< BASE, Snort Tables and PEAR | Java & Friends  | Perl and Oinkmaster - Snort Rules Update Tool >

Testing Snort and BASE, with Error Troubleshooting

What do we have in this session?

  1. Testing BASE and Snort

  2. BASE and MySQL Errors

  3. More Errors

Testing BASE and Snort

First, run Snort manually (we failed to run it as a Windows service in the previous session). Pick an interface (NIC) that actually carries traffic.

Viewing the available interfaces on the machine using snort -W

We use the WAN (PPP/SLIP) interface, interface #4 in this case, and run Snort in IDS mode with the command below. Note that -p does not enable promiscuous mode; it disables promiscuous-mode sniffing. On a PPP dial-up link that costs nothing, because the link only carries this host's own traffic anyway. A useful check before going live is snort -T -c c:\snort\etc\snort.conf, which parses the configuration and rules, reports any error and exits without sniffing.

 

C:\>snort -c c:\snort\etc\snort.conf -l c:\snort\log -v -i4 -p

 

As soon as there is traffic on the interface, the verbose packet output (-v) appears on the console.

 

Running snort with the snort -c c:\snort\etc\snort.conf -l c:\snort\log -v -i4 -p command, showing the sample output on the Windows console

 

BASE and MySQL Errors

 

Next, browse to http://localhost/base-1.4.5/base_main.php to open the BASE web interface. Instead of the console we get the errors below: every attempt to connect to MySQL fails. Searching for the message text turns up the cause quickly.

 

Notice: Undefined index: QUERY_STRING in C:\Inetpub\wwwroot\base-1.4.5\includes\base_state_criteria.inc.php on line 248
Warning: mysql_pconnect(): [2002] A connection attempt failed because the connected party did not (trying to connect via tcp://localhost:3306) in C:\PHP\adodb5\drivers\adodb-mysql.inc.php on line 383
Warning: mysql_pconnect(): A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. in C:\PHP\adodb5\drivers\adodb-mysql.inc.php on line 383
Fatal error: Maximum execution time of 30 seconds exceeded in C:\PHP\adodb5\drivers\adodb-mysql.inc.php on line 383

The same four messages then appear a second time prefixed with "PHP ". One copy is the displayed error (display_errors), the other is the logged copy (log_errors), which this IIS/PHP setup is returning to the browser as well; only the first copy matters for troubleshooting.

 

Then, as the search results suggest, we change every 'localhost' in base_conf.php to '127.0.0.1' (without the quotes). The reason this works: the client connects to whatever address 'localhost' resolves to on this machine, and if that is an address where nothing answers (a hosts-file entry pointing elsewhere, an upstream DNS answer for the bare name, or on newer systems the IPv6 loopback while MySQL listens only on IPv4) the connect attempt waits until PHP's execution time runs out. The literal 127.0.0.1 bypasses name resolution altogether. Before editing it is worth confirming that MySQL is actually listening (netstat -an | findstr 3306 on the server) and that the mysql command-line client can log in with the same user and password BASE uses. On a real deployment BASE would be pointed at the database host's actual address or a resolvable name rather than at 'localhost' in any case. Then reopen the URL.
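The connection failure above is usually a name-resolution problem rather than a MySQL problem, and the quickest way to tell the cases apart is to try every address the name resolves to. The script below is an added example written for this page; it is not part of the tutorial, of BASE or of PHP. It resolves a host name the way a TCP client does, probes each resulting address on the MySQL port, and says which value belongs in the database host setting of base_conf.php (assumed here to be the $alert_host entry; the file name mysql_reach.py is likewise an assumption). The probe callback is injectable so the decision logic can be exercised without a live server.

```python
"""Added example for this page (not from the tutorial, BASE or PHP): find out
which address a host name such as 'localhost' really leads to and whether
MySQL answers there, so the right value can go into base_conf.php."""
import json
import socket
import sys
from typing import Callable, Dict, List, Tuple

MYSQL_PORT = 3306

# probe(family, sockaddr) -> "" on success, otherwise the error text
Probe = Callable[[int, tuple], str]


def candidate_addresses(host: str, port: int = MYSQL_PORT) -> List[Tuple[int, tuple]]:
    """The (address family, sockaddr) pairs a TCP client tries for host:port,
    in resolver order, duplicates removed. A name like 'localhost' may yield
    both an IPv6 and an IPv4 entry; a literal such as 127.0.0.1 yields one.
    An unresolvable name yields an empty list instead of an exception."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    pairs: List[Tuple[int, tuple]] = []
    for family, _socktype, _proto, _canon, sockaddr in infos:
        if (family, sockaddr) not in pairs:
            pairs.append((family, sockaddr))
    return pairs


def tcp_probe(family: int, sockaddr: tuple, timeout: float = 2.0) -> str:
    """Real probe: one TCP connect with a short timeout. Returns "" if the port
    accepted the connection, otherwise the OS error text (timeout, refused...)."""
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            return ""
        except OSError as exc:
            return str(exc)


def diagnose(host: str, port: int = MYSQL_PORT, probe: Probe = tcp_probe) -> Dict:
    """Probe every address `host` resolves to and recommend what to write into
    the database host setting of base_conf.php (assumed: $alert_host)."""
    results = []
    for family, sockaddr in candidate_addresses(host, port):
        results.append({
            "family": "IPv6" if family == socket.AF_INET6 else "IPv4",
            "ip": sockaddr[0],
            "error": probe(family, sockaddr),
        })
    reachable = [r["ip"] for r in results if not r["error"]]
    if not results:
        advice = f"{host!r} does not resolve; check DNS or the hosts file"
    elif not reachable:
        advice = (f"nothing listening on port {port} at any address of {host!r}; "
                  "is mysqld running, and is the port open in the firewall?")
    elif results[0]["error"]:
        # A client that tries the addresses in order stalls on the first one
        # until its timeout, which is the symptom seen in the BASE error page.
        advice = (f"first address {results[0]['ip']} fails ({results[0]['error']}); "
                  f"set the host to {reachable[0]!r} instead of {host!r}")
    else:
        advice = f"{host!r} works on port {port}; look at credentials or database name instead"
    return {"host": host, "port": port, "results": results, "advice": advice}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(json.dumps(diagnose(target), indent=2))
```

Run it on the web server with the host name from base_conf.php (python mysql_reach.py localhost); when the advice names a literal address, that is the value to put in the file, and when it reports nothing listening anywhere the problem is the MySQL service or the firewall, not the name.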

 

Basic Analysis and Security Engine (BASE) in action loaded through Internet browser

 

More Errors

 

Well, fewer errors! At the top of the page we now have the following notices.

 

Notice: Undefined index: QUERY_STRING in C:\Inetpub\wwwroot\base-1.4.5\includes\base_state_criteria.inc.php on line 248
Notice: Undefined index: REQUEST_URI in C:\Inetpub\wwwroot\base-1.4.5\includes\base_output_html.inc.php on line 92

 

And at the bottom, the logged copies of the same two notices.

 

PHP Notice: Undefined index: QUERY_STRING in C:\Inetpub\wwwroot\base-1.4.5\includes\base_state_criteria.inc.php on line 248
PHP Notice: Undefined index: REQUEST_URI in C:\Inetpub\wwwroot\base-1.4.5\includes\base_output_html.inc.php on line 92

 

The notices come from $_SERVER entries that this IIS/PHP combination does not populate: QUERY_STRING is absent when the URL carries no query string (as on the first visit), and REQUEST_URI is not provided by IIS of this era at all. BASE reads both without checking that they exist, so the fix is to guard each read with isset(). To resolve these errors, re-open base_state_criteria.inc.php and find line 248. Replace the original code:

 

$query_string = CleanVariable($_SERVER["QUERY_STRING"], VAR_PERIOD | VAR_DIGIT | VAR_PUNC | VAR_LETTER);

 

With the following and save the file.

 

$query_string = CleanVariable((isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : ''), VAR_PERIOD | VAR_DIGIT | VAR_PUNC | VAR_LETTER);

 

Next, open base_output_html.inc.php and find line 92. Replace the original code:

 

htmlspecialchars(CleanVariable($_SERVER["REQUEST_URI"], VAR_FSLASH | VAR_PERIOD | VAR_DIGIT | VAR_PUNC | VAR_LETTER), ENT_QUOTES).'">'."\n";

 

With the following and save the file.

 

htmlspecialchars(CleanVariable((isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : ''), VAR_FSLASH | VAR_PERIOD | VAR_DIGIT | VAR_PUNC | VAR_LETTER), ENT_QUOTES).'">'."\n";
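The two patches above are instances of one pattern: BASE reads a $_SERVER key without first checking that the web server populated it, and on IIS several of the usual keys are absent. Rather than wait for the next notice, the whole BASE tree can be scanned for the same pattern. The script below is an added example written for this page, not code from BASE or from the tutorial; the small PHP sample it scans is constructed here to mirror line 248 before the fix and line 92 after it, and the rule that guard and read sit on the same line is a heuristic, not a PHP parser.

```python
"""Added example for this page (not BASE code): find $_SERVER[...] reads in PHP
source that have no isset() guard for the same key, and rewrite a line into the
isset()-or-empty-string form used in the BASE fix."""
import os
import re
from typing import Dict, List, Tuple

# $_SERVER["KEY"] or $_SERVER['KEY']
_SERVER_READ = re.compile(r"""\$_SERVER\[\s*(["'])([A-Za-z_][A-Za-z0-9_]*)\1\s*\]""")
# isset($_SERVER["KEY"]) guard for the same key
_ISSET_GUARD = re.compile(r"""isset\(\s*\$_SERVER\[\s*(["'])([A-Za-z_][A-Za-z0-9_]*)\1\s*\]\s*\)""")

# Constructed sample: line 2 is the unpatched line 248, line 3 the patched
# line 92, line 4 another unguarded read a scan should also report.
SAMPLE_PHP = r"""<?php
$query_string = CleanVariable($_SERVER["QUERY_STRING"], VAR_PERIOD | VAR_DIGIT | VAR_PUNC | VAR_LETTER);
$self = htmlspecialchars(CleanVariable((isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : ''), VAR_FSLASH), ENT_QUOTES);
$agent = $_SERVER['HTTP_USER_AGENT'];
"""


def unguarded_server_reads(php_source: str) -> List[Tuple[int, str]]:
    """Return (line_number, key) for every $_SERVER[key] read on a line that
    carries no isset($_SERVER[key]) for that same key. Heuristic: guard and
    read are expected on the same line, as in the two BASE fixes."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        guarded = {m.group(2) for m in _ISSET_GUARD.finditer(line)}
        for m in _SERVER_READ.finditer(line):
            if m.group(2) not in guarded:
                findings.append((lineno, m.group(2)))
    return findings


def guard_line(line: str) -> str:
    """Rewrite each unguarded $_SERVER[key] read on one line into
    (isset($_SERVER[key]) ? $_SERVER[key] : ''), leaving guarded reads alone.
    Applying it twice is a no-op."""
    guarded = {m.group(2) for m in _ISSET_GUARD.finditer(line)}

    def repl(m: "re.Match[str]") -> str:
        quote, key = m.group(1), m.group(2)
        if key in guarded:
            return m.group(0)
        read = f"$_SERVER[{quote}{key}{quote}]"
        return f"(isset({read}) ? {read} : '')"

    return _SERVER_READ.sub(repl, line)


def scan_tree(root: str) -> Dict[str, List[Tuple[int, str]]]:
    """Walk a directory such as the BASE install (C:\Inetpub\wwwroot\base-1.4.5
    in the tutorial) and report unguarded reads per .php file."""
    report: Dict[str, List[Tuple[int, str]]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = unguarded_server_reads(fh.read())
                if hits:
                    report[path] = hits
    return report


if __name__ == "__main__":
    for lineno, key in unguarded_server_reads(SAMPLE_PHP):
        print(f"sample line {lineno}: unguarded $_SERVER[{key}]")
        print("  fix:", guard_line(SAMPLE_PHP.splitlines()[lineno - 1]))
```

Point scan_tree() at the BASE directory to get the list of files and lines to patch; guard_line() produces the replacement text for each reported line, in exactly the shape used for lines 248 and 92 above.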

 

Then let's do a simple customization: enable the custom footer by setting $base_custom_footer in the BASE configuration (the comment on the setting says it makes base_main.php include whichever file is named). A sample footer, custom_base_footer.php, ships in the contrib subfolder of the BASE install.

 

/* Custom footer addition.  The below variable, if set, will cause
 *  base_main.php to include whatever file is specified.
 *  A sample custom footer file is in the contrib directory
 */
$base_custom_footer = '/contrib/custom_base_footer.php';

 

Reload the base_main.php file from browser.

 

Reloading Basic Analysis and Security Engine (BASE) through Internet browser

 

Those notices have vanished and everything looks fine. Click one of the links, for example any protocol.

 

Testing a link in Basic Analysis and Security Engine (BASE) GUI


Another PHP warning of the Basic Analysis and Security Engine (BASE)

 

At the bottom of the page there are more warnings.

 

Warning: Unknown: 1 result set(s) not freed. Use mysql_free_result to free result sets which were requested using mysql_query() in Unknown on line 0

(As before, the same message is repeated once more with the "PHP " prefix, the logged copy.)

 

These warnings are non-critical. To silence them, re-open php.ini and find the following block.

 

; Trace mode. When trace_mode is active (=On), warnings for table/index scans and
; SQL-Errors will be displayed.
; http://php.net/mysql.trace-mode
mysql.trace_mode = On

 

Turn mysql.trace_mode off.

 

; Trace mode. When trace_mode is active (=On), warnings for table/index scans and
; SQL-Errors will be displayed.
; http://php.net/mysql.trace-mode
mysql.trace_mode = Off

 

What the warning means: with mysql.trace_mode on, the MySQL extension reports at script shutdown any result set that was requested with mysql_query() and never released with mysql_free_result(); BASE (through ADOdb) leaves one such result behind on these pages. Turning trace_mode off stops the report rather than freeing anything, but that is acceptable here: mysql_free_result() frees all memory associated with a result identifier and only needs to be called when you are concerned about the memory held by large result sets while the script is still running, because all result memory is released automatically when the script ends.

Save the file, reload base_main.php and try the links again.

 

Basic Analysis and Security Engine (BASE) in action with no more error

 

Hmmm, no more errors when clicking the links. Try another one, in this case the link labelled 1.

 

Basic Analysis and Security Engine (BASE) - another PHP notices

 

Another PHP notice. These too are non-critical and can be suppressed through the error_reporting setting in php.ini, documented at http://php.net/error-reporting. Two caveats before doing that on anything other than a lab box. First, every notice shown so far prints the absolute path of the script (C:\Inetpub\wwwroot\base-1.4.5\...) to whoever loads the page, which is information an attacker probing the console would be glad to have; the right production setting is display_errors = Off with log_errors = On and an error_log path that IIS cannot serve, so the messages go to a log you read rather than to the browser. Second, lowering error_reporting hides the symptom only; the isset() guards added above fix the cause, and that is the preferable approach wherever you can patch the code.

 

 

A lot of configuration options for Snort, BASE, PHP and MySQL were not covered in this lengthy tutorial. We have, however, successfully demonstrated how to run Snort with BASE, together with the other required 'friends' (PHP, MySQL and the IIS server).

This was intended as a how-to for getting all of these pieces running on Windows XP Pro SP2. There are many other considerations to take into account, such as where to place the IDS sensor on the network, refined configuration of Snort and the Snort rules, setting up SMTP alert notifications in BASE, the security implications (the BASE console, whose base_conf.php holds the database credentials, should itself be access-controlled), and many more. Those should be tailored to your organization's needs.
