
Thread: HOWTO: Snort Mysql Base

  1. #1
    Join Date
    Nov 2005
    Beans
    49
    Distro
    Ubuntu Breezy 5.10

    HOWTO: Snort Mysql Base

    I finally created a new guide for Feisty which is very similar but if anything easier.
    http://ubuntuforums.org/showthread.php?t=483488

    This guide will show you how to install the IDS system snort, have snort log to a mysql database, and then access the information in that database with Base through apache.

    Most of the information from this guide I learned from Patrick Harper's Centos guide. I would recommend taking a look at it even if you're installing snort on Ubuntu. http://www.snort.org/docs/setup_guid...t_base_SSL.pdf

    First edit /etc/apt/sources.list and uncomment these 2 lines. (My file actually has more uncommented so I'm not sure which sources you'll actually need. If you run into problems try uncommenting more. You can always change it back when you're done.)

    deb http://us.archive.ubuntu.com/ubuntu breezy-updates main restricted
    deb-src http://us.archive.ubuntu.com/ubuntu breezy-updates main restricted
    Next update
    sudo apt-get update
    Install snort with mysql support
    sudo apt-get install snort-mysql
    Ubuntu will bring up a configuration dialog with a network that you can use. I replaced this with any so it will log all traffic. Next it'll ask if you want to set snort to log to a mysql server. For now we'll say no because we haven't set mysql up yet.

    Before testing snort I'm going to go ahead and install oinkmaster and get the latest rules. Oinkmaster is a program that you can use to automatically fetch snort rules.

    sudo apt-get install oinkmaster
    Now you'll need to edit the oinkmaster config file which is located at /etc/oinkmaster.conf. I would recommend going to snort.org and registering so you can obtain an oinkcode.

    Replace
    with
    url = http://www.snort.org/pub-bin/oinkmaster.cgi/5a08f649c16a278e1012e1c84bdc8fab9a70e2a4/snortrules-snapshot-2.3.tar.gz
    Just make sure you replace 5a08f649c16a278e1012e1c84bdc8fab9a70e2a4 with your oinkcode. Pay attention to the version of snort you're using. To find out type snort -V. My example above is version 2.3.

    Now to test oinkmaster
    sudo oinkmaster -o /tmp/
    ls /tmp
    The -o switch is for output directory. You should see several .rules files in /tmp now.

    If everything works out alright then update your snort rules
    sudo oinkmaster -o /etc/snort/rules/
    A good idea is to add oinkmaster to a cron job to update your rules automatically. I'm a bit rusty with crons so I'm gonna leave that out of this HOWTO until I read up on them again.

    Now edit the snort config file
    sudo vi /etc/snort/snort.conf
    In the beginning there are a couple of variables you should check on. The defaults should work fine. Read over the config file, the comments provide more information about the preprocessors and other snort options.
    var HOME_NET any

    var RULE_PATH /etc/snort/rules
    At the very end you'll find the rules list. Here you can uncomment additional rule sets depending on what rules you want to monitor.

    Now's the time to fire snort up using the snort config file.
    sudo snort -c /etc/snort/snort.conf
    By default snort logs alerts to /var/log/snort/alert

    To test snort I used another computer and did a scan with nmap.
    sudo nmap -sS Your_IP_Address
    If you look through /var/log/snort/alert you should see some port scan activity. Do a search on the file. If it's empty then something is wrong.
    sudo cat /var/log/snort/alert
    Now to install mysql
    sudo apt-get install mysql-server
    There's a couple of questions apt asks and I just used the defaults by pressing enter a couple of times.

    Edit the snort config file again so we can change where snort logs its outputs
    sudo vi /etc/snort/snort.conf
    Comment out so it looks like the following. Mine was line 512.
    # output log_tcpdump: tcpdump.log
    Uncomment line 529
    output database: log, mysql, user=root password=test dbname=db host=localhost
    For this guide I'm going to use snort as my user, password and database. I would recommend you use something different, just note what it is. If you are logging to another mysql server then change localhost to whatever IP the server is.
    output database: log, mysql, user=snort password=snort dbname=snort host=localhost
    I don't know anything about mysql. I followed Patrick's guide word for word. Download snort from snort.org and extract it. Since my version of snort was 2.3.2 that's what I downloaded from snort.org. Then we'll set up a database for snort.
    mysql -u root
    set password for root@localhost=password('PICK_A_PASSWORD');
    create database snort;
    grant insert,select on root.* to snort@localhost;
    set password for snort@localhost=password('PASSWORD_SNORT_CONF');
    grant create,delete,insert,select,update on snort.* to snort@localhost;
    grant create,delete,insert,select,update on snort.* to snort;
    exit
    Pay attention to the semicolons ;

    Create the tables
    mysql -u root -p < ~/snort-2.3.2/schemas/create_mysql snort
    Check the database
    mysql -u root -p
    show databases;
    use snort
    show tables;
    exit
    You should be able to fire up snort with no problems.
    sudo snort -c /etc/snort/snort.conf
    *I Updated this section and found adodb in the repository
    Install apache our webserver and php with mysql & adodb
    sudo apt-get install apache2 php5-mysql libphp-adodb
    Download base
    http://sourceforge.net/project/showf...ease_id=384975
    Move base to /var/www, extract and delete the archive.
    sudo mv base-1.2.2.tar.gz /var/www
    cd /var/www
    sudo tar -xvzf base-1.2.2.tar.gz
    sudo rm base-1.2.2.tar.gz
    sudo mv base-1.2.2 base
    Edit the base configuration
    sudo cp base/base_conf.php.dist base/base_conf.php
    sudo vi base/base_conf.php
    $BASE_urlpath = "/base";
    $DBlib_path = "/usr/share/adodb/";
    Change line 85 and so on to match your mysql database. Such as the username, password etc.

    I was expecting this to work but for some reason it didn't. I fired up firefox and went to localhost and when I clicked the folder base it kept trying to download a file. I tried restarting apache but the only thing that actually worked was a reboot. Go figure.

    If you go to http://localhost/base you should see a link to the setup page. Click it and then click Setup Base AG. Now click home and Base should be up and running.

    Now in order to get the graph to work
    sudo apt-get install php5-gd php-pear
    sudo pear install Image_Color
    sudo pear install Image_Canvas-alpha
    sudo pear install Image_Graph-alpha
    Restart Apache and make sure snort is running
    sudo /etc/init.d/apache2 restart
    sudo /etc/init.d/snort start
    For some reason when I was trying to install Image_Color it was missing a dependency that was already installed. If you get the same error try the following.
    sudo apt-get remove php5-gd
    sudo apt-get install php5-gd
    This is my first HOWTO. Good luck & have fun.
    Last edited by djhedges; June 25th, 2007 at 01:04 AM. Reason: Update

  2. #2
    Join Date
    Feb 2005
    Beans
    28

    Re: HOWTO: Snort Mysql Base

    Thanks for the great tut...I've been looking for a good Snort tutorial for quite a while and this one hits the spot. One question though.

    My router/gateway is configured to forward traffic to the internal server running http, ssh, etc. Whenever an alert from the outside is triggered in Base, the source address is always the router/gateway. This is not extremely helpful for me to know who is attacking me. Is there a way to change this? I use awstats and it is able to record the REAL source address of visitors so why should base/snort be able to as well? Thanks for the help.

  3. #3
    Join Date
    Nov 2005
    Beans
    49
    Distro
    Ubuntu Breezy 5.10

    Re: HOWTO: Snort Mysql Base

    It should log outside sources. If I were you I would look at trying to trip the snort sensor from the outside and see if it only shows your router. I know when I first set my sensor up the router's upnp forwarding was logging a lot. When I ran bit torrent it was logging the external IPs. I'm assuming your router is using NAT.

    You could try creating a simple rule to log ssh connections.
    sudo vi /etc/snort/local.rules
    Make sure local.rules isn't commented in the snort.conf and add the following:
    alert tcp any 22 <> any any (msg:"SSH Traffic"; sid:1000001; rev:1;)
    Just be careful because I believe this rule will log each tcp packet that matches port 22.

    After that just connect from an outside IP and see if it's in the log.

  4. #4
    Join Date
    Feb 2005
    Beans
    28

    Re: HOWTO: Snort Mysql Base

    Thanks for the tip. I just have a few other questions on locking it down a bit more.

    1. - Can I restrict access to only localhost or a certain ip address?
    2. - I get a lot of alerts that I don't care about. Can I make snort ignore those alerts? My thinking is maybe go into the rules files and comment out lines with rules I don't want. Is that correct?
    3. - When I try to start snort from /etc/init.d/snort I get an error saying

    /etc/snort/snort.conf: line 44: var: command not found

    I think it's because I installed snort first and then removed it and installed snort-mysql. Snort-mysql's snort.conf has a format of 'var HOME_NET any'. The snort.conf for the original snort has 'DEBIAN_SNORT_HOME_NET=ANY'. I'm assuming the /etc/init.d/snort is from the original snort and not snort-mysql.

    Maybe if someone else is not having this problem, you can check out the init script and post it so I can copy it. I've looked through the init script and it calls for variables in the original snort format (DEBIAN_SNORT_HOME_NET)...so I'm guessing that's where the error originates because it works fine to start it with

    #snort -c /etc/snort/snort.conf

    Thanks again for the tutorial and help.
    Last edited by bond00; March 30th, 2006 at 08:55 PM.

  5. #5
    Join Date
    Nov 2005
    Beans
    49
    Distro
    Ubuntu Breezy 5.10

    Re: HOWTO: Snort Mysql Base

    1-Yes you can but I've never really done it myself and I don't exactly know how. There are two possibilities that you can use though. Either set up a firewall using Firestarter or Iptables and allow access to port 80 by certain IP addresses. I googled and found some sites mentioning setting access to apache by IP addresses. If you read Patrick's Guide he has a section at the end where he demonstrates adding a username and password to the base folder.

    2-A problem with any IDS system is false positives. You can go in and comment out rules that you don't want snort to check for. Something like ICMP may be a bit useless. You can also go into the specific rule files themselves. This gets a little bit more advanced but it'll allow you to comment out specific signatures. One more option that I know of is at the beginning of the snort.conf file. There are variables with which you define your servers such as dns. By default it's using the $HOME_NET variable.

    3-I've got some ideas on how to fix it, let me test some things. I did try removing snort-mysql and installing snort. I couldn't start it w/ the init.d script. I removed snort and the init.d script was still there. I then put snort-mysql back on and everything still worked. It does contain some of those DEBIAN_SNORT_HOME_NET that you mentioned.

    I just removed snort-mysql and deleted my script, which I recommend you don't do because I can't get it installed again. I'm working on it though.

  6. #6
    Join Date
    Nov 2005
    Beans
    49
    Distro
    Ubuntu Breezy 5.10

    Re: HOWTO: Snort Mysql Base

    I think I know what broke my snort. I was trying to find a way to get the latest version of it installed on my server but with no luck. After removing snort-mysql I did snort -V and Snort 2.4.4 showed up even though it won't work. I got back on my laptop and I think I have a fix for ya. If you do apt-get remove snort-mysql it'll still leave the init script there and if you delete it you won't be able to reinstall snort.

    Open synaptic and do a search for snort. Back up your config file first though. Mark snort-common and snort-mysql for complete removal. This will remove the init script and snort config. Then just install snort-mysql again and you should be good to go. Let me know how it turns out.

  7. #7
    Join Date
    Feb 2005
    Beans
    28

    Re: HOWTO: Snort Mysql Base

    Quote Originally Posted by djhedges
    I think I know what broke my snort. I was trying to find a way to get the latest version of it installed on my server but with no luck. After removing snort-mysql I did snort -V and Snort 2.4.4 showed up even though it won't work. I got back on my laptop and I think I have a fix for ya. If you do apt-get remove snort-mysql it'll still leave the init script there and if you delete it you won't be able to reinstall snort.

    Open synaptic and do a search for snort. Back up your config file first though. Mark snort-common and snort-mysql for complete removal. This will remove the init script and snort config. Then just install snort-mysql again and you should be good to go. Let me know how it turns out.

    Thanks! That worked. After completely removing I also had to run "update-rc.d -n -f snort remove" That removed all symlinks. Then a reinstall worked. Thanks again for the great tut.

  8. #8
    Join Date
    Nov 2005
    Beans
    49
    Distro
    Ubuntu Breezy 5.10

    Re: HOWTO: Snort Mysql Base

    threshold.conf is a neat config located under /etc/snort that will limit the number of logs snort generates. This is probably better than commenting out rules because oinkmaster automatically uncomments them.

    It's pretty self-explanatory. I just fired up Base in firefox and found a rule that was generating too much traffic such as samba connects. I'd like to know if someone from the outside was connecting but locally I wasn't worried about this kind of traffic tripping the sensor. Here's what I added to the config.

    suppress gen_id 1 sig_id 2466, track by_src, ip 192.168.1.0/25
    192.168.1.0 covers my network. Most networks will probably have a 24-bit mask instead of 25 though.
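As an added example (my own script, not something posted in this thread), the POSIX shell script below ties together two steps from the thread: searching /var/log/snort/alert for activity after the nmap test in the first post, and deciding which noisy internal source deserves a suppress entry in threshold.conf as described in this post. It assumes Snort 2.x's default "full" alert file format, works on constructed sample entries (the signature ids and addresses are illustrative), takes the internal network as a plain address prefix rather than a CIDR mask, and writes suppress lines in the comma-separated form given in the Snort manual. External sources are deliberately never suppressed, so alerts from outside keep being logged.

```shell
#!/bin/sh
# Added example (not from the thread): summarise a Snort 2.x "full" alert file
# such as /var/log/snort/alert by signature and source, then propose
# threshold.conf "suppress" lines only for noisy INTERNAL sources.
# The alert entries written by make_sample_alerts are constructed for this
# example; signature ids and addresses are illustrative only.

# Write a small constructed alert file (Snort "full" alert format) to $1.
make_sample_alerts() {
    cat > "$1" <<'EOF'
[**] [1:2466:7] NETBIOS SMB-DS IPC$ unicode share access [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
03/30-20:55:01.123456 192.168.1.10:1025 -> 192.168.1.5:445
TCP TTL:128 TOS:0x0 ID:1234 IpLen:20 DgmLen:48 DF

[**] [1:2466:7] NETBIOS SMB-DS IPC$ unicode share access [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
03/30-20:55:02.223456 192.168.1.10:1026 -> 192.168.1.5:445
TCP TTL:128 TOS:0x0 ID:1235 IpLen:20 DgmLen:48 DF

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
03/30-21:00:00.000000 203.0.113.7 -> 192.168.1.5
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:163

[**] [1:2466:7] NETBIOS SMB-DS IPC$ unicode share access [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
03/30-21:05:10.000000 198.51.100.9:3210 -> 192.168.1.5:445
TCP TTL:54 TOS:0x0 ID:777 IpLen:20 DgmLen:48 DF
EOF
}

# Print one "gen_id sig_id source_ip" line per alert entry in file $1.
# The "[**] [gen:sid:rev] msg [**]" header carries the ids; the following
# "timestamp src -> dst" line carries the source (port stripped if present).
alert_records() {
    awk '
        /^\[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\]/ {
            split($2, id, ":")        # $2 looks like "[1:2466:7]"
            gen = substr(id[1], 2)    # drop the leading "["
            sid = id[2]
            next
        }
        / -> / {
            src = $2
            sub(/:[0-9]+$/, "", src)  # portscan entries carry no port
            print gen, sid, src
        }' "$1"
}

# Alert counts per signature, busiest first: "<count> <gen>:<sid>".
count_by_sig() {
    alert_records "$1" | awk '{ print $1 ":" $2 }' | sort | uniq -c | sort -rn
}

# Propose suppress lines for sources inside the internal network ($2 is a
# simple address prefix such as "192.168.1.") that fired a signature at least
# $3 times. Sources outside that prefix never get a suppress line. Output
# follows the Snort manual's threshold.conf syntax (commas between the pairs).
suggest_suppress() {
    alert_records "$1" | sort | uniq -c |
    awk -v pfx="$2" -v min="$3" '
        $1 >= min && index($4, pfx) == 1 {
            printf "suppress gen_id %s, sig_id %s, track by_src, ip %s\n", $2, $3, $4
        }'
}

# Stand-alone run against the constructed sample.
main() {
    f=$(mktemp)
    make_sample_alerts "$f"
    echo "Alerts per signature:"
    count_by_sig "$f"
    echo
    echo "Candidate threshold.conf lines (internal prefix 192.168.1., min 2 hits):"
    suggest_suppress "$f" 192.168.1. 2
    rm -f "$f"
}

main
```

Run it as-is to see the sample output; against a real sensor, point the functions at /var/log/snort/alert, review each proposed line in Base before pasting it into /etc/snort/threshold.conf, and keep the suppress scoped to the single internal host rather than the whole network wherever that is enough.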

  9. #9
    Join Date
    Jan 2006
    Beans
    46

    Re: HOWTO: Snort Mysql Base

    grant insert,select on root.* to snort@localhost;
    There seems to be something wrong with this statement. I thought all we ever create is a snort database. root.* seems to refer to a root database? I don't know much of mysql but a quick google gave me the syntax:

    GRANT priv_type [(column_list)] [, priv_type [(column_list)]] ...
    ON {tbl_name | * | *.* | db_name.*}
    TO user [IDENTIFIED BY [PASSWORD] 'password']
    [, user [IDENTIFIED BY [PASSWORD] 'password']] ...

    can someone verify this?

  10. #10
    Join Date
    Nov 2005
    Beans
    49
    Distro
    Ubuntu Breezy 5.10

    Re: HOWTO: Snort Mysql Base

    Quote Originally Posted by stock99
    There seems to be something wrong with this statement. I thought all we ever create is a snort database. root.* seems to refer to a root database? I don't know much of mysql but a quick google gave me the syntax:

    GRANT priv_type [(column_list)] [, priv_type [(column_list)]] ...
    ON {tbl_name | * | *.* | db_name.*}
    TO user [IDENTIFIED BY [PASSWORD] 'password']
    [, user [IDENTIFIED BY [PASSWORD] 'password']] ...

    can someone verify this?
    I see what you're saying but I think the line is giving permission to the user snort, how do I put this. Kind of like permission to a root directory, not so much a root database. I'm never very good with mysql commands myself but think of it kind of like directories & permissions.

    root
    |---snort
        |----various tables

    If you had no permissions to root then you wouldn't be able to access the sub directories.
