YouTube – Comments in the Real World

Thank you Mr Scoble 🙂

That got pulled from YouTube, but you can still see it at http://digital-lifestyles.info/2007/08/22/blog-comments-in-the-real-world-hilarious-video/

Setting up SNORT on Gentoo Part 2

The steps taken here were based on those from the Gentoo Wiki How-Tos. I had to change some things as they were not working properly on 2007.0:
HOWTO Use Snort, Acid, and MySQL Effectively and
HOWTO Apache2 with BASE

Install the packages needed

Yikes, took longer than expected to get this part working to my satisfaction.

The first thing to get working is Apache, PHP and MySQL

The USE line below should speed up compile times, but I only found that out afterwards, so it may be a good idea to use it. It is set in /etc/make.conf

USE="dynamicplugin gd gd-external mysql apache2 php openssl jpg png gif session -X -gtk -gnome -alsa php session pcre hardenedphp gd pear apache2 *postgres *mysql ssl png gif jpeg cli xml"

Edit /etc/portage/package.keywords and add

net-analyzer/snort ~x86
net-analyzer/acid ~x86
dev-php4/jpgraph ~x86

Then run the emerges for the needed packages:

emerge php (will install Apache2 as needed)
emerge libnet
emerge mysql
emerge snort
emerge oinkmaster

Next set the services to start at boot

rc-update add snort default
rc-update add mysql default
rc-update add apache2 default

To prevent errors at first start

/usr/bin/mysql_install_db

Then start MySQL and Apache

/etc/init.d/apache2 start
/etc/init.d/mysql start

Setup MySQL

Next you need to set up MySQL.

Set the password and permissions for root (don't forget the ';' at the end of the lines), and create the permissions for snort to use the database.

mysql
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('new_password');
create database snort;
grant INSERT,SELECT on snort.* to snort@localhost;
SET PASSWORD FOR 'snort'@'localhost' = PASSWORD('new_password');
grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort;
exit

Import the Snort Database structure

bzcat /usr/share/doc/snort-<version>/schemas/create_mysql.bz2 | mysql -u snort -D snort -p

Setting up Snort

Edit /etc/snort/snort.conf (if this is not there copy it from /etc/snort/snort.conf.distrib)

Look for 'output database' and change as appropriate

output database: alert, mysql, user=snort password=password dbname=snort host=localhost

It is a good idea to request an oinkcode from the Snort site, as you can use it to do automatic updates of the Snort rules. Edit /etc/oinkmaster.conf and insert the oinkcode as applicable

E.g.
url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2.6.tar.gz

If you want to do an immediate update use

/usr/bin/oinkmaster.pl -i -o /etc/snort/rules

Edit /etc/conf.d/snort to set the listen interface

IFACE=br0

Start Snort, watching /var/log/messages for errors

/etc/init.d/snort start

If snort fails to start use

/etc/init.d/snort stop
/etc/init.d/snort zap

to stop Snort, and fix the errors reported in /var/log/messages. You may need to check permissions; I only had to change the log directory:

chown -R snort:snort /var/log/snort
chmod -R 770 /var/log/snort

Setup BASE

You will first need to add 'net-analyzer/base' to /etc/portage/package.keywords, as was done for the other packages above, then

emerge base

Once the emerge is done edit /etc/base/base_conf.php

$alert_dbname = 'snort';
$alert_host = 'localhost';   // can be an IP if BASE is going to run on a different machine
$alert_port = '';            // only needs changing if the database is running on a different port
$alert_user = 'snort';
$alert_password = 'snortpassword';
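Both /etc/snort/snort.conf (the output database line above) and /etc/base/base_conf.php hold the MySQL password in cleartext, so neither file should be world-readable, and the placeholder passwords used in this walkthrough need to be replaced. The following check script is an added example, not part of the original post; the placeholder list and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Both snort.conf and base_conf.php
# hold the MySQL password in cleartext, so this checks that such a file is not
# world-readable and that a placeholder password was actually replaced.
# The placeholder list and the function names are assumptions.

# Print the DB password from either file format:
#   snort.conf:    output database: alert, mysql, user=snort password=xyz ...
#   base_conf.php: $alert_password = 'xyz';
extract_db_password() {
    awk '
        /^output database:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^password=/) { print substr($i, 10); exit }
        }
        /^\$alert_password/ {
            s = $0
            sub(/^[^"'\'']*["'\'']/, "", s)   # drop up to the opening quote
            sub(/["'\''].*$/, "", s)          # drop from the closing quote on
            print s; exit
        }' "$1"
}

# Return 0 if FILE may safely hold the database password, 1 otherwise.
check_db_secret_file() {
    f="$1"
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    # column 8 of "ls -l" is the other-read bit; a password file must not have it
    if [ "$(ls -l "$f" | cut -c8)" = "r" ]; then
        echo "$f: world-readable but contains a database password" >&2
        return 1
    fi
    pw="$(extract_db_password "$f")"
    case "$pw" in
        ""|password|snortpassword|new_password)
            echo "$f: placeholder or empty database password" >&2
            return 1 ;;
    esac
    return 0
}

# Usage: sh check_db_secrets.sh /etc/snort/snort.conf /etc/base/base_conf.php
for f in "$@"; do
    check_db_secret_file "$f" && echo "$f: ok"
done
```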

Once that is done open your browser to http://serveraddress/base/base_db_setup.php and click the Setup AG button.

It is recommended to create a new role and user with view-only access.

You can then activate the authentication system by editing /etc/base/base_conf.php

$Use_Auth_System = 1;

This should have everything in working order; monitor the logs to make sure that no errors are coming up, and fix them as necessary.

The next part of this project will be to install a notification system, although I am not sure what to use yet; Prelude is looking to be an option.

Setting up SNORT on Gentoo Part 1

Install Gentoo. I used the Live CD of 2007.0

Installation took about 1h30 to complete on a dual PIII 933 with 2GB RAM and SCSI drives.

The following steps were then taken to set up the machine as a transparent bridge with an administrative IP

1. Added bridging as a module

echo "bridge" >> /etc/modules.autoload.d/kernel-2.6
update-modules
modprobe bridge

2. Installed the bridge tools

emerge net-misc/bridge-utils

3. Edited /etc/conf.d/net to contain

# set ifconfig as the default tool
modules=( "ifconfig" )
# eth0 & eth1 are set up without any IP
config_eth0=( "null" )
config_eth1=( "null" )

# Bridging (802.1d)
# Assign the NICs to the bridge
bridge_br0="eth0 eth1"
# give the bridge an IP
config_br0=( "196.31.203.52 netmask 255.255.255.240" )
RC_NEED_br0="net.eth0 net.eth1"
# Stop broadcast storms from occurring
brctl_br0=( "stp on" )
# Set the default route for the bridge so that the internet is
# accessible
routes_br0=( "default gw 196.31.203.49" )

4. Set up the bridge to start at system start

ln -sf /etc/init.d/net.lo /etc/init.d/net.eth1
rc-update add net.eth0 default
rc-update add net.eth1 default

ln -sf /etc/init.d/net.lo /etc/init.d/net.br0
rc-update add net.br0 default
/etc/init.d/net.br0 start
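The point of the /etc/conf.d/net layout above is that the two sniffing interfaces carry no IP of their own and STP is on for the bridge. The lint below is an added example, not part of the original post; it checks a baselayout-style net file for exactly those two properties, and the file path, bridge name and function names are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: a lint for the baselayout-1
# style /etc/conf.d/net shown above. It checks that every member of
# bridge_<name> is configured with "null" (no IP on a sniffing interface) and
# that STP is enabled on the bridge. The bridge name defaults to br0.

bridge_members() {   # prints the interfaces listed in bridge_<name>="eth0 eth1"
    sed -n "s/^bridge_$2=[\"']\([^\"']*\)[\"'].*/\1/p" "$1"
}

iface_config() {     # prints the value inside config_<iface>=( "..." )
    sed -n "s/^config_$2=( *[\"']\([^\"']*\)[\"'] *).*/\1/p" "$1"
}

stp_enabled() {      # true if brctl_<name> contains "stp on"
    grep -q "^brctl_$2=.*stp on" "$1"
}

# Return 0 if the bridge config passes both checks, 1 otherwise.
lint_bridge_conf() {
    f="$1"; br="${2:-br0}"; rc=0
    members="$(bridge_members "$f" "$br")"
    [ -n "$members" ] || { echo "no bridge_$br line in $f" >&2; return 1; }
    for i in $members; do
        cfg="$(iface_config "$f" "$i")"
        if [ "$cfg" != "null" ]; then
            echo "$i is a member of $br but config_$i is '${cfg:-unset}', expected null" >&2
            rc=1
        fi
    done
    stp_enabled "$f" "$br" || { echo "STP is not enabled on $br" >&2; rc=1; }
    return $rc
}

# Usage: sh lint_bridge.sh /etc/conf.d/net [bridge]
[ $# -gt 0 ] && lint_bridge_conf "$@" && echo "bridge config ok"
```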

Will follow with the rest soon

Crysis Walkthrough

What we have all been waiting for is coming soon.

This video makes me feel very impatient 🙂