Building a Simple Snort Network Intrusion Detection System (NIDS)
TsengYia#126.com 2008.11.16
Establish a SNORT NIDS system based on the intrusion characteristic rule library.
###########################################################################################
System Environment:
Red Hat Enterprise Linux (2.6.18-8.el5)
Software Environment:
RHEL5 system's built-in RPM packages (most are already present by default; those marked with [*] may need additional installation):
httpd-2.2.3-6.el5
mysql-5.0.22-2.1
mysql-server-5.0.22-2.1
mysql-connector-odbc-3.51.12-2.2
mysql-devel-5.0.22-2.1 [*]
php-mysql-5.1.6-5.el5 [*]
php-5.1.6-5.el5
php-common-5.1.6-5.el5
php-pdo-5.1.6-5.el5 [*]
php-cli-5.1.6-5.el5
php-gd-5.1.6-5.el5 [*]
libpcap-0.9.4-8.1
libpcap-devel-0.9.4-8.1 [*]
pcre-6.6-1.1
pcre-devel-6.6-1.1 [*]
###########################################################################################
I. Install related RPM software and configure the AMP environment
1. Installation (process omitted)
2. Configure and start httpd, mysqld
Using default configuration (process omitted).
shell> service httpd start
shell> service mysqld start
shell> chkconfig httpd on
shell> chkconfig mysqld on
II. Configure and start the snort process
1. Compile and install snort
shell> useradd -d /etc/snort -s /sbin/nologin snort
shell> mkdir -p /var/log/snort/
shell> chown snort /var/log/snort/
shell> cd /dl_pkgs/
shell> tar zxvf snort-2.8.3.1.tar.gz
shell> cd snort-2.8.3.1
shell> ./configure --with-mysql
shell> make && make install
2. Install rule files (including etc/ configuration, doc/manual)
shell> tar zxvf /dl_pkgs/snortrules-snapshot-2.8.tar.gz -C /etc/snort/
# For specific applications of Snort rules, please refer to other resources.
3. Modify the snort.conf configuration file
shell> cd /etc/snort/etc/
shell> cp snort.conf snort.conf.bak
shell> vi snort.conf
var HOME_NET [192.168.0.0/24,192.168.1.0/24,10.1.1.0/24]
var EXTERNAL !$HOME_NET
var RULE_PATH ../rules
output database: log, mysql, user=snort password=secret dbname=snort_log host=localhost
# If using internal hosts for intrusion testing, the HOME_NET and EXTERNAL variables can be left unchanged initially
4. Create the snort_log database
shell> mysql -u root -p
mysql> create database snort_log;
mysql> grant all on snort_log.* to snort@localhost identified by 'secret';
mysql> quit
shell> mysql -u snort -p snort_log < /dl_pkgs/snort-2.8.3.1/schemas/create_mysql
5. Start snort
shell> snort -dD -u snort -g snort -c /etc/snort/etc/snort.conf
The -D option starts snort in daemon mode, running in the background. If ps aux | grep snort shows that snort has not started correctly, run snort again without the -D option and troubleshoot based on the messages it prints.
[When starting snort with rules, if using version 2.4 rule package (unregistered user version), there may be errors. Comment out the corresponding lines (97/98/452) in the web-misc.rules file based on the prompt as a workaround.]
Appendix: Some common options of the snort tool
-v Display debug information and output packets to the terminal (do not use this option when the system is working as an IDS)
-c Specify the location of the ruleset file
-d Output application layer data
-e Output data link layer data
-l Record data into log files (the directory for saving logs can be specified, default is /var/log/snort/)
-b Use tcpdump format to record data
-A Specify alert mode (fast, full, none, unsock), different modes determine the level of detail of alert information
-T Run self-test (can check command parameters, configuration files, rulesets, etc. before running in daemon mode with -D)
-D Run in daemon mode in the background
-u Specify the user to run (switch to this user after initialization is complete)
-g Specify the group to run
--> To control snort more conveniently, a snort service script can be created
shell> vi /etc/init.d/snort
#!/bin/sh
# chkconfig: - 99 99
# description: Snort NIDS DAEMON
PROG=/usr/local/bin/snort
CONF=/etc/snort/etc/snort.conf
# -d: log application-layer data, -D: daemonize, -u/-g: drop privileges after init
ARGS="-dD -u snort -g snort"
case "$1" in
start)
$PROG $ARGS -c $CONF
;;
stop)
# -9 skips Snort's own shutdown; plain killall snort (SIGTERM) lets it exit cleanly
killall -9 snort
;;
restart)
killall -9 snort
$PROG $ARGS -c $CONF
;;
*)
echo $"Usage: $0 {start|stop|restart}"
exit 1
;;
esac
shell> chmod +x /etc/init.d/snort
shell> chkconfig --add snort
shell> chkconfig --level 2345 snort on
shell> service snort start
III. Configure the base+adodb web frontend
1. Install php-pear and related plugins
Including php-pear and downloaded plugins like Image, Mail, Numbers:
Image_Canvas-0.3.1.tar, Image_Color-1.0.2.tar, Image_Graph-0.7.2.tar
Mail-1.1.14.tar, Mail_Mime-1.5.2.tar, Mail_mimeDecode-1.5.0.tar
Numbers_Roman-1.0.2.tar, Numbers_Words-0.15.0.tar
shell> rpm -ivh /dl_pkgs/php-pear-1.7.2-2.fc10.noarch.rpm
shell> cd /dl_pkgs/pear-plugin/
shell> pear install *.tar
2. Extract adodb, base source packages
shell> cd /var/www/html/
shell> tar zxvf /dl_pkgs/adodb506a
shell> tar zxvf /dl_pkgs/base-1.4.1-tar.gz
shell> mv base-php4 base
3. Configure base
shell> cd /var/www/html/base/
shell> cp base_conf.php.dist base_conf.php
shell> vi base_conf.php # Modify related variables according to the actual situation
$BASE_Language = 'simplified_chinese'; # To maintain compatibility, it is recommended to use the default English
$BASE_urlpath = '/base';
$DBlib_path = '/var/www/html/adodb5';
$DBtype = 'mysql';
$alert_dbname = 'snort_log';
$alert_host = 'localhost'; # database host; the MySQL port goes in $alert_port, not here
$alert_port = '3306';
$alert_user = 'snort';
$alert_password = 'secret';
$archive_exists = 0;
4. Initialize installation
Visit http://Server_IP/base in a browser, and follow the prompts for "setup page" -> "Create BASE AG".
5. Add an administrator user (optional)
1) You can click the "Administration" link at the bottom of http://Server_IP/base to create a new "admin" user.
2) Modify the /var/www/html/base/base_conf.php file and enable the Auth_System switch: "$Use_Auth_System = 1;".
3) Revisit http://Server_IP/base in a browser; it now requires logging in with the admin user.
IV. Testing
1) Modify the snort.conf file to add a rule
shell> vi /etc/snort/etc/snort.conf
alert tcp any any -> any any (flags:S; msg:"SYN Packets Alert!"; sid:20081122;)
# This rule alerts on every TCP SYN packet; it is only for testing, so delete it once done
2) Restart snort and track alert logs
shell> service snort restart
shell> tail -f /var/log/snort/alert
3) From another host, use a tool such as nmap to perform a SYN scan against the snort server, for example "nmap -sS Server_IP", and observe the changes in the alert log from the previous step.
4) Refresh the http://Server_IP/base page, check the alert information, and click "Graph Alert Data" on the right to configure and view alert graphs (images may not display when using the Chinese interface).
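As an added example (not code from the original page), a small Python parser for the alert file tailed in step 2, run over a constructed sample of Snort's full alert format for the test rule above; it counts alerts per sid and flags sources whose SYNs hit many distinct ports, which is how the scan from step 3 shows up. The min_ports threshold is an assumption of this example, not a Snort setting.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Snort's "full" alert format (/var/log/snort/alert) for this
# page's test rule sid:20081122. Not a real capture; the TCP header lines and blank
# separators that follow each packet line are omitted.
SAMPLE_ALERTS = """\
[**] [1:20081122:0] SYN Packets Alert! [**]
[Priority: 0]
11/22-10:15:32.123456 192.168.1.5:43210 -> 192.168.0.10:22
[**] [1:20081122:0] SYN Packets Alert! [**]
[Priority: 0]
11/22-10:15:32.123990 192.168.1.5:43211 -> 192.168.0.10:80
[**] [1:20081122:0] SYN Packets Alert! [**]
[Priority: 0]
11/22-10:15:33.000001 192.168.1.5:43212 -> 192.168.0.10:443
[**] [1:20081122:0] SYN Packets Alert! [**]
[Priority: 0]
11/22-10:16:01.500000 10.1.1.7:51000 -> 192.168.0.10:22
"""

# "[**] [gid:sid:rev] message [**]" and "MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]"
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
PACKET_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")

def parse_alerts(text):
    """Return one dict per alert record (gid/sid/rev, msg, timestamp, endpoints)."""
    alerts, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"gid": int(m[1]), "sid": int(m[2]), "rev": int(m[3]), "msg": m[4]}
            alerts.append(current)
            continue
        m = PACKET_RE.match(line)
        if m and current is not None:  # ports are absent for ICMP, hence the None handling
            current.update(ts=m[1], src=m[2], dst=m[4],
                           sport=int(m[3]) if m[3] else None, dport=int(m[5]) if m[5] else None)
    return alerts

def summarize(alerts, sid=20081122, min_ports=3):
    """Alerts per sid, plus sources whose SYNs reached >= min_ports distinct
    destination ports (the footprint an nmap -sS run leaves in the alert file)."""
    per_sid = Counter(a["sid"] for a in alerts)
    ports_by_src = defaultdict(set)
    for a in alerts:
        if a["sid"] == sid and a.get("dport"):
            ports_by_src[a["src"]].add(a["dport"])
    return per_sid, sorted(s for s, p in ports_by_src.items() if len(p) >= min_ports)
```

Point it at the real file with parse_alerts(open("/var/log/snort/alert").read()) once the test rule has fired.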
###########################################################################################