elmore
October 24th, 2002, 01:15
How-To Setup and Install Snort with MySQL on OpenBSD

Ok in this the latest installment of my how-to's we're going to discuss
Installing Snort. Snort is a wonderful Intrusion Detection System (IDS).
Quite possibly the best available. It's free to. OK, here's the standard
disclaimer, I am no snort expert, I have set it up a number of times, I
know the basic steps to get you up and running, tweaking and fine tuning
are completely up to you. So, once we've got it installed go RTFM so you
can understand what it is that you'll need to coninue to do. One last thing,
in the interest of time I have done things as fast as possible, I could go
on for a very long time on security etc. Please, Please, pretty please
apply your own personal security practices to this document. I am writing
this how-to from a testbox in my house, behind my firewall, and IDS system,
that was carefully installed and scrutinized over, this is a down and dirty let's
get something up and running type doc. Not a well refined tune everything up doc.
This will not keep you from getting hacked, especially if you don't apply your
own security practices. I take no responsibility. Sorry for the rant.
Let's get started.

This how-to is going to cover several things, so get ready here they
are in the order we'll cover them.


1. Setting up and configuring MySQL.
2. Setting up and configuring Snort.
3. Other Issues


Things this how-to assumes, This how-to assumes that all these services are
going to be running on the same box, they don't have to and we'll discuss, super
briefly, how-to implement snort on multiple boxes but we'll go into no great depth,
I of course will answer any questions you may have in the appropriate forums on
my website.

1. MySQL Installation

Installing MySQL can be a little bit tricky, sometimes the port doen't seem to work
quite right for me. Most of the time it's fine though. You can install MySQL a few
different ways:


1. From the ports tree (covered here)
2. From source
3. From the OpenBSD ftp site (precompiled binary.)


A. Installation

Well let move right on into the installation then, start off by doing the
following:

[code:1:24c737fdc7]
computer# cd /usr/ports/databases/mysql
computer# make && make install
computer# cd /usr/ports/packages/i386/All/
computer# pkg_add mysql-server-3.23.49.tgz
[/code:1:24c737fdc7]

You might get an error when you package_add mysql-server
something like:


pkg_add(mysql-server-3.23.49): add of dependency `p5-DBI-1.21' failed!
pkg_add(mysql-server-3.23.49): add of dependency `p5-DBD-Msql-Mysql-1.22.19' failed!


In this case you'll want to compile those dependencies. they can be located
here:

[code:1:24c737fdc7]
computer# cd /usr/ports/databases/p5-DBI
computer# cd /usr/ports/databases/p5-Msql-Mysql

do a make && make install in each of those directories.
[/code:1:24c737fdc7]

MySQL should be installed now.

B. MySQL Configuration

Now you have MySQL installed but you need to know what to do with it.
For right now, what we're going to do is set it up to startup automatically
upon boot and we're going to setup the root user password for MySQL

Starting up MySQL automatically is fairly easy you're going to copy a script
that comes with the port and then edit the rc.local file like so:

[code:1:24c737fdc7]
computer# cd /usr/local/share/mysql
computer# cp mysql.server /etc
computer# echo /etc/mysql.server start >> /etc/rc.local
[/code:1:24c737fdc7]

Then you'll need to edit the my sql.server file.
Edit the following line:


datadir=/var/mysql

to

datadir=/home/mysql


Keep in mind you don't have to edit the datadir.
I find that it's better to change the datadir because my
/var partition is often small.

When you change the datadir make sure you tar up and move /var/mysql
to do this just:

[code:1:24c737fdc7]
computer# cd /var
computer# tar czvfp mysql.tar.gz mysql
computer# cp mysql.tar.gz /home
cumputer# cd /home
computer# tar xzvfp mysql.tar.gz
[/code:1:24c737fdc7]

Now you'll need to change the root password for MySQL. First we're going to need
to startup Mysql like so:

[code:1:24c737fdc7]
computer# /etc/mysql.server start
[/code:1:24c737fdc7]

Now verify that Mysql is running by doing the following:

[code:1:24c737fdc7]
computer# ps ax

Look for something like this:

31452 p4 I 0:00.05 /bin/sh /usr/local/bin/safe_mysqld --datadir=/home/mysql --pid-file=/home/mysql/computer.pid
13332 p4 I 0:00.08 /usr/local/libexec/mysqld --basedir=/usr/local --datadir=/home/mysql --user=mysql --pid-file=/home/mysql/computer.pid

[/code:1:24c737fdc7]


Now change that password by doing this:

[code:1:24c737fdc7]
computer# /usr/local/bin/mysqladmin password <somepasswordhere>

where <somepasswordhere> is your password without the <>
[/code:1:24c737fdc7]


I recommend to not use the same Mysql root password as the root password
to your system. As the mysql root password will at some point show up
in clear text in some config file somewhere.

That's it for the Mysql install at the moment there will be some basic configuration
of the snort database covered a little later.



2. Snort

A. Installation

Snort can be compiled in the same manner as mysql, from source,
from the ports or via the OBSD ftp site. Of course here we'll be
using the ports tree. The OBSD crew does a pretty good job of
keeping snort somewhat up to date. To install snort do the following

[code:1:24c737fdc7]
computer# cd /usr/ports/net/snort
computer# cd /usr/ports/net/snort
computer# make show VARNAME=FLAVORS
postgresql mysql smbalert flexresp
computer# env FLAVOR="mysql flexresp" make install
[/code:1:24c737fdc7]

Once you've done that snort should be installed.

B. Snort configuration

OK first things first we need to make the snort database to login to.
So let's do that.

[code:1:24c737fdc7]
computer# /usr/local/bin/mysqladmin -u root -p create SNORT-ALERT
Enter password:
computer#
[/code:1:24c737fdc7]

Now you've created your database. Next we need to add the snort structure
the database so do the following:

[code:1:24c737fdc7]
computer# cd /usr/ports/net/snort/w-snort-1.8.3-mysql-flexresp/snort-1.8.3/contrib
computer# /usr/local/bin/mysql -u root -p SNORT-ALERT < create_mysql
Enter password:
computer#
[/code:1:24c737fdc7]

Now you've got your structure to log to.

*NOTE* - I highly recommend creating a mysql user and giving that user insert
select privs to your snort database, instead of using the mysql root user,
we won't be doing that here but you should probably do that for any production
box. Please see the mysql documentation on how-to do this.

Next thing we need to do is to configure snort. We'll need a base set of
snort rules and a config file. so do the following:

[code:1:24c737fdc7]
computer# mkdir /etc/snort
computer# mkdir /etc/snort/rules
computer# cd /usr/local/share/examples/snort
computer# tar czvfp snort.rules.orig.tar.gz *
computer# cp snort.rules.orig.tar.gz /etc/snort/rules
computer# cd /etc/snort/rules
computer# tar xzvfp snort.rules.orig.tar.gz
[/code:1:24c737fdc7]

Now you have you base set of rules up and a default conf file.
Well, we need to edit the default conf file, so snort knows
what to do don't we. Open /etc/snort/rules/snort.conf
in your favorite text editor (vi). We're just going to
cover some basics, just enough to get you up and running.
the file has a lot to it and you really need to do some
reading to get into the nitty gritty fine tuning.

snort.conf

In step 1 you really need to setup your home net, this example
will assume that your setting snort up on a firewall where your
external interface is plugged into a cable modem and it is dynamic.

[code:1:24c737fdc7]
var HOME_NET any

to

var HOME_NET $eth0_ADDRESS
[/code:1:24c737fdc7]

Where $eth0 is the name of your external interface connected
to your cable modem, like, xl0, fxp0, dc0 etc. for me:

[code:1:24c737fdc7]
var HOME_NET $xl0_ADDRESS
[/code:1:24c737fdc7]

If this were a static address you would have

[code:1:24c737fdc7]
var HOME_NET [xxx.xxx.xxx.xxx/yy]
[/code:1:24c737fdc7]

where x = your IP and y = your subnet, most likely /32
for a single machine.

so on and so forth.


You should also have a look at the other parameters:


var SMTP
var DNS_SERVERS
var SQL_SERVERS


self explanatory just apply what applicable to you.

For the most part you'll leave step 2 of the conf file
alone. I do think you should ucomment the following lines:

snort.conf
[code:1:24c737fdc7]
#preprocessor portscan-ignorehosts: $DNS_SERVERS

to

preprocessor portscan-ignorehosts: $DNS_SERVERS

and

#preprocessor arpspoof

to

preprocessor arpspoof
[/code:1:24c737fdc7]

There's a lot of other stuff you can do in step 2 unfortunately
it's hard to taylor make a how-to for your individual setup,
the best thing I can tell you is that you need to just read
through the snort docs. and find out which is best for you.

Step 3 is where we'll be spending most of our time. There's a lot to log.
so we'll need to be setting some stuff up. Uncomment the following lines:

[code:1:24c737fdc7]
output alert_syslog: LOG_AUTH LOG_ALERT
output log_tcpdump: snort.log
output database: log, mysql, user=root password=test dbname=db host=localhost
[/code:1:24c737fdc7]

ok now that's done you need to change the output database line to read like this:

[code:1:24c737fdc7]
output database: alert, mysql, user=root password=<yourpassword> dbname=SNORT-ALERT host=localhost encoding=ascii detail=full
[/code:1:24c737fdc7]

OK now your done with step 3 moving onto step 4 of the
config file. Look down towards the end of step 4 se all those lines
that include your rules. you need to decide which ones to use and
which ones you don't need, obviously, you really don't need stuff
like web-iis.rules if you don;t run an iis server, unless you just
want to see code red stuff. just use common sense here people.

alright save that file. Now we're almost ready to run.
one last thing you need to do

[code:1:24c737fdc7]
computer# mkdir /var/log/snort
[/code:1:24c737fdc7]

Now startup snort like so

[code:1:24c737fdc7]
computer# /usr/local/bin/snort
[quote]
Which should yeild an ouput like this:
[/quote]
[code]
testbox# /usr/local/bin/snort
Log directory = /var/log/snort

Initializing Network Interface xl0
using config file ./snort.conf
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file ./snort.conf

++++++++++++++++++++++++++++++++++++++++++++++++++ +
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Scan alerts: ACTIVE
Log Flushed Streams: INACTIVE
No arguments to stream4_reassemble, setting defaults:
Reassemble client: ACTIVE
Reassemble server: INACTIVE
Reassemble ports: 21 23 25 53 80 143 110 111 513
Reassembly alerts: ACTIVE
Back Orifice detection brute force: DISABLED
fopen: No such file or directory
spp_portscan: logfile open error (/var/log/snort/portscan.log)
Fatal Error, Quitting..
testbox# mkdir /var/log/snort
testbox# /usr/local/bin/snort
Log directory = /var/log/snort

Initializing Network Interface xl0
using config file ./snort.conf
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file ./snort.conf

++++++++++++++++++++++++++++++++++++++++++++++++++ +
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Scan alerts: ACTIVE
Log Flushed Streams: INACTIVE
No arguments to stream4_reassemble, setting defaults:
Reassemble client: ACTIVE
Reassemble server: INACTIVE
Reassemble ports: 21 23 25 53 80 143 110 111 513
Reassembly alerts: ACTIVE
Back Orifice detection brute force: DISABLED
Using LOCAL time
database: compiled support for ( mysql )
database: configured to use mysql
database: user = root
database: password is set
database: database name = SNORT-ALERT
database: host = localhost
database: data encoding = ascii
database: detail level = full
database: sensor name = 10.26.1.217
database: sensor id = 1
database: schema version = 104
database: using the "alert" facility
884 Snort rules read...
884 Option Chains linked into 102 Chain Headers
0 Dynamic rules
++++++++++++++++++++++++++++++++++++++++++++++++++ +

Rule application order: ->activation->dynamic->alert->pass->log

--== Initializing Snort ==--
Decoding Ethernet on interface xl0

--== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.3 (Build 88)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)
[/code]
[/code:1:24c737fdc7]
Now your running snort in non Daemon mode, if you got this far then
everything should be working. hit CTRL-C to get out of that.
Now we need to set snort up to run in Daemon mode. This is easy just
do the following:

[code:1:24c737fdc7]
computer# /usr/local/bin/snort -D
[/code:1:24c737fdc7]

Now you want to set it up to start automatically
so just do this:

[code:1:24c737fdc7]
computer# echo /usr/local/bin/snort -D >> /etc/rc.local
[/code:1:24c737fdc7]

Now you always want snort running so you need to come up with a good script
to run to check that snort is doing it's job something like this:

chk-snort
[code:1:24c737fdc7]
#!/bin/sh -f

ps=`/bin/ps ax | egrep -v "grep|$0" | grep snort`

if [ "$ps" != "" ]; then
:
echo "snort is alive!!
($ps)"
else
(
host=`hostname`
echo "To: root"
echo "Subject: snort on $host missing"
echo "From: root@somehost (chk-snort @ $host)"
echo
echo "snort is dead on $host..."
echo; echo "starting a new snort"
/usr/local/bin/snort -c /usr/local/share/snort/snort.conf -D
) | /usr/sbin/sendmail -t
fi
[/code:1:24c737fdc7]

or something to that effect. Once you have a script in place you should probably
put it in the crontab and run it every so often, every half-hour or something like
that. This will make sure you're never without snort for very long. Now your
snort setup is complete.

3. Other Issues and Concerns.

Initially I was going to write a how-to that also included a web based front-end.
I was going to use Demarc for that front-end. Unfortuately Demarc is no longer an OpenSource
project, and is not freely available in the snort tarballs or on the snort website. Demarc
remains free for private study and use and to non-profit organizations ( I Think). Since this
software is not readily available to everyone I will not write a how-to about it. I will look
into other freely available front-end for snort and write either and addendum to this How-To
or write another How-To. In either case, stay tuned as I's like to do this in the next few days.
I just need to evaluate what other front-end client are readily available and are free and easy
to use. If you still wish to use the Demarc product you can reach them here. http://www.puresecure.com

You may wish to install some sort of log reader, and set it up to e-mail you every day with events,
plenty of scripts are freely available on the snort website. You may also wish to keep your rules updated,
There are also plenty of scripts that will do this for you. There are loads of things that you can do with snort.
Stay tuned to this how-to for future addendums on these subjects. The snort website can be found here.
http://www.snort.org

Snort can also work in a distributed model, meaning you can have several snort sensors or boxes running
snort all logging back to a central databse, to do this you'll need to install snort on the desired boxes,
and the mysql-client on each of those boxes. You'll need to setup the mysql server to except logins
from the snort database user from those specific IP's. Hopefully I'll also be able to write an addendum for
this in the future as well.

That's about it for now, if you enjoyed reading this how-to or, if this how-to helped you out at all
please feel free to contact me either in the forums on my website or via e-mail. I'd love to hear from
you, as I'm always anxious to hear from anybody who has read my how-to's.

-elmore-
www.screamingelectron.org
elmore@screamingelectron.org

elmore
December 10th, 2002, 07:53
Here's a couple of additional links I just found off deadly.


http://www.deadly.org/article.php3?sid=20021210023015
http://www.samag.com/documents/s=1147/sam0108m/0108m.htm
http://www.alphademon.com/unix/snortbsd.txt

soup4you2
February 5th, 2003, 20:03
Here's a quick guide for freebsd.. not quite as good as yours but it'll do.... remember dont trust default configs

http://bsdhound.com/modules.php?name=News&file=article&sid=56