Tuesday, 13 December 2011

### Snort NIDS Setup ###


 1. Setup MySQL DB environment
  a. create database snort;
  b. grant insert,select on root.* to snort@localhost;
  c. set password for snort@localhost=password('abc123');
  d. grant create,insert,select,delete,update on snort.* to snort@localhost;
  e. grant create,insert,select,delete,update on snort.* to snort;

 2. Import MySQL DB schema
  a. mysql -u root -p < /home/linuxcbt/temp/Snort/snort-2.8.0.2/schemas/create_mysql snort

 3. Setup Snort NIDS /etc/snort environment
  a. mkdir /etc/snort && cp -v /home/linuxcbt/temp/Snort/snort-2.8.0.2/etc/* /etc/snort

Note: Snort's primary configuration file for NIDS mode: /etc/snort/snort.conf

 4. Download the latest Snort rules file and extract to: /etc/snort/rules

Note: Snort rules are available as follows:
 1. Registered users: with delay
 2. Subscriber: no delay - NOT FREE
 3. Unregistered users: release version (very old) of rules
 4. Various third-party sites: e.g. Bleeding Snort, etc.

 a. cd /etc/snort && tar -xzvf snortrules*

 5. Configure: /etc/snort/snort.conf to use MySQL and rules
  a. MySQL - output
  b. Rules - path to the rules

 6. Start Snort in NIDS mode
  a. snort -i eth0 -c /etc/snort/snort.conf -D

 7. Setup BASE web analysis application
  a. wget http://easynews.dl.sourceforge.net/sourceforge/adodb/adodb480.tgz
  b. tar -xzvf adodb480.tgz

Note: adodb480.tgz - provides DB-connectivity for BASE to MySQL

  c. Download BASE from http://base.secureideas.net
  d. Configure: base_conf.php file
   d1. $BASE_urlpath = '/base';
   d2. $DBlib_path = '/var/www/html/adodb';
   d3. $DBtype = 'mysql';
   d4. $alert_dbname = 'snort';
   d5. $alert_host = 'localhost';
   d6. $alert_password = 'abc123';

Note: Ensure that your Apache instance has PHP support
Note: Ensure that 'php-mysql*' package is installed

 8. Connect to BASE via web browser

Note: Consider protecting '/base' application using HTDIGEST or basic auth
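Step 5 above is the least detailed one, so here is an added example (not part of the original post) that makes both edits to snort.conf from the shell: it points RULE_PATH at /etc/snort/rules and enables the Snort 2.8.x MySQL output plugin with the credentials used in the post. The function names and the sample configuration fragment are ours.

```shell
#!/bin/sh
# Added example: apply step 5 (rules path + MySQL output) to a snort.conf.
# Uses the Snort 2.8.x "output database:" plugin syntax. The function is
# idempotent: running it twice leaves exactly one output line.

# write_sample_conf FILE
# Writes a constructed, minimal snort.conf fragment (not a real stock file)
# so the function below can be exercised offline.
write_sample_conf() {
    cat > "$1" <<'EOF'
var HOME_NET any
var RULE_PATH ../rules
# output database: log, mysql, user=snort password=test dbname=snort host=localhost
include $RULE_PATH/local.rules
EOF
}

# configure_snort_conf CONF RULES_DIR DB_USER DB_PASS DB_NAME DB_HOST
# Edits CONF in place via a temp file (portable across GNU/BSD sed).
configure_snort_conf() {
    conf=$1; rules=$2; user=$3; pass=$4; db=$5; host=$6
    output="output database: log, mysql, user=$user password=$pass dbname=$db host=$host"

    # 1. Rules: replace the stock "var RULE_PATH ../rules" with the absolute path,
    #    and 2. remove any existing mysql output line (commented or live) so we
    #    never end up with duplicates, then append ours.
    sed -e "s|^var RULE_PATH .*|var RULE_PATH $rules|" \
        -e '/^#* *output database: .*mysql/d' "$conf" > "$conf.tmp" &&
        mv "$conf.tmp" "$conf"
    printf '%s\n' "$output" >> "$conf"

    # The file now carries the DB password: keep it readable by root/group only.
    chmod 640 "$conf"
}

# Usage matching the post: configure_snort_conf /etc/snort/snort.conf \
#     /etc/snort/rules snort abc123 snort localhost
```

Verify the result with `grep -n 'RULE_PATH\|output database' /etc/snort/snort.conf` before starting Snort (step 6).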
