Install Snort IDS on Ubuntu
Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire.
Installation
We need Apache, MySQL and PHP. Read this post for instructions on how to install LAMP.
Create Snort database
Connect to the MySQL server:
mysql -u root -p
Execute:
CREATE DATABASE snort;
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES ON snort.* TO 'snort'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
Replace 'password' with a password of your own; the same value is used again in snort.conf below.
Exit MySQL:
quit
Install Snort
sudo apt-get -y install snort-mysql
In the address range field enter your local network, for example 192.168.2.0/24.
At the end of Snort's installation you will be prompted if you wish to set up a database.
Choose no. We will configure the database manually later.
Snort Configuration
pushd /usr/share/doc/snort-mysql
Create database tables
sudo zcat create_mysql.gz | mysql -u snort -p snort
Modify the Snort configuration to make use of the MySQL database. The user, password and dbname values must match the GRANT statement above.
sudo sed -i "s/output\ log_tcpdump:\ tcpdump.log/#output\ log_tcpdump:\ tcpdump.log\noutput\ database:\ log,\ mysql, user=snort password=password dbname=snort host=localhost/" /etc/snort/snort.conf
Remove the pending Snort database configuration file.
sudo rm -rf /etc/snort/db-pending-config
Start Snort
sudo /etc/init.d/snort start
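The sed one-liner above rewrites /etc/snort/snort.conf in place and is not safe to run twice (each run would add another output line). The following shell functions are an added example, not code from the original post or from the Snort project: they make the same change idempotently and verify the result before Snort is started. The config path in the usage comment and the credentials (user snort, password "password", database snort) are placeholders assumed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: apply the snort.conf change from
# the tutorial to a file and verify it before Snort is started. File path,
# user, password, database and host are passed in as arguments; the values in
# the usage comment below are placeholders (assumptions), not real credentials.

# enable_mysql_output FILE USER PASSWORD DBNAME HOST
# Comments out the tcpdump output line and adds the MySQL output line, exactly
# as the tutorial's sed command does, but only once: if an active MySQL output
# line is already present the file is left untouched.
enable_mysql_output() {
    conf="$1"; user="$2"; pass="$3"; db="$4"; host="$5"
    if grep -q '^output database: log, mysql' "$conf"; then
        return 0
    fi
    sed -i "s|^output log_tcpdump: tcpdump.log|#output log_tcpdump: tcpdump.log\noutput database: log, mysql, user=$user password=$pass dbname=$db host=$host|" "$conf"
    # The database password is now stored in clear text in the file: keep it
    # readable by the owner and group only.
    chmod 640 "$conf"
}

# check_snort_output FILE USER DBNAME
# Succeeds (exit 0) when exactly one active MySQL output line for USER/DBNAME
# exists and the tcpdump output line is no longer active; fails otherwise.
check_snort_output() {
    conf="$1"; user="$2"; db="$3"
    n=$(grep -c "^output database: log, mysql, user=$user .*dbname=$db " "$conf" || true)
    n=${n:-0}
    [ "$n" -eq 1 ] || return 1
    if grep -q '^output log_tcpdump:' "$conf"; then
        return 1
    fi
    return 0
}

# Usage (assumed path; run as root for the real file):
#   enable_mysql_output /etc/snort/snort.conf snort password snort localhost
#   check_snort_output /etc/snort/snort.conf snort snort && echo "snort.conf ok"
```

Run check_snort_output before starting the service: a snort.conf with two output database lines, or with both tcpdump and MySQL output still active, is a common reason for Snort failing to start or silently double-logging.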
ACID Installation
Acidbase is a web frontend to monitor Snort’s output.
sudo apt-get -y install acidbase
During the installation process you will be prompted to configure a database for acidbase. Choose yes and use MySQL for the database type.
ACID Configuration
To allow other workstations, not just localhost, to reach the web frontend, extend the Apache allow directive:
sudo sed -i "s#allow\ from\ 127.0.0.0/255.0.0.0#allow\ from\ 127.0.0.0/255.0.0.0\ x.y.z.k/255.255.255.0#" /etc/acidbase/apache.conf
Where x.y.z.k is the IP address of a remote workstation. Note that with the 255.255.255.0 mask the whole /24 network containing that workstation is allowed, not only the single host.
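The following shell functions are an added example, not code from the original post or from the acidbase package: they extend the acidbase Apache access list the way the sed command above does, but refuse to add the same network twice and let you list what is currently allowed. The network values and the config path are placeholders (assumptions).

```shell
#!/bin/sh
# Added example, not from the original post: maintain the "allow from" line of
# the acidbase Apache config. Network values and the config path are
# placeholders (assumptions).

# allow_network FILE NETWORK/MASK
# Appends NETWORK/MASK to the "allow from 127.0.0.0/255.0.0.0" directive.
# A /255.255.255.0 mask admits the whole /24, as in the tutorial; use
# /255.255.255.255 to admit a single workstation only.
allow_network() {
    conf="$1"; net="$2"
    if grep -Fq "$net" "$conf"; then
        return 0
    fi
    sed -i "s#allow from 127.0.0.0/255.0.0.0#allow from 127.0.0.0/255.0.0.0 $net#" "$conf"
}

# allowed_networks FILE
# Prints the networks on the "allow from" line, one per line.
allowed_networks() {
    sed -n 's/^[[:space:]]*allow from //p' "$1" | tr ' ' '\n'
}

# is_allowed FILE NETWORK/MASK
# Exit 0 when exactly that network/mask entry is on the allow line.
is_allowed() {
    allowed_networks "$1" | grep -Fxq "$2"
}

# Usage (assumed path; run as root for the real file):
#   allow_network /etc/acidbase/apache.conf 192.0.2.0/255.255.255.0
#   allowed_networks /etc/acidbase/apache.conf
```

Review the output of allowed_networks after each change: the frontend shows every alert Snort has recorded, so the list should contain only the administrator workstations (or their subnet) that actually need it.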
Restart apache
sudo /etc/init.d/apache2 restart
Access the acidbase web frontend at http://localhost/acidbase/base_db_setup.php.
Choose the button “Create BASE AG”.
Return to the main page http://localhost/acidbase/base_main.php.
Test IDS
sudo nmap -p1-65535 -sV -sS -O localhost
Open the Acidbase main page http://localhost/acidbase/base_main.php, refresh if necessary, and you should see the results of the port scan.