Assuming that you have just done a basic install of CentOS Server, we will have to add a few things to the server so that Snort will run correctly.
The first thing you want to install is the MySQL server and some other packages needed for Snort.
yum install -y mysql-server mysql-bench mysql-devel php-mysql gcc pcre-devel php-gd gd glib2-devel gcc-c++ libcap-devel
Once that is done we will add the Atomic Rocket Turtle repo so that we can use yum to install Snort.
wget http://www.atomicrocketturtle.com/RPM-GPG-KEY.art.txt
rpm --import RPM-GPG-KEY.art.txt
wget http://www.atomicorp.com/installers/atomic.sh
sh atomic.sh
Now that the new repo is installed we can install Snort.
yum install -y snort snort-mysql
We will actually need to download the Snort source as well, because we will need one file from it. You can go to http://www.snort.org/snort-downloads and just wget the latest release.
We can now edit the snort.conf file located in the /etc/snort directory.
This should be at the start of the conf file, and you will have to change it to your home net.
var HOME_NET [192.168.1.0/21]
You will also want to change EXTERNAL_NET to the entry below.
var EXTERNAL_NET !$HOME_NET
Uncomment and fill in the output database info (be sure to remember it, as you will need it when you set up the database).
output database: log, mysql, user=snort password=RanDomPassWord dbname=snort host=localhost
We will create the DB now. You will want to make sure the server is running, so use /etc/init.d/mysqld start
Log in with 'mysql -u root'; there should be no password by default. Follow the commands below to get our snort DB created.
mysql> create database snort;
mysql> grant INSERT,SELECT on root.* to snort@localhost;
mysql> SET PASSWORD FOR snort@localhost=PASSWORD('RanDomPassWord');
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
If you want to secure the root user as well while you are in here, you can also run the command below to do so.
SET PASSWORD FOR root@localhost=PASSWORD('rootmysqlpass');
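The password on the "output database:" line in snort.conf has to match the one stored in MySQL exactly, and typing it twice is where most setups go wrong. The script below is an added example (not part of the original walkthrough) that reads the credentials out of snort.conf and generates the matching CREATE/GRANT/SET PASSWORD statements, so the database side is always derived from what Snort will actually use. The snort.conf content embedded here is constructed for the demo; the function names conf_field and gen_grant_sql are this example's own.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): derive the MySQL grants
# from the "output database:" line in snort.conf so the two passwords cannot drift.
# The snort.conf content below is constructed for this demo.

# Print the value of KEY (user, password, dbname, host) from the first
# uncommented "output database:" line in CONF.
conf_field() {
    conf=$1; key=$2
    grep '^output database:' "$conf" | head -n 1 \
        | sed -n "s/.*[ ,]$key=\([^ ]*\).*/\1/p"
}

# Emit SQL that creates the database and a least-privilege snort user
# (only CREATE, INSERT, SELECT, DELETE, UPDATE on the snort database, as in the
# walkthrough). Single quotes in the password are doubled so they cannot break
# out of the SQL string literal.
gen_grant_sql() {
    conf=$1
    user=$(conf_field "$conf" user)
    pass=$(conf_field "$conf" password | sed "s/'/''/g")
    db=$(conf_field "$conf" dbname)
    host=$(conf_field "$conf" host)
    [ -n "$user" ] && [ -n "$pass" ] && [ -n "$db" ] && [ -n "$host" ] \
        || { echo "no usable output database line in $conf" >&2; return 1; }
    printf 'CREATE DATABASE IF NOT EXISTS %s;\n' "$db"
    printf 'GRANT CREATE, INSERT, SELECT, DELETE, UPDATE ON %s.* TO %s@%s;\n' "$db" "$user" "$host"
    printf "SET PASSWORD FOR %s@%s = PASSWORD('%s');\n" "$user" "$host" "$pass"
}

# Constructed sample snort.conf for the demo (the commented-out line is the
# placeholder that ships in the stock file and must be ignored).
DEMO_CONF=$(mktemp)
trap 'rm -f "$DEMO_CONF"' EXIT
cat > "$DEMO_CONF" <<'EOF'
var HOME_NET [192.168.1.0/21]
var EXTERNAL_NET !$HOME_NET
# output database: log, mysql, user=snort password=test dbname=snort host=localhost
output database: log, mysql, user=snort password=RanDomPassWord dbname=snort host=localhost
EOF

gen_grant_sql "$DEMO_CONF"
```

Pipe the output into mysql -u root to apply it. Because snort.conf now holds the database password in clear text, keep the file readable only by root (Snort reads it before dropping privileges), otherwise any local user can pick the credentials up from it.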
Download ADODB and BASE
cd /var/www/
tar -xvzf /root/adodb-511.tgz
mv adodb5/ adodb
Installing and configuring BASE:
cd /var/www/html
tar -xvzf /root/base-1.4.5.tar.gz
mv base-1.4.5 base
Setting up BASE is pretty simple and can be done in your browser. Go to the IP of your server and put /base at the end of it.
If everything is okay then we can proceed to the next screen. Press Continue.
Just enter your adodb path and press Continue.
You will need to enter all your database info here; it will not let you proceed if you don't put in valid info, so just copy it from snort.conf if needed. I didn't set up archiving in this walkthrough, so you can leave it unchecked and press Continue.
This step is so that not just anyone can log into your Snort setup, so I would recommend using it. Fill in your info if needed and press Continue.
This is the last step. Press the Create BASE AG button under Status, and that should complete the BASE setup; you should start picking up all the traffic on the server. If you want the graphing in BASE to work, you will need to install a few things.
yum install php-pear
pear install Image_Canvas-alpha
pear install Image_Color
pear install Numbers_Roman
pear install Image_Graph-0.8.0
We will also have to add rules to Snort, otherwise you won't be picking up much. We used Bleeding Edge rules, so I will write how to go about installing these rules.
Download the rules from here:
First we will install Oinkmaster. This is so that the rules will be updated automatically, and since we installed the Atomic Rocket Turtle repo you can just use yum.
yum install oinkmaster
Once that is installed you will have to run it, so use:
oinkmaster.pl -q -C Oinkmaster-bleedingsnort.conf -o ./rules
Then add your rules to the snort.conf file. I just added bleeding.conf to the included rules and did my editing in that file, but you can also add all the rules directly to snort.conf. The rules added are below.
include $RULE_PATH/bleeding-attack-response.rules
include $RULE_PATH/bleeding-drop.rules
include $RULE_PATH/bleeding-dshield.rules
include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/bleeding-game.rules
include $RULE_PATH/bleeding-inappropriate.rules
include $RULE_PATH/bleeding-malware.rules
include $RULE_PATH/bleeding-p2p.rules
include $RULE_PATH/bleeding-policy.rules
include $RULE_PATH/bleeding.rules
include $RULE_PATH/bleeding-scan.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/bleeding-web.rules
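A single include that points at a rule file Oinkmaster did not fetch is enough to stop Snort from starting, and on a sensor that fails silently at boot you lose visibility without noticing. The script below is an added example (not part of the original walkthrough) that walks every "include $RULE_PATH/..." line in a config and reports the ones with no file behind them. The rule directory and config fragment it builds are constructed for the demo; the function name check_rule_includes is this example's own.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): verify that every rule
# file included from the config actually exists under RULE_PATH before
# restarting snortd. The rules directory and config below are constructed.

# Print "missing: <path>" for each include that has no file behind it.
# Returns the number of missing files (0 means every include resolves;
# the shell caps return codes at 255, which is plenty for a rules list).
check_rule_includes() {
    conf=$1; rule_path=$2; missing=0
    # Pull the file name out of lines of the form: include $RULE_PATH/<name>
    for f in $(sed -n 's|^include [$]RULE_PATH/\(.*\)$|\1|p' "$conf"); do
        if [ ! -f "$rule_path/$f" ]; then
            echo "missing: $rule_path/$f"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Constructed demo layout: two rule files present, one include left dangling.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
mkdir "$DEMO_DIR/rules"
printf 'drop tcp any any -> any any (msg:"demo drop"; sid:1000001;)\n' > "$DEMO_DIR/rules/bleeding-drop.rules"
printf 'alert tcp any any -> any any (msg:"demo malware"; sid:1000002;)\n' > "$DEMO_DIR/rules/bleeding-malware.rules"
cat > "$DEMO_DIR/bleeding.conf" <<'EOF'
# constructed config fragment
include $RULE_PATH/bleeding-drop.rules
include $RULE_PATH/bleeding-malware.rules
include $RULE_PATH/bleeding-web.rules
EOF

check_rule_includes "$DEMO_DIR/bleeding.conf" "$DEMO_DIR/rules"
echo "missing rule files: $?"
```

On the real sensor, run it as check_rule_includes /etc/snort/bleeding.conf /etc/snort/rules (or whatever your RULE_PATH is) after each Oinkmaster update and before restarting snortd; a zero return means it is safe to proceed. Snort's own -T option (snort -T -c /etc/snort/snort.conf) then parses the full configuration, including the rule syntax, without starting the sniffer.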
If you don't want to have to worry about Snort starting when you reboot, you should make it start on boot with the chkconfig command.
chkconfig snortd on
chkconfig mysqld on
Because of all the changes, just do a restart on snort and httpd and you should be good to go with your newly set up IDS.
All that is left to do now is to set your server's interface into promiscuous mode, which allows the server to intercept and read each network packet that arrives in its entirety.
ifconfig eth0 promisc