This post describes how to configure a system running Debian GNU/Linux as a PostgreSQL database backend for the Snort Intrusion Detection System (IDS). It covers only the PostgreSQL backend; for setting up Snort IDS sensors and/or a Snort IDS monitoring console, refer to the following posts:
Install the PostgreSQL DBMS, the Snort IDS and the Snort PostgreSQL output plugin using the aptitude package management utility. When prompted for the address range of the local network (Snort uses it as HOME_NET), replace 10.0.1.0/24 with your LAN's IP address range.
# aptitude install postgresql snort snort-pgsql
Address range for the local network: 10.0.1.0/24
Create a PostgreSQL role and database for the Snort IDS to use. The role needs no superuser, database-creation or role-creation rights, so answer n to all three prompts. Pick a password unique to this role: every sensor stores it in clear text in its snort.conf output line. After creating the role and database, load the Snort schema with the script shipped in the snort-pgsql package, connecting as snortuser so that the tables are owned by that role. If the local-socket rule in pg_hba.conf uses ident authentication (as Debian's stock pg_hba.conf does), that connection will be refused because the OS user is postgres, not snortuser; in that case run the psql step over TCP to 127.0.0.1 as snortuser, which matches the md5 rule for the loopback address.
# su postgres
$ createuser -P snortuser
Enter password for new role: *****
Enter it again: *****
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
$ createdb -O snortuser snort
$ cd /usr/share/doc/snort-pgsql
$ zcat create_postgresql.gz | psql snort snortuser
$ exit
Configure PostgreSQL to accept TCP connections from the sensors by setting listen_addresses in /etc/postgresql/8.3/main/postgresql.conf. The setting below binds every interface, which is the simplest choice on a single-homed backend; on a multi-homed host, list only localhost and the address of the interface the sensors reach, so the service is not exposed on other networks. Either way, who may connect is decided by pg_hba.conf, configured next.
listen_addresses = '*'
Configure PostgreSQL to require md5 password authentication for connections originating from the local network by adding the following rule to /etc/postgresql/8.3/main/pg_hba.conf. With the md5 method the client answers a salted challenge, so the password itself does not cross the wire in clear; the alert data still does, so use hostssl instead of host if ssl is enabled in postgresql.conf. The rule as written admits every role to every database from the whole LAN; for a backend that only serves Snort, narrow the database column to snort, the user column to snortuser and the address to the sensor subnet. Rules are matched top to bottom and the first match wins, so a narrow rule placed after a broader one never takes effect. NOTE: Replace 10.0.1.0/24 with the IP address range of your LAN.
host all all 10.0.1.0/24 md5
Restart the PostgreSQL DBMS for the new settings to take effect (a change to listen_addresses requires a full restart; a change to pg_hba.conf alone only needs a reload). The Debian GNU/Linux system has now been configured as a PostgreSQL database backend for the Snort IDS. Before pointing the sensors at it, check from a sensor host that psql connecting as snortuser to the snort database prompts for a password and that connecting as any other role, or from an address outside the LAN, is refused.
# /etc/init.d/postgresql-8.3 restart
Restarting PostgreSQL 8.3 database server: main.
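The following script is an added example and is not part of the original post or of the Snort or PostgreSQL projects. It audits a pg_hba.conf for rules broader than a Snort backend needs (any trust rule, any host rule that opens every database to every role, any network wider than a /24) and shows, as a constructed sample, the narrower rule that can replace the host all all 10.0.1.0/24 md5 line above. The database name snort, the role snortuser and the 10.0.1.0/24 sensor network are taken from this post; both sample files are constructed for the demonstration. Point pg_hba_violations at /etc/postgresql/8.3/main/pg_hba.conf to audit a real backend.

```shell
#!/bin/sh
# Added example, not from the original post: audit a pg_hba.conf for rules
# that are broader than a Snort backend needs, and show a narrower rule that
# replaces "host all all 10.0.1.0/24 md5". Assumed names: database "snort",
# role "snortuser", sensor network 10.0.1.0/24. Both sample files below are
# constructed for the demo.

# Print one line per over-permissive rule in the pg_hba.conf given as $1:
#  - any rule using the "trust" method (no authentication at all),
#  - any host rule that opens every database to every role,
#  - any host rule whose network is wider than a /24.
# Comments and blank lines are dropped first. Columns are
#   TYPE DATABASE USER [ADDRESS] METHOD [OPTIONS]
# and "local" rules have no ADDRESS column, so METHOD is field 4 there.
pg_hba_violations() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | awk '
        $1 == "local" { method = $4; addr = "" }
        $1 ~ /^host/  { method = $5; addr = $4 }
        method == "trust" { print "no authentication: " $0; next }
        $1 ~ /^host/ && $2 == "all" && $3 == "all" {
            print "every database and role: " $0; next
        }
        $1 ~ /^host/ && split(addr, a, "/") == 2 && a[2] + 0 < 24 {
            print "network wider than /24: " $0; next
        }
    '
}

# Number of violations as a plain integer, for a go/no-go check.
count_violations() {
    pg_hba_violations "$1" | wc -l | tr -d ' '
}

WEAK=$(mktemp)
HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT

# Constructed sample 1: the post's rule, plus a leftover "trust" line that
# would let anyone on the Internet in without a password.
cat > "$WEAK" <<'EOF'
local   all   postgres                      ident sameuser
host    all   all         10.0.1.0/24       md5
host    all   all         0.0.0.0/0         trust
EOF

# Constructed sample 2: only the Snort role, only the Snort database, only the
# sensor network, and hostssl so alert data is encrypted in transit
# (requires ssl to be enabled in postgresql.conf).
cat > "$HARD" <<'EOF'
local   all     postgres                    ident sameuser
hostssl snort   snortuser   10.0.1.0/24     md5
EOF

for f in "$WEAK" "$HARD"; do
    echo "== $f: $(count_violations "$f") over-permissive rule(s)"
    pg_hba_violations "$f"
done
```

The check is a heuristic, not a policy engine: it flags the patterns a Snort backend never needs rather than proving the file correct. In particular it does not detect ordering problems, so after narrowing the rule, confirm that no broader host rule precedes it, since pg_hba.conf stops at the first matching line.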