Snort/BASE/PEAR libs + Image_Graph


The_Denv
06-22-2008, 04:35 PM
Greetings,

After successfully installing BT3f to my HDD I began playing with the new tools, the first tool I went for was Snort. Below is a text dump of my CL whilst running Snort:


***********************************************
* Snort / MySQL / Base Setup and Initialization
* muts@offensive-security.com
* Please Read Instructions Carefully
***********************************************\n
Please enter desired MySQL root password:
'PASSWORD REMOVED'
Please enter desired MySQL snort user password:
USERNAME REMOVED
Installing all prepared tables
Fill help tables

To start mysqld at boot time you have to copy support-files/mysql.server
to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:
/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h bt password 'new-password'
See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with the benchmarks in the 'sql-bench' directory:
cd sql-bench ; perl run-all-tests

Please report any problems with the /usr/bin/mysqlbug script!

The latest information about MySQL is available on the web at
http://www.mysql.com
Support MySQL by buying support/licenses at http://shop.mysql.com
Setting up Snort...Please be patient.
* Setting up permissions on MySQL.
* Starting MySQL server.
nohup: redirecting stderr to stdout
Starting mysqld daemon with databases from /var/lib/mysql
* Setting a Mysql root password.
* Creating a MySQL Snort User.
* Importing Snort Database into MySQL.
* Starting Apache Web Server - CGI Mode.
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
* Setting up snort.conf
* Starting Snort.
Bringing up interface eth0...
Starting Snort...
Done! - Please read the instructions to come...
* * * * * * * * * * * * * * * * * * * * * * * * * * * * *

The BASE web-frontend has been setup and is now running.

Please visit: http://192.168.1.64/base/base_db_setup.php
to complete the configuration.

1) Click Create BASE AG on the far right side
2) Click Main Page link above Alert Group Maintenance

* * * * * * * * * * * * * * * * * * * * * * * * * * * * *
bt ~ # pear config-show | grep "PEAR directory"
PEAR directory php_dir /usr/lib/php
bt ~ # php -i | grep "include_path"
include_path => .:/usr/lib/php => .:/usr/lib/php



As I loaded Firefox and surfed to http://192.168.1.64/base/base_graph_main.php, B.A.S.E. loaded successfully. I clicked on 'Graph Alert Data' and the following text was displayed:


Error loading the Graphing library:

Check your Pear::Image_Graph installation!

* Image_Graph can be found here:at http://pear.veggerby.dk/. Without this library no graphing operations can be performed.
* Make sure PEAR libraries can be found by php at all:

pear config-show | grep "PEAR directory"
PEAR directory php_dir /usr/share/pear

This path must be part of the include path of php (cf. /etc/php.ini):

php -i | grep "include_path"
include_path => .:/usr/share/pear:/usr/share/php => .:/usr/share/pear:/usr/share/php


Now, as you can see, I previously entered the PEAR commands correctly. The PEAR libraries seem to be already within B|T3f. I do know that my next step on the problem would be to check my php.ini to see if the path has been included. Is this correct? Or do I need to download the PEAR libs again and reinstall them over the current libs?

The graphs are eye candy, but I have a sweet tooth...and the graphs are not working.

Cheers :)
streaker69: If you see this thread, I would be thankful if you could supply your advice since you have been using B.A.S.E & Snort for a long time. Cheers.

streaker69
06-22-2008, 04:43 PM
LOL!

I just went through that myself the other day getting the image graphs to work. I'm guessing you want to see where your alerts are coming from on the World Map.

There's a bunch of dependencies that you'll need to install. Let me do some quickie research and I'll get back to you on what you'll need to make it work.

Ok. You'll need to install Image_Canvas and Image_Graph, as well as the MSTrueType fonts package.

The first two you should be able to get through any popular package manager, I think I got mine on CentOS 5.1 via Yum.

You'll have to find the RPM for the MSTruetype fonts and install those and then update the fontmap.txt file in /usr/share/pear/Image/Canvas/Fonts and point the Verdana font to wherever the MSTruetype fonts got installed.

You'll need to turn your logging level back in PHP.INI as well, it should bitch about that setting the first time you go into the graphing section.

That should get you started, let me know if you run into trouble.

The_Denv
06-22-2008, 05:07 PM
LOL!

I just went through that myself the other day getting the image graphs to work. I'm guessing you want to see where your alerts are coming from on the World Map.

There's a bunch of dependencies that you'll need to install. Let me do some quickie research and I'll get back to you on what you'll need to make it work.

Ok. You'll need to install Image_Canvas and Image_Graph, as well as the MSTrueType fonts package.

The first two you should be able to get through any popular package manager, I think I got mine on CentOS 5.1 via Yum.

You'll have to find the RPM for the MSTruetype fonts and install those and then update the fontmap.txt file in /usr/share/pear/Image/Canvas/Fonts and point the Verdana font to wherever the MSTruetype fonts got installed.

You'll need to turn your logging level back in PHP.INI as well, it should bitch about that setting the first time you go into the graphing section.

That should get you started, let me know if you run into trouble.

hahaha :D - Perfect timing heh

Whoa, what a coincidence, thanks for the seriously fast reply streaker, which is filled with a lot of useful information. Yeah, I think I've seen a post of yours [maybe it was a PM] about the world map, and when I found out Snort was in BT3f I filled up with excitement, and from our previous thread you know how interested I was in Snort&BASE :)

Okay, so Image_Graph and Image_Canvas along with MSTrueType fonts. The beauty about the MS-Fonts is that I think I saved a tutorial on how to get them installed somewhere on my datastick. You mentioned getting the 'Image_' files from CentOS 5.1 via yum? Do you mean, download CentOS 5.1 and extract them with yum? I got a URL [http://wiki.centos.org/PackageManagement/Yum] that might help me, not sure but I will Google around and find what needs to be found :)

Thanks a million streaker :cool: - You really know your Snort/BASE/CentOS stuff. Thanks again!

EDIT: I think I may have to use slapt-get rather than yum since Slackware uses this, I am not sure as I have not done this before. What do you think?

EDIT2:
Okay I haven't tested to see if it works yet as I think I have to restart apache for it to work correctly. I didn't have to use yum or get anything from CentOS. Everything was already included in BackTrack3final [Thanks to M&Ms] :cool: Below are the commands I used to download and install the following files: Image_Color-1.0.2, Image_Canvas-alpha and Image_Graph-alpha.


bt ~ # pear install Image_Color
WARNING: channel "pear.php.net" has updated its protocols, use "channel-update pear.php.net" to update
downloading Image_Color-1.0.2.tgz ...
Starting to download Image_Color-1.0.2.tgz (7,724 bytes)
.....done: 7,724 bytes
install ok: channel://pear.php.net/Image_Color-1.0.2
bt ~ # pear install Image_Canvas-alpha
WARNING: channel "pear.php.net" has updated its protocols, use "channel-update pear.php.net" to update
downloading Image_Canvas-0.3.1.tgz ...
Starting to download Image_Canvas-0.3.1.tgz (46,329 bytes)
.............done: 46,329 bytes
install ok: channel://pear.php.net/Image_Canvas-0.3.1
bt ~ # pear install Image_Graph-alpha
WARNING: channel "pear.php.net" has updated its protocols, use "channel-update pear.php.net" to update
Did not download dependencies: pear/Numbers_Roman, pear/Numbers_Words, use --alldeps or --onlyreqdeps to download automatically
pear/Image_Graph can optionally use package "pear/Numbers_Roman"
pear/Image_Graph can optionally use package "pear/Numbers_Words"
downloading Image_Graph-0.7.2.tgz ...
Starting to download Image_Graph-0.7.2.tgz (368,056 bytes)
.................................................. .........................done: 368,056 bytes
install ok: channel://pear.php.net/Image_Graph-0.7.2



Ran into this error after the above process:

ERROR: The worldmap function is not available, because world_map6.png and world_map6.txt could not be found. Go into the "PEAR directory", as can be found by "pear config-show", and then into the subdirectory Image/Graph/Images/Maps/. This is the location where world_map6.png and world_map6.txt must be installed.


I changed directory to see where the files should be:
bt / # cd usr/lib/php/Image/Graph/Images/Maps
There was 1 file, a README. I read it and it stated at the bottom:
No maps are released by default due to we want to avoid possible copyright issues.

Thanks to streaker, I got the maps, which were within the BASE directory. I copied them over doing the following:
bt / # cp opt/snort/base/world_map6.* usr/lib/php/Image/Graph/Images/Maps

The Map will not show just yet, as streaker69 stated that I still need an odd dependency called GeoIP. You will be shown the following error from BASE if you continue without installing GeoIP [keep in mind I still haven't installed the fonts]:
ERROR: Neither $Geo_IPfree_file_ascii nor $IP2CC has been configured in base_conf.php.

GeoIP & GeoIP Perl API Installation:

bt base # mkdir GeoIP-Download-File
bt GeoIP-Download-File # wget http://www.maxmind.com/download/geoip/api/c/GeoIP.tar.gz
bt GeoIP-Download-File # tar -zxvf GeoIP.tar.gz
bt GeoIP-Download-File # cd GeoIP-1.4.4
bt GeoIP-1.4.4 # ./configure
bt GeoIP-1.4.4 # make
bt GeoIP-1.4.4 # make check
bt GeoIP-1.4.4 # make install

bt GeoIP-1.4.4 # mkdir GeoIP-Perl-API-Download
bt GeoIP-Perl-API-Download # wget http://www.maxmind.com/download/geoip/api/perl/Geo-IP-1.33.tar.gz
bt GeoIP-Perl-API-Download # tar -zxvf Geo-IP-1.33.tar.gz
bt GeoIP-Perl-API-Download # cd Geo-IP-1.33
bt Geo-IP-1.33 # perl Makefile.PL
bt Geo-IP-1.33 # make
bt Geo-IP-1.33 # make test
bt Geo-IP-1.33 # make install


Configuring Awstats (Taken from itkb.org and edited to fit my needs and the layout of this post)

Awstats

Now you need to go to the config file of your website and alter the Plugin: GeoIP part.
Change /pathto/GeoIP.dat to where this database actually is. You can quickly find it by
doing a locate. Well, "quickly"... you'll have to do a locate -u first of course, which will take some time.

locate -u


locate GeoIP.dat


On my system it returns: (Not mine, the author of itkb.org)

/usr/local/share/GeoIP/GeoIP.dat

Mine [The_Denv] showed this output, it's just an extra copy:

bt Geo-IP-1.33 # locate GeoIP.dat
/opt/snort/GeoIP-Download-File/GeoIP-1.4.4/data/GeoIP.dat
/usr/local/share/GeoIP/GeoIP.dat


Now I replace/update 3 plugins:
LoadPlugin="geoip GEOIP_STANDARD /pathto/GeoIP.dat",
LoadPlugin="geoip_city_maxmind GEOIP_STANDARD /usr/local/share/GeoIP/GeoLiteCity.dat"
LoadPlugin="geoip_org_maxmind GEOIP_STANDARD /usr/local/share/GeoIP/GeoIPASNum.dat"

By

bt Geo-IP-1.33 # LoadPlugin="geoip GEOIP_STANDARD /usr/local/share/GeoIP/GeoIP.dat"
bt Geo-IP-1.33 # LoadPlugin="geoip_city_maxmind GEOIP_STANDARD /usr/local/share/GeoIP/GeoLiteCity.dat"
bt Geo-IP-1.33 # LoadPlugin="geoip_org_maxmind GEOIP_STANDARD /usr/local/share/GeoIP/GeoIPASNum.dat"


We need to install GeoIPfree now:

bt GeoIP-1.4.4 # mkdir GeoIPfree
bt GeoIP-1.4.4 # cd GeoIPfree
bt GeoIPfree # wget http://search.cpan.org/CPAN/authors/id/G/GM/GMPASSOS/Geo-IPfree-0.2.tar.gz
bt GeoIPfree # tar -zxvf Geo-IPfree-0.2.tar.gz
bt GeoIPfree # cd Geo-IPfree-0.2
bt Geo-IPfree-0.2 # perl Makefile.PL
bt Geo-IPfree-0.2 # make
bt Geo-IPfree-0.2 # make test
bt Geo-IPfree-0.2 # make install


Load GeoIPfree:


LoadPlugin="geoipfree"


Install AWstats: (latest version stable release is 6.7)

bt / # cd /usr/local
bt local # mkdir awstats
bt local # cd awstats
bt awstats # wget http://prdownloads.sourceforge.net/awstats/awstats-6.7.tar.gz
bt awstats # tar -zxvf awstats-6.7.tar.gz
bt awstats # cd awstats-6.7/tools
bt tools # perl awstats_configure.pl

[You will be prompted the following]: (I choose y)
-----> Running OS detected: Linux, BSD or Unix
Warning: AWStats standard directory on Linux OS is '/usr/local/awstats'.
If you want to use standard directory, you should first move all content
of AWStats distribution from current directory:
/usr/local/awstats/awstats-6.7
to standard directory:
/usr/local/awstats
And then, run configure.pl from this location.
Do you want to continue setup from this NON standard directory [yN] ? y

-----> Need to create a new config file ?
Do you want me to build a new AWStats config/profile
file (required if first install) [y/N] ? y

Then name your profile, use default directory path /etc/awstats, I was then prompted with the following:

-----> Add update process inside a scheduler
Sorry, configure.pl does not support automatic add to cron yet.
You can do it manually by adding the following command to your cron:
/usr/local/awstats/awstats-6.7/wwwroot/cgi-bin/awstats.pl -update -config=My_Profile_Name
Or if you have several config files and prefer having only one command:
/usr/local/awstats/awstats-6.7/tools/awstats_updateall.pl now
Press ENTER to continue

A SIMPLE config file has been created: /etc/awstats/awstats.My_Profile_Name.conf
You should have a look inside to check and change manually main parameters.
You can then manually update your statistics for 'My_Profile_Name' with command:
> perl awstats.pl -update -config=My_Profile_Name
You can also read your statistics for 'My_Profile_Name' with URL:
> http://localhost/awstats/awstats.pl?config=My_Profile_Name

Press ENTER to finish...



Post is continued 2 posts ahead of this one!..

streaker69
06-22-2008, 06:00 PM
It does not download the fonts. If you have a tough time finding them, let me know, I can probably email you the archive.

The_Denv
06-22-2008, 06:10 PM
It does not download the fonts. If you have a tough time finding them, let me know, I can probably email you the archive.

Thanks man, much appreciated. I will try and find the fonts first on Google and if I can't I will let you know. Thanks again streaker! :)

I am going to have to use this post to extend my project information

....continued from my last post:

Now let's edit the .conf file that we just created during awstats setup:


bt tools # nano /etc/awstats/awstats.My_Project_Name.conf

You need to set the permissions of the awstats folder because apache will complain about it:

bt ~ # chmod 775 /usr/local/awstats

Change the 'apache log' path and 'DirData' path. Create a new folder for the logs:

bt ~ # mkdir /usr/local/awstats/data

Now we have to generate the country database in readable ASCII format:

bt / # cd /usr/lib/perl5/site_perl/5.8.8/Geo/
bt Geo # perl ipct2txt.pl ./ipscountry.dat /var/www/html/ips-ascii.txt

It should say: Saving...OK! /var/www/html/ips-ascii.txt created!

We now need the Country::IP module and the City module:

bt Geo # wget http://search.cpan.org/dist/IP-Country/lib/IP/Country.pm
bt Geo # wget http://search.cpan.org/src/MSCHLUE/Class-Classgen-classgen-3.03/examples/associations/one_to_one/City.pm


ip2cc

bt Geo # wget http://search.cpan.org/src/NWETTERS/IP-Country-2.24/bin/ip2cc.PL



- I am stuck at this point, especially because it's past 7:23am and I have not gone to bed yet...I'm still trying though. Snort won't work and neither will BASE lol! I'm still working on it, this is the support thread after all :D. Any help with the below error found on BASE's Graph page would be helpful:

ERROR: $mycountry has not been set as expected. - I think it's the ipct2txt.pl file, but I do not know what to do. Google seems to store nothing helpful for this.
------------------------------------------------
I think I may be installing programs before or after they are meant to be installed, after I get this setup I will edit any errors and post this as a tutorial if it succeeds.
Also make sure that DNSLookup is turned off, some people on various forums say that it needs to be turned on - It's up to you I guess.

bt / # DNSLookup=0



Don't forget to edit the base_conf.php:
bt / # nano var/www/htdocs/base/base_conf.php

I'm still in the process of getting this working, I will update as I go along. Fonts are next to get installed and I need to get the $mycountry error sorted out. Excluding the editing process of snort.conf and securing the BASE directory, there are many other steps to take for you to have Snort&BASE set up nice, tight and customized for your network.

References:
Snort_BASE_SSL.pdf (http://www.snort.org/docs/setup_guides/snort_base_SSL.pdf)
itkb.org (http://www.itkb.org/date/2006/10)

streaker69
06-22-2008, 06:14 PM
You'll also need to install GeoIP and have it compile the list that it needs to create the world map. I think it has an odd dependency as well.

Oh, don't forget to copy world_map.* from the BASE directory to /usr/share/pear/Image/Graph/Images/Maps

The_Denv
06-22-2008, 06:53 PM
You'll also need to install GeoIP and have it compile the list that it needs to create the world map. I think it has an odd dependency as well.

Oh, don't forget to copy world_map.* from the BASE directory to /usr/share/pear/Image/Graph/Images/Maps

Cheers man, you're using CentOS for that right? I had to find the base directory in BT. I added my actions to a post a few above this, I will add to that post as I go along. Thanks again for the map location and GeoIP info :)

streaker69
06-22-2008, 07:09 PM
Cheers man, you're using CentOS for that right? I had to find the base directory in BT. I added my actions to a post a few above this, I will add to that post as I go along. Thanks again for the map location and GeoIP info :)

Yeah, I was on CentOS 4.6 for a while, but I ended up trashing that box last Monday and spent the past week getting a CentOS 5.1 server running. If you haven't played with CentOS 5.1 I highly recommend it as a good stable server platform that it seems everything just works on. I haven't had a problem installing packages or compiling from source with it. I have the Gnome desktop running, which I use for general administration, but I'm still spending most of my time at the CLI via SSH.

I have Driftnet running as a 'screensaver' on the desktop, and it's looking at the same interface that Snort is using, which sits between the DSL router and my firewall. The box itself is going to become my consolidated Network Management Station running Cacti, Snort, OpenAudIT and whatever other tools I end up needing to track the network.

I'm currently working on a plugin for Cacti that allows viewing of a webcam directly in Cacti, and if it detects motion it will send out alerts. Good for watching for entry into the server room.

The_Denv
06-22-2008, 08:52 PM
Yeah, I was on CentOS 4.6 for a while, but I ended up trashing that box last Monday and spent the past week getting a CentOS 5.1 server running. If you haven't played with CentOS 5.1 I highly recommend it as a good stable server platform that it seems everything just works on. I haven't had a problem installing packages or compiling from source with it. I have the Gnome desktop running, which I use for general administration, but I'm still spending most of my time at the CLI via SSH.

I have Driftnet running as a 'screensaver' on the desktop, and it's looking at the same interface that Snort is using, which sits between the DSL router and my firewall. The box itself is going to become my consolidated Network Management Station running Cacti, Snort, OpenAudIT, CLI [never heard of this until now] and whatever other tools I end up needing to track the network.

I'm currently working on a plugin for Cacti that allows viewing of a webcam directly in Cacti, and if it detects motion it will send out alerts. Good for watching for entry into the server room.

Ahh, CentOS 5.1. I tried to download a CentOS version before and the download died, and now I just have a .part file. I will be looking into CentOS/Cacti and OpenAudIT, they sound like a really good combination. Gnome, nice...last time I was using Gnome I think it was RedHat 7.0, I liked that desktop environment and at the time I actually think it had a cool matrix screensaver built-in. So you have Driftnet as your screensaver? That's interesting, haven't heard of that being done; another thing to look into.

That plugin sounds like a pretty nifty plugin. What hardware [Camera, motion detection] are you using? Just a basic webcam? I would love to have a copy of that plugin once you're finished with it. :cool: ...I would love your job man seriously, even tag along with you for a week lol; what is your job title anyway? [BSMFH ;)]

EDIT: streaker69, ignore that PM I sent you - Got it sorted and I am moving onto the next section. :)

streaker69
06-22-2008, 09:08 PM
Ahh, CentOS 5.1. I tried to download a CentOS version before and the download died, and now I just have a .part file. I will be looking into CentOS/Cacti and OpenAudIT, they sound like a really good combination. Gnome, nice...last time I was using Gnome I think it was RedHat 7.0, I liked that desktop environment and at the time I actually think it had a cool matrix screensaver built-in. So you have Driftnet as your screensaver? That's interesting, haven't heard of that being done; another thing to look into.

That plugin sounds like a pretty nifty plugin. What hardware [Camera, motion detection] are you using? Just a basic webcam? I would love to have a copy of that plugin once you're finished with it. :cool: ...I would love your job man seriously, even tag along with you for a week lol; what is your job title anyway? [BSMFH ;)]

CentOS 5.1 is 6 CDs and yes, you need all 6 of them to install it. Driftnet doesn't really function as a 'real' screensaver, I just have it open full screen with the ever changing mosaic of pictures that people are seeing on the intertubes. It's also saving all the pictures to a directory, just in case someone is looking at something they shouldn't be.

The plugin when it's done, should work with any Webcam or Netcam, but right now I haven't been able to get it started, because apparently V4L has an issue with USB 1.1 devices and the only camera I have to work with is a 1.1 device. I need to get a 2.0 device to even begin testing it out.

BSMFH? Hmm, last I checked I wasn't a Sado-Masochist, but BoFH is fine with me, been following the antics of Simon for many years. Lately life at work hasn't been terribly exciting. You would have wanted to be around last summer when we were converting our SCADA/HMI system from ModBus+ over to Ethernet, that was a fun time of hardware upgrades, systems crashing and potential environmental disasters. Hopefully later this summer I'll be moving forward with converting our phone system to VoIP, so far, it's not looking good because we need a cordless phone on the system that is able to cover the 10 acres the plant sits on without using standard Wifi.

But hey, if you ever make it to Central PA, drop me a line, you'd be welcome to stop in, I've had a couple members from this forum stop out and see me at the office.

The_Denv
06-22-2008, 11:31 PM
CentOS 5.1 is 6 CDs and yes, you need all 6 of them to install it. Driftnet doesn't really function as a 'real' screensaver, I just have it open full screen with the ever changing mosaic of pictures that people are seeing on the intertubes. It's also saving all the pictures to a directory, just in case someone is looking at something they shouldn't be.

The plugin when it's done, should work with any Webcam or Netcam, but right now I haven't been able to get it started, because apparently V4L has an issue with USB 1.1 devices and the only camera I have to work with is a 1.1 device. I need to get a 2.0 device to even begin testing it out.

BSMFH? Hmm, last I checked I wasn't a Sado-Masochist, but BoFH is fine with me, been following the antics of Simon for many years. Lately life at work hasn't been terribly exciting. You would have wanted to be around last summer when we were converting our SCADA/HMI system from ModBus+ over to Ethernet, that was a fun time of hardware upgrades, systems crashing and potential environmental disasters. Hopefully later this summer I'll be moving forward with converting our phone system to VoIP, so far, it's not looking good because we need a cordless phone on the system that is able to cover the 10 acres the plant sits on without using standard Wifi.

But hey, if you ever make it to Central PA, drop me a line, you'd be welcome to stop in, I've had a couple members from this forum stop out and see me at the office.

Ahh, I understand now concerning your Driftnet screen saver. That's not a bad idea at all, and closely monitoring&logging the co-workers' image_surfing over a corporate network is great for evidence of any malicious act. Would it not clog up the HDDs?

About the cam, that's odd. I would have thought being 'linux' the support for USB 1.1 would have been well covered? It goes to show!

Heh, lol Simon! :) I remember reading one episode ages ago, like seriously a long time ago, about a Christmas party, a salesman and a pimply faced teenager..can't really remember what happened but I recall it was a good read. I read a few others, but it's been ages since I have.

You're right, when it comes to fun - problems are the best. You used SCADA at your work? I thought I watched a conference one time about SCADA being used in power stations, always thought it was a risk. I bet that you're glad you made the move, it does sound like you had some craic with all those red alarms going off lol ;)

Within my city there are numerous mobile/cell phone masts, do you think it's possible to implement something similar for VoIP over 10 acres?...Well I'm back from the garage and I got my coffee - Time to get BASE working :cool:

streaker69
06-22-2008, 11:43 PM
You're right, when it comes to fun - problems are the best. You used SCADA at your work? I thought I watched a conference one time about SCADA being used in power stations, always thought it was a risk. I bet that you're glad you made the move, it does sound like you had some craic with all those red alarms going off lol ;)


SCADA is used in all kinds of industry, but recently the power stations have been getting all the press because of a video that was released last year about a generator self-destructing due to a 'hacker' infiltration in the network. It was staged for the cameras just to show what could happen.

A friend of mine had done extensive SCADA work at a plant that makes pies, basically the entire process is automated. The SCADA software that we use actually has a Recipe module for mixing ingredients together. We of course don't need that.

During our change over, the contractor that was working with us neglected to actually save a changed program to the PLC. That night, we had a thunderstorm and had a major power flicker in the building, the PLC lost power and forgot its programming. We didn't realize that was the problem and it took several hours to figure out what was wrong, because the PLC appeared to be ok. By the time we got it figured out, since the contractor was no longer on site and it was left up to us to fumble through it, the screens had clogged up and the inbound flow had filled a 48" pipe to 44", for the entire 8 mile run of the pipe. We had about another 30 minutes before it would have backed up to the point of popping manholes along its length.

The_Denv
06-23-2008, 09:09 PM
SCADA is used in all kinds of industry, but recently the power stations have been getting all the press because of a video that was released last year about a generator self-destructing due to a 'hacker' infiltration in the network. It was staged for the cameras just to show what could happen.

A friend of mine had done extensive SCADA work at a plant that makes pies, basically the entire process is automated. The SCADA software that we use actually has a Recipe module for mixing ingredients together. We of course don't need that.

During our change over, the contractor that was working with us neglected to actually save a changed program to the PLC. That night, we had a thunderstorm and had a major power flicker in the building, the PLC lost power and forgot its programming. We didn't realize that was the problem and it took several hours to figure out what was wrong, because the PLC appeared to be ok. By the time we got it figured out, since the contractor was no longer on site and it was left up to us to fumble through it, the screens had clogged up and the inbound flow had filled a 48" pipe to 44", for the entire 8 mile run of the pipe. We had about another 30 minutes before it would have backed up to the point of popping manholes along its length.

Yeah man, I think the video you are talking about is the video that I watched, I think the 2 men who were presenting it were foreign, maybe German. SCADA pies....now that's food for thought lol!

Jesus!...Man that sounds amazing! Okay, I can see that it was a complete disaster and a lot of work involved for you, especially when the contractor wasn't there - But that could make a really good scene in a movie, seriously. [I have written a few scripts lol]. You really do have an exciting job, for some reason I am getting an image of Dan Aykroyd in Sneakers :D

Well this BASE project is going to have to wait until I can get my Edimax to connect to my AP, all day today I have been tearing my hair out because I have connected to my AP 1,000+ times and my card decided to show me my AP, connect to it..then it stops working and I can't see any APs [evil repetitive loop]. Also, when it does decide to see APs it can't inject...I added my problem onto another thread as it's OT here. I will conquer it, even if it means a prozac prescription! :eek:

EDIT (25/Jun/08): Just to update the people who may be following this thread, this is my last week of me attending a few business classes as I am starting my own business. I have not done anything on BASE since my last time editing one of the posts. I have however got my Edimax card working (simply by unplugging it and plugging it back in). So after my class tonight I will return here and begin sorting this BASE project out once and for all, I do not like things beating me for so long, sorry for 1-2days of no progression :)

[Btw, has anyone here on the forums actually got this to work on BT3f]?

The_Denv
06-26-2008, 02:46 PM
My head is fried.

Apart from the error: ERROR: $mycountry

I am getting this on BASE's HTTP interface:


Error (p)connecting to DB : snort@localhost

Check the DB connection variables in base_conf.php

= $alert_dbname : MySQL database name where the alerts are stored
= $alert_host : host where the database is stored
= $alert_port : port where the database is stored
= $alert_user : username into the database
= $alert_password : password for the username


Database ERROR:Access denied for user 'snort'@'localhost' (using password: YES)


Does anyone have an idea of what is going on? Maybe it's MySQL not allowing a root user to use it or something. I am not sure. Has there not been anyone here that has BASE&Snort up and running on their Back|Track3-Final install? [With world map]? I have been torturing myself with this since last night [the other day I set it aside for a while as it was so annoying]. I have been changing base_conf.php and snort.conf constantly to see what happened if I changed a certain value, and nothing is happening.

As per usual, I have searched Google and the error: ERROR: $mycountry is not ANYWHERE on Google apart from this thread. If anyone can help I would seriously appreciate it. Thanks

streaker69
06-26-2008, 03:43 PM

The $mycountry thing has to do with the GeoIPfree thing that's in the base_conf.php file. I don't recall setting mine, as I think it does it automatically when you compile that ips_ascii file so it can locate based upon IP.

Did you grant rights to your snort user in the database?


mysql --user=mysql -p mysql
-- grant the snort user rights on the snort database only (not on everything)
GRANT ALL ON snort.* TO snort@localhost IDENTIFIED BY 'snortpassword';
-- "%" lets the snort user connect from any host; leave this line out if BASE and MySQL run on the same box
GRANT ALL ON snort.* TO snort@"%" IDENTIFIED BY 'snortpassword';
FLUSH PRIVILEGES;
exit


You can either do that from the command line or from phpMyAdmin.

Extrapolate the information you need from my friend's page here: http://www.nmsworld.com/UNIX/Snort.htm

The_Denv
06-27-2008, 01:12 PM

Thanks streaker69,
I am not receiving any errors now within base, as you said; all I had to do was recompile the ips_ascii file. After resetting my MySQL password and reconfiguring the base_conf.php file and then reloading snort - I was hit with the usual error about $mycountry blah blah. I just reloaded snort and the errors are gone again.

Now my problem lies with Snort itself. I'm using the 'rausb0' interface and tried to change the snort.conf to reflect my settings. SNORT is not picking anything up at all, I don't think it's even running...back to the drawing board lol.

Thanks streaker69, oh and that link doesn't work for me as I think I am in the forbidden zone:

HTTP Error 403.6 - Forbidden: IP address of the client has been rejected.
Internet Information Services (IIS)


It's ok though, I was able to view it via a proxy. :)

EDIT: lol... I am still getting the "$mycountry has not been set as expected" error. Jesus! [I'm still trying to get this working]. What is doing my head in is that those errors disappeared as I have set the configuration correctly, when I go to the Home of BASE and return to the graph after 25mins the errors appear again. As if something is resetting my conf files :confused: I emailed the BASE support team and linked them this thread, for their eyes I am going to paste my base_conf.php and snort.conf into a text file and link it here [character limit] for what it's worth:


MediaFire link | [snort.conf & base_conf.php in ONE text file] (http://www.mediafire.com/?2xmmvxthe10)
MediaFire link | [Apache Error Log] (http://www.mediafire.com/?wm9dczgelz5)

secureideas
06-29-2008, 02:46 PM
Hi everyone,

This is Kevin from the BASE project. First, I am thrilled you are trying to get it working under Backtrack. We are still trying to work out all of the set up for the GeoIP service within BASE. The $mycountry error is one we have seen and hope is fixed in the CVS version of BASE. Either you can wait for 1.4.1 or download the CVS version from sf.net.

Thanks
Kevin

streaker69
06-29-2008, 02:50 PM

As far as I know, it's working on my recently built CentOS machine. At least I haven't seen that error, and I've been able to build maps from BASE.

Could it be an issue with those that are outside of the US?

Thanks for jumping in here, I'm sure everyone appreciates seeing a Dev jump in give information.

wyze
06-29-2008, 02:53 PM

Hi Kevin - just wanted to say thanks for BASE - couldn't live without it :cool:

archangel.amael
06-29-2008, 03:16 PM

Yeah Thanks Kevin for the input. Welcome and I hope you enjoy the forums.
:)

streaker69
06-29-2008, 08:53 PM
Two things to those that are possibly working on graphing using BASE and Snort.

In the 'base_conf.php' file there are instructions for configuring Geo and compiling the ips_ascii.txt file. The instructions are slightly wrong and if you follow them exactly it will create a blank file.

The original line:

perl ipct2txt.pl ./ipscountry.dat /var/www/html/base/ips-ascii.txt


My line:

perl ipct2txt.pl ipscountry.dat /var/www/html/base/ips-ascii.txt


Also, there appears to be something possibly wrong in the database in some cases where it will not display the map and you'll get errors when it's trying to render the map.


Warning: imagefilledpolygon() [function.imagefilledpolygon]: You must have at least 3 points in your array in /usr/share/pear/Image/Canvas/GD.php on line 1004

Warning: imagepolygon() [function.imagepolygon]: You must have at least 3 points in your array in /usr/share/pear/Image/Canvas/GD.php on line 1023


If I just select data from today, then it renders the graph. Anything outside of today, it doesn't and generates the above errors. I did have it working previously where it would work with 3 months of data in the database, so I don't know if there is something wrong with the data or not. I'm gonna try digging into the graphing page and see if I can figure out what data it's missing.

secureideas
06-30-2008, 08:03 AM
I will check the directions and see if we can fix them. Any idea why the ./ would break the system? It seems to work here. (Isn't that what every dev says. :) )

As to the "not enough data points", are you sure you have data to graph? We have seen where people will try without the data and get that error.

Kevin

streaker69
06-30-2008, 08:20 AM

Well, the ./ when I tried it last night while I was troubleshooting why all of a sudden my graphs didn't work, generated an empty file. As soon as I removed it, it generated the correct file. I wanted to see if regen'ing the file solved my problem with what I was getting.

I have Snort Data spanning from June 24th to today, June 30th. If I select just the 24th or just the 29th (I haven't tried the 30th yet this morning), then it will graph properly on the world map. If I try any other days between the 24th and the 29th, then it gives the errors I posted. I've looked at the data and I don't see anything obvious.

I've turned on Debug mode in BASE and I don't see anything obviously wrong, except for the Debug line where it's supposed to print the statement about adding an extra dummy value to the array because of the bug in Pear, that line never prints, in either the working dataset or the non-working dataset.

If you like, I can send you my data and you can see if there's something wrong with it, maybe it'll help troubleshoot some of the issues with Pear?

Also, when it graphs the world map, is it supposed to put a circle around each country in relation to the size of the dataset from each country? I only ever get one circle and that's around the US, it seems as though it never draws one for any other country, and I did have this previously working on a file that had over 5000 lines and a couple dozen countries.

The_Denv
06-30-2008, 12:26 PM

Hi Kevin,

Thanks for the email and the post on this thread. I got Snort up and running, apparently I misread the manual. With a good sleep and a fresh mind I got snort running the way I like it. However I am not receiving any information within the BASE page, this is my fault not configuring my setup correctly. There are no other errors within BASE apart from the $mycountry and as I said in my email that I just sent you; I will update to CVS and see how it goes.

Thanks Kevin.

Could it be an issue with those that are outside of the US?

Thanks for jumping in here, I'm sure everyone appreciates seeing a Dev jump in give information.

I am in the UK [as you know], this may be a possibility.
Yeah streaker69, I am over the moon that Kevin posted on the thread...it kinda gives a cross-community feeling to it :D I couldn't ask for more if I could, this is brilliant :)

EDIT: Whoa, looks like a few more posts were posted while I was typing this out.

I enjoyed the read streaker69 and Kevin. I will test out the ips-ascii file myself later on tonight to see if it works. This is great folks, I really appreciate the help. Hopefully later I will be able to post some results, the other day 2 birds [chicks] landed in my garden and they are too young to fly. I have not been online due to looking after them since I found them. Anyway, thanks a million :cool:

The_Denv
07-02-2008, 11:08 AM
Just an update:

I used streaker69's method of creating the ips-ascii file and now I am not getting the ips-ascii error:

perl ipct2txt.pl ipscountry.dat /var/www/html/base/ips-ascii.txt


Now that this error is out of the way, I am working on the '$mycountry' error. I have received further advice from Kevin on updating to CVS. I am now going to try this update and if real-life doesn't get in the way [as it does constantly], I plan to post my results today.

EDIT:

I updated CVS, by doing the following:

cvs -z3 -d:pserver:anonymous@secureideas.cvs.sourceforge.net:/cvsroot/secureideas co -P base-php4


$mycountry error is still there. I am working on it ;)

streaker69
08-07-2008, 08:30 AM
I just started working on mine again to see if I could get the Maps to work. I downloaded the latest CVS and copied it overtop my previous cacti installation (after making a backup first). It complained about a couple of missing pear modules, Mail and Mail_Mime. After I installed them, graphing the world map works fine. Of course, I didn't test graphing until after I fixed the pear errors, so it may have worked without installing those modules.

elazar
09-06-2008, 11:34 PM
I was getting the $mycountry error on Slackware 12.1 using ip2cc. When securing PHP I had added exec() to disable_functions in my php.ini, removing this fixed the issue since exec(ip2cc) was failing and $mycountry returned empty. $mycountry is returned by either run_ip2cc() or GEOIpFree_IP2Country() in base_graph_common.php, chances are BASE may be failing to read the countries datafile. Remember, the Apache error log is your friend...
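The two failure modes the thread walks through (the "Access denied for user 'snort'@'localhost'" DB error that comes from the $alert_* variables in base_conf.php, and the empty $mycountry that elazar traces to exec() being listed in php.ini's disable_functions) can both be caught before loading BASE in a browser. The checker below is an added example, not BASE's own code; it only understands simple quoted-string PHP assignments, and the constructed base_conf.php and php.ini fragments are sample input, not files from this thread.

```python
import re

# Constructed base_conf.php fragment (sample input, not a real file from the thread)
SAMPLE_BASE_CONF = '''
$alert_dbname   = "snort";
$alert_host     = "localhost";
$alert_port     = "";
$alert_user     = "snort";
$alert_password = "";
'''

# Constructed php.ini fragment hardened the way elazar describes (exec disabled)
SAMPLE_PHP_INI = '''
expose_php = Off
disable_functions = exec,passthru,shell_exec,system   ; lock down shell-outs
'''

# Matches lines such as  $alert_user = "snort";  (single or double quotes)
ASSIGN_RE = re.compile(r'^\s*\$(\w+)\s*=\s*(["\'])(.*?)\2\s*;', re.M)

def parse_php_assignments(text):
    """Return {name: value} for simple quoted-string PHP assignments."""
    return {m.group(1): m.group(3) for m in ASSIGN_RE.finditer(text)}

def parse_disabled_functions(ini_text):
    """Return the lower-cased set of names listed under disable_functions."""
    disabled = set()
    for line in ini_text.splitlines():
        line = line.split(';', 1)[0].strip()          # drop ini comments
        if line.lower().startswith('disable_functions'):
            _, _, value = line.partition('=')
            disabled.update(f.strip().lower() for f in value.split(',') if f.strip())
    return disabled

# The DB variables the BASE error page tells you to check
REQUIRED = ('alert_dbname', 'alert_host', 'alert_port', 'alert_user', 'alert_password')

def check_base_setup(conf_text, ini_text):
    """Return a list of human-readable findings; an empty list means nothing obvious is wrong."""
    findings = []
    conf = parse_php_assignments(conf_text)
    for name in REQUIRED:
        if name not in conf:
            findings.append(f'${name} is not set in base_conf.php')
    if 'alert_password' in conf and conf['alert_password'] == '':
        findings.append('$alert_password is empty and cannot match the password used in the GRANT')
    if 'exec' in parse_disabled_functions(ini_text):
        # elazar's case: run_ip2cc() shells out via exec(), so $mycountry comes back empty
        findings.append('exec() is in disable_functions: run_ip2cc() cannot run ip2cc, so $mycountry stays empty')
    return findings
```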

elazar