TOTAL
Since dec 2006
1'942'871 Visitors
4'218'042 Pages

Nov 2010 Stats
82'909 Visitors
146'476 Pages
196 countries
Full statistics



Help us translate
our tutorials!

JOIN the
OpenManiak Team.
OM TEAM
Director:
Blaise Carrera
Tutorials creation:
Blaise Carrera
Translaters:
Giovanni Fredducci
Angel Chraniotis
Moham. H. Karvan
Alexandro Silva
Blaise Carrera
Andrei Chertolyas
Sergiy Uvarov
Nickola Kolev
Łukasz Nowatkowski
Ivo Raisr
Catalin Bivolaru
Bogdan A. Costea
Kirill Simonov
Oliver Mucafir
JaeYoung Jeon
Seungyoon Lee
Jie Yu & Si Cheng
Tao Wei
YukiAlex
Fumihito Yoshida
Muhammad Takdir
Çağdaş Tülek
Auditors
Leslie Luthi
Joe Anderson
Jennifer Ockwell
Nigel Titley
Alison Rees
Sabrina Barbey
Webmaster:
Blaise Carrera
SNORT - The Easy Tutorial - Tutorial

Snort Tutorial
Last Change : Mar 27 2008 french flagenglish flag


Tool
Install
Ergonomy
Forum



Details What is Snort ?
Screenshots
Prerequisites
Snort
BASE
Update Snort
Bleedingsnort Rules
Port Mirroring




If you like our tutorials, don't hesitate to support us and visit our sponsors!
Si vous aimez nos tutoriaux, n'hésitez pas à nous supporter et visiter nos sponsors!


1 - INSTALL SNORT

You can install Snort with a package or manually. If you install it with a package you will get an old Snort version because the packages are not updated frequently but you will not need to look after the Snort dependencies or install tools for the compilation.

1.a PACKAGE INSTALLATION (Snort 2.3.3) 1.b MANUAL INSTALLATION (Snort 2.6.1.3)


1.a PACKAGE INSTALLATION (Snort 2.3.3)

Install snort compiled to send the logs to MySQL:

#apt-get install snort-mysql
A tutorial will pop up. Enter the following settings:

- the networks under surveillance: any



- if you want to set up a database for snort-mysql to go to: no



Continue with point 2.


1.b MANUAL INSTALLATION (Snort 2.6.1.3)

We must first install the compilation tools and the Snort dependencies:

The compilation tools:

#apt-get install build-essential
LIBNET and its developpement files.
Libnet is a generic networking API that provides access to several protocols:

#apt-get install libnet1-dev
LIBPCAP and its developpement files.
Libpcap is a library to capture network packets.

#apt-get install libpcap0.8-dev
LIBPCRE and its developpement files.
Pcre is a library of functions using the same syntax and semantics as Perl 5.

#apt-get install libpcre3-dev
MySQL development libraries and header files:

#apt-get install libmysqlclient12-dev
CHECKINSTALL to remove easily programs installed from sources:

#apt-get install checkinstall


Download Snort and uncompress it.

#tar -xvf snort-2.6.1.3.tar.gz
Create two directory, one to store the configuration files, the other one to store the Snort rules.

#mkdir /etc/snort
#mkdir /etc/snort/rules
Copy the Snort configuration files inside the /etc/snort/ directory.

#cp snort_inline-2.6.1.3/etc/* /etc/snort/
Copy two files inside our new /etc/snort/rules directory:
- classification.config: defines URLs for the references found in the rules.
- reference.config: includes information for prioritizing rules.

#cp snort-2.6.1.3/etc/classification.config /etc/snort_inline/rules/
#cp snort-2.6.1.3/etc/reference.config /etc/snort_inline/rules/
Create a user called snort to launch Snort:

#useradd snort -d /var/log/snort -s /bin/false -c SNORT_IDS
Create a log directory owned by the snort user:

#mkdir /var/log/snort
#chown -R snort /var/log/snort
You need first to use the "configure" command to check the dependancies and prepare Snort to be compiled for MySQL.

#cd snort_inline-2.6.1.3
#./configure --with-mysql
If you installed all the dependencies correcty, the "configure" command must end without any error!
If you have an error message, See below.

Then we compile and install Snort.

#make
#checkinstall
See the CheckInstall page for more details about this command.
Below the output on our test system:

checkinstall 1.6.0, Copyright 2002 Felipe Eduardo Sanchez Diaz Duran
This software is released under the GNU GPL.

*****************************************
**** Debian package creation selected ***
*****************************************

This package will be built according to these values:

0 - Maintainer: [ root@ubuntu ]
1 - Summary: [ Package created with checkinstall 1.6.0 ]
2 - Name: [ snort ]
3 - Version: [ 2.6.1.3 ]
4 - Release: [ 1 ]
5 - License: [ GPL ]
6 - Group: [ checkinstall ]
7 - Architecture: [ i386 ]
8 - Source location: [ snort-2.6.1.3 ]
9 - Alternate source location: [ ]
10 - Requires: [ ]


Error messages you can get after the "./configure --with-mysql" command:

Build-essential is not installed

root@ubuntu:/home/po/Desktop/snort-2.6.1.3# ./configure --with-mysql
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for gawk... no
checking for mawk... mawk
checking whether make sets $(MAKE)... no
checking whether to enable maintainer-specific portions of Makefiles... no
checking for style of include used by make... none
checking for gcc... no
checking for cc... no
checking for cc... no
checking for cl... no
configure: error: no acceptable C compiler found in $PATH
See `config.log' for more details.


Libnet1-dev is not installed

ERROR! Libpcap library/headers not found, go get it from
http://www.tcpdump.org
or use the --with-libpcap-* options, if you have it installed
in unusual place


Libpcap0.8-dev is not installed

ERROR! Libpcap library/headers not found, go get it from
http://www.tcpdump.org
or use the --with-libpcap-* options, if you have it installed
in unusual place


Libpcre3-dev is not installed

ERROR! Libpcre header not found, go get it from
http://www.pcre.org


Libmysqlclient12-dev is not installed

**********************************************
ERROR: unable to find mysql headers (mysql.h)
checked in the following places
/usr/include
/usr/include/mysql
/usr/local/include
/usr/local/include/mysql
**********************************************



2 - CONFIGURE THE SQL DATABASE

Add a password for the MySQL root user:

#mysqladmin -u root password new_root_password
Create the MySQL database and tables in order to receive the Snort logs:

#mysql -u root -p
>create database snort;
Since it is dangerous to access the database with the root user, we need to create a user who has only permissions on the snort database:

>grant all on snort.* to snortuser@localhost identified by 'snortpassword';
reload mysql privileges:

>flush privileges;
>exit;
Now we have to create the tables inside the snort database:
By chance the tables are already created and we just have to find and import them into the Sql server:

Packaged installation

Find the tables: dpkg -L snort-mysql
We are looking for the create_mysql.gz file, it is normally located in the /usr/share/doc/snort-mysql folder.
Then we have to unzip the file:

#gzip –d /usr/share/doc/snort-mysql/create_mysql.gz
Import the MySql tables:

#mysql -u root -p snort < /usr/share/doc/snort-mysql/create_mysql
Manual installation

#mysql -u root -p snort < schemas/create_mysql



3 - CONFIGURE SNORT FOR SQL

We now have to forward the logs into the MySql database:
This is already done by installing the snort-mysql package, we just need only to configure the username and password to access the snort database.
In the /etc/snort/snort.conf file, we have to change the line between (#DBSTART#) and (#DBEND#):

output database: log, mysql, user=snortuser password=snortpassword dbname=snort host=localhost
Always in the same file, uncomment the following lines:

ruletype redalert
{
type alert
output alert_syslog: LOG_AUTH LOG ALERT
output database: log, mysql, user=snortuser password=snortpassword dbname=snort host=localhost
}
Let's start Snort !!

snort –u snort –c /etc/snort/snort.conf
It means that Snort is started under the snort user and will load the config stored in the /etc/snort/snort.conf file. For security reasons it's always better to run programs without the root user.

If you see the Snort banner, it means that Snort is correctly loaded, if not, carefully read the error message.

We have to add a line inside the /etc/crontab file to start Snort automatically after a reboot:

@reboot root snort -u snort -c /etc/snort/snort.conf >> /dev/null
The first part of the tutorial is over!
This means Snort should be installed along with the programs needed to support it. Now we will need to read the logs generated by Snort and forwarded into the Mysql database. For this we will use the BASE php script and follow its tutorial.






If you liked our tutorials, don't hesitate to support us and visit our sponsors!
Si vous aimez nos tutoriaux, n'hésitez pas à nous supporter et visiter nos sponsors!