Snort on Debian Lenny with remote postgreSQL server logging

Posted by Dark Training on August 19, 2009 tags: | debian | security


This guide assumes that you have already installed Debian and Snort, as well as PostgreSQL on a remote server.

We are going to start under the following assumptions:

  • You already have a working remote PostgreSQL server
  • You are starting from a vanilla Debian Lenny install
  • You are working from a central folder in the steps below (i.e. /home/user/snort)
  • You have used snort and or PostgreSQL before

First we are going to need to get the packages. You could run apt-get install snort, but the current Debian package is version 2.7.0-20.4 (as of this writing), while the current stable Snort release is 2.8.4.1. I prefer to stay on the cutting edge, so we are going to install from source.

Grab the installer from snort.org; we are going to use wget to get the file:

wget http://dl.snort.org/snort-current/snort-2.8.4.1.tar.gz

Unpack that file and get rid of the tarball (to save space):

tar -xf snort-2.8.4.1.tar.gz; rm snort-2.8.4.1.tar.gz

Let's get the other packages we are going to need from the Debian repository:

sudo apt-get install libpcap0.8-dev libpcre++-dev gcc postgresql-client libpq-dev make

For those who want to know: libpcap and libpcre++ are required to build Snort, gcc and make are the compiler and build tool, postgresql-client lets us talk to the remote server, and libpq-dev provides the PostgreSQL development headers required for compilation.

Compile and load

Let's build that source!

cd snort-2.8.4.1
sudo ./configure --with-postgresql
sudo make
sudo make install

Now you have Snort installed, but we need to get it working before we can send logs to the remote PostgreSQL server. First, Snort won't do anything if we don't have rules. You can get them from http://www.snort.org/snort-rules/#rules, but you will need to register for a free account, or a paid account if you want the newest rules.

In my case I downloaded snortrules-snapshot-2.8.tar.gz. As before, you will need to uncompress the gzip file and remove the junk:

tar -xf snortrules-snapshot-2.8.tar.gz; rm snortrules-snapshot-2.8.tar.gz

That creates four folders: doc, etc, rules and so_rules.

Since we compiled from source, it did not create the "usual" Snort directory that you would get from apt-get install snort. NOT A BIG DEAL, we can just make it and move the files we need.

sudo mkdir /etc/snort; sudo mv snort-2.8.4.1/etc/* /etc/snort/; sudo mv rules/ so_rules/ /etc/snort/; sudo mkdir -p /var/log/snort/ 

You can now delete the other stuff you are not going to need anymore. !!! THIS ASSUMES YOU ARE STILL IN THE SAME DIR !!! BE CAREFUL THAT YOU ARE NOT IN / or you will delete the actual system files.

sudo rm -Rf doc/ etc/ snort-2.8.4.1/ 

Config file

We need to make some changes to the base snort.conf file in order to get it to log to the server. Below I show each line as it was and what you need to change it to, after the ->.

var HOME_NET any -> var HOME_NET <your IP scope, e.g. 192.168.0.0/24>
....
output database: alert, postgresql, user=snort dbname=snort -> output database: alert, postgresql, user=snort dbname=snort host=<your PostgreSQL server IP> password=password
output database: log, postgresql, user=snort dbname=snort host=<your PostgreSQL server IP> password=password
....
var RULE_PATH ../rules -> var RULE_PATH /etc/snort/rules

Next we need to test that we can connect to the PostgreSQL database:

/usr/lib/postgresql/8.3/bin/psql -U snort -h 192.168.150.2 

If that works, then you know you have a good setup. If you get "could not connect to server:", check the firewall and make sure that it's allowing your Snort box's IP address. Also don't forget that you need to add the Snort box to pg_hba.conf on the PostgreSQL server.
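The snort.conf edits and the connection test above can be scripted so they are repeatable across sensors. The script below is an added example, not part of the original post or of Snort itself: it rewrites the three settings (HOME_NET, RULE_PATH and the two output database lines) with awk, refuses to continue if the template had no PostgreSQL alert line to rewrite, locks down the file because the database password now sits in it in clear text, and wraps the psql check in a function. The config path, network scope, database host, user, name and password are all assumptions passed in as arguments.

```shell
#!/bin/sh
# Added example (not from the original post): applies the three snort.conf
# changes described above and checks the PostgreSQL connection the same way
# the psql test does. Every value here is an assumption to adjust: the path
# to snort.conf, the HOME_NET scope, the database host, user, name and password.
set -e

# apply_snort_db_config CONF HOME_NET DB_HOST DB_USER DB_NAME DB_PASS RULE_PATH
# Rewrites HOME_NET, RULE_PATH and the "output database:" lines in CONF.
# Both a commented-out ("# output database: ...") and an active alert line are
# accepted as the starting point; old postgresql log lines are dropped so the
# result has exactly one alert and one log line pointing at the remote server.
apply_snort_db_config() {
    conf="$1"; home_net="$2"; db_host="$3"
    db_user="$4"; db_name="$5"; db_pass="$6"; rule_path="$7"
    # awk -v interprets backslash escapes, so keep backslashes out of the password
    dbline="user=$db_user dbname=$db_name host=$db_host password=$db_pass"

    awk -v hn="$home_net" -v rp="$rule_path" -v db="$dbline" '
        /^var HOME_NET /  { print "var HOME_NET " hn; next }
        /^var RULE_PATH / { print "var RULE_PATH " rp; next }
        /^#? *output database: alert, postgresql/ {
            print "output database: alert, postgresql, " db
            print "output database: log, postgresql, " db
            next
        }
        /^#? *output database: log, postgresql/ { next }
        { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"

    # Failure mode: the template had no postgresql alert line at all, so
    # nothing was rewritten and Snort would start without database output.
    if ! grep -q '^output database: alert, postgresql' "$conf"; then
        echo "error: no 'output database: alert, postgresql' line found in $conf" >&2
        return 1
    fi

    # The database password is now in clear text inside the file: keep it
    # readable by root only (the post runs snort via sudo, i.e. as root).
    chmod 600 "$conf"
}

# check_db_connection DB_HOST DB_USER DB_NAME
# Same test as the psql command in the post, but scriptable: returns 0 when a
# trivial query succeeds. The password is taken from PGPASSWORD or ~/.pgpass,
# so it never appears on the command line or in the process list.
check_db_connection() {
    psql -h "$1" -U "$2" -d "$3" -c 'SELECT 1' >/dev/null 2>&1
}
```

Usage on the sensor would be `apply_snort_db_config /etc/snort/snort.conf 192.168.0.0/24 192.168.150.2 snort snort 'yourpassword' /etc/snort/rules` followed by `snort -T -c /etc/snort/snort.conf`, which parses the configuration and reports problems without sniffing. On the PostgreSQL side, the pg_hba.conf entry the post mentions should be limited to the sensor's address and require a password rather than trust, for example `host snort snort 192.168.150.10/32 md5` (a constructed address), followed by a reload of the server.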

Now it's time to test that all of this is working. In my case I have two NICs on my server: eth0 is the public NIC and eth1 is set to passive mode. Adjust the command below to reflect the NIC you want to use in your environment.

sudo snort -b -i eth1 -c /etc/snort/snort.conf

Taking it to the next level: BASE

Now that you have Snort sending to your PostgreSQL server, you may want to consider using a front end to make sense of the data being stored in the database. A popular front end is BASE from Secure Ideas. You can get the latest version from SourceForge: http://sourceforge.net/projects/secureideas/.

Installing BASE (base-1.4.3.1.tar.gz) is kind of a pain, so please follow the steps as closely as you can. As above, we are going to make some assumptions:

  • You followed the tutorial above and have a working Snort server and a PostgreSQL backend that is receiving data.
  • You already have an Apache server running and it has PHP5.
  • You have configured your PostgreSQL server to allow access from that Apache server.

First we need to go out and get the most recent version of BASE from http://sourceforge.net/projects/secureideas/; in our example we are using base-1.4.3.1.tar.gz.

 wget http://downloads.sourceforge.net/project/secureideas/BASE/base-1.4.3.1/base-1.4.3.1.tar.gz

Now let's unpack it and remove the unneeded file:

tar -xf base-1.4.3.1.tar.gz; rm base-1.4.3.1.tar.gz

Now we need to make a folder in your Apache root to store it; in this case we are assuming your root is the default /var/www/.

sudo mkdir /var/www/base

Now we are going to move everything from the base-1.4.3.1 folder to the new /var/www/base folder we just created and remove the now-empty directory.

sudo mv base-1.4.3.1/* /var/www/base/; rmdir base-1.4.3.1

Now we need to install some things in order to get BASE up and running:

sudo apt-get install php5-pgsql libphp-adodb php5-gd php-pear

Begin the headache

So out of the box, in my experience, BASE didn't want to play nice. Below are the modifications you are going to need to make to get BASE going. First we need to update /etc/php5/apache2/php.ini to include the PostgreSQL PHP object. Under the section "Dynamic Extensions" add:

extension=gd.so

Now restart Apache for the change to take effect:

 sudo /etc/init.d/apache2 restart 

Now we need to install a few options that will allow the UI to work. In this case I initially had some trouble getting the graphs to load; it would give the following error:

Error loading the Graphing library:

Check your Pear::Image_Graph installation!

  • Image_Graph can be found here: at http://pear.veggerby.dk/. Without this library no graphing operations can be performed.
  • Make sure PEAR libraries can be found by php at all:
    pear config-show | grep "PEAR directory"
    PEAR directory php_dir /usr/share/pear
    This path must be part of the include path of php (cf. /etc/php.ini):
    php -i | grep "include_path"
    include_path => .:/usr/share/pear:/usr/share/php => .:/usr/share/pear:/usr/share/php

I was able to fix this with the install options below:

sudo pear install Image_Color Mail Mail_mime
sudo pear install --alldeps Image_Graph-0.7.2
pear install --alldeps Numbers_Words-0.15.0
pear install Image_Canvas-0.3.1
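The BASE error above lists what to verify by hand: that the PEAR directory is one of the entries in PHP's include_path, and that the graphing packages exist. The script below is an added example (not from the original post, not part of BASE) that performs those checks after the pear installs, plus the two PHP modules this page enables (pgsql and gd). The package names are the ones used on this page; the check for include_path membership is an exact per-entry comparison so that a similarly named directory does not pass by accident.

```shell
#!/bin/sh
# Added example (not from the original post): verifies the PHP/PEAR
# prerequisites that the BASE graphing error complains about. Package and
# module names come from this page; everything else is an assumption.

# path_contains DIR PATHLIST
# Returns 0 when DIR is one of the colon-separated entries of PATHLIST
# (exact match per entry, so /usr/share/pear does not match /usr/share/pearl).
path_contains() {
    dir="$1"
    rest="$2:"
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        [ "$entry" = "$dir" ] && return 0
    done
    return 1
}

# has_php_module NAME: returns 0 when "php -m" lists the module
has_php_module() {
    php -m 2>/dev/null | grep -qi "^$1\$"
}

# has_pear_package NAME: returns 0 when "pear list" shows the package
has_pear_package() {
    pear list 2>/dev/null | grep -qi "^$1 "
}

# check_base_prereqs: prints one line per check, returns 1 if any check failed
check_base_prereqs() {
    rc=0
    php_dir=$(pear config-get php_dir 2>/dev/null)
    inc=$(php -r 'echo get_include_path();' 2>/dev/null)

    if [ -n "$php_dir" ] && path_contains "$php_dir" "$inc"; then
        echo "ok:   PEAR php_dir $php_dir is in include_path ($inc)"
    else
        echo "FAIL: PEAR php_dir '$php_dir' is not in include_path '$inc'"; rc=1
    fi

    for mod in pgsql gd; do
        if has_php_module "$mod"; then
            echo "ok:   php module $mod loaded"
        else
            echo "FAIL: php module $mod not loaded (check php.ini)"; rc=1
        fi
    done

    for pkg in Image_Graph Image_Canvas Image_Color Mail Mail_mime; do
        if has_pear_package "$pkg"; then
            echo "ok:   PEAR package $pkg installed"
        else
            echo "FAIL: PEAR package $pkg missing"; rc=1
        fi
    done
    return $rc
}
```

Source the file and run `check_base_prereqs` on the web server as the same user Apache runs PHP under; a FAIL on the include_path line is the condition the BASE message describes, and the fix is to add the PEAR directory to include_path in /etc/php5/apache2/php.ini and restart Apache.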

I had to comment out a line in /var/www/base/includes/base_action.inc.php because I was getting the error "Warning: include_once(Mail.php) [function.include-once]: failed to open stream: No such file or directory in /var/www/base/includes/base_action.inc.php". The fix for me was to go to the line number it references and comment out:

"include_once("Mail/mime.php"); //r.rioux added for PEAR::Mail attachments"

You should now be able to navigate to http://yourserver/base

Complete the install steps, which are self-explanatory with the exception of choosing the ADOdb location; when asked for the location on that step use /usr/share/php/adodb/.

After completing the above, you will be given a conf file that you can copy and paste into /var/www/base/base_conf.php

That should do it, you should now have a "Base" install of base.

If the graphs won't load and you still get an error, try:

sudo pear install Image_Canvas-alpha Image_Color Image_Graph-alpha