snort installation on freebsd issues

i'm following the, "How to setup and secure Snort, MySQL and Acid on FreeBSD 4.6 Release" off of the snort.org website.

in the documentation it says snort should be installed through the following:

-----
make -DWITH_MYSQL -DWITH_FLEXRESP ; make install
-----

later it says to do the following:

-----
/usr/local/bin/mysql -p < /usr/ports/security/snort/work/snort-1.8.6/control create_mysql snort
-----

the problem is this, there is no "work/snort-1.8.6/create_mysql snort" under "/usr/ports/security/snort".

does anyone know what to do about this?

You simply find the file:

create_mysql_snort

or whatever the file name is and then do the same thing as instructed:

/usr/local/bin/mysql -p < /path/to/this/file/create_mysql_snort 

I already tried that. The file can't be located anywhere.

I didn't know that the ports directory would have anything other than: Makefile, Distinfo, pkg-comment, pkg-descr, pkg-plist

My suggestion would be to go to the Snort web site and join a Snort support group and ask for a copy of the file.

I assume you have seen this document on configuring Snort?

http://www.snort.org/docs/FreeBSD46RELEASE-Snort-MySQLVer1-2.pdf

Also,

Might be some clues here:

http://www.sans.org/rr/intrusion/ACID.php

Here is a link to the Snort support lists:

http://www.snort.org/lists.html

Here is a Snort support archives search result with keywords "configure mysql" :

http://marc.theaimsgroup.com/?l=snort-users&w=2&r=1&s=configure\+mysql&q=b

the resolution was a simple one.

i needed to enter the following command within /usr/ports/security/snort

make expand

this gave me all the directories that were needed.

now i'm having another issue.

when i try to start apache the way they want me to, apachectl start (or restart), i get the following error:

/usr/local/sbin/apachectl start: httpd could not be started

i have no clue where to begin. i checked the path in the script to see if it was pointing to the proper location for httpd, and it is. so i'm completely confused.

The key to starting apache is a properly configured httpd.conf file, normally located in /usr/local/apache/etc

I just double checked on my FreeBSD 4.5 system and found httpd.conf under /usr/local/etc/apache/.

Interesting, in the apache configs I've worked with they install under a single tree with the root at /usr/local/apache .... including configuration files, log files, documents, etc.

Thanks for clarifying on how your system has been configured.

alright... i took a look at the config file. i really don't know how to read it... but things seemed to be in order.

i then looked at the example again and noticed something in their hosts file.

i changed the generic alias of 127.0.0.1 to something else, re-ran apachectl and things worked.

but, now, another problem has arisen. do mozilla and ie 6 support php? because when i open the webpage, i don't get a webpage, i just get a list of code.

PHP / HTML is supported in the Web server, not the browser/clients. You must configure your server to work with PHP. That is not trivial and can take a lot of work!

I suggest a good book on PHP and Apache, or search the web with Google for step-by-step instructions.

is this tutorial misleading then? it doesn't mention any complex configuration with php and apache.

it asks that you install the following: idled, mozilla, wget, phplot, adodb, libnet, snort, acid.

it also gives a very threadbare set of instructions for setup.

If Snort uses PHP, you need to configure Apache and PHP. I also think Snort might use a database like MySQL, is that right?

i got it working... there were a few things that needed to be done to get this working.

as for using MySQL, it's an added bonus i guess. you don't need to use snort with mysql... but then the vanilla configuration had it outputting everything into a single log file, which is about 10mb's right now. :confused:

first i needed to add/reinstall the following packages:

mod_perl-1.27 Embeds a Perl interpreter in the Apache server
mod_php3-3.0.18_3 PHP3 module for Apache
mod_php4-4.3.0 PHP4 module for Apache

i needed to add the php packages with mysql support (i used that gui-ish
interface to do it)

then i needed to go into the httpd.conf file and add the following:

AddModule mod_php.c
AddModule mod_php3.c
AddModule mod_perl.c

LoadModule php3_module modules/libphp3.so
LoadModule php4_module modules/libphp4.so
LoadModule perl_module modules/libperl.so

AddType application/x-httpd-php3 .php3
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

things seem to be working now... however i do get the following error in the
webpage:

----
Warning: Unknown(): Your script possibly relies on a session side-effect which
existed until PHP 4.2.3. Please be advised that the session extension does not
consider global variables as a source of data, unless register_globals is
enabled. You can disable this functionality and this warning by setting
session.bug_compat_42 or session.bug_compat_warn to off, respectively. in
Unknown on line 0
----
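
Added example, not part of the original posts: the "list of code" symptom earlier in the thread means Apache was returning the PHP source instead of executing it, which exposes whatever the scripts contain. This sh check looks for two of the directives from the httpd.conf lines above that must both be active (necessary, not sufficient); the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an Apache 1.3-style httpd.conf for the directives
# that keep .php files from being served back as plain source.

# active_lines FILE: print directives with comments and blank lines removed.
active_lines() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -v '^$'
}

# php_module_loaded FILE: succeed if an uncommented LoadModule php*_module exists.
php_module_loaded() {
    active_lines "$1" |
        grep -Eiq '^LoadModule[[:space:]]+php[0-9]*_module[[:space:]]'
}

# php_ext_mapped FILE: succeed if .php is mapped to application/x-httpd-php
# (the .php3 and .phps mappings do not cover plain .php files).
php_ext_mapped() {
    active_lines "$1" |
        grep -Eiq '^AddType[[:space:]]+application/x-httpd-php[[:space:]]+(.*[[:space:]])?\.php([[:space:]]|$)'
}

# check_php_conf FILE: print a verdict; return 0 only when both are present.
check_php_conf() {
    rc=0
    if ! php_module_loaded "$1"; then
        echo "FAIL: no active LoadModule php*_module line"; rc=1
    fi
    if ! php_ext_mapped "$1"; then
        echo "FAIL: .php not mapped to application/x-httpd-php"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: module loaded and .php mapped to the PHP handler"
    return "$rc"
}

# Constructed sample, modelled on the directives posted in the thread.
sample_conf() {
cat <<'EOF'
LoadModule php4_module modules/libphp4.so
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp" && check_php_conf "$tmp"; rm -f "$tmp"
```

To audit a real file, call `check_php_conf` with the path to the httpd.conf in use.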

For future reference, check out the Apache Tool Box:

www.apachetoolbox.com