edge (Moderator), 26th June 2006, 14:59

SNORT and BASE on a CLEAN "The Perfect Setup - Debian Sarge (3.1)" with ISPconfig and one main website setup!

1) Make a download dir for all needed files:

Quote:
cd /root
mkdir snorttemp
cd snorttemp
2) Download the needed files.

Get Snort from http://www.snort.org/ and download it into /root/snorttemp.
The latest version at the time of writing this is snort-2.6.0.
Now un-tar the file:
Quote:
tar -xvzf snort-2.6.0.tar.gz
And let’s remove the tar file:
Quote:
rm snort-2.6.0.tar.gz
We also need the Snort rules!
Go to: http://www.snort.org/pub-bin/downloads.cgi and scroll down until you see the "Sourcefire VRT Certified Rules - The Official Snort Ruleset (unregistered user release)" rules.
Move the snortrules-pr-2.4.tar.gz into the snort-2.6.0 directory:
Quote:
mv snortrules-pr-2.4.tar.gz /root/snorttemp/snort-2.6.0
and cd into snort-2.6.0
Quote:
cd snort-2.6.0
un-tar the snortrules-pr-2.4.tar.gz file:
Quote:
tar -xvzf snortrules-pr-2.4.tar.gz
Remove the tar file:
Quote:
rm snortrules-pr-2.4.tar.gz
Get PCRE - Perl Compatible Regular Expressions
Go to: http://www.pcre.org/ and select a download link for the pcre-6.3.tar.gz file to download PCRE (at the time of writing this it is pcre-6.3.tar.gz).
cd back to the snorttemp directory:
Quote:
cd /root/snorttemp
and download the pcre-6.3.tar.gz file
un-tar the file:
Quote:
tar -xvzf pcre-6.3.tar.gz
Remove the tar:
Quote:
rm pcre-6.3.tar.gz

Get - LIBPCAP
Go to: http://www.tcpdump.org/ and select a download link for libpcap (at the time of writing this it is libpcap-0.9.4.tar.gz).
cd back to the snorttemp directory:
Quote:
cd /root/snorttemp
and download the libpcap-0.9.4.tar.gz file
un-tar the file:
Quote:
tar -xvzf libpcap-0.9.4.tar.gz
Remove the file:
Quote:
rm libpcap-0.9.4.tar.gz
(That’s all the files we need to get snort to work.)

Get - BASE (Basic Analysis and Security Engine )
Go to: http://secureideas.sourceforge.net/ and download the latest release (at the time of writing BASE 1.2.5 (sarah)).
cd back to the snorttemp directory:
Quote:
cd /root/snorttemp
and download the base-1.2.5.tar.gz file
un-tar the file:
Quote:
tar -xvzf base-1.2.5.tar.gz
Remove the file:
Quote:
rm base-1.2.5.tar.gz

Get - ADOdb (the ADOdb Database Abstraction Library for PHP (and Python))
Go to: http://adodb.sourceforge.net/ and download the latest release (at the time of writing adodb-490-for-php).
cd back to the snorttemp directory:
Quote:
cd /root/snorttemp
and download the adodb490.tgz file
un-tar the file:
Quote:
tar -xvzf adodb490.tgz
Remove the file:
Quote:
rm adodb490.tgz
Your download dir (/root/snorttemp) should now contain the unpacked directories snort-2.6.0 (with the rules inside it), pcre-6.3, libpcap-0.9.4, base-1.2.5 and adodb when you run ls, and no .tar.gz or .tgz files.
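The download, un-tar and remove cycle that step 2 repeats for every archive, written once as a shell function, together with a check of the directory layout that step 2 should leave behind. This is an added example, not part of edge's post: the archive and directory names are the ones the post uses (the demo stands in for the real downloads with constructed, near-empty archives, and names the ADOdb archive adodb.tar.gz instead of adodb490.tgz). The function also lists each archive before extracting it and refuses any member with an absolute path or a ".." component, a check the post does not perform.

```shell
#!/bin/sh
# Added example, not from the original post: the download/un-tar/remove cycle
# the post repeats for each archive, as one function, plus a check that the
# snorttemp directory ends up with the directories the post expects.

# unpack_tarball ARCHIVE [DEST]
# Lists the archive first and refuses it if any member would be written with an
# absolute path or a ".." component (a corrupted or hostile archive could
# otherwise write outside the download dir); otherwise extracts it into DEST
# and removes the .tar.gz, as the post does by hand.
unpack_tarball() {
    archive="$1"
    dest="${2:-.}"
    if tar -tzf "$archive" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "refusing $archive: contains absolute or ../ paths" >&2
        return 1
    fi
    tar -xzf "$archive" -C "$dest" && rm "$archive"
}

# check_snorttemp DIR
# Prints each expected unpacked directory with "ok" or "MISSING" and returns 1
# if anything is missing.  The list mirrors the ls listing after step 2.
check_snorttemp() {
    dir="$1"
    missing=0
    for d in snort-2.6.0 snort-2.6.0/rules pcre-6.3 libpcap-0.9.4 base-1.2.5 adodb; do
        if [ -d "$dir/$d" ]; then
            echo "ok       $d"
        else
            echo "MISSING  $d"
            missing=1
        fi
    done
    return $missing
}

# Demo with constructed archives in a scratch directory (stand-ins for the real
# downloads, which are not fetched here).
demo=$(mktemp -d)
(
    cd "$demo"
    for d in snort-2.6.0 pcre-6.3 libpcap-0.9.4 base-1.2.5 adodb; do
        mkdir "$d" && tar -czf "$d.tar.gz" "$d" && rm -r "$d"
        unpack_tarball "$d.tar.gz"
    done
    # the rules archive is unpacked inside snort-2.6.0, as in the post
    mkdir rules && tar -czf snortrules-pr-2.4.tar.gz rules && rm -r rules
    unpack_tarball snortrules-pr-2.4.tar.gz snort-2.6.0
    check_snorttemp "$demo"
)
rm -r "$demo"
```

For the real run, call `unpack_tarball snort-2.6.0.tar.gz` and so on from inside /root/snorttemp, and `unpack_tarball snortrules-pr-2.4.tar.gz snort-2.6.0` for the rules; `check_snorttemp /root/snorttemp` then replaces eyeballing the ls output.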
3) Let’s start installing.


You will first need to install libpcap.
Make sure that you are in the directory into which you downloaded all the files:
Quote:
cd /root/snorttemp
cd into the libpcap directory and build it:
Quote:
cd libpcap-0.9.4
./configure
make
make install

Now we need to install PCRE.
Make sure that you are in the directory into which you downloaded all the files:
Quote:
cd /root/snorttemp
cd into the PCRE directory and build it:
Quote:
cd pcre-6.3
./configure
make
make install

Install Snort:
Make sure that you are in the directory into which you downloaded all the files:
Quote:
cd /root/snorttemp
cd into the snort directory and build it (with the dynamic plugin and MySQL output support enabled):
Quote:
cd snort-2.6.0
./configure --enable-dynamicplugin --with-mysql
make
make install
Now let's create the directories Snort needs:

Quote:
mkdir /etc/snort
mkdir /etc/snort/rules
mkdir /var/log/snort
and copy the rules and the configuration files from the source tree (you are still in snort-2.6.0) into the correct directories:

Quote:
cd rules
cp * /etc/snort/rules
cd ../etc
cp * /etc/snort
The snort.conf file in /etc/snort needs some work.

Quote:
cd /etc/snort
nano snort.conf
Quote:
change "var HOME_NET any" to "var HOME_NET your_ip/32"
change "var EXTERNAL_NET any" to "var EXTERNAL_NET !$HOME_NET"
change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules"
As we are using MySQL for Snort to log to, we also need to tell Snort to use it.
Scroll down to "output database" and remove the # in front of the line for MySQL.
Now also change the "user", "password" and "dbname" on that line. Make a note of these, as you will need them later!
Save the file and close nano.

Setting up the MySQL database for Snort.
There are many ways to create the snort database.
The table layout can be found in the file create_mysql in the "/root/snorttemp/snort-2.6.0/schemas" directory.

Whichever way you create the database, make sure the 'user', 'password' and 'dbname' are the same as the ones you used in the snort.conf file!
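The snort.conf edits above and the database step, as one added shell script that is not part of edge's post. It applies the three "var" changes and enables the MySQL output line with sed, reads the dbname back out of the edited file, and prints the SQL that creates the database and a user restricted to it, so the credentials in snort.conf and in MySQL come from the same three variables and cannot drift apart. Assumptions: the stock snort.conf lines have exactly the forms quoted in the post and the commented MySQL line begins with "# output database: log, mysql,"; SNORT_DB_USER, SNORT_DB_PASS and SNORT_DB_NAME are placeholders to override in the environment; the GRANT list is my choice (the Snort output plugin needs to read and write the tables, and the BASE setup page later creates its own tables with the same credentials, hence CREATE) rather than anything the post specifies.

```shell
#!/bin/sh
# Added example, not part of edge's post: apply the snort.conf edits from the
# post with sed and generate the MySQL statements for a database whose
# user/password/dbname match what snort.conf now contains.
# SNORT_DB_USER / SNORT_DB_PASS / SNORT_DB_NAME are placeholders; override them
# in the environment before running for real.
SNORT_DB_USER="${SNORT_DB_USER:-snort}"
SNORT_DB_PASS="${SNORT_DB_PASS:-change_this_password}"
SNORT_DB_NAME="${SNORT_DB_NAME:-snort}"

# configure_snort_conf CONF HOME_IP
# Rewrites the HOME_NET, EXTERNAL_NET and RULE_PATH lines and enables the
# MySQL "output database" line with the credentials above.  Writes to a temp
# file first so a sed error cannot leave a half-edited snort.conf behind.
configure_snort_conf() {
    conf="$1"
    home_ip="$2"
    tmp="${conf}.tmp.$$"
    sed \
        -e "s|^var HOME_NET any\$|var HOME_NET ${home_ip}/32|" \
        -e 's|^var EXTERNAL_NET any$|var EXTERNAL_NET !$HOME_NET|' \
        -e 's|^var RULE_PATH \.\./rules$|var RULE_PATH /etc/snort/rules|' \
        -e "s|^# *output database: log, mysql,.*\$|output database: log, mysql, user=${SNORT_DB_USER} password=${SNORT_DB_PASS} dbname=${SNORT_DB_NAME} host=localhost|" \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# snort_conf_dbname CONF
# Prints the dbname on the active (uncommented) MySQL output line, so you can
# confirm the database you create is the one Snort was told to log to.
snort_conf_dbname() {
    sed -n 's|^output database: log, mysql, .*dbname=\([^ ]*\).*|\1|p' "$1"
}

# snort_db_sql SCHEMA_FILE
# Prints the SQL that creates the database and a user limited to that one
# database (no ALL PRIVILEGES), then appends the table layout from the
# create_mysql file in snort-2.6.0/schemas.  Pipe it into "mysql -u root -p".
snort_db_sql() {
    schema="$1"
    printf 'CREATE DATABASE %s;\n' "$SNORT_DB_NAME"
    printf "GRANT CREATE,INSERT,SELECT,UPDATE,DELETE ON %s.* TO '%s'@'localhost' IDENTIFIED BY '%s';\n" \
        "$SNORT_DB_NAME" "$SNORT_DB_USER" "$SNORT_DB_PASS"
    printf 'USE %s;\n' "$SNORT_DB_NAME"
    cat "$schema"
}

# Demo on a constructed snort.conf fragment and a constructed one-table schema
# (the real files are the snort.conf copied to /etc/snort and
# snort-2.6.0/schemas/create_mysql).
demo_dir=$(mktemp -d)
printf '%s\n' \
    'var HOME_NET any' \
    'var EXTERNAL_NET any' \
    'var RULE_PATH ../rules' \
    '# output database: log, mysql, user=root password=test dbname=db host=localhost' \
    > "$demo_dir/snort.conf"
printf 'CREATE TABLE sensor (sid INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY);\n' \
    > "$demo_dir/create_mysql"
configure_snort_conf "$demo_dir/snort.conf" 192.0.2.10
cat "$demo_dir/snort.conf"
echo "snort.conf logs to dbname=$(snort_conf_dbname "$demo_dir/snort.conf")"
snort_db_sql "$demo_dir/create_mysql"
rm -r "$demo_dir"
```

For the real run: `configure_snort_conf /etc/snort/snort.conf your_ip` and then `snort_db_sql /root/snorttemp/snort-2.6.0/schemas/create_mysql | mysql -u root -p`. Because the password is substituted into a sed expression that uses `|` as its delimiter, choose one without `|`, `&` or `\` characters.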

After creating the database with the needed tables, you can test Snort and see if you get any errors with:

Quote:
snort -c /etc/snort/snort.conf
Exit the test with Ctrl+C.

If you get no errors, Snort is set up correctly.


Now we need to move the ADOdb directory.

cd back to the download dir:

Quote:
cd /root/snorttemp/
and move adodb into the root of the www directory:

Quote:
mv adodb /var/www
Next: BASE (Basic Analysis and Security Engine)

Still in the download dir, we move the base directory into the first website directory that you created with ISPConfig:

Quote:
mv base-1.2.5 /var/www/web1/web
cd into /var/www/web1/web:
Quote:
cd /var/www/web1/web
and chmod the base-1.2.5 folder to 757:

Quote:
chmod 757 base-1.2.5
Now open a browser and go to the first site that you created with ISPConfig, followed by /base-1.2.5/setup.
If all is okay you should see the BASE setup page.

Click on Continue

Step 1 of 5:
Enter the path to ADOdb (/var/www/adodb) and click on Submit Query.

Step 2 of 5:
Enter the needed database info on the next screen (leave the Use Archive Database setting as it is) and click on Submit Query.

Last edited by edge; 27th June 2006 at 12:42.