Tutorial for running Snort with MySQL and web-based interface for ski Snort alert.
A server apache (with php)
A server mysql,
Barnyard acts as a buffer between Snort and MySQL to relieve your server.
Download the web interface basis:
Base is the best time web interface for Snort.
Oinkmaster you can now update your rules automatically.
_Other Additional programs: __
You can find them at:
tar xvzf snort-22.214.171.124.tar.gz
tar xvzf barnyard-0.2.0.tar.gz
mkdir / opt/barnyard020
mkdir / opt/snort2832
cd / opt
ln-s snort2832 / snort
ln-s barnyard020 / barnyard
cd / opt/SOURCES/barnyard-0.2.0
Compilation of barnyard:
. / configure - prefix = / opt / barnyard - enable-mysql - with-mysql-includes = / opt / mysql / include - with-mysql-libraries = / opt / mysql
Normally you have to satisfy some dependencies but you will be asked explicitly. (ex: libpcap-devel)
. / configure - prefix = / opt / snort - enable-mysql - with-mysql-includes = / opt / mysql / include - with-mysql-libraries = / opt / mysql
Create the Mysql database:
cd / opt/SOURCES/snort-126.96.36.199/schemas
The you should find a file named create_mysql.
Create a database and a mysql user for snort
You find a tutorial on mysql commands HEREYou also have the opportunity to do so with phpmyadmin.
CREATE DATABASE snort DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;
localhost 'IDENTIFIED BY' snort 'WITH GRANT OPTION;
Injection of the file provides:
mysql-u root-p snort-D <create_mysql
mkdir-p / var / log / snort
cp-a / opt/SOURCES/snort-188.8.131.52/etc / opt / snort /
touch / var / log / snort / snort.log
For the user snort:
It is preferable to a shell for no security
vi / etc / passwd
snort: x: 5030:5030:: / dev / null: / bin / false
Configuring the web based interface:
You have to install this interface in php DocumentRoot of your apache to use it must have aupravant install adodb.
tar xvzf base-1.4.1.tar.gz
chown-R user-apache: php4-core
After meeting here with your browser: http://ip-de-votre-serveur/base-php4 or else here: http://base.domain.fr if you configure a virtualhost
Download it here:
Unpack it in / opt for example, installation of the interface based on the way you will be asked.
For me for example who is doing a link in / opt /:
cd / opt
ln-s adodb5 adodb
is / opt / adodb
Be careful to run snort it must have the rules and have the rules must register here:
https: / / www.snort.org/snort-rules/ # rules
After creating your account, download the rules of your choice and unpack them in the directory: / opt / snort /
cd / opt / snort /
tar xvzf snortrules-snapshot-CURRENT.tar.gz
You can add the Community rules made by people like you and me but also proficiency: p:
They are downloadable from the site of snort at the same location as the Current.
cd / opt / snort
The snort.conf file:
Edit and modify according to:
For example to monitor an interface uncomment:
var HOME_NET $ eth0_ADDRESS
To connect to the mysql database:
output database: log, mysql, user = snort password = password dbname = snort host = localhost
If you encounter problems starting snort use the option to debug, run snort as follows:
cd / opt / snort / bin
. / snort-c .. / etc / snort.conf
You will probably like me a library problem:
cd / usr / local / lib
ln-s / opt / snort / lib / snort_dynamicrules snort_dynamicrules
ln-s / opt / snort / lib / snort_dynamicpreprocessor snort_dynamicpreprocessor
ln-s / opt / snort / lib / snort_dynamicengine snort_dynamicengine
Start your Snort as follows:
. / snort-m 027-D-d-l / var / log / snort /-u snort-g snort-c / opt / snort / etc / snort.conf-S HOME_NET = [192.168.1.0/24]-i eth0
You can replace the ip-address / xx with a single IP address if you want to monitor a single server.
Before having relevant lift you need to do some manipulation in the etc directory of snort you find a file named threshold.conf this file you will not go back in false alarms.
Example for me with lotus reassembled alerts (I confess not to have applied on my lotus nunux: p):
cd / opt / snort / etc
For this file to be took into account it will include in its uncomment snort.conf
In the file uploaded threshold.conf this (adapt of course):
# Attacks on lotus domino
suppress gen_id 1 sig_id 13,819, track by_dst, ip 184.108.40.206
As you can see to create this kind of rules they need to understand the gen_id sig_id and the rules in question, why in the web interface based on your mouse snort as if in the image below:
You should have the information at the bottom left of your browser as this image:
After this change you must restart snort and then you'll have warnings of attacks on lotus.
Set oinkmaster for the latest oinkmaster rules to automatically update:
Appointments to Article Installation and Configuration Oinkmaster.
Another little trick:
If you trust completely certain ip address you can ensure that snort does not analyze the traffic from the latter (to improve performance) for that just at the end of your command line to launch snort add this:
"not host 92.121.200.xxx"
Refining your snort.conf:
If you protect a network mainly composed of Linux, a change is to be done. Search frag3 in your file and modify the line as below:
preprocessor frag3_engine: policy linux timeout 180 detect_anomalies