Snort MySQL reports.
An Intrusion Detection System is like a burglar alarm for your computer. It monitors your network and system activities for malicious activity or policy violations and reports to some kind of management station. This is great as it lets you know who, where, when and how people are trying to break into your network, and knowing this is half the battle. You may be thinking that this isn’t enough and you want to block all hacks from happening; well, most IDS systems include some “Network Intrusion Prevention” features. However, the main concern should be closing up vulnerabilities rather than blocking someone already trying to hack your systems. After all, it’s a bit late if they are already in your system, and blocking this way may also block innocent users.
So what’s the best IDS? Well, infoworld.com said that the greatest open source software of all time was Snort, and if it’s the best open source software of all time, you can sure as hell bet it’s the best open source IDS. Snort contains a full-featured IDS, receives regular updates to its rules library and has great Network Intrusion Prevention features. So let’s discuss how to install it and get it reporting to a MySQL database.
So first you’ll need a computer to run Snort on. If you just want to run your IDS on a single server, it’s fine to install Snort on that machine. However, if you want to employ an IDS across your whole network you’ll need a switch with port mirroring functionality (most managed switches have it) so that the IDS server transparently receives all network traffic.
This computer needs to have MySQL running in order for Snort to report to a database; a good tutorial for this can be found here. Once you have installed MySQL you need to set up some users for Snort to use. First log in to MySQL:
mysql -u [USER NAME] -p
Then create the new database and users:
CREATE DATABASE snort;
grant CREATE, INSERT, SELECT, UPDATE on snort.* to snort@localhost;
grant CREATE, INSERT, SELECT, UPDATE on snort.* to snort;
SET PASSWORD FOR snort@localhost=PASSWORD('snort-db');
flush privileges;
Now it’s time to install Snort:
apt-get update
apt-get install snort-mysql
During the setup you’ll be asked for your “Address range for the local network:”; here enter the CIDR address of your network range. If you don’t understand CIDR ranges, look here for more info. Basically, if your Snort server covers a whole network use 192.168.0.0/16, and if it’s just your local computer use [YOUR IP]/32.
The next screen asks you if you have a database server; so long as you went through the create database and user steps earlier it is OK to click <Yes>:
This will then complete the Snort install. You will probably get some errors to do with the “/etc/snort/db-pending-config” file; this is because we haven’t fully set up our database and config file settings:
Now to fix these problems let’s make our database:
cd /usr/share/doc/snort-mysql/
zcat create_mysql.gz | mysql -u snort -D snort -psnort-db
Now we need to configure the snort.conf file to contain our database settings:
nano /etc/snort/snort.conf
You’ll need to change some settings at line 763 to read:
output database: log, mysql, user=snort password=snort-db dbname=snort host=127.0.0.1
Alternatively you can download my snort.conf; it uses the username snort, password snort-db, database snort and host 127.0.0.1.
Now that the database and Snort have been successfully configured we can remove the db-pending-config file and start Snort:
rm /etc/snort/db-pending-config
/etc/init.d/snort start
To test that Snort is running correctly type:
/etc/init.d/snort status
You should see something that looks like this:
And that’s it. Snort will now be monitoring your network and updating your MySQL database with any alerts. To get the full list of alerts so far run this command:
mysql -u "snort" -p"snort-db" -e"use snort; SELECT * FROM event INNER JOIN signature ON event.signature=signature.sig_id ORDER BY event.timestamp;"
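The query above lists every event with its rule name but not who triggered it. Two queries added here as an example (not part of the original post) decode the addresses and ports from the standard Snort schema loaded by create_mysql.gz; they assume MySQL with INET_NTOA() available and that the tables event, signature, iphdr, tcphdr and udphdr exist as created above.

```sql
-- Alerts from the last 24 hours with decoded addresses and ports.
-- iphdr.ip_src / ip_dst are stored as unsigned 32-bit integers, so
-- INET_NTOA() turns them back into dotted quads.  Ports live in the
-- protocol-specific header tables, hence the two LEFT JOINs
-- (ICMP events have neither a tcphdr nor a udphdr row).
SELECT e.timestamp,
       s.sig_name,
       s.sig_priority,
       INET_NTOA(i.ip_src)                 AS src_ip,
       COALESCE(t.tcp_sport, u.udp_sport)  AS src_port,
       INET_NTOA(i.ip_dst)                 AS dst_ip,
       COALESCE(t.tcp_dport, u.udp_dport)  AS dst_port,
       i.ip_proto
FROM event e
JOIN signature s   ON s.sig_id = e.signature
JOIN iphdr     i   ON i.sid = e.sid AND i.cid = e.cid
LEFT JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
LEFT JOIN udphdr u ON u.sid = e.sid AND u.cid = e.cid
WHERE e.timestamp >= NOW() - INTERVAL 1 DAY
ORDER BY e.timestamp DESC;

-- Triage view: which rules fire most, and from how many distinct hosts.
-- sig_priority 1 is the most severe.  A rule firing thousands of times
-- from a single source is usually noise or a scanner; a rare, high
-- priority rule is the one worth reading the packet data for.
SELECT s.sig_name,
       s.sig_priority,
       COUNT(*)                  AS hits,
       COUNT(DISTINCT i.ip_src)  AS distinct_sources,
       MIN(e.timestamp)          AS first_seen,
       MAX(e.timestamp)          AS last_seen
FROM event e
JOIN signature s ON s.sig_id = e.signature
JOIN iphdr     i ON i.sid = e.sid AND i.cid = e.cid
GROUP BY s.sig_id, s.sig_name, s.sig_priority
ORDER BY s.sig_priority ASC, hits DESC;
```

Run either query with mysql -u snort -psnort-db -D snort -e "..." as in the command above; the second one is the quicker way to decide whether a busy database is worth keeping before clearing it.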
Remember this database will only fill up with alerts if Snort has detected any malicious activity; it is possible that there isn’t any. If you’re running any web service it’s likely that you’ll have a lot of information in your database very quickly. To clear it, run this at your MySQL prompt:
DELETE FROM data;
DELETE FROM event;
DELETE FROM icmphdr;
DELETE FROM iphdr;
DELETE FROM opt;
DELETE FROM tcphdr;
DELETE FROM udphdr;
DELETE FROM signature;
DELETE FROM sig_class;
DELETE FROM sig_reference;
DELETE FROM reference;
DELETE FROM reference_system;
DELETE FROM acid_event;
DELETE FROM acid_ip_cache;
Setup an IDS with Snort & MySQL « The Tech Tutorial