Sunday, June 3, 2007

FreeBSD 6.2, Snort, and Base - IDS System

Step #1 – Initial Setup of FreeBSD and hardware
In this step I am not going to go into exact details since that would be a document all by itself. My example install will include a 20GB /var partition, plenty of room for the snort databases, and a minimal install profile.

For my hardware I have a 2Ghz P4, 1GB RAM, 80GB Hard Drive, and two Gigabit NICs. This should give me plenty of resources for my lab network and lab internet connection. One NIC will be used for the actual “sniffing” of the network while the other will be for accessing a web interface.
At this point you should have the following on your FreeBSD System:
-Minimal Installation
-Ports Tree
-Source (optional)
-Internet Connectivity
-Static IP for web interface
Step #2 – Installing the required software (via ports tree)
Install MySQL 4.1
cd /usr/ports/databases/mysql41-server
make BUILD_OPTIMIZED=yes install clean
Install Apache 2.2
cd /usr/ports/www/apache22
make install clean
-When prompted for install options, leave default
Install PHP5
cd /usr/ports/lang/php5
make install clean
Keep the default options and add: APACHE
Install PHP5 Extensions
cd /usr/ports/lang/php5-extensions
make install clean
Keep the default options and add: GETTEXT, GD, MYSQL, PDF, ZIP, ZLIB
Install Snort
cd /usr/ports/security/snort
make install clean
Keep the default options and add: MYSQL
Install Base
cd /usr/ports/security/base
make install clean
Keep the default options and add: MYSQL, PDF
Install PHPMyAdmin (optional)
cd /usr/ports/databases/phpmyadmin
make install clean
Keep the default options
Install Oinkmaster
cd /usr/ports/security/oinkmaster
make install clean
rehash
Step #3 – Configuring MySQL 4.1
Starting MySQL
/usr/local/etc/rc.d/mysql-server start
Changing the MySQL root password
mysqladmin -u root password
Step #4 – Configure Apache22 (Bare minimum changes)
Adding a kernel module for Apache22
vi /boot/loader.conf
Add the line: accf_http_load="YES"
:wq
Enter the command: kldload accf_http
DNS Name Resolution – Do this if your IP is not resolved by DNS
vi /etc/hosts
Add a line mapping your IP address to the host name, for example:
192.168.1.100 snort snort.lab1.local
Configuring the httpd.conf file
(Note: This is a general config and is not intended to cover all situations)
vi /usr/local/etc/apache22/httpd.conf
Change the following lines
ServerName <your-ip>:80
Listen <your-ip>:80
DirectoryIndex index.html index.php
Add the following lines (around line 290):
Alias /phpMyAdmin/ "/usr/local/www/phpMyAdmin/"
<Directory "/usr/local/www/phpMyAdmin/">
Order deny,allow
Allow from all
AuthType basic
AuthName "Private Area"
AuthUserFile "/usr/local/www/password"
Require valid-user
</Directory>

Alias /base/ "/usr/local/www/base/"
<Directory "/usr/local/www/base/">
Order deny,allow
Allow from all
AuthType basic
AuthName "Private Area"
AuthUserFile "/usr/local/www/password"
Require valid-user
</Directory>

AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
:wq
Set the password file for Apache access
Enter the command: htpasswd -c /usr/local/www/password <username>
(This will prompt you to enter a password)
To add an additional user or change an existing user's password:
Enter the command: htpasswd /usr/local/www/password <username>
Configure PHP
Enter the command: cp /usr/local/etc/php.ini-recommended /usr/local/etc/php.ini
Change one line in /usr/local/etc/php.ini:
error_reporting = E_NOTICE
to
error_reporting = E_ALL & ~E_NOTICE
Test Apache22 to verify it is working
Enter the command: apachectl start
Open a web browser and surf to http://<your-ip>/
You should see a page displaying "It works!"
Step #5 – Configuration of PhpMyAdmin (optional)
Edit configuration files
vi /usr/local/www/phpMyAdmin/libraries/config.default.php
edit the line: $cfg['Servers'][$i]['password'] = '';
:wq!
Test PhpMyAdmin
Using a web browser, surf to http://<your-ip>/phpMyAdmin/
You should be prompted for a password and allowed access
Step #6 – SQL Snort Configuration
Setup MySQL databases for Snort
Using PhpMyAdmin create the following databases: snort and archive
Select the snort database in the dropdown on the left
Copy the SQL commands from the file /usr/local/share/examples/snort/create_mysql into the “Run SQL” box under the SQL tab in PHPMyAdmin and select “GO”
Select the archive database in the dropdown on the left
Copy the SQL commands from the file /usr/local/share/examples/snort/create_mysql into the “Run SQL” box under the SQL tab in PHPMyAdmin and select “GO”
Creating a Snort SQL user
On the main screen, click on “Privileges”
Verify that the user root has a password set for both localhost and your FQDN
Click “Add a new User”
Add the following:
User name: snort
Host: <host>
Password: <password>
Click “GO”
Find the “Database-specific privileges”
Use the drop down to select the “snort” database
Select the following privileges: SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP
Click “GO”
Click the house icon in the upper left corner
On the main screen, click on “Privileges”
Click the edit icon
Find the “Database-specific privileges”
Use the drop down to select the “archive” database
Select the following privileges: SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP
Click “GO”
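The same database setup can be done from the shell instead of clicking through phpMyAdmin. The script below is an added example, not part of the original post: it creates the snort and archive databases, grants the snort user exactly the privilege list given above (and nothing else, and only from localhost, which is the host snort.conf connects to), and loads the schema file named in this step into both databases. The schema path is the one from the post; the environment-variable names, the CHANGE_ME password placeholder and the "apply" argument are my assumptions. Because MySQL 4.1 has no CREATE USER statement, the user is created by GRANT ... IDENTIFIED BY.

```sh
#!/bin/sh
# Added example (not from the original post): create the Snort databases and a
# least-privilege snort@localhost user from the command line.
# Assumes the MySQL root password is already set (Step #3) and the schema file
# shipped with the Snort port is at the path used in the post.

SCHEMA="${SCHEMA:-/usr/local/share/examples/snort/create_mysql}"
SNORT_DB_USER="${SNORT_DB_USER:-snort}"
SNORT_DB_HOST="${SNORT_DB_HOST:-localhost}"   # matches host=localhost in snort.conf
SNORT_DB_PASS="${SNORT_DB_PASS:-CHANGE_ME}"   # placeholder; set a real one at run time
# The privilege list the post grants through the phpMyAdmin GUI, nothing more.
PRIVS="SELECT,INSERT,UPDATE,DELETE,CREATE,ALTER,INDEX,DROP"

# Emit the SQL for the databases and the per-database grants. It is printed
# rather than executed so it can be reviewed (or tested) before it is applied.
grant_sql() {
    printf 'CREATE DATABASE IF NOT EXISTS snort;\n'
    printf 'CREATE DATABASE IF NOT EXISTS archive;\n'
    for db in snort archive; do
        # GRANT ... IDENTIFIED BY creates the account if it does not exist (MySQL 4.1)
        printf "GRANT %s ON %s.* TO '%s'@'%s' IDENTIFIED BY '%s';\n" \
            "$PRIVS" "$db" "$SNORT_DB_USER" "$SNORT_DB_HOST" "$SNORT_DB_PASS"
    done
    printf 'FLUSH PRIVILEGES;\n'
}

# Apply the grants and load the Snort schema into each database in one
# mysql session; "source" is a mysql client command that reads a file.
setup_snort_db() {
    {
        grant_sql
        for db in snort archive; do
            printf 'USE %s;\nsource %s\n' "$db" "$SCHEMA"
        done
    } | mysql -u root -p
}

# Run only when explicitly asked, so the functions can be sourced safely.
if [ "${1:-}" = "apply" ]; then
    setup_snort_db
fi
```

Run it as `SNORT_DB_PASS='...' sh setup_snort_db.sh apply`; the password you choose here is the one that goes into the output database lines of snort.conf in the next step. Running `sh setup_snort_db.sh` with no argument does nothing, and calling grant_sql alone prints the statements for inspection.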
Edit the Snort Configuration File – (Note: This is a VERY basic snort config)
vi /usr/local/etc/snort/snort.conf
Delete EVERYTHING and add:
var HOME_NET [10.0.0.0/8,192.168.0.0/16,172.0.0.0/16,172.26.0.0/16]
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH ./rules
dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor/
dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so
preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: disable_evasion_alerts
#preprocessor bo
preprocessor ftp_telnet: global \
encrypted_traffic yes \
inspection_type stateful
preprocessor ftp_telnet_protocol: telnet \
normalize \
ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default \
def_max_param_len 100 \
alt_max_param_len 200 { CWD } \
cmd_validity MODE < char ASBCZ > \
cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
telnet_cmds yes \
data_chan
preprocessor ftp_telnet_protocol: ftp client default \
max_resp_len 256 \
bounce yes \
telnet_cmds yes
preprocessor smtp: \
ports { 25 } \
inspection_type stateful \
normalize cmds \
normalize_cmds { EXPN VRFY RCPT } \
alt_max_command_line_len 260 { MAIL } \
alt_max_command_line_len 300 { RCPT } \
alt_max_command_line_len 500 { HELP HELO ETRN } \
alt_max_command_line_len 255 { EXPN VRFY }
preprocessor dcerpc: \
autodetect \
max_frag_size 3000 \
memcap 100000
preprocessor dns: \
ports { 53 } \
enable_rdata_overflow
output database: log, mysql, user=snort password=epic2533 dbname=snort host=localhost
output database: alert, mysql, user=snort password=epic2533 dbname=snort host=localhost
output alert_unified: filename /var/log/snort/snort.alert, limit 512
output log_unified: filename /var/log/snort/snort.log, limit 512
include classification.config
include reference.config
include $RULE_PATH/bleeding.rules
include $RULE_PATH/bleeding-attack_response.rules
include $RULE_PATH/bleeding-botcc.rules
include $RULE_PATH/bleeding-dos.rules
include $RULE_PATH/bleeding-drop.rules
include $RULE_PATH/bleeding-dshield.rules
include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/bleeding-game.rules
include $RULE_PATH/bleeding-inappropriate.rules
include $RULE_PATH/bleeding-malware.rules
include $RULE_PATH/bleeding-p2p.rules
#include $RULE_PATH/bleeding-policy.rules
include $RULE_PATH/bleeding-scan.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/bleeding-voip.rules
include $RULE_PATH/bleeding-web.rules
Step #7 – Updating Snort Rules
Create script for updating snort rules
mkdir /root/scripts
vi /root/scripts/bleedingupdate.sh
#!/bin/sh
# Fetch the Bleeding Snort rules and drop them into the Snort rules directory
oinkmaster -o /usr/local/etc/snort/rules/ -u \
http://www.bleedingsnort.com/bleeding.rules.tar.gz
:wq!
chmod 777 /root/scripts/bleedingupdate.sh
cp /usr/local/etc/oinkmaster.conf.sample /usr/local/etc/oinkmaster.conf
Test the script
/root/scripts/bleedingupdate.sh
ls /usr/local/etc/snort/rules
(You should see a number of bleeding-*.rules files)
Set rules to automatically update
vi /etc/crontab
1 */3 * * * root /root/scripts/bleedingupdate.sh && /usr/local/etc/rc.d/snort restart
:wq!
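The cron line above restarts Snort whenever oinkmaster exits successfully, so a rules download that produced no files, or a rule that Snort cannot parse, leaves the sensor stopped until someone notices. The script below is an added example, not the post's bleedingupdate.sh: it performs the same oinkmaster download, then does the manual "ls" check from the step above in code and runs Snort's own configuration test (snort -T) before touching the rc.d script. Paths, the rules URL and the rc.d script are the ones from the post; the environment-variable overrides are my addition so the logic can be exercised without a live Snort install.

```sh
#!/bin/sh
# Added example (not from the original post): a bleedingupdate.sh that only
# restarts Snort after the download is verified and the config passes snort -T.

RULES_DIR="${RULES_DIR:-/usr/local/etc/snort/rules}"
SNORT_CONF="${SNORT_CONF:-/usr/local/etc/snort/snort.conf}"
RULES_URL="${RULES_URL:-http://www.bleedingsnort.com/bleeding.rules.tar.gz}"
OINKMASTER="${OINKMASTER:-/usr/local/bin/oinkmaster}"
SNORT="${SNORT:-/usr/local/bin/snort}"
SNORT_RC="${SNORT_RC:-/usr/local/etc/rc.d/snort}"

# Number of bleeding-*.rules files in a directory (the post's manual ls check).
count_rule_files() {
    n=0
    for f in "$1"/bleeding-*.rules; do
        if [ -f "$f" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Ask Snort to parse the configuration and rules without sniffing (-T);
# a non-zero exit means the new rule set would not load.
config_is_valid() {
    "$SNORT" -q -T -c "$SNORT_CONF" >/dev/null 2>&1
}

# Download, verify the result, validate the config, and only then restart.
update_rules() {
    "$OINKMASTER" -o "$RULES_DIR" -u "$RULES_URL" \
        || { echo "oinkmaster failed; leaving Snort untouched" >&2; return 1; }
    [ "$(count_rule_files "$RULES_DIR")" -gt 0 ] \
        || { echo "no bleeding-*.rules files in $RULES_DIR" >&2; return 1; }
    config_is_valid \
        || { echo "snort.conf failed snort -T; not restarting" >&2; return 1; }
    "$SNORT_RC" restart
}

# Run the update only when executed as the script itself, not when sourced.
case "$0" in
    */bleedingupdate.sh) update_rules ;;
esac
```

With this version the crontab entry needs only `1 */3 * * * root /root/scripts/bleedingupdate.sh`, since the restart is done inside the script after the checks pass; a failed run leaves the previous rules and the running Snort in place and reports why on stderr, which cron mails to root.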
Step #8 – Setting up everything to run on startup
Add the following to the /etc/rc.conf file
apache22_enable="YES"
mysql_enable="YES"
snort_enable="YES"
snort_interface="bge0"
Change bge0 to the interface you want to "sniff" with, such as "xl0".
Restart your FreeBSD box
reboot
Step #9 – Setting up and using BASE
BASE installation
chmod -R 777 /usr/local/www/base/
Use a web browser and go to http://<your-ip>/base/
Fill in the setup questions as prompted
(Note: The path to Adodb is: /usr/local/share/adodb)
Make sure you enable the checkmark to use the Archive database
Checking to see if BASE is working
Use a web browser and go to http://<your-ip>/base/
If you see the BASE web page and there are no errors, it's working
Step #10 – Verify everything is working
Make sure both of your NICs are connected to your network traffic
Use a web browser and go to http://<your-ip>/base/
Need more information or help?
FreeBSD – http://www.freebsd.org
Snort – http://www.snort.org
BASE - http://sourceforge.net/projects/secureideas
Bleeding Snort Rules - http://www.bleedingsnort.com/
This document only addresses the installation of Snort as an IDS system and just scratches the surface of what Snort is capable of.