Snort sencors

Use SnortCenter’s easy-to-use web interface to manage your NIDS sensors.

Managing an IDS sensor and keeping track of the alerts it generates can be a daunting task, and even more so when you’re dealing with multiple sensors. One way to unify all your IDS management tasks into a single application is to use SnortCenter (http://users.pandora.be/larc/), a management system for Snort.

SnortCenter is comprised of a web-based console and sensor agents that are run on each machine in your NIDS infrastructure. It lets you unify all of your management and monitoring duties into one program, which can help you get your work done quickly. SnortCenter has its own user authentication scheme, and supports encrypted communication between the web-based management console and the individual sensor agents. This enables you to update multiple sensors with new Snort rules or create new rules of your own and push them to your sensors securely. SnortCenter also allows you to start and stop your sensors remotely through its management interface. To monitor the alerts from your sensors, SnortCenter can integrate with ACID [Hack #83] .

To set up SnortCenter, you’ll first need to install the management console on a web server that has both PHP support and access to a MySQL database server where SnortCenter can store its configuration database. To install the management console, download the distribution from the download page (http://users.pandora.be/larc/download/) and unpack it. This will create a directory called www (so be sure not to unpack it where there’s already a www directory) containing SnortCenter’s PHP scripts, graphics, and SQL schemas. Then, copy the contents of the www directory to a suitable location within your web server’s document root.

For example:

# tar xfz snortcenter-v1.0-RC1.tar.gz

# cp -R www /var/www/htdocs/snortcenter

In order for SnortCenter to communicate with your database, you’ll need to install ADODB (http://php.weblogs.com/adodb) as well. This is a PHP package that provides database abstraction functionality. After you’ve downloaded the ADODB code, unpack it into your document root (e.g., /var/www/htdocs).

You’ll also need to install curl (http://curl.haxx.se). Download the source distribution, unpack it, and run ./configure && make install. Alternatively, it might be available with your operating system (Red Hat has a curl RPM, and *BSD includes it in the ports tree).

After that’s out of the way, you’ll need to edit SnortCenter’s config.php (e.g., /var/www/htdocs/snortcenter/config.php) and change these variables to similar values that fit your situation:

$DBlib_path = “../adodb/”;

$DBtype = “mysql”;

$DB_dbname = “SNORTCENTER”;

$DB_host = “localhost”;

$DB_port = “”;

$DB_user = “snortcenter”;

$DB_password = “snortcenterpass”;

$hidden_key_num =1823701983719312;

This configuration will tell SnortCenter to look for the ADODB code in the adodb directory located at the same directory level as the one containing SnortCenter. In addition, it will tell SnortCenter to connect to a MySQL database called SNORTCENTER that is running on the local machine as the user snortcenter with the password snortcenterpass. Since it is connecting to a MySQL server on the local machine, there is no need to specify a port. If you want to connect to a database running on another system, you should specify 3389 for the port, which is the default used by MySQL. Set $hidden_key_num to a random number.

After you’re done editing config.php, you’ll need to create the database and user you specified and set the proper password for it:

$ mysql -u root -p mysql

Enter password:

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 27 to server version: 3.23.55

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the buffer.

mysql> create database SNORTCENTER;

Query OK, 1 row affected (0.01 sec)

mysql> GRANT SELECT,INSERT,UPDATE,DELETE ON SNORTCENTER.* TO \

snortcenter@localhost IDENTIFIED BY ‘snortcenterpass’;

Query OK, 0 rows affected (0.00 sec)

mysql> FLUSH PRIVILEGES;

Query OK, 0 rows affected (0.02 sec)

mysql> Bye

Now create the database tables:

$ mysql -u root -p SNORTCENTER < snortcenter_db.mysql

Congratulations, it’s time to try out SnortCenter! To do this, go to the URL that corresponds to where you installed it within your document root (e.g., http://example.com/snortcenter/). You should see something like Figure 7-5.
Figure 7-5. The SnortCenter login page

Enter in the default login/password admin/change, and then click the Login button. After you do that, you should see a page similar to Figure 7-6.
Figure 7-6. The initial SnortCenter main page

Now that you know that the management console has been installed successfully, you can move on to installing the agent. But before doing that, you should change the password for the admin account. To do this, click on the Admin button, then click on the User Administration menu item that appears. After that, click on View Users. You should then see a page like Figure 7-7.
Figure 7-7. SnortCenter’s user listing page

Clicking on the icon to the left of the username should bring you to a page similar to Figure 7-8; here you can edit the admin account’s information, including the password.
Figure 7-8. Changing the admin account’s password and email address

Now you can go on to set up your sensor agents (really, I’m serious this time).

SnortCenter’s sensor agents are written in Perl and require the Net::SSLeay module to communicate with the management console through a secure channel. If you have Perl’s CPAN module installed, you can install Net::SSLeay easily by running the following command:

# perl -MCPAN -e “install Net::SSLeay”

To install the sensor code, you’ll first need to unpack it. This will create a directory called sensor containing all of the sensor agent code. Then copy that directory to a suitable permanent location.

For example:

# tar xfz /tmp/snortcenter-agent-v1.0-RC1.tar.gz

# cp -R sensor /usr/local/snortcenter

Next you’ll need to create an SSL certificate for the sensor. You can do this by running the following command:

# cd /usr/local/snortcenter

# mkdir conf

# openssl req -new -x509 -days 3650 -nodes \

-out conf/sensor.pem -keyout conf/sensor.pem

Alternatively, you can create a signed certificate [Hack #45] and use that.

After you’ve done that, run the sensor agent’s setup script:

# sh setup.sh

****************************************************************************

* Welcome to the SnortCenter Sensor Agent setup script, version 1.0 RC1 *

****************************************************************************

Installing Sensor in /usr/local/snortcenter …

****************************************************************************

The Sensor Agent uses separate directories for configuration files and log files.

Unless you want to place them in a other directory, you can just accept the defaults.

Config file directory [/usr/local/snortcenter/conf]:

This script will prompt you for several pieces of information, such as the sensor agent’s configuration file and log directories, the full path to the perl binary (e.g., /usr/bin/perl), as well as the location of your snort binary and rules. In addition, it will ask you questions about your operating system, what port and IP address you want the sensor agent to listen on (the default is TCP port 2525), and what IP addresses are allowed to connect to the agent. In particular, it will ask you to set a login and password that the management console will use for logging into the agent. After it has prompted you for all the information it needs, it will start the sensor agent on the port and IP address specified in the configuration file. You can now test out the sensor agent by accessing it with your web browser (be sure to use https instead of http). You should see a page similar to Figure 7-9 after entering the login information contained in the setup script.
Figure 7-9. The sensor agent direct console page

Now you can go back to the main management console and add the sensor to it. To do this, log back into the management console and select Add Sensor from the Sensor Console menu. After doing this, you should see something similar to Figure 7-10.
Figure 7-10. Adding a sensor agent

Fill in the information that you used when running the setup script and click the Save button. When the next page loads, the sensor that you just added should appear in the sensor list. You can push a basic configuration to the sensor by opening the Admin menu, then selecting the Import/Update Rules item, and then Update from Internet. After you’ve done that, go back to the sensor list by clicking View Sensors in the Sensor Consoles menu, and then click the Push hyperlink for the sensor. To start Snort on that particular sensor, click the Start link. After you’ve done that, you should see a page similar to Figure 7-11.
Figure 7-11. SnortCenter’s sensor list after starting a sensor

You can now configure your sensor by using the Sensor Config and Resources menus. Once you’ve created a configuration you’re satisfied with, you can push it to your sensor(s) by going back to the sensor list and selecting Push.

Dette indlæg blev udgivet i Knowledge Base, Linux, Networking, Old Base. Bogmærk permalinket.

Skriv et svar