Download Snort and uncompress it.
#tar -xvf snort-2.8.3.3.tar.gz
#mkdir /etc/snort
#mkdir /etc/snort/rules
#cp snort_inline-2.8.3.3/etc/* /etc/snort/
- classification.config: defines the rule classifications (classtype) and the priority of each, which is what Snort uses to prioritize alerts.
- reference.config: defines the URL prefixes for the reference systems (bugtraq, cve, url, ...) cited in the rules.
#cp snort-2.8.3.3/etc/classification.config /etc/snort/rules/
#cp snort-2.8.3.3/etc/reference.config /etc/snort/rules/
#useradd snort -d /var/log/snort -s /bin/false -c SNORT_IDS
#mkdir /var/log/snort
#chown -R snort /var/log/snort
#cd snort_inline-2.8.3.3
#./configure --with-mysql
If configure stops with an error message, see the list of common causes below.
Then compile and install Snort. checkinstall builds a .deb from the install step, so the package manager can track and later remove the installed files:
#make
#checkinstall
Below is the output on our test system:
checkinstall 1.6.0, Copyright 2002 Felipe Eduardo Sanchez Diaz Duran
This software is released under the GNU GPL.
*****************************************
**** Debian package creation selected ***
*****************************************
This package will be built according to these values:
0 - Maintainer: [ root@ubuntu ]
1 - Summary: [ Package created with checkinstall 1.6.0 ]
2 - Name: [ snort ]
3 - Version: [ 2.6.1.3 ]
4 - Release: [ 1 ]
5 - License: [ GPL ]
6 - Group: [ checkinstall ]
7 - Architecture: [ i386 ]
8 - Source location: [ snort-2.6.1.3 ]
9 - Alternate source location: [ ]
10 - Requires: [ ]
Error messages you can get after the ./configure --with-mysql command, and the package whose absence causes each:
build-essential is not installed (no C compiler):
root@ubuntu:/home/po/Desktop/snort-2.6.1.3# ./configure --with-mysql
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for gawk... no
checking for mawk... mawk
checking whether make sets $(MAKE)... no
checking whether to enable maintainer-specific portions of Makefiles... no
checking for style of include used by make... none
checking for gcc... no
checking for cc... no
checking for cc... no
checking for cl... no
configure: error: no acceptable C compiler found in $PATH
See `config.log' for more details.
libnet1-dev is not installed:
ERROR! Libpcap library/headers not found, go get it from
http://www.tcpdump.org
or use the --with-libpcap-* options, if you have it installed
in unusual place
libpcap0.8-dev is not installed:
ERROR! Libpcap library/headers not found, go get it from
http://www.tcpdump.org
or use the --with-libpcap-* options, if you have it installed
in unusual place
libpcre3-dev is not installed:
ERROR! Libpcre header not found, go get it from
http://www.pcre.org
libmysqlclient12-dev is not installed:
**********************************************
ERROR: unable to find mysql headers (mysql.h)
checked in the following places
/usr/include
/usr/include/mysql
/usr/local/include
/usr/local/include/mysql
**********************************************
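All five causes above are missing development packages, and configure only reports the first one it hits. As an added example (not from the original page), the POSIX shell function below checks for the compiler and the headers before ./configure is run and prints, in one go, which of the packages named above are still missing. The function name check_build_deps, the header paths (pcap.h, pcre.h, libnet.h, mysql/mysql.h under the include directory) and the package names are assumptions based on the Debian/Ubuntu packages listed above; the include directory and compiler are parameters so the check can be pointed at a non-standard location.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight check for the build
# dependencies listed above, run before "./configure --with-mysql".
#
# Usage: check_build_deps [include_dir] [c_compiler]
#   include_dir  where the -dev packages drop their headers (default /usr/include)
#   c_compiler   compiler name configure will look for (default gcc)
# Prints the space-separated list of packages still missing (empty = all present)
# and returns 1 if anything is missing, 0 otherwise.
#
# Assumption: header locations are the usual Debian/Ubuntu ones for the package
# names given on the page (libpcap0.8-dev -> pcap.h, libpcre3-dev -> pcre.h,
# libnet1-dev -> libnet.h, libmysqlclient12-dev -> mysql/mysql.h).
check_build_deps() {
    inc=${1:-/usr/include}
    cc=${2:-gcc}
    missing=""

    # configure: "no acceptable C compiler found in $PATH"
    command -v "$cc" >/dev/null 2>&1 || missing="$missing build-essential"
    # configure: "Libpcap library/headers not found"
    [ -r "$inc/pcap.h" ]        || missing="$missing libpcap0.8-dev"
    # configure: "Libpcre header not found"
    [ -r "$inc/pcre.h" ]        || missing="$missing libpcre3-dev"
    # needed for the inline build; the page shows configure reporting it as the libpcap error
    [ -r "$inc/libnet.h" ]      || missing="$missing libnet1-dev"
    # configure: "unable to find mysql headers (mysql.h)"
    [ -r "$inc/mysql/mysql.h" ] || missing="$missing libmysqlclient12-dev"

    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Stand-alone use: report, and print the install command if something is missing.
main() {
    if pkgs=$(check_build_deps "$@"); then
        echo "all build dependencies present"
    else
        echo "missing packages: $pkgs"
        echo "install with: apt-get install $pkgs"
        return 1
    fi
}

# Only run main when executed directly, so the file can also be sourced.
case "$0" in
    */check_build_deps.sh|check_build_deps.sh) main "$@" ;;
esac
```

Run it as ./check_build_deps.sh before ./configure; on a bare Ubuntu install it lists all five packages at once instead of one per configure attempt.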
2 - CONFIGURE THE SQL DATABASE
Set a password for the MySQL root user (a password given on the command line ends up in the shell history, so clear it afterwards), then create the snort database and an account for Snort:
#mysqladmin -u root password new_root_password
#mysql -u root -p
>create database snort;
>grant all on snort.* to snortuser@localhost identified by 'snortpassword';
>flush privileges;
>exit;
Note that grant all is more than the sensor needs: Snort only inserts and reads event rows, so a narrower grant limits what an attacker who recovers the password from snort.conf can do with the database.
Conveniently, the SQL that creates the tables already ships with the snort-mysql package; we just have to find it and import it into the MySQL server:
Find the schema file:
#dpkg -L snort-mysql
We are looking for create_mysql.gz, normally located in /usr/share/doc/snort-mysql. Unzip it and load it into the snort database:
#gzip -d /usr/share/doc/snort-mysql/create_mysql.gz
#mysql -u root -p snort < /usr/share/doc/snort-mysql/create_mysql
If you built from source, the same schema is in the schemas directory of the source tree:
#mysql -u root -p snort < schemas/create_mysql
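The grant all above gives the account that Snort runs with every privilege on the database, including dropping the tables that hold the evidence. As an added example (not from the original page), the script below provisions the database with two accounts instead: one for the Snort sensor with only the privileges its database output plugin needs to write events, and one for the BASE console. The privilege lists are my assumptions about the minimum each side needs (if Snort reports a database error at startup, add the privilege it names); the account names snortsensor and snortbase, the schema path, and taking the passwords from environment variables are assumptions too.

```shell
#!/bin/sh
# Added example (not from the original page): create the snort database with
# least-privilege accounts instead of "grant all on snort.*".
#
# Assumptions: MySQL 5.x "GRANT ... IDENTIFIED BY" syntax, as used on the page;
# the sensor only needs INSERT/SELECT/UPDATE on the tables from create_mysql;
# the BASE console needs SELECT/INSERT/UPDATE/DELETE plus CREATE for the
# acid_* tables it adds. Passwords come from environment variables so they
# do not land in the shell history or in "ps" output.

# Escape a value for use inside a single-quoted SQL string literal.
sql_quote() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# Print the provisioning SQL. Arguments: sensor_user sensor_pass base_user base_pass
snort_db_sql() {
    suser=$(sql_quote "$1") spass=$(sql_quote "$2")
    buser=$(sql_quote "$3") bpass=$(sql_quote "$4")
    cat <<EOF
CREATE DATABASE IF NOT EXISTS snort;
-- Sensor account: inserts events and signatures, reads and updates the sensor table.
-- No DELETE, DROP, ALTER or GRANT OPTION: a compromised sensor cannot erase evidence.
GRANT INSERT, SELECT, UPDATE ON snort.* TO '$suser'@'localhost' IDENTIFIED BY '$spass';
-- Console account (BASE): reads alerts, may purge them, creates its own tables.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON snort.* TO '$buser'@'localhost' IDENTIFIED BY '$bpass';
FLUSH PRIVILEGES;
EOF
}

# Apply it in one mysql session: accounts first, then the table schema.
# Usage: SENSOR_PASS=... BASE_PASS=... provision_snort_db /usr/share/doc/snort-mysql/create_mysql
provision_snort_db() {
    schema=$1
    : "${SENSOR_PASS:?set SENSOR_PASS}" "${BASE_PASS:?set BASE_PASS}"
    [ -r "$schema" ] || { echo "schema file '$schema' not readable" >&2; return 1; }
    # "-p" without a value makes mysql prompt for the root password instead of reading it from argv.
    {
        snort_db_sql snortsensor "$SENSOR_PASS" snortbase "$BASE_PASS"
        echo "USE snort;"
        cat "$schema"
    } | mysql -u root -p
}
```

The sensor account's name and password are what go on the output database line in snort.conf; BASE is configured with the console account, so the web front end never holds credentials that can write fake events.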
3 - CONFIGURE SNORT FOR SQL
Snort now has to write its alerts into the MySQL database.
The snort-mysql package already builds in the database output plugin; we only need to configure the user name and password for the snort database.
In /etc/snort/snort.conf, replace the line between the (#DBSTART#) and (#DBEND#) markers with:
output database: log, mysql, user=snortuser password=snortpassword dbname=snort host=localhost
A custom rule type that sends an alert both to syslog (facility LOG_AUTH, priority LOG_ALERT) and to the database looks like this:
ruletype redalert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snortuser password=snortpassword dbname=snort host=localhost
}
Then start Snort:
#snort -u snort -c /etc/snort/snort.conf
If Snort prints its banner and starts reading packets, the configuration loaded correctly; if it stops with an error, read the message carefully, it usually names the offending line of snort.conf. Since the database password is stored in clear text in snort.conf, make sure the file is not readable by other users.
To start Snort automatically after a reboot, add a line to /etc/crontab (-D runs Snort as a daemon; stderr is redirected as well, otherwise cron mails every error message):
@reboot root snort -D -u snort -c /etc/snort/snort.conf > /dev/null 2>&1
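The database password now sits in clear text in /etc/snort/snort.conf, and a typo in the output line is only discovered when Snort starts from cron. As an added example (not from the original page), the functions below rewrite the block between the #DBSTART# and #DBEND# markers, restrict the file's permissions, validate the result with snort -T (Snort's test-configuration mode) and print the cron line to use. The marker names are from the page; the function names, handing the password over through the environment variable DB_PASS, and the existence of a snort group (useradd creates one by default) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): set the MySQL output line in
# snort.conf safely and verify the configuration before relying on the
# @reboot cron entry.
#
# Assumptions: Debian-style snort.conf with "#DBSTART#" / "#DBEND#" markers
# (as on the page); a "snort" group exists; the database password is handed
# over in the environment (DB_PASS) so it is not visible in the process list
# or in the shell history.

# Usage: DB_PASS=... set_db_output /etc/snort/snort.conf snortuser
# Replaces everything between the markers with one "output database" line and
# keeps the markers, so the function can be re-run without duplicating the line.
set_db_output() {
    conf=$1 user=$2
    : "${DB_PASS:?set DB_PASS in the environment}"
    # ENVIRON avoids awk's escape processing of -v values, so any password survives unchanged.
    DBLINE="output database: log, mysql, user=$user password=$DB_PASS dbname=snort host=localhost" \
    awk '
        /#DBSTART#/ { print; print ENVIRON["DBLINE"]; skip = 1; next }
        /#DBEND#/   { skip = 0 }
        !skip       { print }
    ' "$conf" > "$conf.tmp" || return 1
    mv "$conf.tmp" "$conf"
    # Owner root, group snort, mode 640: the daemon can read its config, other users cannot read the password.
    if [ "$(id -u)" -eq 0 ]; then
        chown root:snort "$conf" 2>/dev/null || echo "warning: could not chown $conf to root:snort" >&2
    fi
    chmod 640 "$conf"
}

# True if the file is not readable by "other" (the password is in it).
conf_is_private() {
    other=$(ls -l "$1" | cut -c8-10)
    [ "$other" = "---" ]
}

# Parse the configuration without capturing: -T tests the config and exits.
validate_conf() {
    command -v snort >/dev/null 2>&1 || { echo "snort not in PATH" >&2; return 1; }
    snort -T -u snort -g snort -c "$1"
}

# The /etc/crontab line to add once validate_conf succeeds: -D daemonizes,
# and stderr is redirected too so cron does not mail every error.
cron_line() {
    printf '@reboot root snort -D -u snort -g snort -c %s > /dev/null 2>&1\n' "$1"
}
```

Typical use as root: export DB_PASS, call set_db_output /etc/snort/snort.conf snortuser, run validate_conf /etc/snort/snort.conf, and only then append the output of cron_line /etc/snort/snort.conf to /etc/crontab.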
Snort is now installed together with the programs needed to support it. The next step is to read the alerts Snort writes into the MySQL database; for that we will use the BASE PHP front end and follow its tutorial.