How to install the Snort intrusion detection system on Ubuntu

Source: Internet
Author: User

Snort is an excellent open-source host intrusion detection system that can be installed and run on both Windows and Linux. Ubuntu, a desktop-oriented Linux distribution, can also run Snort.

Install Snort

[Install LAMP, Snort and some software libraries]

Because Ubuntu is a Debian-based Linux system, installing software is very simple, and Ubuntu has a mirror at the University of Science and Technology of China, so downloads are very fast (2 ~ 6 M/s), which saves the trouble of fetching installation packages from abroad. A single command installs all the software in a few dozen seconds. Use apt, Ubuntu's default command-line package manager, for the installation:

$ sudo apt-get install libpcap0.8-dev libmysqlclient15-dev mysql-client-5.0 mysql-server-5.0 bison flex apache2 libapache2-mod-php5 php5-gd php5-mysql libphp-adodb php-pear pcregrep snort-rules-default

Note that while the MySQL database is being installed, a screen asks you to set the MySQL root user password; for now it is set to "test".

[Create a database for Snort in the MySQL database]

The Ubuntu software repository provides a package, snort-mysql, with the auxiliary files needed for this. Download and install it with the package manager:

$ sudo apt-get install snort-mysql

After installation, view the help documentation:

$ less /usr/share/doc/snort-mysql/README-database.Debian

Following the instructions in that help document, create a Snort database user and database in MySQL. The commands are as follows:

$ mysql -u root -p

At the prompt, enter the root password set above (test).

mysql> create database snort;
mysql> grant CREATE, INSERT, SELECT, UPDATE on snort.* to snort@localhost;
mysql> grant CREATE, INSERT, SELECT, UPDATE on snort.* to snort;
mysql> set password for snort@localhost = PASSWORD('snort-db');
mysql> exit

The commands above create a database named snort in MySQL, create a snort user to manage it, and set that user's password to snort-db.

Then build the structure of the snort database, again following the instructions in README-database.Debian:

$ cd /usr/share/doc/snort-mysql
$ zcat create_mysql.gz | mysql -u snort -D snort -psnort-db

This creates the database structure for Snort in MySQL, including every table Snort needs.

[Set snort to output log files to the MySQL database]

Modify the Snort configuration file /etc/snort.conf:

$ sudo vim /etc/snort.conf

In the configuration file, comment out the existing HOME_NET line and set HOME_NET to the network that contains the local IP address; then comment out the existing EXTERNAL_NET line and set it to everything that is not the local network, as shown below:

# var HOME_NET any
var HOME_NET 192.168.0.0/16
# var EXTERNAL_NET any
var EXTERNAL_NET !$HOME_NET

Comment out the existing output database line and set log output to the MySQL database, as shown below:

output database: log, mysql, user=snort password=snort-db dbname=snort host=localhost
# output database: log, mysql

With this change Snort no longer writes records to files under /var/log/snort; it stores them in the MySQL snort database instead. You can now test whether Snort works properly:

$ sudo snort -c /etc/snort.conf

If a piglet drawn in ASCII characters appears, Snort is running normally; press Ctrl-C to exit. If Snort exits abnormally, check that the configuration above is correct.
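Before starting Snort, it is worth checking that the three edits above actually took effect, since a forgotten comment marker leaves HOME_NET as "any" and silently weakens every rule that relies on it. The script below is an added example, not part of the original article or of Snort; it assumes the "var NAME value" and "output database: ..." syntax quoted above and checks a constructed sample file, so point it at your own snort.conf to use it for real.

```shell
#!/bin/sh
# Added example (not from the article): sanity-check the snort.conf edits
# this guide makes, so a typo is caught before snort is launched.

# Prints "ok" and returns 0 when all three edits are present; otherwise
# prints one line per problem and returns 1.
check_snort_conf() {
    conf="$1"
    rc=0
    # HOME_NET must be an active (uncommented) line and must not be "any"
    home=$(grep -E '^[[:space:]]*var[[:space:]]+HOME_NET[[:space:]]' "$conf" | awk '{print $3}')
    if [ -z "$home" ] || [ "$home" = "any" ]; then
        echo "HOME_NET is unset or still 'any'"; rc=1
    fi
    # Same check for EXTERNAL_NET
    ext=$(grep -E '^[[:space:]]*var[[:space:]]+EXTERNAL_NET[[:space:]]' "$conf" | awk '{print $3}')
    if [ -z "$ext" ] || [ "$ext" = "any" ]; then
        echo "EXTERNAL_NET is unset or still 'any'"; rc=1
    fi
    # There must be an active mysql output line carrying all four parameters
    if ! grep -E '^[[:space:]]*output[[:space:]]+database:.*mysql.*user=.*password=.*dbname=.*host=' "$conf" >/dev/null; then
        echo "no active 'output database: log, mysql, ...' line"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok"
    return "$rc"
}

# Writes a constructed sample config that mirrors the guide's edits
# (this is not a real snort.conf, only the lines the guide touches).
write_sample_conf() {
    cat >"$1" <<'EOF'
# var HOME_NET any
var HOME_NET 192.168.0.0/16
# var EXTERNAL_NET any
var EXTERNAL_NET !$HOME_NET
output database: log, mysql, user=snort password=snort-db dbname=snort host=localhost
# output database: log, mysql
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
check_snort_conf "$sample"
rm -f "$sample"
```

Run it as `./check.sh`, or call `check_snort_conf /etc/snort.conf` after sourcing it, and fix every reported line before running snort.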
