Installing Snort 2.9.7.x on Ubuntu – Part 6: Installing BASE
I am leaving this older guide online for anyone who wants to install this older version of Snort on Ubuntu, but you really should be using the updated guide for the 2.9.9.x version of Snort, since support for older versions of Snort is set to expire, and the updated guide is kept more up to date and includes BASE instead of Snorby for a Web GUI.
- Installing Snort
- Configure Snort to Run as a NIDS
- Writing and Testing a Single Rule With Snort
- Installing Barnyard2
- Installing PulledPork
- Installing BASE
- Creating Startup Scripts
In the previous two articles in this series, we installed Snort, configured it to work as a NIDS with Barnyard2, and set up PulledPork to automatically download rulesets from snort.org. In this article, we configure BASE, a web front end for viewing the Snort alerts stored in the MySQL database we created in earlier articles.
We start by installing prerequisites from the Ubuntu repository:
sudo apt-get install -y apache2 libapache2-mod-php5 php5 php5-mysql php5-common php5-gd php5-cli php-pear
And then install pear Image_Graph (ignore the warnings below):
sudo pear install -f Image_Graph
...
WARNING: failed to download pear.php.net/Image_Graph within preferred state "stable", will instead download version 0.8.0, stability "alpha"
WARNING: failed to download pear.php.net/Image_Canvas within preferred state "stable", will instead download version 0.3.5, stability "alpha"
...done: 9,501 bytes
install ok: channel://pear.php.net/Image_Color-1.0.4
install ok: channel://pear.php.net/Image_Canvas-0.3.5
install ok: channel://pear.php.net/Image_Graph-0.8.0
We need to install version 5.18 of ADODB (people have reported that newer versions of ADODB work, but I haven’t tested them):
cd ~/snort_src
wget http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-518-for-php5/adodb518a.tgz/download -O adodb518.tgz
tar -xvzf adodb518.tgz
sudo mv adodb5 /var/adodb
Now we can download and install BASE 1.4.5:
cd ~/snort_src
wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
tar -zxvf base-1.4.5.tar.gz
Here we run into a difference between Ubuntu 12 and 13 versus 14. Ubuntu 12 and 13 use Apache 2.2, while Ubuntu 14 uses Apache 2.4. The difference affects where you copy BASE to, and where the configuration file is stored.
For Ubuntu 12 and 13:
sudo mv base-1.4.5 /var/www/base/
cd /var/www/base
sudo cp base_conf.php.dist base_conf.php
sudo chown -R www-data:www-data /var/www/base
sudo chmod o-r /var/www/base/base_conf.php
sudo vi /var/www/base/base_conf.php
For Ubuntu 14:
sudo mv base-1.4.5 /var/www/html/base/
cd /var/www/html/base
sudo cp base_conf.php.dist base_conf.php
sudo chown -R www-data:www-data /var/www/html/base
sudo chmod o-r /var/www/html/base/base_conf.php
sudo vi /var/www/html/base/base_conf.php
Now for both systems, make the following edits to base_conf.php:
$BASE_urlpath = '/base'; # line 50
$DBlib_path = '/var/adodb/'; # line 80
$alert_dbname = 'snort'; # line 102
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'MYSQLSNORTPASSWORD'; # line 106
Now we need to restart Apache:
sudo service apache2 restart
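Before opening the web interface, it is worth confirming the file-system side of the install: base_conf.php holds the MySQL password for the snort account, so it must not be world-readable, must still be owned by www-data, must no longer contain the MYSQLSNORTPASSWORD placeholder, and must point DBlib_path at the unpacked ADODB tree. The following POSIX shell check does exactly that; it is an added example, not part of the original guide, and assumes GNU stat (as on Ubuntu) and the single-quoted PHP assignments shown above. The script name check_base.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check a BASE install.
# Assumes GNU/Linux 'stat -c' and that base_conf.php uses single-quoted
# PHP string assignments, as the guide's edits do.

# php_value FILE NAME: print the single-quoted value assigned to $NAME in FILE.
php_value() {
    awk -F"'" -v key="[\$]$2" \
        '$1 ~ ("^[ \t]*" key "[ \t]*=") { print $2; exit }' "$1"
}

# check_base_conf CONFIG [EXPECTED_OWNER]: return 0 if CONFIG looks safe to
# serve, 1 otherwise (each problem is printed as a FAIL line).
check_base_conf() {
    conf="$1"; owner="${2:-}"; rc=0
    if [ ! -f "$conf" ]; then
        echo "FAIL: $conf does not exist"
        return 1
    fi
    # The file holds the MySQL password for the snort account, so the
    # guide's 'chmod o-r' must have cleared the world-readable bit.
    mode=$(stat -c %a "$conf")
    if [ $(( (mode % 10) & 4 )) -ne 0 ]; then
        echo "FAIL: $conf is world-readable (mode $mode)"
        rc=1
    fi
    if [ -n "$owner" ] && [ "$(stat -c %U "$conf")" != "$owner" ]; then
        echo "FAIL: $conf is not owned by $owner"
        rc=1
    fi
    # The placeholder from the guide must have been replaced with a real password.
    case "$(php_value "$conf" alert_password)" in
        ""|MYSQLSNORTPASSWORD)
            echo "FAIL: alert_password is empty or still the placeholder"
            rc=1 ;;
    esac
    # DBlib_path must point at the unpacked ADODB tree (adodb.inc.php inside).
    dblib=$(php_value "$conf" DBlib_path)
    if [ ! -f "${dblib%/}/adodb.inc.php" ]; then
        echo "FAIL: DBlib_path '$dblib' does not contain adodb.inc.php"
        rc=1
    fi
    return "$rc"
}

# Stand-alone use: sh check_base.sh /var/www/html/base/base_conf.php www-data
if [ "$#" -ge 1 ]; then
    check_base_conf "$1" "${2:-www-data}"
fi
```

On Ubuntu 12 and 13 pass /var/www/base/base_conf.php instead; a clean run prints nothing and exits 0.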
The last step in configuring BASE is done through its web interface:
- Browse to http://ServerIP/base/index.php and click on “setup page” link (replace ServerIP with the IP of your Snort Server).
- Click on “Create BASE AG” button on the upper right of the page
- Click on the “Main page” line
Congratulations: if you see the ICMP events in the BASE web page, you have successfully set up BASE. Continue to the next section, Creating Startup Scripts for Snort and Barnyard2.