Snort Installation Manual

Introduction

The purpose of this guide is to document the installation and configuration of a complete Snort implementation. This guide contains all the necessary information for installing and understanding the architectural layout of the implementation.

The information in this guide was written for implementing Snort 1.8 using Redhat 7.3. You may find some discrepancies if you are installing different versions of Snort or using different versions of Redhat. This guide was written with the assumption that you understand how to run Snort and have a basic understanding of Linux. This includes editing files, making directories, compiling software and understanding general Unix commands. This guide does not explain how to use or configure Snort, but the “Additional Information” section lists where to find that information.

Required Software

The following is a list of required software and the versions that were used:
Redhat 7.3 ftp://ftp.redhat.com
Snort v1.8.7 http://www.snort.org/dl/
MySQL v3.23.52 http://www.mysql.com/downloads/mysql-3.23.html
Webmin v.99 http://www.webmin.com/
NetSSLeay v1.20 http://symlabs.com/Net_SSLeay/
ACID 0.9.6B21 http://acidlab.sourceforge.net/
PHP v4.1.* ftp://updates.redhat.com/7.3/en/os/i386/
ADODB v2.31 http://php.weblogs.com/adodb
PHPLOT v4.4.6 http://www.phplot.com/
GD v1.8.4 http://www.boutell.com/gd/
Snortd file http://home.earthlink.net/~sjscott007/snortd
Mozilla http://www.mozilla.org/
Snort Webmin Module v1.1 http://msbnetworks.net/snort/

Conceptual Topology

Five primary software packages produce this topology: the Apache web server, the MySQL database server, Webmin, ACID and Snort. This topology assumes you will be running your sensors on dedicated hardware separate from your database and ACID console. Below is a brief description of each of the packages and their purpose in the topology.

Apache Web Server
This is the web server of choice for the majority of websites that are accessed on the Internet. The sole purpose of Apache in this topology is to host the ACID web-based console.

MySQL Server
MySQL is a SQL-based database server for a variety of platforms and is the most supported platform for storing Snort alerts. All of the IDS alerts that are triggered from our sensors are stored in the MySQL database.

Webmin
Webmin is a web-based interface for administering Unix-based servers. It provides a graphical interface to most of the services and configuration options that are available at the shell level. Webmin is written in Perl, and new modules (plugins for administering services, e.g. DNS or users & groups) are being created all the time. A Snort module is also installed, which allows you to administer Snort graphically.

Analysis Console for Intrusion Databases (ACID)
ACID is a web-based application for viewing firewall logs and/or IDS alerts. This is where all the sensor information is consolidated for viewing.

Snort
Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. This is the software package that is used to gather information from the network.
