Installing BASE

The process of installing BASE is simple – retrieve the archive files for both BASE and ADOdb, extract the files into temporary directories, and then move the files to where they need to be in relation to the default web directory on your computer. You can use a web browser like Firefox on Ubuntu to download these packages from the Sourceforge website, or retrieve them from the command line using wget.

  1. Download BASE version 1.4.5 at http://sourceforge.net/project/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz/download OR # wget http://sourceforge.net/projects/secureideas/files/BASE/base-1.4.5/base-1.4.5.tar.gz
  2. Download ADOdb version 5.20.9 at http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-520-for-php5/adodb-5.20.9.tar.gz/download OR # wget http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-520-for-php5/adodb-5.20.9.tar.gz/download
  3. Extract the BASE archive package: # tar -xzvf base-1.4.5.tar.gz
  4. Extract the ADOdb archive package: # tar -xzvf adodb-5.20.9.tar.gz
  5. Move or copy the entire “adodb5” directory and all its subfolders under the web server directory (that is, it will become /var/www/adodb5): # cp -r adodb5 /var/www
  6. Make sure that BASE will be able to read and execute php code in the ADOdb5 directory with the following command: # chmod 755 /var/www/adodb5
  7. Move the entire “base-1.4.5” directory into the default web server directory (you might want to rename it just “base” so after you move it you will have /var/www/html/base): # cp -r base-1.4.5 /var/www/html/base
  8. Switch to the base directory: # cd /var/www/html/base
  9. In the base directory, you will find a file called “base_conf.php.dist“. Copy or rename that file to “base_conf.php” and open the file with nano or another editor to edit it. This is the BASE configuration file. This file is helpfully self-documented, so scroll through and make the following edits:
    • Where you see the line “$BASE_urlpath = ”;” fill in the relative path to the base directory. If you put base directly under /var/www/html then the value to put between the single quotes is ‘/base’
    • Where you see the line “$DBlib_path = ”;” fill in the full path to the adodb directory (i.e., ‘/var/www/adodb5’ using these instructions so far)
    • Confirm that the database type is set correctly in the line “$DBtype = ‘mysql’;
    • Where you see the “Alert DB connection parameters” fill in the appropriate connection information for your installation of MySQL. If you followed the instructions for configuring MySQL on the page Setting Up MySQL, then typically “$alert_dbname” will be ‘snort’; “$alert_host” will be ‘localhost’; “$alert_port” will be ‘3306’; “$alert_user” will be ‘snort’; and “$alert_password” will be ‘snortpass’.
  10. Save the base_conf.php file.
  11. Open a browser and open http://127.0.0.1/base/base_main.php. This will cause the base_conf script to be loaded, and you will be prompted for any further action that is required (and notified if there is a problem, such as with logging into MySQL using the parameters you put in the conf file). Most often, BASE will tell you that additional tables need to be created in the Snort database; if you accept the recommendation the changes will be made for you. Most commonly, you will see the message “The underlying database snort@localhost appears to be incomplete/invalid.” The page you see will suggest using the BASE Setup page to add the structural elements to the Snort table needed to run BASE. Click on “Setup page“.
  12. On the BASE setup page, you should see an operation listed to add tables to extend the Snort DB to support BASE functionality. Click on the “Create BASE AG” button at the right of the screen.
  13. You should see a series of success messages, after which you can go back to http://127.0.0.1/base/base_main.php to open the default view in BASE.

The main page in BASE will not show any alert activity unless you first run Snort and generate some alerts with output directed to Barnyard2, which in turn populates the MySQL database. If Snort is not running (and if you haven’t previously run it with alerts to populate the Snort log database) all the statistics will be at zero. At this point you can start up Snort and generate some alerts while monitoring the activity in BASE. If you created the testing alert rules as instructed in “Generating Alerts” then you can use those rules to put some data in the MySQL Snort tables and view the results in BASE. If you are logging to unified output and using Barnyard to get the alert data into MySQL, then you need to get Barnyard up and running before you start Snort. Use the instructions at the end of the page “Setting Up Barnyard2” .

Recall that to get Snort to send unified2 output as configured in the snort.conf file, your startup command for Snort must not use the -A switch (such as -A fast or -A console) as this command option seems to override the output settings in snort.conf (this is counter to Snort documentation, but through direct experience this is the way Snort works).

  1. Open a command shell by searching for and selecting Terminal from the Dash Home in the Ubuntu desktop.
  2. Login as root using sudo su
  3. Navigate to the directory where Snort is installed: # cd /usr/local/bin
  4. Start Snort: # snort -c /etc/snort/snort.conf
  5. Open another terminal session, leaving Snort running in the first.
  6. Send a ping command to your local gateway (or any other host): $ ping 192.168.0.1 (substitute your router’s actual address here if it’s different)
  7. Press Ctrl-C to stop the ping process
  8. Open Firefox and browse to any web page
  9. Enter the BASE main page in the browser: http://127.0.0.1/base/base_main.php
  10. You should see information on the BASE screen indicating multiple alerts and TCP, UDP, and ICMP protocols represented in the traffic profile. As noted previously, you don’t usually need to take special action to cause UDP traffic to appear on a network, but if you don’t see any, you can run a traceroute from the command line, as the traceroute program on Linux uses UDP by default.