This post describes the steps necessary to configure a system running Debian GNU/Linux as a Snort Intrusion Detection System (IDS) sensor. It covers only the process of configuring a Snort IDS sensor that connects to a PostgreSQL database backend; for information on setting up a PostgreSQL backend for the Snort IDS and/or setting up a Snort IDS monitoring console, refer to the following posts:
Install the PostgreSQL DBMS and Snort IDS using the aptitude software package management utility. When prompted for the address range for the local network, replace 10.0.1.0/24 with your LAN’s IP address range.
# aptitude install postgresql-client snort snort-pgsql snort-rules
Address range for the local network: 10.0.1.0/24
Configure Snort to use your existing PostgreSQL database backend for reporting by adding the following line to the /etc/snort/snort.conf configuration file. NOTE: Replace 10.0.1.1 with the IP address of your PostgreSQL DBMS server and replace Password with the password you chose for snortuser.
output database: log, postgresql, user=snortuser password=Password dbname=snort host=10.0.1.1 sensor_name=Debian
Remove the /etc/snort/db-pending-config file and start the Snort IDS sensor for the first time. Be sure to check /var/log/daemons.log for any error messages.
# rm /etc/snort/db-pending-config
# /etc/init.d/snort start
Starting Network Intrusion Detection System: snort
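The steps above (set the local address range, add the output database line with real values, then start the sensor) are easy to get half right, so here is a small pre-flight script that assembles the output line and checks a snort.conf before the first start. It is an added example, not part of the original post or of the Snort project: the function names, the checks chosen, the treatment of the literal word Password as a placeholder, and the assumption that HOME_NET is set with a plain "var HOME_NET a.b.c.d/n" line are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: assemble the snort.conf
# "output database:" line and run pre-flight checks on a snort.conf before
# the sensor is started for the first time. Function names, the placeholder
# value "Password" and the choice of checks are this example's own.

# build_output_line USER PASSWORD DBNAME HOST SENSOR
# Prints the output plugin line in the form used in the post.
build_output_line() {
    printf 'output database: log, postgresql, user=%s password=%s dbname=%s host=%s sensor_name=%s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# check_cidr A.B.C.D/N  ->  returns 0 only for a well-formed IPv4 CIDR
check_cidr() {
    cidr=$1
    ip=${cidr%/*}
    prefix=${cidr#*/}
    [ "$ip" != "$cidr" ] || return 1                  # no "/" at all
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac   # prefix not numeric
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS
    IFS=.
    set -- $ip                                        # split on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# check_snort_conf FILE  ->  prints each finding, returns 0 when there are none
check_snort_conf() {
    conf=$1
    status=0

    # 1. The database output line must exist and must not still carry the
    #    placeholder password from the post.
    line=$(grep -E '^output database:' "$conf" | head -n 1)
    if [ -z "$line" ]; then
        echo "$conf: no 'output database:' line"
        status=1
    else
        case "$line" in
            *password=Password*) echo "$conf: placeholder password still present"; status=1 ;;
        esac
        case "$line" in
            *host=*) ;;
            *) echo "$conf: output line has no host="; status=1 ;;
        esac
    fi

    # 2. HOME_NET, when given as a single IPv4 CIDR, must be well formed.
    #    "any" and bracketed lists are left alone by this example.
    net=$(sed -n 's/^var HOME_NET[[:space:]]*//p' "$conf" | head -n 1)
    case "$net" in
        ''|any|\[*) ;;
        *) if ! check_cidr "$net"; then
               echo "$conf: HOME_NET '$net' is not a valid IPv4 CIDR"
               status=1
           fi ;;
    esac

    # 3. The file now holds a database password in clear text, so it must
    #    not be readable by "other" (inspect the ls -l mode string).
    perm=$(ls -ld "$conf" | cut -c1-10)
    case "$perm" in
        ???????---) ;;
        *) echo "$conf: readable by other ($perm); run chmod o-rwx"; status=1 ;;
    esac

    return $status
}

# Usage: sh snort-preflight.sh /etc/snort/snort.conf
if [ $# -gt 0 ]; then
    check_snort_conf "$1"
fi
```

The third check is there because the output database line puts the snortuser password into snort.conf in clear text; once that line is added, the file should be readable only by root (and whatever account the sensor drops privileges to), which is worth verifying before the first start rather than after the first unexpected read.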