Solved

Snort on Ubuntu Linux with webmin

Posted on 2007-11-18
8
6,733 Views
Last Modified: 2013-12-16
I want to install Snort on my ubuntu linux systems Ubuntu 6.06 LTS. I usually do a lot of the system administration with Webmin. I would like to keep it that way. The main thing is to install snort and I am having a difficult time following the instructions that are in the manual. I wonder if someone has already made this installation in Ubuntu. Any advice? Thanks, M
0
Question by:marceloNYC
8 Comments
 
LVL 7

Expert Comment

by:Wod
ID: 20371159
what problem do you have installing snort? (error, etc .. )
0
 
LVL 5

Expert Comment

by:Jozk0
ID: 20550990
did you try to run this as root?:

apt-get install snort
0
 

Author Comment

by:marceloNYC
ID: 20600373
yeah I tried this and I still have no luck. I need a guideline like some kind of check list and steps to get this to work. I need to know the webmin part mostly. I used to get this to show in webmin as a module. I have mysql setup and the acid program. M
0
 
LVL 6

Expert Comment

by:clearacid
ID: 21013185
This site looks promising - http://ubuntuforums.org/showthread.php?t=145641
Below is the text of the forum step by step guide to install snort on ubuntu.

I finally created a new guide for Feisty which is very similar but if anything easier.
http://ubuntuforums.org/showthread.php?t=483488
 
This guide will show you how to install the IDS system snort. Have snort log to a mysql database. Then be able to access the information in that database with Base which you can access through apache. 
 
Most of the information from this guide I learned from Patrick Harper's Centos guide. I would recommend taking a look at it even if you're installing snort on Ubuntu. http://www.snort.org/docs/setup_guid...t_base_SSL.pdf
 
First edit /etc/apt/sources.list and uncomment these 2 lines. (My file actually has more uncommented so I'm not sure which sources you'll actually need. If you run into problems try uncommenting more. You can always change it back when you're done.)
 
 
Quote:
deb http://us.archive.ubuntu.com/ubuntu breezy-updates main restricted
deb-src http://us.archive.ubuntu.com/ubuntu breezy-updates main restricted  
 
Next update
 
Quote:
sudo apt-get update  
 
Install snort with mysql support
 
Quote:
sudo apt-get install snort-mysql  
 
Ubuntu will bring up a configuration dialog and a network that you can use. I replaced this with any so it will log all traffic. Next it'll ask if you want to set snort to log to a mysql server. For now we'll say no because we haven't set mysql up yet. 
 
Before testing snort I'm going to go ahead and install oinkmaster and get the latest rules. Oinkmaster is a program that you can use to automatically fetch snort rules.
 
 
Quote:
sudo apt-get install oinkmaster  
 
Now you'll need to edit the oinkmaster config file which is located /etc/oinkmaster.conf I would recommend going to snort.org and registering so you can obtain an oinkcode.
 
Replace
 
Quote:
url = http://www.snort.org/dl/rules/snortr...hot-2_2.tar.gz  
 
with
 
Quote:
url = http://www.snort.org/pub-bin/oinkmaster.cgi/5a08f649c16a278e1012e1c84bdc8fab9a70e2a4/snortrules-snapshot-2.3.tar.gz  
 
just make sure you replace 5a08f649c16a278e1012e1c84bdc8fab9a70e2a4 with your oink code. Pay attention to the version of snort you're using. To find out type snort -V. My example above is version 2.3.
 
Now to test oinkmaster
 
Quote:
sudo oinkmaster -o /tmp/
ls /tmp  
 
The -o switch is for output directory. You should see several .rules files in /tmp now.
 
If everything works out alright then update your snort rules
 
Quote:
sudo oinkmaster -o /etc/snort/rules/  
 
A good idea is to add oinkmaster to a cron job to update your rules automatically. I'm a bit rusty with crons so I'm gonna leave that out of this how to until I read up on them again.  
 
Now edit the snort config file
 
Quote:
sudo vi /etc/snort/snort.conf  
 
In the beginning there are a couple of variables you should check on. The default should work fine. Read over the config file, the comments provide more information about the preprocessors and other snort options.
 
Quote:
var HOME_NET any
 
var RULE_PATH /etc/snort/rules  
 
At the very end you'll find the rules list. Here you can uncomment additional rule sets depending on what rules you want to monitor.
 
Now's the time to fire snort up using the snort config file.
 
Quote:
sudo snort -c /etc/snort/snort.conf  
 
By default snort logs alerts to /var/log/snort/alert
 
To test snort I used another computer and did a scan with nmap.
 
Quote:
sudo nmap -sS Your_IP_Address  
 
If you look through /var/log/snort/alert you should see some port scan activity. Do a search on the file. If it's empty then something is wrong.
 
Quote:
sudo cat /var/log/snort/alert  
 
Now to install mysql
 
Quote:
sudo apt-get install mysql-server  
 
There's a couple of questions apt asks and I just used the default by pressing enter a couple of times.
 
Edit the snort config file again so we can change where snort logs its outputs
 
Quote:
sudo vi /etc/snort/snort.conf  
 
Comment out so it looks like the following. Mine was line 512.
 
Quote:
# output log_tcpdump: tcpdump.log  
 
Uncomment, line 529
 
Quote:
output database: log, mysql, user=root password=test dbname=db host=localhost  
 
For this guide I'm going to use snort as my user, password and database. I would recommend you use something different, just note what it is. If you are logging to another mysql server then change localhost to whatever ip the server is.
 
Quote:
output database: log, mysql, user=snort password=snort dbname=snort host=localhost  
 
I don't know anything about mysql. I followed Patrick's guide word for word. Download snort from snort.org and extract it. Since my version of snort was 2.3.2 that's what I downloaded from snort.org. Then we'll set up a database for snort.
 
Quote:
mysql -u root
set password for root@localhost=password('PICK_A_PASSWORD');
create database snort;
grant insert,select on root.* to snort@localhost;
set password for snort@localhost=password('PASSWORD_SNORT_CONF');
grant create,delete,insert,select,update on snort.* to snort@localhost;
grant create,delete,insert,select,update on snort.* to snort;
exit  
 
Pay attention to the semicolons ;
 
Create the tables
 
Quote:
mysql -u root -p < ~/snort-2.3.2/schemas/create_mysql snort  
 
Check the database
 
Quote:
mysql -u root -p
show databases;
use snort
show tables;
exit  
 
You should be able to fire up snort with no problems.
 
Quote:
sudo snort -c /etc/snort/snort.conf  
 
*I updated this section and found adodb in the repository
Install apache our webserver and php with mysql & adodb
 
Quote:
sudo apt-get install apache2 php5-mysql libphp-adodb  
 
Download base
http://sourceforge.net/project/showf...ease_id=384975
Move base to /var/www, extract and delete the archive.
 
Quote:
sudo mv base-1.2.2.tar.gz /var/www
cd /var/www
sudo tar -xvzf base-1.2.2.tar.gz
sudo rm base-1.2.2.tar.gz
sudo mv base-1.2.2 base  
 
Edit the base configuration
 
Quote:
sudo cp base/base_conf.php.dist base/base_conf.php
sudo vi base/base_conf.php  
 
$BASE_urlpath = '/base';
$DBlib_path = '/usr/share/adodb/';
Change line 85 and so on to match your mysql database, such as the username, password etc.
 
I was expecting this to work but for some reason it didn't. I fired up firefox and went to localhost and when I clicked the folder base it kept trying to download a file. I tried restarting apache but the only thing that actually worked was a reboot. Go figure.
 
If you go to http://localhost/base you should see a link to the setup page. Click it and then click Setup Base AG. Now click home and Base should be up and running. 
 
Now in order to get the graph to work
 
Quote:
sudo apt-get install php5-gd php-pear
sudo pear install Image_Color
sudo pear install Image_Canvas-alpha
sudo pear install Image_Graph-alpha  
 
Restart Apache and make sure snort is running
 
Quote:
sudo /etc/init.d/apache2 restart
sudo /etc/init.d/snort start  
 
For some reason when I was trying to install Image_Color it was missing a dependency that was already installed. If you get the same error try the following.
 
Quote:
sudo apt-get remove php5-gd
sudo apt-get install php5-gd  
 
This is my first HOWTO. Good luck & have fun.


0
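The guide above tells you to look through /var/log/snort/alert after the nmap test and says "if it's empty then something is wrong", but gives no way to read the file other than cat. As an added example (not from this thread, nor from the ubuntuforums or Patrick Harper guides it quotes), here is a POSIX shell script that summarizes a Snort alert file written in the "full" alert format: how many records it holds, which signatures fired, and which source addresses triggered them. The function names are my own; the sample alert records are constructed to resemble what an nmap scan of the sensor produces and are only there so the script can be tried without a running sensor.

```shell
#!/bin/sh
# Added example, not part of the thread: summarize a Snort alert file written
# in "full" alert mode (the /var/log/snort/alert the guide checks after its
# nmap test). Each record starts with a "[**] [gid:sid:rev] message [**]"
# header line, followed by a classification line and a timestamp line of the
# form "MM/DD-HH:MM:SS.uuuuuu src[:port] -> dst[:port]".

# Number of alert records in the file (one header line per record).
count_alerts() {
    grep -c '^\[\*\*] \[[0-9]*:[0-9]*:[0-9]*] ' "$1"
}

# One line per signature: "count<TAB>gid:sid:rev<TAB>message", busiest first.
alerts_by_signature() {
    awk '/^\[\*\*] \[[0-9]+:[0-9]+:[0-9]+] / {
            sig = substr($2, 2, length($2) - 2)     # strip the surrounding [ ]
            msg = $0
            sub(/^\[\*\*] \[[0-9:]+] /, "", msg)     # drop the "[**] [id] " prefix
            sub(/ \[\*\*][ \t]*$/, "", msg)          # drop the trailing " [**]"
            count[sig "\t" msg]++
        }
        END { for (k in count) printf "%d\t%s\n", count[k], k }' "$1" | sort -rn
}

# One line per source address: "count<TAB>ip", busiest first. TCP/UDP ports
# are stripped; ICMP records carry no port and fall through unchanged.
alerts_by_source() {
    awk '$3 == "->" && $1 ~ /^[0-9][0-9]\/[0-9][0-9]-[0-9][0-9]:/ {
            src = $2
            sub(/:[0-9]+$/, "", src)
            count[src]++
        }
        END { for (k in count) printf "%d\t%s\n", count[k], k }' "$1" | sort -rn
}

# Constructed sample in the same format: three XMAS-scan alerts and one ICMP
# ping alert, as a scan from 192.168.1.50 against a sensor at 192.168.1.10
# might produce. Written to the path given as $1.
write_sample_alerts() {
    cat > "$1" <<'EOF'
[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/18-10:21:03.104312 192.168.1.50 -> 192.168.1.10
ICMP TTL:45 TOS:0x0 ID:52301 IpLen:20 DgmLen:28

[**] [1:1228:7] SCAN nmap XMAS [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/18-10:21:04.221190 192.168.1.50:43210 -> 192.168.1.10:22
TCP TTL:51 TOS:0x0 ID:0 IpLen:20 DgmLen:40

[**] [1:1228:7] SCAN nmap XMAS [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/18-10:21:04.221500 192.168.1.50:43211 -> 192.168.1.10:80
TCP TTL:51 TOS:0x0 ID:0 IpLen:20 DgmLen:40

[**] [1:1228:7] SCAN nmap XMAS [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/18-10:21:04.221900 10.0.0.7:40001 -> 192.168.1.10:443
TCP TTL:51 TOS:0x0 ID:0 IpLen:20 DgmLen:40
EOF
}

# Usage: sh snort_alert_summary.sh /var/log/snort/alert
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    printf 'alerts: %s\n\nby signature:\n' "$(count_alerts "$1")"
    alerts_by_signature "$1"
    printf '\nby source:\n'
    alerts_by_source "$1"
fi
```

Run it as root (or as a user that can read /var/log/snort/alert) with the alert file as its only argument. A sensor that is working but whose HOME_NET or rule set is wrong usually shows up here as an alert count of zero or as a signature list made up only of preprocessor noise, which is quicker to spot than paging through the raw file.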
 

Author Comment

by:marceloNYC
ID: 21051540
I want to be able to add the module in Webmin for snort. M
0
 
LVL 4

Accepted Solution

by:
H_D_A earned 500 total points
ID: 21133685
0
 

Author Closing Comment

by:marceloNYC
ID: 31409844
Thank YOU!!!!
0
 
LVL 4

Expert Comment

by:H_D_A
ID: 21155575
I am glad it was helpful
0
