Installing Snort with BASE support, MySQL and ADODB
June 8th, 2010 — 9:35pm
Requirements
* GNU C Compiler
debian:~# apt-get install build-essential
* Support modules
debian:~# apt-get install libpcap0.8-dev libpcre3-dev
debian:~# apt-get install snort-mysql (only needed for the create_mysql schema script it ships under /usr/share/doc/snort-mysql/)
debian:~# apt-get install checkinstall
* PHP, Web Server and Database Server
- PHP
- Apache2
- MySQL
* PHP Pear
debian:~# apt-get install php-pear
debian:~# pear install --force Image_Color
debian:~# pear install --force Image_Canvas
debian:~# pear install --force Image_Graph
Package
debian:~# wget http://dl.snort.org/snort-current/snort-2.8.6.tar.gz
debian:~# wget -O base-1.4.5.tar.gz 'http://downloads.sourceforge.net/project/secureideas/BASE/base-1.4.5/base-1.4.5.tar.gz?use_mirror=waix'
debian:~# wget -O adodb511.tgz 'http://downloads.sourceforge.net/project/adodb/adodb-php5-only/adodb-511-for-php5/adodb511.tgz?use_mirror=waix'
debian:~# tar -zxvf snort-2.8.6.tar.gz
debian:~# tar -zxvf base-1.4.5.tar.gz
debian:~# tar -zxvf adodb511.tgz
Snort Installation
debian:~# cd snort-2.8.6
debian:~/snort-2.8.6# mkdir /etc/snort
debian:~/snort-2.8.6# mkdir /etc/snort/rules
debian:~/snort-2.8.6# mkdir /var/log/snort
debian:~/snort-2.8.6# chmod 777 /var/log/snort
debian:~/snort-2.8.6# useradd snort -d /var/log/snort -s /bin/false -c SNORT_IDS
debian:~/snort-2.8.6# chown -R snort /var/log/snort
debian:~/snort-2.8.6# cp etc/classification.config /etc/snort/
debian:~/snort-2.8.6# cp etc/reference.config /etc/snort/
debian:~/snort-2.8.6# cp -r etc/* /etc/snort/
debian:~/snort-2.8.6# ./configure --with-mysql=/usr/local/mysql
debian:~/snort-2.8.6# make && make install
debian:~/snort-2.8.6# checkinstall
Snort Configuration
debian:~/snort-2.8.6# nano /etc/snort/snort.conf
output database: log, mysql, user=snortuser password=snortpassword dbname=snort host=localhost
Database setup
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 427
Server version: 5.1.47 Source distribution

mysql> create database snort;
mysql> grant all on snort.* to snortuser@localhost identified by 'snortpassword';
mysql> flush privileges;
mysql> exit
Bye
debian:~# gzip -d /usr/share/doc/snort-mysql/create_mysql.gz
debian:~# /usr/local/mysql/bin/mysql -u root -p snort < /usr/share/doc/snort-mysql/create_mysql
BASE Installation and Configuration
debian:~# mv base-1.4.5/ /usr/local/apache2/htdocs/base
debian:~# mv adodb5/ /usr/local/apache2/htdocs/base/
debian:~# chmod 777 /usr/local/apache2/htdocs/base/*
debian:~# chmod 777 /usr/local/apache2/htdocs/base/adodb5/*
debian:~# cd /usr/local/apache2/htdocs/base/
debian:/usr/local/apache2/htdocs/base# cp base_conf.php.dist base_conf.php
debian:/usr/local/apache2/htdocs/base# nano base_conf.php
##Change the following lines##
---------------------------------
$DBlib_path="./adodb5";
$DBtype = 'mysql';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snortuser';
$alert_password = 'snortpassword';
---------------------------------
debian:/usr/local/apache2/htdocs/base# /usr/local/mysql/bin/mysql -u snortuser -p -D snort < sql/create_base_tbls_mysql.sql
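The `output database:` line in snort.conf and the `$alert_*` settings in base_conf.php have to name the same database, host, user and password, or Snort logs alerts into one database while BASE reads another. The check below is an added example, not part of the original post: it parses both fragments (the sample file contents are constructed) and lists the fields that differ.

```python
"""Cross-check Snort's database output line against BASE's base_conf.php."""
import re

# Constructed sample of snort.conf: a commented-out line and the active one.
SNORT_CONF = """\
# output database: log, mysql, user=snort password=test dbname=snort host=localhost
output database: log, mysql, user=snortuser password=snortpassword dbname=snortdb host=localhost
"""

# Constructed excerpt of base_conf.php with the values a reader might have typed.
BASE_CONF = """\
$DBlib_path="./adodb5";
$DBtype = 'mysql';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snortusername';
$alert_password = 'snortpassword';
"""

KEYS = ("dbname", "host", "user", "password")

def parse_snort_output(conf_text):
    """Return {dbname, host, user, password} from the first active
    'output database:' line; commented-out lines are skipped."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("output database:"):
            return dict(re.findall(r"(user|password|dbname|host)=(\S+)", line))
    return {}

def parse_base_conf(php_text):
    """Return the single-quoted $alert_* settings as {dbname, host, user, password}."""
    pairs = re.findall(r"\$alert_(dbname|host|user|password)\s*=\s*'([^']*)'", php_text)
    return dict(pairs)

def mismatches(snort, base):
    """Keys that are missing on the Snort side or differ between the two files."""
    return sorted(k for k in KEYS if snort.get(k) is None or snort.get(k) != base.get(k))

if __name__ == "__main__":
    s, b = parse_snort_output(SNORT_CONF), parse_base_conf(BASE_CONF)
    for key in mismatches(s, b):
        print(f"mismatch on {key}: snort.conf={s.get(key)!r} base_conf.php={b.get(key)!r}")
```

Point the two constants at the real files (for example with `open(...).read()`) to run the same check against a live installation.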
Run Snort and BASE
debian:~# /usr/local/bin/snort -u snort -c /etc/snort/snort.conf
debian:~# /usr/local/apache2/bin/apachectl restart
Open your web browser at http://your_ip/base (or use your domain name in place of the IP address).
Debugging with gdb
debian:~# apt-get install gdb
debian:~# gdb snort
(gdb) r -u snort -c /etc/snort/snort.conf