Setting up Snort and Snortreport

General Information

Any private network should be running some sort of Intrusion Detection System so that system administrators can watch for malicious traffic. In this guide you will learn how to set up Snort and one of its reporting utilities, Snortreport.


Requirements

  1. Local root access on the box, or the ability to su to root.
  2. An SSH client that supports ANSI colors, such as PuTTY or SecureCRT (if you aren’t on the box).
  3. Your favorite text editor (I like nano).
  4. Apache and MySQL servers installed and running.

Installation

Snort

Installation of Snort from the ports tree is straightforward.

 # cd /usr/ports/security/snort
 # make install -DWITH_MYSQL

Snortreport

Snortreport uses php4-gd and jpgraph to display a pretty chart, so if you didn’t compile php4 with GD support and don’t have jpgraph installed, let’s do it now.

 # cd /usr/ports/graphics/php4-gd
 # make install distclean
 # cd /usr/ports/graphics/jpgraph
 # make install distclean

Now that the required packages are installed for Snortreport, let’s install the reporting utility.

 # cd /usr/ports/security/snortreport
 # make install distclean


Configuration

Snort

Snort's rc script is enabled from /etc/rc.conf at boot, so we need to add the enable line there.

 # echo 'snort_enable="YES"' >> /etc/rc.conf 

Because we will be using Snortreport, we need to set up our MySQL database to support snort:

 # mysqladmin -u root -p create snort
 # cd /usr/ports/security/snort/work/snort-*/contrib
 # mysql -u root -p -D snort < create_mysql
 # mysql -u root -p -D snort < /usr/local/share/doc/snortreport/create_indexes.sql

If you already have a MySQL user you plan on using, you can skip this step. Otherwise, execute the following to create a MySQL user named "snort" with a password of "snortpw". Of course, you will want to change the password for security purposes; the same value goes into snort.conf and srconf.php below.

 # cat << EOF > /usr/ports/security/snort/work/snort-*/contrib/snort_user.sql
 GRANT USAGE ON * . * TO snort@localhost IDENTIFIED BY "snortpw" WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 ;
 FLUSH PRIVILEGES;
 GRANT SELECT, INSERT, UPDATE, DELETE ON snort . * TO snort@localhost;
 FLUSH PRIVILEGES;
 EOF
 # mysql -u root -p < /usr/ports/security/snort/work/snort-*/contrib/snort_user.sql
 # cd /usr/ports/security/snort
 # make distclean

Now it's time to edit and tailor Snort's config file to our needs. This is where we tell Snort which subnets, interfaces, and services to keep track of. There's no need to have Snort spend resources looking for bad DNS traffic if we don't run a DNS server, so comment out the server variables you don't need.

 # nano -w /usr/local/etc/snort.conf
 ..output omitted..
 # List of DNS servers on your network
 #var DNS_SERVERS $HOME_NET
 # List of SMTP servers on your network
 var SMTP_SERVERS $HOME_NET
 # List of web servers on your network
 var HTTP_SERVERS $HOME_NET
 # List of sql servers on your network
 var SQL_SERVERS $HOME_NET
 # List of telnet servers on your network
 var TELNET_SERVERS $HOME_NET
 # List of snmp servers on your network
 var SNMP_SERVERS $HOME_NET
 ..output omitted..

In the same file, we need to set up the output options so that Snort logs both to its log file and to MySQL, where Snortreport reads the alerts from. Uncomment and change the following line, substituting the password you chose for the snort user:

 output database: log, mysql, user=snort password=snortpw dbname=snort host=localhost 

Save and exit. Before we start Snort, we need to set up the log directory with the appropriate permissions.

 # mkdir /var/log/snort
 # chmod 0744 /var/log/snort

Snort is all set up, so we might as well fire it up right now. You can either reboot or just issue:

 # /usr/local/etc/rc.d/snort.sh start 

Snortreport

First we need to edit Snortreport's config file so it can reach the MySQL database; use the same credentials you put in snort.conf.

 # nano -w /usr/local/www/snortreport/srconf.php
 ..output omitted..
 // Put your snort database login credentials in this section
 $server = "localhost";
 $user = "snort";
 $pass = "snortpw";
 $dbname = "snort";
 ..output omitted..

Now, in the same file, locate and change your jpgraph line to the following:

 define("JPGRAPH_PATH", "../../share/jpgraph/"); 

Save and exit. Make sure your Apache config is set up to serve Snortreport from /usr/local/www/snortreport.

Now that your new Snort IDS is installed and running, you can either view the alerts directly in /var/log/snort/alert or have Snortreport parse them for you at http://localhost/snortreport (or wherever you have Snortreport configured on your web server).
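As an added example (not part of the original guide or of Snort or Snortreport), the Python script below parses the full-format records that Snort writes to /var/log/snort/alert and counts the higher-priority ones by signature and source address, roughly the overview Snortreport builds from the MySQL table. The alert records are constructed samples, not captured traffic.

```python
import re
from collections import Counter

# Constructed sample in Snort's default "full" alert format, the layout the
# setup above writes to /var/log/snort/alert (not captured from real traffic).
SAMPLE_ALERT_LOG = """\
[**] [1:2003:8] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
01/25-05:30:24.123456 192.0.2.10:1434 -> 10.0.0.5:1434
UDP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:404

[**] [1:2003:8] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
01/25-05:31:02.000001 192.0.2.10:1434 -> 10.0.0.6:1434
UDP TTL:64 TOS:0x0 ID:12346 IpLen:20 DgmLen:404

[**] [1:384:5] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
01/25-05:32:10.500000 198.51.100.7 -> 10.0.0.5
ICMP TTL:63 TOS:0x0 ID:777 IpLen:20 DgmLen:84
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
# Timestamp, then src[:port] -> dst[:port]; ICMP records carry no ports.
FLOW_RE = re.compile(r"^\S+ (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")

def parse_alerts(text):
    """Return one dict per alert record in full-format alert text."""
    alerts, cur = [], None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            cur = {"gid": int(m[1]), "sid": int(m[2]), "rev": int(m[3]), "msg": m[4]}
            alerts.append(cur)
        elif cur is None:
            continue  # ignore anything before the first record header
        elif m := CLASS_RE.match(line):
            cur["class"], cur["priority"] = m[1], int(m[2])
        elif m := FLOW_RE.match(line):
            cur["src"], cur["dst"] = m[1], m[3]
            cur["sport"] = int(m[2]) if m[2] else None
            cur["dport"] = int(m[4]) if m[4] else None
    return alerts

def summarize(alerts, max_priority=2):
    """Count alerts at or above max_priority (1 = most urgent) by signature and source."""
    hot = [a for a in alerts if a.get("priority", 99) <= max_priority]
    return Counter(a["msg"] for a in hot), Counter(a["src"] for a in hot)
```

Point parse_alerts at the contents of /var/log/snort/alert to run it against your own sensor; lowering max_priority narrows the summary to the most urgent signatures.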
