
Intrusion Detection – Installing Snort-Mysql on Debian Linux

August 22nd, 2007 jesse No comments

Intrusion detection software packages can be divided into two large groups: host-based and network-based.

In the open source community, the most popular host-based solution is Tripwire, while the most popular network-based solution is Snort.


By default Snort keeps all of its data in flat files, which is OK but suboptimal if you wish to process and analyze the data with a separate application. Fortunately Debian ships variants of the snort package (snort-mysql and snort-pgsql) built with database output, which log all alerts to MySQL or PostgreSQL. Here is how to install snort-mysql on a Debian system.

Install mysql-server and mysql-client packages

% apt-get install mysql-server mysql-client

For convenience, also install the GUI tools MySQL Query Browser and MySQL Administrator.

% apt-get install mysql-admin mysql-query-browser

Create the snort database and configure mysql users

% mysql -u root

mysql> create database snort;

mysql> grant all privileges on snort.* to 'snort'@'localhost' identified by "*********";

mysql> show databases;
+--------------------+
| Database |
+--------------------+
| mysql |
| snort |
+--------------------+

mysql> show grants for 'snort'@'localhost';
+--------------------------------------------------------------------------------------------------------------+
| Grants for snort@localhost |
+--------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'snort'@'localhost' IDENTIFIED BY PASSWORD '***********************************' |
| GRANT ALL PRIVILEGES ON `snort`.* TO 'snort'@'localhost' |
+--------------------------------------------------------------------------------------------------------------+

Note: Use your own password! Also note that ALL PRIVILEGES is more than the running sensor needs: Snort only inserts alert rows and reads and updates the sensor and signature tables, so SELECT, INSERT and UPDATE on snort.* would do, provided the table-creation script below is then run as the MySQL root user rather than as snort.

Install snort-mysql

% apt-get install snort-mysql

Note: This will also install the snort-rules-default and snort-common packages, plus a few other dependencies.

Configure the snort-mysql package

% dpkg-reconfigure snort-mysql

Note: Walk through the debconf dialogs to configure the Snort software. You will need the Ethernet interface to listen on (eth0, eth1, eth2, etc.) and the MySQL host (localhost), database (snort), user (snort) and the password you chose above.

Configure the mysql database for snort

The snort-mysql package includes a SQL script that creates all the necessary tables in your snort database. Here is how to use it (from the package README file):

% cd /usr/share/doc/snort-mysql/
% zcat create_mysql.gz | mysql -u snort -h localhost -p snort

When prompted for a password enter the password you chose previously.

Run Snort

% /etc/init.d/snort start

You must start Snort manually this first time. If you chose to start it at boot when reconfiguring the package, it will start automatically on future boots.

Use the MySQL Administrator tool to confirm all is working.

In this screenshot we see that user snort is connected and sleeping: there is no activity at the moment, but the snort process has successfully connected to the database, so the host, user and password settings are right. Whether alerts are actually being written is a separate question, answered by counting rows in the event table.
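The database side of the procedure above, as an added script that is not from the original post: it emits the setup SQL with a least-privilege grant instead of the ALL PRIVILEGES used above, loads the package schema as root, and replaces the MySQL Administrator check with a query of the process list and of the event table. The SNORT_DB_PASS variable, the function names and the sample process-list output are assumptions constructed for the example; the table and column names are those of the schema that create_mysql installs. It uses the GRANT ... IDENTIFIED BY form of the post, which is MySQL 5.x syntax (MySQL 8 needs a separate CREATE USER).

```shell
#!/bin/bash
# Added example, not from the original post. Assumes Debian with snort-mysql
# installed, a mysql client on PATH, and the MySQL root password typed at the
# -p prompts. Written for POSIX sh as well as bash.
set -eu

SNORT_DB=snort
SNORT_USER=snort

# SQL for "Create the snort database and configure mysql users".
# The post grants ALL PRIVILEGES; the running sensor only inserts rows and
# reads/updates the sensor and signature tables, so SELECT, INSERT, UPDATE
# is enough. Table creation is done as root in setup() instead.
snort_grant_sql() {
    local db=$1 user=$2 pass
    pass=$(printf '%s' "$3" | sed "s/'/''/g")   # escape ' inside the SQL literal
    printf 'CREATE DATABASE IF NOT EXISTS `%s`;\n' "$db"
    printf "GRANT SELECT, INSERT, UPDATE ON \`%s\`.* TO '%s'@'localhost' IDENTIFIED BY '%s';\n" \
        "$db" "$user" "$pass"
    printf 'FLUSH PRIVILEGES;\n'
}

# Count the open connections of one MySQL user from the output of
# `mysql -B -e 'SHOW PROCESSLIST'` (tab-separated, header first, User is
# field 2). A snort row in Sleep state is what the MySQL Administrator
# screenshot shows: connected, idle between alerts.
snort_connections() {
    awk -v u="$1" -F'\t' 'NR > 1 && $2 == u { n++ } END { print n + 0 }'
}

# Per-signature alert counts: proves alerts are being written, not merely
# that the connection is up. Table and column names follow create_mysql.
top_signatures_sql() {
    cat <<'SQL'
SELECT s.sig_name, COUNT(*) AS hits, MAX(e.timestamp) AS last_seen
  FROM event e JOIN signature s ON e.signature = s.sig_id
 GROUP BY s.sig_id, s.sig_name
 ORDER BY hits DESC
 LIMIT 10;
SQL
}

setup() {
    : "${SNORT_DB_PASS:?set SNORT_DB_PASS to the password for the snort user}"
    snort_grant_sql "$SNORT_DB" "$SNORT_USER" "$SNORT_DB_PASS" | mysql -u root -p
    # Load the package's schema as root: the snort user no longer has CREATE.
    zcat /usr/share/doc/snort-mysql/create_mysql.gz | mysql -u root -p "$SNORT_DB"
    echo "Now run: dpkg-reconfigure snort-mysql (interface; host localhost, db $SNORT_DB, user $SNORT_USER)"
}

check() {
    local conns events
    conns=$(mysql -u root -p -B -e 'SHOW PROCESSLIST' | snort_connections "$SNORT_USER")
    events=$(mysql -u root -p -B -N -e 'SELECT COUNT(*) FROM event' "$SNORT_DB")
    echo "snort connections: $conns   events logged: $events"
    if [ "$conns" -eq 0 ]; then
        echo "snort is not connected to MySQL; re-run dpkg-reconfigure snort-mysql and check syslog" >&2
        return 1
    fi
    top_signatures_sql | mysql -u root -p -t "$SNORT_DB"
}

# Constructed SHOW PROCESSLIST output (one root query, one idle snort session),
# not captured from a real server; used by the selftest below.
SAMPLE_PROCESSLIST=$(printf 'Id\tUser\tHost\tdb\tCommand\tTime\tState\tInfo\n1\troot\tlocalhost\tNULL\tQuery\t0\tNULL\tSHOW PROCESSLIST\n2\tsnort\tlocalhost\tsnort\tSleep\t214\t\tNULL\n')

case "${1:-selftest}" in
    setup)    setup ;;
    check)    check ;;
    selftest) printf '%s\n' "$SAMPLE_PROCESSLIST" | snort_connections "$SNORT_USER" ;;   # prints 1
    *)        echo "usage: $0 setup|check|selftest" >&2 ;;
esac
```

Run it as `SNORT_DB_PASS=... ./snortdb.sh setup` before the dpkg-reconfigure step, and `./snortdb.sh check` after `/etc/init.d/snort start`. A connection count of zero with Snort running almost always means the credentials or host given to dpkg-reconfigure do not match the GRANT; a connection but zero events simply means no rule has fired yet.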


Later I'll discuss GUI tools for analyzing the collected data.
