Introduction

Snort is what is called an IDS (Intrusion Detection System), and more specifically a passive NIDS (Network Intrusion Detection System): it watches traffic without blocking it, so it can tell you who is trying to compromise your system.

It is not perfect yet, but it is still cheaper than some IPS (Intrusion Prevention System) products. Coupled with BASE, Snort becomes genuinely convenient for intrusion detection.

Installation and configuration

Documentation on installing and configuring Base and Snort

Using Debian packages

For my part, I only followed a small part of that documentation, since I used the Debian packages directly (with the advantage of automatic updates). For those who want to go the same route:

apt-get install snort-mysql php5-gd libpcre3 acidbase python-adodb

Explanations for beginners:

  • Snort is the tool that listens in promiscuous mode on one or more of your network cards and detects potential intrusion attempts from the traffic it sees
  • BASE (AcidBase) is the web front end that reads the alerts Snort has recorded in the SQL database (or another output backend) and presents them

It’s mentioned in the documentation, but for people like me who prefer to skim, here’s the command to test your snort configuration:

snort -T -c /etc/snort/snort.conf   # -T: validate the configuration and exit instead of starting to sniff

FAQ

BASE: Database ERROR: Table ‘snort.iphdr’ doesn’t exist

If you run into this problem after an update or a reinstallation, you just need to reimport the SQL schema file. Rather than a long explanation, here is the procedure:

cd /usr/share/doc/snort-mysql/
gzip -d create_mysql.gz
# -p without a value prompts for the password, so it does not end up in your shell history or in the process list
mysql -uroot -p -D snort < create_mysql

That’s it! So it wasn’t really a big deal, and BASE is running again :-)
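As an added example (not part of the original post), a small POSIX sh helper that checks which of the snort-mysql schema tables are actually present before reimporting, so the import only runs when something is really missing. The table names and the path to create_mysql.gz are assumptions based on the stock snort-mysql package; adjust them to your version.

```shell
#!/bin/sh
# Added example: repair the Snort/BASE schema only when tables are missing,
# instead of blindly re-running create_mysql after every "table doesn't exist".

# Core tables created by create_mysql (assumption: names as shipped with the
# snort-mysql package; adjust if your package version differs).
SNORT_TABLES="schema event signature sensor iphdr tcphdr udphdr icmphdr opt data"

# Reads a list of existing table names on stdin (one per line, as printed by
# `mysql -N -e 'SHOW TABLES'`) and prints the required tables that are missing.
# Returns 0 when the schema is complete, 1 when at least one table is missing.
snort_schema_missing() {
    existing=$(cat)
    missing=""
    for t in $SNORT_TABLES; do
        # exact whole-line match so "event" does not match "event_backup"
        if ! printf '%s\n' "$existing" | grep -qx "$t"; then
            missing="$missing $t"
        fi
    done
    missing=${missing# }
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Reimport only when tables are missing. Uses -p without a value so the password
# is prompted for rather than left in shell history or the process list, and
# pipes the gzipped schema straight into mysql instead of unpacking it under
# /usr/share/doc. Note: a failed login yields an empty table list, which looks
# like "everything missing"; check the mysql error output before trusting it.
snort_schema_repair() {
    db=${1:-snort}
    schema=${2:-/usr/share/doc/snort-mysql/create_mysql.gz}   # assumed path
    if missing=$(mysql -uroot -p -N -D "$db" -e 'SHOW TABLES' | snort_schema_missing); then
        echo "schema in '$db' is complete, nothing to do"
        return 0
    fi
    echo "missing tables in '$db': $missing -> importing $schema"
    zcat "$schema" | mysql -uroot -p -D "$db"
}
```

Run `snort_schema_repair snort` on the BASE host; you will be prompted for the MySQL password twice (once to list tables, once to import).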

Resources

Last updated 10 Feb 2008, 10:43 +0200.