Posted by: jasonk2600 | January 18, 2010

Debian GNU/Linux PostgreSQL Backend for Snort IDS

Synopsis

This post describes the steps necessary to configure a system running Debian GNU/Linux as a database backend using PostgreSQL for the Snort Intrusion Detection System (IDS). This post only covers the process of creating the PostgreSQL backend; for information on setting up Snort IDS sensors and/or setting up a Snort IDS monitoring console refer to the following posts:

Installation

Install the PostgreSQL DBMS and Snort IDS using the aptitude software package management utility. When prompted for the address range for the local network, replace 10.0.1.0/24 with your LAN’s IP address range.

# aptitude install postgresql snort snort-pgsql

Address range for the local network:
10.0.1.0/24


Configuration

Create a PostgreSQL database and database user for the Snort IDS to use. After creating the database and user, initialize the Snort database with the script provided by the Snort IDS software package.

# su postgres
$ createuser -P snortuser

Enter password for new role: *****
Enter it again: *****
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n

$ createdb -O snortuser snort
$ cd /usr/share/doc/snort-pgsql
$ zcat create_postgresql.gz | psql snort snortuser
$ exit


Configure PostgreSQL to listen for database connections on all IP addresses by modifying /etc/postgresql/8.3/main/postgresql.conf to reflect the following setting.

listen_addresses = '*'


Configure PostgreSQL to use MD5 hashing for password authentication on any connections originating from the local network by modifying /etc/postgresql/8.3/main/pg_hba.conf to reflect the following setting. NOTE: Replace 10.0.1.0/24 with the IP address range of your LAN.

host  all  all  10.0.1.0/24  md5


Restart the PostgreSQL DBMS for the new settings to take effect. The Debian GNU/Linux system has now successfully been configured as a PostgreSQL database backend for the Snort IDS. Snort IDS sensors can now be configured to use this system.

# /etc/init.d/postgresql-8.3 restart

Restarting PostgreSQL 8.3 database server: main.
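The two configuration edits above are done by hand in the post. As an added example (not part of the original post), the following POSIX shell script applies the same two settings idempotently and checks the result: it rewrites or appends listen_addresses in postgresql.conf, adds the pg_hba.conf host rule only if an equivalent one is not already there, and reports any network rule that uses the trust method (a client-side password is never asked for). The file paths, LAN range, database name and role name are assumptions copied from the post and can be overridden through the environment; the rule it writes is narrower than the post's "host all all" line, scoping LAN access to the snort database and the snortuser role. The database and role creation steps need a live PostgreSQL and are deliberately not scripted here.

```shell
#!/bin/sh
# Added example, not from the original post: apply the two PostgreSQL settings the
# post edits by hand (listen_addresses and the pg_hba.conf host rule) idempotently
# and check the result. Paths, LAN range and database/role names are assumptions
# taken from the post; override them via the environment before running "apply".
set -e

PG_CONF="${PG_CONF:-/etc/postgresql/8.3/main/postgresql.conf}"
PG_HBA="${PG_HBA:-/etc/postgresql/8.3/main/pg_hba.conf}"
LAN_CIDR="${LAN_CIDR:-10.0.1.0/24}"

# Rewrite (or append) the listen_addresses setting in postgresql.conf ($1) to $2.
# A commented-out default such as "#listen_addresses = 'localhost'" is replaced
# in place so the file never ends up with two competing settings.
set_listen_addresses() {
    conf="$1" value="$2"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*listen_addresses[[:space:]]*=" "$conf"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*listen_addresses[[:space:]]*=.*|listen_addresses = '$value'|" \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf "listen_addresses = '%s'\n" "$value" >> "$conf"
    fi
}

# Print the active (uncommented) listen_addresses value from postgresql.conf ($1).
get_listen_addresses() {
    sed -nE "s/^[[:space:]]*listen_addresses[[:space:]]*=[[:space:]]*'([^']*)'.*/\1/p" "$1" | tail -n 1
}

# Append a "host" rule to pg_hba.conf ($1) for database $2, role $3, address $4 and
# auth method $5 unless an equivalent rule (ignoring spacing) is already present.
add_hba_rule() {
    hba="$1" db="$2" user="$3" cidr="$4" method="$5"
    if ! awk -v want="host $db $user $cidr $method" \
        '$1 == "host" && ($1 " " $2 " " $3 " " $4 " " $5) == want { found = 1 }
         END { exit !found }' "$hba"; then
        printf 'host  %s  %s  %s  %s\n' "$db" "$user" "$cidr" "$method" >> "$hba"
    fi
}

# Print any network ("host", "hostssl", "hostnossl") rule that uses the trust
# method, i.e. accepts a client with no credentials at all. Empty output is good.
remote_trust_rules() {
    awk '$1 ~ /^host(ssl|nossl)?$/ && $5 == "trust"' "$1"
}

# Apply the post's configuration when invoked as: sh snort-pg-backend.sh apply
if [ "${1:-}" = "apply" ]; then
    set_listen_addresses "$PG_CONF" '*'
    # Narrower than the post's "host all all" rule: only the snort database and
    # its role are reachable from the LAN, still with md5 password authentication.
    add_hba_rule "$PG_HBA" snort snortuser "$LAN_CIDR" md5
    if [ -n "$(remote_trust_rules "$PG_HBA")" ]; then
        echo "warning: pg_hba.conf has network rules using method 'trust':" >&2
        remote_trust_rules "$PG_HBA" >&2
    fi
    echo "listen_addresses is now '$(get_listen_addresses "$PG_CONF")'; restart PostgreSQL to apply."
fi
```

Run it as root with the "apply" argument, then restart PostgreSQL as in the step above; running it a second time makes no further changes, which is what makes it safe to keep in a provisioning script.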



Responses

  3. When I type the first command:
    aptitude install postgresql snort snort-pgsql
    then it shows this result:
    No candidate version found for snort-pgsql
    No candidate version found for snort-pgsql
    No packages will be installed, upgraded, or removed.
    0 packages upgraded, 0 newly installed, 0 to remove and 11 not upgraded.
    Need to get 0B of archives. After unpacking 0B will be used.

    and after that things go well.
    Again, when I type the command: cd /usr/share/doc/snort-pgsql
    then it shows this result: bash: cd: /usr/share/doc/snort-pgsql: No such file or directory
    So how can I solve this? I'm new to this, please help.
