Snort + Base en OpenBSD

# pkg_add -r ftp://ftp.openbsd.org/pub/OpenBSD/3.9/packages/i386/snort-2.4.3-mysql.tgz
snort-2.4.3-mysql:pcre-6.4p1: complete
snort-2.4.3-mysql: complete
--- snort-2.4.3-mysql -------------------
An up-to-date set of rules is needed for Snort to be useful as an IDS.
These can be downloaded manually or net/oinkmaster can be used to
download the latest rules from several different sources.

It is recommended that snort be run as an unprivileged chrooted user.
An _snort user/group and log directory has been created for this
purpose.  You should start snort with the following options to take
advantage of this:
        -u _snort -g _snort -t /var/snort
and if you want to log:
        -l /var/snort/log
#

# wget -c http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz
# mkdir -p /etc/snort/rules
# mv snortrules-pr-2.4.tar.gz /etc/snort/rules/
# tar xfvvz snortrules-pr-2.4.tar.gz  

# mysql -u root --socket=/var/www/var/run/mysql/mysql.sock -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 7 to server version: 5.0.22

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> CREATE DATABASE snort;
Query OK, 1 row affected (0.29 sec)

mysql> GRANT INSERT, SELECT ON snort.* to snort@localhost;
Query OK, 0 rows affected (0.53 sec)

mysql> SET PASSWORD FOR snort@localhost = PASSWORD('password');
Query OK, 0 rows affected (0.05 sec)

mysql> GRANT CREATE, UPDATE, INSERT, DELETE, SELECT ON snort.* TO snort@localhost;
Query OK, 0 rows affected (0.00 sec)

# gunzip -d create_mysql.gz
# mysql -u root --socket=/var/www/var/run/mysql/mysql.sock -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 7 to server version: 5.0.22

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> USE snort;
Database changed
mysql> source create_mysql;
Query OK, 0 rows affected (0.27 sec)
Query OK, 1 row affected (0.11 sec)
Query OK, 0 rows affected (0.04 sec)
Query OK, 0 rows affected (0.02 sec)
Query OK, 0 rows affected (0.00 sec)
...
mysql>

var HOME_NET 192.168.0.0/24

var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET

var RULE_PATH ../rules/rules

output database: log, mysql, user=snort password=password dbname=snort host=localhost
output database: alert, mysql, user=snort password=password dbname=snort host=localhost

# snort -bDI -A fast -c /etc/snort/snort.conf

# snort -bDI -A fast -c /etc/snort/snort.conf

# wget -c http://kent.dl.sourceforge.net/sourceforge/secureideas/base-1.3.5.tar.gz
# tar xvvz base-1.3.5.tar.gz

# cat sql/create_base_tbls_mysql.sql | mysql -u root --socket=/var/www/var/run/mysql/mysql.sock  -D snort -p
# mysql -u root --socket=/var/www/var/run/mysql/mysql.sock -p
...
   mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| acid_ag          |
| acid_ag_alert    |
| acid_event       |
| acid_ip_cache    |
| base_roles       |
| base_users       |
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+

# wget -c http://puzzle.dl.sourceforge.net/sourceforge/adodb/adodb494.tgz
# tar xfvvz adodb494.tgz

# wget -c http://download.pear.php.net/package/Image_Graph-0.7.2.tgz
# wget -c http://pear.php.net/get/Image_Canvas-0.3.0.tgz
# wget http://pear.php.net/get/Image_Color-1.0.2.tgz

 base/
   |- Images/
   |- Canvas/
   |- Graph/
   |- docs/
   |- tests/
   |- Canvas.php
   |- Color.php
   |- Graph.php