Performing Real-Time Data Analysis
Problem
You want to view alerts and data analysis in real time.
Solution
Use the Snort Alert Monitor (SAM) to view alerts and data analysis in real time. At the time of this writing, the latest version is sam_20040323_bin.zip. Use the following steps to install SAM on Windows:
- Install the Java Virtual Machine. At the time of this writing, the latest version is 1.4.2_05. Download and unzip the sam_20040323_bin.zip file to C:SAM.
- Open a command prompt, change to the C:SAM directory, and execute the following command:
C:SAM>java -jar sam.jar
You could also add the java command line for SAM to a Windows batch file or Unix script to easily start up SAM.
- SAM will start, and you will see the main window and the database login window. You must authenticate to the Snort database for the main SAM window to become active (Figure 6-4).
Figure 6-4. SAM authentication
- The main SAM window will now become active, and Connected to Database is displayed at the bottom of the window (Figure 6-5).
Figure 6-5. SAM main window
Use the following steps to install SAM on Linux:
- Install the Java Virtual Machine. Download and install the j2re-1_4_2_05-linux-i586-rpm.bin file.
[root@localhost root]# chmod a+x j2re-1_4_2_05-linux-i586-rpm.bin [root@localhost root]# ./j2re-1_4_2_05-linux-i586-rpm.bin [root@localhost root]# rpm -Uvh j2re-1_4_2_05-linux-i586.rpm
- Download and install SAM:
[root@localhost root]# mkdir SAM [root@localhost root]# cd SAM [root@localhost SAM]# unzip ../sam_20040323_bin.zip [root@localhost SAM]# /usr/java/j2re1.4.2_05/bin/java -jar sam.jar
- SAM will start and you will see the main window and the database login window. You must authenticate to the Snort database for the main SAM window to become active (Figure 6-4).
- The main SAM window will now become active, and Connected to Database is displayed at the bottom of the window (Figure 6-5).
Discussion
SAM is a real-time monitor for Snort alerts. It runs on Windows, Unix, and Mac OS. SAM provides a high-level overview of the status of your environment. For example, if you are attacked 150 times in a five minute period, you might choose to receive an alert either on screen with a large stoplight graphic, through an alert sound, or via email. SAM is a nice addition to your Snort/ACID environment. To troubleshoot SAM, click on the SAM log tab for status and information.
There are a few prerequisites to running SAM:
- Ensure that a MySQL database is installed and configured to work with Snort.
- Ensure that Snort is installed and configured and logging to the MySQL database.
- Install the Java Virtual Machine.
You may want to edit the settings in the /conf/sam.properties file, particularly the email settings. Email is disabled by default. If you want to have this feature, you must enable it by setting the email.active variable to true and configuring the email server, sender, and receiver. The email.to variable can contain multiple, comma-separated email addresses. Emails are set only when the alertlevel.high variable is triggered. This parameter classifies the number of alerts that are received during a five minute period. You will also want to change the DatabaseUID variable to something more relevant to your environment than the default Mike's House. The mainpanel.refresh variable determines the number of minutes between refreshing the main display and graphs.
#Tue Mar 23 14:45:59 CST 2004 email.from=snort@your-domain.com LogFileLogger.LogFile=log/sam.log email.host=your.smtp.server.com email.to=your@email.com AttackColumns=9,3,0,10,8,2 alertlevel.medium=100 DatabaseUID=Mike's House Lookup-Threshhold=0.25 DisableLookup=false alertlevel.high=150 mainpanel.refresh=5 DatabaseType=MySQL DataSource=Local-Host email.active=false
To log in, you must have the following information:
Database
The database ID that is configured in the sam.properties file.
Database type
The type of database to which you are connecting. MySQL and PostgreSQL are currently supported.
Hostname
The hostname of the system with the Snort database and the port on which the database is listening.
Database name
The name of the Snort database.
Username
The username to access the Snort database.
Password
The password for the username.
See Also
http://freesoftware.lookandfeel.com/sam/
http://java.com/en/download/manual.jsp
Recipe 2.11
Recipe 2.12
Generating Text Based Log Analysis |
Installing Snort from Source on Unix
- Installing Snort from Source on Unix
- Installing Snort Binaries on Linux
- Installing Snort on Solaris
- Installing Snort on Windows
- Uninstalling Snort from Windows
- Installing Snort on Mac OS X
- Uninstalling Snort from Linux
- Upgrading Snort on Linux
- Monitoring Multiple Network Interfaces
- Invisibly Tapping a Hub
- Invisibly Sniffing Between Two Network Points
- Invisibly Sniffing 100 MB Ethernet
- Sniffing Gigabit Ethernet
- Tapping a Wireless Network
- Positioning Your IDS Sensors
- Capturing and Viewing Packets
- Logging Packets That Snort Captures
- Running Snort to Detect Intrusions
- Reading a Saved Capture File
- Running Snort as a Linux Daemon
- Running Snort as a Windows Service
- Capturing Without Putting the Interface into Promiscuous Mode
- Reloading Snort Settings
- Debugging Snort Rules
- Building a Distributed IDS (Plain Text)
- Building a Distributed IDS (Encrypted)
Logging to a File Quickly
- Logging to a File Quickly
- Logging Only Alerts
- Logging to a CSV File
- Logging to a Specific File
- Logging to Multiple Locations
- Logging in Binary
- Viewing Traffic While Logging
- Logging Application Data
- Logging to the Windows Event Viewer
- Logging Alerts to a Database
- Installing and Configuring MySQL
- Configuring MySQL for Snort
- Using PostgreSQL with Snort and ACID
- Logging in PCAP Format (TCPDump)
- Logging to Email
- Logging to a Pager or Cell Phone
- Optimizing Logging
- Reading Unified Logged Data
- Generating Real-Time Alerts
- Ignoring Some Alerts
- Logging to System Logfiles
- Fast Logging
- Logging to a Unix Socket
- Not Logging
- Prioritizing Alerts
- Capturing Traffic from a Specific TCP Session
- Killing a Specific Session
How to Build Rules
- How to Build Rules
- Keeping the Rules Up to Date
- Basic Rules You Shouldnt Leave Home Without
- Dynamic Rules
- Detecting Binary Content
- Detecting Malware
- Detecting Viruses
- Detecting IM
- Detecting P2P
- Detecting IDS Evasion
- Countermeasures from Rules
- Testing Rules
- Optimizing Rules
- Blocking Attacks in Real Time
- Suppressing Rules
- Thresholding Alerts
- Excluding from Logging
- Carrying Out Statistical Analysis
Detecting Stateless Attacks and Stream Reassembly
- Detecting Stateless Attacks and Stream Reassembly
- Detecting Fragmentation Attacks and Fragment Reassembly with Frag2
- Detecting and Normalizing HTTP Traffic
- Decoding Application Traffic
- Detecting Port Scans and Talkative Hosts
- Getting Performance Metrics
- Experimental Preprocessors
- Writing Your Own Preprocessor
Managing Snort Sensors
- Managing Snort Sensors
- Installing and Configuring IDScenter
- Installing and Configuring SnortCenter
- Installing and Configuring Snortsnarf
- Running Snortsnarf Automatically
- Installing and Configuring ACID
- Securing ACID
- Installing and Configuring Swatch
- Installing and Configuring Barnyard
- Administering Snort with IDS Policy Manager
- Integrating Snort with Webmin
- Administering Snort with HenWen
- Newbies Playing with Snort Using EagleX
Generating Statistical Output from Snort Logs
- Generating Statistical Output from Snort Logs
- Generating Statistical Output from Snort Databases
- Performing Real-Time Data Analysis
- Generating Text-Based Log Analysis
- Creating HTML Log Analysis Output
- Tools for Testing Signatures
- Analyzing and Graphing Logs
- Analyzing Sniffed (Pcap) Traffic
- Writing Output Plug-ins
Monitoring Network Performance
- Monitoring Network Performance
- Logging Application Traffic
- Recognizing HTTP Traffic on Unusual Ports
- Creating a Reactive IDS
- Monitoring a Network Using Policy-Based IDS
- Port Knocking
- Obfuscating IP Addresses
- Passive OS Fingerprinting
- Working with Honeypots and Honeynets
- Performing Forensics Using Snort
- Snort and Investigations
- Snort as Legal Evidence in the U.S.
- Snort as Evidence in the U.K.
- Snort as a Virus Detection Tool
- Staying Legal
Index
EAN: 2147483647
Pages: 167
- Article 200 Use and Identification of Grounded Conductors
- Article 336 Power and Control Tray Cable Type TC
- Article 402: Fixture Wires
- Article 411: Lighting Systems Operating at 30 Volts or Less
- Example No. D2(c) Optional Calculation for One-Family Dwelling with Heat Pump(Single-Phase, 240/120-Volt Service) (See 220.82)
