Configure Snort to log packets to MySQL
Author : Vincent Danen, ZDNet Asia
Administrators can use Snort to detect intrusions on the network.
Snort, a network intrusion detection system, can be configured to log packets to a remote MySQL server. A graphical Web interface can be used to view captured packets and statistics.
To begin on the MySQL server, the database must first be created.
In this scenario, the Snort server is “snort.host” and the MySQL server is "mysql.host".
Connect to the database as root:
# mysql -u root -p
mysql> create database snort;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on snort.* to snort@snort.host;
mysql> set password for snort@snort.host=PASSWORD('snortpass');
mysql> flush privileges;
mysql> \q
The grant is limited to connections from snort.host, so these credentials are useless from any other machine; pick a stronger password than 'snortpass', since it will also be stored in clear text in snort.conf.
With the Snort documentation comes a file called create_mysql, which has the schema for the database.
On a typical Linux install, this file would be found in /usr/share/doc/snort-[version]/create_mysql.
Load this file into the new database as root:
# mysql -u root -p snort < /usr/share/doc/snort-[version]/create_mysql
Next, on the system where Snort will be running, edit the /etc/snort/snort.conf configuration file and tell it to log to the database. The directive must be on a single line (or continued with a trailing backslash):
output database: log, mysql, user=snort password=snortpass dbname=snort host=mysql.host
Finally, because the file now contains the database password, make sure that /etc/snort/snort.conf is mode 0640 and owned root:snort:
# chown root:snort /etc/snort/snort.conf
# chmod 0640 /etc/snort/snort.conf
The next step is to start Snort; the supplied initscript will start it, or you can launch it manually in the background:
# /usr/sbin/snort -c /etc/snort/snort.conf &
Starting Snort once without sending it to the background is a good idea to ensure the connection takes. You can also look on the MySQL server to ensure that logging is active:
# echo "SELECT hostname FROM sensor;" | mysql -u root -p snort
The hostname of the Snort sensor should be displayed, one row per sensor (the interface it listens on is in the interface column of the same table). No rows means Snort never registered with the database, so check the directive and the MySQL grant before looking further.
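A post-setup check for the steps above, added here as an example and not part of the original article: it reads the output database: directive from a snort.conf (joining Snort's backslash line continuations), confirms that the four connection parameters are present and that the file is mode 0640, and builds the sensor query so that it runs as the snort account rather than as MySQL root. It assumes GNU stat for the mode check; the snort.conf path and contents are whatever you pass in.

```sh
#!/bin/sh
# Added example (not part of the original article): sanity checks for the
# Snort -> MySQL logging setup described above. Assumes GNU stat(1).

# Print the "output database:" directive from a snort.conf with Snort's
# backslash line continuations joined and comment lines dropped.
snort_db_directive() {
    sed -e ':a' -e '/\\$/N' -e 's/\\\n//' -e 'ta' "$1" \
      | grep -v '^[[:space:]]*#' \
      | grep -E '^[[:space:]]*output[[:space:]]+database:'
}

# Return 0 when the directive carries the four parameters Snort needs to
# reach MySQL (user, password, dbname, host), 1 otherwise.
snort_db_directive_ok() {
    line=$(snort_db_directive "$1") || return 1
    for key in user password dbname host; do
        printf '%s\n' "$line" | grep -Eq "(^|[[:space:],])$key=[^[:space:],]+" || return 1
    done
    return 0
}

# Return 0 when the file mode is exactly 0640 (group may read, others may
# not), 1 otherwise. The directive holds the database password, which is
# why the file must not be world-readable.
snort_conf_mode_ok() {
    [ "$(stat -c '%a' "$1")" = "640" ]
}

# Build the verification command from the directive itself, so the sensor
# query runs with the same credentials Snort uses instead of MySQL root.
snort_sensor_query_cmd() {
    line=$(snort_db_directive "$1") || return 1
    user=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:],]user=\([^[:space:],]*\).*/\1/p')
    db=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:],]dbname=\([^[:space:],]*\).*/\1/p')
    host=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:],]host=\([^[:space:],]*\).*/\1/p')
    printf 'mysql -h %s -u %s -p %s -e "SELECT sid, hostname, interface, last_cid FROM sensor;"\n' \
        "$host" "$user" "$db"
}

# Usage: run all three against the live config before starting Snort.
#   snort_db_directive_ok /etc/snort/snort.conf && \
#   snort_conf_mode_ok /etc/snort/snort.conf && \
#   snort_sensor_query_cmd /etc/snort/snort.conf
```

The last function only prints the mysql command; paste it into a shell on the MySQL server (or anywhere the snort account is allowed to connect from) to confirm the sensor row exists.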
Now that Snort is logging data to MySQL, BASE (Basic Analysis and Security Engine) is a convenient way to view the data through a Web interface. BASE requires a Web server and PHP. Once you have unarchived it in the Web server's document tree, copy base_conf.php.dist to base_conf.php and edit it, in particular setting $DBtype, $alert_dbname, $alert_host, $alert_user and $alert_password to point at the Snort log database.
BASE also needs its own MySQL account. The grant above only covers connections from snort.host, so if BASE runs on the MySQL server itself add a snort@localhost user (or a separate account for BASE) with privileges on the snort database; SELECT alone is not enough, because BASE creates and updates its own cache tables in that database.
Once that is done, navigate to the BASE install that you just set up and follow the instructions presented to set up the caching table for BASE. When that is complete, BASE is now available to view and graph the logged Snort data.
How To Install The Openbravo ERP On Debian Etch
Author: Oliver Meyer
Last edited 03/07/2008
This document describes how to set up Openbravo ERP (enterprise management system) on Debian Etch. Taken from the Openbravo page: "Openbravo is an open source ERP solution designed specifically for the SME (small to midsize firm). Developed in a web based environment, it includes many robust functionalities which are considered part of the extended ERP: procurement and warehouse management, project and service management, production management, and financial management."
I can't list all the features here - please have a look at http://www.openbravo.com/product/product-features/.
This howto is a practical guide without any warranty - it doesn't cover the theoretical backgrounds. There are many ways to set up such a system - this is the way I chose.
1 Preparation
1.1 Debian Backports
This repository provides Sun's JDK that we need for this setup.
vi /etc/apt/sources.list
Add the following lines.
# Debian Backports
deb http://www.backports.org/debian etch-backports main contrib non-free
Afterwards refresh apt ...
apt-get update
... and import the gpg-key.
apt-get install debian-backports-keyring
1.2 Needed Packages
Now let's install and configure the needed packages.
1.2.1 PostgreSQL
Install it via:
apt-get install postgresql-8.2
Afterwards we have to set the PostgreSQL admin password. The first sed below temporarily switches local authentication from "ident sameuser" to "trust"; while that setting is active any local OS user can connect as any database role without a password, so run these steps back to back and make sure the second sed puts a password method back.
sed -i 's/ident sameuser$/trust/' /etc/postgresql/8.2/main/pg_hba.conf
/etc/init.d/postgresql-8.2 restart
Open a PostgreSQL shell.
psql -U postgres
alter role postgres with password '%new_PostgreSQL_admin_password%';
\q
sed -i 's/trust$/md5/' /etc/postgresql/8.2/main/pg_hba.conf
/etc/init.d/postgresql-8.2 reload
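An added alternative for the password step, shown as example code and not part of the howto: instead of opening a "trust" window it runs psql as the postgres OS user over the local socket, which the default "ident sameuser" line already permits, and it quotes the password for SQL. The pg_hba_no_trust function is the check to run afterwards, whichever method you used, to confirm no trust line survived. It assumes root privileges (for su), PostgreSQL 8.2 as installed above, and a role name that is a plain identifier such as postgres.

```sh
#!/bin/sh
# Added example for section 1.2.1 (not part of the original howto): set the
# PostgreSQL admin password without ever switching pg_hba.conf to "trust".
# Assumes root privileges (for su) and PostgreSQL 8.2 as installed above.

# Build the ALTER ROLE statement with the password quoted for SQL: single
# quotes are doubled so a password like o'brien cannot break out of the
# literal. The role name is assumed to be a plain identifier (e.g. postgres).
# PostgreSQL 8.2 still treats backslashes in plain literals as escapes, so
# avoid backslashes in the password.
pg_password_sql() {
    role=$1
    password=$2
    escaped=$(printf '%s' "$password" | sed "s/'/''/g")
    printf "ALTER ROLE %s WITH PASSWORD '%s';\n" "$role" "$escaped"
}

# Run the statement as the postgres OS user over the local socket: with
# "ident sameuser" in place that connection is allowed, so pg_hba.conf never
# has to be loosened. ON_ERROR_STOP makes psql exit non-zero on failure.
set_pg_password() {
    pg_password_sql "$1" "$2" | su postgres -c "psql -v ON_ERROR_STOP=1 -q"
}

# Return 0 when no active (non-comment) line of pg_hba.conf uses the "trust"
# method, 1 otherwise. Use it to confirm the server was not left open.
pg_hba_no_trust() {
    ! grep -v '^[[:space:]]*#' "$1" | grep -Eq '[[:space:]]trust[[:space:]]*$'
}

# Usage (as root):
#   set_pg_password postgres 'new_admin_password'
#   pg_hba_no_trust /etc/postgresql/8.2/main/pg_hba.conf || echo "trust still enabled"
```

After set_pg_password, the howto's final sed (trust to md5) is still useful if you want password authentication for local connections; if you skip it, the remaining "ident sameuser" line means local connections are tied to the matching OS user.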
1.2.2 Java JDK
Install it via:
apt-get install sun-java6-jdk
Afterwards make it systemwide available.
update-java-alternatives -s java-6-sun
echo 'JAVA_HOME="/usr/lib/jvm/java-6-sun"' | tee -a /etc/environment
After that, log out and back in for the change to take effect.
1.2.3 Apache Tomcat
Install it via:
apt-get install tomcat5.5 tomcat5.5-admin tomcat5.5-webapps
Afterwards we have to configure it.
rm /var/log/tomcat5.5/catalina.out
vi /etc/init.d/tomcat5.5
Change:
TOMCAT5_SECURITY=yes
To:
TOMCAT5_SECURITY=no
This disables the Java security manager that the Debian package enables by default, so the deployed webapp runs without that sandbox; keep this in mind before exposing the server beyond your network.
Restart Tomcat.
/etc/init.d/tomcat5.5 restart
Now let's look if all went well.
netstat -tap | grep java
Tomcat should be listening on port 8180.
tcp6 0 0 *:8180 *:* LISTEN 3571/java
Finally, make it available system-wide.
echo 'CATALINA_HOME="/usr/share/tomcat5.5"' | tee -a /etc/environment
echo 'CATALINA_BASE="/var/lib/tomcat5.5"' | tee -a /etc/environment
echo 'CATALINA_OPTS="-server -Xms384M -Xmx512M"' | tee -a /etc/environment
After that, log out and back in for the changes to take effect.
1.2.4 Apache Ant
Apache Ant has already been installed as a dependency in the previous step, so only the configuration is left.
echo 'ANT_HOME="/usr/share/ant"' | tee -a /etc/environment
After that, log out and back in for the change to take effect.
2 Openbravo
2.1 Get It
Please have a look at http://sourceforge.net/projects/openbravo/ to find out which is the latest version. When I was writing this howto it was version 2.35mp1.
cd /tmp/
wget http://mesh.dl.sourceforge.net/sourceforge/openbravo/OpenbravoERP-2.35-MP1-linux-installer.bin
chmod +x OpenbravoERP-2.35-MP1-linux-installer.bin
2.2 Installation
A text based installer will guide you through the installation.
./OpenbravoERP-2.35-MP1-linux-installer.bin
First press "Enter" a few times to read the license agreement section by section. Type "yes" at the end if you agree with it.
Before the installation begins you'll be asked a few questions - answer them as follows.
- Hit "Enter" to choose the default (/opt/OpenbravoERP) when you're asked for the installation directory.
- Hit "Enter" to choose the default (/opt/OpenbravoERP/AppsOpenbravo/attach) when you're asked for the attachments directory.
- Hit "Enter" to choose the default (Full (standard) installation) when you're asked for the installation type.
- Hit "Enter" to choose the default (Full) when you're asked again for the installation type.
- Choose PostgreSQL as database to use.
- Hit "Enter" to choose the default (/usr/lib/jvm/java-6-sun) when you're asked for the java home directory.
- Hit "Enter" to choose the default (/usr/share/ant) when you're asked for the Apache ant home directory.
- Hit "Enter" to choose the default (/var/lib/tomcat5.5) when you're asked for the Tomcat installation directory.
- Type in your web server's domain (e.g.: server1.example.com) when you're asked for it.
- Enter "8180" when you're asked for the http port.
- Hit "Enter" to choose the default (openbravo) when you're asked for the context name.
- Enter "/usr/bin" when you're asked for the directory that contains the PostgreSQL binaries.
- Hit "Enter" to choose the default (localhost) when you're asked for the database server parameters.
- Hit "Enter" to choose the default (4532) when you're asked for PostgreSQL's listening port.
- Hit "Enter" to choose the default (openbravo) when you're asked for the database name.
- Next enter the PostgreSQL admin password (twice) that you created earlier at step 1.2.1.
- Hit "Enter" to choose the default (tad) when you're asked for the openbravo database user.
- Next type in a password (twice) for the new user.
- Now type in "y" to start the installation - this will take a while...
2.3 Webinterface
Now you can access Openbravo via http://%servername%:8180/openbravo . Log in with the username "Openbravo" and the password "openbravo". These are the well-known default credentials, so change the password immediately after the first login; the application is served over plain HTTP on port 8180, so do not expose it directly to untrusted networks.
3 Links
- Debian: http://www.debian.org/
- Openbravo: http://www.openbravo.com/
- Openbravo user manual: http://wiki.openbravo.com/wiki/User_Manual_2.3