
ATHENA.EDU.VN

SNORT ALERT SYSTEM SMS

Instructor: Tran Dang Khoa

Student: Nguyen Tien Thanh


I. Model:

The model consists of one CentOS server on which Apache, MySQL, Snort, BASE + ACID and the Snort support packages Barnyard and Oinkmaster are installed. In addition, the GSM package must be installed so that the server can connect to and synchronize with the device that sends the text messages.

As the diagram above shows, when there are signs of an attack the sensor machine writes the log to the database; the system then raises the alert through BASE and ACID and sends an SMS.


1. Detailed operating model:

The architecture in the diagram above shows how the supporting software packages are combined to build the complete IDS.

The model has three parties: unauthorized people, the SnortSms system and the Administrator. The unauthorized people attack and try to break into the system. The Snort sensor is given a schedule on which it checks the system log. If it finds any sign of an intrusion, it sends an SMS to the administrators saying that their system is being attacked.

II. Steps to build the SMSAlertSystem.


1. Install Snort and BASE:
a. Install Snort

Install the required packages:

We use yum to install all of the packages above.

Install Snort


Copy the Snort tarball into /snort

cd /snort

Extract Snort

tar -zxvf snort-2.8.4.1.tar.gz

cd snort-2.8.4.1

- Run the following steps in order to build and install Snort (--with-mysql builds the MySQL output plugin that is used below):

# ./configure --with-mysql --enable-dynamicplugin

# make


# make install

Configure Snort

Create the working directories for Snort

mkdir /etc/snort

mkdir /etc/snort/rules

mkdir /var/log/snort


Change into the directory where Snort was extracted earlier, then into its etc subdirectory (the one inside the extracted source tree, not the system /etc). Copy all of its files into the /etc/snort directory created above.
cd /snort/snort-2.8.4.1/etc
cp * /etc/snort
Create the group and user for Snort
groupadd snort
useradd -g snort snort -s /sbin/nologin # the snort user cannot log in to the system.
Set the ownership so that Snort can write its logs into the log directory
chown snort:snort /var/log/snort/
Install the rule set for Snort
Download the latest rules from http://www.snort.org

- Extract
tar -xzvf snortrules-snapshot-2.8.tar.gz
cd rules
cp * /etc/snort/rules

Configure Snort
Configuration file: /etc/snort/snort.conf

- Edit line 46
var HOME_NET 192.168.1.0/24
- Edit line 49
var EXTERNAL_NET !$HOME_NET
- Edit lines:
110: var RULE_PATH /etc/snort/rules
688: output database: log, mysql, user=snort password=123456 dbname=snort host=localhost
Save. Line 688 stores the database password in clear text, so keep snort.conf readable only by root and the snort user; 123456 is the lab value, and a real sensor should use a strong password.
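The four edits above are easier to apply and check from a script than by line number, because the line numbers move between snort.conf versions. The functions below are an added example for this document, not part of Snort or of the original text: set_snort_var, get_snort_var, set_db_output and validate_conf are this example's own names, while `snort -T` is Snort's own configuration-test switch. The sample configuration used at the end is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original document or from Snort): edit the
# snort.conf variables non-interactively, keep the file private, and let
# Snort parse it before the service is restarted.

# set_snort_var CONF NAME VALUE: replace an existing "var NAME ..." line or
# append one if absent. Written through a temp file so a failed edit never
# truncates CONF. VALUE must not contain '|' (the sed delimiter).
set_snort_var() {
    conf=$1; name=$2; value=$3
    tmp="$conf.tmp.$$"
    if grep -q "^var $name " "$conf"; then
        sed "s|^var $name .*|var $name $value|" "$conf" > "$tmp"
    else
        cat "$conf" > "$tmp"
        printf 'var %s %s\n' "$name" "$value" >> "$tmp"
    fi
    mv "$tmp" "$conf"
}

# get_snort_var CONF NAME: print the current value of a var (empty if unset).
get_snort_var() {
    awk -v n="$2" '$1 == "var" && $2 == n { print $3; exit }' "$1"
}

# set_db_output CONF USER PASS DB [HOST]: replace every mysql "output database:"
# line with a single "log" line for the given account. An empty password is
# refused rather than written into the file.
set_db_output() {
    conf=$1; user=$2; pass=$3; db=$4; host=${5:-localhost}
    [ -n "$pass" ] || { echo "refusing empty database password" >&2; return 1; }
    tmp="$conf.tmp.$$"
    grep -v '^output database:.*mysql' "$conf" > "$tmp" || true
    printf 'output database: log, mysql, user=%s password=%s dbname=%s host=%s\n' \
        "$user" "$pass" "$db" "$host" >> "$tmp"
    mv "$tmp" "$conf"
}

# validate_conf CONF: the file now holds the DB password, so make it
# unreadable to other users, then ask Snort to parse it (-T) without sniffing.
validate_conf() {
    conf=$1
    chmod 640 "$conf"
    if command -v snort >/dev/null 2>&1; then
        snort -T -u snort -g snort -c "$conf"
    else
        echo "snort not installed here; skipping parse test" >&2
    fi
}

# Usage with the lab values from this document (hypothetical invocation):
# set_snort_var /etc/snort/snort.conf HOME_NET 192.168.1.0/24
# set_snort_var /etc/snort/snort.conf EXTERNAL_NET '!$HOME_NET'
# set_snort_var /etc/snort/snort.conf RULE_PATH /etc/snort/rules
# set_db_output /etc/snort/snort.conf snort 123456 snort localhost
# validate_conf /etc/snort/snort.conf && service snortd restart
```

Running `snort -T` before `service snortd restart` is the check worth keeping even if the rest is done by hand: a typo in snort.conf otherwise only shows up as a sensor that silently fails to start.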

Set Snort to start with the system:

Create a symbolic link from the snort binary to /usr/sbin/snort
ln -s /usr/local/bin/snort /usr/sbin/snort
Snort ships init scripts in the rpm/ directory of the extracted source tree:


cp /snort/snort-2.8.4.1/rpm/snortd /etc/init.d/
cp /snort/snort-2.8.4.1/rpm/snort.sysconfig /etc/sysconfig/snort

Set the permissions on the snortd file:

chmod 755 /etc/init.d/snortd
chkconfig snortd on
service snortd start

Start Snort in debug mode (in the foreground, as the snort user) if you want to check for errors:

/snort/snort-2.8.4.1/src/snort -u snort -g snort -d -c /etc/snort/snort.conf

Managing Snort with Webmin:

(this step can be skipped; continue with section 4)
- Install Webmin

Log in to Webmin, choose Webmin Modules and import the Snort module into Webmin:

Integrating Snort into Webmin:

copy snort-1.1.wbm into the Snort extraction directory
http://localhost:10000
In Webmin, choose Webmin Configuration, Webmin Modules, From uploaded file, point it at the directory containing snort-1.1.wbm and proceed with the installation.


Create the snort database in MySQL

# service mysqld start
First set a password for the MySQL root account.
# mysqladmin -u root password 123456
# mysql -p

Create the snort account with a password.

mysql> use mysql;

mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY '123456';

Create the database for snort.

mysql> create database snort;


mysql> GRANT CREATE, INSERT, SELECT, DELETE, UPDATE ON snort.* to snort@localhost;
mysql> flush privileges;
mysql> exit
Create the tables in the snort database from /snort/snort-2.8.4.1/schemas/create_mysql (in the extracted Snort directory):
mysql -u root -p snort < /snort/snort-2.8.4.1/schemas/create_mysql
mysql -p
show databases;
use snort;
show tables;
Check that the tables are there.

Install BASE and ADODB

The web server and PHP are already installed; we only need a few extra PEAR packages for PHP.

cd /snort/snort-2.8.4.1
pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
; (the machine must be online)

Install ADODB
Download ADODB from: http://nchc.dl.sourceforge.net/sourceforge/adodb/
cp adodb480.tgz /var/www/html/
cd /var/www/html/
tar -xzvf adodb480.tgz

Install BASE

Download BASE from: http://nchc.dl.sourceforge.net/sourceforge/secureideas/base-1.4.2.tar.gz (the commands below use the base-1.4.4 tarball; substitute the version you downloaded)

# cp /snort/base-1.4.4.tar.gz /var/www/html/
# tar -zxvf base-1.4.4.tar.gz

# mv base-1.4.4/ base/

# cd base
# cp base_conf.php.dist base_conf.php


# vi base_conf.php
Edit the following lines:
57 $BASE_urlpath = '/base';
79 $DBlib_path = '/var/www/html/adodb';
101 $alert_dbname = 'snort';
105 $alert_password = '123456';
108 $archive_exists = 1; # Set this to 1 if you have an archive DB
109 $archive_dbname = 'snort';
112 $archive_user = 'snort';
113 $archive_password = '123456';
355 $external_whois_link = 'index.php';
382 $external_dns_link = 'index.php';
385 $external_all_link = 'index.php';
Save.
# service snortd restart
# service httpd restart

2. Install Snort ACID


Now that BASE is installed, we add the ACID package for Snort as well.

Download the source code (acid-0.9.6b21.tar.gz and phplot):
http://prdownloads.sourceforge.net/phplot/phplot-4.4.6.tar.gz

Extract and place acid in a subdirectory of the httpd DocumentRoot:

# cp acid-0.9.6b21.tar.gz /var/www/html
# tar -zxvf acid-0.9.6b21.tar.gz
# cp phplot-4.4.6.tar.gz /var/www/html
# tar -zxvf phplot-4.4.6.tar.gz
Check that PHP is configured correctly with gd:
http://localhost/phplot-4.4.6/examples/test_setup.php
If the example charts do not display, check that PHP was compiled with the gd library and that gd support is enabled in /etc/php.ini (extension=gd.so).

Create the database that stores the alerts archived by acid:

# mysql -u root -p
mysql> create database snort_archive;
mysql> grant INSERT,SELECT,UPDATE, DELETE on snort_archive.* to snort@localhost identified by '123456';
mysql> exit
# mysql snort -u root -p < create_acid_tbls_mysql.sql
Configure the required parameters for acid in acid_conf.php


$ChartLib_path = "../phplot-4.4.6"; // optional, if PHP supports gd

/* File format of charts ('png', 'jpeg', 'gif') */
$chart_file_format = "png";

The installation is complete; start using acid to monitor the network activity that Snort detects: http://localhost/acid/

3. Install the connection to the SMS-sending device

Install the gsm package and its dependencies, which support connecting to the mobile device, with yum:

# yum -y install gsm*
When the installation finishes, check that it completed:
# rpm -qa | grep gsm

Now that gsm and its dependencies are installed, we configure it so that it can connect to the mobile device.
# cp /usr/share/doc/gammu-1.11.0/examples/config/gammurc /etc
# nano /etc/gammurc
Configure it as follows:

We connect to the mobile device through the COM/USB port.

Check whether the connection succeeded:
# wvdialconf /etc/wvdial.conf


We are now connected to the mobile device, so we can send an SMS from the command line.
# echo "sms alert test" | gammu --sendsms TEXT +1884371028

The SMS was sent successfully.

BARNYARD and OINKMASTER

We can now install two more packages for Snort, Barnyard and Oinkmaster (both are optional).
Barnyard is an output system for Snort. Snort writes a special binary output format called "unified"; Barnyard reads this file and then resends the data to the back-end database. Unlike the database output plugin, Barnyard handles sending events to the database and holds them while the database temporarily cannot accept connections. This improves Snort's performance.
Download: http://sourceforge.net/projects/barnyard/
For Oinkmaster, see
http://openmaniak.com/inline_oink.php
Download: http://oinkmaster.sourceforge.net/


The build is almost finished; what remains is to make the system send an SMS automatically whenever Snort writes new alerts to the database.
4. Install the management site
Now we will do that.
First download the PHP source package from:
http://sourceforge.net/projects/snortsas/files/source.tar.gz/download
Extract the downloaded package into a subdirectory of the httpd DocumentRoot:
# cp source.tar.gz /var/www/html/
# tar xzvf source.tar.gz
This package stores the phone book and watches for changes in the Snort database and logs; it also bundles some Snort/BASE tools in its base directory (you may configure these like the BASE installation above, or leave them).
Now configure it.
Create the database:
# mysql -u root -p
mysql> use mysql;
mysql> CREATE USER 'sms'@'localhost' IDENTIFIED BY '123456';
mysql> create database thesis;
mysql> GRANT CREATE, INSERT, SELECT, DELETE, UPDATE ON thesis.* to sms@localhost;
mysql> flush privileges;
mysql> exit
(the grant is on thesis.*, the database the sms account opens in kirimsms.php below; the snort account already holds the privileges it needs on snort.*)
# mysql -u root -p < /var/www/html/source/database.sql

Then configure:

# gedit /var/www/html/source/db.php


You can now open the phone book management page at:

http://localhost/source/index_isuper.php
Note: go into the thesis database and change the password in the User table before logging in.


The phone book stores the numbers the system will send SMS alerts to.

User settings:


5. Reconfigure crontab

gedit /etc/crontab

Crontab schedules a PHP script that checks the log; if the log has changed, an SMS is sent automatically to the phone numbers stored in the phone book.
Restart crond
# service crond restart
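The cron job above is the piece the model in section I.1 describes: something has to notice that the Snort database has grown since the last run and turn each new event into a text message without sending any event twice. The poller below is an added example written for this document; it is not the snortsas PHP script and not Snort's or Gammu's code. It assumes the Snort 2.8 create_mysql schema loaded above (event, signature and iphdr tables), a phone book as one number per line in /etc/snortsms/phonebook, a state file /var/lib/snortsms/last_cid and a MySQL credentials file /etc/snortsms/my.cnf; those four paths, the function names and the sample rows and numbers in the test are this example's own assumptions.

```shell
#!/bin/sh
# Added example for this document (not code from snortsas, Snort or Gammu):
# a poller that cron runs every minute. It reads Snort events newer than the
# last one already reported, sends each as one SMS to every phone-book number
# through gammu, and records the cid of the last fully delivered event so a
# failed run is retried and nothing is sent twice.
# Assumed (hypothetical) paths:
STATE_FILE=${STATE_FILE:-/var/lib/snortsms/last_cid}   # last delivered cid
PHONEBOOK=${PHONEBOOK:-/etc/snortsms/phonebook}        # one number per line
MYSQL_CNF=${MYSQL_CNF:-/etc/snortsms/my.cnf}           # mode 0600: [client] user=snort password=...

# read_last_cid FILE: highest cid already reported; 0 on the first run or if
# the file holds anything but digits (the value is spliced into SQL below).
read_last_cid() {
    v=$(cat "$1" 2>/dev/null || true)
    case $v in
        ''|*[!0-9]*) echo 0 ;;
        *) echo "$v" ;;
    esac
}

# new_alerts LAST_CID: tab-separated "cid timestamp sig_name src dst" rows for
# every event with cid > LAST_CID, oldest first (Snort 2.8 create_mysql schema).
# The password comes from the my.cnf file, not the command line, so it does
# not show up in ps.
new_alerts() {
    mysql --defaults-extra-file="$MYSQL_CNF" -N -B snort <<EOF
SELECT e.cid, e.timestamp, s.sig_name, INET_NTOA(i.ip_src), INET_NTOA(i.ip_dst)
FROM event e
JOIN signature s ON s.sig_id = e.signature
JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
WHERE e.cid > $1
ORDER BY e.cid;
EOF
}

# format_sms ROW: one GSM text (at most 160 characters) for one row; an
# overlong signature name is cut rather than split into a second message.
format_sms() {
    printf '%s\n' "$1" | awk -F'\t' '{
        msg = "SNORT " $2 " " $3 " " $4 " -> " $5
        if (length(msg) > 160) msg = substr(msg, 1, 157) "..."
        print msg
    }'
}

# gammu_send NUMBER TEXT: the real sender, the same gammu call used above.
gammu_send() { printf '%s' "$2" | gammu --sendsms TEXT "$1"; }

# deliver LAST_CID SENDER: read rows from stdin, send each to every phone-book
# number with SENDER, and print the cid of the last row delivered to everyone.
# Stops at the first failed send so that event is retried on the next run
# (numbers already served for it get it again, which beats losing it).
deliver() {
    last=$1; sender=$2
    while IFS= read -r row; do
        cid=$(printf '%s\n' "$row" | cut -f1)
        msg=$(format_sms "$row")
        while IFS= read -r number; do
            [ -n "$number" ] || continue
            "$sender" "$number" "$msg" || { echo "$last"; return 1; }
        done < "$PHONEBOOK"
        last=$cid
    done
    echo "$last"
}

# run: entry point for cron. Leaves the state alone if the modem is not
# reachable, and advances it only as far as delivery actually succeeded.
run() {
    gammu --identify >/dev/null 2>&1 || { echo "modem not reachable" >&2; return 1; }
    last=$(read_last_cid "$STATE_FILE")
    newlast=$(new_alerts "$last" | deliver "$last" gammu_send) || true
    case $newlast in ''|*[!0-9]*) return 1 ;; esac
    if [ "$newlast" -gt "$last" ]; then
        printf '%s\n' "$newlast" > "$STATE_FILE"
    fi
}

# crontab entry (hypothetical install path):
# * * * * * root /usr/local/sbin/snortsms-poll.sh --run
case ${1:-} in --run) run ;; esac
```

The state file holds the cid of the last event delivered to every number, not the last one seen, so a run that dies half-way (modem unplugged, SIM out of credit) re-sends from that point instead of silently dropping alerts; the price is an occasional duplicate to numbers that had already received the message. Keeping the MySQL password in a 0600 my.cnf rather than in the script mirrors the clear-text credentials already sitting in snort.conf and kirimsms.php, which is why those files should be private too.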


Reconfigure the kirimsms.php file

# gedit /var/www/html/source/kirimsms.php
$db_hostname="localhost"; //hostname
$db_username="snort"; //MySQL username
$db_password="123456"; //MySQL password
$db_name="snort"; //database name

///////////////////////////////////
$db_hostname2="localhost"; //hostname
$db_username2="sms"; //MySQL username
$db_password2="123456"; //MySQL password
$db_name2="thesis"; //database name
//////////////////////////////////

The Snort alert-by-SMS system is now built.

To test it, install nmap on a client machine and scan the Snort machine. Snort raises the alert in BASE and ACID and writes the log to the database; the system then automatically sends the warning SMS.
