Saturday, June 5, 2010

Implementing Network Intrusion Detection for Home Network


My home gateway provides wireless internet access for all the computing devices at home, including the computer I am writing this on. For an added layer of security, I have recently added a network intrusion detection system (NIDS) to the Unix box using Snort.

Snort is an open-source Network Intrusion Detection System that analyzes packets and identifies potential security threats; BASE (Basic Analysis and Security Engine) is a PHP-based web front end that provides a graphical interface for browsing and analyzing the alerts and network statistics Snort records in the database. [http://en.wikipedia.org/wiki/Snort_(software)]

Having done some research online, I came across this great guide on installing "Snort and BASE on FreeBSD". [http://rackerhacker.com/2007/05/27/install-snort-and-base-on-freebsd/]


Giving credit to the guide mentioned above, I referenced it throughout the Snort installation, except for the BASE part, which it does not cover. Here is my interpretation of the entire "HowTo", based on my installation experience:

- Update BSD ports collection using "portsnap fetch extract update"
- Install Snort (enable MySQL option) and Oinkmaster under /usr/ports/security
- Install MySQL from /usr/ports/databases/mysql50-server. I used version 5.0 although newer versions are available, because the MySQL client was already installed on my system and the client and server versions need to match.
- Modify the "oinkmaster.conf" file (copied from /usr/local/etc/oinkmaster.conf.sample) and specify the location of the rules tarball:
url = file:///snortrules-snapshot-2860.tar.gz
The rules file has to be a .tar.gz archive. In my case it is saved on the local disk, so the example above uses the "file" URL scheme. Oinkmaster can also fetch the rules over the internet, which allows periodic updates from crontab (see the other url examples in the configuration file for details).
Note: register with Snort to obtain the latest rule files; their site only permits one download every 15 minutes.
- Extract Snort rules to rules directory
# oinkmaster -o /usr/local/etc/snort/rules/

- Configure the MySQL database. Log in to MySQL as the root user with "mysql -u root", create the database "testdb" and grant the "snort" user access to it. This database is where Snort writes and BASE reads from.
> CREATE DATABASE testdb;
> GRANT ALL PRIVILEGES ON testdb.* TO 'snort'@'localhost' IDENTIFIED BY 'snortpassword';
The 'snort'@'localhost' account can only connect from this machine, which is all Snort and BASE need here; use a stronger password than the placeholder shown.
- Load the Snort schema into the new database as the snort user: "# mysql -u snort -psnortpassword testdb < /usr/local/share/examples/snort/create_mysql". This command does not create the database; it only creates the tables inside an existing one, which is why the CREATE DATABASE and GRANT steps come first. Passing the password on the command line leaves it in the shell history and process list; "-p" without a value prompts for it instead.
- To confirm, log in to MySQL as snort using "mysql -u snort -p" (you will be prompted for the password) and list the databases:
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| testdb             |
+--------------------+

- Configure the "snort.conf" file under /usr/local/etc/snort/ and uncomment (remove the leading "#" from) the following lines:
# config detection: search-method lowmem
# output alert_syslog: LOG_AUTH LOG_ALERT
# output database: log, mysql, user=snort password=snortpassword dbname=testdb host=localhost
Ensure the user, password and database name match those created above. The alert_syslog line sends alerts to syslog (facility auth, level alert); the database line logs them to MySQL, where BASE reads them.

- Configure the "rules" files. I was using the rules snapshot snortrules-snapshot-2860.tar.gz and noted quite a lot of errors (e.g. "data_type not known") when I test-ran Snort, so I commented out some lines in the following rule files in addition to "local.rules":
> web-client.rules
> x11.rules
> attack-responses.rules
> backdoor.rules
> spyware-put.rules # I had to comment this file out entirely due to the large number of errors...
Rule parse errors like these usually indicate a mismatch between the rules snapshot and the installed Snort version or its preprocessor configuration. Commenting rules out silences the errors but also removes that detection coverage, so record exactly what was disabled and revisit it after the next rules update.

Finally, update "/etc/rc.conf" so that MySQL and Snort start automatically at boot:
### Snort/BASE Solution ###
mysql_enable="YES"
snort_enable="YES"
snort_interface="tun0" # I am using PPPoE access at home

Start Snort using "/usr/local/etc/rc.d/snort start". If there are no errors, alert messages like the following should appear in /var/log/messages:
Jun 5 00:12:48 HomeFreeBSD snort[1273]: [1:5998:4] P2P Skype client login startup [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 192.168.2.10:50854 -> 212.8.163.76:12350
Jun 5 00:12:48 HomeFreeBSD snort[1273]: [1:5999:4] P2P Skype client login [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 212.8.163.76:12350 -> 192.168.2.10:50854
Jun 5 00:12:48 HomeFreeBSD snort[1273]: [1:5998:4] P2P Skype client login startup [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 192.168.2.10:50854 -> 212.8.163.76:12350
Jun 5 00:12:48 HomeFreeBSD snort[1273]: [1:5693:4] P2P Skype client start up get latest version attempt [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 192.168.2.10:50855 -> 204.9.163.158:80
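The alert_syslog output above is often the quickest way to triage what Snort is seeing before BASE is up: the bracketed "[1:5998:4]" is generator ID, signature ID and rule revision, followed by the rule message, classification, priority, protocol and the source -> destination endpoints. The following Python script is an added example (not code from the original post or from the Snort project) that parses such lines and summarises them by signature, by direction relative to the LAN and by LAN host. The sample lines are constructed from the four alerts above plus one non-Snort syslog line to show how non-matching lines are skipped; the LAN prefix 192.168.2.0/24 is an assumption based on the 192.168.2.x addresses in the alerts.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample: the four alerts shown above in alert_syslog format, plus an
# unrelated sshd line. Real syslog pads the day with a space ("Jun  5"); the
# timestamp pattern below tolerates either form.
SAMPLE_ALERTS = """\
Jun  5 00:12:48 HomeFreeBSD snort[1273]: [1:5998:4] P2P Skype client login startup [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 192.168.2.10:50854 -> 212.8.163.76:12350
Jun  5 00:12:48 HomeFreeBSD snort[1273]: [1:5999:4] P2P Skype client login [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 212.8.163.76:12350 -> 192.168.2.10:50854
Jun  5 00:12:48 HomeFreeBSD snort[1273]: [1:5998:4] P2P Skype client login startup [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 192.168.2.10:50854 -> 212.8.163.76:12350
Jun  5 00:12:48 HomeFreeBSD snort[1273]: [1:5693:4] P2P Skype client start up get latest version attempt [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 192.168.2.10:50855 -> 204.9.163.158:80
Jun  5 00:13:02 HomeFreeBSD sshd[1301]: Accepted publickey for user from 192.168.2.20 port 51234 ssh2
"""

# Assumed home LAN prefix (inferred from the 192.168.2.x addresses in the alerts).
LAN = ipaddress.ip_network("192.168.2.0/24")

# One alert_syslog line: timestamp, host, "snort[pid]:", [gid:sid:rev], message,
# optional classification, priority, {proto}, src -> dst.
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"snort\[(?P<pid>\d+)\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?)"
    r"(?: \[Classification: (?P<cls>[^\]]*)\])?"
    r" \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>[A-Z0-9]+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


def split_endpoint(ep):
    """'192.168.2.10:50854' -> ('192.168.2.10', 50854); a bare IP (e.g. ICMP) -> (ip, None)."""
    if ":" in ep:
        ip, port = ep.rsplit(":", 1)
        return ip, int(port)
    return ep, None


def direction(src_ip, dst_ip):
    """Classify the flow relative to the LAN: outbound, inbound, internal or external."""
    s = ipaddress.ip_address(src_ip) in LAN
    d = ipaddress.ip_address(dst_ip) in LAN
    if s and d:
        return "internal"
    if s:
        return "outbound"
    if d:
        return "inbound"
    return "external"


def parse_alert(line):
    """Parse one alert_syslog line into a dict; return None for lines that are not Snort alerts."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    src_ip, src_port = split_endpoint(d["src"])
    dst_ip, dst_port = split_endpoint(d["dst"])
    return {
        "ts": d["ts"], "host": d["host"],
        "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
        "msg": d["msg"], "classification": d["cls"], "priority": int(d["prio"]),
        "proto": d["proto"],
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
        "direction": direction(src_ip, dst_ip),
    }


def summarize(lines):
    """Count alerts per signature, per direction and per LAN host involved."""
    alerts = [a for a in (parse_alert(l) for l in lines) if a]
    by_sig = Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)
    by_dir = Counter(a["direction"] for a in alerts)
    lan_hosts = Counter()
    for a in alerts:
        for ip in (a["src_ip"], a["dst_ip"]):
            if ipaddress.ip_address(ip) in LAN:
                lan_hosts[ip] += 1
    return {"total": len(alerts), "by_signature": by_sig,
            "by_direction": by_dir, "lan_hosts": lan_hosts}


if __name__ == "__main__":
    report = summarize(SAMPLE_ALERTS.splitlines())
    print(f"{report['total']} alerts, {len(report['by_signature'])} distinct signatures")
    for (gid, sid, msg), n in report["by_signature"].most_common():
        print(f"  {n:3d}  [{gid}:{sid}] {msg}")
    print("direction:", dict(report["by_direction"]))
    print("LAN hosts:", dict(report["lan_hosts"]))
```

Feeding it the live log ("grep 'snort\[' /var/log/messages | python3 triage.py", with the script reading stdin instead of SAMPLE_ALERTS) gives a per-signature count that makes noisy rules such as the Skype ones above easy to spot and tune before they bury real alerts.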


BASE Installation
- Install BASE (enable MySQL) and adodb from /usr/ports/security/base and /usr/ports/databases/adodb respectively.
I already had Apache (HTTP server) installed on my system; otherwise it is located under /usr/ports/www/apache22, and there are lots of good tutorials on getting a web server up and running.
The following is for configuring Apache to serve BASE:
# /usr/local/etc/apache22/httpd.conf
DocumentRoot "/usr/local/www/base"
...
# This should be changed to whatever you set DocumentRoot to.
<Directory "/usr/local/www/base">
...
    Allow from All
</Directory>
# Enable PHP in apache
LoadModule php5_module libexec/apache22/libphp5.so

AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

Note that "Allow from All" lets any client able to reach the web server read the alert data. On a gateway that also faces the internet, restrict the BASE directory to the LAN (for example "Allow from 192.168.2.0/24", matching the LAN addresses seen in the alerts above) or put it behind authentication.

Update the $DBlib_path variable in /usr/local/www/base/base_conf.php to point at adodb, and fill in the database connection parameters so they match the "output database" line in snort.conf:
$DBlib_path = '/usr/local/share/adodb/';
$DBtype = 'mysql';

/* Alert DB connection parameters*/
$alert_dbname = 'testdb';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'snortpassword';

Lastly, MySQL by default listens for TCP connections on port 3306 on every interface, so on an internet-facing gateway the database login is reachable from anywhere; an unnecessary risk, since Snort and BASE both run on this host and only need local access. Disable TCP listening altogether by uncommenting skip-networking in the [mysqld] section. Local clients that use host=localhost (including the snort.conf and base_conf.php settings above) connect through the Unix socket instead, so nothing else needs to change:
# cp /usr/local/share/mysql/my-large.cnf /usr/local/etc/my.cnf
# vi /usr/local/etc/my.cnf
[mysqld]
...
# Don't listen on a TCP/IP port at all...
skip-networking
Restart MySQL afterwards ("/usr/local/etc/rc.d/mysql-server restart") for the change to take effect.
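To verify the hardening rather than trust the edit, here is a small Python check, added as an example (it is not part of the original post, MySQL or BASE). It reads the [mysqld] section of a my.cnf and reports how mysqld would be exposed (TCP disabled, loopback only, or all interfaces, the MySQL default when bind-address is unset), and includes a plain TCP probe to confirm from another machine that 3306 is really closed. The config fragments are constructed to resemble my-large.cnf; the hostnames and ports used in the probe are assumptions.

```python
import socket

# Constructed my.cnf fragments shaped like my-large.cnf. WEAK_CNF leaves
# skip-networking commented out, so mysqld would listen on 0.0.0.0:3306.
WEAK_CNF = """\
[client]
port            = 3306
socket          = /tmp/mysql.sock

[mysqld]
port            = 3306
socket          = /tmp/mysql.sock
key_buffer = 256M
# Don't listen on a TCP/IP port at all...
#skip-networking
log-bin=mysql-bin
"""

# Hardened variants: TCP disabled entirely, or bound to loopback only.
HARDENED_CNF = WEAK_CNF.replace("#skip-networking", "skip-networking")
LOOPBACK_CNF = WEAK_CNF.replace("#skip-networking", "bind-address = 127.0.0.1")


def mysqld_options(cnf_text):
    """Return the [mysqld] options as a dict; bare flags like skip-networking map to None."""
    section = None
    opts = {}
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld":
            continue
        key, _, value = line.partition("=")
        # MySQL accepts '-' or '_' interchangeably in option names; normalise to '-'.
        opts[key.strip().replace("_", "-")] = value.strip() or None
    return opts


def network_exposure(cnf_text):
    """'none' if TCP is disabled, 'loopback' if bound to 127.0.0.1/::1, else 'all-interfaces'."""
    opts = mysqld_options(cnf_text)
    if "skip-networking" in opts:
        return "none"
    if opts.get("bind-address") in ("127.0.0.1", "::1", "localhost"):
        return "loopback"
    return "all-interfaces"   # MySQL's default when bind-address is unset


def tcp_port_open(host, port, timeout=1.0):
    """Live check: does a TCP handshake to host:port complete? Run it from another
    LAN host (or from the WAN side) to confirm 3306 is not reachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for name, cnf in (("weak", WEAK_CNF), ("skip-networking", HARDENED_CNF),
                      ("bind-address", LOOPBACK_CNF)):
        print(f"{name:16s} -> {network_exposure(cnf)}")
    # Assumed gateway address; replace with your own and run from a different machine.
    print("3306 reachable on 192.168.2.1:", tcp_port_open("192.168.2.1", 3306))
```

Run "network_exposure(open('/usr/local/etc/my.cnf').read())" on the gateway itself to check the file, and the port probe from a separate host; a file that says "none" while the probe still succeeds means mysqld was not restarted or is reading a different configuration file.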

If things go well, Snort and BASE should be up and running and you should see the following (as you can see, my database name is "snort_log"):