COMPLETE guide to Snort, MySQL, and BASE

Unofficial documentation for various parts of Gentoo Linux. Note: This is not a support forum.

Post by jhybinette » Thu Mar 30, 2006 5:35 pm

I thought that if you are going to use the hardened flag, you have to build a hardened system first, like setting the flags using ufed

hardened erandom pic

then re-emerge gcc and glibc
then emerge -e world
then rebuild the kernel and enable pax etc etc etc

If you don't do this the hardened flag may backfire on you

Johan

Post by Khan » Mon Apr 03, 2006 8:10 pm

Trying this only resulted in blocks due to mod_php and php. And using "pear install Log" only produces the following error: PEAR_Remote: authorization required, please log in first

Does anyone have any idea how to get the Pear modules installed so that I can generate graphing? Thanks.

eroth wrote: Great guide... it's helped me get everything up and running.

A few quick notes though, as the guide might be a bit dated:
1. The Pear libraries should be installed via portage (i.e. emerge -av --oneshot dev-php/PEAR-Numbers_Roman) or pulled in directly from the packages requiring them, which I suppose is the new Gentoo way rather than the pear command line. I had to add the following to /etc/portage/package.keywords:

Code:

dev-php/PEAR-Image_Canvas ~x86
dev-php/PEAR-Image_Color ~x86
dev-php/PEAR-Image_Graph ~x86
dev-php/PEAR-Numbers_Roman ~x86

Post by atmat » Tue Apr 11, 2006 1:01 pm

When I start snort I get this weird error

Apr 11 19:26:22 [snort] FATAL ERROR: unknown preprocessor "http_decode"_

I did not look at the docs yet. No time, anyone knows what's this "http_decode" thing? Sorry for asking, no time to look around Google :( I'll be online again tonight.. if someone posts here the answer ok, otherwise I'll take a deeper look at snort.

thnx and sorry for the quick post.

bye

Post by blackcell » Wed Apr 12, 2006 2:11 am

use http_inspect instead of http_decode
"If the automobile had followed the same development cycle as the computer, a Rolls-Royce would today cost $100, get a million miles per gallon, and explode once a year, killing everyone inside."

Post by carpman » Thu Apr 13, 2006 2:14 pm

Hello, ok going to go ahead and try this using the following package.use

Code:

media-libs/gd jpeg png
dev-lang/php -* apache2 dba cgi cli ctype crypt curl gd jpeg mysql pear pcre pcntl png pdo-external session sockets sockets  spell session tiff truetype xml xml2 xsl zlib
net-www/apache apache2 mpm-prefork
net-analyzer/snort mysql
net-analyzer/base apache2 gd mysql vhosts
dev-db/mysql innodb session


Not using hardened setup so don't need harden use flag.


Anyone see any problems with this setup?

cheers
Work Station - 64bit
Gigabyte GA X48-DQ6 Core2duo E8400
8GB GSkill DDR2-1066
SATA Areca 1210 Raid
BFG OC2 8800 GTS 640mb
--------------------------------
Notebook
Samsung Q45 7100 4gb

Base with PHP5?

Post by wschalk » Tue Apr 25, 2006 12:33 am

Hi,

I am trying to install BASE on PHP5 but here's the error message I am getting:

# emerge -vp net-analyzer/base

These are the packages that I would merge, in order:

Calculating dependencies \
!!! All ebuilds that could satisfy ">=dev-php4/jpgraph-1.19" have been masked.
!!! One of the following masked packages is required to complete your request:
- dev-php4/jpgraph-1.20.2 (masked by: ~x86 keyword)
- dev-php4/jpgraph-1.19 (masked by: ~x86 keyword)

For more information, see MASKED PACKAGES section in the emerge man page or
refer to the Gentoo Handbook.
!!! (dependency required by "net-analyzer/base-1.2.4" [ebuild])

So my problem is that if I unmask jpgraph in dev-php4, it wants to install PHP4, which I don't use. Any ideas how to
stick with PHP5 but install BASE successfully?

Thank you.

Best regards,
Werner

Re: Base with PHP5?

Post by carpman » Tue Apr 25, 2006 10:27 am

wschalk wrote: Hi,

I am trying to install BASE on PHP5 but here's the error message I am getting:

# emerge -vp net-analyzer/base

These are the packages that I would merge, in order:

Calculating dependencies \
!!! All ebuilds that could satisfy ">=dev-php4/jpgraph-1.19" have been masked.
!!! One of the following masked packages is required to complete your request:
- dev-php4/jpgraph-1.20.2 (masked by: ~x86 keyword)
- dev-php4/jpgraph-1.19 (masked by: ~x86 keyword)

For more information, see MASKED PACKAGES section in the emerge man page or
refer to the Gentoo Handbook.
!!! (dependency required by "net-analyzer/base-1.2.4" [ebuild])

So my problem is that if I unmask jpgraph in dev-php4, it wants to install PHP4, which I don't use. Any ideas how to
stick with PHP5 but install BASE successfully?

Thank you.

Best regards,
Werner

Here is my package.keywords that I use to install with php5

Code:

dev-php5/pecl-apc
www-apps/phpsysinfo
dev-php/smarty
dev-php5/jpgraph ~x86
dev-php5/pecl-pdo
dev-php/PEAR-Image_Canvas ~x86
dev-php/PEAR-Image_Color ~x86
dev-php/PEAR-Image_Graph ~x86
dev-php/PEAR-Numbers_Roman ~x86
net-analyzer/base

Post by emily87 » Tue Apr 25, 2006 11:06 am

Great how-to

Thank you :)

Installing Base

Post by wschalk » Tue Apr 25, 2006 8:23 pm

Hi,

thanks for the instructions on base and PHP5. When I try to install it on my system I get the following
error message during the installation of PEAR_Image_Color:

>>> Install PEAR-Image_Color-1.0.2 into /var/tmp/portage/PEAR-Image_Color-1.0.2/image/ category dev-php
/usr/portage/eclass/php-pear-r1.eclass: line 68: pear: command not found

!!! ERROR: dev-php/PEAR-Image_Color-1.0.2 failed.
!!! Function php-pear-r1_src_install, Line 68, Exitcode 127
!!! Unable to install PEAR package
!!! If you need support, post the topmost build error, NOT this status message.

In which package is the "pear" command?

Cheers,
Werner.

Post by iverasp » Wed Apr 26, 2006 11:14 pm

I can't seem to get remote logging working. The plan is to use my linux router as the snort host, and my main server as the web- and mysqlserver. Been working on it for a while now. First snort complained about missing libmysqlclient* libraries, so I finally had to emerge mysql on the router. Then I had to change the my.cnf on the main server to allow other IPs to connect to the mysqlserver. Then the authentication method was outdated or something on the router, so I had to figure that out. Now I can connect with mysql -h 192.168.1.40 -u snort -p and get access to the remote mysqlserver, but snort still won't work. Here's the line I changed in snort.conf:

output database: log, mysql, user=snort password=secretpass dbname=snort host=192.168.1.40

When running /etc/init.d/snort start it says [ OK ], but the program doesn't run. When doing snort -i eth0 -c /etc/snort/snort.conf I get the following:

(..lots of text..)
X-Link2State Config:
Ports: 25 691
database: compiled support for ( mysql )
database: configured to use mysql
database: user = snort
database: password is set
database: database name = snort
database: host = 192.168.1.40
database: sensor name = 192.168.1.1
Illegal instruction


mysql is running on the default port btw.

Does anyone have a clue of what needs to be fixed?
Thanks

Post by phoric » Fri Jun 23, 2006 5:32 pm

I used this guide but am getting the following error when trying to access http://localhost/base ...

Code:

Database ERROR:Database ERROR:Table 'snort.base_users' doesn't exist

I double-checked the MySQL tables as suggested in the guide:

Code:

mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
16 rows in set (0.00 sec)
phoric

Post by phoric » Fri Jun 23, 2006 5:55 pm

The tutorial must be a little out of date now, as I am using base 1.2.5. I solved my own problem by browsing to:

http://localhost/base/setup/

This loaded a setup wizard of sorts, that will create the necessary tables for you. After that BASE seems to be working now for me. Probably should add this to the tutorial.

Post by kare » Fri Jun 30, 2006 7:26 am

My snort database becomes very big. Is there a script to delete old records?

Post by echo6 » Sun Jul 02, 2006 9:16 am

This howto is getting dated, there is a Wiki which may be of assistance http://gentoo-wiki.com/HOWTO_Apache2_with_BASE

Post by kernelOfTruth » Sun Dec 16, 2007 9:24 pm

echo6 wrote: This howto is getting dated, there is a Wiki which may be of assistance http://gentoo-wiki.com/HOWTO_Apache2_with_BASE

that wiki, this howto & the tips mentioned above helped me install it successfully thanks to everyone involved :D

I got error-messages in the beginning but re-emerging php, adodb, apache2 1-2 times & etc-update made it finally work :roll:
https://github.com/kernelOfTruth/ZFS-fo ... scCD-4.9.0
https://github.com/kernelOfTruth/pulsea ... zer-ladspa

Hardcore Gentoo Linux user since 2004 :D

Post by [ToXiC] » Sun Feb 24, 2008 9:46 pm

This post has been quiet for a while but for anyone still out there reading this:

When I started base and then went to configure the backend I got this message:

"Fatal error: Call to undefined function session_start() in /var/www/localhost/htdocs/base/base_conf.php on line 20"

Anyone?

Post by sLumpia » Wed May 28, 2008 6:00 am

^Have you tried enabling the session USE flag for dev-lang/php?
I love it

Post by guinness.stout » Mon Dec 29, 2008 4:22 pm

Just wanted to add an update for those trying to follow this howto today.

Snort

net-analyzer/snort-2.4.3

Code:

ACCEPT_KEYWORDS="~x86" emerge snort

Should be

Code:

EXTRA_ECONF="--enable-dynamicplugin" emerge snort

Dynamic plugins did not seem to emerge when I ran the other command. If these are not installed you will see something similar to the errors below in your /var/log/messages.

Code:

Dec 29 12:07:50 copper snort[27286]: /etc/snort/snort.conf(573) unknown dynamic preprocessor "ftp_telnet"
Dec 29 12:07:50 copper snort[27286]: /etc/snort/snort.conf(577) unknown dynamic preprocessor "ftp_telnet_protocol"
Dec 29 12:07:50 copper snort[27286]: /etc/snort/snort.conf(591) unknown dynamic preprocessor "ftp_telnet_protocol"
Dec 29 12:07:50 copper snort[27286]: /etc/snort/snort.conf(596) unknown dynamic preprocessor "ftp_telnet_protocol"
Dec 29 12:07:50 copper snort[27286]: /etc/snort/snort.conf(622) unknown dynamic preprocessor "smtp"
Dec 29 12:07:50 copper snort[27286]: /etc/snort/snort.conf(777) unknown dynamic preprocessor "dcerpc"
Dec 29 12:07:50 copper snort[27286]: /etc/snort/snort.conf(795) unknown dynamic preprocessor "dns"

Now we need to create the database structure for snort by issuing this command:

Code:

zcat /usr/share/doc/snort-2.4.3/schemas/create_mysql.gz | mysql -p snort

Should be

Code:

bzcat /usr/share/doc/snort-2.6.1.3-r1/schemas/create_mysql.bz2 | mysql -p snort

Additionally I had to edit my /etc/snort/snort.conf to point to the dynamicplugins directory. This was line 197 for me. You should be able to run ls on /usr/lib/snort_dynamicpreprocessor and see several lib files.

Code:

dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/

BASE

To get BASE up and running I had to edit the following files.

This must point to your base_conf.php file which is in /var/www/localhost/htdocs/base

Code:

base_path.php

This must contain your snort DB and your snort archive DB, make sure you set the password for both, this got me hung up for a minute until I scrolled further down the conf file and saw another DB config to set.

Code:

base_conf.php

Post by yoosty69 » Wed Apr 08, 2009 1:27 am

Another update for those interested in setting this up..
I just installed snort-2.8.3.1 (needs to be unmasked) and base-1.4.1 and it seems to be working fine. A few notes about USE flags for the packages:
*) snort-2.8.3.1 doesn't like having ipv6 enabled
*) snort-2.8.3.1 has a USE flag for dynamic plugins
*) base-1.4.1 uses the ctype functions from php for graphing, so php should have the ctype USE flag enabled

Here's the relevant part of my /etc/make.conf (I doubt kerberos is strictly necessary):

Code:

USE="-X -gtk apache2 ctype dynamicplugin gd kerberos mysql xml"

I disabled ipv6 for snort in /etc/portage/package.use:

Code:

net-analyzer/snort   -ipv6

Other than that, following the 1st post and the notes from guinness.stout got me through the setup! Thanks guys!

Post by indica » Wed Aug 26, 2009 6:09 pm

thx mate,

took a little tweaking with the versions of PEAR apps but it was a great HOWTO!

got everything up and running in about an hour, now just to get snort tweaked and some more of the rules running!

thx again!

-Todd

Post by Killerchronic » Tue Apr 20, 2010 3:35 pm

PEAR packages are installed via portage now once base was unmasked.
Already had apache, php and mysql set up and running fine so can't comment on the guide for that.

Only thing I really had to change was the path in base_path.php as it wasn't pointing to any base_conf.php.

Other than that there were no obvious flaws, surprised me really, most Gentoo guides go out of date in no time :)

Thanks.