Setting up Snort on your Server. (I used CentOS 5.6)
Assuming you have just done a basic install of CentOS Server, a few things need to be added before Snort will run correctly.
First, install the MySQL server and the other packages Snort needs.
yum install -y mysql-server mysql-bench mysql-devel php-mysql gcc pcre-devel php-gd gd glib2-devel gcc-c++ libcap-devel
Once that is done we will add the Atomic Rocket Turtle Repo so that we can use yum to install snort.
wget http://www.atomicrocketturtle.com/RPM-GPG-KEY.art.txt
rpm --import RPM-GPG-KEY.art.txt
wget http://www.atomicorp.com/installers/atomic.sh
sh atomic.sh
Now that the new repo is installed we can install Snort.
yum install -y snort snort-mysql
We will also need to download the Snort source, because we need one file from it. Go to http://www.snort.org/snort-downloads and wget the latest release.
wget http://www.snort.org/downloads/867
We can now edit the snort.conf file located in the ‘/etc/snort’ directory.
This should be near the start of the conf file; change it to your home network.
var HOME_NET [192.168.1.0/21]
You will also need to change the external net to the entry below.
var EXTERNAL_NET !$HOME_NET
Uncomment and fill in the output database line (be sure to remember these values, as you will need them when you set up the database).
output database: log, mysql, user=snort password=RanDomPassWord dbname=snort host=localhost
We will create the DB now. Make sure the server is running first with /etc/init.d/mysqld start.
Log in with 'mysql -u root' (there is no root password by default) and run the commands below to create the snort DB.
mysql> create database snort;
grant INSERT,SELECT on root.* to snort@localhost;
SET PASSWORD FOR snort@localhost=PASSWORD('RanDomPassWord');
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
If you also want to secure the MySQL root user while you are in here, run the command below.
SET PASSWORD FOR root@localhost=PASSWORD('rootmysqlpass');
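The database credentials in snort.conf and the grants you type into mysql have to agree, and the snort user only needs rights on its own database. The script below is an added example, not part of the original walkthrough: it pulls user, password, dbname and host out of the "output database:" line of a snort.conf and prints the MySQL statements that create that database and give the user just the privileges the output plugin needs. The sample conf path and the helper names (parse_output_line, grant_sql) are my own; it assumes the database runs on the same box as the sensor, as in the walkthrough, and that the password contains no spaces or quotes.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): derive the MySQL grants
# for the Snort output plugin from the "output database:" line in snort.conf,
# so the password used for the DB user is exactly the one Snort will send.
# Usage: sh snort-db-grants.sh /etc/snort/snort.conf | mysql -u root -p

# parse_output_line CONF -> prints "user password dbname host" on one line,
# returns 1 if the conf has no usable output database line.
parse_output_line() {
    line=$(grep -E '^output database:' "$1" | head -n 1)
    [ -n "$line" ] || { echo "no output database line in $1" >&2; return 1; }
    user=$(echo "$line" | sed -n 's/.*user=\([^ ]*\).*/\1/p')
    pass=$(echo "$line" | sed -n 's/.*password=\([^ ]*\).*/\1/p')
    db=$(echo "$line"   | sed -n 's/.*dbname=\([^ ]*\).*/\1/p')
    host=$(echo "$line" | sed -n 's/.*host=\([^ ]*\).*/\1/p')
    if [ -z "$user" ] || [ -z "$pass" ] || [ -z "$db" ] || [ -z "$host" ]; then
        echo "output database line is missing user/password/dbname/host" >&2
        return 1
    fi
    printf '%s %s %s %s\n' "$user" "$pass" "$db" "$host"
}

# grant_sql USER PASS DB HOST -> prints SQL that creates DB and grants USER,
# connecting from HOST, only the privileges Snort's mysql output needs on DB.
# No rights are given on any other schema (least privilege for the sensor).
grant_sql() {
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$3\`;
GRANT CREATE, INSERT, SELECT, DELETE, UPDATE ON \`$3\`.* TO '$1'@'$4' IDENTIFIED BY '$2';
FLUSH PRIVILEGES;
EOF
}

# Stand-alone use: read the conf named on the command line and emit the SQL.
if [ "$#" -gt 0 ]; then
    set -- $(parse_output_line "$1") || exit 1
    grant_sql "$@"
fi
```

Pipe the output into mysql as root rather than pasting it, so the password is not left in your shell history; the snort.conf itself should already be readable only by root since it holds the same password.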
Download ADODB and BASE
ADODB:
wget http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-511-for-php5/adodb511.tgz/download
BASE:
wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz/download
Installing ADODB:
cd /var/www/
tar -xvzf /root/adodb-511.tgz
mv adodb5/ adodb
Installing and configuring BASE:
cd /var/www/html
tar -xvzf /root/base-1.4.5.tar.gz
mv base-1.4.5 base
Setting up BASE is pretty simple and is done in your browser. Go to the IP of your server with /base on the end.
http://10.11.12.13/base
If everything is okay then we can proceed to the next screen. Press Continue.
Just enter your adodb path and press Continue.
On the database screen you need to enter all your database info; it will not let you proceed until the details are valid, so copy them from snort.conf if needed. I didn't set up archiving in this walkthrough, so you can leave it unchecked and press Continue.
The next screen sets up authentication for BASE, so that not just anyone can log into your Snort setup; I would recommend using it. Fill in your info if needed and press Continue.
This is the last step. Press the Create Base AG button under Status; that completes the BASE setup and you should start seeing the traffic on the server. If you want graphing to work in BASE you will need to install a few more things.
yum install php-pear
pear install Image_Canvas-alpha
pear install Image_Color
pear install Numbers_Roman
pear install Image_Graph-0.8.0
We will also have to add rules to Snort, otherwise you won't be picking up much. We used the Bleeding Edge rules, so I will describe how to install those.
Download the rules from here:
wget http://www.bleedingsnort.com/downloads/bleeding.rules.tar.gz
First we will install Oinkmaster so that the rules are updated automatically. Since we installed the Atomic Rocket Turtle repo you can just use yum.
yum install oinkmaster
Once that is installed, run it with:
oinkmaster.pl -q -C Oinkmaster-bleedingsnort.conf -o ./rules
Then add your rules to the snort.conf file. I added bleeding.conf to the included rules and did my editing in that file, but you can just add all the rules to snort.conf directly. The rules added are below.
include $RULE_PATH/bleeding-attack-response.rules
include $RULE_PATH/bleeding-drop.rules
include $RULE_PATH/bleeding-dshield.rules
include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/bleeding-game.rules
include $RULE_PATH/bleeding-inappropriate.rules
include $RULE_PATH/bleeding-malware.rules
include $RULE_PATH/bleeding-p2p.rules
include $RULE_PATH/bleeding-policy.rules
include $RULE_PATH/bleeding.rules
include $RULE_PATH/bleeding-scan.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/bleeding-web.rules
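A single include that points at a rule file Oinkmaster did not fetch (for example because the download site was down, as happened in the comments) stops Snort from starting at all. The check below is an added example, not part of the original walkthrough or of Snort: it reads every active "include $RULE_PATH/..." line from a snort.conf and reports the files that do not exist. The function name check_rule_includes and the sample layout are my own; it assumes a relative RULE_PATH is resolved against the directory holding snort.conf, which matches the stock "var RULE_PATH rules" under /etc/snort.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): before restarting snortd,
# verify that every rule file named in an active "include $RULE_PATH/..." line
# really exists, so a missing file is found now rather than in the init log.
# Usage: sh check-rules.sh /etc/snort/snort.conf

# check_rule_includes CONF -> prints "missing: <path>" for each absent rule
# file, returns 1 if any is missing and 0 if all includes resolve.
check_rule_includes() {
    conf=$1
    # RULE_PATH as defined in the conf, e.g. "var RULE_PATH rules"
    rule_path=$(sed -n 's/^var RULE_PATH[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$conf" | head -n 1)
    [ -n "$rule_path" ] || { echo "no RULE_PATH in $conf" >&2; return 1; }
    # Assumption: a relative RULE_PATH is taken relative to the conf's directory
    case "$rule_path" in
        /*) ;;
        *)  rule_path="$(dirname "$conf")/$rule_path" ;;
    esac
    missing=""
    # Only lines that begin with "include"; commented-out includes are skipped
    for f in $(sed -n 's/^include[[:space:]]*\$RULE_PATH\/\([^[:space:]]*\).*$/\1/p' "$conf"); do
        [ -f "$rule_path/$f" ] || missing="$missing $f"
    done
    if [ -n "$missing" ]; then
        for f in $missing; do
            echo "missing: $rule_path/$f"
        done
        return 1
    fi
    return 0
}

# Stand-alone use: check the conf named on the command line.
if [ "$#" -gt 0 ]; then
    check_rule_includes "$1"
fi
```

Run it after each Oinkmaster update and before /etc/init.d/snortd restart; a non-zero exit means the restart would fail, and the printed paths tell you which includes to comment out or which downloads to retry.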
If you don't want to worry about starting Snort after a reboot, make it start on boot with the chkconfig command.
chkconfig snortd on
chkconfig mysqld on
Because of all the changes, restart snort and httpd and you should be good to go with your newly set up IDS.
All that is left is to put your server's interface into promiscuous mode, which lets it intercept and read every network packet that arrives in its entirety.
ifconfig eth0 promisc
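The ifconfig command above does not report whether it worked, and the setting is lost on reboot, so it is worth checking the kernel's own view of the interface. The script below is an added example, not part of the original walkthrough: it reads the interface flags from /sys/class/net/<dev>/flags and tests the IFF_PROMISC bit (0x100, as defined in the Linux if.h header). The function names flags_are_promisc and iface_is_promisc and the sample flag values in the comments are my own.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): confirm the sniffing
# interface really is in promiscuous mode by reading the kernel's interface
# flags instead of trusting that "ifconfig eth0 promisc" took effect.
# IFF_PROMISC is bit 0x100 of the value in /sys/class/net/<dev>/flags.
# Usage: sh check-promisc.sh eth0

# flags_are_promisc HEXFLAGS -> returns 0 if the IFF_PROMISC bit is set,
# 1 otherwise. Takes the 0x-prefixed hex string exactly as sysfs exports it
# (constructed sample values: 0x1103 is promiscuous, 0x1003 is not).
flags_are_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# iface_is_promisc DEV -> reads the live flags of DEV and tests them;
# returns 2 if DEV does not exist or its flags file is unreadable.
iface_is_promisc() {
    f=/sys/class/net/$1/flags
    [ -r "$f" ] || { echo "no such interface: $1" >&2; return 2; }
    flags_are_promisc "$(cat "$f")"
}

# Stand-alone use: report on the interface named on the command line.
if [ "$#" -gt 0 ]; then
    if iface_is_promisc "$1"; then
        echo "$1: promiscuous mode is on"
    else
        echo "$1: NOT in promiscuous mode"
    fi
fi
```

To make the setting survive a reboot on CentOS, add PROMISC=yes to /etc/sysconfig/network-scripts/ifcfg-eth0, which the network init scripts honour when the interface comes up; a quick run of this check after the next reboot confirms the sensor is still seeing all traffic.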
  • Comment by Lewis, 6 Jul 2011

    Hi Ralph,

    The DB is configured close to the start. Below is how to configure the DB. First log into mysql and do the following

    mysql> create database snort;
    grant INSERT,SELECT on root.* to snort@localhost;
    SET PASSWORD FOR snort@localhost=PASSWORD('RanDomPassWord');
    grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;

    I updated the walkthrough and added the link to download the rules; they are at http://www.bleedingsnort.com/downloads/bleeding.rules.tar.gz

  • Comment by Lewis, 7 Jul 2011

    It looks like the site is down. You can just create the file yourself and paste this into it.

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG v1.2.1 (GNU/Linux)

    mQGiBEGP+skRBACyZz7muj2OgWc9FxK+Hj7tWPnrfxEN+0PE+n8MtqH+dxwQpMTd
    gDpOXxJa45GM5pEwB6CFSFK7Fb/faniF9fDbm1Ga7MpBupIBYLactkoOTZMuTlGB
    T0O5ha4h26YLqFfQOtlEi7d0+BDDdfHRQw3o67ycgRnLgYSA79DISc3MywCgk2TR
    yd5sRfZAG23b4EDl+D0+oaMEAK73J7zuxf6F6V5EaxLd/w4JVB2xW0Glcn0fACOe
    8FV9lzcZuo2xPpdGuyj02f/xlqvEav3XqTfFU2no61mA2pamaRNhlo+CEfGc7qde
    /1twfSgOYqzeCx7+aybyPo8Th41b80FT19mfkjBf6+5NbUHffRabFFh1FmcPVNBn
    F3FoA/95nRIzqDMItdTRitaZn02dIGNjdwllBD75bSVEvaR9O5hjBo0VMc25DB7f
    DM2qEO52wCQbAKw9zFC284ekZVDaK4aHYt7iobHaqJEpKHgsDut5WWuMiSLR+SsF
    aBHIZ9HvrKWLSUQKHU6A1Hva0P0r3GnoCMc/VCVfrLl721SjPbQzQXRvbWljIFJv
    Y2tldCBUdXJ0bGUgPGFkbWluQGF0b21pY3JvY2tldHR1cnRsZS5jb20+iFkEExEC
    ABkFAkGP+skECwcDAgMVAgMDFgIBAh4BAheAAAoJEDKpURRevSdEzcQAn1hSHqTO
    jwv/z/picpOnR+mgycwHAKCBex2ciyXo5xeaQ9w7OMf7Jsmon7kBDQRBj/rMEAQA
    6JvRndqE4koK0e49fUkICm1X0ZEzsVg9VmUW+Zft5guCRxmGlYTmtlC7oJCToRP/
    m/xH5uIevGiJycRKB0Ix+Csl6f9QuTkQ7tSTHcaIKbI3tL1x6CCBoWeTGYaOJlvk
    ubrmajiMFaBfopLH2firoSToDGoUvv4e7bImIHEgNr8AAwUEAND0YR9DOEZvc+Lq
    Ta/PQyxkdZ75o+Ty/O64E3OmO1Tuw2ciSQXCcwrbrMSE6EHHetxtGCnOdkjjjtmH
    AnxsxdONv/EJuQmLcoNcsigZZ4tfRdmtXgcbnOmXBgmy1ea1KvWcsmecNSAMJHwR
    7vDDKzbj4mSmudzjapHeeOewFF10iEYEGBECAAYFAkGP+swACgkQMqlRFF69J0Sq
    nQCfa/q9Y/oY4dOTGj6MsdmRIQkKZhYAoIscjinFwTru4FVi2MIEzUUMToDK
    =NOIx
    -----END PGP PUBLIC KEY BLOCK-----
