Comprehensive MySQL Database Setup Guide for Snort IDS with SnortReport Integration

Using Snort for Intrusion Detection

Snort is a popular open-source intrusion detection system. You can find it at http://www.snort.org/. Snort analyzes traffic and tries to detect and log suspicious activity. It can also send alerts based on its analysis.

Snort Installation

In this lesson, we will install Snort from source. Additionally, we won’t be installing the standard version of Snort but will compile it to send its logs to a MySQL database. Moreover, we’ll install a web-based tool, SnortReport, so we can easily access the information provided by Snort. Let’s start with Snort itself. Download the latest tarball and extract it to a convenient location—perhaps the same place where you’re unpacking the source code for the other software packages we’ll work with in this lesson. We will configure Snort to log its alerts into a MySQL database, so we assume you already have MySQL installed. If you’re on a system like Fedora Core, also make sure you have the Perl regular expression development library installed. These are available as RPM packages. (Retrieve the `pcre-devel.X.rpm` from your favorite RPM repository.)

Additionally, before compiling, you should create a group and user for Snort:

 groupadd snort

And:

 useradd -g snort snort -s /dev/null

Now you can begin compiling. Navigate to the directory containing the Snort source code and run the following command:

 ./configure --with-mysql

Then:

 make

And (as root):

 make install

Snort operates using a set of rules. You’ll need to copy these rules from the `rules` directory within the tarball source to `/etc/snort/rules/`. You should also copy all configuration files found there to `/etc/snort/`. Essentially, create the target directories and run the following from the source tree:

 mkdir -p /etc/snort/rules
 cp *.rules /etc/snort/rules/
 cp *.conf /etc/snort
 cp *.config /etc/snort
 cp *.map /etc/snort

Configuring Snort

First, we need to modify the `snort.conf` file to reflect details about your network. In this file, you’ll find the following variable:

 var HOME_NET X.X.X.X/X

Change it to match your network’s range. For example, for a typical Class C network, replace `X.X.X.X/X` with `192.168.0.0/16`. Additionally, ensure that the `RULE_PATH` variable points to `/etc/snort/rules`.

Since we’ve configured Snort to log its alerts into a MySQL database, we need to make some preparations. First, in the `snort.conf` file, add the following line:

 output database: log, mysql, user=snort password=XXXXX dbname=snort host=localhost

Next, create the “snort” database. Run the following command (assuming you have MySQL “root” user privileges on your machine):

 mysqladmin -u root -p create snort

Open the MySQL shell and create a “snort” user with privileges to create, insert, select, delete, and update tables:

 grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;

Then, set a password for the `snort` user using the following command:

 SET PASSWORD FOR snort@localhost=PASSWORD('XXXXX');

Now, we need to create the main tables in the Snort database. Navigate to the `contrib` directory in the Snort source code and run the following command:

 mysql -u root -p < create_mysql snort

Then, create additional tables using:

 zcat snortdb-extra.gz | /usr/local/mysql/bin/mysql -p snort

At this point, you should have all the tables necessary for the Snort MySQL system. Running a `SHOW TABLES;` query will display the following:

 +------------------+
 | Tables_in_snort  |
 +------------------+
 | data             |
 | detail           |
 | encoding         |
 | event            |
 | flags            |
 | icmphdr          |
 | iphdr            |
 | opt              |
 | protocols        |
 | reference        |
 | reference_system |
 | schema           |
 | sensor           |
 | services         |
 | sig_class        |
 | sig_reference    |
 | signature        |
 | tcphdr           |
 | udphdr           |
 +------------------+

Everything is now set up for Snort to start logging alerts. A great web-based frontend for monitoring Snort alerts is SnortReport. It’s written in PHP and can be easily installed on the web server hosting Snort. You can find it at Circuits Maximus: http://www.circuitsmaximus.com/SnortReport. It provides a graphical representation of alerts by protocol type. For this graphing capability, you’ll need the `libphp-jpgraph` library. It is packaged for Debian, and its source code can be found on ibiblio. You’ll also need to enable the GD library for your PHP installation, which is typically enabled by default if you’ve installed PHP4 or later versions.

To install, simply extract the SnortReport source into your web root. Then copy the PHP files that make up `libphp-jpgraph` into a subdirectory called `jpgraph` within the SnortReport directory, since this is where SnortReport will look for them. Next, open the `srconf.php` file and update the MySQL password variable for the `snort` user (`$pass = "XXXXX";`). Ensure the variable for the `jpgraph` path points to the correct location:

 define("JPGRAPH_PATH", "./jpgraph/");

You don’t have to enable graphing. If your PHP installation lacks GD support or you don’t have `jpgraph`, set the graphing variable in `srconf.php` to `FALSE`.
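The password for the `snort` MySQL user now lives in two plaintext files: the `output database:` line of `snort.conf` and `$pass` in `srconf.php`. The script below is an added check for this guide (not part of Snort or SnortReport) that verifies both files carry a real value rather than the `XXXXX` placeholder and are not readable by group or other users. The default paths are the ones the guide uses; the function names are my own.

```shell
#!/bin/sh
# check_snort_db_secrets.sh -- constructed example for this guide, not part of
# Snort or SnortReport. The guide stores the snort DB password in two places:
# the `output database:` line of snort.conf and `$pass` in srconf.php.
# This check flags a file that still contains the XXXXX placeholder, lacks the
# credential line entirely, or is readable by group/other users.

# check_secret_file FILE REGEX
#   0 = ok, 1 = problem found, 2 = file missing
check_secret_file() {
    file="$1"
    pattern="$2"
    rc=0
    if [ ! -f "$file" ]; then
        echo "MISSING     $file" >&2
        return 2
    fi
    # does the credential line exist, and is it still the placeholder?
    if ! grep -Eq "$pattern" "$file"; then
        echo "NOCRED      $file: no line matching $pattern" >&2
        rc=1
    elif grep -E "$pattern" "$file" | grep -q 'XXXXX'; then
        echo "PLACEHOLDER $file: password is still XXXXX" >&2
        rc=1
    fi
    # mode string from ls -l, e.g. -rw-r--r--; columns 5-10 are the group
    # and other permission bits. Any 'r' there means other local users can
    # read the database password.
    go_bits=$(ls -ld "$file" | cut -c5-10)
    case "$go_bits" in
        *r*) echo "WORLDREAD   $file: readable by group/other ($go_bits)" >&2; rc=1 ;;
    esac
    return $rc
}

# check_snort_db_secrets [SNORT_CONF] [SRCONF_PHP]
#   returns the highest status found across both files
check_snort_db_secrets() {
    conf="${1:-/etc/snort/snort.conf}"
    srconf="${2:-srconf.php}"
    worst=0
    r=0; check_secret_file "$conf" '^output database:.*mysql.*password=' || r=$?
    [ "$r" -gt "$worst" ] && worst=$r
    r=0; check_secret_file "$srconf" '^\$pass[[:space:]]*=' || r=$?
    [ "$r" -gt "$worst" ] && worst=$r
    return $worst
}
```

Run it as `check_snort_db_secrets /etc/snort/snort.conf /var/www/snortreport/srconf.php` after editing both files; a non-zero exit means at least one file needs a real password or a `chmod 600` (with ownership set to the user Snort or the web server runs as).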

Now, if you navigate your browser to the location of SnortReport, you should see something like this:

You can now monitor the Snort intrusion detection system via the web.

Updating and Adding Snort Rules

As mentioned earlier, Snort operates based on a set of rules stored in `/etc/snort/rules`. You can download new rules from http://www.snort.org/dl/rules/. Download the tarball corresponding to your version of Snort. At the time of writing, Snort is at version 2.x. Be sure to grab the tarball for your specific `.x` version (e.g., 2.1, 2.2, etc.).

If you manage just one or two servers, manually updating the rules after a new tarball release is practical. Rename the old `rules` directory to something like `rules.YYYYMMDD` or a name of your choice, then put the new rules directory in its place and restart Snort. If you manage multiple machines, creating a script to automate this process makes sense. A popular tool for updating and managing Snort rules is Oinkmaster. It’s available at http://oinkmaster.sourceforge.net/. Their website contains excellent documentation on how to use this tool to keep your rules updated.
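A script implementing the manual rotation just described, as an added example for this guide (it is neither Oinkmaster nor part of Snort): it moves the current `rules` directory aside as `rules.YYYYMMDD`, copies the new rules in, and runs `snort -T` to validate the configuration before you restart Snort, rolling back to the old rules if validation fails. `ROTATE_DATE` and `SNORT_BIN` are my own override variables so the script can be exercised on a machine without Snort.

```shell
#!/bin/sh
# rotate_snort_rules.sh -- constructed example for this guide, not part of Snort
# or Oinkmaster.
#
# rotate_snort_rules NEW_RULES_DIR [SNORT_DIR]
#   Keeps the old rules as SNORT_DIR/rules.YYYYMMDD, installs NEW_RULES_DIR as
#   SNORT_DIR/rules, and validates with `snort -T -c SNORT_DIR/snort.conf`.
#   Returns 0 when the new rules are in place and validated; otherwise restores
#   the old rules and returns 1.
rotate_snort_rules() {
    new_rules="$1"
    snort_dir="${2:-/etc/snort}"
    stamp="${ROTATE_DATE:-$(date +%Y%m%d)}"   # override only for reproducible tests

    # Refuse an empty or wrong directory: a rules dir without *.rules files
    # would silently leave Snort running with no signatures.
    if ! ls "$new_rules"/*.rules >/dev/null 2>&1; then
        echo "rotate_snort_rules: no .rules files in $new_rules" >&2
        return 1
    fi

    # Never clobber a backup made earlier the same day.
    backup="$snort_dir/rules.$stamp"
    if [ -e "$backup" ]; then
        echo "rotate_snort_rules: backup $backup already exists" >&2
        return 1
    fi
    if [ -d "$snort_dir/rules" ]; then
        mv "$snort_dir/rules" "$backup" || return 1
    fi
    cp -R "$new_rules" "$snort_dir/rules" || return 1

    # Validate before restarting. `snort -T` parses the config and rules and
    # exits non-zero on error. SNORT_BIN defaults to the snort binary; a
    # missing binary is treated as a failed validation.
    if ! "${SNORT_BIN:-snort}" -T -c "$snort_dir/snort.conf" >/dev/null 2>&1; then
        echo "rotate_snort_rules: snort -T failed, restoring $backup" >&2
        rm -rf "$snort_dir/rules"
        [ -d "$backup" ] && mv "$backup" "$snort_dir/rules"
        return 1
    fi
    echo "rotate_snort_rules: new rules installed, old rules kept in $backup"
    return 0
}
```

After a successful run, restart Snort as usual; the dated backup directory lets you revert by hand if a new rule set turns out to be too noisy.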