Snort-Setup for Statistics HOWTO

Sandro Poppi

<spoppi at gmx.de>

v1.01, Feb 23, 2002

Revision History
Revision 1.01	2002-02-23	Revised by: sp
- added "Setting up Linux for Snort" section - added mysql option -p - added some clarifications in mysql section
Revision 1.0	2002-01-01	Revised by: sp
- first release version - moved to snort version 1.8.3 - changed RPMS to point to www.snort.org - added link for my snortd initscript - added warning about automatic rule update - added hint to IDSPM - changed for rule files to /etc/snort to reflect snort.org's RPMS - as allways: clarified some parts
Revision 0.05	2001-11-14	Revised by: sp
- renamed HOWTO to Snort-Setup for Statistics HOWTO - added short statistic script which I was inspired by Greg Sarsons - clarified some parts and corrected some typos
Revision 0.04	2001-09-29	Revised by: sp
- added section "snort internal statistics" suggested from Greg Sarson - added short statistic script contributed by Greg Sarson but commented it out to get a more general version
Revision 0.03	2001-09-19	Revised by: sp
- added throttle option to swatch.conf - changed ACID to version 0.9.6b15 - added some comments in ACID section - added MD5 checksum section but commented it out
Revision 0.02	2001-09-16	Revised by: sp
Some clarifications as suggested from Greg Sarsons, thx ;)
Revision 0.01	2001-09-04	Revised by: sp
Initial version

This HOWTO describes how to configure Snort version 1.8.3 to be used in conjunction with the statistical tools ACID (Analysis Console for Intrusion Databases) and SnortSnarf. It also intends to get some internal statistics out of snort, e.g. if there are packets dropped.

Additionally a description of how to automatically update Max Vision's rules, some scripts which may be helpful and a demo swatch configuration is included.

Table of Contents

1. Introduction

1.1. Copyright Information
1.2. Disclaimer
1.3. New Versions
1.4. Credits
1.5. Feedback
1.6. Translations

2. Structure

3. Technical Overview

4. Configuration

4.1. Setting up Linux for Snort

4.2. Configuring Snort

4.2.1. /etc/snort/snort.conf
4.2.2. /etc/rc.d/init.d/snortd
4.2.3. /etc/snort/snort-check
4.2.4. Snort internal Statistics
4.2.5. Testing Snort

4.3. Configuring MySQL

4.4. Configuring ADODB

4.5. Configuring PHPlot

4.6. Configuring ACID

4.7. Configuring SnortSnarf

4.8. Configuring Arachnids_upd

4.9. Configuring Swatch

5. Security Issues

6. Getting Help

7. Questions and Answers

1. Introduction

This document was written when I created an IDS sensor with Snort and using some statistic tools in order to help others implementing it. If at least one out there can be helped it has been worth the work.

Snort is an excellent Network Intrusion Detection System (NIDS) for various unices. The Snort homepage can be found at http://www.snort.org/. The version described here is 1.8.3 which was the actual version at the time of writing.

The statistic tools I will describe here are ACID, a database analysis tool for Snort which can be found at http://www.cert.org/kb/acid/ and SnortSnarf, a statistic tool for Snort logs downloadable from http://www.silicondefense.com/software/snortsnarf/index.htm.

Additional support packages are needed for ACID. These are a PHP4 capable webserver like apache (http://www.apache.org/), PHPlot used for creating graphs in PHP (http://www.phplot.com/) and ADODB used for connecting to databases with PHP (http://php.weblogs.com/ADODB/).

The description also includes which additional software is needed for ACID and how to configure along with some scripts I use including a changed version of the snortd initscript and a short chapter about swatch (http://www.stanford.edu/~atkins/swatch) a log file watcher script written in perl. I created a swatch RPM which can be found at http://www.lug-burghausen.org/projects/Snort-Statistics/swatch-3.0.2-1.noarch.rpm.

One hint for those interested in maintaining more than one snort sensor: You might take a look at IDSPM (IDS Policy Manager) at http://www.activeworx.com/ which is an application to maintain various sensors with different policies along with merging capabilities for new rules and a lot more. The only "nasty" thing is that it runs on W2K/XP and is not (yet?) Open Source.

1.1. Copyright Information

Unless otherwise stated, Linux HOWTO documents are copyrighted by their respective authors. Linux HOWTO documents may be reproduced and distributed in whole or in part, in any medium physical or electronic, as long as this copyright notice is retained on all copies. Commercial redistribution is allowed and encouraged; however, the author would like to be notified of any such distributions.

All translations, derivative works, or aggregate works incorporating any Linux HOWTO documents must be covered under this copyright notice. That is, you may not produce a derivative work from a HOWTO and impose additional restrictions on its distribution. Exceptions to these rules may be granted under certain conditions; please contact the Linux HOWTO coordinator at the address given below.

In short, we wish to promote dissemination of this information through as many channels as possible. However, we do wish to retain copyright on the HOWTO documents, and would like to be notified of any plans to redistribute the HOWTOs.

If you have any questions, please contact <linux-howto at metalab.unc.edu>

1.2. Disclaimer

No liability for the contents of this documents can be accepted. Use the concepts, examples and other content at your own risk. As this is a new edition of this document, there may be errors and inaccuracies, that may of course be damaging to your system. Proceed with caution, and although this is highly unlikely, the author(s) do not take any responsibility for that.

All copyrights are held by their respective owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark.

Naming of particular products or brands should not be seen as endorsements.

You are strongly recommended to take a backup of your system before major installation and backups at regular intervals.

1.3. New Versions

This is the initial release.

The main site for this HOWTO is http://www.lug-burghausen.org/projects/Snort-Statistics/.

Mirrors may be found at the Linux Documentation Project or Snort homepages.

The newest version of this HOWTO will always be made available on the main website, in a variety of formats:

1.4. Credits

Credits go to a variaty of people including

Martin Roesch <roesch at sourcefire.com> Author of Snort
Roman Danyliw <roman at danyliw.com> Author of ACID
James Hoagland <hoagland at SiliconDefense.com> Author of SnortSnarf
Stuart Staniford <stuart at SiliconDefense.com> Author of SnortSnarf
Joe McAlerney <joey at siliconDefense.com> Author of SnortSnarf
John Lim <jlim at natsoft.com.my> Author of ADODB
Afan Ottenheimer <afan at users.sourceforge.net> Author of PHPlot
Andreas Östling <andreaso at it.su.se> Author of arachnids_upd
Max Vision <vision at whitehats.com> "Distributor" of vision.rules and maintainer of http://www.whitehats.com/
Greg Sarsons <gsarsons at home.com> for proof reading and suggestions
All the peaople on the snort-users mailinglist, they helped me and of course they will help YOU >;)
...

If I missed someone it was not because of not honoring her or his work!

1.5. Feedback

Feedback is most certainly welcome for this document. Without your submissions and input, this document wouldn't exist. Please send your additions, comments and criticisms to the following email address : <spoppi at gmx.de>.

1.6. Translations

There are currently no translations available.