SNORT with ACID

This is a HOWTO to set up Snort with ACID on RHEL 4.0 / CentOS.

This is one of my old posts, but I hope many people will still find it useful. The same procedure should also work on newer Linux distributions.

So what are Snort and ACID?

Snort is a free Network Intrusion Detection System (NIDS).
ACID is an Analysis Console for Intrusion Detection, or in other words a web front end for Snort: it works with the alerts Snort logs to a database.

Please remember that your system must have php-4.3.5 or greater for the following to work. You can check the installed version with:

# rpm -qa php

If you don't have PHP 4 or greater, download and install it first.

Now let's move on to configuring Snort with ACID.

First download all the packages needed for it to work properly:
1. Acid
2. Adodb
3. Acidlab
4. Mysql
5. Snort
6. Jpgraph
7. Php-4
8. Apache

These can be downloaded from www.sourceforge.net

Now let's start the configuration.
First we will set up Snort from source code as follows:

# tar zxvf Snort.tar

The above unpacks Snort.tar and creates the necessary directories inside the newly created snort directory. The main directories created are etc and schemas.
We also have to download the latest rules from www.snort.org/dl

After the above step we have to create the following directories ourselves:

# mkdir /etc/snort
# mkdir /etc/snort/rules
# mkdir /var/log/snort

Now copy all the files from the etc directory created by unpacking Snort to /etc/snort,
and copy the files from the rules directory (downloaded from www.snort.org/dl) to the /etc/snort/rules directory we just created.

After completing the above steps, build and install Snort from inside the unpacked Snort source directory:

# ./configure --with-mysql
# make
# make install

If all goes well Snort is installed but not yet configured. Its configuration lives in /etc/snort/snort.conf, so open it with
# vi /etc/snort/snort.conf
and edit the configuration as shown below.

#################SNORT.CONF################

Change:   var HOME_NET any
to:       var HOME_NET 192.168.5.211   (or any of your internal network IPs or IP ranges)

Change:   var EXTERNAL_NET any
to:       var EXTERNAL_NET !$HOME_NET

Change:   var RULE_PATH ../rules
to:       var RULE_PATH /etc/snort/rules

Also uncomment the "output database" line and change the user, password and dbname to your own preference, e.g.
output database: log, mysql, user=snort password=snort123 dbname=snort host=localhost
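The three snort.conf edits above and the "output database" change are easy to get subtly wrong by hand (a stray space, a still-commented output line, a rules file that was never copied). The following shell script is an added example, not part of the original post: it applies the same edits with sed, verifies them, and lists any rules file that snort.conf includes but that is missing from RULE_PATH. The values used are the ones from this post (192.168.5.211, /etc/snort/rules, snort/snort123); the sample snort.conf and rules directory it creates under a temporary directory are constructed only so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): scripted snort.conf edits plus checks.

# apply_snort_conf_edits FILE HOME_NET RULE_PATH DB_USER DB_PASS DB_NAME
# Rewrites the default lines exactly as the post describes. Written through a
# temp file instead of "sed -i" so it works with both GNU and BSD sed.
# (A DB password containing "|" or "&" would need escaping for sed; not handled here.)
apply_snort_conf_edits() {
    file=$1; home_net=$2; rule_path=$3; db_user=$4; db_pass=$5; db_name=$6
    sed \
        -e "s|^var HOME_NET any$|var HOME_NET $home_net|" \
        -e "s|^var EXTERNAL_NET any$|var EXTERNAL_NET !\$HOME_NET|" \
        -e "s|^var RULE_PATH ../rules$|var RULE_PATH $rule_path|" \
        -e "s|^# *output database: log, mysql.*$|output database: log, mysql, user=$db_user password=$db_pass dbname=$db_name host=localhost|" \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# check_snort_conf FILE HOME_NET RULE_PATH: succeed only if all four edits are present
check_snort_conf() {
    file=$1; home_net=$2; rule_path=$3
    grep -qFx "var HOME_NET $home_net" "$file" &&
    grep -qFx 'var EXTERNAL_NET !$HOME_NET' "$file" &&
    grep -qFx "var RULE_PATH $rule_path" "$file" &&
    grep -q '^output database: log, mysql, ' "$file"
}

# missing_rule_files FILE RULE_PATH: print every "include $RULE_PATH/<x>.rules"
# target that does not exist under RULE_PATH (Snort refuses to start otherwise)
missing_rule_files() {
    file=$1; rule_path=$2
    sed -n 's|^include \$RULE_PATH/||p' "$file" | while read -r r; do
        [ -f "$rule_path/$r" ] || echo "$r"
    done
}

# --- constructed sample: a stripped-down snort.conf and a rules dir with one file ---
WORK=$(mktemp -d)
SAMPLE_CONF="$WORK/snort.conf"
mkdir -p "$WORK/rules"
touch "$WORK/rules/icmp.rules"            # present; scan.rules is deliberately absent
cat > "$SAMPLE_CONF" <<'EOF'
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
# output database: log, mysql, user=root password=test dbname=db host=localhost
include $RULE_PATH/icmp.rules
include $RULE_PATH/scan.rules
EOF

apply_snort_conf_edits "$SAMPLE_CONF" 192.168.5.211 "$WORK/rules" snort snort123 snort
check_snort_conf "$SAMPLE_CONF" 192.168.5.211 "$WORK/rules" && echo "snort.conf edits applied"
echo "missing rules files:"
missing_rule_files "$SAMPLE_CONF" "$WORK/rules"       # prints scan.rules
```

On a real system run it against /etc/snort/snort.conf instead of the sample, and remember that the database password ends up in plain text in snort.conf, so keep that file readable by root only.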

The Snort configuration is now finished. Let's check that Snort runs, by typing the following command:

# snort -c /etc/snort/snort.conf

If all goes well the above command starts Snort in NIDS (network intrusion detection system) mode.

Snort will then automatically create an alert file whenever someone tries to intrude into our network (hack, scan, etc.). The alert file is created in the directory we made earlier, /var/log/snort/.
By studying the alert file we can see who is trying to penetrate our network.
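Reading the alert file line by line quickly becomes impractical, so here is an added example (not from the original post) of summarising it from the shell: which source addresses generate the most alerts, which signatures fire most often, and which alerts carry a high priority. It assumes Snort's "fast" alert format (timestamp, [**] gid:sid:rev message [**], classification, priority, {protocol} source -> destination). The four alert lines it writes to a temporary file are constructed for offline demonstration; the signature names and addresses in them are made up.

```shell
#!/bin/sh
# Added example (not from the original post): summarise a Snort fast-format alert file.

# top_sources FILE: print "count source_ip", most frequent first.
# The source is the field before "->"; a trailing :port (TCP/UDP) is stripped.
top_sources() {
    awk '{ for (i = 2; i < NF; i++) if ($i == "->") { s = $(i-1); sub(/:[0-9]+$/, "", s); print s } }' "$1" \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# top_signatures FILE: print "count signature text", most frequent first.
# The signature sits between "[**] [gid:sid:rev]" and the closing "[**]".
top_signatures() {
    sed -n 's/^.*\[\*\*\] \[[0-9:]*\] \(.*\) \[\*\*\].*$/\1/p' "$1" \
        | sort | uniq -c | sort -rn | awk '{ c = $1; $1 = ""; sub(/^ /, ""); print c " " $0 }'
}

# high_priority_alerts FILE MAX_PRIORITY: print alerts whose priority is <= MAX_PRIORITY
# (in Snort, 1 is the most severe).
high_priority_alerts() {
    awk -v p="$2" '
        match($0, /\[Priority: [0-9]+\]/) {
            pr = substr($0, RSTART + 11, RLENGTH - 12) + 0
            if (pr <= p) print
        }' "$1"
}

# --- constructed sample alert file (fast format); addresses and signatures are made up ---
ALERTS=$(mktemp)
cat > "$ALERTS" <<'EOF'
05/10-12:00:01.000001  [**] [1:1000001:1] ICMP PING (constructed) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.5.50 -> 192.168.5.211
05/10-12:00:02.000002  [**] [1:1000002:1] SSH probe (constructed) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.7:51234 -> 192.168.5.211:22
05/10-12:00:03.000003  [**] [1:1000002:1] SSH probe (constructed) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.7:51235 -> 192.168.5.211:22
05/10-12:00:04.000004  [**] [1:1000002:1] SSH probe (constructed) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.7:51236 -> 192.168.5.211:22
EOF

echo "== alerts per source =="; top_sources "$ALERTS"
echo "== alerts per signature =="; top_signatures "$ALERTS"
echo "== priority 1 alerts =="; high_priority_alerts "$ALERTS" 1
```

Point the functions at /var/log/snort/alert on a live sensor. Once the database output plugin is working, ACID gives the same views in the browser, but this kind of one-liner is still handy on the sensor itself or when the web front end is down.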

Now we will configure MySQL.
First we start MySQL with the command:

# service mysqld start

and then we proceed as follows. Start the client and set the root password:

# mysql
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('yourpassword');
mysql> exit

Now enter MySQL again with the following command:

# mysql -u root -p

Provide the password, and at the mysql prompt apply the commands below:

mysql> create database snort;
mysql> grant INSERT, SELECT on snort.* to snort@localhost;
mysql> SET PASSWORD FOR 'snort'@'localhost' = PASSWORD('snort123');
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort;
mysql> exit

Note that the last grant (to snort with no host part) allows the snort account to connect from any host; if Snort, ACID and MySQL all run on this one machine, the snort@localhost grants are sufficient.

Now, at the shell prompt, type the following to create the tables in the newly created snort database. The create_mysql schema file is in the schemas directory of the unpacked Snort source, so run this from that directory:

# mysql -D snort -u root -p < schemas/create_mysql

If no error occurs, the tables in the snort database have been created.

Now we need a front end for Snort that reads the alerts from the database and presents them graphically on the web.
For this we will use the ACID package.
Perform the following steps:

# tar zxvf acid.tar

First create a new directory named acid:

# mkdir /var/www/html/acid

Now copy the contents of the freshly unpacked acid directory to /var/www/html/acid. After this:

# tar zxvf adodb.tar

Now copy the contents of the freshly unpacked adodb directory to the same /var/www/html/acid directory.

Now unpack jpgraph.tar the same way, i.e.

# tar zxvf jpgraph.tar

and copy the contents of the freshly unpacked jpgraph directory to the same /var/www/html/acid directory.

Now find the file named acid_conf.php in the /var/www/html/acid directory and edit it as described below.

################acid_conf.php#####################

$DBlib_path = "/var/www/html/acid";   (path to the ADOdb files; we copied the adodb directory into /var/www/html/acid)

$DBtype = "mysql";   (database type)

Change the following in the alert DB section as well as in the archive DB section:

$alert_dbname = "snort";       (database name)
$alert_host = "localhost";     (host name)
$alert_port = "3306";          (MySQL port for the connection)
$alert_user = "snort";         (user name)
$alert_password = "snort123";  (password for user snort)

Lastly we have to change the following:

$ChartLib_path = "/var/www/html/acid/jpgraph/src";   (the path which leads to jpgraph.php)
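The usual reason for a blank or half-rendered ACID page after this step is a path in acid_conf.php that does not point where the files really are. The following shell script is an added example, not part of the original post or of ACID: it reads the settings out of acid_conf.php and checks that the two files ACID will include from those paths (adodb.inc.php under $DBlib_path and jpgraph.php under $ChartLib_path) actually exist. The directory tree and the acid_conf.php it builds under a temporary directory are constructed so the check can run offline; the jpgraph.php file is deliberately left out to show a failure.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the paths in acid_conf.php.

# php_setting FILE NAME: print the double-quoted string assigned to $NAME in FILE
# (acid_conf.php uses the form:  $NAME = "value";  which is all this handles)
php_setting() {
    awk -v name="$2" '
        $1 == "$" name && $2 == "=" { v = $3; gsub(/^"|";?$/, "", v); print v; exit }
    ' "$1"
}

# check_acid_paths CONF: report whether the files ACID includes are where the
# config says they are; returns non-zero if any is missing
check_acid_paths() {
    conf=$1; rc=0
    dblib=$(php_setting "$conf" DBlib_path)
    chart=$(php_setting "$conf" ChartLib_path)
    for f in "$dblib/adodb.inc.php" "$chart/jpgraph.php"; do
        if [ -f "$f" ]; then
            echo "ok:      $f"
        else
            echo "MISSING: $f"
            rc=1
        fi
    done
    return $rc
}

# --- constructed sample: a web root with ADOdb present and JpGraph not yet copied ---
WORK=$(mktemp -d)
mkdir -p "$WORK/acid/jpgraph/src"
touch "$WORK/acid/adodb.inc.php"
ACID_CONF="$WORK/acid/acid_conf.php"
# single-quoted format string keeps the PHP variable names literal
printf '$DBlib_path = "%s";\n$DBtype = "mysql";\n$alert_dbname = "snort";\n$ChartLib_path = "%s";\n' \
    "$WORK/acid" "$WORK/acid/jpgraph/src" > "$ACID_CONF"

echo "DB type: $(php_setting "$ACID_CONF" DBtype)"
check_acid_paths "$ACID_CONF" || echo "fix the MISSING path(s) above before opening ACID"
```

On the real system call check_acid_paths /var/www/html/acid/acid_conf.php after copying the three packages; if it reports everything ok and ACID still fails, the remaining suspects are the database credentials and the MySQL grants from the previous section.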

That's it, the entire configuration is done.

Now let's restart all the services:

# service httpd restart
# service mysqld restart
# snort -c /etc/snort/snort.conf

After restarting the services, open your web browser, point it to http://localhost/acid and press Enter.

If all goes well you will see the ACID console (the screenshot from the original post is not reproduced here), but before that you have to create the AG tables by clicking the Create buttons.

I hope you guys have understood every step if you have problems just comment.

Thanks

Salman Aftab