- Installing Snort
- Configuring Snort
- Testing Snort
- Starting Snort Automatically
- Configuring MySQL
- Managing All this Information
- Where Should You Go from Here?
Managing All this Information
There are many ways in which you can monitor your sensors. We'll take a look at several of them.
How Do I Configure Snort to Work with ARIS?
ARIS extractor knows how to parse Snort v1.7 and v1.8 log files. Unfortunately, it does not understand binary log files in the tcpdump format. This means that you must output logs and alerts in a formatted ASCII method, send alerts to a centralized syslog server, or post-process binary logs using the Snort "-r" command line.
To enable output in the formatted ASCII method and/or the syslog service, simply define one or both of these output plugins in the snort.conf configuration file:
output alert_full: snort.log output alert_syslog: LOG_AUTH LOG_ALERT
ARIS extractor can then be configured to run at a scheduled interval to parse those logfiles and upload your incidents to the ARIS Incident Console. For more information on ARIS, please read the documentation found at the ARIS homepage (http://aris.securityfocus.com/).
Email-based Alerting
Logcheck is a free open-source tool from Psionic Software, released as part of the Abacus Project. Logcheck is available as part of many GNU/Linux distributions, and can be compiled on many other UNIX variants. The source code is available from the Logcheck homepage (http://www.psionic.com/abacus/logcheck/).
Logcheck monitors your syslog files for messages generated by any program that can log to those services. This means that you can configure your Windows NT and 2000 servers to log to a centralized syslog server that Logcheck monitors. At configured intervals, Logcheck will email any suspicious activity to a specified email address.
Web-based Alert Management
If you prefer to look at your log files via a Web browser, you can make use of another utility that runs on both UNIX/Linux and Win32 platforms. SnortSnarf (http://www.silicondefense.com/software/snortsnarf/) by Silicon Defense is a set of Perl scripts and CGI programs that convert your Snort logs into a fully linked set of HTML pages. There is a similar program specific to Win32 platforms called WinSnort2HTML (http://home.earthlink.net/~ckoutras/), which does not require Perl.
The Cadillac of Web browser IDS management consoles is called Analysis Console for Intrusion Databases (ACID).
ACID (Analysis Console for Intrusion Databases)
ACID allows you to correlate, inspect, manage, group, and graph Snort alerts and logs collected from all your Snort sensors. ACID is platform-agnostic, and really only requires a Web server that is capable of running PHP (http://www.php.net/). Thus, you can run ACID just as easily from an IIS server on Windows 2000 as you can an Apache server on Solaris.
ACID can be downloaded from the ACID homepage (http://acidlab.sourceforge.net/), which also contains links to documentation, the ACID FAQ, mailing lists, and the few dependencies required by ACID for full functionality.
Dependencies of ACID
ACID requires a working Web server with PHP installed. On Windows NT and 2000, IIS is included. On most UNIX/Linux distributions, Apache is included. If you need to install a Web server from scratch, I recommend you look at the Apache Toolbox. The Apache Toolbox automates downloading source, all the dependencies for the Apache Web server, and any modules you choose to install, such as PHP, mod_ssl, and so on.
Most GNU/Linux distributions have binary packages available for both Apache and PHP. The recommended version of PHP is 4.02 or newer; most recent GNU/Linux distributions will have at least that version available.
Our Windows brethren are not so blessed. Luckily, the homepage of the next dependency has an "E-Z installer" version of PHP for IIS. Your best bet is to download and install PHP from the ADODB Web site (http://php.Weblogs.com/adodb). After installation, there is only one config file modification for PHP installed on Windows that is necessary. Using Notepad or Wordpad to edit the c:\winnt\php.ini file, change the session.save_path variable to point to a writable directory, such as c:\winnt\temp.
ACID can utilize any of the different backend databases that Snort can log to. To do this, it utilizes a database abstraction layer API. That DB abstraction layer API is ADODB for PHP version 0.93 or newer. ADODB for PHP can be downloaded from the ADODB Web site. Uncompress and extract the files in the ADODB archive, and place them in a directory accessible by your Web server. For Apache installations, this might be
/var/www/adodb
For Windows and IIS, the most likely place would be
c:\inetpub\scripts\adodb
The last component for ACID is PHPlot for PHP, which is a dynamic plotting library. PHPlot depends on the GD graphics library to be installed first. Many other applications on UNIX/Linux require that library, so it may already be installed. On Windows, if you grab the PHP compiled at the ADODB homepage, it should have the GD library already included.
Download the PHPlot for PHP library from http://www.phplot.com/, and uncompress and extract into a directory that is accessible by your Web server. Apache installations would use
/var/www/phplot
Windows and IIS installations would use
c:\inetpub\scripts\phplot
Installing and Configuring ACID
Download, uncompress, and extract the files from the ACID archive. Those files should be placed in a directory accessible to your Web browser. For Apache-based systems, that might be
/var/www/acid
Windows and IIS installations would use
c:\inetpub\wwwroot\acid
Edit the file acid_conf.php, and modify the following values:
$DBlib_path = "C:\inetpub\scripts\adodb"; /* Windows NT/2000 */ $DBlib_path = "/var/www/adodb"; /* UNIX/Linux */ $ChartLib_path = "C:\inetpub\scripts\phplot";/* Windows NT/2000 */ $ChartLib_path = "/var/www/phplot"; /* UNIX/Linux */ $Dbtype = "mysql"; /* MySQL or appropriate database */ $alert_dbname = "snort_log"; /* Database Name */ $alert_host = "192.168.71.20"; /* SQL IP Server Address */ $alert_port = ""; /* If different than the default */ $alert_user = "snort_console"; /* SQL Database User */ $alert_password = "console_passwd "; # SQL Database User Password
Point your browser to http://acidconsole/acid/acid_main.php, and you should be in business. The first time you launch ACID, it will check the Snort database schema. Several performance enhancements to the database schema have been made since the Snort 1.7 release. ACID will look to modify the database tables and add indexes to increase performance.