Installation & Configuration Of Intrusion Detection With Snort, ACIDBASE, MySQL, And Apache2 On Ubuntu 9.04 Using SPM

Submitted by redgreg68 on Mon, 2009-09-21 18:57. :: Ubuntu | Security

This tutorial describes how to install and configure the Snort intrusion detection system (IDS), ACIDBASE (Basic Analysis and Security Engine), MySQL, and Apache2 on Ubuntu 9.04 using packages from Ubuntu's Synaptic Package Manager. Snort will monitor your network and alert you about possible threats. Snort writes its alerts to a MySQL database, which ACIDBASE reads to present them in a graphical interface in your web browser.

 

1. System Preparations & Software Installations

1.1 Installation

Download 32bit or 64bit version of Desktop Ubuntu 9.04 from http://www.ubuntu.com/getubuntu/download.

 

1.2 Network & System Configuration

Connect your computer to the network. Although a number of different network configurations will allow the system to work, the preferred network configuration is as follows:

  • Located in DMZ (De-Militarized Zone)
  • Static IP address with NAT hiding its IP behind Firewall
  • Connected to the monitoring port on the switch.

Create a new administrator account called <your_username> with password <your_password>. The same username and password are reused later for the MySQL account that Snort and ACIDBASE log in with.

 

1.3 Software Installation

The first thing to do after the installation completes is to install all updates recommended by Ubuntu. To access updates go to System > Administration > Update Manager. Enter your password and select Check, then select Install Updates.

From the Desktop go to System > Administration > Synaptic Package Manager. Enter your password and select Search.

Search for the following packages and install them:

  • Acidbase with all affected packages
  • Snort-MySQL with all affected packages
  • MySql-server-5.0 with all affected packages
  • Libpcap0.8-dev
  • libmysqlclient15-dev
  • MySql-client-5.0
  • Bison
  • Flex
  • Apache2
  • Libapache2-mod-php5
  • Php5-gd
  • Php5-mysql
  • Libphp-adodb
  • Php-pear
  • SSH

 

2. Gain Root Access

From the Desktop go to Applications > Accessories > Terminal and type:

$ sudo -i

Enter your password when prompted. The prompt changes from $ to #, and the remaining commands in this tutorial are run as root.

 

3. Configure Snort

The configuration file snort.conf needs to be modified to suit your environment.

Open /etc/snort/snort.conf with a text editor (nano, vi, vim, etc.).

# vim /etc/snort/snort.conf

Change var HOME_NET any to var HOME_NET 192.168.1.0/24 (your home network may differ from 192.168.1.0/24). If you have more than one network to monitor, list them in brackets, separated by commas: var HOME_NET [192.168.1.0/24,10.10.1.0/24]. Change var EXTERNAL_NET any to var EXTERNAL_NET !$HOME_NET (everything that is not in HOME_NET is treated as external).

Change var RULE_PATH ../rules to var RULE_PATH /etc/snort/rules. Scroll down to the line beginning # output database: log, mysql, user= and remove the # from in front of it.

Example: output database: log, mysql, user=<your_username> password=<your_password> dbname=snort host=localhost (the username and password are the ones created in section 1.2).

Make a note of the username, password, and dbname. You will need this information when we set up the MySQL database. Save and quit.
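The four edits above are easy to get subtly wrong by hand (a leftover # on the output line, an unchanged EXTERNAL_NET). The following script is an added example and not part of the HowtoForge tutorial: it applies the same edits to a copy of snort.conf with sed and then verifies that all four took effect. The sample file it writes is a constructed stub of the relevant stock lines, not a real /etc/snort/snort.conf, and the function names are this example's own. It assumes the values you pass contain none of the characters |, & or \ that are special to sed.

```shell
#!/bin/sh
# Added example (not from the tutorial): apply the section 3 snort.conf edits
# with sed on a copy of the file, then check that every edit is present.

# Apply the tutorial's four edits. HOME_NET may be a single CIDR or a
# bracketed list such as [192.168.1.0/24,10.10.1.0/24]. Writes to a temporary
# file and moves it into place so it works with any POSIX sed.
snort_conf_apply() {  # usage: snort_conf_apply <snort.conf> <HOME_NET> <db_user> <db_pass> <dbname>
    conf=$1; home_net=$2; user=$3; pass=$4; db=$5
    sed \
        -e "s|^var HOME_NET any$|var HOME_NET $home_net|" \
        -e 's|^var EXTERNAL_NET any$|var EXTERNAL_NET !$HOME_NET|' \
        -e 's|^var RULE_PATH \.\./rules$|var RULE_PATH /etc/snort/rules|' \
        -e "s|^# *output database: log, mysql, user=.*$|output database: log, mysql, user=$user password=$pass dbname=$db host=localhost|" \
        "$conf" > "$conf.new" && mv "$conf.new" "$conf"
}

# Return 0 when all four edits are present, 1 when any is still missing.
snort_conf_check() {  # usage: snort_conf_check <snort.conf>
    conf=$1
    # HOME_NET must no longer be the stock "any"
    if grep -q '^var HOME_NET any$' "$conf"; then return 1; fi
    grep -q '^var EXTERNAL_NET !\$HOME_NET$' "$conf" || return 1
    grep -q '^var RULE_PATH /etc/snort/rules$' "$conf" || return 1
    # the output line must be active (no leading #) and carry all four fields
    grep -q '^output database: log, mysql, user=[^ ]* password=[^ ]* dbname=[^ ]* host=' "$conf" || return 1
    return 0
}

# Constructed stub of the stock snort.conf lines this tutorial edits
# (not a real configuration file).
write_sample_conf() {  # usage: write_sample_conf <path>
    cat >"$1" <<'EOF'
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
# output database: log, mysql, user=snort password=test dbname=snort host=localhost
EOF
}

# Demo on a throwaway copy; on a real system pass /etc/snort/snort.conf instead.
tmp=$(mktemp)
write_sample_conf "$tmp"
snort_conf_apply "$tmp" '[192.168.1.0/24,10.10.1.0/24]' alice 's3cret' snort
if snort_conf_check "$tmp"; then echo "snort.conf edits verified"; else echo "snort.conf edits missing"; fi
cat "$tmp"
rm -f "$tmp"
```

Run it once against the stub to see the before/after, then call snort_conf_apply and snort_conf_check on the real file. Keeping the check separate from the edit means you can rerun it any time (for example after a package upgrade replaces snort.conf) to confirm the sensor is still pointed at the right network and database.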

 

4. Setup the snort and archive MySQL databases

4.1 MySQL setup

Log into the MySQL server.

# mysql -u root -p

Sometimes no password is set, so just hit Enter.

If the login fails, try the command again and enter your password.

If there is no password, you need to create one for the root account.

Note: once you are in MySQL, the prompt changes from # to mysql>.

mysql> create user <your_username>@localhost;
mysql> SET PASSWORD FOR <your_username>@localhost=PASSWORD('<your_password>');
mysql> SET PASSWORD FOR root@localhost=PASSWORD('<your_password>');

 

4.2 Create Snort database

mysql> create database snort;
mysql> grant INSERT,SELECT on snort.* to snort@localhost;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to <your_username>@localhost;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort;

 

4.3 Create Archive database

mysql> create database archive;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on archive.* to <your_username>@localhost;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on archive.* to archive;
mysql> exit

 

4.4 Create Tables in Snort and Archive databases

We will use the Snort schema shipped with the snort-mysql package for the layout of both the snort and archive databases. You will be prompted for the password of <your_username> each time.

# cd /usr/share/doc/snort-mysql
# zcat create_mysql.gz | mysql -u <your_username> -h localhost -p snort
# zcat create_mysql.gz | mysql -u <your_username> -h localhost -p archive

 

4.5 Confirm creation of databases and existence of newly created tables

Log on to MySQL and check for the databases we just created and the tables inside them. If everything was created successfully you will see four (4) databases (mysql, test, snort and archive) and approximately 16 tables in each of the snort and archive databases.

# mysql -u root -p
mysql> show databases;
mysql> use snort;
mysql> show tables;
mysql> use archive;
mysql> show tables;
mysql> exit
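The check above is run as root, so it passes even when the account and database Snort itself will use are wrong. A sensor started against a database that never received the schema fails at startup with a missing sensor table, and the dbname in snort.conf is the value that decides which database that is. The script below is an added example, not part of the HowtoForge tutorial: it reads user, host and dbname from the active output database: line of snort.conf, checks that dbname is one of the databases create_mysql.gz was piped into, and prints the table-listing command as the Snort account would run it. The sample file it writes is a constructed stub (its dbname deliberately does not match), and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the tutorial): cross-check the database settings
# Snort will actually use (from snort.conf) against the databases the schema
# was loaded into in section 4.4.

# Print one field (user, password, dbname or host) of the first active
# "output database:" line; commented-out lines are skipped.
snort_db_field() {  # usage: snort_db_field <snort.conf> <field>
    grep -E '^[[:space:]]*output[[:space:]]+database:' "$1" | head -n 1 |
        tr ',' ' ' | tr -s ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Return 0 when the dbname in snort.conf is one of the databases named on the
# command line (the ones create_mysql.gz was piped into), 1 otherwise.
snort_db_consistent() {  # usage: snort_db_consistent <snort.conf> <db> [<db> ...]
    conf=$1; shift
    want=$(snort_db_field "$conf" dbname)
    [ -n "$want" ] || return 1
    for have in "$@"; do
        [ "$have" = "$want" ] && return 0
    done
    return 1
}

# Print the mysql command that lists the tables in the database Snort writes
# to, using the same user/host/dbname Snort will use, so the check in 4.5
# exercises that account rather than root.
snort_db_check_cmd() {  # usage: snort_db_check_cmd <snort.conf>
    conf=$1
    printf "mysql -u %s -h %s -p %s -e 'SHOW TABLES'\n" \
        "$(snort_db_field "$conf" user)" \
        "$(snort_db_field "$conf" host)" \
        "$(snort_db_field "$conf" dbname)"
}

# Constructed stub of the relevant snort.conf lines (not a real config file);
# the active line points at dbname=db, which section 4.4 never created.
write_db_sample_conf() {  # usage: write_db_sample_conf <path>
    cat >"$1" <<'EOF'
# output database: log, mysql, user=snort password=test dbname=snort host=localhost
output database: log, mysql, user=alice password=s3cret dbname=db host=localhost
EOF
}

# Demo; on a real system pass /etc/snort/snort.conf and the databases you loaded.
tmp=$(mktemp)
write_db_sample_conf "$tmp"
if snort_db_consistent "$tmp" snort archive; then
    echo "ok: schema was loaded into $(snort_db_field "$tmp" dbname)"
else
    echo "mismatch: snort.conf names dbname=$(snort_db_field "$tmp" dbname), schema was loaded into: snort archive"
fi
snort_db_check_cmd "$tmp"
rm -f "$tmp"
```

Run the printed mysql command yourself before starting the sensor: if it lists the sensor and event tables, the account in snort.conf can both reach the database and read from it, which is the condition the section 4.6 test needs.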

 

4.6 Test Snort

In the terminal type:

# snort -c /etc/snort/snort.conf

If everything went well you should see an ASCII pig, followed by Snort initialising its preprocessors and connecting to the database.

To end the test press Ctrl+C.


Submitted by Anonymous (not registered) on Tue, 2010-12-14 01:07.

Please, I have a problem with databases, look at this result:

database:          host = localhost
database:   sensor name = 192.168.201.136
database: mysql_error: Table 'db.sensor' doesn't exist
database: mysql_error: Table 'db.sensor' doesn't exist
SQL=INSERT INTO sensor (hostname, interface, detail, encoding, last_cid) VALUES ('192.168.201.136','eth0',1,0, 0)
database: mysql_error: Table 'db.sensor' doesn't exist
database: Problem obtaining SENSOR ID (sid) from db->sensor
ERROR:
 When this plugin starts, a SELECT query is run to find the sensor id for the
 currently running sensor. If the sensor id is not found, the plugin will run
 an INSERT query to insert the proper data and generate a new sensor id. Then a
 SELECT query is run to get the newly allocated sensor id. If that fails then
 this error message is generated.

 Some possible causes for this error are:
  * the user does not have proper INSERT or SELECT privileges
  * the sensor table does not exist

 If you are _absolutely_ certain that you have the proper privileges set and
 that your database structure is built properly please let me know if you
 continue to get this error. You can contact me at (roman@danyliw.com).

Fatal Error, Quitting..
Submitted by ruata (not registered) on Fri, 2011-04-22 17:31.
Copy & paste from the tutorial is a bad practice, so always type by yourself. I hope that will help you.
Submitted by Christian Wilken (not registered) on Fri, 2009-09-25 22:31.
 Shouldn't part 4.2 look like this (or is there in fact a DB called "root"?):
 
[...]
mysql> create database snort;
mysql> grant INSERT,SELECT on snort.* to root@localhost;
[...]
 
 instead of:
 [...]
mysql> create database snort;
mysql> grant INSERT,SELECT on snort.* to root@localhost;
[...]
Submitted by Anonymous (not registered) on Thu, 2009-09-24 00:55.
Please proof-read and correct your syntax in section 4.1. 
Submitted by oly562 (registered user) on Mon, 2011-09-12 22:55.
I think there is more to it than obvious syntax typos. That's ok, we all should review those things. But the archive user isn't working, more importantly, in mysql. shrugs...
Submitted by Anonymous (not registered) on Wed, 2009-11-18 08:00.
honestly, if you're too blind to see the r in that needs to be removed, what the hell are you doing installing and configuring snort in the first place?
Submitted by Anonymous (not registered) on Wed, 2011-04-20 18:37.
<user>r@localhost, what is this r used for?