
Snort is an open source packet sniffer and logger that can be used as a lightweight Intrusion Detection System (IDS) to detect a variety of attacks and probes such as buffer overflows, stealth port scans, CGI attacks, and more. The Basic Analysis and Security Engine (BASE) displays and reports intrusions and attacks logged in the Snort database in a web browser for convenient analysis.
This section covers installing the general support software required for Snort: MySQL and the PHP scripting language.
You may install the MacPorts package manager with these instructions, which include instructions for installing XWindows (X11). Follow the instructions carefully and perform all non-optional steps.
We'll use MySQL to store Snort alerts in a database for BASE to access and display.
Install MySQL with MacPorts.
%%sudo port install mysql5 +server
Execute the mysql_install_db5 command to do a first-time setup for MySQL5.
%%sudo -u mysql mysql_install_db5
Start MySQL and set it to run at system boot.
%%sudo launchctl load -w /Library/LaunchDaemons/org.macports.mysql5.plist
Verify the MySQL process is running with this command.
%%ps -ax | grep mysql
If MySQL is running you will see output similar to this.
26683 ??  Ss   0:00.05 /opt/local/bin/daemondo --label=mysql5 --start-
26692 ??  S    0:00.02 /bin/sh /opt/local/lib/mysql5/bin/mysqld_safe -
26712 ??  S    0:16.90 /opt/local/libexec/mysqld --basedir=/opt/local
20796 p2  R+   0:00.00 grep mysql
Set the MySQL root password.
%%sudo /opt/local/lib/mysql5/bin/mysqladmin -u root password <mypassword>
Perform a MySQL root account login test with the new root password.
%%mysql5 -u root -p
You may install PHP 4 or 5, but a good PHP 5 binary installer that works with Apple's Apache 1.3 is Marc Liyanage's PHP 5 package.
Download and run the installer package, do an "easy install", and afterwards edit the file /usr/local/php5/lib/php.ini so that it points at MacPorts' MySQL 5 socket, as shown.
mysql.default_socket = /opt/local/var/run/mysql5/mysqld.sock
The BASE interface uses the file index.php, so if you want to have a simple "/base" url to access the BASE web interface locate the httpd.conf file (/etc/httpd/httpd.conf for Apple's built-in Apache) and append "index.php" to the DirectoryIndex directive as shown.
<IfModule dir_module>
DirectoryIndex index.html index.php
</IfModule>
Now turn on the web server.
Go to System Preferences on the Apple menu.
Click the Sharing icon.
Check the Web Sharing checkbox, or remove the check and check it again.
To prepare to test PHP, create a file named test.php in the Apache document root directory (/Library/WebServer/Documents for Apple's built-in Apache) that contains the line shown below.
<?php phpinfo(); ?>
Now open url http://localhost/test.php in your web browser. If PHP is working properly you will see a PHP status table.
Login to MySQL as root.
%%mysql5 -u root -p
Once logged into MySQL as root, create a Snort database and user, and set the Snort database permissions. (Note that the fourth GRANT, which has no @host part, applies to the snort user connecting from any host; when Snort and BASE both run on this machine, the snort@localhost grants are the ones actually used.)
mysql> create database snort;
mysql> grant INSERT,SELECT on root.* to snort@localhost;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort;
mysql> SET PASSWORD FOR snort@localhost = OLD_PASSWORD('<snortdb-passwd>');
mysql> exit
Perform this command to install BASE and its dependency adodb via MacPorts.
%%sudo port install base
Make symbolic links to the Apache document root.
%%cd <Apache-docroot>
%%sudo ln -s /opt/local/share/adodb adodb
%%sudo ln -s /opt/local/share/base base
Make a copy of the BASE sample file with the extension "dist" removed from the name.
%%cd /opt/local/share/base
%%sudo cp base_conf.php.dist base_conf.php
Open the file base_conf.php in a text editor.
%%pico /opt/local/share/base/base_conf.php
Modify the file variables as shown.
$BASE_urlpath = '/base';
$DBlib_path = '/<Apache-docroot>/adodb';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_user = 'snort';
$alert_password = '<mysql-snort-password>';
$archive_dbname = 'snort';
$archive_user = 'snort';
$archive_password = '<mysql-snort-password>';
$archive_host = 'localhost';
Here we install Snort, import the Snort MySQL database schema, and configure Snort.
Use these steps to install Snort via MacPorts.
%%sudo port install snort +mysql5 +server
Make a place for Snort settings files, rules, and logs.
%%sudo mkdir -p /opt/local/etc/snort/rules
%%sudo mkdir /var/log/snort
In order to run a full set of rules you must register at Snort.org. Then go to the Snort rules page and download the "registered user" release (you may also pay and get the "subscription release") of the Snort rules file and unzip it.
%%cd <snort-rules-download-dir>/rules
%%sudo cp * /opt/local/etc/snort/rules
%%sudo cp *.config /opt/local/etc/snort
Though Snort has no mechanism to update rules automatically, you should download the latest rules and restart Snort every few weeks to make sure it knows about the latest attack profiles.
Rename the snort.conf sample file to snort.conf.
%%cd /opt/local/etc/snort
%%sudo mv snort.conf.dist snort.conf
Then open snort.conf in a text editor.
%%sudo pico /opt/local/etc/snort/snort.conf
Modify the RULE_PATH and database variables exactly as shown, and the HOME_NET as appropriate.
# Path to your rules files
var RULE_PATH /opt/local/etc/snort/rules
# database: log to a variety of databases
output database: alert, mysql, user=snort password=<snortpwd> dbname=snort host=localhost
var HOME_NET [10.1.1.0/24,192.168.1.0/24]
The defaults for the other variables in snort.conf should be OK for most purposes.
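A mismatch between the database settings in snort.conf and those in base_conf.php is a common reason BASE shows nothing. The following script is an added example, not part of this guide or of Snort/BASE: it parses the two fragments edited above and reports any field that differs. The two config fragments are constructed samples with a made-up password.

```python
import re

# Constructed sample of the lines this guide edits in snort.conf (not read from disk).
SNORT_CONF = """\
# database: log to a variety of databases
output database: alert, mysql, user=snort password=s3cret dbname=snort host=localhost
var HOME_NET [10.1.1.0/24,192.168.1.0/24]
"""

# Constructed sample of the BASE variables this guide edits in base_conf.php.
BASE_CONF = """\
$BASE_urlpath = '/base';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_user = 'snort';
$alert_password = 's3cret';
"""

def parse_snort_output_db(conf):
    """Return the key=value settings of the first 'output database: ..., mysql, ...' line."""
    for line in conf.splitlines():
        m = re.match(r'\s*output\s+database:\s*(\w+)\s*,\s*mysql\s*,\s*(.*)', line)
        if m:
            params = dict(re.findall(r'(\w+)=(\S+)', m.group(2)))
            params['facility'] = m.group(1)   # 'alert' or 'log'
            return params
    return {}

def parse_base_conf(conf):
    """Return the $alert_* variables of base_conf.php, keyed without the 'alert_' prefix."""
    return dict(re.findall(r"\$alert_(\w+)\s*=\s*'([^']*)'\s*;", conf))

def check_consistency(snort_conf, base_conf):
    """List mismatches between snort.conf and base_conf.php; an empty list means they agree."""
    snort = parse_snort_output_db(snort_conf)
    base = parse_base_conf(base_conf)
    if not snort:
        return ['snort.conf has no "output database: alert, mysql, ..." line']
    problems = []
    if snort['facility'] != 'alert':
        problems.append('snort.conf logs the %r facility; BASE displays alerts' % snort['facility'])
    for key in ('dbname', 'host', 'user', 'password'):
        if snort.get(key) != base.get(key):
            problems.append('%s differs: snort.conf=%r base_conf.php=%r'
                            % (key, snort.get(key), base.get(key)))
    return problems
```

Call check_consistency() with the contents of your own snort.conf and base_conf.php; an empty list means the two files agree.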
Import the Snort database schema into the Snort MySQL database as shown.
%%cd /opt/local/share/snort/schemas
%%cat create_mysql | mysql5 -u root -p snort
Login to MySQL as root.
%%mysql5 -u root -p
Then display the tables in the Snort database.
mysql> show databases;
mysql> use snort;
mysql> show tables;
mysql> exit
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
16 rows in set (0.00 sec)
Add the tables that BASE needs to the Snort database with these commands.
%%cd /opt/local/share/base/sql
%%cat create_base_tbls_mysql.sql | mysql5 -u root -p snort
Now show the tables again and you will see new tables prefixed with "acid", because BASE is based on the older Analysis Console for Intrusion Databases (ACID) project.
+------------------+
| Tables_in_snort  |
+------------------+
| acid_ag          |
| acid_ag_alert    |
| acid_event       |
| acid_ip_cache    |
| base_roles       |
| base_users       |
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
22 rows in set (0.01 sec)
This completes installation and configuration of all necessary software for Snort and Base.
Snort may be started in the foreground or in the background. Running it in the foreground is a good idea until you know it is running properly, because error messages are displayed on the terminal and help to verify the setup. Just omit the -D (daemon mode) option and Snort runs in the foreground.
%%sudo snort -c /opt/local/etc/snort/snort.conf
Make sure that MySQL support is enabled. When Snort is compiled with MySQL support, you will see this in the database section of the Snort messages that scroll across your terminal window (output trimmed):
database: compiled support for ( mysql )
database: configured to use mysql
database: user = root
database: password is set
database: database name = snort
database: host = localhost
database: sensor name = <ip address>
database: sensor id = 1
database: schema version = xxx
database: using the "alert" facility
--== Initialization Complete ==--
After the initialization information is displayed, you will see live packet capture information on the terminal screen if you are connected to a network. Now kill the Snort foreground process by typing Ctrl-C to take a look at the summary information as shown below. Pay particular attention to the "Action Stats" section (output trimmed):
Snort received 216 packets
Analyzed: 216(100.000%)
Dropped: 0(0.000%)
=========================
Breakdown by protocol:
TCP: 10 (4.630%)
UDP: 98 (45.370%)
ICMP: 60 (27.778%)
ARP: 19 (8.796%)
EAPOL: 0 (0.000%)
IPv6: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 23 (10.648%)
DISCARD: 0 (0.000%)
==========================
Action Stats:
ALERTS: 1
LOGGED: 1
PASSED: 0
If the alerts and/or logged stats are zero then Snort may not be logging properly to MySQL and you won't see any activity in BASE. On the other hand, Snort might simply not have seen anything that would trigger an alert, so you could run a Nessus scan against the Snort workstation to trigger an alert.
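To turn the checks just described into something repeatable, here is an added example (not from this guide or from Snort) that parses the output of a foreground run and reports why BASE might stay empty: missing MySQL support, no mysql output line, no alerts at all, or alerts that were raised but not logged. The sample output is a constructed, trimmed version of the lines shown above, not a capture from a real Snort process.

```python
import re

# Constructed sample of what a foreground run prints (trimmed), modelled on this guide;
# it is not the output of a real Snort process.
SNORT_RUN = """\
database: compiled support for ( mysql )
database: configured to use mysql
database: database name = snort
database: using the "alert" facility
--== Initialization Complete ==--
Snort received 216 packets
    Analyzed: 216(100.000%)
    Dropped: 0(0.000%)
Action Stats:
ALERTS: 1
LOGGED: 1
PASSED: 0
"""

def parse_action_stats(output):
    """Return the ALERTS/LOGGED/PASSED counters from the Ctrl-C summary as ints."""
    stats, in_section = {}, False
    for line in output.splitlines():
        if line.strip() == 'Action Stats:':
            in_section = True
            continue
        m = re.match(r'\s*(ALERTS|LOGGED|PASSED):\s*(\d+)', line) if in_section else None
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats

def diagnose(output):
    """Return a list of reasons BASE may stay empty; an empty list means the run looks healthy."""
    reasons = []
    if 'compiled support for ( mysql )' not in output:
        reasons.append('Snort was built without MySQL support (reinstall with +mysql5)')
    elif 'configured to use mysql' not in output:
        reasons.append('snort.conf has no "output database: ..., mysql, ..." line')
    stats = parse_action_stats(output)
    if not stats:
        reasons.append('no Action Stats section found: was the run stopped with Ctrl-C?')
    elif stats.get('ALERTS', 0) == 0:
        reasons.append('no alerts during the run: nothing matched, or no rules loaded')
    elif stats.get('LOGGED', 0) == 0:
        reasons.append('alerts raised but none logged: check the database output line and credentials')
    return reasons
```

Run Snort in the foreground, copy the terminal output into a file, and pass its contents to diagnose().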
Once you know Snort is working properly, you may run it in the background with the -D (daemon) switch.
%%sudo snort -D -c /opt/local/etc/snort/snort.conf
If you installed Snort with the +server variant you may use launchctl to set Snort to run at system boot; if you do not want Snort to start at boot, simply omit this step.
%%sudo launchctl load -w /Library/LaunchDaemons/org.macports.snort.plist
If you did not install Snort with the +server variant or choose not to run the launchctl command, you may run Snort in the background with the Snort startup script as shown.
%%sudo /opt/local/share/snort/snort.sh start
Go to http://localhost/base/index.php to view the BASE main page. You may have to wait awhile until Snort detects an intrusion or probe, so you may not see any activity reported on the BASE web page immediately after installing Snort.
To learn more about Snort, you may review full documentation, check the FAQ, or use the Snort mailing lists for further assistance. To learn more about BASE, check the FAQ or use the BASE mailing lists for further assistance.