Run a Business Network on Linux: Intrusion Detection (Part 4)

Part 4: Learn how to configure Snort to collect network data and present useful reports.

By Carla Schroder | Posted Jun 9, 2008

In our first two installments on intrusion detection (see Resources), we got as far as setting up a Snort sensor on our network. Now it's time to set it up to automatically collect new rulesets, and set up BASE (Basic Analysis and Security Engine) to present all that data in a nice digestible way with graphs and sorting tools.

Quick Snort Test

This is a quick and easy way to test Snort and make sure it's doing something. Enter this rule in /etc/snort/rules/local.rules:

alert tcp any any -> $HOME_NET any (msg:"this is only a test"; sid:99887766;)

It means "alert on any TCP packet from any IP address and any port number entering my local network; print the message 'this is only a test' in the logfile, and give this rule a made-up ID number that hopefully doesn't conflict with any of the rule SIDs that already exist in /etc/snort/rules." You can follow along like this:

# tail -f /var/log/snort/alert

Generate some network activity—ping, surf the Web, check e-mail—and you'll see output like this:

[**] [1:998877:0] this is only a test [**]
[Priority: 0]
06/05-15:40:00.572281 11.22.33.44:110 -> 44.33.22.11:37573
TCP TTL:50 TOS:0x38 ID:0 IpLen:20 DgmLen:40 DF
*****R** Seq: 0x312AE540 Ack: 0x0 Win: 0x0 TcpLen: 20

Ctrl+C stops tail, though not Snort.
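The alert records above are easy to turn into the kind of per-signature and per-source rollup BASE charts, and the same rule syntax lets you check a made-up SID against the existing rules before you add it. This is an added example, not code from the article or from the Snort project; the alert text is a constructed sample in the format shown above, and sid_conflicts expects you to pass it the concatenated contents of /etc/snort/rules/*.rules.

```python
import re
from collections import Counter

# Constructed sample in the multi-line alert format shown above (not a real capture).
SAMPLE_ALERTS = """\
[**] [1:998877:0] this is only a test [**]
[Priority: 0]
06/05-15:40:00.572281 11.22.33.44:110 -> 44.33.22.11:37573
TCP TTL:50 TOS:0x38 ID:0 IpLen:20 DgmLen:40 DF
*****R** Seq: 0x312AE540 Ack: 0x0 Win: 0x0 TcpLen: 20

[**] [1:998877:0] this is only a test [**]
[Priority: 0]
06/05-15:40:02.100000 10.0.0.7:443 -> 44.33.22.11:37580
"""

HEADER = re.compile(r'^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$')   # [**] [gid:sid:rev] msg [**]
PACKET = re.compile(r'^(\S+) (\S+):(\d+) -> (\S+):(\d+)$')               # timestamp src:port -> dst:port
PRIORITY = re.compile(r'\[Priority: (\d+)\]')
SID_OPT = re.compile(r'\bsid\s*:\s*(\d+)\s*;')                            # the sid: option of a rule

def parse_alerts(text):
    """Yield one dict per alert; records in the log are separated by a blank line."""
    for record in text.strip().split("\n\n"):
        lines = record.splitlines()
        h = HEADER.match(lines[0])
        if not h:
            continue  # not an alert header; skip the record
        gid, sid, rev, msg = h.groups()
        alert = {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg}
        for line in lines[1:]:
            pr = PRIORITY.search(line)
            if pr:
                alert["priority"] = int(pr.group(1))
            pk = PACKET.match(line)
            if pk:
                ts, src, sport, dst, dport = pk.groups()
                alert.update(timestamp=ts, src=src, sport=int(sport), dst=dst, dport=int(dport))
        yield alert

def summarize(alerts):
    """Roll up a list of parsed alerts per signature and per source address."""
    by_sig = Counter((a["sid"], a["msg"]) for a in alerts)
    by_src = Counter(a["src"] for a in alerts)
    return by_sig, by_src

def sid_conflicts(new_rule, existing_rules):
    """Return the SIDs in new_rule that are already used somewhere in existing_rules."""
    existing = set(SID_OPT.findall(existing_rules))
    return sorted(int(s) for s in SID_OPT.findall(new_rule) if s in existing)
```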

Oinkmaster Rules

Snort gurus regularly create and test new rulesets, and there are three ways to get them. One way is by becoming a paying subscriber, which entitles you to receive updates as soon as they are available. Registered users get updates for free 30 days after they are released to paying subscribers. Unregistered users get updated rules only with new Snort releases, so you should at least be a registered user. Visit Sourcefire VRT Certified Rules to subscribe or register. Then use oinkmaster to download and apply the new rules.

You need to edit /etc/oinkmaster.conf so that it pulls in the correct ruleset for your Snort version. Run snort -V to get your Snort version. Then you need to generate your own oinkcode from your Snort.org User Settings page, and then edit the URL in /etc/oinkmaster.conf to include your oinkcode, like this:

url = http://www.snort.org/pub-bin/dow[...]t_os/snortrules-snapshot-2.7.tar.gz

This command downloads and installs the new rules:

# oinkmaster -o /etc/snort/rules/

Visit Snort downloads to verify the filename, and then visit /usr/share/doc/oinkmaster/ to study the READMEs. The Oinkmaster README has a lot of helpful information, including suggestions for automating rule updates with cron.

BASE Preparations

Figure 1. The tasksel ncurses menu.

Snort collects a lot of data, and you're welcome to analyze it however you like: spreadsheets, spendy commercial analysis software, mind meld. A common method is using BASE, Basic Analysis and Security Engine. This generates HTML reports and makes nice graphs, and you'll need a LAMP stack to serve up the goodies. Ubuntu Server installs this with one command:

$ sudo tasksel

You'll see an ncurses menu like Figure 1.

This will take awhile, so go have a healthy walk while it works. When it's finished, you'll have a few more packages to install:

$ sudo aptitude install snort-mysql

This removes snort, and replaces it with snort-mysql. (PostgreSQL fans, you may use snort-pgsql instead, and I'm afraid you're on your own since I don't speak Postgres. /usr/share/doc/snort-mysql/README-database.Debian will help you.) Pay attention when it asks you to create a root password for the database, because you'll need it. Why didn't I just tell you to install snort-mysql in the first place? Because I forgot. You'll get an error message when it is installed:

Snort will not start as its database is not yet configured.
* Please configure the database as described in
* /usr/share/doc/snort-{pgsql,mysql}/README-database.Debian
* and remove /etc/snort/db-pending-config

A big pitfall for a lot of admins is not knowing how to correctly create the database, so I'm going to walk through this step-by-step and in detail. First open the MySQL monitor as the MySQL root user. This is not the same as the Linux root user, because MySQL has its own root user:

$ mysql --user=root --password=[your root DB password set during installation]
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 16
Server version: 5.0.51a-3ubuntu5 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

Then run the following commands. I am naming the database "snortdb", giving the snort user CREATE, INSERT, SELECT and UPDATE permissions on snortdb, and setting the snort user's password to snortpass:

mysql> create database snortdb;
Query OK, 1 row affected (0.00 sec)
mysql> grant CREATE, INSERT, SELECT, UPDATE on snortdb.* to snort@localhost;
Query OK, 0 rows affected (0.00 sec)
mysql> grant CREATE, INSERT, SELECT, UPDATE on snortdb.* to snort;
Query OK, 0 rows affected (0.00 sec)
mysql> SET PASSWORD FOR snort@localhost=PASSWORD('snortpass');
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

You can verify it with this command. Note that the second GRANT above names no host, so it applies to the snort user connecting from any host ('snort'@'%'); the check below lists only the localhost account:

mysql> show grants for 'snort'@'localhost';
+---------------------------------------------------------+
| Grants for snort@localhost
+---------------------------------------------------------+
| GRANT USAGE ON *.* TO 'snort'@'localhost' IDENTIFIED BY PASSWORD
'*213D5A315A00B21866C12AA16E098B005C6E7EA1'
| GRANT SELECT, INSERT, UPDATE, CREATE ON `snortdb`.* TO 'snort'@'localhost'
+---------------------------------------------------------+
3 rows in set (0.00 sec)
mysql> exit

Then tell Snort about your new database:

$ cd /usr/share/doc/snort-mysql/
$ zcat create_mysql.gz | mysql -u snort -h localhost -p snortdb

When the last command asks you for a password, use the password you created for your Snort database, which in this example is snortpass.

Now run dpkg-reconfigure snort-mysql to configure Snort to log to your new database. Then delete /etc/snort/db-pending-config and start Snort:

# rm /etc/snort/db-pending-config
# /etc/init.d/snort start

Installing BASE

We'll have to install BASE from sources, which is no big deal since it's a big wad of PHP scripts that simply need to be unpacked. Download and unpack it in /var/www:

# cd /var/www
# wget http://voxel.dl.sourceforge.net/sourceforge/secureideas/base-1.2.2.tar.gz
# tar zxvf base-1.2.2.tar.gz

Rename the base-1.2.2 directory to plain old base. Then copy and edit the example configuration file:

# cd base
# cp base_conf.php.dist base_conf.php
# nano base_conf.php
$BASE_urlpath = "/base";
$DBlib_path = "/usr/share/php/adodb";
$DBtype = "mysql";
$alert_dbname = "snortdb";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "snortpass";

You also need to install more packages:

# aptitude install php5-mysql libphp-adodb php5-gd php-pear

When that's finished, run pear to install some necessary items for the graphs:

# pear install Image_Color
# pear install Image_Graph-alpha
# pear install Image_Canvas-alpha

Restart Apache, and Snort too for luck:

# /etc/init.d/apache2 restart
# /etc/init.d/snort restart

Then fire up a Web browser on a neighboring PC. For my test system the URL is http://sonja/base. You should see a nearly-blank page telling you BASE still needs to be set up. Click the Setup Page link, and you should have only a single button to push, marked "create base_ag". Click on it, and then hit the home page link, and there in all of their glory are your new BASE graphs.

I don't know about you, but I'm tired now. Still, it was worth it, and hopefully that will get you over the bumpy parts of getting BASE and Snort up and running. Running and monitoring an intrusion detection system is an ongoing job, and Snort offers many ways of fine-tuning to get reliable, focused results. Snort.org has a lot of good documentation, and the user forums and mailing lists are full of good help.

Next Up: Lightweight Mail Services for Servers

A crucial component in many servers is email alerts. But you probably don't want your network littered with full-blown SMTP servers, and you don't have to, because there are a number of nice lightweight SMTP forwarders that you can use. We'll cover these in our next installment of Running a Business Network on Linux.

Resources
