Intrusion Detection: Snort, Base, MySQL, And Apache2 On Ubuntu 7.10 (Gutsy Gibbon)

Submitted by DevilMan (Contact Author) (Forums) on Mon, 2007-11-19 18:06. :: Ubuntu | Monitoring | Security

In this tutorial I will describe how to install and configure Snort (an intrusion detection system (IDS)) from source, BASE (Basic Analysis and Security Engine), MySQL, and Apache2 on Ubuntu 7.10 (Gutsy Gibbon). Snort will assist you in monitoring your network and alert you about possible threats. Snort will output its log files to a MySQL database which BASE will use to display a graphical interface in a web browser.

1. Prerequisites

The first thing I like to do is grab all the dependent packages that I can from Synaptic.

From the Desktop go to System > Administration > Synaptic Package Manager. Enter your password and select Search.

Search for the following packages and install them:

  • libpcap0.8-dev
  • libmysqlclient15-dev
  • mysql-client-5.0
  • mysql-server-5.0
  • bison
  • flex
  • apache2
  • libapache2-mod-php5
  • php5-gd
  • php5-mysql
  • libphp-adodb
  • php-pear

2. Gain root privileges

From the Desktop go to Applications > Accessories > Terminal and type:

$ sudo -i

Enter your password when prompted; the prompt changes from $ to # once you are root.

We also need a compiler toolchain, which the Synaptic list above does not include:

# apt-get install libc6-dev g++ gcc

3. Time to download and untar packages

We want to create a temp directory to download and untar files. I'm going to use edge's structure here. In the terminal window type the following:

# cd /root
# mkdir snorttmp
# cd /root/snorttmp

Let's get snort. The latest version of snort at the time of writing is 2.8.0.

Open a web browser and navigate to http://www.snort.org/dl; right click on the most recent release and copy link location.

In the terminal type:

# wget http://www.snort.org/dl/current/snort-2.8.0.tar.gz

It's time to untar the Snort package and remove the tar file.

# tar -xzvf /root/snorttmp/snort-2.8.0.tar.gz
# rm /root/snorttmp/snort-2.8.0.tar.gz

4. Get some Snort rules.

Change directories into the new snort-2.8.0 folder.

# cd /root/snorttmp/snort-2.8.0

Open a web browser and navigate to http://www.snort.org/pub-bin/downloads.cgi.

Scroll down to the "Sourcefire VRT Certified Rules - The Official Snort Rule set (unregistered user release)" section. Right click on the most recent release and copy link location.

If you are a forum member you can get newer rules which are under the "registered user release".

In the terminal type:

# wget http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz

Untar the Snort Rules and remove the tar file.

# tar -xzvf /root/snorttmp/snort-2.8.0/snortrules-pr-2.4.tar.gz
# rm /root/snorttmp/snort-2.8.0/snortrules-pr-2.4.tar.gz

5. Get PCRE - Perl Compatible Regular Expressions.

Change directory back into the snorttmp folder.

# cd /root/snorttmp

Open a web browser and go to http://www.pcre.org.

Click on the link for the newest release, right click on the newest tar.gz package and select copy link (at the time of writing this is pcre-7.4).

In the terminal type:

# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-7.4.tar.gz

Untar PCRE and remove the tar file.

# tar -xzvf /root/snorttmp/pcre-7.4.tar.gz
# rm /root/snorttmp/pcre-7.4.tar.gz

6. Get BASE (Basic Analysis and Security Engine).

Change directory back into the snorttmp folder.

# cd /root/snorttmp

Open a web browser and go to http://sourceforge.net/project/showfiles.php?group_id=103348.

Click on download then right click on the newest tar.gz package and select copy link (at the time of writing this is base-1.3.8).

In the terminal type:

# wget "http://downloads.sourceforge.net/secureideas/base-1.3.8.tar.gz?modtime=1183896336&big_mirror=0"

The URL must be quoted: the & in it would otherwise be taken by the shell as a background-job separator and the download would be cut short.

Untar BASE and remove the tar file.

# tar -xzvf /root/snorttmp/base-1.3.8.tar.gz
# rm /root/snorttmp/base-1.3.8.tar.gz

7. Get ADOdb (database abstraction library for PHP).

Change directory back into the snorttmp folder.

# cd /root/snorttmp

Open a web browser and go to http://sourceforge.net/project/showfiles.php?group_id=42718.

Click on the download link for adodb-php5-only then right click on the adodb502a.tgz package and select copy link (adodb502a is the most recent package at the time of writing).

In the terminal type:

# wget "http://downloads.sourceforge.net/adodb/adodb502a.tgz?modtime=1191343792&big_mirror=0"

As with BASE, quote the URL so the shell does not split it at the &.

Untar ADOdb and remove the tar file.

# tar -xzvf /root/snorttmp/adodb502a.tgz
# rm /root/snorttmp/adodb502a.tgz

Do an ls to be sure you have all the packages.

# ls /root/snorttmp

You should see the following folders,

  • adodb5
  • base-1.3.8
  • pcre-7.4
  • snort-2.8.0
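Every download above arrives over plain HTTP or FTP with no integrity check, and the archives are then unpacked and compiled as root. A practitioner would compare each tarball against the checksum the project publishes before untarring it. The script below is an added example and not part of the original tutorial: the hash it takes is whatever snort.org, pcre.org or SourceForge publish for the release you chose (none are embedded here), and the file used in the usage notes is constructed.

```sh
#!/bin/sh
# Added example, not part of the original tutorial.
# Verify a downloaded tarball against a published checksum before extracting.
# EXPECTED_HASH is whatever the project publishes for that release; no real
# snort/pcre/BASE hashes are embedded here.

# verify_checksum FILE EXPECTED_HASH
# Chooses md5sum (32 hex chars) or sha256sum (64 hex chars) from the hash length.
# Exit status: 0 match, 1 mismatch, 2 unusable input.
verify_checksum() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "verify_checksum: no such file: $file" >&2; return 2; }
    case ${#expected} in
        32) tool=md5sum ;;
        64) tool=sha256sum ;;
        *)  echo "verify_checksum: expected 32 (MD5) or 64 (SHA-256) hex chars" >&2; return 2 ;;
    esac
    actual=$($tool "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "verify_checksum: MISMATCH on $file: got $actual, expected $expected" >&2
    return 1
}

# fetch_verify_untar URL EXPECTED_HASH [DESTDIR]
# Downloads into DESTDIR, verifies, and only then extracts; a bad checksum
# deletes the download so a later "tar -xzvf" cannot pick it up by accident.
fetch_verify_untar() {
    url=$1; expected=$2; dest=${3:-.}
    name=$(basename "$url" | sed 's/?.*//')   # drop SourceForge ?modtime=... suffixes
    wget -q -O "$dest/$name" "$url" || { echo "download failed: $url" >&2; return 3; }
    if verify_checksum "$dest/$name" "$expected"; then
        tar -xzf "$dest/$name" -C "$dest" && rm -f "$dest/$name"
    else
        rm -f "$dest/$name"
        return 1
    fi
}

# Example usage (the hash is a placeholder for the published one, not a real value):
#   fetch_verify_untar http://www.snort.org/dl/current/snort-2.8.0.tar.gz <published-md5> /root/snorttmp
```

Run it in place of the wget/tar/rm triples above, once per archive. A mismatch removes the file and returns 1, so a script that chains the downloads with && stops at the first bad archive instead of building it.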

8. Installation.

a. PCRE install.

# cd /root/snorttmp/pcre-7.4

Here we will do a make/install

# ./configure
# make
# make install

b. Snort install.

# cd /root/snorttmp/snort-2.8.0

Here we will do a make/install

# ./configure --enable-dynamicplugin --with-mysql
# make
# make install

9. Copying files.

We need to create some folders in /etc for snort to function correctly and copy some files over to them.

# mkdir /etc/snort /etc/snort/rules /var/log/snort

Let's move some files.

# cd /root/snorttmp/snort-2.8.0/rules
# cp * /etc/snort/rules/

Let's get the /etc snort files also.

# cd /root/snorttmp/snort-2.8.0/etc
# cp * /etc/snort/

One more file. Snort was linked against the PCRE we just built in /usr/local/lib, so the runtime linker has to be able to find it; copying the library into /usr/lib does that (running ldconfig after the PCRE install is the cleaner way to get the same result).

# cp /usr/local/lib/libpcre.so.0 /usr/lib

10. Snort Configuration

We need to modify the snort.conf file to suit our needs.

Open /etc/snort/snort.conf with your favorite text editor (nano, vi, vim, etc.).

# vim /etc/snort/snort.conf

Change "var HOME_NET any" to "var HOME_NET 192.168.1.0/24" (your home network may differ from 192.168.1.0/24)
Change "var EXTERNAL_NET any" to "var EXTERNAL_NET !$HOME_NET" (this states that everything except HOME_NET is external)
Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules"

Scroll down the list to the section with "# output database: log, mysql, user=" and remove the "#" from in front of this line.
Leave "user=root", change "password=password" to "password=YOUR_PASSWORD", and set "dbname=snort".
Make note of the username, password, and dbname. You will need this information when we set up the MySQL database.
Using the MySQL root account here works, but it hands the sensor (and anyone who can read snort.conf) full control of the database server; a dedicated MySQL user that can only write to the snort database is the better choice once the setup is working.
Save and quit.
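The edits in step 10 as an added, scripted example (not from the original tutorial): it makes the same four changes with sed on a copy of snort.conf and then checks the result, so a typo in a variable name or a forgotten placeholder password gets caught before Snort is started. The network 192.168.1.0/24, the database user and the password in the usage line are placeholders that you replace with your own values.

```sh
#!/bin/sh
# Added example, not part of the original tutorial.
# Applies the four snort.conf edits from step 10 with sed on a copy, then
# checks them. The values passed in (network, DB user, password) are the
# caller's; "YOUR_PASSWORD" and 192.168.1.0/24 are placeholders.

# configure_snort_conf SRC DEST HOME_NET DB_USER DB_PASSWORD
# Writes the edited copy to DEST and returns check_snort_conf's status.
configure_snort_conf() {
    src=$1; dest=$2; home_net=$3; db_user=$4; db_pass=$5
    # sed treats & and the delimiter specially in the replacement; escape them
    # so a password such as 's3cr&t' survives intact.
    esc_pass=$(printf '%s' "$db_pass" | sed 's/[\\&|]/\\&/g')
    esc_user=$(printf '%s' "$db_user" | sed 's/[\\&|]/\\&/g')
    sed \
        -e "s|^var HOME_NET any\$|var HOME_NET $home_net|" \
        -e 's|^var EXTERNAL_NET any$|var EXTERNAL_NET !$HOME_NET|' \
        -e 's|^var RULE_PATH \.\./rules$|var RULE_PATH /etc/snort/rules|' \
        -e "s|^# *output database: log, mysql,.*|output database: log, mysql, user=$esc_user password=$esc_pass dbname=snort host=localhost|" \
        "$src" > "$dest" || return 2
    check_snort_conf "$dest" "$home_net"
}

# check_snort_conf FILE HOME_NET
# Reports every setting that is still at its stock value; returns 1 if any.
check_snort_conf() {
    f=$1; home_net=$2; rc=0
    grep -q "^var HOME_NET $home_net\$" "$f" \
        || { echo "HOME_NET is not $home_net" >&2; rc=1; }
    grep -q '^var EXTERNAL_NET !\$HOME_NET$' "$f" \
        || { echo "EXTERNAL_NET is not !\$HOME_NET" >&2; rc=1; }
    grep -q '^var RULE_PATH /etc/snort/rules$' "$f" \
        || { echo "RULE_PATH is not /etc/snort/rules" >&2; rc=1; }
    grep -q '^output database: log, mysql,' "$f" \
        || { echo "mysql output plugin is still commented out" >&2; rc=1; }
    if grep -qE '^output database:.*password=(password|test|YOUR_PASSWORD)( |$)' "$f"; then
        echo "database output line still carries a placeholder password" >&2; rc=1
    fi
    return $rc
}

# Usage on the real file (keep a backup of the original):
#   configure_snort_conf /etc/snort/snort.conf /tmp/snort.conf.new 192.168.1.0/24 root YOUR_PASSWORD \
#       && cp /etc/snort/snort.conf /etc/snort/snort.conf.orig \
#       && mv /tmp/snort.conf.new /etc/snort/snort.conf
```

check_snort_conf is also useful on its own after a hand edit: it exits non-zero and names the setting that is still at its default, including the database line if the placeholder password was never changed.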

11. Set up the MySQL database.

Log into the MySQL server.

# mysql -u root -p

If no root password was set when the server was installed, just hit enter at the password prompt.

If you get a failed login, try the above command again and enter YOUR_PASSWORD.

If there is no password you need to create a password for the root account.

Note: Once you are in mysql the # is now a mysql>

mysql> SET PASSWORD FOR root@localhost=PASSWORD('YOUR_PASSWORD');

Create the snort database.

mysql> create database snort;
mysql> exit

We will use the snort schema for the layout of the database.

# mysql -D snort -u root -p < /root/snorttmp/snort-2.8.0/schemas/create_mysql

We need to comment out a few lines in the web rules before we can test Snort; I am unsure if this has been fixed in the subscriber version.

Open up /etc/snort/rules/web-misc.rules with your favorite text editor.

# vim /etc/snort/rules/web-misc.rules

Comment out lines 97, 98, and 452 with a "#" (no quotes). These line numbers apply to the snortrules-pr-2.4 release used here; with a different rule set, run the test in the next step first and comment out whichever rule lines Snort reports as failing to parse.

12. Time to test Snort

In the terminal type:

# snort -c /etc/snort/snort.conf

If everything went well you should see an ASCII pig, followed by Snort initialising its preprocessors and rules without errors.

To end the test hit ctrl + c.
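Once Snort runs, the next question is what it is finding. The script below is an added example, not part of the tutorial: it triages Snort's single-line "fast" alert format, which you get with snort -A fast or the alert_fast output plugin. This setup sends alerts to MySQL for BASE, but the text log is the quickest thing to look at on the sensor itself. The alert lines in SAMPLE_ALERTS are constructed for the example; the addresses and the 1000001 signature are illustrative, not recorded events.

```sh
#!/bin/sh
# Added example, not part of the original tutorial.
# Triage of Snort's one-line "fast" alert log (snort -A fast, or
# "output alert_fast: alert" in snort.conf). The lines in SAMPLE_ALERTS are
# constructed for this example; real ones live in /var/log/snort/alert.

SAMPLE_ALERTS='11/19-18:06:01.123456  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.10:80 -> 10.0.0.5:4444
11/19-18:06:02.000001  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.10:80 -> 10.0.0.5:4445
11/19-18:06:05.555555  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 192.168.1.10
11/19-18:07:10.000000  [**] [1:1000001:1] LOCAL shell download attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.9:51234 -> 192.168.1.10:80'

# write_sample DEST: drop the constructed alerts into a file for the functions below.
write_sample() { printf '%s\n' "$SAMPLE_ALERTS" > "$1"; }

# count_by_sid FILE: "count [gid:sid:rev] message", most frequent first.
# The signature sits between the first "[**] " and the second " [**]".
count_by_sid() {
    awk '{
        s = index($0, "[**] "); line = substr($0, s + 5)
        e = index(line, " [**]"); sig = substr(line, 1, e - 1)
        n[sig]++
    } END { for (k in n) printf "%d %s\n", n[k], k }' "$1" | sort -rn
}

# top_sources FILE [N]: source addresses by alert count, ports stripped.
# Fields at the end of a line are "{PROTO} src -> dst", so src is $(NF-2).
top_sources() {
    awk '{ src = $(NF - 2); sub(/:[0-9]+$/, "", src); n[src]++ }
         END { for (k in n) printf "%d %s\n", n[k], k }' "$1" | sort -rn | head -n "${2:-10}"
}

# high_priority FILE: only Priority 1 alerts, as "timestamp src -> dst signature".
high_priority() {
    awk '/\[Priority: 1\]/ {
        s = index($0, "[**] "); line = substr($0, s + 5)
        e = index(line, " [**]"); sig = substr(line, 1, e - 1)
        printf "%s %s -> %s %s\n", $1, $(NF - 2), $NF, sig
    }' "$1"
}

# Usage: f=$(mktemp); write_sample "$f"; count_by_sid "$f"; top_sources "$f" 5; high_priority "$f"
# On a live sensor, pass /var/log/snort/alert instead of the sample file.
```

The three views answer the usual first questions: which rules are noisiest (candidates for tuning or for the web-misc style commenting done above), which hosts are generating the alerts, and which events carry priority 1 and deserve a look before anything else.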

13. BASE and Apache2

We have already installed both Apache2 and BASE, all we have to do now is move some files and modify a config file.
Create a file called test.php in /var/www/ with your favorite text editor.

# vim /var/www/test.php

Write in it:

<?php
phpinfo();
?>

Save and close this file. Remember to delete it once you have confirmed PHP works: phpinfo() shows the PHP version, loaded modules, paths and configuration to anyone who can reach the server.

We need to edit the /etc/php5/apache2/php.ini file.

# vim /etc/php5/apache2/php.ini

You need to add the following under "Dynamic Extensions".

extension=mysql.so
extension=gd.so

On Ubuntu the php5-mysql and php5-gd packages normally register these modules already through /etc/php5/conf.d/, so check test.php first; a module loaded twice only produces a startup warning, but the lines are then unnecessary.

Restart Apache2.

# /etc/init.d/apache2 restart

Get the IP address of the machine you are working on.

# ifconfig -a

Open a web browser and go to http://YOUR.IP.ADDRESS/test.php.

If everything went well, you will have PHP information displayed.

14. Moving more files.

We need to move ADOdb into the /var/www directory.

# mv /root/snorttmp/adodb5 /var/www/

Let's make a directory in www and move BASE.

# mkdir /var/www/web
# mv /root/snorttmp/base-1.3.8 /var/www/web/

We need to temporarily enable writing to the base-1.3.8 folder so the web setup can write its configuration file.

# chmod 757 /var/www/web/base-1.3.8

Note that 757 makes the directory writable by every local user, not only by Apache; it is tolerable only because we tighten it again right after the web setup (changing the owner to the www-data user Apache runs as would be the cleaner alternative). Do not leave it this way.

We also need to modify a PHP setup file using your favorite text editor.

# vim /var/www/web/base-1.3.8/setup/setup1.php

Find the line that says "base_header" and change it to "header".

Save and exit.

We want the graphs in BASE to work so we need to install a few PEAR extensions.

# pear install Image_Color
# pear install Image_Canvas-alpha
# pear install Image_Graph-alpha

15. BASE setup via the web.

Open a web browser and navigate to http://YOUR.IP.ADDRESS/web/base-1.3.8/setup.

Click continue on the first page.

  • Step 1 of 5: Enter the path to ADODB.
    This is /var/www/adodb5.
  • Step 2 of 5:
    Database type = MySQL, Database name = snort, Database Host = localhost, Database username = root, Database Password = YOUR_PASSWORD
    (These are the credentials from snort.conf. If you created a dedicated, less privileged MySQL account for Snort, use it here as well.)
  • Step 3 of 5: If you want to use authentication enter a username and password here. Enabling it is strongly recommended: without it, anyone who can reach the web server can read your alert data.
  • Step 4 of 5: Click on Create BASE AG.
  • Step 5 of 5: Once step 4 is done, at the bottom click on "Now continue to step 5".

Bookmark this page.

Change the permissions back on the /var/www/web/base-1.3.8 folder.

# chmod 775 /var/www/web/base-1.3.8

This removes the world write bit again. The setup wizard has now written base_conf.php, which holds your database password, so make sure that file is not readable by every local user either.
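A post-setup check, added here and not part of the original guide: it flags the loose ends this procedure leaves behind, namely the phpinfo() test page, any world-writable path under the BASE directory left over from chmod 757, and a world-readable base_conf.php (BASE keeps the database password in that file). Both paths are arguments; on this tutorial's layout they are /var/www and /var/www/web/base-1.3.8, and the tree used in the test is constructed.

```sh
#!/bin/sh
# Added example, not part of the original tutorial.
# Post-setup check for the loose ends this procedure leaves behind. Both paths
# are arguments; on the tutorial's layout they are /var/www and
# /var/www/web/base-1.3.8.

# check_web_tree DOCROOT BASEDIR
# Prints one FINDING line per problem; returns 1 if anything was found, else 0.
check_web_tree() {
    docroot=$1; basedir=$2; rc=0

    # 1. The phpinfo() page from the PHP test step discloses versions, paths and config.
    if [ -e "$docroot/test.php" ]; then
        echo "FINDING: $docroot/test.php still exists; delete it (phpinfo() is an information leak)"
        rc=1
    fi

    # 2. chmod 757 during setup made the BASE directory world-writable; nothing
    #    under it should stay that way once setup has finished.
    ww=$(find "$basedir" -perm -0002 2>/dev/null)
    if [ -n "$ww" ]; then
        echo "FINDING: world-writable path(s) under $basedir:"
        printf '%s\n' "$ww" | sed 's/^/  /'
        rc=1
    fi

    # 3. base_conf.php holds the MySQL password; if it is world-readable every
    #    local account on the box can read the database credentials.
    wr=$(find "$basedir" -name base_conf.php -perm -0004 2>/dev/null)
    if [ -n "$wr" ]; then
        echo "FINDING: $wr is world-readable and contains the database password"
        rc=1
    fi

    # 4. The setup wizard directory is still served after configuration; not
    #    counted as a finding, but worth removing or denying in Apache.
    [ -d "$basedir/setup" ] && echo "NOTE: $basedir/setup is still reachable through the web server"

    return $rc
}

# Usage on the tutorial's layout:
#   check_web_tree /var/www /var/www/web/base-1.3.8
```

Run it after the chmod above and again whenever BASE is upgraded; the fixes for the three findings are rm on test.php, a chmod that drops the world write bit, and a chmod 640 with group www-data on base_conf.php.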

We are done. Congrats!!!

To start Snort in the terminal type:

# snort -c /etc/snort/snort.conf -i eth0 -D

This starts Snort on the eth0 interface in daemon mode. Started like this it keeps running as root; Snort's -u and -g options make it drop to an unprivileged user and group once the interface is open, which is worth doing on any sensor that sees hostile traffic (that user then needs write access to /var/log/snort).

To make sure it is running you can check with the following command:

# ps aux | grep snort

If it's running you will see an entry similar to snort -c /etc/snort/snort.conf -i eth0 -D (the grep command itself also shows up in the list, so look for the snort line specifically).

If you would like to learn how to write your own Snort rules there is a guide at http://www.snort.org/docs/snort_manual/node16.html.
Good luck.


Submitted by Rob (not registered) on Tue, 2009-11-17 01:24.
Hi guys,

I was trying to install snort on Ubuntu 8.04 LTS Server... but I am getting this error:

omerta@ssp:/etc/snort$ sudo apt-get install snort
Reading package lists... Done
Building dependency tree
Reading state information... Done
snort is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.

It says that it is installed... but there is nothing in /etc/snort/... just a rules folder, no conf file or anything... and in init.d there is no snort either.

When I tried to remove it and install it again I got this:

omerta@ssp:/etc/snort$ sudo apt-get remove snort
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
snort-rules-default snort-common libprelude2 snort-common-libraries libltdl3
Use 'apt-get autoremove' to remove them.
The following packages will be REMOVED:
snort
0 upgraded, 0 newly installed, 1 to remove and 2 not upgraded.
After this operation, 1057kB disk space will be freed.
Do you want to continue [Y/n]? y
(Reading database ... 23667 files and directories currently installed.)
Removing snort ...
invoke-rc.d: unknown initscript, /etc/init.d/snort not found.
dpkg: error processing snort (--remove):
subprocess pre-removal script returned error exit status 100
postinst called with unknown argument `abort-remove'
Errors were encountered while processing:
snort
E: Sub-process /usr/bin/dpkg returned an error code (1)

Please could someone help me with this... because I need it for a school project which is due Wednesday!

Thanks,

Rob
Submitted by James Flockton (not registered) on Fri, 2009-08-14 15:47.

All worked perfectly apart from the base stuff, I used an earlier version, this seem to fix this issue.

Thanks for writing this guide.

James

Submitted by jayy (not registered) on Wed, 2009-07-22 13:41.
One of the perfect things about ubuntu/debian is that you can just do aptitude/apt-get for almost anything. Why not just aptitude install for both snort, mysql-server and acidbase/acidlab-mysql?
Submitted by Roger Mudd (not registered) on Sun, 2008-10-05 14:09.

This was a really good howto, which I enjoyed setting up.  However I did run into the following similar errors: 

Warning: include_once(Mail.php) [function.include-once]: failed to open stream: No such file or directory in /var/www/web/base-php4/includes/base_action.inc.php on line 29

Warning: include_once() [function.include]: Failed opening 'Mail.php' for inclusion (include_path='.:/usr/share/php') in /var/www/web/base-php4/includes/base_action.inc.php on line 29

Warning: include_once(Mail/mime.php) [function.include-once]: failed to open stream: No such file or directory in /var/www/web/base-php4/includes/base_action.inc.php on line 30

Warning: include_once() [function.include]: Failed opening 'Mail/mime.php' for inclusion (include_path='.:/usr/share/php') in /var/www/web/base-php4/includes/base_action.inc.php on line 30

Warning: Cannot modify header information - headers already sent by (output started at /var/www/web/base-php4/includes/base_action.inc.php:29) in /var/www/web/base-php4/base_common.php on line 1077

It was resolved by installing the following:

pear install Mail

pear install Mail_Mime

Submitted by Anonymous (not registered) on Thu, 2008-10-16 21:10.

This helped me a lot. I had the same error as above; I just installed PEAR Mail and Mail_Mime and it works.

THANKS

Submitted by Bobb (not registered) on Thu, 2009-12-10 18:22.

Hey just FYI the snort download address format has changed.  I just downloaded it from

http://dl.snort.org/snort-current/snort-2.8.5.1.tar.gz

 Now for the rest of the install!