Last month’s article looked at iptables firewall management with Big Fish. This month, let’s take a look at intrusion detection using SNORT, along with its LAMP-based analysis add-on, ACID, short for “Analysis Console for Intrusion Databases.”
SNORT, lovingly referred to as “the pig,” is an advanced packet sniffer and logger that analyzes traffic on your network. It can be set up for protocol analysis, regular expression string matching, and network attack detection, including buffer overflows, stealth port scans, SMB probes, and many more.
ACID is a PHP-based application that provides a graphical user interface for analysis of intrusion detection system (IDS) databases, including SNORT’s. ACID is a perfect partner for SNORT, as its interface allows you to review and examine alerts based on source/destination ports and addresses, layer-3 and layer-4 packet information, and dynamically generated graphs. The charts and graphs are based on alert type, time, sensor, signature, protocol, IP address and ports. ACID also provides an advanced alert management system that lets you group individual alerts to form incidents and gives you flexible control over false positives. ACID can also analyze, report, and alert against firewall logs.
SNORT is an open-source package released under the GNU GPL. The latest SNORT package can be downloaded at http://www.snort.org/dl/. The version used here is 2.3.0.RC1. The latest ACID package is available from http://acidlab.sourceforge.net/. Although the latest ACID version is dated January 2003, it is still valid and works seamlessly with the latest SNORT version. The ACID version used here is 0.9.6b23.
SNORT can be configured in three modes: sniffer, packet logger, and network IDS. Most people install SNORT for its complete suite of IDS features. SNORT IDS utilizes user-generated rule sets to perform actions based on packets it logs on your network. (Don’t fret, SNORT contains several production-ready rule sets to get you going.)
Before you install SNORT, choose the host machine carefully. Ideally, you’ll want to install IDS services just inside and just outside your firewall. You can even install SNORT on your firewall host, the single point of entry into a local network. On a firewall, SNORT has access to sniff across all network devices and VLANs traversing its host.
There are also a number of prerequisites for SNORT and ACID.
If you want to use ACID with SNORT, you’ll need a database for event storage. Make sure you have a database installed and configured prior to installing SNORT. SNORT supports MySQL, PostgreSQL, Oracle, XML, and generic ODBC data sources. You may also need to install the Perl Compatible Regular Expression (PCRE) library. PCRE can be retrieved from http://www.pcre.org/.
Download the SNORT 2.3.0RC1 tarball and its MD5 checksum from http://www.snort.org/dl/ and verify that the file is intact and pristine. You can generate the MD5 checksum on your SNORT tarball by typing md5sum snort-2.3.0RC1.tar.gz. If the checksum is correct, untar the package.
The plain old ./configure step won’t be enough for installing SNORT, as you’ll want to add some options, including support for MySQL and SNMP, where the latter allows you to integrate SNORT IDS with third-party network monitoring packages.
In the SNORT source directory, run the following configure command:
$ ./configure --with-snmp --with-mysql
You may also have to specify the directory where your MySQL headers are located. For example, on the test machine, the command was ./configure --with-snmp --with-mysql=/usr/local/mysql. If ./configure works, type make, then, as root, type make install to complete the installation.
Now that SNORT is installed, create the MySQL data source and configure it for use. For example, if your MySQL server is on the same host as SNORT, you can just run mysqladmin create snort. Then, create the data structure for this database using the import script included in the SNORT tarball. While in the SNORT source directory, type mysql snort < ./schemas/create_mysql.
Next, grant access to this database to a SNORT user. Enter the MySQL console and enter the following:
grant SELECT, INSERT on snort.*
to snortuser@localhost identified by "h@ckm3";
Then, grant the additional rights the sensor table needs, on that table only:
grant SELECT, INSERT, UPDATE on snort.sensor
to snortuser@localhost identified by "h@ckm3";
Finally, before starting up SNORT for the first time, become root. Create a logging directory with the command mkdir /var/log/snort, and create the SNORT rule set directory using mkdir /etc/snort. Change directory into /etc/snort/ and download the latest set of rules from the SNORT web site at http://www.snort.org/dl/rules/. Untarring the package creates all of the rules in the directory /etc/snort/rules/. Move all of the files in /etc/snort/rules/ up one level into /etc/snort/ and remove the empty directory:
# cd /etc/snort/rules
# mv * ../
# rmdir rules
The rules tarball also includes an updated snort.conf file, located in the /etc/snort directory. Copy that file to your system’s /etc directory and open it with your favorite text editor.
In snort.conf, you can set up specific internal and external networks (or devices) and other host types for SNORT to include in its sniffing. Find the variable declaration for RULE_PATH and set the path to /etc/snort/rules. If you’re running IIS on your network for some reason, find the iis_unicode_map preprocessor declaration and set the path for the unicode.map file to /etc/snort/unicode.map. Otherwise, you can comment out that preprocessor reference completely.
Next, set the path for classification.config to /etc/snort/classification.config and set reference.config to /etc/snort/reference.config. For now, leave everything else as-is and only configure the output plug-in for MySQL. Scroll down to the “output database” examples and enter the following, on a single line:
output database: log, mysql, user=snortuser password=h@ckm3 dbname=snort host=localhost
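The build, database and snort.conf steps above, gathered into one repeatable script. This is an added example, not code from the article or the SNORT project; it assumes the tarball and its .md5 file sit in the current directory, that the MySQL headers live under /usr/local/mysql, and that the stock snort.conf uses the “var RULE_PATH”, “include classification.config” and “include reference.config” forms.

```shell
#!/bin/sh
# Added example (not from the article): SNORT build, database and
# snort.conf setup as one script. Paths and versions follow the text.
set -eu

VER="2.3.0RC1"; TARBALL="snort-${VER}.tar.gz"

# Compare the md5sum of $1 with the first field of checksum file $2
# (the snort.org .md5 file has the form "<hash>  <filename>").
verify_md5() {
    expected=$(awk 'NR==1 {print $1}' "$2")
    actual=$(md5sum "$1" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

build_snort() {
    tar xzf "$TARBALL" && cd "snort-${VER}"
    ./configure --with-snmp --with-mysql=/usr/local/mysql
    make && make install          # make install must run as root
    cd ..
}

# Create the database, load the schema and give the sensor user only
# the rights the article assigns (no DELETE; UPDATE on sensor only).
setup_database() {
    mysqladmin create snort
    mysql snort < "snort-${VER}/schemas/create_mysql"
    mysql <<'EOF'
grant SELECT, INSERT on snort.* to snortuser@localhost identified by "h@ckm3";
grant SELECT, INSERT, UPDATE on snort.sensor to snortuser@localhost identified by "h@ckm3";
EOF
}

# Point the paths in $1 (a snort.conf) at /etc/snort and append the
# MySQL output plug-in as one line, as the article requires.
configure_snort_conf() {
    sed -i -e 's|^var RULE_PATH .*|var RULE_PATH /etc/snort/rules|' \
        -e 's|^include classification.config|include /etc/snort/classification.config|' \
        -e 's|^include reference.config|include /etc/snort/reference.config|' "$1"
    printf '%s\n' 'output database: log, mysql, user=snortuser password=h@ckm3 dbname=snort host=localhost' >> "$1"
}

main() {
    verify_md5 "$TARBALL" "$TARBALL.md5" || { echo "checksum mismatch" >&2; exit 1; }
    build_snort; setup_database
    mkdir -p /var/log/snort /etc/snort
    cp /etc/snort/snort.conf /etc/snort.conf     # the copy the article edits
    configure_snort_conf /etc/snort.conf
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with --run as root once the rules tarball has been unpacked into /etc/snort; a checksum mismatch stops the script before anything is built.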
Further down in snort.conf is where you define the various SNORT rule sets. Included in the source package are a number of default rule sets, in addition to advanced rules that you can customize for your environment. As you will see, the SNORT rule sets are also a good way to measure how much traffic on your network is dedicated to P2P, chat, and even adult content. Combined with the ACID interface, SNORT can give you extensive business intelligence on how your network is being used, in addition to pointing out exploits. Customizing these rule sets is out of the scope of this article, but the SNORT web site offers extensive information.
SNORT is a standalone package, but ACID requires the traditional web components. The test machine used for the sample installation ran Linux kernel 2.4.20-8, Apache 1.3.28, PHP 5.0.3RC1 (although ACID runs on PHP 4.0.4+), and mod_ssl 2.8.15-1.3.28 supported by OpenSSL 0.9.7a. As ACID can be made accessible over the Internet, it is imperative that you install SSL into Apache.
Download the ACID 0.9.6b23 tarball from http://acidlab.sourceforge.net and verify its MD5 checksum. If the checksum is correct, untar the package to create an acid folder. Copy acid to a directory in your Apache DocumentRoot. For this example, the URL will be https://localhost/acid.
Next, you’ll need to install the MySQL tables necessary for ACID integration with SNORT. Enter the acid directory and type
mysql snort < create_acid_tbls_mysql.sql
ACID requires a number of database permissions to work properly and securely. You should also create a different user for ACID, as its permissions are different than those for the SNORT user. The MySQL grant permissions matrix is available in the README file in the ACID source directory. However, for ease of management you can just run…
grant SELECT, INSERT, UPDATE, DELETE on
snort.* to aciduser@localhost identified by "h@ckm3";
… in the MySQL console.
Next, open the acid_conf.php file in your favorite text editor and set values that correspond to your system. $DBlib_path should be set to the full path for your ADODB installation; $DBtype should be “mysql” (if you’re using MySQL); $alert_dbname should be snort; $alert_host should be localhost; $alert_port can be left blank for the default; and $alert_user and $alert_password should be the login credentials for the MySQL ACID user.
If you installed JpGraph, edit the variable $ChartLib_path in acid_conf.php with the absolute path of the JpGraph directory. This will enable ACID to construct and display custom graphs of various alert data.
That concludes the very basic ACID installation. Now, browse to your acid directory using your favorite web browser to see the dashboard page reporting overall usage metrics. However, since SNORT has not been started you shouldn’t see much of anything reported at this point.
There is one bug in this version of ACID: it doesn’t support dates greater than 2004. However, the bug is easily fixed: edit acid_graph_form.php, acid_state_citems.php, and acid_stat_time.php and add 2005 and later years.
Starting and Testing Your IDS
At this point, SNORT should be ready to start and ACID should be ready to report. On the command line, type snort &. To see if it’s working, log in to the MySQL SNORT database and run select * from sensor. You should see the localhost IP addresses and interfaces. Next, browse to your ACID installation with a web browser.
If you’re lucky (or unlucky, depending on how you look at it) you might already have real-world events logged by SNORT. You can generate some test scans using nmap or a vulnerability tester that deep probes your host. Any way you can do it, generate some test data to familiarize yourself with the ACID reports and graphing tools.
For example, if you have nmap available, execute the following command and SNORT will go haywire with ICMP ping alerts:
$ nmap -sX -p 22,53,110,143,4564 192.168.*.1-127
Substitute 192.168.*.1-127 with your internal network range. Never run something like this outside of your own local network.
When you log in to your ACID interface, you should see a large amount of ICMP traffic reported. To create an alert group for this particular event type, click on the link for Most Recent Alerts: ICMP, then use the drop-down at the bottom of the query screen and select Create AG (by Name). Enter a name in the text box, such as ICMP PING, and click the Entire Query button. You can also select a variety of events to combine into a single alert group for incident classification.
SNORT and the ACID analyzer interface are valid starting points for an enterprise IDS. These tools are in use within educational institutions, home-based LANs, as well as large, Fortune 500 companies around the world.
However, unless you have the staff to constantly analyze the reports and graphs generated by ACID, it will be hard to employ the system effectively. The open-source project Nagios is a full-featured network/host monitoring system that integrates well with SNORT/ACID. With Nagios’ embedded notification module providing email, instant message, and SMS alerts, coupled with ACID’s analysis capabilities, you will be fully informed and have the research available to respond to any critical security incident.
What SNORT/ACID doesn’t do is protect you from writing sloppy code. Check your work before deploying to production servers, and have a colleague look over it as well. Most successful intrusion attempts are the result of poor development standards, including cookie hijacking and URL/SQL injection. If you’re unsure how to script a function correctly, ask for help, especially if you’re attempting to write an ecommerce application that accepts and stores customers’ credit cards.
You have a responsibility to protect all of your visitors, the ones that trust your site and the applications running on it.
Michael Bordash’s company, IP-soft.net, provides managed IT services for Fortune 1000 companies. He is also the founder of InternetDJ.com. You can reach Michael at