Intrusion Detection System Using SNORT & BASE (Basic Analysis and Security Engine)


Intrusion Detection System using SNORT & BASE (Basic Analysis and Security Engine)

Prepared By:
Tahira Farid
&
Anitha Prahladachar
Course: 60-564
Winter 2006

Outline

• Introduction to BASE
• IDS test-bed
• Installing and Configuring Necessary
Prerequisites
• Installing and Configuring BASE
• Generating Signatures
• Results
• Acknowledgments
• References

Introduction to BASE

• Basic Analysis and Security Engine
• Successor to ACID
• Developed by Danyliw at the CERT Coordination Center as part of the AirCERT (Automated Incident Reporting) project.
• Actively maintained and supported by a team of volunteers led by Kevin Johnson and Joel Esler.

Introduction to BASE (cont.)

• Provides a web front-end to query and analyze the alerts coming from a SNORT IDS system.
• Can search and process databases containing security events logged by SNORT.
• Written in PHP.
• Has the ability to graphically display both layer-3 and layer-4 packet information.

Introduction to BASE (cont.)

• Current version is BASE 1.2
• Current search interface can query based on
• Alert information
– Sensor
– Alert group
– Signature, classification & detection time
• Packet data information
– Source/destination addresses
– Ports
– Packet payload/flags

Introduction to BASE (cont.)

• Provides easy management of alert data
• Administrator can categorize data into alert groups, delete false positives or previously handled alerts.
• Export alert data to an email address for administrative notification.
• Support for user logins and roles, allowing an administrator to control what is seen through the web interface.

BASE vs. ACID

• ACID
– No longer maintained
– Hasn’t been updated for 3 years
• BASE
– BASE is actively updated and revised.
– Has 200 bug fixes in it.
– Faster at bringing pages up
– Provides more queries (i.e. today's unique alerts, last 24/72 hours alerts, etc.)

IDS test-bed

Host A (Source):
OS: Windows XP
Software: Ethereal, CommView

Host B (Destination):
OS: Fedora Core 4
Software: Snort, BASE, Ethereal, MySQL, PHP, Apache

Installing and Configuring Necessary Prerequisites

• In order for our IDS to function properly we install and configure the following components:
– MySQL
– Apache 2.2.0
– php-4.4.2
– httpd-2.2.0
– AdOdb460
– snort-2.4.3
– pcre-5.0
– PEAR Modules
– base-1.2

MySQL

• Two ways
– Download from www.mysql.com
– From the Fedora Core 4 installation CD:
Go to Desktop - System Settings - Add/Remove Programs - MySQL
Select the following components:
• MyODBC
• mod_auth_mysql
• mysql-devel
• mysql-server
• perl-DBD-MySQL
• php-mysql

Apache 2.2.0

• Download Apache httpd server version 2.2.0 from http://httpd.apache.org
• To install:
– ./configure
– make
– make install

PHP 4.4.2

• Download PHP 4.4.2 from http://www.php.net
• Extract the source code in “/usr/local/src”
• Configure command:
– ./configure --with-mysql --with-apxs2=/usr/local/apache2/bin/apxs --with-gd --with-zlib
• make
• make install

Configure php.conf

• In file /usr/local/apache2/conf/httpd.conf add the line
– Include conf.d/*.conf
• mkdir /usr/local/apache2/conf.d
• Create “php.conf” in “conf.d” containing:
– LoadModule php4_module modules/libphp4.so
– <Files *.php>
– SetOutputFilter PHP
– SetInputFilter PHP
– LimitRequestBody 9524288
– </Files>
– AddType application/x-httpd-php .php
– AddType application/x-httpd-php-source .phps
– DirectoryIndex index.php

ADOdb

• A performance-conscious database abstraction layer for PHP.
• BASE needs ADOdb to communicate with MySQL.
• Download adodb from http://unc.dl.sourceforge.net/sourceforge/adodb/adodb460.tgz
• Extract adodb in “/usr/local/apache2/htdocs”

SNORT

• Create a dir “snortinstall”
• Download & unpack from http://www.snort.org/dl/snort2.4.3.tar.gz
• Download & unpack from http://umn.dl.sourceforge.net/sourceforge/pcre/pcre-5.0.tar.gz
• To install SNORT:
– ./configure
– make
– make install
• To install PCRE (Perl Compatible Regular Expressions):
– ./configure
– make
– make install

Configuring SNORT

• groupadd snort
• useradd -g snort snort
• Create dirs:
– /etc/snort
– /etc/snort/rules
– /var/log/snort
• Copy dir ‘rules’ from dir ‘snort2.3.0’ to ‘/etc/snort/rules’

Configuring snort.conf

• var HOME_NET 10.2.2.0/32
• var EXTERNAL_NET !$HOME_NET
• var RULE_PATH /etc/snort/rules
• output database: log, mysql, user=snort password=snort dbname=snort host=localhost
• output database: alert, mysql, user=snort password=snort dbname=snort host=localhost

Setting up database in MySQL

• mysql
• SET PASSWORD FOR root@localhost = PASSWORD('passwd');
• CREATE DATABASE snort;
• SET PASSWORD FOR snort@localhost = PASSWORD('pwd in snort.conf');
• GRANT CREATE,INSERT,SELECT,DELETE,UPDATE ON snort.* TO snort@localhost;
• GRANT CREATE,INSERT,SELECT,DELETE,UPDATE ON snort.* TO snort;

To create tables

• mysql -u root -p < ~/snortinstall/snort-2.4.3/schemas/create_mysql snort
• Enter password: the MySQL root password

PEAR Modules

• PEAR - PHP Extension and Application Repository
• BASE documentation recommends PEAR installation.
Commands for installation:
• /usr/local/php/bin/pear install Image_Color
• /usr/local/php/bin/pear install Log
• /usr/local/php/bin/pear install Numbers_Roman
• /usr/local/php/bin/pear install http://pear.php.net/get/Numbers_Words-0.13.1.tgz
• /usr/local/php/bin/pear install http://pear.php.net/get/Image_Graph-0.3.0dev4.tgz

To start the ‘services’

• chkconfig httpd on
• chkconfig mysqld on
• service httpd start
• service mysqld start
• /usr/local/apache2/bin/apachectl -k start
• snort -dev -l /var/log/snort -h 137.207.234.73/32 -c /etc/snort/snort.conf

Configuring BASE

• Download BASE from http://sourceforge.net/project/showfiles.php?group_id=103348
• cp base-1.2.tar.gz /var/www/html/
• cd /var/www/html
• tar -xvzf base-1.2.tar.gz
• cd /var/www/html/base/
• cp base_conf.php.dist base_conf.php
• cd /
• cp -r /var/www/html/base-1.2 /usr/local/apache2/htdocs/

Configuring BASE (cont.)

• Edit the base_conf.php file in /usr/local/apache2/htdocs/
– $BASE_urlpath = "/base";
– $DBlib_path = "/usr/local/apache2/htdocs/adodb";
– $DBtype = "mysql";
– $alert_dbname = "snort";
– $alert_host = "localhost";
– $alert_port = "";
– $alert_user = "snort";
– $alert_password = "password_from_snort_conf";
– $archive_dbname = "snort";
– $archive_host = "localhost";
– $archive_port = "";
– $archive_user = "snort";
– $archive_password = "password_from_snort_conf";
– $ChartLib_path = "/var/www/html/jpgraph-1.20.3/src";
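Added example (not from the original slides): the database user and password are typed twice, once in snort.conf's "output database:" lines and once in base_conf.php, so this script cross-checks that the two agree and that base_conf.php, which stores the password in clear text, is not world-readable. The file paths and the sample contents are constructed here for illustration.

```shell
#!/bin/sh
# Added example: cross-check the credentials Snort logs with
# (snort.conf "output database:" lines) against those BASE reads
# (base_conf.php), and make sure the file holding the password is
# not world-readable. Paths and file contents below are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Constructed sample files mirroring the values from the slides.
cat > "$WORK/snort.conf" <<'EOF'
output database: log, mysql, user=snort password=snort dbname=snort host=localhost
output database: alert, mysql, user=snort password=snort dbname=snort host=localhost
EOF
cat > "$WORK/base_conf.php" <<'EOF'
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_user = "snort";
$alert_password = "snort";
EOF
chmod 644 "$WORK/base_conf.php"   # typical mode after cp: readable by everyone

# snort_db_value FILE KEY: value of KEY on the "alert" output line
snort_db_value() {
  grep '^output database: alert' "$1" | sed -n "s/.*$2 *= *\([^ ]*\).*/\1/p"
}
# base_value FILE VAR: value assigned to $VAR in base_conf.php
base_value() {
  sed -n "s/^\\\$$2 *= *\"\([^\"]*\)\".*/\1/p" "$1"
}
# check_creds SNORTCONF BASECONF: returns 0 only if all four fields agree
check_creds() {
  for pair in user:alert_user password:alert_password \
              dbname:alert_dbname host:alert_host; do
    k=${pair%%:*}; v=${pair#*:}
    [ "$(snort_db_value "$1" "$k")" = "$(base_value "$2" "$v")" ] \
      || { echo "mismatch in $k"; return 1; }
  done
}
# check_perms FILE: returns 1 if "other" can read the file
check_perms() {
  case $(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1") in
    *[4567]) echo "world-readable: $1"; return 1 ;;
  esac
}

check_creds "$WORK/snort.conf" "$WORK/base_conf.php" && echo "credentials match"
check_perms "$WORK/base_conf.php" || chmod 640 "$WORK/base_conf.php"
check_perms "$WORK/base_conf.php" && echo "base_conf.php permissions ok"
```

On the real test-bed, point the two paths at /etc/snort/snort.conf and the deployed base_conf.php; the group owning the file should be the one Apache runs as so that BASE can still read it.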

Configuring BASE (cont.)

• Open a web browser
• If the browser is on the localhost, type http://localhost/base
• If the browser is on another machine, type http://IP_Address/base to begin using the GUI to view and manage alerts.

Generating Signatures on Host A

[Screenshot: packet capture showing the Ethernet layer header]

Results

• Before sending signatures from Host A, run Snort on Host B
• In MySQL check: select * from signature;

Results (cont.)

• In a web browser: http://137.207.234.73/base

Results (cont.)

• Unique Alerts

Results (cont.)

• The different links located to the left of each signature attempt to connect to different signature databases to provide more detailed information about that particular signature.

Results (cont.)

• The Source/Destination IP link brings up a summary that includes:
– How many times that IP was logged as a source or destination
– First and last time that IP was logged
– Links to external web-based tools that provide DNS and Whois lookup services.

Results (cont.)

• The Source/Destination Ports link displays a summary of:
– Ports and number of occurrences
– Time first seen and time last seen
• Each listed port number is a hyperlink to the SANS Internet Storm Center (http://isc.sans.org) for that port number.

Results (cont.)

• Creating Alert Groups
• Group event information into user-defined categories for easy perusal.

Results (cont.)
• Specify signatures for different AGs

Results (cont.)
• Graph from Alert Data

Results (cont.)

• Graph from Alert Detection Time to identify periods of heavy activity

Results (cont.)

• The Search Function quickly searches through the database for certain criteria and presents the results in an ordered fashion.
• Allowable search criteria include Alert Group, Signature, and Alert Time.
• The results can be ordered by timestamp, signature, source IP, or destination IP.

Results (cont.)
• User and Role Management

Results (cont.)
• Email Alerts

Acknowledgements

• We would like to thank Dr. Aggarwal for giving us this opportunity to handle such an industry-standard-level project.
• We would also like to thank all other groups for giving us valuable suggestions throughout the project.

References

• www.snort.org
• www.sourceforge.net
• http://www.rootsecure.net/content/downloads/pdf/snort_install_guide_fedora4.pdf
• http://www.sun.com/bigadmin/features/articles/snort_base.html

Thank You!!!!
Demo in Room 3144
Questions?

Tahira Farid (farid1@uwindsor.ca)
Anitha Prahladachar (chikker@uwindsor.ca)
