I finally created a new guide for Feisty, which is very similar but if anything easier.
http://ubuntuforums.org/showthread.php?t=483488
This guide will show you how to install the IDS snort, have snort log to a mysql database, and then access the information in that database with Base, which you reach through apache.
Most of the information in this guide I learned from Patrick Harper's Centos guide. I would recommend taking a look at it even if you're installing snort on Ubuntu. http://www.snort.org/docs/setup_guid...t_base_SSL.pdf
First edit /etc/apt/sources.list and uncomment these 2 lines. (My file actually has more uncommented, so I'm not sure which sources you'll actually need. If you run into problems try uncommenting more. You can always change it back when you're done.)
Code:
deb http://us.archive.ubuntu.com/ubuntu breezy-updates main restricted
deb-src http://us.archive.ubuntu.com/ubuntu breezy-updates main restricted

Next update
Code:
sudo apt-get update

Install snort with mysql support
Code:
sudo apt-get install snort-mysql

Ubuntu will bring up a configuration dialog asking for the network snort should watch. I replaced this with any so it will log all traffic. Next it'll ask if you want to set snort to log to a mysql server. For now we'll say no because we haven't set mysql up yet.
Before testing snort I'm going to go ahead and install oinkmaster and get the latest rules. Oinkmaster is a program that you can use to automatically fetch snort rules.
Code:
sudo apt-get install oinkmaster

Now you'll need to edit the oinkmaster config file, which is located at /etc/oinkmaster.conf. I would recommend going to snort.org and registering so you can obtain an oinkcode.
Replace the existing url line with
Code:
url = http://www.snort.org/pub-bin/oinkmaster.cgi/5a08f649c16a278e1012e1c84bdc8fab9a70e2a4/snortrules-snapshot-2.3.tar.gz

Just make sure you replace 5a08f649c16a278e1012e1c84bdc8fab9a70e2a4 with your oinkcode. Pay attention to the version of snort you're using. To find out, type snort -V. My example above is version 2.3.
Now to test oinkmaster
Code:
sudo oinkmaster -o /tmp/
ls /tmp

The -o switch is for the output directory. You should see several .rules files in /tmp now.
If everything works out alright then update your snort rules
Code:
sudo oinkmaster -o /etc/snort/rules/

A good idea is to add oinkmaster to a cron job to update your rules automatically. I'm a bit rusty with crons so I'm gonna leave that out of this howto until I read up on them again.
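The cron-driven update mentioned above can be done with a small wrapper script. The script below is an added example, not part of the original howto and not part of oinkmaster or the snort package; it assumes the paths used in this guide (/etc/snort/rules and /etc/snort/snort.conf) plus a staging directory of its own choosing (/var/tmp/snort-rules-stage). It fetches into the staging directory, copies the .rules files into place while keeping a .bak of each file it overwrites, then runs snort's configuration test (snort -T) and only restarts snort if the test passes, putting the old rules back otherwise.

```shell
#!/bin/sh
# Added example (not from the original howto): cron wrapper for oinkmaster rule updates.
# Assumed paths; override them through the environment if yours differ.
OINKMASTER=${OINKMASTER:-oinkmaster}
STAGE_DIR=${STAGE_DIR:-/var/tmp/snort-rules-stage}   # assumed staging directory
RULES_DIR=${RULES_DIR:-/etc/snort/rules}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}

# Copy every *.rules file from $1 into $2. A file that already exists in $2 is
# saved as <name>.bak first so the update can be undone. Prints the number of
# files installed.
install_rules() {
    src=$1
    dst=$2
    n=0
    mkdir -p "$dst"
    for f in "$src"/*.rules; do
        [ -f "$f" ] || continue          # no .rules files at all: the glob stays literal
        name=$(basename "$f")
        if [ -f "$dst/$name" ]; then
            cp -p "$dst/$name" "$dst/$name.bak"
        fi
        cp "$f" "$dst/$name"
        n=$((n + 1))
    done
    echo "$n"
}

# Undo install_rules: put every <name>.bak back over <name>. Files that had no
# previous version are left alone; snort.conf only includes rule files by name,
# so an extra file it does not reference is harmless.
rollback_rules() {
    dir=$1
    for b in "$dir"/*.rules.bak; do
        [ -f "$b" ] || continue
        mv "$b" "${b%.bak}"
    done
}

# Fetch, install, test the configuration, and restart snort only on success.
update_snort_rules() {
    mkdir -p "$STAGE_DIR"
    "$OINKMASTER" -o "$STAGE_DIR" || return 1
    count=$(install_rules "$STAGE_DIR" "$RULES_DIR")
    if snort -T -c "$SNORT_CONF" >/dev/null 2>&1; then
        /etc/init.d/snort restart
        logger -t snort-rules "installed $count rule files from $STAGE_DIR"
    else
        rollback_rules "$RULES_DIR"
        logger -t snort-rules "new rules failed snort -T, previous rules restored"
        return 1
    fi
}

# Run the update only when invoked with "run", e.g. from root's crontab:
#   0 4 * * * /usr/local/sbin/update-snort-rules.sh run
case "${1:-}" in
    run) update_snort_rules ;;
esac
```

Keeping the fetch in a staging directory means a failed or partial download never touches /etc/snort/rules, and the snort -T test catches a rule file that the running snort version cannot parse before the restart would take the sensor down.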
Now edit the snort config file
Code:
sudo vi /etc/snort/snort.conf

In the beginning there are a couple of variables you should check on. The defaults should work fine. Read over the config file; the comments provide more information about the preprocessors and other snort options.
Code:
var HOME_NET any
var RULE_PATH /etc/snort/rules

At the very end you'll find the rules list. Here you can uncomment additional rule sets depending on what rules you want to monitor.
Now's the time to fire snort up using the snort config file.
Code:
sudo snort -c /etc/snort/snort.conf

By default snort logs alerts to /var/log/snort/alert
To test snort I used another computer and did a scan with nmap.
Code:
sudo nmap -sS Your_IP_Address

If you look through /var/log/snort/alert you should see some port scan activity. Do a search on the file. If it's empty then something is wrong.
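Rather than reading the raw alert file by eye, a few shell functions can summarize it. The block below is an added example, not from the original howto; the alert records in it are constructed samples in snort's full-alert format (the format written to /var/log/snort/alert), and the functions count records, tally them by signature name, and list the source addresses of portscan alerts, which is what the nmap scan from the other box should have produced.

```shell
#!/bin/sh
# Added example (not from the original howto): summarize a snort alert file.
# The records below are constructed samples in snort's full-alert format;
# point the functions at /var/log/snort/alert on a real sensor.
SAMPLE_ALERTS=$(mktemp)
cat > "$SAMPLE_ALERTS" <<'EOF'
[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/12-20:15:01.123456 192.168.1.5 -> 192.168.1.10
ICMP TTL:44 TOS:0x0 ID:1 IpLen:20 DgmLen:28

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
04/12-20:15:02.456789 192.168.1.5 -> 192.168.1.10
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:161

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
04/12-20:15:09.000001 192.168.1.5 -> 192.168.1.10
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:161
EOF

# Every record starts with a "[**] [gid:sid:rev] message [**]" header line,
# so counting those lines counts the alerts. grep -c prints 0 for an empty
# file but exits 1, hence the "|| :" so callers running under set -e survive.
alert_count() {
    grep -c '^\[\*\*\] \[' "$1" || :
}

# Exit status 0 when the file holds at least one alert, 1 when it is empty
# (the "something is wrong" case after a test scan).
check_alerts() {
    [ "$(alert_count "$1")" -gt 0 ]
}

# Tally records by signature message, most frequent first, e.g.
#   2 (portscan) TCP Portscan
#   1 ICMP PING NMAP
summarize_alerts() {
    sed -n 's/^\[\*\*\] \[[0-9:]*\] \(.*\) \[\*\*\]$/\1/p' "$1" \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Source addresses of portscan records, one per line. The header line decides
# whether the record is a portscan; the following "src -> dst" line carries the IPs.
scan_sources() {
    awk '/^\[\*\*\] \[/ { ps = ($0 ~ /\(portscan\)/) }
         ps && / -> /   { print $2 }' "$1" | sort -u
}
```

On a real sensor, run check_alerts /var/log/snort/alert right after the scan; a non-zero exit is the "empty file" failure described above, and summarize_alerts shows at a glance which signatures fired.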
Code:
sudo cat /var/log/snort/alert

Now to install mysql
Code:
sudo apt-get install mysql-server

There's a couple of questions apt asks, and I just used the defaults by pressing enter a couple of times.
Edit the snort config file again so we can change where snort logs its output
Code:
sudo vi /etc/snort/snort.conf

Comment out so it looks like the following. Mine was line 512.
Code:
# output log_tcpdump: tcpdump.log

Uncomment, line 529
Code:
output database: log, mysql, user=root password=test dbname=db host=localhost

For this guide I'm going to use snort as my user, password and database. I would recommend you use something different; just note what it is. If you are logging to another mysql server then change localhost to whatever IP the server is.
Code:
output database: log, mysql, user=snort password=snort dbname=snort host=localhost

I don't know anything about mysql. I followed Patrick's guide word for word. Download snort from snort.org and extract it. Since my version of snort was 2.3.2 that's what I downloaded from snort.org. Then we'll set up a database for snort.
Pay attention to the semicolons ;
Code:
mysql -u root
set password for root@localhost=password('PICK_A_PASSWORD');
create database snort;
grant insert,select on root.* to snort@localhost;
set password for snort@localhost=password('PASSWORD_SNORT_CONF');
grant create,delete,insert,select,update on snort.* to snort@localhost;
grant create,delete,insert,select,update on snort.* to snort;
exit

PASSWORD_SNORT_CONF is the password you put on the output database line in snort.conf. Note that the last grant has no @host part, so mysql applies it to snort@'%', the snort user connecting from any host; if snort and mysql run on the same box, the snort@localhost grant is all you need.
Create the tables
Code:
mysql -u root -p < ~/snort-2.3.2/schemas/create_mysql snort

Check the database
Code:
mysql -u root -p
show databases;
use snort
show tables;
exit

You should be able to fire up snort with no problems.
Code:
sudo snort -c /etc/snort/snort.conf

*I updated this section and found adodb in the repository.
Install apache, our webserver, and php with mysql & adodb support
Code:
sudo apt-get install apache2 php5-mysql libphp-adodb

Download base
http://sourceforge.net/project/showf...ease_id=384975
Move base to /var/www, extract it and delete the archive.
Code:
sudo mv base-1.2.2.tar.gz /var/www
cd /var/www
sudo tar -xvzf base-1.2.2.tar.gz
sudo rm base-1.2.2.tar.gz
sudo mv base-1.2.2 base

Edit the base configuration
Code:
sudo cp base/base_conf.php.dist base/base_conf.php
sudo vi base/base_conf.php

Set the url path and the adodb location:
Code:
$Base_urlpath = "/base";
$Dblib_path = "/usr/share/adodb/";

Change line 85 and so on to match your mysql database, such as the username, password etc.
I was expecting this to work, but for some reason it didn't. I fired up Firefox and went to localhost, and when I clicked the folder base it kept trying to download a file. I tried restarting apache, but the only thing that actually worked was a reboot. Go figure.
If you go to http://localhost/base you should see a link to the setup page. Click it and then click Setup Base AG. Now click home and Base should be up and running.
Now, in order to get the graphs to work
Code:
sudo apt-get install php5-gd php-pear
sudo pear install Image_Color
sudo pear install Image_Canvas-alpha
sudo pear install Image_Graph-alpha

Restart apache and make sure snort is running
Code:
sudo /etc/init.d/apache2 restart
sudo /etc/init.d/snort start

For some reason when I was trying to install Image_Color it was missing a dependency that was already installed. If you get the same error try the following.
Code:
sudo apt-get remove php5-gd
sudo apt-get install php5-gd

This is my first HOWTO. Good luck & have fun.