This howto explains how to install and run Snort (a network intrusion detection system) on Linux.
It covers setting up Snort with ACID on RHEL 4.0.
First of all we must know what Snort and ACID are.
Snort = free network intrusion detection system (NIDS).
ACID = Analysis Console for Intrusion Databases, i.e. a web front end for Snort: it reads the alerts that Snort logs into a database and presents them in the browser.
Please remember that your system must have php-4.3.5 or later for the following to work. You can check with:
#rpm -qa php
If you don't have php-4.3.5 or later, download and install it first.
Now let's move on to configuring Snort with ACID.
First download all the packages needed for it to work properly:
1. ACID (the SourceForge project is called acidlab)
2. ADOdb
3. MySQL
4. Snort
5. JpGraph
6. PHP 4
7. Apache
ACID, ADOdb and JpGraph can be downloaded from www.sourceforge.net; Snort and its rules come from www.snort.org. MySQL, PHP and Apache are also available as RHEL packages.
Now let's start the configuration.
First we build Snort from source, as follows:
#tar zxvf snort-2.6.1.4.tar.gz
(the tarball name depends on the version you downloaded; 2.6.1.4 is used throughout this howto)
This unpacks the tarball into a new snort-2.6.1.4 directory. The subdirectories we need are etc (the sample snort.conf and the files it includes) and schemas (the database table definitions).
We also have to download the latest rules from www.snort.org/dl.
Next we create the following directories ourselves:
# mkdir /etc/snort
# mkdir /etc/snort/rules
# mkdir /var/log/snort
Now copy all files from the etc directory of the unpacked Snort source to /etc/snort, and copy the files from the rules directory (downloaded from www.snort.org/dl) to the /etc/snort/rules directory we just created.
After completing the above steps, build and install Snort from inside the unpacked source directory, with MySQL output support enabled:
# cd snort-2.6.1.4
# ./configure --with-mysql
# make
# make install
(--with-mysql needs the MySQL client headers and libraries, i.e. the mysql-devel package on RHEL; without them configure fails.)
If all goes well Snort is installed but not yet configured. Its configuration is the file /etc/snort/snort.conf, so we edit it:
# vi /etc/snort/snort.conf
and change the settings as shown below.
##########################################
#################SNORT.CONF################
var HOME_NET any
  Change to
var HOME_NET 192.168.5.211
  (or your internal network range, e.g. 192.168.5.0/24; several ranges are written as a list, [192.168.5.0/24,10.0.0.0/8])
var EXTERNAL_NET any
  Change to
var EXTERNAL_NET !$HOME_NET
var RULE_PATH ../rules
  Change to
var RULE_PATH /etc/snort/rules
Also uncomment the line that starts with "output database:" and set user, password and dbname to your own values, e.g.
output database: log, mysql, user=snort password=snort123 dbname=snort host=localhost
Because this line holds the database password, make the file readable only by root (chmod 600 /etc/snort/snort.conf) and do not reuse that password anywhere else.
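The following pre-flight check is an added example and not part of the original howto. It reads a snort.conf, strips comments, and reports each setting this guide says to change but which is easy to leave at the shipped default, plus the case where the file carries the database password but is readable by other users. The sample configuration it runs on at the end is constructed for the demo; the path /etc/snort/snort.conf is the one used in this guide.

```shell
#!/bin/sh
# Added example: pre-flight check for the snort.conf edits described above
# (not part of the original howto). Reports each setting that is still at
# the shipped default, or that leaks the database password to other users.
# Usage: snort_conf_check /etc/snort/snort.conf   (exit status 1 if anything is reported)

snort_conf_check() {
    conf="$1"
    findings=0
    # Drop comments first, so a commented-out "output database:" line does not
    # count as an active one.
    live=$(sed -e 's/#.*//' "$conf")

    if printf '%s\n' "$live" | grep -Eq '^[[:space:]]*(ip)?var[[:space:]]+HOME_NET[[:space:]]+any[[:space:]]*$'; then
        echo "HOME_NET is still 'any': set it to your internal address range"
        findings=$((findings + 1))
    fi
    if printf '%s\n' "$live" | grep -Eq '^[[:space:]]*(ip)?var[[:space:]]+EXTERNAL_NET[[:space:]]+any[[:space:]]*$'; then
        echo "EXTERNAL_NET is still 'any': set it to !\$HOME_NET"
        findings=$((findings + 1))
    fi
    if printf '%s\n' "$live" | grep -Eq '^[[:space:]]*var[[:space:]]+RULE_PATH[[:space:]]+[^/[:space:]]'; then
        echo "RULE_PATH is relative: use the absolute path /etc/snort/rules"
        findings=$((findings + 1))
    fi
    if ! printf '%s\n' "$live" | grep -Eqi '^[[:space:]]*output[[:space:]]+database:'; then
        echo "no active 'output database:' line: alerts will not reach MySQL/ACID"
        findings=$((findings + 1))
    fi
    # A live password= value in a file that group or others can read is a leak.
    # Columns 5-10 of ls -l are the group and other permission bits.
    if printf '%s\n' "$live" | grep -q 'password=' &&
       ls -l "$conf" | cut -c5-10 | grep -q r; then
        echo "$conf holds the database password but is readable by group/others: chmod 600 it"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Demo on a constructed config that still has the shipped defaults.
demo=$(mktemp)
cat > "$demo" <<'EOF'
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
# output database: log, mysql, user=snort password=snort123 dbname=snort host=localhost
EOF
chmod 644 "$demo"
snort_conf_check "$demo" || echo "fix the settings above before starting Snort"
rm -f "$demo"
```

Run it against /etc/snort/snort.conf after editing; an empty output and exit status 0 means the four edits above took effect and the password is not exposed.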
The Snort configuration is now finished. First check that it parses, then start Snort:
# snort -T -c /etc/snort/snort.conf
# snort -c /etc/snort/snort.conf -i eth0 -D
-T only validates the configuration and rules and then exits, so errors show up before anything goes live; -i selects the interface to listen on and -D runs Snort as a daemon. If all goes well the second command runs Snort in NIDS (network intrusion detection system) mode.
Snort then writes an alert file in /var/log/snort/ (the directory we created) whenever traffic matches a rule, e.g. when someone scans or attacks hosts in HOME_NET. By studying the alert file we can see who tried to get into our network and which signatures they triggered.
Snort runs as root by default; to drop privileges after it has opened the interface, create a dedicated unprivileged user, make /var/log/snort writable by it, and add -u snort -g snort to the command line.
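To show what "studying the alert file" looks like in practice, here is an added example (not from the original howto) that summarises Snort's full-format alert file by source host and signature. The sample alerts it parses are constructed for the demo and use SIDs from the local range (1000000+), not real Snort rule IDs; the path /var/log/snort/alert is the one this guide uses.

```shell
#!/bin/sh
# Added example (not from the original howto): summarise Snort's full-format
# alert file (/var/log/snort/alert) by source host and signature, to answer
# "who is probing us, and with what" from the shell.
# Usage: snort_alert_summary /var/log/snort/alert   (or pipe the file on stdin)

snort_alert_summary() {
    awk '
        # Signature line:  [**] [gid:sid:rev] message [**]
        /^\[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\] / {
            msg = $0
            sub(/^\[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\] /, "", msg)
            sub(/ \[\*\*\].*$/, "", msg)
            next
        }
        # Packet header line:  MM/DD-HH:MM:SS.uuuuuu src[:port] -> dst[:port]
        # It follows the signature (and classification) lines of the same alert.
        /^[0-9][0-9]\/[0-9][0-9]-[0-9:.]+ [^ ]+ -> / {
            src = $2
            sub(/:[0-9]+$/, "", src)      # keep the host, drop the source port
            count[src " " msg]++
        }
        END {
            for (k in count) print count[k], k
        }
    ' "${1:--}" | sort -rn
}

# Constructed sample in Snort's full alert format (local SIDs, made up for the demo).
snort_alert_sample() {
    cat <<'EOF'
[**] [1:1000001:1] LOCAL ICMP PING sweep [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/19-10:23:11.123456 10.0.0.5 -> 192.168.5.211
ICMP TTL:44 TOS:0x0 ID:0 IpLen:20 DgmLen:28
Type:8  Code:0  ID:0  Seq:0  ECHO

[**] [1:1000001:1] LOCAL ICMP PING sweep [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/19-10:23:12.223456 10.0.0.5 -> 192.168.5.212
ICMP TTL:44 TOS:0x0 ID:0 IpLen:20 DgmLen:28
Type:8  Code:0  ID:0  Seq:0  ECHO

[**] [1:1000002:1] LOCAL WEB cmd.exe access attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/19-10:25:02.000001 192.168.5.10:3456 -> 192.168.5.211:80
TCP TTL:128 TOS:0x0 ID:1 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x1  Ack: 0x1  Win: 0x4000  TcpLen: 20
EOF
}

# Demo: the first line printed is "2 10.0.0.5 LOCAL ICMP PING sweep"
snort_alert_sample | snort_alert_summary
```

The output is one line per (source host, signature) pair, most frequent first, which is usually the quickest way to spot a scanner before the database front end is in place. The source port is dropped on purpose: a scanner uses a new port per probe and would otherwise never aggregate.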
Now we will configure MySQL.
First we start MySQL with the command:
#service mysqld start
Then set a password for the MySQL root account (a fresh RHEL install ships it without one):
#mysql
mysql> SET PASSWORD FOR 'root'@'localhost'=PASSWORD('your password');
mysql> exit
SET PASSWORD takes effect immediately and does not prompt for anything. Now log in again, this time with the password:
#mysql -u root -p
Provide the password and at the mysql prompt create the database and the account that Snort and ACID will use:
mysql> create database snort;
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to 'snort'@'localhost' identified by 'snort123';
mysql> exit
The GRANT ... IDENTIFIED BY form creates the user and sets its password in one step, so no separate SET PASSWORD is needed. The Snort sensor itself only needs INSERT and SELECT; CREATE, DELETE and UPDATE are for ACID (archive tables, deleting alerts), so if you prefer separate accounts give the sensor only those two privileges. Only add a second grant for 'snort'@'%' (any host) if Snort sensors or the ACID console run on other machines; otherwise it merely makes the account reachable over the network.
Now at the shell prompt create the tables in the newly created snort database:
#mysql -D snort -u root -p < /root/snort-2.6.1.4/schemas/create_mysql
If no error occurs, the tables in the snort database are created.
Now we need a front end for Snort that reads the alerts from the database and presents them graphically on the web. For this we use the ACID package. Perform the following steps:
#tar zxvf acid.tar
First create a new directory named acid:
#mkdir /var/www/html/acid
Now copy the contents of the freshly untarred acid directory to /var/www/html/acid. After this:
#tar zxvf adodb.tar
and copy the contents of the untarred adodb directory into the same /var/www/html/acid directory.
Untar jpgraph.tar the same way:
#tar zxvf jpgraph.tar
and copy the untarred jpgraph directory itself into /var/www/html/acid, so that it becomes /var/www/html/acid/jpgraph (that is the path acid_conf.php is pointed at below).
Now open the file acid_conf.php in /var/www/html/acid and edit it as described below.
#######################################################################acid_conf.php#####################
$DBlib_path = "/var/www/html/acid";   (the directory that contains adodb.inc.php; we copied the ADOdb files into /var/www/html/acid)
$DBtype = "mysql";   (the database type)
Change the following in the Alert DB section as well as in the Archive DB section:
$alert_dbname = "snort";   (database name)
$alert_host = "localhost";   (database host)
$alert_port = "3306";   (MySQL port for the connection)
$alert_user = "snort";   (user name)
$alert_password = "snort123";   (password for user snort)
Lastly we have to change
$ChartLib_path = "/var/www/html/acid/jpgraph/src";   (the directory containing jpgraph.php)
Since acid_conf.php holds the database password, it should be readable only by the user Apache runs as (apache on RHEL), e.g. chown root:apache and chmod 640, not world-readable.
That's it; the entire configuration is done.
Now let's restart all the services:
# service httpd restart
# service mysqld restart
# snort -c /etc/snort/snort.conf -D
(-D runs Snort as a daemon; add -i eth0 to choose the interface.)
After restarting the services, open your web browser and point it to http://localhost/acid.
If all goes well you will see the ACID console, but before that you have to create the AG (alert group) tables by clicking the create button on ACID's setup page, to which you are sent the first time.
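ACID has no login of its own and its pages can delete alerts, so once http://localhost/acid works, anyone who can reach that URL can read and wipe the alert database. The following is an added example, not part of the original howto: a shell function that emits an Apache 2.0 stanza restricting the /var/www/html/acid directory used above to a listed source network and a password-protected account. The admin network, the htpasswd file location and the account name are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original howto): ACID has no authentication of
# its own, so protect /var/www/html/acid at the web server. This prints an
# Apache 2.0 <Directory> stanza requiring BOTH an allowed source network and a
# valid Basic-auth login. Write it to /etc/httpd/conf.d/acid.conf, create the
# account, and restart httpd:
#   acid_access_conf 192.168.5.0/24 > /etc/httpd/conf.d/acid.conf
#   htpasswd -c /etc/httpd/acid.htpasswd analyst     (account name is an example)
#   service httpd restart

acid_access_conf() {
    allow_from="${1:-127.0.0.1}"                      # admin network (assumed)
    htpasswd_file="${2:-/etc/httpd/acid.htpasswd}"    # assumed path, outside the web root
    cat <<EOF
<Directory /var/www/html/acid>
    # Both conditions must hold: right source network and a valid login.
    Order deny,allow
    Deny from all
    Allow from $allow_from
    AuthType Basic
    AuthName "Snort ACID console"
    AuthUserFile $htpasswd_file
    Require valid-user
    Satisfy All
</Directory>
EOF
}

# Demo: print the stanza for a single admin subnet.
acid_access_conf 192.168.5.0/24
```

Basic authentication sends the password base64-encoded, not encrypted, so serve the console over HTTPS (mod_ssl) rather than plain HTTP, and keep the htpasswd file outside the document root as in the default path above.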
I hope you have understood every step; if you have problems, just e-mail me at my personal account, i.e. E-mail: