
Chris P. O'Connell's Outlook Outbox: Snort Installation: Step-b... http://outlookoutbox.blogspot.com/2011/11/snort-installation-...


Tuesday, December 13, 2011

Snort Installation: Step-by-step on Ubuntu 10.04.3

Snort is an awesome Intrusion Detection System (IDS). This incredible IDS is also free!!!
Unfortunately, Snort is a real pain to install.

Lots of instructions on how to install Snort are out on the internet, but most of them are
outdated. There are several books you can buy on the subject, but I've found that they too are
severely outdated. I've gathered instructions from a variety of sites and books to complete this
how-to, enabling Snort to be installed on a modern version of Ubuntu. If anyone finds any
trouble with these instructions please leave a comment!

The following instructions have been verified on Ubuntu Server 10.04.3 32-bit with the
ubuntu-desktop package set installed. Other required package versions:

Snort 2.9.1.2
MySQL 5.1
libdnet 1.12
daq 0.6.2

You will also need a machine with two NICs unless you intend to do all administration via a
local terminal and web sessions.

You can install Snort from the package repository, however the version in the repository is
really, really old. As a result we're going to do this all from scratch by downloading and
compiling the required source code.

1. Drop to your terminal window. Type sudo apt-get update and press enter.
2. Type sudo apt-get -y install build-essential libpcap0.8-dev
libmysqlclient15-dev mysql-client-5.1 mysql-server-5.1 bison flex
apache2 libapache2-mod-php5 php5-gd php5-mysql libphp-adodb
php-pear libc6-dev g++ gcc pcregrep libpcre3-dev and press enter.
3. Enter your superuser password when prompted. Get some coffee, this may take a while.
4. MySQL will require you to create a root password. This password is used just for
MySQL. Enter your password twice and be sure to document the MySQL root
password. I'm going to use mysqlpassword for our example.
5. You may receive a warning about libphp-adodb, click OK.
6. When you return to the command prompt visit http://code.google.com/p/libdnet/downloads/list.
7. Download libdnet-1.12.tgz.
8. Open your terminal and type cd ~/Downloads then press enter.
9. Type tar -xvzf libdnet-1.12.tgz and press enter.
10. Type cd libdnet-1.12 and press enter.
11. Type ./configure and press enter.
12. Type make and press enter.
13. Type make install and press enter.
14. Type ldconfig and press enter.
15. Type sudo ln -s /usr/local/lib/libdnet.1 /usr/lib/libdnet.1 and press enter.
16. Go to http://www.snort.org/snort-downloads and download the snort-2.9.1.2.tar.gz file
and the daq-0.6.2.tar.gz file.
17. Next, you will need to grab the latest rule set from the Registered User Release section
of http://www.snort.org/snort-rules/?#rules. You must register a free account before you
can download these rules. In our case we will get the snortrules-snapshot-2912.tar.gz.
18. Open your terminal and type cd ~/Downloads then press enter.
19. Type tar xvzf snort-2.9.1.2.tar.gz and press enter.
20. Type tar xvzf daq-0.6.2.tar.gz and press enter.
21. Type cd daq-0.6.2 and press enter.
22. Type ./configure and press enter.
23. Type make and press enter.
24. Type make install and press enter.
25. Type cd .. and press enter.
26. Type cd snort-2.9.1.2 and press enter.
27. Type ./configure --enable-dynamicplugin --with-mysql and press enter.
28. Type make and press enter.
29. Type make install and press enter.
30. Next you get to provision MySQL.
These next ten lines are taken directly from cited source 3 (at the bottom of my entry).
31. Start by typing mysql -u root -p and pressing enter.
32. When prompted for the password enter mysqlpassword and press enter.
33. Type create database snort; and press enter.
34. Type create database snort_archive; and press enter.
35. Type show databases; and press enter. You should see both new databases listed.

36. Type use snort; and press enter.
37. Type grant all privileges on snort.* to 'snort'@'localhost'
identified by 'snort_password'; and press enter.
38. Type grant all privileges on snort.* to 'root'@'localhost'
identified by 'mysqlpassword'; and press enter.
39. Type use snort_archive; and press enter.
40. Type grant all privileges on snort_archive.* to
'snort'@'localhost' identified by 'snort_password'; and press enter.
41. Type exit and press enter.
42. Now, from the command line you need to run the script that will create the snort tables.
To do this type sudo mysql -D snort -u snort -p < ~/Downloads/snort-2.9.1.2/schemas/create_mysql
and press enter.
43. Enter snort_password when prompted and press enter. If you get any error messages on
this step please be sure you used sudo. Even if you are logged in as the superuser,
sudo must be used for these commands.
44. Now we have to create an identical schema for the Snort archive database. To do so
type sudo mysql -D snort_archive -u snort -p < ~/Downloads/snort-2.9.1.2/schemas/create_mysql
and press enter.
45. Enter snort_password when prompted and press enter. If you get any error messages on
this step please be sure you used sudo. Even if you are logged in as the superuser,
sudo must be used for these commands.
46. This should have created the database schemas, but just to be sure, let's check it out.
Type mysql -u root -p and press enter.
47. Enter mysqlpassword and press enter.
48. Next type use snort; and press enter.
49. Now let's take a peek at the tables and make sure the right ones have been created.
Type show tables; and press enter. You should see the tables that the create_mysql
script created.

50. If all looks good then you're in business. Type exit and press enter.
51. OK, it's time to create the snort user in Linux.
52. Type sudo adduser snort and press enter.
53. Enter the superuser password when prompted.
54. Enter a new password for the snort user and press enter. For our example I am using
snortpassword.
55. Confirm the password and press enter.
56. Press enter 5 times through all the fields and confirm by pressing Y.
57. Type sudo chsh snort and press enter.
58. Type /bin/true and press enter.
59. Now lock the snort user account by typing sudo passwd snort -l and pressing
enter.
60. Type sudo mkdir -p /etc/snort/rules /var/log/snort and press enter.
61. Type sudo chown -R root.snort /var/log/snort and press enter.
62. Type sudo chmod -R 770 /var/log/snort and press enter.
63. Type sudo ldconfig and press enter.
64. Let's test to make sure Snort is working. Type snort --version. Hopefully you'll see
the Snort 2.9.1.2 version banner.
65. Let's get the rules extracted and in place. To do so type cd ~/Downloads and press
enter.
66. Type sudo tar xvzf snortrules-snapshot-2912.tar.gz -C /etc/snort
and press enter.
67. The following changes need to be made to the /etc/snort/etc/snort.conf file:
1. Find the line that reads dynamicdetection directory /usr/local/lib/snort_dynamicrules
and remark it (comment it out) by adding a # in front. Set the following lines:
2. var RULE_PATH /etc/snort/rules
3. var SO_RULE_PATH /etc/snort/so_rules
4. var PREPROC_RULE_PATH /etc/snort/preproc_rules
5. Remark the entire preprocessor reputation section.
6. Search for dynamic library rules. Unremark all of the dynamic rules.
68. Next, from the command line you need to test your snort configuration. Type snort -c
/etc/snort/etc/snort.conf and press enter. If you don't see any errors you're in
good shape. Don't worry about the warnings you may see.
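Step 67 is easy to get wrong by hand, so here is an added shell script (mine, not from the original post) that applies those edits to a copy of snort.conf and leaves the original alone so you can diff the two before putting the new file in place. It assumes the line formats of the stock Snort 2.9.1.2 snort.conf: a dynamicdetection directory line, var lines, a backslash-continued preprocessor reputation: block, and commented "# include $SO_RULE_PATH/..." lines.

```bash
#!/bin/bash
# Apply the step 67 snort.conf edits to a copy so the result can be diffed
# against /etc/snort/etc/snort.conf before it replaces it.
# Assumes the stock Snort 2.9.1.2 snort.conf line formats (an assumption).

# 67.1-67.4: comment out the dynamicdetection line, set the three rule paths.
set_rule_paths() {
    local conf="$1"
    sed -i \
        -e 's|^\(dynamicdetection directory /usr/local/lib/snort_dynamicrules\)|# \1|' \
        -e 's|^var RULE_PATH .*|var RULE_PATH /etc/snort/rules|' \
        -e 's|^var SO_RULE_PATH .*|var SO_RULE_PATH /etc/snort/so_rules|' \
        -e 's|^var PREPROC_RULE_PATH .*|var PREPROC_RULE_PATH /etc/snort/preproc_rules|' \
        "$conf"
}

# 67.5: comment out the whole "preprocessor reputation:" block. Continuation
# lines end in a backslash, so the block ends at the first line without one.
disable_reputation_preprocessor() {
    local conf="$1"
    awk '
        /^preprocessor reputation:/ { inblock = 1 }
        inblock { print "# " $0; if ($0 !~ /\\[ \t]*$/) inblock = 0; next }
        { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# 67.6: uncomment the "# include $SO_RULE_PATH/..." dynamic rule lines.
enable_dynamic_rules() {
    local conf="$1"
    sed -i 's|^# *\(include \$SO_RULE_PATH/.*\)|\1|' "$conf"
}

# Copy src to dst and apply every edit to dst; src is never modified.
patch_snort_conf() {
    local src="$1" dst="$2"
    cp "$src" "$dst" || return 1
    set_rule_paths "$dst" && disable_reputation_preprocessor "$dst" && enable_dynamic_rules "$dst"
}

# Usage: ./patch_snort_conf.sh /etc/snort/etc/snort.conf ./snort.conf.new
# then:  diff /etc/snort/etc/snort.conf ./snort.conf.new
if [ "$#" -eq 2 ]; then
    patch_snort_conf "$1" "$2"
fi
```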

Base: The web-based interface

That was exhausting, I know, but you should be in good shape at this point. The next, and final,
step is to get the web interface up and running. The web interface is called BASE.

1. Visit http://sourceforge.net/projects/secureideas and download base-1.4.5.tar.gz.
2. Drop to the command line and type cd ~/Downloads and press enter.
3. Type tar xvzf base-1.4.5.tar.gz and press enter.
4. Type mv base-1.4.5 /var/www/base and press enter.
5. Type pear install Image_Color Image_Canvas-alpha Image_Graph-alpha and press enter.
6. Type chown www-data /var/www/base and press enter.
7. Type chmod 755 /var/www/base and press enter.
8. Edit /etc/php5/apache2/php.ini. Search out the line called error_reporting. The line should read as follows:
error_reporting = E_ALL & ~E_NOTICE
9. Type service apache2 reload and press enter.
10. Open up your web browser and visit http://localhost/base. You should see the BASE setup screen greeting you.
11. Click continue.
12. If you click continue on this screen you can configure the database via web-interface. I don't recommend this. The last step errors out. Instead, use the
13. Close your web browser.
14. Open /var/www/base/base_conf.php.dist. Ensure the following lines read as follows:
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'snort_password';

/* Archive DB connection parameters */
$archive_exists = '1'; # Set this to 1 if you have an archive DB
$archive_dbname = 'snort_archive';
$archive_host = 'localhost';
$archive_port = '';
$archive_user = 'snort';
$archive_password = 'snort_password';
15. Find the following line (search for DBLib) and ensure it reads as follows:
$DBLib_path = '/usr/share/php/adodb';
16. Find the following line (search for BASE_urlpath) and ensure it reads as follows:
$BASE_urlpath = '/base';
17. Save and quit.
18. Type cp /var/www/base/base_conf.php.dist /var/www/base/base_conf.php and press enter.
19. Type chown www-data:www-data /var/www/base and press enter.
20. Type chown -R www-data:www-data /var/www/base/* and press enter.
21. Open your web browser and visit http://localhost/base. You should see the BASE setup page again.
22. Click Create AG. If all goes well you should see a success screen.
23. Now when you visit http://localhost/base you should see the Base screen.
24. Drop to the command line and type mysqldump -u root -p snort > snort.db
and press enter.
25. Enter mysqlpassword when prompted.
26. Type mysql -u root -p snort_archive < snort.db and press enter.
27. Enter mysqlpassword when prompted.
28. Type mysql -u root -p and press enter.
29. Type use snort_archive; and press enter.
30. Type grant all privileges on snort_archive.* to
'snort'@'localhost' identified by 'snort_password'; and press enter.
31. Type exit and press enter.
32. Now, refresh your base page and you should see Use Alert Database on the right hand
side. Click Use Alert Database to ensure the page loads.

Testing... finally!

Getting to this point took a long time, no question about it! Now that you're done we can test
some of the fun stuff. Let's start by getting the IP address of your NIC:

1. Type ifconfig and press enter. Hopefully you have two NICs installed. Note the IP
address of eth1.
2. Type snort -c /etc/snort/etc/snort.conf -v and press enter.
3. Start pinging and port scanning the IP addresses that your Snort box is using, then
refresh the BASE home page. You should start seeing tons of alerts!
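Before calling the box done, it is worth re-checking the account and permission hardening from steps 52 to 62 of the installation, since a later package upgrade or a stray chmod can quietly undo it. The audit script below is added here and is not part of the original post; it assumes GNU stat and getent are available and that sudo can read the snort shadow entry.

```bash
#!/bin/bash
# Re-check the hardening from steps 52-62: the snort account has no usable
# shell and is locked, and /var/log/snort is root:snort with mode 770.
# Added audit script, not part of the original guide.

# 0 if a passwd entry (user:x:uid:gid:gecos:home:shell) ends in a no-login
# shell, as set in steps 57-58 with chsh.
shell_is_nologin() {
    local shell="${1##*:}"
    [ "$shell" = /bin/true ] || [ "$shell" = /bin/false ] || [ "$shell" = /usr/sbin/nologin ]
}

# 0 if a shadow entry's password field is locked. passwd -l (step 59)
# prefixes the hash with '!'; '*' likewise allows no password login.
account_is_locked() {
    local rest="${1#*:}"
    local hash="${rest%%:*}"
    case "$hash" in
        '!'*|'*') return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the directory's octal permission bits are exactly the expected ones.
dir_mode_is() {
    [ -d "$1" ] && [ "$(stat -c '%a' "$1")" = "$2" ]
}

# 0 if the directory is owned by the expected user:group.
dir_owner_is() {
    [ -d "$1" ] && [ "$(stat -c '%U:%G' "$1")" = "$2" ]
}

# Run every check against the live host; non-zero exit if anything drifted.
audit_snort_host() {
    local rc=0
    shell_is_nologin "$(getent passwd snort)" || { echo "FAIL: snort has a login shell"; rc=1; }
    account_is_locked "$(sudo getent shadow snort)" || { echo "FAIL: snort account is not locked"; rc=1; }
    dir_owner_is /var/log/snort root:snort || { echo "FAIL: /var/log/snort is not root:snort"; rc=1; }
    dir_mode_is /var/log/snort 770 || { echo "FAIL: /var/log/snort is not mode 770"; rc=1; }
    [ "$rc" -eq 0 ] && echo "ok: snort account and log directory match the guide"
    return "$rc"
}

# Usage: sudo ./audit_snort_host.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_snort_host
fi
```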

Good luck!

Cited sources:

1. http://www.howtoforge.com/intrusion-detection-with-snort-mysql-apache2-on-ubuntu-7.10
2. http://ubuntuforums.org/showthread.php?t=145641
3. http://ubuntuforums.org/showthread.php?t=919472
4. http://bailey.st/blog/2010/10/06/compiling-snort-2-9-0/
5. http://www.thegeekstuff.com/2010/08/snort-tutorial/
6. http://www.snort.org/assets/158/013-snortinstallguide2912.pdf
7. http://ubuntuforums.org/showpost.php?p=5786356&postcount=4
8. https://forums.snort.org/forums/third-party-tools/topics/configuring-base-with-snort
9. http://blog.csmonkey.com/2009/03/how-to-duplicate-mysql-database.html

Posted by Chris O'Connell at 1:00 PM


2 comments:

Prathibha P G February 15, 2013 at 1:35 AM

Sir,
I have followed your tutorial, but at the last step I am getting the following error:
ERROR: /etc/snort/etc/snort.conf(328) => Length of the http request method shoould not exceed
the max request method length of '7'.
Kindly help me


Prathibha P G February 15, 2013 at 2:05 AM

I am also getting errors when pear install is given; they say unknown package. And apache2:
Syntax error on line 236 of /etc/apache2/apache2.conf: Could not open configuration file
/etc/apache2/sites-enabled/dequeue: No such file or directory
...fail!
Kindly help me
