Distributed Snort and BASE under OpenBSD
Although there are many tutorials on the Internet about installing Snort and BASE, I decided to write up my own experience of installing Snort and BASE in a distributed way under OpenBSD version 4.7.
For anyone who may not know, a distributed installation in this case means separating the database and reporting (done by our management station) from the actual processing of network traffic and alert generation (done by our Snort sensor).
Snort Management Server
Software required:
- MySQL
- Apache (installed by default in OpenBSD)
- BASE (Basic Analysis and Security Engine)
- PHP
- ADOdb
- Pear
MySQL
Install the mysql-server package using pkg_add.
If you want, read the file /usr/local/share/doc/mysql/README.OpenBSD, but mainly you will need to do the following.
Run the command /usr/local/bin/mysql_install_db to finalize the MySQL installation. After that command has finished we need to start the MySQL server with the command:
/usr/local/bin/mysqld_safe &
But before we do any work on the databases, we secure the MySQL installation by running the command:
/usr/local/bin/mysql_secure_installation
Answer the questions that appear on the screen.
Now, so that the MySQL server starts when the server boots up, add the following to /etc/rc.local:
if [ -x /usr/local/bin/mysqld_safe ] ; then
    su -c mysql root -c '/usr/local/bin/mysqld_safe >/dev/null 2>&1 &'
    echo -n ' mysql'
fi
Database and user creation
First we create the snort database:
mysqladmin -u root -p create snort
Next, we create the users and assign them permissions on the database. We create two users, one for the Snort sensors and another for BASE, each one limited to the hosts it actually connects from (the sensor account needs INSERT on the alert tables, BASE needs to read them and to create its own AG tables from the setup page).
To get into the MySQL shell use the command:
mysql -u root -p
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost IDENTIFIED BY 'sensorpassword';
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@'[sensor_ipaddress]' IDENTIFIED BY 'sensorpassword';
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to base@localhost IDENTIFIED BY 'basepassword';
mysql> flush privileges;
Finally, load the schema that comes with the Snort package (Snort will be installed on the sensors later on); it is located under /usr/local/share/examples/snort/ on a machine with the package installed, or you can pick it up from here. Then run the following command:
mysql -u root -p snort < /dir_to_schema/create_mysql
Basic mysql troubleshooting
To check that the tables have been created and that the users we created before have access to the database tables, use the command:
mysqlshow -u snort -p snort
Enter password:
Database: snort
+------------------+
| Tables |
+------------------+
| data |
| detail |
| encoding |
| event |
| icmphdr |
| iphdr |
| opt |
| reference |
| reference_system |
| schema |
| sensor |
| sig_class |
| sig_reference |
| signature |
| tcphdr |
| udphdr |
+------------------+
To check the users configured in mysql:
mysql> select host, user, password from mysql.user;
To check the grants for a specific user:
mysql> show grants for snort@localhost;
ADOdb
Download the files from http://adodb.sourceforge.net and extract them under /var/www/htdocs.
BASE
Get the latest version of BASE from http://base.secureideas.net.
Extract the file into /var/www/htdocs so you end up with the directory base.
Edit the file base_conf.php with these settings. These are the minimal changes required to make BASE work, but go through the config file and modify any additional settings for your environment.
$BASE_urlpath = '/base/';
$DBlib_path = '/htdocs/adodb/'; # path as seen from inside the Apache chroot (/var/www)
$DBtype = 'mysql';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_user = 'base';
$alert_password = 'basepassword'; # the password set for base@localhost above
The options $external_whois_link and $external_dns_link point by default to dnsstuff, whose queries are no longer free, so if you want an alternative you can use the following settings.
$external_whois_link = 'http://www.zoneedit.com/whois.html?zone=';
$external_dns_link = 'http://my-addr.com/ip/';
Apache
Apache comes installed by default in OpenBSD and is configured to be chrooted to /var/www. The only changes required are the following.
Modify /etc/rc.conf.local to load Apache at startup:
httpd_flags=""
As I mentioned before, Apache is chrooted, so we need to make the MySQL socket visible inside the chroot. This works as a hard link because /var/run and /var/www are on the same filesystem in the default OpenBSD layout:
mkdir -p /var/www/var/run/mysql
ln /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock
Keep in mind that mysqld removes and recreates its socket every time it starts, so the link has to be refreshed (ln -f) after each restart of mysqld, for example from /etc/rc.local right after the mysqld_safe line.
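The following is an added example, not code from the original post: a small shell helper that refreshes the socket hard link inside the chroot and waits for mysqld to create the socket first, which is what an rc.local line needs to do after a restart. The paths are parameters; the real ones would be /var/run/mysql/mysql.sock and /var/www/var/run/mysql/mysql.sock.

```shell
#!/bin/sh
# Added example, not part of the original post: refresh the MySQL socket hard
# link inside the Apache chroot. mysqld removes and recreates its socket on
# every start, so a link made once (as with the plain "ln" above) points at a
# dead inode after the first restart and BASE can no longer reach the database.
# Hard links require both names to sit on the same filesystem, as /var/run and
# /var/www do in the default OpenBSD layout.

# link_socket SOCKET CHROOT_COPY [TRIES]
#   Waits up to TRIES seconds (default 10) for SOCKET to appear, then replaces
#   CHROOT_COPY with a fresh hard link to it. Returns 1 if SOCKET never shows up.
link_socket() {
    sock=$1; copy=$2; tries=${3:-10}
    while [ ! -e "$sock" ] && [ "$tries" -gt 0 ]; do
        sleep 1
        tries=$((tries - 1))
    done
    if [ ! -e "$sock" ]; then
        echo "link_socket: $sock did not appear" >&2
        return 1
    fi
    mkdir -p "$(dirname "$copy")"
    ln -f "$sock" "$copy"          # -f: replace a stale link from the previous run
}

# link_is_live SOCKET CHROOT_COPY -> 0 when both names refer to the same inode
link_is_live() {
    [ "$1" -ef "$2" ]
}
```

In /etc/rc.local you would call link_socket /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock after the mysqld_safe line, and again from whatever script you use to restart mysqld; link_is_live is the check to run when BASE suddenly reports that it cannot connect to the database.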
Next we create a user to enable authentication to the BASE web page (-c creates the password file, -m stores MD5 hashes):
htpasswd -cm /var/www/conf/.htpasswd randomuser
Finally edit /var/www/conf/httpd.conf with the following settings. The authentication directives belong inside a Directory block for the BASE directory, so only the console is protected:
AddType application/x-httpd-php .php
DirectoryIndex index.html index.php

# restrict the BASE console to authenticated users
<Directory "/var/www/htdocs/base">
    AuthType Basic
    AuthName "Base console for Snort"
    AuthUserFile "/var/www/conf/.htpasswd"
    Require valid-user
</Directory>
PHP
Install the package php5-core with pkg_add. Once it finishes installing, it tells you the next step to finish the installation, but either way the command you need to run is:
ln -s /var/www/conf/modules.sample/php5.conf /var/www/conf/modules
Next install php5-gd using pkg_add. As before, at the end of the installation it tells you the next step, which is basically:
ln -fs /var/www/conf/php5.sample/gd.ini /var/www/conf/php5/gd.ini
Finally install the package php5-mysql using pkg_add. And as before, the command to run at the end of the installation is:
ln -fs /var/www/conf/php5.sample/mysql.ini /var/www/conf/php5/mysql.ini
The last thing to finish the PHP configuration is to modify the PHP include path so it can later find PEAR. Modify this entry in /var/www/conf/php.ini (the paths are relative to the Apache chroot):
include_path=".:/conf/php5:/pear"
PEAR
Install the package pear with pkg_add. After pear has finished installing, make sure that the PEAR directory points to /var/www/conf/php5 by running the command
pear config-show | grep php_dir
If it still shows the package default, as in this output, it needs to be changed:
PEAR directory php_dir /usr/local/share/php5
You can modify the setting by running the command
pear config-set php_dir /var/www/conf/php5
Next we will install the following pear packages.
pear channel-update pear.php.net
pear install PEAR
pear install Image_Color
pear install Numbers_Roman
For the following packages, if we don't specify the version it throws an error message, so we need to specify the version number that appears in the error message.
pear install Image_Canvas-0.3.2
pear install Numbers_Words-0.16.2
pear install Image_Graph-0.7.2
Final checks
After you finish installing everything on the management server, start or restart Apache using the command apachectl start.
Now you should be able to point your web browser to the BASE web page using the URL http://snortmgmtserver/base. When you access the web page for the first time it shows a page indicating that BASE hasn't been configured yet (missing tables in the database). Click on the "Setup page" link and then on the "Create BASE AG" button so we can start using BASE.
Once you are on the main page of BASE, click on the link "Graph Alert Data" to make sure that PEAR and Image_Canvas are found by PHP.
Snort sensor
Software required
- Snort
- Oinkmaster
- Barnyard 2
It is recommended that the Snort sensor has two network interfaces, so one of them can be used as a management interface and the other for monitoring the network traffic. An additional note: do not configure an IP address on the interface that is going to be used for monitoring the network traffic.
Snort
Install the package snort-2.8.4.1-mysql (or a newer version) with pkg_add. After it finishes installing, add the following to /etc/rc.local so Snort starts when the server boots up.
if [ -x /usr/local/bin/snort ]; then
    echo -n ' snort'; /usr/local/bin/snort -c /etc/snort/snort.conf -i fxp1 -D -o -u _snort -g _snort -t /var/snort -l /var/snort/log
fi
Here is a short explanation of the various options I used for Snort; check the Snort manual for more information.
-i = Sniff packets on Interface (our monitoring interface)
-D = run as daemon
-o = Change the order in which the rules are applied to packets. Instead of being applied in the standard Alert->Pass->Log order, this will apply them in Pass->Alert->Log order. Useful in the case that you have pass rules in your local.rules file to filter some of the alerts generated.
-u and -g = user and group that snort will run under after initialization.
-t = chroot directory for snort.
-l = logging/alert directory.
Create the directories /var/snort and /var/snort/log if they don't exist.
Now edit the Snort configuration file located under /etc/snort/snort.conf so it loads the appropriate rules and generates the alerts in the unified2 format.
To output the alerts in unified2 format add the following line.
output unified2: filename snort.u2, limit 128
If you are using the Emerging Threats rules add the following line.
include $RULE_PATH/emerging.conf
After you have downloaded the Emerging Threats rules, edit the file /etc/snort/rules/emerging.conf and uncomment the rules files you want to be loaded with Snort.
Also update the sid-msg.map file so Snort can correlate the sid of an alert with the appropriate message. The procedure, run from /etc/snort, is as follows:
Make a backup of the original file (located under /etc/snort):
cp sid-msg.map sid-msg.map.orig
Now combine the original file with the one provided by Emerging Threats:
cat rules/sid-msg.map sid-msg.map.orig | sort -u > sid-msg.map
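As an added example (not from the original post), here is a merge that handles the case the sort -u line above does not: a sid that appears in both maps with different message text. sort -u only removes byte-identical lines, so such a sid would survive twice. The helper below keeps one line per sid (the first file given wins, matching the cat order above), skips comments and blank lines, and sorts the result numerically. File names are the ones on this page; the sample content in the test is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: merge the sid-msg.map shipped
# with Snort and the one that comes with the Emerging Threats rules, keeping a
# single "sid || msg || ref ..." line per sid so barnyard2/BASE never see an
# ambiguous mapping.
#
# Usage, from /etc/snort:
#   merge_sid_msg rules/sid-msg.map sid-msg.map.orig sid-msg.map.new

# merge_sid_msg FIRST SECOND OUT
#   On a duplicate sid the entry from FIRST is kept.
merge_sid_msg() {
    first=$1; second=$2; out=$3
    cat "$first" "$second" \
      | awk 'BEGIN { FS = "[ \t]*[|][|][ \t]*" }   # split on the "||" separators
             /^[ \t]*#/ { next }                   # drop comment lines
             /^[ \t]*$/ { next }                   # drop blank lines
             !seen[$1]++ { print }' \
      | sort -t'|' -k1,1n > "$out"                 # numeric order by sid
}

# count_sids MAPFILE -> number of distinct sids in a map, for sanity checks
count_sids() {
    awk 'BEGIN { FS = "[ \t]*[|][|][ \t]*"; n = 0 }
         /^[ \t]*#/ { next }
         /^[ \t]*$/ { next }
         !($1 in seen) { seen[$1] = 1; n++ }
         END { print n }' "$1"
}
```

After running it, compare count_sids on the merged file with the two inputs: if the merged count is lower than the sum, those are the sids that both files defined, which are worth a look before the map goes into production.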
Oinkmaster
Install the oinkmaster package using pkg_add.
Then edit the oinkmaster configuration file, located under /etc/oinkmaster.conf, with the following setting.
url = http://rules.emergingthreats.net/open/snort-2.8.4/emerging.rules.tar.gz
Before we download the new rules for Snort, create the directory /etc/snort/backup if it doesn't exist.
To download the new rules using oinkmaster use the following command:
/usr/local/bin/oinkmaster -o /etc/snort/rules/ -b /etc/snort/backup
The options I used for the command are (check oinkmaster manual for more information):
-o = directory where to save the new rules
-b = directory where to save a backup of the rules that are being replaced.
To run oinkmaster every day so it updates the rules, add the following to the crontab (see the oinkmaster manual for more examples).
This example runs oinkmaster every day at 02:00 and saves its output, error messages included, to a file. The redirections must be in this order (file first, then 2>&1); the other way round stderr still goes to cron's mail instead of the log.
0 2 * * * /usr/local/bin/oinkmaster -o /etc/snort/rules/ -b /etc/snort/backup > /var/log/snort/oinkmaster.log 2>&1
Extra oinkmaster notes
Just a reminder that if you comment/uncomment any of the rules files, every time oinkmaster fetches an update it rewrites the file unless you tell it not to.
Here are some important oinkmaster options:
skipfile [filename] = never update the file mentioned. A good option to add to oinkmaster is to skip the emerging.conf configuration file so it doesn't comment out again all the rules files you enabled; the oinkmaster.conf file contains more information and examples for these commands. For example:
skipfile emerging.conf
disablesid [sid_number] = disable the alert rule with the given sid number
enablesid [sid_number] = enable the alert rule with the given sid number
Barnyard 2
Get the Barnyard2 application from the website http://www.securixlive.com/barnyard2.
Extract the file and run the following commands to compile and install it:
./configure --with-mysql
make
make install
Next we configure barnyard2 with the appropriate settings. The configuration file is located under /etc/snort/barnyard2.conf:
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
config hostname: vmtvgpssnort1
config interface: fxp1
config daemon
config set_gid: _snort
config set_uid: _snort
config process_new_records_only
input unified2
output database: alert,mysql,user=snort dbname=snort password=sensorpassword host=[ip address of mysql server]
Now, so that barnyard2 starts every time the server boots up, add the following to /etc/rc.local:
if [ -x /usr/local/bin/barnyard2 ]; then
    echo -n ' barnyard2'; /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/snort/log -f snort.u2 -w /etc/snort/barnyard2.waldo
fi
The options I used for barnyard2 are these; see the barnyard2 manual for more information.
-c = configuration file (/etc/snort/barnyard2.conf)
-d = spool directory, the directory where Snort writes its unified2 files (/var/snort/log, the same directory given to Snort with -l)
-f = spool file base name, the filename from the unified2 output line in snort.conf (snort.u2)
-w = waldo (bookmark) file, where barnyard2 records how far it has read so it can resume after a restart instead of re-inserting old alerts
Final steps and checks
After we have configured everything it is time to start the applications on the sensor.
First start Snort using the same command line as the one we wrote in /etc/rc.local:
/usr/local/bin/snort -c /etc/snort/snort.conf -i fxp1 -D -o -u _snort -g _snort -t /var/snort -l /var/snort/log
Check the output in /var/log/messages for any errors. This is an example of the last two lines when Snort has started successfully:
Snort initialization completed successfully (pid=4813)
Not Using PCAP_FRAMES
After Snort has started successfully, start barnyard2 using the same command as the one we wrote in /etc/rc.local:
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/snort/log -f snort.u2 -w /etc/snort/barnyard2.waldo
This is an example of the output that barnyard2 shows when it has started successfully and is using the bookmark stored in the waldo file:
--== Initialization Complete ==--
Barnyard2 initialization completed successfully (pid=48)
Using waldo file '/etc/snort/barnyard2.waldo': spool directory = /var/snort/log spool filebase = snort.u2 time_stamp = 1282297366 record_idx = 1259
Opened spool file '/var/snort/log/snort.u2.1282297366'
Waiting for new data
Once both applications have started successfully you will start to see alerts on the BASE web page. From this point on you will need to fine-tune your Snort configuration so it only alerts on the traffic you are interested in.
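The most common reason for barnyard2 to sit at "Waiting for new data" while Snort keeps logging is a mismatch between the unified2 filename in snort.conf and the -d/-f values given to barnyard2. The following is an added example, not code from the original post: a pre-flight check that reads the output unified2 line from a snort.conf, compares it with the barnyard2 spool settings, and confirms that at least one snort.u2.<timestamp> spool file exists. Paths are parameters so it can be run against the real files (/etc/snort/snort.conf and /var/snort/log on this page); the test uses constructed copies.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity check that Snort's
# unified2 output and barnyard2's spool settings agree before starting both.

# unified2_filebase SNORT_CONF -> prints the filename from the first
#   "output unified2: filename X, ..." line, or nothing if there is none
unified2_filebase() {
    sed -n 's/^[[:space:]]*output[[:space:]]*unified2:[[:space:]]*filename[[:space:]]*\([^,[:space:]]*\).*/\1/p' "$1" \
      | head -n 1
}

# check_spool SNORT_CONF SPOOL_DIR FILEBASE
#   SPOOL_DIR and FILEBASE are what barnyard2 gets with -d and -f.
#   Returns 0 when snort.conf writes FILEBASE and SPOOL_DIR already holds a
#   FILEBASE.<timestamp> file; otherwise prints the reason and returns 1.
check_spool() {
    conf=$1; dir=$2; filebase=$3
    want=$(unified2_filebase "$conf")
    if [ -z "$want" ]; then
        echo "no 'output unified2' line in $conf; barnyard2 will have nothing to read"
        return 1
    fi
    if [ "$want" != "$filebase" ]; then
        echo "snort.conf writes '$want' but barnyard2 was given -f '$filebase'"
        return 1
    fi
    set -- "$dir/$filebase".[0-9]*          # snort appends a unix timestamp
    if [ ! -e "$1" ]; then
        echo "no $filebase.<timestamp> spool file in $dir yet (has Snort started, and is -l $dir?)"
        return 1
    fi
    echo "ok: barnyard2 will read $filebase.* from $dir"
    return 0
}
```

Run check_spool /etc/snort/snort.conf /var/snort/log snort.u2 after Snort is up and before starting barnyard2; a failing check points at the exact setting to fix rather than leaving you staring at an empty BASE page.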
Extras
As OpenBSD doesn't have an /etc/rc.d/ directory like FreeBSD, containing scripts to restart the various daemons, and because the kill -HUP command doesn't restart the process if it is running as a non-root user, I decided to create some scripts to help start, stop, restart and test either Snort or barnyard2. You can get the scripts from here:
Snort daemon control script
Barnyard2 daemon control script
Tags: barnyard2, base, distributed, openbsd, snort
Alberto Diaz, 31 Aug 2010 12:12 PM