Problem
You want to use ACID to analyze your Snort output.
Solution
Follow the recipes for Installing and Configuring MySQL (Recipe 2.11), Installing Snort Binaries on Linux (Recipe 1.2), and Configuring MySQL for Snort (Recipe 2.12). Make sure when you install Snort that you use the configure --with-mysql=/usr/local/mysql option.
First, install Apache. At the time of this writing, the current version is 2.0.50. Use the following commands to install Apache:
[root@localhost root]# tar zxvf httpd-2.0.50.tar.gz
[root@localhost root]# cd httpd-2.0.50
[root@localhost httpd-2.0.50]# ./configure --prefix=/www --enable-so
[root@localhost httpd-2.0.50]# make
[root@localhost httpd-2.0.50]# make install
[root@localhost httpd-2.0.50]# /www/bin/apachectl start
Next, check the system to make sure the web server is working by opening a web browser and entering your IP address or "localhost." You should see the default Apache web page.
Next, install PHP. You must install Version 4.3.8 because the current version, 5.0.0, does not work with ACID. Use the following commands to install PHP:
[root@localhost root]# tar zxvf php-4.3.8.tar.gz
[root@localhost root]# cd php-4.3.8
[root@localhost php-4.3.8]# ./configure --prefix=/www/php --with-apxs2=/www/bin/apxs --with-config-file-path=/www/php --enable-sockets --with-mysql=/usr/local/mysql --with-zlib-dir=/usr/local --with-gd
[root@localhost php-4.3.8]# make
[root@localhost php-4.3.8]# make install
[root@localhost php-4.3.8]# cp php.ini-dist /www/php/php.ini
Make the following changes to the /www/conf/httpd.conf file:
[root@localhost php-4.3.8]# cd /www/conf
[root@localhost conf]# vi httpd.conf
Change the line:
DirectoryIndex index.html index.html.var
to:
DirectoryIndex index.php index.html index.html.var
Also, add the following line under the AddType section:
AddType application/x-httpd-php .php
Next, make the following changes to create links for startup scripts so that the web server starts when you boot up in run levels 3 and 5 (run level 3 is full multiuser mode, and run level 5 is the X Window System):
[root@localhost conf]# cd /www/bin
[root@localhost bin]# cp apachectl /etc/init.d/httpd
[root@localhost bin]# cd /etc/rc3.d
[root@localhost rc3.d]# ln -s ../init.d/httpd S85httpd
[root@localhost rc3.d]# ln -s ../init.d/httpd K85httpd
[root@localhost rc3.d]# cd /etc/rc5.d
[root@localhost rc5.d]# ln -s ../init.d/httpd S85httpd
[root@localhost rc5.d]# ln -s ../init.d/httpd K85httpd
Next, test the configuration with the following commands:
[root@localhost rc5.d]# cd /www/htdocs
[root@localhost htdocs]# echo "<?php phpinfo(); ?>" > test.php
[root@localhost htdocs]# /etc/init.d/httpd stop
[root@localhost htdocs]# /etc/init.d/httpd start
Open the web browser again and enter http://IPaddress/test.php or http://localhost/test.php. You should see the phpinfo() table of system information, which confirms that Apache is handing .php files to PHP. Remove test.php once you have verified this; it publishes the server's configuration details.
Next, install adodb. At the time of this writing, the latest version is 4.5.1:
[root@localhost root]# tar zxvf adodb451.tgz
[root@localhost root]# cp -R ./adodb/ /www/htdocs
Next, install JPGraph. The current version at the time of this writing is 1.16. Use the following commands to install JPGraph:
[root@localhost root]# cp jpgraph-1.16.tar.gz /www/htdocs
[root@localhost root]# cd /www/htdocs
[root@localhost htdocs]# tar zxvf jpgraph-1.16.tar.gz
[root@localhost htdocs]# rm -rf jpgraph-1.16.tar.gz
Now you are ready to install ACID. The current version at the time of this writing is 0.9.6b23. Use the following commands to install ACID:
[root@localhost htdocs]# cd /root
[root@localhost root]# cp acid-0.9.6b23.tar.gz /www/htdocs
[root@localhost root]# cd /www/htdocs
[root@localhost htdocs]# tar zxvf acid-0.9.6b23.tar.gz
[root@localhost htdocs]# rm -rf acid-0.9.6b23.tar.gz
[root@localhost htdocs]# cd acid
[root@localhost acid]# vi acid_conf.php
Next, you must make a few configuration changes. Make sure the /www/htdocs/acid/acid_conf.php file contains the following information:
$DBlib_path = "/www/htdocs/adodb";

/* Alert DB connection parameters
 *   - $alert_dbname   : MySQL database name of Snort alert DB
 *   - $alert_host     : host on which the DB is stored
 *   - $alert_port     : port on which to access the DB
 *   - $alert_user     : login to the database with this user
 *   - $alert_password : password of the DB user
 *
 * This information can be gleaned from the Snort database
 * output plugin configuration.
 */
$alert_dbname   = "snort";
$alert_host     = "localhost";
$alert_port     = "";
$alert_user     = "root";
$alert_password = "newpassword";

/* Archive DB connection parameters */
$archive_dbname   = "snort";
$archive_host     = "localhost";
$archive_port     = "";
$archive_user     = "root";
$archive_password = "newpassword";

$ChartLib_path = "/www/htdocs/jpgraph-1.16/src";
To continue with the configuration, open a web browser to http://localhost/acid/acid_main.php (Figure 5-16). Click on the Setup page link to continue (Figure 5-17).
Figure 5-16. ACID initial setup page
Figure 5-17. ACID database setup
Next, click the button that says Create ACID AG. You now see that four tables were successfully created (Figure 5-18). Now when you go back to the main ACID page, it displays the Snort sensor statistics (Figure 5-19).
Figure 5-18. ACID database setup complete
Figure 5-19. ACID main page
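As an added example that is not part of the Snort Cookbook recipe, the following POSIX shell script checks the finished layout: it reads the paths out of acid_conf.php, verifies the ADODB and JPGraph directories exist, and flags the two loose ends the walkthrough leaves behind, the root MySQL login stored in a web-served PHP file and the phpinfo() test page still in the docroot. The DOCROOT location (/www/htdocs) and the constructed sample tree used for the dry run are assumptions.

```shell
#!/bin/sh
# Post-install check for the ACID layout built in this recipe (added example,
# not from the Snort Cookbook). DOCROOT defaults to /www/htdocs (assumed).

# Print the value of a `$NAME = "...";` assignment from a PHP config file.
conf_value() {                     # $1 = config file, $2 = variable name
    sed -n "s/^[[:space:]]*\\\$$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Return 0 when the layout looks sane, 1 when anything needs attention.
check_acid_install() {             # $1 = docroot, e.g. /www/htdocs
    conf="$1/acid/acid_conf.php"; rc=0
    [ -f "$conf" ] || { echo "FAIL: $conf not found"; return 1; }
    for var in DBlib_path ChartLib_path; do      # library paths ACID includes
        dir=$(conf_value "$conf" "$var")
        if [ -d "$dir" ]; then echo "ok:   \$$var -> $dir"
        else echo "FAIL: \$$var -> '$dir' is not a directory"; rc=1; fi
    done
    for var in alert_user archive_user; do       # DB credentials in a web dir
        if [ "$(conf_value "$conf" "$var")" = "root" ]; then
            echo "WARN: \$$var is root; give ACID its own MySQL user with only the grants it needs"
            rc=1
        fi
    done
    if [ -f "$1/test.php" ]; then                # phpinfo() page from the PHP test
        echo "WARN: $1/test.php (phpinfo) is still published; remove it once PHP is verified"
        rc=1
    fi
    return $rc
}

# Build a constructed stand-in for the recipe's docroot so the check can be
# exercised without a real install. $2 is the DB user to write (default root).
make_sample_tree() {
    mkdir -p "$1/acid" "$1/adodb" "$1/jpgraph-1.16/src"
    printf '<?php\n$DBlib_path = "%s/adodb";\n$alert_user = "%s";\n$archive_user = "%s";\n$ChartLib_path = "%s/jpgraph-1.16/src";\n?>\n' \
        "$1" "${2:-root}" "${2:-root}" "$1" > "$1/acid/acid_conf.php"
    echo '<?php phpinfo(); ?>' > "$1/test.php"
}

DOCROOT=${DOCROOT:-/www/htdocs}
if [ -d "$DOCROOT/acid" ]; then
    check_acid_install "$DOCROOT" || echo "Fix the findings above before exposing ACID."
else
    tmp=$(mktemp -d); make_sample_tree "$tmp"    # dry run on the constructed tree
    check_acid_install "$tmp" || echo "(expected: the recipe's defaults trigger both warnings)"
    rm -rf "$tmp"
fi
```

Run it as root on the sensor after the ACID setup page has created its tables; a clean run prints only "ok:" lines and exits 0.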
Discussion
The Analysis Console for Intrusion Databases (ACID) is a great tool to use for viewing, analyzing, and graphing your Snort logs. It is a PHP-based analysis engine that searches and processes your IDS database logs. Some of its features include a search engine, packet viewer, alert management, and graphing and statistics generation.
There are several prerequisites to installing ACID, including MySQL, Apache, PHP, ADODB, JPGraph, and Snort. The example provided installs ACID and its prerequisites on a default installation of Red Hat 9. When using other versions of Unix or Linux, you must download and install the appropriate prerequisites for your platform.
Keeping up with alerts and logs is one of the hardest parts of managing an IDS. Using a tool like ACID makes the IDS administrator's job a lot easier. Its web frontend, ease of use, and features make it an invaluable tool to have for IDS data analysis.
See Also
http://www.andrew.cmu.edu/user/rdanyliw/snort/snortacid.html
http://www.aditus.nu/jpgraph/jpdownload.php
http://httpd.apache.org/download.cgi
http://www.php.net/downloads.php
http://adodb.sourceforge.net/
Recipe 2.11
Recipe 2.12
Recipe 1.4
Recipe 1.2
Recipe 5.3