Intrusion Detection With BASE And Snort - Page 3

Installing

Let's start with libpcap.
Make sure that you are in the directory into which you downloaded all the files:

cd /root/snorttemp

cd into the libpcap directory:

cd libpcap-0.9.4

and build and install libpcap:

./configure
make
make install

Next is PCRE.
Again, make sure that you are in the directory into which you downloaded all the files:

cd /root/snorttemp

cd into the PCRE directory:

cd pcre-6.3

and build and install pcre-6.3:

./configure
make
make install

Now it's time for Snort.
Make sure that you are in the directory into which you downloaded all the files:

cd /root/snorttemp

cd into the snort directory:

cd snort-2.6.0

and build and install Snort with the extra options it needs (dynamic plugins and MySQL output):

./configure --enable-dynamicplugin --with-mysql
make
make install

Snort needs a few directories, so let's create them:

mkdir /etc/snort
mkdir /etc/snort/rules
mkdir /var/log/snort

Now we move the Snort files from the source tree into the directories we just created.
Make sure that you are in the directory into which you downloaded all the files:

cd /root/snorttemp

and cd into snort-2.6.0:

cd snort-2.6.0

and into the rules directory:

cd rules

Now we copy all files from rules/ into /etc/snort/rules:

cp * /etc/snort/rules

We do the same for the files in the source tree's etc/ folder:

cd ../etc
cp * /etc/snort
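The build and copy steps above as one script, added here as an example that is not part of the tutorial: each step runs only if the previous one succeeded, so a failed ./configure is never followed by a make install of half-built sources, and the copy step checks that snort.conf actually arrived. The source directory and versions are the tutorial's; the script name install_snort.sh and the `run` argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the tutorial: the libpcap/pcre/snort build and the
# rules/etc copy steps as one script that stops at the first failing command.
set -e

# Where the tutorial unpacked the sources (assumption: same path as the text)
SRC_ROOT=${SRC_ROOT:-/root/snorttemp}

# build_pkg DIR [configure-args...]
# Configure, build and install one source tree in a subshell; a failure in
# ./configure or make stops the chain before "make install" can run.
build_pkg() {
    dir=$1
    shift
    [ -d "$dir" ] || { echo "missing source directory: $dir" >&2; return 1; }
    ( cd "$dir" && ./configure "$@" && make && make install )
}

# install_snort_files SRC DEST [LOGDIR]
# Creates DEST, DEST/rules and LOGDIR, then copies SRC/rules/* and SRC/etc/*
# exactly as the tutorial's cp commands do, and checks that snort.conf arrived.
install_snort_files() {
    src=$1
    dest=$2
    logdir=${3:-/var/log/snort}
    mkdir -p "$dest/rules" "$logdir"
    cp "$src"/rules/* "$dest/rules/"
    cp "$src"/etc/* "$dest/"
    [ -f "$dest/snort.conf" ] || { echo "snort.conf missing in $dest" >&2; return 1; }
}

# Only act when invoked as "sh install_snort.sh run"; otherwise just define the functions
if [ "${1:-}" = run ]; then
    build_pkg "$SRC_ROOT/libpcap-0.9.4"
    build_pkg "$SRC_ROOT/pcre-6.3"
    build_pkg "$SRC_ROOT/snort-2.6.0" --enable-dynamicplugin --with-mysql
    install_snort_files "$SRC_ROOT/snort-2.6.0" /etc/snort
fi
```

Run it as root with `sh install_snort.sh run`; without the argument it only defines the functions, which is handy for sourcing just `install_snort_files` when the sources are already built.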

Fixing the snort.conf

The /etc/snort/snort.conf file needs some tuning to work on your system.
So cd into /etc/snort:

cd /etc/snort

and open snort.conf with nano (or any other text editor):

nano snort.conf

change "var HOME_NET any" to "var HOME_NET 192.168.0.5/32" (the address of the Snort host in this tutorial; use your own)
change "var EXTERNAL_NET any" to "var EXTERNAL_NET !$HOME_NET"
change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules"

As we built Snort with the '--with-mysql' option, and as BASE needs it, we also need to tell Snort which database to use.
Scroll down until you see "# output database", and remove the # in front of the MySQL line.
Now also change the "user", "password" and "dbname" values. Hint: make a note of these, as you will need them later!
Save the file and close nano.
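The same edits done with sed, plus a check for the slips that stop Snort from starting (a HOME_NET left at "any", an EXTERNAL_NET written without the dollar sign, or the MySQL output line still commented or still carrying the stock sample credentials). This is an added example, not part of the tutorial; the sample snort.conf it builds is a constructed four-line stand-in for the real file, and it assumes the credentials contain no characters that sed treats specially.

```shell
#!/bin/sh
# Added example, not from the tutorial: apply the snort.conf edits described
# above with sed and then check for the mistakes that make Snort fail to start.

# tune_snort_conf CONF HOME_NET RULE_PATH DB_USER DB_PASS DB_NAME
# Rewrites CONF in place (work on a backup copy of /etc/snort/snort.conf):
#  - HOME_NET becomes the given address, EXTERNAL_NET everything else (!$HOME_NET)
#  - RULE_PATH points at the installed rules
#  - the commented MySQL output line is enabled and given the credentials
# Assumes the credentials contain no '|' or '&', which sed would interpret.
tune_snort_conf() {
    conf=$1; home_net=$2; rule_path=$3; db_user=$4; db_pass=$5; db_name=$6
    sed \
        -e "s|^var HOME_NET any$|var HOME_NET $home_net|" \
        -e "s|^var EXTERNAL_NET any$|var EXTERNAL_NET !\$HOME_NET|" \
        -e "s|^var RULE_PATH \.\./rules$|var RULE_PATH $rule_path|" \
        -e "s|^# \(output database: log, mysql, .*\)$|\1|" \
        -e "s|^output database: log, mysql, user=[^ ]* password=[^ ]* dbname=[^ ]*|output database: log, mysql, user=$db_user password=$db_pass dbname=$db_name|" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# check_snort_conf CONF: returns 1 with a message for the common slips
check_snort_conf() {
    conf=$1
    if grep -q '^var EXTERNAL_NET !HOME_NET$' "$conf"; then
        echo "EXTERNAL_NET negates the word HOME_NET, not \$HOME_NET (missing \$)" >&2
        return 1
    fi
    if grep -q '^var HOME_NET any$' "$conf"; then
        echo "HOME_NET is still 'any': rules cannot tell your hosts from the outside" >&2
        return 1
    fi
    if ! grep -q '^output database: log, mysql,' "$conf"; then
        echo "MySQL output is not enabled; BASE will have nothing to show" >&2
        return 1
    fi
    if grep -q '^output database: log, mysql, user=root password=test dbname=db' "$conf"; then
        echo "MySQL output still carries the stock sample credentials" >&2
        return 1
    fi
    return 0
}

# make_sample_conf FILE: a constructed four-line stand-in for the stock snort.conf
make_sample_conf() {
    cat > "$1" <<'EOF'
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
# output database: log, mysql, user=root password=test dbname=db host=localhost
EOF
}
```

Typical use on the real file: `cp /etc/snort/snort.conf /etc/snort/snort.conf.orig`, then `tune_snort_conf /etc/snort/snort.conf 192.168.0.5/32 /etc/snort/rules snort <password> snort` followed by `check_snort_conf /etc/snort/snort.conf` before the `snort -c` test.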

Setting up the MySQL Database for Snort.

There are many ways to create the snort database.
The table layout can be found in the file create_mysql in the /root/snorttemp/snort-2.6.0/schemas directory.
Whichever way you create the database, make sure the 'user', 'password' and 'dbname' are the same as the ones you set in the /etc/snort/snort.conf file!

After creating it, you can test Snort and see whether you get any errors with:

snort -c /etc/snort/snort.conf

Exit the test with Ctrl+C.

If you get no errors, Snort is set up correctly.
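One way to keep the database credentials and snort.conf in step, added as an example that is not part of the tutorial: read user, password and dbname back from the active MySQL output line and generate the SQL for the database and a dedicated account that can reach only that database, rather than letting Snort and BASE log in as root. It assumes MySQL 5.0 or later (CREATE USER); the conf lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the tutorial: read the credentials Snort was given
# in snort.conf and print the SQL that creates the matching database and a
# dedicated, restricted MySQL account for it, so the two cannot drift apart.
# Assumes MySQL 5.0 or later (CREATE USER).

# db_field CONF NAME: value of NAME=... on the active (uncommented) MySQL output line
db_field() {
    awk -v f="$2" '
        /^output database: *log, *mysql,/ {
            for (i = 1; i <= NF; i++)
                if (index($i, f "=") == 1) { print substr($i, length(f) + 2); exit }
        }' "$1"
}

# snort_db_sql CONF: SQL for the database and account named in CONF.
# Snort's output plugin needs only SELECT, INSERT and UPDATE; DELETE and
# CREATE are added because BASE, which the tutorial points at the same
# database, deletes alerts and creates its own tables. Nothing is granted
# outside that one database, and no GRANT OPTION.
snort_db_sql() {
    conf=$1
    user=$(db_field "$conf" user)
    pass=$(db_field "$conf" password)
    db=$(db_field "$conf" dbname)
    host=$(db_field "$conf" host)
    host=${host:-localhost}
    if [ -z "$user" ] || [ -z "$pass" ] || [ -z "$db" ]; then
        echo "no active 'output database: log, mysql, ...' line in $conf" >&2
        return 1
    fi
    printf "CREATE DATABASE IF NOT EXISTS %s;\n" "$db"
    printf "CREATE USER '%s'@'%s' IDENTIFIED BY '%s';\n" "$user" "$host" "$pass"
    printf "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON %s.* TO '%s'@'%s';\n" "$db" "$user" "$host"
    printf "FLUSH PRIVILEGES;\n"
}
```

Feed the output to the server as the administrative user, `snort_db_sql /etc/snort/snort.conf | mysql -u root -p`, then load the table layout from the schemas directory into the database named in snort.conf (`mysql -u root -p snort < /root/snorttemp/snort-2.6.0/schemas/create_mysql` when dbname is snort).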

Moving ADOdb and BASE

Moving ADOdb:
cd back to the download directory:

cd /root/snorttemp/

and move adodb to the root of the www directory:

mv adodb /var/www

Next: BASE (Basic Analysis and Security Engine)
Still in the download directory, we move the base directory into the first website directory that you created with ISPConfig:

mv base-1.2.5 /var/www/www.example.com/web

and cd into /var/www/www.example.com/web:

cd /var/www/www.example.com/web

To enable BASE to write its setup file we need to chmod the base-1.2.5 folder to 757:

chmod 757 base-1.2.5

Note that 757 makes the directory world-writable; BASE only needs that while its web setup writes the configuration, so tighten the permissions again once the setup is done.

Comments

From: Anonymous at: 2006-07-21 15:13:09

After editing the "user", "password" and "dbname" (on page 3), it's time to make a new SQL database.

Log in to your SQL server

mysql -u root -p
(Enter password)

mysql> create database snort;
mysql> exit

Now that you have a SQL database ready, we can use the SNORT schemas for the proper layout.

mysql -D snort -u root -p < /root/snorttemp/snort-2.6.0/schemas/create_mysql
(Enter password)

Finally we are ready to test snort.

snort -c /etc/snort/snort.conf

EXAMPLE: 

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.6.0 (Build 59)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2006 Sourcefire Inc., et al.
 
Enjoy!

From: Anonymous at: 2013-05-13 18:27:47

What if you get an error that says parsing rules file "/etc/snort/snort.conf"

error: /etc/snort/snort.conf(1) Invalid configuration line :FdF#..................................................

From: Anonymous at: 2006-08-10 16:56:58

If you get:
configure: error: C++ preprocessor "/lib/cpp" fails sanity check
when running:

./configure --enable-dynamicplugin --with-mysql

You may need to install the gcc c++ compiler.

Just run:

apt-get install g++

...and when it's finished, rerun the configure command, and you should be sorted out.

From: at: 2007-04-26 03:53:09

If you run the snort test:

snort -c /etc/snort/snort.conf

and get an error like this:

ERROR: ERROR /etc/snort/rules/web-misc.rules Line 452 => unable to parse pcre regex "fn=Eye\d{4}_\d{2}.log/Rmsi"
Fatal Error, Quitting..

Solution:

You must edit the file /etc/snort/rules/web-misc.rules with your favorite text editor, on line 452, and:

change the line:
pcre:"fn=Eye\d{4}_\d{2}.log/Rmsi"

to:
pcre:"/fn=Eye\d{4}_\d{2}.log/Rmsi"

Just add a '/' at the front of the line.

From: HomeSen at: 2009-08-03 09:22:57

Hi @ all,

I ran into some issues with my snort install on Debian 5r2. And I thought it might be helpful to post the solutions I found:

1. While running ./configure... I got mysql.h not found

You need to install the package libmysqlclient-dev

2. Loading dynamic detection library /usr/local/lib/snort_dynamicrules/bad-traffic.so... ERROR: Failed to load /usr/local/lib/snort_dynamicrules/bad-traffic.so: /usr/local/lib/snort_dynamicrules/bad-traffic.so: cannot open shared object file: No such file or directory
Fatal Error, Quitting..

This one can be fixed by copying all files from <snort_src_folder>/so_rules/precompiled/Debian-Lenny/i386/2.8.4/ to /usr/local/lib/snort_dynamicrules/

3. When trying to start snort, I also got the following: ERROR: ERROR /etc/snort/rules/exploit.rules(23): Couldn't resolve hostname HOME_NET
Fatal Error, Quitting..

That was a tricky one, since it wasn't easy to localize the root of the evil. In snort.conf you have to change the line:

var EXTERNAL_NET !HOME_NET

to

var EXTERNAL_NET !$HOME_NET

because the dollar sign is missing there.

Hope this helps a few who were as unlucky as I was ;-)

From: Anonymous at: 2009-05-19 18:29:29

thanks.....this tutorial helped me out a lot.

From: Anonymous at: 2006-07-10 21:30:13

Nice, easy to follow tutorial. Keep up the good work!

It's been a while that I've been meaning to get back to using snort. I think I'll give a try sometime this week. Never used BASE, I'll probably try it out this Wednesday.

Good Stuff.

--Jon Z http://jzencovich.blogspot.com/

From: Anonymous at: 2006-08-06 00:56:50

Not bad actually, but the project still hasn't grown up; if you use commercial variants you know this is nowhere near comparable to them...

From: kav5 at: 2006-09-08 19:51:18

Looks good but it is not complete. It would be very nice to add the SnortSam installation to the tutorial, because it implements an IPS (to block attackers automatically).

From: Anonymous at: 2009-04-15 19:05:35

If you get these:

Warning: include_once(Mail.php) [function.include-once]: failed to open stream: No such file or directory in /var/www/web/base-php4/includes/base_action.inc.php on line 29

...

Try issuing these commands and see if it helps:

pear install Mail
pear install Mail_Mime

From: pevma at: 2010-02-26 11:16:57

Also folks,

to get the graphics working by country and world maps:

There are 2 files:

1. world_map6.png

2. world_map6.txt

Do a search:

find / -iregex ".*world_map6.png"

You will find the file... then copy it to where your "PEAR directory" is.

You will find your "PEAR directory" after you execute:

pear config-show

Then copy the 2 files into the "PEAR directory" under /Image/Graph/Images/Maps/

so the FULL path should look something like this:

/usr/share/php/Image/Graph/Images/Maps/

That solves one of the problems... then you get an error like "... couldn't find... or not defined $GeoIPfree_file_ascii and $ip2cc"... something of the sort... for this purpose, in your cmd execute:

perl -MCPAN -e 'install  Geography::Countries'

then

perl -MCPAN -e 'install  IP::Country'

ok... almost there

then find your base_conf.php - it should be somewhere in your /var/www/ directory or the directories under that

edit the file base_conf.php; towards the end you will find

"$IP2CC..." uncomment that... maybe restart your browser or clear the cache of your browser and you are ready to go!!!

that's it

From: wisedud2u at: 2010-04-05 10:43:49

After you install Geography::Countries, do this:

root@a3s:~#  cd /usr/lib/perl5/site_perl/5.8.8/Geo/

root@a3s:Geo#wget  http://cpansearch.perl.org/src/BRICAS/Geo-IPfree-0.6/misc/ipct2txt.pl

root@a3s:Geo#perl ipct2txt.pl ./ipscountry.dat /path/to/your/htdocs/base/ips-ascii.txt

From: at: 2007-07-23 04:59:25

This guide is a pretty good start but I actually found Patrick Harper's guide to be more in-depth. His guide is available at www.internetsecurityguru.com which I've used to develop a Snort/Centos/BASE install cd that I'm calling EasyIDS.

From: at: 2008-01-14 10:59:27

Thanks a lot for your tutorial. It allowed me to get everything up and running in a very short time.

From: Bob at: 2015-03-11 21:22:52

Doesn't look like the latest version of Snort contains the needed MySQL plugin, so it doesn't look like BASE can be used, as it interfaces with MySQL. Can someone verify this?