Jan. 23, 2011, 3:05 a.m.
posted by unixgeek
Keep Track of Alerts
Use BASE to make sense of your IDS logs.
Once you have set up Snort to log information to your database [Hack #106], you might find it hard to cope with all the data that it generates. Very busy and high-profile sites can generate a huge number of Snort warnings that eventually need to be followed up on. One way to alleviate the problem is to install the Basic Analysis and Security Engine (BASE).
BASE (http://secureideas.sourceforge.net) is a web-based interface to Snort alert databases. It features the ability to search for alerts based on a variety of criteria, such as alert signature, time of detection, source and destination addresses and ports, as well as payload or flag values. BASE can display the packets that triggered the alerts and can decode their layer-3 and layer-4 information.
BASE also contains alert-management features that allow you to group alerts related to a specific incident, delete acknowledged or false-positive alerts, email alerts, or archive them to another database. It also provides many different statistics on the alerts in your database based on time, the sensor they were generated by, signature, and packet-related statistics such as protocol, address, or port.
To install BASE, you'll first need a web server and a working installation of PHP (e.g., Apache and mod_php), as well as a Snort installation that has been configured to log to a database (e.g., MySQL). You will also need a couple of PHP code libraries: ADODB (http://adodb.sourceforge.net) for database abstraction and PEAR::Image_Graph (http://pear.veggerby.dk) for graphics rendering.
After you have downloaded ADODB, unpack it into a suitable directory. You'll then need to install Image_Graph. Download the Image_Graph package and its dependencies, Image_Color and Image_Canvas, and then run the following commands:
# pear install Image_Color-1.0.2.tgz install ok: Image_Color 1.0.2 # pear install Image_Canvas-0.3.0.tgz install ok: Image_Canvas 0.3.0 # pear install Image_Graph-0.7.2.tgz Optional dependencies: package \QNumbers_Roman' is recommended to utilize some features. package \QNumbers_Words' is recommended to utilize some features. install ok: Image_Graph 0.7.2
Next, unpack BASE and rename the directory that was created (e.g., base-1.2.4) to base. Then, change to the directory and copy the base_conf.php.dist file to base_conf.php. Now, edit that file to tell BASE where to find ADODB, as well as how to connect to your Snort database.
You can do this by changing these variables to similar values that fit your situation:
$DBlib_path = "../..adodb"; $DBtype = "mysql"; $alert_dbname = "SNORT"; $alert_host = "localhost"; $alert_port = ""; $alert_user="snort"; $alert_password = "snortpass";
This configuration tells BASE to look for the ADODB code in the adodb directory one level above the base directory. In addition, it tells BASE to connect to a MySQL database called SNORT that is running on the local machine, using the user snort with the password snortpass. Since it is connecting to a MySQL server on the local machine, there is no need to specify a port number. If you want to connect to a database running on another system, you should specify 3389, which is the default port used by MySQL.
Additionally, you can configure an archive database for BASE using variables that are similar to the ones used to configure the alert database. You'll need to set the following variables to use BASE's archiving features:
$archive_dbname $archive_host $archive_port $archive_user $archive_password
You'll also need to set $archive_exists to 1.
Congratulations! You're finished mucking about in configuration files for the time being. Now, open a web browser and go to the URL that corresponds to the directory where you unpacked BASE. You should be greeted with the database setup page shown in Figure.
The BASE database setup page
Before you can use BASE, you must tell it to create some database tables for its own use. To do this, click the Create BASE AG button. You should see a screen confirming that the tables were created. In addition, you can have BASE create indexes for your events table if this was not done before. Indexes will greatly speed up queries as your events table grows, at the expense of using a little more disk space.
Once you are done with the setup screen, click the Home link to go to the main BASE page, shown in Figure.
The BASE home page
BASE has a fairly intuitive user interface. The main table provides plenty of links to display many useful views of the database at a glance, such as lists of the source or destination IP addresses or ports associated with the alerts in your database.