Setting up SNORT on Gentoo Part 2
2007-09-17
The steps taken here were based on those from the Gentoo Wiki How-Tos; I had to change some things as they were not working properly on 2007.0:
HOWTO Use Snort, Acid, and MySQL Effectively and
HOWTO Apache2 with BASE
Install the packages needed
Yikes, took longer than expected to get this part working to my satisfaction.
The first thing to get working is Apache, PHP and MySQL.
The USE line below should speed up compile times, but I only found that out afterwards, so it is a good idea to set it before you start. It goes in /etc/make.conf:
USE="dynamicplugin gd gd-external mysql apache2 php openssl jpg png gif session -X -gtk -gnome -alsa php session pcre hardenedphp gd pear apache2 *postgres *mysql ssl png gif jpeg cli xml"
Edit /etc/portage/package.keywords and add:
net-analyzer/snort ~x86
net-analyzer/acid ~x86
dev-php4/jpgraph ~x86
Then emerge the needed packages:
emerge php (will install Apache2 as needed)
emerge libnet
emerge mysql
emerge snort
emerge oinkmaster
Next set the services to start at boot
rc-update add snort default
rc-update add mysql default
rc-update add apache2 default
To prevent errors at first start
/usr/bin/mysql_install_db
Then start MySQL and Apache
/etc/init.d/apache2 start
/etc/init.d/mysql start
Setup MySQL
Next you need to set up MySQL.
Set the password and permissions for root (don't forget the ';' at the end of the lines), and create the permissions for snort to use the database.
mysql
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('new_password');
create database snort;
grant INSERT,SELECT on snort.* to snort@localhost;
SET PASSWORD FOR 'snort'@'localhost' = PASSWORD('new_password');
grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort;
exit
Import the Snort Database structure
bzcat /usr/share/doc/snort-<version>/schemas/create_mysql.bz2 | mysql -u snort -D snort -p
Setting up Snort
Edit /etc/snort/snort.conf (if this is not there copy it from /etc/snort/snort.conf.distrib)
Look for 'output database' and change as appropriate:
output database: alert, mysql, user=snort password=password dbname=snort host=localhost
It is a good idea to request an 'oinkcode' from the Snort site, as you can use it to do automatic updates of the Snort rules. Edit /etc/oinkmaster.conf and insert the oinkcode as applicable.
E.g.
url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2.6.tar.gz
If you want to do an immediate update use
/usr/bin/oinkmaster.pl -i -o /etc/snort/rules
Edit /etc/conf.d/snort to set the listen interface
IFACE=br0
Start Snort, watching /var/log/messages for errors:
/etc/init.d/snort start
If snort fails to start use
/etc/init.d/snort stop
/etc/init.d/snort zap
to stop snort and fix the errors reported under /var/log/messages. You may need to check the permissions; I only had to change the log directory:
chown -R snort:snort /var/log/snort
chmod -R 770 /var/log/snort
Setup BASE
You will first need to add 'net-analyzer/base' to /etc/portage/package.keywords, then
emerge base
Once the emerge is done, edit /etc/base/base_conf.php:
$alert_dbname = 'snort';
$alert_host = 'localhost'; (localhost can be the IP if BASE is going to run on a different machine)
$alert_port = ''; (only necessary to change if the database is running on a different port)
$alert_user = 'snort';
$alert_password = 'snortpassword';
Once that is done open your browser to http://serveraddress/base/base_db_setup.php and click the Setup AG button.
It is recommended to create a new role and user with view-only access.
You can then activate the authentication system by editing /etc/base/base_conf.php:
$Use_Auth_System = 1;
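As an added example (not from the original post, nor from the Snort or BASE projects), the Python script below cross-checks the two files edited above, the 'output database:' line in snort.conf and the $alert_* settings in base_conf.php, for the slips that most often leave a fresh install either silent or wide open: sensor and console pointing at different database names, users or hosts, passwords left at the tutorial placeholders, and $Use_Auth_System still off. The file contents embedded in it are constructed samples.

```python
import re
# Constructed samples of the two files this how-to edits (not from a real system).
SNORT_CONF = """\
# output log_tcpdump: tcpdump.log
output database: alert, mysql, user=snort password=password dbname=snort host=localhost
"""
BASE_CONF = """\
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'snortpassword';
$Use_Auth_System = 0;
"""
PLACEHOLDER_PASSWORDS = {"password", "snortpassword", "new_password"}  # tutorial values

def parse_output_database(conf):
    """Return the fields of the first uncommented 'output database:' directive."""
    for line in conf.splitlines():
        line = line.strip()
        if not line.startswith("output database:") or line.count(",") < 2:
            continue  # comments, other output plugins, malformed lines
        fields = [f.strip() for f in line.partition(":")[2].split(",", 2)]
        params = dict(kv.split("=", 1) for kv in fields[2].split() if "=" in kv)
        params["type"], params["driver"] = fields[0], fields[1]
        return params
    return None

def parse_base_conf(conf):
    """Collect $name = value; assignments from base_conf.php (quoted or numeric)."""
    pat = re.compile(r"""^\s*\$(\w+)\s*=\s*(?:'([^']*)'|"([^"]*)"|(\d+))\s*;""", re.M)
    return {m.group(1): next(g for g in m.groups()[1:] if g is not None)
            for m in pat.finditer(conf)}

def audit(snort_conf, base_conf):
    """Cross-check sensor and console configs; return a list of findings (empty = OK)."""
    out, base, findings = parse_output_database(snort_conf), parse_base_conf(base_conf), []
    if out is None:
        return ["snort.conf has no active 'output database:' line; alerts never reach MySQL"]
    for skey, bkey in (("dbname", "alert_dbname"), ("user", "alert_user"), ("host", "alert_host")):
        if out.get(skey) != base.get(bkey):
            findings.append(f"{skey}={out.get(skey)!r} in snort.conf but ${bkey}={base.get(bkey)!r} in base_conf.php")
    for where, pw in (("snort.conf", out.get("password")), ("base_conf.php", base.get("alert_password"))):
        if pw in PLACEHOLDER_PASSWORDS:
            findings.append(f"{where} still carries the tutorial placeholder password {pw!r}")
    if out.get("password") != base.get("alert_password"):
        findings.append("snort and BASE present different passwords for the same 'snort' DB account")
    if base.get("Use_Auth_System") != "1":
        findings.append("$Use_Auth_System is not 1: BASE is reachable without a login")
    return findings
```

Run it against the real /etc/snort/snort.conf and /etc/base/base_conf.php contents before opening BASE to the network; an empty list means the two files agree and the placeholders are gone.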
This should have everything in working order; monitor the logs to make sure that no errors are coming up, and fix them as necessary.
The next part of this project will be to install a notification system, although I am still not sure what to use yet; Prelude is looking to be an option.

Nice tutorial and lots of good advice. Thanks!