Snort 2.9.9.x on Ubuntu – Part 7: Installing BASE
- Installing Snort
- Configuring Snort to Run as a NIDS
- Writing and Testing a Single Rule With Snort
- Installing Barnyard2
- Installing PulledPork
- Creating Upstart Scripts for Snort on Ubuntu 14
- Creating systemD Scripts for Snort on Ubuntu 16
- Installing BASE
Installing BASE On Ubuntu
BASE is a simple web GUI for Snort. Alternate products include Snorby, Splunk, Sguil, AlienVault OSSIM, and any syslog server.
Splunk is a fantastic product, great for ingesting, collating, and parsing large data sets. Splunk is free to use (limited to 500 MB of data per day, which is a lot for a small shop). The Sguil client is an application written in Tcl/Tk. Snorby is abandoned and relies on old versions of many Ruby packages, which makes documenting the installation difficult and a constantly moving target.
I've chosen to use BASE in this guide because it's simple to set up, simple to use, and works well for what it does. Both BASE and Snorby are abandoned projects. While Snorby gives a nice web-2.0 interface, it is written in Ruby on Rails, and the Ruby packages it relies on are constantly upgrading, which causes compatibility issues with other required Snorby packages and too many installation problems. If you want to try installing Snorby, please see these unsupported, out-of-date guides for Ubuntu 14 or Ubuntu 16.
There is a slight difference between BASE on Ubuntu 14 versus 16: BASE requires PHP 5, which isn't available in the Ubuntu 16 archives (Ubuntu has moved on to PHP 7 in this release), so we have to use a PPA on Ubuntu 16 to install the PHP 5 packages:
    # Ubuntu 16 only:
    sudo add-apt-repository ppa:ondrej/php
    sudo apt-get update
    sudo apt-get install -y apache2 libapache2-mod-php5.6 php5.6-mysql php5.6-cli php5.6 php5.6-common php5.6-gd php-pear php5.6-xml
On Ubuntu 14, we can just install the necessary libraries:
    # Ubuntu 14 only:
    sudo apt-get install -y apache2 libapache2-mod-php5 php5 php5-mysql php5-common php5-gd php5-cli php-pear
Next, install the PEAR Image_Graph package:
    sudo pear install -f --alldeps Image_Graph
Download and install ADODB:
    cd ~/snort_src
    wget https://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-520-for-php5/adodb-5.20.8.tar.gz
    tar -xvzf adodb-5.20.8.tar.gz
    sudo mv adodb5 /var/adodb
    sudo chmod -R 755 /var/adodb
Download BASE and move it into the Apache document root:
    cd ~/snort_src
    wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
    tar xzvf base-1.4.5.tar.gz
    sudo mv base-1.4.5 /var/www/html/base/
Create the BASE configuration file:
    cd /var/www/html/base
    sudo cp base_conf.php.dist base_conf.php
Now edit the config file:
    sudo vi /var/www/html/base/base_conf.php
with the following settings (note that the trailing slash on line 80 is required, despite the instructions in the configuration file):
    $BASE_urlpath = '/base';                    # line 50
    $DBlib_path = '/var/adodb/';                # line 80
    $alert_dbname = 'snort';                    # line 102
    $alert_host = 'localhost';
    $alert_port = '';
    $alert_user = 'snort';
    $alert_password = 'MySqlSNORTpassword';     # line 106
While in the base_conf.php file, you will also want to comment out line 457 (we don't want the DejaVuSans font) and un-comment line 459 (remove the two leading slashes, `//`), enabling a blank font. The font section (beginning at line 456) should look like this:
    //$graph_font_name = "Verdana";
    //$graph_font_name = "DejaVuSans";
    //$graph_font_name = "Image_Graph_Font";
    $graph_font_name = "";
Set permissions on the BASE folder, and since the database password is stored in base_conf.php, prevent other users from reading that file:
    sudo chown -R www-data:www-data /var/www/html/base
    sudo chmod o-r /var/www/html/base/base_conf.php
    sudo service apache2 restart
The last step to configure BASE is done through the web interface:
- Browse to http://ServerIP/base/index.php and click on the setup page link (replace ServerIP with the IP of your Snort Server).
- Click on the Create BASE AG button on the upper right of the page.
- Click on the Main page link.
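Before the web setup, it is worth checking that base_conf.php really carries the edits above, since a missing trailing slash on $DBlib_path or a still-active DejaVuSans line are the usual reasons the setup page fails. The following shell check is an added example, not part of the original guide; it assumes a POSIX shell with grep and GNU stat, and the sample config it tests is constructed here.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check a BASE base_conf.php
# against the edits this page asks for. Assumes a POSIX shell, grep, and GNU stat.

check_base_conf() {
    conf="$1"
    rc=0

    # 1. The file holds the snort DB password, so "other" must not be able to
    #    read it (the guide runs: sudo chmod o-r base_conf.php).
    mode=$(stat -c '%a' "$conf")
    other=$(printf '%s' "$mode" | tail -c 1)
    if [ $(( $other & 4 )) -ne 0 ]; then
        echo "FAIL: $conf is world-readable (mode $mode)"; rc=1
    fi

    # 2. $DBlib_path must keep its trailing slash (line 80 in the guide).
    if ! grep -Eq "^[\$]DBlib_path *= *'.*/' *;" "$conf"; then
        echo "FAIL: \$DBlib_path lacks the required trailing slash"; rc=1
    fi

    # 3. Exactly one active $graph_font_name line, and it must be "" (lines 456-459).
    active=$(grep -Ec '^[$]graph_font_name' "$conf" || true)
    if [ "$active" -ne 1 ] || ! grep -Eq '^[$]graph_font_name *= *"" *;' "$conf"; then
        echo "FAIL: \$graph_font_name must be \"\" with the other font lines commented out"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $conf matches the guide's settings"
    return "$rc"
}

# Constructed sample config (not a real install) to exercise the check.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
$BASE_urlpath = '/base';
$DBlib_path = '/var/adodb/';
$alert_dbname = 'snort';
//$graph_font_name = "Verdana";
//$graph_font_name = "DejaVuSans";
//$graph_font_name = "Image_Graph_Font";
$graph_font_name = "";
EOF
chmod 640 "$demo_conf"
check_base_conf "$demo_conf"
rm -f "$demo_conf"
```

On a real install, run it as `check_base_conf /var/www/html/base/base_conf.php` (with sudo, since the file is no longer world-readable).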
Note: If you read through the BASE configuration file, there are a number of other options you can enable if you like, such as SMTP email alerts, IP-address-to-country support, and user authentication.
Congratulations, if you’ve made it this far, you have a fully-functioning Snort system. Please continue on to the Conclusion for more things you can do with Snort.