Recipe 5.6. Installing and Configuring ACID

Problem

You want to use ACID to analyze your Snort output.

Solution

Follow the recipes for Installing and Configuring MySQL (Recipe 2.11), Installing Snort Binaries on Linux (Recipe 1.2), and Configuring MySQL for Snort (Recipe 2.12). Make sure that when you install Snort you use the configure --with-mysql=/usr/local/mysql option.

First, install Apache. At the time of this writing, the current version is 2.0.50. Use the following commands to install Apache:

[root@localhost root]# tar zxvf httpd-2.0.50.tar.gz
[root@localhost root]# cd httpd-2.0.50
[root@localhost httpd-2.0.50]# ./configure --prefix=/www --enable-so
[root@localhost httpd-2.0.50]# make
[root@localhost httpd-2.0.50]# make install
[root@localhost httpd-2.0.50]# /www/bin/apachectl start

Next, check that the web server is working by opening a web browser and entering your IP address or "localhost". You should see the default Apache web page.

Next, install PHP. You must install Version 4.3.8 because the current version, 5.0.0, does not work with ACID. Use the following commands to install PHP:

[root@localhost root]# tar zxvf php-4.3.8.tar.gz
[root@localhost root]# cd php-4.3.8
[root@localhost php-4.3.8]# ./configure --prefix=/www/php --with-apxs2=/www/bin/apxs --with-config-file-path=/www/php --enable-sockets --with-mysql=/usr/local/mysql --with-zlib-dir=/usr/local --with-gd
[root@localhost php-4.3.8]# make
[root@localhost php-4.3.8]# make install
[root@localhost php-4.3.8]# cp php.ini-dist /www/php/php.ini

Make the following changes to the /www/conf/httpd.conf file:

[root@localhost php-4.3.8]# cd /www/conf
[root@localhost conf]# vi httpd.conf

Change the line:

DirectoryIndex index.html index.html.var

to:

DirectoryIndex index.php index.html index.html.var

Also, add the following line under the AddType section:

AddType application/x-httpd-php .php

Next, create links for the startup scripts so that the web server starts when you boot into run levels 3 and 5 (run level 3 is full multiuser mode, and run level 5 is the X Window System):

[root@localhost conf]# cd /www/bin
[root@localhost bin]# cp apachectl /etc/init.d/httpd
[root@localhost bin]# cd /etc/rc3.d
[root@localhost rc3.d]# ln -s ../init.d/httpd S85httpd
[root@localhost rc3.d]# ln -s ../init.d/httpd K85httpd
[root@localhost rc3.d]# cd /etc/rc5.d
[root@localhost rc5.d]# ln -s ../init.d/httpd S85httpd
[root@localhost rc5.d]# ln -s ../init.d/httpd K85httpd

Next, test the configuration with the following commands:

[root@localhost rc5.d]# cd /www/htdocs
[root@localhost htdocs]# echo "<?php phpinfo(); ?>" > test.php
[root@localhost htdocs]# /etc/init.d/httpd stop
[root@localhost htdocs]# /etc/init.d/httpd start

Next, install ADODB. At the time of this writing, the latest version is 4.5.1:

[root@localhost root]# tar zxvf adodb451.tgz
[root@localhost root]# cp -R ./adodb/ /www/htdocs

Next, install JPGraph. The current version at the time of this writing is 1.16. Use the following commands to install JPGraph:

[root@localhost root]# cp jpgraph-1.16.tar.gz /www/htdocs
[root@localhost root]# cd /www/htdocs
[root@localhost htdocs]# tar zxvf jpgraph-1.16.tar.gz
[root@localhost htdocs]# rm -rf jpgraph-1.16.tar.gz

Now you are ready to install ACID. The current version at the time of this writing is 0.9.6b23. Use the following commands to install ACID:

[root@localhost htdocs]# cd /root
[root@localhost root]# cp acid-0.9.6b23.tar.gz /www/htdocs
[root@localhost root]# cd /www/htdocs
[root@localhost htdocs]# tar zxvf acid-0.9.6b23.tar.gz
[root@localhost htdocs]# rm -rf acid-0.9.6b23.tar.gz
[root@localhost htdocs]# cd acid
[root@localhost acid]# vi acid_conf.php

Next, you must make a few configuration changes. Make sure the /www/htdocs/acid/acid_conf.php file contains the following information:

$DBlib_path = "/www/htdocs/adodb";

/* Alert DB connection parameters
 *   - $alert_dbname   : MySQL database name of Snort alert DB
 *   - $alert_host     : host on which the DB is stored
 *   - $alert_port     : port on which to access the DB
 *   - $alert_user     : login to the database with this user
 *   - $alert_password : password of the DB user
 *
 * This information can be gleaned from the Snort database
 * output plugin configuration.
 */
$alert_dbname   = "snort";
$alert_host     = "localhost";
$alert_port     = "";
$alert_user     = "root";
$alert_password = "newpassword";

/* Archive DB connection parameters */
$archive_dbname   = "snort";
$archive_host     = "localhost";
$archive_port     = "";
$archive_user     = "root";
$archive_password = "newpassword";

$ChartLib_path = "/www/htdocs/jpgraph-1.16/src";

To continue with the configuration, open a web browser to http://localhost/acid/acid_main.php (Figure 5-16). Click on the Setup page link to continue (Figure 5-17).

Figure 5-16. ACID initial setup page

Figure 5-17. ACID database setup

Next, click the button that says Create ACID AG. You now see that four tables were successfully created (Figure 5-18). Now when you go back to the main ACID page, it displays the Snort sensor statistics (Figure 5-19).

Figure 5-18. ACID database setup complete

Figure 5-19. ACID main page
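Two checks for the configuration steps above, written as an added example (not code from the Snort Cookbook or from the ACID project): the first applies the two httpd.conf edits idempotently and verifies them, the second confirms that the $DBlib_path and $ChartLib_path values in acid_conf.php point at directories that exist. Both take the file path as an argument, so the /www prefix from the recipe is only an assumption about where you run them.

```shell
#!/bin/sh
# Added example, not code from the Snort Cookbook. Two checks for the recipe's
# configuration steps: apply and verify the two httpd.conf edits, and confirm
# that the library paths set in acid_conf.php point at real directories.

# configure_php_httpd_conf FILE
# Puts index.php first in DirectoryIndex and adds the PHP AddType mapping once,
# so running it again on an already-edited file changes nothing.
configure_php_httpd_conf() {
    conf="$1"
    [ -f "$conf" ] || return 1
    if ! grep -q '^[[:space:]]*DirectoryIndex .*index\.php' "$conf"; then
        sed 's/^\([[:space:]]*\)DirectoryIndex /\1DirectoryIndex index.php /' \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    fi
    if ! grep -q '^AddType application/x-httpd-php \.php' "$conf"; then
        # Appended at top level: Apache accepts AddType anywhere in the main context
        printf 'AddType application/x-httpd-php .php\n' >> "$conf"
    fi
    verify_php_httpd_conf "$conf"
}

# verify_php_httpd_conf FILE: exit 0 only when both recipe edits are present.
verify_php_httpd_conf() {
    grep -q '^[[:space:]]*DirectoryIndex index\.php index\.html' "$1" &&
        grep -q '^AddType application/x-httpd-php \.php$' "$1"
}

# check_acid_lib_paths ACID_CONF
# Reads $DBlib_path and $ChartLib_path from acid_conf.php and fails if either is
# unset or not a directory (the recipe's JPGraph value is the versioned
# jpgraph-1.16/src, so a wrong path here is an easy mistake to make).
check_acid_lib_paths() {
    cfg="$1"
    for var in DBlib_path ChartLib_path; do
        dir=$(sed -n 's/^[$]'"$var"' *= *"\([^"]*\)".*/\1/p' "$cfg" | head -n 1)
        [ -n "$dir" ] || { echo "$var is not set in $cfg" >&2; return 1; }
        [ -d "$dir" ] || { echo "$var=$dir is not a directory" >&2; return 1; }
    done
    return 0
}
```

Run `configure_php_httpd_conf /www/conf/httpd.conf` before restarting httpd, and `check_acid_lib_paths /www/htdocs/acid/acid_conf.php` before opening acid_main.php.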
Discussion

The Analysis Console for Intrusion Databases (ACID) is a great tool to use for viewing, analyzing, and graphing your Snort logs. It is a PHP-based analysis engine that searches and processes your IDS database logs. Some of its features include a search engine, packet viewer, alert management, and graphing and statistics generation.
There are several prerequisites to installing ACID, including MySQL, Apache, PHP, ADODB, JPGraph, and Snort. The example provided
Keeping up with alerts and logs is one of the hardest
See Also

http://www.andrew.cmu.edu/user/rdanyliw/snort/snortacid.html
http://www.aditus.nu/jpgraph/jpdownload.php
http://httpd.apache.org/download.cgi
http://www.php.net/downloads.php
http://adodb.
Recipe 2.11
Recipe 2.12
Recipe 1.4
Recipe 1.2
Recipe 5.3