Prerequisites to Installing BASE

When dealing with operational intrusion detection systems, there are many plug-ins and third-party tools to help security and network analysts make some sense of all the data Snort may be producing. Logging to a database like MySQL or to a central logging server like Syslog are both reasonable approaches to storing Snort output for analysis. To actually conduct that analysis, you can apply any number of tools, most of which work by accessing the Snort logs within a database and formatting, sorting, grouping, and/or reporting on the log data in order to make it more usable for analysis. Many popular security information and event management (SIEM) tools are designed to take in Snort alert data – either alone or, more commonly, in combination with log data from other tools and devices – and provide data visualization, aggregation, and analysis. These SIEM tools offer a lot of functionality but are often complex to set up and use (not to mention sometimes quite expensive). One popular open-source tool for viewing Snort data is the Basic Analysis and Security Engine (BASE), a PHP-based tool that retrieves data from a database like MySQL and formats it for presentation in a web browser. This instruction set focuses on BASE.

BASE itself is in many ways easier to install than the tools like Snort it is designed to work with. In contrast to compiled, executable programs like Snort, Wireshark, Apache HTTP Server, and MySQL, BASE is not a compiled program at all; it is written in the PHP scripting language, and its scripts are therefore executed by a web server such as Apache. This means that the primary task in setting up BASE is putting the PHP script files in the appropriate location on your computer where the web server can access them, and then adjusting some configuration settings to connect the web server to the database. Because it is written in a platform-independent scripting language, the same BASE package can be installed on either Windows or Linux. While BASE is in many ways optimized for use with Snort, bear in mind that BASE can run correctly whether or not Snort is running, or even installed: BASE does not communicate with Snort at all, only with the logging database that stores Snort output. Despite this, most of the useful instructions you will find on the Web for installing BASE combine the steps for installing Snort and its dependent packages with installing BASE itself. If you already have Snort running (and particularly if you have already set it up with Barnyard2 to load Snort output data into MySQL), adding BASE to the mix is pretty straightforward.

Although BASE is relatively easy to install, there are quite a few technical prerequisites for running it, only one of which is having a database like MySQL installed (we'll assume the use of MySQL for the purposes of these instructions, but BASE supports quite a few other databases too). The key programs you will need to get BASE running include:

  • A web server capable of running PHP, which for our purposes will be Apache HTTP Server.
  • A PHP language interpreter for your web server of choice, typically installed as a module or plug-in to the web server.
  • The ADOdb database abstraction library for PHP. The point of using a database abstraction layer is that the front-end application (BASE in this case) can be written in a manner independent of the underlying database, rather than having to customize the program for different types of databases.
  • The appropriate table structure set up within the database, as well as a username with full privileges to that tablespace that BASE can use to access the database. If you have loaded the Snort logging schema for MySQL, the first time you configure and run BASE it will prompt you and then add the BASE-specific tables it needs to the tablespace of the Snort database.

The page Getting and Installing Necessary Tools listed all the components necessary to move forward with installing BASE, taking advantage of the Synaptic package manager used in Ubuntu to install Apache2, PHP, and related software. These instructions presume that you have already installed Apache and PHP.

  1. Locate the default directory for web pages on the computer where you have Apache installed. On most Linux distributions this location is /var/www, but on Ubuntu 14.04 it is /var/www/html. You can also specify an alternate location in the Apache configuration file if you choose not to use the default.
  2. Verify that Apache is running. If you need to start it up, you can start the web server with the command service apache2 start. The easiest way to check whether Apache is running is to open a browser (like Firefox in Ubuntu Linux) and load the localhost address http://127.0.0.1/. If you see a web page with the title "Apache 2 Ubuntu Default Page", then you know Apache has been installed correctly and is currently running.
  3. Verify that PHP is installed. Create a new text file using nano or another editor with the following contents and save it as "test.php" in your default web directory (/var/www/html):

    <?php
    // Render PHP's configuration page; if this text appears verbatim in the
    // browser, Apache is serving the file without passing it through PHP.
    phpinfo();
    ?>

Now open a browser and type "http://127.0.0.1/test.php" in the address bar. If PHP is installed, you will see a series of tables showing its configuration information. If PHP is not installed, you will either see an error message, see the raw text of your test.php file, or see a prompt asking whether you want to open or save the file. Please note: if you verified your install of Apache before you installed PHP, you need to stop and then restart Apache using the command service apache2 restart so that Apache picks up the configuration changes made by the PHP installation process.
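The three verification steps above can be run as one pre-flight script rather than by hand in a browser. The script below is an added example, not part of these instructions or of the BASE project; it assumes the Ubuntu 14.04 web root (/var/www/html), the ADOdb path used by Ubuntu's libphp-adodb package (/usr/share/php/adodb), curl being available, and the file name base_prereq_check.sh. The two classify_* functions look at the body returned for http://127.0.0.1/ and http://127.0.0.1/test.php and report the same three outcomes the text describes: the Ubuntu default page (Apache up), a rendered phpinfo() page (PHP working), or the raw PHP source (PHP module missing or Apache not restarted).

```shell
#!/bin/sh
# base_prereq_check.sh: pre-flight check for the BASE prerequisites.
# Added example; hypothetical paths and names, not from the original page.

WEB_ROOT="${WEB_ROOT:-/var/www/html}"           # Ubuntu 14.04 default; /var/www on many other distributions
ADODB_DIR="${ADODB_DIR:-/usr/share/php/adodb}"  # assumed location of the ADOdb library
BASE_URL="${BASE_URL:-http://127.0.0.1}"

# Classify the body returned for "$BASE_URL/":
#   apache-default -> the Ubuntu default page, so Apache is installed and running
#   other          -> something answered, but not the default page (custom DocumentRoot?)
#   none           -> empty body, nothing is listening
classify_apache_body() {
    body="$1"
    [ -n "$body" ] || { echo none; return 0; }
    case "$body" in
        *"Ubuntu Default Page"*) echo apache-default ;;
        *) echo other ;;
    esac
}

# Classify the body returned for "$BASE_URL/test.php":
#   php-raw   -> the PHP source came back verbatim: PHP is not being interpreted
#                (module missing, or Apache not restarted after installing PHP)
#   php-ok    -> phpinfo() executed and rendered its configuration tables
#   php-error -> anything else (404, error page, empty body)
classify_php_body() {
    body="$1"
    case "$body" in
        *"<?php"*) echo php-raw ;;
        *"PHP Version"*) echo php-ok ;;
        *) echo php-error ;;
    esac
}

# Fetch a URL body, or print nothing if the server does not answer within 5 s.
fetch_body() {
    curl -s -m 5 "$1" 2>/dev/null || true
}

# Local filesystem prerequisites; prints one line per item, returns the number missing.
check_local_files() {
    missing=0
    if [ -d "$WEB_ROOT" ]; then echo "ok      web root $WEB_ROOT"
    else echo "MISSING web root $WEB_ROOT (set WEB_ROOT or check DocumentRoot)"; missing=$((missing + 1)); fi
    if [ -f "$ADODB_DIR/adodb.inc.php" ]; then echo "ok      ADOdb at $ADODB_DIR"
    else echo "MISSING ADOdb ($ADODB_DIR/adodb.inc.php)"; missing=$((missing + 1)); fi
    if command -v mysql >/dev/null 2>&1; then echo "ok      mysql client"
    else echo "MISSING mysql client"; missing=$((missing + 1)); fi
    return $missing
}

main() {
    echo "== Apache: $(classify_apache_body "$(fetch_body "$BASE_URL/")")"
    echo "== PHP:    $(classify_php_body "$(fetch_body "$BASE_URL/test.php")")"
    check_local_files || echo "== $? local prerequisite(s) missing"
    echo "Reminder: delete $WEB_ROOT/test.php once the PHP check passes;"
    echo "phpinfo() discloses build, module and path details to anyone who can reach the server."
}

# Run the checks only when executed under the assumed file name.
case "${0##*/}" in
    base_prereq_check.sh) main ;;
esac
```

Save it as base_prereq_check.sh and run it with sh on the Snort host after installing Apache and PHP; a "php-raw" result means Apache is serving the script as plain text, which is both the failure described above and a reason to remove test.php before the web root holds anything sensitive.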