Scenario: A linux server running Debian Sarge 3.1 setup according to Falko’s – The Perfect Setup – Debian Sarge (3.1).
Let’s assume we have one working website (www.example.com) and that the document root is: /var/www/www.example.com/web
The IP of the server is 192.168.0.5 and it’s using eth0 as network interface name.

Needed programs and files

• Snort
• Snort rules
• PCRE (Perl Compatible Regular Expressions)
• LIBPCAP
• BASE (Basic Analysis and Security Engine)
• ADOdb (ADOdb Database Abstraction Library for PHP (and Python).)

Downloading and untaring

We need a temporary place for all the files that we are going to download, and untar.
To keep things simple we will create a directory in the /root named snorttemp. (It’s obvious that this download directory can be any name and in anyplace)

cd /root
mkdir snorttemp
cd snorttemp

Now you need to get Snort.
The latest version at the time of writing this is 2.6.0

wget http://www.snort.org/dl/current/snort-2.6.0.tar.gz

When the download is finished untar the file:

tar -xvzf snort-2.6.0.tar.gz

And let’s remove the tar file:

rm snort-2.6.0.tar.gz

We also need the Snort rules!
Go to: http://www.snort.org/pub-bin/downloads.cgi and scroll down till you see the “Sourcefire VRT Certified Rules – The Official Snort Ruleset (unregistered user release)” rules
(If you are a member of the forum you can also download the – registered user release):

wget http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz

Move the snortrules-pr-2.4.tar.gz into the snort-2.6.0 map:

mv snortrules-pr-2.4.tar.gz /root/snorttemp/snort-2.6.0

and cd into snort-2.6.0:

cd snort-2.6.0

Untar the snortrules-pr-2.4.tar.gz file:

tar -xvzf snortrules-pr-2.4.tar.gz

Remove the tar file:

rm snortrules-pr-2.4.tar.gz

We are done downloading the files needed to get Snort to work.

To make snort work with BASE, we need more!

PCRE – Perl Compatible Regular Expressions.

Go to: http://www.pcre.org/ and select a download link for the pcre-6.3tar.gz file to download PCRE (at time of writing this it is pcre-6.3.tar.gz)
cd back to the snorttemp map:

cd /root/snorttemp

and download the pcre-6.3.tar.gz file:

wget http://surfnet.dl.sourceforge.net/sourceforge/pcre/pcre-6.3.tar.gz

Untar the file:

tar -xvzf pcre-6.3.tar.gz

Remove the tar:

rm pcre-6.3.tar.gz

Incoming search terms:

• snort base apache windows (1)
• snort programming (1)

Prelude will allow to log all of the events to the prelude database and be consulted using one interface (prewikka). This howto will describe how to install and configure the different tools that will make up the complete solution.

This howto is based on bits and scraps I found in order to resolve some issues, parts from the manuals and my own experiance with installing the complete solution.

For more information on snort visit: www.snort.org

For more information on ossec visit: www.ossec.net

For more information on prelude visit: www.prelude-ids.org

Prerequisites:

Let’s just assume you followed the The Perfect Server – Ubuntu Gutsy Gibbon (Ubuntu 7.10). If not follow that howto and only install / add those part’s you havent got installed on your system.

The following packages are useful, so please check that they are installed correctly:

apt-get install ntpdate
apt-get install dbconfig-common

Installing And Configuring Prelude

Normally, we would have to compile and install libprelude, libpreludedb, and then create the databases. Luckely enough the packages are provide by the Ubuntu repositories.

Prelude Manager

apt-get install prelude-manager

- Using default TLS settings from /etc/prelude/default/tls.conf:
- Generated key size: 1024 bits.
- Authority certificate lifetime: unlimited.
- Generated certificate lifetime: unlimited.

- Creating analyzer prelude-manager.
- Creating /etc/prelude/profile/prelude-manager…
- Allocated ident for prelude-manager: 4232957740008155.
- Generating RSA private key… This might take a very long time.
[Increasing system activity will speed-up the process.]

- Generating 1024 bits RSA private key…

During the installation, the manager will create the profile for the prelude user. It can take a (very) long time, since GnuTLS tries to access /dev/random instead of /dev/urandom (for security reasons). This may change in the future (maybe using an option to have a faster generation, but crytographically less secure).

dbconfig will then ask you if you want it to configure the database automatically. If you don’t want to, just say no, and configure everything manually (the sql scripts are in directory /usr/share/libpreludedb/). Let’s suppose the answer is yes.

Note: the number of questions may change, depending on debconf verbosity (set using dpkg-reconfigure debconf), and dbconfig parameters, in file /etc/dbconfig-common/config.

configure database with dbconfig-common: yes
database type:

Set the type to the database you previously installed. In this case mysql.

Database admin password: ******

dbconfig-common will ask for a password for the ‘prelude’ user. If you don’t provide any (just pressing enter), it will generate a random one. Don’t worry, the configuration file will be update automatically.

dbconfig-common: writing config to /etc/dbconfig-common/prelude-manager.conf

Creating config file /etc/dbconfig-common/prelude-manager.conf with new version
granting access to database prelude for prelude@localhost: success.
verifying access for prelude@localhost: success.
creating database prelude: success.
verifying database prelude exists: success.
populating database via sql… done.
dbconfig-common: flushing administrative password
Starting Prelude Manager: prelude-manager.

The Ubunty package automatically creates the user and the database for prelude. If you want to change the password, do so first in mysql and after in /etc/prelude-manager/prelude-manager.conf.

Prelude-Manager should now be running:

ps auxw | grep manager

prelude 28530 0.0 0.1 59384 4480 ? Ssl 13:49 0:00 /usr/sbin/prelude-manager

The first part is over, you now have a manager up and running.

Listen address:

The default listen address is localhost (127.0.0.1). This means that you have to change this to add sensors on different hosts in order for the agents to be able to reach the prelude-manager.

Edit  /etc/prelude-manager/prelude-manager.conf:

listen = xxx.xxx.xxx.xxx

Restart the server, and check the address (if you changed the address):

# /etc/init.d/prelude-manager stop

Stopping Prelude Manager: prelude-manager.

# /etc/init.d/prelude-manager start

Starting Prelude Manager: prelude-manager.

# netstat -pantu | grep prelude

tcp 0 0 192.168.66.1:4690 0.0.0.0:* LISTEN 30544/prelude-manager

Prelude-LML

You need to install prelude-lml on every host you want to monitor. Prelude-LML will analyze your logs and reports event to the managers.

# apt-get install prelude-lml

…
Starting Prelude LML: prelude-lml.

Before it can be used, two things needs to be done:

• The address of the manager must be configured on the lml
• The manager won’t trust sensors, until they are registered

Manager address

If you changed the address the manager is listening on, you need to change the address in the client config on every machine you install prelude-lml .

The adress of the manager is stored in file /etc/prelude/default/client.conf:

[prelude]
server-addr = 127.0.0.1

Registering the sensor

Registering the sensor is a four-step process, which requires to run commands on both the sensor and the manager:

On the LML client, run the register command:

prelude-adduser register prelude-lml “idmef:w” <manager address> –uid 0 –gid 0

Tip: if you don’t remember the command, just run prelude-lml. Since it is not registered, it will fail, but is smart enough to display the help:

# prelude-lml
- Subscribing plugin pcre[default]
- pcre plugin loaded 394 rules.
- Monitoring /var/log/messages through pcre[default]
* WARNING: /var/log/everything/current does not exist.
prelude-client: error starting prelude-client: could not open ‘/etc/prelude/profile/prelude-lml/analyzerid’ for reading

Profile ‘prelude-lml’ does not exist. In order to create it, please run:
prelude-adduser register prelude-lml “idmef:w” <manager address> –uid 0 –gid 0.

LML must be registered with uid and gid 0, since the process will be executed as root (to be able to analyze logs).

LML will then one for the One-Time Password(OTP), which will be provided by the manager:

Enter the one-shot password provided by the “prelude-adduser” program:
- enter registration one-shot password:

On the manager, run the following:

prelude-adduser registration-server prelude-manager

…
- Starting registration server.
- generated one-shot password is “dummypass”.
…

Enter the password to the LML prompt:

- enter registration one-shot password:
- confirm registration one-shot password:
- connecting to registration server (127.0.0.1:5553)…
- Anonymous authentication to registration-server successful.
- Sending certificate request.

The LML is now waiting for the Manager to sign the certificate.

On the manager, validate the certificate signing request:

- Anonymous authentication one-shot password check successful.
- Waiting for client certificate request.
- Analyzer with ID=”3559090256170900″ ask for registration with permission=”idmef:w”.
Approve registration [y/n]: y
The certificate is generated and sent to the client:
- Registering analyzer “3559090256170900″ with permission “idmef:w”.
- Generating signed certificate for client.
- Sending server certificate to client.
- ::ffff:127.0.0.1:47054 successfully registered.

On the client you will see:

LML registration is successful
- Receiving signed certificate.
- Receiving CA certificate.
- prelude-lml registration to 127.0.0.1 successful.

Now, the manager and the sensor have a trust relation, and can send messages to each other.

This process takes some time, but it increases security and th communication between the sensor and the manager is encrypted.

Finally, the LML sensor should be up too:

/etc/init.d/prelude-lml start

Starting Prelude LML: prelude-lml.
ps auxw | grep lml
root 1946 0.3 0.0 20856 3424 ? Ss 14:35 0:00 /usr/bin/prelude-lml -d -q -P /var/run/prelude-lml.pid

This concludes the first part.

Install Prewikka

Prewikka is the graphical frontend to Prelude, using a web server.

Installation

Prewikka requires two databases: one to get the Prelude alerts (which is the same as configured before), and one to store its own data (prewikka). Actually, the Ubuntu packages does only create the prewikka database, and does not configure access to Prelude alerts, so alert installation needs to be done manually.

Install Prewikka

apt-get install prewikka

The package will install required dependencies (python, for ex), and will ask for the database configuration. As for Prelude, we choose to use dbconfig-common, give the administrator password and press enter for the DB password to let dbconfig-common generate one for us.

Configure Prelude-Manager Access

Get the password from prelude-manager configuration file /etc/prelude-manager/prelude-manager.conf and edit prewikka configuration file /etc/prewikka/prewikka.conf:

vi /etc/prewikka/prewikka.conf

[idmef_database]
type: mysql
host: localhost
user: prelude
pass: **********
name: prelude

The [database] section is automatically configured by dbconfig-common, so do not modify it.

Web Server Configuration:

The configuration is explained in file /usr/share/doc/prewikka/README.Debian. You can choose between 3 configurations:

• Apache / CGI setup with VirtualHost
• Apache / mod_python setup with VirtualHost
• Prewikka from the command line tool

As an example I’ll use the mod_python setup.

apt-get install libapache2-mod-python

Add a VirtualServer to your apache configuration with the following content:

NameVirtualHost *
<VirtualHost *>
        ServerAdmin admin@domain.com
        <Location />
                SetHandler mod_python
                PythonHandler prewikka.ModPythonHandler
                PythonOption PrewikkaConfig /etc/prewikka/prewikka.conf
        </Location>

        <Location /prewikka>
                SetHandler None
        </Location>

        Alias /prewikka /usr/share/prewikka/htdocs
        Alias /htdocs /usr/share/prewikka/htdocs
</VirtualHost>

Restart you apache webserver and you can login to the prewikka interface.

Note: you can of course always us a setting for apache like:

NameVirtualHost xxx.xxx.xxx.xxx:80
<VirtualHost prewikka.yourdomain.tld:80>

This is usefull when you have other services running on your apache server.

Part 2: Installing And Configuring Snort

I will not write the complete howto for this since there is a hwto for snort: Intrusion Detection: Snort, Base, MySQL, and Apache2 On Ubuntu 7.10 (Gutsy Gibbon) (Updated).

I’ll describe here the steps necessary to have snort logging to prelude. In this setup you also don’t need to install a mysql database and the base webinterface since snort will log to prelude and you can use the prewikka interface to see the snort alerts.

Follow all of the steps described in the howto above and replace the entry below with the new one:

Replace

./configure -enable-dynamicplugin –with-mysql
make
make install

With

./configure -enable-dynamicplugin –eanble-prelude
make
make install

Instead of doing:

Scroll down the list to the section with “# output database: log, mysql, user=“, remove the “#” from in front of this line.
Change the “user=root” to “user=snort”, change the “password=password” to “password=snort_password“, “dbname=snort”
Make note of the username, password, and dbname. You will need this information when we set up the Mysql db.
Save and quit.

Do:

Scroll down the list to the section with “# output alert_prelude: profile=snort“, remove the “#é in front of this line and that’s it.

From step 5 on (5. Set up the Mysql database.) everything can be skipped.

Now we have to register the snort agent to the prelude manager:

prelude-adduser register snort “idmef:w” <manager address> –uid snort –gid snort

On the prelude manager server:

prelude-adduser registration-server prelude-manager

This will register the snort agent to the prelude manager, as you did above for the prelude-lml.

Once the registration process is complete run:

snort -c /etc/snort/snort.conf

If everything goes right than you will see:

Initializing Network Interface eth0
Decoding Ethernet on interface eth0
- Connecting to 127.0.0.1:4690 prelude Manager server.
- TLS authentication succeed with Prelude Manager.

The entry eth0 depends on the ethernet adapter you specified. Important is that you see that snort is connecting to the prelude manager server and tls authentication was successfull.

If the agent is connecting, and you see snort in the agent list of prewikka than you can stop the process with ctrl-c and issue:

snort -c /snort/snort.conf -D

to start snort as a daemon. In the line above you can always add -i ethX if you don’t listen on all network interfaces and want to specify a specific interface.

Part 3 : Installing And Configuring Ossec

First of all we will download and unpack the ossec source:

cd /src
wget http://www.ossec.net/files/ossec-hids-1.4.tar.gz
tar xvzf ossec-hids-1.4.tar.gz

Now do the following to add prelude support:

cd ossec-hids-xx
cd src
make setprelude

Then edit Config.OS and add -lgcc_s in all lines ahead -lpthread like this:

CPRELUDE=-DPRELUDE -lprelude -pthread -lgcc_s -L/usr/lib -lprelude -lgnutls -lgcrypt -lrt -ldl

The majority of this HOWTO is taken directly from the Installation Manual for OSSEC-HID which is a very easy to follow manual. If you run into trouble please look at the manual first as it will always have the most up to date information.

Now the easy part. Ossec comes with an install script install.sh which does all of the hard work for us.

cd ..
./install.sh

Pick what language you want to read everything in and hit enter.

** Para instalação em português, escolha [br].
** Fur eine deutsche Installation wohlen Sie [de].
** For installation in English, choose [en].
** Per l’installazione in Italiano, scegli [it].
** Aby instalować w języku Polskim, wybierz [pl].
** Türkçe kurulum için seçin [tr].
(en/br/de/it/pl/tr) [en]: en <enter>

Next it is going to warn us that we need a C compiler on the machine, and give you some general information about your computer (kernel version, user and host).

Go ahead and hit enter likes it says.

You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).
- System: Linux some information
- User: root
- Host: your hostname
– Press ENTER to continue or Ctrl-C to abort. –

Next select a local install:

1- What kind of installation do you want (server, agent, local or help)? local <enter>

Now choose were you want to install it. Use the default or change it if you want to. This howto however will assume the default location.

Choose where to install the OSSEC HIDS [/var/ossec]: <enter>

Now select you notification options. You can choose answers used in this howto or different ones. I would recommend setting “Y” to everything. Active responses are really nice. It will set some default configuration variables based on your answers and certian things it finds on your system.

3- Configuring the OSSEC HIDS.

3.1- Do you want e-mail notification? (y/n) [y]: y
- What’s your e-mail address? youremail@yourdomain.com
- What’s your SMTP server ip/host? your smtp server address (localhost)

3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

- Running syscheck (integrity check daemon).

3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

- Running rootcheck (rootkit detection).

3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:

http://www.ossec.net/en/manual.html#active-response

- Do you want to enable active response? (y/n) [y]: y

- Active response enabled.

- By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.

- Do you want to enable the firewall-drop response? (y/n) [y]: y

- firewall-drop enabled (local) for levels >= 6

- Default white list for the active response:
- 192.168.2.1

- Do you want to add more IPs to the white list? (y/n)? [n]: n

3.6- Setting the configuration to analyze the following logs:
– /var/log/messages
– /var/log/auth.log
– /var/log/syslog
– /var/log/mail.info
– /var/log/apache2/error.log (apache log)
– /var/log/apache2/access.log (apache log)

- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .

— Press ENTER to continue —

Now it will compile everything. This shouldn’t take too long to complete. It only took around 1-2 minutes for my box. After it is completed press enter to finish.

- Unknown system. No init script added.
- Configuration finished properly.
- To start OSSEC HIDS:/var/ossec/bin/ossec-control start
- To stop OSSEC HIDS:/var/ossec/bin/ossec-control stop
- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
Thanks for using the OSSEC HIDS.If you have any question, suggestion or if you find any bug,contact us at contact@ossec.net or using our public maill it atossec-list@ossec.net(http://mailman.underlinux.com.br/mailman/listinfo/ossec-list). More information can be found at http://www.ossec.net
— Press ENTER to finish (maybe more information below). —

Now unfortunately it doesn’t detect Ubuntu so it will not create an init script. This is simple enough to take care of. (Yes, its basic. If you want to improve it please feel free to do so) Copy and paste the following into /etc/init.d/ossec:

#!/bin/sh

case "$1" in
start)
  /var/ossec/bin/ossec-control start
;;
stop)
  /var/ossec/bin/ossec-control stop
;;
restart)
  $0 stop && sleep 3
  $0 start
;;
reload)
  $0 stop
  $0 start
;;
*)
echo "Usage: $0 {start|stop|restart|reload}"
exit 1
esac

Now make it executable:

chmod +x /etc/init.d/ossec

Add it to our runlevels so it starts on boot:

update-rc.d ossec defaults

ossec.conf/var/ossec/etc/ossec.confossecprelude:

<global>
 ...
<prelude_output>yes</prelude_output>
</global>

Finally we’ll add ossec as an agent in prelude:

prelude-adduser registration-server prelude-manager

On the management server do:

prelude-adduser register OSSEC “idmef:w” localhost –uid ossec –gid ossec

Note: The sensor name MUST be in uppercase > OSSEC.

Start the ossec with init.d script powered by OSSEC (1.4 version should now detect ubuntu/debian OS and the init script will work!) or RShadow script.

If you see this you’r up and running.

Starting OSSEC HIDS v1.4 (by Daniel B. Cid)…
Connecting to 127.0.0.1:4690 prelude Manager server.
TLS authentication succeed with Prelude Manager.

Now go to the url where you installed prewikka, and login with the user admin and password admin. Change this password immediately in order to prevent unauthorized access.

Incoming search terms:

• ubuntu intrusion detection (3)
• prelude ids debian (2)
• ossec prelude centos ids (2)
• ubuntu install prelude-manager tar gz (2)
• apt-get install prelude-manager (2)
• ubuntu ossec eth disabled (2)
• prelude tar gz (1)
• prelude prewikka database management (1)
• prelude tar gz ids ubuntu (1)
• prelude ossec ubuntu (1)

Open your favorite web browser and go to: http://www.example.com/base-1.2.5/setup
If all is setup okay you should see the BASE Setup Program page:

Click on Continue

step 1 of 5:
Enter the path to ADODB (/var/www/adodb):

click on Submit Query

step 2 of 5:
Enter the needed info on the next screen: (leave the Use Archive Database as is):

click on Submit Query

step 3 of 5:
If you want to Use Authentication for the Base page you can do so here:

click on Submit Query

step 4 of 5:
Click on Create BASE AG to create the database.

and after Create BASE AG

Once done, click on Now continue to step 5…

To make the Graph’s from BASE work you will also need to install Image_Color, Image_Canvas and Image_Graph.
To do this do:

pear install Image_Color
pear install Image_Canvas-alpha
pear install Image_Graph-alpha

That it for BASE!

If you want you can chmod the base-1.2.5 dir back to 775:

chmod 775 base-1.2.5

You can also delete the snorttemp directory, and all the files in it.

Starting Snort

To start SNORT and make BASE show you the Snort’s logged info, you will need to run:

/usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -g root -D

Now wait some time and see all the Snort alerts show up in BASE.

Links

• BASE: http://secureideas.sourceforge.net
• Snort: http://www.snort.org

Incoming search terms:

• directadmin snort (2)
• path to adodb snort base windows (2)
• snort base create archive database (2)
• snort y base en windows (2)
• intrusion detection by shell script (1)
• snort base windows (1)
• snort directadmin (1)
• snort xenserver (1)

Lets start with: LIBPCAP.
Make sure that you are in the directory that you downloaded all files.

cd /root/snorttemp

cd into the libcap map:

cd libpcap-0.9.4

and make / install LIBPCAP:

./configure
make
make install

Next is PCRE.
Again, make sure that you are in the directory that you downloaded all files.

cd /root/snorttemp

cd into the PCRE map:

cd pcre-6.3

and make / install pce-6.3

./configure
make
make install

Now it time for Snort:
Make sure that you are in the directory that you downloaded all files.

cd /root/snorttemp

cd into the snort map:

cd snort-2.6.0

and make / install Snort with some extra needed options!

./configure –enable-dynamicplugin –with-mysql
make
make install

Snort needs some maps, so let’s create them:

mkdir /etc/snort
mkdir /etc/snort/rules
mkdir /var/log/snort

Moving the Snort files from the installation map to the just created maps.
Make sure that you are in the directory that you downloaded all files.

cd /root/snorttemp

and cd into snort-2.6.0:

cd snort-2.6.0

and into the rules

cd rules

now we copy all files from the /rules into /etc/snort/rules

cp * /etc/snort/rules

We will do the same for the files in the install /etc folder:

cd ../etc
cp * /etc/snort

Fixing the snort.conf

The /etc/snort/snort.conf needs some tuning to get it to work on your system!
So cd into /etc/snort:

cd /etc/snort

and open snort.conf with nano (or any other ‘text’ editor)

nano snort.conf

change “var HOME_NET any” to “var HOME_NET 192.168.0.5/32”
change “var EXTERNAL_NET any” to “var EXTERNAL_NET !$HOME_NET”
change “var RULE_PATH ../rules” to “var RULE_PATH /etc/snort/rules”

As we made snort with the ‘–with-mysql’ option and as BASE needs it, we also need to tell Snort what database to use.
Scroll down till you see “# output database“, and remove the # in front of the line for the MySQL.
Now also change the “user“, “password” and “dbname“. Make a note of this as you will need it later!
Save the file and close ‘nano’

Setting up the MySQL Database for Snort.

There are many ways to create the snort database.
The table layout can be found in the file create_mysql in the /root/snorttemp/snort-2.6.0/schemas directory.
Whichever way you create the database, make sure the ‘user’, ‘password’ and ‘dbame’ are the same as the one you set in the /etc/snort/snort.conf file!

After creating you can test snort and see if you get any errors with:

snort -c /etc/snort/snort.conf

Exit the test with Ctrl+C

If you get no error’s Snort is setup correct.

Moving ADOdb and BASE

Moving ADOdb:
cd back to the download dir

cd /root/snorttemp/

and move adodb it to the root of the www map:

mv adodb /var/www

Next: BASE (Basic Analysis and Security Engine )
Still in the download dir, we move the base dir into the 1st website map that you create with ISPconfig.

mv base-1.2.5 /var/www/www.example.com/web

and cd into /var/www/www.example.com/web

cd /var/www/www.example.com/web

To enable BASE to write the setup file we need to chmod the base-1.2.5 folder to 757:

chmod 757 base-1.2.5

Incoming search terms:

• base snort mysql windows (1)
• echo create database snort; | mysql -u root -p mysql -u root -p -D snort < /schemas/create_mysql (1)
• snort base install on windows (1)

Go to: http://www.tcpdump.org/ and select a download link for Libpcap (at time of writing this it is libpcap-0.9.4.tar.gz)
cd back to the snorttemp map:

cd /root/snorttemp

and download the libpcap-0.9.4.tar.gz file:

wget http://www.tcpdump.org/release/libpcap-0.9.4.tar.gz

Untar the file:

tar -xvzf libpcap-0.9.4.tar.gz

Remove the file:

rm libpcap-0.9.4.tar.gz

BASE (Basic Analysis and Security Engine )

Go to: http://secureideas.sourceforge.net/ and download the latest release (at time of writing BASE 1.2.5 (sarah))
cd back to the snorttemp map:

cd /root/snorttemp

and download the base-1.2.5.tar.gz file:

wget http://surfnet.dl.sourceforge.net/sourceforge/secureideas/base-1.2.5.tar.gz

Untar the file:

tar -xvzf base-1.2.5.tar.gz

Remove the file:

rm base-1.2.5.tar.gz

ADOdb: (ADOdb Database Abstraction Library for PHP (and Python).)

Go to: http://adodb.sourceforge.net/ and download the latest release (at time of writing adodb-490-for-php)
cd back to the snorttemp map:

cd /root/snorttemp

and download the adodb490.tgz file:

wget http://surfnet.dl.sourceforge.net/sourceforge/adodb/adodb490.tgz

Untar the file:

tar -xvzf adodb490.tgz

Remove the file:

rm adodb490.tgz

ls should now show the following directorys in /root/snorttemp:
adodb, base-1.2.5, libpcap-0.9.4, pcre-6.3 and snort-2.6.0

Incoming search terms:

• snort on openvz (3)
• openvz snort (3)
• snort nginx (2)
• snort openvz (1)
• snort on ovz (1)
• snort nginx detectino (1)
• nginx intruder detection (1)
• snort base nginx (1)
• openvz intrusion detection (1)
• nginx mod_security (1)