Posted by: jasonk2600 | January 18, 2010

FreeBSD PostgreSQL Backend for Snort IDS

Synopsis

This howto will describe how to set up a system running FreeBSD and the PostgreSQL DBMS to act as the backend database for the Snort Intrusion Detection System (IDS).  It is assumed that PostgreSQL has already been installed on the FreeBSD system.  For more information on installing the PostgreSQL DBMS on FreeBSD refer to the following post:

Installation

Install the Snort IDS from the FreeBSD ports collection.  When configuring the port, be sure to enable the FLEXRESP2 and POSTGRESQL options.

# cd /usr/ports/security/snort
# make config
# make install clean
# rehash


Configuration

Set up a database and user for Snort in the PostgreSQL DBMS.  The following will create a new database named snort owned by a new user named snortuser with a password of your choice.  Answer n to all three privilege questions: the Snort user only needs to write to its own database.

# su pgsql
$ createuser -P snortuser
Enter password for new role: ******
Enter it again: ******
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n

$ createdb -O snortuser snort
$ cd /usr/local/share/examples/snort
$ cat create_postgresql | psql snort snortuser

$ exit


Next, configure Snort to report to the new PostgreSQL database.  Modify the /usr/local/etc/snort/snort.conf configuration file to reflect the following settings.  Replace YourPassword with the password you chose for snortuser and replace YourHost with the host name of your system.  Be sure to comment out the line containing include $RULE_PATH/local.rules.  Because snort.conf now contains the database password in clear text, make sure the file is readable only by root.

output database: log, postgresql, user=snortuser password=YourPassword dbname=snort host=localhost sensor_name=YourHost

#include $RULE_PATH/local.rules


Download a current copy of the Snort IDS signatures from www.snort.org and extract them to /usr/local/etc/snort/rules/.

Enable the Snort IDS to automatically start at system boot and start Snort for the first time.

# echo 'snort_enable="YES"' >> /etc/rc.conf
# /usr/local/etc/rc.d/snort start


Testing

If the Snort IDS fails to start, check /var/log/messages for error messages.  To verify that the Snort IDS is analyzing network traffic, ping the system running Snort from another system.  Then check the event table in the snort database for the alerts Snort is reporting.

# su pgsql
$ psql snort

psql (8.4.2)
Type "help" for help.

snort=# SELECT * FROM event;

sid | cid | signature | timestamp
----+-----+-----------+-----------

snort=# \q
$ exit
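The bare SELECT above only shows that rows are arriving.  The queries below, added here as an example and not part of the original post, read the other tables that create_postgresql builds (signature, sensor and iphdr) to turn those rows into something you can act on.  They assume the post's database name (snort), the standard Snort database output plugin schema, and that at least one alert has been logged; run them from the same psql session as root or as snortuser.

```sql
-- Added example: reporting queries against the Snort database schema
-- created by create_postgresql (tables event, signature, sensor, iphdr).
-- Assumes the database is named snort, as in the post.

-- 1. The most recent alerts with the rule name, the reporting sensor and
--    the addresses involved.  iphdr stores ip_src and ip_dst as INT8 (the
--    raw 32-bit value), so add them to 0.0.0.0 to get a dotted quad.
SELECT e.sid,
       e.cid,
       s.hostname                    AS sensor,
       e.timestamp,
       sig.sig_name,
       sig.sig_priority,
       '0.0.0.0'::inet + ip.ip_src   AS src_ip,
       '0.0.0.0'::inet + ip.ip_dst   AS dst_ip
  FROM event e
  JOIN signature sig ON sig.sig_id = e.signature
  JOIN sensor    s   ON s.sid = e.sid
  LEFT JOIN iphdr ip ON ip.sid = e.sid AND ip.cid = e.cid
 ORDER BY e.timestamp DESC
 LIMIT 20;

-- 2. Alert volume per signature over the last 24 hours, busiest first.
--    A sudden spike for a single signature is usually either a scan or a
--    noisy rule that needs tuning; either way it is worth a look.
SELECT sig.sig_name,
       sig.sig_priority,
       COUNT(*)          AS hits,
       MIN(e.timestamp)  AS first_seen,
       MAX(e.timestamp)  AS last_seen
  FROM event e
  JOIN signature sig ON sig.sig_id = e.signature
 WHERE e.timestamp > now() - interval '24 hours'
 GROUP BY sig.sig_name, sig.sig_priority
 ORDER BY hits DESC;

-- 3. Confirm each sensor is still writing.  The output plugin keeps
--    sensor.last_cid at the highest event id it has logged, so it should
--    match the highest cid present in event for that sensor.
SELECT s.sid,
       s.hostname,
       s.interface,
       s.last_cid,
       (SELECT MAX(cid) FROM event e WHERE e.sid = s.sid) AS max_event_cid
  FROM sensor s;
```

If query 1 returns rows but src_ip and dst_ip are empty, the alerts were logged without IP headers (for example from a non-IP decoder rule); if query 3 shows last_cid well ahead of max_event_cid, the sensor has been restarted against an older copy of the database.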
