soup4you2
August 18th, 2003, 18:49
How to setup and secure Snort, MySQL and Acid on FreeBSD

This document will guide a user through the installation of Snort, MySQL, and ACID. It will also guide the user through the process of securing the machine. The intention is to give users that are new to any of the software the opportunity to build an enterprise-class system based completely on free, open-source tools. Following the instructions in this document will get you the following:

Snort logging to MySQL and outputting to ACID.
An easy method of updating your software via the ports collection.
The fastest NIDS for your money.
I'm already going to assume you have the latest ports and already have your window manager installed and configured.



Installing phplot
Change directory to /usr/ports/graphics/phplot
make WITH_X11=yes
When presented with a menu of options to configure into phplot, choose GD 2, then hit OK.
make install clean

Installing Adodb
Change directory to /usr/ports/databases/adodb
make ; make install clean

Installing libnet
Change directory to /usr/ports/net/libnet
make ; make install clean

Installing Snort
Change directory to /usr/ports/security/snort
make -DWITH_MYSQL -DWITH_FLEXRESP ; make install

Installing ACID
Change directory to /usr/ports/security/acid
make ; make install clean

Editing the necessary files

Several files need to be edited/customized for this to work. I will not go into optimizing snort.conf here since it is covered in wonderful detail in the Snort User's Manual. However I will tell you what to change to log to MySQL and some other tips to make it work. Also, some other files need to be changed for Apache and Acid to work correctly.

For Snort
Change directory to /usr/local/etc and issue the command "cp snort.conf-sample snort.conf".
chmod 644 snort.conf
Open snort.conf in a text editor and change "var RULE_PATH ./" to "var RULE_PATH /usr/local/share/snort".
You may need to add the following line to snort.conf:
var HTTP_PORTS 80 443
In Section 3 change the following in the database section (all on one line):
output database: log, mysql, user=snortman password=snortman dbname=snort host=localhost
cp /usr/local/etc/classification.config-sample /usr/local/etc/classification.config

For Apache
Go into /etc/hosts and define your host there. For example, my test system is named "ariel.bsdhound.com", so my /etc/hosts file looks like this:
127.0.0.1 ariel.bsdhound.com localhost
Go into /usr/local/etc/apache/httpd.conf and change the following lines:
DocumentRoot "/usr/local/www/data" to DocumentRoot "/usr/local/www/acid"
<Directory "/usr/local/www/data"> to <Directory "/usr/local/www/acid">

For ACID
1. chmod 644 /usr/local/www/acid/acid_conf.php
2. Go into /usr/local/www/acid/acid_conf.php
3. Edit the following lines:
$DBlib_path = "/usr/local/www/data.default/php/adodb";
$alert_dbname = "snort";
$alert_password = "snortman";
$ChartLib_path = "/usr/local/lib/php/phplot";
$portscan_file = "/var/log/snort/portscan.log";

Adding a user for Snort
Snort has the ability to run as a normal user, so if there is ever an exploit and someone uses Snort to take over your box, they won't own the entire system. This also means that your database's root password isn't sitting in a clear-text file (snort.conf). To add a user, type "adduser" and give it the following options:

Please enter a username
Enter username [snort]: snortman
Enter full name [ ]:
Enter shell csh date no sh tcsh [no]: no
Enter home directory (full path) [/home/snortman]:
Uid [1002]:
Enter login class: default [ ]:
Login group snortman [snortman]:
Login group is ``snortman''. Invite snortman into other groups: guest no [no]:
Enter password [ ]:
Enter password again [ ]:
It's a good idea to use this user exclusively to run Snort, so it doesn't need a shell. **Side note: FreeBSD 5 has a new option for randomizing passwords; you might want to try that out.**


Setting up MySQL (I'm assuming you already have MySQL installed here)
Create a file called /etc/my.cnf
The file should contain something like this:
[mysqld]
bind-address=127.0.0.1
port = 3306
skip-name-resolve
log
safe-show-database
Setting up MySQL to accept data from Snort
As root at the shell, type: echo "CREATE DATABASE snort;" | /usr/local/bin/mysql -u root -p
Log into mysql and type "grant INSERT,SELECT on snort.* to snortman@localhost;"
SET PASSWORD FOR snortman@localhost=PASSWORD('snortman');
Quit mysql
Type "/usr/local/bin/mysql -p < /usr/ports/security/snort/work/snort-1.8.6/contrib/create_mysql snort"
Type "mkdir /var/log/snort"
Type "chown snortman:snortman /var/log/snort" (the directory itself must belong to snortman, otherwise Snort, running as that user, cannot write its logs there)



Snort startup script
This is a basic Snort startup script for FreeBSD. Put it in /usr/local/etc/rc.d and don't forget to chmod 755!
#!/bin/sh
# Start or stop Snort; -u/-g drop privileges to the snortman user, -D daemonizes
sleep 3
case "$1" in
start)
    if [ -x /usr/local/bin/snort ]; then
        /usr/local/bin/snort -c /usr/local/etc/snort.conf -i xl0 -u snortman -g snortman -D > /dev/null && echo -n ' snort'
    fi
    ;;
stop)
    /usr/bin/killall snort > /dev/null 2>&1 && echo -n ' snort'
    ;;
*)
    echo ""
    echo "Usage: `basename $0` { start|stop }"
    echo ""
    exit 64
    ;;
esac

Snort rules update script
#!/bin/sh
# Update rules: fetch the current ruleset tarball, unpack it in /tmp and
# drop the .rules files into Snort's RULE_PATH
cd /tmp
rm -rf rules
fetch http://www.snort.org/downloads/snortrules.tar.gz
tar -xzf snortrules.tar.gz
# rm snortrules.tar*
mv /tmp/rules/*.rules /usr/local/share/snort
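A more defensive version of the update script above, added here as an example (it is not the original poster's script). It keeps the post's URL and RULE_PATH as defaults, but unpacks into a private mktemp(1) directory instead of a fixed /tmp/rules path, refuses to touch the live ruleset unless the download actually produced non-empty .rules files, and keeps the previous set in a .bak directory so a bad update can be rolled back. The "run" argument and the script name update_rules.sh are my assumptions.

```shell
#!/bin/sh
# Safer rule-update script. Added example, not the original poster's script.
# Assumptions: the tarball unpacks to a "rules/" directory (as in the post's
# script); RULES_URL and RULES_DIR default to the post's values and can be
# overridden from the environment; "fetch" is FreeBSD's fetch(1).
RULES_URL=${RULES_URL:-http://www.snort.org/downloads/snortrules.tar.gz}
RULES_DIR=${RULES_DIR:-/usr/local/share/snort}

# install_rules SRC DEST: copy SRC/*.rules over DEST's rules, but only after
# confirming SRC holds at least one non-empty .rules file (a failed or
# truncated download must not empty the live ruleset). The previous files are
# kept in DEST.bak and put back if the copy fails. Returns 0 on success.
install_rules() {
    src=$1; dest=$2; n=0
    for f in "$src"/*.rules; do
        if [ -s "$f" ]; then n=$((n + 1)); fi
    done
    if [ "$n" -eq 0 ]; then
        echo "no usable rules in $src, keeping the current set" >&2
        return 1
    fi
    rm -rf "$dest.bak" && mkdir -p "$dest.bak" || return 1
    for f in "$dest"/*.rules; do
        if [ -f "$f" ]; then cp -p "$f" "$dest.bak"/; fi
    done
    if ! cp -p "$src"/*.rules "$dest"/; then
        for f in "$dest.bak"/*.rules; do
            if [ -f "$f" ]; then cp -p "$f" "$dest"/; fi
        done
        echo "copy failed, previous rules restored" >&2
        return 1
    fi
    return 0
}

# update_rules: download and unpack inside a private directory from mktemp(1)
# rather than the fixed /tmp/rules path, so another local user cannot plant
# files there ahead of the script, then hand the result to install_rules.
update_rules() {
    work=$(mktemp -d) || return 1
    if fetch -o "$work/rules.tar.gz" "$RULES_URL" \
       && tar -xzf "$work/rules.tar.gz" -C "$work"; then
        install_rules "$work/rules" "$RULES_DIR"; rc=$?
    else
        echo "download or unpack failed, current rules left in place" >&2; rc=1
    fi
    rm -rf "$work"
    return $rc
}

# Only contact the network when invoked as "sh update_rules.sh run" (assumed
# file name), so the functions can be sourced or tested without fetching.
if [ "${1:-}" = "run" ]; then
    update_rules
fi
```

Because install_rules validates the unpacked directory before copying, a network hiccup or an empty tarball leaves the previous rules in place instead of an empty RULE_PATH; remember that Snort still needs a restart (or a HUP) to load the new files.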


Testing your box
As root type "shutdown -r now"; when the box comes up you can check that Snort, Apache and MySQL are running with the "ps aux" command. Another diagnostic command you can use if the system doesn't work right away is:
ifconfig -a
Now look and see if the sniffing interface shows "UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST".
Now everything should be working properly. If you set everything up right, you can log into ACID by going to http://hostname
Now don't forget to set your firewall rules.
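To make the "Testing your box" step repeatable, here is an added post-boot check script (my example, not from the original post). It turns the three things the guide tells you to eyeball into pass/fail checks: that Snort is running as the unprivileged snortman user from the adduser step rather than root, that the sniffing interface is UP and PROMISC, and that mysqld is listening on 127.0.0.1:3306 only, which is what bind-address in /etc/my.cnf is supposed to achieve. The functions parse text in the format printed by "ps aux", "ifconfig -a" and FreeBSD's "sockstat -4 -l"; the samples embedded at the bottom are constructed for offline use and are not real captures.

```shell
#!/bin/sh
# Post-boot check for the Snort/MySQL/ACID box. Added example, not the
# original poster's code. Feed it real "ps aux", "ifconfig -a" and
# "sockstat -4 -l" output on the live system; the samples at the bottom are
# constructed for offline use, not real captures.

# check_snort_user PS_OUTPUT USER: succeed only if a snort process exists and
# its owner column is USER (the unprivileged account from the adduser step).
check_snort_user() {
    line=$(printf '%s\n' "$1" | grep '/usr/local/bin/snort' | grep -v grep | head -n 1)
    [ -n "$line" ] || return 1
    owner=$(printf '%s\n' "$line" | awk '{ print $1 }')
    [ "$owner" = "$2" ]
}

# check_promisc IFCONFIG_OUTPUT IFACE: succeed if IFACE's flag list contains
# both UP and PROMISC, i.e. Snort has the interface open for sniffing.
check_promisc() {
    flags=$(printf '%s\n' "$1" | awk -v i="$2:" '$1 == i { print $2 }' \
            | sed 's/.*<//; s/>.*//')
    [ -n "$flags" ] || return 1
    case ",$flags," in *,UP,*) ;; *) return 1 ;; esac
    case ",$flags," in *,PROMISC,*) return 0 ;; *) return 1 ;; esac
}

# check_local_only SOCKSTAT_OUTPUT COMMAND PORT: succeed if COMMAND listens on
# PORT and every such listener is bound to 127.0.0.1. A "*:PORT" entry means
# the daemon is reachable from the network, so the check fails.
check_local_only() {
    addrs=$(printf '%s\n' "$1" | awk -v c="$2" -v p=":$3" '$2 == c && $6 ~ (p "$") { print $6 }')
    [ -n "$addrs" ] || return 1
    printf '%s\n' "$addrs" | while read -r a; do
        [ "$a" = "127.0.0.1:$3" ] || exit 1
    done
}

# run_checks PS IFCONFIG SOCKSTAT IFACE: print one line per check and return
# the number of failures, so the exit status is 0 only when everything passed.
run_checks() {
    fails=0
    if check_snort_user "$1" snortman; then echo "ok   snort runs as snortman"
    else echo "FAIL snort missing or not running as snortman"; fails=$((fails + 1)); fi
    if check_promisc "$2" "$4"; then echo "ok   $4 is UP and PROMISC"
    else echo "FAIL $4 is not sniffing"; fails=$((fails + 1)); fi
    if check_local_only "$3" mysqld 3306; then echo "ok   mysqld bound to 127.0.0.1:3306 only"
    else echo "FAIL mysqld missing or reachable from the network"; fails=$((fails + 1)); fi
    return $fails
}

# --- constructed sample output (not real captures) --------------------------
SAMPLE_PS='USER      PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED      TIME COMMAND
root      280  0.0  0.5  3284 1748  ??  Is    9:01AM   0:00.04 /usr/sbin/sshd
snortman  355  0.3  9.1 18392 9000  ??  Ss    9:01AM   0:02.11 /usr/local/bin/snort -c /usr/local/etc/snort.conf -i xl0 -u snortman -g snortman -D
mysql     345  0.0  4.2 12000 4300  ??  S     9:01AM   0:00.50 /usr/local/libexec/mysqld'
SAMPLE_PS_ROOT='USER      PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED      TIME COMMAND
root      355  0.3  9.1 18392 9000  ??  Ss    9:01AM   0:02.11 /usr/local/bin/snort -c /usr/local/etc/snort.conf -i xl0 -D'
SAMPLE_IFCONFIG='xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000'
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mysql    mysqld     345   3  tcp4   127.0.0.1:3306        *:*
www      httpd      412   16 tcp4   *:80                  *:*
root     sshd       280   4  tcp4   *:22                  *:*'
SAMPLE_SOCKSTAT_OPEN='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mysql    mysqld     345   3  tcp4   *:3306                *:*'

# Stand-alone run against the constructed samples. On a live box replace the
# arguments with "$(ps aux)" "$(ifconfig -a)" "$(sockstat -4 -l)".
run_checks "$SAMPLE_PS" "$SAMPLE_IFCONFIG" "$SAMPLE_SOCKSTAT" xl0
```

The mysqld check is the one worth keeping around: if someone later removes bind-address from /etc/my.cnf, the "*:3306" line in sockstat is easy to miss by eye, and the snortman/root check catches a startup script edited to run Snort without -u/-g.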