MODULE 4
Module Objectives:
49
http://it4training.com
Configuring Snort for Database Output and Graphical Analysis
An additional option, vlan_event_type, may be used in environments with VLANs. This option will log the VLAN ID from the packet headers in unified2 events. If no VLAN ID is present then a 0 will be used.
Notes:
output. Barnyard2 is a fork of the original Barnyard project, and is under active development. It is maintained by and can be downloaded from http://www.securixlive.com (latest changes are maintained at https://github.com/firnsy/barnyard2). Securix is not only responsible for maintaining Barnyard2, they have also been tasked with maintaining the Snort database schema.
It should be noted that even though there is currently a database output plugin available in the Snort source code, it is no longer being developed or supported and will be removed in a future release.
Slide 47
Barnyard2 is a robust application that features several modes of operation, including a checkpoint mode in which it can write a transaction log to track what data has been processed. This enables Barnyard2 to pick up where it left off if it were to terminate unexpectedly.
spi_alert - This data processor reads alerts produced by Snort in its unified2 output format.
spi_log - This data processor reads log data produced by Snort in its unified2 output format.
Slide 48
Output plug-ins are directly associated with the data processors. These relationships are identified with the descriptions for the output plug-ins below:
alert_fast - This output plug-in receives data from spi_alert. It produces a concise, one line per alert output that increases performance because of its light weight. However, its performance gains are at the expense of having much more limited information about the alert.
log_ascii - This output plug-in receives data from spi_log to produce an ASCII packet dump format that contains the full packet data related to logged events and alerts.
alert_syslog - Takes data from the spi_alert data processor and produces syslog output.
spi_alert and spi_log. Other output plug-ins are available in the current Barnyard2 production release, but will not be covered here; they include ... and cef.
Installing Barnyard2
Slide 49
This section will step through the process of installing and configuring Barnyard for use with Snort.
3. Enter the firnsy-barnyard2-94437b5 directory.
4. Run ./autogen.sh
5. Build Barnyard2.
Slide 50
Configuration
As with Snort, Barnyard has a primary configuration file: barnyard2.conf. This file, like snort.conf, is very heavily commented, which makes understanding the settings easier from the onset. The comments can be removed when you become more comfortable with the contents of the file. Fortunately, it is not quite as large as snort.conf, so you should be able to get fairly comfortable with the file after using it a couple of times. This section will step through the features of the barnyard2.conf file.
Configuration Declarations
Slide 51
This section of the file allows you to declare values for certain variables. For the most part, the default configuration options listed in the file are to support the database output plug-in.
#config utc
# set the appropriate paths to the file(s) your Snort process is using
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map

config utc - Timestamps will be logged as UTC.
config reference_file - Specifies the Snort reference.config file.
config classification_file - Specifies the classification.config file to use.
config gen_file - Specifies the gen-msg.map (to be discussed later in the chapter).
config sid_file - Specifies the sid-msg.map (to be discussed later in the chapter).
# Example:
# Typical options would be:
#   config hostname: thor
#   config interface: eth0
#   config alert_with_interface_name
config hostname: snortbox
config interface: eth1
config alert_with_interface_name

config hostname - Specifies the name assigned to the sensor.
config interface - Specifies the name assigned to the sensing interface.
config alert_with_interface_name - Prints the interface name when alerting.
config daemon - Runs Barnyard2 as a daemon.
... maximum length of the ...

CONTINUOUS MODE
config archivedir - Specifies the location to copy unified logs to after they have been read.
config process_new_records_only - When in continuous mode, only process new data.
There are many options that we do not discuss in class. Some have not yet been fully integrated into Barnyard.
Slide 52
The following excerpts show portions of the input and output plug-in configuration section of the barnyard2.conf file. Some of the options have been omitted.

# Step 2: setup the input plugins
input unified2

# Step 3: setup the output plugins
# alert_fast
#----------------------------------------------------------------------
# Purpose: Converts data to an approximation of Snort's "fast alert" mode.
#
# Arguments: file <file>, stdout
#            arguments should be comma delimited.
#   file - specify alert file
#   stdout - no alert file, just print to screen
#
output alert_fast: stdout

The input field specifies the type of input to expect. The output options specify how to output the data. They are fairly well documented in the barnyard2.conf file. Some notable options are illustrated in the following excerpt in the form of the alert_syslog option and the log_tcpdump option.
#----------------------------------------------------------------------
# alert_syslog
#----------------------------------------------------------------------
# Purpose:
# This output module provides the ability to output alert information to a
# remote network host as well as the local host.
#
# Arguments: host=hostname[:port], severity facility
#            arguments should be comma delimited.
#   host - specify a remote hostname or IP with optional port number
#          this is only specific to WIN32 (and is not yet fully supported)
#   severity - as defined in RFC 3164 (eg. LOG_WARN, LOG_INFO)
#   facility - as defined in RFC 3164 (eg. LOG_AUTH, LOG_LOCAL0)
#

# log_tcpdump
# Arguments: ... name.
output log_tcpdump: tcpdump.log

#----------------------------------------------------------------------
# database
#----------------------------------------------------------------------
# Purpose: This output module provides logging ability to a variety of databases
# See doc/README.database for additional information.
#
# Examples:
# ... dbname=db ...
Slide 54

[root@snortbox ~]# barnyard2 -?

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.10-beta1 (Build 266)
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2011 Ian Firns <firnsy@securixlive.com>

USAGE: barnyard2 [-options] <filter options>

General Options:
        -c <file>       Use configuration file <file>
        -C <file>       Read the classification map from <file>
        -D              Run barnyard2 in background (daemon) mode
        -e              Display the second layer header info
        -E              Turn off fflush() calls after binary log writes
        -g <gname>      Run barnyard2 gid as <gname> group (or gid) after initialization
        -G <file>       Read the gen-msg map from <file>
        -h <name>       Define the hostname <name>. For logging purposes only
        -i <if>         Define the interface <if>. For logging purposes only
        -I              Add Interface name to alert output
        -l <ld>         Log to directory <ld>
        -m <umask>      Set umask = <umask>
        -O              Obfuscate the logged IP addresses
        -q              Quiet. Don't show banner and status report
        -r <id>         Include 'id' in barnyard2_intf<id>.pid file name
        -R <file>       Read the reference map from <file>
        -S <file>       Read the sid-msg map from <file>
        -t <dir>        Chroots process to <dir> after initialization
        -T              Test and report on the current barnyard2 configuration
        -u <uname>      Run barnyard2 uid as <uname> user (or uid) after initialization
        -U              Use UTC for timestamps
        -v              Be verbose
        -V              Show version number
        -y              Include year in timestamp in the alert and log files
        -?              Show this information

Continual Processing Options:
        -a <dir>        Archive processed files to <dir>
        -f <base>       Use <base> as the base filename pattern
        -d <dir>        Spool files from <dir>
        -n              Only process new events
        -w <file>       Enable bookmarking using <file>

Batch Processing Mode Options:
        -o              Enable batch processing mode

Longname options and their corresponding single char version
        --reference <file>                  Same as -R
        --classification <file>             Same as -C
        --gen-msg <file>                    Same as -G
        --sid-msg <file>                    Same as -S
        --alert-on-each-packet-in-stream    Call output plugins on each packet in an alert stream
        --process-new-records-only          Same as -n
        --pid-path <dir>                    Specify the directory for the barnyard2 PID file
        --help                              Same as -?
        --version                           Same as -V
        --create-pidfile                    Create PID file, even when not in Daemon mode
        --nolock-pidfile                    Do not try to lock barnyard2 PID file

[root@snortbox ~]#
A couple of these options specify what mode Barnyard2 will operate in. These modes are described below:
Batch processing mode - This mode is enabled with the -o command line switch. In this mode, Barnyard2 reads the Snort output unified2 log file you specify and quits once it has been processed.
Continual with checkpoint mode - This mode runs Barnyard2 continually and tracks where it is at any given time in processing the Snort output unified2 log file. By keeping a record of what it has processed thus far, Barnyard2 is able to pick up where it left off if it were to terminate unexpectedly. Barnyard2 uses a Write-Ahead-Logging file. This is more commonly known as a "waldo" file and may be specified in the configuration file. The waldo file is created upon start. This file tracks the following information:
- The directory location of the Snort unified log files
- The unified log file name prefix
- The current file name suffix
- The record location within the current log file
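The checkpoint behaviour described above, as an added example that is not Barnyard2's own code: a small Python processor walks a spool directory of unified2 files, keeps a bookmark of the current file suffix and the record index reached (the role of the waldo file), and on restart resumes without re-processing anything already delivered. The unified2 record framing (big-endian 4-byte type and 4-byte length before each record) is real; the event payloads, file names and the plain-text bookmark format are constructed for the example.

```python
import os
import struct
import tempfile

# Real unified2 framing: big-endian 4-byte type + 4-byte length before each record.
U2_HEADER = struct.Struct(">II")

def u2_record(payload, rec_type=7):   # 7 = UNIFIED2_IDS_EVENT; payload is constructed
    return U2_HEADER.pack(rec_type, len(payload)) + payload

def read_records(path):
    """Yield (type, payload) per complete record; a truncated trailing record
    (Snort still writing it) ends the read so the bookmark never passes it."""
    with open(path, "rb") as fh:
        while True:
            hdr = fh.read(U2_HEADER.size)
            if len(hdr) < U2_HEADER.size:
                return
            rtype, length = U2_HEADER.unpack(hdr)
            payload = fh.read(length)
            if len(payload) < length:
                return
            yield rtype, payload

def spool_files(spooldir, base):
    """<base>.<timestamp> files in timestamp order (Barnyard2's -d and -f)."""
    names = [n for n in os.listdir(spooldir) if n.startswith(base + ".")]
    return sorted(names, key=lambda n: int(n.rsplit(".", 1)[1]))

def load_bookmark(path):
    """Return (file suffix, records already done in that file)."""
    try:
        with open(path) as fh:
            suffix, done = fh.read().split()
        return int(suffix), int(done)
    except FileNotFoundError:
        return 0, 0   # normal on first start, as with the waldo file

def save_bookmark(path, suffix, done):
    """Write atomically so a crash cannot leave a half-written bookmark."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(f"{suffix} {done}\n")
    os.replace(tmp, path)

def process(spooldir, base, bookmark, sink):
    """Pass each not-yet-processed record to sink(); return how many were new."""
    suffix, done = load_bookmark(bookmark)
    count = 0
    for name in spool_files(spooldir, base):
        ts = int(name.rsplit(".", 1)[1])
        if ts < suffix:
            continue                         # older file, finished earlier
        skip = done if ts == suffix else 0   # resume inside the bookmarked file
        for idx, (_, payload) in enumerate(read_records(os.path.join(spooldir, name))):
            if idx >= skip:
                sink(payload)
                count += 1
                save_bookmark(bookmark, ts, idx + 1)
    return count

def demo():
    """Two runs over one spool directory; the second must not repeat records."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "snort.log.1300000000"), "wb") as fh:
            fh.write(u2_record(b"ev1") + u2_record(b"ev2"))
        with open(os.path.join(d, "snort.log.1300000100"), "wb") as fh:
            fh.write(u2_record(b"ev3"))
        seen, bm = [], os.path.join(d, "waldo")
        first = process(d, "snort.log", bm, seen.append)
        with open(os.path.join(d, "snort.log.1300000100"), "ab") as fh:  # Snort adds one
            fh.write(u2_record(b"ev4"))
        second = process(d, "snort.log", bm, seen.append)
        return first, second, seen
```

Calling demo() delivers three records on the first run and only the one appended afterwards on the second, which is the guarantee the waldo file gives against duplicate rows in the database.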
Slide 55
Snort's stock rule set contains a couple of files that are important to the proper operation of Barnyard:
sid-msg.map - Lists Snort ID (SID) numbers, their associated messages and reference information. These are the SIDs related to detection engine alerts.
gen-msg.map - Lists Generator ID (GID) numbers, their associated SID numbers and their messages. This is where the GID/SID pairings are defined for alerts generated by entities other than the detection engine, such as preprocessors.
While these files are pre-configured and updated along with rule updates you can obtain from various sources such as snort.org, they do not contain any information related to custom rules or preprocessors you may have in your installation. Be sure to update these files with custom rule or preprocessor information and, when you download rule updates, you must add your custom information again as well.
The syntax for sid-msg.map is shown below. The excerpt shown is from the leading comments in the sid-msg.map file. Also shown are the first entries in the file to provide an example of how the syntax is applied.

# SID || MSG || Optional References || Optional References ...
103 || BACKDOOR subseven 22 || arachnids,485 || url,www.hackfix.org/subseven/
104 || BACKDOOR - Dagger_1.4.0_client_connect || arachnids,483 || url,www.tlsecurity.net/backdoor/Dagger.1.4.html
105 || BACKDOOR - Dagger_1.4.0 || arachnids,484 || url,www.tlsecurity.net/backdoor/Dagger.1.4.html
The syntax for the gen-msg.map file is shown below. The excerpt shown is from the leading comments in the file. As in the previous example, the first few lines of this file are shown to provide an example of how this syntax is applied in the file.

# GID || SID || MSG
100 || 1 || spp_portscan: Portscan Detected
100 || 2 || spp_portscan: Portscan Status
100 || 3 || spp_portscan: Portscan Ended
101 || 1 || spp_minfrag: minfrag alert
102 || 1 || http_decode: Unicode Attack
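A worked example, added here and not part of the Snort or Barnyard2 code, of reading both map files in the '||' syntax shown above and resolving an event's GID/SID pair to its message and references. An unmapped SID is reported rather than guessed, which is exactly how a custom rule or preprocessor that was never added to the maps (or that a rule update overwrote) shows up. The map contents are constructed from the entries quoted on this page.

```python
# Constructed map excerpts, in the same '||' syntax and with the same
# entries as the sid-msg.map and gen-msg.map fragments quoted above.
SID_MSG_MAP = """\
# SID || MSG || Optional References || Optional References ...
104 || BACKDOOR - Dagger_1.4.0_client_connect || arachnids,483 || url,www.tlsecurity.net/backdoor/Dagger.1.4.html
105 || BACKDOOR - Dagger_1.4.0 || arachnids,484 || url,www.tlsecurity.net/backdoor/Dagger.1.4.html
"""
GEN_MSG_MAP = """\
# GID || SID || MSG
100 || 1 || spp_portscan: Portscan Detected
100 || 3 || spp_portscan: Portscan Ended
102 || 1 || http_decode: Unicode Attack
"""


def _entries(text):
    """Yield the '||'-split, whitespace-stripped fields of every data line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield [f.strip() for f in line.split("||")]


def parse_sid_msg(text):
    """sid -> (msg, [(ref_system, ref_id), ...]) from sid-msg.map."""
    table = {}
    for f in _entries(text):
        if len(f) < 2 or not f[0].isdigit():
            raise ValueError(f"malformed sid-msg.map entry: {' || '.join(f)!r}")
        refs = [tuple(r.split(",", 1)) for r in f[2:] if r]
        table[int(f[0])] = (f[1], refs)
    return table


def parse_gen_msg(text):
    """(gid, sid) -> msg from gen-msg.map."""
    table = {}
    for f in _entries(text):
        if len(f) != 3 or not (f[0].isdigit() and f[1].isdigit()):
            raise ValueError(f"malformed gen-msg.map entry: {' || '.join(f)!r}")
        table[(int(f[0]), int(f[1]))] = f[2]
    return table


def resolve(gid, sid, sid_map, gen_map):
    """Return (msg, refs) for an event. GID 1 is the rule-based detection
    engine, so its SIDs live in sid-msg.map; every other GID is a
    preprocessor or decoder whose GID/SID pair lives in gen-msg.map."""
    if gid == 1 and sid in sid_map:
        return sid_map[sid]
    if gid != 1 and (gid, sid) in gen_map:
        return gen_map[(gid, sid)], []
    # No entry: a custom rule or preprocessor that was never added to the maps
    # (or a rule update that overwrote them). Report it rather than guess.
    return f"UNMAPPED [{gid}:{sid}]", []
```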
Configuring the Database
Before we can use Barnyard2 to write information to a database we must first create one! The systems in class came pre-installed with MySQL using default settings and options. The Snort database must be created, have permissions assigned and have its schema imported. This is a relatively straightforward process:
1. Create the Snort database and MySQL user accounts. Then secure the accounts with passwords and configure them with the appropriate permissions.
To do this, you will need to access the MySQL command line client application. From within this application you will issue a series of statements as illustrated below.

[root@snortbox ~]# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.0.77 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> set password for root@localhost=password('password');
Query OK, 0 rows affected (0.00 sec)

mysql> create database snort;
Query OK, 1 row affected (0.03 sec)

mysql> grant create, insert, select, delete, update on snort.* to snort@localhost;
Query OK, 0 rows affected (0.00 sec)

mysql> set password for snort@localhost=password('password');
Query OK, 0 rows affected (0.00 sec)

mysql> exit
Bye
[root@snortbox ~]#
*Note that the items in bold are the commands you enter. The other items are representations of the feedback you should see on the screen. In this command sequence, we have set the password for the root and snort MySQL users to password, as indicated by the portion of the command string as follows: ('password').
2. Enter the directory that contains the schemas for the various databases supported by Snort (the schemas directory).
3. Issue the following command to set up the database schema for Snort:
[root@snortbox schemas]# mysql -p < create_mysql snort
You will be prompted for a password; enter the password you assigned to the root user (password).
Next, check to see that the database was created and that it contains the tables needed for Snort to operate properly.

[root@snortbox schemas]# mysql -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 9 to server version: 5.0.77

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| ...                |
| snort              |
+--------------------+

mysql> use snort;
mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
16 rows in set (0.00 sec)

mysql> exit
Bye
[root@snortbox schemas]#
1. ...
2. ... /var/www/html ... base-1.4.5.tar.gz
3. Unpack the ADODB package to provide an interface between the GUI and the MySQL database as follows: ...
4. Change the ownership of the BASE directory as follows:
[root@snortbox html]# chown apache base-1.4.5
5. Edit the php.ini file to tune the error reporting level.
- Open the file /etc/php.ini in a text editor. If you are using vi, enter the command as follows: ...
- Find the following line and uncomment it:
;error_reporting = E_ALL & ~E_NOTICE
- Comment out the following line (this appears several lines below):
error_reporting = E_ALL
- Write the changes to the file and exit with the following command:
:wq
6. Restart the httpd process to implement the changes you just made to the PHP configuration with the following command:
[root@snortbox html]# service httpd restart
7. Configure BASE by opening a web browser and entering the following URL:
http://192.168.111.10/base-1.4.5
The first time the BASE page is accessed, the BASE setup script executes as follows.
[Screenshot: the first BASE setup page, which explains that the following pages prompt for the information needed to finish the install of BASE and describe below each check what needs to be done if an option fails.]
8. ...
9. Select the language from the drop-down list and enter the ADODB directory as follows:
/var/www/html/adodb
Click the Continue button to complete this step of the setup script.
10. Next, enter the following information in the fields provided. If you will not be using an archive database, you can leave that set of fields blank.
[Screenshot: BASE setup, database connection fields]
... access to the database service, you can leave the field blank, but the remaining fields need to be filled in.
Click the Continue button to move on to the next step in the setup process.
11. ... BASE Authentication System, which allows you to configure an account to ensure that only authorized users can see the Snort alerts in BASE.
To configure an account, select the Use Authentication System check box and fill in the account credentials.
- Check the Use Authentication System box
- ...
Click the Continue button to move on to the next step in the setup process.
12. ... follows instructs the setup script to create the database tables used by the BASE application. Click the Create BASE AG button to create the tables and continue.
[Screenshot: BASE setup step 4. The page reports that the BASE tables (which extend the Snort DB to support the BASE functionality) were successfully created, and notes: "In order to support Alert purging (the selective ability to permanently delete alerts from the database) and DNS/whois lookup caching, the DB user "snort" must have the DELETE and UPDATE privilege on the database "snort@localhost". Now continue to step 5".]
When the tables have been created, you get an indication to that effect as illustrated above. Click the Step 5 link at the bottom of the screen to finish the BASE setup process.
13. ...
[Screenshot: BASE login screen with Login and Password fields]
14. The working BASE main screen should look similar to the illustration below:
[Screenshot: BASE main screen, showing Traffic Profile by Protocol (TCP 0%, UDP 0%, Portscan Traffic 0%), Unique Alerts, Total Categories: 0, Number of Alerts, Src IP addrs, Dest IP addrs, Unique IP links, Source Ports and Dest Ports (TCP 0, UDP 0).]
15. Create a symbolic link for Snort rule documentation with the following commands: ...
16. On snortbox, issue the following commands to enable the BASE graphing capability (this ...
[root@snortbox html]# pear install /usr/local/src/Image_Color-1.0.4.tar
[root@snortbox html]# pear install /usr/local/src/Log-1.12.3.tar
[root@snortbox html]# pear install /usr/local/src/Numbers_Roman-1.0.2.tar
[root@snortbox html]# pear install /usr/local/src/...
Lab Exercises
Perform the following exercises.
Slide 56
Lab #22 Database Configuration
Perform database configuration tasks. Refer to the configuration discussion in the chapter for detailed installation instructions.
... with Snort. Open the /etc/snort/snort.conf file and, below the unified2 section of the output configuration, add the unified2 output line (limit 128).
Once you complete the edits, save the file and exit the editing application.
Edit the /etc/snort/barnyard2.conf file. barnyard2.conf is the primary configuration file ... config hostname ...
Uncomment and edit the lines for the options config waldo_file, config archivedir and config process_new_records_only so they look like the following:
config waldo_file: /tmp/waldo
config archivedir: /tmp
config process_new_records_only
In the output section of the barnyard2.conf file, disable the output alert_fast: stdout line of the output plug-ins and add the following line after the output database line: ...
Run Snort to begin producing unified output. Restart Snort. Earlier you made a change to the snort.conf file to enable unified2 output. Snort has to be restarted so that it can re-read the conf file and begin to produce unified2 output. Issue the following command:
[root@snortbox local]# /etc/init.d/snortd restart
You can verify that you are getting unified2 output by entering the /var/log/snort directory and listing the files there. Files structured as illustrated below are your indication that Snort is producing unified output as anticipated.
-rw------- 1 root root ...
18. Start Barnyard2.
Use the following command to start Barnyard2. Note that in the example below, the options are separated onto their own lines to make the command more readable. As you enter the command, allow it to wrap on its own. Press the [Enter] key only after typing the entire text of the command. When you enter this command, you can omit the line continuation characters (\) shown in the example. Just type the command and let it wrap as you type.
barnyard2 \
...
When you execute this command, you will see Barnyard2 output various messages indicating that it is initializing its input processors and output plug-ins and connecting to the database. If there is no waldo file you will see a message indicating that Barnyard2 failed to open it. This is normal and the waldo file will be created upon start. If there is a problem, it will exit at this point. If all is working as anticipated, the shell will appear to hang until you press [Ctrl] + [c] to stop the process.
Before terminating the Barnyard2 process with [Ctrl] + [c], use a browser to access the BASE interface. Use nmap on uttila to generate some alert traffic. Verify that your alerts are displaying as anticipated. If so, your Barnyard2 implementation is successful; Barnyard2 is accepting data from the Snort unified2 output file and passing it along to the MySQL database.
... barnyard2 in the /usr/local/src ... init.d directory and follow the remaining ...
# cp /usr/local/src/barnyard2 /etc/init.d
# cp /usr/local/src/barnyard2.sysconfig /etc/sysconfig/barnyard2
# chmod 755 /etc/init.d/barnyard2
# chkconfig --add barnyard2
You can test whether or not your startup script is working by entering the following:
[root@snortbox snort]# service barnyard2 start
Starting Snort Output Processor (barnyard2):               [  OK  ]
[root@snortbox snort]#
Module Summary
Slide 57
This module discussed the benefits of using Barnyard2 with your Snort installation to off-load the burden of processing output from the Snort process. The module also covered installation of the application and its configuration. Barnyard2 has many output options available so, by using it, you don't lose any of the functionality of having Snort handle output, and you gain a significant performance boost by having Barnyard2 handle output tasks.