Here's a little tip to get munin integrated with snort on an Ubuntu box.
Assumptions
I assume you have snort running with acidbase. There are some steps needed to make sure mysql is set up; I'm not covering those at this time. If there are questions, I'll cover it later.
So make sure the following are installed:
- snort-mysql
- acidbase – although this is not necessary
- munin
Snort changes
In the /etc/snort/snort.conf file, add the following line, or uncomment it if it is already there. "time 300" makes the perfmonitor preprocessor write a sample every 300 seconds; "pktcnt 10000" means snort only checks the clock every 10000 packets, which keeps the sampling cheap.
preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
Then you need to make the directory that file lives in:
mkdir /var/snort
chown adm /var/snort
chgrp adm /var/snort
chmod 750 /var/snort
This is needed because snort needs somewhere to write its perfmonitor stats that munin can read, and that should not be /var/log/snort, which holds the alert and packet logs and should keep its tighter permissions. Snort creates snort.stats when it starts, so whichever user snort opens that file as must be able to write into this directory; if it cannot, make that user the owner and keep adm as the group so munin can still read it.
Munin changes
Munin's user should already be in the "adm" group as part of the install.
Next, copy the stock snort plugins into the active plugin directory:
cp -i /usr/share/munin/plugins/snort* /etc/munin/plugins/.
I first used a symbolic link, but I found that these files had a bug in them. I tested them using
sudo munin-run snort_alerts
and the response was
EOF: command not found
To fix this, use a text editor to remove the line that says "EOF" from each of these files.
Or, of course, you can script it (as root, since it writes to /etc/munin/plugins); matching the whole line keeps any other line that merely mentions EOF:
cd /usr/share/munin/plugins
for i in snort_*
do
    # drop only a line that is exactly "EOF"
    sed '/^EOF$/d' <"$i" >"/etc/munin/plugins/$i"
done
Test that munin can run the plugin by running (with sudo)
munin-run snort_alerts
You should get a field name and a number, like
alerts.value 0.414
Then you need to restart snort and munin-node (the munin daemon that runs the plugins). If your normal userid is in the group munin, you can run munin-run yourself without sudo.
If all is working, you should have the file /var/snort/snort.stats. Note that it takes a few minutes before data starts to appear: one perfmonitor interval, which is 300 seconds with the setting above.
Then, when you visit your server's munin page at http://127.0.0.1/munin/
you should see a snort category. Enjoy!
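The whole procedure above as one script, added here as an example; it is not code from the original post. It uses the paths and the perfmonitor line from the post, makes /var/snort owned by the snort user with adm as its group (my choice, so snort can write the file and munin can read it), and only touches the system when RUN_SETUP=1. The function names, the RUN_SETUP switch and the output check at the end are my assumptions.

```sh
#!/bin/sh
# Added example, not code from the original post: the snort + munin setup
# as one script. Function names, the RUN_SETUP switch and the choice of
# "snort" as the owner of /var/snort are assumptions; the paths and the
# perfmonitor line are the ones from the post.
set -eu

PERFMON_LINE='preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000'

# Make sure snort.conf carries exactly one active perfmonitor line:
# keep it if present, uncomment it if commented out, append it otherwise.
ensure_perfmon_line() {
    conf="$1"
    if grep -q '^preprocessor perfmonitor:' "$conf"; then
        return 0
    fi
    if grep -q '^# *preprocessor perfmonitor:' "$conf"; then
        sed "s|^# *preprocessor perfmonitor:.*|$PERFMON_LINE|" "$conf" > "$conf.tmp"
        mv "$conf.tmp" "$conf"
    else
        printf '%s\n' "$PERFMON_LINE" >> "$conf"
    fi
}

# Stats directory: owned by the user that writes snort.stats, readable by
# the group munin runs in (adm on Ubuntu), closed to everyone else.
make_stats_dir() {
    dir="$1" owner="$2" group="$3"
    mkdir -p "$dir"
    chown "$owner:$group" "$dir"
    chmod 750 "$dir"
}

# Copy the stock snort_* plugins into the active plugin directory, dropping
# the stray line that is exactly "EOF" (the one behind "EOF: command not
# found"). Anchoring the match keeps any other line that mentions EOF.
install_snort_plugins() {
    src="$1" dst="$2"
    for p in "$src"/snort_*; do
        [ -f "$p" ] || continue
        name=$(basename "$p")
        sed '/^EOF$/d' "$p" > "$dst/$name"
        chmod 755 "$dst/$name"
    done
}

# Check plugin output read from stdin: every non-comment line must be
# "<field>.value <number>" (or munin's "U" for unknown), e.g.
# "alerts.value 0.414". Returns non-zero on anything else, such as the
# "EOF: command not found" error text.
plugin_output_ok() {
    awk '
        /^#/ || /^$/ { next }
        NF != 2 { bad = 1; next }
        $1 !~ /^[A-Za-z_][A-Za-z0-9_]*\.value$/ { bad = 1 }
        $2 !~ /^(-?[0-9]+(\.[0-9]+)?|U)$/ { bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# The real run needs root and a snort/munin install, so it only happens
# when RUN_SETUP=1; otherwise the functions can be sourced and exercised
# against scratch paths.
if [ "${RUN_SETUP:-}" = 1 ]; then
    ensure_perfmon_line /etc/snort/snort.conf
    make_stats_dir /var/snort snort adm
    install_snort_plugins /usr/share/munin/plugins /etc/munin/plugins
    if munin-run snort_alerts | plugin_output_ok; then
        echo "snort_alerts plugin OK; now restart snort and munin-node"
    else
        echo "snort_alerts output malformed: look for a stray EOF line" >&2
        exit 1
    fi
fi
```

Run it as `sudo RUN_SETUP=1 sh setup-snort-munin.sh` (the file name is arbitrary). The output check is the same thing the post does by eye after munin-run prints alerts.value, just made strict enough to catch the EOF error text, and the sed match is anchored to the whole line so that a comment mentioning EOF survives.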