1. Set up the MySQL DB environment
a. create database snort;
b. grant insert,select on root.* to snort@localhost;
c. set password for snort@localhost=password('abc123');
d. grant create,insert,select,delete,update on snort.* to snort@localhost;
e. grant create,insert,select,delete,update on snort.* to snort;
2. Import MySQL DB schema
a. mysql -u root -p < /home/linuxcbt/temp/Snort/snort-2.8.0.2/schemas/create_mysql snort
3. Set up the Snort NIDS /etc/snort environment
a. mkdir /etc/snort && cp -v /home/linuxcbt/temp/Snort/snort-2.8.0.2/etc/* /etc/snort
Note: Snort's primary configuration file for NIDS mode: /etc/snort/snort.conf
4. Download the latest Snort rules file and extract to: /etc/snort/rules
Note: Snort rules are available as follows:
    1. Registered users: with a delay after release
    2. Subscribers: no delay - NOT FREE
    3. Unregistered users: only the rules bundled with the release version (very old)
    4. Various third-party sites, e.g. Bleeding Snort
a. cd /etc/snort && tar -xzvf snortrules*
5. Configure: /etc/snort/snort.conf to use MySQL and rules
a. MySQL - output plugin: log alerts to the 'snort' database created in step 1
b. Rules - path to the rules extracted in step 4
6. Start Snort in NIDS mode
a. snort -i eth0 -c /etc/snort/snort.conf -D
7. Set up the BASE web analysis application
a. wget http://easynews.dl.sourceforge.net/sourceforge/adodb/adodb480.tgz
b. tar -xzvf adodb480.tgz
Note: adodb480.tgz - provides DB-connectivity for BASE to MySQL
c. Download BASE from http://base.secureideas.net
d. Configure: base_conf.php file
d1. $BASE_urlpath = '/base';
d2. $DBlib_path = "/var/www/html/adodb";
d3. $DBtype = 'mysql';
d4. $alert_dbname = 'snort';
d5. $alert_host = 'localhost';
d6. $alert_password = 'abc123';
Note: $alert_user must match the MySQL user created in step 1 ('snort')
Note: Ensure that your Apache instance has PHP support
Note: Ensure that 'php-mysql*' package is installed
8. Connect to BASE via web browser
Note: Consider protecting the '/base' application with HTTP digest or basic authentication