System Requirements

• Unix Operating System (FreeBSD, Linux, Solaris, etc...)
• curl - Non-interactive tool to get files from FTP, GOPHER, HTTP(S)
• Apache - The extremely popular Apache http server
• php4 - PHP Scripting Language (Apache Module and CLI)
• php4-pcre - The pcre shared extension for php
• php4-pcntl - The pcntl shared extension for php
• php4-mysql - The mysql shared extension for php
• pear-DB - PEAR Database Abstraction Layer for php
• Fusebox - PHP API framework (Already included)
• *Webmin - Web-based interface for system administration for Unix
• *Snort - Lightweight network intrusion detection system
• *Barnyard - (Optional)

  * SnortSMS Agent sensor side.

  The biggest concerns are that you have curl support for the remote connections to the sensor, PEAR support for the database, and PCRE support in PHP.

Installing the SnortSMS Website

1. Extract the SnortSMS archive files to a preferred web-root location.
2. Insure that the subdirectory "conf/" and the file "conf/conf.php" are read/writeable by the webserver (www).
   # chown :www conf/ conf/conf.php
   # chmod 775 conf/
   # chmod 664 conf/conf.php
3. PHP configuration might need some tweaking. Adjust a few settings in your 'php.ini' file:
   max_execution_time = 120
   max_input_time = 120
   memory_limit = 100M 
   post_max_size = 20M
   upload_max_filesize = 20M
   include_path = ".:/usr/local/share/pear"
4. SnortSMS needs a temporary place to write file. Remember this location for your Global Configuration Settings. We suggest you create a subdirectory within your system's temp directory:
   # mkdir /var/tmp/snortsms
   # chmod 1777 /var/tmp/snortsms
   

Creating the SnortSMS Database

1. Create a new database, preferably 'SNORTSMS'.
2. Create the DB tables. Use the supplied MySQL dump to restore the tables.
   # mysql -u root -p < ./contrib/SNORTSMS.mysql
3. Create a new database user 'snortsms' (or use an existing user) and grant permissions to the SNORTSMS database. Take note of the username and password you have choosen.

Installing the SnortSMS Agent Module (Remote Sensor)

The SnortSMS Agent is designed to reside on the remote Snort sensor. It allows the SnortSMS website server to communicate and remotely control the sensor.

Prerequsite: The SnortSMS Agent is written in the Webmin API, which means you must have Webmin installed on the remote sensor. You should have also installed Snort and Barnyard (optional) prior to installing the Agent Module.

1. With a web browser, browse and login to your sensor's Webmin interface.
2. On the "Webmin" tab, click on the "Webmin Configuration" icon.
3. Click on the "Webmin Modules" icon.
4. In the "Install Module" box, enter the source of the "snortsms-agent.tgz" module.
5. Click the "Install Module" button to install the agent.
6. Once installed, browse to the "Servers" tab, and click on the "SnortSMS Agent" icon.
7. Under "Module Config" please enter the full path to the local snort binary, and save.
8. Create a new Webmin user, preferably 'snortsms'. Allow only access to the "SnortSMS Agent" module for this user. Take note of the username and password you have choosen.
9. Important: Be sure to select "Disable session authentication" in Webmin -> Webmin Configuration -> Authentication section. Otherwise SnortSMS CURL will not be able to authenticate into your Webmin interface.

Configuring SnortSMS

Configure SnortSMS global settings

1. Browse to the SnortSMS web location. If all is well you should see the SnortSMS interface.
2. On the top menu, under "Settings", click the "SnortSMS Global Settings".
3. Enter the database settings from the previous database section.
4. Verify the remainder of the settings insuring all paths are correct for your system.

   Create a Snort Daemon Profile
   You MUST create at least one Snort Daemon Profile. This is used to tell SnortSMS how to launch the snort process on the remote sensor.

5. Browse to Libraries -> Snort Daemon Profiles.
6. Click 'New Snort Profile' link.
7. Give it a name, set the interface snort will sniff, and path to where the snort.conf file will reside on the sensor (be sure this path exists).
8. Now save the profile.

   Populating the libraries
   Before you can assign configurations to your sensors, you must populate the SnortSMS libraries. The easiest way is to import the Snort default rule snapshot file. You can either download it to your local desktop or import it from the web.

9. Click on the "Import" link under the "Libraries" menu.
10. Enter the URL or Snapshot file, then press "Import".

    This will parse the snapshot file, finding all rules and directives, and populate the SnortSMS libraries accordingly. Once this is done, you should be able to browse the libraries and verify the imported resources. You may have to manually add the "Variables" manually.

    Create a Rule Profile
    Now that your resource libraries are full, we suggest you 1st create at least one rule profile. You cannot assign rules directly to sensors, only rule profiles can be assigned to each sensor.

11. Browse to Libraries -> Rules -> Rule Profiles.
12. Click on the "New Profile" link, enter a profile name and save the new profile.
13. Now, click the "Pick" link on your profile to browse through the rule libraries and assign rules to the current profile.

    Adding Sensors
    Now you are ready to add sensors into the system. If you are managing multiple sen

14. Click on the Sensors -> Administration Console link.
15. Click "Add Sensor".
16. Enter the Sensor name and save. Note: Do not include special characters.
17. Click on the individual tabs to configure the rest of the sensor properties.
18. TIP: If you have multiple sensors to add which are similar, configure at least one sensor, then use the 'Clone Sensor' link on the Administration Console.

Testing
At this point, SnortSMS should be properly configured. We also assume you have at least one functional Snort-base sensor defined. From the Administration Console, click anywhere on your sensor line. You should be able to get statistical data from the 'Status' tab.

Troubleshooting