Monday, December 24, 2007

OpenBSD 4.2 IDS solution - snort and base

OpenBSD is a great system to turn into a one-box IDS solution.

** Please note: there are several ways of installing these packages: compiling them from source code, compiling and installing from ports, or simply using packages. Use the method you prefer.

First step is to have all the pre-reqs taken care of:

The following software is required:

1. OpenBSD (the OS)
2. MySQL server
3. Apache
4. PHP 5 or 4 (I am going with PHP 5 in this post)
5. PHP 5 modules
6. PEAR
7. PEAR modules
8. Snort and Snort rules
9. ADOdb
10. BASE


As you can see, it takes quite a few installs to turn that OpenBSD box into a full-fledged IDS with a nice graphical interface for viewing the alerts.

I won't dive into how to install the OS (OpenBSD, of course); I am going with a 4.2 install. Please go over my OpenBSD post-install tips and tricks (the December 17 entry further down) to get the pre-reqs such as the ports tree and PKG_PATH in place.

Now to our first step. Perform the following as root:


Install mysql server:



shell#> pkg_add -v mysql-server-5.0.45.tgz

** This should install all the dependencies related to mysql server.

After the install, initialize the default MySQL database:


shell#> /usr/local/bin/mysql_install_db


Start MySQL for the first time and set the root password:

shell#> /usr/local/bin/mysqld_safe &
shell#> /usr/local/bin/mysqladmin -u root password 'my-password'

** The password given on the command line is briefly visible in ps output and may land in your shell history, so do this from a root shell on the console. mysql_install_db also creates anonymous accounts and a 'test' database that a one-box IDS has no use for; drop them from the mysql client before anything else talks to the database.

** Install any dependencies pkg_add complains about, if required.

Now let's set up MySQL to start automatically after a reboot.

To start MySQL at boot, edit /etc/rc.conf.local:

shell#> vi /etc/rc.conf.local

- add the following:

mysql=YES

Save and quit.

-Now edit: /etc/rc.local:

shell# vi /etc/rc.local

** After the 'starting local daemons' line and before the closing echo '.', insert the following into /etc/rc.local:

if [ X"${mysql}" = X"YES" -a -x /usr/local/bin/mysqld_safe ]; then
        echo -n " mysqld"; /usr/local/bin/mysqld_safe --user=_mysql --log --open-files-limit=256 &
        # wait up to six seconds for mysqld to create its socket
        for i in 1 2 3 4 5 6; do
                if [ -S /var/run/mysql/mysql.sock ]; then
                        break
                else
                        sleep 1
                        echo -n "."
                fi
        done
        #
        # Apache chroot settings: make the socket visible inside /var/www
        mkdir -p /var/www/var/run/mysql
        sleep 2
        ln -f /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock
fi



So why the
"ln -f /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock"?
On OpenBSD, Apache runs chrooted in /var/www, so when PHP connects to host=localhost it looks for the MySQL socket at /var/run/mysql/mysql.sock relative to the chroot, i.e. /var/www/var/run/mysql/mysql.sock. The hard link makes the real socket visible there. A symlink would not do, because its target would be resolved inside the chroot, where /var/run/mysql does not exist. And because mysqld unlinks and recreates its socket every time it starts (a new file, so an older link goes stale), the ln -f has to run after every mysqld start, which is why it sits in rc.local after the wait loop instead of being done once at install time.

*** The mkdir -p in the snippet creates /var/www/var/run/mysql for you; if you ever run the ln -f by hand, create that directory first.
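A small check for that socket link, added here as an example and not part of the original post. It verifies that the copy of the MySQL socket inside the Apache chroot is a hard link to the live socket (same inode) and re-creates it when it has gone stale, which is the state you are left in after restarting mysqld by hand without re-running the ln -f. Both paths are parameters; the OpenBSD 4.2 paths in the usage comment are the ones this post uses, and the inode is read with ls -i so the script runs under either BSD or GNU userland.

```shell
#!/bin/sh
# check_chroot_sock.sh: added example, not from the original post.
# Verify that the MySQL socket visible inside the Apache chroot is a hard
# link to the live socket, and relink it when it is stale.
#
# Usage with the OpenBSD paths from the post (assumed defaults):
#   sh check_chroot_sock.sh /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock

# Inode number of a path (ls -i works for sockets too and is portable).
inode_of() {
    ls -di "$1" 2>/dev/null | awk '{ print $1 }'
}

# 0 when $2 is a hard link of $1 (same inode), 1 when either is missing or
# they are different objects.  mysqld unlinks and recreates its socket on
# every start, so a link made earlier points at a dead inode afterwards.
same_object() {
    [ -e "$1" ] && [ -e "$2" ] || return 1
    [ "$(inode_of "$1")" = "$(inode_of "$2")" ]
}

# Relink when needed.  Same ln -f the post uses in rc.local; safe to run
# from cron or after a manual mysqld restart.
refresh_link() {
    real=$1 copy=$2
    if same_object "$real" "$copy"; then
        echo "ok: $copy is the live socket"
        return 0
    fi
    if [ ! -e "$real" ]; then
        echo "missing: $real (is mysqld running?)" >&2
        return 1
    fi
    mkdir -p "$(dirname "$copy")" || return 1
    ln -f "$real" "$copy" || return 1
    echo "relinked: $copy -> $real"
}

# Only act when invoked directly with both paths.
if [ $# -eq 2 ]; then
    refresh_link "$1" "$2"
fi
```

Run it after any manual mysqld restart, or from root's crontab, and BASE stops failing with a "can't connect to local MySQL server" style error that is really just a dead link inside the chroot.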

Make Apache start automatically

Make sure Apache starts on boot. Do this in /etc/rc.conf.local rather than /etc/rc.conf (rc.conf is replaced on upgrades; rc.conf.local overrides it and survives):

shell#> vi /etc/rc.conf.local

add the line

httpd_flags=""

which overrides the default httpd_flags=NO from /etc/rc.conf. Leave the flags empty: OpenBSD's httpd chroots itself into /var/www by default, and adding -u would switch that protection off.

SAVE and QUIT.


Install SNORT



To install Snort, I have always found it better to build from ports than to use the pre-compiled package, so let's install it from ports here. The mysql flavor is what gives Snort its database output plugin, which BASE depends on.

cd /usr/ports/net/snort
env FLAVOR="mysql flexresp" make install

** Note: the flexresp flavor adds Snort's "flexible response" feature, which lets a rule answer a match by sending TCP resets or ICMP unreachables to the endpoints. That is active response from a passive sniffer, not inline blocking, so it does not make the box a true IPS, and it cuts both ways: a forged packet that matches a resp rule makes your sensor reset someone else's legitimate session. Omit "flexresp" from the env line if you only want a detection box.


This will install snort and also create _snort user and group.

Next step is to get the latest Snort rules from http://www.snort.org - the VRT certified rules.
Register with the site and download the VRT certified ruleset that matches your Snort version (2.6.x rules for the 2.6.0.2 port); rules written for a newer Snort use options the older parser rejects.

Extract the rules in the /etc/snort directory.

You should now see a rules directory with the Snort rules in it.

Create a /var/log/snort directory (this is where Snort logs its findings by default) and make it owned by the _snort user, since that is the user Snort drops to after start-up:
shell#>mkdir /var/log/snort

** An alternative invocation, which chroots Snort after start-up with -t:

snort -c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l /var/snort/log

With -t the log directory given to -l has to live under the chroot directory (here /var/snort/log), and if you also log to MySQL over the Unix socket, that socket has to be reachable from inside the chroot as well (the same hard-link trick used for Apache above), or you point snort.conf at host=127.0.0.1 so the connection goes over TCP, provided mysqld listens on it.

We will start Snort a lot like we started MySQL:



shell#> echo "snort=YES" >> /etc/rc.conf.local
shell#> vi /etc/rc.local


Add this to the bottom of your rc.local (add -i <interface> to the snort line if the interface to sniff is not the one Snort picks by default):

if [ X"${snort}" = X"YES" -a -x /usr/local/bin/snort ]; then
        # -D run as a daemon, -d also log application-layer data,
        # -u/-g drop root for the _snort user and group after initialization
        echo -n " snort"; /usr/local/bin/snort -D -d -c /etc/snort/snort.conf -u _snort -g _snort
fi



We will do the configuration of Snort later; let's just get the pre-reqs done first.
So now on to the PHP installation.


PHP 5 installation

Installing php5:

Install the php core first:

pkg_add -v php5-core-5.2.3.tgz

Copy the php.ini-recommended file to php.ini:

cp /usr/local/share/examples/php5/php.ini-recommended /var/www/conf/php.ini

Then install the modules that you need. Note** you may not need all the modules I am listing here, but I use them, hence. :) BASE itself only needs gd (for the graphs) and mysql; odbc is optional.

pkg_add -v php5-gd-5.2.3.tgz

Enable the module by typing: /usr/local/sbin/phpxs -a gd

pkg_add -v php5-mysql-5.2.3.tgz

Enable the module by typing: /usr/local/sbin/phpxs -a mysql

pkg_add -v php5-odbc-5.2.3.tgz

Enable the module by typing: /usr/local/sbin/phpxs -a odbc

At this point the PHP part of the installation is complete.

Now on to configuring some of the programs that we just installed.

++++++++++++++++++


Configuring APACHE for PHP5.



By default libphp5.so should be in the /usr/local/lib/php/ directory; you can double check where it is located with

find / -name "libphp5.so"

- Now enable PHP in Apache:

vi /var/www/conf/httpd.conf

add, in the module section:

LoadModule php5_module /usr/local/lib/php/libphp5.so

add the application type:

AddType application/x-httpd-php .php

** Only map the extensions you actually serve as PHP. Mapping .htm and .html as well means any HTML file that ends up under htdocs (an upload, a stray copy) is executed as code, and an application/x-httpd-php-source handler for .phps serves script source, which would include the database password if a copy of base_conf.php ever got that extension. BASE and ADOdb only use .php, so neither is needed here.

- Now edit the DirectoryIndex line in httpd.conf:

DirectoryIndex index.html index.htm index.php

- Stop and start apache :

apachectl stop
apachectl start


- Now let's test whether PHP is working:

vi /var/www/htdocs/phpinfo.php

Type the standard one-line test page:

<?php phpinfo(); ?>

:wq! <---- write and quit (save & quit vi)

Now browse to http://your-server/phpinfo.php and make sure the PHP information page shows up. ** Make sure Apache has already been started (check with ps ax | grep httpd, or run apachectl start). Delete phpinfo.php as soon as the test passes: it publishes your PHP version, loaded modules, paths and configuration to anyone who can reach the box, which is exactly what an attacker wants to read first.


SNORT Database



Creating the Snort database. Use the lowercase name "snort" throughout: MySQL database names are case sensitive on OpenBSD (they map to directories on disk), so a database created as SNORT would not be found by the dbname=snort entries in snort.conf and base_conf.php below.

mysqladmin -u root -p create snort

Ports installs the schema script for the Snort database; find where the script is:

find / -name "create_mysql"

If you followed the above instructions on installing Snort, it should be in the ports work directory (the exact w-snort-... directory name depends on the flavors you built with):

/usr/ports/net/snort/w-snort-2.6.0.2p1-mysql-flexresp-prelude/snort-2.6.0.2/schemas/create_mysql

so now we create the tables etc. using the create_mysql script:

mysql -u root -p snort < /usr/ports/net/snort/w-snort-2.6.0.2p1-mysql-flexresp-prelude/snort-2.6.0.2/schemas/create_mysql

You can verify that the tables were created by:

mysql -u root -p snort

mysql> show tables;

Now add the snort user and set the permissions:

mysql -u root -p

mysql> use mysql;
mysql> grant all privileges on snort.* to snort@"localhost" identified by 'passwrd';
mysql> flush privileges;

** Use the same password here that you will put in snort.conf and base_conf.php. "all privileges" is more than the Snort output plugin needs (it only inserts events and reads and updates the sensor, signature and reference tables); if you want to tighten this, grant only select, insert and update to the snort account and give BASE its own account, since BASE additionally needs delete to purge alerts and create (once) to build its own tables.


Now lets move on to configuring snort to log to database


SNORT: Logging to database



Now to configure Snort to log to the database. To do so, edit the snort.conf file located in /etc/snort/:

vi /etc/snort/snort.conf

First let's configure the INTERNAL interface:

Set HOME_NET to your INTERNAL NETWORK.

You can leave EXTERNAL_NET as any.

** Again, configure these according to your network.

Logging to the DB:

Uncomment and change the output database lines to:

output database: log, mysql, user=snort password=password dbname=snort host=localhost
output database: alert, mysql, user=snort password=password dbname=snort host=localhost

Both lines use the restricted snort account created above, with the password you gave it. Do not log as the MySQL root user: Snort has no need for those privileges and the password would sit in a config file. Since the password is in snort.conf in clear text anyway, keep the file owned by root with group _snort and mode 640 so only root and the _snort user can read it.

- If you skipped it earlier, create the /var/log/snort directory (owned by _snort):

mkdir /var/log/snort

To test Snort with the DB, run it in the foreground once (adding -T makes Snort parse the configuration, initialize its output plugins and exit, which is all you want here):

/usr/local/bin/snort -c /etc/snort/snort.conf

If you get any error, read it carefully: it may be that you are using rules that are incompatible with your Snort version. Always match your rules to the version of Snort you are using. Sometimes the easiest fix is just commenting out the line causing the badness, but I would google the error first.
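Two helpers for the database half of this setup (the grants in the SNORT Database section and the output database lines just above), added here as an example and not part of the original post. The first prints least-privilege GRANT statements for a separate Snort writer account and BASE web account instead of "grant all privileges"; the second reads a snort.conf and checks that every active "output database:" line agrees on one value for a key such as dbname or user, which catches the SNORT-versus-snort case mismatch and an alert line still logging as root. Database, user and password names are placeholders passed as arguments; nothing here connects to MySQL, you pipe the SQL into mysql -u root -p yourself.

```shell
#!/bin/sh
# snort_db_check.sh: added example, not from the original post.
#   snort_grants  db snort_user snort_pw base_user base_pw   -> SQL on stdout
#   conf_param    snort.conf key        -> value of key=... per output line
#   param_all     snort.conf key want   -> 0 if every output line has key=want

# Snort's database output plugin only inserts events and reads/updates the
# sensor, signature and reference tables, so SELECT, INSERT and UPDATE are
# enough.  BASE also deletes (alert purging) and, on its setup page, creates
# its own tables; revoke CREATE again once setup is done.
snort_grants() {
    db=$1 snort_user=$2 snort_pw=$3 base_user=$4 base_pw=$5
    cat <<EOF
CREATE DATABASE IF NOT EXISTS $db;
GRANT SELECT, INSERT, UPDATE ON $db.* TO '$snort_user'@'localhost' IDENTIFIED BY '$snort_pw';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON $db.* TO '$base_user'@'localhost' IDENTIFIED BY '$base_pw';
FLUSH PRIVILEGES;
EOF
}

# Print the value of key=... from every uncommented "output database:" line.
conf_param() {
    awk -v key="$2" '/^[ \t]*output[ \t]+database:/ {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1)
                print substr($i, length(key) + 2)
    }' "$1"
}

# 0 when at least one output line exists and all of them have key=want;
# 1 otherwise (no output lines at all also counts as a failure).
param_all() {
    conf_param "$1" "$2" |
        awk -v want="$3" '$0 != want { bad++ } END { exit (NR == 0 || bad) ? 1 : 0 }'
}

# Stand-alone usage against the paths in the post:
#   snort_grants snort snort 'snort-pw' base 'base-pw' | mysql -u root -p
#   param_all /etc/snort/snort.conf dbname snort && param_all /etc/snort/snort.conf user snort
```

With two accounts, base_conf.php gets the base user and snort.conf the snort user, so a compromise of the web front end does not hand over an account that can also forge or rewrite sensor events.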

Now we are ready to install and configure BASE.


Installing and configuring BASE



BASE relies on ADOdb for Snort DB connectivity.
++++++++++++++++++++++++++

Get ADOdb:
** make sure you have wget installed on your OpenBSD box to do this, or just browse over to the link to download ADOdb. Quote the URL: an unquoted & makes the shell background the command and drop the rest of the URL.

wget "http://downloads.sourceforge.net/adodb/adodb496a.tgz?modtime=1191342715&big_mirror=0"

Place it in the /var/www/htdocs directory and then decompress it:

tar -zxvf adodb496a.tgz

It will create an adodb directory. Keep in mind that everything under htdocs is served by Apache, and the ADOdb tarball ships example and test scripts that have no business being web-reachable; delete them, or keep the library inside the chroot but outside htdocs (for example /var/www/adodb, which PHP inside the chroot sees as /adodb) and point $DBlib_path in base_conf.php there.

++++++++++++++++++++++++++


Install PEAR and its modules



Download and install PEAR and some of the modules that BASE needs for graphing etc.:

pkg_add -v pear-1.5.0p1.tgz

This will install PEAR. Now to install the PEAR modules.

/usr/local/php/bin/pear install Image_Color
/usr/local/php/bin/pear install Log
/usr/local/php/bin/pear install Numbers_Roman
/usr/local/php/bin/pear install http://pear.php.net/get/Numbers_Words-0.13.1.tgz
/usr/local/php/bin/pear install http://pear.php.net/get/Image_Graph-0.3.0dev4.tgz


+++++++++++++++++


Installing BASE:



Download and extract BASE:

Get the latest BASE from:

wget "http://downloads.sourceforge.net/secureideas/base-1.3.9.tar.gz?modtime=1195646853&big_mirror=0"

Extract the tar-gzipped file in the /var/www/htdocs directory:

tar -zxvf base-1.3.9.tar.gz

Rename base-1.3.9 to base:

mv base-1.3.9 base


Configuring base:




cd /var/www/htdocs/base
cp base_conf.php.dist base_conf.php


EDIT base_conf.php and change the following:

$DBlib_path - full path to the ADOdb installation: "../adodb"
$DBtype - type of database used: "mysql"
$BASE_urlpath - the root URI of your site: "/base"
$alert_dbname - the alert database name: "snort"
$alert_host - the alert database server: "localhost"
$alert_port - the port where the database is stored: "" (leave blank if you're not running MySQL on a network socket)
$alert_user - the username for the alert database: "snort"
$alert_password - the password for the username: "snort_user_password"

$alert_dbname, $alert_user and $alert_password must match the database, account and password you granted in MySQL above. host=localhost is what makes PHP use the Unix socket that rc.local links into the Apache chroot.

Two more settings are worth dealing with before the page goes live: make sure $Use_Auth_System is set to 1 so BASE requires a login instead of showing every alert to anyone who can reach the box, and make base_conf.php readable only by root and the web server (owner root, group www, mode 640), since it carries the database password.



That is all for configuring Snort with BASE on OpenBSD.

Now we are ready to test out the BASE install:

Fire up a web browser and type in the URL: http://your-snort-base-server/base/

On the first visit BASE will report that its own tables are missing and point you to its setup page; let it create them (this is what the create privilege on the snort database is for), then reload and the alert console should appear.

One last thing to do is copy over the signatures directory (it contains a text description of every signature) from /etc/snort/doc, so BASE can show the write-up next to an alert:

cp -rf /etc/snort/doc/signatures /var/www/htdocs/base


Some troubleshooting of the Snort and BASE install/config

Make sure the user _snort has write permission to the /var/log/snort directory; Snort drops to _snort after start-up, so a root-owned log directory breaks logging even though Snort was started as root.

If Snort starts but nothing reaches the database, start it once in the foreground with the same -c/-u/-g options and read what the database output plugin prints: a wrong database name or password shows up there, not in BASE.

If BASE shows a blank page or a PHP error, look in the chrooted Apache's log at /var/www/logs/error_log. The usual culprits are the MySQL socket link missing from /var/www/var/run/mysql after a mysqld restart, a PEAR module that did not install, or a database password that differs between base_conf.php and the MySQL grant.

Monday, December 17, 2007

OpenBSD post install Tips & Tricks :)

After the initial install of OpenBSD, it's a good idea to get the latest ports tree and to point your PKG_PATH to a good mirror that has pre-compiled packages.

In my case, I point to ftp5.usa.openbsd.org.
Another good trick is to save the names of all the packages into a file so that you can easily search for pre-compiled packages.

TO GET THE LATEST PORTS:

$shell> ftp ftp.openbsd.org
ftp> get pub/OpenBSD/4.2/ports.tar.gz

(the get runs inside the ftp session; grab the SHA256 file from the same directory while you are there). Check the tarball against that SHA256 file before unpacking it: the ports tree is code you will build and run as root, and plain FTP gives you no assurance about who served it or that it arrived intact.

Decompress ports.tar.gz into /usr (the archive has ports/ as its top-level directory, so extract it with /usr as the target):

$shell> tar -zxvf ports.tar.gz -C /usr
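A checksum check for that download, added here as an example and not part of the original post. It reads the BSD-style "SHA256 (file) = digest" lines from the release directory's SHA256 file, hashes the downloaded file with whichever of sha256 (OpenBSD base), sha256sum (GNU) or shasum is present, and refuses both a mismatch and a file that is not listed at all. File and list are parameters; the ports.tar.gz and SHA256 names in the usage comment are the ones from the release directory above.

```shell
#!/bin/sh
# verify_release_file.sh: added example, not from the original post.
# Check a downloaded OpenBSD release file (ports.tar.gz, a package, ...)
# against the SHA256 file from the same release directory before unpacking
# it.  That file uses BSD-style lines:
#   SHA256 (ports.tar.gz) = <64 hex digits>

# SHA-256 of $1 as 64 lowercase hex digits, using whatever tool exists.
digest_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Digest recorded for the file named $1 in the SHA256 list $2; empty when
# the file is not listed.
expected_digest() {
    awk -v name="$1" '$1 == "SHA256" && $2 == "(" name ")" { print tolower($4) }' "$2"
}

# 0 only when the file is listed and the digests agree; says why otherwise.
verify_sha256() {
    file=$1 list=$2
    want=$(expected_digest "$(basename "$file")" "$list")
    if [ -z "$want" ]; then
        echo "$file: not listed in $list" >&2
        return 1
    fi
    have=$(digest_of "$file")
    if [ "$have" != "$want" ]; then
        echo "$file: SHA256 MISMATCH, expected $want got $have" >&2
        return 1
    fi
    echo "$file: SHA256 OK"
}

# Stand-alone usage after fetching both files from the mirror:
#   verify_sha256 ports.tar.gz SHA256 && tar -zxvf ports.tar.gz -C /usr
```

Chaining the extract onto a successful verify, as in the usage line, is the habit worth keeping: a mirror or a man-in-the-middle on an FTP session can hand you a modified tarball, and the SHA256 file at least ties what you unpack to what the release directory says it should be.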

PLAYING WITH PACKAGES:

First thing to do is to get the names of all the packages into a file. This will help us in searching for a particular package:

$shell> ftp ftp.openbsd.org
ftp> cd /pub/OpenBSD/4.2/packages/i386
ftp> mdir * packages.lst

(mdir writes the remote directory listing into a local file; if you leave the file name off, ftp prompts for it, so give it packages.lst).

Unless you specified a path, packages.lst will be in the directory you started ftp from, normally your home directory.

Now point your PKG_PATH to a good fast mirror:

$shell> vi ~/.profile

add the following lines:

PKG_PATH=ftp://ftp5.usa.openbsd.org/pub/OpenBSD/4.2/packages/i386/
export PKG_PATH

Now, since we have the names of all the packages in a text file (packages.lst), whenever we want to look for a pre-compiled package, just do:

$shell> grep package-name packages.lst

I get the name of the package if it exists, and then I can just do:

$shell> pkg_add -v package-name


Simple trick, eh? :)