Overview

Weasel consists of three parts which need to be installed separately:

- a database schema
- a GUI part written in PHP
- an output plugin for snort written in C

Installation will take about 20-30 min, plus the time needed to set up and configure snort.
Preparation

Check that your setup provides the following prerequisites:

- Sensor: a POSIX machine (Linux, BSD, Solaris) that can build snort. Usually that means you need to install at minimum these packages: libpcap-dev, libpcre-dev, libmysqlclient-dev or libpg-dev, plus build essentials like gcc, make, etc.
- DB server: MySQL 5.x or PostgreSQL 8.x
- Web server: PHP 5.x with the mysqli and/or pgsql modules enabled. The module mysql without the -i is not enough. Most plug-ins assume that the web server is a *nix kind of machine.

The components can run on the same machine, or on three different machines. Platform-specific hints on how to install these requirements may be found in the file PLATFORM_HINTS.

Get the latest version of weasel and copy it to some convenient place:

    # go to some convenient directory
    $ cd /tmp
    # get the sources
    $ firefox http://weasel.sf.net/
    # copy the url of a weasel-0.0.5.tar.gz on a nearby sf.net mirror
    # then download
    $ wget http://.../.../weasel-0.0.5.tar.gz
    # untar sources
    $ tar -xzvf weasel-0.0.5.tar.gz
The Database

Weasel currently supports these RDBMS:

- MySQL 5 (stable)
- PostgreSQL 8.x (experimental)

For best performance, you should tune your database server for use with weasel; see TUNING_GUIDE for more information. Remember to change the username and password when you copy these commands.

If you have MySQL:

    # create new db and user
    # important: choose a more secure dbpassword and/or a better username
    $ mysql -u root -p
    mysql> CREATE DATABASE weaseldb;
    Query OK, 1 row affected (0.00 sec)
    # create user with local access rights (for the gui)
    # important: choose a more secure dbpassword and/or a better username
    mysql> GRANT ALL ON weaseldb.* TO weasel@localhost identified by 'dbpassword';
    # create user with network access rights (for the sensors)
    # you might want to replace the wildcard % with the actual hostname / ip of the
    # sensor.
    mysql> GRANT ALL ON weaseldb.* TO weasel@'%' identified by 'dbpassword';
    mysql> quit
    # import the schema
    $ mysql weaseldb -u root -p < weasel-0.0.5/db-schema/mysql.sql
    # import the extra data
    $ mysql weaseldb -u root -p < weasel-0.0.5/db-schema/inserts.sql

If you have PostgreSQL:

    # become postgres super user
    $ su postgres
    # create user that has the right to create a database
    # note: choose a more secure dbpassword and/or a better username
    $ createuser -d -P weasel
    Enter Password for new Role: dbpassword
    Enter it again: dbpassword
    # create database
    $ createdb weaseldb
    $ createlang plpgsql weaseldb
    # import the schema
    $ psql -d weaseldb -f weasel-0.0.5/db-schema/postgres.sql
    # import the extra data
    $ psql -d weaseldb -f weasel-0.0.5/db-schema/inserts.sql
    # Note: You might need to change the access rights in your pg_hba.conf file
    # so that you can access the database from the user under which apache is running.
    $ echo "local weaseldb weasel md5" >> /etc/postgres/8.2/pg_hba.conf
The Web-based GUI part

You need a machine with a web server and PHP5 installed. It is important that the PHP has support for your database system. In case of doubt, check the output of phpinfo(). Platform-specific hints on how to install and configure PHP on your platform may be found in the PLATFORM_HINTS file.

Now copy the GUI somewhere into your DOCUMENT_ROOT:

    # create subdirectory in your document_root:
    $ mkdir /path/to/document_root/weasel
    # copy gui
    $ cp -r weasel-0.0.5/gui/* /path/to/document_root/weasel
    # configure gui
    $ vi /path/to/document_root/weasel/config_inc.php

In config_inc.php you need to set up the connection to the database, as well as some personal preferences. Then, at the end of the mandatory options block, there is an important line that you need to uncomment.

Point your browser at your fresh weasel installation and log in as

    Login: admin
    Pass: s3cr3t

The default password is chosen so lame on purpose: we want the user to instantly navigate to the Administration section, click on 'Manage Users' and then change the admin password to something more appropriate ;-)
Snort and Snort plugin

For now, you will need to recompile snort in order to use weasel. Your build system needs to have libpcap, libpcre and either libmysqlclient or libpg installed. Furthermore, you need the GNU patch utility and a C compiler. These are fairly standard requirements, which are met by most systems nowadays, especially if you were already running snort before. Note however that on some platforms you need to install the developer packages (i.e. libpcap-dev) as well. Please have a look at the PLATFORM_HINTS file for some pointers about which packages are needed.

    # go to the same directory where you un-tared the weasel-0.0.5.tar.gz
    $ cd /tmp
    # get the most current snort sources (in case you don't have them already)
    $ wget http://www.snort.org/dl/current/snort-2.8.0.tar.gz
    # untar sources (in case you haven't untared them already)
    $ tar -xzvf snort-2.8.0.tar.gz
    # apply patch (this adds the weasel output-plugin to snort)
    $ cd snort-2.8.0
    $ patch -p1 < ../weasel-0.0.5/patches/weasel-0.0.5-for-snort.2.8.0.patch
    # configure and build snort in the usual way
    $ ./configure --enable-pthread --with-mysql=MYSQL_PATH --with-postgresql=POSTGRESQL_PATH
    $ make
    # If you want support for mysql, use --with-mysql or --with-mysql=PATH_TO_MYSQL
    # If you want support for postgres, use --with-postgresql or
    # --with-postgresql=PATH_TO_POSTGRESQL
    # You can compile support for both db systems at the same time.
    # If your system supports posix threads (most do) then enable them
    # with --enable-pthread
    # if you compiled this on the sensor, you can now install, otherwise
    # package snort and deploy it on your sensors
    $ make install

Note: if snort was not installed before on this machine, you now need to configure snort. This is a time-consuming process and there are many tutorials on the net. In short, you need to download and install the latest snort rules from the snort website (http://www.snort.org/vrt/, they require registration). After that, you need to adapt /etc/snort/snort.conf to suit your environment. An easier solution might be to install the snort package of your distribution; they often come with some default configuration files installed to /etc/snort.

Weasel also has an experimental rule manager that you might want to try out. Simply go to Administration, Manage Extensions and read the instructions for the RemoteSSH and Rulemanager extensions.

In order to load the weasel output plugin, you must edit your snort.conf file. Add a line to your snort.conf similar to:

    output weasel: mysql host=dbhost dbname=weaseldb user=weasel password=...

-OR-

    output weasel: postgres host=dbhost dbname=weaseldb user=weasel password=...

Then restart snort. Weasel requires you to give the name of the interface on the command line when starting snort. It might look something like this:

    /usr/bin/snort -c /etc/snort/snort.conf -N -i eth0

Check the output of snort; you should see some debug messages from the weasel plugin. You should also be able to log into the weasel GUI and see your alerts.

Enjoy!
Patrick & Thomas
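As an added pre-flight check (example code, not part of the Weasel distribution), the POSIX shell function below reads a snort.conf and verifies every "output weasel:" line before you restart snort: the backend must be mysql or postgres, every argument must be key=value, and host, dbname, user and password must all be present and non-empty. The two config files it writes are constructed samples for the demonstration, not real snort.conf files.

```shell
#!/bin/sh
# Added example, not Weasel's own code: sanity-check "output weasel:" lines
# in a snort.conf before restarting snort. Returns 0 if all lines are well
# formed, 1 otherwise, and prints one message per problem found.
check_weasel_output() {
    awk '
    /^[ \t]*output[ \t]+weasel:/ {
        found++
        backend = $3                       # "output weasel: <backend> k=v ..."
        if (backend != "mysql" && backend != "postgres") {
            printf("line %d: unknown backend %s\n", NR, backend); bad++
        }
        split("", seen)                    # portable way to clear the array
        for (i = 4; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) { printf("line %d: bad token %s\n", NR, $i); bad++; continue }
            seen[substr($i, 1, n - 1)] = substr($i, n + 1)
        }
        split("host dbname user password", req, " ")
        for (r in req) {
            k = req[r]
            if (k in seen && seen[k] != "") continue
            printf("line %d: missing or empty %s=\n", NR, k); bad++
        }
    }
    END {
        if (!found) { print "no output weasel: line found"; bad++ }
        exit (bad ? 1 : 0)
    }' "$1"
}

# Constructed sample configs for the demonstration (not real snort.conf files).
WORK=$(mktemp -d)
GOOD_CONF="$WORK/good.conf"
BAD_CONF="$WORK/bad.conf"
cat > "$GOOD_CONF" <<'EOF'
# minimal fragment with a valid weasel line
output weasel: mysql host=dbhost dbname=weaseldb user=weasel password=dbpassword
EOF
cat > "$BAD_CONF" <<'EOF'
# unsupported backend, no password=, and a token without "="
output weasel: sqlite host=dbhost dbname=weaseldb user=weasel debug
EOF

if check_weasel_output "$GOOD_CONF"; then echo "good.conf: ok"; fi
if check_weasel_output "$BAD_CONF"; then :; else echo "bad.conf: rejected"; fi
```

Run it as check_weasel_output /etc/snort/snort.conf on the sensor; a non-zero exit means snort would start with an output line the plugin cannot use.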
And now?

You changed that default password, didn't you? Good.

- Have a look at the Quick Start Guide.
- Configure the GUI options in the Administration panel.
- Enable and play around with the extensions (Admin Panel -> Manage Extensions).
- Give us some feedback! We have a forum and a mailing list.