Softpanorama (slightly skeptical) Open Source Software Educational Society
May the source be with you, but remember the KISS principle ;-)
Acid/Base on Solaris
The Analysis Console for Intrusion Databases (ACID) is a rather slow
PHP-based analysis engine for searching and processing the database of security
events generated by Snort. It is mostly useful as a generic event viewing
tool. In theory it is not limited to Snort: other types of events can be
converted into the same database format by a script such as logsnorter
(www.snort.org/downloads/logsnorter-0.2.tar.gz).
ACID was written by Roman Danyliw in early 2000 as part of the AIRCERT project
at the CERT Coordination Center, a project that was abandoned in 2003
(they should probably spend more money on such projects than simply wasting
it on alerts, conferences and red tape; in fact they duplicate a lot of the
work done by U.S. DOE-CIAC).
Roman Danyliw maintained it in his free time for three years (the last
update of ACID is dated February 2, 2004) and probably at some point decided
that "enough is enough". As of 2006 he chairs the IETF Extended Incident
Handling working group and is a member of the CERT/NetSA (Network Situational
Awareness) team, where he also works on the System for Internet-Level
Knowledge (SiLK) NetFlow suite.
Architecturally the tool is good and was well designed: the chosen architecture
permits slicing Snort alerts in different, sometimes non-trivial ways, and it
definitely helps to understand and analyze a large stream of alerts. Its
capabilities can be discovered only by extensive trial and error, since good
documentation and worked examples of using ACID to analyze a stream of alerts
are currently absent.
The ACID GUI is pretty capable and its functionality can compete with proprietary
applications. It is pretty sad, and speaks volumes about CERT bureaucracy,
that they dropped support for this project (a project that perfectly fits the
CERT charter) despite its quite large user base and the minimal amount of money
needed to support it. This lack of leadership is very sad but all too common...
Used on small to medium streams of alerts, ACID is really helpful in the
analysis of traffic, and the quality of its interface is comparable with commercial
offerings (although the shortcomings mentioned below diminish its value).
It features:
It features:
- A query builder and search interface for finding alerts matching
on alert meta-information (e.g. signature, detection time) as well as
the underlying network evidence (e.g. source/destination address, ports,
payload, or flags).
- A packet viewer (decoder) that graphically displays the layer-3
and layer-4 packet information of logged alerts.
- Alert management: constructs to logically group alerts into incidents
(alert groups), delete handled alerts or false positives, export alerts
to email for collaboration, or archive alerts to transfer them between
alert databases.
- Chart and statistics generation based on time, sensor, signature,
protocol, IP address, TCP/UDP ports, or classification.
ACID is written in PHP and thus, like any open source tool, is customizable
by the user. The ACID code is not operating-system dependent: it can
be unpacked and, after modification of the config file, works OK on Solaris 10
or OpenSolaris. Here is an OpenSolaris example (the environment as reported by
ACID itself):
SERVER: Apache/2.0.55 (Unix) mod_ssl/2.0.55 OpenSSL/0.9.7d PHP/4.4.1
SERVER HW: SunOS example 5.11 snv_23 sun4u
PHP VERSION: 4.4.1
PHP API: apache2handler
PHP Logging level: (2039) [E_ERROR] [E_WARNING] [E_PARSE] [E_CORE_WARNING] [E_CORE_ERROR] [E_COMPILE_ERROR] [E_COMPILE_WARNING]
Loaded Modules: [ xml ] [ tokenizer ] [ standard ] [ sockets ] [ session ] [ posix ] [ pcre ] [ overload ] [ mysql ] [ gettext ] [ gd ] [ ctype ] [ zlib ] [ openssl ] [ apache2handler ]
DB Type: mysql
DB Abstraction Version: V4.68 25 Nov 2005 (c) 2000-2005 John Lim (jlim#natsoft.com.my). All rights reserved. Released BSD & LGPL.
ALERT DB Name: snort
ARCHIVE DB Name: snort_archive
ACID is not scalable beyond several hundred thousand alerts, and in a real
deployment with the stock Snort signatures the event database needs periodic purging
because of the huge number of false positives that clutter it (see
acid_perf.html for some interesting statistics). You can improve
the situation slightly by writing a Perl script (or a script in any other language)
that automatically deletes or modifies the most obnoxious rules with each ruleset update.
Doing this manually after every update is really counterproductive.
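Added here as a worked example (not code from this page, from Snort or from ACID): a script that re-applies a list of suppressed SIDs to every *.rules file after an update. It assumes Snort 2.x rule syntax and that the SID list is kept in a file of your own outside the rules directory, so that it survives updates which overwrite the rule files; the rules and SIDs in the block are constructed samples, and the file and function names are this example's, not Snort's.

```python
"""Comment out noisy Snort rules by SID after every ruleset update.

Added example (not code from this page, from Snort or from ACID).  Assumptions:
Snort 2.x rule syntax in *.rules files, and a separate file of SIDs to
suppress (one per line, '#' comments allowed) kept outside the rules
directory so it survives updates that overwrite the .rules files.
"""
import re
from pathlib import Path
from typing import Dict, List, Set, Tuple

# A rule starts with an action keyword; the sid lives inside the option list.
RULE_START = re.compile(r"^\s*(alert|log|pass|drop|reject|sdrop|activate|dynamic)\s")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def load_suppressed_sids(text: str) -> Set[int]:
    """Parse the suppression list: one SID per line, '#' starts a comment."""
    sids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            sids.add(int(line))
    return sids


def rewrite_rules(rules_text: str, suppressed: Set[int]) -> Tuple[str, List[int]]:
    """Return (rewritten text, SIDs disabled in this pass).

    Physical lines ending in a backslash are joined into one logical rule so
    the sid is found wherever it sits; every physical line of a matching rule
    gets a '#'.  Rules that are already commented out are left alone, which
    makes the pass idempotent: re-running after an update only touches rules
    the update re-enabled.
    """
    lines = rules_text.splitlines()
    out: List[str] = []
    disabled: List[int] = []
    i = 0
    while i < len(lines):
        j = i
        while j < len(lines) - 1 and lines[j].rstrip().endswith("\\"):
            j += 1
        chunk = lines[i:j + 1]
        logical = " ".join(l.rstrip().rstrip("\\") for l in chunk)
        sid = SID_RE.search(logical)
        if RULE_START.match(chunk[0]) and sid and int(sid.group(1)) in suppressed:
            out.extend("# " + l for l in chunk)
            disabled.append(int(sid.group(1)))
        else:
            out.extend(chunk)
        i = j + 1
    return "\n".join(out) + "\n", disabled


def tune_rules_dir(rules_dir: Path, sid_file: Path) -> Dict[str, List[int]]:
    """Apply the suppression list to every *.rules file; report what changed."""
    suppressed = load_suppressed_sids(sid_file.read_text())
    report: Dict[str, List[int]] = {}
    for path in sorted(rules_dir.glob("*.rules")):
        new_text, disabled = rewrite_rules(path.read_text(), suppressed)
        if disabled:
            path.write_text(new_text)
            report[path.name] = disabled
    return report


# Constructed sample input (not a real Snort ruleset).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC chatty"; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP PING keep me"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 25 (msg:"SMTP two-line rule"; \\
    content:"EHLO"; sid:1000003; rev:2;)
# alert tcp any any -> any any (msg:"already disabled"; sid:1000004; rev:1;)
"""
SAMPLE_SIDS = "1000001\n1000003  # too noisy on our network\n1000004\n"

if __name__ == "__main__":
    text, gone = rewrite_rules(SAMPLE_RULES, load_suppressed_sids(SAMPLE_SIDS))
    print("disabled:", gone)
    print(text)
```

Run it from the same cron job that fetches the new ruleset, before Snort is restarted; because already-commented rules are skipped it is safe to run repeatedly, and the returned report tells you which rules the update had silently re-enabled.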
On a low-end V210 (2 CPUs, 2 GB of memory, 10K RPM drives, Solaris 10) it
became sluggish after 100K events, slow after 300K and unusable with
about a million events in the database. On a better Linux server (two dual-core
3 GHz CPUs, 4 GB of RAM, faster 1.33 GHz memory and the same 10K RPM drives,
under RHEL 4.3) it became sluggish only after approximately 300K alerts: a
noticeable improvement. I think 15K RPM drives would make working with 500K
alerts on this server feasible.
Please note that without careful tuning of your ruleset on a large traffic
stream the alert database grows very fast and usually becomes unusable within
24 hours; at that point the load time of the main page can exceed 10 minutes.
The number of events should be kept within approximately the 200K range for
ACID to remain usable on a V210. This requires a pretty high level of
tuning of the Snort ruleset: without tuning, on a high-volume connection
(approximately one megabyte of traffic per second) Snort produces such an amount
of false positives that the number of events exceeds ACID's capacity to
process them in 12 hours or less. In one of my experiments I accumulated
2,857,175 alerts in one night on a 100 Mbps link using a subset of the standard
ruleset that comes with Snort 2.4 (slightly cleaned of the most obvious noise;
let's say half-tuned).
You need to drop the Snort database to revive ACID from its coma, but dropping
the database every 12 or even 24 hours is overkill: you need approximately
a week of data to see any trends.
As ACID development was dropped by CERT, attempts to revive it, and to bypass
some of its limitations, led to the creation of several derivative packages.
Among them we can mention:
- Placid by Phil Deneault (dznzault@hiddzngroup.nzt, z's for e's). This
is a much more compact (138K of code) and faster package. Note: the
codebase contains cleanout-snort, a Perl script for cleaning the ACID
database. In the author's words:
Placid (Phil Loathes ACID) was created as a replacement for CMU's
ACID. Acid was too big, too slow, and had too many requirements
for me. So I rewrote almost the entire thing (as well as
added a few new features) using Python.
Placid is a stateless CGI-based snortdb frontend. It has many of
the same features (and some different ones besides) but takes much
less overhead and doesn't require anything except apache and python.
No PHP had to be beaten into submission in using this tool.
- BASE (the Basic Analysis and Security Engine), a fork of ACID. Questionable
quality and a more bloated codebase, but it works and is more recent than the
original codebase. The latest version that is verified to work with Solaris
is 1.2. From the release announcement:
The BASE project team is proud to announce the release of BASE 1.2. This
release is available from the project homepage on SF.net:
http://sourceforge.net/projects/secureideas
We would like to thank everyone that had a part in making this release a success.
This release fixes a number of bugs people were having with PHP 5 and
searches. Alex Butcher also submitted a patch to fix the sort issue some
people were experiencing. We also have fixes to emails regarding portscans
and with quotes on one of the pages...
A number of features were added in this release. These features include:
- The ability to download a binary file of the packet that caused the Snort alert.
- Increased the number of sources for port information
- Added Internet Storm Center Source/Subnet report
- TrustedSource.org IP lookup
- The ability to look up signatures from a local source
- BASE+, a fork of BASE by Nikns Siankin that does not depend on the ADODB
library (the few functions used from ADODB are included inside the main
tree). The latest version is 1.3.0 and it is more recent than BASE. From the
release announcement:
BASE+ 1.3.0 (daiga) released
2006-08-30
"The BASE+ team is proud to announce that the 1.3.0 (daiga) release
of the Basic Analysis and Security Engine (BASE+) is now available
from:
http://sourceforge.net/projects/baseplus
This release comes after five months of enormous amounts of effort.
Improvements which I would like to highlight:
- does not depend on external ADOdb library, since minimum
code is integrated into BASE+
- do not need to edit base_conf.php by hand - all can be done
using new configuration graphical user interface
In this release we fully support one more database backend -
IBMDB2 (since snort-2.6 supports it) and finally Oracle has been
fully supported.
PDF and XLS report generation code by Mordread Wallas has been implemented.
Also in this release authentication code has been audited and hardened.
The full CHANGELOG is available in the release tarball.
I would also like to welcome new team members and thank the departed
ones for all of their hard work.
Thanks again
Nikns"
Please note that from my limited experience with BASE (I have not tried
BASE+ yet) it looks more like a "vanity" project that lasted for a year and
was abandoned after that, so it is unclear whether the BASE codebase
is an improvement over ACID or not. Superficially it looks like only
non-essential, "cosmetic", presentation-related stuff, useless setup scripts
and a renaming of sources with minor refactoring. They added one table,
base_users, to provide a multi-user environment, but since BASE is mainly an
event reader the value of this idea is minimal. The quality of refactoring is
low; I would call it "GPL-inspired codebase vandalizing" rather than refactoring.
Most of the work done by the BASE and BASE+ forkers is vanity-fair related
activity. The original documents and the ACID codebase are the only ones that
still provide some insight into the application.
ACID originally had a large codebase (as Phil Deneault, the author of the
Python reimplementation, noted, "Acid was too big, too slow, and had
too many requirements for me"), but there is noticeable additional bloat
in the BASE codebase (more than 50% growth in byte count). In case you need
to understand some of the code (that's what open source is about, isn't it :-)
I recommend reading the original ACID codebase first.
From a brief analysis it looks like BASE mainly added some internationalization
code (as if English were not the de facto standard in computing :-) and
user maintenance code.
The quality of error checking deteriorated, and sometimes BASE does not produce
diagnostic messages in situations where ACID does: just try to use PHP compiled
without MySQL support, and in BASE you will be greeted with a blank screen
while ACID produces a correct diagnostic message.
Refactoring done in BASE included the introduction of a more-or-less
standard directory tree. The ACID codebase is flat, which is a small
deficiency; the BASE codebase is organized with a separate ./includes directory,
a ./sql directory (there are ~16K of SQL code in ACID) and several other
directories typical for modern applications (images, docs, styles, etc.).
There is also a ./setup directory with badly written, largely useless
setup files (47K) which try to generate base_conf.php from user answers to
badly or incorrectly formulated questions :-).
The introduction of the ./includes and ./sql subdirectories is definitely
logical, but it was done poorly: the ./includes directory is actually very big
(388K, more than half of the total codebase) and contains files that should
never be classified as includes, while the root directory still contains files
that properly should be classified as includes (for example base_common.php).
Please note that BASE contains two large modules that have nothing to
do with its basic functionality: includes/class.ezpdf.php
and includes/class.pdf.php. They are 103K and 56K respectively, so the
discrepancy in codebase sizes is smaller than it looks.
Here is a table that shows the correspondence between the ACID and BASE
codebases (files sharing a row are equivalents; an empty cell means the
other codebase has no counterpart):
| ACID | BASE | Comment |
| acid_action.inc | includes/base_action.inc.php | |
| acid_ag_common.php, acid_ag_main.php | base_ag_common.php, base_ag_main.php | |
| acid_app_faq.php | | |
| | includes/base_auth.inc.php | |
| acid_cache.inc | base_cache.inc.php | |
| acid_common.php | base_common.php | Common functions (kind of API) used by the application. Should probably be an include file. |
| | setup/base_conf_contents.php | |
| acid_conf.php | base_conf.php | Setup page. BASE also has rather useless setup scripts that can generate this page. |
| | includes/base_capabilities.php | Chris Shepherd's capability registry |
| acid_constants.inc | includes/base_constants.inc.php | |
| acid_db.inc | includes/base_db.inc.php | |
| acid_db_common.php | base_db_common.php | |
| acid_db_setup.php | base_db_setup.php | |
| | base_denied.php | |
| acid_footer.html, acid_graph_common.php, acid_graph_display.php, acid_graph_form.php, acid_graph_main.php, acid_hdr1.html, acid_hdr2.html | base_footer.php, base_graph_common.php, base_graph_display.php, base_graph_form.php, base_graph_main.php, base_hdr1.php, base_hdr2.php | |
| acid_include.inc | includes/base_include.inc.php | |
| acid_log_error.inc | includes/base_log_error.inc.php | |
| acid_log_timing.inc | includes/base_log_timing.inc.php | |
| acid_main.php | base_main.php | Main script that produces the initial page. The BASE version improves multiuser functionality. |
| acid_maintenance.php | base_maintenance.php | |
| acid_net.inc | includes/base_net.inc.php | |
| acid_output_html.inc | includes/base_output_html.inc.php | |
| acid_output_query.inc | includes/base_output_query.inc.php | |
| | base_payload.php | |
| acid_qry_alert.php, acid_qry_common.php, acid_qry_form.php, acid_qry_main.php, acid_qry_sqlcalls.php | base_qry_alert.php, base_qry_common.php, base_qry_form.php, base_qry_main.php, base_qry_sqlcalls.php | |
| | includes/base_setup.inc.php | |
| acid_signature.inc | includes/base_signature.inc.php | |
| acid_stat_alerts.php, acid_stat_class.php, acid_stat_common.php, acid_stat_ipaddr.php, acid_stat_iplink.php, acid_stat_ports.php, acid_stat_sensor.php, acid_stat_time.php, acid_stat_uaddr.php | base_stat_alerts.php, base_stat_class.php, base_stat_common.php, base_stat_ipaddr.php, base_stat_iplink.php, base_stat_ports.php, base_stat_sensor.php, base_stat_time.php, base_stat_uaddr.php | |
| | base_user.php | |
| acid_state_citems.inc | includes/base_state_citems.inc.php | |
| acid_state_common.inc | includes/base_state_common.inc.php | |
| acid_state_criteria.inc | includes/base_state_criteria.inc.php | |
| acid_state_query.inc | includes/base_state_query.inc.php | |
| | sql/acid2base_tbls_mssql.sql, sql/acid2base_tbls_mysql.sql, sql/acid2base_tbls_pgsql.sql | |
| acid_style.css | styles/base_style.css | |
| create_acid_tbls_mssql.sql, create_acid_tbls_mssql_extra.sql, create_acid_tbls_mysql.sql | sql/create_base_tbls_mssql.sql, sql/create_base_tbls_mssql_extra.sql, sql/create_base_tbls_mysql.sql | |
| | sql/create_base_tbls_oracle.sql | |
| create_acid_tbls_pgsql.sql, create_acid_tbls_pgsql_extra.sql | sql/create_base_tbls_pgsql.sql, sql/create_base_tbls_pgsql_extra.sql | |
| | sql/upgrade_0.9.x_to_1.0-mysql.sql | |
| index.html | | |
| | includes/base_template.php, includes/base_user.inc.php, includes/class.ezpdf.php, includes/class.pdf.php | |
Moreover, BASE lacks basic functionality necessary for a functional
package: the automatic maintenance mode (moving events to the archive after
N days) that was present in ACID. Without automatic movement of alerts to the
archive BASE is usable only in hobby projects: after a hundred thousand alerts
(please note that the default Snort signatures are very noisy) it becomes slow,
then very slow and then non-responsive. Manual deletion works but it's not enough.
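The automatic archiving that the paragraph above asks for (and the note further up the page about having to drop the database to revive ACID) can be scripted outside the console. The block below is an added example, not ACID or BASE code: it pins the set of (sid, cid) keys older than a cutoff, copies those rows from every per-event table into the archive database, then deletes them from the live database, children before the parent event row, and clears ACID's cache rows for them. It assumes the Snort 2.x schema and an archive database built from the same DDL (names as in acid_conf.php); the schema subset, the sample events and the sensor and signature numbers are constructed for the demonstration, which runs against sqlite so that it can be executed without a MySQL server.

```python
"""Archive Snort events older than N days from the live ACID database into
the archive database, then delete them from the live one.

Added example; not code from ACID, BASE or Snort.  Assumptions: the Snort 2.x
database schema, where every per-event table is keyed by (sid, cid) with
'event' as the parent; an archive database created from the same schema
(snort_archive, as in acid_conf.php); and ACID's acid_event and acid_ag_alert
cache tables.  Only the columns needed for the demonstration are created, on
an in-memory sqlite database with the archive attached under the name MySQL
would use; the statements themselves are written to be valid on MySQL too
(only the driver's placeholder style differs).
"""
import datetime as dt
import sqlite3
from typing import Dict, Optional

# Packet tables keyed by (sid, cid).  'event' is the parent row and is handled last.
PACKET_TABLES = ["iphdr", "tcphdr", "udphdr", "data"]
# ACID cache tables and the columns holding the event key.  Rows are deleted,
# not archived: ACID rebuilds acid_event from the event tables.
CACHE_TABLES = {"acid_event": ("sid", "cid"), "acid_ag_alert": ("ag_sid", "ag_cid")}

# Constructed subset of the real schema; {s} is "" (live) or "snort_archive.".
DDL = [
    "CREATE TABLE {s}event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT, PRIMARY KEY (sid, cid))",
    "CREATE TABLE {s}iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER, ip_proto INTEGER, PRIMARY KEY (sid, cid))",
    "CREATE TABLE {s}tcphdr (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER, PRIMARY KEY (sid, cid))",
    "CREATE TABLE {s}udphdr (sid INTEGER, cid INTEGER, udp_sport INTEGER, udp_dport INTEGER, PRIMARY KEY (sid, cid))",
    "CREATE TABLE {s}data (sid INTEGER, cid INTEGER, data_payload TEXT, PRIMARY KEY (sid, cid))",
    "CREATE TABLE {s}acid_event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT)",
    "CREATE TABLE {s}acid_ag_alert (ag_id INTEGER, ag_sid INTEGER, ag_cid INTEGER)",
]
SAMPLE_NOW = dt.datetime(2006, 10, 25, 12, 0, 0)  # constructed "now" for the demo


def archive_older_than(conn: sqlite3.Connection, days: int, now: Optional[dt.datetime] = None,
                       archive: str = "snort_archive") -> Dict[str, int]:
    """Move events with a timestamp older than `days` days; return rows copied per table."""
    now = now or dt.datetime.now()
    cutoff = (now - dt.timedelta(days=days)).strftime("%Y-%m-%d %H:%M:%S")
    cur = conn.cursor()
    # 1. Pin the key set once, so every table is trimmed consistently even if
    #    Snort keeps inserting while this runs.
    cur.execute("CREATE TEMPORARY TABLE purge_keys (sid INTEGER, cid INTEGER)")
    cur.execute("INSERT INTO purge_keys SELECT sid, cid FROM event WHERE timestamp < ?", (cutoff,))
    copied: Dict[str, int] = {}
    # 2. Copy to the archive schema: packet tables, then the parent event row.
    for t in PACKET_TABLES + ["event"]:
        join = f"FROM {t} x JOIN purge_keys p ON x.sid = p.sid AND x.cid = p.cid"
        copied[t] = cur.execute(f"SELECT COUNT(*) {join}").fetchone()[0]
        cur.execute(f"INSERT INTO {archive}.{t} SELECT x.* {join}")
    # 3. Delete children first, the parent row last, then the cache rows.
    for t in PACKET_TABLES + ["event"]:
        cur.execute(f"DELETE FROM {t} WHERE EXISTS (SELECT 1 FROM purge_keys p "
                    f"WHERE p.sid = {t}.sid AND p.cid = {t}.cid)")
    for t, (sid_col, cid_col) in CACHE_TABLES.items():
        cur.execute(f"DELETE FROM {t} WHERE EXISTS (SELECT 1 FROM purge_keys p "
                    f"WHERE p.sid = {t}.{sid_col} AND p.cid = {t}.{cid_col})")
    cur.execute("DROP TABLE purge_keys")
    conn.commit()
    return copied


def build_sample_db(now: dt.datetime) -> sqlite3.Connection:
    """Live and archive schema in memory, with four constructed events from sensor 1."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS snort_archive")
    for stmt in DDL:
        conn.execute(stmt.format(s=""))
        conn.execute(stmt.format(s="snort_archive."))
    # cid 1 and 2 are ten days old, cid 3 and 4 are from today
    for cid, age in ((1, 10), (2, 10), (3, 0), (4, 0)):
        ts = (now - dt.timedelta(days=age)).strftime("%Y-%m-%d %H:%M:%S")
        conn.execute("INSERT INTO event VALUES (1, ?, 1000001, ?)", (cid, ts))
        conn.execute("INSERT INTO iphdr VALUES (1, ?, 3232235777, 3232235778, 6)", (cid,))
        conn.execute("INSERT INTO tcphdr VALUES (1, ?, 40000, 80)", (cid,))
        conn.execute("INSERT INTO data VALUES (1, ?, 'GET / HTTP/1.0')", (cid,))
        conn.execute("INSERT INTO acid_event VALUES (1, ?, 1000001, ?)", (cid, ts))
    conn.execute("INSERT INTO acid_ag_alert VALUES (1, 1, 1)")  # old event 1 sits in an alert group
    conn.commit()
    return conn


def row_count(conn: sqlite3.Connection, table: str) -> int:
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


if __name__ == "__main__":
    conn = build_sample_db(SAMPLE_NOW)
    print("copied:", archive_older_than(conn, days=7, now=SAMPLE_NOW))
    for t in ("event", "snort_archive.event", "acid_ag_alert"):
        print(t, row_count(conn, t))
```

Against a real installation the same statements go through the MySQL driver (with %s placeholders instead of ?), from a cron job run as a database user that has only the INSERT and DELETE rights it needs on the two databases. The key set is frozen before the copy, but on MyISAM tables the copy and the deletes are not one transaction, so run it at a quiet hour and keep the report of rows copied per table for the log.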
All in all it looks like another demonstration of the weaknesses of GPL
licensing. If my observation is true it's amazing how many people
who write about Snort were fooled by this fork. It looks like people who
love open source seldom read the sources ;-)
Solaris does not come with PHP preconfigured, but Sun created the
CSKamp package in Cool Tools, which includes all three components configured
to work together. That means that to use ACID or BASE 1.2 on Solaris you need
to do the following:
- Remove the installed Apache and, if installed, the PHP and MySQL packages.
- Install the CSKamp package from Cool Tools. This package includes Apache
HTTP Server 2.0.58, MySQL 5.0.22 and PHP 5.1.4 built to work together. Apache
httpd is built with the prefork MPM and modules to support PHP, SSL and Perl.
PHP has support for MySQL. Note that, to work with PHP, the MySQL included in
this package is a 32-bit version for client-side use only.
- Install the updated libxml2 library from Sunfreeware with all the
prerequisites listed on its Sunfreeware page (the native Solaris library will
not work: PHP 5 needs RelaxNG support, which it lacks; see the forum thread
further down). Then remove the native library /usr/lib/libxml2.so.2 and link
the new one in its place. Note that this swaps the library for every program
on the system that uses it, so keep a copy of the originals if you want a way back:
rm /usr/lib/libxml2.so.2 /usr/lib/libxml2.so
ln -s /usr/local/lib/libxml2.so.2.6.26 /usr/lib/libxml2.so.2
ln -s /usr/local/lib/libxml2.so.2.6.26 /usr/lib/libxml2.so
You should end up with something like:
lrwxrwxrwx 1 root root 32 Oct 25 11:28 libxml2.so -> /usr/local/lib/libxml2.so.2.6.26*
lrwxrwxrwx 1 root root 32 Oct 25 11:00 libxml2.so.2 -> /usr/local/lib/libxml2.so.2.6.26*
- Start Apache and try to run a test.php that contains a single
phpinfo() call in the body:
<html><head>
<title>PHP test</title>
</head>
<body>
<?php phpinfo(); ?>
</body>
</html>
It should work. If not, consult Google about the error that you are getting.
- Change the document root of the Web server to /var/www/html.
- Unpack ACID or BASE in /var/www/html.
- Unpack ADODB in /var/www (outside the document root, so that the library
files are not served directly).
- Modify either acid_conf.php or base_conf.php. You have to set several
configuration parameters for ACID or BASE to work on your server:
- Location of the ADODB files. In our case $DBlib_path = '/var/www/adodb';
which is the adodb directory one level above the document root where the
ACID files are located, not under it.
- Type of database server: $DBtype = 'mysql';
- MySQL-related parameters: the database name for Snort log data (usually
snort), the database server name or IP address (usually localhost), the
port for communication with MySQL (the default is fine), the database user
name (usually snort) and the database password (whatever your choice might be):
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = 'whatever_you_chose';
Since this file holds the database password, keep it readable only by the
user Apache runs as.
- Optionally the same parameters for the archive database.
- If you want graphics then for ACID you also need to provide the location
of the PHPLOT files. ACID works OK without graphics.
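Before restarting Apache with the new module, the check below (an added example; not from this page, from Sun, or from any project) confirms that libphp5.so will actually load: it parses the output of ldd, reports anything ldd could not find, and verifies that libxml2.so.2 resolves to the Sunfreeware copy under /usr/local/lib rather than to the Solaris library in /usr/lib. The two ldd outputs in the block are constructed, modelled on the forum thread quoted further down, and the expected-prefix table is this example's own convention.

```python
"""Pre-flight check of libphp5.so before restarting Apache.

Added example, not from this page or from any project.  It parses Solaris
ldd output and reports: libraries or versions that were not found, and
dependencies that resolve somewhere other than where you expect (here: that
libxml2.so.2 resolves under /usr/local/lib, the Sunfreeware copy, rather than
to the Solaris library in /usr/lib).  The sample outputs are constructed.
"""
import re
import subprocess
from typing import Dict, List, Optional

# "libname.so.N (VERSION) => /path"   or   "libname.so.N => (file not found)"
DEP_RE = re.compile(r"^\s*(\S+)\s*(?:\(([^)]*)\))?\s*=>\s*(.*?)\s*$")


def parse_ldd(output: str) -> Dict[str, str]:
    """Map each requested soname (plus version tag, if any) to what ldd resolved it to."""
    deps: Dict[str, str] = {}
    for line in output.splitlines():
        m = DEP_RE.match(line)
        if m:
            name = m.group(1) + (f" ({m.group(2)})" if m.group(2) else "")
            deps[name] = m.group(3)
    return deps


def check_ldd(output: str, expected_prefix: Optional[Dict[str, str]] = None) -> List[str]:
    """Return human-readable problems; an empty list means the module looks loadable."""
    # Anything ldd itself flags: "(file not found)", "(version not found)" and,
    # with ldd -r on Solaris, "symbol not found: ..." lines.
    problems = [line.strip() for line in output.splitlines() if "not found" in line]
    deps = parse_ldd(output)
    # Libraries that exist in two places (Solaris vs Sunfreeware) load fine but
    # may still lack symbols, so check where they resolve, not just that they do.
    for name, prefix in (expected_prefix or {}).items():
        target = deps.get(name)
        if target is None:
            problems.append(f"{name}: not among the module's dependencies")
        elif not target.startswith(prefix):
            problems.append(f"{name}: resolves to {target}, expected a path under {prefix}")
    return problems


def preflight(module_path: str, expected_prefix: Optional[Dict[str, str]] = None) -> List[str]:
    """Run ldd -r on the module (on Solaris -r also reports unresolved symbols) and check it."""
    proc = subprocess.run(["ldd", "-r", module_path], capture_output=True, text=True, check=False)
    return check_ldd(proc.stdout + proc.stderr, expected_prefix)


# Example convention: libxml2 must come from the Sunfreeware install.
EXPECT_SUNFREEWARE_XML = {"libxml2.so.2": "/usr/local/lib/"}

# Constructed: the situation from the thread, Solaris libxml2 picked up from /usr/lib.
LDD_BEFORE = """\
        libresolv.so.2 =>        /usr/lib/libresolv.so.2
        libz.so =>       /usr/lib/libz.so
        libxml2.so.2 =>  /usr/lib/libxml2.so.2
        libiconv.so.2 =>         /usr/local/lib/libiconv.so.2
        libc.so.1 =>     /usr/lib/libc.so.1
        /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
"""
# Constructed: after installing the Sunfreeware libxml2, but with a stale zlib.
LDD_AFTER = """\
        libz.so.1 (SUNW_1.1) =>  (version not found)
        libxml2.so.2 =>  /usr/local/lib/libxml2.so.2.6.26
        libc.so.1 =>     /usr/lib/libc.so.1
"""

if __name__ == "__main__":
    for label, out in (("before", LDD_BEFORE), ("after", LDD_AFTER)):
        print(label, check_ldd(out, EXPECT_SUNFREEWARE_XML) or "OK")
```

Run preflight("/usr/local/apache2/modules/libphp5.so", EXPECT_SUNFREEWARE_XML) on the box (path as in the thread below) and only restart Apache when it returns an empty list; a plain ldd shows everything "found" in exactly the case the thread describes, which is why the resolution path is checked as well.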
It looks like the author does not know about the existence of the
Cool Tools packages. Still, the article contains a lot of useful information
about the details of installation and possible gotchas.
October 2006 (BigAdmin). Many documents and blogs can be found on the
Internet explaining how to use the Solaris 10 OS for a SAMP server (Solaris,
Apache 2, MySQL, PHP). However, many of these articles are for older versions
of the software packages or do not include the popular PHP language. Some of
them lack any detail or examples to help you understand the process. Before
starting, it should be clarified that an installation of the Solaris
10 OS or Solaris Express does include Apache 2.0.x and MySQL 4. The
Companion CD for the Solaris 10 OS also includes PHP 4. However, at
this time the Solaris OS does not bundle PHP 5 or MySQL 5.
An older article for configuring a SAMP server with the above packages
can be found among the community submissions on
the BigAdmin portal. However, that article lacks significant
detail and uses the older Apache 1.3.
Mel Lester's article (also on the BigAdmin portal) is well-written,
shows much detail, and is almost what we want. The only exception
is that Lester's article uses the version of MySQL 4 that is bundled
with the Solaris 10 OS, and not the current MySQL version 5.x that we
prefer.
The primary reason that many of us like
to rebuild software is to obtain recent versions of the packages, which
might include performance enhancements, bug and security fixes, and
compile-time options that provide features you may need for various
PHP web applications.
For this exercise, the installation will use the following software:
- Apache as delivered with the Solaris installation
- MySQL 5, from
Blastwave.org,
using
pkg-get to install it
- The latest PHP 5 from
php.net, downloaded
and compiled
[Oct 25, 2006] Problem with libxml2 on Solaris
PHPBuilder.com - Problem installing PHP5.0.2 with Apache2.0.52 in Solaris9
dgunawa
12-29-2004, 01:55 PM
I am trying to install PHP5 to my sparc Solaris 9 system.
I basically just did pkgadd the binary from sunfreeware.com.
(I did pkgadd for all necessary pkg before installing PHP
according to sunfreeware.com)
The following is my system:
- SunOS batavia 5.9 Generic_112233-11 sun4u sparc SUNW,Ultra-5_10
- PHP5.0.2
- Apache2.0.52
- mySql4.0.21
I tried to run the apache without PHP and it ran successfully.
But whenever I added the PHP, I kept getting this msg when
I start apachectl:
Syntax error on line 270 of /usr/local/apache2/conf/httpd.conf:
Cannot load /usr/local/apache2/modules/libphp5.so into server:
ld.so.1: /usr/local/apache2/bin/httpd: fatal: relocation
error: file /usr/local/apache2/modules/libphp5.so: symbol
xmlRelaxNGCleanupTypes: referenced symbol not found
Anybody can help, or can tell me why ?
thank you,
Dave
tsinka
12-31-2004, 07:45 AM
Hi,
execute the command
ldd /usr/local/apache2/modules/libphp5.so
and check the output for anything like "not found" (e.g.
"version not found").
Example:
libz.so.1 (SUNW_1.1) => (version not found)
That means that you need to install the zlib package.
Thomas
tsinka
12-31-2004, 07:51 AM
One more:
Execute the following command
xmllint --help
and check if that shows a relaxng option.
Thomas
dgunawa
12-31-2004, 10:25 AM
I did both:
[root@batavia:/usr/local/apache2/modules ] ldd libphp5.so
libresolv.so.2 => /usr/lib/libresolv.so.2
libm.so.1 => /usr/lib/libm.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libz.so => /usr/lib/libz.so
libxml2.so.2 => /usr/lib/libxml2.so.2
libiconv.so.2 => /usr/local/lib/libiconv.so.2
libc.so.1 => /usr/lib/libc.so.1
libmp.so.2 => /usr/lib/libmp.so.2
libpthread.so.1 => /usr/lib/libpthread.so.1
/usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
libthread.so.1 => /usr/lib/libthread.so.1
librt.so.1 => /usr/lib/librt.so.1
libaio.so.1 => /usr/lib/libaio.so.1
libmd5.so.1 => /usr/lib/libmd5.so.1
/usr/platform/SUNW,Ultra-5_10/lib/libmd5_psr.so.1
Seems like it found everything. And for xmllint:
[root@batavia:/usr/local/apache2/modules ] xmllint --help
Unknown option --help
Usage : xmllint [options] XMLfiles ...
Parse the XML files and output the result of the parsing
--version : display the version of the XML library used
--debug : dump a debug tree of the in-memory document
--shell : run a navigating shell
--debugent : debug the entities defined in the document
--copy : used to test the internal copy implementation
--recover : output what was parsable on broken XML documents
--noent : substitute entity references by their value
--noout : don't output the result tree
--htmlout : output results as HTML
--nowrap : do not put HTML doc wrapper
--valid : validate the document in addition to std well-formed
check
--postvalid : do a posteriori validation, i.e after parsing
--dtdvalid URL : do a posteriori validation against a given
DTD
--timing : print some timings
--output file or -o file: save to a given file
--repeat : repeat 100 times, for timing or profiling
--insert : ad-hoc test for valid insertions
--compress : turn on gzip compression of output
--sgml : use the DocBook SGML parser
--html : use the HTML parser
--push : use the push mode of the parser
--memory : parse from memory
--nowarning : do not emit warnings from parser/validator
--noblanks : drop (ignorable?) blanks spaces
--format : reformat/reindent the input
--testIO : test user I/O support
--encode encoding : output in the given encoding
--catalogs : use SGML catalogs from $SGML_CATALOG_FILES
otherwise XML Catalogs starting from
file:///etc/xml/catalog are activated by default
--nocatalogs: deactivate all catalogs
--auto : generate a small doc on the fly
--xinclude : do XInclude processing
--loaddtd : fetch external DTD
--dtdattr : loaddtd + populate the tree with inherited attributes
--dropdtd : remove the DOCTYPE of the input docs
Libxml project home page: http://xmlsoft.org/
To report bugs or get some help check: http://xmlsoft.org/bugs.html
Seems like there is no relaxng option. Could this be the
problem ? What should I do now ?
Thanks.....
Dave
tsinka
01-01-2005, 04:18 AM
Ok,
php 5 tries to load the libxml2 that comes with Solaris.
This version seems to lack relaxng support.
Download and install the libxml2
package from sunfreeware.com.
I must say that I have Solaris 8, but the libxml2 available
from sunfreeware.com for Solaris 8 comes with relaxng support
and works without any problems on my system.
Execute the ldd command again after
installing libxml2 and check if libxml2.so refers to something
like /usr/local/lib/libxml2.so.2
EDIT: Execute xmllint --version instead of xmllint --help.
That should show you which libxml version xmllint uses.
Thomas
dgunawa
01-01-2005, 11:50 PM
You are correct. That is the problem !
I installed the newest libxml2 from sunfreeware.com and
I don't have that problem anymore.
Thank you
[Oct 10, 2006] BASE+ 1.3.0 (daiga) released 2006-08-30; the announcement is
quoted in full in the BASE+ entry above.
This document provides a step-by-step guide to building an intrusion
detection system using open-source software. The process involves installing
Red Hat Linux 7.1, compiling, installing and configuring MySQL/Apache/ACID/Snort,
setting up Snort rules and hardening the machine. The document assumes a basic
level of understanding of Linux and computer technologies.
Snort is an open source network intrusion detection system, capable
of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis and content searching/matching in order
to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts,
and much more. Snort uses a flexible rules language to describe traffic
that it should collect or pass, as well as a detection engine that utilizes
a modular plug-in architecture.
Read this full article at Entropy.ie
Keeping the size of your Snort database under control is rather simple within Aanval.
Visit the Snort Module manager within the console and select the
Snort database auto-trimming feature along with the preferred number of records
to begin trimming at. Aanval will ensure the Snort database does not
grow beyond this record limit by trimming out the oldest events first.
As for deleting specific events from Aanval based on source, destination,
etc... Use the Event Browser or the Search query language like:
"sip:192.168.1.5 delete:"
This deletes all events with a source ip address of 192.168.1.5
* Of course take a look at the in-console help for more advanced
methods, or help in fine tuning your deleting.
-- SNIP --
Hello All,
I'm curious as to how people are managing the mysql backend data
that snort reports. I've been mulling over adding syslog entries
to the mix, but with the amount of denies I see at the borders/firewalls,
the database is
going to get unwieldy pretty fast. Not being a DBA but
knowing enough to get things up and running, is there any 'canned' scripts
out there to help me out? I'm thinking along the lines of possibly
archiving daily/weekly,
having the dbase drop entries older than X, or something to that effect.
Thoughts/suggestions?
Thanks!
There is much noise about Sguil from one of its co-authors, but his idea
that it is superior to ACID is a little far-fetched... From the project's
own description:
Sguil
(pronounced sgweel) is built by network security analysts for network
security analysts. Sguil's main component is an intuitive GUI that provides
realtime events from snort/barnyard. It also includes other components
which facilitate the practice of Network Security Monitoring and event
driven analysis of IDS alerts. The sguil client
is written in tcl/tk and can be run on any operating system that supports
tcl/tk (including Linux, *BSD, Solaris, MacOS, and Win32).
This article is excerpted from the newly published book
Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT,
Apache, MySQL, PHP, and ACID.
ACID consists of many PHP scripts and configuration files that work
together to collect and analyze information from a database and present
it through a Web interface. You have to have a Web server, database
server, PHP, and some other tools installed on your system to make it
work. I am using a Red Hat Linux 7.1 machine with the
Apache Web server, PHP, and MySQL, which are part of the Red Hat
distribution.
ACID offers many features:
- You can search on a large number of criteria like source and
destination addresses, time, and ports.
- You can view different parts of packet -- header parts as well
as the payload.
- You can manage alerts by creating alert classes and sending
them to an email address.
- Graphical representation includes charts based upon time, protocol,
IP addresses, port numbers, and classifications.
- You can take snapshots of the alerts database; for example,
you can view alerts for the last 24 hours, unique alerts, or frequent
alerts.
- You can go to different whois databases on the Internet to find
out who owns a particular IP address that is attacking your network.
All of these facilities are available through the Web browser. Support
packages like
GD library and
PHPLOT are used to print graphs on the Web pages. PHP connects to
the backend MySQL database to get and update data. For this purpose,
you have to provide the database user name and password.
Installation and configuration
Since ACID needs additional packages like PHPLOT and GD library to
work, you need to make sure that everything is installed properly. Fortunately
you can install components independently from each other in no particular
order. The following step-by-step process makes it easy to put everything
in place.
- Install and test Snort.
- Install and test MySQL. Create a database and tables so that
Snort can log its activity into the database. After that you have
to configure Snort using snort.conf file so that it logs its data
to the database server.
- Install Apache.
- Download ACID and uncompress it under the directory where Apache
looks for HTML files. (The Apache package that is part of the Red
Hat distribution has its HTML files under the /var/www/html directory.)
- Install PHP. (If you are using a precompiled or RPM version
of Apache, PHP may already have been built into it as a module.)
Set display_errors variable in /etc/php.ini to Off.
- Install GD library as /usr/lib/libgd.so.
- Uncompress PHPLOT in the directory where Apache looks for HTML
files. This software is used to create graphics in the Web pages.
- Download
ADODB and install it in the directory where Apache looks for
HTML files. ADODB is an object-oriented library written in PHP used
to connect to the database.
- If you want to archive old data using ACID, create a MySQL database
snort_archive using "create database snort_archive;" command and
grant permissions to a user (in our case username rr) to manage
the database using the command
grant CREATE,INSERT,DELETE,UPDATE,SELECT
on snort_archive.* to rr@localhost;.
- Create tables in this database using the command
mysql -u rr -p snort_archive < CONTRIB/CREATE_MYSQL
Now configure ACID so that it can interact with the MySQL database.
The same configuration file also tells ACID where to find the PHPLOT package.
The configuration process is simple and includes setting up different
parameters in the acid_conf.php configuration file which is located
in the same directory where you uncompressed the ACID files. In our
case, the file is located in the /var/www/html/acid directory. You have
to put information about the following items in this file:
- Location of ADODB files. In our case this path is ./adodb, which
is the adodb directory under the directory where ACID files are
located.
- Type of database server. For the example in this book the type
of server is "mysql".
- MySQL database name for Snort log data.
- MySQL database server name or IP address.
- MySQL database user name and password.
- Name of the archive database if you are using one.
- Database server name where archive database is located. In our
case both snort and snort_archive databases are located on localhost.
- Database user name and password to access snort_archive database.
- Location of PHPLOT files. In our case this is ./phplot-4.4.6,
which is the phplot-4.4.6 directory under the directory where ACID
files are located.
This information is present in the start of the acid_conf.php file.
The typical opening lines of this file in my installation are as follows:
<?php
$ACID_VERSION = "0.9.6b21";
/* Path to the DB abstraction library
* (Note: DO NOT include a trailing backslash after the
* directory)
* e.g. $foo = "/tmp" [OK]
* $foo = "/tmp/" [OK]
* $foo = "c:\tmp" [OK]
* $foo = "c:\tmp\" [WRONG]
*/
$DBlib_path = "./adodb";
/* The type of underlying alert database
*
* MySQL : "mysql"
* PostgresSQL : "postgres"
* MS SQL Server : "mssql"
*/
$DBtype = "mysql";
/* Alert DB connection parameters
 * - $alert_dbname : MySQL database name of Snort alert DB
 * - $alert_host : host on which the DB is stored
 * - $alert_port : port on which to access the DB
 * - $alert_user : login to the database with this user
 * - $alert_password : password of the DB user
 *
 * This information can be gleaned from the Snort database
 * output plugin configuration.
 */
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "rr";
$alert_password = "rr78x";
/* Archive DB connection parameters */
$archive_dbname = "snort_archive";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "rr";
$archive_password = "rr78x";
/* Type of DB connection to use
* 1 : use a persistant connection (pconnect)
* 2 : use a normal connection (connect)
*/
$db_connect_method = 1;
/* Path to the graphing library
* (Note: DO NOT include a trailing backslash after the directory)
*/
$ChartLib_path = "./phplot-4.4.6";
Use the same user name, password, and database name as you use in snort.conf
file.
Using ACID
If you have installed everything right, you should now be able to
access ACID by going to URL http://<your_web_server>/acid/. The first
time you visit this URL, ACID needs to perform some setup tasks. Click
the Setup page link to move to the DB Setup page. Click the "Create
ACID AG" link so that ACID can create its own table to support Snort.
ACID creates these tables in the main Snort database and uses them for
its own housekeeping data. You can now click the "Main Page" link towards
the bottom of the page to go to the main ACID page.
The ACID main page provides an overview of currently available data.
It has different sections to display information in groups. You can
view traffic profiles by different protocols, get a snapshot of sensors,
search data and see:
- A list of sensors that are logging data to the database.
- The number of unique alerts and their detail.
- The total number of alerts and their detail.
- Source IP addresses for the captured data. By following the
subsequent links, you can find the owner of the source IP address
by looking up whois databases.
- Destination IP addresses for captured data.
- Source and destination ports.
- Alerts related to a particular protocol, like TCP alerts, UDP
alerts, and ICMP alerts.
- Search alert and log data for particular entries.
- Most frequent alerts.
- Plot alert data, which is still experimental.
ACID can search the captured log and alert data using parameters
such as:
- A particular sensor, when you are using a central database to
log data from many Snort sensors.
- Time of alert using start and ending time.
- Source and destination addresses.
- Different fields in the IP packet header.
- Transport layer protocols.
- String of data in the payload area of the IP packet.
Searching for data in the database is easy. All the criteria that
you specify in this screen are translated to a SQL statement that is
passed to the MySQL database server. Results of your query are displayed
when you click the "Query DB" button. You can then click a particular
alert line to find out more information about that alert.
Snort can also be used to find fully qualified names for source and
destination addresses found in captured data. For example, to create
a list of unique destination IP addresses and hostnames, you can write
a rule that creates an alert for all outgoing HTTP requests, though
of course that is not intrusion activity.
To get whois information about a particular address, you can click
on any address and select a whois database, like
American Registry for Internet Numbers (ARIN). This information
is usually the first step to finding out the owner of the attacking
IP address and his contact information. Once you have it, you can contact
the owner and ask him to stop bad guys from probing your network.
[Jun 06. 2005]
Neohapsis Archives - Snort Discuss - #0021 - RE [Snort-users] acid-base
recovery
Doh!
I should have known that one.
Thanks Joel/Dominik!
-----Original Message-----
From: Joel Esler [mailto:eslerj
gmail.com]
Sent: Monday, June 06, 2005 12:25 PM
To: Dominik Gehl
Cc: John Hally; snort-users
lists.sourceforge.net
Subject: Re: [Snort-users] acid/base recovery
You would have to create the snort database found in the
"create_mysql" directory. This isn't the "ACID" database..per say..
it's the Database that Snort is commonly coded to log to..
On 6/6/05, Dominik Gehl <dgehl
inverse.ca>
wrote:
> Hi,
>
> you can find the MySQL db script to create
the ACID database in the
> snort distribution at snort-2.3.3/schemas/create_mysql
>
> Dominik
>
> On Mon, 2005-06-06 at 12:12 -0400, John Hally
wrote:
> > Hello All,
> > I had the unfortunate happen and lost a
raid array that housed all of
> > my alert data for BASE. I'm in the midst
of recovering and it looks
> > like that the sql files in the BASE tar
file are not the only one(s)
> > needed to rebuild the database. Is acid's
original sql table setup
> > required as well? Base is erroring with:
> >
> > Database ERROR: Table 'snort.iphdr' doesn't
exist
> > It does not exist after I've run:
> > Mysql -u (user) -p -D snort < create_base_tbls_mysql.sql
> > The tables have been created and this is
what I have in
> > my /usr/lib/mysql/snort directory:
> >
> > acid_ag_alert.frm
> > acid_ag.frm
> > acid_event.frm
> > acid_ip_cache.frm
> > base_roles.frm
> > base_users.frm
> > acid_ag_alert.MYD
> > acid_ag.MYD acid_event.MYD
> > acid_ip_cache.MYD
> > base_roles.MYD
> > base_users.MYD
> > acid_ag_alert.MYI
> > acid_ag.MYI
> > acid_event.MYI
> > acid_ip_cache.MYI
> > base_roles.MYI
> > base_users.MYI
> > Thanks in advance!
Sguil
(pronounced sgweel) is built by network security analysts for network
security analysts. Sguil's main component is an intuitive GUI that provides
realtime events from snort/barnyard. It also includes other components
which facilitate the practice of Network Security Monitoring and event
driven analysis of IDS alerts. The sguil client
is written in tcl/tk and can be run on any operating system that supports
tcl/tk (including Linux, *BSD, Solaris, MacOS, and Win32).
Placid
by Phil Deneault (dznzault@hiddzngroup.nzt, z's for e's)
Placid (Phil Loathes ACID) was created as a replacement
for CMU's
ACID. Acid was too big, too slow, and had too many requirements
for me. So I rewrote almost the entire thing(as well as added a few
new features) using Python.
Placid falls under the
GPL
You can download the newest version here:
placid-2.0.9.tar.gz
You can verify the checksums here:MD5/SHA1
checksums
The Bleeding Edge of Snort - Tool Similar to ACID-BASE
Tool Similar to ACID/BASE
Monday, November 29 2004 @ 12:40 PM EST
Contributed by:
jalexand
Views: 1057
I found a new front end to a snort data base that is very
fast and handles very large databases (ie millions of alerts). It might
be of interest to other bleeding snort users.
It can be found here
http://speakeasy.wpi.edu/placid/
Jason Alexander
The University of Iowa
Extremely weak and superficial paper
In order for BASE to function,
we must first install and configure a back end database, in this case
MySQL, to store the Snort alerts. In addition, we'll need Apache and
Snort compiled with MySQL support. We also need to install PHP and a
couple of PHP add-ons. ADOdb is an object-oriented PHP library used
to interface to the database. You may already have some of these necessary
tools on your system as part of the default distribution, depending
on what version of the operating system you're running. The instructions
below assume you are using the GNU tool chain (tar,
make,
gcc,
and so on).
MySQL
We first start by obtaining and
installing the MySQL package from
MySQL. When unpacking,
be sure to use GNU tar, since the tar shipped with the Solaris OS has
issues with long file names. To avoid dependencies, we'll configure MySQL
to build without libgcc and to link against the system zlib (the
--with-named-z-libs=z option below links -lz instead of the copy bundled
with the MySQL source), but we'll still compile against openssl. (This
assumes you've previously installed gcc and openssl.)
wget \
http://dev.mysql.com/get/Downloads/MySQL-4.1/mysql-4.1.13.tar.gz/\
from/http://mysql.mirrors.pair.com/
tar zxf mysql-4.1.13.tar.gz
cd mysql-4.1.13
LDFLAGS="-R/usr/local/lib" ./configure --prefix=/usr/local \
--with-openssl \
--without-docs \
--without-libgcc \
--with-named-z-libs=z
make
make install
If you run into issues compiling or installing MySQL, take a look
at the
Solaris OS section of the
MySQL Reference Manual.
Snort
Now that we have MySQL installed, we can compile Snort with MySQL
support. Slightly modify the installation directions from the
previous article on Snort:
../configure --with-mysql=/usr/local --with-openssl=/usr/local
Then follow the rest of the installation instructions provided there.
Now set up the Snort database in MySQL. First create the snort
database (the user and its permissions come after the tables exist):
mysqladmin -u root -p create snort
Next, run the MySQL script included in the Snort source directory
to create the appropriate tables:
mysql -u root -p < snort-2.3.3/schemas/create_mysql snort
Now add the snort user and set the permissions. The GRANT is what
creates the account, so it must come first; a SET PASSWORD FOR an
account that does not exist yet fails with "Can't find any matching
row in the user table":
mysql -u root -p snort
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost identified by 'snort_user_password';
mysql> flush privileges;
mysql> exit
Finally, edit the snort.conf file and modify the output plug-in, using
the password you just set for the snort account (host=localhost makes
the client library connect through the local MySQL socket):
output database: log, mysql, dbname=snort user=snort password=snort_user_password host=localhost
output database: alert, mysql, dbname=snort user=snort password=snort_user_password host=localhost
This will cause both log and alert data to be written to the database.
To verify that Snort is able to write to MySQL, make sure MySQL is
running, then start Snort with the following options:
snort -c /etc/snort.conf -g snort
Once Snort and MySQL are running, wait a few moments until it collects
some alert data. Then run the following command:
echo "SELECT count(*) FROM event" | mysql -u root -p snort
Your output should look similar to the following, where the number
is the number of alerts you've received:
count(*)
1
If the number is zero, then you haven't seen any traffic that will
trigger an alert, or you need to revisit your Snort/MySQL configurations.
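The grants above give the single snort account every privilege, and the BASE configuration later in this article reuses that same account for the web console, so a bug in the PHP front end is a bug with write access to the sensor data. What follows is an added example, not part of the Sun article or of the Snort and BASE projects, showing one way to split the privileges into a sensor account that can only add alerts and a console account for ACID/BASE; it also covers the snort_archive database used by the ACID chapter earlier on this page. The account names snort and base, the passwords, and the exact needs of the Snort 2.x database output plugin (inserts, id lookups, and the update of sensor.last_cid at shutdown) are assumptions; if Snort logs a permission error at start-up or shutdown, widen that grant.

```sql
-- Added example: least-privilege MySQL accounts for Snort + ACID/BASE.
-- Run as root: mysql -u root -p < accounts.sql   (MySQL 4.1/5.x syntax).
-- The snort and snort_archive tables are still created with Snort's
-- schemas/create_mysql script as described on this page.
CREATE DATABASE IF NOT EXISTS snort;
-- Optional archive database used by ACID's "archive alerts" action.
CREATE DATABASE IF NOT EXISTS snort_archive;

-- Sensor account (assumed needs of the Snort 2.x database output plugin):
-- INSERT for new rows, SELECT to look up sensor and signature ids, and
-- UPDATE only on sensor, where the plugin records last_cid at shutdown.
GRANT INSERT, SELECT ON snort.* TO 'snort'@'localhost'
    IDENTIFIED BY 'sensor_password';      -- placeholder password
GRANT UPDATE ON snort.sensor TO 'snort'@'localhost';

-- Console account for ACID/BASE (put these credentials, not the sensor's,
-- in acid_conf.php / base_conf.php): read everything, delete or move
-- alerts, and write into the archive database.
GRANT SELECT, INSERT, UPDATE, DELETE ON snort.* TO 'base'@'localhost'
    IDENTIFIED BY 'console_password';     -- placeholder password
GRANT SELECT, INSERT, UPDATE, DELETE ON snort_archive.* TO 'base'@'localhost';

-- The "Create ACID AG" / "Create BASE AG" setup page issues CREATE TABLE
-- and CREATE INDEX, so CREATE and INDEX are needed exactly once; revoke
-- them after setup so a compromised console cannot change the schema.
GRANT CREATE, INDEX ON snort.* TO 'base'@'localhost';
-- after the setup page has been run:
-- REVOKE CREATE, INDEX ON snort.* FROM 'base'@'localhost';
FLUSH PRIVILEGES;

-- Check 1, run as base@localhost: is every registered sensor still writing?
-- A sensor with NULL last_event has logged nothing in the last hour.
SELECT s.sid, s.hostname, s.interface,
       MAX(e.timestamp) AS last_event,
       COUNT(e.cid)     AS events_last_hour
  FROM sensor s
  LEFT JOIN event e
    ON e.sid = s.sid
   AND e.timestamp >= DATE_SUB(NOW(), INTERVAL 1 HOUR)
 GROUP BY s.sid, s.hostname, s.interface;

-- Check 2, run as snort@localhost: the sensor must not be able to delete.
-- The expected result is "DELETE command denied to user 'snort'@'localhost'".
-- DELETE FROM event WHERE sid = 0 AND cid = 0;
```

The split matters because the console is the part exposed to browsers: with these grants, an attacker who gets through BASE can read and delete alerts but cannot alter the schema, and the sensor's credentials in snort.conf never leave the sensor host.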
PHP
This article assumes that you're
running Apache as your web server, and that you've installed it with
the GNU layout. If you're using a different web server or have installed
Apache in a different location, these directions will need modification.
First, download PHP from a nearby mirror. I've chosen
us2.php.net:
wget http://us2.php.net/get/php-4.3.11.tar.gz
Now configure PHP to install into
/usr/local/php
and use apxs
to add the libphp4.so
module to Apache. The PHP configure lines below also tell PHP where
to find MySQL, GNU gettext,
OpenSSL,
zlib,
libjpeg,
and libpng:
LDFLAGS="-R/usr/local/lib" ./configure --prefix=/usr/local/php \
--enable-memory-limit=yes \
--with-apxs=/usr/local/sbin/apxs \
--with-gettext=/usr/local \
--with-exif \
--without-mm \
--with-mysql=/usr/local \
--with-openssl=/usr/local \
--with-zlib \
--with-jpeg-dir=/usr/local \
--with-png-dir=/usr/local \
--with-exec-dir=/usr/local/php/libexec \
--enable-cli \
--enable-sockets
make
make install
In a production environment, you'll
want to edit /usr/local/php/lib/php.ini
and set the display_errors
variable to off
so that debugging messages will not be inlined in the HTML. If you prefer
to have inline debugging messages, then it's recommended to at least
set the error_reporting
variable to E_ALL & ~E_NOTICE.
Obtain further information about
PHP
from the PHP web site,
and further information about Apache from the
Apache HTTP Server
Project site.
ADOdb
ADOdb is a performance-conscious
database abstraction layer for PHP. BASE requires ADOdb to talk to MySQL
on the back end. First, obtain the source:
wget http://unc.dl.sourceforge.net/sourceforge/adodb/adodb465.tgz
Then unpack the source and place
ADOdb where it can be accessed by BASE. The documentation recommends
placing it in the Apache document root, but you can also configure BASE
with ADOdb outside of Apache's tree (such as
/usr/local/share/)
if desired.
PEAR Modules
BASE documentation also recommends
installing several PEAR
modules. PEAR, the PHP Extension and Application Repository, is installed
as part of PHP and is to PHP what CPAN is to Perl. If
PEAR::Image_Graph
is not already installed, obtain it by running the following commands:
/usr/local/php/bin/pear install Image_Color
/usr/local/php/bin/pear install Log
/usr/local/php/bin/pear install Numbers_Roman
/usr/local/php/bin/pear install http://pear.php.net/get/Numbers_Words-0.13.1.tgz
/usr/local/php/bin/pear install http://pear.php.net/get/Image_Graph-0.3.0dev4.tgz
Installing and Configuring BASE
Now that all of the prerequisites are in place, we can install and
configure BASE itself.
Downloading and Installing BASE
First go to
http://prdownloads.sourceforge.net/secureideas/base-1.1.3.tar.gz?download
and pick a mirror from which to download the source code. Next, unpack
the source tarball into your Apache
DocumentRoot:
cd /usr/local/apache/htdocs
tar zxf /path/to/base-1.1.3.tar.gz
mv base-1.1.3 base
Use the supplied SQL script to add the BASE housekeeping tables to the
snort database:
mysql -u root -p < base/sql/create_base_tbls_mysql.sql snort
If you're using a database other
than MySQL or upgrading to BASE from ACID, there are different scripts
available in the base/sql
directory.
Configuring BASE
Once you create the database, configure
BASE by copying the base_conf.php.dist
file to base_conf.php
and customizing it to fit your environment:
cd base
cp base_conf.php.dist base_conf.php
Options in the config file are all well commented, but those listed
below are the minimum that must be set.

Variable           Meaning                                              Example
$DBlib_path        Full path to the ADOdb installation                  "/usr/local/share/adodb"
$DBtype            Type of database used                                "mysql"
$Use_Auth_System   Set to 1 to force users to authenticate to use BASE  0
$BASE_urlpath      The root URI of your site                            "/base"
$alert_dbname      The alert database name                              "snort"
$alert_host        The alert database server                            "localhost"
$alert_port        TCP port of the database server (leave blank when
                   MySQL is reached through its local Unix socket)      ""
$alert_user        The username for the alert database                  "snort"
$alert_password    The password for that username                       "snort_user_password"
Until the authentication portion
of BASE is working properly, protect the directory where you installed
BASE. Apache can be configured to deny access based on IP address, as
well as to require a user to enter a password. Modify
/usr/local/apache/etc/httpd.conf
and add something like the following. Note that the Order keywords are
written without a space after the comma and that an AuthName containing
spaces must be quoted, or Apache will refuse the configuration:
<Directory /usr/local/apache/htdocs/base/>
Order Deny,Allow
Deny from All
Allow from 192.168.1.100
AuthType Basic
AuthName "Access is restricted."
AuthUserFile /path/to/htpasswd/file
require valid-user
</Directory>
With Apache's default Satisfy All, both controls apply: a client must
come from 192.168.1.100 and present a valid password.
Populate the
.htpasswd
file with username and encrypted password data. Please refer to the
documentation on the
Apache web site
for more help on configuring access restriction.
Using BASE
You should now have a functional
BASE install accessible at
http://www.your.domain/base,
and you're ready to begin using the GUI to view and manage alerts.
The BASE project team is proud to announce the release of BASE 1.2.
This release is available from the project homepage on SF.net
http://sourceforge.net/projects/secureideas
We would like to thank everyone that had a part in making this
release a success.
This release fixes a number of bugs people were having with PHP 5
and searches. Alex Butcher also submitted a patch to fix the sort issue
some people were experiencing. We also have fixes to emails regarding
portscans and with quotes on one of the pages. (Thanks Michael and Nikns!).
A number of features were added in this release. These features
include:
- The ability to download a binary file of the packet that caused the
Snort alert.
- Increased the number of sources
for port information
- Added Internet Storm Center
Source/Subnet report
- TrustedSource.org IP lookup
- The ability to look up signatures
from a local source
We hope that these features and fixes will increase the ability of
BASE to meet your needs. And we welcome any and all feedback regarding
this release and any other release of BASE.
Thanks
Kevin Johnson and the BASE project team
---------------------
BASE Project Lead
http://sourceforge.net/projects/secureideas
http://base.secureideas.net
The next step in IDS analysis!
I realize this won't fix your problem with ACID, but the problem you are
having now I ran into in 2002 and it was the straw that broke the camel's
back. I had too many problems with ACID(its lack of speed, its separate
'back' button, its use of PHP, its inability to handle multiple instances
from a single browser, etc) so I rewrote my own using just python cgi
scripts. It is slightly scaled back from ACID(it lacks a decent graph
feature, and a few other things) but it performs MUCH better. On my 2Ghz
database system, I've been able to have 40 million records in the database
before the CGI's started timing out.
Its available at http://speakeasy.wpi.edu/placid/.
The nice thing about it is that since it only reads from the database, you
can run it in tandem with ACID. It will just ignore any ACID specific
data.
Phil
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Phil Deneault "We work in the dark. We do what we can.
deneault at wpi.edu We give what we have.
Network Security Analyst Our doubt is our passion,
Network Operations and our passion is our task.
Worcester Polytechnic Institute The rest is the madness of art."
http://www.wpi.edu/~deneault/ - Henry James
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
On Mon, 24 Jan 2005, Michael Holstein wrote:
> I don't know if the folks at CERT still maintain ACID (www.cert.org/kb/acid)
> but I know there are lots of us (myself included) that probably still use it.
>
> The "search" feature tops out at 2004 as of version 0.9.6b23 (most recent one
> they've got posted). For those who haven't figured it out on their own, it's
> a simple fix :
>
> Modify the following two files and add these lines (they look just like the
> previous several lines .. search for '2004' in the file).
>
> acid_stat_time.php:
> <OPTION VALUE="2005" '.chk_select($time[$i][2],"2005").'>2005
>
> acid_state_citems.inc:
> echo ' <OPTION VALUE="2005"
> '.chk_select($this->criteria[$i][4],"2005").'>2005</SELECT>';
>
> If anyone wants the lazy way, email me and I'll just send you a copy of both
> of those that have values up to 2007.
>
> Cheers,
>
> Michael Holstein CISSP GCIA
> Cleveland State University
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
[May 30, 2003]
SNORT-ACID install on Solaris9 ACID installation includes MySQL and
Apache installation
While slightly outdated, this is still the only more or less coherent
document explaining installation from Sun.
This is one chapter, but the whole book is freely available. To obtain
the whole book (this chapter is "Using ACID and SnortSnarf with Snort") go to the publisher
site: [PDF]
Intrusion Detection Systems with Snort Advanced IDS Techniques
...
This book excerpt is from Chapter 6 of Intrusion Detection with
SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and
ACID by Rafeeq ur Rehman, ISBN 0-13-140733-3, copyright 2003. All
rights reserved. This chapter, titled "Using ACID and SnortSnarf with
SNORT" is posted with permission from Prentice Hall PTR.
Analysis Console for Intrusion Databases (ACID) is a tool used to
analyze and present Snort data using a Web interface. This chapter provides
information about ACID and discusses how to install it with MySQL and
Snort to view and analyze the intrusion detection data logged by Snort
into the database.
In addition to ACID, the chapter also provides basic information
about SnortSnarf, another tool that can be used with a web server. SnortSnarf
is able to parse Snort log files and generate HTML pages that can be
viewed using a Web browser.
Author: Rehman, Rafeeq ur
Download: to obtain the whole book go to the publisher site
List:
snort-users
Subject: [Snort-users] Script to cleanup ACID/Snort
Alerts in MySQL DB...
From:
"Dusty Hall" <halljer () auburn
! edu>
Date:
2003-04-03 23:34:23
Gang,
I just thought I'd pass this script along.. hopefully it will
save someone some time/grief. The main reason I wrote it is because
we are still in the process of tweaking Snort and our number of Alerts
get out of hand quickly. ACID's frontend to delete the Alerts
timed out most of the time and I wanted a way to schedule the cleanup
of Alerts..
Later,
-Dusty
--CODE--
#!/usr/bin/perl -w
#----------------------------------------
# name: alert_cleanup.pl
#
# description: script to cleanup snort/acid db (only tested w/mysql)
#
# goal: allows you to schedule db cleanup without using php frontend
#
# usage: snort_db_cleanup.pl "2003-04-01 8:00:00" "2003-04-01 9:00:00"
#
# comments: dusty hall, halljer@<NOSPAM>auburn.edu
#----------------------------------------
use strict;
use DBI;

my $ds      = "dbi:mysql:snort";
my $db_user = "acid_user";
my $db_pass = "secret";
my $db = DBI->connect($ds, $db_user, $db_pass, { RaiseError => 1 })
    or die $DBI::errstr;

my %timeframe;
$timeframe{start}  = $ARGV[0];
$timeframe{finish} = $ARGV[1];
die "usage: $0 \"YYYY-MM-DD HH:MM:SS\" \"YYYY-MM-DD HH:MM:SS\"\n"
    unless defined $timeframe{start} && defined $timeframe{finish};
chomp $timeframe{start};
chomp $timeframe{finish};

# Find every (sid,cid) pair ACID knows about inside the window. The window
# bounds are passed as bind values rather than interpolated into the SQL.
my $time_select = "select sid,cid from acid_event
    where timestamp >= ? and timestamp <= ?";
my $exec_time_select = $db->prepare($time_select);
$exec_time_select->execute($timeframe{start}, $timeframe{finish});

my ($sid, $cid);
$exec_time_select->bind_columns(undef, \$sid, \$cid);

# Snort and ACID tables keyed by (sid,cid); acid_ag_alert uses ag_sid/ag_cid.
# Prepare each DELETE once and reuse it for every alert in the window.
my @tables = qw(event iphdr tcphdr udphdr icmphdr opt data acid_event);
my %delete = map {
    $_ => $db->prepare("delete from $_ where sid=? and cid=?")
} @tables;
$delete{acid_ag_alert} =
    $db->prepare("delete from acid_ag_alert where ag_sid=? and ag_cid=?");

while ($exec_time_select->fetch) {
    $delete{$_}->execute($sid, $cid) for keys %delete;
}

$exec_time_select->finish;
$_->finish for values %delete;
$db->disconnect;
--CODE--
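Dusty Hall's script deletes row by row, nine statements per alert, which is what makes a large window slow and what made ACID's own "Delete" button time out. The following is an added example, not from the post above, of the same cleanup written as set operations: collect the keys once, then issue one multi-table DELETE per table. It assumes the stock Snort 2.x schema plus ACID's acid_event and acid_ag_alert tables, MySQL 4.0 or later for the multi-table DELETE syntax, and a console account named base (a placeholder); the window timestamps are the ones from the post's usage line.

```sql
-- Added example: set-based cleanup of one time window in the snort/acid DB.
-- Run as the console account: mysql -u base -p snort < cleanup.sql
-- Snort's tables are normally MyISAM, so there is no transaction to roll
-- back: look at the count before the deletes and run in a quiet period.

-- 1. Collect the (sid,cid) keys inside the window once. event is the
--    authoritative table; acid_event is ACID's denormalised copy of it.
CREATE TEMPORARY TABLE purge (
    sid INT UNSIGNED NOT NULL,
    cid INT UNSIGNED NOT NULL,
    PRIMARY KEY (sid, cid)
);
INSERT INTO purge (sid, cid)
    SELECT sid, cid
      FROM event
     WHERE timestamp >= '2003-04-01 08:00:00'
       AND timestamp <= '2003-04-01 09:00:00';

-- Sanity check before anything is removed.
SELECT COUNT(*) AS alerts_to_purge FROM purge;

-- 2. Multi-table DELETE: only rows of the table named after DELETE are
--    removed; purge is just the join driver. Child tables first, event last.
DELETE data          FROM data          JOIN purge USING (sid, cid);
DELETE opt           FROM opt           JOIN purge USING (sid, cid);
DELETE icmphdr       FROM icmphdr       JOIN purge USING (sid, cid);
DELETE udphdr        FROM udphdr        JOIN purge USING (sid, cid);
DELETE tcphdr        FROM tcphdr        JOIN purge USING (sid, cid);
DELETE iphdr         FROM iphdr         JOIN purge USING (sid, cid);
DELETE acid_ag_alert FROM acid_ag_alert JOIN purge
                       ON acid_ag_alert.ag_sid = purge.sid
                      AND acid_ag_alert.ag_cid = purge.cid;
DELETE acid_event    FROM acid_event    JOIN purge USING (sid, cid);
DELETE event         FROM event         JOIN purge USING (sid, cid);

-- 3. Nothing inside the window should be left in the parent table.
SELECT COUNT(*) AS leftovers
  FROM event
 WHERE timestamp >= '2003-04-01 08:00:00'
   AND timestamp <= '2003-04-01 09:00:00';

DROP TEMPORARY TABLE purge;
```

Because the keys are materialised first, the deletes are not affected by alerts that the sensor inserts while the job runs, and the final count shows whether the window was really emptied. The same file can be fed to cron in place of the Perl script, with the two timestamps substituted per run.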
Forum: SecurePoint - Snort mailing list archive
Date: 2002, Apr 05
From: Denis Romanov <nobody
at nowhere.com>
Hi Ed! If you think this is an incorrect way of dealing with the
snort_archive, please let me know.
In case no one answered your question yet. If you have done this
before, just disregard it. I would go over your snort_archive database
again.
Verify if the password is ok.
Check your acid_conf.php file,
there is a section which takes care of the archive feature in ACID.
/* Archive DB connection parameters */
$archive_dbname = "snort_archive";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "root";
$archive_password = "password"; ///change the password to yours
Login to your mysql and recheck
if your snort_archive tables are
present.
If not, you will have to create them the same way you did your snort
tables.
#mysql -p < /usr/local/src/snort-1.8.4/contrib/create_mysql snort_archive
then grant DELETE,INSERT,SELECT
privileges to snort_archive, like
you did to snort.
#mysql -p
>grant INSERT,SELECT,DELETE on snort_archive.* to root@localhost;
>FLUSH PRIVILEGES;
>quit
Back to ACID, and try archiving again. It should work. Regards, Denis
Message: 3
From: "Ed Spick" <es
AT soas.ac DOT uk>
To:
snort-users AT lists.sourceforge DOT net
Date: Thu, 4 Apr 2002 17:00:18 +0100
Subject: [Snort-users] acid-archive-snortprob
Hi
I have a problem with archiving of snort alerts logged to mysql
running through acid, hope someone can help ?
my config :
Acid 0.9.6b20
snort 1.8.3-5
php 4.1.2
mysql 3.23.49a
adodb 172 (also tried 180)
apache 1.3.22
redhat 7
Whenever I choose an alert and ask to move it to the archive database
I get this fatal error :
Fatal error: Call to a member function on a non-object in /var/www/html/acid/acid_db.inc
on line 93
Not sure whether this is a php or an adodb or a mysql problem
? The archive database is there with the correct permissions and
as far as I have read everything is configured as required by the
documentation. I've searched archives for last year - no-one else
seems to have seen this ?
Any help gratefully received as I have over 400,000 alerts to archive
Cheers ed spick
Very incomplete and from a rather suspect author (Anton Chuvakin :-).
The only useful info is how to split the log stream if you are listening on
several interfaces.
Many companies find it hard to justify acquiring the
IDS systems due to their perceived high cost of ownership. However,
not all IDS systems are prohibitively expensive. This is second part
of a two-part article that will provide a set of detailed directions
to build an affordable intrusion detection architecture from hardware
and freely available software. In this installment we shall discuss
Web interface configuration, summaries and daily reporting, automated
attack response, sensor installation, installation of the central station,
and big distributed IDS systems.
Web Interface Configuration
First, you should deploy an Apache Web server with an
SSL support, if it is not already installed by the Debian config. The
command to run is "apt-get install apache-ssl". When configuring, you
will be asked for some information that is required to generate the
SSL key pair. One needs to enter the same server name as was used for
the base Linux set-up.
Next, ACID IDS console is deployed via "apt-get install
acidlab". This is yet another point when the choice of Debian becomes
clear, as there are no packages to compile and no dependences to troubleshoot.
Answering the set-up questions is easy. The only one that needs special
attention is the question about the database user: it is not root as
suggested by the set-up script, but the “acid” user, which we already
created during the database set-up. You should also agree to inserting
string with PHP module into config file and running the apache config
script.
At the time of writing, there was a small bug in the
ACID package install script: by default, the script does not install
MySQL support for PHP needed for ACID. So, this should be done by hand:
# apt-get install php4-mysql
and Apache should be restarted as follows for the changes
to take effect:
/etc/init.d/apache-ssl restart
Now, the system can be tested. For this one should go
to the appropriate page using HTTPS protocol: https://<the server address
or name>/acidlab/ . On the first load, one will be asked to click on
the “Setup Page” link to complete the installation. On this page the
“create_AG” button should be pushed. With this, set-up is almost complete;
the only remaining part is to limit the access to the server via Apache
basic authentication.
The following lines should be added to the /etc/acidlab/apache.conf
file after the “AllowOverride None” line:
AuthType Basic
AuthName "Restricted"
AuthUserFile .htpasswd
Require valid-user
In addition, one can restrict access only from specified
IP addresses. For example, if one wants to allow access to ACID console
only from 192.168.2.1, 192.168.2.2 and the entire 192.168.1.0 C-class network,
the appropriate changes are (Apache's allow directive takes a
space-separated list, not a comma-separated one):
order deny,allow
deny from all
allow from 192.168.1.0/255.255.255.0 192.168.2.1 192.168.2.2
To complete the access control set-up, one should go
to the /etc/apache-ssl directory and create the password file:
# htpasswd -c .htpasswd <username>
You will be prompted for password. Several users can
be added by the “htpasswd .htpasswd <username1>”, etc commands.
The IDS system is now fully operational with Web access
to alerts and packet data.
Some other free consoles exist for Snort. One of the
better known free ones is
SnortCenter. This is a Web-based client-server management system
written in PHP and Perl. It includes SSL-encryption, built-in user authentication,
rules management and multi-language support.
The latest and greatest Snort front end is made by
Sourcefire, home of Marty Roesch and Snort. The slick web GUI seamlessly
integrates alarm viewing with rule management, a big advantage over
other Web front ends. It also provides a simple, but flexible interface
for rule editing and many useful alarm viewing modes (including graphing)
as well as full control over other aspects of Snort behavior, such as
preprocessor configuration. Sourcefire GUI also has an option of issuing
live signature updates directly from the Sourcefire site.
Additional Features
There are some additional features, which you can use
to make IDS administration and event analysis process even easier. One
good idea is to add daily reporting and some attack response capabilities.
Summaries and Daily Reporting
The most essential part of IDS deployment is monitoring
of routine network activity. An effective way to accomplish this is
to get daily reports on the activity. To provide daily statistics, one
can query the alert MySQL database or configure Snort to also output
data to syslog for summarization. The former approach can be implemented
using SnortReport, which is available at
http://www.circuitsmaximus.com/download.html. It can be used for
real-time or historical reporting from the MySQL or PostgreSQL database
of alarms generated by Snort.
Many tools are written to use the latter approach of summarizing Snort
alarms from syslog.
SnortSnarf by Silicon Defense is perhaps the best known of
these. It can produce HTML reports from Snort alert files, including a
port-scan summary, an alert summary by signature, alert summaries by source
and destination, and others. Other scripts include
snort_stat and
LogHog.
To simplify the analysis of events from many sensors
running on the same machine (such as the VLAN case), one can use
a simple syslog filtering trick. Add a line to the corresponding snort.conf.ethX
file, choosing a different local facility for each sensor; for the first
sensor, running on interface eth1:
output alert_syslog: LOG_LOCAL1 LOG_ALERT
It is convenient to use different syslog facilities (LOG_LOCAL1, LOG_LOCAL2,
etc.) to distinguish the information flows and direct them into different
log files for summary reporting. In /etc/syslog.conf the facility is
written in lower case without the LOG_ prefix, and the selector and the
file name are separated by a tab (older syslogd versions do not accept
spaces). For a 3-sensor machine one needs to add the following lines:
local1.*	/var/log/snort/snorty-eth1.log
local2.*	/var/log/snort/snorty-eth2.log
local3.*	/var/log/snort/snorty-eth3.log
Now, before the log rotation procedure (enabled by default
on Debian) runs, you simply need to run whichever Snort summarizing script
you prefer against the Snort log files and mail the output to the
appropriate address. For example, here is an /etc/logrotate.d/syslog entry
that uses snort_stat.pl for daily summaries:
/var/log/snort/snorty-eth1.log
{
    prerotate
        /bin/cat /var/log/snort/snorty-eth1.log \
        | /usr/local/bin/snort_stat.pl -i ETH1 -f \
        | /usr/bin/mail -s "Snort Daily Report for sensor eth1" cert@our.org
    endscript
    rotate 7
    create 644 root root
    daily
    compress
    postrotate
        /etc/init.d/syslog restart >/dev/null 2>&1
    endscript
}
The Snort log for the sensor running on eth1 is fed through snort_stat.pl,
the report is e-mailed to “cert@our.org", and the log is then rotated,
compressed and stored. The postrotate step restarts syslogd so that it
reopens the freshly created file; Snort itself keeps running, since it
writes through syslog rather than to the file directly. Consider "create
640 root adm" instead of 644: the alert log reveals internal addresses and
rule hits to every local user.
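The two steps above (one syslog facility per sensor, then a daily summary
mailed from prerotate) are easy to reproduce without snort_stat.pl. The
following script is an added example, not code from this page or from any
of the tools it lists; it assumes the line layout that Snort's alert_syslog
plugin produces once syslogd has prefixed its timestamp, host and tag, and
handles only IPv4 addresses. The sample log lines are constructed, not
captured from a real sensor.

```python
"""Daily summary of Snort alerts delivered through syslog (alert_syslog output).

Added example, not code from the page or from snort_stat.pl/SnortSnarf.
Assumed line layout after syslogd has prefixed timestamp, host and tag:

  Mon DD HH:MM:SS host snort[pid]: [gid:sid:rev] msg
      [Classification: text] [Priority: N] {PROTO} src[:sport] -> dst[:dport]
"""
import re
import sys
from collections import Counter
from typing import Dict, Iterable, Optional

# Ports are optional (ICMP alerts carry none) and Classification is optional
# (rules without a classtype omit it), so both groups are optional here.
ALERT_RE = re.compile(
    r"""^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+
        snort(?:\[\d+\])?:\s+
        \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+
        (?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?
        \[Priority:\s+(?P<prio>\d+)\]\s+
        \{(?P<proto>\w+)\}\s+
        (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+
        (?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$""",
    re.VERBOSE,
)


def parse_alert(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the fields of one Snort alert line, or None for any other syslog line."""
    m = ALERT_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def summarize(lines: Iterable[str]) -> dict:
    """Count alerts by signature, source, destination and priority."""
    by_sig, by_src, by_dst, by_prio = Counter(), Counter(), Counter(), Counter()
    total = skipped = 0
    for line in lines:
        a = parse_alert(line)
        if a is None:
            skipped += 1  # other daemons sharing the facility, or a corrupt line
            continue
        total += 1
        by_sig[(a["gid"], a["sid"], a["rev"], a["msg"])] += 1
        by_src[a["src"]] += 1
        by_dst[a["dst"]] += 1
        by_prio[int(a["prio"])] += 1
    return {"total": total, "skipped": skipped, "by_sig": by_sig,
            "by_src": by_src, "by_dst": by_dst, "by_prio": by_prio}


def render_report(summary: dict, sensor: str, top: int = 10) -> str:
    """Plain-text report: the body of the daily e-mail sent from prerotate."""
    out = [f"Snort daily report for sensor {sensor}",
           f"alerts: {summary['total']}   unparsed lines: {summary['skipped']}",
           "", "Top signatures:"]
    for (gid, sid, rev, msg), n in summary["by_sig"].most_common(top):
        out.append(f"  {n:6d}  [{gid}:{sid}:{rev}] {msg}")
    out.append("Top sources:")
    for ip, n in summary["by_src"].most_common(top):
        out.append(f"  {n:6d}  {ip}")
    out.append("Top destinations:")
    for ip, n in summary["by_dst"].most_common(top):
        out.append(f"  {n:6d}  {ip}")
    out.append("By priority:")
    for prio, n in sorted(summary["by_prio"].items()):
        out.append(f"  {n:6d}  priority {prio}")
    return "\n".join(out)


# Constructed sample input, not captured from a real sensor.  The kernel line
# shows why non-Snort lines on the same facility must be skipped, not counted.
SAMPLE_LOG = """\
Mar  3 01:02:03 ids snort[2213]: [1:1002:7] WEB-IIS cmd.exe access [Classification: Web Application Attack] [Priority: 1] {TCP} 10.9.8.7:3345 -> 192.168.1.20:80
Mar  3 01:02:04 ids snort[2213]: [1:1002:7] WEB-IIS cmd.exe access [Classification: Web Application Attack] [Priority: 1] {TCP} 10.9.8.7:3346 -> 192.168.1.21:80
Mar  3 01:05:00 ids snort[2213]: [1:469:3] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.9.8.7 -> 192.168.1.20
Mar  3 01:06:10 ids snort[2213]: [1:1000001:1] local test rule [Priority: 3] {UDP} 192.168.1.5:53 -> 192.168.1.20:1029
Mar  3 01:07:00 ids kernel: eth1: link up
"""

if __name__ == "__main__":
    # Usage from prerotate:  cat /var/log/snort/snorty-eth1.log | python3 snort_daily.py
    # or:                    python3 snort_daily.py /var/log/snort/snorty-eth1.log
    # With no file and no piped input the constructed sample is summarized.
    if len(sys.argv) > 1:
        source = open(sys.argv[1])
    elif not sys.stdin.isatty():
        source = sys.stdin
    else:
        source = SAMPLE_LOG.splitlines()
    print(render_report(summarize(source), sensor="eth1"))
```

The output of the script can replace the snort_stat.pl stage in the
prerotate pipeline above. Counting by the (gid, sid, rev) tuple rather than
by message text keeps two revisions of the same rule apart, and skipped
lines are reported so that a misconfigured facility shows up as a large
"unparsed" count instead of silently empty reports.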
Building Snort with ACID (Analysis
Console for Intrusion Databases) is not that difficult. On some
level it may seem complex because there is a lot to compile, recompile,
configure, install and reinstall. Don’t throw in the towel. Stick
with it and you shall prosper. It’s well worth it. I have built
snort with ACID more than 10 times in the last two months. Based
on those experiences, I have done everything to make your experience
quick and easy.
But, before we get started let’s clear
up a few things first.
In case of broken links
please try a Google search. If you find the page, please notify
us about the new location.
Notes: ACID was written for PHP 4, and PHP 5 is not backward compatible
with it, so any document that claims to install ACID under PHP 5 is probably
fake. Also, ACID/BASE cannot benefit from Apache 2.x; Apache 1.x probably
should be used in appliance-style installations.
While slightly outdated, this 13-page PDF document is still the only
more or less coherent document from Sun explaining the installation.
SourceForge.net
Project Info - BASE
Note: Most of the work done by forkers is vanity-fair
related fake activity. The original documents are the only ones that still
provide some insight into the application.
ACID: Frequently Asked Questions (FAQ)
AIR-CERT - Analysis
Console for Intrusion Databases (ACID)
Documentation (applicable to v0.9.5 and later)
Analysis Console for Intrusion Databases (ACID) - old site
Analysis Console
for Intrusion Databases (ACID) - new site on SourceForge
ACID Installation and Configuration (http://www.andrew.cmu.edu/user/rdanyliw/snort/acid_config.html)
Last Updated: October 9, 2002
Notes:
- Most documents do not cover critical details of the installation and
thus should be used with caution. Details can be very different
on Solaris than on Red Hat, as Red Hat comes preconfigured with Apache,
PHP and MySQL (although the configuration is not completely suitable for
running BASE). On Solaris you are on your own, but you can use some
precompiled packages from sunfreeware to simplify the task.
[PDF]
Snort, Apache, PHP, MySQL and Acid Install on RH9.0
One of the best installation documents available.
[Oct 26, 2005]
BigAdmin Feature Article Analyzing Snort Data With the Basic Analysis and
Security Engine (BASE)
Pretty weak article, but at least Solaris-based. Do not believe
that the author managed to install BASE correctly :-)
Amy Rich, October 2005
Abstract:
This article describes storing Snort alert output in
a MySQL database and using the web front end BASE to analyze the data.
Contents
In the article
Introduction to Intrusion Detection With Snort, I covered basic
concepts of intrusion detection and the installation and use of Snort,
a network-based intrusion detection system (NIDS). In this article,
I'll detail storing Snort alert output in a MySQL database and using
the web front end
BASE
to analyze the data. BASE is the successor to ACID, the Analysis Console
for Intrusion Databases, developed by Roman Danyliw at the CERT Coordination
Center as a part of the
AirCERT
(Automated Incident Reporting) project. BASE is actively maintained
and supported by a team of volunteers led by Kevin Johnson and Joel
Esler.
HOWTO Setup BASE with Apache, Snort, and PostgreSQL - Gentoo Linux Wiki
HOWTO Build Snort with ACID
[Outdated]
Snort-Setup for Statistics HOWTO by spoppi at gmx.de v1.01, Feb
23, 2002
As stated before ACID needs a couple of additional programs installed
to work correctly. While a database system like MySQL version 3.23+,
a webserver with PHP 4.0.2+ support like apache with the PHP
module mod_php and ADODB version 0.93+ are required, the graphics
library gd version 1.8+ and PHPlot version 4.4.6+ are optional
but recommended. Since apache, the PHP module and gd
are almost always included and installed with any linux distribution
they are not covered in this document.
For snort 1.8+ you'll need at least ACID 0.9.6b13. ACID is shipped
with my RPM in the contrib section but may be an outdated version since
ACID is developed rapidly. So you should always have a look at ACID's
homepage if a newer version exists.
Install ACID into a directory visible to your webserver like
/var/www/html/acid/.
In /var/www/html/acid/acid_conf.php you'll have to edit
some variables to suit your environment.
First of all define the database type in the variable DBtype.
Next define all alert_* and archive_* variables.
In ChartLib_path you define the path to PHPlot, in our case
/var/www/html/phplot.
The last variable you have to define is portscan_file where
you put in the complete path and filename of snort's portscan logfile.
All other variables should be sufficient for now. You can edit them
to suit your needs.
Here's the config I use:
<?php
$ACID_VERSION = "0.9.6b15";
/* Path to the DB abstraction library
* (Note: DO NOT include a trailing backslash after the directory)
* e.g. $foo = "/tmp" [OK]
* $foo = "/tmp/" [OK]
* $foo = "c:\tmp" [OK]
* $foo = "c:\tmp\" [WRONG]
*/
$DBlib_path = "/var/www/html/adodb";
/* The type of underlying alert database
*
* MySQL : "mysql"
* PostgreSQL : "postgres"
*/
$DBtype = "mysql";
/* Alert DB connection parameters
* - $alert_dbname : MySQL database name of Snort alert DB
* - $alert_host : host on which the DB is stored
* - $alert_port : port on which to access the DB
* - $alert_user : login to the database with this user
* - $alert_password : password of the DB user
*
* This information can be gleaned from the Snort database
* output plugin configuration.
*/
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "xxxx";
/* Archive DB connection parameters */
$archive_dbname = "snort_archive";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "snort";
$archive_password = "xxxx";
/* Type of DB connection to use
* 1 : use a persistent connection (pconnect)
* 2 : use a normal connection (connect)
*/
$db_connect_method = 1;
/* Path to the graphing library
* (Note: DO NOT include a trailing backslash after the directory)
*/
$ChartLib_path = "/var/www/html/phplot";
/* File format of charts ('png', 'jpeg', 'gif') */
$chart_file_format = "png";
/* Chart default colors - (red, green, blue)
* - $chart_bg_color_default : background color of chart
* - $chart_lgrid_color_default : gridline color of chart
* - $chart_bar_color_default : bar/line color of chart
*/
$chart_bg_color_default = array(255,255,255);
$chart_lgrid_color_default = array(205,205,205);
$chart_bar_color_default = array(190, 5, 5);
/* Maximum number of rows per criteria element */
$MAX_ROWS = 20;
/* Number of rows to display for any query results */
$show_rows = 50;
/* Number of items to return during a snapshot
* Last _X_ # of alerts/unique alerts/ports/IP
*/
$last_num_alerts = 15;
$last_num_ualerts = 15;
$last_num_uports = 15;
$last_num_uaddr = 15;
/* Number of items to return during a snapshot
* Most Frequent unique alerts/IPs/ports
*/
$freq_num_alerts = 5;
$freq_num_uaddr = 15;
$freq_num_uports = 15;
/* Number of scroll buttons to use when displaying query results */
$max_scroll_buttons = 12;
/* Debug mode - how much debugging information should be shown
* Timing mode - display timing information
* SQL trace mode - log SQL statements
* 0 : no extra information
* 1 : debugging information
* 2 : extended debugging information
*
* HTML no cache - whether a no-cache directive should be sent
* to the browser (should be = 1 for IE)
*
* SQL trace file - file to log SQL traces
*/
$debug_mode = 0;
$debug_time_mode = 1;
$html_no_cache = 1;
$sql_trace_mode = 0;
$sql_trace_file = "";
/* Auto-Screen refresh
* - Refresh_Stat_Page - Should certain statistics pages refresh?
* - Stat_Page_Refresh_Time - refresh interval (in seconds)
*/
$refresh_stat_page = 1;
$stat_page_refresh_time = 180;
/* Display First/Previous/Last timestamps for alerts or
* just First/Last on the Unique Alert listing.
* 1: yes
* 0: no
*/
$show_previous_alert = 1;
/* Sets maximum execution time (in seconds) of any particular page.
* Note: this overrides the PHP configuration file variable
* max_execution_time. Thus script can run for a total of
* ($max_script_runtime + max_execution_time) seconds
*/
$max_script_runtime = 180;
/* How should the IP address criteria be entered in the Search screen?
* 1 : each octet is a separate field
* 2 : entire address is as a single field
*/
$ip_address_input = 2;
/* Resolve IP to FQDN (on certain queries?)
* 1 : yes
* 0 : no
*/
$resolve_IP = 0;
/* Should summary stats be calculated on every Query Results page
* (Enabling this option will slow page loading time)
*/
$show_summary_stats = 1;
/* DNS cache lifetime (in minutes) */
$dns_cache_lifetime = 20160;
/* Whois information cache lifetime (in minutes) */
$whois_cache_lifetime = 40320;
/* Snort spp_portscan log file */
$portscan_file = "/var/log/snort/portscan.log";
/* Event cache Auto-update
*
* Should the event cache be verified and updated on every
* page log? Otherwise, the cache will have to be explicitly
* updated from the 'cache and status' page.
*
* Note: enabling this option could substantially slow down
* the page loading time when there are many uncached alerts.
* However, this is only a one-time penalty.
*
* 1 : yes
* 0 : no
*/
$event_cache_auto_update = 1;
/* Link to external Whois query */
$external_whois_link = "http://www.samspade.org/t/ipwhois?a=";
?>
You wonder why I use xxxx as password? Well, do you like
your password to be available for everyone in the world? j/k >8)
When first calling ACID via your browser you'll get a hint that you
have to install ACID support in the chosen database. Click on Setup
and ACID should create the required entries in the database. If everything
is set up correctly you'll get all the information which is currently
in the database, normally nothing at this time ;)
Try to trigger some snort rules with snot (see section above)
or e.g. nmap (see
http://www.nmap.org/,
a portscanner with many more capabilities) or nessus (see
http://www.nessus.org/,
a security scanner to find vulnerabilities of a system).
Now you should get all alarms right at the time they happen with ACID.
[PDF]
Installation Instructions for ACID
[PDF]
Snort Enterprise Implementation
Project-ACID_Oracle
There is much noise about Sguil from one of the co-authors, but his idea
that it is superior to ACID is a little bit far-fetched...
Sguil
(pronounced sgweel) is built by network security analysts for network
security analysts. Sguil's main component is an intuitive GUI that provides
realtime events from snort/barnyard. It also includes other components
which facilitate the practice of Network Security Monitoring and event
driven analysis of IDS alerts. The sguil client
is written in tcl/tk and can be run on any operating system that supports
tcl/tk (including Linux, *BSD, Solaris, MacOS, and Win32).
At this point you might think Sguil is a cool way to look at Snort
alerts. It certainly is, but we're only getting started. The question
that NSM theory was designed to answer was stated in the beginning
of the book: "Now what?" Now that we have an alert, what does the analyst
do with it? Most commercial and many open source systems leave analysts
with alerts and expect them to make escalation decisions based on the
information present in the alert. The fact that Snort can be tweaked
to show the information seen thus far is a big win for the open source
community. Where do we go next?
Sguil
is designed to collect alert, session, and full content data. If we
have the Snort sensor configured to log
libpcap data for port
80 TCP, we can take the next step using full content data. If
we right-click on the sid.cid
field of the highlighted event, we are given options to query the following
items...
RazorBack is a log analysis program that interfaces
with the SNORT open source Intrusion Detection System to provide real
time visual notification when an intrusion signature has been detected
on the network. Snort should be configured to send data to syslog for
razorback to display the data.
Pixie - open source Cisco Pix log analysis tool (uses MySQL and PHP)
Copyright © 1996-2009 by Dr. Nikolai Bezroukov.
www.softpanorama.org was
created as a service to the UN Sustainable Development Networking Programme (SDNP)
in the author's free time.
This document is an industrial compilation designed and created
exclusively for educational use and is placed under the copyright of the
Open Content License (OPL).
Site uses AdSense, so you need to be aware of Google's privacy policy. Original materials copyright belongs to respective owners. Quotes are made
for educational purposes only in compliance with the fair use doctrine.
Disclaimer:
- The statements, views and opinions presented on
this web page are those of the author and are not endorsed by, nor do they necessarily
reflect, the opinions of the author's present and former employers, SDNP or any other
organization the author may be associated with.
- We do not warrant the correctness of the information provided or its
fitness for any purpose.
- In no way is this site associated with, nor does it endorse, cybersquatters
using
the term "softpanorama" with other main or country domains (e.g. softpanorama.com) with
bad-faith intent to profit from the goodwill belonging to
someone else.
Last updated:
August 15, 2009
-Alex