THIS IS A HOWTO TO SETUP SNORT WITH ACID ON RHEL 4.0

By: Salman.A.Francis linuxadminiter@gmail.com

THE BELOW IS A SIMPLE STEP BY STEP PROCEDURE TO MANAGE THE TASK. First of all we must know what Snort is and what Acid is.

Snort = free program for a Network Intrusion Detection System.
Acid = Analysis Console for Intrusion Detection, or we can say a web front end for Snort, as it works with the alerts Snort logs.

Please remember that your system must have php-4.3.5 or greater for the following to work. You can check it with the following command:
# rpm -qa php
If you don't have php-4 or greater, download it and configure it.

Now let's move on to configuring Snort with Acid. First download all the necessary packages for its proper functioning:
1. Acid
2. Adodb
3. Acidlab
4. Mysql
5. Snort
6. Jpgraph
7. Php-4
8. Apache
These can be downloaded from www.sourceforge.net

Now let's start the configuration. First we will set up Snort from source code as follows:
# tar zxvf Snort.tar
The above will untar Snort.tar and create the necessary directories inside the newly created snort directory. The main directories created are etc and schemas. We also have to download the latest rules from www.snort.org/dl

After the above step we have to create the following directories ourselves:
# mkdir /etc/snort
# mkdir /etc/snort/rules
# mkdir /var/log/snort
Now copy all the files from the etc directory created by untarring Snort to /etc/snort, and copy the files from the rules directory (downloaded from www.snort.org/dl) to the /etc/snort/rules directory we created.

Now perform the following after completion of the above steps:
# ./configure --with-mysql
# make
# make install
If all goes well Snort is installed but not yet configured. For its configuration we have to edit the snort.conf file found at /etc/snort/snort.conf, so we perform the following:
# vi /etc/snort/snort.conf
and edit the configuration file as under:
##########################################
#################SNORT.CONF################
var HOME_NET any
Change to
var HOME_NET 192.168.5.211 (or any of your internal network IPs or IP range)

var EXTERNAL_NET any
Change to
var EXTERNAL_NET !$HOME_NET
var RULE_PATH ../rules
Change to
var RULE_PATH /etc/snort/rules
Also uncomment the output database line and change the user, password and dbname according to your preference, e.g.
output database: log, mysql, user=snort password=snort123 dbname=snort host=localhost

Now the Snort configuration is finished. Let's check whether Snort runs by typing the following command:
# snort -c /etc/snort/snort.conf
If all goes well the above command will run Snort in NIDS (network intrusion detection system) mode. Snort will automatically create an alert file if someone tries to intrude (hack, scan etc.) into our network. The alert file is created in the directory we created, /var/log/snort/. By studying the alert file we can see who tried to penetrate our network.

Now we will configure MySQL. First we start MySQL with the command:
# service mysqld start
and then we perform the following:
# mysql
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('your Password');
mysql> Enter new password: ******
mysql> Repeat password: *****
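The alert file Snort writes under /var/log/snort is plain text in Snort's "full" alert layout. As an added example that is not part of this howto, the following Python script parses such a file and summarises which source addresses triggered the most alerts; the sample records embedded in it are constructed (the rule SIDs are placeholders, not looked up), so it runs without a live sensor.

```python
import re
from collections import Counter
# Constructed sample in Snort's default "full" alert layout (not from the page; SIDs are placeholders).
SAMPLE_ALERT = """\
[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/11-10:15:01.123456 10.0.0.5 -> 192.168.5.211
ICMP TTL:48 TOS:0x0 ID:1 IpLen:20 DgmLen:28

[**] [1:1421:11] SNMP AgentX/tcp request [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/11-10:15:02.654321 10.0.0.5:4012 -> 192.168.5.211:705
TCP TTL:48 TOS:0x0 ID:2 IpLen:20 DgmLen:44

[**] [1:1917:6] SCAN UPnP service discover attempt [**]
[Classification: Detection of a Network Scan] [Priority: 3]
03/11-10:16:40.000001 10.0.0.9:5100 -> 192.168.5.211:1900
UDP TTL:128 TOS:0x0 ID:3 IpLen:20 DgmLen:160
"""

HEADER_RE = re.compile(r'^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$')  # [**] [gid:sid:rev] msg [**]
PRIO_RE = re.compile(r'\[Priority: (\d+)\]')
ADDR_RE = re.compile(r'^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$')

def parse_alerts(text):
    """Return one dict per alert record; records in the alert file are separated by a blank line."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0])
        if not head:
            continue  # skip anything that is not an alert record
        rec = {"gid": int(head.group(1)), "sid": int(head.group(2)), "rev": int(head.group(3)),
               "msg": head.group(4), "priority": None}
        for line in lines[1:]:  # classification/priority and address lines may be absent
            prio = PRIO_RE.search(line)
            if prio:
                rec["priority"] = int(prio.group(1))
            addr = ADDR_RE.match(line)
            if addr:  # ICMP records carry no ports, so the port groups may be None
                ts, src, sport, dst, dport = addr.groups()
                rec.update(ts=ts, src=src, dst=dst, src_port=int(sport) if sport else None,
                           dst_port=int(dport) if dport else None)
        alerts.append(rec)
    return alerts

def top_sources(alerts, n=5):
    """Most frequent source addresses as (ip, count) pairs, i.e. who is probing the network most."""
    return Counter(a["src"] for a in alerts if "src" in a).most_common(n)
```

To run it over the real file, replace SAMPLE_ALERT with the contents of /var/log/snort/alert.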

mysql> exit
Now enter MySQL again with the following command:
# mysql -u root -p
Provide the password, and at the mysql prompt apply the commands as follows:
mysql> create database snort;
mysql> grant INSERT, SELECT on snort.* to snort@localhost;
mysql> SET PASSWORD FOR 'snort'@'localhost' = PASSWORD('snort123');
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort;
mysql> exit
Now at the shell prompt type the following to create the tables in the newly created snort database:
# mysql -D snort -u root -p < /root/snort-2.6.1.4/schemas/create_mysql
If no error occurs, the tables in the snort database have been created.

Now we need a front end for Snort which will make use of the alerts and display them graphically on the web. For this purpose we will use the Acid package. Perform the following steps:
# tar zxvf acid.tar
First create a new directory named acid:
# mkdir /var/www/html/acid
Now copy the contents of the recently untarred acid directory to /var/www/html/acid. After this:
# tar zxvf adodb.tar
Now copy the contents of the recently untarred adodb directory to the same /var/www/html/acid directory. Then untar jpgraph.tar the same way:
# tar zxvf jpgraph.tar
and copy the contents of the recently untarred jpgraph directory to the same /var/www/html/acid directory.
Now find the file named acid_conf.php in the /var/www/html/acid directory and edit it as described below.

###################################################
####################acid_conf.php#####################

$DBlib_path = "/var/www/html/acid";
(This line gives the path to the adodb files; we copied the adodb directory into /var/www/html/acid.)

$DBtype = "mysql";
(This gives the database type.)

Change the following in the output plugin section as well as in the Archive DB section:
$alert_dbname = "snort";       (database name)
$alert_host = "localhost";     (host name)
$alert_port = "3306";          (MySQL port for the connection)
$alert_user = "snort";         (user name)
$alert_password = "snort123";  (password for user snort)

Lastly we have to change the following:
$ChartLib_path = "/var/www/html/acid/jpgraph/src";
(The path which leads to jpgraph.php)

That's it, we have done the entire configuration. Now let's restart all the services:
# service httpd restart
# service mysqld restart
# snort -c /etc/snort/snort.conf
After restarting the services, open your web browser, point it to http://localhost/acid and press Enter. If all goes well you will see the Acid console, but before this you have to create the AG by clicking on the create buttons.

I hope you guys have understood every step. If you have problems just e-mail me at my personal account: linuxadminister@gmail.com

