SNORT and BASE on a CLEAN "The Perfect Setup - Debian Sarge (3.1)" with ISPconfig and one main website set up!

1) Make a download dir for all needed files:

2) Download the needed files.

Get Snort. The latest version at the time of writing this is snort-2.6.0.
Now un-tar the file:
And let's remove the tar file:

We also need the Snort rules! Go to: http://www.snort.org/pub-bin/downloads.cgi and scroll down till you see the "Sourcefire VRT Certified Rules - The Official Snort Ruleset (unregistered user release)" rules.
Move the snortrules-pr-2.4.tar.gz into the snort-2.6.0 directory and cd into snort-2.6.0.
Un-tar the snortrules-pr-2.4.tar.gz file:
Remove the tar file:

Get PCRE - Perl Compatible Regular Expressions. Go to: http://www.pcre.org/ and select a download link for the pcre-6.3.tar.gz file to download PCRE (at time of writing this it is pcre-6.3.tar.gz).
cd back to the snorttemp directory and download the pcre-6.3.tar.gz file.
Un-tar the file:
Remove the tar:

Get libpcap. Go to: http://www.tcpdump.org/ and select a download link for libpcap (at time of writing this it is libpcap-0.9.4.tar.gz).
cd back to the snorttemp directory and download the libpcap-0.9.4.tar.gz file.
Un-tar the file:
Remove the file:

(That's all the files we need to get Snort to work.)

Get BASE (Basic Analysis and Security Engine). Go to: http://secureideas.sourceforge.net/ and download the latest release (at time of writing BASE 1.2.5 (sarah)).
cd back to the snorttemp directory and download the base-1.2.5.tar.gz file.
Un-tar the file:
Remove the file:

Get ADOdb (ADOdb Database Abstraction Library for PHP (and Python)). Go to: http://adodb.sourceforge.net/ and download the latest release (at time of writing adodb-490-for-php).
cd back to the snorttemp directory and download the adodb490.tgz file.
Un-tar the file:
Remove the file:

Your download dir (/root/snorttemp) should look like this with ls:

3) Let's start installing. You will first need to install libpcap.
Make sure that you are in the directory that you downloaded all the files to. cd into the libpcap directory.

Now we need to install PCRE. Make sure that you are in the directory that you downloaded all the files to. cd into the PCRE directory.

Install Snort: Make sure that you are in the directory that you downloaded all the files to. cd into the snort directory.

Now let's create some needed Snort directories and move the files from the setup directory into the correct directories.

The snort.conf file in /etc/snort needs some work. As we are using MySQL for Snort to log to, we will also need to tell Snort to use it. Scroll down till "output database", and remove the # in front of the line for MySQL. Now also change the "user", "password" and "dbname". Make a note of these as you will need them later! Save the file and close nano.

Setting up the MySQL database for Snort. There are many ways to create the snort database. The table layout can be found in the file create_mysql in the "/root/snorttemp/snort-2.6.0/schemas" directory. Whatever way you create the database, make sure the 'user', 'password' and 'dbname' are the same as the ones you used in the snort.conf file! After creating the database with the needed tables, you can test Snort and see if you get any errors with:

Exit the test with Ctrl+C. If you get no errors, Snort is set up correctly.

Now we need to move ADOdb. cd back to the download dir and move adodb into the root of the www directory.

Next: BASE (Basic Analysis and Security Engine). Still in the download dir, we move the base dir into the first website directory that you created with ISPconfig. cd into /var/www/web1/web/ and chmod the base-1.2.5 folder to 757.

Now open a browser and go to: the first site that you created with ISPconfig /base-1.2.5/setup

If all is okay you should see a Setup dir. Click on Continue.

step 1 of 5: Enter the path to ADOdb (/var/www/adodb) and click on Submit Query.

step 2 of 5: Enter the needed info on the next screen (leave "Use Archive Database" as is) and click on Submit Query.
step 3 of 5: If you want to use authentication for the BASE page you can do so here. Click on Submit Query.

step 4 of 5: Click on "Create BASE AG" to create the database tables, and after "Create BASE AG" has finished, click on "Now continue to step 5..".

To make the graphs work in BASE you will also need to install Image_Color, Image_Canvas and Image_Graph.

That's it for BASE. If you want, you can chmod the base-1.2.5 dir back to 775:

You can also delete the snorttemp directory and all the files in it.

Now let's start Snort and see if BASE will show you the data logged by Snort. You will need to wait some minutes for data to be logged.
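As an added example (not part of the original post, and not from the Snort or BASE projects), the following POSIX shell script performs the snort.conf edit described above on a constructed sample of the file: it uncomments the MySQL "output database" line and substitutes the user, password and dbname, then verifies that exactly one active MySQL output line remains. It also includes a check that the BASE directory is not left world-writable, which is what the chmod 757 step produces until you chmod it back to 775. The file path, user name, password and database name are assumptions for the example.

```shell
#!/bin/sh
# Added example: enable Snort's MySQL logging in snort.conf and verify it.
# Paths and credentials below are placeholders, not values from any real setup.

# Write a constructed sample of the relevant snort.conf region (Snort 2.6 layout).
write_sample_conf() {
  cat > "$1" <<'EOF'
# output database: log, mysql, user=root password=test dbname=db host=localhost
# output database: log, postgresql, user=snort dbname=snort
output alert_fast: alert.ids
EOF
}

# Uncomment the MySQL output line and set user, password and dbname.
# Writes through a temp file so it works with both GNU and BSD sed.
enable_mysql_output() {
  conf="$1"; user="$2"; pass="$3"; db="$4"
  sed -e "s|^# *\(output database: log, mysql,\).*|\1 user=${user} password=${pass} dbname=${db} host=localhost|" \
    "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Print the active (uncommented) MySQL output line, for a post-edit check.
active_mysql_output() {
  grep '^output database: log, mysql,' "$1"
}

# Count entries under a directory that are world-writable (other has +w).
# chmod 757 on the BASE dir makes this non-zero; 775 brings it back to zero.
world_writable_count() {
  find "$1" -perm -002 | wc -l | tr -d ' '
}

# Stand-alone usage on a scratch directory (placeholder credentials).
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  write_sample_conf "$d/snort.conf"
  enable_mysql_output "$d/snort.conf" snortuser snortpassword snortdb
  active_mysql_output "$d/snort.conf"
  mkdir "$d/base-1.2.5" && chmod 757 "$d/base-1.2.5"
  echo "world-writable entries after chmod 757: $(world_writable_count "$d/base-1.2.5")"
  chmod 775 "$d/base-1.2.5"
  echo "world-writable entries after chmod 775: $(world_writable_count "$d/base-1.2.5")"
  rm -rf "$d"
fi
```

Run it as `sh script.sh demo` to see the rewritten line and the permission counts. The sed pattern only touches the line that begins with a commented `output database: log, mysql,`, so the PostgreSQL line stays commented and no second MySQL output line is created.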
For MySQL:

Code:
cd /root/snorttemp/schemas
mysql -u MASTERUSER -pMASTERPASSWORD
mysql> create database snortdb;
mysql> use snortdb;
mysql> source create_mysql;
mysql> grant all on snortdb.* to snortuser@localhost identified by 'snortpassword';
mysql> quit;

That will use the installed sql file to populate the default 'snortdb' database and add the proper permissions for the 'snortuser' of your choice with the 'snortpassword' of your choice. FYI.
Hello, thank you for the tutorial, I do have a few questions though. I was able to install snort, and all the components you mentioned, into SUSE 10. I do not use ispconfig and my document root path is "/usr/local/apache2/htdocs". I have moved base-1.2.5 into htdocs, however I'm not sure where to move "adodb" to. Could you please advise where would be the equivalent to "/var/www" as per your tut. (sorry, but I'm working on my newbness) Also, should base-1.2.5 and adodb be chmod to my apache user and group? Thank you for any help!! I'll have a couple more questions regarding base, but I'd rather wait till I can get these first couple solved for sure. Thanks again. Btw, I'm not trying to hijack anyone's post, just thought it would be a good place to start, considering a topic is already started. If ya like I can start a new one, just let me know.