Snort is an open-source Intrusion Detection/Prevention platform (depending on how you configure it – inline or not) that listens on the network for nasty things (which you define) and then tells you about it. It tells you a lot at first, like a deluge, but then you tweak it to tell less – but more important – things over time as you tune. It can log nasty events to a file, email you, or whatever.
You have to allow Snort to listen on an interface that’d configured oddly. You basically set up what’s called either mirror or span port on your switch upstream (which some basic switches don’t do, but there are ways to work around that), then put an extra interface in your Snort box that only listens for things. That interface has to be sort of not configured, just a dummy listener, I’ll explain later. If you don’t have both of these things set up, the rest won’t work, unless of course you have your snort box inline, but then you should already know what you’re doing and have experience, otherwise experimenting might break your whole network, not allowing it to connect upstream and get to stuff, so it might be a good idea to start with an IDS instead of an IPS…your choice.
While installing snort, you have to tell it what network to listen for, in this example I tell it to listen to 10.1.2.0/24, which means it will listen for all traffic on the 10.1.2.whatever network, and all traffic going to all computers that use that, so it will listen to a computer at 10.1.2.100, one at 10.1.2.231, etc. and report what they all do back to your snort box. the /24 means the netmask is 255.255.255.0, which is pretty common on home networks.
apt-get install mysql-server apache2 php5
Now install snort, in this case, the version that integrates with mysql. You’ll have to specify with interface to listen on, and your database:
apt-get install snort-mysql
now install a parser tool, called acidbase:
apt-get install acidbase (ignore warnings, just create a database when prompted)
now create the database:
cd /usr/share/doc/snort-mysql zcat create_mysql.gz | mysql -u <user> -p <databasename> rm /etc/snort/db-pending-config /etc/init.d/snort start
now visit http://localhost/acidbase/
and you should see a management panel
I wanted to manage my server on eth0 and listen to a mirror port on eth1, so I set up my networking like (change the IP to what yours really is or it won’t work):
vi /etc/networking/interfaces # This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). # The loopback network interface auto lo iface lo inet loopback # The primary network interface auto eth0 iface eth0 inet static address 192.168.1.100 netmask 255.255.255.0 gateway 192.168.1.1 # dns-* options are implemented by the resolvconf package, if installed dns-nameservers 126.96.36.199 auto eth1 iface eth1 inet manual up ifconfig eth1 promisc up down ifconfig eth1 promisc down