Installing and Configuring ACID

Table of contents:

Problem

You want to use ACID to analyze your Snort output.

Solution

Follow the recipes for Installing and Configuring MySQL (Recipe 2.11), Installing Snort Binaries on Linux (Recipe 1.2), and Configuring MySQL for Snort (Recipe 2.12). Make sure when you install Snort that you use the configure --with-mysql=/usr/local/mysql option.

First, install Apache. At the time of this writing, the current version is 2.0.50. Use the following commands to install Apache:

[root@localhost root]# tar zxvf httpd-2.0.50.tar.gz

[root@localhost root]# cd httpd-2.0.50

[root@localhost httpd-2.0.50]# ./configure --prefix=/www --enable-so

[root@localhost httpd-2.0.50]# make

[root@localhost httpd-2.0.50]# make install

[root@localhost httpd-2.0.50]# /www/bin/apachectl start

Next, check the system to make sure the web server is working by opening a web browser and entering your IP address or "localhost." You should see the default Apache web page.

Next, install PHP. You must install Version 4.3.8 because the current version, 5.0.0, does not work with ACID. Use the following commands to install PHP:

[root@localhost root]# tar zxvf php-4.3.8.tar.gz

[root@localhost root]# cd php-4.3.8

[root@localhost php-4.3.8]# ./configure --prefix=/www/php --with-apxs2=

/www/bin/apxs --with-config-filepath=/www/php --enable-sockets 

--with-mysql=/usr/local/mysql --with-zlib-dir=/usr/local --with-gd

[root@localhost php-4.3.8]# make

[root@localhost php-4.3.8]# make install

[root@localhost php-4.3.8]# cp php.ini-dist /www/php/php.ini

Make the following changes to the /www/conf/httpd.conf file:

[root@localhost php-4.3.8]# cd /www/conf

[root@localhost conf]# vi httpd.conf

Change the line:

DirectoryIndex index.html index.html.var

to:

DirectoryIndex index.php index.html index.html.var

Also, add the following line under the AddType section:

AddType application/x-httpd-php .php

Next, make the following changes to create links for startup scripts so that the web server starts when you boot up in run levels 3 and 5 (run level 3 is full multiuser mode, and run level 5 is the X Window System):

[root@localhost conf]# cd /www/bin

[root@localhost bin]# cp apachectl /etc/init.d/httpd

[root@localhost bin]# cd /etc/rc3.d

[root@localhost rc3.d]# ln -s ../init.d/httpd S85httpd

[root@localhost rc3.d]# ln -s ../init.d/httpd K85httpd

[root@localhost rc3.d]# cd /etc/rc5.d

[root@localhost rc5.d]# ln -s ../init.d/httpd S85httpd

[root@localhost rc5.d]# ln -s ../init.d/httpd K85httpd

Next, test the configuration with the following commands:

[root@localhost rc5.d]# cd /www/htdocs

[root@localhost htdocs]# echo "" > test.php

[root@localhost htdocs]# /etc/init.d/httpd stop

[root@localhost htdocs]# /etc/init.d/httpd start

Open the web browser again and enter http://IPaddress/test.php or http://localhost/test.php. You should see a PHP table output of system information.

Next, install adodb. At the time of this writing, the latest version is 4.5.1:

[root@localhost root]# tar zxvf adodb451.tgz

[root@localhost root]# cp -R ./adodb/ /www/htdocs

Next, install JPGraph. The current version at the time of this writing is 1.16. Use the following commands to install JPGraph:

[root@localhost root]# cp jpgraph-1.16.tar.gz /www/htdocs

[root@localhost root]# cd /www/htdocs

[root@localhost htdocs]# tar zxvf jpgraph-1.16.tar.gz

[root@localhost htdocs]# rm -rf jpgraph-1.16.tar.gz

Now you are ready to install ACID. The current version at the time of this writing is 0.9.6b23. Use the following commands to install ACID:

[root@localhost htdocs]# cd /root

[root@localhost root]# cp acid-0.9.6b23.tar.gz /www/htdocs

[root@localhost root]# cd /www/htdocs

[root@localhost htdocs]# tar zxvf acid-0.9.6b23.tar.gz

[root@localhost htdocs]# rm -rf acid-0.9.6b23.tar.gz

[root@localhost htdocs]# cd acid

[root@localhost acid]# vi acid_conf.php

Next, you must make a few configuration changes. Make sure the /www/htdocs/acid/acid_conf.php file contains the following information:

$DBlib_path = "/www/htdocs/adodb";

/* Alert DB connection parameters

 * - $alert_dbname : MySQL database name of Snort alert DB

 * - $alert_host : host on which the DB is stored

 * - $alert_port : port on which to access the DB

 * - $alert_user : login to the database with this user

 * - $alert_password : password of the DB user

 *

 * This information can be gleaned from the Snort database

 * output plugin configuration.

 */

$alert_dbname = "snort";

$alert_host = "localhost";

$alert_port = "";

$alert_user = "root";

$alert_password = "newpassword";

/* Archive DB connection parameters */

$archive_dbname = "snort";

$archive_host = "localhost";

$archive_port = "";

$archive_user = "root";

$archive_password = "newpassword";

$ChartLib_path = "/www/htdocs/jpgraph-1.16/src";

To continue with the configuration, open a web browser to http://localhost/acid/acid_main.php (Figure 5-16). Click on the Setup page link to continue (Figure 5-17).

Figure 5-16. ACID initial setup page

Figure 5-17. ACID database setup

Next, click the button that says Create ACID AG. You now see that four tables were successfully created (Figure 5-18). Now when you go back to the main ACID page, it displays the Snort sensor statistics (Figure 5-19).

Figure 5-18. ACID database setup complete

Figure 5-19. ACID main page

 

Discussion

The Analysis Console for Intrusion Databases (ACID) is a great tool to use for viewing, analyzing, and graphing your Snort logs. It is a PHP-based analysis engine that searches and processes your IDS database logs. Some of its features include a search engine, packet viewer, alert management, and graphing and statistics generation.

There are several prerequisites to installing ACID, including MySQL, Apache, PHP, ADODB, JPGraph, and Snort. The example provided installs ACID and its prerequisites on a default installation of Red Hat 9. When using other versions of Unix or Linux, you must download and install the appropriate prerequisites for your platform.

Keeping up with alerts and logs is one of the hardest parts of managing an IDS. Using a tool like ACID makes the IDS administrator's job a lot easier. Its web frontend, ease of use, and features make it an invaluable tool to have for IDS data analysis.

See Also

http://www.andrew.cmu.edu/user/rdanyliw/snort/snortacid.html

http://www.aditus.nu/jpgraph/jpdownload.php

http://httpd.apache.org/download.cgi

http://www.php.net/downloads.php

http://adodb.sourceforge.net/

Recipe 2.11

Recipe 2.12

Recipe 1.4

Recipe 1.2

Recipe 5.3

Securing ACID

Installing Snort from Source on Unix

Logging to a File Quickly

How to Build Rules

Detecting Stateless Attacks and Stream Reassembly

Managing Snort Sensors

Generating Statistical Output from Snort Logs

Monitoring Network Performance

Index



Snort Cookbook
Snort Cookbook
ISBN: 0596007914
EAN: 2147483647
Year: 2006
Pages: 167

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net