In the last articles, I explained:
What is a Firewall?
What is Intrusion Detection System?
How to configure Firewalls in Linux?
I also explained a few attacks, like:
What is ARP Spoofing?
and
How to detect an ARP Spoofing attack in your system?
In this article, I will explain how to install an Intrusion Detection System in your system.
I am using a Linux system here. The advantage of Linux is that it is open source and gives lots of room for experimentation.
An Intrusion Detection System inspects all inbound and outbound traffic in your system and detects suspected attacks. In this article, I will show how to install Snort Intrusion Detection System in your Linux machine.
So, let's start.
1. Install LAMP Server :
The LAMP stack is Linux, Apache, MySQL and PHP. We need it for the Snort IDS database and for the ACID web front end installed later. To do that, first install tasksel and then the lamp-server task.
# sudo apt-get install tasksel
# sudo tasksel install lamp-server
You will be prompted for the MySQL root password during the installation. Give a password and remember it; you will need it again later.
2. Create Snort Database :
Follow the steps below to create the snort database:
# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 42
Server version: 5.5.44-0ubuntu0.12.04.1 (Ubuntu)
Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> create database snort;
Query OK, 1 row affected (0.05 sec)
mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES ON snort.* TO 'snort'@'localhost' IDENTIFIED BY 'password';
Query OK, 0 rows affected (0.00 sec)
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
mysql> quit
Bye
#
3. Install Snort :
Now, install snort by typing:
# sudo apt-get -y install snort-mysql
During installation, provide the IP address range of your local network. Choose to configure the snort database manually, so that it connects to the database created in the previous step.
4. Configure Snort :
Update the database with the snort table structure:
# pushd /usr/share/doc/snort-mysql
/usr/share/doc/snort-mysql$ sudo zcat create_mysql.gz | mysql -u snort -p snort
Enter password:
# popd
Modify the snort configuration file so that alerts are logged to MySQL instead of a tcpdump file. Replace <password> with the password you gave the 'snort' database user in step 2:
# sudo sed -i "s/output\ log_tcpdump:\ tcpdump.log/#output\ log_tcpdump:\ tcpdump.log\noutput\ database:\ log,\ mysql, user=snort password=<password> dbname=snort host=localhost/" /etc/snort/snort.conf
Remove the pending configuration file:
# sudo rm -rf /etc/snort/db-pending-config
For Debian or Ubuntu, you might have to check /etc/snort/database.conf for the proper values of database, user, password and host.
You might also have to change 'ipvar HOME_NET any' to your home subnet, like:
ipvar HOME_NET 192.168.1.1/24 in /etc/snort/snort.conf
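As an added sanity check (not part of the original article), the following POSIX shell function verifies the three edits made to snort.conf in this step: the tcpdump logger commented out, the MySQL output line present without the <password> placeholder, and HOME_NET narrowed from 'any'. It takes the path to a snort.conf as its argument.

```shell
#!/bin/sh
# check_snort_conf: report whether the step-4 edits were applied to a snort.conf.
# Added helper, not from the article. Exits 0 when all checks pass, 1 otherwise.

check_snort_conf() {
    conf="$1"
    rc=0

    # The sed in step 4 comments out the tcpdump logger; an active one means it did not run.
    if grep -Eq '^[[:space:]]*output[[:space:]]+log_tcpdump:' "$conf"; then
        echo "FAIL: 'output log_tcpdump:' is still active in $conf"
        rc=1
    fi

    # The database output line must exist and must not still carry the <password> placeholder.
    dbline=$(grep -E '^[[:space:]]*output[[:space:]]+database:' "$conf" | head -n 1)
    if [ -z "$dbline" ]; then
        echo "FAIL: no 'output database:' line found in $conf"
        rc=1
    elif printf '%s\n' "$dbline" | grep -q 'password=<password>'; then
        echo "FAIL: 'output database:' still contains the <password> placeholder"
        rc=1
    fi

    # HOME_NET should be your subnet (e.g. 192.168.1.1/24), not the default 'any'.
    homenet=$(grep -E '^[[:space:]]*ipvar[[:space:]]+HOME_NET[[:space:]]' "$conf" \
              | head -n 1 | awk '{print $3}')
    case "$homenet" in
        any|"")
            echo "FAIL: HOME_NET is '${homenet:-unset}'; set it to your home subnet"
            rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $conf has the database output and HOME_NET configured"
    return $rc
}

# Usage: sh check_snort_conf.sh /etc/snort/snort.conf
if [ "$#" -gt 0 ]; then
    check_snort_conf "$1"
fi
```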
5. Start Snort service :
# sudo /etc/init.d/snort start
# sudo /etc/init.d/snort status
# tail /var/log/syslog
Snort should successfully start.
If it fails, however, run the following command to find the actual reason for the error:
# sudo /usr/sbin/snort -c /etc/snort/snort.conf -i eth0
You may have to select proper interface for your system instead of eth0.
6. Install ACID :
We need a web front end to monitor Snort's output. ACID (the acidbase package) serves that purpose.
Follow these steps to install ACID.
# sudo apt-get -y install acidbase
During installation, select MySQL as the database and provide the MySQL administrator password.
7. Configure ACID :
We need to configure ACID now.
# sudo sed -i "s#allow\ from\ 127.0.0.0/255.0.0.0#allow\ from\ 127.0.0.0/255.0.0.0\ 10.10.1.10/255.255.255.0#" /etc/acidbase/apache.conf
You would need to give your IP instead of 10.10.1.10.
This step will allow access to acidbase from your desktop.
Restart Apache server for the changes to take effect.
# sudo /etc/init.d/apache2 restart
8. Final Touch :
Finally, you would need to access acidbase web front-end and configure it.
Open your browser and type:
http://localhost/acidbase/base_db_setup.php
Select the button which says “Create BASE AG” and return to the main page.
9. Some Testing :
You can now do some basic testing.
Open your terminal and type:
# sudo nmap -p1-65535 -sV -sS -O 127.0.0.1
Now, refresh the acidbase. You should see the results of the port scan in your acidbase front-end.
You may also want to install and configure Oinkmaster to automate rule updates and receive updated rules for Snort. Visit the Snort website to do that.
So, that was all about installation of Snort Intrusion Detection System in your Linux machine.
These are some simple steps to perform, but good enough for your system to stay protected!
So, stay safe, stay protected!