When dealing with operational intrusion detection systems, there are many plug-ins and third-party tools to help security and network analysts make some sense of all the data Snort may be producing. Logging to a database like MySQL or to a central logging server like Syslog are both reasonable approaches to storing Snort output for analysis. To actually conduct that analysis, you can apply any number of tools, most of which work by accessing the Snort logs within a database and formatting, sorting, grouping, and/or reporting on the log data in order to make it more usable for analysis. Many popular security information and event management (SIEM) tools are designed to take in Snort alert data – either alone or, more commonly, in combination with log data from other tools and devices – and provide data visualization, aggregation, and analysis. These SIEM tools offer a lot of functionality but are often complex to set up and use (not to mention sometimes quite expensive). One popular open-source tool for viewing Snort data is the Basic Analysis and Security Engine (BASE), a PHP-based tool that retrieves data from a database like MySQL and formats it for presentation in a web browser. This instruction set focuses on BASE.
BASE itself is in many ways easier to install than the tools like Snort it is designed to work with. In contrast to compiled, executable programs like Snort, Wireshark, Apache HTTP Server, and MySQL, BASE is not a compiled program at all, but instead is written in the PHP scripting language and its instruction sets are therefore run by a web server such as Apache. This means that the primary task for setting up BASE is putting the PHP script files in the appropriate location on your computer where the web server can access them, and then adjusting some configuration settings to connect the dots between the web server and database. Because it is written in a platform-independent scripting language, it is also possible to install the same BASE package on either Windows or Linux platforms. While BASE is in many ways optimized for use with Snort, bear in mind that it is possible to get BASE running correctly whether or not Snort is running, or even installed. BASE does not communicate in any way with Snort, only with the logging database that stores Snort output. Despite this, most of the useful instructions you will find on the Web for installing BASE combine the steps for installing Snort and its dependent packages with installing BASE itself. If you already have Snort running (and particularly if you have already set it up with Barnyard2 to load Snort output data in MySQL) adding BASE to the mix is pretty straightforward.
Although BASE is relative easy to install, there are quite a few technical prerequisites for running BASE, only one of which is having a database like MySQL installed (we’ll assume the use of MySQL for the purposes of these instructions, but BASE supports quite a few other databases too). The key programs you will need to get BASE running include:
The page Getting and Installing Necessary Tools listed all the components necessary to move forward with installing BASE, taking advantage of the Synaptic package manager used in Ubuntu to install Apache2, PHP, and related software. These instructions presume that you have already installed Apache and PHP.
Now open a browser and type "http://127.0.0.1/test.php" in the address bar. If PHP is installed, you will see a series of tables showing its configuration information. If PHP is not installed, you will either see an error message, see the raw text of your test.php file, or see a prompt asking if you want to open or save the file. Please note: if you verified your install of Apache before you installed PHP, you need to stop and then re-start Apache using the command service apache2 restart so that the configuration changes made by the PHP installation process will be read by the program.