Archive for January, 2010|Monthly archive page

Installing Snort with Mysql and ACID BASE

Location: Somewhere in a fan noise filled and brightly lit room…

Date: Jan 3, 2010

Time: 2314 UTC

“Hey John come look at this spike in traffic on port 1434 going to 10.0.1.23!” ,Tony exclaimed.

“Yeah, I saw that on 10.0.1.52 as well, looks like a SQL injection attack to me.”

“This one looks like it got through though, I see some outbound traffic on 6667 on that database server as well. There shouldn’t be any traffic on that port, that is IRC chat. The firewall should block it”.

John quickly SSH’ed into the firewall and checked the output of ipchains to determine the  default deny and any IRC rules. Much to his surprise all outbound traffic was allowed.

“What!!” John screamed out.

It just occurred to him that the firewall guys had just replaced the aging firewall that was attached to the DMZ. John  frantically searched for the binder that contained the installation and configuration for the firewall installation. Just has he suspected, the binder’s last date was  Dec 18, 2009. That was before the firewall was swapped out.

“No documentation, that’s great. How may times do I have to emphasize documentation! This will look great on the incident report” John said to himself.

Meanwhile Tony was setting up tcpdumps to capture the data for later forensics analysis.

Tony yelled to John from across the room “John, get the web database folks on the phone to see if they can start locking that system down”

John replied, “Dude it’s almost midnight, and we don’t have a good standby number for anybody.”

“Well there is only one thing to do then, we need to contain the problem and start documenting it. We need to close those ports to stop the leak.”

“But that means no one will be able to login to the ecommerce site, that means lost revenue”

“We better call the boss, and he won’t be happy”,  Tony stated solemnly after some thought.

“Well maybe he can call the database folks and find out why that server wasn’t locked down correctly”

“Why do you think it was their problem? It could have been a zero-day attack, I checked Dshield and there are huge spikes in 1434. Could be the underground is exploiting a flaw that isn’t public yet”

“Well either way, this isn’t good. Let’s lock it down before anymore data leaks out.”

“Ok, its your call until the boss gets here”

“Do it!”

This is a fictional scenario that could happen in the real world. Poor documentation, configuration errors, zero-days and slow response time could plague any business network and create opportunities for breaches. Here is where a  post analysis tool comes into to play. An intrusion detection system is not designed to stop attacks, but they make the watchful administrator aware of potential breaches or configuration problems. It also provides information to create  a more accurate  incident report that can identify the progression of the attack and which attack vector was used. This can be of tremendous value to help thwart attacks against other systems.

Enter SNORT.

With the constant attacks against networks it is essential to have a Intrusion Detection System (IDS) in place and functional. The IDS needs to be robust and easy to read the mountains of data that comes pouring in. Snort is an Open Source product that is free to use and is very customizable.

Snort charges for the rules subscription called “VRT Certified Rules”. If you are serious about keeping your IDS systems the most up to date you must pay for the rules set. You can receive the rules free of charge by registering. However, the free rules are 30 days old. If you manage a network you know that a lot can change in 30 days.

Snort on Ubuntu

Steps:

  1. Use apt-get to retrieve the snort-mysql (Use your host network for the listen address range, e.g 192.168.1.0/24)
  2. Use apt-get to retrieve the mysql-server package. Follow prompts for passwords (use your own password!! do not leave blank)
  3. Follow the instructions below to setup the database

———-Snippets taken from the snort-mysql debian package README—————–

CREATING THE DATABASE
———————–

In order for the above to work you need to create first
a database.

Consider that you have defined the following information when asked
to in the Debconf dialogs when installing the package:

Database User: snort
Database Password:  (Use your own password here)
Database name: snort

For Mysql you can do this:

[ running as an mysql user with admin privileges ]
$  mysql -u root -p

(Type in the password you just created during the mysql-server installation)

mysql> CREATE DATABASE snort;
mysql> grant CREATE, INSERT, SELECT, UPDATE on snort.* to snort@localhost;
mysql> grant CREATE, INSERT, SELECT, UPDATE on snort.* to snort;
mysql> SET PASSWORD FOR snort@localhost=PASSWORD(‘INSERT YOUR OWN PASSWORD HERE‘);
mysql> flush privileges;
mysql> show grants for ‘snort’@’localhost’;

mysql>exit

Run the command below:

$ zcat /usr/share/doc/snort-mysql/create_mysql.gz | mysql -u snort -D snort -pYOUR OWN PASSWORD HERE

To do this remove the file ‘/etc/snort/db-pending-configuration’ and then do ‘/etc/init.d/snort start’. Confirm that snort is working and up
by running ‘/etc/init.d/snort status’ and reviewing the messages in the /var/log/daemon.log syslog file.

Before starting snort you will have to edit the /etc/snort/snort.conf  file.

Find the lines

# (#DBSTART#)
output database: log, mysql,
# (#DBEND#)

Change the output line to: output database: log, mysql, user=snort password=YOUR OWN PASSWORD HERE dbname=snort host=localhost

4. Install apache2  web server (apt-get install apache2)

5. Install acidbase application (apt-get install acidbase)

The package manager will walk you through the setup. You will need to enter the root database password, the database user (snort), the database name (snort) and the database password. It will also ask if you want it to install the configs for apache2. Select Apache2 for autoconfiguration. By default only the localhost has access to the apache site. “http://localhost/acidbase”

You will have to connect and have acidbase create the required fields for the snort database. This can be accomplished by hitting the button listed on the main page to create the tables.

Additionally you will have to edit the /etc/apache2/conf.d/acidbase.conf file and add any additional ip addresses or ip ranges that you want remote access from.

Visit the snort website for more information on updating rules and registering for your own “oinkcode”