Intrusion Detection: Snort, Base, MySQL, and Apache2 On Ubuntu 7.10 (Gutsy Gibbon)

Posted on January 16, 2008 by Linewbie.com. Posted in applications/software, guides, how to, howtoforge, security.

This tutorial is based on another howto written by DevilMan; however, I didn't like the idea of manually compiling every package or of using a GUI to get the software installed. This howto will work on a Gutsy server or Gutsy desktop. With that said, some of this howto is a direct copy from the original.

In this tutorial I will describe how to install and configure Snort (an intrusion detection system (IDS)) from source, BASE (Basic Analysis and Security Engine), MySQL, and Apache2 on Ubuntu 7.10 (Gutsy Gibbon). Snort will assist you in monitoring your network and alert you about possible threats. Snort will output its log files to a MySQL database which BASE will use to display a graphical interface in a web browser.

1. Gain root privileges

It is easiest to do this install as root user.

sudo su -

2. Install some packages

The following will install all the required packages to make this setup work:

apt-get install libpcap0.8-dev libmysqlclient15-dev mysql-client-5.0 mysql-server-5.0 bison flex apache2 libapache2-mod-php5 php5-gd php5-mysql libphp-adodb php-pear libc6-dev g++ gcc pcregrep

3. Get and compile snort

The Snort package in the Gutsy repositories is out of date, so I preferred to download the most current version and install that. This is the only thing we will compile from scratch.

The latest version of Snort at the time of writing is 2.8.0.1.

First let’s go to a working directory:

cd /usr/src/

Open a web browser and navigate to http://www.snort.org/dl, right-click on the most recent release and copy the link location.

a. Download snort and snort rules

wget http://www.snort.org/dl/current/snort-2.8.0.1.tar.gz

There are a couple of options for rules. The following will download the public rules; however, with a quick registration at the Snort site you can get more current rules. Your choice, but the next command is run the same way with the appropriate URL:

wget http://snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz

b. Unpack and get them ready for compile

tar zxvf snort-2.8.0.1.tar.gz
cd snort-2.8.0.1
tar zxvf ../snortrules-pr-2.4.tar.gz

c. Now compile them

./configure --enable-dynamicplugin --with-mysql
make
make install

Keep this directory handy, as you can simply run

make uninstall

to uninstall Snort later if you choose.

d. Move things into position

We now need to move the rules and the config for Snort into position:

mkdir /etc/snort /etc/snort/rules /var/log/snort
cd /usr/src/snort-2.8.0.1/etc
cp * /etc/snort/
cd ../rules
cp * /etc/snort/rules

4. Configure Snort

We need to modify the snort.conf file to suit our needs.

Open /etc/snort/snort.conf with your favorite text editor (nano, vi, vim, etc.).

# vi /etc/snort/snort.conf

Change "var HOME_NET any" to "var HOME_NET 192.168.1.0/24" (your home network may differ from 192.168.1.0/24).
Change "var EXTERNAL_NET any" to "var EXTERNAL_NET !$HOME_NET" (this states that everything except HOME_NET is external).
Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules".

Scroll down to the section with "# output database: log, mysql, user=" and remove the "#" from in front of this line.
Change "user=root" to "user=snort", change "password=password" to "password=snort_password", and set "dbname=snort".
Make note of the username, password, and dbname. You will need this information when we set up the MySQL database.
Save and quit.
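The same step-4 edits can be applied non-interactively, which is handy when you build more than one sensor. This is an added example and not part of the original howto: it assumes the stock snort-2.8.0.1 snort.conf lines quoted above, writes a constructed cut-down copy of them to a file, rewrites them with sed, and then verifies the result so a typo like RULE_PATE cannot slip through.

```shell
#!/bin/sh
# Added example (not from the original howto). Rewrites the four snort.conf
# lines from step 4 and verifies them. Assumes the stock snort.conf wording.

# Write a constructed, cut-down snort.conf containing only the lines step 4 edits.
write_sample_conf() {
    cat > "$1" <<'EOF'
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
# output database: log, mysql, user=root password=password dbname=db host=localhost
EOF
}

# $1 = path to snort.conf, $2 = HOME_NET in CIDR form,
# $3 = DB user, $4 = DB password, $5 = DB name.
# The password must not contain '|' or '&' (sed replacement metacharacters).
configure_snort_conf() {
    conf=$1; home_net=$2; db_user=$3; db_pass=$4; db_name=$5
    sed \
        -e "s|^var HOME_NET any$|var HOME_NET $home_net|" \
        -e 's|^var EXTERNAL_NET any$|var EXTERNAL_NET !$HOME_NET|' \
        -e 's|^var RULE_PATH \.\./rules$|var RULE_PATH /etc/snort/rules|' \
        -e "s|^# output database: log, mysql, user=.*|output database: log, mysql, user=$db_user password=$db_pass dbname=$db_name host=localhost|" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Returns 0 only when every edited line is exactly as step 4 requires and the
# original "any" HOME_NET line is gone. $1 = snort.conf, $2 = expected HOME_NET.
verify_snort_conf() {
    conf=$1; home_net=$2
    grep -qxF "var HOME_NET $home_net" "$conf" &&
    grep -qxF 'var EXTERNAL_NET !$HOME_NET' "$conf" &&
    grep -qxF 'var RULE_PATH /etc/snort/rules' "$conf" &&
    grep -q '^output database: log, mysql, user=snort password=' "$conf" &&
    ! grep -q '^var HOME_NET any' "$conf"
}
```

On a real system, point configure_snort_conf at /etc/snort/snort.conf after backing it up, and run verify_snort_conf before starting Snort.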

5. Set up the MySQL database

Log into the MySQL server:

# mysql -u root -p

Create the snort database. Make sure you change 'snort_password' to something else!

mysql> create database snort;
mysql> grant all privileges on snort.* to 'snort'@'localhost' identified by 'snort_password';
mysql> exit

We will use the snort schema for the layout of the database.

# mysql -D snort -u snort -p < /usr/src/snort-2.8.0.1/schemas/create_mysql

NOTE: Use your snort DB user password when prompted.

6. Time to test Snort

In the terminal type:

# snort -c /etc/snort/snort.conf

If everything went well you should see an ASCII pig.

To end the test hit ctrl + c.

NOTE: If you get errors you may want to try commenting out lines 97, 98 and 452 of /etc/snort/rules/web-misc.rules. This was an issue in the past but doesn't seem to be anymore.

7. Get and install BASE

Open a web browser and go to http://sourceforge.net/project/showfiles.php?group_id=103348.

Click on download, then right-click on the newest tar.gz package and select copy link (at the time of writing this is base-1.3.9).

In the terminal type:

cd
wget http://easynews.dl.sourceforge.net/sourceforge/secureideas/base-1.3.9.tar.gz

Now go to your web document root (by default this is /var/www), unpack the tarball and set the permissions needed to configure BASE (the chmod uses a relative path, so run it from /var/www):

cd /var/www/
tar zxvf ~/base-1.3.9.tar.gz
chmod 757 base-1.3.9

We also want to make sure that a couple of PEAR modules are installed:

pear install Image_Color
pear install Image_Canvas-alpha
pear install Image_Graph-alpha

8. Set up BASE

Open a web browser and navigate to http://YOUR.IP.ADDRESS/base-1.3.9/setup.

Click continue on the first page.

  • Step 1 of 5: Enter the path to ADODB.
    This is /usr/share/php/adodb.
  • Step 2 of 5:
    Database type = MySQL, Database name = snort, Database Host = localhost, Database username = snort, Database Password = snort_password
  • Step 3 of 5: If you want to use authentication enter a username and password here and check the box.
  • Step 4 of 5: Click on Create BASE AG.
  • Step 5 of 5: Once step 4 is done, click on "Now continue to step 5" at the bottom.

Bookmark this page.

Change the permissions back on the /var/www/base-1.3.9 folder.

# chmod 755 /var/www/base-1.3.9

We are done. Congrats!!!

To start Snort, in the terminal type (make sure you change eth0 to the right interface for your machine):

# snort -c /etc/snort/snort.conf -i eth0 -D

This starts Snort on the eth0 interface in daemon mode.

To make sure it is running you can check with the following command:

# ps aux | grep snort

If it's running you will see an entry similar to "snort -c /etc/snort/snort.conf -i eth0 -D".

If you would like to learn how to write your own Snort rules there is a guide at http://www.snort.org/docs/snort_manual/node16.html.
Good luck.
