exklusve Apprentice
Joined: 23 Aug 2002 Posts: 270 Location: currently ~/
Posted: Mon Nov 07, 2005 10:14 pm Post subject: COMPLETE guide to Snort, MySQL, and BASE |
Ok here it is finally!
This is an updated version of this thread:
https://forums.gentoo.org/viewtopic-t-78718.html
Your guide to snort, mysql, apache, php, and BASE for Gentoo
------------------------------------------------------------------------------------
------------------------------------------------------------------------------------
Edit your /etc/make.conf and include these options.
Code: | USE="gd jpeg png hardenedphp apache2 innodb php perl mysql hardened" |
Packages needed.
Snort
MYSQL
Mod_PHP (will also install PHP which is needed)
Apache
Base (http://secureideas.sourceforge.net/index.php)
Adodb
GD
(You might already have the ones below installed. Please double check.)
Libpng
jpeg
zLib
\\Let's get all the needed packages
MySQL
dev-db/mysql-5.0.15
Code: | ACCEPT_KEYWORDS="~x86" emerge mysql |
Apache
net-www/apache-2.0.54-r31
Mod_php
dev-php/mod_php-4.4.0-r9
Snort
net-analyzer/snort-2.4.3
Code: | ACCEPT_KEYWORDS="~x86" emerge snort |
BASE
base-1.2.1.tar.gz
Download from http://secureideas.sourceforge.net/index.php
Adodb
dev-php/adodb-4.65
GD
media-libs/gd-2.0.32
Code: | emerge media-libs/gd |
Libpng
media-libs/libpng-1.2.8
Code: | emerge media-libs/libpng |
jpeg
media-libs/jpeg-6b-r5
Code: | emerge media-libs/jpeg |
zLib
sys-libs/zlib-1.2.3
\\Let's set up Apache and PHP
Edit your /etc/conf.d/apache file
Code: | nano -w /etc/conf.d/apache |
Edit the 'APACHE2_OPTS' line as shown below:
Code: | APACHE2_OPTS="-D PHP4 -D SSL -D DEFAULT_VHOST" |
This gives us PHP and SSL support.
Now start Apache:
Code: | /etc/init.d/apache2 start |
Watch /var/log/messages for errors.
Let's add Apache to the default run level:
Code: | rc-update add apache default |
\\Let's get MySQL going
Important info for upgrading MySQL:
Code: | If you're upgrading from MySQL-3.x to 4.0, or 4.0.x to 4.1.x, you
must recompile the other packages on your system that link with
libmysqlclient after the upgrade completes. To obtain such a list
of packages for your system, you may use:
revdep-rebuild --library=libmysqlclient.so.14
from app-portage/gentoolkit.
the value of "innodb_log_file_size" into /etc/mysql/my.cnf file
has changed size from "8M" to "5M".
To start mysql either revert the value back to "8M" or backup and
remove the old ib_logfile* from the datadir |
Let's create the default tables etc. in MySQL:
Code: | # /usr/bin/mysql_install_db |
Now let's start MySQL:
Code: | /etc/init.d/mysql start |
Need to set a root password for MySQL:
Code: | /usr/bin/mysqladmin -u root password 'passwordhere' |
Let's add MySQL to the default run level:
Code: | rc-update add mysql default |
\\Let's create the Snort database
First log into MySQL as root:
Now create the database, user, and security.
Code: | create database snort;
grant INSERT,SELECT on root.* to snort@localhost;
SET PASSWORD FOR snort@localhost=PASSWORD('passwordhere');
grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort;
exit |
Now we need to create the database structure for snort by issuing this command:
Code: | zcat /usr/share/doc/snort-2.4.3/schemas/create_mysql.gz | mysql -p snort |
This will create the database structure in MySQL.
To double check that the structure was created:
Code: | mysql -u root -p snort |
Once logged in, issue the show tables; command. You should see this:
Code: |
mysql> show tables;
+------------------+
| Tables_in_snort |
+------------------+
| data |
| detail |
| encoding |
| event |
| icmphdr |
| iphdr |
| opt |
| reference |
| reference_system |
| schema |
| sensor |
| sig_class |
| sig_reference |
| signature |
| tcphdr |
| udphdr |
+------------------+
16 rows in set (0.00 sec) |
Now your database has the correct table structure.
\\OK, now to get Snort logging to the newly created database
Now we need to configure Snort to report to the database and not to log files.
Edit the snort.conf file:
Code: | nano -w /etc/snort/snort.conf |
Find this line shown below (line 382 for me), uncomment it, and change it to reflect your setup:
Code: | output database: log, mysql, user=snort password=password dbname=snort host=localhost |
Now Snort will log all logs and alerts to the MySQL database.
Start Snort with:
Code: | /etc/init.d/snort start |
Add to default run level with:
Code: | rc-update add snort default |
Watch your /var/log/messages for errors.
First off I received this error in /var/log/messages:
Code: | snort[25905]: FATAL ERROR: Unable to open rules file: /etc/snort/rules/local.rules or /etc/snort//etc/snort/rules/local.rules
|
To fix this go to www.snort.org and register.
Download the latest rules and put them in /etc/snort/rules.
Then run Code: | /etc/init.d/snort zap |
This will zap the state of snort back to not running.
Start snort again, and watch /var/log/messages. You should see this:
Code: | snort[26024]: Snort initialization completed successfully (pid=26024) |
\\Let's get prepared to install BASE
Here's where we use the Adodb we downloaded:
Code: | cp /usr/portage/distfiles/adodb465.tgz /var/www/localhost/htdocs/ |
Extract the source:
Code: | cd /var/www/localhost/htdocs |
Code: | tar -zxvf adodb465.tgz |
Install some Pear stuff:
Code: |
pear install Image_Color
pear install Log
pear install Numbers_Roman
pear install http://pear.php.net/get/Numbers_Words-0.13.1.tgz
pear install http://pear.php.net/get/Image_Graph-0.3.0dev4.tgz |
\\Let's get BASE going
Extract the source in /var/www/localhost/htdocs/
Code: | mv base-1.2.1.tar.gz /var/www/localhost/htdocs/ |
Code: | cd /var/www/localhost/htdocs/ |
Code: | tar -zxvf base-1.2.1.tar.gz |
Rename folder to just 'base':
Let's edit the BASE config file, but first copy it to the correct name:
Code: | cp base_conf.php.dist base_conf.php |
Code: | nano -w base_conf.php |
Here is what you'll have to change:
Set your URL to your base installation:
DO NOT INCLUDE A TRAILING SLASH
Code: | $BASE_urlpath = "mybox.mydomain.com/base"; |
Adodb Path:
Code: | $DBlib_path = "/var/www/localhost/htdocs/adodb/"; |
Snort database info:
Change to what you need, should just have to change the password.
Code: | $alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "mypassword"; |
Save that file and open base_main.php in your web browser.
For me the address was Code: | http://lappy.mydomain.com/base/ |
You will then be prompted to make specific changes to the MySQL database. Don't worry, BASE will do it all for you.
After that page hit the "CREATE BASE AG" button to finish the database changes.
After that is all done, click on the link near the bottom that says "Goto main page to use the application".
That's all you should need to get this up and running.
For good measure restart mysql, snort, and apache.
...and it's done.
I'm sure I missed something silly in this doc. It's such a pain trying to do the install and then document it.
Please let me know if I missed anything.
Please post comments, suggestions, corrections, free beer etc here _________________ eXklusve
You do know that no one gives a shit about your system spec's right?
Last edited by exklusve on Mon Nov 14, 2005 10:59 pm; edited 1 time in total |
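Added example, not part of exklusve's post and not code from the Snort or BASE projects: a small POSIX shell script for the Snort-to-MySQL step above. It checks that the output database line is actually active, checks that snort.conf (which now carries the database password) is not world-readable, and prints a narrower set of GRANT statements than the ones in the post (snort database only, localhost only, password set at creation, no root.* grant and no passwordless snort@'%' account). The paths and names are the guide's; the sample config, the helper names and the DBPASS_PLACEHOLDER value are constructed here.

```shell
#!/bin/sh
# Added example (not from the forum post): sanity checks for the Snort -> MySQL
# logging step. The snort.conf path and the database/user names come from the
# guide; the sample config at the bottom is constructed inline.

# Print "db" if CONF has an active "output database:" line naming the mysql
# plugin, "commented" if the only such line is commented out, else "missing".
snort_output_mode() {
    conf="$1"
    if grep -Eq '^[[:space:]]*output[[:space:]]+database:.*mysql' "$conf"; then
        echo db
    elif grep -Eq '^[[:space:]]*#[[:space:]]*output[[:space:]]+database:.*mysql' "$conf"; then
        echo commented
    else
        echo missing
    fi
}

# The output line embeds the database password, so snort.conf should not be
# world-readable. Print "yes" or "no". Reads the 'other' read bit from ls -l
# (character 8) because stat's options differ between GNU and BSD.
world_readable() {
    case "$(ls -ld "$1" | cut -c8)" in
        r) echo yes ;;
        *) echo no ;;
    esac
}

# Print least-privilege GRANT statements for the snort account: scoped to the
# snort database only, bound to localhost, password set when the account is
# created. GRANT ... IDENTIFIED BY is the MySQL 4.x/5.0 form used in this
# thread's era (removed in MySQL 8). DBPASS_PLACEHOLDER must be replaced.
snort_grant_sql() {
    db="${1:-snort}"
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\`;
GRANT CREATE,INSERT,SELECT,DELETE,UPDATE ON \`$db\`.* TO 'snort'@'localhost' IDENTIFIED BY 'DBPASS_PLACEHOLDER';
FLUSH PRIVILEGES;
EOF
}

# Demo on a constructed snort.conf fragment (the real file is /etc/snort/snort.conf).
demo_conf=$(mktemp)
cat >"$demo_conf" <<'EOF'
# output database: log, mysql, user=snort password=password dbname=snort host=localhost
output alert_fast: alert
EOF
echo "output mode:    $(snort_output_mode "$demo_conf")"   # commented
echo "world-readable: $(world_readable "$demo_conf")"
snort_grant_sql snort
rm -f "$demo_conf"
```

To audit a live install, call the functions on the real file, e.g. `snort_output_mode /etc/snort/snort.conf` and `world_readable /etc/snort/snort.conf`; feed the printed SQL to `mysql -u root -p` after substituting the placeholder password.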
QuietStorm n00b
Joined: 02 Aug 2004 Posts: 44 Location: Texas
Posted: Wed Nov 09, 2005 2:47 am Post subject: |
Thanks for this cool guide, I have been wanting to setup snort but was looking for a nice step by step guide for it.
And here it is!! Thanks |
aamonten n00b
Joined: 27 Aug 2003 Posts: 72 Location: Chile
Posted: Sat Nov 12, 2005 9:47 pm Post subject: |
I'm going to install snort based on this tutorial, but I'm in doubt whether MySQL 5 is necessary or if I can just use MySQL 4.
EDITED:
Well it does work with MySQL 4
regards
aamonten
Last edited by aamonten on Sat Nov 12, 2005 10:40 pm; edited 1 time in total |
aamonten n00b
Joined: 27 Aug 2003 Posts: 72 Location: Chile
Posted: Sat Nov 12, 2005 10:39 pm Post subject: |
Well, it works nearly perfectly; it took less than an hour to install everything.
The only addition I had to make was to change the permissions on /var/log/snort/alerts.
And there is a little typo where you specify the path to the Adodb; it says
Code: |
/usr/port/distfiles/adodb465.tgz should be /usr/[b]port[/b]/distfiles/adodb465.tgz
|
Regards and thank you. |
exklusve Apprentice
Joined: 23 Aug 2002 Posts: 270 Location: currently ~/
Posted: Mon Nov 14, 2005 11:00 pm Post subject: |
Corrected from /usr/port/distfiles to /usr/portage/distfiles
thanks _________________ eXklusve
You do know that no one gives a shit about your system spec's right? |
GentooBox Veteran
Joined: 22 Jun 2003 Posts: 1168 Location: Denmark
Posted: Wed Nov 16, 2005 10:19 am Post subject: |
(I'm not currently sitting on a Gentoo box.)
I have a problem with this step:
I have no executable on my system called pear; where does it come from? _________________ Encrypt, lock up everything and duct tape the rest |
takuan n00b
Joined: 13 Nov 2005 Posts: 6
Posted: Sun Nov 27, 2005 6:23 pm Post subject: |
Thanks for the how-to!
I've followed everything but am having problems with graphing
I know i installed all of the pear stuff but i get
Error loading the Graphing library:
Check your Pear::Image_Graph installation!
Image_Graph can be found here:at http://pear.veggerby.dk/. Without this library no graphing operations can be performed.
Is there anything you might have forgotten to mention? |
emnii n00b
Joined: 29 Nov 2005 Posts: 1
Posted: Tue Nov 29, 2005 2:02 pm Post subject: |
I've followed each step to the letter and I've encountered no problems whatsoever. But I'm running a strictly console-only installation. No X, Gnome, KDE, none of that. Is there a web browser that will properly display BASE's PHP files that is console-friendly? |
jrittenh Tux's lil' helper
Joined: 10 Feb 2005 Posts: 92
Posted: Tue Dec 06, 2005 8:30 pm Post subject: |
I've got everything up and running, and it seems to be functioning properly...but when I go to view the logs in BASE, under "Signature", all I get is a number referencing the Sig_ID. I'm currently in a class where we just installed and configured Snort and ACID, but we used 2.3.3 since that's what is "stable" in Gentoo (we didn't check to see if there was anything newer). I'm not sure if my groupmates did anything specific to fix this problem or not, but I think they may have had to edit part of ACID to fix this.
What I've done so far:
I originally installed ACID, but ran into this problem, so I thought maybe the database structure changed between 2.3.3 and 2.4.3 somehow. I tried uninstalling 2.4.3 and installing 2.3.3, and I tried installing 2.4.3 and BASE instead of ACID, but no matter what I do, I can't get it to display the Signature instead of the Sig_ID. I'd prefer not to have to take the time and go through the BASE PHP code to find where this is happening. Has anyone else seen this? |
GentooBox Veteran
Joined: 22 Jun 2003 Posts: 1168 Location: Denmark
Posted: Sat Dec 10, 2005 7:05 pm Post subject: |
jrittenh wrote: | I've got everything up and running, and it seems to be functioning properly...but when I go to view the logs in BASE, under "Signature", all I get is a number referencing the Sig_ID. I'm currently in a class where we just installed and configured Snort and ACID, but we used 2.3.3 since that's what is "stable" in Gentoo (we didn't check to see if there was anything newer). I'm not sure if my groupmates did anything specific to fix this problem or not, but I think they may have had to edit part of ACID to fix this.
What I've done so far:
I originally installed ACID, but ran into this problem, so I thought maybe the database structure changed between 2.3.3 and 2.4.3 somehow. I tried uninstalling 2.4.3 and installing 2.3.3, and I tried installing 2.4.3 and BASE instead of ACID, but no matter what I do, I can't get it to display the Signature instead of the Sig_ID. I'd prefer not to have to take the time and go through the BASE PHP code to find where this is happening. Has anyone else seen this? |
My first setup with this guide was fine; all the sids were translated correctly. But then another system administrator on the snort computer upgraded PHP and MySQL (from 4.x to 5.x) and I can also only see the sids now. _________________ Encrypt, lock up everything and duct tape the rest |
jrittenh Tux's lil' helper
Joined: 10 Feb 2005 Posts: 92
Posted: Sun Dec 11, 2005 8:27 am Post subject: |
GentooBox wrote: | My first setup with this guide was fine, all the sid's was translated correctly. but then another system administrator on the snort computer upgraded PHP and MySQL (from 4.x to 5.x) and i can also only see the sid's now. |
I've found the problem. MySQL 5.x apparently recognizes schema as a keyword. In the BASE code there is a file BASE/includes/base_db.inc.php with two lines (lines 95 and 155 in version 1.2.1) that look like this:
Code: | $sql = "SELECT vseq FROM schema"; |
They should look like this:
Code: | $sql = "SELECT vseq FROM `schema`"; |
I used the accent rather than a single quote, but only because I saw it like that somewhere else. I would assume MySQL would take single quotes as well, but I was in a hurry when I did it and didn't want to test both, so I just followed the example I saw. That should fix it for you too.
Last edited by jrittenh on Sun Dec 11, 2005 3:45 pm; edited 1 time in total |
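Added example, not from jrittenh's post and not BASE project code: a POSIX shell script that finds bare uses of the table name schema in SQL strings and emits a patched copy with the identifier backtick-quoted, which is the MySQL 5.x fix described above. It works on any file; the PHP lines it is demonstrated on are constructed to look like the two lines in base_db.inc.php, and the helper names are invented here.

```shell
#!/bin/sh
# Added example (not from the forum post): locate and patch unquoted "schema"
# identifiers in BASE's SQL strings, the MySQL 5.x reserved-word breakage
# discussed in the thread. The sample lines below are constructed.

# Count lines where "schema" appears as a bare identifier: preceded by
# whitespace and followed by whitespace, a double quote, ';' or ')'. The fixed
# form `schema` is preceded by a backtick and is therefore not counted.
unquoted_schema_lines() {
    grep -c '[[:space:]]schema[[:space:]";)]' "$1" || true
}

# Emit FILE with every bare "schema" identifier wrapped in backticks. Writes to
# stdout rather than editing in place, so the caller can diff before replacing.
quote_schema_identifier() {
    sed 's/\([[:space:]]\)schema\([[:space:]";)]\)/\1`schema`\2/g' "$1"
}

# Demo on constructed lines shaped like base_db.inc.php (v1.2.1 lines 95/155),
# including one line that is already fixed and must be left alone.
demo=$(mktemp)
cat >"$demo" <<'EOF'
$sql = "SELECT vseq FROM schema";
$sql = "UPDATE schema SET vseq = 2";
$sql = "SELECT vseq FROM `schema`";
EOF
echo "bare identifiers before: $(unquoted_schema_lines "$demo")"          # 2
quote_schema_identifier "$demo" >"$demo.fixed"
echo "bare identifiers after:  $(unquoted_schema_lines "$demo.fixed")"    # 0
cat "$demo.fixed"
rm -f "$demo" "$demo.fixed"
```

On a real install you would run `quote_schema_identifier /var/www/localhost/htdocs/base/includes/base_db.inc.php > /tmp/base_db.inc.php`, inspect the diff, and then move the patched copy over the original.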
GentooBox Veteran
Joined: 22 Jun 2003 Posts: 1168 Location: Denmark
Posted: Sun Dec 11, 2005 12:19 pm Post subject: |
jrittenh wrote: | GentooBox wrote: | My first setup with this guide was fine, all the sid's was translated correctly. but then another system administrator on the snort computer upgraded PHP and MySQL (from 4.x to 5.x) and i can also only see the sid's now. |
I've found the problem. MySQL 5.x apparently recognizes schema as a keyword. In the BASE code there is a file BASE/includes/base_db.inc.php with two lines (lines 95 and 155 in version 1.2.1) that look like this:
Code: | $sql = "SELECT vseq FROM schema"; |
They should look like this:
Code: | $sql = "SELECT vseq FROM `schema`"; |
I used the accent rather than a single quote, but only because I saw it like that somewhere else. I would assume MySQL would take single quotes as well, but I was in a hurry when I did it and didn't want to test both, so I just followed the example I saw. That should fix it for you too. |
Thanks, I will try it tomorrow _________________ Encrypt, lock up everything and duct tape the rest |
jrittenh Tux's lil' helper
Joined: 10 Feb 2005 Posts: 92
Posted: Sun Dec 18, 2005 5:43 pm Post subject: |
jrittenh wrote: | Code: | $sql = "SELECT vseq FROM `schema`"; |
I used the accent rather than a single quote, but only because I saw it like that somewhere else. I would assume MySQL would take single quotes as well, but I was in a hurry when I did it and didn't want to test both, so I just followed the example I saw. That should fix it for you too. |
Another note: using a regular single quote DOES NOT work. I tested a query (desc 'schema') and it threw the same error it throws without the quotes. If you're using MySQL 5.x and you can't see more than the SigIDs, make sure you put accents (`) around any occurrence of schema rather than single quotes ('). |
]Trix[ Apprentice
Joined: 27 Feb 2003 Posts: 184
Posted: Sun Dec 25, 2005 5:00 pm Post subject: |
This doesn't work for me!
I just nmapped myself from a remote host and nothing gets logged...
iptables reports all scans but snort doesn't do anything. _________________ Frank Zappa: "A mind is like a parachute. It doesn't work if it's not open." |
]Trix[ Apprentice
Joined: 27 Feb 2003 Posts: 184
Posted: Sun Dec 25, 2005 7:55 pm Post subject: |
I really don't get it. Why doesn't it log any events? Everything should work according to many sources, but it doesn't. What am I missing?
Anyone had the same experience? _________________ Frank Zappa: "A mind is like a parachute. It doesn't work if it's not open." |
thecooptoo Veteran
Joined: 27 Apr 2003 Posts: 1353 Location: UK
Posted: Mon Dec 26, 2005 6:16 pm Post subject: |
To get mine to work properly Code: | $BASE_urlpath = "mybox.mydomain.com/base"; |
has to be just the relative path,
i.e.
Code: | $BASE_urlpath = "/base"; |
I'm having problems at this stage.
Anyone know the answer?
Code: |
grenada snort # pear install Image_Color
downloading Image_Color-1.0.2.tgz ...
Starting to download Image_Color-1.0.2.tgz (7,724 bytes)
.....done: 7,724 bytes
'gd' PHP extension is not installed
Image_Color: Dependencies failed
|
but I've got
Code: |
grenada snort # emerge -p media-libs/gd
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild R ] media-libs/gd-2.0.33
grenada snort # |
_________________ join the optout - http://nhsconfidentiality.org |
kidgloves n00b
Joined: 13 Jan 2006 Posts: 2
Posted: Fri Jan 13, 2006 1:44 am Post subject: $BASE_urlpath = "/base" |
thecooptoo wrote: | To get mine to work properly Code: | $BASE_urlpath = "mybox.mydomain.com/base"; |
has to be just the relative path,
i.e.
Code: | $BASE_urlpath = "/base"; |
I had to make the same change, other than that, everything went smoothly. Thanks for the excellent doc. |
Suicidal l33t
Joined: 30 Jul 2003 Posts: 959 Location: /dev/null
Posted: Sun Jan 15, 2006 2:58 am Post subject: |
If you have a really busy network like I do, BASE, just like ACID, can start to get really slow over time because it tries to refresh the alert, IP and whois caches.
The following cron works really nicely for me and keeps BASE running smoothly.
First copy base_maintenance.pl from the scripts directory and create the following cron.
Code: | /root/crons/base_maintenance.pl ualert
/root/crons/base_maintenance.pl uip
/root/crons/base_maintenance.pl uwhois
|
cshepherd n00b
Joined: 19 Oct 2004 Posts: 27 Location: /home/craig/
Posted: Thu Jan 19, 2006 10:32 pm Post subject: |
thecooptoo wrote: |
im having problems at this is stage
anyone know the answer ?
Code: |
grenada snort # pear install Image_Color
downloading Image_Color-1.0.2.tgz ...
Starting to download Image_Color-1.0.2.tgz (7,724 bytes)
.....done: 7,724 bytes
'gd' PHP extension is not installed
Image_Color: Dependencies failed
|
but ive got
Code: |
grenada snort # emerge -p media-libs/gd
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild R ] media-libs/gd-2.0.33
grenada snort # |
|
You also need php compiled with the gd use flag.
Code: | emerge -pv dev-php/php |
(Replace with dev-lang/php if that's what you're using)
should show you if it's been compiled with gd, otherwise recompile.
Hopefully that fixes it. |
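Added example, not from cshepherd's post: a POSIX shell function that reads the USE="..." field from one line of emerge -pv output and reports whether a given flag is enabled, disabled (listed with a leading '-') or not offered by that package at all, which is the check suggested above for the gd flag on PHP. The sample line is constructed to look like emerge's output, not captured from a real run, and the function name is invented here.

```shell
#!/bin/sh
# Added example (not from the forum post): inspect the USE field of an
# `emerge -pv` line for a given flag. The sample line below is constructed.

# use_flag_state EMERGE_LINE FLAG -> "enabled" | "disabled" | "absent"
use_flag_state() {
    # Pull the contents of USE="..." out of the line; empty if there is none.
    flags=$(printf '%s\n' "$1" | sed -n 's/.*USE="\([^"]*\)".*/\1/p')
    state=absent
    for f in $flags; do
        f=${f%\*}                 # emerge marks a changed flag with a trailing '*'
        case "$f" in
            "$2")  state=enabled ;;
            "-$2") state=disabled ;;
        esac
    done
    echo "$state"
}

# Demo: a constructed `emerge -pv dev-php/php` line where gd is switched off.
demo_line='[ebuild   R   ] dev-php/php-4.4.0-r9  USE="apache2 mysql pcre -gd -pear" 0 kB'
for flag in apache2 gd jpeg; do
    echo "$flag: $(use_flag_state "$demo_line" "$flag")"
done
```

For the real check, pipe emerge's own output through it, e.g. `use_flag_state "$(emerge -pv dev-php/php | grep '^\[ebuild')" gd`; "disabled" or "absent" means PHP must be rebuilt with gd in USE before the PEAR Image_* packages will install.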
tukachinchila Apprentice
Joined: 11 Mar 2005 Posts: 274 Location: Oregon
Posted: Fri Jan 20, 2006 12:47 am Post subject: |
Thanks for the ACID and BASE guides. One correction you might consider is changing the old ACCEPT_KEYWORDS method. You shouldn't use ACCEPT_KEYWORDS on the command line anymore.
exklusve wrote: | Code: |
ACCEPT_KEYWORDS="~x86" emerge mysql |
|
If you have to use an unstable package, the newer solution is: Code: | echo "dev-db/mysql ~x86" >> /etc/portage/package.keywords
emerge mysql |
If anyone's interested, I've written a BASE ebuild that might help with the installation process. It installs all the dependencies for you (including all of the PEAR libraries like Image_Graph), so it will at least save you from having to type "pear install..." over and over. It also sets up the base_conf.php file for you, so all you have to do is change the default password to whatever you set your Snort password to. It should improve security a little as well, by moving base_conf.php from the web-root to /etc/base so it won't accidentally display your database password to web visitors.
To use the ebuild, you have to first set up a portage overlay if you haven't already. Add the following to /etc/make.conf: Code: | PORTDIR_OVERLAY="/usr/local/portage" | Then: Code: | mkdir -p /usr/local/portage/net-analyzer/base
cd /usr/local/portage/net-analyzer/base
wget http://home.comcast.net/~travis.post/base-1.2.2.ebuild
ebuild base-1.2.2.ebuild digest
emerge base |
Vanquirius Retired Dev
Joined: 14 Jun 2002 Posts: 1297 Location: Ethereal plains
Posted: Sat Jan 28, 2006 8:22 pm Post subject: |
tukachinchila's ebuild is now available as net-analyzer/base. It's currently in package.mask. Please give it a try. _________________ Hello. |
Stino85 n00b
Joined: 23 Jan 2006 Posts: 7
Posted: Fri Feb 03, 2006 6:12 pm Post subject: |
Got it working using the ebuild, thanks for that one! |
czo Tux's lil' helper
Joined: 01 Sep 2004 Posts: 107 Location: Denmark
Posted: Fri Feb 03, 2006 9:28 pm Post subject: |
Great how-to... thx |
eroth n00b
Joined: 24 Feb 2005 Posts: 33 Location: Chicago
Posted: Sat Mar 18, 2006 8:51 pm Post subject: |
Great guide...it's helped me get everything up and running.
A few quick notes though, as the guide might be a bit dated:
1. The PEAR libraries should be installed via portage (i.e. emerge -av --oneshot dev-php/PEAR-Numbers_Roman) or pulled in directly by the packages requiring them, which I suppose is the new Gentoo way rather than the pear command line. I had to add the following to /etc/portage/package.keywords:
Code: | dev-php/PEAR-Image_Canvas ~x86
dev-php/PEAR-Image_Color ~x86
dev-php/PEAR-Image_Graph ~x86
dev-php/PEAR-Numbers_Roman ~x86 |
2. Some users may need to edit /etc/conf.d/snort, as I had to. It defines eth0 as the listener interface, but in some cases this may not be true. As I've got to deal with PPPoE, I needed to change that to ppp0. But I assume it would be the same for someone on wlan0, ath0, or whatever else...
3. When I emerged BASE, I followed the instructions regarding base_conf.php. I assume there is a newer ebuild in portage than what you based your guide upon, as I've got net-analyzer/base-1.2.2-r1. In any case, this ebuild installed /etc/base.conf.php. So when I edited the one in htdocs and started getting errors loading the script, I was sent on a wild goose chase.
4. (*Optional*) After setting everything up, from the admin panel, you should really create a role and then a user. Then go back into /etc/base/base_conf.php and set $Use_Auth_System = 1;.
So anyway, I hope that advice may be able to help anyone who might get stuck a bit. Thanks again for the great guide! |
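Added example, not part of the thread and not BASE project code: a POSIX shell audit of a base_conf.php that checks the three settings raised in the thread: thecooptoo's and kidgloves' finding that $BASE_urlpath must be a relative path with no trailing slash, tukachinchila's point that the file should live outside the web root so it cannot be served with the database password in it, and eroth's advice to set $Use_Auth_System = 1. The variable names and paths are the ones used in the thread; the sample config, the helper names and the "default password" list (the placeholders used in the guide) are constructed here.

```shell
#!/bin/sh
# Added example (not from the forum thread): audit a BASE base_conf.php for the
# settings discussed in the thread. The sample config below is constructed.

# Print the value of $NAME from FILE, handling  $NAME = "str";  and  $NAME = 1;
conf_value() {
    sed -n "s/^[[:space:]]*\\\$$2[[:space:]]*=[[:space:]]*[\"']\{0,1\}\([^\"';]*\)[\"']\{0,1\}[[:space:]]*;.*/\1/p" "$1" | head -n 1
}

# "ok" when $BASE_urlpath is relative (starts with /) and has no trailing slash.
check_urlpath() {
    case "$(conf_value "$1" BASE_urlpath)" in
        */) echo trailing-slash ;;
        /*) echo ok ;;
        *)  echo not-relative ;;
    esac
}

# "enabled" when BASE's own login ($Use_Auth_System = 1) is on, else "disabled".
check_auth() {
    [ "$(conf_value "$1" Use_Auth_System)" = 1 ] && echo enabled || echo disabled
}

# "default" when $alert_password is empty or still one of the guide's placeholders.
check_db_password() {
    case "$(conf_value "$1" alert_password)" in
        ""|mypassword|password|passwordhere) echo default ;;
        *) echo set ;;
    esac
}

# "in-webroot" if CONF_PATH lies under WEBROOT (default: the guide's htdocs),
# where a misconfigured server could serve it as plain text; else "outside".
check_location() {
    case "$1" in
        "${2:-/var/www/localhost/htdocs}"/*) echo in-webroot ;;
        *) echo outside ;;
    esac
}

audit_base_conf() {
    echo "urlpath:     $(check_urlpath "$1")"
    echo "db password: $(check_db_password "$1")"
    echo "auth:        $(check_auth "$1")"
    echo "location:    $(check_location "$1")"
}

# Demo on a constructed config carrying the guide's values; every check fails.
demo=$(mktemp)
cat >"$demo" <<'EOF'
$BASE_urlpath = "mybox.mydomain.com/base";
$DBlib_path = "/var/www/localhost/htdocs/adodb/";
$alert_dbname = "snort";
$alert_user = "snort";
$alert_password = "mypassword";
$Use_Auth_System = 0;
EOF
audit_base_conf "$demo"
echo "location of the guide's path: $(check_location /var/www/localhost/htdocs/base/base_conf.php)"
rm -f "$demo"
```

Point it at the real file with `audit_base_conf /etc/base/base_conf.php` (or the htdocs copy on an older install); anything other than ok / set / enabled / outside is one of the problems the posts above describe.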
carpman Advocate
Joined: 20 Jun 2002 Posts: 2202 Location: London - UK
Posted: Fri Mar 24, 2006 8:33 pm Post subject: |
Hello, I have got into the habit of using package.use instead of make.conf for keywords, using make.conf only for very basic ones.
My question is of the use flags you gave which ones apply to which package?
Quote: |
USE="gd jpeg png hardenedphp apache2 innodb php perl mysql hardened" |
cheers _________________ Work Station - 64bit
Gigabyte GA X48-DQ6 Core2duo E8400
8GB GSkill DDR2-1066
SATA Areca 1210 Raid
BFG OC2 8800 GTS 640mb
--------------------------------
Notebook
Samsung Q45 7100 4gb |