Once you have acquired the computer that you are going to use as your Snort sensor, the next step is to install the operating system. Below are the step-by-step instructions I used when installing Ubuntu Server 10.04 LTS, an open-source operating system that can be downloaded from http://www.ubuntu.com/server. I burned the downloaded ISO image to a CD so I could boot from it.
1. Boot from the Ubuntu Server CD and install the OS.
a. Things to have ready:
i. IP address, netmask, gateway and DNS server addresses (if you are going to use a static IP)
ii. computer name (the host name)
iii. computer password
iv. user name
v. user password
b. Do not encrypt the home directory when asked
c. Select to install updates automatically when prompted
d. Only choose to install OpenSSH server from Software Selection screen
e. Select “Yes” to install GRUB Boot Loader
As you go through the installation screens, it will ask you to choose your location (country), language, keyboard layout, and network settings. I am using a static IP address, but there is an option in the installation setup to select DHCP. There will also be partitioning questions; I chose the option “Guided – use entire disk and set up LVM”. For all other setup screens not mentioned here, I left the default selections.
After you complete the installation, it will prompt you to remove the disk and reboot. Once the server comes back up, log in using the user name and password that you entered during setup. All of the following commands must be run with root privileges, which is why each command starts with sudo. You could also log in as root directly, but this is discouraged for security reasons: with sudo you work as an unprivileged user, elevate only for the commands that need it, and every privileged command is logged in the auth log under your own user name, which a shared root login cannot give you.
2. Install the following packages using the commands as shown:
a. sudo apt-get install nmap
b. sudo apt-get install nbtscan
c. sudo apt-get install apache2
d. sudo apt-get install php5
e. sudo apt-get install php5-mysql
f. sudo apt-get install php5-gd
g. sudo apt-get install libpcap0.8-dev
h. sudo apt-get install libpcre3-dev
i. sudo apt-get install g++
j. sudo apt-get install bison
k. sudo apt-get install flex
l. sudo apt-get install libpcap-ruby
m. sudo apt-get install mysql-server **
n. sudo apt-get install libmysqlclient16-dev
**You will be prompted to set a password for the MySQL root account, so have it ready. FYI – I originally set up my MySQL password with a $ in it, but this caused numerous problems. It seems that the $ is a “reserved” character in MySQL.
3. Run the following commands to get the latest security patches:
a. sudo apt-get update
b. sudo apt-get upgrade
apt-get update only refreshes the package index; apt-get upgrade then installs the newer versions of everything already on the system. It is worth running apt-get update before step 2 as well, so that the packages installed there come from the current index rather than from the stale one that shipped on the installation CD.
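The note above about a $ in the MySQL password deserves a concrete check before you commit to a password: in the shell (and in double-quoted PHP strings, which the web front ends used later rely on) a $ followed by letters is read as a variable reference and silently replaced, so the password that reaches MySQL is not the one you typed. The script below is an added example, not part of the original post. It shows the mangling, the quoting that preserves the password, and a way to hand the password to the mysql client through an owner-only option file so it never appears on a command line or in shell history. The user name snort and the password value Snort$Pass1 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Demonstrates why a '$' in a MySQL password causes trouble in the shell,
# how to keep the password intact, and how to pass it to the mysql client
# without exposing it in 'ps' output or shell history.
# The user name "snort" and the password 'Snort$Pass1' are constructed.

PW_LITERAL='Snort$Pass1'   # single quotes: the shell stores it verbatim

# Returns the password exactly as typed. Single quotes suppress expansion.
literal_password() {
    printf '%s' 'Snort$Pass1'
}

# Returns what the shell makes of the same characters in double quotes:
# "$Pass1" is read as a reference to a variable named Pass1, which is not
# set here, so everything after "Snort" silently disappears.
interpolated_password() {
    printf '%s' "Snort$Pass1"
}

# Writes a MySQL option file that only its owner can read.
# $1 = path, $2 = user, $3 = password.
# Option-file values may be double-quoted; '$' is not special there.
write_client_defaults() {
    umask 077
    printf '[client]\nuser=%s\npassword="%s"\n' "$2" "$3" > "$1"
}

# Reads the password back out of the option file to confirm it survived.
password_from_defaults() {
    sed -n 's/^password="\(.*\)"$/\1/p' "$1"
}

# Typical use (needs a running MySQL server, so it is left as a comment):
#   f=$(mktemp); write_client_defaults "$f" snort "$PW_LITERAL"
#   mysql --defaults-extra-file="$f" -e 'SHOW DATABASES;'
#   rm -f "$f"
```

The option file is created under umask 077, so it is readable only by the user who wrote it; delete it when you are done, or keep it in the home directory of the account that runs the reporting scripts rather than in a world-readable location.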
Please continue to Part 3 for detailed instructions on installing Snort and the Data Acquisition API (Part 3 coming in the next week or two).
——————————————————
These detailed instructions for setting up a Snort machine are compiled from five different Snort installation guides. Each of these articles contained pieces of what I needed; by using them all, I was able to get our Snort machine up and running with every feature we wanted.
Gullet, David. Snort 2.9.0 and Snort Report 1.3.1 on Ubuntu 10.04 LTS Installation Guide. October 8, 2010. http://www.symmetrixtech.com/articles/008-snortinstallguide290.pdf
Krautter, Jonathan. Snorby on Ubuntu Server 9.04 (32-bit) with Multiple Interfaces on Apache. October 23, 2009. http://groups.google.com/group/snorby/browse_thread/thread/3ee0265d3de938a3
Ubuntu Community Documentation. Network Connection Bridge. Retrieved on November 4, 2010. https://help.ubuntu.com/community/NetworkConnectionBridge
Ubuntu Geek. Webmin Installation and Configuration in Ubuntu Linux. December 22, 2006. http://www.ubuntugeek.com/webmin-installation-and-configuration-in-ubuntu-linux.html
Willis, Nathan. What can you do with a second Ethernet port? May 6, 2008. http://www.linux.com/archive/feature/133849
Hi,
You have a wonderful post. Thanks for providing it; it was so informative.
I have installed and configured the same way you have posted. Now I have completed up to Part 5. I have encountered 2 errors.
1st error –
I was able to access Webmin before the bridging concept. After I configured the bridging network adapter, now when I open Webmin using https://XXX.XXX.XXX:1XXXX I get – unable to connect.
2nd Error –
When I test-run Snort I get the below error:
/usr/local/snort/bin/snort: error while loading shared libraries: libdnet.1: cannot open shared object file: Error 20
Can you please help me on this?
Hi Naresh – Thanks so much for taking the time to read my posts.
1st error – Do you have a firewall or other software that may be blocking the port that you assigned to webmin? Have you verified that you have internet connectivity on the snort machine?
These are the two thoughts that come to mind right now. I will keep thinking about it, and I will also try to figure out what could be causing the 2nd error. I did not run into the 2nd error when I was setting up my machines.
Thanks for replying. Regarding that 2nd issue, it's working now. I have changed it as follows:
sudo ln -s /usr/local/lib/libdnet/1.0.1 /usr/lib/libdnet.1 – yours
sudo ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1 – mine
Thanks once again for replying to me.
Thank you so much! That was a typo. I will fix it right now.
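As an added check (not from the original post or the comments above): the "cannot open shared object file" error reported in the thread means the dynamic loader could not find a library the binary was linked against. The script below lists every library that ldd reports as unresolved for a binary such as /usr/local/snort/bin/snort, and registers a directory like /usr/local/lib with the loader through a file under /etc/ld.so.conf.d followed by ldconfig, an alternative to symlinking individual libraries into /usr/lib. The ldd output embedded in it is constructed for the test, and the configuration-file path is a parameter so the registration step can be tried on a temporary file without root.

```shell
#!/bin/sh
# Added example, not part of the original post or its comments.
# Diagnoses "error while loading shared libraries: <lib>: cannot open shared
# object file" by listing the libraries ldd cannot resolve, and shows the
# loader-configuration fix (register the directory, rebuild the cache)
# instead of symlinking single files into /usr/lib.

# Constructed ldd output used for the self-test; a real run would come from
# 'ldd /usr/local/snort/bin/snort'.
SAMPLE_LDD="$(printf '\tlinux-vdso.so.1 =>  (0x00007fff00000000)\n\tlibdnet.1 => not found\n\tlibpcap.so.0.8 => /usr/lib/libpcap.so.0.8 (0x00007f0000000000)\n\tlibpcre.so.3 => not found\n')"

# Reads ldd output on stdin and prints each unresolved library name, one per line.
missing_libs() {
    awk '/=> not found/ { print $1 }'
}

# Runs the check against the embedded sample.
sample_missing() {
    printf '%s\n' "$SAMPLE_LDD" | missing_libs
}

# Runs the check against a real binary. Prints nothing when everything resolves.
# Example: check_binary /usr/local/snort/bin/snort
check_binary() {
    ldd "$1" | missing_libs
}

# Adds a library directory to a loader configuration file exactly once.
# $1 = directory, $2 = conf file (default /etc/ld.so.conf.d/local.conf,
# which requires sudo to write).
add_lib_dir() {
    conf="${2:-/etc/ld.so.conf.d/local.conf}"
    grep -qxF "$1" "$conf" 2>/dev/null || printf '%s\n' "$1" >> "$conf"
}

# Rebuilds the loader cache so the registered directory takes effect (root only).
refresh_loader_cache() {
    ldconfig
}

# Typical use on the sensor after installing a library under /usr/local/lib
# (the first two steps as root, e.g. via sudo):
#   add_lib_dir /usr/local/lib
#   refresh_loader_cache
#   check_binary /usr/local/snort/bin/snort
```

Registering the directory once covers every library installed under it, so later builds that also land in /usr/local/lib need no further symlinks; a symlink made by hand, by contrast, has to be repeated per library and per version.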