This tutorial describes how you can install and configure the Snort IDS (intrusion detection system) and BASE (Basic Analysis and Security Engine) on an Ubuntu 6.06 (Dapper Drake) system. With the help of Snort and BASE, you can monitor your system – with BASE you can perform analysis of intrusions that Snort has detected on your network. Snort will use a PostgreSQL database to store/log the data it gathers.
Installing The Packages.
- Obtain root privileges:
$ sudo -i
- If you are behind a web proxy, use the http_proxy environment variable to specify which proxy to use, and optionally your authentication credentials (if you do not need them, just omit the ‘user:pass@’ part):
- Check the Ubuntu repositories. Uncomment all lines starting with ‘deb’ (or at least the ones referring to Universe):
# vi /etc/apt/sources.list
- Update your packages list:
# apt-get update
- Install postgresql-8.1, snort and snort-pgsql (the latest Snort rules can be found at: http://www.snort.org/pub-bin/downloads.cgi)
# apt-get install snort postgresql-8.1 snort-pgsql
Creating The Snort Database And Configuring Postgresql.
- Create the snort database, tables and database user. Remember to use a strong password for the snort user:
# su postgres
$ createdb snort
$ zcat /usr/share/doc/snort-pgsql/create_postgresql.gz | psql snort
$ createuser -P snort
Enter password for new user: snort-password
Enter it again: snort-password
Shall the new user be a superuser? (y/n) n
Shall the new user be allowed to create databases? (y/n) n
Shall the new user be allowed to create more new users? (y/n) n
- Log in to the database:
$ psql snort
- Grant all privileges to snort user on every table and sequence:
psql> grant all privileges on database snort to snort;
- To check the tables, indexes, etc. (and privileges), execute:
- Edit snort.conf file:
# vi /etc/snort/snort.conf
After the line that reads:
add a couple of lines that read like these (each one in a single line, they might display wrapped here due to width constraints):
preprocessor stream4_reassemble: both,ports 21 23 25 53 80 110 111 139 143 445 513 1433
output database: alert, postgresql, user=snort password=snort-password dbname=snort host=postgresql-host-ip
- Adjust the PostgreSQL configuration. We need to edit postgresql.conf and pg_hba.conf:
# vi /etc/postgresql/8.1/main/postgresql.conf
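Search for the line that has the listen_addresses directive and set it to the IP address of the host running PostgreSQL (un-comment it if necessary):
listen_addresses = 'postgresql-host-ip'
Next we need to allow TCP/IP connections from the snort sensor host IP address, using password authentication. Note that the password method sends the password over the network in clear text, whereas the md5 method used by the existing 127.0.0.1 line does not: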
# vi /etc/postgresql/8.1/main/pg_hba.conf
After the line that reads:
host all all 127.0.0.1/32 md5
add the following line:
host snort snort snort-sensor-host-ip/32 password
- Restart postgresql to apply the previous changes:
# /etc/init.d/postgresql-8.1 restart
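The pg_hba.conf rules edited above can be audited with a short script. This is an added example, not part of the original tutorial: it flags network rules that use trust, the clear-text password method, or a match-all address. The names audit_pg_hba, sample_as_written and sample_with_md5 are hypothetical, and 192.0.2.10 is a constructed stand-in for snort-sensor-host-ip.

```shell
#!/bin/sh
# Added example, not from the tutorial: audit the "host" rules in pg_hba.conf.
# Prints one finding per risky rule; exit status is the number of findings.
audit_pg_hba() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }         # comments and blank lines
        $1 !~ /^host(ssl|nossl)?$/ { next }    # "local" rules never cross the network
        {
            # host DB USER CIDR METHOD, or host DB USER ADDRESS MASK METHOD
            addr = $4
            method = (addr ~ /\//) ? $5 : $6
            if (method == "trust") {
                printf "line %d: trust accepts %s@%s with no password\n", NR, $3, addr
                n++
            }
            if (method == "password" && $1 != "hostssl") {
                printf "line %d: password sends the %s password in clear text from %s\n", NR, $3, addr
                n++
            }
            if (addr ~ /\/0$/ || $5 == "0.0.0.0") {
                printf "line %d: %s matches every client address\n", NR, addr
                n++
            }
        }
        END { exit n + 0 }
    ' "$1"
}

# Constructed sample: the two lines from the tutorial, with 192.0.2.10
# (a documentation address) standing in for snort-sensor-host-ip.
sample_as_written() {
    printf '%s\n' \
        '# TYPE DATABASE USER CIDR-ADDRESS METHOD' \
        'host all all 127.0.0.1/32 md5' \
        'host snort snort 192.0.2.10/32 password'
}

# Same rule with md5, the method the loopback line in the tutorial uses.
sample_with_md5() {
    sample_as_written | sed 's/ password$/ md5/'
}

tmp=$(mktemp)
sample_as_written > "$tmp"; audit_pg_hba "$tmp" || echo "findings: $?"
sample_with_md5  > "$tmp"; audit_pg_hba "$tmp" && echo "no findings"
rm -f "$tmp"
```

Run against the real file with audit_pg_hba /etc/postgresql/8.1/main/pg_hba.conf; a non-zero exit status means at least one rule was flagged.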
- Start snort in interactive mode, using interface eth0 (just to check everything works as expected):
# snort -i eth0 -c /etc/snort/snort.conf
- To check all the needed services are running you can execute:
# ps -ef |grep <SERVICE>
where <SERVICE> is snort, apache, postgresql, etc.
- Test whether the database is logging alerts: send some suspicious traffic to the snort sensor host (for example, using nmap or nessus), then run:
# su postgres
$ psql snort -c "select count (*) from event"
You should get a growing value each time you send more suspicious traffic and execute the SQL query.
Installing BASE Pre-Requisites.
- Install Apache 2, PHP (version 4 in the examples shown below, but you can use PHP 5 as well), the PHP GD extension and the PHP ADOdb library. There are many configuration options whose specifics are best addressed by the appropriate package’s documentation.
# apt-get install apache2 libapache2-mod-php4 php4-gd php4-pgsql libphp-adodb
- Create a file called test.php under /var/www/ and write:
<?php phpinfo(); ?>
- Make sure that the following lines are included in /etc/php4/apache2/php.ini and un-commented:
- Restart Apache 2 to enable the newly installed PHP extensions:
# /etc/init.d/apache2 restart
- Now use your web browser to look at the URL http://web-server-ip-address/test.php. It should give you info about your system, Apache and PHP, postgres, gd, …
Installing And Configuring BASE
- Download BASE from http://sourceforge.net/projects/secureideas. At the moment of writing this, 1.2 is the most up to date version. Execute the following commands as root to put BASE under /var/www/base:
# mv base-1.2.tar.gz /var/www/
# cd /var/www/
# tar xvzf base-1.2.tar.gz
# rm base-1.2.tar.gz
# mv base-1.2 base
# cd /var/www/base
The file base_conf.php.dist needs to be copied to base_conf.php (just in case you do something wrong; you can always start from the original copy):
# cp base_conf.php.dist base_conf.php
# vi base_conf.php
Next we need to adjust a few variables (you can have a look at the rest of the file to tweak other configuration values):
# If you would like to use the user authentication
# system. Remember to add a user before setting it to 1!
$Use_Auth_System = 1;
$BASE_urlpath = '/base';
$DBlib_path = '/usr/share/php/adodb';
$DBtype = 'postgres';
$alert_dbname = 'snort';
$alert_host = 'postgresql-host-ip';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'snort-password';
# We don't have an archive db, so set this to 0
$archive_exists = 0;
- Open the base_main.php page in a browser. If any database changes are required, BASE will prompt for action. Click on the “Setup page” link to be brought to the DB configuration page (base_db_setup.php).
- This next page will facilitate the creation of the necessary tables. Click on the “Create BASE AG” button in the “BASE tables” row, which is described as “Adds tables to extend the Snort DB to support the BASE functionality”.
- If you do not have PEAR::Image_Graph installed, install it using:
# apt-get install php-image-graph
PEAR::Image_Color is needed but it’s not packaged in Ubuntu 6.06, so you need to download it from http://pear.php.net/package/Image_Color/download and install it under /usr/share/php/Image/. You can do this by executing:
# apt-get install php4-pear
# pear install Image_Color
- At the time of writing this howto, there is a bug in /var/www/base/base_qry_common.php that prevents the graphs from being displayed. You will need to remove the empty line after the ‘?>’ line.
By Roberto Uribeetxeberria and Iñaki Arenaza.