Installing Snort 2.9.7.x on Ubuntu – Part 6: Installing BASE

UPDATE: Snort 2.9.9.x has been released. Please see the updated series of articles here or my quick install guide here.

I am leaving this older guide online for anyone who wants to install this older version of Snort on Ubuntu, but you really should be using the updated guide for the 2.9.9.x version of Snort, since support for older versions of Snort is set to expire, and the updated guide is kept more up to date and includes BASE instead of Snorby for a web GUI.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  1. Installing Snort
  2. Configure Snort to Run as a NIDS
  3. Writing and Testing a Single Rule With Snort
  4. Installing Barnyard2
  5. Installing PulledPork
  6. Installing BASE
  7. Creating Startup Scripts
  8. Conclusion

Overview

In the previous two articles in this series, we installed Snort, configured it to work as a NIDS with Barnyard2, and set up PulledPork to automatically download rulesets from snort.org. In this article, we are going to configure BASE, a web front end for viewing the Snort alerts stored in the MySQL database we created in earlier articles.

Onward

We start by installing the prerequisites from the Ubuntu repository:

sudo apt-get install -y apache2 libapache2-mod-php5 php5 php5-mysql php5-common php5-gd php5-cli php-pear

And then install pear Image_Graph (ignore the warnings in the output below):

sudo pear install -f Image_Graph
...
WARNING: failed to download pear.php.net/Image_Graph within preferred state "stable", will instead download version 0.8.0, stability "alpha"
WARNING: failed to download pear.php.net/Image_Canvas within preferred state "stable", will instead download version 0.3.5, stability "alpha"

...done: 9,501 bytes
install ok: channel://pear.php.net/Image_Color-1.0.4
install ok: channel://pear.php.net/Image_Canvas-0.3.5
install ok: channel://pear.php.net/Image_Graph-0.8.0

We need to install version 5.18 of ADODB (people have reported that newer versions of ADODB work, but I haven't tested them):

cd ~/snort_src
wget http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-518-for-php5/adodb518a.tgz/download -O adodb518.tgz
tar -xvzf adodb518.tgz
sudo mv adodb5 /var/adodb

Now we can download and install BASE 1.4.5:

cd ~/snort_src
wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
tar -zxvf base-1.4.5.tar.gz

Here we run into a difference between Ubuntu 12 and 13 on one side and Ubuntu 14 on the other. Ubuntu 12 and 13 use Apache 2.2, while Ubuntu 14 uses Apache 2.4. The difference affects where you copy BASE to and where the configuration file is stored.

For Ubuntu 12 and 13:

sudo mv base-1.4.5 /var/www/base/
cd /var/www/base
sudo cp base_conf.php.dist base_conf.php
sudo chown -R www-data:www-data /var/www/base
sudo chmod o-r /var/www/base/base_conf.php
sudo vi /var/www/base/base_conf.php

For Ubuntu 14:

sudo mv base-1.4.5 /var/www/html/base/
cd /var/www/html/base
sudo cp base_conf.php.dist base_conf.php
sudo chown -R www-data:www-data /var/www/html/base
sudo chmod o-r /var/www/html/base/base_conf.php
sudo vi /var/www/html/base/base_conf.php

Now, for both systems, make the following edits to base_conf.php (the line numbers refer to the unmodified base_conf.php.dist):

$BASE_urlpath = '/base';                # line 50
$DBlib_path = '/var/adodb/';            # line 80
$alert_dbname   = 'snort';              # line 102
$alert_host     = 'localhost';
$alert_port     = '';
$alert_user     = 'snort';
$alert_password = 'MYSQLSNORTPASSWORD'; # line 106

Now we need to restart Apache:

sudo service apache2 restart
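The BASE configuration step above (choose the Apache 2.2 or 2.4 web root, edit base_conf.php, and keep the file unreadable to other users because it holds the MySQL password) can be scripted rather than done by hand in vi. The following is an added example written for this article, not part of the original guide or of the BASE project: the function names, the version-to-path mapping and the sample base_conf.php it writes are my own constructions, and the password is passed in as an argument instead of the guide's MYSQLSNORTPASSWORD placeholder.

```shell
#!/bin/sh
# Added example (not from the original guide): script the base_conf.php edits
# and verify them. Paths follow the guide; everything else is an assumption.

# Map an Apache version to the BASE directory the guide uses:
# Apache 2.2 (Ubuntu 12/13) -> /var/www/base, Apache 2.4 (Ubuntu 14) -> /var/www/html/base.
base_docroot() {
    case "$1" in
        2.2.*) echo /var/www/base ;;
        2.4.*) echo /var/www/html/base ;;
        *)     echo "unsupported Apache version: $1" >&2; return 1 ;;
    esac
}

# Report the installed Apache version, e.g. "2.4.7" (only meaningful on a real host).
apache_version() {
    apache2 -v 2>/dev/null | sed -n 's|^Server version: Apache/\([0-9.]*\).*|\1|p'
}

# Escape a string for use in a sed replacement that uses '|' as delimiter.
sed_escape() {
    printf '%s' "$1" | sed 's/[\\&|]/\\&/g'
}

# Apply the guide's edits to base_conf.php in place.
# $1 = path to base_conf.php, $2 = password of the MySQL 'snort' user.
configure_base_conf() {
    conf="$1"
    case "$2" in
        *"'"*) echo "password must not contain a single quote (it would end the PHP string)" >&2; return 1 ;;
    esac
    pass=$(sed_escape "$2")
    sed \
        -e "s|^[\$]BASE_urlpath *=.*|\$BASE_urlpath = '/base';|" \
        -e "s|^[\$]DBlib_path *=.*|\$DBlib_path = '/var/adodb/';|" \
        -e "s|^[\$]alert_dbname *=.*|\$alert_dbname   = 'snort';|" \
        -e "s|^[\$]alert_host *=.*|\$alert_host     = 'localhost';|" \
        -e "s|^[\$]alert_port *=.*|\$alert_port     = '';|" \
        -e "s|^[\$]alert_user *=.*|\$alert_user     = 'snort';|" \
        -e "s|^[\$]alert_password *=.*|\$alert_password = '$pass';|" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    # The file now contains a database password: drop the "other" read bit,
    # exactly as the guide's chmod o-r does.
    chmod o-r "$conf"
}

# Check the settings that most often go wrong (DB name, ADODB path) and that
# the file is not world-readable. Returns 0 when everything is in order.
verify_base_conf() {
    conf="$1"
    grep -q "^[\$]alert_dbname *= *'snort';" "$conf" || { echo "alert_dbname not set" >&2; return 1; }
    grep -q "^[\$]DBlib_path *= *'/var/adodb/';" "$conf" || { echo "DBlib_path not set" >&2; return 1; }
    # 8th character of "ls -l" output is the "other" read bit.
    other_read=$(ls -l "$conf" | cut -c8)
    [ "$other_read" = "-" ] || { echo "$conf is world-readable" >&2; return 1; }
    return 0
}

# Write a small constructed stand-in for base_conf.php.dist containing just the
# lines the guide edits, so the functions above can be tried without BASE installed.
write_sample_conf() {
    cat > "$1" <<'EOF'
<?php
$BASE_urlpath = '';
$DBlib_path = '';
$alert_dbname   = 'snort_log';
$alert_host     = 'localhost';
$alert_port     = '';
$alert_user     = 'snort';
$alert_password = 'mypassword';
?>
EOF
    chmod 644 "$1"
}

# Dry run against a temporary copy when BASE_DEMO=1 is set in the environment.
if [ "${BASE_DEMO:-0}" = 1 ]; then
    tmp=$(mktemp -d)
    write_sample_conf "$tmp/base_conf.php"
    configure_base_conf "$tmp/base_conf.php" 'MYSQLSNORTPASSWORD'
    verify_base_conf "$tmp/base_conf.php" && cat "$tmp/base_conf.php"
    rm -rf "$tmp"
fi
```

Run `BASE_DEMO=1 sh base_conf.sh` to see the edits applied to the sample file. On a real server, source the file and call `sudo sh -c '. ./base_conf.sh; configure_base_conf "$(base_docroot "$(apache_version)")/base_conf.php" "your-password"; verify_base_conf ...'` against the copy of base_conf.php you made from base_conf.php.dist; the verify step is worth keeping in a post-install checklist, since a world-readable base_conf.php exposes the MySQL snort password to every local account.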

The last step to configure BASE is done through the web interface:

  1. Browse to http://ServerIP/base/index.php and click on the “setup page” link (replace ServerIP with the IP of your Snort server).
  2. Click on the “Create BASE AG” button on the upper right of the page.
  3. Click on the “Main page” link.

Congratulations: if you see the ICMP events in the BASE web page, you have successfully set up BASE. Continue to the next section, Creating Startup Scripts for Snort and Barnyard2.
