June 30, 2003

Using ACID and SnortSnarf with Snort

- by Rafeeq Ur Rehman -
Analysis Console for Intrusion Databases (ACID) is a tool written in PHP used to analyze and present Snort data via a Web interface. It works with Snort and databases like MySQL, and makes information in the database available to users through a Web server.
This article is excerpted from the newly published book Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID.

ACID consists of many PHP scripts and configuration files that work together to collect and analyze information from a database and present it through a Web interface. You need a Web server, a database server, PHP, and a few supporting libraries installed on your system to make it work. I am using a Red Hat Linux 7.1 machine with the Apache Web server, PHP, and MySQL, which are part of the Red Hat distribution.

ACID offers many features:

  • You can search on a large number of criteria like source and destination addresses, time, and ports.
  • You can view different parts of a packet: the header fields as well as the payload.
  • You can manage alerts by creating alert groups (AGs) and sending them to an email address.
  • Graphical representation includes charts based upon time, protocol, IP addresses, port numbers, and classifications.
  • You can take snapshots of the alerts database; for example, you can view alerts for the last 24 hours, unique alerts, or frequent alerts.
  • You can go to different whois databases on the Internet to find out who owns a particular IP address that is attacking your network.

All of these facilities are available through the Web browser. Support packages like GD library and PHPLOT are used to print graphs on the Web pages. PHP connects to the backend MySQL database to get and update data. For this purpose, you have to provide the database user name and password.

Installation and configuration

Since ACID needs additional packages like PHPLOT and GD library to work, you need to make sure that everything is installed properly. Fortunately you can install components independently from each other in no particular order. The following step-by-step process makes it easy to put everything in place.

  • Install and test Snort.
  • Install and test MySQL. Create a database and tables so that Snort can log its activity into the database. After that you have to configure Snort using snort.conf file so that it logs its data to the database server.
  • Install Apache.
  • Download ACID and uncompress it under the directory where Apache looks for HTML files (the Apache package that is part of the Red Hat distribution keeps its HTML files under /var/www/html).
  • Install PHP. (If you are using a precompiled or RPM version of Apache, PHP may already have been built into it as a module.) Set display_errors variable in /etc/php.ini to Off.
  • Install GD library as /usr/lib/libgd.so.
  • Uncompress PHPLOT in the directory where Apache looks for HTML files. This software is used to create graphics in the Web pages.
  • Download ADODB and install it in the directory where Apache looks for HTML files. ADODB is an object-oriented library written in PHP used to connect to the database.
  • If you want to archive old data using ACID, create a MySQL database snort_archive using "create database snort_archive;" command and grant permissions to a user (in our case username rr) to manage the database using the command grant CREATE,INSERT,DELETE,UPDATE,SELECT on snort_archive.* to rr@localhost;.
  • Create tables in this database using the command mysql -u rr -p snort_archive <CONTRIB/CREATE_MYSQL.
  • Make sure display_errors in /etc/php.ini really is Off. PHP error messages can include file system paths and the database connection details from acid_conf.php, so they must not reach the browser; use log_errors instead if you want to see them.

Now configure ACID so that it can interact with the MySQL database. The same configuration step tells ACID where to find the PHPLOT package. The process is simple and consists of setting parameters in the acid_conf.php configuration file, which is located in the directory where you uncompressed the ACID files. In our case the file is /var/www/html/acid/acid_conf.php. You have to put information about the following items in this file:

  • Location of ADODB files. In our case this path is ./adodb, which is the adodb directory under the directory where ACID files are located.
  • Type of database server. For the example in this book the type of server is "mysql".
  • MySQL database name for Snort log data.
  • MySQL database server name or IP address.
  • MySQL database user name and password.
  • Name of the archive database if you are using one.
  • Database server name where archive database is located. In our case both snort and snort_archive databases are located on localhost.
  • Database user name and password to access snort_archive database.
  • Location of PHPLOT files. In our case this is ./phplot-4.4.6, which is the phplot-4.4.6 directory under the directory where ACID files are located.

This information is present in the start of the acid_conf.php file. The typical opening lines of this file in my installation are as follows:


<?php

$ACID_VERSION = "0.9.6b21";

/* Path to the DB abstraction library
 *  (Note: DO NOT include a trailing backslash after the
 *   directory)
 *   e.g. $foo = "/tmp"      [OK]
 *        $foo = "/tmp/"     [OK]
 *        $foo = "c:\tmp"    [OK]
 *        $foo = "c:\tmp\"   [WRONG]
 */
$DBlib_path = "./adodb";

/* The type of underlying alert database
 *
 *  MySQL         : "mysql"
 *  PostgreSQL    : "postgres"
 *  MS SQL Server : "mssql"
 */
$DBtype = "mysql";

/* Alert DB connection parameters
 *   - $alert_dbname   : MySQL database name of Snort alert DB
 *   - $alert_host     : host on which the DB is stored
 *   - $alert_port     : port on which to access the DB
 *   - $alert_user     : login to the database with this user
 *   - $alert_password : password of the DB user
 *
 *  This information can be gleaned from the Snort database
 *  output plugin configuration.
 */
$alert_dbname   = "snort";
$alert_host     = "localhost";
$alert_port     = "";
$alert_user     = "rr";
$alert_password = "rr78x";

/* Archive DB connection parameters */
$archive_dbname   = "snort_archive";
$archive_host     = "localhost";
$archive_port     = "";
$archive_user     = "rr";
$archive_password = "rr78x";

/* Type of DB connection to use
 *  1 : use a persistent connection (pconnect)
 *  2 : use a normal connection (connect)
 */
$db_connect_method = 1;

/* Path to the graphing library
 *  (Note: DO NOT include a trailing backslash after the directory)
 */
$ChartLib_path = "./phplot-4.4.6";

Use the same user name, password, and database name as in the output database line of your snort.conf file; if they differ, ACID will simply fail to connect. Because acid_conf.php holds the database password in clear text inside the Web server's document root, make the file readable only by the user Apache runs as, and keep in mind that ACID itself does not authenticate users: restrict access to the /acid/ directory with Apache authentication (for example an .htaccess file) before exposing it to anyone but yourself.
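The check described above, as an added example that is not part of the article or of ACID: it parses the output database line of snort.conf and the $alert_* assignments of acid_conf.php, reports any mismatch, and confirms that display_errors is Off in php.ini. The three configuration fragments are constructed for the example using the article's values; the parsers assume the standard snort.conf output line syntax and the quoted-string assignments shown in acid_conf.php.

```python
import re

# Constructed snort.conf fragment.  The 'output database:' directive has the
# standard Snort form: <log|alert>, <db type>, then space-separated key=value.
SNORT_CONF = """\
# ... other snort.conf directives ...
output database: log, mysql, user=rr password=rr78x dbname=snort host=localhost
"""

# Constructed acid_conf.php fragment with the article's values.
ACID_CONF = """\
<?php
$DBtype = "mysql";
$alert_dbname   = "snort";
$alert_host     = "localhost";
$alert_port     = "";
$alert_user     = "rr";
$alert_password = "rr78x";
$db_connect_method = 1;
"""

# Constructed php.ini fragment: a commented-out On followed by the real Off.
PHP_INI = """\
; display_errors = On
display_errors = Off
log_errors = On
"""


def parse_snort_db_output(text):
    """Return the first 'output database:' directive as a dict such as
    {'mode': 'log', 'type': 'mysql', 'user': 'rr', ...}, or None if absent."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or not line.startswith("output database:"):
            continue
        fields = [f.strip() for f in line.split(":", 1)[1].split(",", 2)]
        if len(fields) < 3:
            return None
        settings = {"mode": fields[0], "type": fields[1]}
        for kv in fields[2].split():
            key, _, value = kv.partition("=")
            settings[key] = value
        return settings
    return None


def parse_acid_conf(text):
    """Collect '$name = "value";' and '$name = 123;' assignments from acid_conf.php."""
    pattern = re.compile(r'^\s*\$(\w+)\s*=\s*(?:"([^"]*)"|(\d+))\s*;', re.M)
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in pattern.finditer(text)}


def php_display_errors(ini_text):
    """Effective display_errors value from php.ini text (last assignment wins,
    ';' starts a comment), lower-cased, or None if it is never set."""
    value = None
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()
        key, sep, val = line.partition("=")
        if sep and key.strip() == "display_errors":
            value = val.strip().strip('"').lower()
    return value


def check_acid_setup(snort_text, acid_text, ini_text):
    """Return a list of problems; an empty list means the three files agree."""
    snort = parse_snort_db_output(snort_text)
    if snort is None:
        return ["snort.conf has no 'output database:' line; Snort is not logging to a database"]
    acid = parse_acid_conf(acid_text)
    problems = []
    for skey, akey in (("type", "DBtype"), ("dbname", "alert_dbname"),
                       ("host", "alert_host"), ("user", "alert_user"),
                       ("password", "alert_password")):
        if snort.get(skey) != acid.get(akey):
            problems.append("%s=%r in acid_conf.php but %s=%r in snort.conf"
                            % (akey, acid.get(akey), skey, snort.get(skey)))
    # PHP's built-in default is On, so an unset value is a problem too.
    if php_display_errors(ini_text) not in ("off", "0", ""):
        problems.append("display_errors is not Off in php.ini; PHP errors would reach the browser")
    return problems
```

Run check_acid_setup() on the real files (open() each and pass the text) after every edit to snort.conf or acid_conf.php; a non-empty list is the reason ACID shows an empty main page or a database error.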

Using ACID

If you have installed everything correctly, you should now be able to reach ACID at http://<your_web_server>/acid/. The first time you visit this URL, ACID needs to perform some setup tasks. Click the Setup page link to move to the DB Setup page, then click the "Create ACID AG" link so that ACID can create the tables it needs to support Snort. ACID creates these tables in the main Snort database and uses them for its own housekeeping data. You can now click the "Main Page" link towards the bottom of the page to go to the main ACID page.

The ACID main page provides an overview of the currently available data, grouped into sections. From it you can view traffic profiles by protocol, get a snapshot of the sensors, search the data, and see:

  • A list of sensors that are logging data to the database.
  • The number of unique alerts and their detail.
  • The total number of alerts and their detail.
  • Source IP addresses for the captured data. By following the subsequent links, you can find the owner of the source IP address by looking up whois databases.
  • Destination IP addresses for captured data.
  • Source and destination ports.
  • Alerts related to a particular protocol, like TCP alerts, UDP alerts, and ICMP alerts.
  • Search alert and log data for particular entries.
  • Most frequent alerts.
  • Plot alert data, which is still experimental.

ACID can search the captured log and alert data using parameters such as:

  • A particular sensor, when you are using a central database to log data from many Snort sensors.
  • Time of alert using start and ending time.
  • Source and destination addresses.
  • Different fields in the IP packet header.
  • Transport layer protocols.
  • String of data in the payload area of the IP packet.

Searching the database is straightforward. All of the criteria you specify on this screen are translated into a single SQL statement that is sent to the MySQL database server, and the results are displayed when you click the "Query DB" button. You can then click a particular alert line to see the full details of that alert.
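The SQL behind the two pages just described, as an added example that is not the article's or ACID's own code: the "most frequent alerts" snapshot from the main page, and the search page's translation of form criteria into WHERE clauses, run against a SQLite copy of a subset of Snort's database schema loaded with a handful of constructed alerts. SQLite standing in for MySQL, the trimmed schema and the sample rows are all assumptions of the example; the table and column names are those of Snort's contrib/create_mysql script.

```python
import sqlite3
import socket
import struct


def ip_to_int(addr):
    """Snort's database plugin stores IPv4 addresses as unsigned 32-bit integers
    (the value MySQL's INET_ATON() gives); ACID converts them back for display."""
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def int_to_ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))


# Subset of the tables from Snort's contrib/create_mysql, trimmed to the columns
# used below.  SQLite stands in for MySQL so this runs offline (assumption); the
# queries are otherwise the same, MySQL just offers INET_NTOA() for display.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL);
CREATE TABLE event  (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                     PRIMARY KEY (sid, cid));
CREATE TABLE iphdr  (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                     ip_proto INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER,
                     PRIMARY KEY (sid, cid));
CREATE TABLE data   (sid INTEGER, cid INTEGER, data_payload TEXT, PRIMARY KEY (sid, cid));
"""

SIGNATURES = [(1, "WEB-IIS cmd.exe access"), (2, "SCAN SSH Version map attempt"),
              (3, "WEB-CGI phf access"), (4, "MYSQL root login attempt")]

# Constructed alerts from sensor 1: (cid, sig_id, timestamp, src, dst, sport, dport,
# payload).  Payloads are kept as plain ASCII here; with the plugin's default
# 'encoding hex' a payload search pattern would have to be hex-encoded first.
SAMPLE_ALERTS = [
    (1, 1, "2003-06-29 23:58:10", "10.0.0.5", "192.168.1.10", 3211, 80,
     "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"),
    (2, 1, "2003-06-30 00:02:41", "10.0.0.5", "192.168.1.10", 3212, 80,
     "GET /_vti_bin/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"),
    (3, 2, "2003-06-30 01:15:00", "10.0.0.7", "192.168.1.10", 1029, 22, ""),
    (4, 3, "2003-06-30 08:30:12", "10.0.0.9", "192.168.1.11", 4400, 80,
     "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0"),
    (5, 4, "2003-06-30 09:00:00", "10.0.0.7", "192.168.1.10", 1030, 3306, ""),
]


def load_sample_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO signature VALUES (?, ?)", SIGNATURES)
    for cid, sig, ts, src, dst, sport, dport, payload in SAMPLE_ALERTS:
        con.execute("INSERT INTO event VALUES (1, ?, ?, ?)", (cid, sig, ts))
        con.execute("INSERT INTO iphdr VALUES (1, ?, ?, ?, 6)",
                    (cid, ip_to_int(src), ip_to_int(dst)))
        con.execute("INSERT INTO tcphdr VALUES (1, ?, ?, ?)", (cid, sport, dport))
        con.execute("INSERT INTO data VALUES (1, ?, ?)", (cid, payload))
    return con


def most_frequent_alerts(con, limit=5):
    """The 'Most frequent alerts' snapshot: (signature, count, first seen, last seen)."""
    return con.execute("""
        SELECT s.sig_name, COUNT(*) AS n, MIN(e.timestamp), MAX(e.timestamp)
        FROM event e JOIN signature s ON e.signature = s.sig_id
        GROUP BY s.sig_id ORDER BY n DESC, s.sig_name LIMIT ?""", (limit,)).fetchall()


def _like_escape(s):
    """Escape LIKE wildcards so a payload search for '%' matches a literal '%'."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_alerts(con, sensor=None, src=None, dst=None, dport=None,
                  since=None, until=None, payload_contains=None):
    """Turn search-form criteria into one SELECT, as ACID's search page does.
    Each criterion adds a WHERE clause; values are bound as parameters rather
    than spliced into the SQL text.  Rows come back with dotted-quad addresses."""
    sql = ["""SELECT e.sid, e.cid, e.timestamp, s.sig_name, i.ip_src, i.ip_dst,
                     t.tcp_sport, t.tcp_dport
              FROM event e
              JOIN signature s   ON e.signature = s.sig_id
              JOIN iphdr i       ON i.sid = e.sid AND i.cid = e.cid
              LEFT JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
              LEFT JOIN data d   ON d.sid = e.sid AND d.cid = e.cid
              WHERE 1 = 1"""]
    params = []
    for clause, value in (("e.sid = ?", sensor),
                          ("i.ip_src = ?", ip_to_int(src) if src else None),
                          ("i.ip_dst = ?", ip_to_int(dst) if dst else None),
                          ("t.tcp_dport = ?", dport),
                          ("e.timestamp >= ?", since),
                          ("e.timestamp <= ?", until)):
        if value is not None:
            sql.append("AND " + clause)
            params.append(value)
    if payload_contains:
        sql.append("AND d.data_payload LIKE ? ESCAPE '\\'")
        params.append("%" + _like_escape(payload_contains) + "%")
    sql.append("ORDER BY e.timestamp, e.cid")
    rows = con.execute(" ".join(sql), params).fetchall()
    return [(sid, cid, ts, name, int_to_ip(s), int_to_ip(d), sp, dp)
            for sid, cid, ts, name, s, d, sp, dp in rows]
```

A call such as search_alerts(load_sample_db(), src="10.0.0.5", dport=80, payload_contains="cmd.exe") returns the two cmd.exe probes and nothing else. Two details carry over to a real MySQL deployment: addresses must be converted with INET_ATON()/INET_NTOA() or the equivalent, and the ESCAPE clause needs its backslash doubled in a MySQL string literal.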

ACID can also resolve the source and destination addresses found in captured data to fully qualified host names. For example, to build a list of unique destination IP addresses and their host names, you could write a Snort rule that raises an alert on every outgoing HTTP request, even though that is of course not intrusion activity.

To get whois information about a particular address, click on the address and select a whois database, such as the American Registry for Internet Numbers (ARIN). This is usually the first step in finding the owner of an attacking IP address and the owner's contact information, so that you can ask for the probing of your network to be stopped. Bear in mind that the address may be spoofed, or may belong to a compromised third-party machine whose owner is also a victim.

Generating graphs and archiving data

Generating graphs is still experimental in ACID. You can go to the ACID main page where a link is provided to generate graphs. When generating graphs, you can select data and type of graph. For example, you can generate a line or bar graph for alerts in the last five days.

A sample bar graph

ACID uses the PHPLOT package on the back end to generate these graphs. You can use JpGraph in place of PHPLOT, but JpGraph has a different licensing scheme and there may be restrictions on using it in a commercial environment.

In addition to the tasks presented here, you can also use ACID to archive data and delete data from the database.

Earlier, you created a new database called snort_archive to archive the data from the main Snort database. Using ACID, you can move alerts from the main database to the archive database or just copy them. For example, if you want to move all alerts from the main database to the archive database, click the number next to "Total Number of Alerts" on the main ACID page. The next page displays all of the alerts in the database. If the number of alerts is more than 50, then only the first 50 alerts are displayed. Then you can use the bottom part of the screen to archive the alerts.

SnortSnarf and Barnyard

In addition to ACID, this article also provides basic information about SnortSnarf, another tool for displaying Snort data through a Web interface. SnortSnarf parses Snort log files and generates static HTML pages that can be viewed with a Web browser.

SnortSnarf is a Perl script, so there is nothing to compile; you can run it as soon as you have downloaded it, for example from a cron job on a periodic basis. It can parse Snort log files as well as extract data from a MySQL database. Because the generated pages expose the full alert details, protect the output directory with Web server authentication just as you would the ACID directory. The following command parses the /var/log/snort/alert file and places the newly generated HTML files in /var/www/html/snortsnarf, where they can be viewed later with a Web browser.

snortsnarf.pl /var/log/snort/alert -d /var/www/html/snortsnarf

The following command extracts data from a MySQL database running on localhost, logging in as user rr with password rr78x. Note that a password passed this way is visible to other local users in the process list for as long as the script runs, so on a shared machine give SnortSnarf its own database user with SELECT privileges only rather than reusing the account Snort writes with.

snortsnarf.pl rr:rr78x@snort@localhost -d /var/www/html/snortsnarf

To get data from a database, you have to define the following parameters on the command line:

  • Database user name
  • Password
  • Database name
  • Host where database server is running
  • Port number for the database server. By default the port number is 3306 and this parameter is optional.

The general format of defining these parameters is user:passwd@dbname@host:port.

The SnortSnarf main page provides basic information about alert data.

You may also want to try Barnyard, a new tool intended to parse binary log files generated by Snort when you use the unified logging module. Download the package, decompress it, and run the configure script with a prefix command line parameter to define the directory where you intend to install it. A typical command line may be configure --prefix=/opt/barnyard. Run the make command, then run make install to install it. You also need to edit the barnyard.conf file before using the tool.

Rafeeq ur Rehman is founding director of Argus Network Security Services, Inc. He is an HP Certified System Administrator and CCNA with more than nine years' experience in Unix and network administration, as well as C and database programming. His books include The Linux Development Platform; Solaris 8 Training Guide (310-043): Network Administrator Certification; and HP Certified: HP-UX System Administration.
