Intrusion Detection With BASE And Snort
This tutorial shows how to install and configure BASE (Basic Analysis and Security Engine) and the Snort intrusion detection system (IDS) on a Debian Sarge system. BASE provides a web front-end to query and analyze the alerts coming from a Snort IDS system. With BASE you can perform analysis of intrusions that Snort has detected on your network.
Scenario: A Linux server running Debian Sarge 3.1, set up according to Falko's The Perfect Setup - Debian Sarge (3.1).
Let's assume we have one working website (www.example.com) and that the document root is: /var/www/www.example.com/web
The IP address of the server is 192.168.0.5 and its network interface is eth0.
Needed programs and files
- Snort
- Snort rules
- PCRE (Perl Compatible Regular Expressions)
- LIBPCAP
- BASE (Basic Analysis and Security Engine)
- ADOdb (database abstraction library for PHP, and also ported to Python; BASE uses the PHP version)
Downloading and untarring
We need a temporary place for all the files that we are going to download and untar.
To keep things simple we create a directory named snorttemp under /root. (The download directory can of course have any name and live anywhere.)
cd /root
mkdir snorttemp
cd snorttemp
Now you need to get Snort.
The latest version at the time of writing is 2.6.0:
wget http://www.snort.org/dl/current/snort-2.6.0.tar.gz
The download is over plain HTTP and is not otherwise authenticated, so before unpacking compare the file against the checksum snort.org publishes for the release.
When the download is finished untar the file:
tar -xvzf snort-2.6.0.tar.gz
and remove the tarball:
rm snort-2.6.0.tar.gz
We also need the Snort rules!
Go to http://www.snort.org/pub-bin/downloads.cgi and scroll down to "Sourcefire VRT Certified Rules - The Official Snort Ruleset (unregistered user release)".
(If you are a registered member of the forum you can download the registered user release instead):
wget http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz
Move snortrules-pr-2.4.tar.gz into the snort-2.6.0 directory:
mv snortrules-pr-2.4.tar.gz /root/snorttemp/snort-2.6.0
and cd into snort-2.6.0:
cd snort-2.6.0
Untar the snortrules-pr-2.4.tar.gz file:
tar -xvzf snortrules-pr-2.4.tar.gz
Remove the tar file:
rm snortrules-pr-2.4.tar.gz
We are done downloading the files that make up Snort itself.
Snort will not build without PCRE and libpcap, and BASE needs ADOdb, so we need more:
PCRE - Perl Compatible Regular Expressions.
Go to http://www.pcre.org/ and pick a download mirror for PCRE (the current version at the time of writing is pcre-6.3.tar.gz).
cd back to the snorttemp directory:
cd /root/snorttemp
and download the pcre-6.3.tar.gz file:
wget http://surfnet.dl.sourceforge.net/sourceforge/pcre/pcre-6.3.tar.gz
Untar the file:
tar -xvzf pcre-6.3.tar.gz
Remove the tar:
rm pcre-6.3.tar.gz
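Every step in this section follows the same pattern: wget a tarball over plain HTTP, tar -xvzf it, rm it. The shell helper below is an added example, not part of the original tutorial, that wraps that pattern with the two checks worth doing before unpacking anything fetched from the network: a checksum comparison against the value you copied from the project's download page, and a scan of the archive's member list for absolute paths or ".." components that could write outside the target directory. The file names, the expected checksum and the sample archives it builds are constructed for the demonstration; substitute the real tarball and the checksum published for it.

```shell
#!/bin/sh
# Added example (not from the original tutorial): check a downloaded tarball
# before unpacking it. verify_checksum compares the file with a checksum you
# obtained from the project's download page, archive_is_safe refuses member
# names that are absolute or contain "..", and safe_untar runs both before
# extracting and deleting the archive. The archives and checksums used here
# are constructed locally, not snort.org's real values.
set -eu

# verify_checksum FILE EXPECTED_SHA256 -> 0 when the file matches, 1 otherwise.
verify_checksum() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    if [ "$actual" = "$2" ]; then return 0; else return 1; fi
}

# archive_is_safe FILE -> 0 when no member is an absolute path or contains a
# ".." component, 1 otherwise. Only lists the archive; nothing is extracted.
archive_is_safe() {
    if tar -tzf "$1" | grep -E '^/|(^|/)\.\.(/|$)' >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# safe_untar FILE EXPECTED_SHA256 DEST -> verify, inspect, extract into DEST,
# then remove the archive (the tutorial's wget / tar -xvzf / rm sequence).
safe_untar() {
    file=$1; expected=$2; dest=$3
    if ! verify_checksum "$file" "$expected"; then
        echo "checksum mismatch, refusing to unpack $file" >&2; return 1
    fi
    if ! archive_is_safe "$file"; then
        echo "unsafe member names in $file, refusing to unpack" >&2; return 1
    fi
    mkdir -p "$dest"
    tar -xzf "$file" -C "$dest"
    rm -f "$file"
}

# ---- constructed sample archives standing in for snort-2.6.0.tar.gz ----
# Prints a work directory containing good.tar.gz (relative member names) and
# bad.tar.gz (an absolute member name, stored with GNU tar's -P option).
make_samples() {
    work=$(mktemp -d)
    mkdir -p "$work/snort-2.6.0"
    echo "sample" > "$work/snort-2.6.0/README"
    tar -czf "$work/good.tar.gz" -C "$work" snort-2.6.0
    tar -cPzf "$work/bad.tar.gz" "$work/snort-2.6.0/README"
    echo "$work"
}

# Walk through the checks; returns 0 when every case behaves as expected.
demo() {
    work=$(make_samples)
    good=$(sha256sum "$work/good.tar.gz" | cut -d' ' -f1)
    rc=0
    # 1. a checksum that does not match is rejected and the file is kept
    safe_untar "$work/good.tar.gz" "deadbeef" "$work/out" && rc=1
    [ -e "$work/good.tar.gz" ] || rc=1
    # 2. an archive whose member names are absolute is rejected
    archive_is_safe "$work/bad.tar.gz" && rc=1
    # 3. a matching checksum and sane member names extract and clean up
    safe_untar "$work/good.tar.gz" "$good" "$work/out" || rc=1
    [ -f "$work/out/snort-2.6.0/README" ] || rc=1
    [ ! -e "$work/good.tar.gz" ] || rc=1
    rm -rf "$work"
    return $rc
}

demo && echo "all checks behaved as expected"
```

In the tutorial's flow you would call it as `safe_untar snort-2.6.0.tar.gz <checksum from the download page> /root/snorttemp` right after the wget. The helper uses sha256sum; if the project only publishes an MD5, swap in md5sum, bearing in mind that MD5 then only protects against a corrupted download, not a deliberately substituted one.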