Part 1 - Installing and Configuring ACID
Part 2 - Installing and Configuring Snort with MySQL
Part 3 - Installing and Configuring MySQL for ACID and Snort
ACID (Analysis Console for Intrusion Databases) is a PHP-based analysis engine used to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools.
Snort is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry.
Continuation from Part 1 - Installing and Configuring ACID
-----------------------------------------------------------
Snort - Install with MySQL support and configure snort.conf for output modules
----------------------------------------------------------
root@router2:/src/snort-2.2.0# ./configure --with-mysql=/usr/local/mysql-*********.**
root@router2:/src/snort-2.2.0# make
root@router2:/src/snort-2.2.0# make install
Now, to configure Snort, edit snort.conf:
root@router2:/src/snort-2.2.0/etc# vi snort.conf
---------------------
Snort Output Modules
The next part is the configuration of the output modules. We will use the alert_syslog module to send alerts to syslog and the database module to additionally log to a MySQL database.
The alert_syslog module requires some options specifying what has to be logged. If, like in my case, you are using SnortSnarf to analyse the log file, you have to add the option LOG_PID, otherwise SnortSnarf has problems.
As stated before, we will use ACID and thus need to set up Snort to log to a database. I chose MySQL for no particular reason (well, I've heard more about MySQL than about PostgreSQL, but that's all).
The database output module requires the following parameters:
================================================================
log | alert
Log to the alert facility or to the log facility. If you would like to get portscan alerts into the database you have to use alert here.
mysql|postgresql|odbc|oracle|mssql
This is the type of database.
user=
Here you define the username to be used with the database.
password=
The required password for the given user.
dbname=
The name of the database to be used for logging into.
host=
Here you define the host on which the database is running. Use localhost if the database is running on the snort sensor itself.
sensor_name=
Here you put in a unique name which is used to differentiate between various sensors if more than one is logging into a single database.
Now let's take a look at the output module part of /etc/snort/snort.conf:
output alert_syslog: LOG_AUTH LOG_ALERT LOG_PID
output database: alert, mysql, user=snort password=mypassword dbname=snort host=localhost sensor_name=mysensor
=================================================================
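The parameter list above is easy to get subtly wrong (a misspelled database type, a forgotten sensor_name, or a snort.conf copied from one sensor to another without changing sensor_name or host). The following is an added example, not code from the original post and not part of Snort or ACID: a small Python checker that parses the `output database:` line of a Snort 2.x snort.conf against those parameters and, for a fleet of sensors logging to one central database, flags duplicate sensor_name values and sensors still pointing at localhost. The sample configs and host names in it are constructed for the example.

```python
"""Check the `output database:` lines of Snort 2.x snort.conf files.

Hypothetical helper (not part of Snort or ACID): validates the facility
(alert|log), the database type and the required key=value parameters,
and checks a fleet of sensor configs for duplicate sensor_name values
and for host=localhost where a central database is expected.
"""
import re
import shlex

VALID_FACILITIES = {"alert", "log"}
VALID_DB_TYPES = {"mysql", "postgresql", "odbc", "oracle", "mssql"}
REQUIRED_PARAMS = ("user", "password", "dbname", "host", "sensor_name")

OUTPUT_DB_RE = re.compile(r"^\s*output\s+database\s*:\s*(.*)$")


def parse_output_database(line):
    """Parse one `output database: <alert|log>, <dbtype>, k=v ...` line.

    Returns a dict with 'facility', 'db_type' and the key=value parameters,
    or None if the line is not an `output database:` line at all.
    """
    m = OUTPUT_DB_RE.match(line)
    if not m:
        return None
    # Snort separates facility and db type from the parameters with commas.
    parts = [p.strip() for p in m.group(1).split(",", 2)]
    if len(parts) != 3:
        raise ValueError("expected '<alert|log>, <dbtype>, params': %r" % line)
    facility, db_type, params = parts
    result = {"facility": facility, "db_type": db_type}
    for token in shlex.split(params):
        if "=" not in token:
            raise ValueError("parameter without '=': %r" % token)
        key, value = token.split("=", 1)
        result[key] = value
    return result


def validate_output_database(parsed):
    """Return a list of problems for one parsed `output database:` line."""
    problems = []
    if parsed["facility"] not in VALID_FACILITIES:
        problems.append("facility must be 'alert' or 'log', got %r" % parsed["facility"])
    if parsed["db_type"] not in VALID_DB_TYPES:
        problems.append("unknown database type %r" % parsed["db_type"])
    for key in REQUIRED_PARAMS:
        if key not in parsed:
            problems.append("missing required parameter %s=" % key)
    return problems


def find_output_database_lines(conf_text):
    """Parse every `output database:` line of a snort.conf, skipping comments."""
    entries = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        parsed = parse_output_database(line)
        if parsed is not None:
            entries.append(parsed)
    return entries


def check_sensor_fleet(configs):
    """configs maps a sensor label to its snort.conf text.

    For sensors that all log to one central database every sensor_name
    must be unique and host= must not be localhost; returns the problems.
    """
    problems = []
    seen = {}
    for sensor, text in configs.items():
        for entry in find_output_database_lines(text):
            for p in validate_output_database(entry):
                problems.append("%s: %s" % (sensor, p))
            name = entry.get("sensor_name")
            if name in seen:
                problems.append("%s: sensor_name %r already used by %s" % (sensor, name, seen[name]))
            elif name is not None:
                seen[name] = sensor
            if entry.get("host") == "localhost":
                problems.append("%s: host=localhost, but the central database is on another machine" % sensor)
    return problems


# Constructed sample configs for two sensors (not from the original post).
SENSOR_A_CONF = """\
output alert_syslog: LOG_AUTH LOG_ALERT LOG_PID
output database: alert, mysql, user=snort password=mypassword dbname=snort host=db.example.internal sensor_name=sensor-a
"""
SENSOR_B_CONF = """\
# copied from sensor A without changing sensor_name or host
output database: alert, mysql, user=snort password=mypassword dbname=snort host=localhost sensor_name=sensor-a
"""

if __name__ == "__main__":
    for problem in check_sensor_fleet({"sensor-a": SENSOR_A_CONF, "sensor-b": SENSOR_B_CONF}):
        print(problem)
```

Run against the two constructed configs it reports nothing for sensor-a and two problems for sensor-b: the reused sensor_name and the host=localhost left over from the copy. Running it on real configs before starting Snort is cheaper than discovering in ACID that two sensors' events are indistinguishable.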
If you are using more than one physical Snort sensor and want to log to a database, I recommend a central database on a separate machine. You can then correlate the alert data from all sensors in a single console and get a better overview when attacks are found. Give each sensor its own unique sensor_name, and note that snort.conf now contains the database password in clear text, so keep it readable only by the user Snort runs as.
On to
Part 2 - Installing and Configuring Snort with MySQL
Part 3 - Installing and Configuring MySQL for ACID and Snort