How to install Snort + BASE, an intrusion detection system, for Debian/Ubuntu

This tutorial will describe how to install and configure Snort (an intrusion detection system) from source, BASE (Basic Analysis and Security Engine) using MySQL, and Apache2 on Ubuntu 7.10 (Gutsy Gibbon). Snort will assist you in monitoring your network and alert you about possible threats. Snort will write its alerts to a MySQL database, which BASE reads to display a graphical interface in a web browser.

This tutorial is mainly a copy of http://www.howtoforge.com/intrusion-detection-with-snort-mysql-apache2-o... for my own reference and for the case the page goes offline.

1. Gain root privileges

su

enter the root password

2. Install all the required packages

apt-get install libpcap0.8-dev libmysqlclient15-dev mysql-client-5.0 mysql-server-5.0 bison flex apache2 libapache2-mod-php5 php5-gd php5-mysql libphp-adodb php-pear libc6-dev g++ gcc pcregrep libpcre3-dev

3. Get and compile snort

The Snort packages in the repositories are out of date, so we are going to download the latest release and install that.

The latest version of Snort at the time of writing is 2.8.0.1.

First let's go to a working directory:

cd /usr/src/

Open a web browser and navigate to http://www.snort.org/dl, right click on the most recent release and copy the link location.

a. Download snort and snort rules

wget http://www.snort.org/dl/current/snort-2.8.0.1.tar.gz

There are a couple of options for rules. The following downloads the public rules; with a quick registration at the Snort site you can get more current rules. Either way, the next command is run the same way, just with the appropriate URL:

wget http://snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz

b. Unpack and get them ready for compile

tar zxvf snort-2.8.0.1.tar.gz
cd snort-2.8.0.1
tar zxvf ../snortrules-pr-2.4.tar.gz

c. Now compile them

./configure --enable-dynamicplugin --with-mysql
make
make install

Keep this directory handy, as you can simply run

make uninstall

from it to uninstall Snort later if you choose.

d. Move things into position

We now need to move the rules and config for Snort into position.

mkdir /etc/snort /etc/snort/rules /var/log/snort
cd /usr/src/snort-2.8.0.1/etc
cp * /etc/snort/
cd ../rules
cp * /etc/snort/rules

4. Configure Snort

We need to modify the snort.conf file to suit our needs.

Open /etc/snort/snort.conf with your favorite text editor (nano, vi, vim, etc.).

nano /etc/snort/snort.conf

Change "var HOME_NET any" to "var HOME_NET 192.168.1.0/24" (your home network may differ from 192.168.1.0/24)
Change "var EXTERNAL_NET any" to "var EXTERNAL_NET !$HOME_NET" (this states that everything except HOME_NET is external)
Change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules"

Scroll down to the section with "# output database: log, mysql, user=" and remove the "#" from in front of this line.
On that line change "user=root" to "user=snort", change "password=password" to "password=snort_password", and make sure it reads "dbname=snort".
Make note of the username, password, and dbname. You will need this information when we set up the MySQL database.
Save and quit.

Change permissions on the conf file to keep things secure:

chmod 600 /etc/snort/snort.conf
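The edits from step 4 as a script, added here as an example (it is not part of the original tutorial). It applies the changes with GNU sed, locks the file down because it now holds the database password, and checks that no default was left behind; the snort.conf fragment it writes is constructed for the demonstration, so it runs against a temp file rather than /etc/snort.

```shell
#!/bin/sh
# Constructed fragment standing in for the stock snort.conf; not the real file.
make_sample_conf() {
  cat > "$1" <<'EOF'
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH ../rules
# output database: log, mysql, user=root password=password dbname=snort host=localhost
# output database: alert, postgresql, user=snort dbname=snort
output alert_fast: alert
EOF
}

# Apply the step 4 edits in place (GNU sed -i) and lock the file down,
# since it now carries the database password in clear text.
# Usage: configure_snort_conf FILE HOME_NET DB_USER DB_PASSWORD DB_NAME
configure_snort_conf() {
  conf=$1; home_net=$2; db_user=$3; db_pass=$4; db_name=$5
  # '|' is the sed delimiter, so the CIDR's '/' needs no escaping;
  # keep '|', '&' and '\' out of the password or escape them.
  sed -i \
    -e "s|^var HOME_NET any\$|var HOME_NET $home_net|" \
    -e 's|^var EXTERNAL_NET any$|var EXTERNAL_NET !$HOME_NET|' \
    -e 's|^var RULE_PATH \.\./rules$|var RULE_PATH /etc/snort/rules|' \
    -e "s|^# *output database: log, mysql,.*|output database: log, mysql, user=$db_user password=$db_pass dbname=$db_name host=localhost|" \
    "$conf"
  chmod 600 "$conf"
}

# Return 0 only when every setting the tutorial asks for is present,
# no default is left behind and the file is readable by its owner only.
check_snort_conf() {
  conf=$1
  ! grep -q '^var HOME_NET any$' "$conf" &&
  grep -q '^var HOME_NET [0-9]' "$conf" &&
  grep -q '^var EXTERNAL_NET !\$HOME_NET$' "$conf" &&
  grep -q '^var RULE_PATH /etc/snort/rules$' "$conf" &&
  grep -q '^output database: log, mysql, user=' "$conf" &&
  ! grep -q 'password=password' "$conf" &&
  [ "$(stat -c %a "$conf")" = "600" ]
}

# Demonstration on the constructed fragment (temp file, not /etc/snort/snort.conf).
demo=$(mktemp)
make_sample_conf "$demo"
configure_snort_conf "$demo" 192.168.1.0/24 snort snort_password snort
if check_snort_conf "$demo"; then echo "snort.conf configured: OK"; fi
grep -E '^(var|output)' "$demo"
rm -f "$demo"
```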

5. Set up the MySQL database

Log into the MySQL server as root.

mysql -u root -p

Create the snort database and its user. Make sure you change 'snort_password' to something else, and use the same value you put in snort.conf!

create database snort;
grant all privileges on snort.* to 'snort'@'localhost' identified by 'snort_password';
exit

We will use the snort schema for the layout of the database.

mysql -D snort -u snort -p < /usr/src/snort-2.8.0.1/schemas/create_mysql

NOTE: Use your snort DB user password when prompted.

6. Time to test Snort

snort -c /etc/snort/snort.conf

If everything went well you should see an ASCII pig.

To end the test hit Ctrl+C.

NOTE: If you get errors you may want to try commenting out lines 97,98 and 452 of /etc/snort/rules/web-misc.rules. This was an issue in the past but doesn't seem to be anymore.

7. Get and install BASE

Open a web browser and go to http://sourceforge.net/project/showfiles.php?group_id=103348.

Click on download then right click on the newest tar.gz package and select copy link (at the time of writing this is base-1.3.9).

wget http://easynews.dl.sourceforge.net/sourceforge/secureideas/base-1.3.9.tar.gz

Now go to your web document root (by default this is /var/www), unpack the tarball (the command below assumes you downloaded it to your home directory) and set the permissions needed to configure BASE:

cd /var/www/
tar zxvf ~/base-1.3.9.tar.gz
chmod 757 /var/www/base-1.3.9

We want to make sure that a couple of PEAR modules are installed:

pear install Image_Color
pear install Image_Canvas-alpha
pear install Image_Graph-alpha

8. Set up BASE

Open a web browser and navigate to http://YOUR.IP.ADDRESS/base-1.3.9/setup.

Click continue on the first page.

* Step 1 of 5: Enter the path to ADODB. This is /usr/share/php/adodb.
* Step 2 of 5: Database type = MySQL, Database name = snort, Database Host = localhost, Database username = snort, Database Password = snort_password
* Step 3 of 5: If you want to use authentication, enter a username and password here and check the box.
* Step 4 of 5: Click on Create BASE AG.
* Step 5 of 5: Once step 4 is done, click on "Now continue to step 5" at the bottom.

Bookmark this page.

Change the permissions back on the /var/www/base-1.3.9 folder.

chmod 755 /var/www/base-1.3.9

We are done. Congrats!!!

To start Snort, in the terminal type (make sure you change eth0 to the right interface for your machine):

snort -c /etc/snort/snort.conf -i eth0 -D

This starts Snort on the eth0 interface in daemon mode. You can add this to your /etc/rc.local file so that it starts after a reboot.

To make sure it is running you can check with the following command:

ps aux | grep snort

If it's running you will see an entry similar to snort -c /etc/snort/snort.conf -i eth0 -D.

That's all folks

Comments

I can't connect my MySQL with Snort.... Please help me out with this..

Can you give more details about your problem?

swetharaghav@Raghavendra-PC:~$ sudo apt-get install libpcap0.8-dev libmysqlclient15-dev mysql-client-5.0 mysql-server-5.0 bison flex apache2 libapache2-mod-php5 php5-gd php5-mysql libphp-adodb php-pear libc6-dev g++ gcc pcregrep libpcre3-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package libpcap0.8-dev
swetharaghav@Raghavendra-PC:~$

Can you please tell me what the error is???? :(

You probably need to enable the Universe repository, which can be easily done with Synaptic.

Please help me out....

I enabled the universal repository and I got the below results....

swetharaghav@Raghavendra-PC:~$ sudo apt-get install libpcap0.8-dev libmysqlclient15-dev mysql-client-5.0 mysql-server-5.0 bison flex apache2 libapache2-mod-php5 php5-gd php5-mysql libphp-adodb php-pear libc6-dev g++ gcc pcregrep libpcre3-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
gcc is already the newest version.
You might want to run `apt-get -f install' to correct these:
The following packages have unmet dependencies:
apache2: Depends: apache2-mpm-worker (>= 2.2.3-3.2ubuntu2.1) but it is not going to be installed or
apache2-mpm-prefork (>= 2.2.3-3.2ubuntu2.1) but it is not going to be installed or
apache2-mpm-event (>= 2.2.3-3.2ubuntu2.1) but it is not going to be installed
bison: Depends: m4 but it is not going to be installed
flex: Depends: m4 but it is not going to be installed
g++-4.1: Depends: gcc-4.1-base (= 4.1.2-16ubuntu2) but 4.1.2-0ubuntu4 is to be installed
Depends: gcc-4.1 (= 4.1.2-16ubuntu2) but 4.1.2-0ubuntu4 is to be installed
Depends: libstdc++6-4.1-dev (= 4.1.2-16ubuntu2) but it is not going to be installed
Depends: libc6 (>= 2.6-1) but 2.5-0ubuntu14 is to be installed
libapache2-mod-php5: Depends: libpcre3 (>= 4.5) but it is not going to be installed
Depends: apache2-mpm-prefork (> 2.0.52) but it is not going to be installed or
apache2-mpm-itk but it is not going to be installed
Depends: apache2.2-common but it is not going to be installed
Depends: php5-common (= 5.2.1-0ubuntu1.6) but it is not going to be installed
libc6-dev: Depends: linux-libc-dev but it is not going to be installed
libmysqlclient15-dev: Depends: libmysqlclient15off (>= 5.0.38-0ubuntu1.4) but it is not going to be installed
Depends: zlib1g-dev but it is not going to be installed
libpcre3-dev: Depends: libpcre3 (= 7.4-0ubuntu0.7.04.3) but it is not going to be installed
Depends: libpcrecpp0 (= 7.4-0ubuntu0.7.04.3) but it is not going to be installed
libphp-adodb: Depends: php5 but it is not going to be installed or
php5-cli but it is not going to be installed or
php4 but it is not installable or
php4-cli but it is not installable
mysql-client-5.0: Depends: libdbi-perl but it is not going to be installed
Depends: libdbd-mysql-perl (>= 1.2202) but it is not going to be installed
Depends: mysql-common (>= 5.0.38-0ubuntu1.4) but it is not going to be installed
Depends: libmysqlclient15off (>= 5.0.38-0ubuntu1.4) but it is not going to be installed
Depends: libmysqlclient15off (>= 5.0.27-1) but it is not going to be installed
mysql-server-5.0: Depends: libdbi-perl but it is not going to be installed
Depends: libmysqlclient15off (>= 5.0.27-1) but it is not going to be installed
PreDepends: mysql-common (>= 5.0.38-0ubuntu1.4) but it is not going to be installed
pcregrep: Depends: libpcre3 (>= 4.5) but it is not going to be installed
php-pear: Depends: php5-cli but it is not going to be installed or
php4-cli but it is not installable
Depends: php5-common (>= 5.2.1-0ubuntu1.6) but it is not going to be installed
php5-gd: Depends: libgd2-xpm (>= 2.0.34~rc1) but it is not going to be installed
Depends: libt1-5 (>= 5.0.2) but it is not going to be installed
Depends: php5-common (= 5.2.1-0ubuntu1.6) but it is not going to be installed
php5-mysql: Depends: libmysqlclient15off (>= 5.0.27-1) but it is not going to be installed
Depends: php5-common (= 5.2.1-0ubuntu1.6) but it is not going to be installed
E: Unmet dependencies. Try 'apt-get -f install' with no packages (or specify a solution).
swetharaghav@Raghavendra-PC:~$ sudo apt-get -f install
Reading package lists... Done
Building dependency tree
Reading state information... Done
Correcting dependencies... Done
The following packages will be REMOVED:
g++-4.1
0 upgraded, 0 newly installed, 1 to remove and 217 not upgraded.
1 not fully installed or removed.
Need to get 0B of archives.
After unpacking 5898kB disk space will be freed.
Do you want to continue [Y/n]?

When I tried to install snort...got this error

swetharaghav@Raghavendra-PC:/usr/src$ cd snort-2.8.3.1/
swetharaghav@Raghavendra-PC:/usr/src/snort-2.8.3.1$ ./ configure
bash: ./: is a directory
swetharaghav@Raghavendra-PC:/usr/src/snort-2.8.3.1$ ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... no
checking for mawk... mawk
checking whether make sets $(MAKE)... yes
checking whether to enable maintainer-specific portions of Makefiles... no
checking for style of include used by make... GNU
checking for gcc... gcc
checking for C compiler default output file name...
configure: error: C compiler cannot create executables
See `config.log' for more details.

Thanks!! I could install snort but when I run the command snort -c /etc/snort/snort.conf

I get the below error...any help would be appreciated.

swetharaghav@Raghavendra-PC:/usr/src/snort-2.8.3.1/etc$ snort -c /etc/snort/snort.conf
The program 'snort' can be found in the following packages:
* snort-pgsql
* snort-mysql
* snort
Try: sudo apt-get install
Make sure you have the 'universe' component enabled
bash: snort: command not found
swetharaghav@Raghavendra-PC:/usr/src/snort-2.8.3.1/etc$ sudo snort -c /etc/snort/snort.conf
Password:
sudo: snort: command not found
swetharaghav@Raghavendra-PC:/usr/src/snort-2.8.3.1/etc$

thanks a lot for your goooooooooooooooooooooooood document ;)

Double check the presence of the executable "snort" in the directory /usr/sbin/.
If not present, make a symbolic link from its actual path (locate snort|grep bin and you should see something like /usr/local/bin/snort)
to /usr/sbin (ln -s /usr/local/bin/snort /usr/sbin).

Thanks for the nice page; however, I got 2 errors:
The first, when I start snort with the command "snort -c /etc/snort/snort.conf",
I get the error: "plugbase.c(911) Snort config for parsing is NULL. Fatal Error, Quitting.."

The second, when I set up BASE (I installed 1.4.4): I get no webpage..

can you please help me out?

Thx
regards
