
http://it4training.com

MODULE 4

Configuring Snort for Database Output and Graphical Analysis

About This Module


This module presents a technique in which Snort log and alert data is output in the unified2 format and written to a database. This binary output format is less process intensive, so Snort can concentrate its efforts on processing packet data. The Barnyard2 program is a tool that can accept the unified or unified2 output and take over the task of processing it.

Module Objectives:

- Describe the unified2 output format
- Understand the benefits of using a separate tool to handle output tasks
- Install and configure Barnyard2
- Configure MySQL
- Configure BASE

The Unified2 Output Formats


Slide 46
Snort has the ability to produce a fast, binary output format called the unified2 format. The idea behind this capability is to have other applications do the work of processing Snort output, thus relieving the Snort process. This makes Snort run more efficiently, since it can concentrate more of its efforts on processing packets rather than having to also worry about output.

What is Produced With Unified Outputs?


Unified2 output can produce three types of files: an alert file, a packet log file or a true unified file. The alert file is simply information about the alert, which includes some of the packet header information in addition to the alert information, such as alert message, SID and revision number if so configured in the rule. The packet log file contains the full packet information that triggered the alert, which also includes the alert information. Unified includes both logging styles in a single, unified file.

The directives to enable the different styles of logging are as follows:

- alert_unified2
- log_unified2
- unified2


When MPLS support is turned on, MPLS labels can be included in unified2 events. Use option mpls_event_types to enable this. If option mpls_event_types is not used, then MPLS labels will not be included in unified2 events.

An additional option, vlan_event_types, may be used in environments with VLANs. This option will log the VLAN ID from the packet headers. If no VLAN ID is present then a 0 will be used.

What do You do With Unified2 Output?


To take advantage of unified output, you need some tool to read that output and perform the job of processing it the way the Snort process would have done. This includes being able to convert it to flat ASCII, PCAP or redirect output to a database. By handing this off to another process, Snort can spend more of its time processing packets. One such application to handle unified output is called Barnyard2. Barnyard2 takes the unified output files created by Snort and allows you to configure the output in a variety of ways. Like Snort, Barnyard2 can produce output in many formats including ASCII, PCAP, or database output. Barnyard2 is a fork of the original Barnyard project, and is under active development.

It is maintained by and can be downloaded from http://www.securixlive.com (latest changes are maintained at https://github.com/firnsy/barnyard2). Securix is not only responsible for maintaining Barnyard2, they have also been tasked with maintaining the Snort database schema.

It should be noted that even though there is currently a database output plugin available in the Snort source code, it is no longer being developed or supported and will be removed in a future release.

Slide 47

Barnyard2 is a robust application that features several modes of operation, including a checkpoint mode in which it writes a transaction log to track what data has been processed. This enables Barnyard2 to pick up where it left off if it were to terminate unexpectedly.

Barnyard2's architecture is as follows:

- data processors - to accept input from Snort.
- output plug-ins - to produce various forms of output.

Barnyard2 Data Processors


There are two data processors. Each is described below:

- spi_alert - This data processor reads alerts produced by Snort in its unified2 output format.
- spi_log - This data processor reads log data produced by Snort in its unified2 output format.

Barnyard2 Output Plug-ins

Slide 48


Output plug-ins are directly associated with the data processors. These relationships are identified in the descriptions of the output plug-ins below:

- alert_fast - Converts data received by spi_alert. This produces a concise, one line per alert output that increases performance because of its light weight. However, its performance gains come at the expense of having much more limited information about the alert.
- log_ascii - This output plug-in receives data from spi_log to produce an ASCII packet dump format that contains the full packet data related to logged events and alerts.
- alert_syslog - Takes data from the spi_alert processor to produce syslog compatible output.
- database - Takes data from both spi_alert and spi_log to write packet and log data to a database.

Other output plug-ins are available in the current Barnyard2 production release, but will not be covered here; they include csv, sguil and alert_cef.

Installing Barnyard2

Slide 49

This section will step through the process of installing and configuring Barnyard for use with your Snort installation.

Obtain the Barnyard Distribution


In class we will be using Barnyard2 1.10 Beta. Although we do not promote running beta code in production environments, in this particular case we are making an exception, as there are a number of improvements over version 1.9. It should already be present in the following directory: /usr/local/src. It is also available from Github.

Install Barnyard

Perform the following steps on snortbox to complete the Barnyard2 installation:

1. Make sure you are in the following directory: /usr/local.

2. Issue the following command to unpack the Barnyard distribution:

    [root@snortbox local]# unzip src/firnsy-barnyard2-v2-1.10-beta1-0-g411db8a.zip

3. Enter the firnsy-barnyard2-94437b5 directory:

    [root@snortbox local]# cd firnsy-barnyard2-94437b5
    [root@snortbox firnsy-barnyard2-94437b5]#

4. Run the configuration script as follows:

    [root@snortbox firnsy-barnyard2-94437b5]# ./autogen.sh

5. Build Barnyard using the following commands:

    [root@snortbox firnsy-barnyard2-94437b5]# ./configure --with-mysql && make && make install

6. Copy the barnyard2.conf file located in the /usr/local/firnsy-barnyard2-94437b5/etc directory to the /etc/snort directory with the following command:

    [root@snortbox firnsy-barnyard2-94437b5]# cp etc/barnyard2.conf /etc/snort

7. Create a log directory for Barnyard2. This is required for Barnyard2 to start properly:

    [root@snortbox firnsy-barnyard2-94437b5]# mkdir /var/log/barnyard2

Slide 50

Configuration
As with Snort, Barnyard has a primary configuration file: barnyard2.conf. This file, like snort.conf, is very heavily commented, which makes understanding the settings easier from the onset. The comments can be removed when you become more comfortable with the contents of the file. Fortunately, it is not quite as large as snort.conf, so you should be able to get fairly comfortable with the file after using it a couple of times. This section will step through the features of the barnyard2.conf file.

Configuration Declarations

Slide 51

This section of the file allows you to declare values for certain variables. For the most part, the default configuration options listed in the file are to support the database output plug-in.

The illustration below is an excerpt from the file. We will discuss the options to be used in class.

    #use UTC for timestamps
    #config utc

    # set the appropriate paths to the file(s) your Snort process is using
    config reference_file:      /etc/snort/reference.config
    config classification_file: /etc/snort/classification.config
    config gen_file:            /etc/snort/gen-msg.map
    config sid_file:            /etc/snort/sid-msg.map

- config utc - Specifies if the data should be output as UTC.
- config reference_file - Specifies the Snort reference.config file.
- config classification_file - Specifies the classification.config file to use.
- config gen_file - Specifies the gen-msg.map (to be discussed later in the chapter).
- config sid_file - Specifies the sid-msg.map (to be discussed later in the chapter).

    # Example:
    #   For a snort process as follows:
    #     snort -i eth0 -c /etc/snort.conf
    #
    #   Typical options would be:
    #     config hostname: thor
    #     config interface: eth0
    #     config alert_with_interface_name
    #
    config hostname: snortbox
    config interface: eth1

    # enable printing of the interface name when alerting.
    config alert_with_interface_name

- config hostname - Specifies the name assigned to the sensor.
- config interface - Specifies the name assigned to the sensing interface.
- config alert_with_interface_name - Prints the interface name when alerting.

The next few options we will look at are used to help Barnyard2 when we run it as a daemon.

    # define the full waldo filepath.
    #config waldo_file: /tmp/waldo

    # specify the maximum length of the MPLS label chain
    #
    ...

    # CONTINOUS MODE
    # set the archive directory for use with continous mode
    #config archivedir: /tmp

    # when in operating in continous mode, only process new records and ignore any
    # existing unified files
    #config process_new_records_only

- config waldo_file - Specifies the location of the write-ahead log file.
- config archivedir - Specifies the location to copy unified logs to after they have been read.
- config process_new_records_only - When in continuous mode, only process new data.

There are many options that we do not discuss in class. Some have not yet been fully integrated into Barnyard.


Configuring the Input and Output Plug-ins

Slide 52

The following excerpts show portions of the input and output plug-in configuration section of the barnyard2.conf file. Some of the options have been omitted.

    # Step 2: setup the input plugins
    input unified2

    # Step 3: setup the output plugins

    # alert_fast
    #------------------------------------------------------------------------
    # Purpose: Converts data to an approximation of Snort's "fast alert" mode.
    #
    # Arguments: file <file>, stdout
    #            arguments should be comma delimited.
    #   file - specify alert file
    #   stdout - no alert file, just print to screen
    #
    output alert_fast: stdout

The input field specifies the type of input to expect. The output options specify how to output the data. They are fairly well documented in the barnyard2.conf file. Some notable options are illustrated in the following excerpt in the form of the alert_syslog option and the log_tcpdump configuration option.


    # alert_syslog
    #------------------------------------------------------------------------
    # Purpose:
    #   This output module provides the ability to output alert information to a
    #   remote network host as well as the local host.
    #
    # Arguments: host=hostname[:port], severity facility
    #            arguments should be comma delimited.
    #   host - specify a remote hostname or IP with optional port number
    #          this is only specific to WIN32 (and is not yet fully supported)
    #   severity - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
    #   facility - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
    #
    # Examples:
    #output alert_syslog

    # log_tcpdump
    #------------------------------------------------------------------------
    # Purpose
    #   This output module logs packets in binary tcpdump format
    #
    # Arguments:
    #   The only argument is the output file name.
    #
    # Examples:
    #output log_tcpdump: tcpdump.log

    # database
    #------------------------------------------------------------------------
    # Purpose: This output module provides logging ability to a variety of databases
    # See doc/README.database for additional information.
    #
    # Examples:
    #output database: log, mysql, user=root password=test dbname=db


Barnyard Command Line Options

Slide 54

The following is a listing of the command line options available to Barnyard:

    [root@snortbox ~]# barnyard2 -?

      ______   -*> Barnyard2 <*-
     / ,,_  \  Version 2.1.10-beta1 (Build 266)
     |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
     + '''' +  (C) Copyright 2008-2011 Ian Firns <firnsy@securixlive.com>

    USAGE: barnyard2 [-options] <filter options>
    General Options:
            -c <file>       Use configuration file <file>
            -C <file>       Read the classification map from <file>
            -D              Run barnyard2 in background (daemon) mode
            -e              Display the second layer header info
            -E              Turn off fflush() calls after binary log writes
            -g <gname>      Run barnyard2 gid as <gname> group (or gid) after initialization
            -G <file>       Read the gen-msg map from <file>
            -h <name>       Define the hostname <name>. For logging purposes only
            -i <if>         Define the interface <if>. For logging purposes only
            -I              Add Interface name to alert output
            -l <ld>         Log to directory <ld>
            -m <umask>      Set umask = <umask>
            -O              Obfuscate the logged IP addresses
            -q              Quiet. Don't show banner and status report
            -r <id>         Include 'id' in barnyard2_intf<id>.pid file name
            -R <file>       Read the reference map from <file>
            -S <file>       Read the sid-msg map from <file>
            -t <dir>        Chroots process to <dir> after initialization
            -T              Test and report on the current barnyard2 configuration
            -u <uname>      Run barnyard2 uid as <uname> user (or uid) after initialization
            -U              Use UTC for timestamps
            -v              Be verbose
            -V              Show version number
            -y              Include year in timestamp in the alert and log files
            -?              Show this information

    Continual Processing Options:
            -a <dir>        Archive processed files to <dir>
            -f <base>       Use <base> as the base filename pattern
            -d <dir>        Spool files from <dir>
            -n              Only process new events
            -w <file>       Enable bookmarking using <file>

    Batch Processing Mode Options:
            -o              Enable batch processing mode

    Longname options and their corresponding single char version
            --reference <file>                  Same as -R
            --classification <file>             Same as -C
            --gen-msg <file>                    Same as -G
            --sid-msg <file>                    Same as -S
            --alert-on-each-packet-in-stream    Call output plugins on each packet in an alert stream
            --process-new-records-only          Same as -n
            --pid-path <dir>                    Specify the directory for the barnyard2 PID file
            --help                              Same as -?
            --version                           Same as -V
            --create-pidfile                    Create PID file, even when not in Daemon mode
            --nolock-pidfile                    Do not try to lock barnyard2 PID file

    [root@snortbox ~]#

A couple of these options specify what mode Barnyard2 will operate in. These modes are described below:

- Batch processing mode - This mode is enabled with the -o command line switch. In this mode, Barnyard2 reads the Snort output unified2 log file you specify and quits once it has been processed.

- Continual with checkpoint mode - This mode runs Barnyard2 continually and tracks where it is at any given time in processing the Snort output unified2 log file. By keeping a record of what it has processed thus far, Barnyard2 is able to pick up where it left off if it were to terminate unexpectedly. Barnyard2 uses a Write-Ahead-Logging file. This is more commonly known as a "waldo" file and may be specified in the configuration file. The waldo file is created upon start. This file tracks the following information:

  - The directory location of the Snort unified log files
  - The unified log file name prefix
  - The current file name suffix
  - The record location within the current log file
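The unified2 record layout described earlier and the checkpoint behaviour described above, as an added example that is not part of the course material or of Barnyard2: a small Python reader that decodes the legacy IDS event record (type 7) and the packet record (type 2) of a unified2 spool, keeps a byte-offset bookmark so a restart resumes after the last complete record (the role the waldo file plays, although this is a plain offset, not the waldo file's own format), and orders <base>.<timestamp> spool files the way the -d and -f options select them. All spool bytes are constructed inline; the field layouts follow Snort's Unified2_common.h.

```python
import socket
import struct

UNIFIED2_PACKET = 2          # Serial_Unified2Packet record
UNIFIED2_IDS_EVENT = 7       # Serial_Unified2IDSEvent_legacy record (IPv4)

HEADER_FMT = "!II"           # every record: type, length (network byte order)
EVENT_FMT = "!11I2H4B"       # 52-byte legacy IDS event body
PACKET_FMT = "!7I"           # 28-byte packet header, then packet_length bytes
EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "ip_source",
                "ip_destination", "sport_itype", "dport_icode", "protocol",
                "impact_flag", "impact", "blocked")
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")

def ip2int(addr):
    return int.from_bytes(socket.inet_aton(addr), "big")

def make_record(rec_type, body):
    """Prefix a body with the header Snort writes before every record."""
    return struct.pack(HEADER_FMT, rec_type, len(body)) + body

def make_event(**fields):
    """Constructed type-7 event record; unspecified fields are zero."""
    values = [fields.get(name, 0) for name in EVENT_FIELDS]
    return make_record(UNIFIED2_IDS_EVENT, struct.pack(EVENT_FMT, *values))

def make_packet(event_id, event_second, frame, linktype=1):
    """Constructed type-2 packet record, tied to its event by id and second."""
    hdr = struct.pack(PACKET_FMT, 1, event_id, event_second, event_second, 0,
                      linktype, len(frame))
    return make_record(UNIFIED2_PACKET, hdr + frame)

def parse_record(rec_type, body):
    """Decode the event and packet records the alert and log files consist of."""
    if rec_type == UNIFIED2_IDS_EVENT and len(body) >= 52:
        rec = dict(zip(EVENT_FIELDS, struct.unpack(EVENT_FMT, body[:52])))
        for key in ("ip_source", "ip_destination"):
            rec[key] = socket.inet_ntoa(struct.pack("!I", rec[key]))
        rec["kind"] = "event"
        return rec
    if rec_type == UNIFIED2_PACKET and len(body) >= 28:
        rec = dict(zip(PACKET_FIELDS, struct.unpack(PACKET_FMT, body[:28])))
        rec["packet_data"] = body[28:28 + rec["packet_length"]]
        rec["kind"] = "packet"
        return rec
    return {"kind": "unknown", "type": rec_type, "length": len(body)}

def read_records(data, bookmark=0):
    """Return (records, new_bookmark) for every complete record after bookmark.

    A trailing record whose header or body is not fully written yet (Snort is
    still appending) is left untouched and the bookmark stays in front of it,
    so the next pass resumes there instead of re-reading or mis-parsing it.
    """
    records, offset = [], bookmark
    while offset + 8 <= len(data):
        rec_type, length = struct.unpack_from(HEADER_FMT, data, offset)
        if offset + 8 + length > len(data):
            break
        records.append(parse_record(rec_type, data[offset + 8:offset + 8 + length]))
        offset += 8 + length
    return records, offset

def spool_order(filenames, base):
    """Order spool files named <base>.<timestamp> oldest first; ignore the rest."""
    stamped = []
    for name in filenames:
        prefix, dot, suffix = name.rpartition(".")
        if prefix == base and dot and suffix.isdigit():
            stamped.append((int(suffix), name))
    return [name for _, name in sorted(stamped)]

def sample_spool():
    """Constructed bytes: a complete event + packet pair, then a half-written event."""
    when = 1314192843
    event = make_event(sensor_id=1, event_id=7, event_second=when,
                       signature_id=2003, generator_id=1, signature_revision=4,
                       classification_id=3, priority_id=2,
                       ip_source=ip2int("10.0.0.5"),
                       ip_destination=ip2int("192.168.111.10"),
                       sport_itype=40123, dport_icode=22, protocol=6)
    packet = make_packet(7, when, b"\x00" * 14 + b"constructed frame")
    partial = struct.pack(HEADER_FMT, UNIFIED2_IDS_EVENT, 52) + b"\x00" * 12
    return event + packet, partial

if __name__ == "__main__":
    complete, partial = sample_spool()
    recs, mark = read_records(complete + partial)
    for rec in recs:
        print(rec["kind"], {k: v for k, v in rec.items() if k != "packet_data"})
    print("bookmark at byte", mark, "of", len(complete + partial))
```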

Barnyard and Custom Rules

Slide 55

Snort's stock rule set contains a couple of files that are important to the proper operation of Barnyard:

- sid-msg.map - Lists Snort ID (SID) numbers, their associated messages and reference information. These are the SIDs related to detection engine alerts.
- gen-msg.map - Lists Generator ID (GID) numbers, their associated SID numbers and their messages. This is where the GID/SID pairings are defined for alerts generated by entities other than the detection engine.

While these files are pre-configured and updated along with rule updates you can obtain from various sources such as snort.org, they do not contain any information related to custom rules or preprocessors you may have in your installation. Be sure to update these files with custom rule or preprocessor information and, when you download rule updates, you must add your custom information as well.


The syntax for sid-msg.map is shown below. The excerpt shown is from the leading comments in the sid-msg.map file. Also shown are the first two entries in the file to provide an example of how the syntax is applied.

    # $Id$
    # Format: SID || MSG || Optional References || Optional References ...
    # SID -> MSG map
    103 || BACKDOOR - subseven 22 || arachnids,485 || url,www.hackfix.org/subseven/
    104 || BACKDOOR - Dagger_1.4.0_client_connect || arachnids,483 || url,www.tlsecurity.net/backdoor/Dagger.1.4.html
    105 || BACKDOOR - Dagger_1.4.0 || arachnids,484 || url,www.tlsecurity.net/

The syntax for the gen-msg.map file is shown below. The excerpt shown is from the leading comments in the file. As in the previous example, the first few lines of this file are shown to provide an example of how this syntax is applied in the file.

    # $Id$
    # GENERATORS -> msg map
    # Format: generatorid || alertid || MSG

    1 || 1 || snort general alert
    2 || 1 || tag: Tagged Packet
    3 || 1 || snort dynamic alert
    100 || 1 || spp_portscan: Portscan Detected
    100 || 2 || spp_portscan: Portscan Status
    100 || 3 || spp_portscan: Portscan Ended
    101 || 1 || spp_minfrag: minfrag alert
    102 || 1 || http_decode: Unicode Attack
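How these two files turn an event's GID/SID pair into a message, and why custom SIDs must be re-added after a rule update, as an added example that is not code from the course or from Barnyard2: a Python parser for the sid-msg.map and gen-msg.map syntax shown above, a lookup that falls back to a generic label for an unmapped SID, and a merge that re-applies local entries over a freshly downloaded stock map. The map contents are constructed from the excerpts above plus one made-up local rule (SID 1000001); the "Snort Alert [gid:sid:rev]" fallback label is an assumption.

```python
SID_MSG_MAP = """\
# $Id$
# Format: SID || MSG || Optional References || Optional References ...
103 || BACKDOOR - subseven 22 || arachnids,485 || url,www.hackfix.org/subseven/
104 || BACKDOOR - Dagger_1.4.0_client_connect || arachnids,483 || url,www.tlsecurity.net/backdoor/Dagger.1.4.html
105 || BACKDOOR - Dagger_1.4.0 || arachnids,484 || url,www.tlsecurity.net/
"""

GEN_MSG_MAP = """\
# GENERATORS -> msg map
# Format: generatorid || alertid || MSG
1 || 1 || snort general alert
2 || 1 || tag: Tagged Packet
100 || 1 || spp_portscan: Portscan Detected
100 || 2 || spp_portscan: Portscan Status
"""

# Constructed local entry for a custom rule; the stock file knows nothing about it.
CUSTOM_SID_MSG = """\
1000001 || LOCAL custom rule example || url,intranet.example/rules/1000001
"""

def _fields(line):
    return [part.strip() for part in line.split("||")]

def _entries(text):
    """Yield (raw, stripped) for the non-blank, non-comment lines of a map file."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield raw, line

def parse_sid_msg(text):
    """sid-msg.map -> {sid: (message, [(ref_system, ref_id), ...])}."""
    table = {}
    for raw, line in _entries(text):
        fields = _fields(line)
        if len(fields) < 2 or not fields[0].isdigit():
            raise ValueError(f"malformed sid-msg.map line: {raw!r}")
        refs = [tuple(ref.split(",", 1)) for ref in fields[2:] if "," in ref]
        table[int(fields[0])] = (fields[1], refs)
    return table

def parse_gen_msg(text):
    """gen-msg.map -> {(gid, sid): message}."""
    table = {}
    for raw, line in _entries(text):
        fields = _fields(line)
        if len(fields) != 3 or not (fields[0].isdigit() and fields[1].isdigit()):
            raise ValueError(f"malformed gen-msg.map line: {raw!r}")
        table[(int(fields[0]), int(fields[1]))] = fields[2]
    return table

def describe(gid, sid, sid_map, gen_map):
    """Resolve an event's (gid, sid): GID 1 is the detection engine and uses
    sid-msg.map; every other generator is looked up in gen-msg.map."""
    if gid == 1 and sid in sid_map:
        return sid_map[sid]
    if gid != 1 and (gid, sid) in gen_map:
        return gen_map[(gid, sid)], []
    # Assumed fallback label for an unmapped SID, so the event stays visible
    # instead of being dropped; custom rules land here when the maps were not
    # updated after a rule download.
    return f"Snort Alert [{gid}:{sid}:0]", []

def merge_sid_maps(stock_text, custom_text):
    """Re-apply local entries on top of a freshly downloaded sid-msg.map."""
    merged = parse_sid_msg(stock_text)
    merged.update(parse_sid_msg(custom_text))
    return merged

def render_sid_msg(table):
    """Write a table back out in sid-msg.map syntax, sorted by SID."""
    lines = []
    for sid in sorted(table):
        msg, refs = table[sid]
        refs_text = [f"{system},{ident}" for system, ident in refs]
        lines.append(" || ".join([str(sid), msg] + refs_text))
    return lines
```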

Configuring the Database

Before we can use Barnyard2 to write information to a database we must first create one! The systems in class came pre-installed with MySQL using default settings and options. The Snort database must be created, have permissions assigned and have its schema imported. This is a relatively straightforward process:

1. Create the Snort database and MySQL user accounts. Then secure the accounts with passwords and configure them with the appropriate permissions.

   To do this, you will need to access the MySQL command line client application. From within this application you will issue a series of statements as illustrated below.

    [root@snortbox ~]# mysql
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 2
    Server version: 5.0.77 Source distribution

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    mysql> set password for root@localhost=password('password');
    Query OK, 0 rows affected (0.00 sec)

    mysql> create database snort;
    Query OK, 1 row affected (0.03 sec)

    mysql> grant create, insert, select, delete, update on snort.* to snort@localhost;
    Query OK, 0 rows affected (0.00 sec)

    mysql> set password for snort@localhost=password('password');
    Query OK, 0 rows affected (0.00 sec)

    mysql> exit
    Bye
    [root@snortbox ~]#

   Note that the commands you enter are the ones following the mysql> prompt. The other items are representations of the feedback you should see on the screen. In this command sequence, we have set the password for the root and snort MySQL users to password, as indicated by the portion of the command string as follows: ('password').

2. Enter the directory that contains the schemas for the various databases supported by Snort:

    [root@snortbox ~]# cd /usr/local/firnsy-barnyard2-94437b5/schemas

3. Issue the following command to set up the database schema for Snort:

    [root@snortbox schemas]# mysql -p < create_mysql snort

   You will be prompted for a password; enter the password you assigned to the root user (password).

   Next, check to see that the database was created and that it contains the tables needed for Snort to operate properly.

    [root@snortbox schemas]# mysql -p
    Enter password:
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 9 to server version: 5.0.77

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    mysql> show databases;
    +--------------------+
    | Database           |
    +--------------------+
    | information_schema |
    | mysql              |
    | snort              |
    | test               |
    +--------------------+
    4 rows in set (0.00 sec)

    mysql> use snort
    Database changed
    mysql> show tables;
    +------------------+
    | Tables_in_snort  |
    +------------------+
    | data             |
    | detail           |
    | encoding         |
    | event            |
    | icmphdr          |
    | iphdr            |
    | opt              |
    | reference        |
    | reference_system |
    | schema           |
    | sensor           |
    | sig_class        |
    | sig_reference    |
    | signature        |
    | tcphdr           |
    | udphdr           |
    +------------------+
    16 rows in set (0.00 sec)

    mysql> exit
    Bye
    [root@snortbox schemas]#


Setup the Graphical Interface

The section that follows steps you through the process of setting up the BASE graphical interface and all the supporting packages. BASE is a straightforward GUI for analysis of Snort information. We will be using BASE throughout the class. Keep in mind there are other analysis consoles available such as SGUIL, Snorby, Snort Report and more. In a production environment, find the console that best suits your needs. To install and configure BASE, follow these instructions:

1. Switch to the following directory:

    [root@snortbox ~]# cd /var/www/html

2. Unpack the ADODB package to provide an interface between the GUI and the MySQL database as follows:

    [root@snortbox html]# tar zxvf /usr/local/src/adodb490.tgz

3. Unpack the BASE package, which provides the graphical front end to the Snort database alert data, as follows:

    [root@snortbox html]# tar zxvf /usr/local/src/base-1.4.5.tar.gz

4. Change the ownership of the BASE directory as follows:

    [root@snortbox html]# chown apache base-1.4.5

5. Edit the php.ini file to tune the error reporting level.

   - Open the file /etc/php.ini in a text editor. If you are using VI, enter the command as follows:

    [root@snortbox html]# vim /etc/php.ini

   - Navigate to the portion of the file where the error reporting is configured. If you are using the VI editor, you can quickly navigate to this line by typing 348 <shift>g. Uncomment the line below:

    error_reporting = E_ALL & ~E_NOTICE

   - Comment out the following line (this appears several lines below):

    error_reporting = E_ALL

   - Write the changes to the file and exit with the following command:

    :wq


6. Restart the httpd process to implement the changes you just made to the PHP configuration with the following command:

    [root@snortbox html]# service httpd restart

7. Configure BASE by opening a web browser and entering the following URL:

    http://192.168.111.10/base-1.4.5

   The first time the BASE page is accessed, the BASE setup script executes as follows.

   [Screenshot: the BASE setup page explains that the following pages will prompt you for the information needed to finish the install of BASE, and that any option that is missing or bad will be described below the check; it ends with a Continue link.]

8. Click the "Continue" link to go to the next step.


9. Select the language from the drop-down list and enter the fully qualified path to the ADODB directory as follows:

    /var/www/html/adodb

   Click the Continue button to complete this step of the setup script.


10. Next, enter the following information in the fields provided. If you will not be using an archive database, you can leave that set of fields blank.

   - Database Name: snort
   - Database Host: localhost
   - Database User Name: snort
   - Database Password: password

   [Screenshot: BASE setup step 2, the database configuration form.]

   If you have not changed the default port number for access to the database service, you can leave the port field blank, but the remaining fields need to be filled in.

   Click the Continue button to move on to the next step in the setup process.


11. You can choose to use the BASE Authentication System, which allows you to configure an account to ensure that only authorized users can see the Snort alerts in BASE.

   To configure an account, select the Use Authentication System check box and fill in the account credentials.

   For the purposes of the class, enter the following credentials:

   - Check the Use Authentication System box
   - Admin User Name: snort
   - Password: password
   - Full Name: Snort

   Click the Continue button to move on to the next step in the setup process.


12. The screen that follows instructs the setup script to create the database tables used by the BASE application. Click the Create BASE AG button to create the tables and continue.

   [Screenshot: BASE setup step 4 reports "Successfully created" for the acid_ag, acid_ag_alert, acid_ip_cache, acid_event, base_roles and base_users tables, "Successfully INSERTED" for the Admin, Authenticated User, Anonymous User and Alert Group Editor roles and for the admin user, and notes under "Additional DB permissions" that, in order to support alert purging (the selective ability to permanently delete alerts from the database) and DNS/whois lookup caching, the DB user "snort" must have the DELETE and UPDATE privilege on the database "snort@localhost". It ends with "Now continue to step 5".]

   When the tables have been created, you get an indication to that effect as illustrated above. Click the Step 5 link at the bottom of the screen to finish the BASE setup process.


13. At this point, you will be prompted to log in using the credentials you selected upon execution of the BASE setup script.

   [Screenshot: BASE login form with Login and Password fields.]


14. The working BASE main screen should look similar to the illustration below:

   [Screenshot: BASE main page with the Search, Graph Alert Data and Alert Group Maintenance links; sensor, unique alert, category and total alert counts; source address, destination address, unique IP link, source port and destination port counts; and a Traffic Profile by Protocol panel showing TCP, UDP, ICMP and Portscan Traffic, each at 0%.]

15. Create symbolic links for the Snort rule documentation with the following commands:

    [root@snortbox html]# ln -s /etc/snort/doc/signatures /var/www/html/base-1.4.5/signatures
    [root@snortbox html]# ln -s /etc/snort/rules /var/www/html/base-1.4.5/rules


16. On snortbox, issue the following commands to enable the BASE graphing capability (this step may be done from any directory).

    [root@snortbox html]# pear install /usr/local/src/Image_Color-1.0.4.tar
    [root@snortbox html]# pear install /usr/local/src/Log-1.12.3.tar
    [root@snortbox html]# pear install /usr/local/src/Numbers_Roman-1.0.2.tar
    [root@snortbox html]# pear install /usr/local/src/Numbers_Words-0.13.1.tar
    [root@snortbox html]# pear install /usr/local/src/Image_Canvas-0.3.1.tar
    [root@snortbox html]# pear install /usr/local/src/Image_Graph-0.7.2.tar

The BASE application should be fully installed and operational at this point. You can test the graphing capability by opening BASE and clicking the Graph Alert Data link.

This functionality will be explored further in the module that follows.


Lab Exercises
Perform the following exercises.

Slide 56

Lab #1: Barnyard2 Installation

Perform a Barnyard2 installation. Refer to the installation discussion in the chapter for detailed installation instructions.

Lab #2: Database Configuration

Perform database configuration tasks. Refer to the configuration discussion in the chapter for detailed installation instructions.

Lab #3: BASE Installation

Perform the BASE installation. Refer to the installation discussion in the chapter for detailed installation instructions.

Lab #4: Barnyard2 Configuration Lab

This lab has you make a few final configuration updates in preparation for running Barnyard2 with Snort.

Open the /etc/snort/snort.conf file and, below the unified2 section of the output plugins, add the following line:

    output unified2: filename merged.log, limit 128

Once you complete the edits, save the file and exit the editing application.

Edit the /etc/snort/barnyard2.conf file. barnyard2.conf is the primary configuration file for the Barnyard application. For this installation make the following edits:

In the configuration section of the barnyard2.conf file, uncomment the config hostname and config interface lines and make the following changes:

    config hostname: snortbox
    config interface: eth1

Uncomment the lines for the options config waldo_file, config archivedir and config process_new_records_only so they look like the following:

    config waldo_file: /tmp/waldo
    config archivedir: /tmp
    config process_new_records_only

In the output section of the barnyard2.conf file, disable the output alert_fast: stdout line of the output plug-ins and add the following line after the output database line:

    output database: log, mysql, user=snort password=password dbname=snort host=localhost

This directive enables barnyard2 to send output to the MySQL database. When you have completed these edits, save them and quit the editing application.
17. Run Snort to begin producing unified output. Restart Snort. Earlier you made a change to the snort.conf file to enable unified2 output. Snort has to be restarted so that it can re-read the conf file and begin to produce unified2 output. Issue the following command:

    [root@snortbox local]# /etc/init.d/snortd restart

   You can verify that you are getting unified2 output by entering the /var/log/snort directory and listing the files there. Files structured as illustrated below are your indication that Snort is producing unified output as anticipated.

    [root@snortbox local]# cd /var/log/snort
    [root@snortbox snort]# ls -al
    -rw-------  1 root root  24 Aug 24 11:36 merged.log.1314192843

18. Start Barnyard2.

   Use the following command to start Barnyard2. Note that in the example below, the options are separated onto their own lines to make it more readable. As you enter the command, allow it to wrap on its own. Press the [Enter] key only after typing the entire text of the command. When you enter this command, you can omit the line continuation characters (\) shown in the example. Just type the command and let it wrap as you type.

    barnyard2 \
      -c /etc/snort/barnyard2.conf \
      -d /var/log/snort \
      -f merged.log

   When you execute this command, you will see Barnyard2 output various messages indicating that it is initializing its input processors and output plug-ins and connecting to the database. If there is no waldo file you will see a message indicating that Barnyard2 failed to open it. This is normal, and the waldo file will be created upon start. If there is a problem, it will exit at this point. If all is working as anticipated, the shell will appear to hang until you press [Ctrl] + [c] to stop the process.

   Before terminating the Barnyard2 process with [Ctrl] + [c], use a browser to access the BASE interface. Use nmap on uttila to generate some alert traffic. Verify that your alerts are displaying as anticipated. If so, your Barnyard2 implementation is successful; Barnyard2 is accepting data from the Snort unified2 output file and passing it along to the MySQL database.


Lab #5: Implementing a Barnyard2 Startup Script

Your Snort installation now includes Barnyard2. In addition to the other processes that should start automatically on system startup (HTTPD, MySQL, Snort), Barnyard2 should also automatically start so the system can begin processing unified2 log files immediately.

There is a pre-configured startup script called barnyard2 in the /usr/local/src directory. Just copy the script into the /etc/init.d directory and follow the remaining steps. Next we will use chkconfig to enable the daemon. See the instructions below.

    [root@snortbox ~]# cp /usr/local/src/barnyard2 /etc/init.d
    [root@snortbox ~]# cp /usr/local/src/barnyard2.sysconfig /etc/sysconfig/barnyard2
    [root@snortbox ~]# chmod 755 /etc/init.d/barnyard2
    [root@snortbox ~]# chkconfig --add barnyard2
    [root@snortbox ~]#

You can test whether or not your startup script is working by entering the following:

    [root@snortbox snort]# service barnyard2 start
    Starting Snort Output Processor (barnyard2):               [  OK  ]
    [root@snortbox snort]#


Module Summary
Slide 57
This module discussed the benefits of using Barnyard2 with your Snort installation to off-load the burden of processing output from the Snort process. The module also covered installation of the application and its configuration. Barnyard2 has many output options available so, by using it, you don't lose any of the functionality of having Snort handle output and you gain a significant performance boost by having Barnyard2 handle output tasks.
