hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
Posted: Fri Apr 15, 2005 7:02 pm Post subject: BASE ebuild (upgrade from ACID)
Hello All
I know I've seen some discussion about BASE (Basic Analysis and Security Engine) and requests for ebuilds and the like. I've put together an ebuild, basically modifying the ACID ebuild. I'm no ebuild guru, so please feel free to mention improvements, fixes, etc.
For those that don't know what BASE is:
> BASE is the Basic Analysis and Security Engine. It is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts coming from a SNORT IDS system.
>
> BASE is a web interface to perform analysis of intrusions that snort has detected on your network. It uses a user authentication and role-base system, so that you as the security admin can decide what and how much information each user can see. It also has a simple to use, web-based setup program for people not comfortable with editing files directly.
>
> BASE is supported by a group of volunteers. They are available to answer any questions you may have or help you out in setting up your system. They are also skilled in intrusion detection systems and make use of that knowledge in the development of BASE.
>
> You can contact them through this website or by emailing them at base@secureideas.net
http://secureideas.sourceforge.net/
For those that don't know what ACID is.. ACID is used to view Snort alert data. It is a web based application to manage all Snort alerts. Graphs and queries can be easily generated. ACID has NOT been in active development for some time.. and the guys at BASE picked it up recently.. and have been doing an awesome job!
I'll include a small how to for those who do not know how to use custom ebuilds:
1. edit /etc/make.conf and add this value:
```
PORTDIR_OVERLAY=/usr/local/portage
```
2. create the following directories
```
mkdir -p /usr/local/portage/net-analyzer/base
```
3. create the ebuild.. which is below:
```
vi /usr/local/portage/net-analyzer/base/base-1.1.2.ebuild
```
4. create a digest
```
cd /usr/local/portage/net-analyzer/base/
ebuild base-1.1.2.ebuild digest
```
5. edit /etc/portage/package.keywords (if you don't have it.. please create it) and add the following:
```
net-analyzer/base ~x86
```
6. edit /etc/portage/package.use (if you don't have it.. please create it) and add the following:
```
net-analyzer/base adodb
```
7. emerge it
Here is my ebuild:
```bash
# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-analyzer/base/base-1.1.2,v 1 2005/04/15 12:05:49 hanji Exp $

inherit webapp versionator eutils

MY_P=${P}
S=${WORKDIR}/${MY_P}

DESCRIPTION="Snort BASE - Basic Analysis and Security Engine (BASE) Project"
HOMEPAGE="http://secureideas.sourceforge.net/"
SRC_URI="http://easynews.dl.sourceforge.net/sourceforge/secureideas/${MY_P}.tar.gz"

LICENSE="GPL-2"
KEYWORDS="~x86"
IUSE="apache2 adodb"

RDEPEND="apache2? ( >=net-www/apache-2 )
	!apache2? ( =net-www/apache-1* )
	>=dev-php/adodb-4.55
	media-libs/gd
	=dev-php/mod_php-4*"
DEPEND="${RDEPEND}
	>=sys-apps/sed-4"

pkg_setup() {
	webapp_pkg_setup

	built_with_use dev-php/mod_php gd || \
		die "dev-php/mod_php must be built with USE=gd"

	# If mod_php used is >= 5.0.0, it has to have session useflag enabled.
	local ver_modphp=$(best_version dev-php/mod_php)
	ver_modphp="${ver_modphp/dev-php\/mod_php-/}"
	if [[ $(get_major_version ${ver_modphp}) -ge 5 ]] ; then
		built_with_use dev-php/mod_php session || \
			die "dev-php/mod_php must be built with USE=session"
	fi
}

src_unpack() {
	unpack ${A}
	cd ${S}

	# Point BASE at the adodb library installed by dev-php/adodb.
	sed -i '12s:^$DBlib_path =.*:$DBlib_path = "/usr/lib/php/adodb";:' \
		base_conf.php.dist || die "sed base_conf.php failed"
	# Accept a PHP 5 major version in the database-layer version check.
	sed -i '67s/($version\[0\] >= 4)/($version[0] >= 5) || &/' \
		base_db_common.php || die "sed base_db_common.php failed"
}

src_install() {
	webapp_src_preinst

	insinto ${MY_HTDOCSDIR}
	doins *

	webapp_src_install
}

pkg_postinst() {
	webapp_pkg_postinst

	einfo ""
	einfo "Note: BASE is installed as a webapp."
	einfo "The BASE database is an extension of the SNORT database."
	einfo "To setup the BASE database look in the README"
	einfo ""
}
```
Hope this helps someone.
thanks!
hanji
tukachinchila Apprentice
Joined: 11 Mar 2005 Posts: 274 Location: Oregon
Posted: Sat Apr 16, 2005 8:28 pm
That looks good. I have a couple of suggestions: 'gd' shouldn't technically be required (I'm sure most people will want it for graphing), but BASE will work without it. Maybe have a "gd" use flag that installs it if the user has USE="gd" or USE="gd-external". Also, base will install all documents in the "docs" directory, and webapp-config will then install these docs in every virtual host. It might be better to install the docs in the usual /usr/share/docs directory instead so they're only installed once. I also like to have all of my config files in /etc, so you could move base_conf.php there too.
I've also written an ebuild for BASE, so maybe we can collaborate on this? I'd also appreciate any constructive criticism:
```bash
# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $

inherit webapp versionator eutils

NW_VERSION="0.13.1"
IG_VERSION="0.4.0"
CONF_DIR="/etc/${PN}"
CONF_OLD="base_conf.php.dist"
CONF_NEW="base_conf.php"
WWW_GRP="apache"
MIDDLEMAN="base_path.php"

DESCRIPTION="A web-based front-end to the Snort IDS."
HOMEPAGE="http://base.secureideas.net"
SRC_URI="mirror://sourceforge/secureideas/${P}.tar.gz"

LICENSE="GPL-2"
KEYWORDS="~x86 ~amd64"
# SLOT is intentionally omitted because this package uses webapp-config
IUSE="apache2 mysql postgres mssql oracle gd"

DEPEND=">=app-arch/tar-1.14
	>=sys-libs/zlib-1.2.1-r3
	>=app-arch/gzip-1.3.5-r4
	>=sys-apps/coreutils-5.2.1-r2
	>=sys-apps/sed-4.0.9
	>=net-www/apache-1.3
	apache2? ( >=net-www/apache-2 )
	mysql? ( >=dev-db/mysql-3.23.0 )
	postgres? ( >=dev-db/postgresql-7.1.0 )"

# A local database isn't necessary, so we only upgrade to a DB supported
# by BASE when the user has USE flags set for one of these DBs.
# Snort can also be installed on a remote system, so we don't require it.
RDEPEND="${DEPEND}
	gd? ( >=media-libs/gd-1.8.0 )
	>=virtual/httpd-php-4.0.4
	gd? ( >=dev-php/php-4.0.4 )
	>=dev-php/adodb-1.2
	gd? ( >=dev-php/jpgraph-1.12.2 )"
# NOTE: jpgraph is currently marked for testing (~).
# gd and jpgraph are only required for graphing support

pkg_setup() {
	webapp_pkg_setup

	if use gd; then
		built_with_use dev-php/mod_php gd || \
			die "dev-php/mod_php must be built with USE=gd"
		built_with_use dev-php/php gd || \
			die "dev-php/php must be built with USE=gd"
	fi
}

src_unpack() {
	unpack ${A}
	cd ${S}

	# Here we help the user configure ${CONF_NEW} so BASE works out of the
	# box in most environments. The user will still be warned to edit the
	# file manually at the pkg_postinst() stage.
	sed -i -e 's,$BASE_urlpath.*,$BASE_urlpath = "/base";,g' \
		${CONF_OLD}
	sed -i -e 's,$DBlib_path.*,$DBlib_path = "/usr/lib/php/adodb";,g' \
		${CONF_OLD}
	if use postgres; then
		sed -i -e 's,$DBtype.*,$DBtype = "postgres";,g' \
			${CONF_OLD}
	fi
	if use mssql; then
		sed -i -e 's,$DBtype.*,$DBtype = "mssql";,g' \
			${CONF_OLD}
	fi
	if use oracle; then
		sed -i -e 's,$DBtype.*,$DBtype = "oci8";,g' \
			${CONF_OLD}
	fi

	# Change the source to recognize the new ${MIDDLEMAN} file we are about to
	# create.
	for PHP in *.php */*.php; do
		sed -i -e "s,${CONF_NEW},${MIDDLEMAN},g" \
			${CONF_OLD} "${PHP}"
	done

	# Create the file ${MIDDLEMAN} to determine the web root directory
	# and redirect "include" to the new ${CONF_DIR}/${CONF_NEW} location.
	echo "<?php" > ${MIDDLEMAN}
	echo ' $BASE_path = dirname(__FILE__);' >> ${MIDDLEMAN}
	echo " include(\"${CONF_DIR}/${CONF_NEW}\");" >> ${MIDDLEMAN}
	echo "?>" >> ${MIDDLEMAN}

	# Delete the $BASE_path constant from ${CONF_NEW} because we
	# now handle it with the ${MIDDLEMAN} file we created above.
	sed -i -e 's,$BASE_path =.*,,g' ${CONF_OLD}

	# Modify the HTML headers so search engines don't index BASE.
	sed -i -e \
		's:<HEAD>:<HEAD>\n <META name="robots" content="noindex,nofollow">:g' \
		index.php
	sed -i -e \
		's:<HEAD>:<HEAD>\n <META name="robots" content="noindex,nofollow">:g' \
		base_main.php
}

src_install() {
	webapp_src_preinst

	# Install the docs once in the standard /usr/share/doc/${PF}/DOCDESTREE
	# location instead of installing them in every virtual host directory.
	cd docs
	dodoc *
	cd ${S}
	rm -rf docs

	# Install the config files in the usual location (/etc/${PN}).
	insinto ${CONF_DIR}
	doins ${CONF_OLD}
	newins ${CONF_OLD} ${CONF_NEW}

	# Install BASE for webapp-config
	insinto ${MY_HTDOCSDIR}
	doins -r *

	# Tighten the security a little since BASE uses plain-text passwords.
	# This could use some future modifications to account for the fact that
	# some users may use a different web server than Apache.
	# fperms 640 ${CONF_DIR}/${CONF_NEW}
	fowners root:${WWW_GRP} ${CONF_DIR}/${CONF_NEW}
	# ewarn \
	# "Please modify the permissions of ${CONF_DIR}/${CONF_NEW} as the file \
	# stores plain-text passwords for connecting to your database."

	webapp_src_install
}

pkg_postinst() {
	if use gd; then
		/usr/bin/pear install Image_Color
		/usr/bin/pear install Log
		/usr/bin/pear install Numbers_Roman
		/usr/bin/pear install \
			http://pear.php.net/get/Numbers_Words-${NW_VERSION}.tgz
		/usr/bin/pear install \
			http://pear.php.net/get/Image_Graph-${IG_VERSION}.tgz
	fi

	webapp_pkg_postinst

	einfo ""
	einfo "For BASE to work properly, your web browser must have cookie"
	einfo "support enabled."
	einfo "Since the reports generated by BASE can contain sensitive"
	einfo "information, it is recommended that you implement (SSL/TLS). It is"
	einfo "also recommended that your php.ini have \"display_errors\""
	einfo "set to \"off.\""
	ewarn "You may need to edit \"${CONF_DIR}/${CONF_NEW}\" before using BASE."
	einfo "To setup your initial database, direct your web browser to the"
	einfo "location you installed BASE/base_db_setup.php."
	einfo ""
}
```
I'll post any updates to the ebuild here: http://home.comcast.net/~travis.post/base-1.1.3.ebuild.
I'm also working on a howto: http://gentoo-wiki.com/HOWTO_Setup_BASE_with_Apache%2C_Snort%2C_and_PostgreSQL.
Moderators might want to move this thread to "Unsupported software."
Last edited by tukachinchila on Thu Jun 16, 2005 5:27 am; edited 3 times in total
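A post-install audit for the two points the ebuild's own comments flag (base_conf.php holding plain-text database credentials, with the `fperms 640` line commented out, and config copies reaching every virtual host's document root, since `doins -r *` still picks up base_conf.php.dist), as an added example in POSIX sh that is not part of the ebuild or the original post. The /etc/base/base_conf.php path and the root:apache group come from the ebuild; the default document root and GNU stat's `-c` flag are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a BASE install for the two
# exposures discussed in the ebuild comments. Assumes GNU stat (-c).

# Return 0 if the file grants nothing to "other" and no write to the
# group (640 root:apache or stricter); print a reason and return 1 otherwise.
conf_perms_ok() {
    file="$1"
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    mode=$(stat -c %a "$file")       # octal, e.g. 640 or 2640
    other=${mode#"${mode%?}"}        # last digit
    rest=${mode%?}
    group=${rest#"${rest%?}"}        # second-to-last digit
    if [ "$other" != 0 ]; then
        echo "world-accessible (mode $mode): $file"
        return 1
    fi
    case $group in
        2|3|6|7) echo "group-writable (mode $mode): $file"; return 1 ;;
    esac
    return 0
}

# Print every base_conf.php* inside a web document root. With the config
# moved to /etc/base (CONF_DIR) and included through base_path.php, nothing
# should match; each hit is a credential file a vhost can serve. Returns 1
# if any were found.
stray_conf_copies() {
    hits=$(find "$1" -type f -name 'base_conf.php*' 2>/dev/null)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Run both checks; the exit status is the number of failed checks.
# The document root default is an assumption (webapp-config's usual vhost
# root plus the "/base" BASE_urlpath the ebuild sets).
audit_base() {
    conf="${1:-/etc/base/base_conf.php}"
    docroot="${2:-/var/www/localhost/htdocs/base}"
    fails=0
    conf_perms_ok "$conf" || fails=$((fails + 1))
    stray_conf_copies "$docroot" || fails=$((fails + 1))
    return $fails
}

if [ $# -gt 0 ]; then
    audit_base "$@"
fi
```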
toster n00b
Joined: 19 Apr 2005 Posts: 4
Posted: Tue Apr 19, 2005 12:35 pm
Hi All!
I installed BASE but I couldn't make graphs of alert data :( BASE said "Error loading the Graphing library: Check your Pear::Image_Graph installation!" but I already have Image_Graph.
```
root@help pear install Image_Graph-devel
Package 'Image_Graph' already installed, skipping
```
What am I doing wrong?
hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
Posted: Tue Apr 19, 2005 5:43 pm
try...
```
pear install Image_Color
```
Image_Color is a dependency of Image_Graph
HTH
hanji
tukachinchila Apprentice
Joined: 11 Mar 2005 Posts: 274 Location: Oregon
Posted: Wed Apr 20, 2005 12:54 am
I've had the same problem here. It looks like PEAR is installing things in /usr/lib/php/php, and BASE is looking for Image_Graph in /usr/lib/php. The problem seems to be with the file "base_graph_common.php." I'm still working on a fix.
This is the segment of the file that is causing the problem (if someone knows of a good way to fix it, please let me know):
```php
// We have to locate Image/Graph.php -- Alejandro
$file = "Image/Graph.php";
$found = false;
// Will search in Path
$paths = explode(PATH_SEPARATOR, ini_get('include_path'));
foreach ($paths as $path) {
    $fullpath = $path . DIRECTORY_SEPARATOR . $file;
    if (file_exists($fullpath)) {
        $found = true;
        break;
    }
}
if ( $found ) {
    // Cool, file was found, so you have Image_Graph installed. -- Alejandro
    include($file);
    return true;
} else {
    // Sorry dude, you haven't finished your home work. -- Alejandro
    echo "<P><B>Error loading the Graphing library: </B>".
         "<P>Check your Pear::Image_Graph installation!".
         "<P>".
         "Image_Graph can be found here:".
         "at <A HREF=\"http://pear.veggerby.dk/\">http://pear.veggerby.dk/</A>. Without this".
         "library no graphing operations can be performed.";
    die();
}
```
As far as I understand, the 'include_path' is found in the php.ini file, so I would think that adding "/usr/lib/php/php" to that line would fix it, but it doesn't. I've tried changing the php.ini file to `include_path = ".:/usr/lib/php:/usr/lib/php/php"` with no luck. I'm obviously misunderstanding what's going on with base_graph_common.php.
The other problem is BASE expects JPGraph to be installed inside the BASE directory (which it's not). I can fix that pretty easily by adding the variable $ChartLib_path = "/var/lib/php/jpgraph" to the base_conf.php file, and by adding $ChartLib_path to the base_graph_common.php file so BASE is aware of the correct location.
tukachinchila Apprentice
Joined: 11 Mar 2005 Posts: 274 Location: Oregon
Posted: Wed Apr 20, 2005 8:45 am
Thanks hanji. I thought the /usr/lib/php/php path looked a little strange. It would be nice to see that get fixed.
I did figure out that appending '/usr/lib/php/php' to '/etc/php/apache2-php4/php.ini' actually works (I just neglected to restart apache). So another temporary work-around is to edit php.ini and restart apache:
```
include_path = ".:/usr/lib/php:/usr/lib/php/php"
/etc/init.d/apache2 restart
```
That gets BASE working perfectly for me.
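The include_path lookup from the two posts above (the search loop in base_graph_common.php, and the php.ini edit that only took effect after apache was restarted), as an added example in POSIX sh that is not from the thread: it reads the active include_path from a given php.ini and reports which directory, if any, holds Image/Graph.php. The function names and the php.ini parsing are mine; the /usr/lib/php/php location is the one the posts describe.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the include_path search
# that base_graph_common.php runs for Image/Graph.php, reading the path
# from the php.ini of the SAPI that serves BASE (e.g. the apache2-php4 one).

# Print the active include_path from a php.ini. Lines commented out with
# ';' are skipped and, as in PHP, the last active assignment wins.
# Returns 1 if the file has no active include_path setting.
php_ini_include_path() {
    val=$(sed -n 's/^[[:space:]]*include_path[[:space:]]*=[[:space:]]*//p' "$1" \
          | sed 's/[[:space:]]*$//' | tail -n 1)
    [ -n "$val" ] || return 1
    val=${val%\"}                 # drop the surrounding double quotes
    val=${val#\"}
    printf '%s\n' "$val"
}

# Walk a ':'-separated include_path in order and print the first directory
# that contains $2 (the loop the PHP code runs with PATH_SEPARATOR). Returns
# 1 and prints nothing when no entry has it, which is exactly the case that
# yields "Error loading the Graphing library".
locate_in_include_path() {
    inc="$1" file="$2"
    old_ifs=$IFS
    IFS=:; set -f                 # split on ':' only, no globbing
    set -- $inc
    set +f; IFS=$old_ifs
    for dir in "$@"; do
        [ -n "$dir" ] || dir=.    # an empty entry means the current directory
        if [ -f "$dir/$file" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# Report, for a given php.ini, where Image/Graph.php would be found.
check_image_graph() {
    inc=$(php_ini_include_path "$1") || { echo "no active include_path in $1"; return 1; }
    locate_in_include_path "$inc" Image/Graph.php
}

if [ $# -gt 0 ]; then
    check_image_graph "$1"
fi
```

Run it against the php.ini of the web SAPI (/etc/php/apache2-php4/php.ini in this thread), not the CLI one; the server reads that file only at start-up, which is why the edit above took effect only after the apache2 restart.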
doidoniel n00b
Joined: 11 Jul 2006 Posts: 1
Posted: Tue Jul 11, 2006 8:42 pm
Hi, I use Debian, but I'm having the same problem. Like others, the only thing I did was modify /etc/php4/apache2/php.ini and uncomment the line `include_path = ".:/usr/lib/php:/usr/lib/php/php"`.