Snort implementation on Debian

We’ve just completed the initial build for a new standalone IDS sensor running Snort. Having had previous experience (~1.5 years ago, a manual compile from source) I was amazed at the ease and speed with which the system was built, configured and operational.
I’ll spare most of the details, as installation requirements will vary from environment to environment, but the basic steps are below:

  • Installed OS, latest Debian build via net install.
  • # apt-get install mysql-server
    • Added a blank database and an associated user for use later.
  • # apt-get install snort-mysql
    • Debian Snort package with support for a MySQL database back-end, which is required for the Acid/Base web front end.
  • # apt-get install acidbase
    • Debian package for the Acid/Base web front end.

Each stage required some additional configuration steps, but all were intuitive or solvable with a couple of minutes of Google-Fu. The only real (and still minor) stumbling block was the Base front end initially complaining about the ADODB modules. Because one of the Apt steps had stated that this file had moved and would need fixing in the configuration, we spent some time trying to locate it within our installation, only to find that the package installs had not met all the prerequisites: a quick # apt-get install php5-mysql rapidly fixed the issue and all was good with the world again.
The only task still on the To-Do list is to install the Debian Oinkmaster package to ease Snort rule updates and allow finer-grained control over the process. The sensor is now fully functional but still in need of some tuning to reduce the noise ratio of alerts.
A useful addition to the security toolbox in less than a few hours; not bad for an afternoon’s work.
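The build steps and the php5-mysql stumbling block above, as an added helper script that is not part of the original post: one function checks that all four packages the build depended on are actually installed, and another emits the SQL for the "blank database and associated user" step with separate least-privilege accounts for the sensor and the Base front end. The database name, account names, passwords and the exact privilege sets are assumptions to adjust for your own installation.

```sh
#!/bin/sh
# Added example (not from the original post): provisioning helpers for a
# Debian snort-mysql sensor. Database, account and password values are
# assumed placeholders; the package names come from the post.

# Packages the build needed, including the php5-mysql module that the
# Base front end depended on but the package installs did not pull in.
REQUIRED_PKGS="mysql-server snort-mysql acidbase php5-mysql"

# Read installed package names on stdin (e.g. from
#   dpkg-query -W -f='${Package}\n')
# and print each required package that is absent, one per line.
# Returns 1 if anything is missing, 0 otherwise.
missing_packages() {
    installed=$(cat)
    rc=0
    for pkg in $REQUIRED_PKGS; do
        if ! printf '%s\n' "$installed" | grep -qx "$pkg"; then
            echo "$pkg"
            rc=1
        fi
    done
    return $rc
}

# Emit SQL that creates the Snort database and two accounts with only the
# rights each side needs: the sensor inserts events (and reads its own
# sensor/signature bookkeeping rows); the Base front end reads, manages
# and creates its own alert-group tables. Privilege sets are assumptions.
snort_db_sql() {
    db=$1
    sensor_user=$2
    sensor_pw=$3
    web_user=$4
    web_pw=$5
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\`;
CREATE USER '$sensor_user'@'localhost' IDENTIFIED BY '$sensor_pw';
GRANT INSERT, SELECT ON \`$db\`.* TO '$sensor_user'@'localhost';
CREATE USER '$web_user'@'localhost' IDENTIFIED BY '$web_pw';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON \`$db\`.* TO '$web_user'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Usage on the sensor (kept as comments so the file is safe to source):
#   dpkg-query -W -f='${Package}\n' | missing_packages || exit 1
#   snort_db_sql snort snort 'sensor-pw' base 'web-pw' | mysql -u root -p
```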
Andrew Waite
— Andy Rigby
