HowtoForge

Intrusion Detection With BASE And Snort


This tutorial shows how to install and configure BASE (Basic Analysis and Security Engine) and the Snort intrusion detection system (IDS) on a Debian Sarge system. BASE provides a web front-end to query and analyze the alerts coming from a Snort IDS system. With BASE you can perform analysis of intrusions that Snort has detected on your network.

Scenario: a Linux server running Debian Sarge 3.1, set up according to Falko's The Perfect Setup - Debian Sarge (3.1).
Let's assume we have one working website (www.example.com) and that its document root is /var/www/www.example.com/web.
The IP of the server is 192.168.0.5 and its network interface is eth0.

Needed programs and files

Downloading and untaring

We need a temporary place for all the files that we are going to download and untar.
To keep things simple we will create a directory named snorttemp in /root. (The download directory can of course have any name and live anywhere.)

cd /root
mkdir snorttemp
cd snorttemp

Now you need to get Snort.
The latest version at the time of writing is 2.6.0.

wget http://www.snort.org/dl/current/snort-2.6.0.tar.gz

When the download is finished untar the file:

tar -xvzf snort-2.6.0.tar.gz

And let’s remove the tar file:

rm snort-2.6.0.tar.gz

We also need the Snort rules!
Go to http://www.snort.org/pub-bin/downloads.cgi and scroll down until you see the "Sourcefire VRT Certified Rules - The Official Snort Ruleset (unregistered user release)" rules
(if you are a registered member of the forum you can also download the registered user release):

wget http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz

Move snortrules-pr-2.4.tar.gz into the snort-2.6.0 directory:

mv snortrules-pr-2.4.tar.gz /root/snorttemp/snort-2.6.0

and cd into snort-2.6.0:

cd snort-2.6.0

Untar the snortrules-pr-2.4.tar.gz file:

tar -xvzf snortrules-pr-2.4.tar.gz

Remove the tar file:

rm snortrules-pr-2.4.tar.gz

We are done downloading the files needed to get Snort to work.

To make Snort work with BASE, we need more!

PCRE - Perl Compatible Regular Expressions.

Go to http://www.pcre.org/ and select a download link for PCRE (at the time of writing this is pcre-6.3.tar.gz).
cd back to the snorttemp directory:

cd /root/snorttemp

and download the pcre-6.3.tar.gz file:

wget http://surfnet.dl.sourceforge.net/sourceforge/pcre/pcre-6.3.tar.gz

Untar the file:

tar -xvzf pcre-6.3.tar.gz

Remove the tar:

rm pcre-6.3.tar.gz
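Every tarball in this tutorial (Snort, the rule set and PCRE) is fetched over plain HTTP and unpacked straight away, so nothing on the way from snort.org or SourceForge to /root/snorttemp is checked. The following is an added example, not part of the original tutorial, of a small POSIX shell helper that refuses to extract an archive unless its SHA-256 digest matches a value you obtained out of band (the publisher's signed checksum file, not the same unauthenticated page the tarball came from), and that also rejects archives whose member paths would escape the target directory. The digest values in the usage comment are placeholders and an assumption; sha256sum from coreutils is assumed, with an openssl fallback.

```shell
#!/bin/sh
# Added example, not part of the HowtoForge tutorial: verify a downloaded
# tarball against a known SHA-256 digest and check its member paths before
# extracting it. Digest values are assumptions (placeholders); take the real
# ones from the publisher's signed checksum file.

# sha256_of FILE: print the hex SHA-256 of FILE (coreutils, openssl fallback)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX: exit status 0 on match, 1 otherwise
verify_sha256() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# extract_verified TARBALL EXPECTED_HEX DESTDIR
# Extracts TARBALL into DESTDIR only if its digest matches and no member uses
# an absolute path or a ".." component (either could write outside DESTDIR).
extract_verified() {
    tarball="$1"
    expected="$2"
    dest="$3"
    verify_sha256 "$tarball" "$expected" || return 1
    if tar -tzf "$tarball" | grep -qE '^/|(^|/)\.\.(/|$)'; then
        echo "refusing $tarball: absolute or parent-directory paths inside" >&2
        return 1
    fi
    mkdir -p "$dest" || return 1
    tar -xzf "$tarball" -C "$dest"
}

# Usage in the tutorial's layout (the digest is a placeholder, not a real value):
#   SNORT_SHA256=<digest from the publisher's checksum file>
#   extract_verified /root/snorttemp/snort-2.6.0.tar.gz "$SNORT_SHA256" /root/snorttemp \
#       && rm /root/snorttemp/snort-2.6.0.tar.gz
```

The same call works for snortrules-pr-2.4.tar.gz and pcre-6.3.tar.gz; the point is that the rm of the tarball only happens after a successful, verified extraction, so a corrupted or substituted download never ends up compiled into the IDS.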