Comments on Intrusion Detection: Snort, Base, MySQL, and Apache2 On Ubuntu 7.10 (Gutsy Gibbon) (Updated)

Intrusion Detection: Snort, Base, MySQL, and Apache2 On Ubuntu 7.10 (Gutsy Gibbon) (Updated) In this tutorial I will describe how to install and configure Snort (an intrusion detection system (IDS)) from source, BASE (Basic Analysis and Security Engine), MySQL, and Apache2 on Ubuntu 7.10 (Gutsy Gibbon). Snort will assist you in monitoring your network and alert you about possible threats. Snort will output its log files to a MySQL database which BASE will use to display a graphical interface in a web browser.

9 Comment(s)


Comments

By: Andrew

This How-To works with BASE 1.4.2, Ubuntu 9.04, and Snort 2.8.4.1.

Thanks so much.

By:

There are a few changes I'd recommend.

  • libpcre3-dev is also required, but is not automatically installed with the other packages (at least on Debian Etch, anyway).
  • Step 4, you should add "chmod 600 /etc/snort/snort.conf" since snort.conf contains a plaintext password.
  • Step 7, the second code block needs some line breaks.
  • A note to add "snort -c /etc/snort/snort.conf -i eth0 -D" to /etc/rc.local couldn't hurt either.

Otherwise, these instructions test successfully on Debian Etch as well. Very nice job.

By:

Thanks Rojo.  I've added your recommendations to the howto.  I will leave the oinkmaster mini-howto as a comment for those that want it... :)

By: Angry

Just wanted to thank you for the tutorial.  It didn't work until I did

pear install Mail

pear install Mail_Mime

per the user forums.  Before I did this, I received several errors on step 4 of the BASE web-based configuration.

By:

Install and configure Oinkmaster to update snort's ruleset daily.

apt-get install oinkmaster

modify /etc/oinkmaster.conf so that:

url = http://www.snort.org/pub-bin/oinkmaster.cgi/<your registered key>/snortrules-snapshot-CURRENT.tar.gz

Then:

groupadd snort
useradd -g snort snort -s /bin/false
chmod 640 /etc/oinkmaster.conf
chown root:snort /etc/oinkmaster.conf
nano -w /usr/local/bin/oinkdaily

In /usr/local/bin/oinkdaily, include the following, uncommenting the appropriate line:

#!/bin/bash

## if you have "mail" installed, uncomment this to have oinkmaster mail you reports:
# /usr/sbin/oinkmaster -C /etc/oinkmaster.conf -o /etc/snort/rules 2>&1 | mail -s "oinkmaster" [email protected]

## otherwise, use this one:
# /usr/sbin/oinkmaster -C /etc/oinkmaster.conf -o /etc/snort/rules >/dev/null 2>&1

Finally:

chmod 700 /usr/local/bin/oinkdaily
chown -R snort:snort /usr/local/bin/oinkdaily /etc/snort/rules
crontab -u snort -e

In user snort's crontab, to launch the update on the 30th minute of the 5th hour of every day, add the following:

30 5 * * *     /usr/local/bin/oinkdaily

But you should randomize those times (for instance, 2:28 or 4:37 or 6:04) to reduce the impact on snort.org's servers.
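The mini-howto above, carried a step further as an added example (not code from the page, from Snort or from the oinkmaster project): a randomized cron line, a permission check for the two files that hold plaintext credentials, and a rule update that is validated with "snort -T" and rolled back if it breaks the config. It assumes a POSIX shell with awk and a Snort 2.x binary that accepts -T; the OINKMASTER and SNORT paths are assumptions and can be overridden in the environment.

```shell
#!/bin/sh
# Helper functions for the oinkmaster mini-howto above (added example; not
# code from the page, from Snort or from the oinkmaster project).  Assumes a
# POSIX shell, awk, and a Snort 2.x binary that accepts -T (config test mode).
OINKMASTER="${OINKMASTER:-/usr/sbin/oinkmaster}"
SNORT="${SNORT:-/usr/local/bin/snort}"

# Print a crontab line with a random minute and an hour inside [start,end],
# so every install does not fetch from snort.org at the same moment.
random_cron_line() {
    awk -v s="${2:-2}" -v e="${3:-6}" -v cmd="$1" 'BEGIN { srand();
        printf "%d %d * * *\t%s\n", int(rand()*60), s + int(rand()*(e-s+1)), cmd }'
}

# Return 0 only if $1 is a regular file that is not readable by "other" and
# whose mode bits stay within the octal limit $2 (600 for snort.conf, 640 for
# oinkmaster.conf): both files carry credentials in plaintext.
secret_file_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null) || mode=$(stat -f '%Lp' "$1") || return 1
    [ $(( 0$mode & 07 )) -eq 0 ] || return 2             # world-readable
    [ $(( 0$mode & ~0$2 )) -eq 0 ] || return 3            # wider than the limit
}

# Fetch rules with oinkmaster, then run "snort -T" against the real config.
# If the new rule set breaks the config, the previous copy is restored so a
# later restart does not fail silently (the daemon-mode comment further down
# this thread shows how hard that is to spot).  Exit codes: 0 ok, 1 backup
# failed, 2 oinkmaster failed, 3 config test failed and rules rolled back.
update_rules_safely() {
    oink_conf="$1"; rules_dir="$2"; snort_conf="$3"
    backup="${rules_dir}.bak.$$"
    cp -pR "$rules_dir" "$backup" || return 1
    if ! "$OINKMASTER" -C "$oink_conf" -o "$rules_dir" >/dev/null 2>&1; then
        rm -rf "$backup"; return 2
    fi
    if "$SNORT" -T -c "$snort_conf" >/dev/null 2>&1; then
        rm -rf "$backup"; return 0
    fi
    rm -rf "$rules_dir" && mv "$backup" "$rules_dir"
    return 3
}
```

Call update_rules_safely from /usr/local/bin/oinkdaily in place of the bare oinkmaster line, and pipe random_cron_line into the snort user's crontab instead of typing a fixed "30 5" by hand.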

By:

Cheers for the great tutorial you made.

Just thought to add that if people run into trouble running snort in daemon mode (like me), and don't see any details in /var/log/snort/alert:

You can run the same command without -D and snort will report what went wrong!!

snort -c /etc/snort/snort.conf -i eth0

In my case I made an error in the config for the rule_path. And when you can see what's wrong, you can fix it!

Thanks again volksman.

By: Swetha

swetharaghav@Raghavendra-PC:~$ sudo apt-get install libpcap0.8-dev libmysqlclient15-dev mysql-client-5.0 mysql-server-5.0 bison flex apache2 libapache2-mod-php5 php5-gd php5-mysql libphp-adodb php-pear libc6-dev g++ gcc pcregrep libpcre3-dev
Reading package lists... Done
Building dependency tree       
Reading state information... Done
E: Couldn't find package libpcap0.8-dev
swetharaghav@Raghavendra-PC:~$ sudo apt-get install libpcap0.8-dev libmysqlclient15-dev mysql-client-5.0 mysql-server-5.0 bison flex apache2 libapache2-mod-php5 php5-gd php5-mysql libphp-adodb php-pear libc6-dev g++ gcc pcregrep libpcre3-dev

Can someone please tell me what the error is???

By: AMOR

I just want to thank you for the article that you posted about intrusion detection; it helped me very well to install Snort. There are some problems, but I like what I got so far.

Oueriach Amor

By: Robert

Thanks for the tutorial!

I did install snort, base, and mysql and everything is running... but nothing is being logged, to base or to /var/log/snort!!

Could anybody help me with this, please?