Snort mailing list archives
Installing snort 1.8-beta build 37 in a chroot while logging to mysql in RedHat 7.1
From: Chris Owen <cowen () gt ca>
Date: Wed, 4 Jul 2001 04:23:22 -0400
These are the steps I followed to make Snort 1.8-beta build 37 log to a mysql database while being in a chroot on a RedHat Linux 7.1/i386 box. I found the documentation to be a little dodgy so I wrote this with the hope that it will be of use to someone... somewhere. I have snort logging to the database and stream4 is working like a dream against http://snort.sourceforge.net/attack_scripts-0.1.tar.gz. I'll mess with stick and snot tomorrow morning to see if I can break it =). This will probably look lame with word wrapping... sorry. My questions are at the bottom.

---[ Step-by-step instructions ]-------

First I installed the mysql, libpcap, openssl and ntp rpms, then configured ntp.

Next I checked out and compiled the latest build of snort, which happens to be 37 right now:

    cvs -d:pserver:anonymous@cvs.snort.sourceforge.net:/cvsroot/snort login
    (press enter, there's no password)
    cvs -z3 -d:pserver:anonymous@cvs.snort.sourceforge.net:/cvsroot/snort co snort
    cd snort
    ./configure --with-mysql=/usr
    make

Next I created the user snort with the following command:

    useradd -c "snort user" -d /var/snort -s /bin/nosh -M -r snort

Next I created the following directory structure with 'mkdir -p':

    /var/snort
    /var/snort/bin
    /var/snort/etc
    /var/snort/etc/rules
    /var/snort/log
    /var/snort/var/lib/mysql

Next I changed the permissions on the /var/snort/log/ directory so snort could create its logs:

    chgrp snort /var/snort/log
    chmod 775 /var/snort/log

Next I copied the following files:

    snort                 -> /var/snort/bin
    snort.conf            -> /var/snort/etc
    classification.config -> /var/snort/etc
    *.rules               -> /var/snort/etc/rules

And created the following hardlink: *1

    cd /var/snort/var/lib/mysql; ln /var/lib/mysql/mysql.sock .

I filtered connections to mysql on my management interface: *2

    iptables -A INPUT -j DROP -i eth0 -p tcp --dport 3306

I started mysql:

    /etc/init.d/mysqld start

I removed the default users and the test database supplied with RedHat's mysql package (the user and db tables live in the mysql database, so it has to be selected):

    mysql -D mysql -e "DELETE FROM user WHERE Host='localhost' AND User=''"
    mysql -D mysql -e "DELETE FROM user WHERE Host='localhost.localdomain'"
    mysql -D mysql -e "DELETE FROM db WHERE Host='%'"
    mysqladmin -u root drop test

I put a password on the mysql root user:

    mysqladmin -u root password <password>

Then created the snort database:

    mysql -u root -p -e "CREATE DATABASE snort"

And created the user for the database snort:

    mysql -u root -p -e "GRANT CREATE,INSERT,SELECT ON snort.* TO snort@localhost IDENTIFIED BY '<password>'"

I populated the snort database with the create_mysql script from the cvs:

    mysql -D snort -u snort -p < ./contrib/create_mysql

Revoked create permission for snort@localhost (see Questions 3 and 4). GRANT only adds privileges, so the permission has to be taken away with REVOKE, leaving INSERT,SELECT:

    mysql -u root -p -e "REVOKE CREATE ON snort.* FROM snort@localhost"

Edited snort.conf:

    - Added the output line:
      output database: log, mysql, user=snort password=<password> dbname=snort host=localhost
    - Fixed the include statements to point to the correct directories, for example
      "include exploit.rules" was changed to "include /etc/rules/exploit.rules"
    - Edited the vars in Step #1 of the conf.

And then started snort sniffing on an interface protected by iptables: *3

    /var/snort/bin/snort -t /var/snort -u snort -g snort -c /etc/snort.conf -z est -l /log -i eth1 -D

It works! Test it with http://snort.sourceforge.net/attack_scripts-0.1.tar.gz, http://packetstorm.securify.com/distributed/stick.tgz or http://www.geocities.com/sniph00/ then type:

    mysql -u root -p -D snort -e "SELECT * FROM event"

Some udp alerts get logged... yay!

I added the following lines to /etc/rc.d/rc.local:

    /sbin/iptables -A INPUT -i eth0 -j DROP -p tcp --dport 3306                  *4
    /sbin/iptables -A OUTPUT -o eth1 -j DROP                                      *4
    rm /var/snort/var/lib/mysql/mysql.sock                                        *5
    sleep 10s; cd /var/snort/var/lib/mysql; ln /var/lib/mysql/mysql.sock .       *5
    /var/snort/bin/snort -t /var/snort -u snort -g snort -c /etc/snort.conf -z est -l /log -i eth1 -D

---[ Footnotes ]--------------------

*1. This has to be remade each time mysql restarts.
*2. My filtering is much tighter than just this. I also turned off pretty much everything in "chkconfig --list" and updated with all the latest errata at ftp://updates.redhat.com.
*3. I'm stopping packets with: iptables -A OUTPUT -o eth1 -j DROP
*4. These will be moved out to their proper spot in /etc/sysconfig/iptables with the other rules later.
*5. I guess I'll add these to my mysql init script if there isn't a better solution.

---[ TODO ]-------------------------

Now create an init script for snort to put in /etc/rc.d/init.d and link to it from /etc/rc.d/rc3.d.

---[ Questions ]---------- (sorry if they're stupid.)

1) Is there a better way of handling logging to mysql than creating a hardlink to mysql.sock? Why doesn't the database plugin use an AF_INET socket instead?
2) Is there a way to stop all logging to "alert" and "portscan.log" in the log directory, having all the information put in the database instead? Create a /dev/null in my chroot and ln to it?
3) Does using iptables to block outgoing traffic on the sniffing interface make it sufficiently difficult to detect?
4) What are the least permissions the user snort@localhost could have in mysql for snort to be able to log? Is INSERT,SELECT tight?
5) What are the least permissions I need to give the user that ACID will be using to read the database?
6) When I start snort I receive the message "PATH_VARRUN is set to /var/run/ on this operating system". Do I need to account for this in my chroot somehow?
7) Is there any way to minimize fake UDP alerts the way stream4 minimizes fake TCP alerts?
8) Have I done anything silly? Am I missing anything? I guess I could play with the preprocessors a bit more... suggestions?
9) Is there any way I should write this so that it would be of more use to people? I could write what I had to do to make acid over ssl work on RedHat as well...
10) Does anyone have a snazzy init script written for RedHat's latest initscripts (5.83 I think) that I could have?

peace.out();
Chris.

P.S. I'm really looking forward to playing with barnyard/queuing. How's that coming along? =)
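To stage a tree like the one in the post and rewrite the include lines mechanically, here is an added shell script (not from Chris's post): it builds the same directory layout under a scratch root instead of /var/snort, rewrites "include foo.rules" to the chroot-relative "/etc/rules/foo.rules", and checks that the mysql.sock hard link really shares an inode with the original socket, since a hard link cannot cross filesystems. The scratch root and the sample snort.conf lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Stages the chroot layout from the
# post under a scratch root, rewrites snort.conf includes to chroot-relative
# paths, and checks the mysql.sock hard link. Scratch paths are assumptions.
set -u

# Create the directory layout from the post below $1 (the future chroot root).
make_chroot_tree() {
    root=$1
    mkdir -p "$root/bin" "$root/etc/rules" "$root/log" "$root/var/lib/mysql" || return 1
    # Only the log directory needs to be group-writable for the snort user;
    # the chgrp step from the post needs root and is left to the caller.
    chmod 775 "$root/log"
}

# Rewrite "include foo.rules" into "include /etc/rules/foo.rules" on stdout.
# Includes that already carry an absolute path are left alone, so the
# rewrite is safe to run twice over the same file.
rewrite_includes() {
    sed -E 's#^(include[[:space:]]+)([^/[:space:]][^[:space:]]*\.rules)#\1/etc/rules/\2#' "$1"
}

# A hard link cannot cross filesystems, so /var/snort must live on the same
# filesystem as /var/lib/mysql. Returns 0 when $1 and $2 are the same inode.
same_inode() {
    a=$(stat -c %d:%i "$1" 2>/dev/null) || return 1
    b=$(stat -c %d:%i "$2" 2>/dev/null) || return 1
    [ "$a" = "$b" ]
}

# Constructed snort.conf fragment used by the demonstration run below.
sample_conf() {
    printf '%s\n' \
        'var HOME_NET any' \
        'include exploit.rules' \
        'include  scan.rules' \
        'include /etc/rules/web-cgi.rules' \
        'output database: log, mysql, user=snort password=<password> dbname=snort host=localhost'
}

# Stand-alone run against a throwaway root (no root privileges needed).
demo() {
    root=$(mktemp -d) || return 1
    make_chroot_tree "$root" || return 1
    sample_conf > "$root/etc/snort.conf.orig"
    rewrite_includes "$root/etc/snort.conf.orig" > "$root/etc/snort.conf"
    cat "$root/etc/snort.conf"
    rm -rf "$root"
}
[ "${1:-}" = demo ] && demo
```

Run it as `sh stage.sh demo` to see the rewritten config; the functions can also be sourced into a larger staging script.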