Ubuntu 7.10 + Snort, Apache, Mysql....
g0tb00st
23rd January 2008, 21:54
Hi everyone,
I'm new to the forums. I found this site after looking for a good how-to on installing snort, base, etc.... After searching, I found this article, http://www.howtoforge.com/intrusion-detection-with-snort-mysql-apache2-on-ubuntu-7.10. I followed it to the letter and I'm still unable to get it going. BASE doesn't show anything at all after snort has been running for a while. Is there anyone out there that could possibly help me out or is experiencing the same issues as I am?
Thank you,
Erik
falko
24th January 2008, 15:49
Any errors in your logs?
j_hj
16th February 2008, 03:16
I've also just installed it, but I don't know if it works. How do I check if it works?
g0tb00st
16th February 2008, 04:04
to check if snort is running, do "snort -c /etc/snort/snort.conf -i eth0 -v"
stick your machine out directly on the internet, not behind your router. then run snort with the -D option as mentioned in the article, go to sleep, then wake up in the morning with attacks logged in BASE.
if you want me to send some traffic your way to test it out, let me know. you can PM me with your IP.
cheers,
Erik
j_hj
16th February 2008, 10:26
Hehe, so snort is useless when using a router? :O
dimgr
5th March 2008, 11:46
to check if snort is running, do "snort -c /etc/snort/snort.conf -i eth0 -v"
stick your machine out directly on the internet, not behind your router. then run snort with the -D option as mentioned in the article, go to sleep, then wake up in the morning with attacks logged in BASE.
if you want me to send some traffic your way to test it out, let me know. you can PM me with your IP.
cheers,
Erik
snort is running ok for me
BASE however does NOT log anything at all
what is messed up?
zcworld
5th March 2008, 12:22
I use this command
snort -c /etc/snort/snort.conf -u _snort -g _snort & sleep 2
open up the first 1024 ports on the router to your linux box
and then
go to this URL and it will run a port check on the first 1024 ports on your IP https://www.grc.com/x/ne.dll?bh0bkyd2
and see if it shows up
also
check the pear to see if it's installed
coz the first 3 or 4 times I tried it myself I didn't get the pear installed right (
Image_Color / Image_Canvas-alpha / Image_Graph-alpha )
just rerun the
pear install Image_Color
pear install Image_Canvas-alpha
pear install Image_Graph-alpha
dimgr
5th March 2008, 12:28
I will try what you told me later
the server is connected directly to the internet, I ssh in from work all the time ..
dimgr
5th March 2008, 22:07
I get these
pear install Image_Color
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php5/20060613+lfs/gd.so' - /usr/lib/php5/20060613+lfs/gd.so: undefined symbol: gdImageCreateFromJpeg in Unknown on line 0
Ignoring installed package pear/Image_Color
Nothing to install
root@f00:/home/dimgr# pear install Image_Graph-alpha
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php5/20060613+lfs/gd.so' - /usr/lib/php5/20060613+lfs/gd.so: undefined symbol: gdImageCreateFromJpeg in Unknown on line 0
Ignoring installed package pear/Image_Graph
Nothing to install
root@f00:/home/dimgr# pear install Image_Canvas-alpha
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php5/20060613+lfs/gd.so' - /usr/lib/php5/20060613+lfs/gd.so: undefined symbol: gdImageCreateFromJpeg in Unknown on line 0
Ignoring installed package pear/Image_Canvas
Nothing to install
the Graph alerts on BASE do not work
PHP ERROR: PHP build incomplete: the prerequisite GD support required to generate graphs was not built into PHP. Please recompile PHP with the necessary library (--with-gd)
falko
6th March 2008, 18:29
Please try
sudo apt-get install php5-gd
sudo /etc/init.d/apache2 restart
dimgr
6th March 2008, 20:55
no luck
apt-get install php5-gd
Reading package lists... Done
Building dependency tree
Reading state information... Done
php5-gd is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
falko
7th March 2008, 16:38
What's in /etc/php5/conf.d/gd.ini?
dimgr
7th March 2008, 16:39
here it is
cat /etc/php5/conf.d/gd.ini
# configuration for php GD module
extension=gd.so
dimgr@f00:~$
falko
8th March 2008, 20:24
Looks good. Have you tried to restart Apache?
dimgr
8th March 2008, 20:38
many times always with the same result :(
dimgr
9th March 2008, 12:36
I reinstalled BASE hoping to fix this problem
but
same results :(
dimgr
9th March 2008, 12:46
I kind of figured it out
with iptables firewalling on, base won't log shit...
turn iptables off and you can see it logging some of my nmap scans ;)
but is this normal?
Hi Everyone,
I'm new to this forum, but I found that there is an issue regarding BASE not working after a complete installation of Snort. I faced this problem too, and with a little modification I made it work.
I hope it works for those who need it.
Follow the steps of below url
http://www.howtoforge.com/intrusion-detection-with-snort-mysql-apache2-on-ubuntu-7.10
----------------------------------------------------------
Now the changes you need to implement while installing.
----------------------------------------------------------
After finishing the step: 1. Pre-requisites
Install: libpcap-0.9.8.tar.gz & tcpdump-3.9.8.tar.gz
----------
download "snortdb-extra.gz" file before installing snort. Later this file is required at the time of Mysql configuration.
----------
After finishing the step: 10. Snort Configuration
Follow the steps below to configure mysql
mysql -u root -p
mysql> SET PASSWORD FOR root@localhost=PASSWORD('password');
>Query OK, 0 rows affected (0.25 sec)
mysql> create database snort;
>Query OK, 1 row affected (0.01 sec)
mysql> grant INSERT,SELECT on root.* to snort@localhost;
>Query OK, 0 rows affected (0.02 sec)
mysql> SET PASSWORD FOR snort@localhost=PASSWORD('password_from_snort.conf');
>Query OK, 0 rows affected (0.25 sec)
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
>Query OK, 0 rows affected (0.02 sec)
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort;
>Query OK, 0 rows affected (0.02 sec)
mysql> exit
>Bye
Execute the following commands to create the tables
example: mysql -u root -p < /usr/share/doc/snort-2.2.0/contrib/create_mysql snort
* the text in red indicates where to specify the "create_mysql" file path
Enter password: the mysql root password
Then install the extra DB tables using the following command
example: zcat /usr/share/doc/snort-2.2.0/contrib/snortdb-extra.gz |mysql -p snort
* the text in red indicates where to specify the "snortdb-extra.gz" file path
Enter password: the mysql root password
--------------------------------
Log in to MySQL and cross-check whether the Snort database contains 19 tables.
If yes, then proceed.
--------------------------------
Once these modifications are done, you can use BASE.
Zaka.
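Two of the steps above, "cross-check the 19 tables" and the GRANT statements, are easy to get subtly wrong and hard to check by eye. The script below is an added illustration written for this thread; it is not code from the thread, from Snort or from BASE. It works on the text the mysql client prints for `SHOW TABLES` and `SHOW GRANTS`, so it can be run offline against saved output. The 19 tables are the 16 created by Snort's create_mysql script plus the three (protocols, services, flags) added by snortdb-extra; the expected privilege set is the one the post grants on snort.*. The sample output embedded at the bottom is constructed (the password hash is a placeholder).

```python
"""Offline sanity checks for the Snort/BASE MySQL setup described above.

Added illustration, not code from the thread, from Snort or from BASE. Save
the client output first, then feed the files to check_schema/check_grants:

    mysql -u root -p -e "SHOW TABLES" snort                     > tables.txt
    mysql -u root -p -e "SHOW GRANTS FOR 'snort'@'localhost'"   > grants.txt
"""
import re

# Tables created by Snort's create_mysql script (16) plus the three added by
# snortdb-extra: 19 in total, the count the post says to look for.
CREATE_MYSQL_TABLES = {
    "schema", "event", "signature", "sig_reference", "sig_class", "reference",
    "reference_system", "sensor", "iphdr", "tcphdr", "udphdr", "icmphdr",
    "opt", "data", "encoding", "detail",
}
SNORTDB_EXTRA_TABLES = {"protocols", "services", "flags"}
EXPECTED_TABLES = CREATE_MYSQL_TABLES | SNORTDB_EXTRA_TABLES

# Privileges the post grants the snort user on snort.*; the database output
# plugin needs nothing beyond these.
EXPECTED_PRIVS = {"CREATE", "INSERT", "SELECT", "DELETE", "UPDATE"}

GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+TO\s+", re.I)


def _rows(output):
    """Yield cell text from mysql output, tolerating the ASCII box borders of
    interactive mode as well as the plain batch (-e) format."""
    for line in output.splitlines():
        cell = line.strip().strip("|").strip()
        if cell and not set(cell) <= set("+-"):
            yield cell


def parse_show_tables(output):
    """Return the set of table names from `SHOW TABLES` output."""
    return {c for c in _rows(output) if not c.lower().startswith("tables_in_")}


def check_schema(output):
    """Report how many tables exist and which expected ones are missing."""
    tables = parse_show_tables(output)
    return {
        "count": len(tables),
        "missing_core": sorted(CREATE_MYSQL_TABLES - tables),
        "missing_extra": sorted(SNORTDB_EXTRA_TABLES - tables),
    }


def check_grants(output, db="snort"):
    """Parse `SHOW GRANTS` output and list grants that exceed the minimum:
    anything global, ALL PRIVILEGES, a grant on another database, or a
    privilege outside EXPECTED_PRIVS."""
    findings = []
    for cell in _rows(output):
        m = GRANT_RE.match(cell)
        if not m:
            continue  # header row such as "Grants for snort@localhost"
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        obj = m.group("obj").replace("`", "")
        if privs == {"USAGE"}:
            continue  # the login-only row MySQL prints for every account
        if obj == "*.*":
            findings.append(f"global grant on *.*: {', '.join(sorted(privs))}")
        elif "ALL PRIVILEGES" in privs:
            findings.append(f"ALL PRIVILEGES on {obj}")
        else:
            if obj != f"{db}.*":
                findings.append(f"grant on {obj} outside {db}")
            extra = privs - EXPECTED_PRIVS
            if extra:
                findings.append(f"unneeded {', '.join(sorted(extra))} on {obj}")
    return findings


# Constructed sample output: the 'flags' table from snortdb-extra is absent,
# and the grants are what the post's GRANT statements produce for
# snort@localhost (password hash replaced by a placeholder).
SAMPLE_SHOW_TABLES = "Tables_in_snort\n" + "\n".join(sorted(EXPECTED_TABLES - {"flags"}))
SAMPLE_SHOW_GRANTS = """\
GRANT USAGE ON *.* TO 'snort'@'localhost' IDENTIFIED BY PASSWORD '<hash-placeholder>'
GRANT SELECT, INSERT ON `root`.* TO 'snort'@'localhost'
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON `snort`.* TO 'snort'@'localhost'
"""

if __name__ == "__main__":
    print(check_schema(SAMPLE_SHOW_TABLES))   # 18 tables, 'flags' missing
    print(check_grants(SAMPLE_SHOW_GRANTS))   # flags the grant on root.*
```

On the sample, `check_schema` reports 18 tables with `flags` missing (the snortdb-extra step was skipped), and `check_grants` flags the `INSERT,SELECT on root.*` grant as outside the snort database; the output plugin never touches that database, so the grant can be dropped. One caveat when using it on a real server: the post's last statement, `grant ... to snort;` with no host part, creates a separate `'snort'@'%'` account reachable from any host, and `SHOW GRANTS FOR 'snort'@'localhost'` does not show it. Run the query for that account as well, and remove it if the sensor and the database are on the same machine.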
Joe Mama
5th August 2008, 23:04
OK, I know how noob this is going to look, but... I followed the instructions verbatim I thought, other than using base-1.4.1 rather than 1.3.8, and snort-2.8.2.2 rather than snort-2.8.0.
This is embarrassing... should I use the URL http://localhost/web/base-php4/index.php? If so, I am getting what look like perm problems:
Warning: include_once(Mail.php) [function.include-once]: failed to open stream: No such file or directory in /var/www/web/base-php4/includes/base_action.inc.php on line 29
Suggestions please? I looked for BASE docs, to no real avail.
falko
6th August 2008, 14:32
What's the value of include_path in your php.ini?
Joe Mama
6th August 2008, 16:18
well, I have 2 php.ini's, /etc/php5/cli/php.ini and /etc/php5/apache2/php.ini, both seem to be the same for include_path. Lemme guess, I need to uncomment something??
root@host;~# grep include_path /etc/php5/apache2/php.ini
; (directory must also be in include_path or full path must
;include_path = ".:/usr/share/php"
;include_path = ".;c:\php\includes"
root@host;~#
falko
7th August 2008, 19:56
Yes, try
include_path = ".:/usr/share/php"
and restart Apache.
Joe Mama
7th August 2008, 20:54
same thing. I go to:
http://localhost/web/base-php4/
and get:
Warning: include_once(Mail.php) [function.include-once]: failed to open stream: No such file or directory in /var/www/web/base-php4/includes/base_action.inc.php on line 29
Warning: include_once() [function.include]: Failed opening 'Mail.php' for inclusion (include_path='.:/usr/share/php') in /var/www/web/base-php4/includes/base_action.inc.php on line 29
Warning: include_once(Mail/mime.php) [function.include-once]: failed to open stream: No such file or directory in /var/www/web/base-php4/includes/base_action.inc.php on line 30
Warning: include_once() [function.include]: Failed opening 'Mail/mime.php' for inclusion (include_path='.:/usr/share/php') in /var/www/web/base-php4/includes/base_action.inc.php on line 30
Warning: Cannot modify header information - headers already sent by (output started at /var/www/web/base-php4/includes/base_action.inc.php:29) in /var/www/web/base-php4/base_common.php on line 1077
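The warnings above come in pairs (a `failed to open stream` line and a `Failed opening ... for inclusion` line for each missing file) followed by a `headers already sent` warning that is only a consequence of the earlier output. The script below is an added example, not code from the thread or from BASE; it parses warnings of this shape into the missing files, the include_path that was searched, any PHP extension that failed to load (the gd.so warning earlier in the thread), and the cascade warnings, so the actual fix stands out. The sample lines are the warnings quoted in this thread. The mapping from missing file to PEAR package (Mail.php from Mail, Mail/mime.php from Mail_Mime) follows PEAR's convention of installing package files directly under the include path; files outside that small map get a placeholder.

```python
"""Triage of the PHP warnings BASE emits when a PEAR dependency or a PHP
extension is missing. Added example, not code from the thread or from BASE;
the sample lines are the warnings quoted in this thread."""
import re

# include_once(Mail.php) [...]: failed to open stream: No such file or directory in ...
OPEN_RE = re.compile(r"include(?:_once)?\((?P<file>[^)]+)\).*?failed to open stream")
# Failed opening 'Mail.php' for inclusion (include_path='.:/usr/share/php') in ...
INCL_RE = re.compile(
    r"Failed opening '(?P<file>[^']+)' for inclusion \(include_path='(?P<path>[^']*)'\)")
# Unable to load dynamic library '/usr/lib/php5/.../gd.so' - ...: undefined symbol: gdImageCreateFromJpeg
EXT_RE = re.compile(
    r"Unable to load dynamic library '(?P<lib>[^']+)'(?: - .*?undefined symbol: (?P<sym>\w+))?")
# Cannot modify header information - headers already sent by (output started at /path:29)
HDR_RE = re.compile(r"headers already sent by \(output started at (?P<where>[^)]+)\)")

# PEAR packages install their files directly under the include path, so the
# missing file names the package. Only the two files seen in this thread are
# mapped; anything else is reported as unknown.
PEAR_PACKAGE_FOR = {"Mail.php": "Mail", "Mail/mime.php": "Mail_Mime"}


def triage(log_text):
    """Group PHP warnings into missing includes, broken extensions and the
    'headers already sent' cascade they cause."""
    missing, paths, extensions, cascades = [], set(), [], []
    for line in log_text.splitlines():
        m = INCL_RE.search(line)
        if m:
            # The paired 'failed to open stream' line already names the file;
            # this line only adds the include_path that was searched.
            paths.add(m.group("path"))
            continue
        m = OPEN_RE.search(line)
        if m:
            if m.group("file") not in missing:
                missing.append(m.group("file"))
            continue
        m = EXT_RE.search(line)
        if m:
            extensions.append((m.group("lib"), m.group("sym")))
            continue
        m = HDR_RE.search(line)
        if m:
            cascades.append(m.group("where"))
    return {
        "missing_files": missing,
        "include_paths": sorted(paths),
        "pear_packages": sorted({PEAR_PACKAGE_FOR.get(f, f"unknown ({f})") for f in missing}),
        "broken_extensions": extensions,
        "headers_already_sent": cascades,
    }


# Sample input: the warnings quoted in this thread (Joe Mama's BASE page and
# dimgr's pear run), exactly as posted.
SAMPLE_WARNINGS = """\
Warning: include_once(Mail.php) [function.include-once]: failed to open stream: No such file or directory in /var/www/web/base-php4/includes/base_action.inc.php on line 29
Warning: include_once() [function.include]: Failed opening 'Mail.php' for inclusion (include_path='.:/usr/share/php') in /var/www/web/base-php4/includes/base_action.inc.php on line 29
Warning: include_once(Mail/mime.php) [function.include-once]: failed to open stream: No such file or directory in /var/www/web/base-php4/includes/base_action.inc.php on line 30
Warning: include_once() [function.include]: Failed opening 'Mail/mime.php' for inclusion (include_path='.:/usr/share/php') in /var/www/web/base-php4/includes/base_action.inc.php on line 30
Warning: Cannot modify header information - headers already sent by (output started at /var/www/web/base-php4/includes/base_action.inc.php:29) in /var/www/web/base-php4/base_common.php on line 1077
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php5/20060613+lfs/gd.so' - /usr/lib/php5/20060613+lfs/gd.so: undefined symbol: gdImageCreateFromJpeg in Unknown on line 0
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_WARNINGS).items():
        print(f"{key}: {value}")
```

On the sample it reports `Mail.php` and `Mail/mime.php` missing from `.:/usr/share/php`, resolves them to the PEAR packages Mail and Mail_Mime, lists the gd.so load failure with its undefined symbol, and files the base_common.php warning under the cascade rather than as a separate problem. One observation for anyone running BASE beyond a test box: these warnings reached the browser, which means display_errors is on and the console is revealing its filesystem layout to whoever can load the page; route PHP errors to a log file instead.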
falko
8th August 2008, 16:46
What's the output of
updatedb
locate Mail.php
locate mime.php?
Joe Mama
8th August 2008, 17:03
This is where I reveal the egg on my face.
Those files are not found, which makes me think I left something major out.
Fri Aug 8 10:03:38 CDT 2008
root@localhost:~# updatedb
root@localhost:~# locate Mail.php
root@localhost:~# locate mime.php
root@localhost:~# date
Fri Aug 8 10:03:48 CDT 2008
localhost:~#
The only place I diverged from the steps at http://www.howtoforge.com/intrusion-detection-with-snort-mysql-apache2-on-ubuntu-7.10, (I think) is that my version of Base is 1.4.1, which gives me a /var/www/web/base-php4 rather than a /var/www/web/base-1.3.8 directory
shakey_1
9th August 2008, 09:50
Try issuing these commands and see if it helps.
pear install Mail
pear install Mail_Mime
Joe Mama
11th August 2008, 16:58
That did it. Thank you. Did I miss something in the instructions??
shakey_1
12th August 2008, 04:04
Glad it helped. Honestly I am not sure if something was missed in the instructions or not as I haven't read them. I was actually helping a friend build out a Snort server this weekend and came across this post while searching for some other info. I had seen this before, so I knew what the problem was.