Monday, December 24, 2007

OpenBSD 4.2 IDS solution - snort and base

OpenBSD is great system to turn into a one box IDS solution.

** Please note: There are several ways of installing theses packages, compiling them from source code, compiling and installing from ports or simply using packages. Use the method that you would prefer.

First step is to have all the pre-reqs taken care of:

Following software are required:

1. OpenBSD (os)
2. MySQL server
3. Apache
4. Php5 or 4 ( I am going to go with php5 in this blog)
5. Php5 modules
6. PEAR
7. PEAR modules
8. Snort and snort rules.
9. Adodb
10. BASE


As you can see it needs quite a bit of installs to turn that openbsd box into full fledged IDS system that has nice graphical interface to view IDS alerts.

I won't dive into how to install the OS (OpenBSD of course). I am going with the 4.2 OpenBSD install. Please go over my OpenBSD Tips and tricks from my other blog to do the pre-reqs.

Now to our first step: Perform the following as root


Install mysql server:



shell#> pkg_add -v mysql-server-5.0.45.tgz

** This should install all the dependencies related to mysql server.

After the install , initialize the default mysql database.


shell#> /usr/local/bin/mysql_install_db


Start mysql for first time and set root password:

shell#> /usr/local/bin/mysqld_safe &
shell#> /usr/local/bin/mysqladmin -u root password 'my-password'


** If needed install any dependencies : If required.

Now lets setup mysql to start automatically after the reboot:

To start MySQL from boot, edit /etc/rc.conf.local:

shell#> vi /etc/rc.conf.local

- add the following:

mysql=YES

Save and quit.

-Now edit: /etc/rc.local:

shell# vi /etc/rc.local

** After the 'starting local daemons' and before the following echo '.' Insert the following into the /etc/rc.local file:

if [ X"${mysql}" == X"YES" -a -x /usr/local/bin/mysqld_safe ]; then

echo -n " mysqld"; /usr/local/bin/mysqld_safe --user=_mysql --log --open-files-limit=256 &

for i in 1 2 3 4 5 6; do
if [ -S /var/run/mysql/mysql.sock ]; then
break
else
sleep 1
echo -n "."
fi
done
#
# Apache chroot Settings

mkdir -p /var/www/var/run/mysql
sleep 2
ln -f /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock
fi



So why the
"ln -f /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock"??? .
This line is so that apache can access mysql data socket within the chrooted jail.

*** Also, don't forget to create the /var/www/var/run/mysql directory first.

Make apache startup automatically



Make sure apache starts up on boot. To do this, edit /etc/rc.conf :

shell#> vi /etc/rc.conf


edit

httpd_flags=NO to httpd_flags=""

SAVE and QUIT.


Install SNORT



To install snort, I have always found that its better to install from PORTS instead of pre-compiled package.
so lets install it from ports here.

cd /usr/ports/net/snort
env FLAVOR="mysql flexresp" make install

** Note: Use flavor option flexresp if you would like to turn this box into an IPS instead of IDS.
Otherwise you can omit the "flexresp" from the env line.


This will install snort and also create _snort user and group.

Next step is to get the latest snort rules from http://www.snort.org - VRT certified rules.
Register with the site and get the latest VRT certified snort rules.

Extract the rules in the /etc/snort directory:

You should now see rules directory with snort rules.

Create a /var/log/snort directory: <---This is where snort will log its findings by default.
shell#>mkdir /var/log/snort




** snort -c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l /var/snort/log

We will start Snort a lot like we started MySQL:



shell#> echo "snort=YES" >> /etc/rc.conf.local
shell#> vi /etc/rc.local


Add this to the bottom of your rc.local:


if [ X"${snort}" == X"YES" -a -x /usr/local/bin/snort ]; then
echo -n " snort"; /usr/local/bin/snort -D -d -c /etc/snort/snort.conf -u _snort -g _snort
fi



We will do the configuration of snort later lets just get the pre-reqs done first.
So now on to php installation


PHP5.0 installation

Installing php5:

Install the php core first:

pkg_add -v php5-core-5.2.3.tgz

Copy the php.ini-recommended file to php.ini:

cp /usr/local/share/examples/php5/php.ini-recommended /var/www/conf/php.ini

Then install the modules that you need. Note** you may not need all the modules that I am listing here but i use them hence.:)

pkg_add -v php5-gd-5.2.3.tgz

Enable the module by typing: /usr/local/sbin/phpxs -a gd

pkg_add -v php5-mysql-5.2.3.tgz

Enable te module by typing: /usr/local/sbin/phpxs -a mysql

pkg_add -v php5-odbc-5.2.3.tgz

Enable the module by typing : /usr/local/sbin/phpxs -a odbc

At this point PHP part of the installation is complete.

Now on to configuring some of the programs that we just installed.

++++++++++++++++++


Configuring APACHE for PHP5.



By default the liphp5.so should be in: /usr/local/lib/php/ directory , you can double check and see where its located

find / -name "libphp5.so"

- Now enable php in apache:

vi /var/www/conf/httpd.conf

add: under module section

LoadModule php5_module /usr/local/lib/php/libphp5.so

add: application type:

AddType application/x-httpd-php .php .php4 .php3 .htm .html
AddType application/x-httpd-php-source .phps


- Now edit the DirectoryIndex line in httpd.conf:

DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3

- Stop and start apache :

apachectl stop
apachectl start


- Now lets test if php is working or not.

vi /var/www/htdocs/phpinfo.php


Type:


" "

** Remove the quotes , these are just so that you can see its code.

:wq! <---- write and quit (save & quit vi) Try accessing the phpinfo test page and make sure it shows up. ** make sure that apache has already been started. Type httpd to make sure. or apachectl start .


SNORT Database



Creating the SNORT database:

mysqladmin -u root -p create SNORT

Ports installs the schema script for SNORT database, find where the script is:

find / -name "create_mysql"

If you followed the above instructions on installation of snort then it should be in ports directory:

/usr/ports/net/snort/w-snort-2.6.0.2p1-mysql-flexresp-prelude/snort-2.6.0.2/schemas/create_mysql

so now we create tables etc using the create_mysql script:

mysql -u root -p SNORT < /usr/ports/net/snort/w-snort-2.6.0.2p1-mysql-flexresp-prelude/snort-2.6.0.2/schemas/create_mysql

You can verify if the tables were created by:


mysql -u root -p SNORT

mysql> show tables;



Now add the snort user and set the permissions:


mysql -u root -p

mysql> use mysql;
mysql> grant all privileges on snort.* to snort@"localhost" identified by 'passwrd';
mysql> flush privileges;


Now lets move on to configuring snort to log to database


SNORT: Logging to database



Now to configure snort to log to database. To do so, edit the snort.conf file located in /etc/snort/

vi /etc/snort/snort.con

First Lets configure the INTERNAL interface:

Setup HOME_NET to your INTERNAL NETWORK.

You can leave EXTERNAL_NET to any.

** again configure these according to your network.

logging to DB:

Uncomment and change the output database lines to:

output database: log, mysql, user=snort password=password dbname=snort host=localhost
output database: alert, mysql, user=root password=password dbname=snort host=localhost


- create a directory called /var/log/snort

mkdir /var/log/snort


To test snort with db type:

/usr/local/bin/snort -c /etc/snort/snort.conf

if you get any error , please look at the error carefully it maybe that you are using rules that are incompatible with the snort version. Always match your rules to the version of snort you are using. Sometime the easiest fix could be just commenting the line causing the badness. I would google for the error first though.

Now we are ready to install and configure BASE.


Installing and configuring BASE



BASE relies on ADODB for snort db connectivity.
++++++++++++++++++++++++++

Get ADODB:
** make sure you have wget installed on your openbsd to do this or just browse over to the link to download adodb.

wget http://downloads.sourceforge.net/adodb/adodb496a.tgz?modtime=1191342715&big_mirror=0

Place it in the /var/www/htdocs directory and then decompress it:

tar -zxvf adodb496a.tgz

It will create a adodb directory.

++++++++++++++++++++++++++


Install PEAR and its modules



Download & install PEAR and some of the modules that are required by base to Graph etc.:

pkg_add -v pear-1.5.0p1.tgz

This will install PEAR. Now to install the PEAR modules.

/usr/local/php/bin/pear install Image_Color
/usr/local/php/bin/pear install Log
/usr/local/php/bin/pear install Numbers_Roman
/usr/local/php/bin/pear install http://pear.php.net/get/Numbers_Words-0.13.1.tgz
/usr/local/php/bin/pear install http://pear.php.net/get/Image_Graph-0.3.0dev4.tgz


+++++++++++++++++


Installing BASE:



Download and extract BASE:

get the latest BASE from:

wget http://downloads.sourceforge.net/secureideas/base-1.3.9.tar.gz?modtime=1195646853&big_mirror=0

extract the tar-gzipped file in /var/www/htdocs directory

tar -zxvf base-1.3.9.tar.gz

Rename base-1.3.9 to base

mv base-1.3.9 base


Configuring base:




cd /var/www/htdocs/base
cp base_conf.php.dist base_conf.php


EDIT the base_conf.php to change the following:


$DBlib_path
Full path to the ADOdb installation
"../adodb"
$DBtype
Type of database used
"mysql"
$BASE_urlpath
The root URI of your site
"/base"
$alert_dbname
The alert database name
"snort"
$alert_host
The alert database server
"localhost"
$alert_port
The port where the database is stored
(Leave blank if you're not running MySQL on a network socket.)
""
$alert_user
The username for the alert database
"snort"
$alert_password
The password for the username
"snort_user_password"



That is all for configuring SNORT with BASE on openbsd.

Now we are ready to test out base install:

Fire up web browser and type in the url : http://your-snort-base-server/base/

One last thing to do is copy over the signatures directory (this includes description of all the signatures in text file) from /etc/snort/doc

cp -rf /etc/snort/doc/signatures /var/www/htdocs/base


Some troubleshooting snort and base install/config



Make sure user _snort has write permissions to the /var/log/snort directory.

14 comments:

Lyle said...

I am trying to follow this How-To but I get to a part of the documentation where I dont understand what you mean.

/usr/local/php/bin/pear install Image_Color
/usr/local/php/bin/pear install Log
/usr/local/php/bin/pear install Numbers_Roman
/usr/local/php/bin/pear install http://pear.php.net/get/Numbers_Words-0.13.1.tgz
/usr/local/php/bin/pear install http://pear.php.net/get/Image_Graph-0.3.0dev4.tgz

What are the refernces to the web pages for? Are we supposed to download something get something from those sites?

Rick said...

The text was wrapped, so the web pages you see are supposed to be on the same line as the command above them, if I am not mistaken.

TUO said...

thanks :)
it took me about 10 shots to get it all to work for me
still learning my away around the BSD OS

i used for the pear part of the insall
just

pear install Image_Color
pear install Log
pear install Numbers_Roman
pear install http://pear.php.net/get/Numbers_Words-0.13.1.tgz
pear install http://pear.php.net/get/Image_Graph-0.3.0dev4.tgz


and it work, because i try how you said and it was giving me an error

btw the path for the pear file is at
/usr/local/bin/
i found

mcoy said...

Hi,
1) installation snort from ports isn't the best solution for security reason (old, unsupported version)
2) installation with flexresp has no sens on "IDS"
3) use barnyard to send logs from snort to database for beter performance

Parvinder Bhasin said...

mccoy, thanks for pointing those things out.

When I was writing this, my install was more in terms of "IPS" , I am glad you pointed that out.

Yes!! another way of snort install would be through source code.
BTW: The ports maintainers DO keep track of patches and recent updates and try to incorporate that in their ports packages. And even if you install from Source code, there maybe a new patch that gets released and you may not be aware of ...bringing your source code install and ports install about the same level. :)
But still thanks for pointing that out too, I will mention that on top of the blog.

Cheers!

sameer said...

great tutorial, but i'm stuck on one part:

"Once extracted use the supplied sql script to create the BASE database:

mysql -u root -p "

can you elaborate on this step? this script you mention, where is it? what's it called? how do i run it? where do i run it?

you walked us this far, how about including a few extra steps to make it complete? :P

Parvinder Bhasin said...

Sameer,

Thanks for the comments. I apologise for not fine editing this tutorial. There is no base database step. Just follow on to the next step.

Let me know if you still have issues.

-Parvinder Bhasin

sameer said...

now you tell me. :)

i really didn't know what i was doing, but i found a script that entered some tables into the mysql database. i poked around the help and found a way to insert these tables into the database. i think the command was "source" or something along those lines when logged into mysql. i really hope that didn't break anything.

everything else works flawlessly. it's really good to come across a howto that focuses your platform exactly, and one that's CURRENT! so thanks again for putting this together.

there is one issue that i've come across. i don't know how to fix it, and google hasn't revealed anything too helpful.

so, the BASE interface works perfectly. all the links work, except for one - the administration link.

when i click that link, i get the following:

--------
Error loading the DB Abstraction library: from "../adodb505/adodb.inc.php"

Check the DB abstraction library variable $DBlib_path in base_conf.php
--------------

again, it's ONLY when i click the administration link.

the path obviously points to the right place, or nothing else would work. in addition, another interesting thing, i can't use the full path. if i use the full path, and yes, i make sure i omit the trailing '/' i get this message for everything.

is it a bug? is it something, that needs to be configured inside adodb.inc.php, or somewhere else in base_conf.php, or both?

any and all help, as always, will be greatly appreciated.

mcoy said...

Hi,
update for 4.3 :)
/usr/local/sbin/phpxs doesn't exist
You have manualy move /var/www/conf/php5.sample to /var/www/conf php5.
In new version of BASE (1.4.1) another two pear modules are required: pear-Mail and pear-Mail-Mime
errata:
-php5-gd-5.2.3.tgz
+php5-gd-5.2.3-no_x11.tgz

miguelito said...

instead of using the '../adodb' as you mentioned, i found using '/htdocs/adodb' seems to work.

list.mail said...

If you have Mysql connectivity problems, try
ln -f /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock

pbsl said...

thanks for sharing this site. you can download lots of ebook from here

http://feboook.blogspot.com

Carlos said...

sameer, that's a bad configuration problem to fix it you should try this:


$DBlib_path = '/htdocs/adodb5/';

replace de version number if you got an older or newer one.


Regards,

Carlos Cerda

Alan said...

Hi.

Great guide. But the version of Snort in the ports tree is still 2.8.4.1. Same with the pkg. This is so old that Snort website doesn't publish rules for it. How do I upgrade?