Snort Install on FreeBSD - Neohapsis

boreddizzy, Data Management

16 Dec 2012 (4 years and 8 months ago)


Snort Install on FreeBSD
A Guide to get Snort, Acid, and Postgresql working on FreeBSD

Mike Sconzo
msconzo@tamu.edu

Texas A&M University

Table Of Contents

Introduction
  Additional Information
  Gather the Necessary Tools
Begin the Installation/Configuration
  Install Postgres
  Install Snort
  Install Apache
  Install PHP
  Install Acid
  Final Steps
  Other Tools
  Resources
Appendix
  Configuring Logrotate

Figure 1: Final working Acid screen
Introduction

The purpose of this paper is to provide a basic How-To on configuring Snort to work
with Acid and Postgresql on a FreeBSD machine. I have noticed that there seem to be
quite a number of documents out there that go over how to do this on Linux or FreeBSD
with MySQL, but it seems that nobody is covering Postgres…so I am.

This guide is most definitely not the be-all and end-all, but it will tell you how to get the
programs set up and running in a relatively quick fashion. I am going to assume that you
probably have some working knowledge of FreeBSD, so some of this might be review,
and some of it will hopefully be new!

Additional Information

If you have questions, comments, corrections, additions or whatever else there is to do to
a paper, please let me know. I can be reached via email at msconzo@tamu.edu and like
hearing from people. So, if you used this and you like it and wanted to tell me, that would
be awesome!

As for a stable place to keep this on the net…well, I'll try to keep a somewhat updated
version somewhere…and this is subject to change.

Gather the Necessary Tools

Some good things to have at hand while doing this are:
• IP address of the management interface
• Related information: netmask, hostname, DNS servers and gateway
• A working knowledge of UNIX and perhaps a working install of FreeBSD
• Knowledge of how the FreeBSD ports collection works (the software will be
installed via the ports collection)
• A basic idea of how to ‘craft’ SQL statements
• A willingness to learn how things work…

This document is written for installing Snort, Acid and Postgres on a FreeBSD system.
In order to make sure we are all on the same page, here are the version numbers of the
important software packages: FreeBSD 4.8, Snort 2.0.0, Acid 0.9.6.b23, Postgresql 7.3.3
and Apache 1.3.27 (the apache13-modssl port used below). Now, just because you use
those exact package numbers doesn't mean this will automatically work, however it should
increase your chances of having a usable system. I'm tempted to say this should work with
the latest versions of each of those packages, but don't hold me to anything.

Begin the Installation/Configuration

First off you want to install FreeBSD 4.8; I'm not going to walk you through that, so we
will move on. This set of instructions should not be considered absolute. There is more
than likely some instruction-following (from port installs) along the way, but I tried to
document everything the best I could.
Install Postgres

In this exercise Postgres will act as our backend SQL server. This is what is going to
store the Snort alerts for retrieval via the web by Acid.
To install, run `cd /usr/ports/databases/postgres7 && make install` and follow any instructions
printed during the build. The port prints some post-install instructions; they should be covered in
this document, but feel free to read them (maybe to get a better understanding of what's
going on). Note that the install should create a user named pgsql.

Then initialize the database cluster, as the pgsql user:
`su -l pgsql -c initdb`

Start the database service:
`/usr/local/etc/rc.d/010.pgsql.sh start`

Create a database to use with Snort/Acid. This must also run as the pgsql user, because
that is the only database role initdb created (root has none, so a plain `createdb` as root fails):
`su -l pgsql -c 'createdb snort'`
Install Snort

A break from installing/configuring Postgres to tackle the installation of Snort.
`cd /usr/ports/security/snort && make install -DWITH_POSTGRES`

Do a quick `chmod 4550 /usr/local/bin/snort`
Yes, I'm aware that setting things SUID is not a good thing, but in order to use
logrotate as well as a few other things that weren't going to run as root this was a
necessary evil. However, I have been trying to think of a way around this, so if
you have one let me know! Note that mode 4550 at least keeps execution limited to the
file's owner and group (root and wheel after the port install); leave it that way rather
than loosening it to 4755.

Edit /usr/local/etc/snort.conf
Change/uncomment/add the following line:
output database: log, postgresql, user=snortusr password=password dbname=snort
Pick a real password here (it goes into the Postgres permissions script below as well).
snort.conf now contains a database credential, so keep it readable only by root and the
user Snort runs as.

Back to Postgres to create all the necessary tables, sequences and other objects Snort needs.
Run these as the pgsql user (`su -l pgsql`) or pass `-U pgsql` to psql, since root has no
database role:
`cd /usr/ports/security/snort/work/contrib/`
Note, this directory can usually be found as /usr/ports/security/snort/work/snort-2.0.0/contrib.
`cat create_postgresql | psql snort`
Note that Postgres 7.3+ has done away with the DATETIME type, so the stock file fails there.
I have my own version of this file for 7.3+, available at:
http://sooshie.tamu.edu/cgi-bin/cvsweb.cgi/scripts/create_postgresql
`zcat snortdb_extra.gz | psql snort`

Edit setup_postgres_snort_tables to use the password of your choosing, then load it:
`cat setup_postgres_snort_tables | psql snort`
This is the file that I have included; it correctly sets the database permissions and the snortusr
account and password. Available at:
http://sooshie.tamu.edu/cgi-bin/cvsweb.cgi/scripts/setup_postgres_snort_tables

One last change to Postgres to speed it up a bit.
In /usr/local/pgsql/data/postgresql.conf set `fsync = false`
Be aware of the trade-off: with fsync off, a power loss or OS crash can leave the database
corrupt or missing the most recent alerts, which matters if you ever need these records as
evidence. Leave fsync on if the alert store has to survive a crash intact.

Restart Postgres
`/usr/local/etc/rc.d/010.pgsql.sh restart`
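The grants that setup_postgres_snort_tables is meant to apply are not shown on this page, so here is an added example (written for this edit, not the author's script) of doing the same job on Postgres 7.3+ from a shell script: it rewrites DATETIME to TIMESTAMP while loading create_postgresql, then creates snortusr with only the table and sequence privileges Snort and Acid actually use, instead of a superuser or a blanket GRANT ALL. The role and database names come from the guide; the table and sequence names are assumptions based on what Snort 2.0's contrib files and Acid's create_acid_tbls_pgsql.sql create, so check them with \dt and \ds before running it.

```shell
#!/bin/sh
# Added example (not from the original guide): load the Snort schema into
# PostgreSQL 7.3+ and create snortusr with the least privilege Snort and Acid
# need, instead of a superuser or a blanket GRANT ALL.
# Assumptions (not stated in the guide): the database is named snort and the
# role snortusr (as in the guide's snort.conf line); the table and sequence
# names are those created by Snort 2.0's contrib/create_postgresql plus Acid's
# create_acid_tbls_pgsql.sql.  Verify them with:  psql snort -c '\dt'  and  \ds

# Tables the sensor writes to.  Snort only SELECTs and INSERTs.
SNORT_TABLES="schema event signature sig_reference reference reference_system \
sig_class sensor iphdr tcphdr udphdr icmphdr opt data detail encoding"

# SERIAL columns draw from sequences, and PostgreSQL 7.x requires UPDATE on the
# sequence for nextval().  Names follow the <table>_<column>_seq default
# (assumption: confirm with \ds).  acid_ag's sequence is Acid's, not Snort's.
SEQUENCES="sensor_sid_seq signature_sig_id_seq reference_ref_id_seq \
reference_system_ref_system_id_seq sig_class_sig_class_id_seq acid_ag_ag_id_seq"

# Acid's own bookkeeping tables; the web UI rewrites these freely.
ACID_TABLES="acid_ag acid_ag_alert acid_ip_cache acid_event"

# Alert tables Acid must be able to DELETE from when an analyst purges alerts.
ALERT_TABLES="event iphdr tcphdr udphdr icmphdr opt data"

# PostgreSQL 7.3 dropped the DATETIME alias: rewrite it to TIMESTAMP on the fly
# (portable sed; FreeBSD 4.x sed has no case-insensitive flag).
fix_datetime() {
    sed 's/[Dd][Aa][Tt][Ee][Tt][Ii][Mm][Ee]/TIMESTAMP/g'
}

# Print the SQL that creates snortusr and grants it only what it needs.
# $1 = password; single quotes in it are doubled so the SQL literal stays valid.
snort_db_grants() {
    passwd_sql=$(printf '%s' "$1" | sed "s/'/''/g")
    echo "CREATE USER snortusr WITH PASSWORD '$passwd_sql' NOCREATEDB NOCREATEUSER;"
    for t in $SNORT_TABLES; do
        echo "GRANT SELECT, INSERT ON $t TO snortusr;"
    done
    for s in $SEQUENCES; do
        echo "GRANT SELECT, UPDATE ON $s TO snortusr;"
    done
    for t in $ACID_TABLES; do
        echo "GRANT SELECT, INSERT, UPDATE, DELETE ON $t TO snortusr;"
    done
    for t in $ALERT_TABLES; do
        echo "GRANT DELETE ON $t TO snortusr;"
    done
}

# Usage, as the pgsql user from the contrib directory:
#   sh snort_db_setup.sh '<password>' [create_postgresql] [snortdb_extra.gz]
if [ $# -gt 0 ]; then
    fix_datetime < "${2:-create_postgresql}" | psql snort
    zcat "${3:-snortdb_extra.gz}" | psql snort
    snort_db_grants "$1" | psql snort
fi
```

Run it as the pgsql user from the contrib directory. If Acid later reports permission denied on some table or sequence, that is a name from your version of the schema missing from the lists above; add it rather than falling back to GRANT ALL or a superuser role.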

Install Apache

Install Apache. I am using apache13-modssl out of the ports collection. You can use the
web server software of your choice, but I would recommend sticking with Apache
because it supports everything you will need to get this up and running.

`cd /usr/ports/www/apache13-modssl && make install`
This should install OpenSSL if you don't already have it installed. If it doesn't, you will
probably need to do something like:
`cd /usr/ports/security/openssl && make install`
After OpenSSL is installed you will need to generate a server key and certificate for
mod_ssl, since Apache will not start in SSL mode without them…so do that.

Make sure you load the php4 module in Apache. In /usr/local/etc/apache/httpd.conf
you should have the following lines somewhere:

AddType application/x-httpd-php .php .php3
LoadModule php4_module libexec/apache/libphp4.so
AddModule mod_php4.c

You will also need the following section:

Alias /acid/ "/usr/local/www/acid/"
<Directory "/usr/local/www/acid">
Options MultiViews
AllowOverride AuthConfig
Order allow,deny
Allow from all
</Directory>

As written, this makes every alert (packet payloads included) readable by anyone who can
reach the web server. Restrict it before you go live: limit access to your management
network, require a password (AllowOverride AuthConfig is there so you can do that from a
.htaccess file), and serve the console over HTTPS only.
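The block above answers to anyone who can reach port 80. As an added example (not the author's configuration), here is a shell script that prints a replacement Directory block restricting the console to one management network, over HTTPS only, behind a password. The network is taken from the command line, the htpasswd file location is an assumption, and mod_ssl is assumed loaded as in the apache13-modssl port used above.

```shell
#!/bin/sh
# Added example, not from the original guide: a hardened replacement for the
# wide-open /acid/ <Directory> block.  Requires TLS, an IP allow-list and a
# password.  Assumptions: mod_ssl is loaded (apache13-modssl, as in the guide)
# and the htpasswd file lives at the path below.
acid_htpasswd=/usr/local/etc/apache/acid.htpasswd

# Accept only a.b.c.d/nn so nothing odd gets interpolated into httpd.conf.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
}

# $1 = network allowed to reach the console, e.g. 10.1.2.0/24.
# Prints the block to stdout for pasting into httpd.conf.
acid_directory_block() {
    net=$1
    cat <<EOF
Alias /acid/ "/usr/local/www/acid/"
<Directory "/usr/local/www/acid">
    # No MultiViews, no Indexes: serve only the PHP pages Acid ships with.
    Options None
    # Access control lives here, not in a writable .htaccess.
    AllowOverride None
    # Refuse plain HTTP; the alert database holds packet payloads.
    SSLRequireSSL
    # Layer 1: source address.  Layer 2: a password.  Both must pass.
    Order deny,allow
    Deny from all
    Allow from $net
    AuthType Basic
    AuthName "Snort ACID console"
    AuthUserFile $acid_htpasswd
    Require valid-user
    Satisfy All
</Directory>
EOF
}

# Usage:  sh acid_httpd_block.sh 10.1.2.0/24 >> /usr/local/etc/apache/httpd.conf
if [ $# -gt 0 ]; then
    valid_cidr "$1" || { echo "usage: $0 a.b.c.d/nn" >&2; exit 1; }
    acid_directory_block "$1"
fi
```

Replace the original block with the printed one, create the first console account with `htpasswd -c /usr/local/etc/apache/acid.htpasswd <user>` (drop `-c` for further users), then run `apachectl configtest` and restart. Basic auth sends the password in the clear, which is why SSLRequireSSL is not optional here.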

Install PHP

You also need PHP because this is what Acid is written in (using php-4.3.3)
`cd /usr/ports/www/mod_php4 && make install`

You should add support for postgres, jpgraph, socket support, gd and adodb for use with
Acid. Just follow the directions.

Install Acid

Now you get to install Acid. Jpgraph and adodb need to be installed, however this should
be taken care of by the following command. Note, that in the Makefile it specifies
mysql323-server as a RUN_DEPENDS. You should be able to remove this dependency
(the line ${LOCALBASE}/libexec/mysqld:${PORTSDIR}/databases/mysql323-server \)
and have things work. I have not had a chance to try it myself, so I’m not going to
guarantee it.
`cd /usr/ports/security/acid && make install`

Now change 2 files:
/usr/local/www/acid/acid_db_setup.php
Change all occurrences of DATETIME to TIMESTAMP in the Postgres sections

/usr/local/www/acid/create_acid_tbls_pgsql.sql
Do a find/replace on all DATETIME in the file and change to TIMESTAMP

Edit/add the following lines to /usr/local/www/acid/acid_conf.php
$Dbtype = "postgres";

$alert_dbname = "snort";
$alert_user = "snortusr";
$alert_password = "<password specified earlier in the Postgres file>";

$ChartLib_path = "/usr/local/share/jpgraph";
$DBlib_path = "/usr/local/www/data.default/php/adodb";
$portscan_file = "/path/to/portscan.log";

acid_conf.php now holds the database password in clear text, so make it readable only by
the user Apache runs as (www for the FreeBSD port) and not by other local accounts.

If the Acid installation did not add jpgraph and adodb to your system, just run the 2
following commands:
`cd /usr/ports/graphics/jpgraph && make install`
`cd /usr/ports/databases/adodb && make install`

Final Steps

Ok, everything should be installed and configured. Now we just fire things up!

Start Apache
`/usr/local/sbin/apachectl startssl`

Start Snort
`/usr/local/bin/snort -d -u snort -g wheel -i <interface> -c /usr/local/etc/snort.conf`
The -u flag requires a snort user to exist; create one if the port did not. Also consider a
dedicated group instead of wheel: Snort drops to this group after start-up, and wheel is the
administrators' group, so it should not be handed to a network-facing process.

Connect to http://yoursnortbox/acid/ (or https://, which is what startssl is for).
If everything has worked out the way it should have, there is a webpage with a button that
says ‘Create ACID AG’. Click that, and next time you view the page you should see an
actual Acid screen (like the one on the following page, Figure 1).
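The start line above depends on a snort account that the guide never creates, and hands the process group wheel. As an added example (not the author's command), here is a script that creates a dedicated snort user and group with pw(8) if they are missing, gives the log directory to that user, and starts Snort daemonized under that group. The interface comes from the command line; snort.conf is where the guide puts it, and the log directory /home/snort is taken from the Appendix.

```shell
#!/bin/sh
# Added example, not from the original guide: start Snort as a dedicated
# unprivileged user and group instead of "-u snort -g wheel".  wheel is the
# administrators' group; a process that needs no root should not carry it.
# Assumptions: $1 is the capture interface, snort.conf is at the guide's path,
# and flat-file logs go to /home/snort as in the guide's Appendix.
snort_conf=/usr/local/etc/snort.conf
snort_logdir=/home/snort

# Create the snort user and group if the port did not (FreeBSD pw(8)).
# No home, no shell: the account exists only to own the process and its logs.
ensure_snort_account() {
    pw groupshow snort >/dev/null 2>&1 || pw groupadd snort
    pw usershow snort >/dev/null 2>&1 || \
        pw useradd snort -g snort -d /nonexistent -s /sbin/nologin -c "Snort IDS"
    mkdir -p "$snort_logdir"
    chown snort:snort "$snort_logdir"
    chmod 0750 "$snort_logdir"
}

# Build the command line.  -D daemonizes (Snort then writes a pid file under
# /var/run, which an rc script or logrotate postrotate can use to stop it);
# -l sends alert and portscan.log to $snort_logdir; -u/-g are the identity
# Snort drops to once the capture socket is open.
snort_cmdline() {
    iface=$1
    echo "/usr/local/bin/snort -D -d -u snort -g snort -i $iface" \
         "-l $snort_logdir -c $snort_conf"
}

# Usage (as root):  sh start_snort.sh fxp0
if [ $# -gt 0 ]; then
    ensure_snort_account
    $(snort_cmdline "$1")
fi
```

Keep the snort group in step with whatever logrotate is told to `create` files as, otherwise rotated files come back with the wrong owner.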



Figure 1: Final working Acid screen
Other Tools

A quick side note: I also use logrotate in my setup so I can manage some of the flat files
that Snort produces. This allows me to keep the information in multiple formats (in case
the need arises). If you would like to configure logrotate similar to mine, please view the
Appendix.

In addition to Acid there are a number of great tools available out there to use with Snort,
way too many for me to name, but check out http://www.snort.org/dl/contrib/.

You should also consider getting on some of the mailing lists that are hosted at snort.org.
A list as well as brief descriptions can be found at http://www.snort.org/lists.html.

Resources

Here are a few of the documents that I used during my numerous configurations of Snort.

http://www.snort.org/docs/FreeBSD47RELEASE-Snort-MySQLVer1-3.pdf

That is a great beginners document with additional information on how to get FreeBSD
up and running in a snap as well as setting up Snort and MySQL. There is also a great
shell script that if placed in /usr/local/etc/rc.d will allow you to start snort automatically
on boot.

http://www.andrew.cmu.edu/~rdanyliw/snort/acid_config.html

A how-to on configuring Acid. This is where I got the information on the database
permissions for Acid (so I could generate the Postgresql script mentioned earlier)

http://www.kellys.net/snort/

A great quick-read document; it helped me with my first installation of Snort with
Postgres.


Appendix

Configuring Logrotate

I am currently using logrotate to rotate some of the flat files created by Snort, such as the
alert file and portscan.log. The simple reason behind this is that I parse these files on a daily
basis, and this was the easiest way to keep a past record of them and continue to parse
them. First the install.
`cd /usr/ports/sysutils/logrotate && make install`

To configure this is rather easy. In the file /usr/local/etc/logrotate.conf you specify how
long you want to keep the logs, the frequency at which to rotate them, as well as a
directory to store per-application specifics in. Usually that last line looks like “include
/usr/local/etc/logrotate.d”. In that directory you want to place a file (in my case, snort)
and include the following lines in that file.

/home/snort/alert {
    postrotate
        /usr/bin/killall -HUP snort
    endscript
}
/home/snort/portscan.log {
    compress
    postrotate
        /usr/bin/killall -HUP snort
    endscript
}

This configuration rotates Snort's alert and portscan.log files at the interval set in
logrotate.conf, compresses portscan.log, and after each file has been rotated sends a SIGHUP
to the Snort process, which makes Snort restart and write to freshly created log files. Note
that with two separate stanzas Snort receives two HUPs, one after each file.

One last thing to add before this part works. You must tell cron to run logrotate. This
can be done by adding the following line to /etc/crontab

30 8 * * * root /usr/local/sbin/logrotate /usr/local/etc/logrotate.conf

This will rotate the logs every day at 8:30am.
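The two stanzas above HUP Snort twice in a row, and the HUP is what forces the setuid bit on the snort binary earlier in this guide: on SIGHUP Snort re-executes itself, which a process that has already dropped to -u snort cannot do as root. As an added example (not the author's configuration), here is a script that writes a single stanza for both files, rotates daily with a fixed history, keeps rotated files unreadable to other users, and restarts Snort from root through an rc script instead of HUPing it, so the setuid bit can go. The rc script path is an assumption (the Resources section points to such a script); /home/snort and the snort/wheel identity follow the guide.

```shell
#!/bin/sh
# Added example, not from the original guide: one logrotate stanza for Snort's
# flat files that rotates both in one go and restarts Snort once, from root.
# Assumptions: logs live in /home/snort as in the guide, a start/stop script
# exists at /usr/local/etc/rc.d/snort.sh (the guide's Resources section points
# to one), and logrotate runs from root's crontab as in the guide.
snort_logdir=/home/snort
snort_rc=/usr/local/etc/rc.d/snort.sh

# Print the stanza to stdout.  $1 = days of history to keep (default 30).
snort_logrotate_stanza() {
    keep=${1:-30}
    cat <<EOF
$snort_logdir/alert $snort_logdir/portscan.log {
    daily
    rotate $keep
    compress
    missingok
    notifempty
    # Rotated evidence must not be world-readable: payloads are in there.
    # Match the -u/-g Snort is started with.
    create 0640 snort wheel
    # One restart for both files rather than one HUP per file.
    sharedscripts
    postrotate
        # Restart from root via the rc script instead of HUP: a Snort that has
        # dropped to -u snort cannot re-exec itself on HUP without the setuid
        # bit the guide sets, so this lets you drop that bit.
        $snort_rc stop
        sleep 2
        $snort_rc start
    endscript
}
EOF
}

# Write the stanza where logrotate.conf's include line will pick it up.
# $1 = destination file (default /usr/local/etc/logrotate.d/snort), $2 = days.
install_snort_logrotate() {
    dest=${1:-/usr/local/etc/logrotate.d/snort}
    snort_logrotate_stanza "$2" > "$dest"
    chmod 0644 "$dest"
    # Dry-run the whole configuration without rotating anything:
    #   logrotate -d /usr/local/etc/logrotate.conf
}

# Usage (as root):  sh snort_logrotate.sh [/usr/local/etc/logrotate.d/snort] [30]
if [ $# -gt 0 ]; then
    install_snort_logrotate "$@"
fi
```

After installing it, run `logrotate -d /usr/local/etc/logrotate.conf` once to see what would happen, then `logrotate -f` to force a first rotation and confirm that Snort comes back and that the new alert file is owned by the snort user with mode 0640.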