Intrusion Detection With BASE And Snort

This tutorial shows how to install and configure BASE (Basic Analysis and Security Engine) and the Snort intrusion detection system (IDS) on a Debian Sarge system. BASE provides a web front-end to query and analyze the alerts coming from a Snort IDS system. With BASE you can perform analysis of intrusions that Snort has detected on your network.

Scenario: A Linux server running Debian Sarge 3.1, set up according to Falko's - The Perfect Setup - Debian Sarge (3.1).
Let's assume we have one working website ( and that the document root is /var/www/.
The IP of the server is and it is using eth0 as its network interface name.

Needed programs and files

  • Snort
  • Snort rules
  • PCRE (Perl Compatible Regular Expressions)
  • BASE (Basic Analysis and Security Engine)
  • ADOdb (Database Abstraction Library for PHP (and Python))

Downloading and untaring

We need a temporary place for all the files that we are going to download and untar.
To keep things simple we will create a directory named snorttemp in /root. (This download directory can of course have any name and be in any place.)

cd /root
mkdir snorttemp
cd snorttemp

Now you need to get Snort.
The latest version at the time of writing is 2.6.0.


When the download is finished untar the file:

tar -xvzf snort-2.6.0.tar.gz

And let’s remove the tar file:

rm snort-2.6.0.tar.gz

We also need the Snort rules!
Go to: and scroll down until you see the "Sourcefire VRT Certified Rules - The Official Snort Ruleset (unregistered user release)" rules.
(If you are a member of the forum you can also download the registered user release):


Move the snortrules-pr-2.4.tar.gz into the snort-2.6.0 directory:

mv snortrules-pr-2.4.tar.gz /root/snorttemp/snort-2.6.0

and cd into snort-2.6.0:

cd snort-2.6.0

Untar the snortrules-pr-2.4.tar.gz file:

tar -xvzf snortrules-pr-2.4.tar.gz

Remove the tar file:

rm snortrules-pr-2.4.tar.gz

We are done downloading the files needed to get Snort to work.

To make snort work with BASE, we need more!

PCRE - Perl Compatible Regular Expressions.

Go to: and select a download link for the pcre-6.3.tar.gz file to download PCRE (at the time of writing the current file is pcre-6.3.tar.gz).
cd back to the snorttemp directory:

cd /root/snorttemp

and download the pcre-6.3.tar.gz file:


Untar the file:

tar -xvzf pcre-6.3.tar.gz

Remove the tar:

rm pcre-6.3.tar.gz

15 Comment(s)


From: Anonymous at: 2006-07-21 15:13:09

After editing the "user", "password" and "dbname" (on page 3) it's time to make a new SQL database.

Login to your SQL server

mysql -u root -p
(Enter password)

mysql> create database snort;
mysql> exit

Now that you have a SQL database ready, we can use the SNORT schemas for the proper layout.

mysql -D snort -u root -p < /root/snorttemp/snort-2.6.0/schemas/create_mysql
(Enter password)

Finally we are ready to test snort.

snort -c /etc/snort/snort.conf


        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.6.0 (Build 59)
   ''''    By Martin Roesch & The Snort Team:
           (C) Copyright 1998-2006 Sourcefire Inc., et al.

From: Anonymous at: 2013-05-13 18:27:47

What if you get an error that says: parsing rules file "/etc/snort/snort.conf"

 error: /etc/snort/snort.conf(1) Invalid configuration line :FdF#..................................................

From: Anonymous at: 2006-08-10 16:56:58

If you get:
configure: error: C++ preprocessor "/lib/cpp" fails sanity check
when running:

./configure --enable-dynamicplugin --with-mysql

You may need to install the gcc c++ compiler.

Just run:

apt-get install g++

...and when it's finished, rerun the configure command, and you should be sorted out.

From: at: 2007-04-26 03:53:09

If you are running a test of snort:

snort -c /etc/snort/snort.conf

and get an error like this:

ERROR: ERROR /etc/snort/rules/web-misc.rules Line 452 => unable to parse pcre regex "fn=Eye\d{4}_\d{2}.log/Rmsi"
Fatal Error, Quitting..

Solution:

You must edit the file /etc/snort/rules/web-misc.rules with your favorite text editor, on line 452, and:

change/add the line above:

with:

Just add '/' in front of the line.

From: HomeSen at: 2009-08-03 09:22:57

Hi @ all,

I ran into some issues with my snort install on Debian 5r2. And I thought it might be helpful to post the solutions I found:

1. While running ./configure... I got mysql.h not found

You need to install the package libmysqlclient-dev

2. Loading dynamic detection library /usr/local/lib/snort_dynamicrules/ ERROR: Failed to load /usr/local/lib/snort_dynamicrules/ /usr/local/lib/snort_dynamicrules/ cannot open shared object file: No such file or directory
Fatal Error, Quitting..

This one can be fixed by copying all files from <snort_src_folder>/so_rules/precompiled/Debian-Lenny/i386/2.8.4/ to /usr/local/lib/snort_dynamicrules/

3. When trying to start snort, I also got the following: ERROR: ERROR /etc/snort/rules/exploit.rules(23): Couldn't resolve hostname HOME_NET
Fatal Error, Quitting..

That was a tricky one, since it wasn't that easy to localize the root of the evil. In snort.conf you have to change the line:




Because the dollar sign is missing there.

Hope this helps a few who were as unlucky as I was ;-)
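
The HOME_NET error in item 3 above is what Snort reports when a variable is referenced without its '$'. As an added example that is not part of the tutorial or of this comment, the following Python checker scans constructed snort.conf and rules text for bare or undefined variable names so the mistake is caught before Snort is started:

```python
# Added example (not from the tutorial): flag Snort variable references that
# lack their '$'. Snort reads a bare HOME_NET in an address field as a
# hostname, producing the "Couldn't resolve hostname HOME_NET" error above.
import re

# Snort 2.x rule header: action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r"^(alert|log|pass|drop|reject|sdrop)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)"
    r"\s+(\S+)\s+(\S+)\s*\("
)
VAR_RE = re.compile(r"^(?:var|ipvar|portvar)\s+(\w+)\s+(\S+)")

def _atoms(field):
    """Split a list field like '![$HOME_NET,10.0.0.0/8]' into bare atoms."""
    return [a for a in re.split(r"[\[\],!]", field) if a]

def _check(atoms, defined, where, line_no, findings):
    for atom in atoms:
        if atom in defined:  # a defined variable used without its '$'
            findings.append((where, line_no, "missing $", atom))
        elif atom.startswith("$") and atom[1:] not in defined:
            findings.append((where, line_no, "undefined", atom[1:]))

def lint_snort_vars(conf_text, rules_text):
    """Return (where, line, problem, name) tuples; variables must be defined
    in snort.conf before use, so the conf is scanned top-down."""
    defined, findings = set(), []
    for n, line in enumerate(conf_text.splitlines(), 1):
        m = VAR_RE.match(line.strip())
        if m:
            _check(_atoms(m.group(2)), defined, "snort.conf", n, findings)
            defined.add(m.group(1))
    for n, line in enumerate(rules_text.splitlines(), 1):
        m = RULE_RE.match(line.strip())
        if m:
            fields = [m.group(i) for i in (3, 4, 6, 7)]
            _check(sum(map(_atoms, fields), []), defined, "rules", n, findings)
    return findings

# Constructed sample input: conf line 2 and rule 1 reproduce the missing-'$'
# mistake from the comment above; rule 3 references a variable never defined.
CONF = """var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !HOME_NET
var HTTP_SERVERS $HOME_NET
portvar HTTP_PORTS 80
"""
RULES = """alert tcp $EXTERNAL_NET any -> HOME_NET 21 (msg:"sample"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ok"; sid:1000002;)
alert tcp $EXTERNAL_NET any -> $DMZ_NET 23 (msg:"undef"; sid:1000003;)
"""
```

Calling lint_snort_vars(CONF, RULES) reports the bare HOME_NET in the conf and in rule 1, plus the undefined $DMZ_NET in rule 3; run it over your own /etc/snort/snort.conf and rules files before starting snort -c.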

From: Anonymous at: 2009-05-19 18:29:29

thanks.....this tutorial helped me out a lot.

From: Anonymous at: 2006-07-10 21:30:13

Nice, easy to follow tutorial. Keep up the good work!

It's been a while that I've been meaning to get back to using snort. I think I'll give a try sometime this week. Never used BASE, I'll probably try it out this Wednesday.

Good Stuff.

--Jon Z

From: Anonymous at: 2006-08-06 00:56:50

Not bad actually, but the project still hasn't grown up; if you use commercial variants you know this is nowhere near comparable to them...

From: kav5 at: 2006-09-08 19:51:18

Looks good but it is not complete. It would be very nice to add the snortsam installation to the tutorial because it implements an IPS system (to block attackers automatically).

From: Anonymous at: 2009-04-15 19:05:35

If you get this:

Warning: include_once(Mail.php) [function.include-once]: failed to open stream: No such file or directory in /var/www/web/base-php4/includes/ on line 29



Try issuing these commands and see if it helps:

pear install Mail
pear install Mail_Mime

From: pevma at: 2010-02-26 11:16:57

Also folks,

to get the graphics working by country and world maps:

There are 2 files:

1. world_map6.png

2. world_map6.txt

do a search:

find / -iregex ".*world_map6.png"

You will find the file...then copy it to where your "PEAR directory" is.

You will find your "PEAR directory" after you execute:

pear config-show

Then copy the 2 files into the "PEAR directory" under /Image/Graph/Images/Maps/

so the FULL path should look something like this:



That solves one of the problems...then you get an error like ".... couldn't find...or not defined $GeoIPfree_file_ascii and $ip2cc"...something of the sort...for this purpose, in your cmd execute:

perl -MCPAN -e 'install  Geography::Countries'


 perl -MCPAN -e 'install  IP::Country'

ok...almost there

Then find your base_conf.php - it should be somewhere in your /var/www/ directory or the directories under that.

Edit the file /base_conf.php/ - towards the end you will find

" $IP2CC..." uncomment that...maybe restart your browser or clear the cache of your browser and you are ready to go!!!

That's it

From: wisedud2u at: 2010-04-05 10:43:49

After you install Geography::Countries, do this:

root@a3s:~#  cd /usr/lib/perl5/site_perl/5.8.8/Geo/


 root@a3s:Geo#perl ./ipscountry.dat /path/to/your/htdocs/base/ips-ascii.txt


From: at: 2007-07-23 04:59:25

This guide is a pretty good start but I actually found Patrick Harper's guide to be more in-depth. His guide is available at which I've used to develop a Snort/Centos/BASE install cd that I'm calling EasyIDS.

From: at: 2008-01-14 10:59:27

Thanks a lot for your tutorial. It allowed me to get everything up and running in a very short time.

From: Bob at: 2015-03-11 21:22:52

Doesn't look like the latest version of snort contains the needed mysql plugin, so it doesn't look like BASE can be used as it interfaces with mysql. Can someone verify this?