Perfect Setup Of Snort + Base + PostgreSQL On Ubuntu 6.06 LTS
This tutorial describes how you can install and configure the Snort IDS (intrusion detection system) and
BASE (Basic Analysis and Security Engine) on an Ubuntu 6.06 (Dapper Drake) system. Snort monitors the
traffic on your network and logs the intrusions it detects to a PostgreSQL database; BASE is the web
front end you use to analyse those alerts.
Installing The Packages.
-
Obtain root privileges:
$ sudo -i
-
If you are behind a web proxy, use the http_proxy environment
variable to tell apt which proxy to use, optionally with your
authentication credentials (if you do not need them, just
omit the 'user:pass@' part). Note that a password exported this
way ends up in your shell history and in the environment of every
process started from this shell:
# export http_proxy="http://user:pass@proxy-ip:proxy-port/"
-
Check the Ubuntu repositories in /etc/apt/sources.list. Uncomment all lines starting
with 'deb' (or at least the ones referring to Universe, which is where the snort
packages live):
# vi /etc/apt/sources.list
-
Update your packages list:
# apt-get update
-
Install postgresql-8.1, snort and snort-pgsql (the latest Snort
rules can be found at:
http://www.snort.org/pub-bin/downloads.cgi)
# apt-get install snort postgresql-8.1 snort-pgsql
Creating The Snort Database And Configuring Postgresql.
-
Create the snort database, its tables and the snort database
user. The tables are created here by the postgres superuser, so the
snort user is granted access to them in a later step. Remember to use
a strong password for the snort user:
# su postgres
$ createdb snort
$ zcat /usr/share/doc/snort-pgsql/create_postgresql.gz | psql snort
$ createuser -P snort
Enter password for new user: snort-password
Enter it again: snort-password
Shall the new user be a superuser? (y/n) n
Shall the new user be allowed to create databases? (y/n) n
Shall the new user be allowed to create more new users? (y/n) n
CREATE USER
-
Log in to the database:
$ psql snort
-
Grant the snort user access to the database. Note that GRANT ... ON DATABASE
only covers the database object itself (in PostgreSQL 8.1 that is the CREATE and
TEMPORARY privileges); it does not give access to the tables and sequences
that were just created, which are owned by postgres. Snort and BASE need
privileges on every table and sequence as well, so grant those separately
(one GRANT per table and per sequence, since PostgreSQL 8.1 has no
GRANT ... ON ALL TABLES IN SCHEMA), or load the schema as the snort user
so that it owns the tables in the first place:
psql> grant all privileges on database snort to snort;
-
To check the tables, indexes, etc. (and privileges), execute:
psql> \dt
psql> \dp
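The per-table and per-sequence grants in full, as an added example written for this page (it is not part of the original howto nor of the Snort or BASE distributions). It assumes the schema was loaded by the postgres user into the public schema of the snort database, as in the steps above, and is meant to be run from psql as postgres, for example `psql snort -f grant_snort.sql` (the file names are this example's own choice). The last command is the same `\dp` check as above, so you can see the result.

```sql
-- Added example: per-object grants for the snort role on PostgreSQL 8.1.
-- The howto's single statement, kept here for comparison, only covers the
-- database object itself (CREATE and TEMPORARY); it gives no table access,
-- and Snort and BASE do not need either of those two privileges.
-- GRANT ALL PRIVILEGES ON DATABASE snort TO snort;

-- psql settings so the generated statements come out as bare SQL lines:
-- \t = tuples only (no header/footer), \a = unaligned, \o = send output to a file.
\t
\a
\o /tmp/snort_grants.sql

-- One GRANT per table in the public schema.  Snort itself only inserts and
-- selects, but BASE also updates and deletes (archiving and deleting alerts).
SELECT 'GRANT SELECT, INSERT, UPDATE, DELETE ON '
       || quote_ident(schemaname) || '.' || quote_ident(tablename)
       || ' TO snort;'
  FROM pg_tables
 WHERE schemaname = 'public';

-- One GRANT per sequence: the SERIAL columns (sig_id, ref_id, ...) are filled
-- by nextval(), which in 8.1 needs UPDATE on the sequence (the USAGE privilege
-- for sequences only exists from 8.2 on).
SELECT 'GRANT SELECT, UPDATE ON '
       || quote_ident(n.nspname) || '.' || quote_ident(c.relname)
       || ' TO snort;'
  FROM pg_class c
  JOIN pg_namespace n ON n.oid = c.relnamespace
 WHERE c.relkind = 'S'
   AND n.nspname = 'public';

-- Back to normal output, then execute the generated file.
\o
\a
\t
\i /tmp/snort_grants.sql

-- Check: the listing should now show snort=arwd/postgres on every table
-- and snort=rw/postgres on every sequence.
\dp
```

The alternative of loading create_postgresql.gz while connected as the snort user avoids the grants altogether, because the role then owns the tables; that requires a pg_hba.conf entry that lets snort connect locally first, which is why this page keeps the postgres-owned schema and grants instead.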
-
Edit snort.conf file:
# vi /etc/snort/snort.conf
Change the line that reads:
preprocessor stream4_reassemble
so that it reassembles both directions of the listed ports, and add the
output plugin line that sends alerts to PostgreSQL (each directive is a
single line, even if it is displayed wrapped here):
preprocessor stream4_reassemble: both,ports 21 23 25 53 80 110 111 139 143 445 513 1433
output database: alert, postgresql, user=snort password=snort-password dbname=snort host=postgresql-host-ip
snort.conf now contains the database password, so make sure it is not
world-readable: owner root, group snort, mode 640 (the Ubuntu snort packages
run Snort as the snort user).
-
Adjust the PostgreSQL configuration. We need to edit
postgresql.conf and pg_hba.conf:
# vi /etc/postgresql/8.1/main/postgresql.conf
Search for the line with the listen_addresses directive and set it to
the IP address of the host running PostgreSQL (un-comment it if
necessary; the value must be quoted). Give the specific address rather
than '*', so that the database does not listen on every interface:
listen_addresses = 'postgresql-host-ip'
Next we need to allow TCP/IP connections from the snort
sensor host IP address, using password authentication:
# vi /etc/postgresql/8.1/main/pg_hba.conf
After the line that reads:
host all all 127.0.0.1/32 md5
add the following line. Use the md5 method, as in the local line above:
the 'password' method sends the password in the clear over the network,
whereas md5 sends a salted hash, and libpq (which both Snort and ADOdb
use) supports it. The entry limits the snort role to its own database and
to the sensor's address; entries are matched top to bottom, so keep it
before any broader 'host all all' line. If BASE runs on a different host
than the sensor, add a matching line for the web server's address too:
host snort snort snort-sensor-host-ip/32 md5
-
Restart postgresql to apply the previous changes:
# /etc/init.d/postgresql-8.1 restart
Snort Configuration
-
Start snort in the foreground, using interface eth0, just to check everything works
as expected. The database output plugin connects to PostgreSQL at startup, so a
wrong password or a pg_hba.conf rule that rejects the sensor shows up here as a
fatal error before any traffic is processed:
# snort -i eth0 -c /etc/snort/snort.conf
-
To check all the needed services are running you can execute:
# ps -ef |grep <SERVICE>
where <SERVICE> is snort,
apache, postgresql, etc.
-
Test that the database is receiving alerts: send some suspicious
traffic to the snort sensor host (for example a port scan with nmap or
a Nessus scan) and count the events Snort has logged:
# su postgres
$ psql snort -c "select count (*) from event"
You should get a growing value each time you send more
suspicious traffic and execute the SQL query.
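A bare row count tells you that something is being written, not what. The following queries, an added example written for this page (not from the original howto or from the Snort distribution), show the most recent alerts with sensor, signature and addresses, and the alert volume per signature. They assume the schema loaded from create_postgresql.gz above (tables event, signature, iphdr and sensor) and are meant to be run as postgres, e.g. `psql snort -f recent_alerts.sql`; the helper function name snort_ip and the file name are this example's own.

```sql
-- Added example: inspect what Snort has written, beyond a bare row count.
-- Assumes the schema from create_postgresql.gz (event, signature, iphdr, sensor).

-- Snort stores IPv4 addresses as host-order BIGINTs.  PostgreSQL 8.1 has no
-- cast from bigint to inet, so rebuild the dotted form with shifts and masks.
CREATE OR REPLACE FUNCTION snort_ip(bigint) RETURNS text AS $$
    SELECT (($1 >> 24) & 255)::text || '.' ||
           (($1 >> 16) & 255)::text || '.' ||
           (($1 >>  8) & 255)::text || '.' ||
           ( $1        & 255)::text
$$ LANGUAGE sql IMMUTABLE STRICT;

-- The ten most recent alerts with sensor, signature and addresses.  The LEFT
-- JOIN keeps events whose packet had no IP header (non-IP decoder alerts).
SELECT e.sid, e.cid, e.timestamp,
       s.hostname, s.interface,
       sig.sig_name, sig.sig_priority,
       snort_ip(ip.ip_src) AS src_ip,
       snort_ip(ip.ip_dst) AS dst_ip,
       ip.ip_proto
  FROM event e
  JOIN sensor    s   ON s.sid = e.sid
  JOIN signature sig ON sig.sig_id = e.signature
  LEFT JOIN iphdr ip ON ip.sid = e.sid AND ip.cid = e.cid
 ORDER BY e.timestamp DESC
 LIMIT 10;

-- Alerts per signature in the last hour.  No rows while the nmap scan is
-- running points at the output plugin (credentials, pg_hba.conf, host=)
-- rather than at the rule set.
SELECT sig.sig_name, count(*) AS alerts
  FROM event e
  JOIN signature sig ON sig.sig_id = e.signature
 WHERE e.timestamp > now() - interval '1 hour'
 GROUP BY sig.sig_name
 ORDER BY alerts DESC;
```

If the first query returns rows but src_ip and dst_ip are empty, the event rows are arriving without their iphdr rows, which is worth looking at before blaming the network.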
Installing BASE Pre-Requisites.
-
Install Apache 2, PHP (version 4 in the examples shown
below, but you can use PHP 5 as well), the PHP GD and PostgreSQL
extensions and the PHP ADOdb database abstraction library, which BASE
uses to talk to the database. There are many configuration
options whose specifics are best addressed by the
appropriate package's documentation.
# apt-get install apache2 libapache2-mod-php4 php4-gd php4-pgsql libphp-adodb
-
Create a file called test.php under /var/www/ and write:
<?php
phpinfo();
?>
-
Make sure that the following lines are included in
/etc/php4/apache2/php.ini and un-commented:
extension=pgsql.so
extension=gd.so
-
Restart Apache 2 to enable the newly installed PHP
extensions:
# /etc/init.d/apache2 restart
-
Now use your web browser to look at the URL
http://web-server-ip-address/test.php. It should give you
info about your system, Apache and PHP, and confirm that the pgsql and gd
extensions are loaded. Delete test.php once you have checked this: phpinfo()
reveals paths, module versions and environment details to anyone who can
reach the page.
Installing And Configuring BASE
-
Download BASE from
http://sourceforge.net/projects/secureideas. At the
moment of writing this, 1.2 is the most up to date
version. Execute the following commands as root to put BASE
under /var/www/base:
# mv base-1.2.tar.gz /var/www/
# cd /var/www/
# tar xvzf base-1.2.tar.gz
# rm base-1.2.tar.gz
# mv base-1.2 base
# cd /var/www/base
The file base_conf.php.dist needs to be copied to
base_conf.php (just in case you do something wrong; you can
always start from the original copy):
# cp base_conf.php.dist base_conf.php
# vi base_conf.php
Next we need to adjust a few variables (you can have a look
at the rest of the file to tweak other configuration values):
# If you would like to use the user authentication
# system. Remember to add a user before setting it to 1!
$Use_Auth_System = 1;
$BASE_urlpath = '/base';
$DBlib_path = '/usr/share/php/adodb';
$DBtype = 'postgres';
$alert_dbname = 'snort';
$alert_host = 'postgresql-host-ip';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'snort-password';
# We don't have an archive db, so set this to 0
$archive_exists = 0;
Like snort.conf, base_conf.php now holds the database password, so make it
readable only by root and the web server user (www-data on Ubuntu): owner
root, group www-data, mode 640. Also note that $Use_Auth_System only puts a
login form in front of the BASE pages; the BASE login and the alert data
travel in the clear unless you serve BASE over HTTPS.
-
Open the base_main.php page in a browser
(http://web-server-ip-address/base/base_main.php). If any
database changes are required, BASE will prompt for
action. Click on the "Setup page" link to be brought to the
DB configuration page (base_db_setup.php).
-
This next page will facilitate the creation of the necessary
tables. Click on the "Create BASE AG" button: it adds the tables that
extend the Snort DB to support the BASE functionality.
-
If you do not have PEAR::Image_Graph installed, install
it using:
# apt-get install php-image-graph
PEAR::Image_Color is needed as well, but it is not packaged in Ubuntu
6.06, so you need to download it from
http://pear.php.net/package/Image_Color/download and
install it under /usr/share/php/Image/. You can do this
by executing:
# apt-get install php4-pear
# pear install Image_Color
-
At the time of writing this howto, there is a bug in /var/www/base/base_qry_common.php that
prevents the graphs from being displayed. You will need to
remove the empty line after the '?>' line.
The End.
By Roberto Uribeetxeberria and Iñaki Arenaza.
What You Reap Is What You Sow.
Good luck!