IDS Installation and configuration manual Version 2.0 2 Sep, 2011

IDS
Installation and Configuration
manual




SOMALI RESEARCH
AND
EDUCATION NETWORK



Team Member                 Email              KTH Credits
Zhaoyu Wang                 zhaoyu@kth.se      30
Saber Khamooshi             saberk@kth.se      15
Dan Wu                      dawu@kth.se        15
Hantao Wang                 hantao@kth.se      15
Ilias Karonis               karonis@kth.se     15
Muhammad Sheharyar Saeed    mssaeed@kth.se     15
Noman Mumtaz Ali            nmali@kth.se       15


Champion    Björn Pehrson

Coach       Bruce Zamaere
            Anand Kannan
            Erik Eliasson
            My Anderberg
            Hans Eriksson



Content
Revision History .............................................................................................. 2
1. Introduction .................................................................................................. 3
2. Purpose ........................................................................................................ 3
3. Scope ........................................................................................................... 3
4. Audience ...................................................................................................... 4
5. Assumptions................................................................................................. 4
6. Installation & Configuration ......................................................................... 5
6.1 Use of backslash .................................................................................. 5
6.2 Snort package Installation ................................................................... 5
6.3 Set up LAMP ...................................................................................... 6
6.4 Install and Configure BASE .............................................................. 10
7. Test Snort ................................................................................................... 13
8. Links & References ..................................................................... 15





Revision History


Version      Date               Changes                                Author(s)
Version 1.0  23 August, 2011    Draft version of IDS installation      Muhammad Sheharyar Saeed
                                and configuration guide                Zhaoyu Wang
Version 2.0  2 September, 2011  Add testing part                       Muhammad Sheharyar Saeed
                                                                       Zhaoyu Wang




1. Introduction
An Intrusion Detection System (IDS) is a device or application, such as Snort, that monitors network and system activity for malicious behaviour according to a set of rules, in order to protect the confidentiality, integrity, and availability of network and system resources [1].
An IDS is different from a firewall. Metaphorically, a firewall is like the lock on a building, while an IDS is like the building's monitoring system. Once a thief breaks into the building, or a member of the internal staff does something they should not, the real-time monitoring system raises the alarm.

The figure to the right shows a simple IDS. Data coming into a switch with a mirrored port is copied to the port that the IDS is connected to. The interface on the IDS is in promiscuous mode, allowing it to inspect all of this traffic [2].


2. Purpose

The purpose of the present document is to guide the reader through the installation and configuration of an IDS (Intrusion Detection System) on the Ubuntu server that will operate in the SomaliREN Network Operations Center (NOC).

3. Scope

The document provides step-by-step guidance on how to install and configure the IDS on the NOC's Ubuntu server in order to satisfy the required monitoring specifications.


4. Audience

This manual is addressed to the SomaliREN team members working on network deployment tasks and to the Somali network engineers responsible for the NOC.

5. Assumptions

This manual covers the installation and configuration of Snort on the Ubuntu 11.04 platform. Snort can be installed from a package or built manually. We choose to install it from a package; therefore we do not need to resolve the Snort dependencies ourselves or install tools for compilation [3].


The following packages will be installed step by step:
snort-mysql:
    Including: libltdl7, libmysqlclient16, libprelude2, mysql-common, oinkmaster, snort-common, snort-common-libraries, snort-mysql and snort-rules-default
lamp-server:
    Including: libpcap0.8-dev, libmysqlclient15-dev, mysql-client-5.0, mysql-server-5.0, bison, flex, apache2, libapache2-mod-php5, php5-gd, php5-mysql, libphp-adodb and php-pear
Basic Analysis and Security Engine (BASE)



6. Installation & Configuration

6.1 Use of Backslash

There will be several examples in this manual where one line of the document is not long enough for one line as displayed in the Ubuntu terminal. In those cases we use \ to split it into multiple lines. For instance, the following should be one line in your configuration file, not two:

output database: log, mysql, user=snortuser password=somaliren dbname=snort \
host=localhost

If you are copying and pasting, you can remove the backslash to make it one line. [4]


6.2 Snort Package Installation

The first step is to install Snort with the following command:

# apt-get install snort-mysql

It will prompt you to set the address range for the local network:

The networks under surveillance: any

Then a prompt about setting up a database for snort-mysql to log to will pop up.

We want to set up the database manually; therefore we select <NO>. [5]



6.3 Set up LAMP

After snort-mysql is installed, it is time to install LAMP (Linux-Apache-MySQL-PHP); MySQL will serve as the database for Snort. Issue the following command to install LAMP:

# sudo tasksel install lamp-server

During the install process, it will ask you to set the MySQL root password.


Next, we will create the snort database.
Enter the MySQL shell as user root:

# sudo mysql -u root -p

Create a database named snort in the MySQL shell:

>create database snort;

It is dangerous to access the database as the root user; therefore it is better to create a new user who can only access the snort database:

>grant all on snort.* to snortuser@localhost identified by 'somaliren';

In our scenario, we set somaliren as the password of the new MySQL user named snortuser. You can replace it with a password of your own choice.

Reload the MySQL privileges and leave the shell:

>flush privileges;
>exit;

The snort database is ready; now we need to create the tables inside the database.

Luckily the tables are already prepared. What we have to do is find them and import them into MySQL.
Use the following line to search for the create_mysql.gz file:

# dpkg -L snort-mysql

The output should look like this:

/usr/share/doc/snort-mysql
/usr/share/doc/snort-mysql/CREDITS.gz
/usr/share/doc/snort-mysql/BUGS
/usr/share/doc/snort-mysql/README-database-upgrade.Debian
/usr/share/doc/snort-mysql/README.csv
/usr/share/doc/snort-mysql/AUTHORS
/usr/share/doc/snort-mysql/create_mysql.gz
/usr/share/doc/snort-mysql/README.Maintainer
/usr/share/doc/snort-mysql/README.gz
/usr/share/doc/snort-mysql/NEWS.gz
/usr/share/doc/snort-mysql/snort_rules.html
/usr/share/doc/snort-mysql/USAGE.gz
/usr/share/doc/snort-mysql/copyright
/usr/share/doc/snort-mysql/NEWS.Debian.gz
/usr/share/doc/snort-mysql/README-database.Debian
/usr/share/doc/snort-mysql/README.FLEXRESP
/usr/share/doc/snort-mysql/README.PLUGINS
/usr/share/doc/snort-mysql/README.database.gz
/usr/share/doc/snort-mysql/changelog.Debian.gz

As shown above, it is located at /usr/share/doc/snort-mysql/create_mysql.gz.
Unzip this file with the following line:

# gzip -d /usr/share/doc/snort-mysql/create_mysql.gz

Now it is time to import the tables into MySQL:

# mysql -u root -p snort < /usr/share/doc/snort-mysql/create_mysql

Then enter your password for the MySQL root user to continue.


Now that the snort-mysql and LAMP packages are installed, it is time to configure Snort to access the snort database in MySQL.
The snort.conf file can be found at /etc/snort/snort.conf:

# nano /etc/snort/snort.conf

Find the following line:

# output database: log, mysql, user=root password=test dbname=db host=localhost

Change it to:

output database: log, mysql, user=snortuser password=somaliren dbname=snort \
host=localhost

Change the password somaliren to the password you have set for your snort database user.
In the same file, find the following lines and uncomment them. The user and password in this block must be the same as in the output line above, otherwise alerts raised through the redalert rule type will not reach the database:

ruletype redalert
{
type alert
output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user=snortuser password=somaliren dbname=snort \
host=localhost
}

Now we are ready to start Snort:

# snort -u snort -c /etc/snort/snort.conf

The following figure shows the screenshot of starting the snort service. [6]

6.4 Install and Configure BASE

Download base-1.4.5 with the following command:

# wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz

We need to uncompress the file and put it in the correct location:

# tar zxvf base-1.4.5.tar.gz
# mv base-1.4.5 /var/www/base/

ADOdb (Active Data Objects Data Base) is needed by BASE. ADOdb is a database abstraction library for PHP. Download it with the following command:

# wget http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-513-for-php5/adodb513.zip

Unzip the file and put it in the correct folder. The archive unpacks into a directory named adodb5, which is the directory referenced as $DBlib_path in the BASE configuration below:

# unzip adodb513.zip
# mv adodb5 /var/www/base/

Now BASE is installed; it is time to configure it.
The first step is to modify the file named base_conf.php.dist, located in the BASE directory:

# nano /var/www/base/base_conf.php.dist

The following lines should be changed according to your settings:

$DBlib_path = '/var/www/base/adodb5';

$DBtype = 'mysql';

$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snortuser';
$alert_password = 'somaliren';

$archive_dbname = 'snort';
$archive_host = 'localhost';
$archive_port = '';
$archive_user = 'snortuser';
$archive_password = 'somaliren';

After this we rename the file from base_conf.php.dist to base_conf.php:

# mv /var/www/base/base_conf.php.dist /var/www/base/base_conf.php

Then import the BASE MySQL tables into the snort database:

# mysql -u root -p snort < /var/www/base/sql/create_base_tbls_mysql.sql

Another thing to do is to set up the BASE graphs:
1. We need to install php5-gd for handling graphics directly from PHP scripts:

# apt-get install php5-gd

2. Then restart Apache:

# /etc/init.d/apache2 restart

3. Download and install the php-pear package for the libraries:

# apt-get install php-pear

4. Install the following packages. Because there are some dependencies between them, it is important to install them in the following order [7]:

# pear install --force Image_Color
# pear install --force Image_Canvas
# pear install --force Image_Graph
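The same database credentials now live in three places: the output database line in snort.conf (section 6.3), the redalert rule type in the same file, and the $alert_* settings in base_conf.php (section 6.4). If they drift apart, Snort logs nothing or BASE shows no events. The following Python script is an added example, not part of the original manual: it joins backslash-continued lines as described in section 6.1, extracts every active output database: line from snort.conf and the $alert_* settings from base_conf.php, and reports differences; it also flags either file being world-readable, since both contain the password. The file paths are the ones used in this manual; the configuration fragments embedded in the script are constructed, and the ruletype block in the sample deliberately carries a second, different password to show what the check reports.

```python
"""Consistency check for the Snort <-> BASE database settings from this manual.

Added example (not part of the original manual). Reads the 'output database:'
line(s) from snort.conf, honouring trailing-backslash continuation (section 6.1),
and the $alert_* settings from base_conf.php, and reports every mismatch.
"""
import os
import re
import stat
import sys

# Constructed sample snort.conf fragment (not captured from a real system).
# The second output line carries a different password on purpose.
SAMPLE_SNORT_CONF = """\
# output database: log, mysql, user=root password=test dbname=db host=localhost
output database: log, mysql, user=snortuser password=somaliren dbname=snort \\
host=localhost
ruletype redalert
{
type alert
output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user=snortuser password=snortpassword dbname=snort \\
host=localhost
}
"""

# Constructed sample base_conf.php fragment.
SAMPLE_BASE_CONF = """\
$DBlib_path = '/var/www/base/adodb5';
$DBtype = 'mysql';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snortuser';
$alert_password = 'somaliren';
"""

DB_KEYS = ("dbname", "host", "user", "password")


def join_continuations(text):
    """Join lines that end in a backslash with the following line (section 6.1)."""
    lines, pending = [], ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            pending += raw.rstrip()[:-1] + " "   # drop the backslash, keep a separator
            continue
        lines.append(pending + raw)
        pending = ""
    if pending:
        lines.append(pending)
    return lines


def parse_snort_outputs(text):
    """Return one dict of key=value parameters per active (uncommented) output database line."""
    outputs = []
    for line in join_continuations(text):
        line = line.strip()
        if not line.startswith("output database:"):
            continue   # comments ('# output ...') and every other directive
        outputs.append(dict(re.findall(r"(\w+)=(\S+)", line)))
    return outputs


def parse_base_conf(text, prefix="alert"):
    """Return the $<prefix>_dbname/host/user/password values from base_conf.php."""
    pattern = r"\$%s_(\w+)\s*=\s*['\"]([^'\"]*)['\"]\s*;" % prefix
    return {name: value for name, value in re.findall(pattern, text) if name in DB_KEYS}


def check_consistency(snort_conf_text, base_conf_text):
    """Compare every active Snort database output with BASE's alert settings.

    Returns a list of human-readable problems; an empty list means consistent.
    """
    problems = []
    outputs = parse_snort_outputs(snort_conf_text)
    base = parse_base_conf(base_conf_text, "alert")
    if not outputs:
        problems.append("snort.conf has no active 'output database:' line")
    for n, out in enumerate(outputs, 1):
        for key in DB_KEYS:
            if out.get(key) != base.get(key):
                problems.append("output #%d: %s=%r in snort.conf but %r in base_conf.php"
                                % (n, key, out.get(key), base.get(key)))
    return problems


def is_world_readable(mode):
    """True if the mode bits let 'other' read the file; both files hold the DB password."""
    return bool(mode & stat.S_IROTH)


def main(snort_conf="/etc/snort/snort.conf", base_conf="/var/www/base/base_conf.php"):
    with open(snort_conf) as f:
        snort_text = f.read()
    with open(base_conf) as f:
        base_text = f.read()
    problems = check_consistency(snort_text, base_text)
    for path in (snort_conf, base_conf):
        if is_world_readable(os.stat(path).st_mode):
            problems.append("%s is world-readable and contains the database password" % path)
    for p in problems:
        print("PROBLEM:", p)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:]))
```

Run it as root after section 6.4 (the default paths are the manual's; pass two other paths as arguments to check copies). On the embedded sample it reports exactly one problem, the differing password inside the redalert block, which is the kind of mistake that leaves BASE empty while Snort appears to run.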


7. Test Snort

Finally, the installation and configuration is done. It is time to check our work:
Open a web browser, go to http://localhost/base/base_main.php and look at your events.

The following is the screenshot of our BASE page:


To test our Snort server, we run NMAP on another machine to perform a port scan of the Snort server using the following command:

# nmap -p1-65535 -sV -sS -O 192.16.126.77

192.16.126.77 is the IP address of the Snort server. The port scan traffic is seen as a threat. Open the BASE web page to check the TCP Traffic Profile. The port scan alerts should be seen as follows:



These alerts can also be sent by email:


This small window can be found at the bottom of the page.
The following picture shows the received email:
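BASE groups the alerts for you in the browser. The following Python script is an added example, not part of the original manual, that does a similar grouping on Snort's text alert log, so the port scan test above can also be confirmed from a shell on the Snort server. It assumes Snort's alert_fast output format (one alert per line, as written by an output alert_fast line in snort.conf, which this manual does not configure). The sample lines embedded in it are constructed: 192.16.126.77 is the manual's Snort server and 192.16.126.10 is an assumed second machine. Sources that triggered the sfportscan preprocessor (generator id 122) are listed separately, since those are the alerts the NMAP test should produce.

```python
"""Triage Snort alert_fast lines by source host.

Added example, not part of the original manual. Parses one alert per line in
Snort 2.x alert_fast format and summarises, per source IP, how many alerts it
caused, how many came from the portscan preprocessor, its most severe priority
(1 is the most severe) and the destination ports it touched.
"""
import re
import sys
from collections import defaultdict

# Constructed sample alert_fast lines (not output captured from the manual's setup).
SAMPLE_ALERTS = """\
08/30-12:00:01.123456  [**] [122:1:0] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 192.16.126.10 -> 192.16.126.77
08/30-12:00:02.654321  [**] [122:3:0] (portscan) TCP Portsweep [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 192.16.126.10 -> 192.16.126.77
08/30-12:00:05.000000  [**] [1:1418:11] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.16.126.10:45012 -> 192.16.126.77:161
08/30-12:01:00.000000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.16.126.20 -> 192.16.126.77
"""

PORTSCAN_GID = 122  # generator id of Snort's sfportscan preprocessor

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def split_addr(addr):
    """Split 'ip:port' into (ip, port); port is None when absent. IPv4 only."""
    if addr.count(":") == 1:
        ip, port = addr.split(":")
        return ip, int(port)
    return addr, None


def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None when it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = split_addr(m.group("src"))
    dst_ip, dst_port = split_addr(m.group("dst"))
    return {
        "ts": m.group("ts"), "gid": int(m.group("gid")), "sid": int(m.group("sid")),
        "msg": m.group("msg"), "priority": int(m.group("pri")), "proto": m.group("proto"),
        "src": src_ip, "src_port": src_port, "dst": dst_ip, "dst_port": dst_port,
    }


def summarize(text):
    """Group alerts by source IP: total, portscan count, lowest priority number, target ports."""
    per_src = defaultdict(lambda: {"total": 0, "portscan": 0, "priority": None, "dst_ports": set()})
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue   # unparsable or blank line
        entry = per_src[a["src"]]
        entry["total"] += 1
        if a["gid"] == PORTSCAN_GID:
            entry["portscan"] += 1
        if entry["priority"] is None or a["priority"] < entry["priority"]:
            entry["priority"] = a["priority"]
        if a["dst_port"] is not None:
            entry["dst_ports"].add(a["dst_port"])
    return dict(per_src)


def scanning_hosts(summary):
    """Source IPs that triggered at least one sfportscan alert, busiest first."""
    hosts = [src for src, e in summary.items() if e["portscan"] > 0]
    return sorted(hosts, key=lambda s: (-summary[s]["total"], s))


def main(path=None):
    text = open(path).read() if path else SAMPLE_ALERTS
    summary = summarize(text)
    for src in sorted(summary, key=lambda s: -summary[s]["total"]):
        e = summary[src]
        print("%-16s alerts=%d portscan=%d top_priority=%s ports=%s"
              % (src, e["total"], e["portscan"], e["priority"], sorted(e["dst_ports"])))
    print("scanning hosts:", ", ".join(scanning_hosts(summary)) or "none")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

With no argument it runs on the embedded sample and lists 192.16.126.10 as the only scanning host; pass the path of your alert_fast file to run it on real data. Matching the summary against what BASE shows for the same time window is a quick way to confirm that alerts are reaching the database at all.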






8. Links & References


[1]. Intrusion Detection System, Wikipedia, last viewed 24 Aug, 2011; Available:
http://en.wikipedia.org/wiki/Intrusion_detection_system

[2]. Snort IDS, Ubuntu, last viewed 24 Aug, 2011; Available:
https://help.ubuntu.com/community/SnortIDS

[3]. Snort tutorial, Openmaniak, last viewed 24 Aug, 2011; Available:
http://openmaniak.com/snort_tutorial_snort.php#ancre-point2

[4]. Snort manual (snort_manual.pdf), snort.org, last viewed 24 Aug, 2011; Available:
http://www.snort.org/assets/166/snort_manual.pdf

[5]. Snort tutorial, Openmaniak, last viewed 24 Aug, 2011; Available:
http://openmaniak.com/snort_tutorial_snort.php#ancre-point2

[6]. Snort IDS, Ubuntu, last viewed 24 Aug, 2011; Available:
https://help.ubuntu.com/community/SnortIDS

[7]. Snort tutorial: BASE, Openmaniak, last viewed 24 Aug, 2011; Available:
http://openmaniak.com/snort_tutorial_base