naka共享空间: Centos snort

snort+base step 4

Wed, 19 Dec 2007 01:58:15 GMT

Naka原创

5,数据库建立，Barnyard安装。

Barnyard是snort1.9之后出现的，主要作用是处理snort的输出。我第一次安装成功之后，系统运行正常。使用几天之后，无意中重启了系统，结果发现 base中没用数据，查证mysql工作正常，后来找到Barnyard不能正常工作，原因是我修改了 Barnyard.conf出现错误。

5.1数据库建立：

在Mysql中建立snort的数据库，以便将snort输出数据保存在mysql中，然后用base来进行分析。

在任意位置输入（默认用户为root，默认密码为空，下面代码建立用户，不知道意思搜索google）：

mysql

mysql> SET PASSWORD FOR root@localhost=PASSWORD('password');

>Query OK, 0 rows affected (0.25 sec)

mysql> create database snort;

>Query OK, 1 row affected (0.01 sec)

mysql> grant INSERT,SELECT on root.* to snort@localhost;

>Query OK, 0 rows affected (0.02 sec)

mysql> SET PASSWORD FOR snort@localhost=PASSWORD('password);

>Query OK, 0 rows affected (0.25 sec)

mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;

>Query OK, 0 rows affected (0.02 sec)

mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort;

>Query OK, 0 rows affected (0.02 sec)

mysql> exit

下面建立数据库：

位置snort-2.6.1.5/schemas/create_mysql，将目录移动到schemas目录下面，然后使用如下命令建立mysql数据表

mysql -u root -p < create_mysql snort

Enter password: 选择你在上一步中建立的密码。

5.2：安装Barnyard

tar –xvzf barnyard-0.2.0.tar.gz
cd barnyard-0.2.0
./configure --enable-mysql
make
make install
cd etc/
cp barnyard.conf /etc/snort

5.3修改snort.conf和barnyard.conf(这两个文件都在/ect/snort下面了)

在snort.conf中找到

# output alert_unified: filename snort.alert, limit 128

# output log_unified: filename snort.log, limit 128

把前面的＃去掉

在barnyard中找到：

config hostname: 随便你自己给个名字

config interface：看用那个网卡接收数据，如果是单网卡一般是eth0

下面两行都去掉＃，然后在user root后面加一个空格，加password空格“你的密码”

# output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user root

# output log_acid_db: mysql, database snort, server localhost, user root, detail full

要让snort和barnyard工作起来,还需要了解一个名词waldo file:

Barnyard runs in one of three modes: one-shot, continual, or continual with checkpoint. One-shot mode (or batch mode) is used to run Barnyard against a single unified logfile and then exit. Continual watches a unified logfile as it is written to. The continual with checkpoint mode is similar to the continual mode except it keeps track of where it is in the file by keeping a pointer in a file (sometimes called a waldo file). If Barnyard crashes, processing will continue at this point in the unified logfile.

5.4 创建一个waldo file

运行:

snort –c /etc/snort/snort.conf #参数c的意思可以google搜索 snort手册

当屏幕上显示Not Using PCAP_FRAMES的时候按ctrl+c 停止工作.

进入目录/var/log/snort

运行:

touch /var/log/snort/barnyard.waldo

先看看按ctrl+c 之后生成的文件,应该有两个一个.alert一个.log

vi barnyard.waldo

打开之后是一个空文件，把/var/log/snort snort.log XXXXXX 0 这句话写入这个文件中，xxxx代表了一些数字。

还记得上面几个步骤中copy了两个文件，一个是snort，一个是barnyard。

执行service snort start

service barnyard start

没有问题的话，基本上安装就没问题了。即使有问题，也会有提示，这些提示和snort.conf,barnyard.cof有关。

无意中找到一篇Barnyard的文章

Wed, 19 Dec 2007 01:40:32 GMT

Barnyard (and Sguil)

One of the costliest activities Snort performs is its alert logging. Data needs to be gathered, formatted, and written. In the case of database writes, Snort must send the alert to the database and wait for confirmation of a successful write. The situation is made even worse when the database server is running on another system on network.

Snort has the ability to dump the information that it has gathered on a particular alert into a binary file. This is very quick, since no processing needs to be performed on the data. The Barnyard application reads this file, formats the alert data, and writes it to the chosen output mechanism. The output mechanism can be the conventional Snort logfile, syslogs, comma-separated-value formatted (CSV) file, or a database server. Barnyard can be configured to run on the same platforms as Snort, and their installation and configuration are very similar. Figure 13-1 illustrates the way Snort and Barnyard work together. Barnyard does a very good job of logging to the ACID database allowing Administrators to continue using familiar tools.

Figure 13-1. Barnyard working with Snort

13.1.1 Configuring Snort's Unified Binary Output

When using unified binary output, Snort is configured normally; the only difference is the output plug-in selected in the snort.conf file. The log_unified output plug-in is the only output plug-in that should be configured. The format of the directive is:

output log_unified: filename <filename>, limit <log file size>

filename

The base filename Snort uses when logging alerts. A timestamp is appended to the filename. The file is created in the location you chose for Snort logfiles to be written (/var/log/snort by default, but configurable using -l.

logfile size

Designates the maximum size that a logfile can attain. Consider 128 MB a minimum size. When this file is full, Snort stops writing to that one and starts another with the same base name but a new timestamp.

A sample snort.conf entry would be:

output log_unified: filename unified.log, limit 512

When Snort starts writing to a new file as a result of the size limit being reached, Barnyard continues processing with new file automatically if it is running in continual mode (see Section 13.1.4 below).

13.1.2 Installing Barnyard

Download Barnyard from http://www.snort.org/dl/barnyard and extract it to a standard location (I prefer /usr/local/src/barnyard). To enable database support, you need to use a directive when running configure. To enable support for MySQL support, use (--enable-mysql); to enable PostgreSQL, use (--enable-postgres). The command line is below:

# cd /usr    /local/src/barnyard/barnyard-0.x.0/

# ./configure --enable-mysql

# make

# make install

After install, you can find the Barnyard executable in /usr/local/bin and the barnyard.conf file in the /etc directory in your source directory. You can copy this to a location like /usr/local/etc or keep it where it is.

13.1.3 The barnyard.conf File

Most Barnyard options are managed using the barnyard.conf file. There are two sections to the file: the declarations and the output plug-ins.

Here are the configuration declarations:

config daemon

Designates that Barnyard runs in the background (as a daemon). The same as the -D command-line option.

config localtime

Sets Barnyard to use local time instead of UTC. This is generally not recommended due to the confusion it can cause with multiple sensors.

config hostname : <hostname>

Sets the hostname of the sensor. Currently only used by the ACID database plug-in.

config interface : <interface name>

Sets the interface name for use with the ACID database plug-in.

config filter: < filter regular expression>

Normally, this is set to stop an infinite loop if you are sniffing traffic on the same interface you are running a console using SSH. Here's a sample setting:

Config filter: not port 22

The output plug-ins consist of:

output alert_fast: < filename>

Outputs a file that is similar to Snort's "fast" format; very stripped down, with no packet headers.

output log_dump: < filename>

Outputs a file that is similar to Snort's ASCII packet dump mode.

output alert_csv: < long list of options>

(Experimental plug-in) Creates a file with user-designated fields. It might be useful for some custom scripting, but for the vast majority of administrators who are sophisticated enough to use Barnyard, a database is a better choice. If you want to do custom scripting, refer to the database schema in Appendix A and create database-aware scripts. You'll be happier.

output alert_syslog: < facility>, < priority>

Outputs using the syslog mechanism with the same options as Snort (see Chapter 5).

output alert_syslog2: < facility>, < priority>

Uses a mechanism similar to the alert_syslog output line, but has the expanded formats of syslog2 available.

output log_pcap: <filename>

Outputs data in the standard pcap format.

output alert_acid_db : <database type>, sensor_id <sensor id>, database <database name>, server <server address>, user <username for database>, password <database password>

Sends alert information (less detailed than log information) to an ACID database. Designate the database type (mysql, postrgres, and so on), and supply the location of the server (localhost or IP address), database name, and the authentication information for the database user.

output log_acid_db : <database type>, sensor_id <sensor id>, database <database name>, server <server address>, user <username for database>, password <database password>, detail <full or fast>

Sends detailed log information to an ACID database. Designate the database type (mysql, postrgres, and so on) and supply the location of the server (localhost or IP address), database name, and the authentication information for the database user. One last bit of data to include is the detail option (fast or full). I always use full. Here's a sample configuration line for the ACID output plugin:

output log_acid_db: mysql, sensor_id 1, database snort, server 10.10.10.25, user 

snort_user, password pa$$w0rd, detail full

output sguil : <db type>, sensor_id <sensor ID>, database <db name>, server <IP address or hostname>, user <db username>,password <db password>, sguild_host <IP address or hostname>, sguild_port <port number>

Sends detailed log information to a sguil server database. Designate the database type (mysql, postgres, and so on), supply the location of the database server, the database user and password, the sguil server location, and the port that sguil is listening on (defaults to 7736). Here's sample configuration for the sguil output plug-in:

output sguil: mysql, sensor_id 1, database sguil, server 10.10.10.25, user sguil_

user, password pa$$w0rd, sguild_host localhost, sguild_port 7736

13.1.4 Barnyard Command-Line Options

Barnyard runs in one of three modes: one-shot, continual, or continual with checkpoint. One-shot mode (or batch mode) is used to run Barnyard against a single unified logfile and then exit. Continual watches a unified logfile as it is written to. The continual with checkpoint mode is similar to the continual mode except it keeps track of where it is in the file by keeping a pointer in a file (sometimes called a waldo file). If Barnyard crashes, processing will continue at this point in the unified logfile.

The mode that Barnyard is running in (as well as other potentially ephemeral configuration settings) is designated at the command line. The command line options for Barnyard are:

-R

Similar to the -T test mode of Snort. Processes the configuration and tells you if you have any problems. This has gotten very useful in recent versions of Barnyard.

-c < path to barnyard.conf>

The path to the configuration file.

-d < dir>

The directory where Snort will be writing the unified binary format logs.

-L < dir>

If Barnyard is configured to output to files, this path designates where the files should be written.

-v

Increases verbosity of console output.

-s < file>

The path to Snort's sid-msg.map file. Included with the Snort rules download and specifies the sid for an alert message.

-g < file>

The path to Snort's gen-msg.map file. Included with the Snort rules download and specifies the detection generator that is associated with a generator ID.

-p < file>

The path to Snort's classification.config file. This is included with the Snort rules download and specifies the alert classifications used by Snort.

-a < dir>

If a unified logfile is processed, it can be archived to another location as specified.

-f < base>

The base name for the Snort unified binary format logs. This is the filename without the appended timestamp.

-n

Only process new events.

-w < file>

The checkpoint (waldo) file used for continual with checkpoint mode.

-D

Run in daemon mode.

-X < file>

Specify a file to store the PID of the Barnyard process.

-o

Enable one-shot mode on the specified file.

-t < timestamp>

You can specify the timestamp for the first file to be processed. The timestamp is in Unix time (seconds since the epoch).

Here are some sample command lines (they can get very long). First, there's batch (one-shot) mode:

barnyard -c /usr/local/etc/barnyard.conf -d /var/log/snort \

-c /usr/local/share/snort_rules/classification.config \

-s /usr/local/share/snort_rules/sid-msg.map \

-g /usr/local/share/snort_rules/gen-msg.map -o unified.log.1083726235

Then we have continual mode with checkpoint:

barnyard -c /usr/local/etc/barnyard.conf -d /var/log/snort \

-c /usr/local/share/snort_rules/classification.config \

-s /usr/local/share/snort_rules/sid-msg.map \

-g /usr/local/share/snort_rules/gen-msg.map -w /usr/local/etc/waldo.chk \

-f unified.log

13.1.5 Sguil: An Alternative Management Console

Developer:

Bamm Visscher

Link:

http://squil.sourceforge.net

Download Link:

http://sourceforge.net/project/showfiles.php?group_id=71220

Platform:

Tcl/Tk client/server architecture

Prerequisites:

MySQL, Snort, Barnyard, Tcl/Tk 8.3 or newer (http://www.tcl.tk/software/tcltk/), Tclx libraries (http://tclx.sourceforge.net), Mysqltcl (http://www.xdobry.de/mysqltcl/), incr tcl (itcl) (http://incrtcl.sourceforge.net/itcl/), tcllib extension (http://tcllib.sf.net), Tcpflow (http://www.circlemud.org/~jelson/software/tcpflow/), p0f (http://lcamtuf.coredump.cx/p0f.shtml)

As the prerequisite list indicates, installing Sguil can be hairy. Getting it running involves installing the standard Snort components, Tcl (tool control language) and tk (a graphical user interface toolkit), several add-on Tcl libraries, and the Tcpflow and p0f applications. Then set up a database for Sguil to use, install the GUI server, and the GUI client, patch Snort's source code and recompile, configure Barnyard's Sguil output plugin, and configure a script to get the data from Snort, Tcpflow, and p0f into the database. Detailed installation instructions are available on the Sguil web page.

Sguil is a near real-time interface to Snort alerts that relies on Barnyard, Tcpflow, and p0f to gather alert data. Tcpflow and p0f are used to create a transcript of network traffic that can be useful in discrimating false positives and post-incident forensic analysis. The interface is actually very nice to use and presents the alert information in a useful format.

An extract from the Sguil home page:

Events can be validated by placing them into one of seven incident categories or marking the event as having no further action required (NA). These actions remove the events from the RealTime tab of all the connected clients but are not deleted from the database. Archived events can easily be retrieved from the database through preformatted queries, or the analyst can create a custom query using SQL.

Sguil isn't that different from the ACID interface: both allow you to monitor alerts and search by event, sensor, alert classification, alert priority, or timestamp. Sguil is more up-to-date with the latest preprocessors梡articularly the new flow-portscan system. Both ACID and Sguil lack sensor-management tools.

Where connecting to ACID is easy since it is a web-based interface, the only way to get a remote client to connect to a central server is by using an exported X-session (a security no-no). Looking back at the last few paragraphs, I see that I'm drawing a lot of comparisons between ACID and sguil. Functionally, they are very similar. Sguil's transcript feature differentiates it.

A daunting installation, poor client model, and lack of many new features make it difficult to recommend Sguil. I advise sticking with ACID.

Figures Figure 13-2 and Figure 13-3 show screenshots of Sguil in action.

Figure 13-2. Sguil console in action

Figure 13-3. The sguil query builder

snort+base step 3

Tue, 18 Dec 2007 05:58:47 GMT

Naka原创:

4,准备安装snort,并且建立规则

进入到第2建立的文件夹:

4.1 安装snort

tar -xvzf snort-2.6.1.5.tar.gz
cd snort-2.6.1.5
./configure --with-mysql --enable-dynamicplugin #参数必须加，不然100％无法运行
make
make install
groupadd snort #建立组
useradd -g snort snort -s /sbin/nologin #建立用户，不也许telnet登陆

mkdir /etc/snort 建立snort文件夹，会把安装文件夹下步骤2的中snort/etc 拷贝到这里
mkdir /etc/snort/rules 建立规则文件夹，会把snort的规则放到这里
mkdir /var/log/snort 建立snort运行log文件夹
cd etc/
cp * /etc/snort

4.2 安装rules

tar -xvzf snortrules-pr-2.4.tar.gz #退回第2建立的文件夹后执行
cd rules
cp * /etc/snort/rules

4.3 修改snort配置文件

vi /etc/snort

var HOME_NET 10.0.0.0/24 修改成你自己的网断.

var EXTERNAL_NET !$HOME_NET 定义除内网之外的所有网段为外网

var RULE_PATH /etc/snort/rules

...............待继

snort+base step 2

Mon, 17 Dec 2007 04:48:08 GMT

Naka原创:

3,准备两个文件,都将放到/etc/init.d文件夹内,直接找到这个目录vi snort和barnyard copy进去就可以。对这两个文件，还要在后面做处理。

第一个文件,用来启动snort:
#!/bin/sh
#
# chkconfig: 2345 99 82
# description: Starts and stops the snort intrusion detection system
#
# config: /etc/snort/snort.conf
# processname: snort

# Source function library
. /etc/rc.d/init.d/functions

BASE=snort
DAEMON="-D"
INTERFACE="-i eth0"
CONF="/etc/snort/snort.conf"

# Check that $BASE exists.
[ -f /usr/local/bin/$BASE ] || exit 0

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

RETVAL=0
# See how we were called.
case "$1" in
start)
        if [ -n "`/sbin/pidof $BASE`" ]; then
                echo -n $"$BASE: already running"
                echo ""
                exit $RETVAL
        fi
        echo -n "Starting snort service: "
        /usr/local/bin/$BASE $INTERFACE -c $CONF $DAEMON
        sleep 1
        action "" /sbin/pidof $BASE
        RETVAL=$?
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/snort
        ;;
stop)
        echo -n "Shutting down snort service: "
        killproc $BASE
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/snort
        ;;
restart|reload)
        $0 stop
        $0 start
        RETVAL=$?
        ;;
status)
        status $BASE
        RETVAL=$?
        ;;
*)
        echo "Usage: snort {start|stop|restart|reload|status}"
        exit 1
esac

exit $RETVAL

第二个文件:用来启动barnyard

# program options
CONF="/etc/snort/barnyard.conf"
GEN_MAP="/etc/snort/gen-msg.map"
SID_MAP="/etc/snort/sid-msg.map"
LOG_DIR="/var/log/snort"
LOG_FILE="snort.log"
WALDO_FILE="/var/log/snort/barnyard.waldo"
DAEMON="-D"

# Check that $BASE exists.
[ -f /usr/local/bin/$BASE ] || exit 0

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

RETVAL=0

# See how we were called.
case "$1" in
start)
if [ -n "`/sbin/pidof $BASE`" ]; then
echo -n $"$BASE: already running"
echo ""
exit $RETVAL
fi
echo -n "Starting Barnyard: "
/usr/local/bin/$BASE -c $CONF -g $GEN-MAP -s $SID_MAP -d $LOG_DIR -f $LOG_FILE -w $WALDO_FILE $DAEMON
sleep 1
action "" /sbin/pidof $BASE
RETVAL=$?
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/barnyard
;;
stop)
echo -n "Shutting down Barnyard: "
killproc /usr/local/bin/$BASE
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/barnyard
;;
restart|reload)
$0 stop
$0 start
RETVAL=$?
;;
status)
status $BASE
RETVAL=$?
;;
*)
echo "Usage: barnyard {start|stop|restart|reload|status}"
exit 1
esac

exit $RETVAL

基本上，安装条件具备了，下一步就开始snort＋adodb＋base

。。。。。。。。。。。。。。待续

snort+base step 1

Sun, 16 Dec 2007 11:51:02 GMT

Naka原创:

参考了无数英文资料，虽然有些羞于写成原创，但是辛辛苦苦弄了三周，才弄好，那就自我安慰原创一下。所有参考文章我都放在
http://cid-2b3776eff823a0d5.skydrive.live.com/browse.aspx/snort 如果有兴趣就可以看看。

Snort算是安装完了，对于初学，Linux下Snort的安装过程充满了困难（软件兼容）。我接触linux的时候是Redhat7.3，使用了一年，之后再也没有接触了过。最近对网络安全和linu方面的一些知识很是来兴趣，以此又开始拿起linux。开始的时候，我直接下了个RHEL5来弄，由于不是注册用户，yum根本使用不了，后来才知道。。。。RHEL商业化了，郁闷啊。再后来下了个Centos 5，终于把snort给弄上了。分step1，2，3是因为我根本没有精力来一次把整个安装过程写下来。。。。。痛苦.

需要的软件和版本:
1,Centos 5 finall
2,mysql-server-5.0.22-2.1.0.1
3,mysql-bench-5.0.22-2.1.0.1
4,mysql-5.0.22-2.1.0.1
5,php-mysql-5.1.6-15.el5
6,mysql-devel-5.0.22-2.1.0.1
7,perl-DBD-MySQL-3.0007-1.fc6
8,mysqlclient10
9,httpd-2.2.3-11.el5.centos
10,Gcc-4.1.2-14.el5
11,pcre-devel-6.6-2.el5_1.7
12,php-gd-5.1.6-15.el5
13,Gd-2.0.33.9.3.fc6
14,glib2-devel-2.12.3-2.fc6
15,gcc-c++-4.1.2-14.el5
16,libpcap-devel-0.9.4-11.el5
17,php-pear-1.4.9-4
18,snort-2.6.0
19,base-1.3.8(用低版本出不来Graph Alert，我不知道什么原因)
20,snortrules-pr-2.4
21,adodb480
22,barnyard2.0

安装过程中,Centos默认安装就可以。之所以要写上面的这些软件包，是因为snort的安装过程不难，难的是这些软件的匹配和兼容(花了我三个周时间，当然，我是不是高手)。安装环境准备：

1，别看这么多软件是吓倒了，使用yum能够很方便的安装Centos的软件环境。
yum –y install －－alldepeds mysql mysql-bench mysql-server mysql-devel mysqlclient10 php-mysql httpd gcc pcre-devel php-gd gd mod_ssl glib2-devel gcc-c++ libpcap-devel php php-pear等待吧，最好你的网络足够好，反正我默认安装Centos之后，通过yum还要下载75M的，在家里使用adsl根本没戏，时间太长。在单位就好点，所以也就是我最近天天加班的原因：）．yum完之后，验证一下httpd和mysql运行是不是正常.

2，建立一个文件夹，此文件夹用来放Centos系统不带的所有软件，包括snort，snort rules，base，adodb，banryard等等
   http://www.snort.org/dl/old 因为现在是snort最新版本是snort-2.8.0.tar.gz，而我只用了老版本，所以可以直接在这个地址下载
　http://www.snort.org/dl/barnyard/ barnyard下载
   http://easynews.dl.sourceforge.net/sourceforge/adodb/ adodb下载
   http://easynews.dl.sourceforge.net/sourceforge/secureideas/ base下载

待续．．．．．．．．．．．．

Analyzing Snort Data With the Basic Analysis and Security Engine (BASE)

Sat, 15 Dec 2007 08:14:27 GMT

Analyzing Snort Data With the Basic Analysis and Security Engine (BASE)

Amy Rich, October 2005

Abstract: This article describes storing Snort alert output in a MySQL database and using the web front end BASE to analyze the data.

Contents

In the article Introduction to Intrusion Detection With Snort, I covered basic concepts of intrusion detection and the installation and use of Snort, a network-based intrusion detection system (NIDS). In this article, I'll detail storing Snort alert output in a MySQL database and using the web front end BASE to analyze the data. BASE is the successor to ACID, the Analysis Console for Intrusion Databases, developed by Roman Danyliw at the CERT Coordination Center as a part of the AirCERT (Automated Incident Reporting) project. BASE is actively maintained and supported by a team of volunteers led by Kevin Johnson and Joel Esler.

Introduction to BASE, the Basic Analysis and Security Engine

BASE searches and processes databases containing security events logged by assorted network monitoring tools such as firewalls and IDS programs. BASE is written in the PHP programming language and displays information from a database in a user friendly web front end. When used with Snort, BASE reads both tcpdump binary log formats and Snort alert formats. Once data is logged and processed, BASE has the ability to graphically display both layer-3 and layer-4 packet information. It also generates graphs and statistics based on time, sensor, signature, protocol, IP address, TCP/UDP port, or classification. The BASE search interface can query based on alert meta information such as sensor, alert group, signature, classification, and detection time, as well as packet data such as source/destination addresses, ports, packet payload, or packet flags.

BASE allows for the easy management of alert data. The administrator can categorize data into alert groups, delete false positives or previously handled alerts, and archive and export alert data to an email address for administrative notification or further processing. Support for user logins and roles, allowing an administrator to control what is seen through the web interface, is also expected in an upcoming release of BASE. As of the current release of BASE (1.1.3), the hooks are there, but the code is not yet functional.

In the case we'll examine, Snort will log alert data to a MySQL database which will then be read by BASE and displayed via an Apache web server. BASE also supports other database back ends and can display information via any web server that supports PHP.

Installing and Configuring the Necessary Prerequisites

In order for BASE to function, we must first install and configure a back end database, in this case MySQL, to store the Snort alerts. In addition, we'll need Apache and Snort compiled with MySQL support. We also need to install PHP and a couple of PHP add-ons. ADOdb is an object-oriented PHP library used to interface to the database. You may already have some of these necessary tools on your system as part of the default distribution, depending on what version of the operating system you're running. The instructions below assume you are using the GNU tool chain (tar, make, gcc, and so on).

MySQL

We first start by obtaining and installing the MySQL package from MySQL. When unpacking, be sure to use GNU tar, since tar in the Solaris OS has issues with long file names. To avoid dependencies, we'll configure MySQL to build without libgcc and without zlib, but we'll still compile against openssl. (This assumes you've previously installed gcc and openssl.)

wget \
  http://dev.mysql.com/get/Downloads/MySQL-4.1/mysql-4.1.13.tar.gz/\
  from/http://mysql.mirrors.pair.com/

tar zxf mysql-4.1.13.tar.gz
cd mysql-4.1.13

LDFLAGS="-R/usr/local/lib" ./configure --prefix=/usr/local \
     --with-openssl \
     --without-docs \
     --without-libgcc \
     --with-named-z-libs=z
make
make install

If you run into issues compiling or installing MySQL, take a look at the Solaris OS section of the MySQL Reference Manual.

Snort

Now that we have MySQL installed, we can compile Snort with MySQL support. Slightly modify the installation directions from the previous article on Snort:

../configure --with-mysql=/usr/local --with-openssl=/usr/local

Then follow the rest of the installation instructions provided there.

Now set up the Snort database in MySQL. First create the snort user and grant the appropriate permissions:

mysqladmin -u root -p create snort

Next, run the MySQL script included in the Snort source directory to create the appropriate tables:

mysql -u root -p < snort-2.3.3/schemas/create_mysql snort

Now add the snort user and set the permissions:

mysql -u root -p snort

mysql> set PASSWORD FOR snort@localhost=PASSWORD('snort_user_password');
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
mysql> flush privileges;
mysql> exit

Finally, edit the snort.conf file and modify the output plug-in:

output database: log, mysql, dbname=snort user=snort password=snort host=localhost
output database: alert, mysql, dbname=snort user=snort password=snort host=localhost

This will cause both log and alert data to be written to the database.

To verify that Snort is able to write to MySQL, make sure MySQL is running, then start Snort with the following options:

snort -c /etc/snort.conf -g snort

Once Snort and MySQL are running, wait a few moments until it collects some alert data. Then run the following command:

echo "SELECT count(*) FROM event" | mysql -u root -p snort

Your output should look similar to the following, where the number is the number of alerts you've received:

count(*)
1

If the number is zero, then you haven't seen any traffic that will trigger an alert, or you need to revisit your Snort/MySQL configurations.

PHP

This article assumes that you're running Apache as your web server, and that you've installed it with the GNU layout. If you're using a different web server or have installed Apache in a different location, these directions will need modification. First, download PHP from a nearby mirror. I've chosen us2.php.net:

wget http://us2.php.net/get/php-4.3.11.tar.gz/from/this/mirror

Now configure PHP to install into /usr/local/php and use apxs to add the libphp4.so module to Apache. The PHP configure lines below also tell PHP where to find MySQL, GNU gettext, OpenSSL, zlib, libjpeg, and libpng:

LDFLAGS="-R/usr/local/lib"  ./configure --prefix=/usr/local/php \
     --enable-memory-limit=yes \
     --with-apxs=/usr/local/sbin/apxs \
     --with-gettext=/usr/local \
     --with-exif \
     --without-mm \
     --with-mysql=/usr/local \
     --with-openssl=/usr/local \
     --with-zlib \
     --with-jpeg-dir=/usr/local \
     --with-png-dir=/usr/local \
     --with-exec-dir=/usr/local/php/libexec \
     --enable-cli \
     --enable-sockets
make
make install

In a production environment, you'll want to edit /usr/local/php/lib/php.ini and set the display_errors variable to off so that debugging messages will not be inlined in the HTML. If you prefer to have inline debugging messages, then it's recommended to at least set the error_reporting variable to E_ALL & ~E_NOTICE.

Obtain further information about PHP from the PHP web site, and further information about Apache from the Apache HTTP Server Project site.

ADOdb

ADOdb is a performance-conscious database abstraction layer for PHP. BASE requires ADOdb to talk to MySQL on the back end. First, obtain the source:

wget http://unc.dl.sourceforge.net/sourceforge/adodb/adodb465.tgz

Then unpack the source and place ADOdb where it can be accessed by BASE. The documentation recommends placing it in the Apache document root, but you can also configure BASE with ADOdb outside of Apache's tree (such as /usr/local/share/) if desired.

PEAR Modules

BASE documentation also recommends installing several PEAR modules. PEAR, the PHP Extension and Application Repository, is installed as part of PHP and is to PHP what CPAN is to Perl. If PEAR::Image_Graph is not already installed, obtain it by running the following commands:

/usr/local/php/bin/pear install Image_Color
/usr/local/php/bin/pear install Log
/usr/local/php/bin/pear install Numbers_Roman
/usr/local/php/bin/pear install http://pear.php.net/get/Numbers_Words-0.13.1.tgz
/usr/local/php/bin/pear install http://pear.php.net/get/Image_Graph-0.3.0dev4.tgz

Installing and Configuring BASE

Now that all of the prerequisites are in place, we can install and configure BASE itself.

Downloading and Installing BASE

First go to http://prdownloads.sourceforge.net/secureideas/base-1.1.3.tar.gz?download and pick a mirror from which to download the source code. Next, unpack the source tarball into your Apache DocumentRoot:

cd /usr/local/apache/htdocs
tar zxf /path/to/base-1.1.3.tar.gz
mv base-1.1.3 base

Use the supplied SQL script to create the BASE database:

mysql -u root -p < base/sql/create_base_tbls_mysql.sql snort

If you're using a database other than MySQL or upgrading to BASE from ACID, there are different scripts available in the base/sql directory.

Configuring BASE

Once you create the database, configure BASE by copying the base_conf.php.dist file to base_conf.php and customizing it to fit your environment:

cd base
cp base_conf.php.dist base_conf.php

Options in the config file are all well commented, but those listed in the table below are the minimum that must be set.

Table 1: Required Configuration Options

Variable

Function

Value

$DBlib_path

Full path to the ADOdb installation

"/usr/local/share/adodb"

$DBtype

Type of database used

"mysql"

$Use_Auth_System

Set to 1 to force users to authenticate to use BASE

0

$BASE_urlpath

The root URI of your site

"/base"

$alert_dbname

The alert database name

"snort"

$alert_host

The alert database server

"localhost"

$alert_port

The port where the database is stored
(Leave blank if you're not running MySQL on a network socket.)

$alert_user

The username for the alert database

"snort"

$alert_password

The password for the username

"snort_user_password"

Until the authentication portion of BASE is working properly, protect the directory where you installed BASE. Apache can be configured to deny access based on IP address, as well as to require a user to enter a password. Modify /usr/local/apache/etc/httpd.conf and add something like the following to allow users from the host 192.168.1.100 to authenticate:

<Directory /usr/local/apache/htdocs/base/> 
Order Deny, Allow
Deny from All
Allow from 192.168.1.100
AuthType Basic
AuthName Access is restricted.
AuthUserFile /path/to/htpasswd/file
require valid-user
</Directory>

Populate the .htpasswd file with username and encrypted password data. Please refer to the documentation on the Apache web site for more help on configuring access restriction.

Using BASE

You should now have a functional BASE install accessible at http://www.your.domain/base, and you're ready to begin using the GUI to view and manage alerts.

Navigating the Main Screen

Once you log in, the main page shows a summary of currently logged alerts as well as various alert summary breakdowns and links to graphs (see Figure 1).

Figure 1: Main Page of BASE
(Click to Enlarge)

Drilling down into any of the summaries will present a list of events. Depending on the list, it is possible to drill further down and gain more detail. For example, following the link Today's alerts: unique, brings up a new screen with a summary of alerts which begin at the previous midnight. A link labeled snort, located to the left of each signature, attempts to connect to the signature database at the Snort web site and provide more detailed information about that particular signature.

Drilling down on a source or destination IP address on any of the screens brings up a summary that includes how many times that IP was logged as a source or destination address. It also indicates the first and last time the IP was logged. Additionally, the summary page contains links to external web-based tools that provide DNS and Whois lookup services.

Drilling down on the source or destination port's links displays a summary of ports, number of occurrences, time first seen and time last seen. Each listed port number is a hyperlink to the SANS Internet Storm Center page for that port number.

Creating Alert Groups

Alert groups can be created to group event information into user-defined categories for easy perusal. In order to create a new alert group or modify existing groups, click on the Alert Group Maintenance link at the bottom of the main page.

Next, click the Create link and fill out the name and description fields for the new group. For this example I'll create an alert group named test2 based on an alert signature. To do so, I return to the main page and select the Unique alerts link, then decide to use the signature named IIS UNICODE CODEPOINT ENCODING.

I check the box next to that signature, then scroll to Action box at the bottom of the page. From the drop down menu labeled {action} I select the option to ADD to AG by Name, type in test2, and click on the Selected button. Returning to the Alert Group Maintenance screen I see that the group test2 now shows two alerts.

The Search Function

BASE has a search function that can be used to quickly search through the database for certain criteria and present it in an ordered fashion.

Figure 2: Search Function in BASE
(Click to Enlarge)

The allowable search criteria include Alert Group, Signature, and Alert Time. The results can be ordered by timestamp, signature, source IP, or destination IP. Unfortunately, there is no option to use an IP address as one of the criteria.

Generating Graphs

Graphs can be created from Alert Data or Alert Detection Time.

The Alert Data can be graphed and charted based on a variety of options to create easily readable reports. Figure 3 below shows a screen shot of a simple pie chart.

Figure 3: Pie Graph of Time vs. Number of Alerts
(Click to Enlarge)

This next screen shot shows a bar graph based on Alert Detection Time which can be used to identify periods of heavy activity.

Figure 4: Bar Graph of Time vs. Number of Alerts
(Click to Enlarge)

These charts and graphs allow the system administrator to visually pinpoint periods of attacks. The images created by BASE are also a valuable resource for inclusion in managerial reports and departmental presentations dealing with site security.

Resources

BASE Resources

Resources for Additional Software

Other Resources

centso 下的snort base终于工作了

Tue, 11 Dec 2007 10:18:30 GMT

值得开心的是。。。经过三个周的攻坚，终于在这个时候，Base开始工作了，终于走进了这个免费IDS的空间。安装过程一波三折，郁闷之极，但是结果确令人愉快，攻略是写不动了，先贴个图表示庆贺。