Network Security Hacks [Electronic resources], text version

Andrew Lockhart


Hack 85 Manage a Sensor Network



Use SnortCenter's easy-to-use
web interface to manage your NIDS sensors.


Managing an IDS sensor and keeping
track of the alerts it generates can be a daunting task, and even
more so when you're dealing with multiple sensors.
One way to unify all your IDS management tasks into a single
application is to use SnortCenter
(http://users.pandora.be/larc/),
a management system for Snort.


SnortCenter consists of a web-based console
and a sensor agent that runs on each machine in your NIDS
infrastructure. It lets you unify all of your management and
monitoring duties in one program, which can help you get your work
done quickly. SnortCenter has its own user
authentication scheme and supports encrypted communication between
the web-based management console and the individual sensor agents.
This lets you update multiple sensors with new Snort rules, or
create rules of your own and push them to your sensors, without
exposing them in transit.
SnortCenter also allows you to start and stop
your sensors remotely through its management interface. To monitor
the alerts from your sensors, SnortCenter can
integrate with ACID [Hack #83].


To set up
SnortCenter, you'll first need to
install the management console on a web server that has both
PHP support and access to
a MySQL database server where
SnortCenter can store its configuration
database. To install the management console, download the
distribution from the download page (http://users.pandora.be/larc/download/) and
unpack it. This will create a directory called
www (so be sure not to unpack it where
there's already a www
directory) containing SnortCenter's PHP scripts,
graphics, and SQL schemas. Then, copy the contents of the
www directory to a suitable location within your
web server's document root.


For example:


# tar xfz snortcenter-v1.0-RC1.tar.gz
# cp -R www /var/www/htdocs/snortcenter


In order for SnortCenter to communicate with
your database, you'll need to install
ADODB (http://php.weblogs.com/adodb) as well. This
is a PHP package that provides database abstraction functionality.
After you've downloaded the ADODB code, unpack it
into your document root (e.g., /var/www/htdocs).


You'll also need to install curl (http://curl.haxx.se). Download the source
distribution, unpack it, and run ./configure && make && make
install. Alternatively, it might be available with your
operating system (Red Hat has a curl RPM, and *BSD includes it in the
ports tree).


After that's out of the way, you'll
need to edit
SnortCenter's
config.php (e.g.,
/var/www/htdocs/snortcenter/config.php) and
change these variables to similar values that fit your situation:


$DBlib_path = "../adodb/";
$DBtype = "mysql";
$DB_dbname = "SNORTCENTER";
$DB_host = "localhost";
$DB_port = "";
$DB_user = "snortcenter";
$DB_password = "snortcenterpass";
$hidden_key_num = 1823701983719312;


This configuration tells SnortCenter to look
for the ADODB code in the adodb directory
located at the same directory level as the one containing
SnortCenter. In addition, it tells
SnortCenter to connect to a
MySQL database called
SNORTCENTER that is running on the local machine
as the user snortcenter with the password
snortcenterpass. Since it is connecting to a MySQL
server on the local machine, there is no need to specify a port. If
you want to connect to a database running on another system,
specify 3306 for the port, which is the
default used by MySQL. Set $hidden_key_num to a
random number of your own rather than the value shown, and replace the
example password with one of your own. Because config.php holds the
database password in clear text, make the file readable only by the
account the web server runs as, not by other users on the machine.


After you're done editing
config.php, you'll need to
create the database and user you specified and set the proper
password for it:


$ mysql -u root -p mysql
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 27 to server version: 3.23.55
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> create database SNORTCENTER;
Query OK, 1 row affected (0.01 sec)
mysql> GRANT SELECT,INSERT,UPDATE,DELETE ON SNORTCENTER.* TO snortcenter@localhost
    -> IDENTIFIED BY 'snortcenterpass';
Query OK, 0 rows affected (0.00 sec)
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.02 sec)
mysql> quit
Bye


Now create the database tables from the snortcenter_db.mysql schema
file that ships in the www directory you copied:


$ mysql -u root -p SNORTCENTER < snortcenter_db.mysql
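Putting the config.php and database steps above together, as an added example that is not code from the book or from the SnortCenter project: the script below rewrites the database settings in an existing config.php with a freshly generated $hidden_key_num and database password, tightens the file's permissions, and prints the GRANT for the new password so it can be fed to mysql as root. The paths and the www-data group are assumptions for the example, not something the page states.

```shell
#!/bin/sh
# Added example for this hack; not code from the book or from SnortCenter.
# Rewrites the DB settings in an existing config.php with a random
# $hidden_key_num and a random DB password, tightens the file's mode, and
# prints the least-privilege GRANT for "mysql -u root -p".
# Assumptions not on the page: console unpacked under
# /var/www/htdocs/snortcenter, PHP running in the www-data group.

# 16-digit random $hidden_key_num from /dev/urandom. The first digit is
# 1-9 because PHP would read a leading 0 as an octal literal.
gen_hidden_key() {
    printf '%s%s' "$(LC_ALL=C tr -dc '1-9' < /dev/urandom | head -c 1)" \
                  "$(LC_ALL=C tr -dc '0-9' < /dev/urandom | head -c 15)"
}

# 24-character DB password from [A-Za-z0-9]: no escaping needed inside a
# PHP double-quoted string or a SQL single-quoted string.
gen_db_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
}

# set_php_var FILE NAME VALUE: replace the whole "$NAME = ...;" line in FILE.
# VALUE is written verbatim, so pass the quotes yourself for string values.
set_php_var() {
    file=$1; name=$2
    esc=$(printf '%s' "$3" | sed 's/[\/&]/\\&/g')   # protect sed specials
    sed -i.bak "s/^\\\$$name *=.*/\$$name = $esc;/" "$file" && rm -f "$file.bak"
}

# configure_console CONFIG DB_HOST DB_PORT GRANT_HOST
#   DB_PORT: "" for the local socket, 3306 (MySQL's default) for a remote
#   server. GRANT_HOST: where the console connects from as the DB server
#   sees it (localhost here; the console's address for a remote DB).
# Prints the SQL to run as the MySQL root user.
configure_console() {
    cfg=$1; db_host=${2:-localhost}; db_port=${3:-}; grant_host=${4:-localhost}
    key=$(gen_hidden_key)
    pass=$(gen_db_password)
    set_php_var "$cfg" DB_host "\"$db_host\""
    set_php_var "$cfg" DB_port "\"$db_port\""
    set_php_var "$cfg" DB_user '"snortcenter"'
    set_php_var "$cfg" DB_password "\"$pass\""
    set_php_var "$cfg" hidden_key_num "$key"
    # config.php now holds the DB password: owner and web-server group only.
    # As root, "chgrp www-data config.php" so PHP can still read it.
    chmod 640 "$cfg"
    printf "GRANT SELECT,INSERT,UPDATE,DELETE ON SNORTCENTER.* TO snortcenter@'%s' IDENTIFIED BY '%s';\n" \
        "$grant_host" "$pass"
    printf 'FLUSH PRIVILEGES;\n'
}

# Usage (assumed paths):
#   configure_console /var/www/htdocs/snortcenter/config.php localhost "" localhost > grant.sql
#   mysql -u root -p < grant.sql
```

The GRANT deliberately stays at SELECT, INSERT, UPDATE and DELETE: the schema is loaded once as root, and the console account never needs DDL or GRANT rights on the server.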


Congratulations, it's time to try out
SnortCenter! To do this, go to the URL that
corresponds to where you installed it within your document root
(e.g., http://example.com/snortcenter/). You should
see something like Figure 7-5.



Figure 7-5. The SnortCenter login page





Enter in the default login/password
admin/change, and then click
the Login button. After you do that, you should see a page similar to
Figure 7-6.



Figure 7-6. The initial SnortCenter main page





Now that you know that the management console has been installed
successfully, you can move on to installing the agent. But before
doing that, change the password for the admin account: the default
is published and anyone who can reach the console knows it. To
do this, click on the Admin button, then click on the User
Administration menu item that appears. After that, click on View
Users. You should then see a page like Figure 7-7.



Figure 7-7. SnortCenter's user listing page





Clicking on the icon to the left of the username should bring you to
a page similar to Figure 7-8; here you can
edit the admin
account''s information, including the password.



Figure 7-8. Changing the admin account's password and email address





Now you can go on to set up your
sensor agents (really,
I'm serious this time).


SnortCenter's sensor agents are
written in Perl and require the
Net::SSLeay module to communicate with the
management console through a secure channel. If you have
Perl's CPAN module installed, you can install
Net::SSLeay easily by running the following
command:


# perl -MCPAN -e "install Net::SSLeay"


To install the sensor code, you'll first need to
unpack it. This will create a directory called
sensor containing all of the sensor agent code.
Then copy that directory to a suitable permanent location.


For example:


# tar xfz /tmp/snortcenter-agent-v1.0-RC1.tar.gz
# cp -R sensor /usr/local/snortcenter


Next you'll need to create an SSL
certificate for the sensor. You can do
this by running the following command:


# cd /usr/local/snortcenter
# mkdir conf
# openssl req -new -x509 -days 3650 -nodes \
-out conf/sensor.pem -keyout conf/sensor.pem


Alternatively, you can create a signed certificate [Hack #45]
and use that. Either way, -nodes leaves the private key unencrypted
inside sensor.pem (the agent has to start without anyone typing a
passphrase), so make sure the file is readable only by the user the
agent runs as.


After you've done that, run the sensor
agent's setup script:


# sh setup.sh
****************************************************************************
* Welcome to the SnortCenter Sensor Agent setup script, version 1.0 RC1 *
****************************************************************************
Installing Sensor in /usr/local/snortcenter ...
****************************************************************************
The Sensor Agent uses separate directories for
configuration files and log files.
Unless you want to place them in a other directory, you
can just accept the defaults.
Config file directory [/usr/local/snortcenter/conf]:


This script will prompt you for several pieces of information: the
sensor agent's configuration file and log
directories, the full path to the perl binary
(e.g., /usr/bin/perl), and the location
of your snort binary and rules. It will also ask
about your operating system, what port and IP
address you want the sensor agent to listen on (the default is TCP
port 2525), and which IP addresses are allowed to connect to the
agent; restrict that list to the management console's address, since
whoever can log into the agent can start and stop Snort and replace
its rules. Finally, it will ask you to set the login and password
that the management console will use when it logs into the agent.
After it has prompted you for all the information it needs, it will
start the sensor agent on the port and IP address specified in the
configuration file. You can now test the sensor agent by
accessing it with your web browser (be sure to use
https instead of http; the browser will warn about the
self-signed certificate). You
should see a page similar to Figure 7-9 after
entering the login and password you chose in the setup script.



Figure 7-9. The sensor agent direct console page
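Added example covering the certificate step above and the first connection to the agent; it is not code from the book or from SnortCenter. It creates conf/sensor.pem the same way the openssl command above does (unencrypted key and self-signed certificate in one file), locks the file down, checks that key and certificate belong together, and records the certificate's SHA-256 fingerprint so that the console side can later confirm it is talking to the agent it set up rather than to whatever happens to answer on port 2525. The sensor name, the port (the setup script's default) and the presence of the openssl command-line tool on both hosts are assumptions for the example.

```shell
#!/bin/sh
# Added example for this hack; not code from the book or from SnortCenter.
# Builds conf/sensor.pem as the page's openssl command does, restricts who
# can read the unencrypted key, checks key/cert consistency, and pins the
# certificate's SHA-256 fingerprint for later checks from the console.
# Assumptions not on the page: sensor hostname used as CN, agent on TCP
# 2525 (setup.sh default), openssl CLI installed on both hosts.

AGENT_PORT=2525

# make_agent_cert DIR CN: write DIR/conf/sensor.pem holding a 2048-bit RSA
# key (-nodes: no passphrase, the agent must start unattended) followed by
# a ten-year self-signed certificate. openssl appends the certificate when
# -out and -keyout name the same file. umask 077 runs in a subshell so the
# file is created mode 0600 without changing the caller's umask.
make_agent_cert() {
    dir=$1; cn=$2
    mkdir -p "$dir/conf"
    ( umask 077 && openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 \
          -subj "/CN=$cn" \
          -out "$dir/conf/sensor.pem" -keyout "$dir/conf/sensor.pem" 2>/dev/null )
    chmod 600 "$dir/conf/sensor.pem"
}

# keypair_matches PEM: true when the private key and the certificate in the
# combined file carry the same public key (both printed as SPKI PEM).
keypair_matches() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_fingerprint PEM: SHA-256 fingerprint of the certificate as the
# colon-separated hex openssl prints after "Fingerprint=". Record this on
# the sensor at install time, before the console ever connects.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# compare_fingerprint PINNED LIVE: exact match only; an empty LIVE value
# (connection failed, no certificate returned) never counts as a match.
compare_fingerprint() {
    [ -n "$2" ] && [ "$1" = "$2" ]
}

# check_agent_fingerprint HOST PINNED: fetch the certificate the running
# agent presents on AGENT_PORT and compare it with the pinned value. A
# self-signed certificate gives no identity on its own; without a check
# like this the console accepts whatever certificate answers on that port.
check_agent_fingerprint() {
    live=$(openssl s_client -connect "$1:$AGENT_PORT" </dev/null 2>/dev/null \
           | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//')
    compare_fingerprint "$2" "$live"
}

# Usage on the sensor (assumed paths):
#   make_agent_cert /usr/local/snortcenter sensor1.example.com
#   keypair_matches /usr/local/snortcenter/conf/sensor.pem && \
#       cert_fingerprint /usr/local/snortcenter/conf/sensor.pem   # pin this value
# Later, from the console host:
#   check_agent_fingerprint sensor1.example.com 'AB:CD:...'       # pinned value
```

Compare the pinned value against what your browser shows for the certificate the first time you open the agent's https page; after that, a changed fingerprint on port 2525 means either the sensor was rebuilt or something else is answering for it.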





Now you can go
back to the
main management console and add the sensor to it. To do this, log
back into the management console and select Add Sensor from the
Sensor Console menu. After doing this, you should see something
similar to Figure 7-10.



Figure 7-10. Adding a sensor agent





Fill in the information that you used when running the setup script
and click the Save button. When the next page loads, the sensor that
you just added should appear in the sensor list. You can push a basic
configuration to the sensor by opening the Admin menu, then selecting
the Import/Update Rules item, and then Update from Internet. After
you've done that, go back to the sensor list by
clicking View Sensors in the Sensor Consoles menu, and then click the
Push hyperlink for the sensor. To start Snort on that particular
sensor, click the Start link. After you've done
that, you should see a page similar to Figure 7-11.



Figure 7-11. SnortCenter's sensor list after starting a sensor





You can now configure your sensor by using the Sensor Config and
Resources menus. Once you've created a configuration
you're satisfied with, you can push it to your
sensor(s) by going back to the sensor list and selecting
Push.


