
IDS Installation and Configuration Manual, Version 2.0, 2 Sep, 2011

SOMALI RESEARCH AND EDUCATION NETWORK

Team Member                 Email                KTH Credits
Zhaoyu Wang                 [email protected]    30
Saber Khamooshi             [email protected]    15
Dan Wu                      [email protected]    15
Hantao Wang                 [email protected]    15
Ilias Karonis               [email protected]    15
Muhammad Sheharyar Saeed    [email protected]    15
Noman Mumtaz Ali            [email protected]    15

Champion: Björn Pehrson
Coach: Bruce Zamaere
Anand Kannan
Erik Eliasson
My Anderberg
Hans Eriksson

Content

Revision History ..................................... 2
1. Introduction ...................................... 3
2. Purpose ........................................... 3
3. Scope ............................................. 3
4. Audience .......................................... 4
5. Assumptions ....................................... 4
6. Installation & Configuration ...................... 5
   6.1 Use of Backslash .............................. 5
   6.2 Snort Package Installation .................... 5
   6.3 Set up LAMP ................................... 6
   6.4 Install and Configure BASE ................... 10
7. Test Snort ....................................... 13
8. Links & References ............................... 15

Revision History

Version     | Date              | Changes                                                   | Author(s)
Version 1.0 | 23 August, 2011   | Draft version of IDS installation and configuration guide | Muhammad Sheharyar Saeed, Zhaoyu Wang
Version 2.0 | 2 September, 2011 | Add testing part                                          | Muhammad Sheharyar Saeed, Zhaoyu Wang

1. Introduction

An Intrusion Detection System (IDS) is a device or application, such as Snort, that monitors network and system activity for malicious behaviour based on a set of rules, in order to help guarantee the confidentiality, integrity and availability of network and system resources [1].

An IDS is different from a firewall. Metaphorically, a firewall is like the lock of a building, while an IDS is like the building's monitoring system: once a thief breaks into the building, or a member of the internal staff does something bad, the real-time monitoring system rings the alarm.

The figure to the right shows a simple IDS. Traffic entering a switch with a mirrored port is copied to the port the IDS is connected to. The interface on the IDS is in promiscuous mode, allowing it to inspect all of the mirrored traffic [2].

2. Purpose

The purpose of this document is to guide the reader through the installation and configuration of an IDS (Intrusion Detection System) on the Ubuntu server that will operate in the SomaliREN Network Operations Center (NOC).

3. Scope

The document provides step-by-step guidance on how to install and configure the IDS on the NOC's Ubuntu server in order to satisfy the required monitoring specifications.

4. Audience

This manual is addressed to the SomaliREN team members working on network deployment tasks and to the Somali network engineers responsible for the NOC.

5. Assumptions

This manual covers the installation and configuration of Snort on the Ubuntu 11.04 platform. Snort can be installed from a package or built manually. We choose to install it from a package, so we do not need to look after the Snort dependencies or install the tools needed for compilation [3].

The following packages will be installed step by step:

snort-mysql, including: libltdl7, libmysqlclient16, libprelude2, mysql-common, oinkmaster, snort-common, snort-common-libraries, snort-mysql and snort-rules-default

lamp-server, including: libpcap0.8-dev, libmysqlclient15-dev, mysql-client-5.0, mysql-server-5.0, bison, flex, apache2, libapache2-mod-php5, php5-gd, php5-mysql, libphp-adodb and php-pear

Basic Analysis and Security Engine (BASE)

6. Installation & Configuration

6.1 Use of Backslash

There are several examples in this manual where one line of the document is not long enough for one line as displayed in the Ubuntu terminal, so we use \ to split it over multiple lines. For instance, the following is one line in your configuration file, not two:

    output database: log, mysql, user=snortuser password=somaliren dbname=snort \
        host=localhost

If you are copying and pasting, you can remove the backslash and join the parts into one line [4].

6.2 Snort Package Installation

As the first step, install Snort with the following command:

    # apt-get install snort-mysql

It will prompt you to set the address range for the local network:

    The networks under surveillance: any

Then a prompt about setting up a database for snort-mysql to log to will pop up. We want to set up the database manually; therefore we select . [5]

6.3 Set up LAMP

After Snort is installed, it is time to install LAMP (Linux-Apache-MySQL-PHP); MySQL will serve as the database for Snort. Issue the following command to install LAMP:

    # sudo tasksel install lamp-server

During the install process, it will ask you to set the MySQL root password.

The next step is to create the snort database.

Enter the MySQL console as user root:

    # sudo mysql -u root -p

Create a database named snort:

    > create database snort;

It is dangerous to let Snort access the database as the root user; therefore we had better create a new user who can only access the snort database. In our scenario, we set somaliren as the password of the new MySQL user named snortuser. You can replace it with a password of your choice:

    > grant all on snort.* to snortuser@localhost identified by 'somaliren';

Reload the MySQL privileges and leave the console:

    > flush privileges;
    > exit;

The snort database is ready; now we need to create the tables inside the database.

Luckily, the tables are already prepared. What we have to do is find the table definitions and import them into MySQL.

Use the following command to search for the create_mysql.gz file:

    # dpkg -L snort-mysql

The output should look like this:

    /usr/share/doc/snort-mysql
    /usr/share/doc/snort-mysql/CREDITS.gz
    /usr/share/doc/snort-mysql/BUGS
    /usr/share/doc/snort-mysql/README-database-upgrade.Debian
    /usr/share/doc/snort-mysql/README.csv
    /usr/share/doc/snort-mysql/AUTHORS
    /usr/share/doc/snort-mysql/create_mysql.gz
    /usr/share/doc/snort-mysql/README.Maintainer
    /usr/share/doc/snort-mysql/README.gz
    /usr/share/doc/snort-mysql/NEWS.gz
    /usr/share/doc/snort-mysql/snort_rules.html
    /usr/share/doc/snort-mysql/USAGE.gz
    /usr/share/doc/snort-mysql/copyright
    /usr/share/doc/snort-mysql/NEWS.Debian.gz
    /usr/share/doc/snort-mysql/README-database.Debian
    /usr/share/doc/snort-mysql/README.FLEXRESP
    /usr/share/doc/snort-mysql/README.PLUGINS
    /usr/share/doc/snort-mysql/README.database.gz
    /usr/share/doc/snort-mysql/changelog.Debian.gz

As shown above, the file is located at /usr/share/doc/snort-mysql/create_mysql.gz. Unzip it with the following command:

    # gzip -d /usr/share/doc/snort-mysql/create_mysql.gz

Now it is time to import the tables into MySQL:

    # mysql -u root -p snort < /usr/share/doc/snort-mysql/create_mysql

Then enter the password of the MySQL root user to continue.

Since the snort-mysql and LAMP packages are installed, it is time to configure Snort to access the snort database in MySQL. The configuration file is /etc/snort/snort.conf:

    # nano /etc/snort/snort.conf

Find the following line:

    # output database: log, mysql, user=root password=test dbname=db host=localhost

Change it to:

    output database: log, mysql, user=snortuser password=somaliren dbname=snort \
        host=localhost

Change the password somaliren to the password you have set for your snort database user.

In the same file, find the following lines and uncomment them (the password in this block must also match the one you set for snortuser):

    ruletype redalert
    {
        type alert
        output alert_syslog: LOG_AUTH LOG_ALERT
        output database: log, mysql, user=snortuser password=snortpassword dbname=snort \
            host=localhost
    }

Now we are ready to start Snort:

    # snort -u snort -c /etc/snort/snort.conf

The following figure shows a screenshot of the Snort service starting [6].

6.4 Install and Configure BASE

Download base-1.4.5 with the following command:

    # wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz

Uncompress the archive and move it to the correct location:

    # tar zxvf base-1.4.5.tar.gz
    # mv base-1.4.5 /var/www/base/

ADOdb (Active Data Objects Data Base), a database abstraction library for PHP, is needed by BASE. Download it with the following command:

    # wget http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-513-for-php5/adodb513.zip

Uncompress the file and move it into the BASE folder (the resulting directory must match the $DBlib_path setting in base_conf.php, which is set below to /var/www/base/adodb5):

    # unzip adodb513.zip
    # mv adodb513 /var/www/base/

Now BASE is installed, and it is time to configure it. The first step is to modify the file named base_conf.php.dist, located in the BASE directory:

    # nano /var/www/base/base_conf.php.dist

The following lines should be changed according to your settings:

    $DBlib_path = "/var/www/base/adodb5";
    $DBtype = "mysql";
    $alert_dbname = "snort";
    $alert_host = "localhost";
    $alert_port = "";
    $alert_user = "snortuser";
    $alert_password = "somaliren";
    $archive_dbname = "snort";
    $archive_host = "localhost";
    $archive_port = "";
    $archive_user = "snortuser";
    $archive_password = "somaliren";

After this we rename the file from base_conf.php.dist to base_conf.php:

    # mv /var/www/base/base_conf.php.dist /var/www/base/base_conf.php

Then import the BASE MySQL tables into the snort database:

    # mysql -u root -p snort < /var/www/base/sql/create_base_tbls_mysql.sql

Another thing to set up is BASE graphs:

1. Install php5-gd for handling graphics directly from PHP scripts:

    # apt-get install php5-gd

2. Then restart Apache:

    # /etc/init.d/apache2 restart

3. Download and install the php-pear package for the libraries:

    # apt-get install php-pear

4. Install the following PEAR packages. Because of dependencies between them, it is important to install them in the following order [7]:

    # pear install --force Image_Color
    # pear install --force Image_Canvas
    # pear install --force Image_Graph
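Before opening BASE it is worth verifying that the credentials in snort.conf and base_conf.php agree, since a disagreement (such as the password=snortpassword left in the redalert block of section 6.3) means one of the two cannot log in to the snort database. The following Python script is an added example, not part of the manual: it joins backslash-continued lines as described in section 6.1, extracts every active output database: directive from snort.conf and the $alert_* settings from base_conf.php, and lists the fields that differ. The two configuration fragments are constructed for the example from the values used in this manual.

```python
import re

# Constructed samples (values from this manual); directive 2 carries the 6.3 mismatch.
SNORT_CONF = """\
# output database: log, mysql, user=root password=test dbname=db host=localhost
output database: log, mysql, user=snortuser password=somaliren dbname=snort \\
    host=localhost
ruletype redalert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snortuser password=snortpassword dbname=snort \\
        host=localhost
}
"""

BASE_CONF = """\
$alert_dbname   = "snort";
$alert_host     = "localhost";
$alert_port     = "";
$alert_user     = "snortuser";
$alert_password = "somaliren";
"""

KEYS = ("user", "password", "dbname", "host")

def snort_db_outputs(text):
    """One dict per active (uncommented) 'output database:' directive in snort.conf."""
    # Backslash-newline continues a line (section 6.1): join before parsing.
    outputs = []
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = line.strip()
        if line.startswith("#") or not line.startswith("output database:"):
            continue
        params = dict(re.findall(r"(\w+)=(\S+)", line))
        outputs.append({k: params.get(k) for k in KEYS})
    return outputs

def base_alert_db(text):
    """The $alert_* settings of base_conf.php, keyed like the snort.conf parameters."""
    found = dict(re.findall(r'\$alert_(\w+)\s*=\s*"([^"]*)"', text))
    return {k: found.get(k) for k in KEYS}

def mismatches(snort_text, base_text):
    """(directive index, key, snort value, BASE value) for every disagreement."""
    base = base_alert_db(base_text)
    return [(i, k, o[k], base[k])
            for i, o in enumerate(snort_db_outputs(snort_text))
            for k in KEYS if o[k] != base[k]]
```

On a real server, read the two files from /etc/snort/snort.conf and /var/www/base/base_conf.php and call mismatches() on their contents; an empty list means the settings agree.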

7. Test Snort

Finally, the installation and configuration are done and it is time to check our work. Open a web browser, go to http://localhost/base/base_main.php and look at your events. The following is a screenshot of our BASE page.

To test our Snort server, we run Nmap on another machine to perform a port scan of the Snort server with the following command:

    # nmap -p1-65535 -sV -sS -O 192.16.126.77

192.16.126.77 is the IP address of the Snort server. The port scan traffic is detected as a threat. Open the BASE web page and check the TCP Traffic Profile; the portscan alerts should be seen as follows.

These alerts can also be sent by email; the small window for this can be found at the bottom of the page. The following picture shows the received email.

8. Links & References

[1] Intrusion Detection System, Wikipedia, last viewed 24 Aug, 2011. Available: http://en.wikipedia.org/wiki/Intrusion_detection_system
[2] Snort IDS, Ubuntu Community Help, last viewed 24 Aug, 2011. Available: https://help.ubuntu.com/community/SnortIDS
[3] Snort tutorial, Openmaniak, last viewed 24 Aug, 2011. Available: http://openmaniak.com/snort_tutorial_snort.php#ancre-point2
[4] Snort manual (snort_manual.pdf), snort.org, last viewed 24 Aug, 2011. Available: http://www.snort.org/assets/166/snort_manual.pdf
[5] Snort tutorial, Openmaniak, last viewed 24 Aug, 2011. Available: http://openmaniak.com/snort_tutorial_snort.php#ancre-point2
[6] Snort IDS, Ubuntu Community Help, last viewed 24 Aug, 2011. Available: https://help.ubuntu.com/community/SnortIDS
[7] Snort tutorial: BASE, Openmaniak, last viewed 24 Aug, 2011. Available: http://openmaniak.com/snort_tutorial_base