Friday, August 08, 2008

Build your own IDS or IPS - Part 3 - Installing and Configuring MySQL for ACID and Snort


This is from one of my old documentation sets. After going through my three-part how-to you should have your own IDS/IPS running and logging to a MySQL DB.

Part 1 -Installing and Configuring ACID
Part 2 - Installing and Configuring Snort with MySQL
Part 3 - Installing and Configuring MySQL for ACID and Snort


ACID (Analysis Console for Intrusion Databases) is a PHP-based analysis engine used to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools.

Snort is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry.


Continuation from Part 2 - Installing and Configuring Snort with MySQL


I'm pretty sure some of the installation procedures have changed since I wrote this how-to; please check your README files for more information.
----------------------------------------------------
Mysql Installation and Configuration for ACID and Snort
----------------------------------------------------

==================================================================
root@router2:/usr/local# tar -xzvf mysql-standard-5.0.0-alpha-pc-linux-i686.tar.gz
root@router2:/usr/local# ln -s full-path-to-mysql-VERSION-OS mysql
root@router2:/usr/local# cd mysql
root@router2:/usr/local/mysql# scripts/mysql_install_db
root@router2:/usr/local/mysql# chown -R root .
root@router2:/usr/local/mysql# chown -R mysql data
root@router2:/usr/local/mysql# chgrp -R mysql .
root@router2:/usr/local/mysql# bin/mysqld_safe --user=mysql &
=================================================================

to start mysql - "bin/mysqld_safe --user=mysql &"

-----------------------


Configuring MySQL for SNORT and ACID use

To allow Snort to send alerts to MySQL you first have to install MySQL. Most Linux distributions ship MySQL packages, so you should use them. If not, you'll probably have to compile and install it from scratch by downloading the tarball from http://www.mysql.org/. Take a look at the documentation shipped with MySQL to set it up.

When you have a running MySQL daemon you have to initialize a snort database. This is documented in the next section.

Since there should be a password set for each account, you'll have to use the -p option on the mysql command line.

==============================================================
[root@ids01 /root]# mysql -u root -p
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 133 to server version: 3.23.32

Type 'help;' or '\h' for help. Type '\c' to clear the buffer

mysql>create database snort;
Query OK, 1 row affected (0.00 sec)

mysql> connect snort
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Connection id: 139
Current database: snort

mysql> status
--------------
mysql Ver 11.12 Distrib 3.23.32

Connection id: 139
Current database: snort
Current user: root@localhost
Current pager: stdout
Using outfile: ''
Server version: 3.23.32
Protocol version: 10
Connection: Localhost via UNIX socket
Client characterset: latin1
Server characterset: latin1
UNIX socket: /var/lib/mysql/mysql.sock
Uptime: 1 day 2 hours 6 min 21 sec

Threads: 14 Questions: 4272 Slow queries: 0 Opens: 58 Flush tables: 1 Open tables: 18 Queries per second avg: 0.045
--------------

mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> exit
Bye
================================================

To generate the required table structure of the database use the create_mysql script which can be found in the contrib section of the original Snort tarball.

================================================
[root@ids01 /root]# mysql -u root -p snort < ./contrib/create_mysql
=================================================

You'll have to add a userid/password pair for the database, remember to change xxxx to a password suitable for your environment!

=================================================
[root@ids01 /root]# mysql -u root -p mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 148 to server version: 3.23.32

Type 'help;' or '\h' for help. Type '\c' to clear the buffer

mysql> insert into user (User,Password) values('snort',PASSWORD('xxxx'));
Query OK, 1 row affected (0.00 sec)

mysql> exit
Bye
=================================================

Now add some extra tables, shipped for your convenience in the contrib section of the Snort tarball and in my RPM, using the command

=================================================
zcat snortdb-extra.gz | mysql -u root -p snort
=================================================

If you wish to use the archiving feature of ACID you'll have to create another database snort_archive (or any other name you prefer) exactly the same way as you defined the snort database.

From now on the database is ready to be used for logging with the database output module of snort which you could now activate in /etc/snort/snort.conf.

-------------------------------------------------------------------------------
DONE - It should be Working Perfectly NOW!




