Integrating Snort with Webmin
Problem
You have already set up a Unix management system using Webmin. You would like to integrate Snort with this management system.
Solution
- Download the Snort Webmin module from MSB Networks (available at: http://www.msbnetworks.net/snort). This allows you to configure, monitor, and maintain Snort from within Webmin.
- Once you have downloaded the module, insert it into Webmin through the web interface by selecting the Webmin Configuration icon from the main screen (Figure 5-34).
Figure 5-34. Webmin main screen
- Select the Webmin Modules icon (Figure 5-35). This will show the information in the Webmin Modules (Figure 5-36).
Figure 5-35. Webmin Configuration
Figure 5-36. Webmin Modules
- In the Install Module box, select the From uploaded file radio button, and click the Browse button to navigate to the file that you downloaded.
- Click the Install Module button. You will get a confirmation screen (Figure 5-37).
Figure 5-37. Install Module
Discussion
Webmin is a web-based system-administration interface for Unix. It allows you to manage your Unix system and softwarein this case, Snort. Once you have installed the Snort Webmin Module, you need to configure the various settings by clicking on the Snort IDS Admin link in the Install Module window, or by navigating to the plug-in through the Webmin interface. On first use, you are presented with a screen prompting for the details of your Snort installation (Figure 5-38). Note that Webmin can handle only the control of one Snort daemon running on the machine.
Figure 5-38. Initial configuration
You need to set the full path to your Snort executable, the Snort configuration file, the rules directory, and the Snort PID file. Optionally, you can set the command to start Snort and set the URL to your ACID installation. Once you have filled in the information, click Save.
There are five main sections to the Webmin interface to Snort: Rulesets, Network Settings, PreProcessors, Alerts & Logging, and Edit Config File (Figure 5-39). Start in the Rulesets screen to select which rules you wish to enable. Note that changes will take effect only once you have restarted Snort. To facilitate this, there is a Restart Snort button at the bottom of this screen.
Figure 5-39. Snort IDS
The Network Settings screen allows you to set the various network options, including your Home and External networks, various servers, and port selections (Figure 5-40).
Figure 5-40. Network settings
The PreProcessors screen allows you to enable and disable the various preprocessors, along with setting required options (Figure 5-41).
Figure 5-41. Preprocessors
The Alerts & Logging screen allows you to enable, disable, and set the options on the assorted output plug-ins (Figure 5-42).
Figure 5-42. Alerts & Logging
The final screen, Edit Config File, allows you to directly edit the Snort configuration file by hand (Figure 5-43).
Figure 5-43. Edit Config File
In all the screens, you should set up Snort per your requirements, following the recommendations that we have provided in the other recipes in this book.
See Also
http://www.msbnetworks.net/snort
http://www.webmin.com
Administering Snort with HenWen |
Installing Snort from Source on Unix
- Installing Snort from Source on Unix
- Installing Snort Binaries on Linux
- Installing Snort on Solaris
- Installing Snort on Windows
- Uninstalling Snort from Windows
- Installing Snort on Mac OS X
- Uninstalling Snort from Linux
- Upgrading Snort on Linux
- Monitoring Multiple Network Interfaces
- Invisibly Tapping a Hub
- Invisibly Sniffing Between Two Network Points
- Invisibly Sniffing 100 MB Ethernet
- Sniffing Gigabit Ethernet
- Tapping a Wireless Network
- Positioning Your IDS Sensors
- Capturing and Viewing Packets
- Logging Packets That Snort Captures
- Running Snort to Detect Intrusions
- Reading a Saved Capture File
- Running Snort as a Linux Daemon
- Running Snort as a Windows Service
- Capturing Without Putting the Interface into Promiscuous Mode
- Reloading Snort Settings
- Debugging Snort Rules
- Building a Distributed IDS (Plain Text)
- Building a Distributed IDS (Encrypted)
Logging to a File Quickly
- Logging to a File Quickly
- Logging Only Alerts
- Logging to a CSV File
- Logging to a Specific File
- Logging to Multiple Locations
- Logging in Binary
- Viewing Traffic While Logging
- Logging Application Data
- Logging to the Windows Event Viewer
- Logging Alerts to a Database
- Installing and Configuring MySQL
- Configuring MySQL for Snort
- Using PostgreSQL with Snort and ACID
- Logging in PCAP Format (TCPDump)
- Logging to Email
- Logging to a Pager or Cell Phone
- Optimizing Logging
- Reading Unified Logged Data
- Generating Real-Time Alerts
- Ignoring Some Alerts
- Logging to System Logfiles
- Fast Logging
- Logging to a Unix Socket
- Not Logging
- Prioritizing Alerts
- Capturing Traffic from a Specific TCP Session
- Killing a Specific Session
How to Build Rules
- How to Build Rules
- Keeping the Rules Up to Date
- Basic Rules You Shouldnt Leave Home Without
- Dynamic Rules
- Detecting Binary Content
- Detecting Malware
- Detecting Viruses
- Detecting IM
- Detecting P2P
- Detecting IDS Evasion
- Countermeasures from Rules
- Testing Rules
- Optimizing Rules
- Blocking Attacks in Real Time
- Suppressing Rules
- Thresholding Alerts
- Excluding from Logging
- Carrying Out Statistical Analysis
Detecting Stateless Attacks and Stream Reassembly
- Detecting Stateless Attacks and Stream Reassembly
- Detecting Fragmentation Attacks and Fragment Reassembly with Frag2
- Detecting and Normalizing HTTP Traffic
- Decoding Application Traffic
- Detecting Port Scans and Talkative Hosts
- Getting Performance Metrics
- Experimental Preprocessors
- Writing Your Own Preprocessor
Managing Snort Sensors
- Managing Snort Sensors
- Installing and Configuring IDScenter
- Installing and Configuring SnortCenter
- Installing and Configuring Snortsnarf
- Running Snortsnarf Automatically
- Installing and Configuring ACID
- Securing ACID
- Installing and Configuring Swatch
- Installing and Configuring Barnyard
- Administering Snort with IDS Policy Manager
- Integrating Snort with Webmin
- Administering Snort with HenWen
- Newbies Playing with Snort Using EagleX
Generating Statistical Output from Snort Logs
- Generating Statistical Output from Snort Logs
- Generating Statistical Output from Snort Databases
- Performing Real-Time Data Analysis
- Generating Text-Based Log Analysis
- Creating HTML Log Analysis Output
- Tools for Testing Signatures
- Analyzing and Graphing Logs
- Analyzing Sniffed (Pcap) Traffic
- Writing Output Plug-ins
Monitoring Network Performance
- Monitoring Network Performance
- Logging Application Traffic
- Recognizing HTTP Traffic on Unusual Ports
- Creating a Reactive IDS
- Monitoring a Network Using Policy-Based IDS
- Port Knocking
- Obfuscating IP Addresses
- Passive OS Fingerprinting
- Working with Honeypots and Honeynets
- Performing Forensics Using Snort
- Snort and Investigations
- Snort as Legal Evidence in the U.S.
- Snort as Evidence in the U.K.
- Snort as a Virus Detection Tool
- Staying Legal
Index
EAN: 2147483647
Pages: 167
