Snort mailing list archives

Installing snort 1.8-beta build 37 in a chroot while logging to mysql in RedHat 7.1


From: Chris Owen <cowen () gt ca>
Date: Wed, 4 Jul 2001 04:23:22 -0400

These are the steps I followed to make Snort 1.8-beta build 37 log to a
mysql database while being in a chroot on a RedHat Linux 7.1/i386 box.  I
found the documentation to be a little dodgy so I wrote this with the hope
that it will be of use to someone... somewhere.  

I have snort logging to the database and stream4 is working like a dream
against http://snort.sourceforge.net/attack_scripts-0.1.tar.gz.  I'll mess
with stick and snot tomorrow morning to see if I can break it =).

This will probably look lame with word wrapping... sorry.

My questions are at the bottom.


---[ Step-by-step instructions ]-------

First I installed the mysql, libpcap, openssl and ntp rpms then configured
ntp.

Next I checked out and compiled the latest build of snort, which happens to
be 37 right now:

        cvs -d:pserver:anonymous@cvs.snort.sourceforge.net:/cvsroot/snort login
        press enter, there's no password.
        cvs -z3 -d:pserver:anonymous@cvs.snort.sourceforge.net:/cvsroot/snort co snort
        cd snort
        ./configure --with-mysql=/usr
        make

Next I created the user snort with the following command:

        useradd -c "snort user" -d /var/snort -s /bin/nosh -M -r snort

Next I created the following directory structure with 'mkdir -p':

        /var/snort
        /var/snort/bin
        /var/snort/etc
        /var/snort/etc/rules
        /var/snort/log
        /var/snort/var/lib/mysql

Next I changed the permissions on the /var/snort/log/ directory so snort
could create its logs:

        chgrp snort /var/snort/log
        chmod 775 /var/snort/log

Next I copied the following files:

        snort                                   -> /var/snort/bin
        snort.conf                              -> /var/snort/etc
        classification.config           -> /var/snort/etc
        *.rules                         -> /var/snort/etc/rules

And created the following hardlink:

        cd /var/snort/var/lib/mysql; ln /var/lib/mysql/mysql.sock .    *1

I filtered connections to mysql on my management interface: *2

        iptables -A INPUT -j DROP -i eth0 -p tcp --dport 3306

I started mysql:

        /etc/init.d/mysqld start

I removed the default users and the test database supplied with RedHat's
mysql package:

        mysql -D mysql -e "DELETE FROM user WHERE Host='localhost' AND User=''"
        mysql -D mysql -e "DELETE FROM user WHERE Host='localhost.localdomain'"
        mysql -D mysql -e "DELETE FROM db WHERE Host='%'"
        mysqladmin -u root flush-privileges
        mysqladmin -u root drop test

I put a password on the mysql root user:

        mysqladmin -u root password <password>

Then created the snort database:

        mysql -u root -p -e "CREATE DATABASE snort"

And created the user for the database snort:

        mysql -u root -p -e "GRANT CREATE,INSERT,SELECT ON snort.* TO snort@localhost IDENTIFIED BY '<password>'"

I populated the snort database with the create_mysql script from the cvs:

        mysql -D snort -u snort -p < ./contrib/create_mysql

Revoked create permission for snort@localhost (see Questions 3 and 4):

        # GRANT only adds privileges; REVOKE is what actually takes CREATE away
        mysql -u root -p -e "REVOKE CREATE ON snort.* FROM snort@localhost"

Edited snort.conf:

        - Added the output line:
                output database: log, mysql, user=snort password=<password> dbname=snort host=localhost
        - Fixed the include statements to point to the correct directories,
for example:
                "include exploit.rules" was changed to "include
/etc/rules/exploit.rules"
        - Edit the var's in Step #1 of the conf.

And then started snort sniffing on an interface protected by iptables. *3

        /var/snort/bin/snort -t /var/snort -u snort -g snort -c /etc/snort.conf -z est -l /log -i eth1 -D

It works!  Test it with 
        http://snort.sourceforge.net/attack_scripts-0.1.tar.gz, 
        http://packetstorm.securify.com/distributed/stick.tgz or
        http://www.geocities.com/sniph00/

Then type:

        mysql -u root -p -D snort -e "SELECT * from event"

Some udp alerts get logged... yay!

I added the following lines to /etc/rc.d/rc.local

        /sbin/iptables -A INPUT -i eth0 -j DROP -p tcp --dport 3306     *4
        /sbin/iptables -A OUTPUT -o eth1 -j DROP                        *4
        rm /var/snort/var/lib/mysql/mysql.sock                          *5
        sleep 10s; cd /var/snort/var/lib/mysql; ln /var/lib/mysql/mysql.sock .   *5
        /var/snort/bin/snort -t /var/snort -u snort -g snort -c /etc/snort.conf -z est -l /log -i eth1


---[ Footnotes ]--------------------


*1.     This has to be remade each time mysql restarts.
*2.     My filtering is much tighter than just this.  I also turned off
pretty much everything in "chkconfig --list" and updated with all the latest
errata at ftp://updates.redhat.com.
*3.     I'm stopping packets with: 
        iptables -A OUTPUT -o eth1 -j DROP
*4.     These will be moved out to their proper spot in
/etc/sysconfig/iptables with the other rules later.
*5.     I guess I'll add these to my mysql init script if there isn't a
better solution.


---[ TODO ]-------------------------


Now create an init script for snort to put in /etc/rc.d/init.d and link to
it from /etc/rc.d/rc3.d.  


---[ Questions ]---------- (sorry if they're stupid.)


1) Is there a better way of handling logging to mysql than creating a
hardlink to mysql.sock?  Why doesn't the database plugin use an AF_INET
socket instead?
2) Is there a way to stop all logging to "alert" and "portscan.log" in the
log directory, having all the information put in the database instead?
Create a /dev/null in my chroot and ln to it?
3) Does using iptables to block outgoing traffic on the sniffing interface
make it sufficiently difficult to detect?
4) What are the least permissions the user snort@localhost could have in
mysql for snort to be able to log?  Is INSERT,SELECT tight?
5) What are the least permissions I need to give the user that ACID will be
using to read the database?
6) When I start snort I receive the message "PATH_VARRUN is set to /var/run/
on this operating system".  Do I need to account for this in my chroot
somehow?
7) Is there any way to minimize fake UDP alerts the way stream4 minimizes
fake TCP alerts?
8) Have I done anything silly?  Am I missing anything?  I guess I could play
with the preprocessors a bit more... suggestions?
9) Is there any way I should write this so that it would be of more use to
people?  I could write what I had to do to make acid over ssl work on RedHat
as well...
10) Does anyone have a snazzy init script written for RedHat's latest
initscripts (5.83 I think) that I could have?



peace.out();
 Chris.

P.S.  I'm really looking forward to playing with barnyard/queuing.  How's
that coming along? =)
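As an added example (not part of Chris's post), here is a small POSIX shell function that does what footnotes *1 and *5 describe without the fixed "sleep 10s": it drops the stale hard link in the chroot, waits for mysqld to recreate its socket, and links it again. The paths default to the ones used in the post; the function name is an assumption of this example.

```sh
#!/bin/sh
# Added example (not from the original post): recreate the mysql.sock hard
# link inside the Snort chroot after mysqld has (re)started, replacing the
# fixed "sleep 10s" in rc.local. Defaults follow the paths used in the post.

# link_mysql_sock CHROOT [SOCKET] [TIMEOUT]
#   Waits up to TIMEOUT seconds for SOCKET to appear, then replaces the
#   stale entry under CHROOT/var/lib/mysql with a fresh hard link.
#   Returns 0 on success, 1 if the socket never appeared.
link_mysql_sock() {
    chroot_dir=$1
    sock=${2:-/var/lib/mysql/mysql.sock}
    timeout=${3:-30}
    target_dir="$chroot_dir/var/lib/mysql"
    link="$target_dir/$(basename "$sock")"

    mkdir -p "$target_dir" || return 1

    # A hard link keeps the old inode alive after mysqld restarts, so the
    # chrooted snort would keep talking to a dead socket. Drop it first.
    rm -f "$link"

    waited=0
    while [ ! -e "$sock" ]; do
        if [ "$waited" -ge "$timeout" ]; then
            echo "link_mysql_sock: $sock not present after ${timeout}s" >&2
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done

    # Hard link, not a symlink: a symlink would be resolved inside the
    # chroot and point at a path that does not exist there.
    ln "$sock" "$link"
}

# Usage as in the post's rc.local (run as root, after "mysqld start"):
#   link_mysql_sock /var/snort /var/lib/mysql/mysql.sock 30 && \
#       /var/snort/bin/snort -t /var/snort -u snort -g snort \
#           -c /etc/snort.conf -z est -l /log -i eth1 -D
```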

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net