Ping: software guys

[Raven]

Anyone here have experience with a NIDS?

I am trying to set up Snort with a mySQL database but have some questions.

[Raven]

The Monday morning bump.

[DaddyTorgo]

i used to sell NIDS, but i have no idea of the technical side of them. that's all. just wanted to put a plug in for my short-lived sales career selling Dragon NIDS for Enterasys.

[Daimyo]

I've set up Snort, MySQL, and ACID a couple times before, but I used RHEL 4 and the RPMs so it was pretty straight forward.

[Daimyo]

DOLA, I found this document that I wrote up at the time for the lower level techs to setup snort for test environments. It assumes a minimal install of RHEL4 (that is what the cd numbers reference), but I'm sure you could use any distro as long you could find the equivalent RPMs for it.


Snort Sensor

Get Files

• Snort (2.3.0)
• Snort mysql support (2.3.)
• Libcap (0.6.2 -- or whichever version Snort requires)
• Libmysqlclient

http://www.snort.org/dl/binaries/lin...3.0-1.i386.rpm
http://www.snort.org/dl/binaries/lin...3.0-1.i386.rpm
ftp://rpmfind.net/linux/redhat/updat...8.0.2.i386.rpm
cd3: mysqlclient10-3.23.58-4.RHEL4.1.i386.rpm

Install RPMs

# mkdir /usr/tools
# cd /usr/tools

# wget http://www.snort.org/dl/binaries/lin...3.0-1.i386.rpm
# wget http://www.snort.org/dl/binaries/lin....3.0-1.src.rpm
# wget http://www.snort.org/dl/binaries/lin...3.0-1.i386.rpm
# wget ftp://rpmfind.net/linux/redhat/updat...8.0.2.i386.rpm

# mount /media/cdrom
# cp /media/cdrom/RedHat/RPMS/mysqlclient10-3.23.58-4.RHEL4.1.i386.rpm /usr/tools

# rpm -ivh --force libpcap-0.6.2-17.8.02.i386.rpm
# rpm -ivh snort-2.3.0-1.i386.rpm

# mkdir /usr/src/redhat
# mkdir /usr/src/redhat/SOURCES
# rpm -ivh snort-2.3.0-1.src.rpm

# rpm -ivh mysqlclient10-3.23.58-4.RHEL4.1.i386.rpm
# rpm -ivh snort-mysql-2.3.0-1.i386.rpm
# up2date -u

Configure Snort

# nano /etc/snort/snort.conf

Set var HOME_NET to equal local subnet in CIDR notation (ie 10.0.0.0/24) and uncomment it (delete the #).

Comment out the “var HOME_NET any” line with a #.

Scroll down to the output section and uncomment the line:
output database: log, mysql, user=root password=test dbname=db host=localhost

and change it to (substitute a good password for
output database: log, mysql, user=snort password= dbname=snortdb host=localhost


Database Server

Get Files

• MySql 4.1.7
• Perl-DBD-MySql
• Perl DBIcd /media


cd2: mysql-4.1.7-4.RHEL4.1.i386.rpm
cd2: perl-DBD-MySQL-2.9004-3.1.i386.rpm
cd2: perl-DBI-1.40-5.i386.rpm
cd4: mysql-server-4.1.7-4.RHEL4.1.i386.rpm

# rpm -ivh perl-DBI-1.40-5.i386.rpm
# rpm -ivh --nodeps mysql-4.1.7-4.RHEL4.1.i386.rpm
# rpm -ivh perl-DBD-MySQL-2.9004-3.1.i386.rpm
# rpm -ivh --replacepkgs mysql-4.1.7-4.RHEL4.1.i386.rpm
# rpm -ivh mysql-server-4.1.7-4.RHEL4.1.i386.rpm
# up2date -u

Configure MySQL

# cd /etc/init.d
# mysqld start
# mysql
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('newpwd');
mysql> SET PASSWORD FOR 'root'@'host_name' = PASSWORD('newpwd');
mysql> SET PASSWORD FOR root@localhost=PASSWORD('password');
mysql> create database snortdb;
mysql> grant INSERT,SELECT on root.* to snort@localhost;
mysql> SET PASSWORD FOR snort@localhost=PASSWORD('password_from_snort.conf');
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snortdb.* to snort@localhost;

mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snortdb.* to snort;
mysql> exit

# mysql -u root -p < /usr/src/redhat/SOURCES/snort-2.3.0/schemas/create_mysql snortdb


Web Server

Get Files

• Apache
• PHP
• ACID


cd2: httpd-2.0.52-9.ent.i386.rpm
cd2: httpd-su-exec-2.0.52-9.ent.i386.rpm
cd2: apr-0.9.4-24.1.i386.rpm
cd2: apr-util-0.9.4-17.1.i386.rpm
cd2: php-4.3.9-3.1.i386.rpm
cd2: php-pear-4.3.9-3.1.i386.rpm
cd2: curl-7.12.1-3.i386.rpm
cd2: libidn-0.5.6-1.i386.rpm
cd2: php-mysql-4.3.9-3.1.i386.rpm
cd4: php-gd-4.3.9-3.1.i386.rpm

Install RPMs

# rpm -ivh --nodeps httpd-su-exec-2.0.52-9.ent.i386.rpm
# rpm -ivh apr-0.9.4-24.1.i386.rpm
# rpm -ivh apr-util-0.9.4-17.1.i386.rpm
# rpm -ivh httpd-2.0.52-9.ent.i386.rpm

# rpm -ivh --nodeps php-pear-4.3.9-3.1.i386.rpm
# rpm -ivh libidn-0.5.6-1.i386.rpm
# rpm -ivh curl-7.12.1-3.i386.rpm
# rpm -ivh php-4.3.9-3.1.i386.rpm
# rpm -ivh php-mysql-4.3.9-3.1.i386.rpm
# rpm –ivh php-gd-4.3.9-3.1.i386.rpm
# up2date -u
# service httpd stop
# service httpd start

[Daimyo]

DOLA, that's from almost exacty a year ago too... so I'm sure version numbers have changed.

[gstelmack]

Snort? NIDS? I'm a geek and I'M lost with all this.

[Daimyo]

Quote:

Originally Posted by gstelmack

Snort? NIDS? I'm a geek and I'M lost with all this.

Network-based Intrusion Detection System

They exist at the network layer (as opposed to a Host-based IDS) and inspect network traffic at the packet level in an effort to identify traffic that shouldn't be there. A NIPS (P = prevention) takes it another step and actually attempts to block traffic it identifies as dangerous.

Snort is open source NIDS that has basically become the defacto standard.

[Fidatelo]

I write software for a living and I had no clue what the heck was going on until I googled snort.

The thread did make me think it might be funny to post a tech thread that was just full of made up acronyms just to really confuse people

[Raven]

Thanks, Daimyo. This should be helpful.