Saturday, January 2, 2010



1. Setup MySQL DB environment
•create database snort;
•grant insert,select on root.* to snort@localhost;
•set password for snort@localhost=password('abc123');
•grant create,insert,select,delete,update on snort.* to snort@localhost;
•grant create,insert,select,delete,update on snort.* to snort;

2. Import MySQL DB schema
•mysql -u root -p < /home/linuxcbt/temp/Snort/snort- /schemas/create_mysqlsnort

3. Setup Snort NIDS /etc/snort environment
•mkdir /etc/snort && cp -v /home/linuxcbt/temp/Snort/snort- /etc/* /etc/snort

Note: Snort's primary configuration file for NIDS mode: /etc/snort/snort.conf

4. Download the latest Snort rules file and extract to: /etc/snort/rules

Note: Snort rules are available as follows:

1. Registered users: with delay

2. Subscriber: no delay - NOT FREE

3. Unregistered users: release version (very old) of rules

4. Various third-party sites: i.e. Bleeding Snort, etc.
•cd /etc/snort && tar -xzvf snortrules*

5. Configure: /etc/snort/snort.conf to use MySQL and rules
•MySQL - output
•Rules - path to the rules

6. Start Snort in NIDS mode
•snort -i eth0 -c /etc/snort/snort.conf -D

7. Setup BASE web analysis application
•tar -xzvf adodb480.tgz

Note: adodb480.tgz - provides DB-connectivity for BASE to MySQL
• Download BASE from
• Configure: base_conf.php file
• $BASE_urlpath = '/base';
• $Dblib_path = "/var/www/html/adodb";
• $Dbtype = 'mysql';
• alert_dbname = 'snort';
• alert_host = 'localhost';
• alert_password = 'abc123';

Note:•Ensure that your Apache instance has PHP support
•Ensure that 'php-mysql*' package is installed

8. Connect to BASE via web browser

Note: Consider protecting '/base' application using HTDIGEST or basic auth

No comments:

Post a Comment