Installing Snort, ACID, and Barnyard on OpenBSD 3.3

By Chris Paul
Last edited 7/17/2003

• Snort and the Analysis Console for Intrusion Databases (ACID) provide a graphical representation of potential malicious network traffic. All sorts of totally free and semi-free software are used in presenting this data. The presentation of this data is only a presentation of data. ACID isn't even version 1.0 yet so don't rely on it or snort or any one tool by itself for network security. Assuming that the snort data presented to ACID is valid and worthy of attention, ACID provides excellent viewing and graphing capabilities. From the official ACID installation page (Section IV, Security) created by the author of ACID, Roman Danyliw:

"ACID is currently _beta_! No real work has been done in validating any input. This means that the code may allow arbitrary access to the underlying database. Exercise extreme caution in deploying this application in a public area."

• Despite the fact that you should not rely totally on any "Intrusion Detection System", great pain has been given to making this solution the most trustable and secure.
• This document is for a user with intermediate to advanced UNIX skills. To use these instructions successfully, you probably need to know how to install a UNIX OS, edit text files, uncompress tar files, build software from source using "make", and maybe read a log file to troubleshoot one of your typos (or mine), and lastly, if it still doesn't work, you must read the appropriate FAQ and know how to google.
• OpenBSD was chosen as a platform for its track-record in security and because it seems to be the cleanest, most secure, and most well-documented OS.
• Sensor number and placement philosophy will not be discussed. For the purposes of these instructions, let's just say we just want one sensor on our ISP link and one ACID console.
• Both the console and sensor machine must have a working installation of OpenBSD 3.3 – stable (please see http://www.openbsd.org/stable.html).
• On the sensor, you will want one network interface for the connection to the database and one network interface for each network the sensor will analyze.

General Recommendations

• Change root shell to /bin/sh (if you prefer ksh-like or bash-like command behavior).
• Configure syslogd to log to a remote logserver.
• Install and configure NTP. (You'll have to add this from ports/packages as it doesn't come in the base system.)
• Add a user account for yourself.
• Copy your ssh public key to ~user/.ssh/authorized_keys.
• Configure sudo.
• Dis-allow remote root access in /etc/ssh/sshd_config.
• Dis-allow SSH Protocol 1 in /etc/ssh_sshd_config.
• Dis-allow password sshd authentication (/etc/ssh_sshd_config).
• /etc/motd – change to legal warning.
• Take a look at cron and adjust according to users' timezone (so jobs run when users are sleeping).
• Put your email address in /root/.forward and ~user/.forward
• Configure sendmail as null client.
• Disable inetd and other unnecessary daemons.
• Update to –stable (http://www.openbsd.org/stable.html).
• At the end of everything, once everything works, use nmap or some other portscan against the boxes to re-check to see what's listening and to verify that you can view the alerts in ACID.

ACID Console Machine

Requirements:

• Download from the nearest mirror's OpenBSD 3.3 packages collection (or build from ports if you like):
• mysql-server-3.23.55 (MySQL Server)
• p5-DBI-1.30 (unified perl interface for database access)
• p5-DBD-Msql-Mysql-1.22.19 (MySQL drivers for the Perl DBI)
• freetype-1.3.1 (TrueType font rendering engine)
• gettext-0.10.40p1 (GNU gettext)
• libiconv-1.8 (character set conversion library)
• recode-3.6 (convert files between character sets and usages)
• tiff-3.5.7 (tools and library routines for working with TIFF images)
• mysql-client-3.23.55 (MySQL Client)
• php4-core-4.2.3p1 (the PHP scripting language upon which ACID is based)
• php4-gd-4.2.3 (image manipulation extensions for php4)
• php4-mysql-4.2.3 (MySQL database access extensions for php4)
• gd-1.8.3 (graphics library for fast PNG creation)
• png-1.2.5p1 (library for manipulating PNG images)
• jpeg-6b (IJG's JPEG compression utilities)
• You will also need these easily-built PHP extensions (which are not part of the ports/packages collection):
• ADODB v 0.9.6b2+ --the PHP database abstraction library-- http://php.weblogs.com/adodb/
• PHPlot (0.9.6b9 - 0.9.6b21) -- PHP chart library -- http://www.phplot.com
• JPGraph (v. >= 0.9.6b22) -- PHP chart library – http://www.aditus.nu/jpgraph
• mini-sendmail-1.3.2 -- https://www.acme.com/software/mini_sendmail/

Steps to configure ACID console

• First we'll create a "snort" user which will be needed for the SSH tunnel from the sensor. Notice this user doesn't get a login shell.

  # useradd -c "The Pig" -m -s /sbin/nologin snortman
  # mkdir ~snortman/.ssh
  # groupadd snortman
  # chown snortman.snortman ~snortman/.ssh
  # chmod 700 ~snortman/.ssh
  

• Enable HTTPD on ACID console by editing /etc/rc.conf. Replace:

httpd_flags=NO

with

httpd_flags="-DSSL"

• Add MySQL client and server packages:

# pkg_add mysql-server-3.23.55.tgz
# pkg_add mysql-client-3.23.55.tgz

• Copy the MySQL control script to /usr/local/sbin:

# cp /usr/local/share/mysql/mysql.server /usr/local/sbin/

• Copy the MySQL configuration file:

# cp /usr/local/share/mysql/my-large.cnf /etc/my.cnf

• Start MySQL database server:

# /usr/local/sbin/mysql.server start

• Add the following to rc.local so MySQL starts automatically:

	if [ -x /usr/local/sbin/mysql.server ]; then
	   . /usr/local/sbin/mysql.server start
	   mkdir -p /var/www/var/run/mysql 
	   ln /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock 
	fi

• Set password for the database root user (not to be confused with the UNIX root password)

# /usr/local/bin/mysqladmin -p -u root -h <hostname> password 'password';

• Create snort and archive databases:

$ echo "CREATE DATABASE snort;" | mysql -u root -p
$ echo "CREATE DATABASE archive;" | mysql -u root -p


• Obtain a copy of the "create_mysql" script from the contrib directory of the snort source tarball.
NOTE: Once you have build snort from OpenBSD ports (see below), then it will be in the following directory on your sensors:

/usr/ports/net/snort/w-snort-2.0.0-mysql/snort-2.0.0/contrib

Otherwise, download Snort 2.0 and you will find it in the contrib directory of the package.
• Execute mysql commands to create snort database:

$ mysql -u root -p
mysql> connect snort
mysql> source /path/to/create_mysql;
mysql> show tables;
mysql> connect archive
mysql> source /path/to/create_mysql;
mysql> show tables;

• Create "snort" database user:

$ mysql -u root -D mysql -p -D mysql
mysql>GRANT INSERT, SELECT on snort.* to snort@sensor IDENTIFIED BY 'snort_password';
mysql>quit;

NOTE: from http://www.snort.org/docs/snortdb/snortdb_install.html on setting passwords:

"Note on assigning password: There are known issues with using certain special characters such as "$" (dollar sign) in the passwords when passed from Snort. If everything appears to be configured correctly, but authentication always fails, trying testing with a password without these characters."

ALSO NOTE: The "snort" mysql user gets no access to the archive database for obvious reasons.

• Quick snort db connectivity test on the sensor:
• On the sensor, run:

$nohup sudo snort -c /etc/snort/snort.conf -i fxp1-u snortman -g snortman -t /var/log/snortman

• On the ACID console run:

$ mysql -u root -p -D snort -e 'select * from sensor;'


The database should have returned at least one record if your sensor had connected properly.


• Grant the ACID console permissions:

$ mysql -u root -p
mysql> GRANT CREATE, INSERT, SELECT, DELETE, UPDATE ON snort.* to acid@localhost IDENTIFIED BY 'acid_password';
mysql> GRANT CREATE, INSERT, SELECT, DELETE, UPDATE ON archive.* to acid@localhost IDENTIFIED BY 'acid_password';


• Install and activate PHP

# pkg_add -v php4-core-4.2.3p1.tgz
# /usr/local/sbin/phpxs -s


• Add the following to /var/www/conf/httpd.conf:

AddType application/x-httpd-php .php

• Copy the php.ini file from the distribution:

# cp /usr/local/share/doc/php4/php.ini-dist /var/www/conf/php.ini

• Install and activate PHP extensions:

# pkg_add -v php4-gd-4.2.3.tgz
# /usr/local/sbin/phpxs -a gd
# pkg_add -v php4-mysql-4.2.3.tgz
# /usr/local/sbin/phpxs -a mysql


• Install ADODB:

# cd /var/www/htdocs
# tar xzvf /tmp/adodb350.tgz


• Install PHPlot 4.4.6:

# tar xzvf /tmp/phplot-4.4.6.tar.gz

• Install JPGraph 1.8+:

# tar xzvf /tmp/jpgraph-1.12.2.tar.gz
# ln -s jpgraph-1.12.2 jpgraph
# mv /var/www/htdocs/jpgraph-1.12.2/src/* /var/www/htdocs/jpgraph/

• Install ACID:

# tar xzvf /tmp/acid-0.9.6b23.tar.gz

• Couple links to make life easier:

# ln -s jpgraph-1.12.2 jpgraph
# ln -s phplot-4.4.6 phplot


• Configure /var/www/htdocs/acid/acid_conf.php:
• Replace:

$DBlib_path = "";

with

$DBlib_path = "../adodb";

• Replace:

$ChartLib_path = "";

with

$ChartLib_path = "../jpgraph";

• Replace:

$alert_user = "root";

with

$alert_user = "acid";

• Edit the $alert_password parameter with the ACID database password.
• Make similar modifications for the archive database parameters in the acid_conf.php file.



• Create password for ACID scripts using Apache authentication

# mkdir /var/www/etc
# htpasswd -c /var/www/etc/.htpasswd admin


• Add the following to /var/www/conf/httpd.conf

<Directory "/var/www/htdocs/acid">
SSLRequireSSL
Authtype Basic
AuthName "ACID Console"
AuthUserFile /etc/.htpasswd
Require user admin
AllowOverride None
</Directory>


• If you do not have a CA-signed SSL certificate, you can create and sign your own (see the OpenBSD FAQ for more information on this.):

# openssl genrsa -out /etc/ssl/private/server.key 1024
# openssl req -new -key /etc/ssl/private/server.key -out /etc/ssl/private/server.csr
# openssl x509 -req -days 365 -in /etc/ssl/private/server.csr \
-signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt

• Create link to mysql socket and a chroot /tmp for apache:

# mkdir -p /var/www/var/run/mysql
# ln /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock
# mkdir /var/www/tmp
# chmod 1777 /var/www/tmp


• Install mini_sendmail in apache chroot so ACID can mail alerts:

(Please note that this involves copying /bin/sh to your chroot which is much less secure than a chroot without a shell. You just may want to skip this step.)

# tar xzvf mini_sendmail-1.3.2.tar.gz
# cd mini_sendmail-1.3.2
# make install
# cp /usr/local/sbin/mini_sendmail /var/www/bin/mini_sendmail
# cp /bin/sh /var/www/bin/sh
# cp /etc/resolv.conf /var/www/etc/resolv.conf

• Use a cookie-enabled web-browser and open https://acidconsole/acid/acid_main.php.
You should get an error message:
"The underlying database snort@localhost appears to be incomplete/invalid."
"The database version is valid, but the ACID DB structure (table: acid_ag) is not present. Use the Setup page to configure and optimize the DB.

• NOTE: This is OK. Click "Setup page"
This will take you to another page entitled "DB Setup"

• Click "Create ACID AG"
• The ACID console installation is complete.

Sensor Machine

Requirements:

• Snort 2.0 (these instructions are based on using the Snort port in /usr/ports/net/snort)

Note: You must cvs update ports to "stable" for Snort 2.0.

• Barnyard 0.1.0 (from http://sourceforge.net/projects/barnyard/)
NOTE: On my example sensor, my management interface configured with an ip address on my DMZ is fxp0. I will use fxp1 as my un-addressed snort interface. Replace the device names with the appropriate device names on your system.

Steps to configure Sensor:

• Create user "snortman" with home in /var/log/snort

# useradd -c "The Pig" -m -s /sbin/nologin -d /var/log/snort snortman

• Fix permissions on /var/log/snort

# chown snortman.snortman /var/log/snort
# chmod 700 /var/log/snort


• Create SSH key for database tunnel

# ssh-keygen -t dsa # (no password)
(Accept the default and save the key in /root/.ssh/id_dsa)

• Copy the public key (/root/.ssh/id_dsa.pub) from the sensor to the file "/var/log/snort/.ssh/authorized_keys" on the ACID console.
(You could scp the file or copy/paste between xterms.)
• Add the following to the /etc/rc.local:

ifconfig hme1 up # replace with your interface device name


NOTE: Make sure you set the correct media settings (10BaseT vs 100BaseTX).

ssh -f -N -L 3306:acidconsole:3306 snortman@acidconsole # replace "acidconsole" with the correct hostname

• Install MySQL client:

# pkg_add -v mysql-client-3.23.55.tgz


• Install Snort 2.0 with MySQL support (you'll have to do this from "ports" - see "man ports(7)"):

# cd /usr/ports/net/snort
# export FLAVOR=mysql
# make install
# mkdir -p /etc/snort/rules
# cp /usr/local/share/examples/snort/* /etc/snort
# mv /etc/snort/*.rules /etc/snort/rules/


• Install Barnyard 0.1.0:

# tar xzvf barnyard-0.1.0.tar.gz
# cd barnyard-0.1.0
# ./configure --enable-mysql
# make install
# cp barnyard-0.1.0/etc/barnyard.conf /etc/snort/


• Configure Snort 2.0:
• Edit /etc/snort/snort.conf
• Set your HOME_NET for the network(s) you are protecting (see snort.org for more).
• Find the RULE_PATH parameter and set it to "/etc/snort/rules".
• Uncomment the two lines:

output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

• Add the following to /etc/rc.local:

if [ -x /usr/local/bin/snort ]; then
   /usr/local/bin/snort -i hme1 -t /var/log/snort \
   -c /etc/snort/snort.conf -u snortman -g snortman -D
fi

• Configure Barnyard 0.1.0:
• Copy gen-msg.map to /etc/snort/gen-msg.map

# cp /usr/ports/net/snort/w-snort-2.0.0/snort-2.0.0/etc/gen-msg.map /etc/snort/gen-msg.map

• Edit /etc/snort/barnyard.conf
• Replace "config hostname" parameter with correct value (the hostname)
• Replace "config interface" parameter with correct value (the interface name)
• Comment out "output alert_fast"
• Comment out "output log_dump"
• Add the following lines (using your snort database account's password of course):

output alert_acid_db: mysql, sensor_id 1, database snort, server 127.0.0.1, user snort, password snortpassword
output log_acid_db: mysql, sensor_id 1, database snort, server 127.0.0.1, user snort, password snortpassword, detail full

• Add the following to /etc/rc.local:

if [ -x /usr/local/bin/barnyard]; then
   /usr/local/bin/barnyard -D -w barn.waldo -c /etc/snort/barnyard.conf -d /var/log/snort \
   -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map  -f snort.log
fi

• That should be it. You can start snort and barnyard manually or reboot now.
• Remember to use https:// as the ACID console is SSL-ified.
• And remember. A blinking and bleeping light is only a blinking and bleeping light.

More Information

Todo

• Script in a test to make sure that tunnel to MySQL stays open and to reconnect if it drops.

Legal Stuff

This document is ©2003 by Rex Consulting, Inc.

Many thanks to the developers of this great software and to the help of countless googling of helpful posts from misc@openbsd.org and other mail lists.

If you get your system working, please send me an email with your name, how many users your system supports, its hardware specs, and any comments. I'll repost them here.