This howto describes how to set up a system running FreeBSD and the PostgreSQL DBMS to act as the backend database for the Snort Intrusion Detection System (IDS). It is assumed that PostgreSQL has already been installed on the FreeBSD system. For more information on installing the PostgreSQL DBMS on FreeBSD, refer to the following post:
Install the Snort IDS from the FreeBSD ports collection. When configuring the port, be sure to enable the FLEXRESP2 and POSTGRESQL options.
# cd /usr/ports/security/snort
# make config
# make install clean
# rehash
Set up a database and user for Snort in the PostgreSQL DBMS. The following creates a new database named snort, owned by a new user named snortuser with a password of your choice, and loads the Snort schema into it.
# su pgsql
$ createuser -P snortuser
Enter password for new role: ******
Enter it again: ******
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
$ createdb -O snortuser snort
$ cd /usr/local/share/examples/snort
$ cat create_postgresql | psql snort snortuser
$ exit
Next, configure Snort to report to the new PostgreSQL database. Modify the /usr/local/etc/snort/snort.conf configuration file to reflect the following settings. Replace YourPassword with the password you chose for snortuser and replace YourHost with the host name of your system. Be sure to comment out the line containing include $RULE_PATH/local.rules.
output database: log, postgresql, user=snortuser password=YourPassword dbname=snort host=localhost sensor_name=YourHost
#include $RULE_PATH/local.rules
Download a current copy of the Snort IDS signatures from www.snort.org and extract them to /usr/local/etc/snort/rules/.
Enable the Snort IDS to automatically start at system boot and start Snort for the first time.
# echo 'snort_enable="YES"' >> /etc/rc.conf
# /usr/local/etc/rc.d/snort start
If the Snort IDS fails to start, check /var/log/messages for error messages. To verify that the Snort IDS is analyzing network traffic, ping the system running Snort from another system, then check the event table in the snort database to confirm that Snort is reporting events.
# su pgsql
$ psql snort
psql (8.4.2)
Type "help" for help.

snort=# SELECT * FROM event;
 sid | cid | signature | timestamp
----+-----+-----------+-----------
snort=# \q
$ exit
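If Snort does not start, or the event table stays empty, a first thing to check is the snort.conf edits from the configuration step above. The following Python script is an added example, not part of the original howto: it parses the output database directive into its parts, flags the YourPassword and YourHost placeholders if they are still present (and any missing user=, password=, dbname= or host= keys), and reports if the include $RULE_PATH/local.rules line was not commented out. The snort.conf fragment embedded in it is constructed sample input.

```python
import re
import shlex

# Constructed sample snort.conf fragment: the directive as the howto gives it, with the
# placeholders still in place, and the local.rules include correctly commented out.
SAMPLE_CONF = """\
output database: log, postgresql, user=snortuser password=YourPassword dbname=snort host=localhost sensor_name=YourHost
#include $RULE_PATH/local.rules
"""

PLACEHOLDERS = {"YourPassword", "YourHost"}
REQUIRED_PARAMS = ("user", "password", "dbname", "host")


def parse_output_database(line):
    """Split 'output database: <type>, <dbms>, k=v ...' into a dict, or None if malformed."""
    m = re.match(r"^\s*output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$", line)
    if not m:
        return None
    log_type, dbms, rest = m.groups()
    params = {}
    for token in shlex.split(rest):  # shlex copes with a quoted password
        key, sep, value = token.partition("=")
        if sep:
            params[key] = value
    return {"type": log_type, "dbms": dbms, "params": params}


def check_snort_conf(text):
    """Return a list of problems; an empty list means the config matches the howto."""
    problems, db, local_rules_active = [], None, False
    for raw in text.splitlines():
        line = raw.strip()  # a line starting with '#' never matches either test below
        if re.match(r"output\s+database:", line):
            db = parse_output_database(line)
            if db is None:
                problems.append("output database line is malformed")
        elif line.startswith("include") and "local.rules" in line:
            local_rules_active = True
    if db is None:
        problems.append("no output database directive found")
    else:
        for key in REQUIRED_PARAMS:
            if key not in db["params"]:
                problems.append(f"missing {key}= in output database line")
        for key, value in db["params"].items():
            if value in PLACEHOLDERS:
                problems.append(f"{key}= still set to placeholder {value}")
    if local_rules_active:
        problems.append("include $RULE_PATH/local.rules is not commented out")
    return problems
```

Run check_snort_conf() on the contents of /usr/local/etc/snort/snort.conf; on the sample fragment it reports the two untouched placeholders.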