11.1 SnortCenter Console Installation

There are two parts to the SnortCenter installation, the console and the agent. The console runs on the management console and provides the web interface for managing all Snort sensors. As previously mentioned, it can be installed on the same system running ACID. The SnortCenter agent runs on all peripheral Snort sensors. They report all Snort-related alerts and configuration information to the console.

Download and install the SnortCenter console software. This application is used for a variety of purposes, including updating your list of signatures and rules, managing and customizing the different sensors in your networks, creating custom signatures, and adding pre-processors to the rule base. SnortCenter is a powerful program that can simplify the management of your Snort deployment. It also includes plug-in support for the SnortSAM application, which allows for automated blocking of IP addresses from a variety of firewalls. SnortSAM is discussed in Chapter 8.

11.1.1 Prerequisites

The SnortCenter console prerequisites include:

Apache

You can find Apache intallation instructions in Chapter 10.

PHP

Instructions for installing PHP are located in Chapter 10.

ADODB

ADODB installation instructions are also in Chapter 10.

cURL Binary

Can be found at http://curl.haxx.se/download.html. Installation details below.

OpenSSL library

Most Unix-based systems these days have OpenSSL installed. It is necessary for SSH support. If you do not have it installed, it can be found at http://www.openssl.org.

11.1.1.1 Installing curl Binary

From the curl web site (http://curl.haxx.se):

Curl is a command-line tool for transferring files with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE, and LDAP. Curl supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading, kerberos, HTTP form based upload, proxies, cookies, user+password authentication, file transfer resume, http proxy tunneling, and a busload of other useful tricks.

From the download page, select an RPM that includes SSL support and install it using the following command line

# mkdir /usr/local/src/curl

# cp curl-7.10.5-42.i586.rpm /usr/local/src/curl/.

# cd /usr/local/src/curl

# rpm -ivh curl-7.10.5-42.i586.rpm

11.1.2 Installing the Console Software

The URL for downloading the SnortCenter software is located at http://users.pandora.be/larc/download/.

Be sure to download the correct version for your Snort release. Version 1.0-RC1 is the latest release for Snort-2.1.x. Previous versions of SnortCenter work only with Snort-1.9.1 and earlier.

Here is one possible method for downloading and installing the latest SnortCenter code.

# cp snortcenter-v1.0-RC1.tar.gz /usr/local/httpd/htdocs/

# cd /usr/local/httpd/htdocs/

# gunzip -c snortcenter-v1.0-RC1.tar.gz | tar xvf -

# cd www/

# mkdir /usr/local/httpd/htdocs/snortcenter/

# cp -R * /usr/local/httpd/htdocs/snortcenter/

# cd /usr/local/httpd/htdocs/snortcenter/

# rm -rf /usr/local/httpd/htdocs/www

The files in this directory may need to be converted to Unix format. This was the case for earlier versions; it may have been rectified by the time you read this book. I recommend using the dos2unix conversion program for converting these files back to Unix format. The dos2unix program is available in RPM format and comes with Red Hat Linux. Select it during the initial install or download the source code from the dos2unix home page at http://www.megaloman.com/~hany/software/hd2u/ or from an open source repository, such as Freshmeat (http://freshmeat.net).

Convert the files back to Unix format within the snortcenter/ directory:

# dos2unix *

Edit the main configuration file:

# vim config.php

Modify the following lines in config.php. The $DB_password variable should be the root password on the default database; $hidden_key_num should just be a random number. $hidden_key_num is used in the authentication system to encrypt a value in the cookie. Since this is a text file containing sensitive data (passwords and so on), there should be some consideration given to protecting this file with strong access controls, etc. Of course, the same goes for any file that contains usernames and passwords in clear text, such as the snort.conf file.

$DBlib_path = "../adodb

";

$DB_dbname = "snortcenter";

$DB_host = "localhost";

$DB_user = "root

";

$DB_password = "xxxxxxx

";

$DB_port = "";

$hidden_key_num = "2345678

"

There are other items that can be enabled or left disabled. Check the remaining options in the configuration file and decide what features should be enabled—for example, the notification of rule updates, a default mail server and email address, and a link to the main ACID interface. Here are additional variables that can be specified:

$alert_console = "http://<youracidhost>/acid/

";



$snortrules_url = "http://www.snort.org/dl/rules/snortrules-stable.tar.gz

";

Once the config.php file has been edited correctly, create the SnortCenter database in MySQL. I've chosen to call the database "snortcenter"—you could certainly choose something else. If you do, make certain that the config.php file reflects the change.

# mysql -u root -p

mysql> create database snortcenter;

mysql> exit

This database is used to store all the rules and updates needed to stay current with any new signatures.