Professional Documents
Culture Documents
Howto Install & Configure Snort On Debian/Ubuntu
Howto Install & Configure Snort On Debian/Ubuntu
*** S"ccess@ 'eloading the privilege tables 3ill ens"re that all changes made so far 3ill take effect immediately* Re+oad pr*'*+e!e ta,+es now" #Y$n% ( *** S"ccess@ -leaning "p*** %ll done@ 8f yo"Ave completed all of the above steps7 yo"r MySQL installation sho"ld no3 be sec"re* /hanks for "sing MySQL@
Lets make s"re MySQL is no3 r"nning> 9root:snortbo( ;<= netstat -ntlp # grep mysql tcp ) ) D6F*)*)*D>,,)G )*)*)*)>H
L8S/&0
DG)))Imysqld
0o3 search for K3RE3R-C2RULE230T4 55$preproc2ru+esL7 and replace it 3ith> 1*+1*4(!*)0+!12-3 $etc$snort$preproc!r"les 0o3 search for Koutput data,ase: +o!6 &(s7+6 user=root password=test d,na&e=d, ost=+oca+ ost L and replace it 3ith> o"tp"t database/ log5 mysql5 "ser6)7+*,28+ pass%ord6127794*: dbname6:2-2;27+,28+ host6347Le!end: USERN0ME M 4o"r SnortAs $C "sername (/hat shall be "sed later in config"ration)* 30SS8-R) M 4o"r SnortAs $C "sername pass3ord (/hat shall be "sed later in config"ration)* )0T090SEN0ME M the name of the Snort database (/hat shall be "sed later in config"ration)* 4-ST M the hostname of the machine r"nning Snort (1s"ally this is localhost7 specially if yo" shall only have one sensor)* 0o3 goto the end of the file and search for> : *nc+ude ;3RE3R-C2RULE230T4$preprocessor5ru+es : *nc+ude ;3RE3R-C2RULE230T4$decoder5ru+es %nd comment them o"t* 0o3 close and e(it the snort5conf file "sing K:<L*
Le!end:
)9N0ME = /he database name that yo" shall "se for Snort* SN-RT)9USER = /he snort db "ser that yo" shall "se for Snort* Y-UR30SS8-R) = /he pass3ord that yo" shall "se for the Snort db "ser* 9root:snortbo( ;<= &(s7+ 1p &nter pass3ord> Jelcome to the MySQL monitor* -ommands end 3ith E or Ng* 4o"r MySQL connection id is O) Server version> 5*)*5Da-6O5lenny6 ($ebian) /ype AhelpEA or ANhA for help* /ype ANcA to clear the b"ffer* mysqlP (*+2-+ :2-2;27+ :;,28+< Q"ery 2B7 D ro3 affected ()*)) sec) mysqlP =*2,- (*+2-+5 >,7+*-5 7+0+(-5 :+0+-+5 )1:2-+ 4, :;,28+.. -4 7,4*-:;)7+*?04(20347-< Q"ery 2B7 ) ro3s affected ()*)) sec) mysqlP 7+- 127794*: @4* 7,4*-:;)7+*?04(20347-6127794*:ABC4)*127794*:BD< Q"ery 2B7 ) ro3s affected ()*)) sec) mysqlP @0)73 1*>E>0+=+7< Q"ery 2B7 ) ro3s affected ()*)) sec) mysqlP exit Cye 0o3 lets set"p the database schema for Snort> 9root:snortbo( schemas<= cd schemas$ 0o3 lets import the schema into the database 3e created for Snort> 9root:snortbo( schemas<= mysql -p -" 7,4*-:;)7+* :;,28+ F create!mysql &nter pass3ord> 4o" shall be asked to enter the pass3ord yo" set for the SN-RT)9USER that yo" set"p in the previo"s lines above*
0o3 lets make s"re that everything 3ent 3ell and o"r database is ready> 9root:snortbo( schemas<= mysql -p &nter pass3ord> Jelcome to the MySQL monitor* -ommands end 3ith E or Ng* 4o"r MySQL connection id is O, Server version> 5*)*5Da-6O5lenny6 ($ebian) mysqlP sho% databases< 5--------------------5 Q $atabase Q 5--------------------5 Q informationRschema Q Q )9N0ME Q Q mysql Q 5--------------------5 , ro3s in set ()*)) sec) mysqlP "se :;,28+< 'eading table information for completion of table and col"mn names 4o" can t"rn off this feat"re to get a q"icker start"p 3ith -% $atabase changed mysqlP sho% tables< 5---------------------------5 Q /ablesRinR)9N0ME Q 5---------------------------5 Q data Q Q detail Q Q encoding Q Q event Q Q icmphdr Q Q iphdr Q Q opt Q Q reference Q Q referenceRsystem Q Q schema Q Q sensor Q Q sigRclass Q Q sigRreference Q Q signat"re Q Q tcphdr Q Q "dphdr Q 5---------------------------5 DG ro3s in set ()*)) sec) mysqlP exit
%fter the installation of the php e(tensions is finished lets move on to config"re C%S&* #oto yo"r 3eb bro3ser and open the follo3ing link> http>IIlocalhostIbase-D*O*OI Note: 8f yo" have changed the name of the C%S& directory7 then donAt forget to bro3se that name and not the directory base-D*O*O* 0o3 yo" sho"ld have reached the C%S& set"p page7 3hich looks like this>
&nter the path of the %$2db7 3hich is> $var$%%%$adodb5. %nd then press on the 7"bmit K"ery b"tton* 4o" shall no3 be taken to the ne(t screen of C%S& set"p7 3hich is similar to>
8nsert yo"r database name7 database hostname7 database "sername7 and the "sernameAs pass3ord that 3e created earlier for Snort to "se* Note: yo" can leave the database port field empty if yo" didnAt change the defa"lt port K??@AL* Finally press the 7"bmit K"ery b"tton* 0o3 yo" sho"ld have reached the third C%S& set"p page>
!ere 3e can define a "sername and pass3ord for it to be "sed 3ith accessing C%S&* -hoose a "sername7 pass3ord7 and add the "sernameAs f"ll name and press the 7"bmit K"ery b"tton* 0o3 yo" sho"ld have reached the fo"rth C%S& set"p page>
#o ahead and press the (reate ;27+ 2= b"tton* %fter doing that 3e shall get the res"lts page 3hich looks like>
/his page informs yo" of the completion of the C%S& set"p* 4o" can no3 go ahead and press on the Kstep 5L link fo"nd at the bottom of the page* /his shall lead yo" to the C%S& login page>
&nter the "sername and pass3ord yo" chose previo"sly7 and yo" shall be inside C%S&>
%s yo" can see it is clean no37 there is no activity yet* /o generate some noise and see if snort is doing its .obX From another comp"ter initiate a port scan "sing nmap on the C2Y that is r"nning Snort> root:scanbo( ;= nmap -s7 ip-address-of-snort-box -p1-10 H $id 8 mention that 3e havnAt started Snort yetX Jell yes act"ally 3e havenAt and 3e need to do that first before o"r nmap noisy .ob gets discovered by Snort*
So do3nload this start"p script for snort from here* -opy it7 and do the follo3ing> 9root:snortbo( ;<= cp "b"nt".snort.init.txt $etc$init.d$snort 9root:snortbo( ;<= cho%n root/root $etc$init.d$snort 9root:snortbo( ;<= chmod 500 $etc$init.d$snort 0o3 if yo" are "sing eth) for monitoring then yo" donAt need to change the settings in the script7 b"t if yo" are "sing for e(ample ethDX /hen edit the snort file and search for> 9root:snortbo( ;<= vim $etc$init.d$snort >@2(+6Leth0L %nd change it to> >@2(+6Leth1L Save and e(it K+scL then K/xL* &verything is ready no37 lets start Snort> 9root:snortbo( ;<= $etc$init.d$snort restart 0o3 go and r"n the nmap scan command again to generate some noise and 3atch C%S& as it displays the information abo"t that attack for yo"* Con!ratu+at*ons now Snort *s up and runn*n!5
8r*tten ,(: 0+* 0+1S e&er( (a>a: 9BnCr() L*nu< 0ra, Co&&un*t( ,*nar( #at% +*nu<ac #dot% or! Spec*a+ T an>s: Snort )e'e+opers for the 3onderf"l 8$SI8 S* ,od *5DaDen for the start"p script