White paper: Network IDS and IPS Deployment Strategies, by Nicholas Pappas
Snort Installation
Before creating the Snort database, build and install Snort from ports with the mysql flavor, so the build includes the MySQL output plugin:
cd /usr/ports/net/snort
export FLAVOR=mysql
make install
NOTE: At the end of the build, the port prints how to invoke Snort properly:
--start of snip--
snort-2.6.0.2p1-mysql: complete
--- snort-2.6.0.2p1-mysql -------------------
An up-to-date set of rules is needed for Snort to be useful as an IDS.
These can be downloaded manually or net/oinkmaster can be used to
download the latest rules from several different sources.
It is recommended that snort be run as an unprivileged chrooted user.
A _snort user/group and a log directory have been created for this
purpose. You should start snort with the following options to take
advantage of this:
-c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l /var/snort/log
--end of snip--
The port should now have added an OS-level user and group named "_snort". To check this, run:
tail -n 1 /etc/passwd
_snort:*:557:557:Snort Account:/nonexistent:/sbin/nologin
Nicholas Pappas
44
© SANS Institute 2008, Author retains full rights.
Network IDS & IPS Deployment Strategies
Now build the Snort database and load the schema that ships with the port:
cd /usr/ports/net/snort/w-snort-2.6.0.2p1-mysql/snort-2.6.0.2/schemas
mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.0.33-log OpenBSD port: mysql-server-5.0.33
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> CREATE DATABASE snort;
Query OK, 1 row affected (0.05 sec)
mysql> connect snort
Connection id: 4
Current database: snort
mysql> show tables;
Empty set (0.02 sec)
mysql> source create_mysql;
--output snipped for brevity--
mysql> show tables;
+------------------+
| Tables_in_snort |
+------------------+
| data |
| detail |
| encoding |
| event |
| icmphdr |
| iphdr |
| opt |
| reference |
| reference_system |
| schema |
| sensor |
| sig_class |
| sig_reference |
| signature |
| tcphdr |
| udphdr |
+------------------+
16 rows in set (0.00 sec)
mysql> GRANT INSERT, SELECT, CREATE, UPDATE, DELETE ON snort.*
    -> TO snort@localhost IDENTIFIED BY 'secret-password';
mysql> quit;
At this point we have a snort database and a MySQL user named "snort" that Snort will use to write events into it. The paper next sets the binary setuid root and hands it to the _snort group:
chmod 4755 /usr/local/bin/snort
chgrp _snort /usr/local/bin/snort
Note what mode 4755 actually does: it sets the setuid bit, so any local user who runs /usr/local/bin/snort gets root privileges, and it does nothing by itself to start Snort at boot. If you would rather not have a setuid binary, leave the mode as installed and start Snort as root from your boot scripts with the -u _snort -g _snort -t /var/snort options the port message recommends, so it drops privileges and chroots after opening the capture interface. Although we are not quite done with the Snort setup yet, let's move on.
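The following is an added example, not code from the paper: a POSIX sh script that turns the checks this section implies into something you can run after the install. It verifies that the _snort account is locked and has no login shell, that the create_mysql script left all 16 tables behind, and whether the snort binary ended up setuid. It assumes the names the page uses (the _snort account, /usr/local/bin/snort, the "snort" database and its table list); the mysql command line in "live" mode (with -N to suppress column headers) is an assumption about the client invocation and is not shown in the paper. Each check reads stdin or an argument so it can be exercised offline on constructed input.

```sh
#!/bin/sh
# Added example, not code from the paper: post-install sanity checks for
# the steps in this section. Assumed from the page: the _snort account and
# /usr/local/bin/snort from the port message, the "snort" database and the
# 16 tables listed by "show tables". Each check reads stdin or an argument,
# so it runs offline on constructed input; real inputs are noted per check.

# Check 1: the _snort account exists, its password field is locked ("*")
# and its shell is /sbin/nologin, as the port created it.
# Real input: check_snort_user < /etc/passwd
# Exit status: 0 ok, 1 account exists but could log in, 2 account missing.
check_snort_user() {
    awk -F: '
        $1 == "_snort" {
            found = 1
            if ($2 != "*" || $7 != "/sbin/nologin") bad = 1
        }
        END {
            if (!found) exit 2
            if (bad) exit 1
            exit 0
        }'
}

# Tables the create_mysql script is expected to leave behind (from the
# "show tables" output above).
SNORT_TABLES="data detail encoding event icmphdr iphdr opt reference reference_system schema sensor sig_class sig_reference signature tcphdr udphdr"

# Check 2: every expected table exists. Accepts the bordered "show tables"
# output as well as one name per line.
# Real input (assumed client flags): mysql -N -u snort -p -e 'show tables' snort | check_schema_tables
# Prints each missing table; exit 1 if any are missing.
check_schema_tables() {
    awk -v want="$SNORT_TABLES" '
        {
            gsub(/[| ]/, "")            # strip table borders and padding
            if ($0 != "") have[$0] = 1
        }
        END {
            n = split(want, w, " ")
            missing = 0
            for (i = 1; i <= n; i++)
                if (!(w[i] in have)) { print w[i]; missing = 1 }
            exit missing
        }'
}

# Check 3: whether a binary carries the setuid bit (the effect of the
# chmod 4755 above). Takes the 10-character mode string from ls -l;
# the owner-execute position shows "s" (or "S") when setuid is set.
# Real input: is_setuid "$(ls -l /usr/local/bin/snort | cut -c1-10)"
is_setuid() {
    case $1 in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Run all checks against the live system when invoked as: sh snort-check.sh live
if [ "${1:-}" = "live" ]; then
    check_snort_user < /etc/passwd || echo "warning: _snort account missing or loginable"
    mysql -N -u snort -p -e 'show tables' snort | check_schema_tables \
        || echo "warning: schema incomplete (missing tables listed above)"
    if is_setuid "$(ls -l /usr/local/bin/snort | cut -c1-10)"; then
        echo "warning: /usr/local/bin/snort is setuid; prefer -u _snort -g _snort -t /var/snort"
    fi
fi
```

The mode check deliberately parses the symbolic ls -l string rather than an octal stat format, because the stat format specifiers differ between OpenBSD and GNU userland while the ls -l column is the same on both.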