Intrusion Detection With BASE And Snort

This tutorial shows how to install and configure BASE (Basic Analysis and Security Engine) and the Snort intrusion detection system (IDS) on a Debian Sarge system. BASE provides a web front-end to query and analyze the alerts coming from a Snort IDS system. With BASE you can perform analysis of intrusions that Snort has detected on your network.

Scenario: A Linux server running Debian Sarge 3.1, set up according to Falko's "The Perfect Setup - Debian Sarge (3.1)".
Let's assume we have one working website (www.example.com) and that its document root is /var/www/www.example.com/web.
The IP of the server is 192.168.0.5 and it uses eth0 as its network interface.

Needed programs and files

  • Snort
  • Snort rules
  • PCRE (Perl Compatible Regular Expressions)
  • LIBPCAP
  • BASE (Basic Analysis and Security Engine)
  • ADOdb (the ADOdb database abstraction library for PHP and Python)

Downloading and untarring

We need a temporary place for all the files that we are going to download and untar.
To keep things simple we will create a directory named snorttemp in /root. (The download directory can of course have any name and live anywhere.)

cd /root
mkdir snorttemp
cd snorttemp

Now you need to get Snort.
The latest version at the time of writing is 2.6.0.

wget http://www.snort.org/dl/current/snort-2.6.0.tar.gz

When the download is finished untar the file:

tar -xvzf snort-2.6.0.tar.gz

And let’s remove the tar file:

rm snort-2.6.0.tar.gz

We also need the Snort rules!
Go to http://www.snort.org/pub-bin/downloads.cgi and scroll down until you see the "Sourcefire VRT Certified Rules - The Official Snort Ruleset (unregistered user release)" rules.
(If you are a registered member of the forum you can also download the registered user release.)

wget http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz

Move snortrules-pr-2.4.tar.gz into the snort-2.6.0 directory:

mv snortrules-pr-2.4.tar.gz /root/snorttemp/snort-2.6.0

and cd into snort-2.6.0:

cd snort-2.6.0

Untar the snortrules-pr-2.4.tar.gz file:

tar -xvzf snortrules-pr-2.4.tar.gz

Remove the tar file:

rm snortrules-pr-2.4.tar.gz

We are done downloading the files needed to get Snort to work.

To make snort work with BASE, we need more!

PCRE - Perl Compatible Regular Expressions.

Go to http://www.pcre.org/ and select a download link for the pcre-6.3.tar.gz file to download PCRE (at the time of writing the current release is pcre-6.3.tar.gz).
cd back to the snorttemp directory:

cd /root/snorttemp

and download the pcre-6.3.tar.gz file:

wget http://surfnet.dl.sourceforge.net/sourceforge/pcre/pcre-6.3.tar.gz

Untar the file:

tar -xvzf pcre-6.3.tar.gz

Remove the tar:

rm pcre-6.3.tar.gz


Comments

From: Anonymous at: 2006-07-21 15:13:09

After editing the "user", "password" and "dbname" (on page 3) it's time to make a new SQL database.

Login to your SQL server

mysql -u root -p
(Enter password)

mysql> create database snort;
mysql> exit

Now that you have a SQL database ready, we can use the SNORT schemas for the proper layout.

mysql -D snort -u root -p < /root/snorttemp/snort-2.6.0/schemas/create_mysql
(Enter password)

Finally we are ready to test snort.

snort -c /etc/snort/snort.conf

EXAMPLE: 

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.6.0 (Build 59)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2006 Sourcefire Inc., et al.
 
Enjoy!

From: Anonymous at: 2006-08-10 16:56:58

If you get:

configure: error: C++ preprocessor "/lib/cpp" fails sanity check

when running:

./configure --enable-dynamicplugin --with-mysql

you may need to install the GCC C++ compiler. Just run:

apt-get install g++

...and when it's finished, rerun the configure command, and you should be sorted out.


From: at: 2007-04-26 03:53:09

If you run the Snort test:

snort -c /etc/snort/snort.conf

and get an error like this:

ERROR: ERROR /etc/snort/rules/web-misc.rules Line 452 => unable to parse pcre regex "fn=Eye\d{4}_\d{2}.log/Rmsi"
Fatal Error, Quitting..

Solution:

You must edit the file /etc/snort/rules/web-misc.rules with your favorite text editor, on line 452, and change the line:

pcre:"fn=Eye\d{4}_\d{2}.log/Rmsi"

to:

pcre:"/fn=Eye\d{4}_\d{2}.log/Rmsi"

Just add a '/' at the front.

From: HomeSen at: 2009-08-03 09:22:57

Hi @ all,

I ran into some issues with my snort install on Debian 5r2. And I thought it might be helpful to post the solutions I found:

1. While running ./configure... I got mysql.h not found

You need to install the package libmysqlclient-dev

2. Loading dynamic detection library /usr/local/lib/snort_dynamicrules/bad-traffic.so... ERROR: Failed to load /usr/local/lib/snort_dynamicrules/bad-traffic.so: /usr/local/lib/snort_dynamicrules/bad-traffic.so: cannot open shared object file: No such file or directory
Fatal Error, Quitting..

This one can be fixed by copying all files from <snort_src_folder>/so_rules/precompiled/Debian-Lenny/i386/2.8.4/ to /usr/local/lib/snort_dynamicrules/

3. When trying to start snort, I also got the following: ERROR: ERROR /etc/snort/rules/exploit.rules(23): Couldn't resolve hostname HOME_NET
Fatal Error, Quitting..

That was a tricky one, since it wasn't that easy to localize the root of the evil. In snort.conf you have to change the line:

var EXTERNAL_NET !HOME_NET

to

var EXTERNAL_NET !$HOME_NET

because the dollar sign is missing there.

Hope this helps a few who were as unlucky as I was ;-)
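
The pcre error in the comment from 2007-04-26 and the HOME_NET error described just above are both rule/config typos that only surface when Snort refuses to start. The following lint script is an added example (my own code, not part of the tutorial, the comments, or the Snort project) that catches both kinds of mistake before startup; the sample rule and snort.conf lines are constructed, and the missing-'$' check is a heuristic of mine rather than Snort's own parsing.

```python
import re

# Constructed sample input (not from the page): one rule whose pcre option lacks
# the leading '/' delimiter and one that is correct, plus a snort.conf fragment
# where EXTERNAL_NET negates the bare name HOME_NET instead of $HOME_NET.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"bad"; pcre:"fn=Eye\d{4}_\d{2}.log/Rmsi"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"ok"; pcre:"/fn=Eye\d{4}_\d{2}.log/Rmsi"; sid:1000002;)
'''
SAMPLE_CONF = '''
var HOME_NET 192.168.0.0/24
var EXTERNAL_NET !HOME_NET
var DNS_SERVERS $HOME_NET
'''

# pcre option syntax is pcre:[!]"<body>" where <body> is /regex/flags or
# m<delim>regex<delim>flags; only the quoted body is captured here.
PCRE_OPT = re.compile(r'pcre:\s*!?\s*"(?P<body>[^"]*)"')
VAR_LINE = re.compile(r'^\s*var\s+(?P<name>\w+)\s+(?P<value>\S+)')

def pcre_has_delimiter(body):
    """True if the body opens with '/' or with an m<delim> custom delimiter."""
    if body.startswith('/'):
        return True
    return len(body) > 1 and body[0] == 'm' and not body[1].isalnum()

def check_pcre(rules_text):
    """Return (line_no, body) for every pcre option that has no delimiter."""
    findings = []
    for no, line in enumerate(rules_text.splitlines(), 1):
        for m in PCRE_OPT.finditer(line):
            if not pcre_has_delimiter(m.group('body')):
                findings.append((no, m.group('body')))
    return findings

def check_vars(conf_text):
    """Return (line_no, name, value) for var lines whose value, after an optional
    leading '!', is the bare name of an earlier var, i.e. a missing '$' prefix."""
    defined, findings = set(), []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = VAR_LINE.match(line)
        if not m:
            continue
        name, value = m.group('name'), m.group('value')
        if value.lstrip('!') in defined:
            findings.append((no, name, value))
        defined.add(name)
    return findings
```

To check a real installation, pass the contents of /etc/snort/rules/*.rules to check_pcre and the contents of /etc/snort/snort.conf to check_vars; each returned tuple carries the offending line number.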

From: Anonymous at: 2013-05-13 18:27:47

What if you get an error that says parsing rules file "/etc/snort/snort.conf"

error: /etc/snort/snort.conf(1) Invalid configuration line :FdF#..................................................

From: Anonymous at: 2009-05-19 18:29:29

thanks.....this tutorial helped me out a lot.

From: Anonymous at: 2006-07-10 21:30:13

Nice, easy to follow tutorial. Keep up the good work!

It's been a while that I've been meaning to get back to using snort. I think I'll give a try sometime this week. Never used BASE, I'll probably try it out this Wednesday.

Good Stuff.

--Jon Z
http://jzencovich.blogspot.com/

From: Anonymous at: 2006-08-06 00:56:50

Not bad actually, but the project has still not grown up; if you use commercial variants you know this is nowhere near comparable to them...

From: kav5 at: 2006-09-08 19:51:18

Looks good but it is not complete. It would be very nice to add the SnortSam installation to the tutorial because it implements an IPS (to block attackers automatically).

From: Anonymous at: 2009-04-15 19:05:35

If you get these:

Warning: include_once(Mail.php) [function.include-once]: failed to open stream: No such file or directory in /var/www/web/base-php4/includes/base_action.inc.php on line 29

...

Try issuing these commands and see if it helps:

pear install Mail
pear install Mail_Mime

From: at: 2007-07-23 04:59:25

This guide is a pretty good start but I actually found Patrick Harper's guide to be more in-depth. His guide is available at www.internetsecurityguru.com which I've used to develop a Snort/Centos/BASE install cd that I'm calling EasyIDS.

From: at: 2008-01-14 10:59:27

Thanks a lot for your tutorial. It allowed me to get everything up and running in a very short time.

From: pevma at: 2010-02-26 11:16:57

Also folks,

to get the graphics working by country and world maps:

There are 2 files:

1. world_map6.png
2. world_map6.txt

Do a search:

find / -iregex ".*world_map6.png"

You will find the file... then copy it to where your "PEAR directory" is.

You will find your "PEAR directory" after you execute:

pear config-show

Then copy the 2 files into the "PEAR directory" under /Image/Graph/Images/Maps/

so the FULL path should look something like this:

/usr/share/php/Image/Graph/Images/Maps/

That solves one of the problems... then you get an error like "... couldn't find... or not defined $GeoIPfree_file_ascii and $ip2cc"... something of the sort... for this purpose in your cmd execute:

perl -MCPAN -e 'install  Geography::Countries'

then

perl -MCPAN -e 'install  IP::Country'

ok... almost there

Then find your base_conf.php - it should be somewhere in your /var/www/ directory or the directories under that.

Edit the file base_conf.php; towards the end you will find

" $IP2CC..." uncomment that... maybe restart your browser or clear the cache of your browser and you are ready to go!!!

That's it

From: wisedud2u at: 2010-04-05 10:43:49

After you install Geography::Countries do this:

root@a3s:~# cd /usr/lib/perl5/site_perl/5.8.8/Geo/

root@a3s:Geo# wget http://cpansearch.perl.org/src/BRICAS/Geo-IPfree-0.6/misc/ipct2txt.pl

root@a3s:Geo# perl ipct2txt.pl ./ipscountry.dat /path/to/your/htdocs/base/ips-ascii.txt