The steps taken here where based on that from the Gentoo Wiki How-To?s. I had to change somethings as they were not working properly on 2007.0
HOWTO Use Snort, Acid, and MySQL Effectively and
HOWTO Apache2 with BASE
Install the packages needed
Yikes, took longer than expected to get this part working to my satisfaction.
The first thing to get working is Apache, PHP and MySQL
The use clause below should speed up compile times, but I only found that out afterwards so it may be a good idea to use it. It is found under /etc/make.conf
USE=?dynamicplugin gd gd-external mysql apache2 php openssl jpg png gif session ?X -gtk ?gnome ?alsa php session pcre hardenedphp gd pear apache2 *postgres *mysql ssl png gif jpeg cli xml?
Edit /etc/portage/package.keywords and add
Then do the emerge?s for the needed packages,
emerge php (will install Apache2 as needed)
Next set the services to start at boot
rc-update add snort default
rc-update add mysql default
rc-update add apache2 default
To prevent errors at first start
Then start MySQL and Apache
Next you need to setup MySQL
Set the password and permissions for root (don?t forget the ?;? and the end of the lines), and create the permissions for snort to use the database.
SET PASSWORD FOR ‘root’@’localhost’ = PASSWORD(‘new_password’);
create database snort;
grant INSERT,SELECT on snort.* to [email protected];
SET PASSWORD FOR ‘snort’@’localhost’ = PASSWORD(?new_password?);
grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to [email protected];
grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort;
Import the Snort Database structure
bzcat /usr/share/doc/snort-<version>/schemas/create_mysql.bz2 | mysql -u snort -D snort -p
Setting up Snort
Edit /etc/snort/snort.conf (if this is not there copy it from /etc/snort/snort.conf.distrib)
Look for ?output database? and change as appropriate
output database: alert, mysql, user=snort password=password dbname=snort host=localhost
It is a good idea to request a ?oinkcode? from the Snort site as you can use it to do automatic updates of the Snort rules. Edit /etc/oinkmaster.conf and insert the oinkcode as applicable
url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2.6.tar.gz
If you want to do an immediate update use
/usr/bin/oinkmaster.pl -i -o /etc/snort/rules
Edit /etc/conf.d/snort to set the listen interface
Start Snort watching /etc/var/log/message for errors
If snort fails to start use
to stop snort and fix the erros that have occurred under /var/log/messages. You may need to check the permissions , I only had to change the log directory
chown -R snort:snort /var/log/snort
chmod -R 770 /var/log/snort
You will need to first insert ?net-analyzer/base? below into /etc/portage/package.keywords
Once the emerge is done edit /etc/base/base_conf.php
$alert_dbname = ?snort?;
$alert_host = ?localhost?; (localhost can be the IP if BASE is going to run on a different machine)
$alert_port = ??; (only necessary to change if the database is running on a different port)
$alert_user = ?snort?;
@alert_password = ?snortpassword?;
Once that is done open your browser to http://serveraddress/base/base_db_setup.php and click the Setup AG button.
It would be recommended to create a new Role and User with view only access.
You can then activate the authentication system by editing /etc/base/base_conf.php
@Use_Auth_System = 1;
This should have everything in working order, monitor the logs to make sure that no errors are coming up, and fix them as necessary.
The next part of this project will be to install a notification system, although I still an not sure what to use yet Prelude is looking to be an option.