Archive for the ‘IT’ Category

Installing Snort with MySQL and ACID BASE

Location: Somewhere in a fan noise filled and brightly lit room…

Date: Jan 3, 2010

Time: 2314 UTC

“Hey John, come look at this spike in traffic on port 1434 going to!” Tony exclaimed.

“Yeah, I saw that on as well; looks like a SQL injection attack to me.”

“This one looks like it got through though. I see some outbound traffic on 6667 on that database server as well. There shouldn’t be any traffic on that port; that is IRC chat. The firewall should block it.”

John quickly SSHed into the firewall and checked the output of ipchains to determine the default deny and any IRC rules. Much to his surprise, all outbound traffic was allowed.

“What!!” John screamed out.

It had just occurred to him that the firewall guys had recently replaced the aging firewall that was attached to the DMZ. John frantically searched for the binder that contained the installation and configuration documentation for the firewall. Just as he suspected, the binder’s last entry was dated Dec 18, 2009. That was before the firewall was swapped out.

“No documentation, that’s great. How many times do I have to emphasize documentation? This will look great on the incident report,” John said to himself.

Meanwhile Tony was setting up tcpdump captures of the traffic for later forensic analysis.

Tony yelled to John from across the room, “John, get the web database folks on the phone to see if they can start locking that system down.”

John replied, “Dude it’s almost midnight, and we don’t have a good standby number for anybody.”

“Well there is only one thing to do then, we need to contain the problem and start documenting it. We need to close those ports to stop the leak.”

“But that means no one will be able to log in to the ecommerce site; that means lost revenue.”

“We better call the boss, and he won’t be happy,” Tony stated solemnly after some thought.

“Well, maybe he can call the database folks and find out why that server wasn’t locked down correctly.”

“Why do you think it was their problem? It could have been a zero-day attack. I checked DShield and there are huge spikes in 1434. Could be the underground is exploiting a flaw that isn’t public yet.”

“Well, either way, this isn’t good. Let’s lock it down before any more data leaks out.”

“Ok, it’s your call until the boss gets here.”

“Do it!”

This is a fictional scenario, but it could happen in the real world. Poor documentation, configuration errors, zero-days and slow response times can plague any business network and create opportunities for breaches. This is where a post-analysis tool comes into play. An intrusion detection system is not designed to stop attacks, but it makes the watchful administrator aware of potential breaches or configuration problems. It also provides the information needed for a more accurate incident report, one that identifies the progression of the attack and which attack vector was used. This can be of tremendous value in thwarting attacks against other systems.

Enter SNORT.

With the constant attacks against networks it is essential to have an Intrusion Detection System (IDS) in place and functional. The IDS needs to be robust and make the mountains of data that come pouring in easy to read. Snort is an open source product that is free to use and very customizable.

Snort’s rule subscription, called “VRT Certified Rules”, is a paid product. If you are serious about keeping your IDS up to date you must pay for the rule set. Registered users can download the rules free of charge, but the free rules are 30 days old. If you manage a network you know that a lot can change in 30 days.

Snort on Ubuntu


  1. Use apt-get to retrieve the snort-mysql package (use your host network for the listen address range, e.g.
  2. Use apt-get to retrieve the mysql-server package. Follow the prompts for passwords (use your own password; do not leave it blank).
  3. Follow the instructions below to set up the database.

---------- Snippets taken from the snort-mysql Debian package README ----------


In order for the database output to work you first need to create a database.

Assume you entered the following when the debconf dialogs asked for it during package installation:

Database User: snort
Database Password:  (Use your own password here)
Database name: snort

For Mysql you can do this:

[ running as a MySQL user with admin privileges ]
$ mysql -u root -p

(Type in the password you just created during the mysql-server installation)

mysql> CREATE DATABASE snort;
mysql> GRANT CREATE, INSERT, SELECT, UPDATE ON snort.* TO 'snort'@'localhost' IDENTIFIED BY 'YOUR OWN PASSWORD HERE';
mysql> FLUSH PRIVILEGES;
mysql> SHOW GRANTS FOR 'snort'@'localhost';

Two things differ from the README snippet. The IDENTIFIED BY clause is required: on MySQL 5.x a GRANT for an account that does not exist yet creates it, and without IDENTIFIED BY it is created with an empty password, so the later step that logs in as snort with a password would be refused. The README's second statement, grant ... on snort.* to snort; (no host part), creates a separate 'snort'@'%' account that can connect from any host; leave it out unless Snort sensors on other machines must log into this database.


Run the command below:

$ zcat /usr/share/doc/snort-mysql/create_mysql.gz | mysql -u snort -D snort -p

With -p on its own the client prompts for the snort password; typing the password after -p on the command line leaves it visible in ps output and in your shell history.

Once the schema is loaded and snort.conf has been edited (next step), remove the file /etc/snort/db-pending-configuration and run /etc/init.d/snort start. Confirm that Snort is up by running /etc/init.d/snort status and reviewing the messages in /var/log/daemon.log.

Before starting Snort you will have to edit the /etc/snort/snort.conf file.

Find the lines

output database: log, mysql,
# (#DBEND#)

and change the output line to:

output database: log, mysql, user=snort password=YOUR OWN PASSWORD HERE dbname=snort host=localhost

This puts the database password in snort.conf, so make sure the file is readable only by root (Snort is started as root and drops privileges after reading its configuration).

4. Install apache2  web server (apt-get install apache2)

5. Install acidbase application (apt-get install acidbase)

The package manager will walk you through the setup. You will need to enter the root database password, the database user (snort), the database name (snort) and the database password. It will also ask whether it should install the configuration for apache2; select apache2 for autoconfiguration. By default only the local host has access to the site, at http://localhost/acidbase.

You will have to connect and have acidbase create the additional tables it needs in the snort database. This is done with the button on the main page that creates the tables.

Additionally you will have to edit the /etc/apache2/conf.d/acidbase.conf file and add any additional IP addresses or ranges that you want remote access from. Keep that list narrow: BASE exposes the whole alert database, packet payloads included, and the autoconfigured site is plain HTTP unless you have enabled SSL in Apache, so put HTTPS and authentication in front of it before opening it to anything beyond the local host.

Visit the Snort website for more information on updating rules and registering for your own “oinkcode”.


Dell PowerEdge Server Administration – Using Dell OpenManage Server Administrator


Dell’s OpenManage Server Administrator (OMSA) is a powerful hardware monitoring and reporting tool. You can view virtually all of the hardware and BIOS information with a few simple commands.

I use it to collect system information and keep track of installed hardware and the current state of the hardware.

For example, if you want to know how many physical disks are installed and what their capacities are, type the following at the command prompt:

>omreport storage pdisk controller=0 (Change to 1 if you want to view the second controller)

and to see which virtual disks (RAID containers) are on the server:

> omreport storage vdisk controller=0 (Change to 1 if you want to view the second controller)

To view a summary of the server, type

>omreport system summary

To view chassis temperatures:

>omreport chassis temps

These commands display their results in the console window, which is not very useful when you want to file them for future reference. To send the output of a command to a file:

>omreport system summary -fmt cdv -outc Summary.csv

This writes a semicolon-delimited file, which is not very Excel-friendly. To change it to a comma-delimited file you must first run:

>omconfig preferences cdvformat delimiter=comma

Any file written with -fmt cdv will then be comma-delimited and can be opened directly in Excel without importing the data and manually selecting the semicolon delimiter.

These are just a few examples of OpenManage Server Administrator’s reporting and configuration commands. It is a powerful tool that will help you keep track of server information and changes performed on the server.

To make my life easier (and hopefully yours) I have created a menu-driven tool that automatically runs most of these reports. I use it to run reports on all my Dell servers and archive them to a secure share, which helps with support issues and with tracking hardware changes performed on the servers. I would recommend doing this upon installation of any new server and whenever significant hardware changes are made. If you need any help please feel free to post a comment.
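As an added example (not the author's menu-driven tool, which is not reproduced here), a shell script that collects the reports above as CSV into a per-host, per-run directory under an archive share and diffs each run against the previous one, so that a swapped disk or a changed RAID layout shows up as a diff instead of being noticed months later. It is written for the Linux OMSA command line; the omreport arguments are the same as on Windows. ARCHIVE, the REPORTS list, the run argument and the function names are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not the author's menu tool: collect a fixed set of omreport
# reports as CSV into a per-host, per-run directory and diff the run against
# the previous one so hardware changes stand out.  Assumptions: OMSA's omreport
# and omconfig are on PATH (on Linux they live in /opt/dell/srvadmin/bin) and
# the archive share is mounted at $ARCHIVE.
set -eu

OMREPORT=${OMREPORT:-omreport}
OMCONFIG=${OMCONFIG:-omconfig}
ARCHIVE=${ARCHIVE:-/srv/omsa-archive}

# One report per line: "<file stem>|<omreport arguments>".  Repeat the storage
# lines with controller=1 on servers that have a second controller.
REPORTS='system_summary|system summary
chassis_temps|chassis temps
storage_controller|storage controller
storage_pdisk_c0|storage pdisk controller=0
storage_vdisk_c0|storage vdisk controller=0'

# Run every report in REPORTS into directory $1; returns 1 if any failed so
# a cron job sees a non-zero exit instead of a silently incomplete archive.
collect_reports() {
    dir=$1 failed=0
    mkdir -p "$dir"
    while IFS='|' read -r stem args; do
        [ -n "$stem" ] || continue
        # $args is deliberately unquoted: "storage pdisk controller=0" must
        # reach omreport as three separate arguments.
        if ! "$OMREPORT" $args -fmt cdv -outc "$dir/$stem.csv"; then
            echo "omreport $args failed" >&2
            failed=1
        fi
    done <<EOF
$REPORTS
EOF
    return $failed
}

# Diff every report in run $2 against the same report in run $1.  Prints the
# differences and returns 1 when anything changed (new disk, firmware, etc.).
compare_runs() {
    prev=$1 cur=$2 changed=0
    for f in "$cur"/*.csv; do
        [ -e "$f" ] || continue
        stem=$(basename "$f")
        if [ ! -f "$prev/$stem" ]; then
            echo "new report: $stem"
            changed=1
        elif ! diff -u "$prev/$stem" "$f"; then
            changed=1
        fi
    done
    return $changed
}

main() {
    host=$(hostname)
    run="$ARCHIVE/$host/$(date -u +%Y%m%dT%H%M%SZ)"
    # Comma delimiter so Excel opens the files directly (the setting persists).
    "$OMCONFIG" preferences cdvformat delimiter=comma
    collect_reports "$run"
    # Most recent earlier run for this host, if any, for the change report.
    prev=$(ls -d "$ARCHIVE/$host"/*/ 2>/dev/null | grep -v "$run" | sort | tail -n 1)
    if [ -n "$prev" ]; then
        compare_runs "$prev" "$run" || echo "changes since $prev; review the diff above" >&2
    fi
}

# Only collect when explicitly asked: sh omsa-archive.sh run
if [ "${1:-}" = run ]; then
    main
fi
```

Run it with the single argument run after installation and again after any hardware work; the archive directory is named by host and UTC timestamp, so the share keeps a history, and the exit status of the script tells a cron job whether a report failed.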