HowtoForge Forums > Linux Forums > Suggest HOWTO

  #1  
Old 26th June 2006, 15:59
edge edge is offline
Moderator
 
Join Date: Dec 2005
Location: The Netherlands
Posts: 2,044
Thanks: 269
Thanked 154 Times in 133 Posts
SNORT and BASE on a CLEAN "The Perfect Setup - Debian Sarge (3.1)"

SNORT and BASE on a CLEAN "The Perfect Setup - Debian Sarge (3.1)" with ISPconfig and one main website setup!

1) Make a download dir for all needed files:

Quote:
cd /root
mkdir snorttemp
cd snorttemp
2) Download the needed files.

Get snort.
The latest version at the time of writing this is snort-2.6.0
Now un-tar the file:
Quote:
tar -xvzf snort-2.6.0.tar.gz
And let’s remove the tar file:
Quote:
rm snort-2.6.0.tar.gz
We also need the Snort rules!
Go to: http://www.snort.org/pub-bin/downloads.cgi and scroll down till you see the "Sourcefire VRT Certified Rules - The Official Snort Ruleset (unregistered user release)" rules
Move the snortrules-pr-2.4.tar.gz into the snort-2.6.0 map
Quote:
mv snortrules-pr-2.4.tar.gz /root/snorttemp/snort-2.6.0
and cd into snort-2.6.0
Quote:
cd snort-2.6.0
un-tar the snortrules-pr-2.4.tar.gz file:
Quote:
tar -xvzf snortrules-pr-2.4.tar.gz
Remove the tar file:
Quote:
rm snortrules-pr-2.4.tar.gz
Get PCRE - Perl Compatible Regular Expressions
Go to: http://www.pcre.org/ and select a download link for the pcre-6.3.tar.gz file to download PCRE (at the time of writing this it is pcre-6.3.tar.gz)
cd back to the snorttemp map
Quote:
cd /root/snorttemp
and download the pcre-6.3.tar.gz file
un-tar the file:
Quote:
tar -xvzf pcre-6.3.tar.gz
Remove the tar:
Quote:
rm pcre-6.3.tar.gz

Get - LIBPCAP
Go to: http://www.tcpdump.org/ and select a download link for Libpcap (at time of writing this it is libpcap-0.9.4.tar.gz)
cd back to the snorttemp map
Quote:
cd /root/snorttemp
and download the libpcap-0.9.4.tar.gz file
un-tar the file:
Quote:
tar -xvzf libpcap-0.9.4.tar.gz
Remove the file:
Quote:
rm libpcap-0.9.4.tar.gz
(That’s all the files we need to get snort to work.)

Get - BASE (Basic Analysis and Security Engine )
Go to: http://secureideas.sourceforge.net/ and download the latest release (at time of writing BASE 1.2.5 (sarah))
cd back to the snorttemp map
Quote:
cd /root/snorttemp
and download the base-1.2.5.tar.gz file
un-tar the file:
Quote:
tar -xvzf base-1.2.5.tar.gz
Remove the file:
Quote:
rm base-1.2.5.tar.gz

Get - ADOdb: (ADOdb Database Abstraction Library for PHP (and Python).)
Go to: http://adodb.sourceforge.net/ and download the latest release (at time of writing adodb-490-for-php)
cd back to the snorttemp map
Quote:
cd /root/snorttemp
and download the adodb490.tgz file
un-tar the file:
Quote:
tar -xvzf adodb490.tgz
Remove the file:
Quote:
rm adodb490.tgz
Your download dir (/root/snorttemp) should look like this with ls:

3) Let’s start installing.


You will first need to install LIBPCAP.
Make sure that you are in the directory that you downloaded all files.
Quote:
cd /root/snorttemp
cd into the libpcap map.
Quote:
cd libpcap-0.9.4
./configure
make
make install

Now we need to install PCRE
Make sure that you are in the directory that you downloaded all files.
Quote:
cd /root/snorttemp
cd into the PCRE map.
Quote:
cd pcre-6.3
./configure
make
make install

Install SNORT:
Make sure that you are in the directory that you downloaded all files.
Quote:
cd /root/snorttemp
cd into the snort map.
Quote:
cd snort-2.6.0
./configure --enable-dynamicplugin --with-mysql
make
make install
Now let’s create some needed Snort maps

Quote:
mkdir /etc/snort
mkdir /etc/snort/rules
mkdir /var/log/snort
and move the files from the setup map into the correct maps

Quote:
cd rules
cp * /etc/snort/rules
cd ../etc
cp * /etc/snort
The snort.conf file in /etc/snort needs some work.

Quote:
cd /etc/snort
nano snort.conf
Quote:
change "var HOME_NET any" to "var HOME_NET your_ip/32"
change "var EXTERNAL_NET any" to "var EXTERNAL_NET !$HOME_NET"
change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules"
As we are using MySQL for Snort to log to, we will also need to tell Snort to use it.
Scroll down till "output database", and remove the # in front of the line for the MySQL.
Now also change the "user", "password" and "dbname". Make a note of this as you will need it later!
Save the file and close 'nano'

Setting up the MySQL Database for snort.
There are many ways to create the snort database.
The table layout can be found in the file create_mysql in the "/root/snorttemp/snort-2.6.0/schemas" map

Whatever way you create the database, make sure the 'user', 'password' and 'dbname' are the same as the ones you used in the snort.conf file!

After creating the database with the needed tables, you can test Snort and see if you get any errors with:

Quote:
snort -c /etc/snort/snort.conf
Exit the test with ctrl+C

If you get no errors, Snort is set up correctly.


Now we need to move the ADOdb

cd back to the download dir

Quote:
cd /root/snorttemp/
and move adodb into the root of the www map.

Quote:
mv adodb /var/www
Next: BASE (Basic Analysis and Security Engine )

Still in the download dir, we move the base dir into the 1st website map that you created with ISPconfig.

Quote:
mv base-1.2.5 /var/www/web1/web
cd into /var/www/web1/web/
Quote:
cd /var/www/web1/web
and chmod the base-1.2.5 folder to 757

Quote:
chmod 757 base-1.2.5
Now open a browser and go to: the 1st site that you created with ISPconfig /base-1.2.5/setup
If all is okay you should see a Setup dir:



Click on Continue

step 1 of 5:
Enter the path to ADODB (/var/www/adodb)


click on Submit Query

step 2 of 5:
Enter the needed info on the next screen: (leave the Use Archive Database as is)


click on Submit Query

Last edited by edge; 27th June 2006 at 13:42.
  #2  
Old 26th June 2006, 15:59
edge edge is offline
Moderator
 
Join Date: Dec 2005
Location: The Netherlands
Posts: 2,044
Thanks: 269
Thanked 154 Times in 133 Posts

step 3 of 5:
If you want to Use Authentication for the Base page you can do so here.


click on Submit Query

step 4 of 5:
Click on "Create BASE AG" to create the database.


and after "Create BASE AG"



Once done, click on "Now continue to step 5.."


To make the Graphs work in BASE you will also need to install Image_Color, Image_Canvas and Image_Graph

Quote:
pear install Image_Color
pear install Image_Canvas-alpha
pear install Image_Graph-alpha

That's it for BASE.

If you want you can chmod the base-1.2.5 dir back to 775:
Quote:
chmod 775 base-1.2.5
You can also delete the snorttemp directory, and all the files in it.

Now let's start SNORT and see if BASE will show you the data logged by Snort.

Quote:
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -g root -D
You will need to wait some minutes for data to be logged.
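A post-install sanity check for the settings this howto edits by hand: it reads a snort.conf and reports whether HOME_NET, EXTERNAL_NET, RULE_PATH and the MySQL output line were changed as described, and whether the BASE directory is still world-writable from the chmod 757 step. This is an added example, not part of edge's post or of Snort/BASE; the snort.conf lines it writes are constructed, and the sample credentials it flags (user=root password=test dbname=db) are assumed to be the placeholder values on the commented-out MySQL line in the shipped snort.conf.

```shell
#!/bin/sh
# Post-install checks for the howto above (added example, not from the original post).
# check_snort_conf FILE: prints one line per problem, returns the problem count (0 = OK).
check_snort_conf() {
    conf="$1"; problems=0
    # "var NAME value" lines; the last definition wins
    home_net=$(awk '$1=="var" && $2=="HOME_NET" {v=$3} END {print v}' "$conf")
    ext_net=$(awk '$1=="var" && $2=="EXTERNAL_NET" {v=$3} END {print v}' "$conf")
    rule_path=$(awk '$1=="var" && $2=="RULE_PATH" {v=$3} END {print v}' "$conf")
    case "$home_net" in
        ""|any) echo "HOME_NET is '$home_net': set it to this host, e.g. your_ip/32"
                problems=$((problems + 1)) ;;
    esac
    [ "$ext_net" = '!$HOME_NET' ] ||
        { echo "EXTERNAL_NET is '$ext_net', expected '!\$HOME_NET'"; problems=$((problems + 1)); }
    case "$rule_path" in
        /*) ;;
        *) echo "RULE_PATH is '$rule_path': use an absolute path such as /etc/snort/rules"
           problems=$((problems + 1)) ;;
    esac
    # the MySQL output line must be uncommented and its sample credentials replaced
    dbline=$(grep -E '^[[:space:]]*output[[:space:]]+database:.*mysql' "$conf" | tail -n 1)
    if [ -z "$dbline" ]; then
        echo "no active 'output database: log, mysql, ...' line: nothing will reach BASE"
        problems=$((problems + 1))
    else
        for kv in user=root password=test dbname=db; do   # assumed sample values in snort.conf
            case " $dbline " in
                *" $kv "*) echo "output database still uses the sample value '$kv'"
                           problems=$((problems + 1)) ;;
            esac
        done
    fi
    return $problems
}
# check_base_dir DIR: returns 1 if DIR is world-writable (as chmod 757 leaves it), else 0.
check_base_dir() {
    [ -z "$(find "$1" -prune -perm -002 -print)" ] || { echo "$1 is world-writable; use 775"; return 1; }
    return 0
}
# Demo on a constructed snort.conf fragment with the values as shipped (before editing):
tmp=$(mktemp)
printf '%s\n' 'var HOME_NET any' 'var EXTERNAL_NET any' 'var RULE_PATH ../rules' \
    '# output database: log, mysql, user=root password=test dbname=db host=localhost' > "$tmp"
n=0; check_snort_conf "$tmp" || n=$?
echo "unedited snort.conf: $n problem(s)"   # 4 problem(s)
rm -f "$tmp"
```

Run it against /etc/snort/snort.conf and /var/www/web1/web/base-1.2.5 once the steps above are done; an exit status of 0 from both functions means the edits took.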
  #3  
Old 26th June 2006, 16:03
edge edge is offline
Moderator
 
Join Date: Dec 2005
Location: The Netherlands
Posts: 2,044
Thanks: 269
Thanked 154 Times in 133 Posts
  #4  
Old 27th June 2006, 12:24
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,752 Times in 2,582 Posts

Wow, that's a nice one!
  #5  
Old 19th July 2006, 08:11
StupidScript StupidScript is offline
Junior Member
 
Join Date: Jul 2006
Posts: 6
Thanks: 0
Thanked 0 Times in 0 Posts

Quote:
There are many ways to create the snort database.
For MySQL:

Code:
cd /root/snorttemp/snort-2.6.0/schemas
mysql -u MASTERUSER -pMASTERPASSWORD
mysql>create database snortdb;
mysql>use snortdb;
mysql>source create_mysql;
mysql>grant all on snortdb.* to snortuser@localhost identified by 'snortpassword';
mysql>quit;
That will use the installed sql file to populate the default 'snortdb' database and add the proper permissions for the 'snortuser' of your choice with the 'snortpassword' of your choice.

FYI.
  #6  
Old 10th September 2006, 01:07
reddog reddog is offline
Junior Member
 
Join Date: May 2006
Location: Chicago, IL. USA
Posts: 28
Thanks: 0
Thanked 0 Times in 0 Posts
 

Hello,

Thank you for the tutorial, I do have a few questions though. I was able to install Snort, and all the components you mentioned, into SUSE 10. I do not use ISPConfig and my document root path is "/usr/local/apache2/htdocs". I have moved base-1.2.5 into htdocs, however I'm not sure where to move "adodb" to. Could you please advise where the equivalent to "/var/www" as per your tut would be? (Sorry, but I'm working on my newbness.)

Also, should base-1.2.5 and adodb be chmod to my Apache user and group?

Thank you for any help!!

I'll have a couple more questions regarding BASE, but I'd rather wait till I can get these first couple solved for sure. Thanks again.

BTW, I'm not trying to hijack anyone's post, just thought it would be a good place to start, considering a topic is already started. If ya like I can start a new one, just let me know.