SNORT and BASE on a CLEAN "The Perfect Setup - Debian Sarge (3.1)"

Discussion in 'Suggest HOWTO' started by edge, Jun 26, 2006.

  1. edge

    edge Active Member HowtoForge Supporter

    SNORT and BASE on a CLEAN "The Perfect Setup - Debian Sarge (3.1)" with ISPconfig and one main website setup!

    1) Make a download dir for all needed files:

    2) Download the needed files.

    Get snort.
    The latest version at the time of writing this is snort-2.6.0
    Now un-tar the file:
    And let’s remove the tar file:
    We also need the Snort rules!
    Go to: http://www.snort.org/pub-bin/downloads.cgi and scroll down till you see the "Sourcefire VRT Certified Rules - The Official Snort Ruleset (unregistered user release)" rules
    Move the snortrules-pr-2.4.tar.gz into the snort-2.6.0 map
    and cd into snort-2.6.0
    un-tar the snortrules-pr-2.4.tar.gz file:
    Remove the tar file:
    Get PCRE - Perl Compatible Regular Expressions
    Go to: http://www.pcre.org/ and select a download link for the pcre-6.3.tar.gz file to download pcre (at time of writing this it is pcre-6.3.tar.gz)
    cd back to the snorttemp map
    and download the pcre-6.3.tar.gz file
    un-tar the file:
    Remove the tar:

    Get - LIBPCAP
    Go to: http://www.tcpdump.org/ and select a download link for Libpcap (at time of writing this it is libpcap-0.9.4.tar.gz)
    cd back to the snorttemp map
    and download the libpcap-0.9.4.tar.gz file
    un-tar the file:
    Remove the file:
    (That’s all the files we need to get snort to work.)

    Get - BASE (Basic Analysis and Security Engine )
    Go to: http://secureideas.sourceforge.net/ and download the latest release (at time of writing BASE 1.2.5 (sarah))
    cd back to the snorttemp map
    and download the base-1.2.5.tar.gz file
    un-tar the file:
    Remove the file:

    Get - ADOdb: (ADOdb Database Abstraction Library for PHP (and Python).)
    Go to: http://adodb.sourceforge.net/ and download the latest release (at time of writing adodb-490-for-php)
    cd back to the snorttemp map
    and download the adodb490.tgz file
    un-tar the file:
    Remove the file:
    Your download dir (/root/snorttemp) should look like this with ls:

    [screenshot]


    3) Let’s start installing.


    You will 1st need to install LIBPCAP.
    Make sure that you are in the directory that you downloaded all files.
    cd into the libpcap map.

    Now we need to install PCRE
    Make sure that you are in the directory that you downloaded all files.
    cd into the PCRE map.

    Install SNORT:
    Make sure that you are in the directory that you downloaded all files.
    cd into the snort map.
    Now let’s create some needed Snort maps

    and move the files from the setup map in the correct maps

    The snort.conf file in /etc/snort needs some work.

    As we are using MySQL for Snort to log, we will also need to tell Snort to use it.
    Scroll down till "output database", and remove the # in front of the line for the MySQL.
    Now also change the "user", "password" and "dbname". Make a note of this as you will need it later!
    Save the file and close 'nano'

    Setting up the MySQL Database for snort.
    There are many ways to create the snort database.
    The table layout can be found in the file create_mysql in the "/root/snorttemp/snort-2.6.0/schemas" map

    Whatever way you create the database, make sure the 'user', 'password' and 'dbname' are the same as the ones you used in the snort.conf file!

    After creating the database with the needed tables, you can test Snort and see if you get any errors with:

    Exit the test with ctrl+C

    If you get no errors, Snort is set up correctly.


    Now we need to move the ADOdb

    cd back to the download dir

    and move adodb into the root of the www map.

    Next: BASE (Basic Analysis and Security Engine )

    Still in the download dir, we move the base dir into the 1st website map that you created with ISPconfig.

    cd into /var/www/web1/web/
    and chmod the base-1.2.5 folder to 757

    now open a browser and go to: the 1st site that you created with ISPconfig /base-1.2.5/setup
    If all is okay you should see a Setup dir:

    [screenshot]

    Click on Continue

    step 1 of 5:
    Enter the path to ADODB (/var/www/adodb)
    [screenshot]

    click on Submit Query

    step 2 of 5:
    Enter the needed info on the next screen: (leave the Use Archive Database as is)
    [screenshot]

    click on Submit Query
    Last edited: Jun 27, 2006
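    As an added example (not from edge's post), a small Python check for the snort.conf "output database" directive described above: it parses the enabled line and confirms the user, password and dbname match what the snort database was created with. The snort.conf fragment and the hypothetical helper names are constructed for this example; the credential values are placeholders.

```python
import re

# Constructed sample snort.conf fragment (not the page's file): the stock MySQL
# line left commented, plus the enabled copy with the edited user/password/dbname.
SAMPLE_CONF = """\
# output database: log, mysql, user=root password=test dbname=db host=localhost
output database: log, mysql, user=snortuser password=snortpassword dbname=snortdb host=localhost
output alert_syslog: LOG_AUTH LOG_ALERT
"""

# Snort 2.x syntax: output database: <log|alert>, <backend>, key=value ...
OUTPUT_DB_RE = re.compile(r"^\s*output\s+database\s*:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$")


def parse_output_database(conf_text):
    """Return the enabled 'output database' directives as a list of dicts.

    Each dict holds the log type ('log' or 'alert'), the backend ('mysql', ...)
    and the key=value parameters (user, password, dbname, host, ...).
    Lines starting with '#' are skipped, since Snort ignores them as well.
    """
    found = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = OUTPUT_DB_RE.match(line)
        if not m:
            continue
        params = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
        found.append({"type": m.group(1), "backend": m.group(2), "params": params})
    return found


def check_mysql_logging(conf_text, user, password, dbname):
    """Return a list of problems; an empty list means snort.conf matches the DB.

    Hypothetical helper: compares the enabled MySQL output line against the
    credentials used when the snort database and its GRANT were created.
    """
    mysql = [d for d in parse_output_database(conf_text) if d["backend"] == "mysql"]
    if not mysql:
        return ["no enabled 'output database: ... mysql' line (still commented out?)"]
    params = mysql[0]["params"]
    problems = []
    for key, want in (("user", user), ("password", password), ("dbname", dbname)):
        if params.get(key) != want:
            problems.append(f"{key}: snort.conf has {params.get(key)!r}, database uses {want!r}")
    return problems
```

    Run it against the real /etc/snort/snort.conf before the `snort` test in the step above, so a mismatch shows up as a named parameter rather than a database connection error.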
  2. edge

    edge Active Member HowtoForge Supporter

    step 3 of 5:
    If you want to Use Authentication for the Base page you can do so here.
    [screenshot]

    click on Submit Query

    step 4 of 5:
    Click on "Create BASE AG" to create the database.
    [screenshot]

    and after "Create BASE AG"
    [screenshot]


    Once done, click on "Now continue to step 5.."
    [screenshot]

    To make the Graphs work in BASE you will also need to install Image_Color, Image_Canvas and Image_Graph


    That's it for BASE.

    If you want, you can chmod the base-1.2.5 dir back to 775:
    You can also delete the snorttemp directory, and all the files in it.

    Now let’s start SNORT and see if BASE will show you the data logged by Snort.

    You will need to wait some minutes for data to be logged.
  3. edge

    edge Active Member HowtoForge Supporter

  4. falko

    falko Super Moderator Howtoforge Staff HowtoForge Supporter

    Wow, that's a nice one! :)
  5. StupidScript

    StupidScript New Member

    For MySQL:

    Code:
    cd /root/snorttemp/snort-2.6.0/schemas
    mysql -u MASTERUSER -pMASTERPASSWORD
    mysql> create database snortdb;
    mysql> use snortdb;
    mysql> source create_mysql;
    mysql> grant all on snortdb.* to snortuser@localhost identified by 'snortpassword';
    mysql> quit;
    That will use the installed sql file to populate the default 'snortdb' database and add the proper permissions for the 'snortuser' of your choice with the 'snortpassword' of your choice.

    FYI. :)
  6. reddog

    reddog New Member

    hello,

    Thank you for the tutorial, I do have a few questions though. I was able to install snort, and all the components you mentioned, into suse10. I do not use ispconfig and my document root path is "/usr/local/apache2/htdocs". I have moved base-1.2.5 into htdocs, however I'm not sure where to move "adodb" to. Could you please advise where would be the equivalent to "/var/www" as per your tut. (sorry, but I'm working on my newbness:D )

    also, should base-1.2.5 and adodb be chmod to my apache user and group?

    thank you for any help !!

    I'll have a couple more questions regarding base, but I'd rather wait till I can get these first couple solved for sure. Thanks again

    btw, I'm not trying to hijack anyone's post, just thought it would be a good place to start, considering a topic is already started. If ya like I can start a new one, just let me know.