This chapter describes the various configuration tasks to get snort and the tools up and running.
Instead of doing the work twice I only provide a link to a document describing the various tasks of compiling/installing MySQL, Apache, ACID etc. by Jason Lewis: http://www.packetnexus.com/docs/packetnexus/
Please keep in mind that I'm not the author of either the document or the scripts mentioned there. I didn't even test the scripts so please don't ask me about them ;)
You can start installing snort by getting the current tarball from http://www.snort.org/ and compiling it yourself, or by trying to find precompiled binaries for your distribution.
For version 1.8.3 you can find precompiled binaries for rpm based linux distributions, FreeBSD, Solaris and Windows at www.snort.org.
I'm no longer maintaining my own RPMS since there is no point in doing the work twice. But I will offer you my adjusted snortd.multi initscript at http://www.lug-burghausen.org/projects/Snort-Statistics/snortd.multi.
My old 1.8.1 RPMS with MySQL support (but without PostgreSQL support!) can still be found at http://www.lug-burghausen.org/projects/Snort-Statistics/snort-1.8.1-4.i386.rpm. To create a PostgreSQL enabled version, download the Source RPM, edit the spec file and rebuild the RPM. If you are not familiar with creating RPMs you should have a look at the RPM-HOWTO or at http://www.rpm.org/, where Maximum RPM, a downloadable book about RPM, is located along with other good sources about RPM.
var HOME_NET any
var EXTERNAL_NET any
# DNS_SERVERS holds the addresses of "noisy" computers like DNS or NWM
# to be ignored from portscans
var DNS_SERVERS [1.1.1.1/32,2.2.2.2/32]
var SMTP_SERVERS $HOME_NET
...
After all that theoretical stuff here is the preprocessor part of /etc/snort/snort.conf:
preprocessor frag2
preprocessor stream4: detect_scans detect_state_problems
preprocessor stream4_reassemble: ports all
preprocessor unidecode: 80 8080
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: 0.0.0.0/0 6 3 /var/log/snort/portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
The database output module requires the following parameters:
Now let's take a look at the output module part of /etc/snort/snort.conf:
output alert_syslog: LOG_AUTH LOG_ALERT LOG_PID
output database: alert, mysql, user=snort password=mypassword dbname=snort host=localhost sensor_name=mysensor
If you are using more than one physical snort sensor and want to log to a database, I recommend using a central database on a separate machine. You can then correlate the alert data from a single console and get a better overview when attacks are found.
The configuration of classification types is done in /etc/snort/classification.config. Normally you don't have to touch it since it is preconfigured for the shipped snort rules. But if you (again like me) are using Max Vision's vision.rules you'll have to add some lines because the classtypes are different. Just copy and paste all config classification: lines from vision.conf to /etc/snort/classification.config. And remember to use the vision.rules for snort 1.8 (called vision18.rules and vision18.conf on http://www.whitehats.com/), as the older ones are not prepared for the new format introduced in snort 1.8!
Here's the /etc/snort/classification.config I used with vision.rules:
#
# config classification:shortname,short description,priority
#
#config classification: not-suspicious,Not Suspicious Traffic,0
config classification: unknown,Unknown Traffic,1
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,3
config classification: successful-recon-limited,Information Leak,4
config classification: successful-recon-largescale,Large Scale Information Leak,5
config classification: attempted-dos,Attempted Denial of Service,6
config classification: successful-dos,Denial of Service,7
config classification: attempted-user,Attempted User Privilege Gain,8
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,7
config classification: successful-user,Successful User Privilege Gain,9
config classification: attempted-admin,Attempted Administrator Privilege Gain,10
config classification: successful-admin,Successful Administrator Privilege Gain,11

# added from vision18.conf
# classification for use with a management interface
# low risk
config classification: not-suspicious,policy traffic that is not suspicious,0
config classification: suspicious,suspicious miscellaneous traffic,1
config classification: info-failed,failed information gathering attempt,2
config classification: relay-failed,failed relay attempt,3
config classification: data-failed,failed data integrity attempt,4
config classification: system-failed,failed system integrity attempt,5
config classification: client-failed,failed client integrity attempt,6
# med risk
config classification: denialofservice,denial of service,7
config classification: info-attempt,information gathering attempt,8
config classification: relay-attempt,relay attempt,9
config classification: data-attempt,data integrity attempt,10
config classification: system-attempt,system integrity attempt,11
config classification: client-attempt,client integrity attempt,12
config classification: data-or-info-attempt,data integrity or information gathering attempt,13
config classification: system-or-info-attempt,system integrity or information gathering attempt,14
config classification: relay-or-info-attempt,relay of information gathering attempt,15
# high risk
config classification: info-success,successful information gathering attempt,16
config classification: relay-success,successful relay attempt,17
config classification: data-success,successful data integrity attempt,18
config classification: system-success,successful system integrity attempt,19
config classification: client-success,successful client integrity attempt,20
The classification and rule files are included in /etc/snort/snort.conf. Some rule files used here, e.g. virus.rules, have been copied from the CVS because they were not shipped with the standard distribution.
As stated before the vision.rules file will be fetched via the tool arachnids_upd which is discussed later.
Arachnids_upd changes the name from vision18.rules to vision.rules but the rules are of course the ones prepared for snort 1.8+.
Since the variable definitions for INTERNAL and EXTERNAL in vision.rules are not the same as with the snort rules I use a script to change these names. Take a look at the arachnids_upd section below.
# Include classification & priority settings
include /etc/snort/classification.config

include /etc/snort/exploit.rules
include /etc/snort/scan.rules
include /etc/snort/finger.rules
include /etc/snort/ftp.rules
include /etc/snort/telnet.rules
include /etc/snort/smtp.rules
include /etc/snort/rpc.rules
include /etc/snort/rservices.rules
include /etc/snort/backdoor.rules
include /etc/snort/dos.rules
include /etc/snort/ddos.rules
include /etc/snort/dns.rules
include /etc/snort/netbios.rules
include /etc/snort/web-cgi.rules
include /etc/snort/web-coldfusion.rules
include /etc/snort/web-frontpage.rules
include /etc/snort/web-iis.rules
include /etc/snort/web-misc.rules
include /etc/snort/sql.rules
include /etc/snort/x11.rules
include /etc/snort/icmp.rules
include /etc/snort/shellcode.rules
include /etc/snort/misc.rules
include /etc/snort/policy.rules
include /etc/snort/info.rules
#include /etc/snort/icmp-info.rules
include /etc/snort/virus.rules
include /etc/snort/local.rules
# vision.rules will be fetched by arachnids_upd
include /etc/snort/vision.rules
When you are done setting up /etc/snort/snort.conf, start snort by calling /etc/rc.d/init.d/snortd start and correct any errors you get in the log file /var/log/messages (ignore any database related messages since the database has not been set up at this time; you may also have to comment out the database output module). If everything is ok you can go on with configuring the other parts.
INTERFACE="ippp0"
Maybe a better solution would be to check the interface's config file for an entry like
ONBOOT=yes
and shut the interface down only if that entry is not set to yes. But that's not implemented yet.
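One way to implement the ONBOOT check proposed above, as an added example that is not part of the HOWTO's snortd script: it assumes RedHat-style ifcfg files and takes the config directory as a parameter so that it can be run against constructed sample files instead of /etc/sysconfig/network-scripts.

```shell
#!/bin/sh
# Added example, not from the HOWTO: decide whether the stop) branch of the
# snortd initscript may take an interface down, based on the ONBOOT entry of
# its ifcfg file (the check the text proposes but has not implemented).

# iface_may_go_down IFACE CONFIG_DIR
#   returns 0 (may be shut down) when IFACE is an ethernet interface that has
#   no ifcfg file or whose ifcfg file does not say ONBOOT=yes,
#   returns 1 (leave it alone) otherwise.
iface_may_go_down() {
    iface=$1
    cfg="$2/ifcfg-$iface"
    # only ethernet interfaces are handled with ifconfig in the initscript
    case "$iface" in
        eth*) ;;
        *) return 1 ;;
    esac
    # no (or empty) config file: an ip-less sniffer interface, safe to shut down
    [ -s "$cfg" ] || return 0
    # last ONBOOT= line wins; strip quotes/blanks and ignore case
    onboot=$(grep -i '^ONBOOT=' "$cfg" | tail -n 1 | cut -d= -f2- \
             | tr -d "\"' " | tr 'A-Z' 'a-z')
    [ "$onboot" = "yes" ] && return 1
    return 0
}

# Constructed sample configs in a temporary directory (assumption: the
# real files live in /etc/sysconfig/network-scripts on a RedHat box).
SAMPLE_DIR=$(mktemp -d)
printf 'DEVICE=eth0\nONBOOT=yes\nIPADDR=192.0.2.10\n' > "$SAMPLE_DIR/ifcfg-eth0"
printf 'DEVICE=eth2\nONBOOT="no"\n' > "$SAMPLE_DIR/ifcfg-eth2"
# eth1 deliberately has no ifcfg file: the ip-less sniffer case from the HOWTO

for i in eth0 eth1 eth2 ippp0; do
    if iface_may_go_down "$i" "$SAMPLE_DIR"; then
        echo "$i: would be taken down"
    else
        echo "$i: left up"
    fi
done
```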
Now here is the extended snort initscript:
#!/bin/sh
#
# snortd        Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description: snort is a lightweight network intrusion detection tool that
#              currently detects more than 1100 host and network
#              vulnerabilities, portscans, backdoors, and more.
#
# June 10, 2000 -- Dave Wreski Dave Wreski <dave at linuxsecurity.com>
#   - initial version
# July 08, 2000 Dave Wreski <dave at guardiandigital.com>
#   - added snort user/group
#   - support for 1.6.2
# April 11, 2001 Sandro Poppi <spoppi at gmx.de>
#   - added multiple interfaces option for use with dial up lines
#     or more than one sniffer interface
#     I don't think the libpcap option to use "-i any" is a good choice,
#     because snort would be set up to monitor one or more ip-less interfaces
#     while leaving the monitor interface "unprotected"
#   - changed the subsystem name from snort to snortd to get rid of error messages
#     when rebooting (the killall script on a redhat box depends on the correct name)
#   - added a function daemonMult derived from the function daemon in /etc/rc.d/init.d/functions
#     to allow starting multiple instances of snort with the convenience of the daemon function
#     (eventually this could be integrated into the normal daemon function of redhat, have to get
#     in touch with the author)
# January 01, 2002 Sandro Poppi <spoppi at gmx.de>
#   - added check if swatch is installed
#   - added check for interfaces other than ethernet since only those are expected to work with ifconfig
#

# Source function library.
. /etc/rc.d/init.d/functions

# A function to start a program even more than once
# rewritten version of the daemon function in /etc/rc.d/init.d/functions
daemonMult() {
	# Test syntax.
	gotbase=
	user=
	nicelevel=0
	while [ "$1" != "${1##-}" -o "$1" != "${1##+}" ]; do
	  case $1 in
	    '')    echo '$0: Usage: daemon [+/-nicelevel] {program}'
	           return 1;;
	    --check)
	           shift
	           base=$1
	           gotbase="yes"
	           shift
	           ;;
	    --user)
	           shift
	           daemon_user=$1
	           shift
	           ;;
	    -*|+*) nicelevel=$1
	           shift
	           ;;
	     *)    nicelevel=0
	           ;;
	  esac
	done

	# Save basename.
	[ -z "$gotbase" ] && base=`basename $1`

	# make sure it doesn't core dump anywhere; while this could mask
	# problems with the daemon, it also closes some security problems
	ulimit -S -c 0 >/dev/null 2>&1

	# Echo daemon
	[ "$BOOTUP" = "verbose" ] && echo -n " $base"

	# And start it up.
	if [ -z "$daemon_user" ]; then
	   nice -n $nicelevel initlog $INITLOG_ARGS -c "$*" && success "$base startup" || failure "$base startup"
	else
	   nice -n $nicelevel initlog $INITLOG_ARGS -c "su $daemon_user -c \"$*\"" && success "$base startup" || failure "$base startup"
	fi
}

# Specify your network interface(s) here
INTERFACE="eth1 eth2"

# See how we were called.
case "$1" in
  start)
	if [ -x /usr/bin/swatch ] ; then
		echo -n "Starting swatch: "
		# inserted poppi to make use of swatch
		# starting it before snort to get hints on startup errors of snort
		# if using the snort option -s use /var/log/secure,
		# if using output alert_syslog: in snort.conf use /var/log/messages
		/usr/bin/swatch --daemon --tail /var/log/messages --config-file /etc/swatch/swatchrc &
		touch /var/lock/subsys/swatch
		echo "done."
		echo
	fi
	# added multiple interfaces option
	for i in `echo "$INTERFACE"` ; do
		echo -n "Starting snort on interface $i: "
		# inserted to implement ip-less sniffer interface for snort at startup
		# if the interface is not yet loaded or if the interface isn't up yet
		if [ `/sbin/ifconfig $i 2>&1 | /bin/grep -c "Device not found"` = "0" \
		     -o `/sbin/ifconfig $i 2>&1 | /bin/grep -c "UP"` = "0" ] ; then
			# check for interfaces other than ethernet!
			if [ `echo $i | /bin/grep -c "^eth"` = "1" ] ; then
				# check if there is a config for the given interface
				# normally this should be omitted for security reasons for a sniffer interface
				if [ -s "/etc/sysconfig/network-scripts/ifcfg-$i" ]; then
					# use the config
					/sbin/ifup $i
				else
					# ip less sniffer interface
					/sbin/ifconfig $i up promisc
				fi
			fi
		fi
		# call the rewritten daemon function from above
		daemonMult /usr/sbin/snort -u snort -g snort -d -D \
			-i $i -I -l /var/log/snort -c /etc/snort/snort.conf
		echo
	done
	touch /var/lock/subsys/snortd
	;;
  stop)
	echo -n "Stopping snort: "
	killproc snort
	rm -f /var/lock/subsys/snortd
	# inserted Poppi
	if [ -x /usr/bin/swatch ] ; then
		echo
		echo -n "Stopping swatch: "
		kill `ps x|grep "/usr/bin/swatch"|grep -v grep|awk '{ print $1 }'`
		rm -f /var/lock/subsys/swatch
	fi
	# shutdown interface if and only if it has NO ip address
	# and if it is a ethernet interface
	# this is done because we don't want to shutdown interfaces still needed
	# (uses the same INTERFACE variable as the start branch)
	for i in `echo "$INTERFACE"`; do
		if [ `echo $i | /bin/grep -c "^eth"` = "1" -a \
		     `/sbin/ifconfig $i 2>&1 | /bin/grep -c "inet addr:"` = "0" ] ; then
			/sbin/ifconfig $i down
		fi
	done
	echo
	;;
  restart)
	$0 stop
	$0 start
	;;
  status)
	status snort
	#status swatch
	;;
  *)
	echo "Usage: $0 {start|stop|restart|status}"
	exit 1
esac

exit 0
#!/bin/sh
# Script to be run from within swatch to send alerts in multiple formats
# inspired from script on www.snort.org by Bill Richardson
# extended to read a file called "hosts" with names of
# workstation to send a winpopup, syntax is the same as with snortd option -M
# Poppi, 02.05.2001
# Prerequisites:
#   Samba set up correctly
# Change the following variables according to your system (for RedHat 7.x user it should be ok)

# hostfile holds the name of the file containing the workstation for winpopups
hostfile="/etc/snort/hosts"
# recipientfile holds the addresses of all recipients in a single file,
# separated by newline
recipientfile="/etc/snort/recipients"

# if a recipient file exists
if [ -s "$recipientfile" ] ; then
	# generate the recipientlist with email addresses.
	for i in `cat $recipientfile` ; do
		recipients="$recipients "$i
	done
	# $recipients is left unquoted on purpose so that every address
	# becomes a separate argument to mail
	echo "$*" | mail -s "Snort-Alert!!!" $recipients
fi

# if a hostfile exists, send winpopups
if [ -s "$hostfile" ] ; then
	for i in `cat $hostfile` ; do
		echo "Snort-Alert! $*" | smbclient -M $i > /dev/null 2>&1
	done
fi
ws001
ws002
ws003
jane@internal.local.com
henk@snort.info
sandro@snort.info
If either of these two files is missing, the corresponding feature is disabled.
/bin/kill -SIGUSR1 <pid of snort>
Sep 29 07:51:48 ids01 snort[8000]: ===============================================================================
Sep 29 07:51:48 ids01 snort[8000]: Snort analyzed 27316 out of 27316 packets,
Sep 29 07:51:48 ids01 snort[8000]: dropping 0(0.000%) packets
Sep 29 07:51:48 ids01 snort[8000]: Breakdown by protocol:                Action Stats:
Sep 29 07:51:48 ids01 snort[8000]:     TCP: 27152      (99.400%)         ALERTS: 0
Sep 29 07:51:48 ids01 snort[8000]:     UDP: 0          (0.000%)          LOGGED: 0
Sep 29 07:51:48 ids01 snort[8000]:    ICMP: 164        (0.600%)          PASSED: 0
Sep 29 07:51:48 ids01 snort[8000]:     ARP: 0          (0.000%)
Sep 29 07:51:48 ids01 snort[8000]:    IPv6: 0          (0.000%)
Sep 29 07:51:48 ids01 snort[8000]:     IPX: 0          (0.000%)
Sep 29 07:51:48 ids01 snort[8000]:   OTHER: 0          (0.000%)
Sep 29 07:51:48 ids01 snort[8000]: DISCARD: 0          (0.000%)
Sep 29 07:51:48 ids01 snort[8000]: ===============================================================================
Sep 29 07:51:48 ids01 snort[8000]: Fragmentation Stats:
Sep 29 07:51:48 ids01 snort[8000]: Fragmented IP Packets: 0          (0.000%)
Sep 29 07:51:48 ids01 snort[8000]:     Fragment Trackers: 0
Sep 29 07:51:48 ids01 snort[8000]:    Rebuilt IP Packets: 0
Sep 29 07:51:48 ids01 snort[8000]:    Frag elements used: 0
Sep 29 07:51:48 ids01 snort[8000]: Discarded(incomplete): 0
Sep 29 07:51:48 ids01 snort[8000]:    Discarded(timeout): 0
Sep 29 07:51:48 ids01 snort[8000]:   Frag2 memory faults: 0
Sep 29 07:51:48 ids01 snort[8000]: ===============================================================================
Sep 29 07:51:48 ids01 snort[8000]: TCP Stream Reassembly Stats:
Sep 29 07:51:48 ids01 snort[8000]:    TCP Packets Used: 27152      (99.400%)
Sep 29 07:51:48 ids01 snort[8000]:     Stream Trackers: 1
Sep 29 07:51:48 ids01 snort[8000]:      Stream flushes: 0
Sep 29 07:51:48 ids01 snort[8000]:       Segments used: 0
Sep 29 07:51:48 ids01 snort[8000]: Stream4 Memory Faults: 0
Sep 29 07:51:48 ids01 snort[8000]: ===============================================================================
#!/bin/bash
# Script to generate and extract snort statistics from syslog or given file
# generated after kill -USR1 <snort-pid>
#
# This script assumes that the pid is logged into the logfile!
# This can be obtained using the following line in snort.conf:
# output alert_syslog: LOG_AUTH LOG_ALERT LOG_PID
#
# (c) Sandro Poppi 2001
# Released under GPL

echo "Starting gathering snort internal statistics. Please be patient..."

if [ "$1." == "." -o ! -e "$1" ] ; then
	# no or nonexistent file given, using default
	log_file="/var/log/messages"
else
	# when using non-standard logfile location make sure snort uses this logfile
	# when sending signal USR1 else this script won't work!
	log_file="$1"
fi

# find out snort pids
snort_pid=`/sbin/pidof snort`

# get internal statistics for all snort processes
# not using killall to get already sorted output
for i in `echo $snort_pid` ; do
	kill -USR1 $i
	# sleep for 2 secs to give snort time to send statistics to syslog ;)
	sleep 2
done

# immediately restart snort after sending signal USR1
# this may be omitted when using CVS version of snort after about 01.11.2001
# or any version from 1.8.2 or higher
/etc/rc.d/init.d/snortd restart

for i in `echo $snort_pid` ; do
	# process logfile
	filename=/var/log/snort/archive/snort.`date "+%Y-%m-%d"`.$i.log

	# check for existing file and rename it if existing
	if [ -e "$filename" ] ; then
		mv "$filename" "$filename.bak"
	fi

	egrep "snort\[$i\]:" $log_file > "$filename"

	# check if there are dropped packets using lines like
	# Oct 22 18:02:06 xbgh17183 snort[573]: dropping 0(0.000%) packets
	if [ "`egrep "dropping" $filename | awk -F "[ (]" '{ print $7 }'`" != "0" -a \
	     "`egrep -c "dropping" $filename`" != "0" ] ; then
		echo "Snort's dropping packets!!! Take a look at the configuration and/or the system's performance!!!"
	fi
done

echo "Gathering snort internal statistics finished..."
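An added example, not part of the HOWTO, that generalizes the drop check of the statistics script above: it reads the "Snort analyzed" and "dropping" lines of the USR1 statistics block for every snort pid found in a syslog excerpt (a constructed sample with two sensor processes is embedded) and reports per process, exiting non-zero when any of them dropped packets.

```shell
#!/bin/sh
# Added example, not from the HOWTO: per-pid drop check over the statistics
# block snort writes to syslog after SIGUSR1 (same format as shown above).

# Constructed sample syslog excerpt: pid 8000 is clean, pid 8001 drops packets.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Sep 29 07:51:48 ids01 snort[8000]: ===============================================================================
Sep 29 07:51:48 ids01 snort[8000]: Snort analyzed 27316 out of 27316 packets,
Sep 29 07:51:48 ids01 snort[8000]: dropping 0(0.000%) packets
Sep 29 07:51:48 ids01 snort[8000]: Breakdown by protocol:                Action Stats:
Sep 29 07:51:49 ids01 snort[8001]: Snort analyzed 51200 out of 51712 packets,
Sep 29 07:51:49 ids01 snort[8001]: dropping 512(0.990%) packets
EOF

# snort_pids LOGFILE -> distinct pids that logged a "dropping" line, sorted
snort_pids() {
    sed -n 's/.*snort\[\([0-9]*\)\]: dropping .*/\1/p' "$1" | sort -un
}

# snort_dropped LOGFILE PID -> number of packets that pid reported dropped
# (the last "dropping" line wins if the process was signalled more than once)
snort_dropped() {
    grep "snort\[$2\]: dropping " "$1" | tail -n 1 \
        | sed -n 's/.*dropping \([0-9]*\)(.*/\1/p'
}

# snort_analyzed LOGFILE PID -> "<analyzed> <total>" from the "Snort analyzed" line
snort_analyzed() {
    grep "snort\[$2\]: Snort analyzed " "$1" | tail -n 1 \
        | sed -n 's/.*analyzed \([0-9]*\) out of \([0-9]*\) packets.*/\1 \2/p'
}

# snort_drop_report LOGFILE -> one line per pid; returns 1 if any pid dropped packets
snort_drop_report() {
    rc=0
    for pid in $(snort_pids "$1"); do
        dropped=$(snort_dropped "$1" "$pid")
        counts=$(snort_analyzed "$1" "$pid")
        analyzed=${counts% *}
        total=${counts#* }
        if [ "${dropped:-0}" -gt 0 ]; then
            echo "snort[$pid]: dropped $dropped of $total packets, check configuration and system performance"
            rc=1
        else
            echo "snort[$pid]: analyzed $analyzed of $total packets, nothing dropped"
        fi
    done
    return $rc
}

snort_drop_report "$SAMPLE_LOG" || echo "at least one snort process is dropping packets"
```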
Probably the simplest way to test snort is to use snot, which can be found at http://www.sec33.com/sniph/.
You have to have libnet installed for snot. Since there is no RPM available for RedHat 7.x you can use libnet-1.0.2-6mdk.i586.rpm from MandrakeSoft, which can be found on http://rpmfind.net/ and of course on Mandrake's site http://www.mandrake.com/. Most Mandrake RPMs can be used without problems on a RedHat system. But be warned: Mandrake does not provide i386 RPMs, so you can't use them on a processor older than a Pentium (P5). In that case you have to get the sources from http://www.packetfactory.net/projects/libnet and compile it from scratch yourself.
To compile snot you only have to untar the tarball, cd into the snot directory and call make. If compilation exits without an error snot is ready to use; if not, you are almost always missing some development packages.
To prepare snot you should first copy /etc/snort/snort.conf into the snot directory and cat one or more rule files to the end of the copied snort.conf using e.g.:
cat /etc/snort/backdoor.rules >> snort.conf
Then on one console you should call tail -f /var/log/messages, while on another you should try to run the tests.
Snot can then be called the following way assuming you used lo as the interface name in the snortd initscript:
./snot -r snort.conf -d localhost -n 5
With that command you tell snot to use the copied snort.conf, to send to localhost as the destination and, in order not to trigger too many alerts, to restrict itself to a maximum of 5.
You'll probably get some messages saying "ignoring additional parameters" because snot cannot yet handle the new parameters introduced in snort 1.8. Don't panic, just ignore the messages; snot works fine nonetheless.
In /var/log/messages you should now see some snort alerts, e.g.:
Sep 10 18:22:33 ids01 snort[1536]: <lo> GateCrasher access: 192.168.213.151:6969 -> 127.0.0.1:3170
Sep 10 18:22:33 ids01 snort[1536]: <lo> GateCrasher access: 192.168.213.151:6969 -> 127.0.0.1:3170
Sep 10 18:22:33 ids01 snort[1536]: <lo> GateCrasher access: 192.168.155.231:6969 -> 127.0.0.1:57580
Sep 10 18:22:33 ids01 snort[1536]: <lo> GateCrasher access: 192.168.155.231:6969 -> 127.0.0.1:57580
Sep 10 18:22:33 ids01 snort[1536]: <lo> Deep Throat access: 192.168.170.42:2140 -> 127.0.0.1:60521
If you get similar alerts it's ok; if not, please take another look at your configuration until you get this far.
Now it's time to edit /etc/snort/snort.conf again and put the correct value into the INTERFACE variable, restart snort and get a cup of coffee. You have deserved it!
To allow Snort to send alerts to MySQL you first have to install MySQL. With most linux distributions there are MySQL packages available, so you should use them. If not, you'll probably have to compile and install it from scratch by downloading the tarball from http://www.mysql.org/. Take a look at the documentation shipped with MySQL to set it up.
When you have a running MySQL daemon (with RedHat after installing the RPMs run /etc/rc.d/init.d/mysql start) you have to initialize a snort database. This is documented in the next section.
Since there should be a password set for each account you'll have to use the -p option on the mysql commandline.
[root@ids01 /root]# mysql -u root -p
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 133 to server version: 3.23.32

Type 'help;' or '\h' for help. Type '\c' to clear the buffer

mysql> create database snort;
Query OK, 1 row affected (0.00 sec)

mysql> connect snort
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Connection id:    139
Current database: snort

mysql> status
--------------
mysql  Ver 11.12 Distrib 3.23.32, for redhat-linux-gnu (i386)

Connection id:          139
Current database:       snort
Current user:           root@localhost
Current pager:          stdout
Using outfile:          ''
Server version:         3.23.32
Protocol version:       10
Connection:             Localhost via UNIX socket
Client characterset:    latin1
Server characterset:    latin1
UNIX socket:            /var/lib/mysql/mysql.sock
Uptime:                 1 day 2 hours 6 min 21 sec

Threads: 14  Questions: 4272  Slow queries: 0  Opens: 58  Flush tables: 1  Open tables: 18  Queries per second avg: 0.045
--------------

mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> exit
Bye
To generate the required table structure of the database use the create_mysql script, which can be found in the contrib section of the original tarball or in my RPM.
[root@ids01 /root]# mysql -u root -p snort < ./contrib/create_mysql
You'll have to add a userid/password pair for the database; remember to change xxxx to a password suitable for your environment!
[root@ids01 /root]# mysql -u root -p mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 148 to server version: 3.23.32

Type 'help;' or '\h' for help. Type '\c' to clear the buffer

mysql> insert into user (User,Password) values('snort',PASSWORD('xxxx'));
Query OK, 1 row affected (0.00 sec)

mysql> exit
Bye
Now add some extra tables for your convenience, shipped in the contrib section of the snort tarball and in my RPM, using the command
zcat snortdb-extra.gz | mysql -u root -p snort
If you wish to use the archiving feature of ACID you'll have to create another database snort_archive (or any other name you prefer) exactly the same way as you defined the snort database.
From now on the database is ready to be used for logging with the database output module of snort, which you can now activate in /etc/snort/snort.conf.
if (!defined('_ADODB_LAYER')) {
	define('_ADODB_LAYER',1);

	define('ADODB_FETCH_DEFAULT',0);
	define('ADODB_FETCH_NUM',1);
	define('ADODB_FETCH_ASSOC',2);
	define('ADODB_FETCH_BOTH',3);

	GLOBAL
		$ADODB_vers,		// database version
		$ADODB_Database,	// last database driver used
		$ADODB_COUNTRECS,	// count number of records returned - slows down query
		$ADODB_CACHE_DIR,	// directory to cache recordsets
		$ADODB_FETCH_MODE;	// DEFAULT, NUM, ASSOC or BOTH. Default follows native driver default...

	$ADODB_FETCH_MODE = ADODB_FETCH_DEFAULT;

	/**
	 * SET THE VALUE BELOW TO THE DIRECTORY WHERE THIS FILE RESIDES
	 * ADODB_RootPath has been renamed ADODB_DIR
	 */
	if (!defined('ADODB_DIR')) define('ADODB_DIR','/var/www/html/adodb');
Install ACID into a directory visible to your webserver like /var/www/html/acid/.
In /var/www/html/acid/acid_conf.php you'll have to edit some variables to suit your environment.
In ChartLib_path you define the path to PHPlot, in our case /var/www/html/phplot.
All other variables should be sufficient for now. You can edit them to suit your needs.
<?php
$ACID_VERSION = "0.9.6b15";

/* Path to the DB abstraction library
 *  (Note: DO NOT include a trailing backslash after the directory)
 *  e.g. $foo = "/tmp"      [OK]
 *       $foo = "/tmp/"     [OK]
 *       $foo = "c:\tmp"    [OK]
 *       $foo = "c:\tmp\"   [WRONG]
 */
$DBlib_path = "/var/www/html/adodb";

/* The type of underlying alert database
 *
 *  MySQL       : "mysql"
 *  PostgresSQL : "postgres"
 */
$DBtype = "mysql";

/* Alert DB connection parameters
 *   - $alert_dbname   : MySQL database name of Snort alert DB
 *   - $alert_host     : host on which the DB is stored
 *   - $alert_port     : port on which to access the DB
 *   - $alert_user     : login to the database with this user
 *   - $alert_password : password of the DB user
 *
 *  This information can be gleaned from the Snort database
 *  output plugin configuration.
 */
$alert_dbname   = "snort";
$alert_host     = "localhost";
$alert_port     = "";
$alert_user     = "snort";
$alert_password = "xxxx";

/* Archive DB connection parameters */
$archive_dbname   = "snort_archive";
$archive_host     = "localhost";
$archive_port     = "";
$archive_user     = "snort";
$archive_password = "xxxx";

/* Type of DB connection to use
 *   1 : use a persistent connection (pconnect)
 *   2 : use a normal connection (connect)
 */
$db_connect_method = 1;

/* Path to the graphing library
 *  (Note: DO NOT include a trailing backslash after the directory)
 */
$ChartLib_path = "/var/www/html/phplot";

/* File format of charts ('png', 'jpeg', 'gif') */
$chart_file_format = "png";

/* Chart default colors - (red, green, blue)
 *   - $chart_bg_color_default    : background color of chart
 *   - $chart_lgrid_color_default : gridline color of chart
 *   - $chart_bar_color_default   : bar/line color of chart
 */
$chart_bg_color_default    = array(255,255,255);
$chart_lgrid_color_default = array(205,205,205);
$chart_bar_color_default   = array(190, 5, 5);

/* Maximum number of rows per criteria element */
$MAX_ROWS = 20;

/* Number of rows to display for any query results */
$show_rows = 50;

/* Number of items to return during a snapshot
 *  Last _X_ # of alerts/unique alerts/ports/IP
 */
$last_num_alerts  = 15;
$last_num_ualerts = 15;
$last_num_uports  = 15;
$last_num_uaddr   = 15;

/* Number of items to return during a snapshot
 *  Most Frequent unique alerts/IPs/ports
 */
$freq_num_alerts = 5;
$freq_num_uaddr  = 15;
$freq_num_uports = 15;

/* Number of scroll buttons to use when displaying query results */
$max_scroll_buttons = 12;

/* Debug mode - how much debugging information should be shown
 * Timing mode - display timing information
 * SQL trace mode - log SQL statements
 *   0 : no extra information
 *   1 : debugging information
 *   2 : extended debugging information
 *
 * HTML no cache - whether a no-cache directive should be sent
 *                 to the browser (should be = 1 for IE)
 *
 * SQL trace file - file to log SQL traces
 */
$debug_mode      = 0;
$debug_time_mode = 1;
$html_no_cache   = 1;
$sql_trace_mode  = 0;
$sql_trace_file  = "";

/* Auto-Screen refresh
 *   - Refresh_Stat_Page      - Should certain statistics pages refresh?
 *   - Stat_Page_Refresh_Time - refresh interval (in seconds)
 */
$refresh_stat_page      = 1;
$stat_page_refresh_time = 180;

/* Display First/Previous/Last timestamps for alerts or
 * just First/Last on the Unique Alert listing.
 *   1: yes
 *   0: no
 */
$show_previous_alert = 1;

/* Sets maximum execution time (in seconds) of any particular page.
 *  Note: this overrides the PHP configuration file variable
 *        max_execution_time.  Thus script can run for a total of
 *        ($max_script_runtime + max_execution_time) seconds
 */
$max_script_runtime = 180;

/* How should the IP address criteria be entered in the Search screen?
 *   1 : each octet is a separate field
 *   2 : entire address is as a single field
 */
$ip_address_input = 2;

/* Resolve IP to FQDN (on certain queries?)
 *   1 : yes
 *   0 : no
 */
$resolve_IP = 0;

/* Should summary stats be calculated on every Query Results page
 * (Enabling this option will slow page loading time)
 */
$show_summary_stats = 1;

/* DNS cache lifetime (in minutes) */
$dns_cache_lifetime = 20160;

/* Whois information cache lifetime (in minutes) */
$whois_cache_lifetime = 40320;

/* Snort spp_portscan log file */
$portscan_file = "/var/log/snort/portscan.log";

/* Event cache Auto-update
 *
 *  Should the event cache be verified and updated on every
 *  page log?  Otherwise, the cache will have to be explicitly
 *  updated from the 'cache and status' page.
 *
 *  Note: enabling this option could substantially slow down
 *        the page loading time when there are many uncached alerts.
 *        However, this is only a one-time penalty.
 *
 *   1 : yes
 *   0 : no
 */
$event_cache_auto_update = 1;

/* Link to external Whois query */
$external_whois_link = "http://www.samspade.org/t/ipwhois?a=";
?>
Try to trigger some snort rules with snot (see the section above) or e.g. nmap (see http://www.nmap.org/, a portscanner with many more capabilities) or nessus (see http://www.nessus.org/, a security scanner to find vulnerabilities of a system).
Now you should see all alarms in ACID right at the time they happen.
SnortSnarf is another tool which analyses snort's logfile instead of a database.
Install SnortSnarf by untarring it into a directory of your choice; I use /opt/SnortSnarf/.
Copy the following files to the webserver's cgi-bin directory (e.g. /var/www/cgi-bin/):
/opt/SnortSnarf/cgi/*
/opt/SnortSnarf/include/ann_xml.pl
/opt/SnortSnarf/include/web_utils.pl
/opt/SnortSnarf/include/xml_help.pl
./setup_anns_dir.pl -g apache /var/www/html/SnortSnarf/annotations
Check the permissions in /var/www/html/SnortSnarf/annotations and make them look like this:
[root@ids01 SnortSnarf]# ll -a /var/www/html/SnortSnarf/annotations/
total 16
drwxrwx---    2 root     apache       4096 May 23 14:31 .
drwxr-xr-x    8 root     root         4096 May 23 14:17 ..
-rw-r--r--    1 apache   apache        478 May 23 14:31 new-annotation-base.xml
My crontab entry looks like this:
# generate SnortSnarf statistics every hour from 6am to 6pm
0 6,7,8,9,10,11,12,13,14,15,16,17,18 * * * /opt/SnortSnarf/snortsnarf.sh
Here's the /opt/SnortSnarf/snortsnarf.sh listing:
#!/bin/sh
# wrapper for use with crontab to get rid of the @INC problem
# Poppi, 22.05.2001

cd /opt/SnortSnarf
./snortsnarf.pl -d /var/www/html/SnortSnarf -db /var/www/html/SnortSnarf/annotations/new-annotation-base.xml -dns -rulesfile /etc/snort/snort.conf -ldir "file://var/log/snort/" /var/log/messages /var/log/messages.1 /var/log/messages.2 /var/log/messages.3 /var/log/messages.4
Another issue is that www.whitehats.com is often offline so no rules can be downloaded.
Untar the arachnids_upd package into a directory of your choice; I chose /opt/arachnids_upd/.
my $url = "http://www.whitehats.com/ids/vision18.rules.gz"; # Default URL.
proxy_user = user
proxy_passwd = xxxx
http_proxy = <proxy>:<port>
ftp_proxy = <proxy>:<port>
use_proxy = on
#!/bin/sh
# Script to generate the correct updates of vision.rules using arachnids_upd.pl
# Poppi 22.05.2001

# get new rules (requires ~/.wgetrc to be set up to access internet)
/opt/arachnids_upd/arachnids_upd.pl -o /opt/arachnids_upd/vision.rules -b /opt/arachnids_upd/rules.backup/ -c

# change the variable names according to the ones used in /etc/snort/snort.conf
# and copy the new file to the right place
cat /opt/arachnids_upd/vision.rules | sed s/EXTERNAL/EXTERNAL_NET/g | sed s/INTERNAL/HOME_NET/g > /etc/snort/vision.rules

# restart snort for the rules to take effect
/etc/rc.d/init.d/snortd restart
# Put the IDS numbers of the rules that should be disabled in here.
# One number per line.
# Examples:
1 # Ignore IDS1
2 # Ignore IDS2
3 # Ignore IDS3
# I think you get it now :)
Swatch requires the following perl modules to be installed:
perl-TimeDate
perl-Date-Calc
perl-Time-HiRes
perl-File-Tail
Swatch is available as an RPM from http://www.lug-burghausen.org/projects/Snort-Statistics/swatch-3.0.2-1.noarch.rpm along with the source RPM I created http://www.lug-burghausen.org/projects/Snort-Statistics/swatch-3.0.2-1.src.rpm.
Swatch is configured via a single config file /etc/swatch/swatch.conf.
I'm shipping it with a demo swatch.conf containing two rules for snort messages and snort errors shown below along with some other examples from the original swatch package.
# global swatch.conf file
# * Poppi, 30.04.2001
#   - initial version
#
# * Poppi, 08.06.2001
#   - added error support; make sure to start swatch BEFORE snort ;)
#
# * Poppi, 19.09.2001
#   - added throttle for not getting too many alarms of the same incident

# normal snort messages (with PID)
# get rid of double alerts for 10 secs, e.g. pings
watchfor /snort\[/
	bell
	exec /etc/snort/snort-check $0
	throttle 00:00:10

# snort error messages could be with or without the [!] indicator
watchfor /snort: (\[\!\])* ERROR/
	bell
	exec /etc/snort/snort-check $0
The first rule is for getting all alerts generated via the output module alert_syslog, the second for getting any error messages snort generates at startup if anything went wrong (like errors in a rule file).
Both rules ring the PC bell (well, if the sensor is used in a room without operators in sight this does not make much sense ;) and use the snort-check script described before to alert the given persons. In $0 swatch gives you the complete line of the logfile entry which triggered swatch.
Swatch has to be started prior to snort. Instead of generating an own swatch initscript with the correct chkconfig dates I chose to include it in /etc/rc.d/init.d/snortd because the dependencies of my use of swatch are such that I - again for me - decided to do that. I know that's not the "fine English way", and the swatch part can be put into its own initscript relatively easily. Maybe I will change this in the future.