/Guides/FreeBSD/Security/

General Information

Any private network should be running some sort of Intrusion Detection System for system adminstrators to watch for any malicious traffic.  In this guide you will learn how to set up snort and one of its reporting utilities, snortreport.

Requirements

1. Local root access on the box or be able to su to root.
   
2. A SSH client that supports ANSI colors such as puTTy or SecureCRT (if you aren't on the box).
   
3. Your favorite text editor (I like nano).
   
4. Apache and MySQL servers installed and running.

Installation

Snort

Installation of snort is pretty straight forward.

# #	cd /usr/ports/security/snort make install -DWITH_MYSQL

Snortreport

Snortreport uses php4-gd and jpgraph to display a pretty chart, so if you didn't compile php4 with GD support and don't have jpgraph installed, let's do it now.

# # # #

cd /usr/ports/graphics/php4-gd make install distclean cd /usr/ports/graphics/jpgraph make install distclean

Now that the required packages are installed for Snortreport, let's install the reporting utility.

# #	cd /usr/ports/security/snortreport make install distclean

Configuration

Snort

Snort gets launched from /etc/rc.conf on bootup so we need to add it.

#	echo 'snort_enable="YES"' >> /etc/rc.conf

Because we will be using Snortreport, we need to set up our MySQL database to support snort:

# # # #

mysqladmin -u root -p create snort cd /usr/ports/security/snort/work/snort-*/contrib mysql -u root -p -D snort < create_mysql mysql -u root -p -D snort < /usr/local/share/doc/snortreport/create_indexes.sql

If you already have a MySQL user you plan on using, you can skip this step.  Otherwise, execute the following to create a MySQL user of "snort" and a password of "snortpw."  Of course, you will probably want to change the password for security purposes.

# # # # # # # # # # #

cat << EOF > /usr/ports/security/snort/work/snort-*/contrib/snort_user.sql GRANT USAGE ON * . * TO snort@localhost IDENTIFIED BY "snortpw" WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 ; FLUSH PRIVILEGES; GRANT SELECT, INSERT, UPDATE, DELETE ON snort . * TO snort@localhost; FLUSH PRIVILEGES; EOF mysql -u root -p < /usr/ports/security/snort/work/snort-*/contrib/snort_user.sql cd /usr/ports/security/snort make distclean

Now it's time to edit and tailor snort's config file to our needs.  This is where we can have snort only keep track of certain subnets, interfaces, and the services we run.  There's no need to have snort use resources looking for bad DNS traffic if we don't run a DNS server.

# nano -w /usr/local/etc/snort.conf ..output omitted.. # List of DNS servers on your network #var DNS_SERVERS $HOME_NET # List of SMTP servers on your network var SMTP_SERVERS $HOME_NET # List of web servers on your network var HTTP_SERVERS $HOME_NET # List of sql servers on your network var SQL_SERVERS $HOME_NET # List of telnet servers on your network var TELNET_SERVERS $HOME_NET # List of snmp servers on your network var SNMP_SERVERS $HOME_NET ..output omitted..

In the same file, we need to set up the logging options for snort to log to the log file and to MySQL for Snortreport to parse.  So, uncomment and change the following line:

output database: log, mysql, user=snort password=snortpw dbname=snort host=localhost

Save and exit.  Before we start Snort, we need to set up the log directory with the appropriate permissions.

# #	mkdir /var/log/snort chmod 0744 /var/log/snort

Snort is all set up and we might as well fire it up right now.  You can either reboot or just issue:

#	/usr/local/etc/rc.d/snort.sh start

Snortreport

First we need to edit the config file for Snortreport for MySQL database access.

nano -w /usr/local/www/snortreport/srconf.php ..output omitted.. // Put your snort database login credentials in this section $server = "localhost"; $user = "snort"; $pass = "snortpw"; $dbname = "snort"; ..output omitted..

Now, in the same file, locate and change your jpgraph line to the following:

define("JPGRAPH_PATH", "../../share/jpgraph/");

Save and exit.  Make sure you have your apache config set up to see snortreport from /usr/local/www/snortreport.

Now that your new Snort IDS is installed and running, you can either view the logs at /var/log/snort/alert or have Snortreport parse them for you at http://localhost/snortreport, or wherever you have Snortreport configured on your webserver.  To test snort, simply run a port-scan.

Author: Jon LaBass
jon at bsdguides dot org

If snort fails to start after rebooting the system -- possibly giving the following error message:

snort: FATAL ERROR: database: mysql_error: can't connect to local MySQL server through /tmp/mysql.sock (2) --

edit the snort.sh script in /usr/local/etc/rc.d, and insert this command (before the varibles)

sleep 5

it will allow the MySQL server to start properly and initialize snort without conflict --    

I have the same problem (error 2002)without snort installed. You did something wrong when you've installed mysql server.

Hi , all works fine great guide ,  the directory
/usr/ports/security/snort/work/snort-*/contrib is changed   now is ../schemas.

on FreeBSD 5.1

Have a nice day

Snort report is not getting generated properly..

the following is the srconf.php

<? // Snort Report 1.3.1 // December 21, 2005 // Copyright (C) 2000-2005 Symmetrix Technologies, LLC. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by // the Free Software Foundation; either version 2 of the License, or // (at your option) any later version. // // This program is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the // GNU General Public License for more details. // // You should have received a copy of the GNU General Public License // along with this program; if not, write to the Free Software // Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. //  // Current version of Snort Report $srVersion = "Snort Report Version 1.3.1";  // // PLEASE SET THE FOLLOWING VARIABLES TO MATCH YOUR SYSTEM //  // Put your snort database login credentials in this section $server = "localhost"; $user = "snort"; $pass = "snort123; $dbname = "snort";  // use either "mysql" or "pgsql" below, depending on your database $dbtype = "mysql";  // Change to FALSE if GD *and* JPGraph are not installed $haveGD = TRUE;  // Relative path to JPGraph // You need to have jpgraph and jpgraph_pie installed to see the chart. // Change the variable below to reflect the location of jpgraph relative // to Snort Report, for example "../jpgraph/", etc. define("JPGRAPH_PATH", "var/www/html/jpgraph/");  // Path to external utilities // Enter the correct path (including the binary) to nmap and nbtscan if you have them installed // You can also include switches for each binary (see nmap) define("NMAP_PATH", "/usr/bin/nmap -v"); define("NBTSCAN_PATH", "/usr/bin/nbtscan");  tar -zxvf snortreport-1.3.1.tar.gz  // Custom microtiming functions for profiling pages - available from http://improbable.org/chris/software/profiling.phps   define("PROFILING", false); if (PROFILING) { require_once("profiling.phps"); }  // // YOU DON'T NEED TO MODIFY ANYTHING UNDER THIS LINE //  // Open a connection to the database require_once("DB.php"); $db = new DB; $db->setinst($server); $db->setuser($user); $db->setpass($pass); $db->dbname($dbname); $db->persist(); $conn = $db->connect();  define("FULL_DATETIME_FORMAT", "Y-m-d H:i:s");  set_time_limit(1800);  require_once("info-retrieval.php"); ?>

http://localhost/snortreport-1.3.1/alerts.php]
http://localhost/snortreport-1.3.1/alerts.php[/URL]

Snort Report M e n u  Alerts  Snort Home  Snort Report Home setinst($server); $db->setuser($user); $db->setpass($pass); $db->dbname($dbname); $db->persist(); $conn = $db->connect(); define("FULL_DATETIME_FORMAT", "Y-m-d H:i:s"); set_time_limit(1800); require_once("info-retrieval.php"); ?> [/EMAIL]