QUICKSTART - installation for the impatient
--------------------------------------------

Here we use only the PostgreSQL database; the MySQL part is similar.

1. Download and install PostgreSQL, and use the file contrib/create_postgresql
   to set up the database. Do not forget to create a user and grant him
   access to the database.

2. Unpack and untar FLoP and snort:

   $ tar xvzf FLoP-1.5.1.tar.gz
   $ tar xvzf snort-2.4.3.tar.gz

3. Change to the snort directory and apply the patch:

   $ cd snort-2.4.3
   $ patch -p1 < ../FLoP-1.5.1/patches/snort-2.4.3_patch

4. Run configure and build snort:

   $ ./configure
   $ make

5. Change to FLoP and run configure and make:

   $ cd ../FLoP-1.5.1
   $ ./configure --prefix=/usr/local/FLoP/ \
       --with-snort=/{full}/{path}/{to}/snort-2.4.3 \
       --with-postgres=/usr/local/pgsql --enable-getpacket
   $ make
   $ make install

6. By default the configuration files are installed as:

   $ ls /usr/local/FLoP/etc/flop/
   total 236
   -rw-r--r-- 1 root staff   1439 Jan 14 13:48 alert.conf
   -rw-r--r-- 1 root staff   1437 Jan 14 13:48 drop.conf
   -rw-r--r-- 1 root staff    906 Jan 14 13:48 getpacket.conf
   -rw-r--r-- 1 root staff   3572 Jan 14 13:48 servsock.conf
   -rw-r--r-- 1 root staff 221392 Jan 14 13:48 vendor.map

7. Edit the configuration files and adjust them to your needs; "vendor.map"
   is used by getpacket to map the ARP addresses to the vendor. The files are
   well commented, so it should be easy to adjust them. The database settings
   are the important part.

8. Copy snort and sockserv to the remote sensors and activate the output
   plugin in snort.conf:

   output alert_unixsock_db: /tmp/snort, all

   (Don't forget to create /var/log/snort.)

9. Start servsock, drop and alert on the central server:

   $ drop -b ; alert -b ; servsock

   (Note: -b is for background aka daemon mode. This can also be set via the
   configuration files.)

10. Start drop, sockserv and snort:

   $ drop -b
   $ sockserv -S {serveraddress} -p {port} -N {sensorname} -b
   $ snort -Y

Now everything is up and running; you should receive alerts in the database.
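The sensor-side steps above (8 to 10) depend on three things being in place before snort and sockserv are started: the alert_unixsock_db output line in snort.conf, a writable directory for the Unix socket it names, and the snort log directory. The pre-flight check below is an added example and not part of FLoP or snort; it only reads files and directories, and the snort.conf path and log directory it takes as arguments are assumptions (the test constructs its own sample snort.conf).

```shell
#!/bin/sh
# Added example: pre-flight check for a FLoP sensor before running
# "sockserv ... -b" and "snort -Y". Not FLoP's own code; the snort.conf
# path and log directory are passed in and are assumptions of this script.

# check_output_plugin <snort.conf>: 0 if the alert_unixsock_db output plugin is enabled
check_output_plugin() {
    grep -Eq '^[[:space:]]*output[[:space:]]+alert_unixsock_db:' "$1"
}

# socket_path_from_conf <snort.conf>: prints the socket path given on that line
# (the part before the comma, e.g. /tmp/snort in "alert_unixsock_db: /tmp/snort, all")
socket_path_from_conf() {
    sed -n -E 's/^[[:space:]]*output[[:space:]]+alert_unixsock_db:[[:space:]]*([^,[:space:]]+).*/\1/p' "$1" | head -n 1
}

# check_dir <dir>: 0 if the directory exists and is writable by this user
check_dir() {
    [ -d "$1" ] && [ -w "$1" ]
}

# preflight <snort.conf> <logdir>: 0 if all checks pass; otherwise reports each
# missing item on stderr and returns 1, so the start-up script can stop early.
preflight() {
    conf=$1; logdir=$2; rc=0
    if ! check_output_plugin "$conf"; then
        echo "missing: 'output alert_unixsock_db:' line in $conf" >&2; rc=1
    fi
    sock=$(socket_path_from_conf "$conf")
    if [ -n "$sock" ] && ! check_dir "$(dirname "$sock")"; then
        echo "missing: writable directory for socket $sock" >&2; rc=1
    fi
    if ! check_dir "$logdir"; then
        echo "missing: log directory $logdir (create it before starting snort)" >&2; rc=1
    fi
    return $rc
}

# Usage on a sensor (paths assumed):
#   preflight /etc/snort/snort.conf /var/log/snort && sockserv -S server -p port -N sensor -b && snort -Y
```

Running the check in front of the start commands turns the quickstart's "don't forget" items into a hard stop, which is cheaper than discovering a sensor that silently logs nothing.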