Network Security Hacks [Electronic resources] - text version

Andrew Lockhart

Hack 83 Keep Track of Alerts

Use ACID to make sense of your IDS logs.


Once you have set up Snort to log
information to your database [Hack #82],
you may find it hard to cope with all the data that it generates.
Very busy and high-profile sites can generate a huge number of Snort
warnings that eventually need to be tracked down. One way to
alleviate the problem is to install ACID
(http://acidlab.sourceforge.net).

ACID, otherwise known as
the Analysis Console for Intrusion Databases,
is a web-based frontend
to databases that contain alerts from intrusion detection systems. It
features the ability to search for alerts based on a variety of
criteria, such as alert signature, time of detection, source and
destination address and ports, as well as payload or flag values.
ACID can display the packets that triggered the
alerts, as well as decode their layer-3 and layer-4 information.
ACID also contains alert management features
that allow you to group alerts based on incident, delete acknowledged
or false positive alerts, email alerts, or archive them to another
database. ACID also provides many different
statistics on the alerts in your database based on time, the sensor
they were generated by, signature, and packet-related statistics such
as protocol, address, or port.

To install ACID, you'll first
need a web server and a working installation of
PHP (e.g., Apache and
mod_php), as well as a Snort installation that has
been configured to log to a database (e.g., MySQL). You will also
need a couple of PHP code libraries: ADODB (http://php.weblogs.com/adodb) for database
abstraction and either
PHPlot (http://www.phplot.com) or
JPGraph (http://www.aditus.nu/jpgraph) for graphics
rendering.

After you have downloaded these packages, unpack them into a
directory that can be used to execute PHP content on the web server.
Next, change to the directory that was created by unpacking the
ACID distribution (i.e.,
./acid) and edit the
acid_conf.php file. Here you will need to tell
ACID where to find ADODB and JPGraph, as well as
how to connect to your Snort database.

You can do this by changing these variables to similar values that
fit your situation:

$DBlib_path = "../adodb";      // ADODB, relative to the acid directory (PHP variable names are case-sensitive)
$DBtype = "mysql";
$alert_dbname = "SNORT";
$alert_host = "localhost";
$alert_port = "";              // empty string: use the local server's default port
$alert_user = "snort";
$alert_password = "snortpass";

This will tell ACID to look for the ADODB code
in the adodb directory at the same directory
level as the acid directory. In addition, it
will tell ACID to connect to a MySQL database
called SNORT that is running on the local machine,
using the user snort with the password
snortpass. Since it is connecting to a MySQL
server on the local machine, there is no need to specify a port
number. If you want to connect to a database running on another
system, you should specify 3389, which is the
default port used by MySQL.

Additionally, you can configure an
archive database for ACID using variables that
are similar to the ones used to configure the alert database. The
following variables will need to be set to use
ACID's archiving features:

$archive_dbname
$archive_host
$archive_port
$archive_user
$archive_password

To tell ACID
where to find the graphing library that you want to use,
you will need to set the $ChartLib_path variable.
If you are using
JPGraph 1.13 and have unpacked it from the
same directory you unpacked the ACID
distribution, you would enter something like this:

$ChartLib_path = "../jpgraph-1.13/src";
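As an added sanity check that is not part of this hack or of ACID itself, the following Python script parses an acid_conf.php-style file and reports the mistakes that are easy to make in the settings above: a missing or malformed assignment (such as an unterminated `$alert_port = ";`), a remote database host with no port, a library path that does not resolve relative to the acid directory, and an empty or sample password. The directory layout and configuration values it checks are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path
# acid_conf.php is plain PHP; ACID only needs simple `$name = "value";` lines,
# so that is all this (hypothetical, not ACID's own) checker parses.
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*"([^"]*)"\s*;')
REQUIRED = ("DBlib_path", "DBtype", "alert_dbname", "alert_host",
            "alert_port", "alert_user", "alert_password", "ChartLib_path")

def parse_acid_conf(text):
    """Return {variable: value} for every well-formed quoted assignment."""
    return {m.group(1): m.group(2) for m in ASSIGN_RE.finditer(text)}

def check_acid_conf(text, acid_dir):
    """List problems; acid_dir holds acid_conf.php, so '../adodb' resolves as PHP sees it."""
    conf = parse_acid_conf(text)
    problems = [f"${n} missing or not a simple quoted assignment"
                for n in REQUIRED if n not in conf]
    port = conf.get("alert_port", "")
    if port and not port.isdigit():
        problems.append(f"$alert_port must be empty or numeric, got {port!r}")
    if conf.get("alert_host", "localhost") not in ("localhost", "127.0.0.1") and not port:
        problems.append("remote $alert_host needs $alert_port (MySQL listens on 3306 by default)")
    for n in ("DBlib_path", "ChartLib_path"):
        if n in conf and not (Path(acid_dir) / conf[n]).is_dir():
            problems.append(f"${n} does not resolve to a directory: {conf[n]}")
    if conf.get("alert_password") in ("", "snortpass"):
        problems.append("$alert_password is empty or the sample value from this hack")
    return problems

# Constructed sample: the settings from this hack, plus a copy carrying the
# unterminated-string typo ($alert_port = ";) that PHP would choke on.
GOOD_CONF = '''$DBlib_path = "../adodb";
$DBtype = "mysql";
$alert_dbname = "SNORT";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "s3cret-example";
$ChartLib_path = "../jpgraph-1.13/src";
'''
BROKEN_CONF = GOOD_CONF.replace('$alert_port = "";', '$alert_port = ";')

def demo():
    """Lay out acid/, adodb/ and jpgraph-1.13/src/ side by side in a temp dir; return (good, broken) problems."""
    root = Path(tempfile.mkdtemp())
    for d in ("acid", "adodb", "jpgraph-1.13/src"):
        (root / d).mkdir(parents=True)
    return (check_acid_conf(GOOD_CONF, root / "acid"),
            check_acid_conf(BROKEN_CONF, root / "acid"))
```

Run `demo()` to see the clean configuration pass and the copy with the typo reported; point `check_acid_conf` at your own acid directory to check a real file.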

Congratulations! You're finished mucking about in
configuration files for the time being. Now open a web browser and go
to the URL that corresponds to the directory where you unpacked
ACID. You should then be greeted with a database
setup page as shown in Figure 7-1.


Figure 7-1. The ACID database setup page



Before you can use
ACID, it must create some database tables for
its own use. To do this, click the Create ACID AG button. After this,
you should see a screen confirming that the tables were created. In
addition, you can have ACID create indexes for
your events table if this was not done prior to setting up
ACID. Indexes will greatly speed up queries as
your events table grows, at the expense of using a little more disk
space. Once you are done with the setup screen, you can click the
Home link to go to the main ACID page, as seen
in Figure 7-2.


Figure 7-2. ACID's main page



ACID has a fairly intuitive user interface. The
main table provides plenty of links to see many useful views of the
database at a glance, such as the list of source or destination IP
addresses associated with the alerts in your database, as well as the
source and destination ports.



/ 158