Snort has truly grown up. Its fans watched it grow from a fairly simple, lightweight, yet effective, intrusion detector into a full-blown intrusion detector and preventer. Snort now runs on Windows and Mac OS X as well as Linux and Unix.
Snort may be a full-blown intrusion detector and preventer, but it is also highly complex. Using BASE, an application for searching and processing databases generated by network-monitoring tools, is one way to streamline it.
As Snort increased its capabilities, it has grown in complexity. Keeping an eye on what it’s doing is a Spock-like endeavor. For those with neither futuristic brains nor pointy ears, the next best thing is Basic Analysis and Security Engine (BASE). BASE provides a Web-based window into what Snort is doing on your network.
BASE requires Snort, MySQL, an HTTP server, PHP, PCRE (i.e., the Perl Compatible Regular Expressions Library), libpcap, and the ADOdb Library for PHP. Barnyard and Oinkmaster are great optional tools that will help simplify the management of logfiles and rulesets. This sounds like a lot, but these are all standard packages that should be in your Linux distribution’s package repositories. BASE is not a Snort-specific utility, but rather an application for searching and processing databases generated by network-monitoring tools. Among other things, BASE reads tcpdump binary log formats and Snort alert formats.
When you have it all together, you’ll be able to run queries like on any database, create graphs, and sort information pretty much any way you want to, by signature, protocol, time, Snort sensor, TCP/UDP port, TCP/IP flags, and source and destination IP addresses. You’ll go a long way and learn a lot just by clicking links in the BASE Web interface to drill down and see what’s happening.
One useful feature is the ability to create Alert groups, which lets you sort BASE data in a way most useful to you. Documentation, howtos, and interesting articles on this is available at Snort.org/docs. Windows admins can visit Winsnort.com for everything they need to know about running Snort on Windows.