Cheap VPS & Xen Server


Residential Proxy Network - Hourly & Monthly Packages

Intrusion Detection With BASE And Snort


This tutorial shows how to install and configure BASE (Basic Analysis and Security Engine) and the Snort intrusion detection system (IDS) on a Debian Sarge system. BASE provides a web front-end to query and analyze the alerts coming from a Snort IDS system. With BASE you can perform analysis of intrusions that Snort has detected on your network.

Scenario: A linux server running Debian Sarge 3.1 setup according to Falko’s – The Perfect Setup – Debian Sarge (3.1).
Let’s assume we have one working website (www.example.com) and that the document root is: /var/www/www.example.com/web
The IP of the server is 192.168.0.5 and it’s using eth0 as network interface name.

Needed programs and files

  • Snort
  • Snort rules
  • PCRE (Perl Compatible Regular Expressions)
  • LIBPCAP
  • BASE (Basic Analysis and Security Engine)
  • ADOdb (ADOdb Database Abstraction Library for PHP (and Python).)

Downloading and untaring

We need a temporary place for all the files that we are going to download, and untar.
To keep things simple we will create a directory in the /root named snorttemp. (It’s obvious that this download directory can be any name and in anyplace)

cd /root
mkdir snorttemp
cd snorttemp

Now you need to get Snort.
The latest version at the time of writing this is 2.6.0

wget http://www.snort.org/dl/current/snort-2.6.0.tar.gz

When the download is finished untar the file:

tar -xvzf snort-2.6.0.tar.gz

And let’s remove the tar file:

rm snort-2.6.0.tar.gz

We also need the Snort rules!
Go to: http://www.snort.org/pub-bin/downloads.cgi and scroll down till you see the “Sourcefire VRT Certified Rules – The Official Snort Ruleset (unregistered user release)” rules
(If you are a member of the forum you can also download the – registered user release):

wget http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz

Move the snortrules-pr-2.4.tar.gz into the snort-2.6.0 map:

mv snortrules-pr-2.4.tar.gz /root/snorttemp/snort-2.6.0

and cd into snort-2.6.0:

cd snort-2.6.0

Untar the snortrules-pr-2.4.tar.gz file:

tar -xvzf snortrules-pr-2.4.tar.gz

Remove the tar file:

rm snortrules-pr-2.4.tar.gz

We are done downloading the files needed to get Snort to work.

To make snort work with BASE, we need more!

PCRE – Perl Compatible Regular Expressions.

Go to: http://www.pcre.org/ and select a download link for the pcre-6.3tar.gz file to download PCRE (at time of writing this it is pcre-6.3.tar.gz)
cd back to the snorttemp map:

cd /root/snorttemp

and download the pcre-6.3.tar.gz file:

wget http://surfnet.dl.sourceforge.net/sourceforge/pcre/pcre-6.3.tar.gz

Untar the file:

tar -xvzf pcre-6.3.tar.gz

Remove the tar:

rm pcre-6.3.tar.gz

LIBPCAP

Go to: http://www.tcpdump.org/ and select a download link for Libpcap (at time of writing this it is libpcap-0.9.4.tar.gz)
cd back to the snorttemp map:

cd /root/snorttemp

and download the libpcap-0.9.4.tar.gz file:

wget http://www.tcpdump.org/release/libpcap-0.9.4.tar.gz

Untar the file:

tar -xvzf libpcap-0.9.4.tar.gz

Remove the file:

rm libpcap-0.9.4.tar.gz

BASE (Basic Analysis and Security Engine )

Go to: http://secureideas.sourceforge.net/ and download the latest release (at time of writing BASE 1.2.5 (sarah))
cd back to the snorttemp map:

cd /root/snorttemp

and download the base-1.2.5.tar.gz file:

wget http://surfnet.dl.sourceforge.net/sourceforge/secureideas/base-1.2.5.tar.gz

Untar the file:

tar -xvzf base-1.2.5.tar.gz

Remove the file:

rm base-1.2.5.tar.gz

ADOdb: (ADOdb Database Abstraction Library for PHP (and Python).)

Go to: http://adodb.sourceforge.net/ and download the latest release (at time of writing adodb-490-for-php)
cd back to the snorttemp map:

cd /root/snorttemp

and download the adodb490.tgz file:

wget http://surfnet.dl.sourceforge.net/sourceforge/adodb/adodb490.tgz

Untar the file:

tar -xvzf adodb490.tgz

Remove the file:

rm adodb490.tgz

ls should now show the following directorys in /root/snorttemp:
adodb, base-1.2.5, libpcap-0.9.4, pcre-6.3 and snort-2.6.0

ls

Installing

Lets start with: LIBPCAP.
Make sure that you are in the directory that you downloaded all files.

cd /root/snorttemp

cd into the libcap map:

cd libpcap-0.9.4

and make / install LIBPCAP:

./configure
make
make install

Next is PCRE.
Again, make sure that you are in the directory that you downloaded all files.

cd /root/snorttemp

cd into the PCRE map:

cd pcre-6.3

and make / install pce-6.3

./configure
make
make install

Now it time for Snort:
Make sure that you are in the directory that you downloaded all files.

cd /root/snorttemp

cd into the snort map:

cd snort-2.6.0

and make / install Snort with some extra needed options!

./configure –enable-dynamicplugin –with-mysql
make
make install

Snort needs some maps, so let’s create them:

mkdir /etc/snort
mkdir /etc/snort/rules
mkdir /var/log/snort

Moving the Snort files from the installation map to the just created maps.
Make sure that you are in the directory that you downloaded all files.

cd /root/snorttemp
and cd into snort-2.6.0:

cd snort-2.6.0
and into the rules

cd rules
now we copy all files from the /rules into /etc/snort/rules

cp * /etc/snort/rules
We will do the same for the files in the install /etc folder:

cd ../etc
cp * /etc/snort
Fixing the snort.conf

The /etc/snort/snort.conf needs some tuning to get it to work on your system!
So cd into /etc/snort:

cd /etc/snort
and open snort.conf with nano (or any other ‘text’ editor)

nano snort.conf

change “var HOME_NET any” to “var HOME_NET 192.168.0.5/32”
change “var EXTERNAL_NET any” to “var EXTERNAL_NET !$HOME_NET”
change “var RULE_PATH ../rules” to “var RULE_PATH /etc/snort/rules”

As we made snort with the ‘–with-mysql’ option and as BASE needs it, we also need to tell Snort what database to use.
Scroll down till you see “# output database”, and remove the # in front of the line for the MySQL.
Now also change the “user”, “password” and “dbname”. hint Make a note of this as you will need it later!
Save the file and close ‘nano’
Setting up the MySQL Database for Snort.

There are many ways to create the snort database.
The table layout can be found in the file create_mysql in the /root/snorttemp/snort-2.6.0/schemas directory.
Whichever way you create the database, make sure the ‘user’, ‘password’ and ‘dbame’ are the same as the one you set in the /etc/snort/snort.conf file!

After creating you can test snort and see if you get any errors with:

snort -c /etc/snort/snort.conf

Exit the test with Ctrl+C

If you get no error’s Snort is setup correct.
Moving ADOdb and BASE

Moving ADOdb:
cd back to the download dir

cd /root/snorttemp/

and move adodb it to the root of the www map:

mv adodb /var/www

Next: BASE (Basic Analysis and Security Engine )
Still in the download dir, we move the base dir into the 1st website map that you create with ISPconfig.

mv base-1.2.5 /var/www/www.example.com/web

and cd into /var/www/www.example.com/web

cd /var/www/www.example.com/web

To enable BASE to write the setup file we need to chmod the base-1.2.5 folder to 757:

chmod 757 base-1.2.5

BASE web page setup

Open your favorite web browser and go to: http://www.example.com/base-1.2.5/setup
If all is setup okay you should see the BASE Setup Program page:

base0

Click on Continue

step 1 of 5:
Enter the path to ADODB (/var/www/adodb):

base1

click on Submit Query

step 2 of 5:
Enter the needed info on the next screen: (leave the Use Archive Database as is):

base2

click on Submit Query

step 3 of 5:
If you want to Use Authentication for the Base page you can do so here:

base3

click on Submit Query

step 4 of 5:
Click on Create BASE AG to create the database.

base4a

and after Create BASE AG

base4b

Once done, click on Now continue to step 5…

base5

To make the Graph’s from BASE work you will also need to install Image_Color, Image_Canvas and Image_Graph.
To do this do:

pear install Image_Color
pear install Image_Canvas-alpha
pear install Image_Graph-alpha

That it for BASE!

If you want you can chmod the base-1.2.5 dir back to 775:

chmod 775 base-1.2.5

You can also delete the snorttemp directory, and all the files in it.

Starting Snort

To start SNORT and make BASE show you the Snort’s logged info, you will need to run:

/usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -g root -D

Now wait some time and see all the Snort alerts show up in BASE.

alerts

 

 

Comments

comments