Intrusion Detection With BASE And Snort
This tutorial shows how to install and configure BASE (Basic Analysis and Security Engine) and the Snort intrusion detection system (IDS) on a Debian Sarge system. BASE provides a web front-end to query and analyze the alerts coming from a Snort IDS system. With BASE you can perform analysis of intrusions that Snort has detected on your network.
Scenario: a Linux server running Debian Sarge 3.1, set up according to Falko's The Perfect Setup - Debian Sarge (3.1).
Let's assume we have one working website (www.example.com) and that the document root is: /var/www/www.example.com/web
The IP address of the server is 192.168.0.5 and its network interface is eth0.
Needed programs and files
- Snort
- Snort rules
- PCRE (Perl Compatible Regular Expressions)
- BASE (Basic Analysis and Security Engine)
- ADOdb (database abstraction library for PHP, also available for Python)
Downloading and untarring
We need a temporary place for all the files that we are going to download and untar.
To keep things simple we will create a directory named snorttemp in /root. (The download directory can of course have any name and live anywhere.)
Now you need to get Snort.
The latest version at the time of writing is 2.6.0.
When the download is finished, untar the file:
tar -xvzf snort-2.6.0.tar.gz
And let's remove the tar file:
We also need the Snort rules!
Go to http://www.snort.org/pub-bin/downloads.cgi and scroll down until you see the "Sourcefire VRT Certified Rules - The Official Snort Ruleset (unregistered user release)" rules.
(If you are a member of the forum you can also download the registered user release.)
Move snortrules-pr-2.4.tar.gz into the snort-2.6.0 directory:
mv snortrules-pr-2.4.tar.gz /root/snorttemp/snort-2.6.0
and cd into snort-2.6.0:
Untar the snortrules-pr-2.4.tar.gz file:
tar -xvzf snortrules-pr-2.4.tar.gz
Remove the tar file:
We are done downloading the files needed to get Snort itself to work.
To make Snort work with BASE, we need more.
PCRE - Perl Compatible Regular Expressions.
Go to http://www.pcre.org/ and download the PCRE tarball (pcre-6.3.tar.gz at the time of writing).
cd back to the snorttemp directory:
and download the pcre-6.3.tar.gz file:
Untar the file:
tar -xvzf pcre-6.3.tar.gz
Remove the tar file:
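The steps above (download, untar, delete the archive) are repeated for every package, and the tutorial untars each file straight away. Before extracting something that will run as root, it is worth checking the archive's digest against the value published beside the download and making sure the archive cannot write outside the directory you extract into. The helper below is an added example and is not part of the original tutorial; it assumes the expected digest is copied from the project's download page, that sha256sum is available (Debian Sarge's coreutils only ships md5sum, so set HASH_TOOL=md5sum and use the published MD5 there), and it only deletes the archive after a successful, verified extraction.

```shell
#!/bin/sh
# Added example, not from the original tutorial: verify a downloaded tarball
# and extract it safely. Assumptions (not in the original): the expected
# digest comes from the download page; HASH_TOOL defaults to sha256sum.
set -u

: "${HASH_TOOL:=sha256sum}"

# hash_matches FILE EXPECTED -> 0 if FILE's digest equals EXPECTED (case-insensitive)
hash_matches() {
    file=$1; expected=$2
    actual=$("$HASH_TOOL" "$file" 2>/dev/null | cut -d' ' -f1)
    [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# tarball_is_safe FILE -> 0 unless a member path is absolute or contains '..'
# (a hostile archive could otherwise drop files outside the extraction dir;
# recent GNU tar refuses such members itself, older versions may not)
tarball_is_safe() {
    members=$(tar -tzf "$1" 2>/dev/null) || return 1
    printf '%s\n' "$members" | grep -q \
        -e '^/' -e '^\.\./' -e '^\.\.$' -e '/\.\./' -e '/\.\.$' && return 1
    return 0
}

# verify_extract FILE EXPECTED_DIGEST DESTDIR
#   2 = digest mismatch (archive kept for inspection, nothing extracted)
#   3 = unsafe member paths (nothing extracted)
#   1 = tar/mkdir failure, 0 = extracted and archive removed
verify_extract() {
    file=$1; expected=$2; dest=$3
    if ! hash_matches "$file" "$expected"; then
        echo "digest mismatch for $file; not extracting" >&2
        return 2
    fi
    if ! tarball_is_safe "$file"; then
        echo "$file contains absolute or '..' paths; refusing to extract" >&2
        return 3
    fi
    mkdir -p "$dest" || return 1
    tar -xzf "$file" -C "$dest" || return 1
    rm -f "$file"
}

# fetch_verify_extract URL EXPECTED_DIGEST DESTDIR: the tutorial's
# download / untar / remove sequence with the checks added in between.
fetch_verify_extract() {
    url=$1; expected=$2; dest=$3
    file="$dest/$(basename "$url")"
    mkdir -p "$dest" || return 1
    wget -q -O "$file" "$url" || { rm -f "$file"; return 1; }
    verify_extract "$file" "$expected" "$dest"
}

# Usage when run directly: sh fetch.sh URL DIGEST [DESTDIR]
# e.g. the Snort tarball's URL and its published digest, into /root/snorttemp.
if [ "$#" -ge 2 ]; then
    fetch_verify_extract "$1" "$2" "${3:-/root/snorttemp}"
fi
```

Run it once per tarball (Snort, the rules, PCRE, BASE, ADOdb) with the URL and digest from each download page; on a mismatch the archive is left in place so you can compare it against the published value rather than silently building from it.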