June 20, 2021

Snort howto

Snort is an open-source intrusion detection/prevention system (an IDS when it only watches a copy of the traffic, an IPS when it sits inline and can drop packets) that watches the network for things you define as bad, via rules, and tells you about them. At first it tells you a lot, a deluge, but as you tune it over time it reports less, and more important, things. It can log events to a file or a database, email you, and so on.

Install Snort

Snort needs an interface that is configured a bit oddly. You set up what is called a mirror or SPAN port on the switch upstream (some basic switches can't do this, but there are workarounds such as a hub or a network tap), then put a second interface in your Snort box that only listens to that port. That interface stays essentially unconfigured: no IP address, just a passive listener in promiscuous mode; the interfaces file further down shows how. Without both of these the rest won't work, unless of course your Snort box is inline, but then you should already know what you're doing, because a mistake on an inline box can cut the whole network off from upstream. It's a good idea to start with an IDS rather than an IPS, but it's your choice.

While installing Snort, you have to tell it which network to watch (its HOME_NET). In this example I use 10.1.2.0/24, which means every host on 10.1.2.x: traffic to or from 10.1.2.100, 10.1.2.231 and so on is matched against the rules as it passes the mirror port. The /24 means the netmask is 255.255.255.0, which is common on home networks.

apt-get install mysql-server apache2 php5

Now install Snort, in this case the version that integrates with MySQL. You'll have to specify which interface to listen on, your HOME_NET, and your database (the package names here are from older Debian/Ubuntu releases; check what your release provides):

apt-get install snort-mysql

now install a parser tool, called acidbase:

apt-get install acidbase

Ignore the warnings; when prompted, let it create a database.

now load the Snort schema into the database (-p with no value prompts for the password):

cd /usr/share/doc/snort-mysql
zcat create_mysql.gz | mysql -u <user> -p <databasename>
rm /etc/snort/db-pending-config
/etc/init.d/snort start

now visit http://localhost/acidbase/

and you should see a management panel

I wanted to manage my server on eth0 and listen to a mirror port on eth1, so I set up my networking like this (change the addresses to match your network or it won't work):

vi /etc/network/interfaces
  # This file describes the network interfaces available on your system
  # and how to activate them. For more information, see interfaces(5).
 
  # The loopback network interface
  auto lo
  iface lo inet loopback
 
  # The primary (management) network interface
  auto eth0
  iface eth0 inet static
        address 192.168.1.100
        netmask 255.255.255.0
        gateway 192.168.1.1
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 8.8.8.8
 
  # The sniffing interface on the mirror/SPAN port: no address, just
  # brought up in promiscuous mode so the NIC passes every frame to Snort
  auto eth1
  iface eth1 inet manual
        up ifconfig eth1 promisc up
        down ifconfig eth1 -promisc down
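Once the box is rebooted (or eth1 is brought up with ifup), it is worth checking that the pieces above actually line up before trusting the sensor. The following POSIX shell script is an added example, not code from the original post or from the Snort project. It assumes the layout used on this page (management on eth0, SPAN port on eth1, HOME_NET 10.1.2.0/24) and, beyond what the page states, that the config lives at /etc/snort/snort.conf and includes /etc/snort/rules/local.rules; the rule it writes (sid 1000001) is constructed here for the test and is not a shipped Snort rule.

```sh
#!/bin/sh
# check_sensor.sh - added example, not part of the original post.
# Verifies what the howto relies on: the sniffing interface is promiscuous,
# the HOME_NET netmask is what you think it is, a local test rule exists,
# and the Snort config parses.
# Assumed layout (change to match yours): management on eth0, SPAN port on
# eth1, HOME_NET 10.1.2.0/24, config at /etc/snort/snort.conf, and
# /etc/snort/rules/local.rules included by that config.

SNIFF_IF="${SNIFF_IF:-eth1}"
HOME_NET="${HOME_NET:-10.1.2.0/24}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
LOCAL_RULES="${LOCAL_RULES:-/etc/snort/rules/local.rules}"

# Turn a prefix length into a dotted netmask, e.g. 24 -> 255.255.255.0,
# so you can compare it with what the package installer asked for.
cidr_to_netmask() {
    prefix=$1
    mask=""
    i=0
    while [ "$i" -lt 4 ]; do
        if [ "$prefix" -ge 8 ]; then
            octet=255
        elif [ "$prefix" -le 0 ]; then
            octet=0
        else
            octet=$(( 256 - (1 << (8 - prefix)) ))
        fi
        mask="${mask}${mask:+.}${octet}"
        prefix=$(( prefix - 8 ))
        i=$(( i + 1 ))
    done
    printf '%s\n' "$mask"
}

# Take the output of `ip link show <if>` and succeed only if the flag list
# inside <...> contains PROMISC. Without it the NIC drops frames that are
# not addressed to it and Snort sees almost nothing from the SPAN port.
link_is_promisc() {
    printf '%s\n' "$1" | grep -q '<[^>]*PROMISC[^>]*>'
}

# A local rule that alerts on any ping into HOME_NET. SIDs >= 1000000 are
# reserved for local rules, so it cannot collide with a shipped rule.
icmp_test_rule() {
    printf 'alert icmp any any -> %s any (msg:"Sensor test ping"; sid:1000001; rev:1;)\n' "$1"
}

# Run the live checks on the sensor box; stops at the first failure.
check_sensor() {
    link_line=$(ip link show "$SNIFF_IF" 2>/dev/null) || {
        echo "no such interface: $SNIFF_IF" >&2; return 1; }
    link_is_promisc "$link_line" || {
        echo "$SNIFF_IF is not promiscuous; try: ip link set $SNIFF_IF promisc on" >&2
        return 1; }
    echo "HOME_NET $HOME_NET -> netmask $(cidr_to_netmask "${HOME_NET#*/}")"
    grep -q 'sid:1000001;' "$LOCAL_RULES" 2>/dev/null ||
        icmp_test_rule "$HOME_NET" >> "$LOCAL_RULES"
    # -T parses the config and every rule file, then exits without sniffing.
    snort -T -q -i "$SNIFF_IF" -c "$SNORT_CONF" >/dev/null 2>&1 || {
        echo "snort -T failed; rerun without -q to see why" >&2; return 1; }
    echo "checks passed; ping a host in $HOME_NET from another box and watch for sid 1000001"
}

case "${1:-}" in
    --check) check_sensor ;;
esac
```

Run it as `sh check_sensor.sh --check` on the sensor. If the promiscuous check fails, the `up ifconfig eth1 promisc up` line in the interfaces file did not take effect; if `snort -T` fails, fix the config before restarting the service, since a bad rule file stops Snort from starting at all. The ping rule is deliberately noisy: once you have seen it show up in acidbase, delete it from local.rules so it does not add to the deluge.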

reference: http://www.aboutdebian.com/snort.htm