This document was written and is being maintained by Joshua D. Abraham. It
assumes the reader has a basic understanding of computers and of the FreeBSD
ports system. It contains the steps for installing an IDS database on
FreeBSD 5.4 (MySQL holding Snort's schema, ACID behind Apache/mod_ssl, stunnel
for the sensors and an ipfw rule set), and it also covers the small
differences between FreeBSD 5.4 and FreeBSD 6.0.
If you have any suggestions, comments or questions please feel free to
email me at jabra (-at-) ccs (dot) neu (dot) edu
--------------------------------------------------------------------
1) Install ntp (a database whose clock matches the sensors' gives alert timestamps you can trust)
$ pkg_add -r ntp
$ ee /etc/rc.conf
ADD the following line
ntpd_enable="YES"
Save and Quit [ esc a a ]
-------------------------
2) Install Apache-modssl
$ cd /usr/ports/www/apache13-modssl
$ make
$ make certificate VIEW=1
(builds a self-signed certificate for mod_ssl and shows it; browsers will warn about it, which is acceptable for an internal console)
$ make install clean
3) Install MYSQL
$ cd /usr/ports/databases/mysql41-server
$ make install clean
4) Install PHP 4
$ cd /usr/ports/lang/php4-extensions
$ make install clean
scroll to select GD [tab] select ok [ enter ]
Menu options for php4
[ tab ] select ok [ enter ]
Menu options for php4-gd
[ tab ] select ok [ enter ]
$ cd /usr/ports/databases/php4-mysql
$ make install clean
[ tab ] to select ok [ enter ]
** Note: if a menu asks whether you want Apache 1.3 or Apache 2.0, select
Apache 1.3 (that is the apache13-modssl installed in step 2)
$ cd /usr/ports/graphics/php4-gd
$ make install
5) Install ACID
$ pkg_add -r jpgraph
$ cd /usr/ports/security/acid
$ make install clean
at the menu add mysql support then [tab] to select ok [enter]
at the adodb menu
select tests [space]
[tab] to select ok[enter]
6) Configure Host
$ ee /etc/hosts
CHANGE the following
127.0.0.1 localhost localhost.my.domain
to
127.0.0.1 localhost database database.domain.com
Save and Quit [ esc a a ]
-------------------------
7) ACID Configs
$ chmod 644 /usr/local/www/acid/acid_conf.php
(this file will hold the snortdb password; once Apache is installed and running
as the www user, tighten it with chown root:www and chmod 640 so that only the
web server can read it)
$ ee /usr/local/www/acid/acid_graph_form.php
The file has two year lists (one for the start and one for the end of the
time range). In each of them,
After the line with
2004
ADD lines of the same form for
2005
2006
Save and Quit [ esc a a ]
-------------------------
$ ee /usr/local/www/acid/acid_conf.php
CHANGE the following
$DBlib_path = "/usr/local/www/data.default/php/adodb";
to
$DBlib_path = "/usr/local/share/adodb";
CHANGE the following
$alert_dbname = "snort_log";
to
$alert_dbname = "snortdb";
AND Change
$alert_user = "snort_log";
to
$alert_user = "snorter";
AND Change
$alert_password = "mypassword";
to
$alert_password = "iw@n+f00d";
(the same user name and password must be given to MySQL in step 13; choose your own)
AND Change
$ChartLib_path = "";
to
$ChartLib_path = "/usr/local/share/jpgraph";
AND Change
$portscan_file = "";
to
$portscan_file = "/var/log/snort/portscan.log";
Save and Quit [ esc a a ]
-------------------------
8) Configure MYSQL
$ /usr/local/bin/mysql_install_db
$ ee /etc/rc.conf
Add the following line to the bottom
mysql_enable="YES"
Save and Quit [ esc a a ]
-------------------------
$ cp /usr/local/share/mysql/my-large.cnf /etc/my.cnf
$ chown -R mysql:mysql /var/db/mysql
$ /usr/local/etc/rc.d/mysql-server start
(on FreeBSD 5.4 the port may install the script as mysql-server.sh; use
whichever name exists in /usr/local/etc/rc.d)
$ /usr/local/bin/mysql -u root
mysql> SET PASSWORD FOR root@localhost=PASSWORD('$n0rt');
mysql> DELETE FROM mysql.user WHERE User='' OR (User='root' AND Host<>'localhost');
(mysql_install_db also creates anonymous accounts and a root@<hostname>
account, all without a password; nothing in this setup uses them)
mysql> FLUSH PRIVILEGES;
mysql> exit
$ /usr/local/bin/mysql -u root -p
enter the password to confirm it is now required, then
mysql> quit
# use whatever the current version of snort is
$ cd /usr/ports/security/snort/
$ make
$ cd /usr/ports/security/snort/work/snort-2.3-2/schemas
$ mysqladmin -p create snortdb
$ /usr/local/bin/mysql -p snortdb < create_mysql
$ /usr/local/bin/mysql -p
mysql> show databases;
verify snortdb is listed
mysql> grant INSERT,SELECT on snortdb.* to snorter@127.0.0.1;
(INSERT and SELECT are all a Snort sensor needs; this account has no password
until step 13, so finish that step before a sensor or the network can reach
port 3306)
mysql> use snortdb;
Database changed
mysql> show tables;
verify it shows the following
+-----------------+
|Tables_in_snortdb|
+-----------------+
|data |
|detail |
...
...
mysql> quit;
9) Configure Stunnel
# make sure stunnel is installed
$ pkg_add -r stunnel
$ cd /usr/local/etc/stunnel
$ cp stunnel.conf-sample stunnel.conf
$ chmod 644 stunnel.conf
$ ee stunnel.conf
point cert at /usr/local/etc/stunnel/mail.pem and define a service that
accepts on 3307 and connects to 127.0.0.1:3306 (the two ports the firewall
rules in step 10 expect)
Save and Quit [ esc a a ]
-------------------------
$ openssl req -new -x509 -days 365 -nodes -out mail.pem -keyout mail.pem
(stunnel's cert option reads key and certificate from one file; -nodes leaves
the key unencrypted so stunnel can start at boot, which is why the file must
be readable by the stunnel user only)
Country: US
State: MA
Locality: Boston
Org Name: Abraham Inc
Unit Name: Internet Security
Common Name: Snorting
Email: snort@domain.com
$ chown stunnel:stunnel mail.pem
$ chmod 600 mail.pem
$ cp /usr/local/etc/rc.d/stunnel.sh.sample /usr/local/etc/rc.d/stunnel.sh
$ mkdir /var/tmp/stunnel
$ chown stunnel:stunnel /var/tmp/stunnel
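The page installs stunnel but does not show the configuration that goes with the 3307 rule in step 10, and its openssl line is missing the argument to -keyout. The script below is an added example, not part of the original HOWTO: it creates mail.pem non-interactively (the same DN fields as above, passed with -subj), writes a server config that accepts TLS on 3307 and hands the connection to MySQL on 127.0.0.1:3306, and prints the matching client config for a sensor, which checks the database host's certificate before sending anything. The directory, the stunnel user and the name database.domain.com come from the page; the sensor's local port, the file name database-cert.pem and the chroot/pid layout (taken from the port's sample config) are assumptions.

```sh
#!/bin/sh
# Added example (not from the original HOWTO): stunnel key/cert and both
# sides of the 3307 -> 3306 MySQL tunnel. Assumed: the client layout and
# file names below; the page only shows the server's 3307 listener.

STUNNEL_DIR=${STUNNEL_DIR:-/usr/local/etc/stunnel}

# One PEM holding private key and self-signed certificate, which is what
# stunnel's "cert =" option expects. -nodes leaves the key unencrypted so
# stunnel can start at boot; the file mode, not a passphrase, protects it.
make_cert() {
    pem=$1
    openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 \
        -subj "/C=US/ST=MA/L=Boston/O=Abraham Inc/OU=Internet Security/CN=database.domain.com" \
        -keyout "$pem" -out "$pem"
    chown stunnel:stunnel "$pem"
    chmod 600 "$pem"
}

# Sensors need the certificate only, never the key: extract it so the
# private half of mail.pem never leaves this host.
export_cert() {
    openssl x509 -in "$1" -out "$2"
}

# Server side: TLS on 3307, plaintext to MySQL over the loopback interface,
# the only place 3306 has to be reachable.
server_conf() {
    cat <<EOF
cert = $1
chroot = /var/tmp/stunnel
setuid = stunnel
setgid = stunnel
pid = /stunnel.pid

[mysqls]
accept = 3307
connect = 127.0.0.1:3306
EOF
}

# Client side (on a sensor): snort's database output plugin is pointed at
# 127.0.0.1:3306; stunnel carries it to the database host over TLS and
# drops the connection unless the server presents the expected certificate.
client_conf() {
    cafile=$1
    dbhost=$2
    cat <<EOF
client = yes
verify = 2
CAfile = $cafile

[mysqls]
accept = 127.0.0.1:3306
connect = $dbhost:3307
EOF
}

# On the database host:  sh stunnel-setup.sh install
# On a sensor:           sh stunnel-setup.sh client /path/to/database-cert.pem database.domain.com
case "${1:-}" in
    install)
        [ -s "$STUNNEL_DIR/mail.pem" ] || make_cert "$STUNNEL_DIR/mail.pem"
        server_conf "$STUNNEL_DIR/mail.pem" > "$STUNNEL_DIR/stunnel.conf"
        export_cert "$STUNNEL_DIR/mail.pem" "$STUNNEL_DIR/database-cert.pem"
        ;;
    client)
        client_conf "$2" "$3"
        ;;
esac
```

Copy database-cert.pem (never mail.pem) to each sensor; with verify = 2 and that file as CAfile the client accepts the self-signed certificate as its trust anchor and nothing else, so a host that intercepts 3307 cannot collect the sensor's alerts or its MySQL password.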
10) Setup firewall
$ ee /etc/rc.conf
Make sure this file contains the following lines
firewall_enable="YES"
firewall_script="/etc/ipfw.database"
firewall_logging="YES"
Save and Quit [ esc a a ]
-------------------------
$ ee /etc/ipfw.database
Add the following
################ Start of IPFW rules file
###############################
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
iif="fxp0" # name of the NIC facing the sensors; check ifconfig (a VMware guest shows lnc0)
loop="lo0"
#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 00010 allow all from any to any via $loop
$cmd 00020 allow all from any to any out via $iif keep-state
$cmd 00100 allow tcp from any to me 22 in via $iif setup keep-state
$cmd 00200 allow tcp from any to me 80 in via $iif setup limit src-addr 2
$cmd 00300 allow tcp from any to me 443 in via $iif setup limit src-addr 2
# 3307 is the stunnel listener for remote sensors; 3306 is MySQL itself.
# If every sensor goes through stunnel, drop rule 00500: stunnel hands the
# decrypted connection to MySQL over lo0, which rule 00010 already allows.
$cmd 00400 allow tcp from any to me 3307 in via $iif setup limit src-addr 2
$cmd 00500 allow tcp from any to me 3306 in via $iif setup limit src-addr 2
Save and Quit [ esc a a ]
-------------------------
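Two things a reviewer would change in the rule set above: 3306 is open to the world although stunnel exists precisely so that sensors never talk to MySQL directly, and 22, 80 and 443 accept connections from anywhere. The script below is an added example, not the HOWTO's rule file: it keeps the same shape (same numbering, keep-state on the outbound rule) but takes the sensor address and the admin network from variables, logs what it denies, and leaves 3306 reachable on lo0 only. The addresses 192.0.2.10 and 192.0.2.0/24 are placeholders, not from the page. When ipfw is not present (or with MODE=dry) it prints the rules instead of loading them, so the file can be reviewed on any machine.

```sh
#!/bin/sh
# /etc/ipfw.database, hardened variant (added example, not the HOWTO's file).
# Assumed, not from the page: the sensor's address and the admin network.

iif=${IIF:-fxp0}                       # must match the name ifconfig shows
loop="lo0"
sensor=${SENSOR:-192.0.2.10}           # the snort box that feeds stunnel on 3307
admin_net=${ADMIN_NET:-192.0.2.0/24}   # where ssh and the ACID console may come from

# MODE=dry, or simply no ipfw binary (reviewing the file elsewhere), prints
# the rules instead of loading them.
if [ "${MODE:-}" = dry ] || ! command -v ipfw >/dev/null 2>&1; then
    MODE=dry
else
    MODE=apply
fi

add() {
    if [ "$MODE" = dry ]; then
        echo "ipfw -q add $*"
    else
        ipfw -q add "$@"
    fi
}

ruleset() {
    # loopback is unrestricted: stunnel delivers decrypted sensor traffic to
    # MySQL here, and Apache/PHP reach MySQL here too
    add 00010 allow all from any to any via $loop
    # dynamic rules created by the keep-state/limit rules are matched here
    add 00020 check-state
    add 00030 allow all from any to any out via $iif keep-state
    # management and the ACID console, admin network only
    add 00100 allow tcp from $admin_net to me 22 in via $iif setup keep-state
    add 00200 allow tcp from $admin_net to me 80 in via $iif setup limit src-addr 2
    add 00300 allow tcp from $admin_net to me 443 in via $iif setup limit src-addr 2
    # the stunnel listener is the only way in for sensors
    add 00400 allow tcp from $sensor to me 3307 in via $iif setup limit src-addr 4
    # MySQL itself is never reachable from the wire; log the attempts
    add 00500 deny log tcp from any to me 3306 in via $iif
    # explicit, logged default deny (the built-in rule 65535 denies silently)
    add 65000 deny log all from any to any
}

if [ "$MODE" = apply ]; then
    ipfw -q -f flush
fi
ruleset
```

Run it once with MODE=dry before rebooting to read the rules as ipfw will see them; with firewall_logging="YES" the two deny log rules put every refused 3306 probe and every other dropped packet into /var/log/security.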
$ shutdown -r now
login: root
password: [password]
If the machine boots OK, check that the network is up:
$ ping google.com
Should return something like
PING google.com (216.239.37.99) 56(84) bytes of data.
64 bytes from 216.239.37.99: icmp_seq=5 ttl=242 time=18.9 ms
64 bytes from 216.239.37.99: icmp_seq=6 ttl=242 time=19.5 ms
64 bytes from 216.239.37.99: icmp_seq=7 ttl=242 time=19.8 ms
--- google.com ping statistics ---
8 packets transmitted, 4 received, 50% packet loss, time 7005ms
rtt min/avg/max/mdev = 18.919/19.484/19.858/0.359 ms
$ cd /usr/src/
$ make clean
$ hostname database
(add hostname="database" to /etc/rc.conf as well, or the name is gone after the next reboot)
$ ifconfig lnc0
find the [ip-address] (use the name of your own NIC; it is also the iif in /etc/ipfw.database)
$ ee /etc/hosts
ADD the following under the line that says 127.0.0.1
[ip-address] database database.domain.com
(localhost stays on 127.0.0.1 only; MySQL's root@localhost account and the
stunnel connection to 127.0.0.1:3306 depend on it)
Save and Quit [ esc a a ]
-------------------------
11) Setup users for SSL login
$ /etc/netstart
$ cp -R /usr/local/www/acid /usr/local/www/acidviewer
$ cd /usr/local/www/acidviewer
$ ee acid_conf.php
CHANGE the following, so the viewer copy logs in to MySQL with its own, less
privileged account (created in step 13)
$alert_user = "acidguest";
$alert_password = "@cidgu3st";
Save and Quit [ esc a a ]
-------------------------
$ cd /
$ mkdir /usr/local/etc/apache/passwords
$ htpasswd -c /usr/local/etc/apache/passwords/passwd admin
[ @dmin$n0rt ]
[ @dmin$n0rt ]
$ htpasswd /usr/local/etc/apache/passwords/passwd acidguest
[ gu3st ]
[ gu3st ]
$ mv /usr/local/www/acid /usr/local/www/data/acid
12) Configure Apache
$ ee /usr/local/etc/apache/httpd.conf
CHANGE THE FOLLOWING
DocumentRoot "/usr/local/www/acid/"
to
DocumentRoot "/usr/local/www/data/"
AND Change
#ServerName www.example.com
to
ServerName database.domain.com
CHANGE the following
to
AND CHANGE
to
Then ADD the following before
AuthType Basic
AuthName "Monitoring"
AuthUserFile /usr/local/etc/apache/passwords/passwd
Require user noone
AllowOverride None
after
ADD THE FOLLOWING after
AuthType Basic
AuthName "Monitoring"
AuthUserFile /usr/local/etc/apache/passwords/passwd
Require user noone
AllowOverride None
CHANGE the following from
Listen 80
Listen 443
to
Listen 443
Listen 80
Add the following
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
GOTO VirtualHost SSL Section
Add the following for the acid (admin) directory; admin is the first user
created with htpasswd in step 11
AuthType Basic
AuthName "CTF Monitoring"
AuthUserFile /usr/local/etc/apache/passwords/passwd
Require user admin
SSLCipherSuite HIGH:MEDIUM
AllowOverride None
and the following for the acidviewer directory
AuthType Basic
AuthName "Monitoring"
AuthUserFile /usr/local/etc/apache/passwords/passwd
Require user acidguest
SSLCipherSuite HIGH:MEDIUM
AllowOverride None
Save and Quit [ esc a a ]
-------------------------
$ cd /usr/local/www/data
$ mv index.html.en index.old
$ ee index.html
ADD the following (a front page linking to the two copies of ACID)
<html>
<head><title>ACID Interface</title></head>
<body>
<center>
<a href="acid/">Acid Admin</a> |||||| <a href="acidviewer/">Acid Viewer</a>
</center>
</body>
</html>
Save and Quit [ esc a a ]
-------------------------
13) Finish setting up snortdb for both users
$ /usr/local/bin/mysql -u root -p
enter the MySQL root password set in step 8
# Remember there is a ; at the end of each line
mysql> connect snortdb;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snortdb.* to snorter;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snortdb.* to snorter@localhost;
mysql> grant CREATE,INSERT,SELECT,UPDATE on snortdb.* to acidguest;
mysql> grant CREATE,INSERT,SELECT,UPDATE on snortdb.* to acidguest@localhost;
(a grant without a host part means 'user'@'%', an account that may log in
from any address that can reach port 3306; ACID needs CREATE, DELETE and
UPDATE to manage its own tables, but the viewer copy only reads, so SELECT
alone is enough for acidguest)
mysql> connect mysql;
mysql> set password for 'snorter'@'localhost'=password('iw@n+f00d');
mysql> set password for 'snorter'@'127.0.0.1'=password('iw@n+f00d');
(the 127.0.0.1 account from step 8 has had no password until now)
mysql> set password for 'snorter'@'%'=password('iw@n+f00d');
mysql> set password for 'acidguest'@'localhost'=password('@cidgu3st');
mysql> set password for 'acidguest'@'%'=password('@cidgu3st');
mysql> flush privileges;
mysql> exit
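Steps 8 and 13 together create the database, load the schema and hand out privileges, with the passwords typed into the transcript and with host-less grants that mean '%'. The script below is an added example, not the page's SQL: it emits the same bootstrap as one SQL stream for the mysql client, but with each account narrowed to what that client does (the sensor arrives through stunnel as 127.0.0.1 and only inserts and reads; the ACID admin copy on localhost gets the CREATE/DELETE/UPDATE it needs for its own tables; the viewer copy is read-only), and with passwords taken from the environment and quoted for SQL. The path to create_mysql is an argument because it depends on the Snort version; the variable names SNORTER_PW and ACIDGUEST_PW are assumptions.

```sh
#!/bin/sh
# Added example, not the HOWTO's transcript: generate the snortdb bootstrap
# SQL with one least-privilege account per role. Usage on the database host:
#   SNORTER_PW='...' ACIDGUEST_PW='...' sh snortdb-bootstrap.sh \
#       /usr/ports/security/snort/work/snort-*/schemas/create_mysql | mysql -u root -p

# Double every single quote so a password can sit inside a SQL literal.
sql_quote() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# Emit the whole bootstrap: database, Snort schema, then the grants.
# No host-less grants, so no 'user'@'%' accounts come into existence.
snortdb_sql() {
    schema=$1
    snorter_pw=$(sql_quote "$2")
    guest_pw=$(sql_quote "$3")
    cat <<EOF
CREATE DATABASE IF NOT EXISTS snortdb;
USE snortdb;
EOF
    cat "$schema"
    cat <<EOF
-- Sensors reach MySQL through stunnel, which connects from 127.0.0.1;
-- Snort's database output plugin needs INSERT and SELECT only.
GRANT INSERT, SELECT ON snortdb.* TO 'snorter'@'127.0.0.1' IDENTIFIED BY '$snorter_pw';
-- The ACID admin copy runs under Apache on this host (unix socket = localhost)
-- and creates and maintains its own acid_* tables, hence CREATE/DELETE/UPDATE.
GRANT CREATE, INSERT, SELECT, DELETE, UPDATE ON snortdb.* TO 'snorter'@'localhost' IDENTIFIED BY '$snorter_pw';
-- The viewer copy only reads.
GRANT SELECT ON snortdb.* TO 'acidguest'@'localhost' IDENTIFIED BY '$guest_pw';
FLUSH PRIVILEGES;
EOF
}

if [ $# -eq 1 ]; then
    : "${SNORTER_PW:?set SNORTER_PW in the environment}" \
      "${ACIDGUEST_PW:?set ACIDGUEST_PW in the environment}"
    snortdb_sql "$1" "$SNORTER_PW" "$ACIDGUEST_PW"
fi
```

The two snorter accounts share a name because acid_conf.php in the admin copy and snort.conf on the sensors both use it, but MySQL keys accounts on user and host, so the sensor's 127.0.0.1 entry and Apache's localhost entry carry different privilege sets. A sensor whose credentials leak can add fake alerts but cannot drop the tables or rewrite history.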
14) Verify everything works
open a browser and point it at the IP address of the server
click Setup Page
click ACID AG on the right hand side
verify default page is loaded
$ cd /usr/local/www
$ mv acidviewer data/
$ ls data
verify both acid (moved there in step 11) and acidviewer are listed; acidviewer
keeps its own acid_conf.php with the acidguest account from step 11
$ ee /etc/rc.conf
Make sure the file contains the following (the firewall lines are already there from step 10)
firewall_enable="YES"
firewall_script="/etc/ipfw.database"
firewall_logging="YES"
apache_enable="YES"
apache_flags="-DSSL"
apache_pidfile="/var/run/httpd.pid"
Save and Quit [ esc a a ]
-------------------------
$ /etc/netstart
Open acid page
log in (admin, with the password given to htpasswd in step 11)
click Setup page on the right hand side of the page
click Create ACID AG
Click Main Page link in the lower left side of the page
15) Extra custom stuff (optional: 25/50/75-entry "most frequent address" pages for the viewer)
$ cd /usr/local/www/data/acidviewer
$ ee acid_conf.php
ADD the following next to the existing $freq_num_uaddr line
$freq_num_uaddr_twentyfive = 25;
$freq_num_uports_twentyfive = 25;
$freq_num_uaddr_fifty = 50;
$freq_num_uports_fifty = 50;
$freq_num_uaddr_seventyfive = 75;
$freq_num_uports_seventyfive = 75;
Save and Quit [ esc a a ]
-------------------------
$ ee acid_main.php
AFTER the line that reads
Most frequent addresses: source , destination
ADD three more copies of that line, one per new page created below
(acid_stat_uaddr_twentyfive.php, acid_stat_uaddr_fifty.php and
acid_stat_uaddr_seventyfive.php), with the source and destination links
pointing at that page instead of acid_stat_uaddr.php:
Most frequent addresses: source , destination
Most frequent addresses: source , destination
Most frequent addresses: source , destination
Save and Quit [ esc a a ]
-------------------------
$ cp acid_stat_uaddr.php acid_stat_uaddr_twentyfive.php
$ cp acid_stat_uaddr.php acid_stat_uaddr_fifty.php
$ cp acid_stat_uaddr.php acid_stat_uaddr_seventyfive.php
$ ee acid_stat_uaddr_twentyfive.php
CHANGE the following
$cs = new CriteriaState("acid_stat_uaddr.php", "&addr_type=$addr_type");
TO
$cs = new CriteriaState("acid_stat_uaddr_twentyfive.php", "&addr_type=$addr_type");
AND CHANGE
$qs->AddCannedQuery("most_frequent", $freq_num_uaddr, "Most Frequent IP addresses", "occur_d");
TO
$qs->AddCannedQuery("most_frequent", $freq_num_uaddr_twentyfive, "Most Frequent IP addresses", "occur_d");
Save and Quit [ esc a a ]
-------------------------
$ ee acid_stat_uaddr_fifty.php
CHANGE the following
$cs = new CriteriaState("acid_stat_uaddr.php", "&addr_type=$addr_type");
TO
$cs = new CriteriaState("acid_stat_uaddr_fifty.php", "&addr_type=$addr_type");
AND CHANGE
$qs->AddCannedQuery("most_frequent", $freq_num_uaddr, "Most Frequent IP addresses", "occur_d");
TO
$qs->AddCannedQuery("most_frequent", $freq_num_uaddr_fifty, "Most Frequent IP addresses", "occur_d");
Save and Quit [ esc a a ]
-------------------------
$ ee acid_stat_uaddr_seventyfive.php
CHANGE the following
$cs = new CriteriaState("acid_stat_uaddr.php", "&addr_type=$addr_type");
TO
$cs = new CriteriaState("acid_stat_uaddr_seventyfive.php", "&addr_type=$addr_type");
AND CHANGE
$qs->AddCannedQuery("most_frequent", $freq_num_uaddr, "Most Frequent IP addresses", "occur_d");
TO
$qs->AddCannedQuery("most_frequent", $freq_num_uaddr_seventyfive, "Most Frequent IP addresses", "occur_d");
Save and Quit [ esc a a ]
-------------------------
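The three copy-and-edit sequences above are one operation repeated with a different suffix. The script below is an added example, not part of the HOWTO: it performs the copy and both substitutions for any suffix, adds the matching limit variables to acid_conf.php only if they are not already there, and builds a small stand-in directory so it can be tried without an ACID install. The stand-in files are constructed here and contain only the two lines the page edits plus a $freq_num_uaddr/$freq_num_uports pair, assumed to sit next to each other as in ACID's shipped acid_conf.php.

```sh
#!/bin/sh
# Added example, not from the HOWTO: generalise step 15's three hand edits.
# Usage: sh uaddr-variants.sh /usr/local/www/data/acidviewer

# Copy acid_stat_uaddr.php to acid_stat_uaddr_<suffix>.php and make the copy
# refer to itself (CriteriaState) and to its own $freq_num_uaddr_<suffix>.
make_uaddr_variant() {
    src=$1
    suffix=$2
    dst=$(dirname "$src")/acid_stat_uaddr_$suffix.php
    sed -e "s/acid_stat_uaddr\.php/acid_stat_uaddr_$suffix.php/g" \
        -e "s/freq_num_uaddr,/freq_num_uaddr_$suffix,/" "$src" > "$dst"
    echo "$dst"
}

# Insert the limit variables right after the existing $freq_num_uports line
# of acid_conf.php, unless that suffix is already defined (idempotent).
add_uaddr_limit() {
    conf=$1
    suffix=$2
    limit=$3
    grep -q "freq_num_uaddr_$suffix" "$conf" && return 0
    awk -v s="$suffix" -v l="$limit" '
        { print }
        /^\$freq_num_uports[[:space:]]*=/ {
            printf "$freq_num_uaddr_%s = %s;\n$freq_num_uports_%s = %s;\n", s, l, s, l
        }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# The three pages the HOWTO creates, as a loop.
build_variants() {
    dir=$1
    for pair in twentyfive:25 fifty:50 seventyfive:75; do
        suffix=${pair%%:*}
        limit=${pair##*:}
        make_uaddr_variant "$dir/acid_stat_uaddr.php" "$suffix" >/dev/null
        add_uaddr_limit "$dir/acid_conf.php" "$suffix" "$limit"
    done
}

# Constructed stand-in for the ACID tree (only the lines step 15 touches),
# so the script can be exercised on any machine.
make_sample_tree() {
    dir=$(mktemp -d)
    cat > "$dir/acid_stat_uaddr.php" <<'EOF'
<?php
$cs = new CriteriaState("acid_stat_uaddr.php", "&addr_type=$addr_type");
$qs->AddCannedQuery("most_frequent", $freq_num_uaddr, "Most Frequent IP addresses", "occur_d");
?>
EOF
    cat > "$dir/acid_conf.php" <<'EOF'
<?php
$freq_num_uaddr = 15;
$freq_num_uports = 15;
?>
EOF
    echo "$dir"
}

if [ $# -eq 1 ] && [ -d "$1" ]; then
    build_variants "$1"
fi
```

Running it twice against the same directory changes nothing the second time, which is what you want for a file that is also edited by hand; the sed on acid_stat_uaddr.php is global, so every self-reference in the copy, not only the CriteriaState line, points at the new page.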
----------------------------------------------
Written and maintained by Joshua D. Abraham
jabra at ccs dot neu dot edu
Copyright 2006 Joshua D. Abraham