Multi Sensor Intrusion Detection System
Version 2.5
Written by Graham Mead
Click here to read in wide screen!
Abstract
This guide will be a multi sensor snort set up with central logging and an administrative front end. Snort will be implemented in this manner to aid the scalability issue of large networks. The guide is split into these segments:
Server Installation, a mandatory stage that forms the central core of the installation. This stage must be performed first.
- Setting up MySQL
- Allowing MySQL Network Access
- Apache and PHP
- Apache SSL
- Basic Analysis and Security Engine
- BASE database Schema
- Securing BASE with User Login
- Installing Oinkmaster
- Bleeding Edge Rules
- SSH server
Sensor Installation, a mandatory stage that is used to create each Snort sensor
- Setting up SSH
- Installing Snort (from source)
- Installing Snort (Ubuntu binary version)
- Configuring Snort
- Installing Oinkmaster
System Testing, an optional stage that tests that the implemented system is operational.
Software Used
Base system: Ubuntu 8.10
Installed from the Ubuntu package manager:
MySQL, Apache HTTP Server, PHP, Oinkmaster, OpenSSH, Snort and Dia (for diagrams).
Downloaded from sites as source.
BASE and Snort.
How it works
The clients would be connected to the network switch as normal, then a mirror port on the switch would configured to send a copy of the data to the Snort sensor. The Snort sensor would then process the traffic it receives and send any alerts through to the alerts interface on the server. The server would then store the alerts in the database so they can be accessed by BASE. The network administrators or the security response team would login to the web server and access BASE to manage the alerts.
Each Snort sensor has two network interfaces, one listening interface for Snort and the other as the alerts interface for the uploading of alerts and general management of the sensor. The management server also has two interfaces, one for allowing connections from the Snort sensors and the second for accessing the web interface.
Server Installation
The first stage is to set up the database server so both Snort and BASE can connect and store/retrieve alerts.
Set up MySQL
First we have to install the MySQL server (which in Ubuntu is MySQL 5). The input is marked as bold text.
$ sudo apt-get install mysql-server mysql-client
This section is a little ugly as I don't really speak SQL very well. We will be setting up two databases, the 'snort' and the 'archive' database. For the Snort alerts database the username is 'snort', the password is 'snortconfpasswd' and the database name is also 'snort'. For the archive database the username is 'archive', the password is 'archiveconfpasswd' and the database name is again also 'archive'.
Snort Database
$ mysql -u root -p
mysql> CREATE DATABASE snort;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE on snort.* to snort;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE on snort.* to snort@localhost;
mysql> SET PASSWORD FOR snort=PASSWORD('snortconfpasswd');
mysql> SET PASSWORD FOR snort@localhost=PASSWORD('snortconfpasswd');
mysql> flush privileges;
mysql> exit
Archive Database
$ mysql -u root -p
mysql> CREATE DATABASE archive;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE on archive.* to archive;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE on archive.* to archive@localhost;
mysql> SET PASSWORD FOR archive=PASSWORD('archiveconfpasswd');
mysql> SET PASSWORD FOR archive@localhost=PASSWORD('archiveconfpasswd');
mysql> flush privileges;
mysql> exit
We then install the schema from the Snort download, the schema file is located in the schema folder of the downloaded archive. Then we import the database schema by issuing the following command in the schema directory.
$ cat create_mysql mysql -u snort -D snort -p
Or if Snort (snort-mysql) was downloaded from the Ubuntu package system.
$ zcat /usr/share/doc/snort-mysql/create_mysql.gz mysql -u snort -D snort -p
Check Database was created correctly.
$ mysql -u root -p
mysql> show databases;
mysql> use snort
A fast way of checking that the schema was imported is to check the tables were created in the Snort database, naturally this only works for a new install. You should see something like this if was successful.
mysql> show tables;
+------------------+
Tables_in_snort
+------------------+
data
detail
encoding
event
icmphdr
iphdr
opt
reference
reference_system
schema
sensor
sig_class
sig_reference
signature
tcphdr
udphdr
+------------------+
16 rows in set (0.00 sec)
Then we check that the Snort user has a password set and has the correct permissions by issuing the below command. Its worth noting that the percentage symbol is a wildcard in MySQL, so snort@% would be accepted from anywhere on the network interface.
mysql> show grants for 'snort';
+------------------------------------------------------------------------------------------------------+
Grants for snort@%
+------------------------------------------------------------------------------------------------------+
GRANT USAGE ON *.* TO 'snort'@'%' IDENTIFIED BY PASSWORD '*461162D3DA0A6C03D88954BE694A7D05FC8AB884'
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON `snort`.* TO 'snort'@'%'
+------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
mysql> exit
Allowing MySQL network access
Allowing any service access to connect to the network is a security risk. MySQL by default binds to port 3306 on the local host (127.0.0.1) as a security/compatibility feature rather than using 'skip-networking' as in the past. Before it can be used across the network this security feature must be disabled or have some other way to access the service.
$ sudo lsof -igrep mysqld
mysqld 6987 mysql 13u IPv4 26244 TCP localhost:mysql (LISTEN)
One way to fix this we would be to open the MySQL configuration file and change the loopback address to a reachable network address. One point to bear in mind by setting an IP address for MySQL to bind, if the interface that owns that address goes down (the cable gets pulled out for example) the MySQL server will fail to start.
When we changed the network address we would rerun the command to check if it has bound to the IP address.
$ sudo lsof -igrep mysqld
mysqld 7349 mysql 10u IPv4 30769 TCP 192.168.58.133:mysql (LISTEN)
However we are going to leave it bound to the loopback interface because it never goes down and we can use SSH as authentication for the MySQL server.
$ sudo nano /etc/mysql/my.cnf
bind-address = 127.0.0.1
After changing the configuration we need to restart the MySQL service.
$ sudo /etc/init.d/mysql restart
Apache and PHP
BASE requires a PHP capable web server, Apache will be used in this example. The following installs the apache2 web server, PHP5 (the apache module), the ADOdb database abstraction library and the PHP PEAR mail modules for BASE to work properly.
$ sudo apt-get install apache2 php5-mysql libphp-adodb php-mail-mime php-mail
First we change into the web server root directory and delete the default "It Works!" page and replace it with a PHP version.
$ cd /var/www/
$ sudo rm index.html
$ sudo nano index.php
Then we enter this PHP test code into the newly created file:
<?php echo "PHP WORKS";?>
To enable the PHP module on Debain/Ubuntu you would run the following:
$ a2enmod php5
Module php5 already enabled
If you get the above message about the PHP module already being enabled all you need to do is to restart Apache.
$ sudo /etc/init.d/apache2 restart
Then use a web browser and browse to the web server at 127.0.0.1, "PHP WORKS" should be displayed if PHP is working.
Finally we set the Apache bind address to the eth1 address of 192.168.69.1 so that the web server is only visible on admin's network.
$ sudo nano /etc/apache2/ports.conf
Listen 192.168.69.1:80
<IfModule mod_ssl.c>
Listen 192.168.69.1:443
</IfModule>
We have just changed the normal HTTP port and just to be safe we have also change the SSL port so if we accidentally enable SSL, BASE will not exposed.
Apache SSL
SSL would be used to protect traffic from being sniffed off the wire and to protect login details.
We first we enable the SSL module.
$ sudo a2enmod ssl
Then we enable the default SSL site.
$ sudo a2ensite default-ssl
We can then verify that SSL is operational (with a default certificate) by browsing to the web server using the https protocol. You would enter 'https://ipaddress/' into the address bar of your web browser.
The SSL documentation can be found by using the following command.
$ zcat /usr/share/doc/apache2.2-common/README.Debian.gz less
The first command we use is to generate a new certificate.
$ sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/certs/snortserver-file.crt
$ ls -l /etc/ssl/certs/grep snort
lrwxrwxrwx 1 root root 20 2009-02-20 17:53 01d3db93 -> snortserver-file.crt
-rw------- 1 root root 1514 2009-02-20 17:53 snortserver-file.crt
Then after this we backup the default-ssl virtual host.
$ sudo cp /etc/apache2/sites-enabled/default-ssl /root/apache2.default-ssl.back
We then edit the virtual host to use the new certificate file.
$ sudo nano /etc/apache2/sites-enabled/default-ssl
We add this line to the default virtual host above the default lines shown below.
SSLCertificateFile /etc/ssl/certs/snortserver-file.crt
Then we comment out the two default certificate lines.
#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
# SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
Then finally we need to restart the web server so it will load the new configuration file.
$ sudo /etc/init.d/apache2 restart
Basic Analysis and Security Engine
BASE is the PHP script that is used to monitor and manage Snort alerts. We will be downloading BASE from the web because Ubuntu's version is often out of date.
This command will copy BASE into the web server root overwriting the old 'index.php' file.
$ sudo cp -R ~/base-php4/* /var/www/
We change the web server root so that it is owned (thus writable) by the web server user so the configuration file for BASE can be written to disk. After the setup has finished and the configuration is installed don't forget to change back the permissions.
$ sudo chown www-data /var/www/
Browse to the web server and follow the on screen instructions to start the setup process. The first part of the setup is where BASE checks the settings are fine for BASE to operate with any problems being displayed in red.
The second page of the setup is where BASE asks for the path of the ADodb library that was installed along side Apache. The next page is where the database connection information is entered.
After the SQL information has been entered we have the option to enable an authentication system build into BASE.
BASE database Schema
Once BASE can connect to the Snort database, there will be an error saying that the BASE tables are not installed.
The database version is valid, but the BASE DB structure (table: acid_ag)is not present. Use the Setup page to configure and optimize the DB.
Click on the setup page and then click the button to create the BASE tables. After this is done there will be another message. In order to support Alert purging (the selective ability to permanently delete alerts from the database) and DNS/whois lookup caching, the DB user "snort" must have the DELETE and UPDATE privilege on the database. We have set up the Snort user with update and delete privileges.
Once BASE is installed you would see something like this.
Securing BASE with User Login
There are two ways in which BASE can be secured with a user login. First is a web server configured authentication and the second way is to use the built-in authentication of BASE. The Second method is setup at BASE install time and requires less administrative overhead but increases the visibility of the script.
First we create a password file for the apache authentication. It's important not to include the -c switch if the file is already created because it will wipe the file and start a new file.
$ sudo htpasswd -c /etc/apache2/htpasswd snortuser
Then we add the following to the apache configuration
$ sudo nano /etc/apache2/sites-enabled/base.conf
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory “/var/www/”>
AuthType Basic
AuthName "Protected Area"
AuthUserFile /etc/apache2/htpasswd
Require user snortuser
</Directory>
This configuration will protect the script from being seen by unauthorized users. The directory's may change depending on how BASE was installed. The above configuration is for BASE installed by the package downloaded from the website.
The apache.conf included with the Ubuntu package of BASE must be loaded into Apache so that it can be accessed from the web browser. If installed by apt-get on Ubuntu by default it is only accessible from the local host.
$ sudo cp /etc/acidbase/apache.conf /etc/apache2/sites-enabled/
These lines in /etc/apache2/sites-enabled/apache.conf should be commented out to allow access to any external computers or you could enable access per IP address by adding the address/netmask pair to the list. This only affects BASE installed by the package manager.
#order deny,allow
#deny from all
#allow from 192.168.58.0/255.255.255.0, 127.0.0.0/255.0.0.0
$ sudo /etc/init.d/apache2 restart
After these stages you should be able to access BASE via a web browser by entering 'http://<IPAddress>/' into the address bar or https://IPaddress/ if you have SSL enabled.
SSH Server
We will be using the Secure Shell port forwarding to provide an additional layer of security to the MySQL traffic coming from the Snort sensors. We will also be using SSH to remotely access the Snort sensors from the management network. First we must install the server before the sensors can send any data via SSH or we can login remotely.
$ sudo apt-get install openssh-server openssh-client
We add the 'snortssh' to the server as it will be used for the SSH connections.
$ sudo adduser snortssh
Installing Oinkmaster
Oinkmaster is a Perl script that helps administrators update and manage Snort rules. An Oinkcode can be obtained by registering on the Snort website and entering your profile, here there will be an option to generate your Oinkcode.
First we install Oinkmaster.
$ sudo apt-get install oinkmaster
Then we edit the Oinkmaster config file to use an Oinkcode.
$ sudo nano /etc/oinkmaster.conf
We then must comment out any 'url=' lines like the one below and add a line for the Oinkcode.
#url = http://www.snort.org/dl/rules/snortrules-snapshot-*.tar.gz
url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2.8.tar.gz
Or add this this line if you want to install the current rule snapshot.
url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-CURRENT.tar.gz
This is how the URL is formed.
http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-<major version>.<minor version>.tar.gz
Then we add this line to the oinkmaster.conf file so Oinkmaster will manage both the official Snort rules and the emerging edge rules.
url = http://www.emergingthreats.net/rules/emerging.rules.tar.gz
We make the directory for the Snort rules and backups to be stored in.
$ sudo mkdir -p /etc/snort/rules
$ sudo mkdir -p /etc/snort/backup
Then we change the owner of the Snort directory to the 'snort' user.
$ sudo chown -R snortssh:snort /etc/snort/
Emerging Threats Rules
The emerging threats rules are a set of Snort rules developed by the community.
Create the emerging.conf in the same directory as the rules so Oinkmaster can update it.
Add the following to the rules section of snort.conf
include $RULE_PATH/emerging.conf
Add the following to the emerging rules conf file to enable the rules. Make sure there are no BLOCK or .xml files listed or enabled.
include $RULE_PATH/emerging-attack_response.rules
include $RULE_PATH/emerging-dos.rules
include $RULE_PATH/emerging-exploit.rules
include $RULE_PATH/emerging-game.rules
include $RULE_PATH/emerging-inappropriate.rules
include $RULE_PATH/emerging-malware.rules
include $RULE_PATH/emerging-p2p.rules
include $RULE_PATH/emerging-policy.rules
include $RULE_PATH/emerging-scan.rules
include $RULE_PATH/emerging-virus.rules
include $RULE_PATH/emerging-voip.rules
include $RULE_PATH/emerging-web.rules
include $RULE_PATH/emerging-web_sql_injection.rules
include $RULE_PATH/emerging.rules
include $RULE_PATH/emerging-drop.rules
include $RULE_PATH/emerging-rbn.rules
include $RULE_PATH/emerging-compromised.rules
include $RULE_PATH/emerging-botcc.rules
include $RULE_PATH/emerging-dshield.rules
Rules would be enabled and disabled via Oinkmaster with the 'enablesid' and 'disablesid' statements.
disablesid 1,3,4
enablesid 2
Finally we run Oinkmaster manually to install the rules. We use the snortssh user to run Oinkmaster because Oinkmaster shouldn't be run as root.
$ su snortssh -c oinkmaster -o /etc/snort/rules/
We then set up a cron job to run these commands once a day.
$ sudo crontab -u snortssh -e
6 0 * * * /usr/sbin/oinkmaster -o /etc/snort/rules/ -b /etc/snort/backup >/dev/null 2>&1
12 0 * * * /bin/tar -C /etc/snort -czf ../rules.tar.gz rules/
Emailing the output of Oinkmaster's updates to the rules is possible but its outside the scope of this guide, It may be added in a future version.
Sensor Installation
Setting up SSH
We need to install the SSH server so that the sensor can be remotely managed.
$ sudo apt-get install openssh-server openssh-client
Then we add a user to the system that will be used for the connections.
$ sudo adduser snortssh
We change into the snortssh user that we will be setting up the connections.
$ su snortssh
Then we generate the key used for authentication. This command generates two files the private key 'id_rsa' and the public key 'id_dsa.pub'.
$ ssh-keygen -t rsa
Finally we copy the public part of the key to the server.
$ ssh-copy-id ~/.ssh/id_rsa.pub snortssh@192.168.58.133
We will be using AutoSSH to automatically reconnect the SSH connections to the server.
$ sudo apt-get install autossh
First we set up the connection to the server to do this manually with SSH.
$ ssh -N -f -L 3306:192.168.58.133:3306 snortssh@192.168.58.133
So that autossh starts at boot time we add the following autossh line to the /etc/rc.local file above the 'exit 0' line.
$ sudo nano /etc/rc.local
autossh -L 3306:192.168.58.133:3306 snortssh@192.168.58.133 &
Then we check the connection is established.
$ sudo lsof -i grep ssh
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
ssh 7006 snortssh 3u IPv4 28179 TCP snortsensor:48670->snortserver:ssh (ESTABLISHED)
ssh 7006 snortssh 4u IPv4 28182 TCP localhost:mysql (LISTEN)
ssh 7006 snortssh 5u IPv6 28183 TCP ip6-localhost:mysql (LISTEN)
After this we test connectivity.
$ mysql -u snort -p -h 127.0.0.1
Finally we check that the connection is encrypted by using a packet capture utility. If the SSH connection was not correctly configured you would see some raw data being sent to the MySQL server but with SSH it would all be encrypted. We will be using key based authentication for the sensors, this allows password-less logins.
SSH Works!
Installing Snort from source (Recommended)
First thing we have to do is install the software that we need to build Snort from the source code.
$ sudo apt-get install build-essential libpcap0.8-dev libmysqlclient15-dev bison flex libc6-dev g++ gcc pcregrep libpcre3-dev
Then we obtain the latest stable version (which was snort-2.8.3.2 at time of writing) and extract the archive.
$ wget http://www.snort.org/dl/snort-2.8.3.2.tar.gz
$ tar zxvf snort-2.8.3.2.tar.gz
The install notes for Snort are held in the doc sub directory and lists all the configure options. All these commands are run from the Snort source code directory.
$ ./configure --enable-dynamicplugin --with-mysql
Then we compile the software and install it to the system.
$ make
$ sudo make install
I had a compile time error with Ubuntu 8.10 but a quick trip to the linuxforums.org I managed to fix the problem.
Next we add a user account for Snort so that it's not running as the root user. Any password can be used as the account will be locked anyway. We need to set the shell to '/bin/true' which does nothing.
$ sudo adduser snort
$ sudo chsh snort
$ sudo passwd snort -l
Finally we create some of the directories that Snort need to run and assign the correct permissions.
$ sudo mkdir -p /etc/snort/rules /etc/snort/backup /var/log/snort
$ sudo chown -R root:snort /var/log/snort
$ sudo chmod -R 770 /var/log/snort
We need to copy the etc directory from the source tarball to the local install's config directory.
$ sudo cp <snortSRC>/etc/* /etc/snort/
Then we need to write/install a boot script. I'm using the script written by bodhi.zazen from the Ubuntu forums. Then after the boot script is installed to the system we add the following line to the /etc/rc.local file before any 'exit 0' statements so Snort will be started at boot time. We also need to make the script executable before it can be run.
$ sudo cp ubuntu.snort.init.txt /etc/init.d/snort
$ sudo chmod +x /etc/init.d/snort
$ sudo nano /etc/rc.local
exec /etc/init.d/snort boot
We have to make sure that bodhi.zazen's script has the correct interface to start snort with. The IFACE="eth0" would have to be changed to IFACE="eth1".
Installing Snort (Ubuntu's binary version)
Ubuntu installed from the package manager. This should only be used if the Install from source fails and you can't fix it.
$ sudo apt-get install snort-mysql
After you run this, the installer will ask you to configure the HOME_NET, this should be set to your network mask. Apport will most likely pop up telling you that Snort has crashed, this is unlikely the case as the Snort (with MySQL) version in Ubuntu comes with a block that stops it from starting until an output source has been configured. To see the error message, you would try to start Snort with the init script that comes with the Ubuntu package.
$ sudo /etc/init.d/snort start
Configuring Snort
We will be using eth1 in this example to enable Snort to listen on an interface without an IP address. We need to add this special configuration to the interfaces configuration file.
$ sudo nano /etc/network/interfaces
auto eth1
iface eth1 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down
We need to copy the config file in case we make a lot of mistakes.
$ sudo cp /etc/snort/snort.conf /etc/snort/snort.conf.org
Then we edit the main Snort configuration file.
$ sudo nano /etc/snort/snort.conf
We set the HOME_NET variable to the network address with network mask.
var HOME_NET [192.168.58.0/24]
var EXTERNAL_NET !$HOME_NET
This line sets the base path for the rules files which are listed at the bottom of the config file.
var RULE_PATH /etc/snort/rules
This is an important option to uncomment if your computer has low memory, as with all most of the standard rules and the emerging threats rules on my test computer it used 558.78 Mbytes of memory on one interface. However with this option enabled it used about 15 Mbytes. On a system with large amounts of memory like a dedicated Sensor higher performance can be gained by keeping it commented out.
config detection: search-method lowmem
The output database line should be configured for now, so we can see that everything is working.
output database: log, mysql, user=snort password=snortconfpasswd dbname=snort host=<ServerIP>
These following options are only used by Debian systems (Ubuntu packages). Most of these are defaults and they should stay that way. However you should configure the HOME_NET line and make sure that Snort is listening on the correct interface if you have more than one.
$ sudo nano /etc/snort/snort.debian.conf
DEBIAN_SNORT_STARTUP="boot"
DEBIAN_SNORT_HOME_NET="192.168.58.0/24"
DEBIAN_SNORT_OPTIONS=""
DEBIAN_SNORT_INTERFACE="eth1"
DEBIAN_SNORT_SEND_STATS="true"
DEBIAN_SNORT_STATS_RCPT="root"
DEBIAN_SNORT_STATS_THRESHOLD="1"
Once the basic configuration has been done we check to see if Snort has any problems with it by running the following command. If all goes well you should see something similar to the output below.
$ sudo snort -c /etc/snort/snort.conf
....
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.7.0 (Build 35)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2007 Sourcefire Inc., et al.
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.6 <Build 11>
Preprocessor Object: SF_SMTP Version 1.0 <Build 7>
Preprocessor Object: SF_DCERPC Version 1.0 <Build 4>
Preprocessor Object: SF_FTPTELNET Version 1.0 <Build 10>
Preprocessor Object: SF_SSH Version 1.0 <Build 1>
Preprocessor Object: SF_DNS Version 1.0 <Build 2>
...
If Snort does find any errors in the configuration, it will exit to the user prompt with the error just above it. The following example is when the MySQL logging is configured but the MySQL server has not been started or can't be contacted.
ERROR: database: mysql_error: Can't connect to MySQL server on '192.168.58.13' (113)
Fatal Error, Quitting..
Restart Snort every 6 hours
We have to restart Snort every few hours because the database connection can timeout if no traffic has been received for a while. Yes this is a bad thing and is a big problem with a well tuned sensor that has few false positives (normal traffic being detected as an attack). It's also used to automatically get Snort to reload the rules so any new ones will be loaded.
$ sudo crontab -e
20 0,6,12,18 * * * /etc/init.d/snort restart >/dev/null 2>&1
Installing Oinkmaster
We will be using Oinkmaster on the sensors to pull the Snort rules from the master copy on the server.
First we install Oinkmaster.
$ sudo apt-get install oinkmaster
Then we edit the Oinkmaster config file to specify the URL of the server.
$ sudo nano /etc/oinkmaster.conf
Then we add this line to the oinkmaster.conf file so Oinkmaster will download the rules from the server and not from the Internet.
url = scp://snortssh@192.168.58.133:/etc/snort/rules.tar
scp_key = /home/snortssh/.ssh/id_rsa
Testing
Once any errors have been fixed, we move on to test that Snort will generate alerts and it is in fact working properly. From one of your other computers you can simulate an attacker scanning your system with the popular tool nmap.
Disclaimer: You are responsible for your own actions. Testing of any security settings should only be done on your own equipment in your own lab, unless you have written permission from the owner of the equipment.
If you are having problems first thing to do is to restart all the service so that all changes have taken affect.
$ sudo /etc/init.d/apache2 restart
$ sudo /etc/init.d/snort restart
$ sudo /etc/init.d/mysql restart
If Snort fails to start this command can be used to check Snort config for errors.
$ sudo snort -i eth1 -c /etc/snort/snort.conf -T
Further Improvements
OSSEC in a Client/Server installation could be used to monitor and report the condition of the sensors. This would also alert the administrators to a possible compromise of a sensor.
Emailing the output of the Oinkmaster rule updating process so administrators can keep up to date about the newly installed rules. This would require an email server and some simple scripting.
Barnyard fast output system.
References
http://ubuntuforums.org/showthread.php?t=919472 (bodhi.zazen's IDS sticky)
Thanks to Andreios for checking this HOWTO.
Linksys WRE54G Wireless Range Expander
