
';

Query OK, 0 rows affected (0.00 sec)

mysql> GRANT INSERT,SELECT,CREATE,DELETE on snort.* to snort_user_here@localhost IDENTIFIED BY 'snort_users_password';
Query OK, 0 rows affected (0.01 sec)

This grants the snort user only the rights it needs on the snort database, and only from localhost; it never gets the MySQL root password. (The IDENTIFIED BY clause of GRANT was removed in MySQL 8.0; on a current server, create the account with CREATE USER first and then GRANT the same privileges.)

mysql> FLUSH PRIVILEGES;

Query OK, 0 rows affected (0.01 sec)

mysql> quit
Bye

6.7.2.4 Configure Snort

First you'll need to download the latest sources from http://www.snort.org (currently v2.0.5). After unpacking, use the create_mysql script from the contrib directory to create the necessary tables in the snort database. The tarball is needed only for that script, since the snort binary and snort.conf-sample are already installed under /usr/local, so you can delete the unpacked directory afterward.

# tar xvfz snort-2.0.5.tar.gz
# cd snort-2.0.5/contrib
# cp create_mysql /tmp
# /usr/local/bin/mysql -p < /tmp/create_mysql snort
Enter password: Enter the MySQL root password here

# cd /usr/local/etc
# cp snort.conf-sample snort.conf
# vi snort.conf

Scroll down until you reach this commented sample line:

# output database: log, mssql, dbname=snort user=snort password=test

Insert the following lines beneath it, substituting the MySQL user and password you created with the GRANT statement above:

output database: log, mysql, user=mysql_user_name password=mysql_users_password dbname=snort host=localhost
output database: alert, mysql, user=mysql_user_name password=mysql_users_password dbname=snort host=localhost

Leave the sample line commented out: an uncommented copy with password=test would be a live output plugin with a guessable credential. Since snort.conf now contains the database password in the clear, keep it readable by root only (chmod 600); snort reads it at startup as root anyway.

Now page down toward the bottom of the file and select the types of rules you want to monitor for. Keep in mind that the more rules you use, the more work snort will have to do, using up CPU cycles and memory that might be better used elsewhere. For example, if you don't want to monitor X11 or Oracle on any computer on your network, comment out those rules. When you're done, save your changes and exit.

Finish by creating the snort log directory:

# cd /var/log
# mkdir snort
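The two output database lines are the step most often left half-edited, so here is a small check for them. It is an added example, not part of the book's hack: it reads a snort.conf and confirms that the live (uncommented) output database lines send both the log and alert facilities to the same MySQL database, and that the sample password and the placeholder names used in this text were actually replaced. The snort.conf fragments it writes to a scratch directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added sanity check for the snort.conf edits above; not from the book.
# Verifies that the active "output database:" lines send BOTH the log and
# alert facilities to the same MySQL database and that the sample password
# ("test") and the placeholders used in the text were replaced.

# Print the value of KEY=value found on LINE (empty if absent).
conf_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# check_snort_db_output CONF [DBNAME]
# Status 0 when the configuration is consistent; otherwise the first problem
# found is printed and the status is 1.
check_snort_db_output() {
    conf=$1
    want_db=${2:-snort}
    # Commented lines are the samples shipped in snort.conf-sample; only
    # uncommented "output database:" lines are live.
    active=$(grep -E '^[[:space:]]*output[[:space:]]+database:' "$conf" || true)
    if [ -z "$active" ]; then
        echo "no active 'output database:' line in $conf"
        return 1
    fi
    prev_user=''
    for facility in log alert; do
        line=$(printf '%s\n' "$active" \
               | grep -E "database:[[:space:]]*$facility[[:space:]]*," || true)
        if [ -z "$line" ]; then
            echo "$facility facility is not sent to the database"
            return 1
        fi
        plugin=$(printf '%s\n' "$line" \
                 | sed -n 's/.*database:[[:space:]]*[a-z]*[[:space:]]*,[[:space:]]*\([a-z]*\).*/\1/p')
        if [ "$plugin" != mysql ]; then
            echo "$facility facility uses '$plugin', not mysql"
            return 1
        fi
        db=$(conf_field "$line" dbname)
        user=$(conf_field "$line" user)
        pass=$(conf_field "$line" password)
        host=$(conf_field "$line" host)
        if [ "$db" != "$want_db" ]; then
            echo "$facility facility writes to dbname='$db', expected '$want_db'"
            return 1
        fi
        case "$user" in
            ''|mysql_user_name|snort_user_here)
                echo "$facility facility still has the placeholder user '$user'"
                return 1 ;;
        esac
        case "$pass" in
            ''|test|mysql_users_password|snort_users_password)
                echo "$facility facility still has the sample/placeholder password"
                return 1 ;;
        esac
        if [ -n "$prev_user" ] && [ "$user" != "$prev_user" ]; then
            echo "log and alert facilities use different users ($prev_user, $user)"
            return 1
        fi
        prev_user=$user
    done
    echo "ok: log and alert -> mysql://$user@${host:-localhost}/$want_db"
    return 0
}

# Constructed snort.conf fragments for the demonstration (not real files).
demo=${TMPDIR:-/tmp}/snortconf-check.$$
mkdir -p "$demo"
cat > "$demo/bad.conf" <<'EOF'
# output database: log, mssql, dbname=snort user=snort password=test
output database: log, mysql, user=snort password=test dbname=snort host=localhost
output database: alert, mysql, user=snort password=test dbname=snort host=localhost
EOF
cat > "$demo/good.conf" <<'EOF'
# output database: log, mssql, dbname=snort user=snort password=test
output database: log, mysql, user=snort password=Xb7kQp91 dbname=snort host=localhost
output database: alert, mysql, user=snort password=Xb7kQp91 dbname=snort host=localhost
EOF
check_snort_db_output "$demo/bad.conf" || echo "bad.conf rejected, as expected"
check_snort_db_output "$demo/good.conf"
```

Run it as check_snort_db_output /usr/local/etc/snort.conf before starting snort in daemon mode; a conf that only has the log facility, or that still carries password=test, is reported with the reason rather than silently accepted.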

6.7.2.5 Configure ACID

Start by tightening the permissions of the configuration file:

# chmod 644 /usr/local/www/acid/acid_conf.php

Note that 644 still leaves the file, and the MySQL password you are about to put in it, readable by every local account on the machine. On a multi-user host, use 640 owned by root with the web server's group (www on FreeBSD) instead; Apache can still read it, nobody else can.

Have a good read through the Security section of /usr/local/www/acid/README when you're configuring ACID. It contains many good pointers to ensure your configuration is secure.

Then, change the section that contains alert_dbname = "snort_log"; to include the appropriate entries:

$alert_dbname   = "snort";
$alert_host     = "localhost";
$alert_port     = "";
$alert_user     = "mysql_snort_user";
$alert_password = "mysql_snort_users_password";

Leave the Archive parameters alone, unless you want to create a separate database for snort to store archived alert messages in. To do this, you'll need to log into MySQL, create an archive database, set the appropriate permissions, and run the create_mysql script again against it as described earlier. The Snort and ACID documentation describe this in more detail.

You do need to tell ACID where to find some of the libraries installed earlier. In particular, change:

$ChartLib_path = "";

to:

$ChartLib_path = "/usr/local/share/jpgraph";

6.7.3 Running ACID

It's time to start Apache:

# /usr/local/sbin/apachectl start

/usr/local/sbin/apachectl start: httpd started

Then, link the ACID web directory. I recommend giving the link a name other than acid so that the console is not found by the obvious URL; keep in mind that this only hides it from casual browsing, and the real protection is the authentication described in Section 6.7.5.

# cd /usr/local/www/

# ln -s /usr/local/www/acid /usr/local/www/snort

Point your web browser to http://localhost/snort/acid_main.php and click the Setup link. Click the Create ACID AG button to create the extended tables that ACID will use. When it finishes, you should see something similar to the following:

Successfully created 'acid_ag'

Successfully created 'acid_ag_alert'

Successfully created 'acid_ip_cache'

Successfully created 'acid_event'

Now click the Main page link to be taken to ACID's main display page. At this point you might ask, "Where are the alerts?" There aren't any—we didn't start snort!

6.7.4 Running Snort

First, try starting snort manually to make sure it works. Use the -i switch to specify the network interface that will be monitoring traffic. In my case, it is xl0.

# cd /usr/local/etc
# /usr/local/bin/snort -c snort.conf -i xl0
database: using the "alert" facility
1458 Snort rules read...
1458 Option Chains linked into 146 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

--== Initialization Complete ==--

-*> Snort! <*-
Version 2.0.5 (Build 98)
By Martin Roesch ([email protected], www.snort.org)

If snort doesn't show any errors, as depicted here, pat yourself on the back: snort is running!

Quit snort by pressing Ctrl-C, and restart it in daemon mode:

# /usr/local/bin/snort -c snort.conf -i xl0 -D

Snort has to start as root to open the interface, but it does not have to stay root: once you have created the nonprivileged snort user mentioned in Section 6.7.5, add -u snort -g snort to this command line so that it drops to that user and group after initialization.

Now flip on over to the ACID display page in your web browser. You should start to see alerts coming in. Figure 6-6 shows a sample alert listing.

Figure 6-6. ACID alerts

Note that each detected signature includes a hyperlink to information about that particular type of attack. Snort also keeps track of how many packets matched that signature, the number of unique source and destination addresses, and the time frame between the first and last packet.

You can also configure your own alert groups to better organize your results, as shown in Figure 6-7.

Figure 6-7. ACID alert groups

ACID can also display each rogue packet in intimate detail, as seen in

Figure 6-8.

Figure 6-8. An ACID packet in detail

Keep in mind that you'll probably start getting false positives, depending on the types of traffic on your network. However, these can easily be weeded out by making the appropriate changes to your /usr/local/etc/snort.conf file and the rule files in /usr/local/share/snort.

If you start noticing a bunch of alerts that look like Figure 6-9, it's a good indication that some nodes on your network are infected with a virus or worm.

Figure 6-9. Suspicious Snort alerts

6.7.5 Hacking the Hack

Snort and ACID have many additional features. For example, you can use your favorite mail transfer agent, such as Sendmail or Postfix, to send out email alerts, and you can create an archive database to store alerts generated by snort. There's even a snort plug-in for the Big Brother System and Network Monitor that can alert you when 30 or more alerts are generated.

You can also add additional security to MySQL, Snort, and ACID by creating a nonprivileged snort user and locking down the /usr/local/www/acid directory with the use of a properly configured .htaccess file. Configuration of these features goes beyond the scope of this hack, but I encourage you to read all the documentation included with these applications, as well as the documentation at each application's home page, to find out how you can tailor them to suit your needs.
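The two lockdown steps just mentioned are small enough to show. The following is an added example, not code from the book, Snort or ACID: a check that acid_conf.php (which holds the MySQL password) is not world-readable, and a helper that writes an .htaccess putting the whole ACID directory behind HTTP basic authentication. The ACID path /usr/local/www/acid and the password file /usr/local/www/acid.htpasswd are assumptions; the demonstration works on a scratch copy so nothing under /usr/local is touched.

```shell
#!/bin/sh
# Added example for the two lockdown steps this section leaves to the
# reader; not code from the book, Snort or ACID. Assumed paths: the ACID
# directory /usr/local/www/acid and a password file outside the web root.

# acid_conf_is_private FILE
# Status 0 if FILE is not readable by "other". acid_conf.php holds the MySQL
# password, so 644 (the mode used in Section 6.7.2.5) leaves it readable by
# every local account; 640 owned by root with the web server's group (www on
# FreeBSD) is enough for Apache to read it. Parsing ls -l keeps this
# portable between BSD and GNU stat(1), whose flags differ.
acid_conf_is_private() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ???????r??) return 1 ;;   # others may read: exposed
        *)          return 0 ;;
    esac
}

# write_acid_htaccess DIR USERFILE
# Puts the whole ACID console behind HTTP basic authentication. Apache must
# allow this for the directory ("AllowOverride AuthConfig"), and USERFILE is
# created with Apache's own tool:  htpasswd -c USERFILE <name>
write_acid_htaccess() {
    dir=$1
    userfile=$2
    cat > "$dir/.htaccess" <<EOF
AuthType Basic
AuthName "Snort console"
AuthUserFile $userfile
Require valid-user
EOF
}

# Demonstration on a scratch copy (constructed; /usr/local is not touched).
demo=${TMPDIR:-/tmp}/acid-lockdown.$$
mkdir -p "$demo"
: > "$demo/acid_conf.php"
chmod 644 "$demo/acid_conf.php"
acid_conf_is_private "$demo/acid_conf.php" || echo "644: acid_conf.php is world-readable"
chmod 640 "$demo/acid_conf.php"
acid_conf_is_private "$demo/acid_conf.php" && echo "640: acid_conf.php is private"
write_acid_htaccess "$demo" /usr/local/www/acid.htpasswd
cat "$demo/.htaccess"
```

Basic authentication sends the password in the clear on every request, so serve the console over HTTPS or restrict it to the loopback interface or a management network; the .htaccess keeps out unauthenticated browsers, not someone sniffing the link.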

6.7.6 See Also

• The MySQL Reference Manual (http://www.mysql.com/documentation/index.html)

• The Snort web site (http://www.snort.org/)

• The Analysis Console for Intrusion Databases (ACID) web site (http://www.cert.org/kb/acid/)

• The Big Brother Network and System Monitor web site (
