Created By: Ari Novikoff of Marari Network Solutions
Contrib From: Trevor Ouellette and Abe Loveless
Thanks To: Keith Woody for his help with the perl code in the snort.conf template.
Platform: ALL SME Server versions from 5.0 to 5.6 inclusive
Last Modified: February 6, 2003 at 11:20 AM [GMT -6:00]

PLEASE READ THIS ENTIRE DOCUMENT -BEFORE- YOU INSTALL ANY OF THE RPMs

1) This installation assumes that you are running in server/gateway mode and have both an internal (eth0) -and- external interface (eth1).

2) This installation assumes that you have not drastically modified your server or changed the default MySQL password.

3) There is no performance guarantee. No warranty either expressed or implied that this howto or any of the rpms in it will suit your needs. You assume full responsibility when you install the package. If you don't know what you're doing, I -strongly- suggest that you obtain a bit of help from someone who does so you don't compromise your security.

4) I've received lots of emails from people all over the world that have used this howto and the rpms in it without any problems. If you have any problems, you probably didn't read this important warning.
PROBLEM

You want to install the SNORT IDS as a daemon on your SME Server with MySQL database extensions for logging, but you'd rather have something easier on the eyes than POTL (plain old text logs) for statistical reporting of intrusions on your network. You'd also like to make (reasonably) sure that the SNORT rules remain up to date.
SOLUTION

Step 1

From the command prompt, issue the following commands:

# wget http://www.snort.org/dl/binaries/linux/snort-2.0.2-4.i386.rpm
# wget http://www.snort.org/dl/binaries/linux/snort-mysql-2.0.2-4.i386.rpm
# wget http://www.marari.net/downloads/snort/sme-acid-2.0.0-1ari.noarch.rpm

If you'd like the Guardian add-in module for snort, and you're using SME Server 5.6, please download:

# wget http://www.marari.net/downloads/snort/trevor-mitel-guardian-2.0-1.noarch.rpm

If you have a previous version of these packages installed, remove it first:

# /etc/rc.d/init.d/snortd stop
# rpm -e trevor-mitel-guardian
# rpm -e sme-acid-2.0.0-1ari
# rpm -e snort-mysql
# rpm -e snort
# mysqladmin drop snort_archive
# mysqladmin drop snort_log

Now install the packages:

# rpm -ivh snort-2.0.2-4.i386.rpm snort-mysql-2.0.2-4.i386.rpm
# rpm -ivh sme-acid-2.0.0-1ari.noarch.rpm

And if you've decided to install the Guardian Add-On, then run the following:

# rpm -ivh trevor-mitel-guardian-2.0-1.noarch.rpm

The above packages will do just about everything for you, including the following:

- ACID: see http://www.cert.org/kb/acid for more information.
- ADOdb: this is installed in /opt/administration/acid/adodb/; see http://php.weblogs.com/adodb for more information.
- JpGraph: this is installed in /opt/administration/acid/jpgraph/; see http://www.aditus.nu/jpgraph for more information.

Step 2

Open your web browser and go to https://www.yourdomain.com/acid

You'll need to login with the admin username and password. Once you're authenticated, voila. All your work is about to pay off. You'll be greeted with a screen that reads something like:

The database version is valid, but the ACID DB structure (table: acid_ag) is not present. Use the Setup page to configure and optimize the DB.

Simply follow the link "Setup Page" and click on the "Create ACID AG" button on the left hand side. It should yield results of:

Successfully created 'acid_ag'
Successfully created 'acid_ag_alert'
Successfully created 'acid_ip_cache'
Successfully created 'acid_event'

Now follow the "Main Page" link at the bottom of the page and...

Step 3

Edit the config:

# pico /etc/e-smith/templates/etc/snort/snort.conf/00snort.conf

Go to about line 362 and put a # in front of preprocessor asn1_decode, so that it reads:

# preprocessor asn1_decode

Press Ctrl-X and say yes to keep the changes. Then reboot:

# shutdown -r now

Congratulations! You are done.... for now :-)

A Note About Guardian
Guardian is an active defense system for snort. What it does is add in an ipchains (1.0-2) or iptables (2.0-1) rule that effectively denies all traffic from the offending IP address for 24 hours. If this presents a problem for you, please DO NOT install the Guardian add-on.
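The Step 3 edit above depends on the asn1_decode line still sitting at "about line 362", which it may not after a package update. The script below is an added example (not from the HOWTO or from the Marari packages) that makes the same change with sed, keeps a .bak copy of the template, and can be re-run safely because it only touches lines that are still active. The variable SNORT_TEMPLATE and the function names are assumptions of this example; the template path is the one the HOWTO gives, and the snort.conf fragment in the demo is constructed.

```shell
#!/bin/sh
# Added example, not part of the HOWTO or the Marari packages: perform the
# Step 3 edit (comment out "preprocessor asn1_decode" in the e-smith
# snort.conf template) with sed instead of hand-editing line 362 in pico.
# Assumed names: SNORT_TEMPLATE, ASN1_RE, disable_asn1_decode,
# count_active_asn1, demo. The template path is the one the HOWTO gives.

SNORT_TEMPLATE="${SNORT_TEMPLATE:-/etc/e-smith/templates/etc/snort/snort.conf/00snort.conf}"

# Regex for an active (uncommented) asn1_decode preprocessor line.
ASN1_RE='^[[:space:]]*preprocessor[[:space:]][[:space:]]*asn1_decode'

# disable_asn1_decode FILE
# Keeps a .bak copy, then prefixes every active asn1_decode line with "# ".
# Idempotent: lines that are already commented out do not match the regex.
disable_asn1_decode() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    cp -p "$f" "$f.bak"
    sed -i "s/$ASN1_RE/# &/" "$f"
}

# count_active_asn1 FILE
# Prints how many active asn1_decode lines remain (0 once the edit is done).
count_active_asn1() {
    n=$(grep -c "$ASN1_RE" "$1") || true
    echo "${n:-0}"
}

# Stand-alone demonstration on a constructed snort.conf fragment in a temp
# file, so running this script never touches the real template.
demo() (
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor asn1_decode
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
EOF
    echo "active asn1_decode lines before: $(count_active_asn1 "$tmp")"
    disable_asn1_decode "$tmp"
    echo "active asn1_decode lines after:  $(count_active_asn1 "$tmp")"
    grep -n 'asn1_decode' "$tmp"
    rm -f "$tmp" "$tmp.bak"
)
demo
```

To apply it to the real template, run disable_asn1_decode "$SNORT_TEMPLATE" as root and then reboot as the HOWTO says in Step 3, so the e-smith template is expanded into the live snort.conf. Because the edit is on the template fragment rather than on /etc/snort/snort.conf itself, it survives later template expansions; editing the generated file directly would be overwritten.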
A Note About the Snort Rules Updater

The new script will update the rules for your snort installation. It will automatically download the current updates from http://www.snort.org and update your server. This may not be a feasible solution if you have previously modified your rules. All changes to your original rules will be over-written and forgotten. If this happens to your system, just stop the scheduled updates and restore your old rules by copying them from /etc/snort/rules-update/old-rules to the normal location (/etc/snort/).

The system is automatically configured to update the snort rules on a weekly basis. You may also wish to schedule the update process to run at a different interval, or not at all. To alter the scheduled update, execute the appropriate command as follows:

Stop Weekly Update:
# rm /etc/cron.weekly/update-snort.cron

Add Daily Update:
# ln -s /etc/snort/rules-update/update-rules.sh /etc/cron.daily/update-snort.cron

Add Weekly Update:
# ln -s /etc/snort/rules-update/update-rules.sh /etc/cron.weekly/update-snort.cron

Add Monthly Update:
# ln -s /etc/snort/rules-update/update-rules.sh /etc/cron.monthly/update-snort.cron

You can also run the update manually by executing the update script directly.
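The commands above each add or remove one symlink, so nothing stops you from ending up with a daily and a weekly link at the same time, and the rollback is a manual copy. The script below is an added example (not part of the HOWTO or the Marari packages) that wraps the same symlinks in a function which guarantees only one schedule is active, reports which one it is, and restores the saved rules from rules-update/old-rules as the note describes. CRON_ROOT and SNORT_ETC are assumed variables so the functions can be exercised against a scratch directory; the paths beneath them, the link name and the update script path are the HOWTO's own, and the rule file in the demo is constructed.

```shell
#!/bin/sh
# Added example, not part of the HOWTO or the Marari packages: manage the
# update-snort.cron symlink the HOWTO describes so that exactly one schedule
# (daily, weekly, monthly or none) is ever active, and restore the saved
# rules after stopping updates. CRON_ROOT and SNORT_ETC are assumed variables
# so the functions can be exercised against a scratch directory; the paths
# beneath them are the HOWTO's own.

CRON_ROOT="${CRON_ROOT:-/etc}"
SNORT_ETC="${SNORT_ETC:-/etc/snort}"
UPDATE_SCRIPT="${UPDATE_SCRIPT:-/etc/snort/rules-update/update-rules.sh}"
LINK_NAME="update-snort.cron"

# schedule_rules_update daily|weekly|monthly|none
# Removes every existing link first, so adding a second schedule can never
# leave two update jobs running at once.
schedule_rules_update() {
    interval="$1"
    case "$interval" in
        daily|weekly|monthly|none) ;;
        *) echo "usage: schedule_rules_update daily|weekly|monthly|none" >&2; return 2 ;;
    esac
    for d in daily weekly monthly; do
        rm -f "$CRON_ROOT/cron.$d/$LINK_NAME"
    done
    [ "$interval" = none ] && return 0
    mkdir -p "$CRON_ROOT/cron.$interval"
    ln -s "$UPDATE_SCRIPT" "$CRON_ROOT/cron.$interval/$LINK_NAME"
}

# current_rules_schedule
# Prints daily, weekly, monthly or none, depending on where the link lives.
current_rules_schedule() {
    for d in daily weekly monthly; do
        if [ -L "$CRON_ROOT/cron.$d/$LINK_NAME" ]; then
            echo "$d"
            return 0
        fi
    done
    echo none
}

# restore_old_rules
# Copies the pre-update rules the updater saved under rules-update/old-rules
# back to the normal location, as the HOWTO describes for a bad update.
restore_old_rules() {
    old="$SNORT_ETC/rules-update/old-rules"
    [ -d "$old" ] || { echo "no saved rules in $old" >&2; return 1; }
    cp -pR "$old/." "$SNORT_ETC/"
}

# Stand-alone demonstration against a scratch directory (never touches /etc).
demo() (
    scratch=$(mktemp -d)
    CRON_ROOT="$scratch"
    schedule_rules_update weekly
    echo "after weekly:  $(current_rules_schedule)"
    schedule_rules_update daily
    echo "after daily:   $(current_rules_schedule)"
    schedule_rules_update none
    echo "after none:    $(current_rules_schedule)"
    rm -rf "$scratch"
)
demo
```

On a real server, run it as root without overriding CRON_ROOT; schedule_rules_update none followed by restore_old_rules is the two-step rollback the note describes when an automatic update has overwritten local rule changes. Restart snortd afterwards (the HOWTO's /etc/rc.d/init.d/snortd script) so the restored rules are loaded.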
Special Thanks To:

Trevor Ouellette for the Guardian module. Great work and thanks for the co-contrib :)

Abe Loveless for updating the ari-mitel-acid rpm to work with the more current snort-1.9.0-1 modules and the snort auto-rules updating.

Disclaimer:

This process has been tested and seems to work just fine. This process is intended only for informational purposes and will not guarantee that your environment will be secure. Please consult with a security expert if you have additional security concerns. This HowTo document may be openly distributed and shared providing it is not altered from this original state. Use of this information is completely at YOUR OWN RISK.

Copyright ©2002, 2003 Marari Network Solutions