Installation & Configuration Of Intrusion Detection With Snort, ACIDBASE, MySQL, And Apache2 On Ubuntu 9.04 Using SPM

This tutorial describes how to install and configure Snort intrusion detection system (IDS), ACIDBASE (Basic Analysis and Security Engine), MySQL, and Apache2 on Ubuntu 9.04 using packages from Ubuntu’s Synaptic Package Manager. Snort will assist you in monitoring your network and alert you about possible threats. Snort will output its log files to a MySQL database which ACIDBASE will use to display in a graphical interface in web browser.

1. System Preparations & Software Installations

1.1 Installation

Download 32bit or 64bit version of Desktop Ubuntu 9.04 from http://www.ubuntu.com/getubuntu/download.

1.2 Network & System Configuration

Connect you computer to the network. Although number of different network configurations will allow system to work, the preferred network configuration would be as follows:

• Located in DMZ (De-Militarized Zone)
• Static IP address with NAT hiding its IP behind Firewall
• Connected to the monitoring port on the switch.

Create new administrator called <your_username>, with password <your_password>.

1.3 Software Installation

The first thing to do after installation completes is to it install all updates recommended by Ubuntu. To access updates proceed to System > Administration > Update Manager. Enter your password and select Check. Select Install Updates.

From the Desktop go to System > Administration > Synaptic Package Manager. Enter your password and select Search.

Search for the following packages and install them:

• Acidbase with all affected packages
• Snort-MySQL with all affected packages
• MySql-server-5.0 with all affected packages
• Libpcap0.8-dev
• libmysqlclient15-dev
• MySql-client-5.0
• Bison
• Flex
• Apache2
• Libapache2-mod-php5
• Php5-gd
• Php5-mysql
• Libphp-adodb
• Php-pear
• SSH

2. Gain Root Access

From the Desktop go to Applications > Accessories > Terminal and type:

$ sudo -i
$ Then your password.

3. Configure Snort

Configuration file snort.conf needs to be modified to suit individual needs.

Open /etc/snort/snort.conf with text editor (nano, vi, vim, etc.).

# vim /etc/snort/snort.conf

Change var HOME_NET any to var HOME_NET 192.168.1.0/24 (your home network may differ from 192.168.1.0). In case you have more than one network to monitor you should enter them as follows var HOME_NET [192.168.1.0/24,10.10.1.0/24]. Change var EXTERNAL_NET any to var EXTERNAL_NET !$HOME_NET (this is stating everything except HOME_NET is external).

Change var RULE_PATH ../rules to var RULE_PATH /etc/snort/rules. Scroll down the list to the section with # output database: log, mysql, user=, remove the # from in front of this line.

Example: output database: log, mysql, user=<your_username> password=<your_password> dbname=snort host=localhost (see above when new user was created).

Make note of the username, password, and dbname. You will need this information when we set up the MySQL db. Save and quit.

4. Setup the snort and archive MySQL databases

4.1 MySQL setup

Log into the MySQL server.

# mysql -u root -p

Sometimes there is no password set so just hit enter.

If you get a failed logon, try the above command again and enter YOUR_PASSWORD.

If there is no password you need to create a password for the root account.

Note: Once you are in MySQL the # is now a mysql>

mysql> create user <your_username>@localhost;
mysql> SET PASSWORD FOR <your_username>r@localhost=PASSWORD(‘<your_password>’);
mysql> SET PASSWORD FOR root@localhost=PASSWORD(‘<your_password>);

4.2 Create Snort database

mysql> create database snort;
mysql> grant INSERT,SELECT on root.* to snort@localhost;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to <your_username>@localhost;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort;

4.3 Create Archive database

mysql> create database archive;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on archive.* to <your_username>@localhost;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on archive.* to archive;
mysql> exit

4.4 Create Tables in Snort and Archive databases

We will use the snort schema for the layout of snort and archive databases.

# cd /usr/share/doc/snort-mysql
# zcat create_mysql.gz | mysql –u <your_username> –h localhost –p snort
# zcat create_mysql.gz | mysql –u <your_username> –h localhost –p archive

4.5 Confirm creation of databases and existence of newly created tables

Logon to MySQL and check for databases we just created and tables inside of those databases. If everything was created successful you will see four (4) databases (mysql, test, snort and archive) in mysql databases and approximately 16 tables in each of the databases.

# mysql -u root –p
mysql> show databases;
mysql> use snort;
mysql> show tables;
mysql> use archive;
mysql> show tables;
mysql> exit

4.6 Test Snort

In the terminal type:

# snort -c /etc/snort/snort.conf

If everything went well you should see an ascii pig.

To end the test hit ctrl + c.