Installation of SNORT APACHE PHP MYSQL and Snort

  • Slides: 21
Installation of SNORT, APACHE, PHP, MYSQL and Snort Report

Presented By Ositadimma Maxwell Ejelike Bahman Radjabalipour

HARDWARE AND SOFTWARE
  • Operating System: Windows 2003 Server Enterprise Edition and Microsoft Windows XP
  • Hardware: Compaq 1600 Pentium III dual Processor Server and Pentium IV workstation
  • Software Installed
      • Apache_1.3.24-win32-x86-src.msi (www.apache.org)
      • Php-4.3.0-Win32.zip (www.php.com)
      • Snort_243_Installer.exe (www.snort.org)
      • WinPcap_3_1.exe (http://www.winpcap.org)
      • Snortrules_snapshot_CURRENT[1].tar.gz (www.snort.org)
      • Snortreport-1.3.1.tar.gz
      • Jpgraph-1.20.3.tar.gz
      • Gd-2.0.33.zip
      • Mysql-4.0.17-win.zip
      • Winrar

SOFTWARE INSTALLATION DIRECTORIES
  • Operating System: E:\ drive
  • Snort: F:\Snortapps
  • Apache: E:\Program Files\Apache Group\Apache
  • SnortReport: E:\Program Files\Apache Group\Apache\htdocs\snortreport
  • JPGraph: E:\Program Files\Apache Group\Apache\jpgraph-1.20.3
  • GD: E:\Program Files\Apache Group\Apache\gd-2.0.33
  • MySQL: E:\bin\mysql
  • PHP: F:\Snortapps\php
  • Ethereal: E:\Program Files\Ethereal

WINPCAP
  • It captures packets from the network cable and passes them to Snort
  • It is the Windows version of libpcap, the library used on Linux for running Snort
  • WinPcap gets information about the network adapters in the network

SNORT
  • Open source, lightweight network intrusion detection system
  • Uses easy-to-learn rules to detect and log the signatures of possible attacks
  • It can also be used as a sniffer
  • It is a free utility with active community support

MYSQL
  • SQL-based database software
  • Most supported platform for storing Snort alerts
  • Stores all IDS alerts triggered from our Snort sensors
  • Snort can log directly to MySQL natively, as the alerts come in

MYSQL CONTD


MYSQL CONTD.
  • Winmysqladmin
      • Ran winmysqladmin from a command prompt
  • Edit my.ini file
      • Bind MySQL to the system localhost IP address; we use 127.0.0.1
      • Set the communication port; it's 3306 for a typical MySQL installation
      • Set the key_buffer setting for Snort data; we chose 64M

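MYSQL CONTD.
  • Cleaning MySQL and creating the DB for Snort

    mysql -u root -p

    use mysql;                              -- the account table lives in the mysql database
    delete from user where host = "%";      -- remove accounts that accept any remote host
    delete from user where user = "";       -- remove anonymous accounts
    select * from user;
    drop database test;
    show databases;
    create database snort;
    create database archive;
    -- the password set here is the one snort.conf and srconf.php must use
    grant INSERT, SELECT, UPDATE on snort.* to snort@localhost identified by "snortdba";
    flush privileges;                       -- reload the grant tables after the direct deletes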

APACHE WEB SERVER
  • Web server of choice for most websites
  • Its sole purpose here is hosting the SnortReport web-based console

APACHE WEB SERVER FOR SNORT
  • Load the PHP module and map its file type:

    LoadModule php4_module F:/Snortapps/php/sapi/php4apache.dll
    AddModule mod_php4.c
    AddType application/x-httpd-php .phtml

  • Allow access to the console from the local machine only:

    Order deny,allow
    Deny from all
    Allow from 127.0.0.1

PHP
  • General-purpose scripting language for web development
  • Support for database-enabled web pages
  • Provides support for SnortReport

PHP FOR SNORT
  • Copy "F:\snortapps\php4ts.dll" to "E:\WINDOWS\system32".
  • Copy "C:\snortapps\PHP\sapi\php4apache4.dll" to "E:\Program Files\Apache Group\Apache\Modules".
  • Copy the file "E:\snortapps\php.ini-dist" to our ROOT folder (E:\WINDOWS) and rename it to "php.ini".
  • Edit php.ini:
      • max_execution_time = 60
      • session.save_path = E:/windows/temp
      • Remove the ; in front of ";extension=php_gd.dll"
      • doc_root = E:\program files\apache group\apache\htdocs\snortreport
      • extension_dir = F:\Snortapps\php\extensions

JPGRAPH AND GD 2.0.11
  • A general graphics library that supports PNG images
  • It is used to display the pie graph in SnortReport
  • Uncompress it to the directory where Apache is installed

SNORTREPORT
  • Snort Report is an add-on module for the Snort Intrusion Detection System. It provides real-time reporting from the MySQL database generated by Snort.
  • It is a web-based application for viewing all IDS alerts
  • All sensor information is consolidated here for viewing

SNORTREPORT INSTALLATION
  • Uncompress SnortReport
  • Navigate to the snortreport folder and choose srconf.php. Edit the variables below:

    $server = "localhost";
    $user = "snort";
    $pass = "snortdb";
    $dbname = "snort";
    define("Path of JPGRAPH", "Path of GD");

  • Reboot the machine
  • Start your browser and type: http://localhost/snortreport

Configuring snort.conf

    var HOME_NET 192.168.15.24/32
    output database: alert, mysql, user=snort dbname=snort password=PASSWORD host=127.0.0.1 port=3306 sensor_name=maxserver
    include $RULE_PATH/bahman_Maxwell.rules
    include F:\Snortapps\etc\classification.config
    include F:\Snortapps\etc\reference.config
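The MySQL GRANT, the srconf.php variables and the snort.conf output line all have to name the same account, database and password, and all three should stay on loopback. The following check is an added example, not part of the original slides; the function names are hypothetical and the inputs are constructed samples that mirror the values on the slides.

```python
import re

# Constructed sample inputs that mirror the values shown on the slides.
SNORT_CONF = ("output database: alert, mysql, user=snort dbname=snort "
              "password=PASSWORD host=127.0.0.1 port=3306 sensor_name=maxserver\n")
SRCONF_PHP = '$server = "localhost";\n$user = "snort";\n$pass = "snortdb";\n$dbname = "snort";\n'
GRANT_SQL = 'GRANT INSERT, SELECT, UPDATE ON snort.* TO snort@localhost IDENTIFIED BY "snortdba";'
LOOPBACK = {"127.0.0.1", "localhost"}

def parse_snort_output(conf):
    """Return the key=value options of the first 'output database:' line."""
    for line in conf.splitlines():
        m = re.match(r"\s*output\s+database:\s*\w+\s*,\s*\w+\s*,?\s*(.*)", line)
        if m:
            return dict(kv.split("=", 1) for kv in m.group(1).split() if "=" in kv)
    return {}

def parse_srconf(php):
    """Return the $name = "value"; assignments found in srconf.php."""
    return dict(re.findall(r'^\s*\$(\w+)\s*=\s*"([^"]*)"\s*;', php, re.M))

def parse_grant(sql):
    """Return database, account, host and password from a GRANT statement."""
    m = re.search(r'ON\s+(\w+)\.\*\s+TO\s+(\w+)@(\S+)\s+IDENTIFIED\s+BY\s+"([^"]*)"',
                  sql, re.I)
    return dict(zip(("dbname", "user", "host", "password"), m.groups())) if m else {}

def audit(conf, php, sql):
    """List mismatches between the three places the DB account is configured."""
    s, r, g = parse_snort_output(conf), parse_srconf(php), parse_grant(sql)
    views = {
        "user": (s.get("user"), r.get("user"), g.get("user")),
        "dbname": (s.get("dbname"), r.get("dbname"), g.get("dbname")),
        "password": (s.get("password"), r.get("pass"), g.get("password")),
    }
    # Report only the field name, never the secret values themselves.
    findings = [f"{k} differs between snort.conf, srconf.php and GRANT"
                for k, v in views.items() if len(set(v)) > 1]
    hosts = (("snort.conf", s.get("host")), ("srconf.php", r.get("server")),
             ("GRANT", g.get("host")))
    for name, host in hosts:
        if host not in LOOPBACK:
            findings.append(f"{name} host {host!r} is not loopback")
    return findings

if __name__ == "__main__":
    for finding in audit(SNORT_CONF, SRCONF_PHP, GRANT_SQL):
        print("FINDING:", finding)
```

A password mismatch is the usual reason Snort starts but logs nothing to the database, or SnortReport loads but cannot query it.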

Configuring Snort as a Service

    snort /SERVICE /INSTALL -de -c F:\snortapps\etc\snort.conf -l F:\snortapps\log -i 2

  • /SERVICE: Windows command to access the Services commands
  • /INSTALL: the command that installs the program as a Windows service

Running Snort as a service


Snort Report


Ethereal sniffing the packets
