Assumptions:
- You have installed and somewhat adequately secured FreeBSD
- You have a basic knowledge of the FreeBSD OS and have network connectivity on this system
- If you don't know this / have your system setup, you know how to RTFM (Google)
- You have updated your ports tree prior to building this stuff
Ok, now that we have established the assumptions, let's go over the software that we are going to use for this implementation:
Requirements:
- Apache22 - Core webserver to serve up your base /usr/ports/www/apache22
- MySQL 50 - Database server to house your snort data /usr/ports/databases/mysql50-server/ (also -client and -scripts)
- php5 - php support for apache22 /usr/ports/lang/php5
- base - your snort alert and event viewing tool /usr/ports/security/base
- barnyard - the tool that takes the unified snort logs and puts them into your MySQL database /usr/ports/security/barnyard
- snort - your IDS engine /usr/ports/security/snort
- oinkmaster - snort rule updater /usr/ports/security/oinkmaster
- phpmyadmin a GUI tool to help you manage your MySQL databases /usr/ports/databases/phpmyadmin
Installation:
Apache22 - install and edit httpd.conf then start and test
secure2# cd /usr/ports/www/apache22 && make install cleanMySQL 50 - install and set a password for root user
.
.
.
secure2# vi /usr/local/etc/apache22/httpd.conf
.
secure2# /usr/local/sbin/apachectl start
.
.
you should now be able to browse to http://ipofinstalledhost/ and receive the "It Works!" message.
secure2# cd /usr/ports/databases/mysql50-server/ && make install cleanphp5 - php5 install be sure to select apache when asked for configuration options!
.
.
.
secure2# cd /usr/ports/databases/mysql50-scripts/ && make install clean
.
.
.
secure2# cd /usr/ports/databases/mysql50-client/ && make install clean
.
.
.
secure2# /usr/local/etc/rc.d/mysql-server start
secure2# mysqladmin -u root password "passwordwithouquoteshere"
secure2# mysqladmin -u root -h localhost password "passwordwithouquoteshere"
secure2# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 88965
Server version: 5.0.45-log FreeBSD port: mysql-server-5.0.45
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql>
secure2# cd /usr/ports/lang/php5 && make install cleanBASE - install and prepare base for use
.
.
.
secure2# vi /usr/local/etc/apache22/httpd.conf
.
.# insure that the following is in your httpd.conf
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
.
.
secure2# apachectl restart
secure2# cd /usr/ports/security/base && make install cleanNow that we have setup the previous components we can access BASE by browsing to http://ipofinstalledhost/base/ where you should see the following BASE configuration screen:
.#be sure to select MySQL support...PDF is optional
.
.
. #configure apache22 to serve base
secure2# vi /usr/local/etc/apache22/httpd.conf
.
##place this at the bottom of httpd.conf
Alias /base/ "/usr/local/www/base/"
##save
secure2# apachectl restart
chown -R www:www /usr/local/www/base/
mysql -u root -p
mysql> create database base_demo;
Query OK, 1 row affected (0.00 sec)
secure2# mysql -u root -p base_demo < /usr/local/www/base/sql/create_base_tbls_mysql.sql
We will be going through this setup process in a bit, first we need to get snort with barnyard up and running.
snort - install and configure the system to use snort.
secure2# cd /usr/ports/security/snort/ && make install cleanoinkmaster - magical snort rule updater?
#be sure to Enable MySQL support
.
#add tables to the database...
secure2# mysql -u root -p base_demo < /usr/local/share/examples/snort/create_mysql #configure snort.conf secure2# vi /usr/local/etc/snort/snort.conf #modify this file as needed for your network.... . #configure logging only for unified..i.e. the following lines output alert_unified: filename snort.alert, limit 128 output log_unified: filename snort.log, limit 128 #I'll write more about tuning SNORT rules later, but for now this will get you started. #before we can start snort to test, we will need to get the latest signatures using oinkmaster!
secure2# cd /usr/ports/security/oinkmaster/ && make install clean
.
.
secure2# vi /usr/local/etc/oinkmaster.conf
#get your registration code from snort.org and plug it into the Snort 2.4 download url in the oinkmaster file....
barnyard - log unified snort output to database
secure2# cd /usr/ports/security/barnyard/ && make install cleanPutting it all together and starting it up.
#be sure to Enable MySQL support
.
secure2# vi /usr/local/etc/barnyard.conf
#configure your barnyard to log the data..the following lines are important
# set the hostname (currently only used for the acid db output plugin)
config hostname: secure2
# set the interface name (currently only used for the acid db output plugin)
config interface: em1
# Converts data from the dp_log plugin into an approximation of Snort's
# "ASCII packet dump" mode. Argument:
output log_dump
# password database connect trash
output alert_acid_db: mysql, sensor_id 1, database base_demo, server 127.0.0.1, user root, password passwordhere
output log_acid_db: mysql, sensor_id 1, database base_demo, server 127.0.0.1, user root, password passwordhere detail full
secure2# oinkmaster -o /usr/local/etc/snort/rules/
secure2# /usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -i em1 -u root -D > /dev/null -n
secure2# /usr/local/bin/barnyard -c /usr/local/etc/barnyard.conf -g /usr/local/etc/snort/gen-msg.map -s /usr/local/etc/snort/rules/sid-msg.map -d /var/log/snort/ -f snort.log -w /var/log/snort/barnyard.waldo -p /usr/local/etc/snort/rules/classification.config
once all of this is done, your snort should be logging the unified data, barnyard reading it and slapping it into your database.
Now, let's get back to our configuration for BASE. Browse to http://ipofinstalledhost/base/ and select the continue option. The next few screens are filled with the configuration options to connect you to the base database(s). Simply input the information for the db, dbuser, dbpass and you will be all set!
Congratulations, you now have a functioning SNORT install using barnyard, MySQL and BASE. I did not cover the install of phpmyadmin, but you should be able to Google it and figure it out...
I'll be following this post up with the addition of bleeding snort rules, how to properly tune your snort configuration, the use of SGUIL (TRUE NSM) and several other goodies relating to network security... so stay posted.
Cheers,
JJC
5 comments:
Updated for managing your snort rules@
http://global-security.blogspot.com/2007/12/managing-snort-rulesets-cont.html
Cheers,
JJC
having problem with starting barnyard. It says
"Access denied for user 'root'@'localhost' (using password: YES)"
but I can access the database using mysql -u root -prootpassword
I have also tried using 127.0.0.1 instead of localhost but it didn't work.
Can u tell me how did u setup ur mysql-server after installing it?
looks like a basic authentication issue, I would suggest reviewing the mysql access logs.
Did you get this resolved? My apologies for not getting back sooner, I did not see the comment until just recently.
JJC
Post a Comment