# BASE ebuild (upgrade from ACID)

## hanj

Hello All

I know I've seen some discussion about BASE (Basic Analysis and Security Engine) and requests for ebuilds and the like. I've put together an ebuild.. basically modifying the ACID ebuild. I'm no ebuild guru, so please feel free to mention improvements, fixes, etc.

For those that don't know what BASE is:

> BASE is the Basic Analysis and Security Engine. It is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts coming from a SNORT IDS system.
> 
> BASE is a web interface to perform analysis of intrusions that snort has detected on your network. It uses a user authentication and role-based system, so that you as the security admin can decide what and how much information each user can see. It also has a simple-to-use, web-based setup program for people not comfortable with editing files directly.
> 
> BASE is supported by a group of volunteers. They are available to answer any questions you may have or help you out in setting up your system. They are also skilled in intrusion detection systems and make use of that knowledge in the development of BASE.
> ...

http://secureideas.sourceforge.net/

For those that don't know what ACID is.. ACID is used to view Snort alert data. It is a web based application to manage all Snort alerts. Graphs and queries can be easily generated. ACID has NOT been in active development for some time.. and the guys at BASE picked it up recently.. and have been doing an awesome job!

I'll include a small how to for those who do not know how to use custom ebuilds:

1. edit /etc/make.conf and add this value:

```
PORTDIR_OVERLAY=/usr/local/portage
```

2. create the following directories

```
mkdir -p /usr/local/portage/net-analyzer/base
```

3. create the ebuild.. which is below:

```
vi /usr/local/portage/net-analyzer/base/base-1.1.2.ebuild
```

4. create a digest

```
cd /usr/local/portage/net-analyzer/base/

ebuild base-1.1.2.ebuild digest
```

5. edit /etc/portage/package.keywords (if you don't have it.. please create it) and add the following:

```
net-analyzer/base ~x86
```

6. edit /etc/portage/package.use (if you don't have it.. please create it) and add the following:

```
net-analyzer/base adodb
```

7. emerge it

```
emerge -pv base
```

Here is my ebuild:

```
# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-analyzer/base/base-1.1.2,v 1 2005/04/15 12:05:49 hanji Exp $

inherit webapp versionator eutils

MY_P=${P}
S=${WORKDIR}/${MY_P}

DESCRIPTION="Snort BASE - Basic Analysis and Security Engine (BASE) Project"
HOMEPAGE="http://secureideas.sourceforge.net/"
SRC_URI="http://easynews.dl.sourceforge.net/sourceforge/secureideas/${MY_P}.tar.gz"

LICENSE="GPL-2"
KEYWORDS="~x86"
IUSE="apache2 adodb"

RDEPEND="apache2? ( >=net-www/apache-2 )
    !apache2? ( =net-www/apache-1* )
    >=dev-php/adodb-4.55
    media-libs/gd
    =dev-php/mod_php-4*"
DEPEND="${RDEPEND}
    >=sys-apps/sed-4"

pkg_setup() {
    webapp_pkg_setup
    built_with_use dev-php/mod_php gd || \
        die "dev-php/mod_php must be built with USE=gd"

    # If mod_php used is >= 5.0.0, it has to have session useflag enabled.
    local ver_modphp=$(best_version dev-php/mod_php)
    ver_modphp="${ver_modphp/dev-php\/mod_php-/}"
    if [[ $(get_major_version ${ver_modphp}) -ge 5 ]] ; then
        built_with_use dev-php/mod_php session || \
            die "dev-php/mod_php must be built with USE=session"
    fi
}

src_unpack() {
    unpack ${A}
    cd ${S}
    # Point the ADOdb path in the shipped config at the Gentoo adodb location.
    sed -i '12s:^$DBlib_path =.*:$DBlib_path = "/usr/lib/php/adodb";:' \
        base_conf.php.dist || die "sed base_conf.php failed"
    # Accept a PHP 5 major version in the version check.
    sed -i '67s/($version\[0\] >= 4)/($version[0] >= 5) || &/' \
        base_db_common.php || die "sed base_db_common.php failed"
}

src_install () {
    webapp_src_preinst
    insinto ${MY_HTDOCSDIR}
    doins *
    webapp_src_install
}

pkg_postinst() {
    webapp_pkg_postinst
    einfo ""
    einfo "Note: BASE is installed as a webapp."
    einfo "The BASE database is an extension of the SNORT database."
    einfo "To setup the BASE database look in the README"
    einfo ""
}
```

Hope this helps someone.

thanks!

hanji

----------

## tukachinchila

That looks good. I have a couple of suggestions: 'gd' shouldn't technically be required (I'm sure most people will want it for graphing), but BASE will work without it. Maybe have a "gd" use flag that installs it if the user has USE="gd" or USE="gd-external". Also, base will install all documents in the "docs" directory, and webapp-config will then install these docs in every virtual host. It might be better to install the docs in the usual /usr/share/docs directory instead so they're only installed once. I also like to have all of my config files in /etc, so you could move base_conf.php there too.

I've also written an ebuild for BASE, so maybe we can collaborate on this? I'd also appreciate any constructive criticism:

```
# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $

inherit webapp versionator eutils

NW_VERSION="0.13.1"
IG_VERSION="0.4.0"
CONF_DIR="/etc/${PN}"
CONF_OLD="base_conf.php.dist"
CONF_NEW="base_conf.php"
WWW_GRP="apache"
MIDDLEMAN="base_path.php"

DESCRIPTION="A web-based front-end to the Snort IDS."
HOMEPAGE="http://base.secureideas.net"
SRC_URI="mirror://sourceforge/secureideas/${P}.tar.gz"

LICENSE="GPL-2"
KEYWORDS="~x86 ~amd64"
# SLOT is intentionally omitted because this package uses webapp-config
IUSE="apache2 mysql postgres mssql oracle gd"

DEPEND=">=app-arch/tar-1.14
   >=sys-libs/zlib-1.2.1-r3
   >=app-arch/gzip-1.3.5-r4
   >=sys-apps/coreutils-5.2.1-r2
   >=sys-apps/sed-4.0.9
   >=net-www/apache-1.3
   apache2? ( >=net-www/apache-2 )
   mysql? ( >=dev-db/mysql-3.23.0 )
   postgres? ( >=dev-db/postgresql-7.1.0 )"
# A local database isn't necessary, so we only upgrade to a DB supported
# by BASE when the user has USE flags set for one of these DBs.
# Snort can also be installed on a remote system, so we don't require it.

RDEPEND="${DEPEND}
   gd? ( >=media-libs/gd-1.8.0 )
   >=virtual/httpd-php-4.0.4
   gd? ( >=dev-php/php-4.0.4 )
   >=dev-php/adodb-1.2
   gd? ( >=dev-php/jpgraph-1.12.2 )"
# NOTE: jpgraph is currently marked for testing (~).
# gd and jpgraph are only required for graphing support

pkg_setup() {
   webapp_pkg_setup
   if use gd; then
      built_with_use dev-php/mod_php gd || \
         die "dev-php/mod_php must be built with USE=gd"
      built_with_use dev-php/php gd || \
         die "dev-php/php must be built with USE=gd"
   fi
}

src_unpack() {
   unpack ${A}
   cd ${S}

   # Here we help the user configure ${CONF_NEW} so BASE works out of the
   # box in most environments. The user will still be warned to edit the
   # file manually at the pkg_postinst() stage.
   sed -i -e 's,$BASE_urlpath.*,$BASE_urlpath = "/base";,g' \
      ${CONF_OLD}
   sed -i -e 's,$DBlib_path.*,$DBlib_path = "/usr/lib/php/adodb";,g' \
      ${CONF_OLD}
   if use postgres; then
      sed -i -e 's,$DBtype.*,$DBtype = "postgres";,g' \
         ${CONF_OLD}
   fi
   if use mssql; then
      sed -i -e 's,$DBtype.*,$DBtype = "mssql";,g' \
         ${CONF_OLD}
   fi
   if use oracle; then
      sed -i -e 's,$DBtype.*,$DBtype = "oci8";,g' \
         ${CONF_OLD}
   fi

   # Change the source to recognize the new ${MIDDLEMAN} file we are about to
   # create.
   for PHP in *.php */*.php; do
      sed -i -e "s,${CONF_NEW},${MIDDLEMAN},g" \
         ${CONF_OLD} "${PHP}"
   done

   # Create the file ${MIDDLEMAN} to determine the web root directory
   # and redirect "include" to the new ${CONF_DIR}/${CONF_NEW} location.
   echo "<?php" > ${MIDDLEMAN}
   echo '  $BASE_path = dirname(__FILE__);' >> ${MIDDLEMAN}
   echo "  include(\"${CONF_DIR}/${CONF_NEW}\");" >> ${MIDDLEMAN}
   echo "?>" >> ${MIDDLEMAN}

   # Delete the $BASE_path constant from ${CONF_NEW} because we
   # now handle it with the ${MIDDLEMAN} file we created above.
   sed -i -e 's,$BASE_path =.*,,g' ${CONF_OLD}

   # Modify the HTML headers so search engines don't index BASE.
   sed -i -e \
      's:<HEAD>:<HEAD>\n  <META name="robots" content="noindex,nofollow">:g' \
         index.php
   sed -i -e \
      's:<HEAD>:<HEAD>\n  <META name="robots" content="noindex,nofollow">:g' \
         base_main.php
}

src_install() {
   webapp_src_preinst

   # Install the docs once in the standard /usr/share/doc/${PF}/DOCDESTREE
   # location instead of installing them in every virtual host directory.
   cd docs
   dodoc *
   cd ${S}
   rm -rf docs

   # Install the config files in the usual location (/etc/${PN}).
   insinto ${CONF_DIR}
   doins ${CONF_OLD}
   newins ${CONF_OLD} ${CONF_NEW}

   # Install BASE for webapp-config
   insinto ${MY_HTDOCSDIR}
   doins -r *

   # Tighten the security a little since BASE uses plain-text passwords.
   # This could use some future modifications to account for the fact that
   # some users may use a different web server than Apache.
   # fperms 640 ${CONF_DIR}/${CONF_NEW}
   fowners root:${WWW_GRP} ${CONF_DIR}/${CONF_NEW}
   # ewarn \
   #    "Please modify the permissions of ${CONF_DIR}/${CONF_NEW} as the file \
   #    stores plain-text passwords for connecting to your database."

   webapp_src_install
}

pkg_postinst() {
   if use gd; then
      /usr/bin/pear install Image_Color
      /usr/bin/pear install Log
      /usr/bin/pear install Numbers_Roman
      /usr/bin/pear install \
         http://pear.php.net/get/Numbers_Words-${NW_VERSION}.tgz
      /usr/bin/pear install \
         http://pear.php.net/get/Image_Graph-${IG_VERSION}.tgz
   fi
   webapp_pkg_postinst
   einfo ""
   einfo "For BASE to work properly, your web browser must have cookie"
   einfo "support enabled."
   einfo "Since the reports generated by BASE can contain sensitive"
   einfo "information, it is recommended that you implement (SSL/TLS). It is"
   einfo "also recommended that your php.ini have \"display_errors\""
   einfo "set to \"off.\""
   ewarn "You may need to edit \"${CONF_DIR}/${CONF_NEW}\" before using BASE."
   einfo "To setup your initial database, direct your web browser to the"
   einfo "location you installed BASE/base_db_setup.php."
   einfo ""
}
```

I'll post any updates to the ebuild here: http://home.comcast.net/~travis.post/base-1.1.3.ebuild.

I'm also working on a howto: http://gentoo-wiki.com/HOWTO_Setup_BASE_with_Apache%2C_Snort%2C_and_PostgreSQL.

Moderators might want to move this thread to "Unsupported software."

Last edited by tukachinchila on Thu Jun 16, 2005 5:27 am; edited 3 times in total

----------

## toster

Hi All!

I installed BASE but I couldn't make graphs of alert data :( BASE said "Error loading the Graphing library: Check your Pear::Image_Graph installation!" but I already have Image_Graph.

```
root@help pear install Image_Graph-devel
Package 'Image_Graph' already installed, skipping
```

What am I doing wrong?

----------

## hanj

try...

```
pear install Image_Color
```

Image_Color is a dependency of Image_Graph

HTH

hanji

----------

## tukachinchila

I've had the same problem here. It looks like PEAR is installing things in /usr/lib/php/php, and BASE is looking for Image_Graph in /usr/lib/php.  The problem seems to be with the file "base_graph_common.php." I'm still working on a fix. 

This is the segment of the file that is causing the problem (if someone knows of a good way to fix it, please let me know): 

```
// We have to locate Image/Graph.php -- Alejandro
    $file = "Image/Graph.php";
    $found = false;
    // Will search in Path
    $paths = explode(PATH_SEPARATOR, ini_get('include_path'));
    foreach ($paths as $path) {
        $fullpath = $path . DIRECTORY_SEPARATOR . $file;
        if (file_exists($fullpath)) {
            $found = true;
            break;
        }
    }

    if ( $found ) {
        // Cool, file was found, so you have Image_Graph installed. -- Alejandro
        include($file);
        return true;
    } else {
        // Sorry dude, you haven't finished your home work. -- Alejandro
        echo "<P><B>Error loading the Graphing library: </B>".
             "<P>Check your Pear::Image_Graph installation!".
             "<P>".
             "Image_Graph can be found here:".
             "at <A HREF=\"http://pear.veggerby.dk/\">http://pear.veggerby.dk/</A>.  Without this".
             "library no graphing operations can be performed.";
        die();
    }
```

As far as I understand, the 'include_path' is found in the php.ini file, so I would think that adding "/usr/lib/php/php" to that line would fix it, but it doesn't. I've tried changing the php.ini file to: 

```
include_path = ".:/usr/lib/php:/usr/lib/php/php"
```

with no luck. I'm obviously misunderstanding what's going on with base_graph_common.php.

The other problem is BASE expects JPGraph to be installed inside the BASE directory (which it's not). I can fix that pretty easily by adding the variable $ChartLib_path = "/var/lib/php/jpgraph" to the base_conf.php file, and by adding $ChartLib_path to the base_graph_common.php file so BASE is aware of the correct location.

----------

## hanj

Hello tukachinchila

I had the same problem on one of my servers; there seems to be an issue with php and sapi-php.eclass. This post provides the fix while the bug is attended to.

https://forums.gentoo.org/viewtopic-t-312957-highlight-.html

HTH

hanji

----------

## tukachinchila

Thanks hanji. I thought the /usr/lib/php/php path looked a little strange. It would be nice to see that get fixed.

I did figure out that appending '/usr/lib/php/php' to '/etc/php/apache2-php4/php.ini' actually works (I just neglected to restart apache). So another temporary work-around is to edit php.ini and restart apache: 

```
include_path = ".:/usr/lib/php:/usr/lib/php/php"

/etc/init.d/apache2 restart
```

That gets BASE working perfectly for me.
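An added example, not code from the thread, from either ebuild, or from BASE itself: a small POSIX shell script that turns three points made in this thread into checks you can run on a BASE host. It covers the base_conf.php permissions tukachinchila's ebuild tightens with fowners (the file stores plain-text database passwords), the display_errors=off advice from its pkg_postinst, and the include_path walk in base_graph_common.php that has to find Image/Graph.php. File paths, the UID/GID arguments and the php.ini lines used in the test are assumptions; stat -c is GNU/busybox syntax.

```shell
# Added example, not code from the thread or from BASE: post-install checks
# for a BASE host. base_conf.php holds plain-text DB credentials, so it
# should be root:apache and mode 640 or stricter; php.ini should have
# display_errors off; and Image/Graph.php must live in a directory listed
# in include_path, which is exactly what base_graph_common.php walks.

# ini_get FILE KEY: value of the first uncommented "KEY = value" line in a
# php.ini-style file, surrounding double quotes removed (';' starts a comment).
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 |
        sed 's/^"//; s/"[[:space:]]*$//'
}

# display_errors_off PHPINI: 0 when display_errors is explicitly off.
# A missing key counts as on, because PHP's compiled-in default is on.
display_errors_off() {
    case $(ini_get "$1" display_errors | tr 'A-Z' 'a-z') in
        off|0|false|no) return 0 ;;
        *) return 1 ;;
    esac
}

# find_in_include_path INCLUDE_PATH RELFILE: the same walk as the PHP loop in
# base_graph_common.php; prints the first directory containing RELFILE and
# returns 1 when none does. Runs in a subshell so the IFS change stays local.
find_in_include_path() (
    IFS=:
    for dir in $1; do
        if [ -f "$dir/$2" ]; then printf '%s\n' "$dir"; exit 0; fi
    done
    exit 1
)

# check_conf_perms FILE UID GID: 0 when FILE is owned by UID:GID, has no
# world bits, and the group can at most read (mode 640 or stricter).
# On a real host: check_conf_perms /etc/base/base_conf.php 0 "$(id -g apache)"
check_conf_perms() {
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    mode=$(stat -c '%a' "$1")
    [ "$(stat -c '%u:%g' "$1")" = "$2:$3" ] ||
        { echo "$1 is owned by $(stat -c '%U:%G' "$1"), want uid:gid $2:$3"; return 1; }
    world=${mode#${mode%?}}             # last octal digit (other)
    grp=${mode%?}; grp=${grp#${grp%?}}  # middle octal digit (group)
    [ "$world" = 0 ] || { echo "$1 is world-accessible (mode $mode)"; return 1; }
    case $grp in
        0|4) return 0 ;;
        *) echo "$1 is group-writable or executable (mode $mode)"; return 1 ;;
    esac
}
```

Because include_path is read from php.ini, the third check only reflects what Apache sees after a restart, which is the step tukachinchila had skipped.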

----------

## doidoniel

Hi, I use Debian, but I'm having the same problem. Like the others, the only thing I did was modify /etc/php4/apache2/php.ini and uncomment the line "include_path = ".:/usr/lib/php:/usr/lib/php/php"".

----------

