPDATE ON reference_ref_id_seq,
reference_system_ref_system_id_seq, sensor_sid_seq,
sig_class_sig_class_id_seq, signature_sig_id_seq TO snort;

Code: Verify snort is logging to the database (optional)
echo "SELECT hostname FROM sensor" | psql -d snort_log -U postgres

You should get the hostname (or IP address) of the host snort is running on.

Secure PostgreSQL

File: /var/lib/postgresql/data/pg_hba.conf (comment out, or delete the following)
local all all trust
File: /var/lib/postgresql/data/pg_hba.conf (add the following line)
local snort_log snort md5

Secure Remote PostgreSQL Setup (optional)

You need to edit the next two files only if you've setup PostgreSQL on a separate server.

File: /var/lib/postgresql/data/pg_hba.conf (Comment out or delete the following line)
host all all [ip-addr] [ip-mask] trust
File: /var/lib/postgresql/data/pg_hba.conf (Add the following line)
host snort_log snort [ip-addr] [ip-mask] md5
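The following script is an added example, not part of the original wiki page: it audits a pg_hba.conf for the "trust" rules that the two Secure PostgreSQL sections above tell you to remove, and confirms that a rule limiting the snort user to the snort_log database with md5 authentication is present. It assumes only POSIX sh and awk; the sample pg_hba.conf files it checks are constructed inline.

```shell
#!/bin/sh
# Added example (not from the original wiki page): audit a pg_hba.conf for the
# "trust" rules the Secure PostgreSQL steps tell you to remove, and confirm that
# the snort user is limited to snort_log with md5. Assumes POSIX sh and awk only.

# _pg_hba_rules FILE -> prints "type database user method" for each active rule,
# normalising the two host-line layouts (addr/cidr vs addr mask).
_pg_hba_rules() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }             # skip comments and blanks
        $1 == "local" { m = $4 }                         # local db user method
        $1 != "local" && $5 ~ /^[0-9.:]+$/ { m = $6 }    # host db user addr mask method
        $1 != "local" && $5 !~ /^[0-9.:]+$/ { m = $5 }   # host db user addr/cidr method
        { print $1, $2, $3, m }
    ' "$1"
}

# pg_hba_trust_rules FILE -> prints every rule still using "trust"; exits 1 when
# at least one exists (the weak setting), 0 when the file is clean.
pg_hba_trust_rules() {
    _pg_hba_rules "$1" | awk '$4 == "trust" { print; bad = 1 } END { exit bad ? 1 : 0 }'
}

# pg_hba_snort_md5 FILE -> exits 0 if a rule grants user snort access to the
# snort_log database with md5 (local or host), 1 otherwise.
pg_hba_snort_md5() {
    _pg_hba_rules "$1" |
        awk '$2 == "snort_log" && $3 == "snort" && $4 == "md5" { ok = 1 } END { exit ok ? 0 : 1 }'
}

# Constructed samples: the permissive defaults the wiki says to remove, and the
# hardened rules it says to add.
PG_HBA_BEFORE=$(mktemp); PG_HBA_AFTER=$(mktemp)
cat > "$PG_HBA_BEFORE" <<'EOF'
# TYPE  DATABASE  USER   ADDRESS       MASK           METHOD
local   all       all                                 trust
host    all       all    192.168.1.10  255.255.255.0  trust
EOF
cat > "$PG_HBA_AFTER" <<'EOF'
# TYPE  DATABASE  USER   CIDR-ADDRESS                 METHOD
local   snort_log snort                               md5
host    snort_log snort  192.168.1.0/24               md5
EOF

for f in "$PG_HBA_BEFORE" "$PG_HBA_AFTER"; do
    if pg_hba_trust_rules "$f"; then echo "$f: no trust rules"; else echo "$f: trust rules above"; fi
    pg_hba_snort_md5 "$f" && echo "$f: snort restricted to snort_log with md5"
done
```

Run it against your real file with `pg_hba_trust_rules /var/lib/postgresql/data/pg_hba.conf` after editing; a non-zero exit means a trust rule survived.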

Setup Snort with MySQL

Tip: Skip this if you're using PostgreSQL
Code: Start MySQL and create the snort database
/etc/init.d/mysql start
mysql -u root -p
# enter the MySQL root password you assigned earlier
create database snort_log;
Tip: Notice the semicolon at the end of the line. It's critical.

Code: Create the snort user
grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on snort_log.* to snort@localhost;
SET PASSWORD FOR snort@localhost=PASSWORD('new_password');
flush privileges;
exit;

Replace 'new_password' with a unique password (remember it).

Code: Initialize the database
bzcat /usr/share/doc/snort-[version]/schemas/create_mysql.bz2 | \
mysql -u root -p snort_log
File: /etc/conf.d/snort
SNORT_OPTS="-D -u snort -i $IFACE -c $CONF"
File: /etc/snort/snort.conf
output database: log, mysql, user=snort dbname=snort_log \
password=[the password you entered when you created the database \
user 'snort'] host=localhost
Code: Verify the permissions of snort.conf (root:snort 640) and start snort
chown root:snort /etc/snort/snort.conf
chmod 640 /etc/snort/snort.conf
/etc/init.d/snort start
Code: Verify snort is logging to the database (optional)
echo "SELECT hostname FROM sensor;" | mysql -u root -p snort_log

You should get the hostname (or IP address) of the host snort is listening on.

Final Steps

Code: Restart Snort and the database
/etc/init.d/snort stop
/etc/init.d/postgresql restart    # or, for MySQL: /etc/init.d/mysql restart
/etc/init.d/snort start
Code: Set snort and the database to run on boot
rc-update add snort default
rc-update add postgresql default    # or, for MySQL: rc-update add mysql default

Graphical BASE Front-End (optional)

If you'd like to view your Snort logs graphically via your web browser, take a look at BASE.

Retrieved from "http://www.gentoo-wiki.info/Snort"

Last modified: Thu, 02 Oct 2008 08:07:00 +0000