How to install Snort and AcidBase GUI

I needed to install Snort and a nice GUI for it for one of my projects. I have used a virtual machine running Debian 7. I have followed some tutorials but none of them helped me install everything successfully. I ran into some weird errors but I managed to fix them.

Basically, the software needed to put a nice front-end on the IDS of choice (Snort) is:

– apache2 (web server), php5 (the language the front-end is written in), mysql (the database Snort logs to), phpmyadmin (web GUI for the database, optional but handy)

– snort (what good is a front-end without a backend?), snort-mysql (makes Snort log to MySQL), acidbase (BASE, the Basic Analysis and Security Engine, which reads the alerts back out of the database)

Walkthrough

Installing the base server (apache, php, mysql) and configuring mysql

# login as root

  • su -

# install the server and all necessary software

  • apt-get install apache2 php5 php5-mysql mysql-server phpmyadmin

# log in to mysql as root

  • mysql -u root -p

# create the database that snort will log to

  • create database snort;

# the first statement selects the snort database (only needed if you want to issue further statements against it); the second creates a new mysql user that has control over the snort database (on MySQL 5.5 GRANT ... IDENTIFIED BY creates the account if it does not exist yet)

  • use snort;
  • GRANT ALL PRIVILEGES ON snort.* TO '<user>'@'localhost' IDENTIFIED BY '<password>' WITH GRANT OPTION;

Note that neither Snort nor BASE needs WITH GRANT OPTION (it lets the snort account hand out privileges on the database to other accounts), so it is safer to leave it off, and to grant only the statements the two programs actually use instead of ALL PRIVILEGES.

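The same provisioning as a script, with a least-privilege grant instead of ALL PRIVILEGES ... WITH GRANT OPTION. This is an added example for this walkthrough, not code from the original post or from the Snort/BASE packages; it assumes MySQL 5.5 as shipped with Debian 7 (where GRANT creates the account), and the script name and the choice of host default are mine.

```shell
#!/bin/sh
# provision_snort_db.sh: create the snort database and a least-privilege
# MySQL account shared by Snort and BASE.
# Added example for the walkthrough (not the original post's code).
# Assumes MySQL 5.5 (Debian 7): GRANT ... IDENTIFIED BY creates the account.
#
# Usage: sh provision_snort_db.sh <user> <password> [host]
#        (you are prompted for the MySQL root password)

# Escape a value for use inside a single-quoted SQL string literal.
# MySQL reads '' as a literal quote and \ as an escape character, so
# double both; otherwise a password containing ' breaks the GRANT.
sql_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# Print the provisioning SQL for <user> <password> [host].
# Snort's database output plugin inserts alert rows and updates the sensor
# table; BASE creates its own acid_* tables (base_db_setup.php) and deletes
# or archives alerts. CREATE, INSERT, SELECT, DELETE and UPDATE on snort.*
# cover all of that, so ALL PRIVILEGES and WITH GRANT OPTION are left out.
snort_db_sql() {
    user=$(sql_quote "$1")
    pass=$(sql_quote "$2")
    host=$(sql_quote "${3:-localhost}")
    cat <<EOF
CREATE DATABASE IF NOT EXISTS snort;
GRANT CREATE, INSERT, SELECT, DELETE, UPDATE ON snort.* TO '$user'@'$host' IDENTIFIED BY '$pass';
FLUSH PRIVILEGES;
EOF
}

# Feed the SQL to the server as root. -p without a value makes mysql prompt,
# so the root password never lands on the command line or in shell history.
provision_snort_db() {
    snort_db_sql "$@" | mysql -u root -p
}

if [ "$#" -ge 2 ]; then
    provision_snort_db "$@"
fi
```

Run it as sh provision_snort_db.sh snort 'snortpass' to get exactly the account the rest of the walkthrough uses, and put the same user and password into /etc/snort/database.conf and /etc/acidbase/database.php afterwards.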
Linking Snort to the database using snort-mysql

# install the snort-mysql package

  • apt-get install snort-mysql

You will be prompted for your address range: enter the network Snort should treat as its home network (HOME_NET), in CIDR notation. My snort machine's IP is 10.165.1.29, so the range covers that subnet, as below:

[screenshot: the snort-mysql address range prompt]

Next you will probably see a message like "No database has been set up for Snort to log to". Don't worry about that; we will do it later.

# edit the snort.conf file so that it communicates properly with the mysql server

  • nano /etc/snort/snort.conf

This is how the DAQ section is configured on my machine. daq_dir must point at the directory that holds the DAQ module shared objects, so adjust the path below to your own system:

# Configure DAQ related options for inline operation. For more information, see README.daq
#
config daq: pcap
config daq_dir: /home/victor/test/
config daq_mode: passive
#config daq_var: <var>
#
# <type> ::= pcap | afpacket | dump | nfq | ipq | ipfw
# <mode> ::= read-file | passive | inline
# <var> ::= arbitrary <name>=<value> passed to DAQ
# <dir> ::= path as to where to look for DAQ module so’s

Next comes the database output. As the comment in snort.conf says, on Debian systems this lives in a separate file, so that is the file we edit:

# database
# output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host$
# output database: log, <db_type>, user=<username> password=<password> test dbname=<name> host=<$
#
# On Debian Systems, the database configuration is kept in a separate file:
# /etc/snort/database.conf.
# This file can be empty, if you are not using any database information
# If you are using databases, please edit that file instead of this one, to
# ensure smoother upgrades to future versions of this package.
include database.conf

  • nano /etc/snort/database.conf

I have added the following line (the user and password must match the mysql account created earlier):

output database: log, mysql, user=snort password=snortpass dbname=snort host=localhost

Since database.conf holds the password in clear text, check that it is owned by root:snort with mode 640, like the package's snort.conf, so that only root and the snort user can read it.

# build database structure (that one that snort-mysql was talking about when you install snort-mysql)

cd /usr/share/doc/snort-mysql/

zcat create_mysql.gz | mysql -u snort -h localhost -p snort

# verify that the tables were created in the snort database (you should see the schema's tables, such as event, signature and sensor)

mysql -u root -p

use snort;

show tables;

Installing acidbase

# I couldn't install the required packages directly, so I had to add the Debian squeeze repository. You should also do this if you're installing on an Ubuntu/Debian release that no longer carries the acidbase package. Edit /etc/apt/sources.list and add "deb http://ftp.dk.debian.org/debian squeeze main" without the quotation marks, on a separate line (instead of dk use your own country code so you get packages from a physically closer mirror). Once acidbase is installed, comment that line out again and run apt-get update, so that later upgrades cannot pull older squeeze versions of other packages.

# fetch repository info

  • apt-get update

# install acid base

  • apt-get install libphp-adodb acidbase

# add acidbase to the apache configuration: edit the virtual host that serves the site (on Debian 7 the default one is /etc/apache2/sites-available/default) and add "Include /etc/acidbase/apache.conf" without the quotation marks, before the closing </VirtualHost> tag

# restart Apache (or the whole machine) for the modification to take effect

  • reboot

# the default settings in /etc/acidbase/apache.conf disallow any connection except from 127.0.0.1, so let's allow connecting from the network by editing that file and adding our network's IP range and subnet mask. Keep the range as narrow as you can (the workstations that need the console): BASE shows every alert Snort has logged and, in its default configuration, has no login of its own.

  • nano /etc/acidbase/apache.conf

[screenshot: the Allow from line added to apache.conf]
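What that edit looks like, as an added illustration rather than a copy of the package's file (the surrounding lines in your apache.conf may differ; the point is the Allow from directive). Debian 7 ships Apache 2.2, so the access control uses Order/Deny/Allow syntax. The 10.165.1.0/24 network is an assumption based on the 10.165.1.29 address above; substitute the admin network that should reach the console, and do not use Allow from all.

```apache
<Directory /usr/share/acidbase>
  Options FollowSymLinks
  AllowOverride None
  Order deny,allow
  Deny from all
  # shipped default: loopback only
  Allow from 127.0.0.0/255.0.0.0 ::1/128
  # added: the admin network only (assumed here to be 10.165.1.0/24)
  Allow from 10.165.1.0/24
</Directory>
```

Because Order deny,allow evaluates the Deny line first and then the Allow lines, every address not listed in an Allow stays blocked; a client from another subnet gets the 403 Forbidden page rather than the alert console.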

# restart apache so that the changes will take place

  • /etc/init.d/apache2 restart

Open a browser and visit http://127.0.0.1/acidbase/base_db_setup.php . Click the Create BASE AG button; this creates the extra tables BASE needs in the snort database. Now go to http://127.0.0.1/acidbase/base_main.php

Errors you may encounter

Access denied for user <user>@localhost

[screenshot: BASE access denied error]

In this case the mysql user hasn't been created correctly or doesn't have the proper privileges on the database. Check that the credentials in /etc/acidbase/database.php are correct, and test the same user and password from the shell with mysql -u <user> -p -h localhost snort: if that fails too, fix the GRANT; if it works, the problem is in database.php. If everything seems fine but you still get the error, temporarily changing the user and password in database.php to root and the root password tells you whether the account is the problem. Treat that as a diagnostic step only and put the dedicated account back afterwards, since the web application would otherwise run with full control of the database server. After any change, restart apache so that it takes effect.

Forbidden when you try to access acidbase on localhost

[screenshot: Apache 403 Forbidden page]

You are probably trying to connect to "localhost" in your browser, which does not match the Allow from addresses in apache.conf. Try the loopback address (127.0.0.1) or your network address.

Nothing is happening in the acidbase GUI

Snort isn't running, or isn't logging properly to the database, or both. Check /etc/snort/snort.conf and /etc/snort/database.conf for the proper credentials, and look in /var/log/syslog for Snort's start-up errors. Run the following command to start snort, then wait a minute or so and look in the acidbase GUI again:

/usr/sbin/snort -i eth0 -c /etc/snort/snort.conf &

This runs Snort as root in the background of your shell; on Debian the packaged way is /etc/init.d/snort start, which daemonises it and runs it as the unprivileged snort user. An empty console can also simply mean that no rule has fired yet, so generate some traffic that matches an enabled rule before assuming the logging is broken.
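A small health check that walks the chain in the order the three errors above suggest: is there an active output line, is snort running, do its credentials open the database, and has anything been logged. This is an added example for this walkthrough, not code from the original post or from the Snort/BASE packages. It assumes the Debian layout used above (the output database line in /etc/snort/database.conf), and the script name, the DB_CONF override and the "check" argument are my own conventions.

```shell
#!/bin/sh
# snort_health.sh: check the Snort -> MySQL -> BASE chain when the console
# stays empty. Added example for the walkthrough (not the original post's
# code). Assumes the "output database:" line is in /etc/snort/database.conf.
#
# Usage: sh snort_health.sh check

DB_CONF=${DB_CONF:-/etc/snort/database.conf}

# Pull one key=value field (user, password, dbname or host) out of the first
# uncommented "output database:" line of a database.conf file.
db_field() {   # db_field <file> <key>
    grep -v '^[[:space:]]*#' "$1" | grep 'output database:' | head -n 1 |
        tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Run one SQL statement against the snort database with the credentials from
# database.conf. The password is passed through a mode-600 options file
# rather than -p<password>, so it does not show up in ps output or history.
snort_sql() {  # snort_sql <statement>
    user=$(db_field "$DB_CONF" user)
    pass=$(db_field "$DB_CONF" password)
    db=$(db_field "$DB_CONF" dbname)
    host=$(db_field "$DB_CONF" host)
    tmp=$(mktemp) || return 1
    chmod 600 "$tmp"
    printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' \
        "$user" "$pass" "${host:-localhost}" > "$tmp"
    mysql --defaults-extra-file="$tmp" -N -s -e "$1" "$db"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Walk the chain and stop at the first broken link.
check() {
    if [ -z "$(db_field "$DB_CONF" user)" ]; then
        echo "no active 'output database:' line in $DB_CONF"; return 1
    fi
    if pgrep -x snort >/dev/null; then
        echo "snort is running"
    else
        echo "snort is NOT running (start it and check /var/log/syslog)"; return 1
    fi
    if ! snort_sql 'SELECT 1' >/dev/null; then
        echo "cannot log in to MySQL with the credentials in $DB_CONF"; return 1
    fi
    n=$(snort_sql 'SELECT COUNT(*) FROM event')
    echo "events logged so far: $n"
    if [ "$n" -eq 0 ]; then
        echo "snort has logged nothing yet; send traffic that matches an enabled rule and re-run"
    fi
}

case "${1:-}" in
    check) check ;;
esac
```

If the script gets as far as the event count and it keeps growing while BASE still shows nothing, the remaining suspect is /etc/acidbase/database.php pointing at a different database or account than database.conf.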

Resources for this walkthrough: