Install Snort IDS on Ubuntu

Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire.

Snort Home Page

Installation

We need Apache, MySQL and PHP. Read this post for instructions on how to install LAMP.

Create Snort database

Connect to mysql server:

mysql -u root -p

Execute the following, replacing 'password' with a password of your own (the same value is used in snort.conf later):

CREATE DATABASE snort;
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES ON snort.* TO 'snort'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;

Exit MySQL

quit

Install Snort

sudo apt-get -y install snort-mysql

When prompted for the address range of the network Snort should monitor, enter it in CIDR notation, for example 192.168.2.0/24.

At the end of Snort's installation you will be asked whether you wish to set up a database.
Choose no. We will configure the database manually later.

Snort Configuration

pushd /usr/share/doc/snort-mysql

Create database tables

sudo zcat create_mysql.gz | mysql -u snort -p snort

Modify the Snort configuration so that it logs to the MySQL database instead of the tcpdump log. The replacement text must contain a real newline (\n) so that the commented-out tcpdump line and the new database line end up on separate lines. Use the password you chose when creating the database user.

sudo sed -i "s/output log_tcpdump: tcpdump.log/#output log_tcpdump: tcpdump.log\noutput database: log, mysql, user=snort password=password dbname=snort host=localhost/" /etc/snort/snort.conf

Remove the pending Snort database configuration file.

sudo rm -rf /etc/snort/db-pending-config

Start Snort

sudo /etc/init.d/snort start
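The snort.conf edit above is a one-line sed substitution that is easy to get wrong (a missing newline leaves both output plugins on one line). As an added example that is not part of the original post, the POSIX shell script below performs the same change on a copy of the file with awk and then checks the result; the sample config lines and the function names make_sample_conf, switch_to_mysql_output and verify_db_output are my own.

```shell
#!/bin/sh
# Added example: switch snort.conf from tcpdump logging to MySQL logging
# and verify the result. Works on whatever file path is passed in, so it
# can be tried on a copy before touching /etc/snort/snort.conf.

# Constructed sample of the relevant snort.conf output section (not the
# real file); written to the path given as $1.
make_sample_conf() {
    cat > "$1" <<'EOF'
# output plugins
output alert_syslog: LOG_AUTH LOG_ALERT
output log_tcpdump: tcpdump.log
EOF
}

# Comment out the tcpdump output line and add a database output line
# right after it. $1 = config file, $2 = db user, $3 = db password,
# $4 = db name, $5 = db host. awk is used instead of sed -i so the
# newline is explicit and the script is portable between GNU and BSD.
switch_to_mysql_output() {
    awk -v line="output database: log, mysql, user=$2 password=$3 dbname=$4 host=$5" '
        /^output log_tcpdump: tcpdump.log/ { print "#" $0; print line; next }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Return 0 only if: a database output line exists, no active tcpdump
# output line remains, and the database password is not the placeholder
# "password" used in the post.
verify_db_output() {
    grep -q '^output database: log, mysql, user=' "$1" || return 1
    grep -q '^output log_tcpdump:' "$1" && return 1
    grep -q 'password=password ' "$1" && return 1
    return 0
}

# Demo on a constructed copy; $1 is the database password to test with.
demo() {
    f=$(mktemp)
    make_sample_conf "$f"
    switch_to_mysql_output "$f" snort "$1" snort localhost
    cat "$f"
    if verify_db_output "$f"; then echo "OK: database output configured"
    else echo "FAIL: check the output lines and the password"; fi
    rm -f "$f"
}
```

On a real system, run switch_to_mysql_output on a copy of /etc/snort/snort.conf, call verify_db_output on it, and only then copy the file into place and restart Snort.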


ACID Installation

Acidbase (BASE) is a web front end for browsing the alerts Snort writes to the database.

sudo apt-get -y install acidbase

During the installation process you will be prompted to configure a database for acidbase. Choose yes and use MySQL for the database type.

ACID Configuration

By default the web front end only accepts connections from localhost. To allow a remote workstation to connect as well, extend the allow list in the Apache configuration:

sudo sed -i "s#allow from 127.0.0.0/255.0.0.0#allow from 127.0.0.0/255.0.0.0 x.y.z.k/255.255.255.0#" /etc/acidbase/apache.conf

Where x.y.z.k is the IP address of the remote workstation (the /255.255.255.0 mask allows its whole /24 network).

Restart apache

sudo /etc/init.d/apache2 restart

Access the acidbase web frontend at http://localhost/acidbase/base_db_setup.php.
Choose the button “Create BASE AG”.

Return to the main page http://localhost/acidbase/base_main.php.


Test IDS

sudo nmap -p1-65535 -sV -sS -O localhost

Open the Acidbase main page http://localhost/acidbase/base_main.php, refresh if necessary, and you should see the alerts generated by the port scan.
