Building an IDS on a Raspberry Pi
My comments look like this (don’t cut and paste these)
Commands for the system look like this (you can cut and paste these)
(Warning: this is a widely published configuration, so when complete you should not be using these
passwords on a production/live system. If you are using the published image, make a point of
changing logins, passwords and any security certificates etc.)
Hint: You can cut and paste commands for the system into a Raspberry Pi shell (command prompt),
or ssh into the Pi from a Windows PC using the PuTTY program and cut and paste directly from this
document into the ssh window.
You can cut and paste commands from the document in the right-side window to the Pi ssh window on
the left.
The password for everything at the moment is l00nz0ne, remember?
The hostname is localhost, with the IP address 192.168.0.20
Users are pi, root and snort
Groups are snort
Do this
On first boot the program raspi-config will start; use this to configure the Pi and when finished let it
restart, then log in as
User: pi
Password: raspberry
sudo passwd root
Enter l00nz0ne
And again l00nz0ne
Then log out and log in again as
root with the password l00nz0ne
You are now the most powerful administrator on this computer so pay attention to what you do.
From this point on you don’t need to use sudo but it does no harm.
sudo nano /etc/network/interfaces
And add
auto lo eth0
iface lo inet loopback
iface eth0 inet static
address 192.168.0.20
netmask 255.255.255.0
gateway 192.168.0.1
Then save
sudo apt-get update
sudo apt-get install apache2 apache2-utils apache2.2-bin apache2.2-common libapache2-mod-php5
sudo apt-get install mysql-client mysql-common mysql-server
sudo apt-get install g++ make autoconf automake libtool flex bison gcc libnet1 libnet1-dev libapache2-mod-php5 libcrypt-ssleay-perl libpcre3 libpcre3-dev libmysqlclient-dev libphp-adodb libssl-dev
libwww-perl ntp php5 php5-cli php5-gd php5-mysql php-pear synaptic phpmyadmin
sudo groupadd snort && sudo useradd -g snort snort
For MySQL server, the database must be created. Connect to the database as root:
sudo mysql -u root -p
Password: l00nz0ne
mysql>
create database snort;
create database archive;
grant usage on snort.* to snort@localhost;
grant usage on archive.* to snort@localhost;
set password for snort@localhost =PASSWORD('l00nz0ne');
grant all privileges on snort.* to snort@localhost;
grant all privileges on archive.* to snort@localhost;
flush privileges;
mysql>
quit
The short build ends here; now Snort begins.
sudo apt-get install snort-mysql
Then you need to create the database tables; below is the common recommendation.
cd /usr/share/doc/snort-mysql
zcat create_mysql.gz | mysql -u snort -h localhost -p snort
These commands may help if things don't work (the package leaves /etc/snort/db-pending-config in place until the database has been set up, and Snort will not start while that file exists):
dpkg-reconfigure -plow snort-mysql
rm /etc/snort/db-pending-config
Then
mysql -u root -p
mysql>
use snort;
show tables;
Should give you this
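As an added example (not part of the original guide, and not Snort's or BASE's own code), the following POSIX shell script does the database steps above with the password taken from an environment variable rather than typed in clear text at a prompt that is later pasted into a document, and then checks that the tables from create_mysql.gz are actually present. The function names gen_snort_grants and check_snort_tables, the SNORT_DB_PASS variable and the sample SHOW TABLES listing are my own assumptions; the GRANT ... IDENTIFIED BY form is the MySQL 5.x syntax used by the squeeze-era packages.

```shell
#!/bin/sh
# Added example, not from the original guide: create the snort/archive
# databases with the password taken from the SNORT_DB_PASS environment
# variable (so it never appears in a pasted transcript), then check that
# the tables from create_mysql.gz are present. The function names, the
# variable name and the sample SHOW TABLES listing are assumptions.
set -eu

# Tables that the snort-mysql create_mysql.gz schema creates.
REQUIRED_TABLES="schema sensor event signature sig_class sig_reference reference \
reference_system iphdr tcphdr udphdr icmphdr opt data detail encoding"

# Print the SQL that the guide types at the mysql> prompt. MySQL 5.x syntax:
# GRANT ... IDENTIFIED BY creates the user if it does not exist yet.
# ALL PRIVILEGES is kept because the BASE set-up page creates its own tables.
gen_snort_grants() {
    user="${1:-snort}"
    pass="${SNORT_DB_PASS:?set SNORT_DB_PASS to the snort database password}"
    # Escape backslashes and single quotes so the password cannot break out
    # of the quoted string literal.
    esc=$(printf '%s' "$pass" | sed 's/\\/\\\\/g' | sed "s/'/''/g")
    cat <<EOF
CREATE DATABASE IF NOT EXISTS snort;
CREATE DATABASE IF NOT EXISTS archive;
GRANT USAGE ON snort.* TO '${user}'@'localhost' IDENTIFIED BY '${esc}';
GRANT ALL PRIVILEGES ON snort.* TO '${user}'@'localhost';
GRANT ALL PRIVILEGES ON archive.* TO '${user}'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Compare the output of SHOW TABLES (one table name per line, as mysql -N
# prints it) with the tables the schema is expected to create. Prints the
# missing ones on stderr and returns 1 if any are absent.
check_snort_tables() {
    have="$1"
    missing=""
    for t in $REQUIRED_TABLES; do
        if ! printf '%s\n' "$have" | grep -qx "$t"; then
            missing="$missing $t"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing tables:$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample of what "mysql -N -e 'SHOW TABLES' snort" prints after
# the schema has been loaded correctly.
SAMPLE_TABLES="data
detail
encoding
event
icmphdr
iphdr
opt
reference
reference_system
schema
sensor
sig_class
sig_reference
signature
tcphdr
udphdr"

case "${1:-}" in
    apply)
        # Live run on the Pi: load the SQL as root, then check the schema.
        gen_snort_grants snort | mysql -u root -p
        check_snort_tables "$(mysql -N -u root -p -e 'SHOW TABLES' snort)"
        ;;
    *)
        # Dry run: print the SQL with a placeholder password (not a real
        # credential) and exercise the checker on the constructed sample.
        SNORT_DB_PASS="${SNORT_DB_PASS:-change-me}"
        gen_snort_grants snort
        check_snort_tables "$SAMPLE_TABLES" && echo "schema check: ok"
        ;;
esac
```

Run it with no arguments to see the SQL it would send, or as `SNORT_DB_PASS='...' sh snortdb.sh apply` on the Pi to create the databases and verify the schema in one go; a non-zero exit with a "missing tables" line means create_mysql.gz was not loaded into the snort database.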
Paddy's bit to set up Acid-BASE
mkdir /usr/src/acidbase
cd /usr/src/acidbase
This adds the Debian source repository to the Raspberry Pi's list of available software
echo "deb-src http://ftp.uk.debian.org/debian/ squeeze main" > /etc/apt/sources.list.d/sarge-src.list
apt-get update
apt-get build-dep acidbase
apt-get -b source acidbase
dpkg-scanpackages . /dev/null | gzip -9c > Packages.gz
echo "deb file:///usr/src/acidbase /" > /etc/apt/sources.list.d/acidbase.list
apt-get update
apt-get install acidbase
This tests acidbase
wget http://localhost/acidbase/ -O -
NOTE: Manual configuration is now required
You will need to go to http://localhost/acidbase to run the database set-up modifications for BASE.