Snort+SnortSam+MySQL+BASE installation

1. Introduction
2. Current software versions
3. Installation
4. Web interface
5. Blocking attackers and spammers
  5.1. Blocking on firewall
  5.2. "Close connection" function
  5.3. Snort as anti-spam tool
6. Update
7. Base update
8. Uninstall
9. More information

1. Introduction

Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

To make your server more secure, you can install the Snort+SnortSam+BASE (ACID) software. Snort matches traffic against all known attack signatures and saves the alerts in a MySQL database. BASE builds a full report from that data: who tried to scan or hack your server, when and how. SnortSam automatically reconfigures your firewall to block the attacker's IP.

Follow the script's instructions to install and configure three services:
1. Snort+SnortSam (installation and configuration)
2. BASE (installation and configuration)
3. MySQL (creation of the Snort database)

Snort+SnortSam: any server
BASE: needs a server where Apache is installed and running (Web, Mail or CP server)
MySQL: needs a server where MySQL is installed and running (MySQL or Mail server)

You can install all services on one server or on different servers, depending on which H-Sphere services are installed on them. The easiest way is to install Snort on the Mail server, because it already has Apache and MySQL. In any case, download and execute the installation script on each of these servers.

2. Current software versions

Snort-2.4.5 (RPM build 1)
Snortsam-2.50 (RPM build 1)
Base-1.2.4
JPGraph-1.16

3. Installation

Warning: the installation script supports the following OSs:
Red Hat Linux release 7.3
Red Hat Enterprise Linux
CentOS 3.x
CentOS 4.x
Trustix
Fedora Core 1-5
FreeBSD 5.x

3.1. Download the installation script snort_inst.sh (old version: snort_inst.linux.sh) and execute it:

[root@localhost root]# wget http://www.root0.net/snort/snort_inst.sh
[root@localhost root]# sh snort_inst.sh
Step one. The script asks which services you would like to install and/or configure on this server.
Use the "1", "2", "3" keys to enable/disable services, "-" to continue and "q" to exit without installing:
OS = Red Hat Enterprise Linux ES release 3 (Taroon)
Select services for installation and configuration:

	1) SNORT [X]
	2) MYSQL [X]
	3) BASE  [X]

	q) quit
	-) continue

Enter your choice [1,2,3]: -
Step two. The script checks Apache and MySQL (if you selected them) and asks for the name of the new Snort database, the user name and its password:
MYSQL installation check
MySQL server found and ready	[ OK ]
Apache DocumentRoot	[ OK ]
MySQL server IP [localhost]
	Enter MySQL database name [snort]: mysnortdatabase
	Enter MySQL user name [snort]: mysnortuser
	Enter "mysnortuser" password [snorttest]: mysuperpassword
Step three. The script downloads, installs and configures Snort and BASE:
Creation MySQL database:
Snort installation
  Download
  Install
Snort installation	[ OK ]
BASE installation
  Download
  Unpack
BASE installation [ OK ]
Download create_mysql file
Download create_mysql file [ OK ]
MySQL configuration
MySQL configuration [ OK ]
Snort configuration
  PROCESS on /etc/snort/snort.conf ...	[ OK ]
Snortsam configuration
  PROCESS on /etc/snort/snortsam.conf ...	[ OK ]
BASE configuration
  PROCESS on /hsphere/shared/apache/htdocs/base/base_conf.php ...	[ OK ]

###############################
### Installation successful ###
###############################

[root@localhost root]#

Warning: (FreeBSD) If you installed on a FreeBSD server, you have to add the two following firewall rules:
    ipfw add 87 deny ip from any to table(87) via <INTERFACE>
    ipfw add 88 deny ip from table(88) to any via <INTERFACE>
SnortSam cannot block attackers' IPs without these rules.

    This is an example from my server:
	localhost# ipfw add 10 deny ip from any to table\(87\) via lnc0
	00010 deny ip from any to table(87) via lnc0
	localhost# ipfw add 11 deny ip from table\(88\) to any via lnc0
	00011 deny ip from table(88) to any via lnc0
	localhost#
Warning: (All OSs) Open port 898 (SnortSam) on the local firewall for localhost if it is closed.

3.2. Run SnortSam and Snort:
Linux:
[root@localhost root]# /etc/init.d/snortsamd start
[root@localhost root]# /etc/init.d/snortd start
FreeBSD:
localhost# /usr/local/etc/rc.d/000.snortsamd.sh start
localhost# /usr/local/etc/rc.d/snortd start
3.3. Check system log:
[root@localhost root]# tail -5 /var/log/messages
If you see something like:
...
Jul 21 18:22:55 localhost snort: INFO => [Alert_FWsam](FWsamCheckIn) Connected to host 127.0.0.1.
...
Jul 21 18:23:01 localhost snort: Log directory = /var/log/snort
Jul 21 18:23:01 localhost snort: Snort initialization completed successfully
Congratulations, the software was installed successfully.

3.4. Possible problems:
Problem #1:
[root@localhost snort]# /etc/rc.d/init.d/snortd start
Starting snort: /usr/local/bin/snort: error while loading shared libraries:
 libpcap.so.0.6.2: cannot open shared object file: No such file or directory
                                                           [FAILED]
[root@localhost snort]#
Solution:
[root@localhost snort]# locate libpcap.so
/usr/lib/libpcap.so.0.8.3
/usr/lib/libpcap.so
/usr/lib/libpcap.so.0
/usr/lib/libpcap.so.0.8
[root@localhost snort]# ls -la /usr/lib/libpcap.so.0.8.3
-rwxr-xr-x  1 root root 138364 Jun 13  2005 /usr/lib/libpcap.so.0.8.3
[root@localhost snort]# ln -s /usr/lib/libpcap.so.0.8.3 /usr/lib/libpcap.so.0.6.2
[root@localhost snort]# /etc/rc.d/init.d/snortd start
Starting snort:                                            [  OK  ]
[root@localhost snort]#
Problem #2:
[root@localhost root]# /etc/rc.d/init.d/snortd start
Starting snort: /usr/local/bin/snort: error while loading shared libraries: libmysqlclient.so.12:
 cannot open shared object file: No such file or directory
                                                           [FAILED]
[root@localhost root]#
Solution:
[root@localhost root]# locate libmysqlclient.so
/usr/lib/libmysqlclient.so
/usr/lib/libmysqlclient.so.14
/usr/lib/libmysqlclient.so.14.0.0
/usr/lib/libmysqlclient.so.12
[root@localhost root]# ln -s /usr/lib/libmysqlclient.so.14.0.0 /usr/lib/libmysqlclient.so.12
[root@localhost root]# /etc/rc.d/init.d/snortd start
Starting snort:                                            [  OK  ]
[root@localhost root]#

4. Web interface

4.1. Now in your browser type
http://<BASE_SERVER_IP>/base/ (new ACID version)
Result : BASE1

4.2. Click "Setup page" link.
Result : BASE2

4.3. Press "Create BASE AG" button:
Result : BASE3

4.4. Click "Main page" or "Home" link:
Result : BASE4

4.5. Let's check the new system.
In your browser type http://<SNORT_SERVER_IP>/cmd.exe
Then check the BASE page again; it will show the alerts:
http://<BASE_SERVER_IP>/base/
Result : BASE5

Now your new Web interface is ready.

Here are the same BASE pages on several servers around the world:
http://156.17.123.166/acid_main.php
http://www.kdev.it/acid/acid_main.php
http://202.44.130.173/acid/acid_main.php
http://linuxgw.phj.hu/acidlab/acid_main.php
http://gruppo3.ca.infn.it:8080/acid/acid_main.php
http://www.securebroker.de/secure/acid_main.php

5. Blocking attackers and spammers

5.1. Blocking on firewall

Fine, it is working, but you want to block attackers on the firewall as soon as they try to hack or scan your server. No problem:
SnortSam was installed for this. You just have to add a special blocking option to each Snort rule you want to act on.

All Snort rules are located in the /etc/snort/rules directory. You need to find the Snort rule with a given SID (Signature ID) and add something like:
"fwsam: src, 60 minutes;"
This is not an easy task, which is why we created the iptsamconf.sh script. It will do it for you. This script is already on your server in the /etc/snort directory.

Let's say you want to block intruders that scan for the "cmd.exe" vulnerability for 30 minutes. Modify the existing Snort rule (found in web-iis.rules):
you need to add "fwsam: src, 30 minutes;" to the rule with SID 1002.

Enable block intruder (SID 1002):

[root@localhost root]# /etc/snort/tools/iptsamconf.sh -s 1002 -t 30
Disable block intruder (SID 1002):
[root@localhost root]# /etc/snort/tools/iptsamconf.sh -s 1002
iptsamconf.sh records its statistics in the /etc/snort/tools/iptsamconf.stat file.

Examples:

    Enable blocking attackers:

[root@localhost test]# /etc/snort/tools/iptsamconf.sh -t 30 -s 1002
FILE: /etc/snort/rules/web-iis.rules

RULE:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established;
uricontent:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:7;)

 +++ Enable fwsam function. SID: 1002 TIME: 30 minutes ...

NEW RULE:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established;
uricontent:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:7; fwsam: src, 30 minutes;)

[root@localhost test]#

    Disable blocking:

[root@localhost test]# /etc/snort/tools/iptsamconf.sh -s 1002
FILE: /etc/snort/rules/web-iis.rules

RULE:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established;
uricontent:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:7; fwsam: src, 30 minutes;)

 --- Disable fwsam function. SID: 1002 ...

NEW RULE:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established;
uricontent:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:7;)

[root@localhost test]#

Warning: check the "dontblock" directives in the /etc/snort/snortsam.conf file and add your own servers or networks there, like:
dontblock 192.168.0.0/16
dontblock 10.0.0.0/8
dontblock 127.0.0.1
Don't forget to restart the snort and snortsam processes:
Linux:
[root@localhost root]# /etc/init.d/snortsamd restart
[root@localhost root]# /etc/init.d/snortd restart
FreeBSD:
localhost# /usr/local/etc/rc.d/000.snortsamd.sh restart
localhost# /usr/local/etc/rc.d/snortd.sh restart
Now all iptsamconf.sh statistics are in the /etc/snort/tools/iptsamconf.stat file.
Read more about /etc/snort/tools/iptsamconf.sh here.
You can also download my iptsamconf.stat.example file (02.01.2006) and import these rules:
[root@localhost root]# /etc/snort/tools/iptsamconf.sh -v -f iptsamconf.stat.example
 +++ Enable fwsam function. SID: 1668 TIME: 60 minutes ...
 +++ Enable fwsam function. SID: 2392 TIME: 60 minutes ...
 +++ Enable fwsam function. SID: 4650 TIME: 60 minutes ...
...
[root@localhost root]# 
After that, check your /etc/snort/tools/iptsamconf.stat file and restart snort.
Now you are ready to repel attackers. Just recheck BASE from time to time and add/edit blocking in the Snort rules via the iptsamconf.sh script.

5.2. "Close connection" function

Warning: make sure that the libnet-1.0.2a package (do not use other LibNet versions) is installed on your server:
[root@localhost root]# rpm -qa | grep libnet
If not, you can get the RPM package from our site and install it. See the "Update" section.

There is another way to stop an attacker or spammer.
If you don't want to block IPs on the firewall, you can add the "close connection" function to a Snort rule. In this case the connection is closed as soon as the packet content matches the rule content. Use the iptsamconf.sh script with the "-c" option for this.
Example:
[root@localhost root]# /etc/snort/tools/iptsamconf.sh -s 30000000 -c
FILE: /etc/snort/rules/root0net_spam.rules

RULE:
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"root0.net Possible spam"; content-list:/etc/snort/tools/spam_phrases;
nocase; logto:/var/log/snort/30000000.log; depth:2000; sid:30000000;)

 +++ Enabled resp function. SID: 30000000...

NEW RULE:
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"root0.net Possible spam"; content-list:/etc/snort/tools/spam_phrases;
nocase; logto:/var/log/snort/30000000.log; depth:2000; sid:30000000; resp:rst_all;)

[root@localhost root]#
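As an added example (not the page's iptsamconf.sh, whose source is not shown here), the POSIX sh functions below do what the -s/-t toggle of section 5.1 and the -c toggle of section 5.2 do to a rules file: find the rule by SID and add or drop its fwsam or resp option. It assumes one rule per line, as Snort rules files are laid out, and works on a constructed rules file; the function names are mine.

```shell
#!/bin/sh
# Added example, not the page's iptsamconf.sh: what the -s/-t and -c toggles
# do to a rules file. Assumes one rule per line (the layout of Snort rules
# files) and option text without '/', '&' or ';'. Function names are mine.

# Write a constructed rules file (copy of the page's SID 1002 rule plus a
# decoy whose SID merely starts with 1002) to the path given as $1.
make_sample_rules() {
    cat > "$1" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; uricontent:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"constructed decoy"; sid:10020; rev:1;)
EOF
}

# Print the rule carrying SID $2 from rules file $1 (exact match:
# "sid:1002;" does not match "sid:10020;").
rule_for_sid() {
    grep "sid:[[:space:]]*$2;" "$1"
}

# Remove every option with keyword $3 (fwsam, resp, ...) from the rule with
# SID $2 in file $1; a rule without that option is left untouched.
rule_opt_clear() {
    tmp=$(mktemp) || return 1
    sed "/sid:[[:space:]]*$2;/ s/ *$3:[^;]*;//g" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Set option $3 (e.g. "fwsam: src, 30 minutes" or "resp:rst_all") on the rule
# with SID $2 in file $1. Any earlier copy of the same keyword is dropped first
# so re-running with a new time replaces rather than duplicates it; the option
# is appended just before the closing ')' as the page's NEW RULE output shows.
rule_opt_set() {
    key=${3%%:*}
    tmp=$(mktemp) || return 1
    sed -e "/sid:[[:space:]]*$2;/{" \
        -e "s/ *$key:[^;]*;//g" \
        -e "s/)[[:space:]]*\$/ $3;)/" \
        -e "}" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Walk through enable (30 min), change (60 min), disable, then close-connection.
demo() {
    f=$(mktemp) || return 1
    make_sample_rules "$f"
    rule_opt_set "$f" 1002 "fwsam: src, 30 minutes"; rule_for_sid "$f" 1002
    rule_opt_set "$f" 1002 "fwsam: src, 60 minutes"; rule_for_sid "$f" 1002
    rule_opt_clear "$f" 1002 fwsam;                   rule_for_sid "$f" 1002
    rule_opt_set "$f" 1002 "resp:rst_all";            rule_for_sid "$f" 1002
    rm -f "$f"
}
demo
```

Re-running with a new time replaces the earlier fwsam option instead of adding a second one, and a rule whose SID merely starts with the same digits (10020) is not touched by an edit for 1002.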

5.3. Snort as anti-spam tool

You find tons of spam letters with the phrase "Online Pharmaceutical" or "Vlsagra $3.3" in the qmail queue or in local mailboxes, and the spammer keeps sending such letters again and again.
No problem. We created a custom rule (the /etc/snort/rules/root0net_spam.rules file) for this. Just add these phrases to the special file /etc/snort/tools/spam_phrases and uncomment root0net_spam.rules in /etc/snort/snort.conf:
include $RULE_PATH/root0net_spam.rules
This rules file contains only one rule, with SID 30000000.
Use iptsamconf.sh to add the "close connection" function to this rule:
[root@localhost root]# /etc/snort/tools/iptsamconf.sh -s 30000000 -c
and restart Snort.
Now, if a mail contains the phrase "Online Pharmaceutical" or any other phrase from the /etc/snort/tools/spam_phrases file, Snort automatically closes the connection on port 25 and the spammer is rejected.
Test this rule from a remote server:
[root@remote root]# echo "kjhkjhkjh Online Pharmaceutical jhgjfghgf" | mail your_mailbox@your_domain.com
You can also see spam statistics in the BASE interface and block the spammer's IP, if you want, via the iptsamconf.sh script.

6. Update

6.1. Download the latest packages:
http://www.root0.net/snort/r73/ (Red Hat Linux release 7.3)
http://www.root0.net/snort/res3/ (Red Hat Enterprise Linux)
http://www.root0.net/snort/co31/ (CentOS 3.1 and other)
http://www.root0.net/snort/co42/ (CentOS 4.2)
http://www.root0.net/snort/trust/ (Trustix)
http://www.root0.net/snort/fc1/ (Fedora Core 1)
http://www.root0.net/snort/fc3/ (Fedora Core 2,3)
http://www.root0.net/snort/fc5/ (Fedora Core 4,5)
http://www.root0.net/snort/f53/ (FreeBSD 5.x)

Linux:
[root@localhost root]# wget http://www.root0.net/snort/[OS]/snort-X.X.X-X.rpm
[root@localhost root]# wget http://www.root0.net/snort/[OS]/snortsam-X.XX-X.rpm
Where [OS] is "r73", "res3", "co31", "trust", "fc1" or "fc3" ("Red Hat Linux release 7.3", "Red Hat Enterprise Linux", "CentOS", "Trustix", "Fedora Core" 1 or 3)

FreeBSD:
localhost# fetch http://www.root0.net/snort/f53/snort-X.X.X-X.tgz
localhost# fetch http://www.root0.net/snort/f53/snortsam-X.XX-X.tgz
6.2. Save the blocking statistics:
[root@localhost root]# mv /etc/snort/tools/iptsamconf.stat /etc/snort/tools/iptsamconf.stat.backup
6.3. Stop processes:
Linux:
[root@localhost root]# /etc/init.d/snortd stop
[root@localhost root]# /etc/init.d/snortsamd stop
FreeBSD:
localhost# /usr/local/etc/rc.d/snortd.sh stop
localhost# /usr/local/etc/rc.d/000.snortsamd.sh stop
6.4. Update packages:
Linux:
[root@localhost root]# rpm -Uvh snort-X.X.X-X.rpm
[root@localhost root]# rpm -Uvh snortsam-X.XX-X.rpm
FreeBSD:
localhost# pkg_delete snort-X.X.X-X.tgz
localhost# pkg_delete snortsam-X.XX-X.tgz
localhost# pkg_add snort-X.X.X-X.tgz
localhost# pkg_add snortsam-X.XX-X.tgz
6.5. Restore the blocking statistics:
[root@localhost root]# /etc/snort/tools/iptsamconf.sh -f /etc/snort/tools/iptsamconf.stat.backup
6.6. Start processes:
Linux:
[root@localhost root]# /etc/init.d/snortsamd start
[root@localhost root]# /etc/init.d/snortd start
FreeBSD:
localhost# /usr/local/etc/rc.d/000.snortsamd.sh start
localhost# /usr/local/etc/rc.d/snortd.sh start

7. Base update

Read the BASE documentation.

8. Uninstall

Linux:
[root@localhost root]# /etc/init.d/snortd stop
[root@localhost root]# /etc/init.d/snortsamd stop
[root@localhost root]# rpm -e snort
[root@localhost root]# rpm -e snortsam
[root@localhost root]# rm -rf /etc/snort
[root@localhost root]# rm -rf <APACHE_DOCUMENT_ROOT>/base
[root@localhost root]# rm -rf <APACHE_DOCUMENT_ROOT>/adodb
[root@localhost root]# rm -rf <APACHE_DOCUMENT_ROOT>/jpgraph*
[root@localhost root]# mysql -u root -p -e "DROP DATABASE <SNORT_DATABASE_NAME>;"

FreeBSD:
localhost# /usr/local/etc/rc.d/snortd.sh stop
localhost# /usr/local/etc/rc.d/000.snortsamd.sh stop
localhost# pkg_delete snort
localhost# pkg_delete snortsam
localhost# rm -rf /etc/snort
localhost# rm -rf <APACHE_DOCUMENT_ROOT>/base
localhost# rm -rf <APACHE_DOCUMENT_ROOT>/adodb
localhost# rm -rf <APACHE_DOCUMENT_ROOT>/jpgraph*
localhost# mysql -u root -p -e "DROP DATABASE <SNORT_DATABASE_NAME>;"

9. More information

Snort and SnortSam configuration documentation and examples can be found in the /etc/snort/snort and /etc/snort/snortsam directories.
http://www.snort.org Snort home page.
http://www.snortsam.net SnortSam home page.
Snort the Best Open Source in 2003.


© root0.net