Multi Sensor Intrusion Detection System

Multi Sensor Intrusion Detection System
Version 2.5
Written by Graham Mead

Click here to read in wide screen!

Abstract
This guide will be a multi sensor snort set up with central logging and an administrative front end. Snort will be implemented in this manner to aid the scalability issue of large networks. The guide is split into these segments:

Server Installation, a mandatory stage that forms the central core of the installation. This stage must be performed first.

• Setting up MySQL
  
• Allowing MySQL Network Access
  
• Apache and PHP
  
• Apache SSL
  
• Basic Analysis and Security Engine
  
• BASE database Schema
  
• Securing BASE with User Login
  
• Installing Oinkmaster
  
• Bleeding Edge Rules
  
• SSH server

Sensor Installation, a mandatory stage that is used to create each Snort sensor

• Setting up SSH
  
• Installing Snort (from source)
  
• Installing Snort (Ubuntu binary version)
  
• Configuring Snort
  
• Installing Oinkmaster

System Testing, an optional stage that tests that the implemented system is operational.

Software Used
Base system: Ubuntu 8.10
Installed from the Ubuntu package manager:
MySQL, Apache HTTP Server, PHP, Oinkmaster, OpenSSH, Snort and Dia (for diagrams).

Downloaded from sites as source.
BASE and Snort.

How it works
The clients would be connected to the network switch as normal, then a mirror port on the switch would configured to send a copy of the data to the Snort sensor. The Snort sensor would then process the traffic it receives and send any alerts through to the alerts interface on the server. The server would then store the alerts in the database so they can be accessed by BASE. The network administrators or the security response team would login to the web server and access BASE to manage the alerts.

Each Snort sensor has two network interfaces, one listening interface for Snort and the other as the alerts interface for the uploading of alerts and general management of the sensor. The management server also has two interfaces, one for allowing connections from the Snort sensors and the second for accessing the web interface.

Server Installation

The first stage is to set up the database server so both Snort and BASE can connect and store/retrieve alerts.

Set up MySQL
First we have to install the MySQL server (which in Ubuntu is MySQL 5). The input is marked as bold text.
$ sudo apt-get install mysql-server mysql-client

This section is a little ugly as I don't really speak SQL very well. We will be setting up two databases, the 'snort' and the 'archive' database. For the Snort alerts database the username is 'snort', the password is 'snortconfpasswd' and the database name is also 'snort'. For the archive database the username is 'archive', the password is 'archiveconfpasswd' and the database name is again also 'archive'.

Snort Database

$ mysql -u root -p

mysql> CREATE DATABASE snort;

mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE on snort.* to snort;

mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE on snort.* to snort@localhost;

mysql> SET PASSWORD FOR snort=PASSWORD('snortconfpasswd');

mysql> SET PASSWORD FOR snort@localhost=PASSWORD('snortconfpasswd');

mysql> flush privileges;

mysql> exit

Archive Database

$ mysql -u root -p

mysql> CREATE DATABASE archive;

mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE on archive.* to archive;

mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE on archive.* to archive@localhost;

mysql> SET PASSWORD FOR archive=PASSWORD('archiveconfpasswd');

mysql> SET PASSWORD FOR archive@localhost=PASSWORD('archiveconfpasswd');

mysql> flush privileges;

mysql> exit

We then install the schema from the Snort download, the schema file is located in the schema folder of the downloaded archive. Then we import the database schema by issuing the following command in the schema directory.

$ cat create_mysql mysql -u snort -D snort -p

Or if Snort (snort-mysql) was downloaded from the Ubuntu package system.

$ zcat /usr/share/doc/snort-mysql/create_mysql.gz mysql -u snort -D snort -p

Check Database was created correctly.

$ mysql -u root -p

mysql> show databases;

mysql> use snort

A fast way of checking that the schema was imported is to check the tables were created in the Snort database, naturally this only works for a new install. You should see something like this if was successful.

mysql> show tables;

+------------------+

Tables_in_snort

+------------------+

data

detail

encoding

event

icmphdr

iphdr

opt

reference

reference_system

schema

sensor

sig_class

sig_reference

signature

tcphdr

udphdr

+------------------+

16 rows in set (0.00 sec)

Then we check that the Snort user has a password set and has the correct permissions by issuing the below command. Its worth noting that the percentage symbol is a wildcard in MySQL, so snort@% would be accepted from anywhere on the network interface.

mysql> show grants for 'snort';
+------------------------------------------------------------------------------------------------------+

Grants for snort@%

+------------------------------------------------------------------------------------------------------+

GRANT USAGE ON *.* TO 'snort'@'%' IDENTIFIED BY PASSWORD '*461162D3DA0A6C03D88954BE694A7D05FC8AB884'

GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON `snort`.* TO 'snort'@'%'

+------------------------------------------------------------------------------------------------------+

2 rows in set (0.00 sec)

mysql> exit

Allowing MySQL network access

Allowing any service access to connect to the network is a security risk. MySQL by default binds to port 3306 on the local host (127.0.0.1) as a security/compatibility feature rather than using 'skip-networking' as in the past. Before it can be used across the network this security feature must be disabled or have some other way to access the service.

$ sudo lsof -igrep mysqld

mysqld 6987 mysql 13u IPv4 26244 TCP localhost:mysql (LISTEN)

One way to fix this we would be to open the MySQL configuration file and change the loopback address to a reachable network address. One point to bear in mind by setting an IP address for MySQL to bind, if the interface that owns that address goes down (the cable gets pulled out for example) the MySQL server will fail to start.

When we changed the network address we would rerun the command to check if it has bound to the IP address.

$ sudo lsof -igrep mysqld

mysqld 7349 mysql 10u IPv4 30769 TCP 192.168.58.133:mysql (LISTEN)

However we are going to leave it bound to the loopback interface because it never goes down and we can use SSH as authentication for the MySQL server.

$ sudo nano /etc/mysql/my.cnf

bind-address = 127.0.0.1

After changing the configuration we need to restart the MySQL service.

$ sudo /etc/init.d/mysql restart
Apache and PHP
BASE requires a PHP capable web server, Apache will be used in this example. The following installs the apache2 web server, PHP5 (the apache module), the ADOdb database abstraction library and the PHP PEAR mail modules for BASE to work properly.

$ sudo apt-get install apache2 php5-mysql libphp-adodb php-mail-mime php-mail

First we change into the web server root directory and delete the default "It Works!" page and replace it with a PHP version.

$ cd /var/www/

$ sudo rm index.html

$ sudo nano index.php


Then we enter this PHP test code into the newly created file:

<?php echo "PHP WORKS";?>


To enable the PHP module on Debain/Ubuntu you would run the following:

$ a2enmod php5

Module php5 already enabled

If you get the above message about the PHP module already being enabled all you need to do is to restart Apache.

$ sudo /etc/init.d/apache2 restart


Then use a web browser and browse to the web server at 127.0.0.1, "PHP WORKS" should be displayed if PHP is working.

Finally we set the Apache bind address to the eth1 address of 192.168.69.1 so that the web server is only visible on admin's network.

$ sudo nano /etc/apache2/ports.conf

Listen 192.168.69.1:80

<IfModule mod_ssl.c>

Listen 192.168.69.1:443

</IfModule>

We have just changed the normal HTTP port and just to be safe we have also change the SSL port so if we accidentally enable SSL, BASE will not exposed.

Apache SSL

SSL would be used to protect traffic from being sniffed off the wire and to protect login details.



We first we enable the SSL module.

$ sudo a2enmod ssl



Then we enable the default SSL site.

$ sudo a2ensite default-ssl



We can then verify that SSL is operational (with a default certificate) by browsing to the web server using the https protocol. You would enter 'https://ipaddress/' into the address bar of your web browser.



The SSL documentation can be found by using the following command.

$ zcat /usr/share/doc/apache2.2-common/README.Debian.gz less



The first command we use is to generate a new certificate.

$ sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/certs/snortserver-file.crt

$ ls -l /etc/ssl/certs/grep snort

lrwxrwxrwx 1 root root 20 2009-02-20 17:53 01d3db93 -> snortserver-file.crt

-rw------- 1 root root 1514 2009-02-20 17:53 snortserver-file.crt



Then after this we backup the default-ssl virtual host.

$ sudo cp /etc/apache2/sites-enabled/default-ssl /root/apache2.default-ssl.back



We then edit the virtual host to use the new certificate file.

$ sudo nano /etc/apache2/sites-enabled/default-ssl



We add this line to the default virtual host above the default lines shown below.

SSLCertificateFile /etc/ssl/certs/snortserver-file.crt



Then we comment out the two default certificate lines.

#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem

# SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key



Then finally we need to restart the web server so it will load the new configuration file.

$ sudo /etc/init.d/apache2 restart

Basic Analysis and Security Engine

BASE is the PHP script that is used to monitor and manage Snort alerts. We will be downloading BASE from the web because Ubuntu's version is often out of date.



This command will copy BASE into the web server root overwriting the old 'index.php' file.

$ sudo cp -R ~/base-php4/* /var/www/



We change the web server root so that it is owned (thus writable) by the web server user so the configuration file for BASE can be written to disk. After the setup has finished and the configuration is installed don't forget to change back the permissions.

$ sudo chown www-data /var/www/



Browse to the web server and follow the on screen instructions to start the setup process. The first part of the setup is where BASE checks the settings are fine for BASE to operate with any problems being displayed in red.

The second page of the setup is where BASE asks for the path of the ADodb library that was installed along side Apache. The next page is where the database connection information is entered.

After the SQL information has been entered we have the option to enable an authentication system build into BASE.

BASE database Schema

Once BASE can connect to the Snort database, there will be an error saying that the BASE tables are not installed.

The database version is valid, but the BASE DB structure (table: acid_ag)is not present. Use the Setup page to configure and optimize the DB.



Click on the setup page and then click the button to create the BASE tables. After this is done there will be another message. In order to support Alert purging (the selective ability to permanently delete alerts from the database) and DNS/whois lookup caching, the DB user "snort" must have the DELETE and UPDATE privilege on the database. We have set up the Snort user with update and delete privileges.

Once BASE is installed you would see something like this.

Securing BASE with User Login

There are two ways in which BASE can be secured with a user login. First is a web server configured authentication and the second way is to use the built-in authentication of BASE. The Second method is setup at BASE install time and requires less administrative overhead but increases the visibility of the script.



First we create a password file for the apache authentication. It's important not to include the -c switch if the file is already created because it will wipe the file and start a new file.



$ sudo htpasswd -c /etc/apache2/htpasswd snortuser

Then we add the following to the apache configuration

$ sudo nano /etc/apache2/sites-enabled/base.conf

<Directory />

Options FollowSymLinks

AllowOverride None

</Directory>



<Directory “/var/www/”>

AuthType Basic

AuthName "Protected Area"

AuthUserFile /etc/apache2/htpasswd

Require user snortuser

</Directory>



This configuration will protect the script from being seen by unauthorized users. The directory's may change depending on how BASE was installed. The above configuration is for BASE installed by the package downloaded from the website.



The apache.conf included with the Ubuntu package of BASE must be loaded into Apache so that it can be accessed from the web browser. If installed by apt-get on Ubuntu by default it is only accessible from the local host.

$ sudo cp /etc/acidbase/apache.conf /etc/apache2/sites-enabled/



These lines in /etc/apache2/sites-enabled/apache.conf should be commented out to allow access to any external computers or you could enable access per IP address by adding the address/netmask pair to the list. This only affects BASE installed by the package manager.

#order deny,allow

#deny from all

#allow from 192.168.58.0/255.255.255.0, 127.0.0.0/255.0.0.0



$ sudo /etc/init.d/apache2 restart



After these stages you should be able to access BASE via a web browser by entering 'http://<IPAddress>/' into the address bar or https://IPaddress/ if you have SSL enabled.

SSH Server

We will be using the Secure Shell port forwarding to provide an additional layer of security to the MySQL traffic coming from the Snort sensors. We will also be using SSH to remotely access the Snort sensors from the management network. First we must install the server before the sensors can send any data via SSH or we can login remotely.

$ sudo apt-get install openssh-server openssh-client



We add the 'snortssh' to the server as it will be used for the SSH connections.

$ sudo adduser snortssh

Installing Oinkmaster

Oinkmaster is a Perl script that helps administrators update and manage Snort rules. An Oinkcode can be obtained by registering on the Snort website and entering your profile, here there will be an option to generate your Oinkcode.



First we install Oinkmaster.

$ sudo apt-get install oinkmaster



Then we edit the Oinkmaster config file to use an Oinkcode.

$ sudo nano /etc/oinkmaster.conf



We then must comment out any 'url=' lines like the one below and add a line for the Oinkcode.

#url = http://www.snort.org/dl/rules/snortrules-snapshot-*.tar.gz

url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2.8.tar.gz



Or add this this line if you want to install the current rule snapshot.

url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-CURRENT.tar.gz



This is how the URL is formed.

http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-<major version>.<minor version>.tar.gz



Then we add this line to the oinkmaster.conf file so Oinkmaster will manage both the official Snort rules and the emerging edge rules.

url = http://www.emergingthreats.net/rules/emerging.rules.tar.gz



We make the directory for the Snort rules and backups to be stored in.

$ sudo mkdir -p /etc/snort/rules

$ sudo mkdir -p /etc/snort/backup



Then we change the owner of the Snort directory to the 'snort' user.

$ sudo chown -R snortssh:snort /etc/snort/

Emerging Threats Rules

The emerging threats rules are a set of Snort rules developed by the community.

Create the emerging.conf in the same directory as the rules so Oinkmaster can update it.



Add the following to the rules section of snort.conf

include $RULE_PATH/emerging.conf



Add the following to the emerging rules conf file to enable the rules. Make sure there are no BLOCK or .xml files listed or enabled.

include $RULE_PATH/emerging-attack_response.rules

include $RULE_PATH/emerging-dos.rules

include $RULE_PATH/emerging-exploit.rules

include $RULE_PATH/emerging-game.rules

include $RULE_PATH/emerging-inappropriate.rules

include $RULE_PATH/emerging-malware.rules

include $RULE_PATH/emerging-p2p.rules

include $RULE_PATH/emerging-policy.rules

include $RULE_PATH/emerging-scan.rules

include $RULE_PATH/emerging-virus.rules

include $RULE_PATH/emerging-voip.rules

include $RULE_PATH/emerging-web.rules

include $RULE_PATH/emerging-web_sql_injection.rules

include $RULE_PATH/emerging.rules

include $RULE_PATH/emerging-drop.rules

include $RULE_PATH/emerging-rbn.rules

include $RULE_PATH/emerging-compromised.rules

include $RULE_PATH/emerging-botcc.rules

include $RULE_PATH/emerging-dshield.rules



Rules would be enabled and disabled via Oinkmaster with the 'enablesid' and 'disablesid' statements.

disablesid 1,3,4

enablesid 2



Finally we run Oinkmaster manually to install the rules. We use the snortssh user to run Oinkmaster because Oinkmaster shouldn't be run as root.

$ su snortssh -c oinkmaster -o /etc/snort/rules/

We then set up a cron job to run these commands once a day.

$ sudo crontab -u snortssh -e

6 0 * * * /usr/sbin/oinkmaster -o /etc/snort/rules/ -b /etc/snort/backup >/dev/null 2>&1

12 0 * * * /bin/tar -C /etc/snort -czf ../rules.tar.gz rules/



Emailing the output of Oinkmaster's updates to the rules is possible but its outside the scope of this guide, It may be added in a future version.

Sensor Installation

Setting up SSH

We need to install the SSH server so that the sensor can be remotely managed.

$ sudo apt-get install openssh-server openssh-client



Then we add a user to the system that will be used for the connections.

$ sudo adduser snortssh



We change into the snortssh user that we will be setting up the connections.

$ su snortssh



Then we generate the key used for authentication. This command generates two files the private key 'id_rsa' and the public key 'id_dsa.pub'.

$ ssh-keygen -t rsa



Finally we copy the public part of the key to the server.

$ ssh-copy-id ~/.ssh/id_rsa.pub snortssh@192.168.58.133



We will be using AutoSSH to automatically reconnect the SSH connections to the server.

$ sudo apt-get install autossh



First we set up the connection to the server to do this manually with SSH.

$ ssh -N -f -L 3306:192.168.58.133:3306 snortssh@192.168.58.133



So that autossh starts at boot time we add the following autossh line to the /etc/rc.local file above the 'exit 0' line.

$ sudo nano /etc/rc.local

autossh -L 3306:192.168.58.133:3306 snortssh@192.168.58.133 &



Then we check the connection is established.

$ sudo lsof -i grep ssh

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME

ssh 7006 snortssh 3u IPv4 28179 TCP snortsensor:48670->snortserver:ssh (ESTABLISHED)

ssh 7006 snortssh 4u IPv4 28182 TCP localhost:mysql (LISTEN)

ssh 7006 snortssh 5u IPv6 28183 TCP ip6-localhost:mysql (LISTEN)



After this we test connectivity.

$ mysql -u snort -p -h 127.0.0.1

Finally we check that the connection is encrypted by using a packet capture utility. If the SSH connection was not correctly configured you would see some raw data being sent to the MySQL server but with SSH it would all be encrypted. We will be using key based authentication for the sensors, this allows password-less logins.

SSH Works!

Installing Snort from source (Recommended)

First thing we have to do is install the software that we need to build Snort from the source code.

$ sudo apt-get install build-essential libpcap0.8-dev libmysqlclient15-dev bison flex libc6-dev g++ gcc pcregrep libpcre3-dev



Then we obtain the latest stable version (which was snort-2.8.3.2 at time of writing) and extract the archive.

$ wget http://www.snort.org/dl/snort-2.8.3.2.tar.gz

$ tar zxvf snort-2.8.3.2.tar.gz



The install notes for Snort are held in the doc sub directory and lists all the configure options. All these commands are run from the Snort source code directory.



$ ./configure --enable-dynamicplugin --with-mysql



Then we compile the software and install it to the system.

$ make

$ sudo make install



I had a compile time error with Ubuntu 8.10 but a quick trip to the linuxforums.org I managed to fix the problem.



Next we add a user account for Snort so that it's not running as the root user. Any password can be used as the account will be locked anyway. We need to set the shell to '/bin/true' which does nothing.

$ sudo adduser snort

$ sudo chsh snort

$ sudo passwd snort -l



Finally we create some of the directories that Snort need to run and assign the correct permissions.

$ sudo mkdir -p /etc/snort/rules /etc/snort/backup /var/log/snort

$ sudo chown -R root:snort /var/log/snort

$ sudo chmod -R 770 /var/log/snort

We need to copy the etc directory from the source tarball to the local install's config directory.

$ sudo cp <snortSRC>/etc/* /etc/snort/

Then we need to write/install a boot script. I'm using the script written by bodhi.zazen from the Ubuntu forums. Then after the boot script is installed to the system we add the following line to the /etc/rc.local file before any 'exit 0' statements so Snort will be started at boot time. We also need to make the script executable before it can be run.

$ sudo cp ubuntu.snort.init.txt /etc/init.d/snort

$ sudo chmod +x /etc/init.d/snort

$ sudo nano /etc/rc.local

exec /etc/init.d/snort boot

We have to make sure that bodhi.zazen's script has the correct interface to start snort with. The IFACE="eth0" would have to be changed to IFACE="eth1".

Installing Snort (Ubuntu's binary version)

Ubuntu installed from the package manager. This should only be used if the Install from source fails and you can't fix it.

$ sudo apt-get install snort-mysql



After you run this, the installer will ask you to configure the HOME_NET, this should be set to your network mask. Apport will most likely pop up telling you that Snort has crashed, this is unlikely the case as the Snort (with MySQL) version in Ubuntu comes with a block that stops it from starting until an output source has been configured. To see the error message, you would try to start Snort with the init script that comes with the Ubuntu package.

$ sudo /etc/init.d/snort start

Configuring Snort

We will be using eth1 in this example to enable Snort to listen on an interface without an IP address. We need to add this special configuration to the interfaces configuration file.

$ sudo nano /etc/network/interfaces

auto eth1

iface eth1 inet manual

up ifconfig $IFACE 0.0.0.0 up

up ip link set $IFACE promisc on

down ip link set $IFACE promisc off

down ifconfig $IFACE down

We need to copy the config file in case we make a lot of mistakes.

$ sudo cp /etc/snort/snort.conf /etc/snort/snort.conf.org



Then we edit the main Snort configuration file.

$ sudo nano /etc/snort/snort.conf



We set the HOME_NET variable to the network address with network mask.

var HOME_NET [192.168.58.0/24]

var EXTERNAL_NET !$HOME_NET



This line sets the base path for the rules files which are listed at the bottom of the config file.

var RULE_PATH /etc/snort/rules



This is an important option to uncomment if your computer has low memory, as with all most of the standard rules and the emerging threats rules on my test computer it used 558.78 Mbytes of memory on one interface. However with this option enabled it used about 15 Mbytes. On a system with large amounts of memory like a dedicated Sensor higher performance can be gained by keeping it commented out.

config detection: search-method lowmem



The output database line should be configured for now, so we can see that everything is working.

output database: log, mysql, user=snort password=snortconfpasswd dbname=snort host=<ServerIP>



These following options are only used by Debian systems (Ubuntu packages). Most of these are defaults and they should stay that way. However you should configure the HOME_NET line and make sure that Snort is listening on the correct interface if you have more than one.

$ sudo nano /etc/snort/snort.debian.conf

DEBIAN_SNORT_STARTUP="boot"

DEBIAN_SNORT_HOME_NET="192.168.58.0/24"

DEBIAN_SNORT_OPTIONS=""

DEBIAN_SNORT_INTERFACE="eth1"

DEBIAN_SNORT_SEND_STATS="true"

DEBIAN_SNORT_STATS_RCPT="root"

DEBIAN_SNORT_STATS_THRESHOLD="1"



Once the basic configuration has been done we check to see if Snort has any problems with it by running the following command. If all goes well you should see something similar to the output below.

$ sudo snort -c /etc/snort/snort.conf

....

--== Initialization Complete ==--



,,_ -*> Snort! <*-

o" )~ Version 2.7.0 (Build 35)

'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html

(C) Copyright 1998-2007 Sourcefire Inc., et al.



Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.6 <Build 11>

Preprocessor Object: SF_SMTP Version 1.0 <Build 7>

Preprocessor Object: SF_DCERPC Version 1.0 <Build 4>

Preprocessor Object: SF_FTPTELNET Version 1.0 <Build 10>

Preprocessor Object: SF_SSH Version 1.0 <Build 1>

Preprocessor Object: SF_DNS Version 1.0 <Build 2>

...



If Snort does find any errors in the configuration, it will exit to the user prompt with the error just above it. The following example is when the MySQL logging is configured but the MySQL server has not been started or can't be contacted.

ERROR: database: mysql_error: Can't connect to MySQL server on '192.168.58.13' (113)

Fatal Error, Quitting..



Restart Snort every 6 hours

We have to restart Snort every few hours because the database connection can timeout if no traffic has been received for a while. Yes this is a bad thing and is a big problem with a well tuned sensor that has few false positives (normal traffic being detected as an attack). It's also used to automatically get Snort to reload the rules so any new ones will be loaded.

$ sudo crontab -e

20 0,6,12,18 * * * /etc/init.d/snort restart >/dev/null 2>&1





Installing Oinkmaster

We will be using Oinkmaster on the sensors to pull the Snort rules from the master copy on the server.



First we install Oinkmaster.

$ sudo apt-get install oinkmaster



Then we edit the Oinkmaster config file to specify the URL of the server.

$ sudo nano /etc/oinkmaster.conf



Then we add this line to the oinkmaster.conf file so Oinkmaster will download the rules from the server and not from the Internet.

url = scp://snortssh@192.168.58.133:/etc/snort/rules.tar

scp_key = /home/snortssh/.ssh/id_rsa

Testing

Once any errors have been fixed, we move on to test that Snort will generate alerts and it is in fact working properly. From one of your other computers you can simulate an attacker scanning your system with the popular tool nmap.

Disclaimer: You are responsible for your own actions. Testing of any security settings should only be done on your own equipment in your own lab, unless you have written permission from the owner of the equipment.



If you are having problems first thing to do is to restart all the service so that all changes have taken affect.

$ sudo /etc/init.d/apache2 restart

$ sudo /etc/init.d/snort restart

$ sudo /etc/init.d/mysql restart



If Snort fails to start this command can be used to check Snort config for errors.

$ sudo snort -i eth1 -c /etc/snort/snort.conf -T

Further Improvements

OSSEC in a Client/Server installation could be used to monitor and report the condition of the sensors. This would also alert the administrators to a possible compromise of a sensor.



Emailing the output of the Oinkmaster rule updating process so administrators can keep up to date about the newly installed rules. This would require an email server and some simple scripting.

Barnyard fast output system.

References

http://ubuntuforums.org/showthread.php?t=919472 (bodhi.zazen's IDS sticky)

Thanks to Andreios for checking this HOWTO.