OpenBSD is a great system to turn into a one-box IDS solution.
** Please note: there are several ways of installing these packages: compiling them from source code, compiling and installing from ports, or simply using packages. Use the method you prefer.
The first step is to have all the pre-reqs taken care of.
The following software is required:
1. OpenBSD (os)
2. MySQL server
3. Apache
4. Php5 or 4 ( I am going to go with php5 in this blog)
5. Php5 modules
6. PEAR
7. PEAR modules
8. Snort and snort rules.
9. Adodb
10. BASE
As you can see, it takes quite a few installs to turn that OpenBSD box into a full-fledged IDS system with a nice graphical interface for viewing alerts.
I won't dive into how to install the OS (OpenBSD of course). I am going with the OpenBSD 4.2 install. Please go over my OpenBSD tips and tricks from my other blog to do the pre-reqs.
Now to our first step. Perform the following as root.
Install the MySQL server:
shell#> pkg_add -v mysql-server-5.0.45.tgz
** This should install all the dependencies related to the MySQL server.
After the install, initialize the default MySQL database:
shell#> /usr/local/bin/mysql_install_db
Start MySQL for the first time and set the root password:
shell#> /usr/local/bin/mysqld_safe &
shell#> /usr/local/bin/mysqladmin -u root password 'my-password'
** Install any additional dependencies if pkg_add reports them as missing.
Now let's set up MySQL to start automatically after a reboot.
To start MySQL at boot, edit /etc/rc.conf.local:
shell#> vi /etc/rc.conf.local
- add the following line:
mysql=YES
Save and quit.
- Now edit /etc/rc.local:
shell#> vi /etc/rc.local
** After the 'starting local daemons' line and before the following echo '.', insert the following into /etc/rc.local:
if [ X"${mysql}" = X"YES" -a -x /usr/local/bin/mysqld_safe ]; then
        echo -n " mysqld"; /usr/local/bin/mysqld_safe --user=_mysql --log --open-files-limit=256 &
        for i in 1 2 3 4 5 6; do
                if [ -S /var/run/mysql/mysql.sock ]; then
                        break
                else
                        sleep 1
                        echo -n "."
                fi
        done
        #
        # Apache chroot settings: make the MySQL socket reachable inside /var/www
        mkdir -p /var/www/var/run/mysql
        sleep 2
        ln -f /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock
fi
So why the line
"ln -f /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock" ?
This line is there so that Apache, which OpenBSD runs inside a chroot jail under /var/www, can reach the MySQL socket from within the jail. It has to be a hard link: a symlink pointing outside the jail cannot be followed by the chrooted httpd.
*** Also note the mkdir -p line: the /var/www/var/run/mysql directory must exist before the link is created, or the ln will fail.
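The two chroot-related steps from the rc.local snippet above (wait for the socket, then hard-link it into the jail), factored into reusable shell functions with a bounded wait. This is an added example, not code from the original post; the /var/run/mysql/mysql.sock and /var/www paths in the usage comment are the OpenBSD defaults the post uses, and the functions take their paths as parameters so they can be tried on a scratch directory.

```sh
#!/bin/sh
# Added example (not from the original post): expose a Unix socket inside a
# chroot jail the way rc.local does for the MySQL socket and Apache's /var/www.

# Wait up to $2 seconds for the Unix socket $1 to appear. Returns 1 on timeout,
# so a caller can refuse to continue instead of linking a socket that never came up.
wait_for_socket() {   # wait_for_socket SOCKET_PATH SECONDS
    i=0
    while [ "$i" -lt "$2" ]; do
        [ -S "$1" ] && return 0
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# Make $1 visible inside the chroot $2 at the same relative path, i.e. CHROOT + PATH.
# A hard link (ln -f, not ln -s) is used because a symlink's target is resolved
# relative to the jail; both paths therefore have to live on the same filesystem
# (/var/run and /var/www are both under /var on a default install).
link_into_chroot() {  # link_into_chroot SOCKET_PATH CHROOT_DIR
    dest="$2$1"
    mkdir -p "$(dirname "$dest")" || return 1
    ln -f "$1" "$dest"
}

# rc.local-style usage with the paths from the post (assumed defaults):
#   wait_for_socket /var/run/mysql/mysql.sock 6 \
#       && link_into_chroot /var/run/mysql/mysql.sock /var/www
```

Because wait_for_socket returns a status, the link step is skipped when mysqld did not come up within the timeout, which is easier to spot in the boot output than a dangling link inside the jail.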
Make Apache start up automatically
Make sure Apache starts up on boot. To do this, edit /etc/rc.conf:
shell#> vi /etc/rc.conf
and change
httpd_flags=NO to httpd_flags=""
Save and quit.
Install SNORT
To install snort, I have always found that it's better to install from PORTS instead of the pre-compiled package, so let's install it from ports here:
cd /usr/ports/net/snort
env FLAVOR="mysql flexresp" make install
** Note: use the flavor option flexresp if you would like to turn this box into an IPS instead of an IDS; otherwise omit "flexresp" from the env line.
This will install snort and also create the _snort user and group.
The next step is to get the latest VRT certified snort rules from http://www.snort.org: register with the site and download them.
Extract the rules in the /etc/snort directory:
You should now see a rules directory containing the snort rules.
Create a /var/log/snort directory: <--- this is where snort will log its findings by default.
shell#> mkdir /var/log/snort
** If you would rather run snort chrooted, the invocation looks like this (-t is the chroot directory): snort -c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l /var/snort/log
We will start Snort a lot like we started MySQL:
shell#> echo "snort=YES" >> /etc/rc.conf.local
shell#> vi /etc/rc.local
Add this to the bottom of your rc.local:
if [ X"${snort}" = X"YES" -a -x /usr/local/bin/snort ]; then
        echo -n " snort"; /usr/local/bin/snort -D -d -c /etc/snort/snort.conf -u _snort -g _snort
fi
We will do the configuration of snort later; let's just get the pre-reqs done first.
So now on to the PHP installation.
PHP5 installation
Installing php5: install the php core first:
pkg_add -v php5-core-5.2.3.tgz
Copy the php.ini-recommended file to php.ini:
cp /usr/local/share/examples/php5/php.ini-recommended /var/www/conf/php.ini
Then install the modules that you need. ** Note: you may not need all the modules that I am listing here, but I use them, hence. :)
pkg_add -v php5-gd-5.2.3.tgz
Enable the module by typing:
/usr/local/sbin/phpxs -a gd
pkg_add -v php5-mysql-5.2.3.tgz
Enable the module by typing:
/usr/local/sbin/phpxs -a mysql
pkg_add -v php5-odbc-5.2.3.tgz
Enable the module by typing:
/usr/local/sbin/phpxs -a odbc
At this point the PHP part of the installation is complete.
Now on to configuring some of the programs that we just installed.
++++++++++++++++++
Configuring APACHE for PHP5.
By default libphp5.so should be in the /usr/local/lib/php/ directory; you can double check where it is located with:
find / -name "libphp5.so"
- Now enable PHP in Apache:
vi /var/www/conf/httpd.conf
add, under the module section:
LoadModule php5_module /usr/local/lib/php/libphp5.so
add the application types:
AddType application/x-httpd-php .php .php4 .php3 .htm .html
AddType application/x-httpd-php-source .phps
- Now edit the DirectoryIndex line in httpd.conf:
DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3
- Stop and start Apache:
apachectl stop
apachectl start
- Now let's test whether PHP is working or not.
vi /var/www/htdocs/phpinfo.php
Type:
<?php phpinfo(); ?>
:wq! <---- write and quit (save & quit vi)
Try accessing the phpinfo test page and make sure it shows up.
** Make sure that Apache has already been started. Type
httpd
or
apachectl start
to make sure.
SNORT Database
Creating the SNORT database (MySQL database names are case-sensitive on OpenBSD's filesystem, so use the same name here, in the grant below and in snort.conf):
mysqladmin -u root -p create snort
Ports installs the schema script for the SNORT database; find where the script is:
find / -name "create_mysql"
If you followed the above instructions for installing snort, it should be in the ports directory:
/usr/ports/net/snort/w-snort-2.6.0.2p1-mysql-flexresp-prelude/snort-2.6.0.2/schemas/create_mysql
So now we create the tables etc. using the create_mysql script:
mysql -u root -p snort < /usr/ports/net/snort/w-snort-2.6.0.2p1-mysql-flexresp-prelude/snort-2.6.0.2/schemas/create_mysql
You can verify that the tables were created with:
mysql -u root -p snort
mysql> show tables;
Now add the snort user and set the permissions:
mysql -u root -p
mysql> use mysql;
mysql> grant all privileges on snort.* to snort@"localhost" identified by 'passwrd';
mysql> flush privileges;
Now let's move on to configuring snort to log to the database.
SNORT: Logging to the database
To configure snort to log to the database, edit the snort.conf file located in /etc/snort/:
vi /etc/snort/snort.conf
First let's configure the INTERNAL interface:
Set HOME_NET to your INTERNAL NETWORK.
You can leave EXTERNAL_NET as any.
** Again, configure these according to your network.
Logging to the DB:
Uncomment and change the output database lines to the following. Both lines use the snort account and database created above (the password is whatever you gave in the grant statement), so snort never needs the MySQL root account:
output database: log, mysql, user=snort password=password dbname=snort host=localhost
output database: alert, mysql, user=snort password=password dbname=snort host=localhost
- make sure the /var/log/snort directory exists (it was created earlier):
mkdir -p /var/log/snort
To test snort with the DB, type:
/usr/local/bin/snort -c /etc/snort/snort.conf
If you get an error, read it carefully: it may be that you are using rules that are incompatible with your snort version. Always match your rules to the version of snort you are using. Sometimes the easiest fix is just commenting out the line causing the problem, though I would google the error first.
Now we are ready to install and configure BASE.
Installing and configuring BASE
BASE relies on ADODB for snort db connectivity.
++++++++++++++++++++++++++
Get ADODB:
** Make sure you have wget installed on your OpenBSD box to do this, or just browse over to the link to download adodb. Quote the URL, otherwise the shell treats the & as a background operator.
wget "http://downloads.sourceforge.net/adodb/adodb496a.tgz?modtime=1191342715&big_mirror=0"
Place it in the /var/www/htdocs directory and then decompress it:
tar -zxvf adodb496a.tgz
It will create an adodb directory.
++++++++++++++++++++++++++
Install PEAR and its modules
Download and install PEAR and some of the modules that BASE requires for graphing etc.:
pkg_add -v pear-1.5.0p1.tgz
This will install PEAR. Now install the PEAR modules:
/usr/local/php/bin/pear install Image_Color
/usr/local/php/bin/pear install Log
/usr/local/php/bin/pear install Numbers_Roman
/usr/local/php/bin/pear install http://pear.php.net/get/Numbers_Words-0.13.1.tgz
/usr/local/php/bin/pear install http://pear.php.net/get/Image_Graph-0.3.0dev4.tgz
+++++++++++++++++
Installing BASE:
Download and extract BASE:
Get the latest BASE from (again, quote the URL because of the &):
wget "http://downloads.sourceforge.net/secureideas/base-1.3.9.tar.gz?modtime=1195646853&big_mirror=0"
Extract the tar-gzipped file in the /var/www/htdocs directory:
tar -zxvf base-1.3.9.tar.gz
Rename base-1.3.9 to base:
mv base-1.3.9 base
Configuring base:
cd /var/www/htdocs/base
cp base_conf.php.dist base_conf.php
EDIT base_conf.php and set the following (the value to use is shown after the description of each setting):
$DBlib_path = "../adodb";             (Full path to the ADOdb installation)
$DBtype = "mysql";                    (Type of database used)
$BASE_urlpath = "/base";              (The root URI of your site)
$alert_dbname = "snort";              (The alert database name)
$alert_host = "localhost";            (The alert database server)
$alert_port = "";                     (The port where the database is stored; leave blank if you're not running MySQL on a network socket)
$alert_user = "snort";                (The username for the alert database)
$alert_password = "snort_user_password"; (The password for the username)
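The same database name, user and host appear in three places on this page: the MySQL grant, the output database lines in snort.conf, and the $alert_* settings in base_conf.php, and a mismatch in any of them (a different case in the database name, or one line still using root) only shows up later as an empty BASE screen. The script below, an added example that is not part of the original post or of BASE, pulls the values out of snort.conf and base_conf.php and reports any disagreement; the demo function feeds it constructed sample files rather than the real ones.

```sh
#!/bin/sh
# Added example (not from the original post): cross-check the database settings
# Snort writes to against the ones BASE reads from.

# Print the value of KEY (user, dbname or host) from every "output database:"
# line in a snort.conf, one per line.
snort_db_value() {   # snort_db_value SNORT_CONF KEY
    awk -v k="$2" '/^output database:/ {
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n == 2 && kv[1] == k) print kv[2]
        }
    }' "$1"
}

# Print the quoted value of a $VARNAME = '...'; setting from base_conf.php
# (first match only).
base_value() {       # base_value BASE_CONF VARNAME
    awk -v k="$2" -F"['\"]" '$0 ~ "^\\$" k "[ \t]*=" { print $2; exit }' "$1"
}

# Return 0 when every Snort output line agrees with BASE on user, dbname and host;
# otherwise print each mismatch to stderr and return 1.
check_db_config() {  # check_db_config SNORT_CONF BASE_CONF
    rc=0
    for pair in user:alert_user dbname:alert_dbname host:alert_host; do
        key=${pair%%:*}
        var=${pair#*:}
        want=$(base_value "$2" "$var")
        for got in $(snort_db_value "$1" "$key"); do
            if [ "$got" != "$want" ]; then
                echo "mismatch: snort.conf $key=$got but base_conf.php \$$var='$want'" >&2
                rc=1
            fi
        done
    done
    return $rc
}

# Demo on constructed files: the alert line below still uses root and a
# differently-cased database name, which the check flags.
demo() {
    d=$(mktemp -d)
    cat > "$d/snort.conf" <<'EOF'
output database: log, mysql, user=snort password=password dbname=snort host=localhost
output database: alert, mysql, user=root password=password dbname=SNORT host=localhost
EOF
    cat > "$d/base_conf.php" <<'EOF'
<?php
$alert_dbname = 'snort';
$alert_host   = 'localhost';
$alert_user   = 'snort';
EOF
    check_db_config "$d/snort.conf" "$d/base_conf.php" \
        && echo "snort.conf and base_conf.php agree" \
        || echo "fix the settings above before starting snort"
    rm -r "$d"
}

# Run the demo only when invoked as: sh check_db_config.sh --demo
if [ "${1:-}" = "--demo" ]; then demo; fi
```

On the real box, call check_db_config /etc/snort/snort.conf /var/www/htdocs/base/base_conf.php as root after editing either file; a zero exit status means BASE will be looking at the same database Snort is writing to.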
That is all for configuring SNORT with BASE on OpenBSD.
Now we are ready to test out the BASE install:
Fire up a web browser and type in the URL: http://your-snort-base-server/base/
One last thing to do is copy over the signatures directory (this includes the description of every signature as a text file) from /etc/snort/doc:
cp -rf /etc/snort/doc/signatures /var/www/htdocs/base
Some troubleshooting for the snort and BASE install/config
Make sure the user _snort has write permission to the /var/log/snort directory.