Snort and ACID
==============

Snort is an open source Intrusion Detection System (IDS); more information is available at http://www.snort.org. ACID (Analysis Console for Intrusion Databases) is a PHP tool for analysing a database of intrusion logs. More information is available at http://www.cert.org/kb/acid/

1) Compile Snort with database logging extensions
   - cd /usr/ports/security/snort
   - make WITH_POSTGRES= install clean
   - Run the commands shown after it is installed to initialise the database

2) Install Apache (http://www.apache.org/)
   - cd /usr/ports/www/apache13
   - make install clean

3) Install mod_php4 (http://www.apache.org/)
   - cd /usr/ports/www/mod_php4
   - make install clean
   When it asks, make sure that you tell it to build the postgres, gd, png and sockets support into it.

4) Install ADODB (http://php.weblogs.com/adodb/)
   - cd /usr/ports/databases/adodb
   - make install clean

5) Install PHPlot (http://www.phplot.com/)
   - cd /usr/ports/graphics/phplot
   - make install clean

6) Install GD (http://www.boutell.com/gd/)
   - cd /usr/ports/graphics/gd
   - make install clean

7) Unpack the snort archive somewhere handy like /tmp. Some files will be needed from it.

8) Create the Snort database, user and tables. Run:

   ~ > psql -U psql template1
   template1=# CREATE DATABASE snort;
   template1=# CREATE USER snort WITH PASSWORD 'mysnortpassword';
   template1=# \q
   ~ > psql -U psql snort
   snort=> \i /path/to/snort-1.8.3/contrib/create_postgresql
   snort=>

9) Create your snort config file. I copied /usr/local/etc/snort.conf-sample and then modified that. The things to edit are: 'var HOME_NET any' - change this to whatever your home network is. Then you need to add the line that makes it log to the database, something like:

   output database: alert, postgresql, host=localhost user=snort dbname=snort password=mysnortpassword

10) Create a snort startup file in /usr/local/etc/rc.d/snort.sh - mine looks like this:

[ -- SNIP -- ]
#!/bin/sh

IFACE=tun0
RULES=/usr/local/etc/gsoft.snort
SNORTUSER=nobody

case "$1" in
start)
    if [ -x /usr/local/bin/snort ]; then
        cd /usr/local/share/snort
        /usr/local/bin/snort -i $IFACE -c $RULES -l /tmp -u ${SNORTUSER} -D && echo -n ' snort'
    fi
    ;;
stop)
    if [ -r /var/run/snort_${IFACE}.pid ]; then
        kill `cat /var/run/snort_${IFACE}.pid`
        rm -f /var/run/snort_${IFACE}.pid
    fi
    ;;
*)
    echo "usage: $0 {start|stop}" 1>&2
    exit 64
    ;;
esac
[ -- SNIP -- ]

   Remember to change the variables at the top to suit your configuration.

11) Configure ACID
   - Create a symlink from your web area to the /usr/local/libexec/acid directory. (Presuming your web server is set to follow symlinks; otherwise you'll need to copy it.)
   - Edit the config file /usr/local/libexec/acid/acid_conf.php
     - Change DBtype to 'postgres'.
     - Change the db name and user to 'snort'.
     - Change the password to whatever you've used.
     - Go through the options - I only changed 'use_sig_list' to 2.

12) Start Snort
   - Run /usr/local/etc/rc.d/snort.sh start
   - Make sure no errors are generated by Snort.

13) Check ACID
   - View the ACID web page
   - It will ask you to click on a link to create some database structures.

14) Test Snort/ACID
   - Run nmap on the host from a remote system.
   - Make sure the packets will pass through the interface being tested (i.e. testing from a machine on your LAN won't work if Snort is watching tun0).

Notes:

The timezone offset appears to get applied twice. I'm not sure why this is so or what to do about it :(
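A pre-flight check for the snort.conf edits in step 9, added here as an example and not part of the original howto: it verifies that HOME_NET was narrowed from 'any' and that the postgresql output line is present, and it also flags a world-readable config, since the database password is written into that output line in plain text. The file names and sample configs below are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original howto): sanity-check a snort.conf
# before starting Snort. Sample configs are constructed below.

# check_snort_conf FILE -> prints one line per problem, returns 0 if clean
check_snort_conf() {
    conf="$1"
    rc=0
    if [ ! -r "$conf" ]; then
        echo "$conf: cannot read"
        return 1
    fi
    # Step 9: 'var HOME_NET any' is the sample file's placeholder, not a real network.
    if grep -Eq '^[[:space:]]*var[[:space:]]+HOME_NET[[:space:]]+any[[:space:]]*$' "$conf"; then
        echo "$conf: HOME_NET is still 'any'"
        rc=1
    fi
    # Step 9: without the postgresql output plugin ACID has nothing to show.
    if ! grep -Eq '^[[:space:]]*output[[:space:]]+database:.*postgresql' "$conf"; then
        echo "$conf: no 'output database: ..., postgresql, ...' line"
        rc=1
    fi
    # Extra check: column 8 of 'ls -l' is the world-read bit; the output
    # database line carries the DB password, so others should not read it.
    if [ "$(ls -ld "$conf" | cut -c8)" = "r" ]; then
        echo "$conf: world-readable, but it contains the database password"
        rc=1
    fi
    return $rc
}

# Constructed samples: an untouched copy of the sample config and an edited one.
WORK=$(mktemp -d)
UNEDITED="$WORK/snort.conf-sample"
EDITED="$WORK/snort.conf"
printf 'var HOME_NET any\noutput alert_fast: alert\n' > "$UNEDITED"
chmod 644 "$UNEDITED"
printf 'var HOME_NET 192.168.1.0/24\n' > "$EDITED"
printf 'output database: alert, postgresql, host=localhost user=snort dbname=snort password=mysnortpassword\n' >> "$EDITED"
chmod 600 "$EDITED"

check_snort_conf "$UNEDITED" || echo "$UNEDITED: not ready"
check_snort_conf "$EDITED" && echo "$EDITED: ready"
```

Run it against your real file with `check_snort_conf /usr/local/etc/snort.conf` before step 12's start command.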