Intrusion Detection With BASE And Snort - Page 2

LIBPCAP

Go to http://www.tcpdump.org/ and select the download link for libpcap (at the time of writing it is libpcap-0.9.4.tar.gz).
cd back to the snorttemp directory:

cd /root/snorttemp

and download the libpcap-0.9.4.tar.gz file:

wget http://www.tcpdump.org/release/libpcap-0.9.4.tar.gz

Untar the file:

tar -xvzf libpcap-0.9.4.tar.gz

Remove the file:

rm libpcap-0.9.4.tar.gz

BASE (Basic Analysis and Security Engine)

Go to http://secureideas.sourceforge.net/ and download the latest release (at the time of writing, BASE 1.2.5 (sarah)).
cd back to the snorttemp directory:

cd /root/snorttemp

and download the base-1.2.5.tar.gz file:

wget http://surfnet.dl.sourceforge.net/sourceforge/secureideas/base-1.2.5.tar.gz

Untar the file:

tar -xvzf base-1.2.5.tar.gz

Remove the file:

rm base-1.2.5.tar.gz

ADOdb (ADOdb Database Abstraction Library for PHP and Python)

Go to http://adodb.sourceforge.net/ and download the latest release (at the time of writing, adodb-490-for-php).
cd back to the snorttemp directory:

cd /root/snorttemp

and download the adodb490.tgz file:

wget http://surfnet.dl.sourceforge.net/sourceforge/adodb/adodb490.tgz

Untar the file:

tar -xvzf adodb490.tgz

Remove the file:

rm adodb490.tgz

ls should now show the following directories in /root/snorttemp:
adodb, base-1.2.5, libpcap-0.9.4, pcre-6.3 and snort-2.6.0

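The three "wget / tar -xvzf / rm" rounds above extract whatever the mirror served. The script below is an added example, not part of the original tutorial, and shows the same unpack-then-remove step with two checks in front of it: the tarball's SHA-256 must match a value you copied from the project's release page, and no member name in the archive may escape the destination directory. The tarball and hash it uses are constructed locally for the demo (they are not real libpcap, BASE or ADOdb release hashes); substitute the published hash and the downloaded file when you run it for real.

```shell
#!/bin/sh
# Added example (not from the original tutorial): unpack a release tarball
# only after a checksum match and a member-path check.
set -eu

# Portability shim: Linux ships sha256sum, macOS ships shasum.
if ! command -v sha256sum >/dev/null 2>&1; then
    sha256sum() { shasum -a 256 "$@"; }
fi

# verify_sha256 FILE EXPECTED -> 0 when FILE hashes to EXPECTED
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# members_are_safe (reads tar member names on stdin)
# -> 0 unless some name starts with "/" or contains a ".." path component
members_are_safe() {
    ! grep -Eq '(^/|(^|/)\.\.(/|$))'
}

# archive_is_safe FILE -> list the gzip'd tarball and apply members_are_safe
archive_is_safe() {
    tar -tzf "$1" | members_are_safe
}

# unpack_verified FILE EXPECTED_SHA256 DESTDIR
# Extracts into DESTDIR and removes FILE (as the tutorial's rm does) only if
# both checks pass; otherwise leaves FILE untouched and returns 1.
unpack_verified() {
    file=$1; expected=$2; dest=$3
    verify_sha256 "$file" "$expected" || { echo "checksum mismatch, not extracting: $file" >&2; return 1; }
    archive_is_safe "$file"            || { echo "unsafe member path, not extracting: $file" >&2; return 1; }
    mkdir -p "$dest"
    tar -xzf "$file" -C "$dest"
    rm -f "$file"
}

# ---- constructed demo input: a fake "libpcap-demo" release built locally ----
WORK=$(mktemp -d)
mkdir -p "$WORK/src/libpcap-demo"
echo 'int main(void) { return 0; }' > "$WORK/src/libpcap-demo/pcap.c"
tar -czf "$WORK/libpcap-demo.tar.gz" -C "$WORK/src" libpcap-demo
GOOD_SUM=$(sha256sum "$WORK/libpcap-demo.tar.gz" | cut -d' ' -f1)
WRONG_SUM=0000000000000000000000000000000000000000000000000000000000000000   # constructed

# 1) A non-matching hash (a tampered mirror, say) must leave the tarball in place.
DEMO_BAD_SUM_REJECTED=no
if ! unpack_verified "$WORK/libpcap-demo.tar.gz" "$WRONG_SUM" "$WORK/snorttemp" \
   && [ -f "$WORK/libpcap-demo.tar.gz" ]; then
    DEMO_BAD_SUM_REJECTED=yes
fi

# 2) The matching hash extracts the tree and removes the tarball.
DEMO_GOOD_EXTRACTED=no
if unpack_verified "$WORK/libpcap-demo.tar.gz" "$GOOD_SUM" "$WORK/snorttemp" \
   && [ -f "$WORK/snorttemp/libpcap-demo/pcap.c" ] \
   && [ ! -f "$WORK/libpcap-demo.tar.gz" ]; then
    DEMO_GOOD_EXTRACTED=yes
fi

echo "wrong hash rejected: $DEMO_BAD_SUM_REJECTED, good hash extracted: $DEMO_GOOD_EXTRACTED"
rm -rf "$WORK"
```

GNU tar already strips a leading "/" and refuses ".." components on extraction; the explicit listing check makes that refusal visible in your own logs and holds on tar implementations that are less strict. Use `sha256sum` on the downloaded file and compare against the project's published value, not against a hash served by the same mirror as the tarball.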


Comments

From: Anonymous at: 2006-07-21 15:13:09

After editing the "user", "password" and "dbname" (on page 3) it's time to make a new SQL database.

Login to your SQL server

mysql -u root -p
(Enter password)

mysql> create database snort;
mysql> exit

Now that you have a SQL database ready, we can use the SNORT schemas for the proper layout.

mysql -D snort -u root -p < /root/snorttemp/snort-2.6.0/schemas/create_mysql
(Enter password)

Finally we are ready to test snort.

snort -c /etc/snort/snort.conf

EXAMPLE: 

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.6.0 (Build 59)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2006 Sourcefire Inc., et al.
 
Enjoy!

From: Anonymous at: 2013-05-13 18:27:47

What if you get an error that says parsing rules file "/etc/snort/snort.conf"

 error: /etc/snort/snort.conf(1) Invalid configuration line :FdF#..................................................

From: Anonymous at: 2006-08-10 16:56:58

If you get:
configure: error: C++ preprocessor "/lib/cpp" fails sanity check
when running:

./configure --enable-dynamicplugin --with-mysql

You may need to install the gcc c++ compiler.

Just run:

apt-get install g++

...and when it's finished, rerun the configure command, and you should be sorted out.

From: at: 2007-04-26 03:53:09

If you are running the snort test:

snort -c /etc/snort/snort.conf

and get an error like this:

ERROR: ERROR /etc/snort/rules/web-misc.rules Line 452 => unable to parse pcre regex "fn=Eye\d{4}_\d{2}.log/Rmsi"
Fatal Error, Quitting..

Solution:

You must edit the file /etc/snort/rules/web-misc.rules with your favorite text editor, on line 452, and:

change this line:
pcre:"fn=Eye\d{4}_\d{2}.log/Rmsi"

to:
pcre:"/fn=Eye\d{4}_\d{2}.log/Rmsi"

Just add '/' at the front of the line.

From: HomeSen at: 2009-08-03 09:22:57

Hi @ all,

I ran into some issues with my snort install on Debian 5r2. And I thought it might be helpful to post the solutions I found:

1. While running ./configure... I got mysql.h not found

You need to install the package libmysqlclient-dev

2. Loading dynamic detection library /usr/local/lib/snort_dynamicrules/bad-traffic.so... ERROR: Failed to load /usr/local/lib/snort_dynamicrules/bad-traffic.so: /usr/local/lib/snort_dynamicrules/bad-traffic.so: cannot open shared object file: No such file or directory
Fatal Error, Quitting..


This one can be fixed by copying all files from <snort_src_folder>/so_rules/precompiled/Debian-Lenny/i386/2.8.4/ to /usr/local/lib/snort_dynamicrules/

3. When trying to start snort, I also got the following: ERROR: ERROR /etc/snort/rules/exploit.rules(23): Couldn't resolve hostname HOME_NET
Fatal Error, Quitting..

That was a tricky one, since it wasn't that easy to localize the evil's root. In snort.conf you have to change the line:

var EXTERNAL_NET !HOME_NET

to

var EXTERNAL_NET !$HOME_NET

Because the Dollar-sign is missing there.

Hope this helps a few who were as unlucky as I was ;-)
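The third problem in the comment above is easy to reintroduce by hand, since a bare variable name is valid syntax and Snort only complains when it tries to resolve it as a hostname. The script below is an added example, not from the comment's author or from the Snort project: a small lint that reads a snort.conf, remembers every var/ipvar/portvar name it has seen, and flags a later definition whose value (after an optional leading `!`) is one of those names without the `$` prefix. The two snort.conf fragments it checks are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the comment above or from Snort): lint snort.conf
# for "var X !Y" / "var X Y" lines where Y is a variable name missing its "$".
set -eu

# lint_snort_vars FILE -> prints one line per suspect definition; exit 1 if any
lint_snort_vars() {
    awk '
    # var/ipvar/portvar NAME VALUE ...   (ipvar/portvar exist in later Snort 2.x)
    /^[[:space:]]*(var|ipvar|portvar)[[:space:]]+[A-Za-z_][A-Za-z0-9_]*[[:space:]]+/ {
        name = $2; val = $3
        sub(/^!/, "", val)                     # "!HOME_NET" -> "HOME_NET"
        if (val in defined) {                  # a known variable used without "$"
            printf "%s:%d: %s refers to %s without $ (write $%s)\n", FILENAME, FNR, name, val, val
            bad++
        }
        defined[name] = 1                      # remember this definition for later lines
    }
    END { exit (bad > 0) }
    ' "$1"
}

# ---- constructed demo configs ----
WORK=$(mktemp -d)
BAD_CONF=$WORK/snort-bad.conf
GOOD_CONF=$WORK/snort-good.conf

# the broken form from the comment: EXTERNAL_NET refers to HOME_NET by bare name
cat > "$BAD_CONF" <<'EOF'
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !HOME_NET
var DNS_SERVERS $HOME_NET
EOF

# the corrected form
cat > "$GOOD_CONF" <<'EOF'
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
EOF

if lint_snort_vars "$BAD_CONF";  then LINT_BAD=clean;  else LINT_BAD=flagged;  fi
if lint_snort_vars "$GOOD_CONF"; then LINT_GOOD=clean; else LINT_GOOD=flagged; fi
echo "broken conf: $LINT_BAD, fixed conf: $LINT_GOOD"
rm -rf "$WORK"
```

Run it as `lint_snort_vars /etc/snort/snort.conf` before starting Snort; it only knows about names defined earlier in the same file, which matches how Snort itself requires a variable to be defined before it is used.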

From: Anonymous at: 2009-05-19 18:29:29

thanks.....this tutorial helped me out a lot.

From: Anonymous at: 2006-07-10 21:30:13

Nice, easy to follow tutorial. Keep up the good work!

It's been a while that I've been meaning to get back to using snort. I think I'll give a try sometime this week. Never used BASE, I'll probably try it out this Wednesday.

Good Stuff.

--Jon Z http://jzencovich.blogspot.com/

From: Anonymous at: 2006-08-06 00:56:50

Not bad actually, but the project still hasn't grown up; if you use commercial variants you know this is nowhere compared to them...

From: kav5 at: 2006-09-08 19:51:18

Looks good but it is not complete. It would be very nice to add snortsam installation to the tutorial because it implements IPS system. (to block attacker automatically) 

From: Anonymous at: 2009-04-15 19:05:35

If you get these:

Warning: include_once(Mail.php) [function.include-once]: failed to open stream: No such file or directory in /var/www/web/base-php4/includes/base_action.inc.php on line 29

,...........................

 

Try issuing these commands and see if it helps:

pear install Mail
pear install Mail_Mime

From: pevma at: 2010-02-26 11:16:57

Also folks,

to get the graphics working by country and world maps:

There are 2 files: 

1. world_map6.png

2. world_map6.txt

do a search:

find / -iregex ".*world_map6.png"

you will find the file...then copy it to where your "PEAR directory" is

You will find your "PEAR directory" after you execute :

pear config-show

Then copy the 2 files in the "PEAR directory" under /Image/Graph/Images/Maps/

so the FULL path should look something like this:

/usr/share/php/Image/Graph/Images/Maps/

 

That solves one of the problems ...then you get an error like ".... couldn't find...or not defined $GeoIPfree_file_ascii and $ip2cc"...something of the sort...for this purpose in your cmd execute:

perl -MCPAN -e 'install  Geography::Countries'

then

 perl -MCPAN -e 'install  IP::Country'

ok...almost there

then find your base_conf.php - it should be somewhere in your /var/www/ directory or the directories under that

edit the file /base_conf.php/   towards the end you will find 

" $IP2CC..." uncomment that ...maybe restart your browser or clear the cache of your browser and you are ready to go!!!

that's it

From: wisedud2u at: 2010-04-05 10:43:49

after you install the Geography::Countries do this

root@a3s:~#  cd /usr/lib/perl5/site_perl/5.8.8/Geo/

root@a3s:Geo#wget  http://cpansearch.perl.org/src/BRICAS/Geo-IPfree-0.6/misc/ipct2txt.pl

 root@a3s:Geo#perl ipct2txt.pl ./ipscountry.dat /path/to/your/htdocs/base/ips-ascii.txt


 

From: at: 2007-07-23 04:59:25

This guide is a pretty good start but I actually found Patrick Harper's guide to be more in-depth. His guide is available at www.internetsecurityguru.com which I've used to develop a Snort/Centos/BASE install cd that I'm calling EasyIDS.

From: at: 2008-01-14 10:59:27

Thanks a lot for your tutorial. It allowed me to get everything up and running in a very short time.

From: Bob at: 2015-03-11 21:22:52

Doesn't look like the latest version of snort contains the needed mysql plugin, so it doesn't look like BASE can be used as it interfaces with mysql. Can someone verify this?