ACIDBASE - Install With SNORT Setup On Ubuntu 24.04
Snort Configuration
Before configuring Acidbase (BASE, the Basic Analysis and Security Engine), make sure Snort is installed and writing alerts into a database. The classic way is the `output database` plugin in `/etc/snort/snort.conf`:

```
output database: log, mysql, user=snort dbname=snort host=localhost password=your_secure_password
```

Replace `your_secure_password` with the password of the Snort database user. Two caveats apply. First, the database output plugin only exists in old Snort 2 releases: it was deprecated in 2.9.3 and removed in a later 2.9 release, so the 2.9.x package on Ubuntu 24.04 rejects this line. On such versions keep Snort writing unified2 (`output unified2: filename snort.u2, limit 128`) and run Barnyard2, whose `barnyard2.conf` accepts the same `output database:` line, to load the spool into MySQL. Second, the password sits in clear text in the config file: keep `snort.conf` (or `barnyard2.conf`) readable only by root and the account the logger runs as, and do not reuse the same password for the web interface's database account.
Database Configuration
Acidbase requires a database to store Snort's logs and alerts. This guide assumes you are using MySQL, but you can adapt the steps for PostgreSQL.
1. Create the Snort database and user. Open a root session with `mysql -u root -p`, then run:

```
CREATE DATABASE snort;
CREATE USER 'snort'@'localhost' IDENTIFIED BY 'your_secure_password';
GRANT ALL PRIVILEGES ON snort.* TO 'snort'@'localhost';
FLUSH PRIVILEGES;
```

`GRANT ALL PRIVILEGES` is a shortcut to get a first install working; neither the logger nor the web interface needs DROP or GRANT rights on the database, so tighten this before the box sees real traffic.
2. Import the Snort schema into the database. On Ubuntu the schema is not in `/etc/snort`; it ships in the `schemas/` directory of the Snort or Barnyard2 source tree (in current Barnyard2 trees the file is simply `create_mysql`, without the extension), so adjust the path:

```
cd /path/to/snort-or-barnyard2-source/schemas
mysql -u snort -p snort < create_mysql.sql
```

This creates the tables Acidbase queries directly: `event`, `iphdr`, `tcphdr`/`udphdr`/`icmphdr`, `signature`, `sensor` and friends. Confirm with `mysql -u snort -p snort -e 'SHOW TABLES;'` that they exist before going further; an empty database is the most common reason the web interface shows nothing.
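The single all-privileges account above is convenient but hands the web application every right the logger has, and vice versa. The following is an added example (not from the page) of the split a practitioner would normally use: one account for the writer (Snort's database plugin or Barnyard2), one for BASE. It assumes the schema has already been loaded into the `snort` database on localhost; the account names and passwords are placeholders.

```sql
-- Added example: least-privilege accounts for the Snort/BASE database.
-- Assumes the `snort` database and schema already exist on localhost.

-- The log writer (Snort database plugin or Barnyard2) inserts events and
-- updates sensor.last_cid; it never needs DELETE or any DDL.
CREATE USER 'snort_writer'@'localhost' IDENTIFIED BY 'writer_password_here';
GRANT SELECT, INSERT, UPDATE ON snort.* TO 'snort_writer'@'localhost';

-- The web console reads events and manages its own acid_*/base_* tables,
-- which BASE creates on first run (hence CREATE, ALTER and INDEX).
-- Drop DELETE if analysts must never remove evidence through the browser.
CREATE USER 'base_web'@'localhost' IDENTIFIED BY 'web_password_here';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX
  ON snort.* TO 'base_web'@'localhost';

FLUSH PRIVILEGES;

-- Verify what each account can actually do before putting the credentials
-- into snort.conf/barnyard2.conf and base_conf.php.
SHOW GRANTS FOR 'snort_writer'@'localhost';
SHOW GRANTS FOR 'base_web'@'localhost';
```

Point the logger's `output database:` line at `snort_writer` and BASE's `$alert_user` at `base_web`. If the console's CREATE/ALTER/INDEX rights bother you, grant them only for the first visit (when BASE builds its tables) and revoke them afterwards.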
Acidbase Configuration
After Snort is logging to the database, configure Acidbase to read from it. BASE keeps its settings in `base_conf.php` inside the BASE directory (the old Debian `acidbase` package placed it under `/etc/acidbase/`); copy `base_conf.php.dist` to `base_conf.php` if it does not exist yet.
Edit the database connection parameters. BASE's own variable names are:

```
$DBtype         = 'mysql';
$BASE_urlpath   = '/acidbase';
$alert_dbname   = 'snort';
$alert_host     = 'localhost';
$alert_port     = '';
$alert_user     = 'snort';
$alert_password = 'your_secure_password';
```

Replace `your_secure_password` with the password you set for the database user BASE should use. Because this file contains that password and is served from the web root, make sure it is owned by `root:www-data` and mode 640, and that Apache is not configured to serve `.dist` or backup copies of it.
Setting Up the Web Interface
Acidbase is a PHP web application, so it needs a web server (Apache in this guide) with PHP, the MySQL PHP extension and the ADODB database layer that BASE uses for all its queries. BASE is legacy code that predates PHP 7; on the PHP 8 that Ubuntu 24.04 ships, plan on a maintained fork and a current ADODB rather than the original tarball.
Installing Apache and PHP
If not already installed, install Apache, PHP and the extensions BASE needs (`libphp-adodb` is the packaged ADODB; if it is unavailable, unpack ADODB yourself and point `$DBlib_path` in `base_conf.php` at it):

```
sudo apt update
sudo apt install apache2 php libapache2-mod-php php-mysql php-gd libphp-adodb
```

Then put the Acidbase files in their own directory under the web root rather than spilling them into `/var/www/html` itself, and keep `base_conf.php`, which holds the database password, unreadable to anyone but root and the web server account:

```
sudo mkdir -p /var/www/html/acidbase
sudo cp -r /path/to/acidbase/. /var/www/html/acidbase/
sudo chown -R root:www-data /var/www/html/acidbase
sudo find /var/www/html/acidbase -type d -exec chmod 750 {} +
sudo find /var/www/html/acidbase -type f -exec chmod 640 {} +
```

A blanket `chmod -R 755` on the web root would leave the database password readable to every local account. The web server only needs write access if you let BASE's browser-based setup page generate `base_conf.php`; edit the file by hand instead and the tree can stay read-only for `www-data`.
Finally, restart Apache:

```
sudo systemctl restart apache2
```
Testing the Setup
To test the setup, open `http://localhost/acidbase/` in a browser (this is the path `$BASE_urlpath` must match so BASE builds its links correctly). On the first visit BASE's setup page creates the `acid_*` and `base_*` tables it needs in the alert database, which is why its account needs CREATE rights at that point. Once the interface loads, close it to the outside: enable BASE's own login (`$Use_Auth_System = 1;` in `base_conf.php`) or put Apache authentication in front of the directory, and do not expose it over plain HTTP beyond localhost, because the console both reads every alert and can delete them.
Working with Acidbase
Acidbase offers several tools to manage and analyze Snort logs and alerts. Below are some examples of how to use the Acidbase interface.
Viewing Alerts
Once Snort (or Barnyard2) is writing to the database, BASE lists the alerts in a table. Its query page filters by signature, classification, sensor, time window, source or destination address and port, and payload contents.
The main page shows the most recent alerts together with summaries (most frequent signatures, top source and destination addresses and ports), each linking to the filtered list behind it.
Searching Alerts
BASE's search page builds these queries for you, but it helps to know the shape of the data when BASE cannot express a filter or you want to script one. The Snort schema keeps addresses in `iphdr`, not `event`, stored as unsigned 32-bit integers keyed by `(sid, cid)`, so a query against `event.src_ip` fails with an unknown-column error. To find all alerts from one source address:

```
SELECT e.sid, e.cid, e.timestamp, e.signature
FROM event e
JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
WHERE i.ip_src = INET_ATON('192.168.1.100');
```

This returns every event logged with that source IP. `INET_ATON` converts the dotted address to the integer form the schema stores, and `INET_NTOA` does the reverse when you want readable output.
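Going a step further than the single-address lookup, here is an added example (not from the page and not BASE's own code) of the queries an analyst typically runs against the stock Snort MySQL schema: rules tripped by one source, everything aimed at a subnet with the TCP ports pulled in, and the same lookup as a server-side prepared statement so an address taken from user input cannot rewrite the query. The addresses, rule name and limits are placeholders.

```sql
-- Added example: searching the stock Snort MySQL schema directly.
-- Addresses live in iphdr as unsigned 32-bit integers keyed by (sid, cid);
-- event holds only the signature id and timestamp. Placeholder values below.

-- 1. Which rules did one source address trip, and how often?
SELECT s.sig_name, COUNT(*) AS hits, MAX(e.timestamp) AS last_seen
FROM event e
JOIN iphdr i     ON i.sid = e.sid AND i.cid = e.cid
JOIN signature s ON s.sig_id = e.signature
WHERE i.ip_src = INET_ATON('192.168.1.100')
GROUP BY s.sig_name
ORDER BY hits DESC;

-- 2. Everything aimed at a /24 in the last 24 hours, with TCP ports where
--    the packet was TCP. Compare integer bounds, not LIKE on strings.
SELECT e.timestamp, s.sig_name,
       INET_NTOA(i.ip_src) AS src, INET_NTOA(i.ip_dst) AS dst,
       t.tcp_sport, t.tcp_dport
FROM event e
JOIN iphdr i       ON i.sid = e.sid AND i.cid = e.cid
JOIN signature s   ON s.sig_id = e.signature
LEFT JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
WHERE i.ip_dst BETWEEN INET_ATON('192.168.1.0') AND INET_ATON('192.168.1.255')
  AND e.timestamp >= NOW() - INTERVAL 1 DAY
ORDER BY e.timestamp DESC
LIMIT 200;

-- 3. The single-address lookup as a prepared statement. When the address
--    comes from a web form, bind it like this (or with your driver's
--    placeholders) instead of splicing it into the query text. INET_ATON of
--    a malformed string yields NULL and matches nothing; it cannot break
--    out of the WHERE clause the way a concatenated string could.
PREPARE by_src FROM
  'SELECT e.sid, e.cid, e.timestamp, e.signature
     FROM event e
     JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
    WHERE i.ip_src = INET_ATON(?)
    ORDER BY e.timestamp DESC
    LIMIT 100';
SET @src = '192.168.1.100';
EXECUTE by_src USING @src;
DEALLOCATE PREPARE by_src;
```

Query 2 uses `LEFT JOIN` on `tcphdr` so ICMP and UDP events are not silently dropped; swap in `udphdr` (`udp_sport`, `udp_dport`) for UDP-heavy rules. All three rely on the schema's `(sid, cid)` primary keys and the `timestamp` index, so they stay fast as long as those indexes were created by the import.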
Managing Alerts
BASE's action menu on the alert list lets you delete alerts, add them to an alert group (its mechanism for tagging alerts that belong to one investigation), archive them to a separate archive database, or email them. Deleting removes the row from the evidence database for good, so use alert groups and archiving for triage and leave deletion to a deliberate retention job; in any case keep the raw unified2 files on the sensor as the primary record.
Exporting Alerts
Export goes through the same menu: "Email alert(s) (csv)" sends the selected rows as CSV (full and summary text forms are also offered), using the mail settings in `base_conf.php`.
That mail leaves the host in clear text unless the MTA path is protected, so for offline analysis it is usually safer to query the database directly and write the result to a file on the box than to mail alert data around.
Advanced Features
Acidbase offers several advanced features for managing and analyzing Snort data.
Custom Alerts
Custom detection lives on the Snort side: add rules to `local.rules` under the rules directory (included from `snort.conf` as `$RULE_PATH/local.rules`), not to `snort.conf` itself, and reload Snort. Local rules use SIDs of 1000000 and above so they never collide with vendor rule sets. A minimal rule:

```
alert ip any any -> 192.168.1.0/24 any (msg:"Custom alert"; sid:1000001; rev:1;)
```

This fires on every IP packet with a destination in `192.168.1.0/24`, from any source. That makes it useful for proving the Snort-to-database-to-BASE path end to end and useless for anything else: on a busy segment it buries real alerts and floods the database. Once the pipeline works, restrict it with a protocol, ports and a `content` match, and bump `rev` whenever you change it so the `signature` table tracks the revision.
Using Acidbase with Multiple Snort Instances
BASE reads a single alert database; it has no option to fan queries out to several. To aggregate sensors, point every sensor's logger at one central database and let the schema do the separation: each writer registers itself in the `sensor` table (by hostname and interface) and every event carries that sensor's `sid`, so BASE's sensor page and filters show which box produced what. On each sensor, in `barnyard2.conf`:

```
config hostname:  sensor-a
config interface: eth0
output database: log, mysql, user=snort password=your_secure_password dbname=snort host=192.168.1.10
```

Create a MySQL account per sensor host (`'snort'@'192.168.1.101'`, not `'snort'@'%'`) with only the rights the writer needs, and because alert data and the password now cross the network, require TLS on those accounts (`REQUIRE SSL` in `CREATE USER`) or tunnel the connection. The addresses above are placeholders for your central database and sensors.
Performance Optimization
For large environments with high traffic, it is important to optimize the performance of both Snort and Acidbase.
Snort Performance Tuning
Optimize Snort by trimming what it decodes and inspects. Decoder alerts can be silenced in `snort.conf`, but this is a coverage trade rather than a free speed-up: you stop being told about malformed or truncated packets, which is exactly what some evasion attempts look like.

```
# silence decoder alerts (malformed-packet warnings) to cut noise and database writes
config disable_decode_alerts
```

(`disable_decode_ip4` is not a Snort 2 option; drop it.) The capture buffer is a property of the DAQ, not a `config buffer_size` line, which Snort does not recognise. For the default pcap DAQ, set it in bytes:

```
config daq_var: buffer_size=262144
```

or pass `--daq-var buffer_size=262144` on the command line. The bigger levers are the rule set itself, so disable rules that cannot apply to your network, and `config detection: search-method ac-split`, which trades memory for faster pattern matching.
Acidbase Performance Tuning
BASE has no query cache and no `$cache_*` options; its response time is the database's. The levers that help are in `base_conf.php` and in how much data the joins have to cover:

```
$show_rows        = 48;              // rows per page; large values make every page a full scan
$archive_exists   = 1;               // enable moving closed alerts to a separate archive database
$archive_dbname   = 'snort_archive';
$archive_host     = 'localhost';
$archive_port     = '';
$archive_user     = 'snort';
$archive_password = 'your_secure_password';
```

Archive or prune old events on a schedule so the `event` and `iphdr` tables BASE joins on stay small, and check that the schema's indexes on `(sid, cid)`, `signature` and `timestamp` survived any manual import. The archive database needs the same schema and the same least-privilege treatment as the live one.
Troubleshooting
This section addresses common issues encountered while setting up or using Acidbase with Snort.
Database Connection Errors
If BASE cannot reach the database, confirm the server is running and that the host, port, user and password in `base_conf.php` match what the writer (`snort.conf` or `barnyard2.conf`) uses.
Test the exact combination from the shell:

```
mysql -u snort -p -h localhost snort -e 'SELECT 1;'
```

Note that `-h localhost` connects over the Unix socket; if the config uses `127.0.0.1` or a remote host, test with that address so you exercise the TCP path and the matching `'snort'@'host'` grant. If this works but BASE still fails, the problem is on the PHP side: check `/var/log/apache2/error.log` for a missing extension or ADODB driver error, and the MySQL error log for rejected logins.
Acidbase Interface Not Loading
If the Acidbase web interface doesn't load, ensure that the Apache web server is running:

```
sudo systemctl status apache2
```

If the service is inactive, restart it with:

```
sudo systemctl restart apache2
```
Snort Alerts Not Showing in Acidbase
If alerts never appear, find where the pipeline stops. Snort writes to `/var/log/snort`; with unified2 output look for growing `snort.u2.<timestamp>` files there, and if Barnyard2 is the loader check that it is running and that its bookmark (waldo) file is advancing. If Snort is not generating alerts at all, test with a rule that is guaranteed to fire (the broad custom rule above) rather than waiting for real traffic.
Then check the database itself, without dumping the whole table:

```
mysql -u snort -p snort -e "SELECT COUNT(*) AS events, MAX(timestamp) AS last_event FROM event;"
```
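The count above tells you whether anything arrived; it does not tell you which sensor stopped or whether inserts are partially failing. The following added example (not from the page) reads the stock schema's `sensor` and `event` tables to localise the fault. It assumes the default table layout from the Snort schema; hostnames are whatever each writer registered.

```sql
-- Added example: locate where the Snort -> database -> BASE pipeline stops.
-- Uses the stock schema's sensor and event tables (assumed unmodified).

-- One row per registered sensor: how many events it has written and when
-- the last one arrived. Interpreting the result:
--   * a sensor row with no events: the writer connected and registered
--     but every insert fails (check its INSERT privilege on snort.*);
--   * a stale last_event: the writer stopped (Barnyard2 down, or the
--     unified2 spool it reads is no longer being written);
--   * no sensor row at all: the writer never reached the database
--     (wrong host/credentials, or Snort still writing to the wrong output).
SELECT s.sid, s.hostname, s.interface, s.last_cid,
       COUNT(e.cid) AS events_in_db,
       MAX(e.timestamp) AS last_event
FROM sensor s
LEFT JOIN event e ON e.sid = s.sid
GROUP BY s.sid;

-- The writer bumps sensor.last_cid for every event it tries to store, so a
-- last_cid higher than the stored count means rows went missing. Deletions
-- made through BASE also open such a gap, so compare against the console's
-- activity before blaming the writer.
SELECT s.sid, s.hostname,
       s.last_cid - COUNT(e.cid) AS missing_events
FROM sensor s
LEFT JOIN event e ON e.sid = s.sid
GROUP BY s.sid
HAVING missing_events > 0;
```

`GROUP BY s.sid` is enough because `sid` is the primary key of `sensor`, so MySQL accepts the other `sensor` columns in the select list under `ONLY_FULL_GROUP_BY`. If the first query shows a sensor registered from an address you do not recognise, treat that as a finding in its own right: anything holding the writer's credentials can insert arbitrary "alerts" into what BASE presents as evidence.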
Useful Links
- [Snort Official Website](https://www.snort.org/)
- [Acidbase GitHub Repository](https://github.com/acidbase/acidbase)
- [Snort Database Schema Documentation](https://snort.org/documents/)
- [MySQL Documentation](https://dev.mysql.com/doc/)
- [Apache HTTP Server Documentation](https://httpd.apache.org/docs/)
- [How to Optimize Snort Performance](https://www.snort.org/faq/optimizing-snort)
