Fading Coder

Deploying Snort with Barnyard2 and BASE on Ubuntu Linux

This guide walks through installing and wiring Snort, Barnyard2, and BASE on Ubuntu to build a basic network intrusion detection stack (LAMP + Snort + Barnyard2 + BASE). The steps assume Ubuntu 18.04 and a user with sudo privileges.

Environment

  • Example host: 1 vCPU, 2 GB RAM, 40 GB disk
  • OS: Ubuntu 18.04
  • Network interface in examples: eth0 (adjust if your interface differs, e.g., ens3)

Optional: point APT to a closer mirror (e.g., Aliyun/Tsinghua) for faster downloads.

Install the LAMP stack

  1. Apache

sudo apt update
sudo apt install -y apache2

  2. MySQL

sudo apt install -y mysql-server libmysqlclient-dev mysql-client autoconf libtool
sudo mysql_secure_installation

  3. PHP 5.6 (via PPA)

sudo apt install -y software-properties-common
sudo add-apt-repository ppa:ondrej/php -y
sudo apt update
sudo apt install -y \
  libapache2-mod-php5.6 php5.6 php5.6-common php5.6-gd \
  php5.6-cli php5.6-xml php5.6-mysql php-pear libphp-adodb

sudo systemctl restart apache2

  4. Verify PHP

Create /var/www/html/info.php and browse it:

echo '<?php phpinfo(); ?>' | sudo tee /var/www/html/info.php

Open http://127.0.0.1/info.php (or http://SERVER_IP/info.php) to confirm PHP is active.

Build and install DAQ

Prepare dependencies and compile DAQ (Data Acquisition library):

sudo apt install -y flex bison libpcap-dev

# Adjust paths/versions to match your tarball locations
DAQ_VER=2.0.6
cd /usr/src
sudo tar -xzf /path/to/daq-${DAQ_VER}.tar.gz -C /usr/src
# The tree was extracted as root; hand it to the build user so ./configure and make can write to it
sudo chown -R "$(id -u):$(id -g)" /usr/src/daq-${DAQ_VER}
cd /usr/src/daq-${DAQ_VER}
./configure
make -j"$(nproc)"
sudo make install

Build and install Snort

Install Snort build requirements and compile:

sudo apt install -y libpcre3-dev libdumbnet-dev liblua5.2-dev libnghttp2-dev

SNORT_VER=2.9.12
cd /usr/src
sudo tar -xzf /path/to/snort-${SNORT_VER}.tar.gz -C /usr/src
# Extracted as root; make the tree writable by the build user before configuring
sudo chown -R "$(id -u):$(id -g)" /usr/src/snort-${SNORT_VER}
cd /usr/src/snort-${SNORT_VER}
./configure --enable-sourcefire
make -j"$(nproc)"
sudo make install
sudo ldconfig

Check installation:

snort -V

Create Snort system user, directories, and permissions

sudo groupadd --force snort
sudo id snort >/dev/null 2>&1 || sudo useradd -r -s /sbin/nologin -c "SNORT_IDS" -g snort snort

# Configuration and rule directories
sudo install -d -m 5775 -o snort -g snort /etc/snort
sudo install -d -m 5775 -o snort -g snort /etc/snort/rules
sudo install -d -m 5775 -o snort -g snort /etc/snort/rules/iplists
sudo install -d -m 5775 -o snort -g snort /etc/snort/preproc_rules
sudo install -d -m 5775 -o snort -g snort /etc/snort/so_rules

# Dynamic rules
sudo install -d -m 5775 -o snort -g snort /usr/local/lib/snort_dynamicrules

# Logs
sudo install -d -m 5775 -o snort -g snort /var/log/snort
sudo install -d -m 5775 -o snort -g snort /var/log/snort/archived_logs

# Empty rule files
sudo -u snort touch /etc/snort/rules/iplists/black_list.rules
sudo -u snort touch /etc/snort/rules/iplists/white_list.rules
sudo -u snort touch /etc/snort/rules/local.rules

Copy default configuration files from the Snort source tree:

# Adjust the source directory if you built elsewhere
SRC=/usr/src/snort-2.9.12
sudo cp "$SRC"/etc/*.conf* /etc/snort/
sudo cp "$SRC"/etc/*.map /etc/snort/
sudo cp "$SRC"/etc/*.dtd /etc/snort/

# Dynamic preprocessors (path produced by the build)
sudo install -d -m 5775 -o root -g root /usr/local/lib/snort_dynamicpreprocessor
cd "$SRC"/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/
sudo cp -a * /usr/local/lib/snort_dynamicpreprocessor/

Configure Snort

Edit /etc/snort/snort.conf:

# HOME_NET: the author's monitored network is shown; substitute your own
sudo sed -i 's@^ipvar HOME_NET.*@ipvar HOME_NET 172.25.45.23/18@' /etc/snort/snort.conf

# Rewrite only the "var ..." definitions. Patterns matching the bare variable name would
# also replace the include lines and the reputation preprocessor lines that reference
# $SO_RULE_PATH, $WHITE_LIST_PATH and $BLACK_LIST_PATH, leaving an unparsable snort.conf.
sudo awk '
  /^var RULE_PATH /         {print "var RULE_PATH /etc/snort/rules"; next}
  /^var SO_RULE_PATH /      {print "var SO_RULE_PATH /etc/snort/so_rules"; next}
  /^var PREPROC_RULE_PATH / {print "var PREPROC_RULE_PATH /etc/snort/preproc_rules"; next}
  /^var WHITE_LIST_PATH /   {print "var WHITE_LIST_PATH /etc/snort/rules/iplists"; next}
  /^var BLACK_LIST_PATH /   {print "var BLACK_LIST_PATH /etc/snort/rules/iplists"; next}
  {print}
' /etc/snort/snort.conf | sudo tee /etc/snort/snort.conf.new >/dev/null && sudo mv /etc/snort/snort.conf.new /etc/snort/snort.conf

# Ensure unified2 output is present
sudo grep -q '^output unified2' /etc/snort/snort.conf || \
  echo 'output unified2: filename snort.u2, limit 128' | sudo tee -a /etc/snort/snort.conf

# Enable local.rules and disable other includes if desired
if ! grep -q 'include \$RULE_PATH/local.rules' /etc/snort/snort.conf; then
  echo 'include $RULE_PATH/local.rules' | sudo tee -a /etc/snort/snort.conf
fi

Load community rules and add a simple ICMP rule:

# Unpack and copy community rules, then include them so they are actually loaded
sudo tar -xzf /path/to/community-rules.tar.gz -C /tmp
sudo cp /tmp/community-rules/* /etc/snort/rules/
grep -q 'include \$RULE_PATH/community.rules' /etc/snort/snort.conf || \
  echo 'include $RULE_PATH/community.rules' | sudo tee -a /etc/snort/snort.conf

# Add a basic ICMP alert rule (a rule must sit on one line unless each line ends in "\")
sudo bash -c 'cat >> /etc/snort/rules/local.rules' <<'RULE'
alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; classtype:icmp-event; sid:10000001; rev:1; gid:1;)
RULE

# Map SID to message. The "#v2" header selects the gid || sid || rev || class || priority || msg || ref
# layout used below; without it Barnyard2 parses the file as the older sid || msg || ref format.
sudo bash -c 'cat > /etc/snort/sid-msg.map' <<'MAP'
#v2
1 || 10000001 || 001 || icmp-event || 0 || ICMP test detected || url,tools.ietf.org/html/rfc792
MAP

Validate configuration:

sudo snort -T -c /etc/snort/snort.conf -i eth0

To watch console alerts while generating ICMP traffic:

sudo ufw disable || true
sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
# From another host, ping this server's eth0 IP and observe alerts

Build and install Barnyard2

Compile Barnyard2 with MySQL support:

sudo apt install -y autoconf automake libtool pkg-config libmysqlclient-dev

cd /usr/src
sudo tar -xzf /path/to/barnyard2-2-1.13.tar.gz -C /usr/src
# Extracted as root; make the tree writable by the build user for autoreconf, configure and make
sudo chown -R "$(id -u):$(id -g)" /usr/src/barnyard2-2-1.13
cd /usr/src/barnyard2-2-1.13
autoreconf -fvi -I ./
./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu

If compilation fails with a SOCKET type redefinition in src/output-plugins/spo_alert_fwsam.c, rename that identifier to BARNYARD2_SOCKET before building:

sed -i 's/\bSOCKET\b/BARNYARD2_SOCKET/g' src/output-plugins/spo_alert_fwsam.c

make -j"$(nproc)"
sudo make install

Verify installation:

barnyard2 -V

Configure Barnyard2 and MySQL schema

Prepare config and state:

sudo cp /usr/src/barnyard2-2-1.13/etc/barnyard2.conf /etc/snort/
sudo install -d -m 0775 -o snort -g snort /var/log/barnyard2
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort:snort /var/log/snort/barnyard2.waldo

Create the Snort database and user:

mysql -u root -p <<'SQL'
CREATE DATABASE IF NOT EXISTS snort;
USE snort;
SOURCE /usr/src/barnyard2-2-1.13/schemas/create_mysql;
-- 123456 is the guide's example password; choose a strong one and use the same value in barnyard2.conf
CREATE USER IF NOT EXISTS 'snort'@'localhost' IDENTIFIED BY '123456';
GRANT CREATE, INSERT, SELECT, DELETE, UPDATE ON snort.* TO 'snort'@'localhost';
FLUSH PRIVILEGES;
SQL

Append database output configuration to /etc/snort/barnyard2.conf:

sudo bash -c 'cat >> /etc/snort/barnyard2.conf' <<'CONF'
output database: log, mysql, user=snort password=123456 dbname=snort host=localhost sensor_name=sensor01
CONF

# The file now contains the database password: readable by root and the snort group only
sudo chown root:snort /etc/snort/barnyard2.conf
sudo chmod 0640 /etc/snort/barnyard2.conf

Run Snort and Barnyard2

Start MySQL and generate events:

sudo service mysql start

# Run Snort to produce unified2 logs (runs in the foreground: add -D to daemonize,
# or start Barnyard2 from a second terminal)
sudo snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Process unified2 logs with Barnyard2 (continuous):

sudo barnyard2 \
  -c /etc/snort/barnyard2.conf \
  -d /var/log/snort \
  -f snort.u2 \
  -w /var/log/snort/barnyard2.waldo \
  -u snort -g snort

Process a single u2 file (on-demand):

sudo barnyard2 -c /etc/snort/barnyard2.conf -o /var/log/snort/snort.u2.1588583079

Confirm events are loading:

mysql -u snort -p -D snort -e "SELECT COUNT(*) FROM event"
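To make the hand-off between the unified2 output configured above, the sid-msg.map entry and Barnyard2's processing concrete, here is an added example (not code from the original post, Snort or Barnyard2) that decodes a unified2 IPv4 IDS event record and renders it the way Barnyard2 does before inserting it into MySQL. The record contents (addresses, event id, timestamp) are constructed sample values, not captured data.

```python
import struct
import socket

UNIFIED2_IDS_EVENT = 7                      # IPv4 IDS event record type (52-byte body)
IDS_EVENT_FMT = "!" + "I" * 11 + "HHBBBB"   # big-endian layout of Unified2_IDSEvent

def parse_sid_msg_map(text):
    """Map (gid, sid) -> (message, classification); a '#v2' header selects the v2 layout."""
    v2 = text.lstrip().startswith("#v2")
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = [p.strip() for p in line.split("||")]
        if v2:      # gid || sid || rev || class || priority || msg || ref ...
            table[(int(f[0]), int(f[1]))] = (f[5], f[3])
        else:       # v1: sid || msg || ref ...  (gid is implicitly 1)
            table[(1, int(f[0]))] = (f[1], "")
    return table

def read_events(data):
    """Walk the record stream and yield decoded IPv4 IDS events; other record types are skipped."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)   # every record: type, length, body
        body = data[off + 8:off + 8 + rlen]
        off += 8 + rlen
        if rtype != UNIFIED2_IDS_EVENT or len(body) != struct.calcsize(IDS_EVENT_FMT):
            continue
        (_sensor, _evid, _sec, _usec, sid, gid, rev, _cls, _pri, src, dst,
         _sport, _dport, proto, _flag, _impact, _blocked) = struct.unpack(IDS_EVENT_FMT, body)
        yield gid, sid, rev, proto, socket.inet_ntoa(struct.pack("!I", src)), socket.inet_ntoa(struct.pack("!I", dst))

def render_alerts(data, sidmap):
    """Format events as '[gid:sid:rev] msg ...'; unmapped sids get Barnyard2's generic text."""
    lines = []
    for gid, sid, rev, proto, src, dst in read_events(data):
        msg, cls = sidmap.get((gid, sid), ("Snort Alert [%d:%d:%d]" % (gid, sid, rev), ""))
        lines.append("[%d:%d:%d] %s [Classification: %s] {%d} %s -> %s"
                     % (gid, sid, rev, msg, cls, proto, src, dst))
    return lines

# The guide's sid-msg.map entry, plus one constructed record: an ICMP echo (type 8) from
# 172.25.45.1 to 172.25.45.23 at epoch 1588583079 matched by the local rule (gid 1, sid 10000001).
SID_MSG_MAP = ("#v2\n1 || 10000001 || 001 || icmp-event || 0 || ICMP test detected"
               " || url,tools.ietf.org/html/rfc792\n")
_ip = lambda a: int.from_bytes(socket.inet_aton(a), "big")
_body = struct.pack(IDS_EVENT_FMT, 0, 1, 1588583079, 0, 10000001, 1, 1, 0, 0,
                    _ip("172.25.45.1"), _ip("172.25.45.23"), 8, 0, 1, 0, 0, 0)
SAMPLE_U2 = struct.pack("!II", UNIFIED2_IDS_EVENT, len(_body)) + _body
```

Point `read_events` at the bytes of a real snort.u2.<timestamp> file to check what the sensor wrote before Barnyard2 consumes it.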

Install BASE and ADOdb

  1. ADOdb library

sudo tar -xzf /path/to/adodb-5.20.14.tar.gz -C /var/www/html
sudo mv /var/www/html/adodb5 /var/www/html/adodb

  2. BASE files

sudo tar -xzf /path/to/base-1.4.5.tar.gz -C /var/www/html
sudo mv /var/www/html/base-1.4.5 /var/www/html/base
sudo systemctl restart apache2

  3. PHP settings and permissions

# Tune PHP error reporting for BASE (Apache SAPI)
PHPINI=/etc/php/5.6/apache2/php.ini
sudo sed -i 's@^\s*error_reporting\s*=.*@error_reporting = E_ALL & ~E_NOTICE@' "$PHPINI"

sudo systemctl restart apache2

# Set directory permissions
sudo chown -R root:root /var/www/html
sudo chmod 755 /var/www/html/adodb

  4. Web-based setup

Open http://SERVER_IP/base/setup/index.php and follow the prompts:

  • Language: simplified_chinese (or preferred)
  • ADOdb path: /var/www/html/adodb
  • Database: use the previously created snort DB and credentials
  • Admin account for BASE UI: e.g., snort / 123456
  • Create tables when prompted
  • At the end, copy the generated configuration to /var/www/html/base/base_conf.php as instructed

When all checks are green, BASE is ready and should show data loaded by Barnyard2.

Using Snort

Snort supports three modes: packet sniffer, packet logger, and network IDS.

  1. Sniffer mode (print IP/TCP/UDP/ICMP headers):

snort -v

  2. Packet logger mode (store packets on disk):

# Text logs with verbose decode
snort -vde -l /path/to/logdir

# Limit to a home network
snort -vde -l /path/to/logdir -h 192.168.1.0/24

# Binary pcap-style logging
snort -l /path/to/logdir -b

# Read and decode a binary log file
snort -dv -r /path/to/logdir/snort.log

  3. Network IDS mode (rule-driven detection):

snort -dev -l /path/to/logdir -h 192.168.1.0/24 -c /etc/snort/snort.conf

Initialization output indicates successful startup; subsequent network traffic matching rules is then printed.

Tags: Linux, snort
