Perfect Setup Of Snort + Base + PostgreSQL On Ubuntu 6.06 LTS

Submitted by ruribeetxeberria on Wed, 2007-04-25 17:50. :: Ubuntu | Monitoring | Security


This tutorial describes how you can install and configure the Snort IDS (intrusion detection system) and BASE (Basic Analysis and Security Engine) on an Ubuntu 6.06 (Dapper Drake) system. With the help of Snort and BASE, you can monitor your system - with BASE you can perform analysis of intrusions that Snort has detected on your network. Snort will use a PostgreSQL database to store/log the data it gathers.

Installing The Packages.

  1. Obtain root privileges:

    $ sudo -i

  2. If you are behind a web proxy, set the http_proxy environment variable to specify which proxy to use, optionally including your authentication credentials (if you do not need them, just omit the 'user:pass@' part):

    # export http_proxy="http://user:pass@proxy-ip:proxy-port/"

  3. Check the Ubuntu repositories. Uncomment all lines starting with 'deb' (or at least the ones referring to Universe):

    # vi /etc/apt/sources.list

  4. Update your packages list:

    # apt-get update

  5. Install postgresql-8.1, snort and snort-pgsql (the latest Snort rules can be found at: http://www.snort.org/pub-bin/downloads.cgi)

    # apt-get install snort postgresql-8.1 snort-pgsql

Creating The Snort Database And Configuring Postgresql.

  1. Create the snort database, tables and database user. Remember to use a strong password for the snort user:

    # su postgres
    $ createdb snort
    $ zcat /usr/share/doc/snort-pgsql/create_postgresql.gz | psql snort
    $ createuser -P snort

    Enter password for new user: snort-password
    Enter it again: snort-password
    Shall the new user be a superuser? (y/n) n
    Shall the new user be allowed to create databases? (y/n) n
    Shall the new user be allowed to create more new users? (y/n) n
    CREATE USER

  2. Log in to the database:

    $ psql snort

  3. Grant all privileges on the snort database to the snort user:

    psql> grant all privileges on database snort to snort;

  4. To check the tables, indexes, etc. (and privileges), execute:

    psql> \dt
    psql> \dp

  5. Edit snort.conf file:

    # vi /etc/snort/snort.conf

    After the line that reads:

      preprocessor stream4_reassemble

    add a couple of lines that read like these (each one on a single line; they might display wrapped here due to width constraints):

      preprocessor stream4_reassemble: both,ports 21 23 25 53 80 110 111 139 143 445 513 1433
      output database: alert, postgresql, user=snort password=snort-password dbname=snort host=postgresql-host-ip


  6. Adjust the PostgreSQL configuration. We need to edit postgresql.conf and pg_hba.conf:

    # vi /etc/postgresql/8.1/main/postgresql.conf

    Search for the line with the listen_addresses directive and set it to the IP address of the host running PostgreSQL (un-comment it if necessary; the value must be quoted):

      listen_addresses = 'postgresql-host-ip'


    Next we need to allow TCP/IP connections from the snort sensor host IP address, using password authentication:

    # vi /etc/postgresql/8.1/main/pg_hba.conf

    After the line that reads:

      host all all 127.0.0.1/32 md5

    add the following line:

      host snort snort snort-sensor-host-ip/32 password

  7. Restart postgresql to apply the previous changes:

    # /etc/init.d/postgresql-8.1 restart
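
    The pg_hba.conf entry above is deliberately narrow: one sensor address, one database, password authentication. The following shell script is an added example written for this page (it is not part of the HowtoForge article) that lints a pg_hba.conf for the usual ways that narrowness gets lost: a `trust` method, an address range wider than one host, a `0.0.0.0/0` wildcard, or the snort role being allowed into every database. It assumes the CIDR address form shown on the page (for example 192.0.2.10/32), not the older "address netmask" form, and the sample file it runs on is constructed inline.

```shell
#!/bin/sh
# Added example, not from the HowtoForge article: lint pg_hba.conf for entries
# that widen the Snort sensor's database access beyond what the tutorial intends
# (a single sensor address, password authentication, only the snort database).
# Assumes the CIDR address form (192.0.2.10/32), not the "address netmask" form.

# Reads pg_hba.conf on stdin and prints one "WARN <reason>: <entry>" per finding.
lint_pg_hba() {
    while read -r type db user addr method rest; do
        case $type in ''|'#'*) continue ;; esac       # skip blank lines and comments
        line="$type $db $user $addr $method${rest:+ $rest}"
        if [ "$type" = local ]; then                  # unix-socket entries carry no address
            method=$addr
            addr='(socket)'
        fi
        case $method in
            trust) printf 'WARN trust grants access with no password: %s\n' "$line" ;;
        esac
        case $addr in
            0.0.0.0/0|::/0) printf 'WARN open to every address: %s\n' "$line" ;;
            */32|*/128|'(socket)') ;;                 # exactly one host, as the tutorial intends
            *) printf 'WARN address range wider than one host: %s\n' "$line" ;;
        esac
        if [ "$user" = snort ] && [ "$db" = all ]; then
            printf 'WARN snort role may reach every database: %s\n' "$line"
        fi
    done
}

# Constructed sample: the tutorial's intended entry plus two entries that undo it.
SAMPLE_HBA='# TYPE  DATABASE  USER      CIDR-ADDRESS     METHOD
local   all       postgres                   ident sameuser
host    all       all       127.0.0.1/32     md5
host    snort     snort     192.0.2.10/32    password
host    snort     snort     0.0.0.0/0        password
host    all       snort     192.0.2.0/24     trust'

printf '%s\n' "$SAMPLE_HBA" | lint_pg_hba
```

    Against the constructed sample the script reports nothing for the first three entries and four warnings for the last two. To check a real file, replace the sample with `lint_pg_hba < /etc/postgresql/8.1/main/pg_hba.conf`.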

Snort Configuration

  1. Start snort in interactive mode, using interface eth0 (just to check everything works as expected):

    # snort -i eth0 -c /etc/snort/snort.conf

  2. To check all the needed services are running you can execute:

    # ps -ef |grep <SERVICE>

    where <SERVICE> is snort, apache, postgresql, etc.

  3. To test whether the database is logging alerts, send some suspicious traffic to the snort sensor host (for example, using nmap or nessus) and then count the stored events:

    # su postgres
    $ psql snort -c "select count (*) from event"

    You should get a growing value each time you send more suspicious traffic and execute the SQL query.

Installing BASE Pre-Requisites.

  1. Install Apache 2, PHP (version 4 in the examples shown below, but you can use PHP 5 as well), the PHP GD extension and the PHP adodb library. There are many configuration options whose specifics are best addressed by the appropriate package's documentation.

    # apt-get install apache2 libapache2-mod-php4 php4-gd php4-pgsql libphp-adodb

  2. Create a file called test.php under /var/www/ and write:

      <?php
          phpinfo();
      ?>

  3. Make sure that the following lines are included in /etc/php4/apache2/php.ini and un-commented:

      extension=pgsql.so
      extension=gd.so

  4. Restart Apache 2 to enable the newly installed PHP extensions:

    # /etc/init.d/apache2 restart

  5. Now use your web browser to look at the URL http://web-server-ip-address/test.php. It should give you info about your system, Apache and PHP, postgres, gd, ... Remove test.php once you have checked the output, since phpinfo() reveals your configuration to anyone who can reach the web server.

Installing And Configuring BASE

  1. Download BASE from http://sourceforge.net/projects/secureideas. At the time of writing, 1.2 is the most up-to-date version. Execute the following commands as root to put BASE under /var/www/base:

    # mv base-1.2.tar.gz /var/www/
    # cd /var/www/
    # tar xvzf base-1.2.tar.gz
    # rm base-1.2.tar.gz
    # mv base-1.2 base
    # cd /var/www/base

    The file base_conf.php.dist needs to be copied to base_conf.php (just in case you do something wrong; you can always start from the original copy):

    # cp base_conf.php.dist base_conf.php
    # vi base_conf.php

    Next we need to adjust a few variables (you can have a look at the rest of the file to tweak other configuration values):

      # If you would like to use the user authentication
      # system. Remember to add a user before setting it to 1!
      $Use_Auth_System = 1;
      $BASE_urlpath = '/base';
      # Path to the adodb library installed by the libphp-adodb package
      $DBlib_path = '/usr/share/php/adodb';
      $DBtype = 'postgres';
      $alert_dbname   = 'snort';
      $alert_host     = 'postgresql-host-ip';
      $alert_port     = '';
      $alert_user     = 'snort';
      $alert_password = 'snort-password';
      # We don't have an archive db, so set this to 0
      $archive_exists   = 0;

  2. Open the base_main.php page in a browser. If any database changes are required, BASE will prompt for action. Click on the "Setup page" link to be brought to the DB configuration page (base_db_setup.php).

  3. This next page will facilitate the creation of the necessary tables. Click on the "Create BASE AG" button, which the page describes as:

      BASE tables: Adds tables to extend the Snort DB to support the BASE functionality [Create BASE AG]

  4. If you do not have PEAR::Image_Graph installed, install it using:

    # apt-get install php-image-graph

    PEAR::Image_Color is needed too, but it is not packaged in Ubuntu 6.06, so you need to download it from http://pear.php.net/package/Image_Color/download and install it under /usr/share/php/Image/. You can do this by executing:

    # apt-get install php4-pear
    # pear install Image_Color

  5. At the time of writing this howto, there is a bug in /var/www/base/base_qry_common.php that prevents the graphs from being displayed. You will need to remove the empty line after the '?>' line.

The End.

By Roberto Uribeetxeberria and Iñaki Arenaza.

What You Reap Is What You Sow.

Good luck!


Submitted by Anonymous (not registered) on Thu, 2012-04-12 06:14.

I did all the changes according to the tutorial, but when I run this command: # snort -i eth0 -c /etc/snort/snort.conf

ERROR: database: Connection to database 'snort' failed

How do I remove this problem?

Please help.

Submitted by Anonymous (not registered) on Wed, 2009-12-02 21:41.

The steps in this how to are in the incorrect order.

1) First you must create the database. DO NOT import the schema yet.

   # su postgres
   $ createdb snort

2) Then create the database user.

   $ createuser -P snort
   Enter password for new user: snort-password
   Enter it again: snort-password
   Shall the new user be a superuser? (y/n) n
   Shall the new user be allowed to create databases? (y/n) n
   Shall the new user be allowed to create more new users? (y/n) n

3) Log in to the database, grant all privileges to snort user on the database:

   $ psql snort
   psql> grant all privileges on database snort to snort;

4) Finally, import the schema. Here's the important part: Import the schema as the database user, snort.

   $ zcat /usr/share/doc/snort-pgsql/create_postgresql.gz | psql -U snort snort

Submitted by Anonymous (not registered) on Fri, 2009-12-04 20:23.

The steps in this HOWTO are in the incorrect order.

1) First you must create the database. DO NOT import the schema yet.

   # su postgres

   $ createdb snort

2) Then create the database user.

   $ createuser -P snort

   Enter password for new user: snort-password

   Enter it again: snort-password

   Shall the new user be a superuser? (y/n) n

   Shall the new user be allowed to create databases? (y/n) n

   Shall the new user be allowed to create more new users? (y/n) n

3) Log in to the database, grant all privileges to snort user on the database:

   $ psql snort
   psql> grant all privileges on database snort to snort;

4) Finally, import the schema. Here's the important part: Import the schema as the database user, snort.

   $ zcat /usr/share/doc/snort-pgsql/create_postgresql.gz | psql -U snort snort

NOTE: It worked for me! So, I cleaned up what the commenter wrote to make it easier for others to read.

Submitted by Patrick Rynhart (not registered) on Wed, 2009-03-04 09:02.

Hi,

I found that a step was missing regarding the Postgres permissions after:

grant all privileges on database snort to snort;

I had to dump out the list of tables at a postgres prompt (using \d), and then grant access to the tables as follows:

GRANT ALL ON TABLE data, detail, encoding, event, icmphdr, iphdr, opt, reference, reference_ref_id_seq, reference_system, reference_system_ref_system_id_seq, schema, sensor, sensor_sid_seq, sig_class, sig_class_sig_class_id_seq, sig_reference, signature, signature_sig_id_seq, tcphdr, udphdr TO snort;

Otherwise snort will fail to start with:

"database: postgresql_error: ERROR:  permission denied for relation sensor"

Here's someone else who had the same issue: http://www.snort.org/archive-1-6575.html

Regards,

Patrick

Submitted by Tony (not registered) on Fri, 2010-10-29 20:20.

You don't want to grant all privileges - certainly not delete, which would allow $BADGUY to remove evidence.

Slightly better is:

GRANT INSERT, SELECT, UPDATE ON TABLE data, detail, encoding, event, icmphdr, iphdr, opt, reference, reference_ref_id_seq, reference_system, reference_system_ref_system_id_seq, schema, sensor, sensor_sid_seq, sig_class, sig_class_sig_class_id_seq, sig_reference, signature, signature_sig_id_seq, tcphdr, udphdr TO snort;
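
The point made in this comment, and the reason the article's "grant all privileges" step (Creating The Snort Database, step 3) deserves a second look, is that the sensor account only needs to write alerts, never to delete them. The following shell script is an added example written for this page, not something from the article or from any commenter, that audits PostgreSQL's ACL strings to find every relation on which a given role still holds DELETE and emits the matching REVOKE statements. The "relname|relacl" input format is what a `psql -At -F '|'` query over pg_class returns (the query in the comment is an assumption; run it as the postgres superuser); the sample lines it runs on are constructed inline.

```shell
#!/bin/sh
# Added example, not from the HowtoForge article: audit which relations a database
# role may DELETE from, so the Snort sensor account cannot erase its own evidence.
#
# Input on stdin: one "relname|relacl" line per relation, e.g. from (assumed query)
#   psql -At -F '|' snort -c "select relname, relacl from pg_class where relkind in ('r','S')"
# A relacl looks like {postgres=arwdRxt/postgres,snort=arwd/postgres}, where each
# entry is grantee=privileges/grantor and a=INSERT r=SELECT w=UPDATE d=DELETE.

# Prints the name of every relation on which ROLE ($1) holds DELETE.
audit_delete_priv() {
    role=$1
    while IFS='|' read -r rel acl; do
        [ -z "$rel" ] && continue
        # "{x=..,y=..}" -> one "grantee=privs/grantor" entry per line
        for entry in $(printf '%s' "$acl" | tr -d '{}' | tr ',' '\n'); do
            grantee=${entry%%=*}
            privs=${entry#*=}
            privs=${privs%%/*}
            if [ "$grantee" = "$role" ]; then
                case $privs in *d*) printf '%s\n' "$rel" ;; esac
            fi
        done
    done
}

# Same input; emits the REVOKE statements that strip DELETE from ROLE ($1).
revoke_delete_sql() {
    audit_delete_priv "$1" | while read -r rel; do
        printf 'REVOKE DELETE ON TABLE %s FROM %s;\n' "$rel" "$1"
    done
}

# Constructed sample: two tables still grant DELETE to snort, the others do not.
SAMPLE_ACLS='event|{postgres=arwdRxt/postgres,snort=arwd/postgres}
sensor|{postgres=arwdRxt/postgres,snort=arwd/postgres}
signature|{postgres=arwdRxt/postgres,snort=arw/postgres}
sensor_sid_seq|{postgres=arwdRxt/postgres,snort=rw/postgres}
schema|{postgres=arwdRxt/postgres}'

printf '%s\n' "$SAMPLE_ACLS" | revoke_delete_sql snort
```

On the constructed sample this prints REVOKE statements for event and sensor only. The output is meant to be reviewed and then fed back to psql as the postgres superuser; after a "grant all privileges" on every table it will list the whole schema, which is exactly the situation this comment warns about.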

Submitted by Anonymous (not registered) on Tue, 2009-08-18 14:21.

Try this:

ALTER TABLE sensor OWNER TO snort;

Submitted by wackie (registered user) on Tue, 2007-09-11 02:24.

There's a typo in the base_conf.php.dist text.

It says $DBlib_path = '/usr/share/php/adobd' and it should probably (when installed by default) be $DBlib_path = '/usr/share/php/adodb'.