a> install and configure snort.
b> configure snort to give binary (unified) output.
a> install and configure barnyard.
b> run two instances of barnyard to get output into the local as well as the remote machine.
a> install and configure mysql.
b> install mysql on both the local and the remote machine.
c> configure the remote mysql to accept data from more than one machine.
a> install and configure base on the remote machine.
b> configure it to generate a report of the data received from several machines.
a> install and configure rrd-snort.
b> configure rrd to generate graphs from the mysql-snort data.
To start with, install snort using the package appropriate to the machine you are running (source tarball or rpm):
1> tar -xvzf snort*.tar.gz
2> rpm -ivh snort*.rpm
mkdir /var/log/snort ----------> dir. where snort writes its snort.log/snort.alert (unified) files; barnyard reads from here.
Edit these lines of your snort.conf file:
var HOME_NET (your ip or network)
var RULE_PATH (THE DIR. WHERE YOU HAVE YOUR RULES FILES)
# unified: Snort unified binary format alerting and logging
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
(limit 128 ----------> roll over to a new file once it reaches 128 MB; snort appends a timestamp to each file name.)
snort -c /etc/snort/snort.conf -i eth0 -l /var/log/snort
-c -----> configuration file snort should read.
-i -----> interface snort sniffs packets on.
-l -----> dir. snort writes the unified alert/log files into (must be the same dir. you give barnyard with -d).
To start with barnyard, install barnyard.
Compile it with mysql support (--enable-mysql) or get a precompiled rpm or deb package built with mysql.
1> tar -xvzf barnyard*.tar.gz
cp barnyard.conf to 2 places ---------> one config per barnyard instance (each instance also needs its own waldo file, see -w below).
Edit these lines in the first barnyard.conf file to send data to mysql on the local machine:
output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user root, password root
output log_acid_db: mysql, database snort, server localhost, user root, password root
Edit the second barnyard.conf file to send data to mysql on the remote machine:
output alert_acid_db: mysql, sensor_id 1, database snort, server remotehost, user root, password root
output log_acid_db: mysql, database snort, server remotehost, user root, password root
(user root, password root is only an illustration: use the dedicated mysql user you create in the mysql step, never root. On the remote database every sensor must use a different sensor_id, otherwise their events collide in the same sid/cid space.)
barnyard -c /etc/snort/barnyard.conf -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo
-c -----> configuration file barnyard should read (the second instance gets the second file).
-g -----> gen-msg.map: maps generator ids to names.
-s -----> sid-msg.map: maps signature ids to their message text.
-d -----> dir. containing the unified files logged by snort (snort's -l dir.).
-f -----> base name of the unified files to process (snort.log); barnyard matches the timestamped files itself.
-w -----> waldo (bookmark) file recording how far barnyard has read, so a restart resumes instead of re-inserting old events. Each barnyard instance needs its own waldo file.
Install mysql using the appropriate package.
Configure mysql (on both machines):
1> mysql -u root -p
2> create database snort;
3> grant all on snort.* to ***@***** identified by 'password';
(user@host ----------> on the remote machine the host part must be each sensor's address, not localhost, and mysql's bind-address in my.cnf must allow connections from the sensors. A dedicated user with only the rights barnyard needs is better than "all".)
zcat (make_mysql file) | mysql -u root -p snort ----------> loads the create_mysql schema shipped with snort (gzipped in some distro packages, hence zcat).
Check the schema was created:
1> mysql -u root -p
2> use snort;
3> show tables;
(FOR REMOTE MACHINE)
You can make more than one database as required:
1> either to get data from diff. machines into a single database.
2> or to get data from diff. machines into diff. databases.
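The following is an added example, not part of the original notes: a least-privilege version of the "grant all" step for the remote (central) mysql that receives data from several sensors. The sensor addresses 10.0.0.11 and 10.0.0.12, the account names and every password are placeholders you replace with your own.

```sql
-- Added example, not from the original notes: least-privilege accounts for a
-- central snort database fed by several Barnyard sensors and read by BASE and
-- rrd-snort. Addresses, account names and passwords are placeholders.
CREATE DATABASE IF NOT EXISTS snort;

-- Writers: one account per sensor host. Barnyard's acid_db output inserts events
-- and reads the sensor/signature tables; it has no reason to hold ALL PRIVILEGES.
-- Binding the account to the sensor's address means a leaked password is useless
-- from anywhere else, unlike a wildcard host '%'.
CREATE USER 'snort_sensor'@'10.0.0.11' IDENTIFIED BY 'sensor1-password';
CREATE USER 'snort_sensor'@'10.0.0.12' IDENTIFIED BY 'sensor2-password';
GRANT SELECT, INSERT, UPDATE ON snort.* TO 'snort_sensor'@'10.0.0.11';
GRANT SELECT, INSERT, UPDATE ON snort.* TO 'snort_sensor'@'10.0.0.12';

-- Reader for rrd-snort: it only counts rows in the event table, so SELECT is enough.
CREATE USER 'snort_graph'@'localhost' IDENTIFIED BY 'graph-password';
GRANT SELECT ON snort.* TO 'snort_graph'@'localhost';

-- Reader for BASE on the same host. BASE's setup page creates its own acid_* tables
-- and its alert-group and delete features write to the database, so it needs more
-- than SELECT; it still does not need GRANT OPTION or any rights outside snort.*.
CREATE USER 'base_user'@'localhost' IDENTIFIED BY 'base-password';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON snort.* TO 'base_user'@'localhost';

FLUSH PRIVILEGES;

-- Check what each account ended up with before pointing barnyard.conf / base_conf.php at it.
SHOW GRANTS FOR 'snort_sensor'@'10.0.0.11';
SHOW GRANTS FOR 'base_user'@'localhost';
```

With these accounts the "user root, password root" in the second barnyard.conf becomes user snort_sensor with that sensor's password, and $alert_user in base_conf.php becomes base_user. The remote mysql still has to listen on the network (bind-address in my.cnf) and the host firewall should allow port 3306 only from the sensor addresses.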
To get base working, first install php, adodb, apache, libapache-mod-php, php-pear, php-mysql, php-gd, libphp-adodb (look for compatible versions for your machine).
Install base using the appropriate version.
cp base_conf.php.dist base_conf.php
Edit these lines in your base_conf.php file:
$BASE_urlpath = '/base'; (path where the apache server looks for the files, e.g. http://localhost/base)
$DBlib_path = '/var/www/adodb5'; (path to the adodb libraries)
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = ''; (empty = mysql's default port)
$alert_user = 'mysql-snort-user';
$alert_password = 'mysql-snort-password';
Go to a browser and type the ip of your system.
You will then see diff. files to choose from; click on base. On first use, base's setup page creates the extra tables it needs in the snort database.
To get rrd-snort working, first install rrdtool.
Then get the rrd-snort.pl file.
Always run rrd-snort in the dir. where you want it to place the resulting graph. It only reads the event table, so a mysql user with SELECT rights on the snort database is enough for it.
perl rrd-snort.pl -H hostip -u (mysql-snort-user) -p(snort-user-password)
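The queries below are an added example, not from the original notes or from base/rrd-snort themselves: they show the per-sensor report (the base step) and the per-interval alert counts (the rrd-snort step) derived directly from the snort schema that create_mysql installs. The table and column names (sensor, event, signature, iphdr) are those of that schema; the time windows are arbitrary.

```sql
-- Added example, not from the original notes: reporting queries over the
-- snort schema (create_mysql) that a central database holds for several sensors.
USE snort;

-- Which sensors have reported and how many alerts each has sent (what base's
-- front page summarises). A sensor with 0 alerts and no last_seen usually means
-- its barnyard instance is not reaching this database.
SELECT s.sid, s.hostname, s.interface,
       COUNT(e.cid)     AS alerts,
       MAX(e.timestamp) AS last_seen
FROM sensor s
LEFT JOIN event e ON e.sid = s.sid
GROUP BY s.sid, s.hostname, s.interface
ORDER BY alerts DESC;

-- Top signatures across all sensors in the last 24 hours.
SELECT sig.sig_name, sig.sig_priority, COUNT(*) AS hits
FROM event e
JOIN signature sig ON sig.sig_id = e.signature
WHERE e.timestamp >= NOW() - INTERVAL 1 DAY
GROUP BY sig.sig_id, sig.sig_name, sig.sig_priority
ORDER BY hits DESC
LIMIT 10;

-- Source addresses generating the most alerts (ip_src is stored as an unsigned int).
SELECT INET_NTOA(ip.ip_src) AS src, COUNT(*) AS alerts
FROM event e
JOIN iphdr ip ON ip.sid = e.sid AND ip.cid = e.cid
WHERE e.timestamp >= NOW() - INTERVAL 1 DAY
GROUP BY ip.ip_src
ORDER BY alerts DESC
LIMIT 10;

-- Alerts per sensor per five-minute bucket over the last hour: the kind of data
-- point rrd-snort feeds into an rrdtool database to draw its graph.
SELECT s.hostname,
       FROM_UNIXTIME(FLOOR(UNIX_TIMESTAMP(e.timestamp) / 300) * 300) AS bucket,
       COUNT(*) AS alerts
FROM event e
JOIN sensor s ON s.sid = e.sid
WHERE e.timestamp >= NOW() - INTERVAL 1 HOUR
GROUP BY s.hostname, bucket
ORDER BY bucket, s.hostname;

-- Sanity check for the two-instance barnyard setup: the highest cid per sensor
-- should keep growing on both the local and the remote database while snort is
-- producing unified files. If it stalls on one side, look at that instance's waldo file.
SELECT sid, MAX(cid) AS last_cid
FROM event
GROUP BY sid;
```

Run these with the read-only graphing user rather than root; none of them need more than SELECT on the snort database.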