11.1 SnortCenter Console Installation
There are two parts to the SnortCenter installation, the console and the agent. The console runs on the management console and provides the web interface for managing all Snort sensors. As previously mentioned, it can be installed on the same system running ACID. The SnortCenter agent runs on every peripheral Snort sensor and reports all Snort-related alerts and configuration information to the console.
Download and install the SnortCenter console software. This application is used for a variety of purposes, including updating your list of signatures and rules, managing and customizing the different sensors in your networks, creating custom signatures, and adding pre-processors to the rule base. SnortCenter is a powerful program that can simplify the management of your Snort deployment. It also includes plug-in support for the SnortSAM application, which allows for automated blocking of IP addresses from a variety of firewalls. SnortSAM is discussed in Chapter 8.
The SnortCenter console prerequisites include:
11.1.1 Installing curl Binary
From the curl web site (http://curl.haxx.se):
From the download page, select an RPM that includes SSL support and install it using the following command line:
# mkdir /usr/local/src/curl
# cp curl-7.10.5-42.i586.rpm /usr/local/src/curl/.
# cd /usr/local/src/curl
# rpm -ivh curl-7.10.5-42.i586.rpm
11.1.2 Installing the Console Software
The URL for downloading the SnortCenter software is located at http://users.pandora.be/larc/download/.
Here is one possible method for downloading and installing the latest SnortCenter code.
# cp snortcenter-v1.0-RC1.tar.gz /usr/local/httpd/htdocs/
# cd /usr/local/httpd/htdocs/
# gunzip -c snortcenter-v1.0-RC1.tar.gz | tar xvf -
# cd www/
# mkdir /usr/local/httpd/htdocs/snortcenter/
# cp -R * /usr/local/httpd/htdocs/snortcenter/
# cd /usr/local/httpd/htdocs/snortcenter/
# rm -rf /usr/local/httpd/htdocs/www
Convert the files back to Unix format within the snortcenter/ directory:
# dos2unix *
Edit the main configuration file:
# vim config.php
Modify the following lines in config.php. The $DB_password variable should be the root password on the default database; $hidden_key_num should just be a random number. $hidden_key_num is used in the authentication system to encrypt a value in the cookie. Since this is a text file containing sensitive data (passwords and so on), there should be some consideration given to protecting this file with strong access controls, etc. Of course, the same goes for any file that contains usernames and passwords in clear text, such as the snort.conf file.
$DBlib_path = "../adodb";
$DB_dbname = "snortcenter";
$DB_host = "localhost";
$DB_user = "root";
$DB_password = "xxxxxxx";
$DB_port = "";
$hidden_key_num = "2345678";
There are other items that can be enabled or left disabled. Check the remaining options in the configuration file and decide what features should be enabled—for example, the notification of rule updates, a default mail server and email address, and a link to the main ACID interface. Here are additional variables that can be specified:
$alert_console = "http://<youracidhost>/acid/";
$snortrules_url = "http://www.snort.org/dl/rules/snortrules-stable.tar.gz";
Once the config.php file has been edited correctly, create the SnortCenter database in MySQL. I've chosen to call the database "snortcenter"—you could certainly choose something else. If you do, make certain that the config.php file reflects the change.
# mysql -u root -p
mysql> create database snortcenter;
mysql> exit
This database is used to store all the rules and updates needed to stay current with any new signatures.
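Returning to the config.php step: as an added example (not code from the book or from SnortCenter), the following POSIX shell script generates a random $hidden_key_num from /dev/urandom, writes the variables listed above into config.php with restrictive permissions, and checks that the file is not world-readable. The config.php path and the web server group are assumptions; adjust them to your system.

```shell
#!/bin/sh
# Added example, not from the book: write a SnortCenter config.php with a
# random $hidden_key_num and restrictive permissions, then verify it.
# Assumption: the caller passes the path to config.php (e.g. the
# /usr/local/httpd/htdocs/snortcenter/config.php used in the text).

# $hidden_key_num only has to be an unpredictable number: take 32 bits from
# /dev/urandom as an unsigned decimal rather than inventing one by hand.
gen_hidden_key() {
    od -An -N4 -tu4 /dev/urandom | tr -d ' \n'
}

# Write the variables the section lists.  Arguments: path, DB password, key.
# The book uses the MySQL root account; a dedicated user with rights only on
# the snortcenter database would limit the damage if this file ever leaks.
write_config() {
    _path=$1; _pw=$2; _key=$3
    # Create the file with no group/other access before any secret is written,
    # then relax it to 640 (root plus the web server group can read it).
    (umask 077 && cat > "$_path") <<EOF
<?php
\$DBlib_path = "../adodb";
\$DB_dbname = "snortcenter";
\$DB_host = "localhost";
\$DB_user = "root";
\$DB_password = "$_pw";
\$DB_port = "";
\$hidden_key_num = "$_key";
?>
EOF
    chmod 640 "$_path"
    # On the real system also run: chown root:<web server group> "$_path"
}

# Check that config.php is not readable by "other" (the usual leak path when
# htdocs is world-readable).  Returns 0 if private, 1 otherwise or if missing.
config_is_private() {
    [ -f "$1" ] || return 1
    case $(ls -ld "$1" | cut -c8) in
        r) return 1 ;;
        *) return 0 ;;
    esac
}
```

A password containing a double quote, backslash or dollar sign would need escaping before being passed to write_config, since it is expanded inside the heredoc.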