Snort + Mysql on RHEL 5.4

This document describes the steps for installing and setting up Snort, the open source intrusion detection system. It also describes the process for updating the signature definitions.

Snort is an open source IDS (Intrusion Detection System) written and maintained by a company called Sourcefire. It is one of the best IDS available and is free (kinda).

Downloading Snort

Since we use Red Hat Enterprise Linux 5 here, go to the Snort download page and select snort-2.8.5.2-1.RH5.i386.rpm. Since we will also be using the BASE web interface to view the alerts, also download the snort-mysql-2.8.5.2-1.RH5.i386.rpm add-on, which allows Snort to log its alerts to a MySQL database.

Installing Snort

Installing Snort via the RPMs is very easy. Just use the rpm command like the following.

[root@mytest src]# rpm -Uvh snort-2.8.5.2-1.RH5.i386.rpm snort-mysql-2.8.5.2-1.RH5.i386.rpm
Preparing...                ########################################### [100%]
   1:snort                  ########################################### [ 50%]
   2:snort-mysql            ########################################### [100%]

That’s it: Snort is installed, and the RPM install script already configures Snort to start at boot.

[root@mytest src]# chkconfig --list |grep snort
snortd          0:off   1:off   2:on    3:on    4:on    5:on    6:off

Configuring Snort

Here is where the real magic happens. We now need to configure Snort for use. Typically your server will have two NICs: one for remote administration and one dedicated to Snort. In our case I will use eth0 for remote administration and logging into the computer, and I’ll use eth1 for Snort. We want to dedicate the whole interface to Snort because we will be placing it in promiscuous mode, which causes the network interface to sniff all the traffic crossing its segment.

Configure Dedicated Network Interface

You don’t actually need to use a real IP for the Snort interface, so when you configure the ifcfg file just leave out the IP info. In Red Hat the network config files are located under /etc/sysconfig/network-scripts/, so I’ll place the following in /etc/sysconfig/network-scripts/ifcfg-eth1

DEVICE=eth1
BOOTPROTO=none
ONBOOT=yes
TYPE=Ethernet

Then recycle the network service with the service network restart command.

[root@mytest network-scripts]# service network restart
Shutting down interface eth0:                              [  OK  ]
Shutting down interface eth1:                              [  OK  ]
Shutting down loopback interface:                        [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:                                  [  OK  ]
Bringing up interface eth1:                                 [  OK  ]

This brings up your network interface. You can verify that the interface is up with the ifconfig command.

[root@mytest network-scripts]# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 00:C0:F2:01:16:73
         UP BROADCAST MULTICAST  MTU:1500  Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
         Interrupt:193 Base address:0xdde0

Snort Sysconfig file

So now that we have our network up, it’s time to configure Snort to use the new network interface we just created. You can tell Snort to use either a specific NIC or ALL. In our case we only want it to use eth1, so edit /etc/sysconfig/snort, find the line that has INTERFACE=eth0 and change it to INTERFACE=eth1

# What interface should snort listen on?  [Pick only 1 of the next 3!]
# This is -i {interface} on the command line
# This is the snort.conf config interface: {interface} directive
INTERFACE=eth1

Next, since we will be logging to MySQL, we need to shut off the standard flat-file output by commenting out the ALERTMODE option. This step is actually really important: without it, no matter what you put in the Snort config file, it will not send any logs to the MySQL database.

# How should Snort alert? Valid alert modes include fast, full, none, and
# unsock.  Fast writes alerts to the default "alert" file in a single-line,
# syslog style alert message.  Full writes the alert to the "alert" file
# with the full decoded header as well as the alert message.  None turns off
# alerting. Unsock is an experimental mode that sends the alert information
# out over a UNIX socket to another process that attaches to that socket.
# -A {alert-mode}
# output alert_{type}: {options}
#ALERTMODE=fast

Create and Configure the Database

We now need to create and configure the MySQL database and tables where Snort’s events will be logged. The snort RPM you installed earlier placed a MySQL database schema at /usr/share/snort-2.8.5.2/schemas/create_mysql, so first we need to manually create the MySQL database.

[root@mytest ~]# mysql
mysql> create database snort;
Query OK, 1 row affected (0.09 sec)
mysql> exit
Bye

Next we will import the database schema into the snort database we just created with the following command.

[root@mytest ~]# mysql snort < /usr/share/snort-2.8.5.2/schemas/create_mysql

Last, we need to create a snort user in MySQL with full access to the database and tables we just created. In the following example replace secret password with an actual password. Note that 'snort'@'%' lets this user connect from any host; since the output line in snort.conf below connects to localhost, 'snort'@'localhost' is enough if Snort and MySQL run on the same box.

[root@mytest ~]# mysql snort
mysql> grant all on snort.* to 'snort'@'%' identified by 'secret password';
Query OK, 0 rows affected (0.04 sec)
mysql> exit
Bye

Snort Configuration File

The actual Snort config file is located in /etc/snort and is called snort.conf. Really the only things we should edit in this file are the var options that are specific to our network and the output line that defines our database connection.

#This should reflect all the subnets we have on our network.
var HOME_NET [10.0.0.0/24,10.0.10.0/24,10.0.23.0/24]
var EXTERNAL_NET any
# Configure your server lists.  This allows snort to only look for attacks to
# systems that have a service up.  Why look for HTTP attacks if you are not
# running a web server?  This allows quick filtering based on IP addresses
# These configurations MUST follow the same configuration scheme as defined
# above for $HOME_NET.
var DNS_SERVERS [10.0.0.42,10.0.23.42]
var SMTP_SERVERS $HOME_NET
# Any computer that is running a web server should be in this list
var HTTP_SERVERS [10.0.0.23,10.0.23.42]
# Any machine that is running any type of SQL server should be listed here
var SQL_SERVERS [10.0.0.60,10.0.0.61]
var TELNET_SERVERS $HOME_NET
var FTP_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
#Now we should define our database config
output database: log, mysql, user=snort password=secretpassword dbname=snort host=localhost

That’s it. After that you can start Snort with a simple service snortd start.
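The comment block in snort.conf says the server lists "MUST follow the same configuration scheme" as HOME_NET; in practice that means every DNS/HTTP/SQL server address you list should fall inside one of the HOME_NET subnets, otherwise the rules that key on those variables silently never match. The following is an added example (not from the original page or the Snort project) that parses the var lines and the output database line from a constructed snort.conf fragment mirroring the one above, resolves $HOME_NET references, and reports any server entry outside HOME_NET. The helper names (parse_vars, resolve, check_server_lists, parse_output_db) are my own.

```python
import ipaddress
import re

# Constructed sample fragment mirroring the snort.conf variables shown above.
SAMPLE_CONF = """\
# This should reflect all the subnets we have on our network.
var HOME_NET [10.0.0.0/24,10.0.10.0/24,10.0.23.0/24]
var EXTERNAL_NET any
var DNS_SERVERS [10.0.0.42,10.0.23.42]
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS [10.0.0.23,10.0.23.42]
var SQL_SERVERS [10.0.0.60,10.0.0.61]
var TELNET_SERVERS $HOME_NET
output database: log, mysql, user=snort password=secretpassword dbname=snort host=localhost
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)\s*$")
OUTPUT_RE = re.compile(r"^\s*output\s+database:\s*(.*)$")


def parse_vars(text):
    """Return {name: raw_value} for every 'var' line; '#' comments are stripped first."""
    variables = {}
    for line in text.splitlines():
        m = VAR_RE.match(line.split("#", 1)[0])
        if m:
            variables[m.group(1)] = m.group(2)
    return variables


def resolve(name, variables, _seen=()):
    """Expand a variable into a list of ip_network objects, or None for 'any'.
    '$OTHER' references are followed; a reference loop raises ValueError."""
    raw = variables[name]
    if raw == "any":
        return None
    if raw.startswith("$"):
        if name in _seen:
            raise ValueError("circular reference at %s" % name)
        return resolve(raw[1:], variables, _seen + (name,))
    items = [i.strip() for i in raw.strip("[]").split(",") if i.strip()]
    # strict=False accepts host bits set, e.g. a bare host address becomes a /32
    return [ipaddress.ip_network(i, strict=False) for i in items]


def check_server_lists(text):
    """Return [(var_name, network)] for every *_SERVERS entry outside HOME_NET."""
    variables = parse_vars(text)
    home = resolve("HOME_NET", variables)
    problems = []
    for name in variables:
        if not name.endswith("_SERVERS"):
            continue
        nets = resolve(name, variables)
        if nets is None or home is None:      # 'any' on either side: nothing to check
            continue
        for net in nets:
            inside = any(h.version == net.version and net.subnet_of(h) for h in home)
            if not inside:
                problems.append((name, str(net)))
    return problems


def parse_output_db(text):
    """Return the key=value settings of the 'output database:' line, or None."""
    for line in text.splitlines():
        m = OUTPUT_RE.match(line.split("#", 1)[0])
        if m:
            parts = [p.strip() for p in m.group(1).split(",", 2)]
            settings = {"facility": parts[0], "type": parts[1]}
            for token in parts[2].split():
                key, _, value = token.partition("=")
                settings[key] = value
            return settings
    return None


if __name__ == "__main__":
    for name, net in check_server_lists(SAMPLE_CONF):
        print("WARNING: %s entry %s is outside HOME_NET" % (name, net))
    print("database output:", parse_output_db(SAMPLE_CONF))
```

Run it against your real file with `check_server_lists(open("/etc/snort/snort.conf").read())` before restarting snortd; an empty list means every server list is covered by HOME_NET.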

Configuring Switches for Snort

In the old days of hubs every packet was always sent out every port. This was inefficient and a huge security risk, so switches came along to make sure only the port that needed the data got the packet. A switch does this by keeping an internal list of which MAC address is on which port, and then only sends out packets destined for the MAC associated with each port. This is much more efficient and secure, but for Snort it actually causes a problem: in order to see every packet and inspect it, Snort needs the switch to treat its port like a hub. Luckily, managed Cisco switches give you the ability to mirror ports or VLANs to another port or VLAN.

For our example we will assume that our switch has two VLANs. In reality we probably have many more, but for our example it doesn’t matter. We will also assume that our dedicated network interface is plugged into port GigabitEthernet0/5.

Switch# conf t
Switch(config)# monitor session 1 source vlan 1 - 2 rx
Switch(config)# monitor session 1 destination interface gigabitEthernet0/5

This tells your switch to take all traffic on VLANs 1 and 2 and mirror it to GigabitEthernet port 0/5.

After that, write and save your config. Now Snort should be getting all the traffic from your VLANs. As stated above, if you have more VLANs then add more monitor session 1 source statements. You can combine all sorts of interfaces and VLANs.

Updating Scanning Signatures

Unfortunately, updating Snort rules requires an account on the snort.org website. There are free and paid subscription-based accounts; the free account gets new signatures 30 days after the paid account. For our purposes we will be using the free version for now. So create your free account via the Signup Page and, after you do the whole email confirmation thing, log in to the website at the Login Page. When you log in, click on the Get Rules button; this takes you to a download page showing two sections, one for VRT Subscription users and one for Registered users (free, 30 days late). Select snortrules-snapshot-CURRENT.tar.gz from the registered users section; this file is usually about 25-30 MB, so be patient. Once you have downloaded this tar archive to your Snort machine, create a temp dir and unarchive all the files with the tar command.

[root@mytest src]# mkdir snort-rules-temp
[root@mytest src]# cd snort-rules-temp
[root@mytest snort-rules-temp]# tar -zxf ../snortrules-snapshot-CURRENT.tar.gz

Once you have uncompressed the rules you need to copy only the normal rules. Copy the normal rules to the /etc/snort/rules directory.

[root@mytest snort-rules-temp]# cp rules/* /etc/snort/rules/

Test the new rules with

[root@mytest src]# snort -c /etc/snort/snort.conf -T

If everything looks good, recycle Snort with service snortd restart. For best results you should update your Snort rules every week.
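Since this is a weekly chore, here is an added example (my own code, not from the original page or from Sourcefire) that scripts the unpack, copy and test steps above. It builds a small constructed snapshot tarball for demonstration, refuses archive members whose path would land outside the extraction directory (a downloaded tarball is untrusted input, and `tar -zxf` as root happily follows `../` entries), keeps a .bak copy of each rule file it overwrites, and only runs `snort -c /etc/snort/snort.conf -T` if a snort binary is actually on the PATH. The function names install_rules, safe_members, test_config and make_sample_tarball are assumptions for this example.

```python
import io
import os
import shutil
import subprocess
import tarfile
import tempfile

# A constructed rule used only to build the demo tarball; not a real VRT rule.
SAMPLE_RULE = b'alert tcp any any -> $HTTP_SERVERS 80 (msg:"constructed test rule"; sid:1000001; rev:1;)\n'


def make_sample_tarball(directory):
    """Write a tiny constructed snortrules-snapshot-CURRENT.tar.gz into directory.
    It contains one good rule file, a non-rule file, and one member that tries
    to escape the extraction directory with '../'."""
    path = os.path.join(directory, "snortrules-snapshot-CURRENT.tar.gz")
    with tarfile.open(path, "w:gz") as tar:
        for name in ("rules/local.rules", "rules/README", "../escaped.rules"):
            info = tarfile.TarInfo(name)
            info.size = len(SAMPLE_RULE)
            tar.addfile(info, io.BytesIO(SAMPLE_RULE))
    return path


def safe_members(tar, dest):
    """Yield only regular members whose resolved path stays inside dest."""
    base = os.path.realpath(dest)
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(base, member.name))
        if not (target == base or target.startswith(base + os.sep)):
            continue  # '../' or absolute path: skip rather than write outside dest
        if member.issym() or member.islnk():
            continue  # links could point anywhere on the filesystem
        yield member


def install_rules(tarball, rules_dir, backup=True):
    """Unpack a rules snapshot and copy rules/*.rules into rules_dir.
    Returns the sorted list of rule file names that were installed."""
    os.makedirs(rules_dir, exist_ok=True)
    installed = []
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(tarball, "r:gz") as tar:
            tar.extractall(tmp, members=list(safe_members(tar, tmp)))
        src = os.path.join(tmp, "rules")
        if not os.path.isdir(src):
            raise FileNotFoundError("archive has no rules/ directory")
        for name in sorted(os.listdir(src)):
            if not name.endswith(".rules"):
                continue  # only the normal rule files go to /etc/snort/rules
            dst = os.path.join(rules_dir, name)
            if backup and os.path.exists(dst):
                shutil.copy2(dst, dst + ".bak")
            shutil.copy2(os.path.join(src, name), dst)
            installed.append(name)
    return installed


def test_config(snort_bin="snort", conf="/etc/snort/snort.conf"):
    """Run 'snort -c conf -T'. Returns True/False, or None if snort is not installed."""
    if shutil.which(snort_bin) is None:
        return None
    result = subprocess.run([snort_bin, "-c", conf, "-T"], capture_output=True)
    return result.returncode == 0


if __name__ == "__main__":
    # Demo on a throwaway directory; point rules_dir at /etc/snort/rules for real use.
    with tempfile.TemporaryDirectory() as work:
        tarball = make_sample_tarball(work)
        print("installed:", install_rules(tarball, os.path.join(work, "rules")))
        print("escaped file written?", os.path.exists(os.path.join(os.path.dirname(work), "escaped.rules")))
    print("snort -T result:", test_config())
```

On the real box, call `install_rules("/usr/local/src/snortrules-snapshot-CURRENT.tar.gz", "/etc/snort/rules")`, then `test_config()`; restart snortd only when it returns True, and roll back from the .bak files if it returns False.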

One thought on “Snort + Mysql on RHEL 5.4”

  1. Sachin says:

    Would have been good if you had this sent to a mysql and had base showing up the same.
