Thursday, August 07, 2008

Build your own IDS or IPS - Part 2 - Installing and Configuring Snort with MySQL

This is taken from some of my old documentation. After going through the three-part how-to you should have your own IDS/IPS running and logging to a MySQL database.

Part 1 -Installing and Configuring ACID
Part 2 - Installing and Configuring Snort with MySQL
Part 3 - Installing and Configuring MySQL for ACID and Snort

ACID stands for Analysis Console for Intrusion Databases. It is a PHP-based analysis engine used to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools.

Snort is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry.

Continuation from Part 1 -Installing and Configuring ACID

Snort - Install with MySQL support and configure snort.conf for output modules

root@router2:/src/snort-2.2.0# ./configure --with-mysql=/usr/local/mysql-*********.**
root@router2:/src/snort-2.2.0# make
root@router2:/src/snort-2.2.0# make install

Now configure Snort by editing snort.conf:
root@router2:/src/snort-2.2.0/etc# vi snort.conf

Snort Output Modules

The next part is the configuration of the output modules. We will use two of them: alert_syslog, which sends alerts to syslog, and database, which additionally logs to a MySQL database.

The alert_syslog module takes options that control how the alerts are logged. If, like in my case, you are using SnortSnarf to analyse the log file you'll have to add the option LOG_PID, otherwise SnortSnarf has problems parsing the entries.

As stated before we will use ACID and thus we need to set up snort to log to a database. I chose MySQL for no particular reason (well, I've heard more from MySQL than from postgreSQL but that's all).

The database output module requires the following parameters (in the order they appear on the configuration line):

log | alert
Selects whether the module receives events from Snort's alert facility or from its log facility. If you would like to get portscan alerts into the database you have to use alert here.

mysql
The type of database; mysql in this how-to.

user
The username to be used with the database.

password
The password for the given user. It is stored in clear text in snort.conf, so keep that file readable only by the user Snort runs as.

dbname
The name of the database to log into.

host
The host on which the database is running. Use localhost if the database is running on the Snort sensor itself.

sensor_name
A unique name used to differentiate between sensors when more than one is logging into a single database.

Now let's take a look on the output module part of /etc/snort/snort.conf:

output alert_syslog: LOG_AUTH LOG_ALERT LOG_PID
output database: alert, mysql, user=snort password=mypassword dbname=snort host=localhost sensor_name=mysensor

If you are running more than one physical Snort sensor and logging to a database, I would recommend a central database on a separate machine. You can then correlate alert data from all sensors in a single console and get a better overview when attacks are found. Give each sensor its own sensor_name, and restrict the database account so that only the sensor hosts can connect with it.
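As an added example (not part of the original post), here is a small POSIX shell script that checks such an output database line before the sensor is started: it parses the parameters described above, verifies that the required ones are present and that the facility and database type are sane, and flags a world-readable snort.conf, since the database password sits in it in clear text. The sample configuration lines are constructed inline from the ones shown above, and the helper names (make_sample_conf, db_param, check_db_output, conf_is_private) are my own, not part of Snort.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the "output database:"
# line of snort.conf before starting the sensor. The parameter names (user,
# password, dbname, host, sensor_name) are the ones Snort's database output
# module uses; the sample file and the check functions are constructed here.

# Write a constructed two-line snort.conf fragment to a temp file so the script
# runs stand-alone. $1 = "broken" leaves sensor_name out of the database line.
make_sample_conf() {
  f=$(mktemp) || return 1
  echo 'output alert_syslog: LOG_AUTH LOG_ALERT LOG_PID' > "$f"
  if [ "$1" = "broken" ]; then
    echo 'output database: alert, mysql, user=snort password=mypassword dbname=snort host=localhost' >> "$f"
  else
    echo 'output database: alert, mysql, user=snort password=mypassword dbname=snort host=localhost sensor_name=mysensor' >> "$f"
  fi
  echo "$f"
}

# Print the value of the key=value parameter $2 from the database line in file $1.
db_param() {
  grep '^output database:' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Return 0 when the database line names a valid facility, a known backend and
# every required parameter; otherwise print what is wrong and return 1.
check_db_output() {
  conf=$1
  line=$(grep '^output database:' "$conf" | head -n 1)
  if [ -z "$line" ]; then echo "no 'output database:' line"; return 1; fi

  facility=$(echo "$line" | sed 's/^output database: *\([a-z]*\),.*/\1/')
  case "$facility" in
    alert|log) ;;
    *) echo "facility must be alert or log, got '$facility'"; return 1 ;;
  esac

  dbtype=$(echo "$line" | sed 's/^output database: *[a-z]*, *\([a-z]*\),.*/\1/')
  case "$dbtype" in
    mysql|postgresql) ;;   # the two backends mentioned in the post
    *) echo "unexpected database type '$dbtype'"; return 1 ;;
  esac

  missing=""
  for key in user password dbname host sensor_name; do
    [ -n "$(db_param "$conf" "$key")" ] || missing="$missing $key"
  done
  if [ -n "$missing" ]; then echo "missing parameter(s):$missing"; return 1; fi
  return 0
}

# snort.conf carries the database password in clear text, so it must not be
# world-readable. Character 8 of "ls -l" output is the "other read" bit.
conf_is_private() {
  [ "$(ls -l "$1" | cut -c8)" = "-" ]
}

# Demo: run both checks on the constructed good file and the broken one.
demo() {
  good=$(make_sample_conf good)
  bad=$(make_sample_conf broken)
  chmod 644 "$good"
  check_db_output "$good" && echo "good: parameters OK (sensor_name=$(db_param "$good" sensor_name))"
  conf_is_private "$good" || echo "good: WARNING world-readable, fix with: chmod 600 $good"
  chmod 600 "$good"
  conf_is_private "$good" && echo "good: now private"
  check_db_output "$bad" || echo "bad: rejected"
  rm -f "$good" "$bad"
}
demo
```

Run it with sh. Once the real file passes, `snort -T -c /etc/snort/snort.conf` makes Snort itself parse the configuration and report errors without starting to sniff, which catches anything this script does not.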

On to
Part 3 - Installing and Configuring MySQL for ACID and Snort
