Problem
You want to use SnortCenter to remotely manage your distributed Snort sensors.
Solution
Follow the recipes Installing and Configuring MySQL (Recipe 2.11) and Configuring MySQL for Snort (Recipe 2.12) to prepare your Snort installation for SnortCenter. Also, follow the recipe for Installing Snort on Linux or Installing Snort on Windows to install your sensors.
First, install Apache. At the time of this writing, the current version is 2.0.50. Use the following commands to install Apache:
[root@localhost root]# tar zxvf httpd-2.0.50.tar.gz
[root@localhost root]# cd httpd-2.0.50
[root@localhost httpd-2.0.50]# ./configure --prefix=/www --enable-so
[root@localhost httpd-2.0.50]# make
[root@localhost httpd-2.0.50]# make install
[root@localhost httpd-2.0.50]# /www/bin/apachectl start
Next, check that the web server is working by opening a web browser and entering the system's IP address or "localhost." You should see the default Apache web page.
Next, upgrade to the latest version of libxml2. At the time of this writing, the current version is 2.6.0-1. Use the following commands to install libxml2:
[root@localhost httpd-2.0.50]# /www/bin/apachectl stop
[root@localhost httpd-2.0.50]# cd ..
[root@localhost root]# rpm -Uvh libxml2-devel-2.6.0-1.i386.rpm
[root@localhost root]# rpm -Uvh libxml2-python-2.6.0-1.i386.rpm
[root@localhost root]# rpm -Uvh libxml2-2.6.0-1.i386.rpm
Next, install PHP. At the time of this writing, the current version is 5.0.0. Use the following commands to install PHP:
[root@localhost root]# tar zxvf php-5.0.0.tar.gz
[root@localhost root]# cd php-5.0.0
[root@localhost php-5.0.0]# ./configure --prefix=/www/php --with-apxs2=/www/bin/apxs --with-config-file-path=/www/php --enable-sockets --with-mysql=/usr/local/mysql --with-zlib-dir=/usr/local --with-gd
[root@localhost php-5.0.0]# make
[root@localhost php-5.0.0]# make install
[root@localhost php-5.0.0]# cp php.ini-dist /www/php/php.ini
You must also make the following changes to the /www/conf/httpd.conf file:
[root@localhost php-5.0.0]# cd /www/conf
[root@localhost conf]# vi httpd.conf
Change the line:
DirectoryIndex index.html index.html.var
to:
DirectoryIndex index.php index.html index.html.var
Also, add the following line under the AddType section:
AddType application/x-httpd-php .php
Next, create links to the startup script so that the web server starts when you boot into run levels 3 and 5 (run level 3 is full multiuser mode, and run level 5 is multiuser mode with the X Window System):
[root@localhost conf]# cd /www/bin
[root@localhost bin]# cp apachectl /etc/init.d/httpd
[root@localhost bin]# cd /etc/rc3.d
[root@localhost rc3.d]# ln -s ../init.d/httpd S85httpd
[root@localhost rc3.d]# ln -s ../init.d/httpd K85httpd
[root@localhost rc3.d]# cd /etc/rc5.d
[root@localhost rc5.d]# ln -s ../init.d/httpd S85httpd
[root@localhost rc5.d]# ln -s ../init.d/httpd K85httpd
Next, test the configuration with the following commands:
[root@localhost rc5.d]# cd /www/htdocs
[root@localhost htdocs]# echo "<?php phpinfo(); ?>" > test.php
[root@localhost htdocs]# /etc/rc5.d/S85httpd start
Open the web browser again and enter http://IPaddress/test.php or http://localhost/test.php. You should see a PHP table output of system information.
Next, install CURL with the following commands:
[root@localhost root]# tar zxvf curl-7.12.0.tar.gz
[root@localhost root]# cd curl-7.12.0
[root@localhost curl-7.12.0]# ./configure
[root@localhost curl-7.12.0]# make
[root@localhost curl-7.12.0]# make install
Next, install the SnortCenter Management Console:
[root@localhost curl-7.12.0]# cd ..
[root@localhost root]# tar zxvf snortcenter-v1.0-RC1.tar.gz
This creates a directory called www. Copy its contents into the web server's document root:
[root@localhost root]# cd www
[root@localhost www]# cp -R * /www/htdocs
Next, install ADOdb. At the time of this writing, the latest version is 4.5.1:
[root@localhost root]# tar zxvf adodb451.tgz
[root@localhost root]# cp -R ./adodb/ /www/htdocs
Next, create the MySQL database:
[root@localhost root]# echo "CREATE DATABASE snortcenter;" | /usr/local/mysql/bin/mysql -u root -p
Enter password:
Make the following changes to the config.php file:
[root@localhost root]# cd /www/htdocs
[root@localhost htdocs]# vi config.php
Change the line:
$hidden_key_num = "0";
to:
$hidden_key_num = "236785";
and:
$DB_password = "";
to:
$DB_password = "newpassword";
The database password is the one that you provided earlier when you installed MySQL.
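The httpd.conf and config.php edits above are hand edits in vi. The following shell script is an added example (not part of the Snort Cookbook recipe or of SnortCenter) that makes the same four changes with sed so they can be re-run without duplicating lines, and then verifies them. It assumes the recipe's paths (/www/conf/httpd.conf and /www/htdocs/config.php), passed as arguments so the functions can be tried on copies first; it appends the AddType line at the end of httpd.conf rather than inside the AddType section, picks a random six-digit $hidden_key_num instead of the fixed 236785 shown above (the assumption being that SnortCenter accepts any non-zero number there), reads the database password from an environment variable named SNORTCENTER_DB_PASSWORD (a name chosen for this example), and removes world-read permission from config.php because it stores that password in clear text.

```shell
#!/bin/sh
# Added example, not from the Snort Cookbook: applies this recipe's edits to
# httpd.conf and config.php with sed so the script can be re-run without
# duplicating lines, then verifies them. File paths are arguments so the
# functions can be tried on copies; the real files in this recipe are
# /www/conf/httpd.conf and /www/htdocs/config.php.

# Put index.php first in the DirectoryIndex directive (no-op if already there).
set_directory_index() {
    conf="$1"
    grep -q '^DirectoryIndex index\.php' "$conf" && return 0
    sed -i 's/^DirectoryIndex /DirectoryIndex index.php /' "$conf"
}

# Register the PHP handler. The recipe puts this under the AddType section;
# here it is appended at the end of the file (assumption: a global AddType
# line is accepted anywhere in the server config), and only if absent.
add_php_type() {
    conf="$1"
    grep -q '^AddType application/x-httpd-php \.php' "$conf" && return 0
    printf 'AddType application/x-httpd-php .php\n' >> "$conf"
}

# Replace the value of a quoted PHP string assignment such as
#   $DB_password = "";
# The value must not contain / or " (they would break the sed expression).
set_php_var() {
    file="$1"; name="$2"; value="$3"
    sed -i "s/^\\\$$name = \"[^\"]*\";/\\\$$name = \"$value\";/" "$file"
}

# Six-digit random value for $hidden_key_num, so the installation keeps
# neither the default "0" nor the example value printed in the recipe
# (assumption: SnortCenter accepts any non-zero number here).
random_key_num() {
    n=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
    echo $(( n % 900000 + 100000 ))
}

# Return 0 if all four edits are in place, 1 otherwise.
verify_edits() {
    conf="$1"; cfg="$2"
    grep -q '^DirectoryIndex index\.php ' "$conf" || return 1
    grep -q '^AddType application/x-httpd-php \.php' "$conf" || return 1
    grep -q '^\$hidden_key_num = "0";' "$cfg" && return 1
    grep -q '^\$DB_password = "";' "$cfg" && return 1
    return 0
}

# Apply everything to the recipe's real paths. The DB password comes from
# the environment (variable name chosen for this example) rather than being
# typed into the script; config.php then holds it in clear text, so
# world-read permission is removed (the web server user must still be able
# to read it, e.g. through group ownership).
apply_recipe_edits() {
    [ -n "$SNORTCENTER_DB_PASSWORD" ] || { echo "SNORTCENTER_DB_PASSWORD not set" >&2; return 1; }
    set_directory_index /www/conf/httpd.conf
    add_php_type /www/conf/httpd.conf
    set_php_var /www/htdocs/config.php hidden_key_num "$(random_key_num)"
    set_php_var /www/htdocs/config.php DB_password "$SNORTCENTER_DB_PASSWORD"
    chmod o-rwx /www/htdocs/config.php
    verify_edits /www/conf/httpd.conf /www/htdocs/config.php
}
```

Run it as root with `SNORTCENTER_DB_PASSWORD=... sh -c '. ./edits.sh && apply_recipe_edits'` after the files are in place; `verify_edits` is also useful on its own after the manual edits described above, since a missed AddType line shows up only as the browser offering test.php for download.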
Next, create the database tables by opening the web browser and going to the IP address of your host, http://IPaddress or http://localhost. The browser displays the list of tables as they are created. The login screen appears after a few seconds, and you can log in with the username admin and the password change (Figure 5-14). Change your password as soon as you log in.
Figure 5-14. SnortCenter login
Now you are ready to install the SnortCenter Sensor Agent. This can be installed on the same system as the SnortCenter Management Console, or on other distributed Snort sensors throughout the network. For this example, we are installing it on the same system for simplicity. This install assumes that Snort is already installed.
To provide encryption of the traffic from the SnortCenter Management Console to the SnortCenter Sensor Agent, you must first install Perl and OpenSSL from source. Installing from the RPMs causes problems such as dependency issues and errors. Make sure that both are compiled with the same compiler or you will receive an error when you later install Net_SSLeay. The current version of Perl at the time of this writing is 5.8.5. (Perl 5.8.6 is due to be released soon, but has not yet been tested with SnortCenter.) Install Perl with the following commands:
[root@localhost root]# tar zxvf stable.tar.gz
[root@localhost root]# cd perl-5.8.5/
[root@localhost perl-5.8.5]# rm -f config.sh Policy.sh
[root@localhost perl-5.8.5]# sh Configure -de
[root@localhost perl-5.8.5]# make
[root@localhost perl-5.8.5]# make test
[root@localhost perl-5.8.5]# make install
The current version of OpenSSL at the time of this writing is 0.9.7d. Install it with the following commands:
[root@localhost root]# tar zxvf openssl-0.9.7d.tar.gz
[root@localhost root]# cd openssl-0.9.7d
[root@localhost openssl-0.9.7d]# ./Configure
[root@localhost openssl-0.9.7d]# make
[root@localhost openssl-0.9.7d]# make install
Next, install the Net_SSLeay Perl module. The current version at the time of this writing is 1.21. Install it with the following commands:
[root@localhost root]# tar zxvf Net_SSLeay.pm-1.21.tar.gz
[root@localhost root]# cd Net_SSLeay.pm-1.21
[root@localhost Net_SSLeay.pm-1.21]# perl Makefile.PL
[root@localhost Net_SSLeay.pm-1.21]# make
[root@localhost Net_SSLeay.pm-1.21]# make install
Next, test the SSL install by using the following command:
[root@localhost Net_SSLeay.pm-1.21]# perl -e 'use Net::SSLeay'
The SSL support that the Sensor Agent needs is properly installed if the command doesn't output an error message.
Next, create the OpenSSL certificate for communications by using the following commands and entering the appropriate information:
[root@localhost Net_SSLeay.pm-1.21]# cd ..
[root@localhost root]# openssl req -new -x509 -days 3650 -nodes -out sensor.pem -keyout sensor.pem
Generating a 1024 bit RSA private key
......++++++
............................................++++++
writing new private key to 'sensor.pem'
-----
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:DC
Locality Name (eg, city) [Newbury]:DC
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Buddha
Email Address []:
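The openssl command above writes the private key and the self-signed certificate into one file, sensor.pem, and the `perl -e 'use Net::SSLeay'` test a few steps earlier only reports success by printing nothing. The script below is an added example (not from the Snort Cookbook or from SnortCenter) that performs the same certificate step without the interactive prompts and then checks the resulting file before the Sensor Agent is pointed at it: exactly one key and one certificate, certificate not expired, key and certificate matching, and no world-read bit on a file that holds an unencrypted private key (the recipe's -nodes). It assumes the subject fields are supplied as arguments (the C, ST and L values are the ones typed above), generates a 2048-bit key where the recipe's openssl default was 1024 bits, and wraps the Net::SSLeay check in a function whose result is simply its exit status.

```shell
#!/bin/sh
# Added example, not from the Snort Cookbook: creates the Sensor Agent
# certificate without interactive prompts, keeping the recipe's layout
# (private key and certificate together in sensor.pem), then checks the
# file. Assumptions: subject built from the arguments; 2048-bit RSA where
# the recipe's openssl default was 1024 bits; checks run on the same host.

# make_sensor_pem OUTFILE COMMON_NAME [DAYS]
# -keyout and -out name the same file; openssl appends the certificate
# after the key in that case, as in the recipe. -nodes leaves the key
# unencrypted so the agent can start unattended, so umask 077 makes the
# file owner-only from the moment it is created.
make_sensor_pem() {
    out="$1"; cn="$2"; days="${3:-3650}"
    ( umask 077 && openssl req -new -x509 -days "$days" -nodes -newkey rsa:2048 \
          -subj "/C=US/ST=DC/L=DC/CN=$cn" -out "$out" -keyout "$out" )
}

# check_sensor_pem FILE
# Return 0 only if FILE holds exactly one private key and one certificate,
# the certificate is still valid, the key matches the certificate, and no
# other user can read the file.
check_sensor_pem() {
    pem="$1"
    [ -f "$pem" ] || return 1
    [ "$(grep -c 'BEGIN .*PRIVATE KEY' "$pem")" = 1 ] || return 1
    [ "$(grep -c 'BEGIN CERTIFICATE' "$pem")" = 1 ] || return 1
    # -checkend 0 fails once the notAfter date has passed.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 || return 1
    # Public key extracted from the certificate must equal the one derived
    # from the private key in the same file.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
    # Any world-readable bit exposes the private key.
    [ -z "$(find "$pem" -perm -004)" ] || return 1
}

# describe_sensor_pem FILE: print the subject and expiry the agent will present.
describe_sensor_pem() {
    openssl x509 -in "$1" -noout -subject -enddate
}

# Same test as the recipe's "perl -e 'use Net::SSLeay'", as an exit status:
# 0 when the module loads, non-zero otherwise.
net_ssleay_ok() {
    perl -e 'use Net::SSLeay' >/dev/null 2>&1
}
```

Typical use on the sensor host is `make_sensor_pem sensor.pem Buddha && check_sensor_pem sensor.pem && describe_sensor_pem sensor.pem`; the expiry date printed by `describe_sensor_pem` is worth recording, because with -days 3650 the certificate outlives most sensor deployments and a silent expiry ten years on breaks console-to-agent communication.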
Next, install the Sensor Agent with the following commands:
[root@localhost root]# tar zxvf snortcenter-agent-v1.0-RC1.tar.gz
[root@localhost root]# cd sensor
There is a bug in the setup.sh file that needs to be corrected before setup is run. Edit the setup.sh file and remove the $ from the following line:
$perl -e 'use Net::SSLeay' >/dev/null 2>/dev/null
Then run the setup.sh configuration file and answer the questions (you may accept the defaults for most of them):
[root@localhost sensor]# ./setup.sh
Now both the SnortCenter Management Console and the SnortCenter Sensor Agent are installed. You will need to open the management console with a web browser by going to http://IPAddress or http://localhost (Figure 5-14). Next, log in and add your sensor to the management console.
Discussion
SnortCenter provides a web-based method to manage distributed Snort sensors. It operates in a client-server mode where the management console is used to build configuration files and then send them to the remote sensors. There are several prerequisites that need to be installed and configured before installing SnortCenter. Please make sure that you have downloaded all of the following programs before you begin: MySQL, Apache, libxml2, PHP, Curl, ADODB, Perl, OpenSSL, SnortCenter Management Console, SnortCenter Sensor Agent, and Net_SSLeay. The solution example provides the necessary installation setups and configurations for Red Hat 9.
See Also
http://users.pandora.be/larc/
http://httpd.apache.org/download.cgi
http://www.php.net/downloads.php
http://xmlsoft.org/sources/
http://curl.haxx.se/download.html
http://adodb.sourceforge.net/
http://www.openssl.org/
http://www.perl.com/download.csp
Recipe 2.11
Recipe 2.12
Recipe 1.4
Recipe 1.2