Intrusion Detection Systems using SNORT (Sourcefire and Snort are Trademarks or Registered Trademarks of Sourcefire, INC) have an ongoing good track record of reporting any event on a network for which you can formulate a detection rule. An unfortunate aspect of using SNORT or any other IDS is that you have to know a fair amount about the network topology before you can even begin to approach the reports. This application takes an approach that considers the user's need to perform triage on an infested network at 3:00am while sleep deprived. MYSQLIDS produces a report based upon the 5 time criteria shown above, with the ability to correct for 3 time zones. It also allows optional printing of the payload data. The output is written to a plain text file for a reason: file types with complex automation support provided by the OS or by helper applications have the capacity to launch HTML content and malicious payloads, whereas a plain text file does not.

The Analysis Console for Intrusion Databases (ACID) provides a good interface to the same data that MYSQLIDS extracts. It presents that data better in many ways, except in perspective: you are shown more data than you need, and retrieving the data you do need takes several queries to select and order it in a useful manner. Many of the alternative methods for analysis are scripted or LINUX-only in their implementations. MYSQLIDS is a first generation query tool for triage and trending over short periods in a large network. This scope is a realistic limitation imposed by the MYSQL 4GB database limit and by retrieval efficiency. You can quickly search for events at related sites within a common time frame. The second generation of this tool needs to address time zone correction so that the queries can be made functional across time zones.

There are two executables included in mysqlids.zip, named mysqlidsxp.exe and mysqlids2k.exe. The code should compile easily on Windows 2000 or XP using Visual Studio 6. The database used in this example is MYSQL-3.23.58 and the ODBC driver is MYODBC-3.51.06. To create a SNORT database, load MYSQL (3.23.58) on a Windows NT/2000 server. Bounce the box. Log in, choose “Start->Run->cmd”, and then cd \mysql\bin. Key “mysqladmin -u root password newpassword” (replacing newpassword with your desired root password). This enables use of the MYSQL database. Get a copy of MYSQL Administrator from www.mysql.com and a copy of MYSQL-Front from www.mysqlfront.de. Install both of them and place icons on your desktop on the server. Open the MYSQL Administrator program and log on with the credentials root, newpassword, localhost. In the MYSQL Administrator gui, click on User Administration. Right-click in the User Accounts area and select Add new User. Populate the User Information for the new user (I suggest setting the MYSQL User id to snort and selecting an appropriate password). Don’t forget to click the Apply changes button. Return to User Accounts. Right-click on the user snort and select “Add host from which the user can connect”. Enter the name or ip address of each client or sensor which will connect to the MYSQL database. Close MYSQL Administrator and open MYSQL-Front. The Add Session gui should come up. Enter local for the General Name. Click the Connection tab and provide the server name as localhost. Click the Login tab and provide the root credentials. Hit OK and you should see the gui display a pane labeled local. Right-click on localhost, select NEW, then select Database. Name the database snort_db. Then hit File -> Exit. Obtain a copy of the create_mysql script from \snort\contrib. Place it in a convenient location. Click Start->Run, key cmd and hit OK. Execute the following steps:
cd \mysql\bin
mysql -u root -p
newpassword
connect snort_db
source create_mysql ;
commit ;
exit

Reopen MYSQL Administrator, providing the root credentials to log in. Click on User Administration. Select the user snort, then click the Schema Privileges tab. Click the snort_db Schemata. Highlight all of the available privileges and click the < button. Then hit the Apply changes button. Now close MYSQL Administrator. On one of the sensors which you have designated to be able to connect to the snort_db database, install snort, then open \snort\etc\snort.conf with the DOS edit command and save it so that its line endings are converted to DOS format. Then exit and use notepad to edit \snort\etc\snort.conf. Correct the include locations as well as the rules path, then uncomment the line that reads as follows:
output database: log, mysql, user=root password=test dbname=db host=localhost
And change it to
output database: log, mysql,
user=snort password=newpassword dbname=snort_db host=server_ip

Replace server_ip with the actual ip address of the server. Correct newpassword to the actual snort password. Now you can start snort either as a service with “c:\snort\bin\snort /service /install -c c:\snort\etc\snort.conf -l c:\snort\log” or in command mode with “c:\snort\bin\snort -c c:\snort\etc\snort.conf -l c:\snort\log”. You should test first in command mode to check connectivity and function, because there you can see the errors returned to the console. After testing, use “net start snort” to start the service if you opted to install the service. In the service case, visit the Control Panel Services applet to set the startup mode for SNORT to automatic. The sensor should now be logging to the database.
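
The account and host setup that the text performs through the MYSQL Administrator GUI, written instead as statements for the mysql client. This is an added example, not code from MYSQLIDS or from the Snort distribution. The database name snort_db and the user snort are the ones the text uses; the sensor addresses 192.0.2.10 and 192.0.2.11, the analyst workstation address 192.0.2.50 (the machine that will run mysqlids with IDS_DB_USER=snort) and the password are placeholders. The syntax is the MySQL 3.23 form (GRANT with IDENTIFIED BY).

```sql
-- Added example (not MYSQLIDS or Snort code): the account setup the text
-- does in the MYSQL Administrator GUI, as mysql-client statements.
-- Placeholders: 192.0.2.10 and 192.0.2.11 stand for sensor addresses,
-- 192.0.2.50 for the analyst workstation running mysqlids, and
-- 'newpassword' for the real snort password.
--
-- Run on the server:  cd \mysql\bin   then   mysql -u root -p

CREATE DATABASE snort_db;
USE snort_db;
-- Load the schema from the Snort contrib script (same step as in the text).
SOURCE create_mysql

-- Weak setting: what the stock snort.conf output line would need, a root
-- account with a known password reachable from every host. Do not create it.
-- GRANT ALL PRIVILEGES ON *.* TO root@'%' IDENTIFIED BY 'test';

-- What the text grants: all privileges on snort_db only, and only from the
-- hosts listed under "Add host from which the user can connect". One GRANT
-- per sensor; a sensor connecting from an unlisted address is refused.
GRANT ALL PRIVILEGES ON snort_db.* TO snort@'192.0.2.10' IDENTIFIED BY 'newpassword';
GRANT ALL PRIVILEGES ON snort_db.* TO snort@'192.0.2.11' IDENTIFIED BY 'newpassword';
-- Tighter alternative to ALL: the database plugin inserts rows, reads the
-- sensor and signature tables and keeps sensor.last_cid updated, so
-- INSERT, SELECT, UPDATE ON snort_db.* is sufficient for a sensor.

-- The mysqlids client only reads (IDS_DB_USER=snort), so the workstation
-- it runs on gets SELECT alone rather than the set the sensors need.
GRANT SELECT ON snort_db.* TO snort@'192.0.2.50' IDENTIFIED BY 'newpassword';

-- Verify the result for one host.
SHOW GRANTS FOR snort@'192.0.2.50';
```

Because the privileges are keyed by user and host, adding a new sensor later means one more GRANT for its address rather than widening the existing account to '%'.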

MYSQLIDS is configured through the following environment variables, which must be set at the system level:
IDS_DB_SERVER=server_ip
IDS_DB_USER=snort
IDS_DB_PASS=newpassword

On the client, install MYODBC-3.51.06. Now you may start mysqlids (2k or XP, as appropriate to the client). You’ll see an informational dialog box showing the server, user and password information being used to contact the snort_db database. Start by selecting one or more sensors and a sample interval, set the time zone correction, decide whether to include the payload, then hit the Generate Report button. Use the Open Output button after the cursor returns to view the report.
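
What the Generate Report step amounts to at the SQL level, as an added example rather than MYSQLIDS's own query. It assumes the standard Snort create_mysql schema (sensor, event, signature, iphdr and data tables with the columns named in the comments), MySQL 3.23 syntax (joins in the WHERE clause, no subqueries), and constructed values for the selected sensors (ids 1 and 2), the sample interval and a -5 hour correction from the sensors' clock to the analyst's local time.

```sql
-- Added example, not MYSQLIDS's own query. Assumes the Snort create_mysql
-- schema: sensor(sid, hostname), event(sid, cid, signature, timestamp),
-- signature(sig_id, sig_name, sig_priority), iphdr(sid, cid, ip_src, ip_dst)
-- and data(sid, cid, data_payload). Constructed inputs: sensors 1 and 2,
-- a six-hour sample interval, and a -5 hour time zone correction.

-- Triage view: one row per sensor / signature / source / destination in the
-- interval, worst priority first (Snort priority 1 is the highest), then the
-- noisiest pairs. Timestamps are shifted to the analyst's zone only in the
-- output; the WHERE clause stays in the time the sensor stored.
SELECT s.hostname,
       sig.sig_name,
       sig.sig_priority,
       INET_NTOA(ip.ip_src) AS src,
       INET_NTOA(ip.ip_dst) AS dst,
       COUNT(*)             AS hits,
       DATE_ADD(MIN(e.timestamp), INTERVAL -5 HOUR) AS first_seen_local,
       DATE_ADD(MAX(e.timestamp), INTERVAL -5 HOUR) AS last_seen_local
FROM   event e, sensor s, signature sig, iphdr ip
WHERE  e.sid = s.sid
  AND  e.signature = sig.sig_id
  AND  ip.sid = e.sid AND ip.cid = e.cid
  AND  e.sid IN (1, 2)
  AND  e.timestamp >= '2004-03-01 00:00:00'
  AND  e.timestamp <  '2004-03-01 06:00:00'
GROUP BY s.hostname, sig.sig_name, sig.sig_priority, ip.ip_src, ip.ip_dst
ORDER BY sig.sig_priority, hits DESC, last_seen_local DESC;

-- "Payload or not": the database plugin stores data_payload hex-encoded
-- (its default encoding), so copying it into the text report produces an
-- inert string. Fetch it per event, only for rows that warrant a closer look
-- (sid 1 / cid 4711 is a constructed event id).
SELECT e.sid, e.cid, e.timestamp, d.data_payload
FROM   event e, data d
WHERE  d.sid = e.sid AND d.cid = e.cid
  AND  e.sid = 1 AND e.cid = 4711;
```

Filtering on the stored timestamp and converting only the displayed columns is what keeps the query correct when sensors in different zones are selected together: the correction changes what the analyst reads, not which rows the interval matches.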