SnortSMS Quick (and dirty) Setup Guide

Ver 1.4.6 - Last Updated 12/05/2006

  1. System Requirements

    This is a quick guide to help you set up SnortSMS. It is assumed you have at least two servers available to function as the SnortSMS Collector and the SnortSMS Sensor (although these could technically be the same system). Here's what should be on each system:

    Be sure to include the CLI build option for PHP, as SnortSMS requires some scripts to execute from the command line shell. MySQL, cURL, pcre, and pcntl should be compiled into PHP or available as a PHP module extension.

    The sensor Agent software is a custom Webmin module, so you will need to install Webmin on the sensor as a prerequisite. This shouldn't be an issue, since Webmin is also a good administration tool for the sensor.

    Barnyard is an optional tool which allows Snort alerts to be propagated to a central database in the background. Although Snort can write to the database directly, we recommend Barnyard as it is more reliable and frees Snort of latency and fail-over issues.

  2. SnortSMS Collector Setup

    Prerequisites

    We assume you have an available server established with Apache, PHP (with the above requirements), and MySQL client libraries (and MySQL server, if you plan to run the databases locally).

    Installing the SnortSMS Collector Website

    1. Extract the SnortSMS archive files to a preferred web-root location. ( For example: /usr/local/www/snortsms )
    2. Ensure that the subdirectory "conf/" and the file "conf/conf.php" are read/writeable by the webserver user (www).
      	# chown :www conf/ conf/conf.php
      	# chmod 775 conf/
      	# chmod 664 conf/conf.php
    3. Important: Your PHP server configuration might need some tweaking. Here are a few settings for your 'php.ini' file:
      	short_open_tag = On
      	magic_quotes_gpc = Off
      	magic_quotes_runtime = Off
      	max_execution_time = 120
      	max_input_time = 120
      	memory_limit = 100M 
      	post_max_size = 20M
      	upload_max_filesize = 20M
      	include_path = ".:/usr/local/share/pear"
    4. SnortSMS needs a temporary place to write files. Take note of this location for your Global Configuration Settings. We suggest you create a subdirectory within your system's temp directory:
      	# mkdir /var/tmp/snortsms
      	# chmod 1777 /var/tmp/snortsms
    5. Verify your Apache webserver settings are correct and pointing to this new web-root location. ( For example: /usr/local/www/snortsms )
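    The php.ini values and the 1777 temp directory above are easy to get wrong and show up later as import or save failures (see the FAQ). The following check script is an added example, not part of SnortSMS: it reads a php.ini, compares each setting with the values the steps above list (On/Off flags must match; limits may be larger), and verifies the scratch directory's mode. The file paths and the use of POSIX sh with find/sed are assumptions.

```shell
#!/bin/sh
# Added example (not part of SnortSMS): checks the php.ini values and the
# temp-directory mode that the collector install steps call for.
# Assumptions: POSIX sh with GNU or BSD find/sed; php.ini path and temp
# directory are passed on the command line.

# php_setting INI KEY: print the effective value of KEY (the last uncommented
# assignment wins, as in PHP) with surrounding quotes and ';' comments removed.
php_setting() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*;.*$//' \
              -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# php_size_bytes VALUE: convert php.ini shorthand (20M, 100M, 1G, 8192) to bytes.
php_size_bytes() {
    n=$(printf '%s' "$1" | sed 's/[^0-9].*$//')
    n=${n:-0}
    case "$1" in
        *[Kk]) echo $((n * 1024)) ;;
        *[Mm]) echo $((n * 1024 * 1024)) ;;
        *[Gg]) echo $((n * 1024 * 1024 * 1024)) ;;
        *)     echo "$n" ;;
    esac
}

# check_php_ini INI: compare the settings the guide lists against INI.
# Prints one line per problem; returns 0 only when everything is acceptable.
check_php_ini() {
    ini=$1; rc=0
    for want in short_open_tag=On magic_quotes_gpc=Off magic_quotes_runtime=Off; do
        key=${want%%=*}; exp=${want#*=}
        got=$(php_setting "$ini" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" != "$(printf '%s' "$exp" | tr 'A-Z' 'a-z')" ]; then
            echo "php.ini: $key is '${got:-unset}', guide wants '$exp'"; rc=1
        fi
    done
    for want in max_execution_time=120 max_input_time=120; do
        key=${want%%=*}; exp=${want#*=}
        got=$(php_setting "$ini" "$key")
        case "$got" in
            0|-1) ;;                                  # PHP treats 0 / -1 as "no limit"
            ''|*[!0-9]*) echo "php.ini: $key is '${got:-unset}', guide wants $exp"; rc=1 ;;
            *) if [ "$got" -lt "$exp" ]; then
                   echo "php.ini: $key is $got, guide wants at least $exp"; rc=1
               fi ;;
        esac
    done
    for want in memory_limit=100M post_max_size=20M upload_max_filesize=20M; do
        key=${want%%=*}; exp=${want#*=}
        got=$(php_setting "$ini" "$key")
        if [ "$got" = "-1" ]; then continue; fi      # -1 = unlimited
        if [ "$(php_size_bytes "$got")" -lt "$(php_size_bytes "$exp")" ]; then
            echo "php.ini: $key is '${got:-unset}', guide wants at least $exp"; rc=1
        fi
    done
    # Without a PEAR directory on include_path SnortSMS fails with "Missing DB.php".
    case "$(php_setting "$ini" include_path)" in
        *pear*) ;;
        *) echo "php.ini: include_path does not contain a PEAR directory"; rc=1 ;;
    esac
    return $rc
}

# check_tmpdir DIR: the guide wants the scratch directory to exist with mode 1777
# (world-writable with the sticky bit, like /tmp, so only a file's owner may remove it).
check_tmpdir() {
    dir=$1
    [ -d "$dir" ] || { echo "temp dir $dir missing (mkdir $dir; chmod 1777 $dir)"; return 1; }
    if find "$dir" -prune -perm 1777 | grep -q .; then
        return 0
    fi
    echo "temp dir $dir is not mode 1777 (chmod 1777 $dir)"; return 1
}

# Usage: sh check_collector.sh /usr/local/etc/php.ini /var/tmp/snortsms
if [ $# -ge 1 ]; then
    status=0
    check_php_ini "$1" || status=1
    if [ $# -ge 2 ]; then check_tmpdir "$2" || status=1; fi
    exit $status
fi
```

    Run it as the webserver user (for example with su to www) if you also want the implicit check that the script can read php.ini from that account; the temp-directory test only looks at the mode bits, so it does not need root.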

    Creating the SnortSMS Database

    1. Create a new database, preferably called 'SNORTSMS'. Use the supplied MySQL dump to restore the database tables.
      	# mysql -u root -p < {snortsms_source}/schema/SNORTSMS.mysql
    2. Create a new database user 'snortsms' (or use an existing user) and grant permissions to the SNORTSMS database. Take note of the username and password for your Global Configuration Settings.

    Creating the Snort Alert Database (optional)

    If you would like a central database where all Snort sensors can send the Alert events to, you can create a Snort database on the SnortSMS collector or an alternate server.

    1. Create a new database, preferably called 'SNORT'. The Snort distribution source files include an automated script which can build out the proper table structure.
      Use the supplied MySQL script to create the database tables:
      	# mysql -u root -p < {snort-x.x.x}/schemas/create_mysql
    2. Create a new database user 'snortsms' (or use an existing user) and grant permissions to the SNORTSMS database. Take note of the username and password for your Global Configuration Settings.

    Modifying the Snort Event Database

      Note: If you plan to use the SnortSMS Alert Browser to view incoming alerts, you will need to modify Snort's default database.

    3. Modify the 'event' table in your SNORT central database by adding the 'viewed' field. Execute the following from your mysql console:
      	mysql> use {your snort db name};
      	mysql> alter table event add column viewed tinyint (1);
      Or execute the script supplied with SnortSMS (mysql selects the database with -D):
      	# mysql -D {SnortDB} -u root -p < {snortsms_source}/schema/SNORT_DB_mod.mysql
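    Both database sections above say to create a user and "grant permissions" without saying which privileges. The script below is an added example, not SnortSMS code: it prints GRANT statements scoped to one database and one client host per account, so a compromised sensor cannot read or alter the collector's own tables. The privilege sets, account names, hosts and password are assumptions for illustration (the sensor account is granted on the SNORT alert database, the collector account on SNORTSMS plus the browser access it needs on SNORT); pipe the output into "mysql -u root -p". It uses the MySQL 5.x "GRANT ... IDENTIFIED BY" form current when this guide was written; on MySQL 8 run CREATE USER first and drop the IDENTIFIED BY clause.

```shell
#!/bin/sh
# Added example (not SnortSMS code): least-privilege GRANT statements for the
# database accounts the guide has you create. Privilege sets, names, hosts and
# the password are placeholders/assumptions; review before running.

# grant_sql DB PRIVS USER HOST PASSWORD: one GRANT limited to DB.* from HOST.
grant_sql() {
    printf "GRANT %s ON \`%s\`.* TO '%s'@'%s' IDENTIFIED BY '%s';\n" "$2" "$1" "$3" "$4" "$5"
}

# snortsms_grants USER HOST PASSWORD: the collector web application reads and
# writes its own SNORTSMS tables (assumed set). The schema is loaded as root in
# the guide, so CREATE/DROP are deliberately not granted to the application.
snortsms_grants() {
    grant_sql SNORTSMS "SELECT, INSERT, UPDATE, DELETE" "$1" "$2" "$3"
}

# snort_grants SENSOR_USER SENSOR_HOST SENSOR_PASS BROWSER_USER BROWSER_HOST BROWSER_PASS:
# a sensor (Snort or Barnyard) only needs to add events and look up sensor and
# signature rows, so it gets SELECT and INSERT. The collector's Alert Browser needs
# UPDATE for the 'viewed' column added above and DELETE only if alerts are purged
# from it (assumed sets).
snort_grants() {
    grant_sql SNORT "SELECT, INSERT" "$1" "$2" "$3"
    grant_sql SNORT "SELECT, UPDATE, DELETE" "$4" "$5" "$6"
}

# Usage: sh db_grants.sh print | mysql -u root -p
# Placeholder values below (192.0.2.20 = a sensor's IP); replace before use.
if [ $# -ge 1 ] && [ "$1" = "print" ]; then
    snortsms_grants snortsms localhost 'CHANGE-ME'
    snort_grants snort 192.0.2.20 'CHANGE-ME' snortsms localhost 'CHANGE-ME'
    printf 'FLUSH PRIVILEGES;\n'
fi
```

    Note that 'snortsms'@'localhost' appears twice; in MySQL that is one account, so give it the same password in both lines (a second IDENTIFIED BY on an existing account resets its password).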
      	

  3. SnortSMS IDS Sensor Setup

    Prerequisites

    We assume you have an available server established with a basic installation of Snort and Webmin (also Barnyard and MySQL Client libraries if you desire to propagate Snort Events to a central database).

    Installing the SnortSMS Agent

    The SnortSMS Agent is designed to reside on the remote Snort sensor and is packaged as a third-party Webmin Module. The Agent is included with the SnortSMS Collector distribution under the 'Agent' directory path. This Agent allows the SnortSMS Collector server to communicate with and remotely control the sensor.

    1. With a web browser, browse and login to your sensor's Webmin interface.
    2. Important: Be sure to select "Disable session authentication" in Webmin -> Webmin Configuration -> Authentication section. Otherwise SnortSMS Collector (cURL) will not be able to authenticate into your Webmin interface.
    3. On the "Webmin" tab, click on the "Webmin Configuration" icon.
    4. Click on the "Webmin Modules" icon.
    5. In the "Install Module" box, enter the source of the "snortsms-agent-x.x.x.wbm.gz" module.
    6. Click the "Install Module" button to install the agent.
    7. Once installed, browse to the "Others" tab, and click on the "SnortSMS Agent" icon to verify the install. The agent itself has no configuration requirements from within Webmin (all options are governed by the collector).
    8. Create a new Webmin user, preferably 'snortsms'. Allow only access to the "SnortSMS Agent" module for this user. Take note of the username and password you have chosen.

    Testing

    It is possible to test the Agent via the browser. Point your web browser to:

    http://userid:password@<sensorip>:10000/snortsms/agent.cgi?ac=test

    Be sure to use the correct protocol (http/https), the correct login/password, and sensor IP. If all is configured correctly, you should see a simple test page.

  4. Configuring the SnortSMS Web Application

    Prerequisites

    At this juncture, you should have a SnortSMS Collector and at least one SnortSMS sensor established and functional. We will now walk you through a few steps required to get SnortSMS configured and start managing your Snort sensor(s).

      Configure SnortSMS global settings

    1. Browse to the SnortSMS web location. If all is well, you should see the SnortSMS interface.
    2. For your first login, use Userid 'admin' and Password 'admin' (change this default password once you are logged in).
    3. On the top menu, under "Settings", click "Global Settings".
    4. Enter the database settings from the previous database section.
    5. Verify the remainder of the settings, ensuring all paths are correct for your system.
    6. On the top menu, under "Settings", click "Test Configuration". Be sure to resolve any errors reported here before continuing.

      Create a Snort Daemon Profile
      You MUST create at least one Snort Daemon Profile. It tells SnortSMS how to launch the snort process on the remote sensor.

    1. Browse to Libraries -> Snort Daemon Profiles.
    2. Click the 'New Snort Profile' link.
    3. Give it a name, set the interface snort will sniff, and the path where the snort.conf file will reside on the sensor (be sure this path exists).
    4. Be sure you enter the correct path to the Snort executable on your sensors.
    5. Also be sure the PID file and path are valid.
    6. Provide the correct values for each of the Snort command line switches (arguments).
    7. Now save the profile.

      Populating the libraries
      Before you can assign configurations to your sensors, you must first populate the SnortSMS configuration libraries. The easiest way to fill the libraries is to import the various Snort snapshot tarball files. The Snort source code tarball contains most of the default variables and config directives. Many VRT and Community rules are now available in separate files.

      So start by importing the Snort source tarball (e.g. Snort-x.x.x.tar.gz). Don't worry, SnortSMS will only find what it needs. Next, import any of the Rule distribution tarballs (e.g. Community-Rules-x.x.tar.gz). You can either download it to your local desktop or import it from the web.

    1. Click on the "Import" link under the "Libraries" menu.
    2. Enter the URL or tarball file, then press "Import".

      This will parse the tarball file, detecting any and all rules and directives, and populate the SnortSMS libraries accordingly. Once this is done, you should be able to browse the libraries and verify the imported resources.

      Create a Rule Profile
      Now that your resource libraries are full, we suggest you first create at least one rule profile. You cannot assign rules directly to sensors; only rule profiles can be assigned to each sensor.

    1. Browse to Libraries -> Rules -> Rule Profiles.
    2. Click on the "New Profile" link, enter a profile name and save the new profile.
    3. Now, click the "Pick" link on your profile to browse through the rule libraries and assign the rules you want to this profile.

      Adding Sensors
      Now you are ready to start adding sensor profiles into the SnortSMS console.

    1. Click on the Sensors -> Administration Console link.
    2. Click "Add Sensor".
    3. Enter the Sensor name and save. Note: Do not include special characters.
    4. Click on the individual tabs to configure the rest of the sensor properties. Remember to 'Update' each tab's settings before moving on to the next tab.
    5. TIP: If you have multiple similar sensors to add, configure at least one sensor, then use the 'Clone Sensor' link on the Administration Console.
    6. It is a good idea to check communications between SnortSMS and the sensors. Click on the "Status" tab in Sensor Administration, and click 'Refresh Status'. If everything is working correctly, you should get a green connection indication and Sensor statistics.
    7. Verify communication to the sensor's Snort daemon by clicking on the 'info' link.
    8. If communications are working, you may now start pushing out the configurations to the sensors.

      Testing
      At this point, SnortSMS should be properly configured. We also assume you have at least one functional Snort-based sensor defined. From the Administration Console, click anywhere on your sensor line. You should be able to get statistical data from the 'Status' tab. There is also a "Test Configuration" under the Settings menu. This is very helpful in determining common issues.

  5. Troubleshooting - FAQ

    Issue: I get an error while trying to save the Global Settings.
    Resolution:
    • Be sure the "conf.php" file has read/write permissions for the webserver user. This also applies to the parent directories.

    Issue: I cannot connect to the remote sensor agent.
    Resolution:
    • Be sure to "Disable session authentication" in Webmin (refer to Quick Start Guide).
    • Are you using the correct protocol (http/https)?
    • Verify the username exists within Webmin and that the user has been granted access to the SnortSMS Agent module.
    • Test connectivity via the web browser (refer to Sensor Test method in Quick Start Guide).
    • Are there any firewall or ACL issues between the Collector and the Sensor?
    • Check the SnortSMS log file (if configured) for clues.

    Issue: I get a database connection error.
    Resolution:
    • Verify your database server and table installation. Ensure you have the correct username and password configured in SnortSMS Global Settings and in your database permissions section.

    Issue: I get an error "Missing DB.php".
    Resolution:
    • Be sure the PEAR-DB abstraction layer is properly installed.
    • Check that your PHP "include" path is correct and includes the path to the PEAR files.

    Issue: Importing Snort snapshot file failed.
    Resolution:
    • Verify your path setting for temporary files in 'SnortSMS Global Settings'.
    • Verify your temp path is read/writable by your web server userid (chmod 1777 /tmp/path).
    • Verify correct path for 'tar' on your web server in 'SnortSMS Global Settings'.
    • Verify your max upload, max memory, and max execution parameters in 'php.ini' config file (refer to Quick Start Guide).

    Issue: Snort Fails to start via SnortSMS.
    Resolution:
    • In the Snort Daemon Profiles section, verify that the path to the snort executable for the sensor is correct.
    • In the Snort Daemon Profiles section, verify the path to the PID file on the sensor.
    • Take a look at the Snort command trace file. It should be located on the sensor in the snort config directory under the filename 'SMS_snort.<interface>.conf.CMD'.
      This file stores the command syntax used to start snort. For troubleshooting, you should be able to execute this command line locally on the sensor.

    Issue: Barnyard Fails to start via SnortSMS.
    Resolution:
    • In the Barnyard Daemon Profiles section, verify that the path to the barnyard executable for the sensor is correct.
    • In the Barnyard Daemon Profiles section, verify the path to the PID file on the sensor.
    • Take a look at the Barnyard command trace file. It should be located on the sensor in the snort config directory under the filename 'SMS_barnyard.<interface>.conf.CMD'.
      This file stores the command syntax used to start barnyard. For troubleshooting, you should be able to execute this command line locally on the sensor.