Installing BASE
This page is a stub and still in beta.
If you have been following this set of documentation, you will have already emerged or installed the following packages / programs, which are prerequisites for BASE:
Installed From Portage:
GD
jpeg
Libnet
Libpcap
Libpcre
Libpng
MySQL
Zlib
Installed From Source:
Apache
PHP
Snort
Installed From PEAR:
PEAR::Image_Canvas
PEAR::Image_Graph
PEAR::Image_Color
PEAR::Log
PEAR::Numbers_Roman
PEAR::Numbers_Words
You will need to install ADODB, as it is a required package for BASE. You can obtain it at http://adodb.sourceforge.net .
To install ADODB, simply gunzip and untar the tarball into your website root (/usr/local/apache2/htdocs in this case). The files only need to be readable by the user Apache runs as: PHP files do not need the execute bit, and they should not be writable by the web server user. Apache does not need to be restarted for PHP to include the new files.
Now we can begin the BASE install.
Prior to deploying BASE, successful logging of alerts from the sensor (be it Snort, logsnorter, etc.) to the database should be confirmed. BASE can only manage alerts stored in the database. Consult the appropriate documentation for database logging configuration specifics.
- Snort -- README.database included in the source distribution or at http://www.snort.org/documentation.html
- logsnorter -- README included in distribution
In order to confirm successful logging, use the command-line database client (or a graphical front-end tool) to run a query such as:
[for MySQL]
$ echo "SELECT count(*) FROM event" | mysql snort_db -u root -p
(Note: the connection parameters used with mysql may vary with your configuration. In this case, the mysql client connects to the snort_db database as the root user and prompts for a password.)
A non-zero count means the sensor is writing alerts to the database.
Then give the database user that BASE will run as read access to the alert tables:
[MySQL and PostgreSQL] : GRANT select ON schema TO base_user
(Gives the SELECT privilege on the schema table, Snort's schema version table, to user base_user. BASE needs SELECT on every table in the alert database, so on MySQL grant on the whole database instead, e.g. GRANT SELECT ON snort_db.* TO 'base_user'@'localhost' IDENTIFIED BY 'password'; on PostgreSQL, grant SELECT on each table.)
- Install Apache, PHP (and GD). There are many configuration options whose specifics are best addressed by the appropriate package's documentation. Here are several suggestions.
- Edit the PHP configuration file, php.ini, and make the following changes:
[All OSes]
- Set the display_errors variable to off (display_errors = off) for production deployments of BASE. This setting prevents debugging messages from being included inline in the HTML, where they leak file paths, queries and database details to whoever is viewing the page. If you want some debugging messages sent inline, at least set the error_reporting variable to E_ALL & ~E_NOTICE (error_reporting = E_ALL & ~E_NOTICE).
- For PostgreSQL support, uncomment the following line:
extension=php_pgsql.dll
For MSSQL support, uncomment the following line:
extension=php_mssql.dll
(These are the Windows module names; on a Unix build the shared objects are pgsql.so and mssql.so, or PHP is compiled with --with-pgsql / --with-mssql instead. For MySQL support, nothing special needs to be done.)
- Set the SMTP variable to refer to your SMTP server.
- Set the session.save_path variable to a temporary directory writable by the web server (e.g. c:\temp on Windows, /var/lib/php/session on Unix). It should not be readable by other local users, since it holds the session data of logged-in BASE users.
- Set the sendmail_path variable to the full path to your mail transfer agent (MTA) such as sendmail.
- Set the
- Start the web server.
- Uncompress and install ADODB 1.2+. This process should be as simple as copying the files into a directory viewable by the web server and PHP. In the case of Apache, any child directory of DocumentRoot set in httpd.conf.
[UNIX]
$ cp adodb112.tgz /home/httpd/html
$ cd /home/httpd/html
$ tar xvfz adodb112.tgz
$ cd ..
(Use /usr/local/apache2/htdocs instead if you followed the Apache-from-source steps above.)
- (Optional) Install signatures into the BASE install:
  - Create a directory named signature/ in the BASE install directory
  - Copy any signature txt files you would like into that directory
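The php.ini edits above, done from a script rather than by hand, as an added example that is not part of the BASE README or this page. It assumes php.ini lives at /usr/local/lib/php.ini (the default location for a PHP built from source) and that the database type is passed as the second argument; log_errors = On is an addition beyond the README's list, so that the errors hidden from the browser still reach the error log.

```shell
#!/bin/sh
# Added example: not from the BASE README or this wiki page. Applies the
# production php.ini settings recommended above and reads them back.
# Assumes the php.ini path is given as $1; needs only sed -E and grep -E.

# php_ini_set FILE KEY VALUE: rewrite every existing (possibly ";"-commented)
# "KEY = value" line, or append one if KEY is absent. Not for "extension="
# lines, which legitimately repeat; see php_ini_enable_extension.
php_ini_set() {
    f=$1; key=$2; val=$3
    # Escape the characters that are special in a sed replacement (& | \).
    esc=$(printf '%s' "$val" | sed 's/[&|\\]/\\&/g')
    if grep -Eq "^[[:space:]]*;?[[:space:]]*$key[[:space:]]*=" "$f"; then
        sed -E "s|^[[:space:]]*;?[[:space:]]*$key[[:space:]]*=.*|$key = $esc|" "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    else
        printf '%s = %s\n' "$key" "$val" >> "$f"
    fi
}

# php_ini_get FILE KEY: print the effective value of KEY (PHP uses the last
# uncommented assignment), or nothing if it is not set.
php_ini_get() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# php_ini_enable_extension FILE NAME: uncomment ";extension=NAME" if present,
# append "extension=NAME" if absent, do nothing if already enabled.
php_ini_enable_extension() {
    f=$1; ext=$2
    if grep -Eq "^[[:space:]]*extension[[:space:]]*=[[:space:]]*$ext[[:space:]]*\$" "$f"; then
        return 0
    fi
    if grep -Eq "^[[:space:]]*;[[:space:]]*extension[[:space:]]*=[[:space:]]*$ext[[:space:]]*\$" "$f"; then
        sed -E "s|^[[:space:]]*;[[:space:]]*(extension[[:space:]]*=[[:space:]]*$ext)[[:space:]]*\$|\\1|" "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    else
        printf 'extension=%s\n' "$ext" >> "$f"
    fi
}

# php_ini_harden FILE [mysql|postgres|mssql]: the production settings from the
# README plus log_errors, and the DB extension for the chosen database.
php_ini_harden() {
    f=$1
    php_ini_set "$f" display_errors Off                 # no debug output in the HTML
    php_ini_set "$f" error_reporting 'E_ALL & ~E_NOTICE'
    php_ini_set "$f" log_errors On                      # not in the README: keep errors in the log
    php_ini_set "$f" session.save_path /var/lib/php/session   # must be writable by the web server user only
    php_ini_set "$f" sendmail_path /usr/sbin/sendmail
    php_ini_set "$f" SMTP localhost
    case ${2:-mysql} in
        postgres) php_ini_enable_extension "$f" pgsql.so ;;   # Unix name of php_pgsql.dll
        mssql)    php_ini_enable_extension "$f" mssql.so ;;
    esac
}

# Usage (assumed path of a source-built PHP): sh php_ini_harden.sh /usr/local/lib/php.ini postgres
if [ -n "${1:-}" ]; then
    php_ini_harden "$1" "${2:-mysql}" \
        && echo "display_errors is now: $(php_ini_get "$1" display_errors)"
fi
```

Run it once, then restart Apache so the new php.ini is read; php_ini_get shows what PHP will actually use, since a commented-out line that was left behind is not an active setting.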
IV. CONFIGURATION _____________________________________
- The file base_conf.php.dist needs to be copied to base_conf.php. This will enable you to edit the configuration while retaining the original settings in case you have problems.
The file base_conf.php controls the configuration of BASE.
Note: base_conf.php is PHP code which is included in each BASE page request. As such, it is imperative that the opening <?php and closing ?> tags not be removed from the file. Likewise, no extra lines may appear before or after these <?php ?> delimiters: anything outside them is sent to the browser as page output, which breaks the HTTP headers and sessions BASE relies on.
All conventions of the PHP language (e.g. comments) apply to the base_conf.php file. For example, the comment characters are either '//' or '/* ... */':
// comment #1
/* multi-line comment #1
   multi-line comment #2 */
The general format of each configuration entry is:
$<variable> = <value>;
Variable names are case sensitive.
The following options will need to be set with site specific information in order for BASE to function properly. Aside from this minimal configuration, there are a number of other settings which can be tweaked. Please see http://sourceforge.net/projects/secureideas for an exhaustive list.
- $DBlib_path : full path to the ADODB installation
(Note: do not include a trailing / or \ character)
- $DBtype : type of the database used ("mysql", "postgres", "mssql")
- $Use_Auth_System : set this to 1 if you would like to use the user authentication system. Remember to add a user before setting it to 1!
- $BASE_urlpath : the root URI of your site, for example /~kjohnson/base
- $alert_dbname : alert database name
- $alert_host : alert database server
- $alert_port : port where the database is stored
- $alert_user : username for the alert database
- $alert_password : password for the username
[OPTIONAL for alert archiving support]
- $archive_exists : set to 1
- $archive_dbname : archive/backup database name
- $archive_host : archive database server
- $archive_port : archive database port
- $archive_user : "root"; (the README's example value; use a dedicated, least-privileged database user rather than root)
- $archive_password : "mypassword";
- Open the base_main.php page in a browser. If any database changes are required, BASE will prompt for action.
For new databases, several BASE specific tables will need to be created. When running BASE for the first time, an error message will appear:
"The underlying database appears to be incomplete/invalid. The database version is valid, but the BASE DB structure is not present. Use the Setup page to configure and optimize the DB."
Click on the "Setup page" link to be brought to the DB configuration page (base_db_setup.php). This page facilitates the creation of the necessary tables. Click on the "Create BASE AG" button shown next to:
BASE tables: Adds tables to extend the Snort DB to support the BASE functionality [Create BASE AG]
(The database user configured in base_conf.php needs the CREATE privilege for this step; a SELECT-only user will fail here, so create the tables with a full-access user and switch to the read-only one afterwards if you want a read-only instance.)
After the tables are created, BASE will return status indicating success.
- Read the security notes about deploying BASE.
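Before opening base_main.php, the pitfalls listed above (missing tags, stray lines outside them, a trailing slash on $DBlib_path, unset connection variables) can be caught with a check script. This is an added example, not part of BASE or this page; the variable names are BASE's own, and the sample configuration in the usage comment is made up.

```shell
#!/bin/sh
# Added example: not part of BASE or this wiki page. Checks a base_conf.php for
# the mistakes described in the configuration notes before BASE is opened in a
# browser. Variable names are BASE's own; the file path is passed as $1.

# conf_value FILE VAR: print the value assigned to $VAR in FILE (first
# assignment; surrounding quotes, trailing ";" and a trailing comment removed),
# or nothing if it is not assigned.
conf_value() {
    grep -E "^[[:space:]]*\\\$$2[[:space:]]*=" "$1" | head -n 1 \
        | sed -E "s/^[^=]*=[[:space:]]*//; s/;[[:space:]]*(\/\/.*|#.*)?\$//; s/^[\"'](.*)[\"']\$/\\1/"
}

# base_conf_check FILE: return 0 when all hard checks pass, 1 otherwise, printing
# one line per problem. Lines starting "warning:" do not fail the check.
base_conf_check() {
    f=$1; rc=0
    # The file must begin with <?php and end with ?> (at most one newline after
    # it); anything outside the tags becomes page output and breaks headers.
    case $(head -n 1 "$f") in
        "<?php"*) ;;
        *) echo "$f: must begin with <?php"; rc=1 ;;
    esac
    case $(tail -c 3 "$f" | tr -d '\n') in
        *"?>") ;;
        *) echo "$f: must end with ?> followed by at most one newline"; rc=1 ;;
    esac
    # $DBlib_path: set, no trailing slash, and actually pointing at ADODB.
    dblib=$(conf_value "$f" DBlib_path)
    case $dblib in
        '')     echo "$f: \$DBlib_path is not set"; rc=1 ;;
        */|*\\) echo "$f: \$DBlib_path has a trailing slash: $dblib"; rc=1 ;;
    esac
    if [ -n "$dblib" ] && [ ! -f "$dblib/adodb.inc.php" ]; then
        echo "$f: warning: $dblib/adodb.inc.php not found"
    fi
    case $(conf_value "$f" DBtype) in
        mysql|postgres|mssql) ;;
        *) echo "$f: \$DBtype must be mysql, postgres or mssql"; rc=1 ;;
    esac
    for v in alert_dbname alert_host alert_user BASE_urlpath; do
        [ -n "$(conf_value "$f" "$v")" ] || { echo "$f: \$$v is not set"; rc=1; }
    done
    [ -n "$(conf_value "$f" alert_password)" ] \
        || echo "$f: warning: \$alert_password is empty"
    [ "$(conf_value "$f" Use_Auth_System)" = 1 ] \
        || echo "$f: warning: \$Use_Auth_System is not 1; protect the pages with web server authentication"
    if [ "$(conf_value "$f" archive_exists)" = 1 ]; then
        [ -n "$(conf_value "$f" archive_dbname)" ] \
            || { echo "$f: \$archive_exists is 1 but \$archive_dbname is not set"; rc=1; }
    fi
    return $rc
}

# Usage: sh base_conf_check.sh /usr/local/apache2/htdocs/base/base_conf.php
# (hypothetical install path; the script prints nothing and exits 0 when clean)
if [ -n "${1:-}" ]; then
    base_conf_check "$1"
fi
```

The hard failures are the ones that make BASE fail outright or silently ignore the setting; the warnings are the choices the security notes below advise against, left to the administrator.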
SECURITY _____________________________________
As with any software, an appropriate deployment strategy must be employed. The following are some recommendations and notes about the security of BASE.
- Run BASE only over encrypted connections, since many of the queries return potentially sensitive information (alert payloads, internal addresses, sensor names). The use of HTTPS (SSL/TLS) is highly recommended: mod_ssl (http://www.modssl.org) provides this functionality for Apache 1.3, and Apache 2 ships its own mod_ssl (build with --enable-ssl).
- BASE has only a simple built-in authentication mechanism ($Use_Auth_System in base_conf.php). Stronger authentication and authorization can be provided by the underlying components. Use native web server authentication techniques to identify users connecting to the BASE pages (e.g. basic or digest HTTP authentication, or X.509 client certificates with mod_ssl); basic authentication in particular only makes sense over HTTPS, since it sends the credentials base64-encoded rather than encrypted.
Authorization can also be provided through per-file or per-directory access control methods specific to the web server (e.g. through .htaccess files in Apache). Furthermore, the specific actions which can be performed on the individual alerts in the database can be controlled to a certain degree through the privileges assigned to the underlying database user configured in BASE. For example, the ability to delete alerts can be easily controlled by granting or revoking the DELETE SQL privilege from the BASE database user. Thus, by creating two separate users, each set in a different instance of BASE, a read-only and a full-access configuration can be established.
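The logging check from the installation notes above and the read-only / full-access user split just described, as MySQL statements generated by an added example script that is not part of BASE or this page. The database name snort_db, the users base_ro and base_rw, and localhost as the connecting host are assumptions; the GRANT ... IDENTIFIED BY form is the MySQL 4/5 syntax of BASE's era (MySQL 8 requires a separate CREATE USER first).

```shell
#!/bin/sh
# Added example: not from the BASE README or this wiki page. Emits the MySQL
# statements for a read-only and a full-access BASE user, and checks the
# sensor has actually logged something. Hypothetical values: database
# snort_db, users base_ro and base_rw, connecting from localhost.

# sql_quote STRING: double any single quote so the value is safe inside '...'.
sql_quote() { printf '%s' "$1" | sed "s/'/''/g"; }

# base_grant_sql MODE DB USER HOST PASSWORD
#   ro: SELECT only - alerts can be viewed but never deleted or archived
#   rw: what alert deletion/archiving and the Setup page (CREATE/INDEX for
#       the BASE tables) need
base_grant_sql() {
    mode=$1; db=$2; user=$3; host=$4; pass=$(sql_quote "$5")
    case $mode in
        ro) privs="SELECT" ;;
        rw) privs="SELECT, INSERT, UPDATE, DELETE, CREATE, INDEX" ;;
        *)  echo "usage: base_grant_sql ro|rw db user host password" >&2; return 1 ;;
    esac
    printf "GRANT %s ON %s.* TO '%s'@'%s' IDENTIFIED BY '%s';\n" \
        "$privs" "$db" "$user" "$host" "$pass"
    echo "FLUSH PRIVILEGES;"
}

# events_logged: read on stdin the output of
#     mysql -N -u root -p -e 'SELECT count(*) FROM event' snort_db
# Returns 0 if at least one alert is stored, 1 if the table is empty, and 2
# if the output is not a number (wrong database, bad credentials, ...).
events_logged() {
    n=$(tr -d '[:space:]')
    case $n in
        ''|*[!0-9]*) echo "unexpected output: '$n'" >&2; return 2 ;;
    esac
    [ "$n" -gt 0 ]
}

# Usage: BASE_RO_PASS=... BASE_RW_PASS=... sh base_users.sh print | mysql -u root -p
# Passwords come from the environment so they never appear in the process list.
if [ "${1:-}" = print ]; then
    base_grant_sql ro snort_db base_ro localhost "${BASE_RO_PASS:?set BASE_RO_PASS}"
    base_grant_sql rw snort_db base_rw localhost "${BASE_RW_PASS:?set BASE_RW_PASS}"
fi
```

Point the public, read-only BASE instance at base_ro and an administrators-only instance at base_rw; with the read-only user, even a successful injection through the unvalidated request parameters mentioned below cannot delete or alter alerts.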
- While the primary interface of BASE is through a web browser, proper file permissions still need to be set on the local file system. These permissions will protect against potential unauthorized viewing or modification of BASE files by users who have local accounts to the web server.
- BASE is currently beta! No real work has yet been done on validating input. This means that the code may allow arbitrary access to the underlying database. Exercise extreme caution in deploying this application in a public area; keep it behind web server authentication and off untrusted networks.
- The alert (and archive) database passwords configured in BASE are stored in clear-text in the file system. Their security is contingent on the settings of the local file system permissions. Furthermore, these passwords are hard-coded in the application and are only as secure as any other PHP "code" from being exposed in unparsed form. Improper configurations of the web server can result in the exposure of these passwords if unparsed PHP files are returned.
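An added example (not from the README or this page) that checks and fixes the permissions on base_conf.php and tests a fetched page for the unparsed-PHP exposure just described. It assumes the web server runs as group apache (Gentoo's default for the apache package; use www-data or nobody as appropriate) and a hypothetical URL https://ids.example.com/base/; curl appears only in a comment, the checks themselves run offline.

```shell
#!/bin/sh
# Added example: not from the BASE README or this wiki page. base_conf.php
# holds the database passwords in clear text, so it must be readable by the
# web server user and by nobody else with a local account. Assumed group:
# apache (Gentoo's apache package); adjust for www-data/nobody.

# world_readable FILE: 0 if "other" has any permission bit set. Parses ls -ld
# so it does not depend on GNU stat.
world_readable() {
    mode=$(ls -ld "$1" | cut -c8-10)
    [ "$mode" != "---" ]
}

# check_conf_perms FILE GROUP: 0 when FILE is not world-readable and is owned
# by GROUP; prints what is wrong otherwise.
check_conf_perms() {
    f=$1; grp=$2; rc=0
    if world_readable "$f"; then
        echo "$f: readable by every local user"; rc=1
    fi
    owner_grp=$(ls -ld "$f" | awk '{print $4}')
    [ "$owner_grp" = "$grp" ] || { echo "$f: group is $owner_grp, expected $grp"; rc=1; }
    return $rc
}

# fix_conf_perms FILE GROUP: root owns the file, the web server group may read
# it, nobody else may; the web server itself cannot modify it.
fix_conf_perms() {
    chown "root:$2" "$1" && chmod 0640 "$1"
}

# php_source_leaked: read an HTTP response body on stdin; 0 if raw PHP came
# back, i.e. the server served the file instead of executing it. Example:
#   curl -sk https://ids.example.com/base/base_conf.php | php_source_leaked && echo EXPOSED
# (hypothetical URL)
php_source_leaked() { grep -q '<?php'; }

# Usage: sh base_perms.sh /usr/local/apache2/htdocs/base/base_conf.php apache
if [ -n "${1:-}" ]; then
    check_conf_perms "$1" "${2:-apache}" || fix_conf_perms "$1" "${2:-apache}"
fi
```

The same mode (root:apache, 0640) suits the ADODB and BASE directories' PHP files: the web server only ever needs to read them, and a writable document root is what turns the unvalidated-input problem above into a persistent compromise.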