Softpanorama (slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-)

Acid/Base on Solaris

The Analysis Console for Intrusion Databases (ACID) is a rather slow PHP-based analysis engine to search and process the database of security events generated by snort. It is mostly useful as a generic event viewing tool. Theoretically it is not limited to Snort: conversion from other types of events can be done by a script like logsnorter ( www.snort.org/downloads/logsnorter-0.2.tar.gz).

ACID was written by Roman Danyliw in early 2000. It was written as a part of  abandoned in 2003 AIRCERT project at the CERT Coordination Center (they should probably spend more money of such projects then simply wasting them on alerts, conferences and red tape -- actually they duplicate a lot of work done by U.S. DOE-CIAC). 

Roman Danyliw maintained it in his free time for three years (the last update of ACID is dated February 2, 2004) and probably at some point decided that "enough is enough".

He currently (as of 2006) serves as the chair of the Extended Incident Handling IETF working group which is a part of the CERT/NetSA (Network Situational Awareness) Team.

He also works on the System for Internet-Level Knowledge (SiLK) NetFlow suite. 

Architecturally the tool is good and was well designed. The architecture chosen permits to slice Snort alerts in different sometimes non-trivial ways. It definitely can help to understand and analyze the large alerts stream.  Capabilities can be discovered only by extensive trial and error as good documentation and usage Acid in analysis of stream of alerts are currently absent.

ACID GUI is pretty capable and its functionality can compete with proprietary applications. It's pretty sad and speaks volumes about CERT bureaucracy that they drop the support of this project (project that perfectly fits CERT charter ) despite its quite large user base and minimum amount of money needed for such a support.  This lack of leadership is very sad but well too common...

If used on small to medium streams of alerts ACID is really helpful in analysis of traffic and the quality of interface of comparable with commercial offerings  (although shortcomings mentioned below diminished its value). 

It features:

• Query-builder and search interface for finding alerts matching on alert meta information (e.g. signature, detection time) as well as the underlying network evidence (e.g. source/destination address, ports, payload, or flags).
   
• Packet viewer (decoder) will graphically display the layer-3 and layer-4 packet information of logged alerts
   
• Alert management by providing constructs to logically group alerts to create incidents (alert groups), deleting the handled alerts or false positives, exporting to email for collaboration, or archiving of alerts to transfer them between alert databases.
   
• Chart and statistics generation based on time, sensor, signature, protocol, IP address, TCP/UDP ports, or classification

ACID is written in PHP and thus, like any open source tool, is customizable by the user.  ACID code is not operating systems dependent. It can be unpacked and after modification of config file works OK on Solaris 10 or OpenSolaris. Here is an OpenSolaris example:

SERVER: Apache/2.0.55 (Unix) mod_ssl/2.0.55 OpenSSL/0.9.7d PHP/4.4.1
SERVER HW: SunOS example 5.11 snv_23 sun4u
PHP VERSION: 4.4.1
PHP API: apache2handler
PHP Logging level: (2039) [E_ERROR] [E_WARNING] [E_PARSE] [E_CORE_WARNING] [E_CORE_ERROR] [E_COMPILE_ERROR] [E_COMPILE_WARNING]
Loaded Modules: [ xml ] [ tokenizer ] [ standard ] [ sockets ] [ session ] [ posix ] [ pcre ] [ overload ] [ mysql ] [ gettext ] [ gd ] [ ctype ] [ zlib ] [ openssl ] [ apache2handler ] 

DB Type: mysql
DB Abstraction Version: V4.68 25 Nov 2005 (c) 2000-2005 John Lim (jlim#natsoft.com.my). All rights reserved. Released BSD & LGPL.
ALERT DB Name: snort
ARCHIVE DB Name: snort_archive

ACID is not scalable beyond several hundred thousand alerts and in real situation with stock Snort signatures events database needs periodic purging due to huge amount of false positives that clutter the database (see acid_perf.html for some interesting statistics).  You can improve the situation slightly writing a Perl script (or script in any other language) that deletes/modifies the most obnoxious rules automatically with each update.  Doing this manually each time is really counterproductive.

On low end V210 with 2 CPUs, 2G of memory and 10K RPM drives and Solaris 10 it became sluggish after 100K events, slow after 300K and unusable with about million events cached. On a better Linux dual core server (two dual core 3GHz CPUs 4G of RAM) with faster (1.33GHz)  memory and the same 10K RPMs drives (under RHEL 4.3) it become sluggish approximately after 300K alerts: a noticeable improvement.  I think 15K drives can make working with 500K alerts  on this server feasible. 

Please note that without careful tuning of your ruleset on large traffic stream the alert database grows very fast and usually became unusable in 24 hours. In latter case the load time can exceed 10 min.

The number of events should kept within approximately 200K range for ACID to remain usable on a V210. This goal requires pretty high level of tuning of snort ruleset. Without tuning snort ruleset on high volume connection (approximately one megabyte of traffic per second) produces such amount of false positives that the number of events can exceed ACID capability to process them in 12 hours or less. In one of my experiments I accumulated 2,857,175 alerts using a subset of snort standard ruleset that come with snort 2.4 (slightly cleaned from most obvious noise; let's say half-tuned) in one night on 100Mps link.

You need to drop the snort database to "revive" ACID from coma. But dropping database each 12 or even 24 hours is an overkill. You need approximately a week of data to see any trends.

As ACID development was dropped by CERT, attempts to "revive" it as well as to bypass some of the ACID limitations led to creation of several derivative packages. Among them we can mention:

• Placid by Phil Deneault (dznzault@hiddzngroup.nzt, z's for e's)  This is a much more compact (138K of code) and faster package.  Note: codebase contains cleanout-snort -- a Perl script for cleaning of ACID database.

  Placid(Phil Loathes ACID) was created as a replacement for CMU's ACID. Acid was too big, too slow, and had too many requirements for me. So I rewrote almost the entire thing (as well as added a few new features) using Python.
  
  Placid is a stateless CGI-based snortdb frontend. It has many of the same features(and some different ones besides) but takes much less overhead and doesn't require anything except apache and python. No PHP had to be beaten into submission in using this tool.

• BASE (the Basic Analysis and Security Engine.) A fork of ACID database. Questionable quality and more bloated codebase but it work and is more recent then the rogonal codebase. The latest version that is verified to work with Solaris is 1.2:

The BASE project team is proud to announce the release of BASE 1.2. This release is available from the project homepage on SF.net http://sourceforge.net/projects/secureideas

 We would like to thank  everyone that had a part in making this release a success.

This release fixes a number of bugs people were having with PHP 5 and searches. Alex Butcher also submitted a patch to fix the sort issue some people were experiencing. We also have fixes to emails regarding portscans and with quotes on one of the pages...

 A number of features were added in this release. These features include:

• The ability to download a binary file of the packet that caused the Snort alert.
• Increased the number of sources for port information
• Added Internet Storm Center Source/Subnet report
• TrustedSource.org IP lookup
• The ability to look up signatures from a local source

• BASE+ BASE+ is a fork of base by Nikns Siankin that does not depend on ADODB library (few functions used from ADODB are included inside the main tree). Latest version 1.30 and it is more recent then BASE.  BASE+ 1.3.0 (daiga) released   2006-08-30

  "The BASE+ team is proud to announce that the 1.3.0 (daiga) release of the Basic Analysis and Security Engine (BASE+) is now available from:
  
  http://sourceforge.net/projects/baseplus
  
  This release comes after five months of enormous amounts of effort. Improvements which I would like to highlight:

  • does not depend on external ADOdb library, since minimum code is integrated into BASE+
  • do not need to edit base_conf.php by hand - all can be done using new configuration graphical user interface

  In this release we fully support one more database backend - IBMDB2 (since snort-2.6 supports it) and finally Oracle has been fully supported.
  
  PDF and XLS report generation code by Mordread Wallas has been implemented. Also in this release authentication code has been audited and hardened. The full CHANGELOG is available in the release tarball.
  
  I would also like to welcome new team members and thank the departed ones for all of their hard work ].
  
  Thanks again
  Nikns"

Please note that from my limited experience with BASE (I did not try BASE+ yet) it looks more like "vanity" project that lasted for a year and was abandoned after that, so it is unclear whether the codebase for BASE is an improvement over ACID or not.  Superficially it looks like only non-essential, "cosmetic", presentation-related staff, useless setup scripts as well as sources renaming with minor refactoring. They added one table: base_users  to provide multi-user environment, but as Base is mainly an event reader, so the value of this idea is minimal. The quality of refactoring is low; I would call it more "GPL-inspired codebase vandalizing" then refactoring. 

ACID originally has a large codebase (as Phil Deneault, the author of Python reimplementation,  noted "Acid was too big, too slow, and had too many requirements for me"), but there is a noticeable additional bloat in BASE codebase ( more then 50% growth in byte count). In case you need to understand some code (that's what open source is about, is not it :-) I recommend to use the original ACID codebase first. 

From brief analysis it looks like BASE mainly added some internationalization code (as if English is not a standard de facto in computing :-)  and user maintenance code

Quality of error checking deteriorated and sometimes BASE does not produce diagnostic messages in situations where ACID does (just try to use PHP without MySQL support compiled -- in BASE you will be greeted with blank screen while ACID produced a correct diagnostic message).

Refactoring done in BASE included an introduction of  a more-or-less standard tree directory structure. While ACID codebase is flat and that's is a small deficiency, BASE  codebase is organized with the usage of a separate ./includes directory, ./sql directory (there are ~ 16K of sql code in acid) and several others, typical for modern applications directories tree design (images, docs, styles, etc). There is also a directory ./setup with badly written, largely useless setup files  (47K) which try to generate base_conf.php from user answers on badly/incorrectly formulated questions :-).

Introduction of   ./includes and  ./sql  subdirectories is definitely logical. But it was done poorly: the ./includes directory is actually very big ( 388K, more then a half of total codebase) and it contains files that should never be classified as includes.  Root directory still contains file that properly should be classified as includes (for example base_common.php ).

Please note that BASE contains two large modules that has nothing to do with basic functionality: includes/class.ezpdf.php and includes/class.pdf.php. They are 103K and 56K respectively so discrepancy in codebase sizes is smaller that it looks.

Here is the table that shows some correspondences between ACID and BASE codebases:

Moreover BASE does not have basic functionality necessary to the functional package (automatic  maintenance mode like moving event to archive after N days, the functionality that was present in ACID).  Without automatic movement of alerts to the archive BASE its usable only in hobby projects: after a hundred thousand alerts (please note that default snort signatures are very noisy) it became slow, then very slow and then non-responsive.  Manual deletion works but it's not enough.

All-in-al it looks like another demonstration of the weaknesses of GPL licensing.  If my observation is true it's amazing how many people who write about Snort were fooled by this fork. It looks like people who love open source seldom read sources ;-)

Solaris Idiosyncrasies

Solaris does not comes with PHP preconfigured but Sun created CSQamp package from cooltools which includes all three components configured to work together. That means that to use Acid or Base 1.2 on Solaris you need to do the following:  

1. Remove installed apache, and if installed PHP and MySql packages
    
2. Install CSQamp package from cooltools. This package includes Apache HTTP Server 2.0.58, MySQL 5.0.22 and PHP 5.1.4 built to work together. Apache httpd is built with MPM pre-fork and modules to support PHP, SSL and Perl. PHP has support for MySQL. Note, to work with PHP, MySQL included in this package is a 32-bit version for client-side use only.
    
3. Install updated libxml2 library from Sunfreeware (Solaris native library will not work) with all the prerequisites listed below:
   • libxml2-2.6.26-sol10-sparc-local.gz Libxml2 is the XML C library developed for the Gnome project - installs in /usr/local. libxml2 requires that the zlib, libiconv, and either libgcc-3.4.6 or gcc-3.4.6 packages be installed.
      
4. Remove native library /usr/lib/libxml2.so.2  and link new one to libxml2.so.2
   
   rm /usr/lib/libxml2.so.2 /usr/lib/libxml2.so
   ln -s /usr/local/lib/libxml2.so.2.6.26 /usr/lib/libxml2.so.2
   ln -s /usr/local/lib/libxml2.so.2.6.26 /usr/lib/libxml2.so

   You should have something like
   
   lrwxrwxrwx 1 root root 32 Oct 25 11:28 libxml2.so -> /usr/local/lib/libxml2.so.2.6.26*
   lrwxrwxrwx 1 root root 32 Oct 25 11:00 libxml2.so.2 -> /usr/local/lib/libxml2.so.2.6.26*
    

5. Start Apache and try to run test.php that should contain a single line <?phpinfo( )?> in the body:
   
   <html><head>
   <title>PHP test</title>
   </head>
   <body>
   <?phpinfo( )?>
   </body>
   </html>
   
   It should work. If not consult Google about the error that you are getting.
    
6. Change the root of the Web server to /var/www/html.
    
7. Unpack acid or base in /var/www/html
    
8. unpack adodb  in /var/www
    
9. Modify iether acid_conf.php or base_conf.php  config file

   You have to put several configuration parameters in orse Asid of Base to work on your server:

   • Location of ADODB files. In our case $DBlib_path = '/var/www/adodb';  which is the adodb directory under the directory where ACID files are located.
   • Type of database server. $DBtype = 'mysql';
   • MySQL-related parameters. They include:
     • MySQL database name for Snort log data ( Usually snort)
     • MySQL database server name or IP address (usually localhost)
     • Port for communication with MySQL database (default is fine)
     • MySQL database user name ( usually snort)
     • MySQL database password (whatever your choice might be).
       
       $alert_dbname = 'snort';
       $alert_host = 'localhost';
       $alert_port = '';
       $alert_user = 'snort';
       $alert_password = 'whatever_you_chose';
        
   • Optionally same parameters for archive database.
   • If you want graphic then for Acid you need to provide the location of PHPLOT files. ACID works OK without graphic.

Notes: Those pages are written by people for whom English is not a native language. Some amount of grammar and spelling errors should be expected. This is a Spartan WHYFF (We Help You For Free) site. It cannot replace the best teachers and the best books. The site contain some obsolete pages as it develops like a living tree... Some links on older pages are broken. Please try to use Google, Open directory, etc. to find a replacement link (see HOWTO search the WEB for details). We would appreciate if you can mail us a correct link. Search Amazon by keywords:     Open directory Research Index

Old News ;-)

[Nov 3, 2006] BigAdmin Feature Article SAMP (Solaris, Apache 2, MySQL 5, and PHP 5) Setup for Solaris 10 OS and Solaris Express by Neal Pollack

It looks like the author does not know about the existence of  Cool Tools packages. Still the article contains a lot of useful information about details of installations and possible gotchas.

October 2006 (BigAdmin). Many documents and blogs can be found on the Internet explaining how to use the Solaris 10 OS for a SAMP server (Solaris, Apache 2, MySQL, PHP). However, many of these articles are for older versions of the software packages or do not include the popular PHP language. Some of them lack any detail or examples to help you understand the process.

Before starting, it should be clarified that an installation of the Solaris 10 OS or Solaris Express does include Apache 2.0.x and MySQL 4. The Companion CD for the Solaris 10 OS also includes PHP 4. However, at this time the Solaris OS does not bundle PHP 5 or MySQL 5.

An older article for configuring a SAMP server with the above packages can be found among the community submissions on the BigAdmin portal. However, that article lacks significant detail and uses the older Apache 1.3. Mel Lester's article (also on the BigAdmin portal) is well-written, shows much detail, and is almost what we want. The only exception is that Lester's article uses the version of MySQL 4 that is bundled with the Solaris 10 OS, and not the current MySQL version 5.x that we prefer.

The primary reason that many of us like to rebuild software is to obtain recent versions of the packages, which might include performance enhancements, bug and security fixes, and compile-time options that provide features you may need for various PHP web applications.

For this exercise, the installation will use the following software:

• Apache as delivered with the Solaris installation
• MySQL 5, from Blastwave.org, using pkg-get to install it
• The latest PHP 5 from php.net, downloaded and compiled

[Oct 25, 2006] Problem with libxml2 on Solaris

PHPBuilder.com - Problem installing PHP5.0.2 with Apache2.0.52 in Solaris9

[Oct 10, 2006] BASE+ BASE+ is a fork of BASE by Nikns Siankin that does not depend on ADODB library

Latest version 1.30 and it is more recent then BASE.  BASE+ 1.3.0 (daiga) released   2006-08-30

"The BASE+ team is proud to announce that the 1.3.0 (daiga) release of the Basic Analysis and Security Engine (BASE+) is now available from:

http://sourceforge.net/projects/baseplus

This release comes after five months of enormous amounts of effort. Improvements which I would like to highlight:

* does not depend on external ADOdb library, since minimum code is integrated into BASE+
* do not need to edit base_conf.php by hand - all can be done using new configuration graphical user interface

In this release we fully support one more database backend - IBMDB2 (since snort-2.6 supports it) and finnaly Oracle has been fully supported.

PDF and XLS report generation code by Mordread Wallas has been implemented. Also in this release authentication code has been audited and hardened. The full CHANGELOG is available in the release tarball.

I would also like to welcome new team members and thank the departed ones for all of their hard work ].

Thanks again
Nikns"

[May 10, 2006] [PDF] snort4-latest

This document provides a step-by-step guide to building an intrusion detection system using open-source software. The process involves Installing RedHat Linux 7.1, Compiling/Installing and configuration of MySql/Apache/ACID/Snort, Setup of Snort rules f Hardening of Machine The document assumes a basic level understanding of linux and computer technologies.. . . This document provides a step-by-step guide to building an intrusion detection system using open-source software. The process involves Installing Red Hat Linux 7.1, Compiling/Installing and configuration of MySql/Apache/ACID/Snort, Setup of Snort rules f Hardening of Machine The document assumes a basic level understanding of linux and computer technologies.

Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching in order to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture.

Read this full article at Entropy.ie 

[Apr 22 2006] Neohapsis Archives - Snort Discuss - #0153 - [Snort-users] RE BASE-AAnval MySQL dbase management

[unisog] ACID not 2005 compliant

[Oct 25, 2005] SGUIL - The Analyst Console for Network Security Monitoring.

There is much noise about Sguil from one of the co-authors but his idea that it is superior to ACID is a little bit far fetched...

Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil's main component is an intuitive GUI that provides realtime events from snort/barnyard. It also includes other components which facilitate the practice of Network Security Monitoring and event driven analysis of IDS alerts. The sguil client is written in tcl/tk and can be run on any operating system that supports tcl/tk (including Linux, *BSD, Solaris, MacOS, and Win32).

NewsForge/Using ACID and SnortSnarf with Snort

This article is excerpted from the newly published book Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID.

ACID consists of many PHP scripts and configuration files that work together to collect and analyze information from a database and present it through a Web interface. You have to have a Web server, database server, PHP, and some other tools installed on your system to make it work. I am using a Red Hat Linux 7.1 machine with the Apache Web server, PHP, and MySQL, which are part of the Red Hat distribution.

ACID offers many features:

• You can search on a large number of criteria like source and destination addresses, time, and ports.
• You can view different parts of packet -- header parts as well as the payload.
• You can managed alerts by creating alert classes and sending them to an email address.
• Graphical representation includes charts based upon time, protocol, IP addresses, port numbers, and classifications.
• You can take snapshots of the alerts database; for example, you can view alerts for the last 24 hours, unique alerts, or frequent alerts.
• You can go to different whois databases on the Internet to find out who owns a particular IP address that is attacking your network.

All of these facilities are available through the Web browser. Support packages like GD library and PHPLOT are used to print graphs on the Web pages. PHP connects to the backend MySQL database to get and update data. For this purpose, you have to provide the database user name and password.

Installation and configuration

Since ACID needs additional packages like PHPLOT and GD library to work, you need to make sure that everything is installed properly. Fortunately you can install components independently from each other in no particular order. The following step-by-step process makes it easy to put everything in place.

• Install and test Snort.
• Install and test MySQL. Create a database and tables so that Snort can log its activity into the database. After that you have to configure Snort using snort.conf file so that it logs its data to the database server.
• Install Apache.
• Download ACID and uncompress it under the directory where Apache looks for HTML files. (The Apache package that is part of the Red Hat distribution has its HTML files under /var/www/html directory.
• Install PHP. (If you are using a precompiled or RPM version of Apache, PHP may already have been built into it as a module.) Set display_errors variable in /etc/php.ini to Off.
• Install GD library as /usr/lib/libgd.so.
• Uncompress PHPLOT in the directory where Apache looks for HTML files. This software is used to create graphics in the Web pages.
• Download ADODB and install it in the directory where Apache looks for HTML files. ADODB is an object-oriented library written in PHP used to connect to the database.
• If you want to archive old data using ACID, create a MySQL database snort_archive using "create database snort_archive;" command and grant permissions to a user (in our case username rr) to manage the database using the command grant CREATE,INSERT,DELETE,UPDATE,SELECT on snort_archive.* to rr@localhost;.
• Create tables in this database using the command mysql -u rr -p snort_archive <CONTRIB/CREATE_MYSQL.
• Set display_errors variable in /etc/php.ini to Off.

Now configure ACID so that it can interact with the MySQL database. The configuration process also enables Snort to use the PHPLOT package. The configuration process is simple and includes setting up different parameters in the acid_conf.php configuration file which is located in the same directory where you uncompressed the ACID files. In our case, the file is located in the /var/www/html/acid directory. You have to put information about the following items in this file:

• Location of ADODB files. In our case this path is ./adodb, which is the adodb directory under the directory where ACID files are located.
• Type of database server. For the example in this book the type of server is "mysql".
• MySQL database name for Snort log data.
• MySQL database server name or IP address.
• MySQL database user name and password.
• Name of the archive database if you are using one.
• Database server name where archive database is located. In our case both snort and snort_archive databases are located on localhost.
• Database user name and password to access snort_archive database.
• Location of PHPLOT files. In our case this is ./phplot-4.4.6, which is the phplot-4.4.6 directory under the directory where ACID files are located.

This information is present in the start of the acid_conf.php file. The typical opening lines of this file in my installation are as follows:

<?php

$ACID_VERSION = "0.9.6b21";

/* Path to the DB abstraction library
* (Note: DO NOT include a trailing backslash after the
* directory)
* e.g. $foo = "/tmp" [OK]
* $foo = "/tmp/" [OK]
* $foo = "c:\tmp" [OK]
* $foo = "c:\tmp\" [WRONG]
*/
$DBlib_path = "./adodb";

/* The type of underlying alert database
*
* MySQL : "mysql"
* PostgresSQL : "postgres"
* MS SQL Server : "mssql"
*/
$DBtype = "mysql";

/* Alert DB connection parameters
* - $alert_dbname : MySQL database name of Snort
: alert DB
* - $alert_host : host on which the DB is stored
* - $alert_port : port on which to access the DB
* - $alert_user : login to the database with
: this user
* - $alert_password : password of the DB user
*
* This information can be gleaned from the Snort database
* output plugin configuration.
*/
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "rr";
$alert_password = "rr78x";

/* Archive DB connection parameters */
$archive_dbname = "snort_archive";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "rr";
$archive_password = "rr78x";

/* Type of DB connection to use
* 1 : use a persistant connection (pconnect)
* 2 : use a normal connection (connect)
*/
$db_connect_method = 1;

/* Path to the graphing library
* (Note: DO NOT include a trailing backslash after the directory)
*/
$ChartLib_path = "./phplot-4.4.6";

Use the same user name, password, and database name as you use in snort.conf file.

Using ACID

If you have installed everything right, you should now be able to access ACID by going to URL http://<your_web_server>/acid/. The first time you visit this URL, ACID needs to perform some setup tasks. Click the Setup page link to move to the DB Setup page. Click the "Create ACID AG" link so that ACID can create its own table to support Snort. ACID creates these tables in the main Snort database and uses them for its own housekeeping data. You can now click the "Main Page" link towards the bottom of the page to go to the main ACID page.

The ACID main page provides an overview of currently available data. It has different sections to display information in groups. You can view traffic profiles by different protocols, get a snapshot of sensors, search data and see:

• A list of sensors that are logging data to the database.
• The number of unique alerts and their detail.
• The total number of alerts and their detail.
• Source IP addresses for the captured data. By following the subsequent links, you can find the owner of the source IP address by looking up whois databases.
• Destination IP addresses for captured data.
• Source and destination ports.
• Alerts related to a particular protocol, like TCP alerts, UDP alerts, and ICMP alerts.
• Search alert and log data for particular entries.
• Most frequent alerts.
• Plot alert data, which is still experimental.

ACID can search the captured log and alert data using parameters such as:

• A particular sensor, when you are using a central database to log data from many Snort sensors.
• Time of alert using start and ending time.
• Source and destination addresses.
• Different fields in the IP packet header.
• Transport layer protocols.
• String of data in the payload area of the IP packet.

Searching for data in the database is easy. All the criteria that you specify in this screen are translated to a SQL statement that is passed to the MySQL database server. Results of your query are displayed when you click the "Query DB" button. You can then click a particular alert line to find out more information about that alert.

Snort can also be used to find fully qualified names for source and destination addresses found in captured data. For example, to create a list of unique destination IP addresses and hostnames, you can write a rule that creates an alert for all outgoing HTTP requests, though of course that is not intrusion activity.

To get whois information about a particular address, you can click on any address and select a whois database, like American Registry for Internet Numbers (ARIN). This information is usually the first step to finding out the owner of the attacking IP address and his contact information. Once you have it, you can contact the owner and ask him to stop bad guys from probing your network.

[Jun 06. 2005] Neohapsis Archives - Snort Discuss - #0021 - RE [Snort-users] acid-base recovery

From: John Hally (JHally@epnet.com)
Date: Mon Jun 06 2005 - 11:42:35 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

Doh!
 

I should have known that one.

Thanks Joel/Dominik!

-----Original Message-----
From: Joel Esler [mailto:eslerjgmail.com]
Sent: Monday, June 06, 2005 12:25 PM
To: Dominik Gehl
Cc: John Hally; snort-userslists.sourceforge.net
Subject: Re: [Snort-users] acid/base recovery
 

You would have to create the snort database found in the
"create_mysql" directory. This isn't the "ACID" database..per say..
it's the Database that Snort is commonly coded to log to..

On 6/6/05, Dominik Gehl <dgehlinverse.ca> wrote:
> Hi,
>
> you can find the MySQL db script to create the ACID database in the
> snort distribution at snort-2.3.3/schemas/create_mysql
>
> Dominik
>
> On Mon, 2005-06-06 at 12:12 -0400, John Hally wrote:
> > Hello All,

> > I had the unfortunate happen and lost a raid array that housed all of
> > my alert data for BASE. I'm in the midst of recovering and it looks
> > like that the sql files in the BASE tar file are not the only one(s)
> > needed to rebuild the database. Is acid's original sql table setup
> > required as well? Base is erroring with:
> >

> > Database ERROR: Table 'snort.iphdr' doesn't exist
> > It does not exist after I've run:
> > Mysql -u (user) -p -D snort < create_base_tbls_mysql.sql
> > The tables have been created and this is what I have in
> > my /usr/lib/mysql/snort directory:
> >
> > acid_ag_alert.frm
> > acid_ag.frm acid
> > event.frm
> > acid_ip_cache.frm
> > base_roles.frm
> > base_users.frm
> > acid_ag_alert.MYD
> > acid_ag.MYD acid_event.MYD
> > acid_ip_cache.MYD
> > base_roles.MYD
> > base_users.MYD
> > acid_ag_alert.MYI
> > acid_ag.MYI
> > acid_event.MYI
> > acid_ip_cache.MYI
> > base_roles.MYI
> > base_users.MYI
 
> > Thanks in advance!

[Oct 25, 2005] SGUIL - The Analyst Console for Network Security Monitoring.

Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil's main component is an intuitive GUI that provides realtime events from snort/barnyard. It also includes other components which facilitate the practice of Network Security Monitoring and event driven analysis of IDS alerts. The sguil client is written in tcl/tk and can be run on any operating system that supports tcl/tk (including Linux, *BSD, Solaris, MacOS, and Win32).

Placid by Phil Deneault (dznzault@hiddzngroup.nzt, z's for e's)

Placid(Phil Loathes ACID) was created as a replacement for CMU's ACID. Acid was too big, too slow, and had too many requirements for me. So I rewrote almost the entire thing(as well as added a few new features) using Python.

Requirements:

• Apache HTTP server(www.apache.org)
• MySQL 3.23 or better(www.mysql.org)
• Python 2.2 or better(www.python.org)
• The correct MySQLdb module for your python/mysql interface(http://sourceforge.net/projects/mysql-python)

Screenshots

• Event Screen
• Event listing
• Search Form
• Signatures Listing

Placid falls under the GPL

You can download the newest version here: placid-2.0.9.tar.gz
You can verify the checksums here:MD5/SHA1 checksums

The Bleeding Edge of Snort - Tool Similar to ACID-BASE

Tool Similar to ACID/BASE

Monday, November 29 2004 @ 12:40 PM EST
Contributed by: jalexand
Views: 1057  I found a new front end to a snort data base that is very fast and handles very large databases (ie millions of alerts). It might be of interest to other bleeding snort users.

It can be found here

http://speakeasy.wpi.edu/placid/

Jason Alexander
The University of Iowa

Tool Similar to ACID/BASE

Authored by: rubin on Monday, November 29 2004 @ 01:53 PM EST

We use PLACID here at Oregon State University, and have good results with it as well. ACID is simply unusable when your monitoring a large-scale network with it. -Alex

[ Reply to This ]

Tool Similar to ACID/BASE

Authored by: jonkman on Monday, November 29 2004 @ 06:51 PM EST | Parent ]

Tool Similar to ACID/BASE

Authored by: bbaldwin on Wednesday, December 01 2004 @ 05:41 PM EST

We've been very happy with SGUIL. It helps us solve the problem of verifying if an alert actually caused damage or not. http://sguil.sourceforge.net/ -bill

[Oct 26, 2005] BigAdmin Feature Article Analyzing Snort Data With the Basic Analysis and Security Engine (BASE) by Amy Rich, October 2005

Extremely weak and superficial paper

In order for BASE to function, we must first install and configure a back end database, in this case MySQL, to store the Snort alerts. In addition, we'll need Apache and Snort compiled with MySQL support. We also need to install PHP and a couple of PHP add-ons. ADOdb is an object-oriented PHP library used to interface to the database. You may already have some of these necessary tools on your system as part of the default distribution, depending on what version of the operating system you're running. The instructions below assume you are using the GNU tool chain (tar, make, gcc, and so on).

MySQL

We first start by obtaining and installing the MySQL package from MySQL. When unpacking, be sure to use GNU tar, since tar in the Solaris OS has issues with long file names. To avoid dependencies, we'll configure MySQL to build without libgcc and without zlib, but we'll still compile against openssl. (This assumes you've previously installed gcc and openssl.)

wget \
  http://dev.mysql.com/get/Downloads/MySQL-4.1/mysql-4.1.13.tar.gz/\
  from/http://mysql.mirrors.pair.com/

tar zxf mysql-4.1.13.tar.gz
cd mysql-4.1.13

LDFLAGS="-R/usr/local/lib" ./configure --prefix=/usr/local \
     --with-openssl \
     --without-docs \
     --without-libgcc \
     --with-named-z-libs=z
make
make install

If you run into issues compiling or installing MySQL, take a look at the Solaris OS section of the MySQL Reference Manual.

Snort

Now that we have MySQL installed, we can compile Snort with MySQL support. Slightly modify the installation directions from the previous article on Snort:

../configure --with-mysql=/usr/local --with-openssl=/usr/local

Then follow the rest of the installation instructions provided there.

Now set up the Snort database in MySQL. First create the snort user and grant the appropriate permissions:

mysqladmin -u root -p create snort

Next, run the MySQL script included in the Snort source directory to create the appropriate tables:

mysql -u root -p < snort-2.3.3/schemas/create_mysql snort

Now add the snort user and set the permissions:

mysql -u root -p snort

mysql> set PASSWORD FOR snort@localhost=PASSWORD('snort_user_password');
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
mysql> flush privileges;
mysql> exit

Finally, edit the snort.conf file and modify the output plug-in:

output database: log, mysql, dbname=snort user=snort password=snort host=localhost
output database: alert, mysql, dbname=snort user=snort password=snort host=localhost

This will cause both log and alert data to be written to the database.

To verify that Snort is able to write to MySQL, make sure MySQL is running, then start Snort with the following options:

snort -c /etc/snort.conf -g snort

Once Snort and MySQL are running, wait a few moments until it collects some alert data. Then run the following command:

echo "SELECT count(*) FROM event" | mysql -u root -p snort

Your output should look similar to the following, where the number is the number of alerts you've received:

count(*)
1

If the number is zero, then you haven't seen any traffic that will trigger an alert, or you need to revisit your Snort/MySQL configurations.

PHP

This article assumes that you're running Apache as your web server, and that you've installed it with the GNU layout. If you're using a different web server or have installed Apache in a different location, these directions will need modification. First, download PHP from a nearby mirror. I've chosen us2.php.net:

wget http://us2.php.net/get/php-4.3.11.tar.gz

Now configure PHP to install into /usr/local/php and use apxs to add the libphp4.so module to Apache. The PHP configure lines below also tell PHP where to find MySQL, GNU gettext, OpenSSL, zlib, libjpeg, and libpng:

LDFLAGS="-R/usr/local/lib"  ./configure --prefix=/usr/local/php \
     --enable-memory-limit=yes \
     --with-apxs=/usr/local/sbin/apxs \
     --with-gettext=/usr/local \
     --with-exif \
     --without-mm \
     --with-mysql=/usr/local \
     --with-openssl=/usr/local \
     --with-zlib \
     --with-jpeg-dir=/usr/local \
     --with-png-dir=/usr/local \
     --with-exec-dir=/usr/local/php/libexec \
     --enable-cli \
     --enable-sockets
make
make install

In a production environment, you'll want to edit /usr/local/php/lib/php.ini and set the display_errors variable to off so that debugging messages will not be inlined in the HTML. If you prefer to have inline debugging messages, then it's recommended to at least set the error_reporting variable to E_ALL & ~E_NOTICE.

Obtain further information about PHP from the PHP web site, and further information about Apache from the Apache HTTP Server Project site.

ADOdb

ADOdb is a performance-conscious database abstraction layer for PHP. BASE requires ADOdb to talk to MySQL on the back end. First, obtain the source:

wget http://unc.dl.sourceforge.net/sourceforge/adodb/adodb465.tgz

Then unpack the source and place ADOdb where it can be accessed by BASE. The documentation recommends placing it in the Apache document root, but you can also configure BASE with ADOdb outside of Apache's tree (such as /usr/local/share/) if desired.

PEAR Modules

BASE documentation also recommends installing several PEAR modules. PEAR, the PHP Extension and Application Repository, is installed as part of PHP and is to PHP what CPAN is to Perl. If PEAR::Image_Graph is not already installed, obtain it by running the following commands:

/usr/local/php/bin/pear install Image_Color
/usr/local/php/bin/pear install Log
/usr/local/php/bin/pear install Numbers_Roman
/usr/local/php/bin/pear install http://pear.php.net/get/Numbers_Words-0.13.1.tgz
/usr/local/php/bin/pear install http://pear.php.net/get/Image_Graph-0.3.0dev4.tgz

 

Installing and Configuring BASE

Now that all of the prerequisites are in place, we can install and configure BASE itself.

Downloading and Installing BASE

First go to http://prdownloads.sourceforge.net/secureideas/base-1.1.3.tar.gz?download and pick a mirror from which to download the source code. Next, unpack the source tarball into your Apache DocumentRoot:

cd /usr/local/apache/htdocs
tar zxf /path/to/base-1.1.3.tar.gz
mv base-1.1.3 base

Use the supplied SQL script to create the BASE database:

mysql -u root -p < base/sql/create_base_tbls_mysql.sql snort

If you're using a database other than MySQL or upgrading to BASE from ACID, there are different scripts available in the base/sql directory.

Configuring BASE

Once you create the database, configure BASE by copying the base_conf.php.dist file to base_conf.php and customizing it to fit your environment:

cd base
cp base_conf.php.dist base_conf.php

Options in the config file are all well commented, but those listed in the table below are the minimum that must be set.

Table 1: Required Configuration Options

Variable Function Value $DBlib_path Full path to the ADOdb installation "/usr/local/share/adodb" $DBtype Type of database used "mysql" $Use_Auth_System Set to 1 to force users to authenticate to use BASE 0 $BASE_urlpath The root URI of your site "/base" $alert_dbname The alert database name "snort" $alert_host The alert database server "localhost" $alert_port The port where the database is stored (Leave blank if you're not running MySQL on a network socket.) "" $alert_user The username for the alert database "snort" $alert_password The password for the username "snort_user_password"

 

Until the authentication portion of BASE is working properly, protect the directory where you installed BASE. Apache can be configured to deny access based on IP address, as well as to require a user to enter a password. Modify /usr/local/apache/etc/httpd.conf and add something like the following to allow users from the host 192.168.1.100 to authenticate:

<Directory /usr/local/apache/htdocs/base/> 
Order Deny, Allow
Deny from All
Allow from 192.168.1.100
AuthType Basic
AuthName Access is restricted.
AuthUserFile /path/to/htpasswd/file
require valid-user
</Directory> 

Populate the .htpasswd file with username and encrypted password data. Please refer to the documentation on the Apache web site for more help on configuring access restriction.

Using BASE

You should now have a functional BASE install accessible at http://www.your.domain/base, and you're ready to begin using the GUI to view and manage alerts.

[Oct 9, 2005] Neohapsis Archives - Snort Discuss - #0081 - [Snort-users] BASE 1.2 (betty) released

From: Kevin Johnson
Date: Sun Oct 09 2005 - 16:04:46 CDT

The BASE project team is proud to announce the release of BASE 1.2.
This release is available from the project homepage on SF.net http://sourceforge.net/projects/secureideas

We would like to thank  everyone that had a part in making this release a success.

This release fixes a number of bugs people were having with PHP 5 and searches. Alex Butcher also submitted a patch to fix the sort issue some people were experiencing. We also have fixes to emails regarding portscans and with quotes on one of the pages. (Thanks Michael and Nikns!).

 A number of features were added in this release. These features include:
- The ability to download a binary file of the packet that caused the Snort alert.
        - Increased the number of sources for port information
        - Added Internet Storm Center Source/Subnet report
        - TrustedSource.org IP lookup
        - The ability to look up signatures from a local source
        
We hope that these features and fixes will increase the ability of  BASE to meet your needs. And we welcome any and all feedback regarding this release and any other release of BASE.

Thanks
Kevin Johnson and the BASE project team
---------------------
BASE Project Lead
http://sourceforge.net/projects/secureideas 
http://base.secureideas.net 
The next step in IDS analysis!

[Jan 27, 2005] Phillip G Deneault deneault at WPI.EDU

• revious message: [unisog] ACID not "2005" compliant
• Next message: [unisog] ResNet 2005 in Atlanta
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I realize this won't fix your problem with ACID, but the problem you are 
having now I ran into in 2002 and it was the straw that broke the camel's 
back.  I had too many problems with ACID(its lack of speed, its separate 
'back' button, its use of PHP, its inability to handle multiple instances 
from a single browser, etc) so I rewrote my own using just python cgi 
scripts.  It is slightly scaled back from ACID(it lacks a decent graph 
feature, and a few other things) but it performs MUCH better.  On my 2Ghz 
database system, I've been able to have 40 million records in the database 
before the CGI's started timing out.

Its available at http://speakeasy.wpi.edu/placid/.

The nice thing about it is that since it only reads from the database, you 
can run it in tandem with ACID.  It will just ignore any ACID specific 
data.

Phil

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Phil Deneault              "We work in the dark. We do what we can.
deneault at wpi.edu                              We give what we have.
Network Security Analyst 		  Our doubt is our passion,
Network Operations                     and our passion is our task.
Worcester Polytechnic Institute    The rest is the madness of art."
http://www.wpi.edu/~deneault/   		      - Henry James
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

On Mon, 24 Jan 2005, Michael Holstein wrote:

> I don't know if the folks at CERT still maintain ACID (www.cert.org/kb/acid) 
> but I know there are lots of us (myself included) that probably still use it.
>
> The "search" feature tops out at 2004 as of version 0.9.6b23 (most recent one 
> they've got posted). For those who haven't figured it out on their own, it's 
> a simple fix :
>
> Modify the following two files and add these lines (they look just like the 
> previous several lines .. search for '2004' in the file).
>
> acid_stat_time.php:
> <OPTION VALUE="2005" '.chk_select($time[$i][2],"2005").'>2005
>
> acid_state_citems.inc:
> echo '                               <OPTION VALUE="2005" 
> '.chk_select($this->criteria[$i][4],"2005").'>2005</SELECT>';
>
> If anyone wants the lazy way, email me and I'll just send you a copy of both 
> of those that have values up to 2007.
>
> Cheers,
>
> Michael Holstein CISSP GCIA
> Cleveland State University
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

[May 30, 2003] SNORT-ACID install on Solaris9 ACID installation includes MySQL and Apache installation

While slightly outdated, this is still the only more or less coherent document explaining installation from Sun.

[May 8, 2003] Using ACID and SnortSnarf with Snort - Chapter 6 of Intrusion Detection with SNORT by Rafeeq Rehman

This is one chapter, but the whole book is freely available. To obtain the while book Using ACID and SnortSnarf with Snort go to the publisher site: [PDF] Intrusion Detection Systems with Snort Advanced IDS Techniques ...

This book excerpt is from Chapter 6 of Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID by Rafeeq ur Rehman, ISBN 0-13-140733-3, copyright 2003. All rights reserved. This chapter, titled "Using ACID and SnortSnarf with SNORT" is posted with permission from Prentice Hall PTR.

Analysis Console for Intrusion Databases (ACID) is a tool used to analyze and present Snort data using a Web interface. This chapter provides information about ACID and discusses how to install it with MySQL and Snort to view and analyze the intrusion detection data logged by Snort into the database.

In addition to ACID, the chapter also provides basic information about SnortSnarf, another tool that can be used with a web server. SnortSnarf is able to parse Snort log files and generate HTML pages that can be viewed using a Web browser.

Author: Rehman, Rafeeq ur Download:
To obtain the while book Using ACID and SnortSnarf with Snort go to the publisher site

[Apr 03, 2003]  Script to cleanup ACID-Snort Alerts in MySQL DB...

[prev in list] [next in list] [prev in thread] [next in thread]

List:       snort-users
Subject:    [Snort-users] Script to cleanup ACID/Snort Alerts in MySQL DB...
From:       "Dusty Hall" <halljer () auburn ! edu>
Date:       2003-04-03 23:34:23
[Download message RAW]

Gang,

  I just thought I'd pass this script along..  hopefully it will save someone some time/grief.  The main reason I wrote it is because we are still in the process of tweaking Snort and our number of Alerts get out of hand quickly.  ACID's frontend to delete the Alerts timed out most of the time and I wanted a way to schedule the cleanup of Alerts..

Later,


-Dusty


--CODE--

#!/usr/bin/perl -w
#----------------------------------------
# name: alert_cleanup.pl
#
# description: script to cleanup snort/acid db (only tested w/mysql)
#
# goal: allows you to schedule db cleanup without using php frontend
#
# usage: snort_db_cleanup.pl "2003-04-01 8:00:00" "2003-04-01 9:00:00"
#
# comments: dusty hall, halljer@<NOSPAM>auburn.edu
#----------------------------------------

use strict;
use DBI;

my $ds = "dbi:mysql:snort";
my $db_user = "acid_user";
my $db_pass = "secret";
my $db = DBI->connect($ds, $db_user, $db_pass) or die $DBI::errstr;

my ($cid,$sid,$sql,$time_select,$exec_time_select);
my
($event,$iphdr,$tcphdr,$udphdr,$icmphdr,$opt,$data,$acid_ag_alert,$acid_event);
my
($exec_event,$exec_iphdr,$exec_tcphdr,$exec_udphdr,$exec_icmphdr,$exec_opt,$exec_data, \
$exec_acid_ag_alert,$exec_acid_event); my %timeframe;

$timeframe{start} = $ARGV[0];
$timeframe{finish} = $ARGV[1];
chomp $timeframe{start};
chomp $timeframe{finish};

$time_select = "select acid_event.sid,acid_event.cid from acid_event
where timestamp >= '$timeframe{start}' and timestamp <=
'$timeframe{finish}'";
$exec_time_select = $db->prepare($time_select);

$exec_time_select->execute();
$exec_time_select->bind_columns(undef,\$sid,\$cid);

while ($exec_time_select->fetch) {

 $event = "delete from event where sid='$sid' and cid='$cid'";
 $iphdr = "delete from iphdr where sid='$sid' and cid='$cid'";
 $tcphdr = "delete from tcphdr where sid='$sid' and cid='$cid'";
 $udphdr = "delete from udphdr where sid='$sid' and cid='$cid'";
 $icmphdr = "delete from icmphdr where sid='$sid' and cid='$cid'";
 $opt = "delete from opt where sid='$sid' and cid='$cid'";
 $data = "delete from data where sid='$sid' and cid='$cid'";
 $acid_ag_alert = "delete from acid_ag_alert where ag_sid='$sid' and
ag_cid='$cid'";
 $acid_event = "delete from acid_event where sid='$sid' and
cid='$cid'";
 
 $exec_event = $db->prepare($event);
 $exec_iphdr = $db->prepare($iphdr);
 $exec_tcphdr = $db->prepare($tcphdr);
 $exec_udphdr = $db->prepare($udphdr);
 $exec_icmphdr = $db->prepare($icmphdr);
 $exec_opt = $db->prepare($opt);
 $exec_data = $db->prepare($data);
 $exec_acid_ag_alert = $db->prepare($acid_ag_alert);
 $exec_acid_event = $db->prepare($acid_event);

 $exec_event->execute();
 $exec_iphdr->execute();
 $exec_tcphdr->execute();
 $exec_udphdr->execute();
 $exec_icmphdr->execute();
 $exec_opt->execute();
 $exec_data->execute();
 $exec_acid_ag_alert->execute();
 $exec_acid_event->execute();

 $exec_event->finish();
 $exec_iphdr->finish();
 $exec_tcphdr->finish();
 $exec_udphdr->finish();
 $exec_icmphdr->finish();
 $exec_opt->finish();
 $exec_data->finish();
 $exec_acid_ag_alert->finish();
}

$exec_time_select->finish;

--CODE--

[Jan 08, 2003] Analysis Console for Intrusion Databases (ACID) by Roman Danilow. Documentation applicable to v0.9.5 and later

• Installation and Configuration
• FAQ
• Configuration Parameters
• Searching and Specifying Criteria
• Alert Group
• Managing Large Alert Databases (Deleting and Archiving)
• Performance Tuning
• Latest CHANGELOG
• TODO
• CREDITS
• Screen Captures

[Apr 05, 2002]  SecurePoint - Snort mailing list archive

Forum:   SecurePoint - Snort mailing list archive
 Date:      2002, Apr 05
 From:      Denis Romanov <nobody at nowhere.com>

Hi Ed! If you think this is an incorrect way of dealing with the snort_archive, please let me know.

In case no one answered your question yet. If you have done this before, just disregard it. I would go over your snort_archive database again.

Verify if the password is ok.

Check your acid_conf.php file, there is a section which takes care of the archive feature in ACID.

/* Archive DB connection parameters */
$archive_dbname   = "snort_archive";
$archive_host     = "localhost";
$archive_port     = "";
$archive_user     = "root";
$archive_password = "password";     ///change the password to yours

Login to your mysql and recheck if your snort_archive tables are present.

If not, you will have to create them the same way you did your snort = tables.

#mysql -p < /usr/local/src/snort-1.8.4/contrib/create_mysql  snort_archive

then grant DELETE,INSERT,SELECT priviliges to snort_archive, like you did to snort.

#mysql -p
>grant INSERT,SELECT,DELETE on snort_archive.* to root@localhost;
>FLUSH PRIVILIGES;
>quit

Back to ACID, and try archiving again. It should work. Regards, Denis

---

Message: 3
From: "Ed Spick" <es AT soas.ac DOT uk>
To: snort-users AT lists.sourceforge DOT net
Date: Thu, 4 Apr 2002 17:00:18 +0100
Subject: [Snort-users] acid-archive-snortprob
Hi
I have a problem with archiving of snort alerts logged to mysql running=20 through acid, hope someone can help ? =20

my config  :
Acid 0.9.6b20
snort  1.8.3-5
php 4.1.2
mysql 3.23.49a
adodb 172 (also tried 180)
apache 1.3.22
redhat 7

Whenever I choose an alert and ask to move it to the archive database I

get=20
this fatal error :

Fatal error: Call to a member function on a non-object in=20 /var/www/html/acid/acid_db.inc on line 93

Not sure whether this is a php or an adodb or a mysql problem ? The archive database is there with the correct permissions and as far as I have read everything is configured as required by the documentation. I've searched archives for last year - no-one else seems to have seen this ?

Any help gratefully rceved as I have over 400,000 alerts to archive

Cheers ed spick=20

[Nov 19, 2002] Complete Snort-based IDS Architecture, Part Two by Anton Chuvakin, Ph.D. and Vladislav V. Myasnyankin  

Very incomplete and from rather suspect author (Anton Chuvakin :-). The only useful into is how to split log stream if you are listening on several interfaces

Many companies find it hard to justify acquiring the IDS systems due to their perceived high cost of ownership. However, not all IDS systems are prohibitively expensive. This is second part of a two-part article that will provide a set of detailed directions to build an affordable intrusion detection architecture from hardware and freely available software. In this installment we shall discuss Web interface configuration, summaries and daily reporting, automated attack response, sensor installation, installation of the central station, and big distributed IDS systems.

Web Interface Configuration

First, you should deploy an Apache Web server with an SSL support, if it is not already installed by the Debian config. The command to run is "apt-get install apache-ssl". When configuring, you will be asked for some information that is required to generate the SSL key pair. One need to enter the same server name as was used for the base Linux set-up.

Next, ACID IDS console is deployed via "apt-get install acidlab". This is yet another point when the choice of Debian becomes clear, as there are no packages to compile and no dependences to troubleshoot. Answering the set-up questions is easy. The only one that needs special attention is the question about the database user: it is not root as suggested by the set-up script, but the “acid” user, which we already created during the database set-up. You should also agree to inserting string with PHP module into config file and running the apache config script.

At the time of writing, there was a small bug in the ACID package install script: by default, the script does not install MySQL support for PHP needed for ACID. So, this should be done by hand:

# apt-get install php4-mysql 

and Apache should be restarted as follows for the changes to take effect:

/etc/init.d/apache-ssl restart

Now, the system can be tested. For this one should go to the appropriate page using HTTPS protocol: https://<the server address or name>/acidlab/ . On the first load, one will be asked to click on the “Setup Page” link to complete the installation. On this page the “create_AG” button should be pushed. With this, set-up is almost complete; the only remaining part is to limit the access to the server via Apache basic authentication.

The following lines should be added to the /etc/acidlab/apache.conf file after the “AllowOverride None” line:

AuthType Basic
AuthName "Restricted"
AuthUserFile .htpasswd
Require valid-user

In addition, one can restrict access only from specified IP addresses. For example, if one wants to allow access to ACID console only from 192.168.2.1, 192.168.2.2 and entire 192.168.1.0 C-class network, the appropriate changes are:

order deny,allow
deny from all
allow from 192.168.1.0/255.255.255.0, 192.168.2.1, 192.168.2.2

To complete the access control set-up, one should go to the /etc/apache-ssl directory and create the password file:

# htpasswd -c .htpasswd <username>

You will be prompted for password. Several users can be added by the “htpasswd .htpasswd <username1>”, etc commands.

The IDS system is now fully operational with Web access to alerts and packet data.

Some other free consoles exist for Snort. One of the better known free ones is SnortCenter. This is a Web-based client-server management system written in PHP and Perl. It includes SSL-encryption, built-in user authentication, rules management and multi-language support.

The latest and greatest Snort front end is made by Sourcefire, home of Marty Roesch and Snort. The slick web GUI seamlessly integrates alarm viewing with rule management, a big advantage over other Web front ends. It also provides a simple, but flexible interface for rule editing and many useful alarm viewing modes (including graphing) as well as full control over other aspects of Snort behavior, such as preprocessor configuration. Sourcefire GUI also has an option of issuing live signature updates directly from the Sourcefire site.

Additional Features

There are some additional features, which you can use to make IDS administration and event analysis process even easier. One good idea is to add daily reporting and some attack response capabilities.

Summaries and Daily Reporting

The most essential part of IDS deployment is monitoring of routine network activity. An effective way to accomplish this is to get daily reports on the activity. To provide daily statistics, one can query the alert MySQL database or configure Snort to also output data to syslog for summarization. The former approach can be implemented using SnortReport, which is available at http://www.circuitsmaximus.com/download.html. It can be used for real-time or historical reporting from the MySQL or PostgreSQL database of alarms generated by Snort.

Many tools are written to utilize the latter approach of summarizing Snort alarms from syslog. SnortSnarf by Silicon Defense is perhaps the most well known of these. It can produce HTML reports from snort alert files, include port scan summary, alert summary by alarm, alert summary by source and destination and others. Other scripts include