10 - Snort Report

Introduction

Snort Report is a graphical interface to the alerts generated by a Snort intrusion detection system and stored in a database.

These notes presuppose that you have successfully installed Snort as we did with Notes #8, and that you have successfully configured MySQL and Barnyard2 to store the results of Snort as per Notes #9.

Snort Report is a PHP-based web application; we will demonstrate its installation on our traditional CentOS x64 6.2 system.

Installation

Snort Report depends on quite a few packages and components. As a web application, it needs a functioning Apache web server; fortunately this is part of the standard install in our class virtual machine. Snort Report also requires PHP to function, and yes, that is also set up in our class virtual machine.

To generate the graphs that Snort Report will present, we need two additional pieces of software: JpGraph and GD.

JpGraph & GD

The GD library is required for JpGraph, and this was not installed as part of our standard class image. Installing it, however, is simple. Mount the .iso for disc 1 of the installation image and install the required packages with rpm:

[root@satorsquare ~]# rpm -ivh \
    /media/CentOS_6.2_Final/Packages/php-gd-5.3.3-3.el6_1.3.x86_64.rpm \
    /media/CentOS_6.2_Final/Packages/libXpm-3.5.8-2.el6.x86_64.rpm
Preparing...                ########################################### [100%]
   1:libXpm                 ########################################### [ 50%]
   2:php-gd                 ########################################### [100%]

Apache needs to be restarted once this installation is complete.

JpGraph is a PHP library for creating charts. It can be downloaded online or from the class labshare.

There are different versions of JpGraph appropriate for different versions of PHP. Although we are running PHP 5, the version of JpGraph preferred for SnortReport is the older 1.27.1.

Unzip the JpGraph package in the PHP include path, /usr/share/php/, to create /usr/share/php/jpgraph-1.27.1/. For simplicity going forward, create a symbolic link named jpgraph to the src subdirectory, in the form

[root@satorsquare ~]# ln -s /usr/share/php/jpgraph-1.27.1/src/ /usr/share/php/jpgraph

This will enable PHP scripts that require JpGraph to simply use a line like

require_once('jpgraph/jpgraph.php');

To test the installation, first copy the jpgraph directory over to a subdirectory in the web server’s document root:

[root@satorsquare html]# cp -r /usr/share/php/jpgraph-1.27.1/src/ /var/www/html/test/

Then visit the web page test/Examples/example0.php; you should obtain a nice graph like the following.

There is a more complete and thorough testing suite available; just visit http://satorsquare.cosc.tu/test/Examples/testsuit.php. Be prepared to wait a few moments for all of the graphs to render. This page will generate some errors, primarily though not exclusively font errors. The JpGraph suite allows the writer to specify the fonts used, and in many examples they specify a particular Windows font from C:\Windows\Fonts. By default on our system, JpGraph will look for the fonts in /usr/share/fonts/truetype and if the correct font is placed there, the images will render correctly.

Once testing is complete, the test directory should be removed from DocumentRoot; there is no reason to continue serving those pages.
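As an added check (example script written for these notes, not part of the original text or of JpGraph), the two shell functions below do the symlink step above defensively and imitate the include_path lookup that makes require_once('jpgraph/jpgraph.php') work. The directory names are the ones used above; the include path ".:/usr/share/php" is an assumption about the CentOS php.ini default.

```shell
#!/bin/sh
# Added example, not from the original notes or from JpGraph.

# link_jpgraph SRCDIR LINKPATH
# Create LINKPATH -> SRCDIR as in the notes (e.g. /usr/share/php/jpgraph ->
# /usr/share/php/jpgraph-1.27.1/src/), but only if SRCDIR really holds
# jpgraph.php, and never on top of an existing real directory.
# Returns 1 for a bad source tree, 2 if LINKPATH exists and is not a symlink.
link_jpgraph() {
    src=$1; link=$2
    [ -f "$src/jpgraph.php" ] || return 1
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        return 2
    fi
    ln -sfn "$src" "$link"   # -n: replace an old link rather than descend into it
}

# resolve_include RELPATH INCLUDE_PATH
# Search a colon-separated include_path the way PHP does for a relative
# require_once() argument; print the first hit, return 1 if there is none.
resolve_include() {
    rel=$1; path=$2
    old_ifs=$IFS
    IFS=:
    set -- $path          # split INCLUDE_PATH on ':' into $1, $2, ...
    IFS=$old_ifs
    for dir in "$@"; do
        [ -n "$dir" ] || continue
        if [ -f "$dir/$rel" ]; then
            printf '%s\n' "$dir/$rel"
            return 0
        fi
    done
    return 1
}

# Usage on the class machine (as root):
#   link_jpgraph /usr/share/php/jpgraph-1.27.1/src /usr/share/php/jpgraph
#   resolve_include jpgraph/jpgraph.php "$(php -r 'echo get_include_path();')"
```

The second command prints the copy of jpgraph.php that PHP will actually load for the require_once line above; since the CLI and Apache both read /etc/php.ini on this system, a path printed here is the one httpd will use, and no output means the symlink is outside the include path.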

Installing Snort Report

Grab a copy of Snort Report, either online or from the labshare. In this example, we will be using the latest version, 1.3.3.

Unzip the package directly into the DocumentRoot for the web server, /var/www/html. For convenience, so that we do not have to remember the version number in the URL, create a symlink to the proper directory:

[root@satorsquare html]# tar -xzvf /home/vimes/Desktop/snortreport-1.3.3.tar.gz

[root@satorsquare html]# ln -s /var/www/html/snortreport-1.3.3/ /var/www/html/snortreport

[root@satorsquare html]# ls -l
total 8
-rw-r--r--. 1 root root   35 Apr 15 09:06 info.php
lrwxrwxrwx. 1 root root   32 Apr 15 09:28 snortreport -> /var/www/html/snortreport-1.3.3/
drwxr-xr-x. 2 root root 4096 Jan  9 22:00 snortreport-1.3.3

Two modifications then need to be made to the PHP configuration. First, the time zone must be set correctly; this is done by editing /etc/php.ini (line 946) and making the change:

[Date]
; Defines the default timezone used by the date functions
; http://www.php.net/manual/en/datetime.configuration.php#ini.date.timezone
date.timezone = America/New_York

More significantly, we need to tell PHP to recognize short opening tags. This is not the preferred way to write PHP, but it is the way the authors of SnortReport chose, so we modify line 229 of /etc/php.ini:

; This directive determines whether or not PHP will recognize code between
; <? and ?> tags as PHP source which should be processed as such. It's been
; recommended for several years that you not use the short tag "short cut" and
; instead to use the full <?php and ?> tag combination. With the wide spread use
; of XML and use of these tags by other languages, the server can become easily
; confused and end up parsing the wrong code in the wrong context. But because
; this short cut has been a feature for such a long time, it's currently still
; supported for backwards compatibility, but we recommend you don't use them.
; Default Value: On
; Development Value: Off
; Production Value: Off
; http://www.php.net/manual/en/ini.core.php#ini.short-open-tag
short_open_tag = On

With the changes made to /etc/php.ini, the web server needs to be restarted to take the changes into account:

[root@satorsquare html]# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
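The two php.ini edits above are made by hand at particular line numbers, and those numbers move between PHP builds. The functions below are an added example for these notes (not from the original text) that make the same two changes by key name, so they can be re-run safely, and read the effective value back so the change can be verified before httpd is restarted. They assume a sed that accepts -E and -i.bak (GNU and BSD both do) and values containing none of the characters &, \ or |.

```shell
#!/bin/sh
# Added example, not from the original notes: edit php.ini by key instead of
# by line number, then read the effective value back.

# set_php_ini KEY VALUE FILE
# Replace an existing "KEY = ..." line (commented out with ';' or not) with
# "KEY = VALUE", or append one if the key is absent.  A backup is left in
# FILE.bak.  VALUE must not contain '&', '\' or '|' (sed replacement syntax).
set_php_ini() {
    key=$1; value=$2; file=$3
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')   # '.' is literal in the key
    if grep -Eq "^[[:space:]]*;?[[:space:]]*${key_re}[[:space:]]*=" "$file"; then
        sed -i.bak -E "s|^[[:space:]]*;?[[:space:]]*${key_re}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_php_ini KEY FILE
# Print the value of the last uncommented "KEY = value" line, or nothing.
# PHP itself uses the last assignment when a key appears more than once.
get_php_ini() {
    key_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -E "^[[:space:]]*${key_re}[[:space:]]*=" "$2" | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//'
}

# Usage on the class machine (as root), followed by the httpd restart above:
#   set_php_ini date.timezone America/New_York /etc/php.ini
#   set_php_ini short_open_tag On /etc/php.ini
#   get_php_ini short_open_tag /etc/php.ini      # should print: On
```

If get_php_ini prints Off after the change, a later uncommented assignment in the file is overriding yours; php.ini takes the last one, so remove or fix that line rather than adding another.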

Next, create an account on the database server for the connection by SnortReport. Recall, in Notes #8 we deployed a Snort sensor on the host isleofgods.cosc.tu. In Notes #9, we set up a database on the separate host biers.cosc.tu to store the data generated by that sensor. In this example, we will assume that the web application host is separate from either the sensor or the database with the name satorsquare.cosc.tu. Of course, this is not necessary; any two, or even all three of these hosts can be the same.

From the database server, biers.cosc.tu, connect to MySQL as the root user and add the user:

mysql> grant all on snort.* to snort@satorsquare.cosc.tu identified by "password1!";
Query OK, 0 rows affected (0.04 sec)

and verify that it worked as it ought to:

mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select user, host, password from user;
+-------+---------------------+-------------------------------------------+
| user  | host                | password                                  |
+-------+---------------------+-------------------------------------------+
| root  | localhost           | *0262F498E91CA294A8BA96084EEEDB5F635B23A3 |
| root  | biers.cosc.tu       | *0262F498E91CA294A8BA96084EEEDB5F635B23A3 |
| root  | 127.0.0.1           | *0262F498E91CA294A8BA96084EEEDB5F635B23A3 |
| snort | isleofgods.cosc.tu  | *0262F498E91CA294A8BA96084EEEDB5F635B23A3 |
| snort | satorsquare.cosc.tu | *0262F498E91CA294A8BA96084EEEDB5F635B23A3 |
+-------+---------------------+-------------------------------------------+
5 rows in set (0.00 sec)

Finally, validate this by logging into the database system directly from the web application server:

[root@satorsquare html]# mysql -u snort -h biers.cosc.tu -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 23
Server version: 5.1.52 Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use snort;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
16 rows in set (0.00 sec)

Next, SnortReport itself must be configured; this is done by editing the file /var/www/html/snortreport/srconf.php. Update the snort database variables in lines 27-32 with the values just chosen:

// Put your snort database login credentials in this section
$server = "biers.cosc.tu";
$user = "snort";
$pass = "password1!";
$dbname = "snort";

Finally, the location of JpGraph needs to be selected; modify line 44 to read

define("JPGRAPH_PATH","/usr/share/php/jpgraph");

If you visit the web page snortreport/alerts.php you will then be able to select a date and time range, and view the alerts recorded by your sensor.
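Two things are worth checking once srconf.php holds the credentials, shown here as an added example for these notes (not from the original text or from SnortReport). First, the connection test from the web application host can be run without typing the password on the mysql command line, where ps and the shell history would record it, by generating a MySQL option file from srconf.php. Second, srconf.php itself should not be world-readable, since otherwise every local account on satorsquare can read the database password out of it. The functions assume srconf.php uses the simple $name = "value"; form shown above and that httpd runs as the apache group, so root:apache with mode 640 keeps the file readable by the web server. On the grant itself: if SnortReport is only reading alerts, which is all a viewer does, granting SELECT on snort.* to snort@satorsquare.cosc.tu is tighter than the GRANT ALL used above.

```shell
#!/bin/sh
# Added example, not from the original notes or from SnortReport.

# srconf_value NAME FILE
# Print the string assigned to $NAME in srconf.php, for lines of the simple
# form   $NAME = "value";   (single or double quotes; the value must not
# itself contain a quote character).  Prints nothing if no such line exists.
srconf_value() {
    sed -n -E "s/^[[:space:]]*\\\$$1[[:space:]]*=[[:space:]]*[\"']([^\"']*)[\"'][[:space:]]*;.*/\\1/p" "$2" \
        | head -n 1
}

# write_client_cnf SRCONF OUTFILE
# Build a MySQL option file from srconf.php so that the connection test
#   mysql --defaults-extra-file=OUTFILE
# needs no -p on the command line.  OUTFILE is (re)created with mode 600
# before the password is written into it.  host/user/password go in [client]
# (read by every MySQL client); the default database is only a `mysql`
# option, so it goes in [mysql] where other clients will not reject it.
write_client_cnf() {
    srconf=$1; out=$2
    host=$(srconf_value server "$srconf")
    user=$(srconf_value user "$srconf")
    pass=$(srconf_value pass "$srconf")
    db=$(srconf_value dbname "$srconf")
    [ -n "$host" ] && [ -n "$user" ] && [ -n "$db" ] || return 1
    rm -f "$out"
    ( umask 077; : > "$out" ) || return 1      # create empty, owner-only
    printf '[client]\nhost = %s\nuser = %s\npassword = %s\n\n[mysql]\ndatabase = %s\n' \
        "$host" "$user" "$pass" "$db" > "$out"
}

# world_readable FILE
# Return 0 if "other" has read permission on FILE, 1 if not, 2 if missing.
# srconf.php should return 1: chown root:apache and chmod 640 give httpd
# read access while ordinary local users get nothing.
world_readable() {
    [ -e "$1" ] || return 2
    case $(ls -ld "$1" | cut -c8) in
        r) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage on satorsquare:
#   write_client_cnf /var/www/html/snortreport/srconf.php /root/.snort-client.cnf
#   mysql --defaults-extra-file=/root/.snort-client.cnf -e 'show tables;'
#   world_readable /var/www/html/snortreport/srconf.php && echo 'srconf.php is world-readable'
```

The --defaults-extra-file option has to be the first argument to mysql; the show tables output should match the 16-table listing above. Delete the option file when the check is done, since it holds the same password as srconf.php.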

Note how many alerts were recorded with sid 10000001; this is the test rule created back in Notes #8 that fired on any connection to or from a web site. Hmm. I should probably remember to delete that one now…
