# COMPLETE guide to Snort, MySQL, and BASE

## exklusve

Ok here it is finally!

This is an updated version of this thread: 

https://forums.gentoo.org/viewtopic-t-78718.html

Your guide to snort, mysql, apache, php, and BASE for Gentoo  :Smile: 

------------------------------------------------------------------------------------


Edit your /etc/make.conf  and include these options.

```
USE=gd jpeg png hardenedphp apache2 innodb php perl mysql hardened"
```

Packages needed. 

Snort 

MYSQL 

Mod_PHP (will also install PHP which is needed)

Apache 

Base (http://secureideas.sourceforge.net/index.php)

Adodb

GD

(You might already have the ones below installed.  Please double check  :Very Happy: )

Libpng

jpeg

zLib

\\Let's get all the needed packages

MySQL 

dev-db/mysql-5.0.15

```
ACCEPT_KEYWORDS="~x86" emerge mysql
```

Apache

net-www/apache-2.0.54-r31

```
emerge apache
```

Mod_php

dev-php/mod_php-4.4.0-r9

```
emerge mod_php
```

Snort

net-analyzer/snort-2.4.3

```
ACCEPT_KEYWORDS="~x86" emerge snort
```

BASE

base-1.2.1.tar.gz

Download from http://secureideas.sourceforge.net/index.php

Adodb

dev-php/adodb-4.65

```
emerge -f adodb
```

GD

media-libs/gd-2.0.32

```
emerge media-libs/gd
```

Libpng

media-libs/libpng-1.2.8

```
emerge media-libs/libpng
```

jpeg

media-libs/jpeg-6b-r5

```
emerge media-libs/jpeg
```

zLib

sys-libs/zlib-1.2.3

```
emerge zlib
```

\\Let's set up Apache and PHP

Edit your /etc/conf.d/apache file

```
nano -w /etc/conf.d/apache
```

Edit the 'APACHE2_OPTS' line as shown below:

```
APACHE2_OPTS="-D PHP4 -D SSL -D DEFAULT_VHOST"
```

This gives us PHP and SSL support.

Now start Apache:

```
/etc/init.d/apache2 start
```

Watch /var/log/messages for errors.

Let's add Apache to the default run level:

```
rc-update add apache default
```

\\Let's get MySQL going

Important info for upgrading MySQL:

```
If you're upgrading from MySQL-3.x to 4.0, or 4.0.x to 4.1.x, you
must recompile the other packages on your system that link with
libmysqlclient after the upgrade completes.  To obtain such a list
of packages for your system, you may use:
revdep-rebuild --library=libmysqlclient.so.14
from app-portage/gentoolkit.

the value of "innodb_log_file_size" into /etc/mysql/my.cnf file
has changed size from "8M" to "5M".
To start mysql either revert the value back to "8M" or backup and
remove the old ib_logfile* from the datadir
```

Let's create the default tables in MySQL:

```
# /usr/bin/mysql_install_db
```

Now let's start MySQL:

```
/etc/init.d/mysql start
```

Now set a root password for MySQL:

```
/usr/bin/mysqladmin -u root password 'passwordhere'
```

Let's add MySQL to the default run level:

```
rc-update add mysql default
```

\\Let's create the Snort database

First log into MySQL as root:

```
mysql -u root -p
```

Now create the database, the user, and its privileges.

```
create database snort;
grant INSERT,SELECT on root.* to snort@localhost;
SET PASSWORD FOR snort@localhost=PASSWORD('passwordhere');
grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort;
exit
```

Now we need to create the database structure for snort by issuing this command:

```
zcat /usr/share/doc/snort-2.4.3/schemas/create_mysql.gz | mysql -p snort
```

This will create the database structure in MySQL. 

To double check that the structure was created:

```
mysql -u root -p snort
```

Once logged in, issue this command:

```
show tables;
```

You should see this:

```
mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
16 rows in set (0.00 sec)
```

Now your database has the correct table structure. 
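To automate that check, here is an added example (not part of the original guide): a small Python script that parses the `show tables;` listing, in either the bordered interactive form shown above or the tab-separated form `mysql -e` prints to a pipe, and compares it with the 16 tables create_mysql produces. The embedded sample is constructed from the listing above; the script name and the usage line are assumptions.

```python
"""Check that the Snort tables were created in the `snort` database.

Added example, not part of the original guide. Usage on a live box
(mysql client and the snort database assumed):
    mysql -u root -p snort -e 'show tables;' | python check_snort_schema.py
Without piped input it checks the constructed SAMPLE_OUTPUT below.
"""
import sys

# The 16 tables the guide lists after loading create_mysql for snort-2.4.3.
EXPECTED_SNORT_TABLES = frozenset({
    "data", "detail", "encoding", "event", "icmphdr", "iphdr", "opt",
    "reference", "reference_system", "schema", "sensor", "sig_class",
    "sig_reference", "signature", "tcphdr", "udphdr",
})

# Constructed sample: the interactive listing exactly as the guide shows it.
SAMPLE_OUTPUT = """\
mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
16 rows in set (0.00 sec)
"""


def parse_show_tables(text):
    """Return the table names found in `show tables` output.

    Border lines (+---+), the prompt echo, the "N rows in set" footer and
    the Tables_in_<db> header are skipped; a "| name |" cell is unwrapped,
    so the plain one-name-per-line form from `mysql -e` parses as well.
    """
    names = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("+") or line.startswith("mysql>"):
            continue
        if " in set (" in line or line.startswith("Empty set"):
            continue
        if line.startswith("|") and line.endswith("|"):
            line = line[1:-1].strip()
        if line.startswith("Tables_in_"):
            continue
        names.append(line)
    return names


def check_schema(names):
    """Compare parsed table names with the expected Snort schema.

    Tables that BASE creates for itself (base_users, for example, which
    BASE's setup page adds) are reported as "extra", not as errors.
    """
    found = set(names)
    missing = sorted(EXPECTED_SNORT_TABLES - found)
    extra = sorted(found - EXPECTED_SNORT_TABLES)
    return {"ok": not missing, "missing": missing, "extra": extra}


if __name__ == "__main__":
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    result = check_schema(parse_show_tables(text))
    print("schema OK" if result["ok"]
          else "missing tables: " + ", ".join(result["missing"]))
    if result["extra"]:
        print("extra (non-Snort) tables: " + ", ".join(result["extra"]))
    sys.exit(0 if result["ok"] else 1)
```

A non-zero exit status when tables are missing makes the check usable from a post-install script; anything BASE adds later lands in "extra" so the same check still passes after BASE's own setup has run.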

\\Ok now to get Snort logging to the newly created database

Now we need to configure Snort to report to the database and not to log files. 

Edit the snort.conf file: 

```
nano -w /etc/snort/snort.conf 
```

Find this line shown below (line 382 for me), uncomment it, and change it to reflect your setup:

```
output database: log, mysql, user=snort password=password dbname=snort host=localhost
```

Now Snort will write its logs and alerts to the MySQL database.

Start Snort with: 

```
/etc/init.d/snort start
```

Add to default run level with:

```
rc-update add snort default
```

Watch your /var/log/messages for errors. 

First off I received this error in /var/log/messages:

```
snort[25905]: FATAL ERROR: Unable to open rules file: /etc/snort/rules/local.rules or /etc/snort//etc/snort/rules/local.rules
```

To fix this go to www.snort.org and register.

Download the latest rules and put them in /etc/snort/rules.

Then run 

```
/etc/init.d/snort zap
```

This will zap the state of snort back to not running.

Start snort again, and watch /var/log/messages.  You should see this:

```
snort[26024]: Snort initialization completed successfully (pid=26024)
```

\\Let's get prepared to install BASE

Here's where we use the Adodb we downloaded:

```
cp /usr/portage/distfiles/adodb465.tgz /var/www/localhost/htdocs/
```

Extract the source:

```
cd /var/www/localhost/htdocs
```

```
 tar -zxvf adodb465.tgz
```

Install some Pear stuff:

```
pear install Image_Color
pear install Log
pear install Numbers_Roman
pear install http://pear.php.net/get/Numbers_Words-0.13.1.tgz
pear install http://pear.php.net/get/Image_Graph-0.3.0dev4.tgz
```

\\Let's get BASE going

Extract the source in /var/www/localhost/htdocs/

```
mv base-1.2.1.tar.gz /var/www/localhost/htdocs/
```

```
cd /var/www/localhost/htdocs/
```

```
tar -zxvf base-1.2.1.tar.gz
```

Rename folder to just 'base':

```
mv base-1.2.1 base 
```

```
cd base
```

Let's edit the BASE config file, but first copy it to the correct name:

```
cp base_conf.php.dist base_conf.php
```

```
nano -w base_conf.php
```

Here is what you'll have to change:

Set your URL to your base installation:

DO NOT INCLUDE A TRAILING SLASH

```
$BASE_urlpath = "mybox.mydomain.com/base";
```

Adodb Path:

```
$DBlib_path = "/var/www/localhost/htdocs/adodb/"; 
```

Snort database info:

Change these to match your setup; you should only need to change the password.

```
$alert_dbname   = "snort";
$alert_host     = "localhost";
$alert_port     = "";
$alert_user     = "snort";
$alert_password = "mypassword";
```
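An added example, not from the guide or from BASE, that checks those settings before you open BASE: it pulls the simple `$name = "value";` assignments out of base_conf.php and reports a trailing slash on $BASE_urlpath, a database password still left at one of the sample values used in this guide, or a Snort database setting that is missing or empty. The embedded SAMPLE_CONF is constructed and deliberately breaks two of the rules; the script name and the placeholder list are assumptions.

```python
"""Sanity-check base_conf.php before opening BASE in a browser.

Added example, not part of the original guide or of BASE. Usage:
    python check_base_conf.py /var/www/localhost/htdocs/base/base_conf.php
Without an argument it checks the constructed SAMPLE_CONF below.
"""
import re
import sys

# Matches  $name = "value";  or  $name = 'value';  at the start of a line.
ASSIGN_RE = re.compile(r"""^\s*\$(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')\s*;""", re.M)

# Sample passwords that appear in this guide; any of these means "not changed yet".
PLACEHOLDER_PASSWORDS = {"", "mypassword", "passwordhere", "password"}

# Settings the guide says you must fill in ($alert_port may stay empty).
REQUIRED = ("BASE_urlpath", "DBlib_path", "alert_dbname", "alert_host",
            "alert_user", "alert_password")

# Constructed sample: the guide's values, with two deliberate mistakes
# (trailing slash on the URL path, password left at the sample value).
SAMPLE_CONF = '''<?php
$BASE_urlpath = "mybox.mydomain.com/base/";
$DBlib_path = "/var/www/localhost/htdocs/adodb/";
$alert_dbname   = "snort";
$alert_host     = "localhost";
$alert_port     = "";
$alert_user     = "snort";
$alert_password = "mypassword";
'''


def parse_settings(php_text):
    """Return {name: value} for the plain string assignments in a PHP config."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in ASSIGN_RE.finditer(php_text)}


def check_base_conf(settings):
    """Return a list of problems; an empty list means the config passes."""
    problems = []
    for name in REQUIRED:
        if name not in settings:
            problems.append(f"${name} is not set")
    if settings.get("BASE_urlpath", "").endswith("/"):
        problems.append("$BASE_urlpath must not include a trailing slash")
    if settings.get("alert_password", "") in PLACEHOLDER_PASSWORDS:
        problems.append("$alert_password is empty or still a sample value")
    for name in ("alert_dbname", "alert_host", "alert_user"):
        if name in settings and not settings[name]:
            problems.append(f"${name} is empty")
    return problems


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    problems = check_base_conf(parse_settings(text))
    for line in problems or ["base_conf.php looks fine"]:
        print(line)
    sys.exit(1 if problems else 0)
```

The parser only understands one-line string assignments, which is all the guide asks you to edit; anything PHP computes at runtime is ignored rather than guessed at.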

Save that file and open base_main.php in your web browser.

For me the address was 

```
http://lappy.mydomain.com/base/
```

You will then be prompted to make specific changes to the MySQL database. Don't worry, BASE will do it all for you  :Wink: 

After that page hit the "CREATE BASE AG" button to finish the database changes.

After that is all done, click on the link near the bottom that says "Goto main page to use the application".

That's all you should need to get this up and running.

For good measure restart mysql, snort, and apache.  

......................and its done.   :Cool: 

I'm sure I missed something silly in this doc.  It's such a pain trying to do the install and then document it.  :Razz: 

Please let me know if I missed anything. 

Please post comments, suggestions, corrections, free beer etc here  :Smile: 

----------

## QuietStorm

Thanks for this cool guide, I have been wanting to setup snort but was looking for a nice step by step guide for it.

And here it is!!  :Shocked:   :Surprised:   :Smile:   :Very Happy:   :Idea:   :Wink:   :Razz:   :Twisted Evil:   :Evil or Very Mad:     Thanks

----------

## aamonten

I'm going to install snort based on this tutorial, but I'm in doubt whether mysql 5 is necessary or if I can just use mysql 4

EDITED:

Well it does work with MySQL 4

regards

aamonten

----------

## aamonten

well it works nearly perfect,  it took less than an hour installing everything.

The only addition I had to do, was to change the permissions on /var/log/snort/alerts

And there is a little typo where you specify the path to the Adodb; it says

```
/usr/port/distfiles/adodb465.tgz  should be  /usr/[b]port[/b]/distfiles/adodb465.tgz
```

Regards and thank you.

----------

## exklusve

Corrected from /usr/port/distfiles to /usr/portage/distfiles

thanks

----------

## GentooBox

(I'm not currently sitting on a gentoo box)

I have a problem with this step:

 *Quote:*   

> Install some Pear stuff:
> 
>      pear install Image_Color
> 
>      pear install Log
> ...

 

I have no executable on my system called pear, where does it come from ?

----------

## takuan

Thanks for the how-to!

I've followed everything but am having problems with graphing

I know i installed all of the pear stuff but i get 

Error loading the Graphing library: 

Check your Pear::Image_Graph installation!

Image_Graph can be found here:at http://pear.veggerby.dk/. Without this library no graphing operations can be performed.

Is there anything you might have forgot to mention?

----------

## emnii

I've followed each step to the letter and I've encountered no problems whatsoever. But I'm running a strictly console-only installation. No X, Gnome, KDE, none of that. Is there a web browser that will properly display BASE's PHP files that is console-friendly?

----------

## jrittenh

I've got everything up and running, and it seems to be functioning properly...but when I go to view the logs in BASE, under "Signature", all I get is a number referencing the Sig_ID.  I'm currently in a class where we just installed and configured Snort and ACID, but we used 2.3.3 since that's what is "stable" in Gentoo (we didn't check to see if there was anything newer).  I'm not sure if my groupmates did anything specific to fix this problem or not, but I think they may have had to edit part of ACID to fix this.

What I've done so far:

I originally installed ACID, but ran into this problem, so I thought maybe the database structure changed between 2.3.3 and 2.4.3 somehow.  I tried uninstalling 2.4.3 and installing 2.3.3, and I tried installing 2.4.3 and BASE instead of ACID, but no matter what I do, I can't get it to display the Signature instead of the Sig_ID.  I'd prefer not to have to take the time and go through the BASE PHP code to find where this is happening.  Has anyone else seen this?

----------

## GentooBox

 *jrittenh wrote:*   

> I've got everything up and running, and it seems to be functioning properly...but when I go to view the logs in BASE, under "Signature", all I get is a number referencing the Sig_ID.  I'm currently in a class where we just installed and configured Snort and ACID, but we used 2.3.3 since that's what is "stable" in Gentoo (we didn't check to see if there was anything newer).  I'm not sure if my groupmates did anything specific to fix this problem or not, but I think they may have had to edit part of ACID to fix this.
> 
> What I've done so far:
> 
> I originally installed ACID, but ran into this problem, so I thought maybe the database structure changed between 2.3.3 and 2.4.3 somehow.  I tried uninstalling 2.4.3 and installing 2.3.3, and I tried installing 2.4.3 and BASE instead of ACID, but no matter what I do, I can't get it to display the Signature instead of the Sig_ID.  I'd prefer not to have to take the time and go through the BASE PHP code to find where this is happening.  Has anyone else seen this?

 

My first setup with this guide was fine, all the SIDs were translated correctly. But then another system administrator on the snort computer upgraded PHP and MySQL (from 4.x to 5.x) and I can also only see the SIDs now.

----------

## jrittenh

 *GentooBox wrote:*   

> My first setup with this guide was fine, all the SIDs were translated correctly. But then another system administrator on the snort computer upgraded PHP and MySQL (from 4.x to 5.x) and I can also only see the SIDs now.

 

I've found the problem.  MySQL 5.x apparently recognizes schema as a keyword.  In the BASE code there is a file BASE/includes/base_db.inc.php with two lines (lines 95 and 155 in version 1.2.1) that look like this:

```
$sql = "SELECT vseq FROM schema";
```

They should look like this:

```
$sql = "SELECT vseq FROM `schema`";
```

I used the accent rather than a single quote, but only because I saw it like that somewhere else.  I would assume MySQL would take single quotes as well, but I was in a hurry when I did it and didn't want to test both, so I just followed the example I saw.  That should fix it for you too.
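An added example, not part of BASE and not from the post above, that generalises this edit instead of patching two lines by hand: quote_identifier() wraps a name in backticks (doubling any embedded backtick, which is MySQL's escape for it), quote_reserved_tables() applies that to a bare table name after FROM, INTO, UPDATE, JOIN or a leading DESC/DESCRIBE when the name is a reserved word, fix_base_db_source() runs it over every double-quoted SQL string in a PHP file, and single_quoted_table_refs() spots the mistake the follow-up post describes, where 'schema' in single quotes is a string literal rather than an identifier. RESERVED is a short, deliberately partial list that covers the page's case; the function names are assumptions.

```python
"""Backtick-quote reserved-word table names in BASE's SQL strings.

Added example, not part of BASE or of the forum post it follows.
"""
import re

# Partial list of MySQL 5.x reserved words; "schema" is the one BASE 1.2.1 hits.
RESERVED = frozenset({
    "schema", "select", "from", "where", "table", "order", "group",
    "index", "key", "insert", "update", "delete", "join",
})

# A bare identifier after a table-position keyword (group 1), or after a
# DESC/DESCRIBE that starts the statement (group 2).
TABLE_REF_RE = re.compile(
    r"\b(?:FROM|INTO|UPDATE|JOIN)\s+([A-Za-z_]\w*)\b"
    r"|^\s*(?:DESC|DESCRIBE)\s+([A-Za-z_]\w*)\b",
    re.IGNORECASE)

# Same positions, but the name written as a single-quoted string literal.
SINGLE_QUOTED_RE = re.compile(
    r"(?:\b(?:FROM|INTO|UPDATE|JOIN)|^\s*(?:DESC|DESCRIBE))\s+'([^']*)'",
    re.IGNORECASE)


def quote_identifier(name):
    """Return name as a backtick-quoted MySQL identifier."""
    return "`" + name.replace("`", "``") + "`"


def quote_reserved_tables(sql):
    """Backtick-quote reserved table names; already-quoted names are left alone."""
    def fix(match):
        name = match.group(1) or match.group(2)
        if name.lower() in RESERVED:
            # group(0) ends with the name, so keep the keyword and spacing as written
            return match.group(0)[:-len(name)] + quote_identifier(name)
        return match.group(0)
    return TABLE_REF_RE.sub(fix, sql)


def single_quoted_table_refs(sql):
    """Return table names written as 'name', which MySQL reads as strings."""
    return SINGLE_QUOTED_RE.findall(sql)


def fix_base_db_source(php_source):
    """Apply quote_reserved_tables() to every double-quoted string in PHP source."""
    return re.sub(r'"([^"]*)"',
                  lambda m: '"' + quote_reserved_tables(m.group(1)) + '"',
                  php_source)
```

Run fix_base_db_source() over base_db.inc.php and diff the result against the original before replacing the file; with the partial RESERVED list it touches exactly the `schema` references, and extending the list is the only change needed for other reserved names.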

----------

## GentooBox

 *jrittenh wrote:*   

>  *GentooBox wrote:*   My first setup with this guide was fine, all the SIDs were translated correctly. But then another system administrator on the snort computer upgraded PHP and MySQL (from 4.x to 5.x) and I can also only see the SIDs now. 
> 
> I've found the problem.  MySQL 5.x apparently recognizes schema as a keyword.  In the BASE code there is a file BASE/includes/base_db.inc.php with two lines (lines 95 and 155 in version 1.2.1) that look like this:
> 
> ```
> ...

 

Thanks, I will try it tomorrow

----------

## jrittenh

 *jrittenh wrote:*   

> 
> 
> ```
> $sql = "SELECT vseq FROM `schema`";
> ```
> ...

 

Another note...using a regular single quote DOES NOT work.  I tested a query (desc 'schema') and it threw the same error it throws without the quotes.  If you're using MySQL 5.x and you can't see more than the SigIDs, make sure you put accents (`) around any occurrence of schema rather than single quotes (').

----------

## ]Trix[

This doesn't work for me!

I just nmaped myself from a remote host and nothing gets logged....

IPtables reports all scans but snort doesn't do anything.

----------

## ]Trix[

I really don't get it, why doesn't it log any events? Everything should work according to many sources but it doesn't. What am I missing?

Anyone had the same experience?

----------

## thecooptoo

To get mine to work properly

```
$BASE_urlpath = "mybox.mydomain.com/base";
```

has to be just the relative path, i.e.

```
$BASE_urlpath = "/base";
```

I'm having problems at this stage, anyone know the answer?

```
grenada snort # pear install Image_Color
downloading Image_Color-1.0.2.tgz ...
Starting to download Image_Color-1.0.2.tgz (7,724 bytes)
.....done: 7,724 bytes
'gd' PHP extension is not installed
Image_Color: Dependencies failed
```

but I've got

```
grenada snort # emerge -p media-libs/gd
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild   R   ] media-libs/gd-2.0.33
grenada snort #
```

----------

## kidgloves

 *thecooptoo wrote:*   

> To get mine to work properly
> 
> ```
> $BASE_urlpath = "mybox.mydomain.com/base";
> ```
> 
> has to be just the relative path, i.e.
> 
> ```
> $BASE_urlpath = "/base";
> ```

 

I had to make the same change, other than that, everything went smoothly.  Thanks for the excellent doc.

----------

## Suicidal

If you have a really busy network like I do, BASE, just like ACID, can start to get really slow over time because of it trying to refresh the alert, IP and whois cache. 

The following cron works real nice for me and keeps BASE running smoothly.

First copy base_maintenance.pl from the scripts directory and create the following cron jobs.

```
/root/crons/base_maintenance.pl ualert
/root/crons/base_maintenance.pl uip
/root/crons/base_maintenance.pl uwhois
```

----------

## cshepherd

 *thecooptoo wrote:*   

> 
> 
> I'm having problems at this stage, anyone know the answer?
> ...

 

You also need php compiled with the gd use flag.

```
emerge -pv dev-php/php
```

(Replace with dev-lang/php if that's what you're using)

should show you if it's been compiled with gd, otherwise recompile.

Hopefully that fixes it.

----------

## tukachinchila

Thanks for the ACID and BASE guides. One correction you might consider is changing the old ACCEPT_KEYWORDS method. You shouldn't use ACCEPT_KEYWORDS on the command line anymore.

 *exklusve wrote:*   

> 
> 
> ```
> 
> ACCEPT_KEYWORDS="~x86" emerge mysql
> ...

 

If you have to use an unstable package, the newer solution is: 

```
echo "dev-db/mysql ~x86" >> /etc/portage/package.keywords

emerge mysql
```

If anyone's interested, I've written a BASE ebuild that might help with the installation process. It installs all the dependencies for you (including all of the PEAR libraries like Image_Graph), so it will at least save you from having to type "pear install..." over and over. It also sets up the base_conf.php file for you, so all you have to do is change the default password to whatever you set your Snort password to. It should improve security a little as well, by moving base_conf.php from the web-root to /etc/base so it won't accidentally display your database password to web visitors.

To use the ebuild, you have to first setup a portage overlay if you haven't already.  Add the following to /etc/make.conf: 

```
PORTDIR_OVERLAY="/usr/local/portage"
```

 Then: 

```
mkdir -p /usr/local/portage/net-analyzer/base

cd /usr/local/portage/net-analyzer/base

wget http://home.comcast.net/~travis.post/base-1.2.2.ebuild

ebuild base-1.2.2.ebuild digest

emerge base
```

----------

## Vanquirius

tukachinchila's ebuild is now available as net-analyzer/base. It's currently in package.mask. Please give it a try.

----------

## Stino85

Got it working using the ebuild, thanks for that one!

----------

## czo

Great how-to... thx

----------

## eroth

Great guide...it's helped me get everything up and running.

A few quick notes though, as the guide might be a bit dated:

1.  The Pear libraries should be installed via portage (i.e. emerge -av --oneshot dev-php/PEAR-Numbers_Roman) or pulled in directly from the packages requiring them, which I suppose is the new gentoo way rather than the pear command line.  I had to add the following to /etc/portage/package.keywords:

```
dev-php/PEAR-Image_Canvas ~x86

dev-php/PEAR-Image_Color ~x86

dev-php/PEAR-Image_Graph ~x86

dev-php/PEAR-Numbers_Roman ~x86
```

2.  Some users may need to edit /etc/conf.d/snort...as I had to.  It defines eth0 as the listener interface, but in some cases this may not be true.  As I've got to deal with pppoe, I needed to change that to ppp0.  But I assume it would be the same for someone on wlan0, ath0, or whatever else...

3.  When I emerged Base, I followed the instructions regarding base_conf.php.  I assume there is a newer ebuild in portage than what you based your guide upon...as I've got net-analyzer/base-1.2.2-r1.  In any case, this ebuild installed /etc/base/base_conf.php.  So when I edited the one in htdocs and started getting errors loading the script...I was sent on a wild goose chase.

4.  (*Optional*)  After setting everything up, from the admin panel, you should really create a role and then a user.  Then go back into /etc/base/base_conf.php and set $Use_Auth_System = 1;.  

So anyway, hope that advice may be able to help anyone who might get stuck a bit.  Thanks again for the great guide!

----------

## carpman

Hello, I have got into the habit of using package.use instead of make.conf for keywords, using make.conf only for very basic ones.

My question is of the use flags you gave which ones apply to which package?

 *Quote:*   

> 
> 
> USE=gd jpeg png hardenedphp apache2 innodb php perl mysql hardened"

 

cheers

----------

## jhybinette

I thought if you are going to use the hardened flag, you have to build a hardened system first, like setting the flags using ufed

hardened erandom pic

then reemerge gcc and glibc

then emerge -e world 

then rebuild the kernel and enable pax etc etc etc

If you don't do this the hardened flag may back fire on you

Johan

----------

## Khan

Trying this only resulted in blocks due to mod_php and php. And using "pear install Log" only produces the following error: PEAR_Remote: authorization required, please log in first

Does anyone have any idea how to get the Pear modules installed so that I can generate graphing? Thanks.

 *eroth wrote:*   

> Great guide...it's helped me get everything up and running.
> 
> A few quick notes though, as the guide might be a bit dated:
> 
> 1.  The Pear libraries should be installed via portage (ie. emerge -av --oneshot dev-php/PEAR-Numbers_Roman) or pulled in directly from the packages requiring them, which i suppose is the new gentoo way rather than the pear command line.  I had to add the following to /etc/portage/package.keywords:
> ...

 

----------

## atmat

when I start snort I get this weird error

```
Apr 11 19:26:22 [snort] FATAL ERROR:  unknown preprocessor "http_decode"
```

I did not look at the docs yet. No time, anyone knows what this "http_decode" thing is? Sorry for asking, no time to look around google  :Sad:  I'll be on line again tonight.. if someone posts here the answer ok, otherwise I'll take a deeper look at snort.

thnx and sorry for the quick post.

bye

----------

## blackcell

use http_inspect instead of http_decode

----------

## carpman

Hello, ok going to go ahead and try this using following package.use

```
media-libs/gd jpeg png
dev-lang/php -* apache2 dba cgi cli ctype crypt curl gd jpeg mysql pear pcre pcntl png pdo-external session sockets spell tiff truetype xml xml2 xsl zlib
net-www/apache apache2 mpm-prefork
net-analyzer/snort mysql
net-analyzer/base apache2 gd mysql vhosts
dev-db/mysql innodb session
```

Not using hardened setup so don't need harden use flag.

Anyone see any problems with this setup?

cheers

----------

## wschalk

Hi,

I am trying to install BASE on PHP5 but here's the error message I am getting:

```
# emerge -vp net-analyzer/base

These are the packages that I would merge, in order:

Calculating dependencies \
!!! All ebuilds that could satisfy ">=dev-php4/jpgraph-1.19" have been masked.
!!! One of the following masked packages is required to complete your request:
- dev-php4/jpgraph-1.20.2 (masked by: ~x86 keyword)
- dev-php4/jpgraph-1.19 (masked by: ~x86 keyword)
For more information, see MASKED PACKAGES section in the emerge man page or
refer to the Gentoo Handbook.
!!!    (dependency required by "net-analyzer/base-1.2.4" [ebuild])
```

So my problem is if I unmask jpgraph in dev-php4 it wants to install PHP4 which I don't use. Any ideas how to stick with PHP5 but install BASE successfully?

Thank you.

Best regards,

Werner

----------

## carpman

 *wschalk wrote:*   

> Hi,
> 
> I am trying to install BASE on PHP5 but here's the error message I am getting:
> 
> # emerge -vp net-analyzer/base
> ...

 

Here is my package.keywords that I use to install with php5

```
dev-php5/pecl-apc
www-apps/phpsysinfo
dev-php/smarty
dev-php5/jpgraph ~x86
dev-php5/pecl-pdo
dev-php/PEAR-Image_Canvas ~x86
dev-php/PEAR-Image_Color ~x86
dev-php/PEAR-Image_Graph ~x86
dev-php/PEAR-Numbers_Roman ~x86
net-analyzer/base
```

----------

## emily87

Great how-to

Thank you  :Smile: 

----------

## wschalk

Hi,

thanks for the instructions on base and PHP5. When I try to install it on my system I get the following error message during the installation of PEAR_Image_Color:

```
>>> Install PEAR-Image_Color-1.0.2 into /var/tmp/portage/PEAR-Image_Color-1.0.2/image/ category dev-php
/usr/portage/eclass/php-pear-r1.eclass: line 68: pear: command not found
!!! ERROR: dev-php/PEAR-Image_Color-1.0.2 failed.
!!! Function php-pear-r1_src_install, Line 68, Exitcode 127
!!! Unable to install PEAR package
!!! If you need support, post the topmost build error, NOT this status message.
```

In which package is the "pear" command?

Cheers,

Werner.

----------

## iverasp

I can't seem to get remote logging working. The plan is to use my linux router as the snort host, and my main server as the web- and mysqlserver. Been working on it for a while now. First snort complained about missing libmysqlclient* libraries, so I finally had to emerge mysql on the router. Then I had to change the my.cnf on the main server to allow other IPs to connect to the mysqlserver. Then the authentication method was outdated or something on the router, so I had to figure that out. Now I can connect with mysql -h 192.168.1.40 -u snort -p and get access to the remote mysqlserver, but snort still won't work. Here's the line I changed in snort.conf:

```
output database: log, mysql, user=snort password=secretpass dbname=snort host=192.168.1.40
```

When running /etc/init.d/snort start it says [ OK ], but the program doesn't run. When doing snort -i eth0 -c /etc/snort/snort.conf I get the following:

```
(..lots of text..)
X-Link2State Config:
    Ports: 25 691
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = 192.168.1.40
database:   sensor name = 192.168.1.1
Illegal instruction
```

mysql is running on the default port btw.

Does anyone have a clue of what needs to be fixed?

Thanks

----------

## phoric

I used this guide but am getting the following error when trying to access http://localhost/base ...

```
Database ERROR:Database ERROR:Table 'snort.base_users' doesn't exist
```

I double-checked the MySQL tables as suggested in the guide:

```
mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
16 rows in set (0.00 sec)
```

----------

## phoric

The tutorial must be a little out of date now, as I am using base 1.2.5. I solved my own problem by browsing to:

http://localhost/base/setup/

This loaded a setup wizard of sorts, that will create the necessary tables for you. After that BASE seems to be working now for me. Probably should add this to the tutorial.

----------

## kare

My snort database becomes very big. Is there a script to delete old records?

----------

## echo6

This howto is getting dated,  there is a Wiki which may be of assistance http://gentoo-wiki.com/HOWTO_Apache2_with_BASE

----------

## kernelOfTruth

 *echo6 wrote:*   

> This howto is getting dated,  there is a Wiki which may be of assistance http://gentoo-wiki.com/HOWTO_Apache2_with_BASE

 

that wiki, this howto & the tips mentioned above helped me install it successfully thanks to everyone involved   :Very Happy: 

I got error-messages in the beginning but re-emerging php, adodb, apache2 1-2 times & etc-update made it finally work   :Rolling Eyes: 

----------

## [ToXiC]

This post has been quiet for a while but for anyone still out there reading this:

When I started base and then went to configure the backend I got this message:

"Fatal error: Call to undefined function session_start() in /var/www/localhost/htdocs/base/base_conf.php on line 20"

Anyone?

----------

## sLumpia

^ Have you tried enabling the session USE flag for dev-lang/php?

----------

## guinness.stout

Just wanted to add an update for those trying to follow this howto today.

 *Quote:*   

> 
> 
> Snort
> 
> net-analyzer/snort-2.4.3
> ...

 

Should be

```
EXTRA_ECONF="--enable-dynamicplugin" emerge snort
```

Dynamic plugins did not seem to emerge when I ran the other command.  If these are not installed you will see something similar to the errors below in your /var/log/messages.

```
Dec 29 12:07:50 copper snort[27286]: /etc/snort/snort.conf(573) unknown dynamic preprocessor "ftp_telnet"
Dec 29 12:07:50 copper snort[27286]: /etc/snort/snort.conf(577) unknown dynamic preprocessor "ftp_telnet_protocol"
Dec 29 12:07:50 copper snort[27286]: /etc/snort/snort.conf(591) unknown dynamic preprocessor "ftp_telnet_protocol"
Dec 29 12:07:50 copper snort[27286]: /etc/snort/snort.conf(596) unknown dynamic preprocessor "ftp_telnet_protocol"
Dec 29 12:07:50 copper snort[27286]: /etc/snort/snort.conf(622) unknown dynamic preprocessor "smtp"
Dec 29 12:07:50 copper snort[27286]: /etc/snort/snort.conf(777) unknown dynamic preprocessor "dcerpc"
Dec 29 12:07:50 copper snort[27286]: /etc/snort/snort.conf(795) unknown dynamic preprocessor "dns"
```

 *Quote:*   

> 
> 
> Now we need to create the database structure for snort by issuing this command:
> 
> Code:
> ...

 

Should be

```
bzcat /usr/share/doc/snort-2.6.1.3-r1/schemas/create_mysql.bz2 | mysql -p snort
```

Additionally I had to edit my /etc/snort/snort.conf to point to the dynamicplugins directory.  This was line 197 for me.  You should be able to run ls on /usr/lib/snort_dynamicpreprocessor and see several lib files.

```
dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
```

BASE

To get BASE up and running I had to edit the following files.

This must point to your base_conf.php file which is in /var/www/localhost/htdocs/base

```
base_path.php
```

This must contain your snort DB and your snort archive DB, make sure you set the password for both, this got me hung up for a minute until I scrolled further down the conf file and saw another DB config to set.

```
base_conf.php
```
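The start-up failures quoted in this thread all surface as one-line messages in /var/log/messages: the guide's "Unable to open rules file" FATAL ERROR, atmat's "unknown preprocessor http_decode" and the "unknown dynamic preprocessor" lines above. Here is an added example, not from the guide, from Snort or from any poster, that scans a log excerpt for those snort messages and maps each to the fix the thread gives, and also reports the "initialization completed successfully" line that marks a good start. SAMPLE_LOG is constructed from the lines quoted in the thread; the script name, the KNOWN_FAILURES wording and the handling of the "[snort]" prefix form are assumptions.

```python
"""Triage Snort start-up messages from /var/log/messages.

Added example, not part of the guide or of Snort. Usage on a live box:
    python snort_triage.py /var/log/messages
Without an argument it runs over the constructed SAMPLE_LOG below.
"""
import re
import sys

# Two syslog prefix forms appear in the thread: "snort[1234]:" and "[snort]".
SNORT_LINE_RE = re.compile(r"(?:snort\[(\d+)\]:|\[snort\])\s*(.*)$")
SUCCESS_RE = re.compile(r"Snort initialization completed successfully \(pid=(\d+)\)")

# (pattern, diagnosis, fix as given in the thread). The pattern's last
# capture group, if any, becomes the finding's detail (rules path or
# preprocessor name).
KNOWN_FAILURES = [
    (re.compile(r"FATAL ERROR: Unable to open rules file: (\S+)"),
     "rules file missing",
     "download the rules into /etc/snort/rules, run '/etc/init.d/snort zap', "
     "then start snort again"),
    (re.compile(r'unknown preprocessor "http_decode"'),
     "obsolete preprocessor in snort.conf",
     "replace http_decode with http_inspect in snort.conf"),
    (re.compile(r'snort\.conf\((\d+)\) unknown dynamic preprocessor "(\w+)"'),
     "dynamic preprocessor not built",
     "build snort with dynamic plugins and set 'dynamicpreprocessor directory "
     "/usr/lib/snort_dynamicpreprocessor/' in snort.conf"),
]

# Constructed sample assembled from the messages quoted in this thread,
# plus one unrelated line to show that non-snort entries are ignored.
SAMPLE_LOG = """\
Dec 29 12:07:40 copper snort[25905]: FATAL ERROR: Unable to open rules file: /etc/snort/rules/local.rules or /etc/snort//etc/snort/rules/local.rules
Dec 29 12:07:45 copper [snort] FATAL ERROR:  unknown preprocessor "http_decode"
Dec 29 12:07:50 copper snort[27286]: /etc/snort/snort.conf(573) unknown dynamic preprocessor "ftp_telnet"
Dec 29 12:07:50 copper snort[27286]: /etc/snort/snort.conf(622) unknown dynamic preprocessor "smtp"
Dec 29 12:07:50 copper sshd[400]: Accepted publickey for admin
Dec 29 12:08:02 copper snort[26024]: Snort initialization completed successfully (pid=26024)
"""


def triage(log_text):
    """Return {"findings": [...], "started_pids": [...]} for a log excerpt."""
    findings, started = [], []
    for line in log_text.splitlines():
        m = SNORT_LINE_RE.search(line)
        if not m:
            continue                      # not a snort message
        pid = int(m.group(1)) if m.group(1) else None
        msg = m.group(2)
        ok = SUCCESS_RE.search(msg)
        if ok:
            started.append(int(ok.group(1)))
            continue
        for pattern, diagnosis, fix in KNOWN_FAILURES:
            hit = pattern.search(msg)
            if hit:
                detail = hit.group(hit.lastindex) if hit.lastindex else ""
                findings.append({"pid": pid, "diagnosis": diagnosis,
                                 "detail": detail, "fix": fix})
                break
    return {"findings": findings, "started_pids": started}


def needed_fixes(result):
    """Unique fixes in first-seen order, so each is printed once."""
    seen, fixes = set(), []
    for f in result["findings"]:
        if f["fix"] not in seen:
            seen.add(f["fix"])
            fixes.append(f["fix"])
    return fixes


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = triage(text)
    for f in result["findings"]:
        print(f"{f['diagnosis']}: {f['detail']}".rstrip(": "))
    for fix in needed_fixes(result):
        print("fix: " + fix)
    for pid in result["started_pids"]:
        print(f"snort started ok (pid={pid})")
```

Seven "unknown dynamic preprocessor" lines collapse to one fix because needed_fixes() dedupes by fix text; new messages go into KNOWN_FAILURES as another (pattern, diagnosis, fix) row.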

----------

## yoosty69

Another update for those interested in setting this up..

I just installed snort-2.8.3.1 (needs to be unmasked) and base-1.4.1 and it seems to be working fine. A few notes about USE flags for the packages:

*) snort-2.8.3.1 doesn't like having ipv6 enabled 

*) snort-2.8.3.1 has a USE flag for dynamic plugins

*) base-1.4.1 uses the ctype functions from php for graphing, so php should have the ctype USE flag enabled

Here's the relevant part of my /etc/make.conf (I doubt kerberos is strictly necessary):

```
USE="-X -gtk apache2 ctype dynamicplugin gd kerberos mysql xml"
```

I disabled ipv6 for snort in /etc/portage/package.use:

```
net-analyzer/snort   -ipv6
```

Other than that, following the 1st post and the notes from guinness.stout got me through the setup! Thanks guys!

----------

## indica

thx mate,

took a little tweaking with the versions of PEAR apps but it was a great HOWTO!

got everything up and running in about an hour, now to just to get snort tweaked and some more of the rules running!

thx again!

-Todd

----------

## Killerchronic

PEAR packages are installed via portage now once base was unmasked. 

Already had apache, php and mysql setup and running fine so can't comment on the guide for that.

Only thing I really had to change was the path in base_path.php as it wasn't pointing to any base_conf.php.

Other than that were no obvious flaws, surprised me really, most gentoo Guides go out of date in no time  :Smile: 

Thanks.

----------

