Ubuntu 7.10 + Snort, Apache, Mysql....

Discussion in 'HOWTO-Related Questions' started by g0tb00st, Jan 23, 2008.

  1. g0tb00st

    g0tb00st New Member

    Hi everyone,

    I'm new to the forums. I found this site after looking for a good how-to on installing snort, base, etc.... After searching, I found this article, http://www.howtoforge.com/intrusion-detection-with-snort-mysql-apache2-on-ubuntu-7.10. I followed it to the letter and I'm still unable to get it going. BASE doesn't show anything at all after snort has been running for a while. Is there anyone out there that could possibly help me out or is experiencing the same issues as I am?

    Thank you,
    Erik
     
  2. falko

    falko Super Moderator ISPConfig Developer

    Any errors in your logs?
     
  3. j_hj

    j_hj New Member

    I've also just installed it, but I don't know if it works. How do I check if it works?
     
  4. g0tb00st

    g0tb00st New Member

    to check if snort is running, do "snort -c /etc/snort/snort.conf -i eth0 -v"

    stick your machine out directly on the internet, not behind your router. then run snort with the -D option as mentioned in the article, go to sleep, then wake up in the morning with attacks logged in BASE.

    if you want me to send some traffic your way to test it out, let me know. you can PM me with your IP.

    cheers,
    Erik
     
  5. j_hj

    j_hj New Member

    Hehe, so snort is useless when using a router? :O
     
  6. dimgr

    dimgr New Member

    snort is running ok for me
    BASE however does NOT log anything at all
    what is messed up ?
     
  7. zcworld

    zcworld New Member

    i use this command
    snort -c /etc/snort/snort.conf -u _snort -g _snort & sleep 2

    open up the first 1024 ports on the router to your linux box
    and then
    go to this URL and it will run a port check on the first 1024 ports on your IP https://www.grc.com/x/ne.dll?bh0bkyd2

    and see if it shows up

    also
    check the pear to see if its installed
    coz the first 3 or 4 times i tried it myself i didn't get the pear installed right (
    Image_Color / Image_Canvas-alpha / Image_Graph-alpha )

    just rerun the
    pear install Image_Color
    pear install Image_Canvas-alpha
    pear install Image_Graph-alpha
     
  8. dimgr

    dimgr New Member

    i will try what you told me later

    the server is connected directly to the internet, i ssh in from work all the time..
     
  9. dimgr

    dimgr New Member

    i get these

    pear install Image_Color
    PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php5/20060613+lfs/gd.so' - /usr/lib/php5/20060613+lfs/gd.so: undefined symbol: gdImageCreateFromJpeg in Unknown on line 0
    Ignoring installed package pear/Image_Color
    Nothing to install
    [email protected]:/home/dimgr# pear install Image_Graph-alpha
    PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php5/20060613+lfs/gd.so' - /usr/lib/php5/20060613+lfs/gd.so: undefined symbol: gdImageCreateFromJpeg in Unknown on line 0
    Ignoring installed package pear/Image_Graph
    Nothing to install
    [email protected]:/home/dimgr# pear install Image_Canvas-alpha
    PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php5/20060613+lfs/gd.so' - /usr/lib/php5/20060613+lfs/gd.so: undefined symbol: gdImageCreateFromJpeg in Unknown on line 0
    Ignoring installed package pear/Image_Canvas
    Nothing to install

    the Graph alerts on BASE do not work
    PHP ERROR: PHP build incomplete: the prerequisite GD support required to generate graphs was not built into PHP. Please recompile PHP with the necessary library (--with-gd)
     
  10. falko

    falko Super Moderator ISPConfig Developer

    Please try
    Code:
    sudo apt-get install php5-gd
    sudo /etc/init.d/apache2 restart
     
  11. dimgr

    dimgr New Member

    no luck

    apt-get install php5-gd
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    php5-gd is already the newest version.
    0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
     
  12. falko

    falko Super Moderator ISPConfig Developer

    What's in /etc/php5/conf.d/gd.ini?
     
  13. dimgr

    dimgr New Member

    here it is

    cat /etc/php5/conf.d/gd.ini
    # configuration for php GD module
    extension=gd.so
    [email protected]:~$
     
  14. falko

    falko Super Moderator ISPConfig Developer

    Looks good. Have you tried to restart Apache?
     
  15. dimgr

    dimgr New Member

    many times, always with the same result :(
     
  16. dimgr

    dimgr New Member

    i reinstalled BASE hoping to fix this problem
    but
    same results:(
     
  17. dimgr

    dimgr New Member

    i kind of figured it out
    with iptables firewalling on , base won't log shit...
    turn iptables off and you can see it logging some of my nmap scans;)

    but is this normal?
     
  18. Zaka

    Zaka New Member

    Hi Everyone,

    I'm new to this forum, but I found that there is an issue with BASE not working after the complete installation of Snort. I faced this problem too, and with a little modification I made it work.

    I hope it works for those who need it.

    Follow the steps at the URL below

    http://www.howtoforge.com/intrusion-detection-with-snort-mysql-apache2-on-ubuntu-7.10

    ----------------------------------------------------------
    Now the changes you need to implement while installing.
    ----------------------------------------------------------
    After finishing the step: 1. Prerequisites

    Install: libpcap-0.9.8.tar.gz & tcpdump-3.9.8.tar.gz

    ----------

    Download the "snortdb-extra.gz" file before installing snort. This file is required later, at the time of the MySQL configuration.

    ----------

    After finishing the step : 10. Snort Configuration

    Follow the steps below to configure mysql

    mysql -u root -p

    mysql> SET PASSWORD FOR [email protected]=PASSWORD('password');
    >Query OK, 0 rows affected (0.25 sec)

    mysql> create database snort;
    >Query OK, 1 row affected (0.01 sec)

    mysql> grant INSERT,SELECT on root.* to [email protected];
    >Query OK, 0 rows affected (0.02 sec)

    mysql> SET PASSWORD FOR [email protected]=PASSWORD('password_from_snort.conf');
    >Query OK, 0 rows affected (0.25 sec)

    mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to [email protected];
    >Query OK, 0 rows affected (0.02 sec)

    mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort;
    >Query OK, 0 rows affected (0.02 sec)

    mysql> exit

    >Bye

    Execute the following commands to create the tables
    example: mysql -u root -p < /usr/share/doc/snort-2.2.0/contrib/create_mysql snort

    * the text in red indicates where to specify the "create_mysql" file path

    Enter password: the mysql root password

    Then install the extra DB tables using the following command
    example: zcat /usr/share/doc/snort-2.2.0/contrib/snortdb-extra.gz |mysql -p snort

    * the text in red indicates where to specify the "snortdb-extra.gz" file path
    Enter password: the mysql root password

    --------------------------------

    Log in to mysql and cross-check whether the Snort database contains 19 tables or not.

    if yes then proceed.

    --------------------------------

    once these modifications are done.. you can use Base.


    Zaka.
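A small shell diagnostic, added here as an example and not taken from the thread or from the howtoforge article, that covers three things the posts above stumble over in one place: zcworld's "check the pear to see if it's installed", dimgr's "PHP build incomplete ... GD" error (a gd.ini line alone proves nothing if the module fails to load), and Zaka's "cross-check that the Snort database contains 19 tables". The function names (check_gd, check_pear, count_tables, check_tables) and the sample tool outputs are constructed for this example; the live mode assumes the database is called snort as in the article and that mysql can authenticate without prompting (for example via ~/.my.cnf).

```shell
#!/bin/sh
# Added example, not code from the thread or the howtoforge article.
# Each check_* function reads a tool's output from stdin, so the same
# function runs against the constructed samples below and, in run_live(),
# against the real `php -m`, `pear list` and `mysql` commands.

# GD check. Input: `php -m` output (one loaded module per line).
# BASE's graph pages call GD at runtime; extension=gd.so in gd.ini does not
# help if the module failed to load (dimgr's gd.so "undefined symbol" warning).
check_gd() {
    grep -qix 'gd'
}

# PEAR check. Input: `pear list` output ("Package Version State" rows).
# Prints each missing graphing package on stderr; returns 1 if any is missing.
check_pear() {
    listing=$(cat)
    missing=0
    for pkg in Image_Color Image_Canvas Image_Graph; do
        if ! printf '%s\n' "$listing" | grep -q "^$pkg[[:space:]]"; then
            echo "missing PEAR package: $pkg" >&2
            missing=1
        fi
    done
    return $missing
}

# Table count. Input: `mysql -N -e 'SHOW TABLES' snort` output, one table
# name per line. Prints the number of non-blank lines.
count_tables() {
    awk 'NF { n++ } END { print n + 0 }'
}

# Returns 0 when the table count on stdin equals $1 (Zaka's post expects 19).
check_tables() {
    expected=${1:-19}
    [ "$(count_tables)" -eq "$expected" ]
}

# --- constructed samples (not captured from a real system) ---
SAMPLE_PHP_M_OK='Core
date
gd
mysql
pcre'
SAMPLE_PHP_M_NO_GD='Core
date
mysql
pcre'
SAMPLE_PEAR_OK='Installed packages, channel pear.php.net:
=========================================
Package      Version State
Archive_Tar  1.3.2   stable
Image_Canvas 0.3.1   alpha
Image_Color  1.0.3   stable
Image_Graph  0.7.2   alpha
Mail         1.1.14  stable'
SAMPLE_PEAR_MISSING='Installed packages, channel pear.php.net:
=========================================
Package      Version State
Archive_Tar  1.3.2   stable
Image_Color  1.0.3   stable'
# Constructed list of 19 names standing in for the snort schema plus the
# snortdb-extra tables, i.e. the count Zaka's post asks you to verify.
SAMPLE_TABLES='data
detail
encoding
event
flags
icmphdr
iphdr
opt
protocols
reference
reference_system
schema
sensor
services
sig_class
sig_reference
signature
tcphdr
udphdr'

# Runs every check against the samples; returns 0 if all behave as expected.
selfcheck() {
    printf '%s\n' "$SAMPLE_PHP_M_OK" | check_gd || return 1
    printf '%s\n' "$SAMPLE_PHP_M_NO_GD" | check_gd && return 1
    printf '%s\n' "$SAMPLE_PEAR_OK" | check_pear || return 1
    printf '%s\n' "$SAMPLE_PEAR_MISSING" | check_pear 2>/dev/null && return 1
    printf '%s\n' "$SAMPLE_TABLES" | check_tables 19 || return 1
    return 0
}

# Runs the checks on the live box for whichever tools are installed.
run_live() {
    if command -v php >/dev/null 2>&1; then
        php -m | check_gd && echo "gd: loaded" || echo "gd: NOT loaded"
    fi
    if command -v pear >/dev/null 2>&1; then
        pear list | check_pear && echo "pear: graphing packages present"
    fi
    if command -v mysql >/dev/null 2>&1; then
        n=$(mysql -N -e 'SHOW TABLES' snort 2>/dev/null | count_tables)
        echo "snort db tables: $n (expected 19)"
    fi
}

case "${1:-}" in
    --live) run_live ;;
    *)      selfcheck && echo "selfcheck: ok" ;;
esac
```

Run it with no arguments to exercise the constructed samples, or with `--live` on the BASE host; a GD module that is listed in gd.ini but absent from `php -m` is exactly the state dimgr's "PHP build incomplete" error reports, and a table count other than 19 means create_mysql or snortdb-extra.gz was not loaded into the snort database.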
     
  19. Joe Mama

    Joe Mama New Member

    OK, I know how noob this is going to look, but... I followed the instructions verbatim I thought, other than using base-1.4.1 rather than 1.3.8, and snort-2.8.2.2 rather than snort-2.8.0.

    This is embarrassing.. should I use the URL http://localhost/web/base-php4/index.php ? if so, I am getting what looks like perm problems:

    Warning: include_once(Mail.php) [function.include-once]: failed to open stream: No such file or directory in /var/www/web/base-php4/includes/base_action.inc.php on line 29

    Suggestions please? I looked for BASE docs, to no real avail.
     
    Last edited: Aug 5, 2008
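Falko's question about include_path is the right one: include_once('Mail.php') tries each directory of include_path in turn, and the warning above means none of them holds Mail.php, the entry file of the PEAR Mail package. The script below, an added example and not code from the thread, walks include_path the same way so you can see where the lookup fails before editing php.ini. resolve_include, missing_dirs and the temporary demo layout are constructed for this example; resolving "." against the directory passed as the third argument is a simplification of PHP's current-directory-then-calling-script-directory fallback.

```shell
#!/bin/sh
# Added example, not code from the thread: resolve a PHP include the way
# include_once('Mail.php') searches include_path, directory by directory.

# resolve_include FILE INCLUDE_PATH [BASEDIR]
# Prints the first existing candidate and returns 0; returns 1 if none exists.
# "." (and empty entries) are resolved against BASEDIR, assumed to be the
# directory of the including script (a simplification of PHP's behaviour).
resolve_include() {
    file=$1
    path=$2
    base=${3:-.}
    oldifs=$IFS
    IFS=':'
    for dir in $path; do
        IFS=$oldifs
        case $dir in
            ''|.) candidate="$base/$file" ;;
            /*)   candidate="$dir/$file" ;;
            *)    candidate="$base/$dir/$file" ;;
        esac
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    IFS=$oldifs
    return 1
}

# missing_dirs INCLUDE_PATH
# Prints every absolute directory named in include_path that does not exist,
# a common cause of "failed to open stream" when a PEAR path is mistyped.
missing_dirs() {
    oldifs=$IFS
    IFS=':'
    for dir in $1; do
        IFS=$oldifs
        case $dir in ''|.) continue ;; esac
        [ -d "$dir" ] || printf '%s\n' "$dir"
    done
    IFS=$oldifs
    return 0
}

# Constructed demo layout (temporary directories, not a real PEAR tree):
# $tmp/pear/Mail.php exists and $tmp/web/includes plays the role of
# /var/www/web/base-php4/includes from the warning in the thread.
demo_found() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/pear" "$tmp/web/includes"
    : > "$tmp/pear/Mail.php"
    found=$(resolve_include Mail.php ".:$tmp/pear" "$tmp/web/includes")
    rc=$?
    rm -rf "$tmp"
    [ "$rc" -eq 0 ] && [ "$found" = "$tmp/pear/Mail.php" ]
}

# Same layout, but the PEAR directory lacks Mail.php: the lookup must fail,
# which is the situation the include_once warning reports.
demo_missing() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/pear" "$tmp/web/includes"
    if resolve_include Mail.php ".:$tmp/pear" "$tmp/web/includes" >/dev/null; then
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$tmp"
    return 0
}

# Live use on the BASE host (only when invoked with --live and php exists):
# read include_path from PHP itself, report dead directories, then look for
# Mail.php from the includes directory named in the warning.
if [ "${1:-}" = "--live" ] && command -v php >/dev/null 2>&1; then
    ip=$(php -r 'echo get_include_path();')
    echo "include_path: $ip"
    missing_dirs "$ip" | sed 's/^/missing directory: /'
    resolve_include Mail.php "$ip" /var/www/web/base-php4/includes \
        || echo "Mail.php not found on include_path (install PEAR Mail or add its directory to include_path)"
fi
```

Without arguments the script defines the functions and the two demos; `sh script.sh --live` prints the include_path PHP actually uses (the CLI and Apache php.ini can differ, so compare with the value in the web server's php.ini as well) and either the resolved path of Mail.php or the directory that is missing from it.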
  20. falko

    falko Super Moderator ISPConfig Developer

    What's the value of include_path in your php.ini?
     
