11- Snort Report 1.3.3

Introduction

Snort Report is a graphical interface to the alerts generated by a Snort intrusion detection system and stored in a database.

These notes presuppose that you have successfully installed Snort as we did with Notes #8, and that you have successfully configured MySQL and Barnyard2 to store the results of Snort as per Notes #9.

Snort Report is a PHP-based web application; we will demonstrate its installation on our traditional CentOS x64 6.2 system.

Installation

Snort Report depends on quite a few packages and components. As a web application, it needs a functioning Apache web server; fortunately this is part of the standard install in our class virtual machine. Snort Report also requires PHP to function, and yes, that is also set up in our class virtual machine.

Since this is a web application, we need to get our web server started; be sure you

  • Update the ServerName directive in httpd.conf
  • Configure the web server to start on boot
  • Open the proper ports (80, 443) in the firewall
  • Set SELinux to permissive mode

You can go back to notes #6 for details.

To generate the graphs that Snort Report will present, we need two additional pieces of software: JpGraph and GD.

JpGraph & GD

The GD library is required for JpGraph, and it was not installed as part of our standard class image. Installing it, however, is simple. Mount the .iso for disc 1 of the installation image and install the required packages with rpm:

[root@sayshell ~]# rpm -ivh \
    /media/CentOS_6.2_Final/Packages/php-gd-5.3.3-3.el6_1.3.x86_64.rpm \
    /media/CentOS_6.2_Final/Packages/libXpm-3.5.8-2.el6.x86_64.rpm
Preparing...                ########################################### [100%]
   1:libXpm                 ########################################### [ 50%]
   2:php-gd                 ########################################### [100%]

Apache needs to be restarted once this installation is complete.

JpGraph is a PHP library designed to create charts for PHP. It can be downloaded online or from the class labshare.

There are different versions of JpGraph appropriate for different versions of PHP. Despite the fact that we are running PHP 5, the preferred version of JpGraph for SnortReport is the older version 1.27.1.

Unzip the JpGraph package in the PHP include path, /usr/share/php/, to create /usr/share/php/jpgraph-1.27.1/.

[root@sayshell php]# mv /home/seldon/Desktop/jpgraph-1.27.1.tar.gz /usr/share/php/
[root@sayshell php]# cd /usr/share/php/
[root@sayshell php]# tar -xzvf ./jpgraph-1.27.1.tar.gz

For simplicity going forward, create a symbolic link from jpgraph to the src subdirectory in the form

[root@sayshell php]# ln -s /usr/share/php/jpgraph-1.27.1/src/ /usr/share/php/jpgraph

This will enable PHP scripts that require JpGraph to simply use lines like

require_once('jpgraph/jpgraph.php');

To test the installation, first copy the jpgraph directory over to a subdirectory in the web server’s document root:

[root@sayshell html]# cp -r /usr/share/php/jpgraph-1.27.1/src/ /var/www/html/test/

Then visit the web page test/Examples/example0.php; you should obtain a nice graph like the following.
[Image: JPTest, the graph produced by example0.php]

There is a more complete and thorough testing suite available; just visit http://sayshell.cosc.tu/test/Examples/testsuit.php. Be prepared to wait a few moments for all of the graphs to render. This page will generate some errors, primarily though not exclusively font errors. The JpGraph suite allows the writer to specify the fonts used, and in many examples they specify a particular Windows font from C:\Windows\Fonts. By default on our system, JpGraph will look for the fonts in /usr/share/fonts/truetype and if the correct font is placed there, the images will render correctly. If not, well, then whining ensues. Shrug.

Once testing is complete, the test directory should be removed from the DocumentRoot; there is no reason to continue serving those pages.

Installing Snort Report

Grab a copy of Snort Report, either online or from the labshare. In this example, we will be using the latest version, 1.3.3.

Unzip the package directly into the DocumentRoot for the web server, /var/www/html. For convenience, so that we do not have to remember the version number in the URL, create a symlink to the proper directory:

[root@sayshell ~]# cd /var/www/html/
[root@sayshell html]# tar -xzvf /home/seldon/Desktop/snortreport-1.3.3.tar.gz 
[root@sayshell html]# ln -s /var/www/html/snortreport-1.3.3/ /var/www/html/snortreport

[root@sayshell html]# ls -l
total 4
lrwxrwxrwx. 1 root root   32 Apr 13 17:22 snortreport -> /var/www/html/snortreport-1.3.3/
drwxr-xr-x. 2 root root 4096 Jan  9  2012 snortreport-1.3.3

Two modifications then need to be made to the PHP configuration. First, the time zone must be correctly set; this is done by editing line 946 of /etc/php.ini to read:

[Date]
; Defines the default timezone used by the date functions
; http://www.php.net/manual/en/datetime.configuration.php#ini.date.timezone
date.timezone = America/New_York

More significantly, we need to tell PHP to recognize short opening tags. This is not the preferred way to write PHP, but it is the way that the authors of SnortReport chose, so we modify line 229 of /etc/php.ini:

; This directive determines whether or not PHP will recognize code between
; <? and ?> tags as PHP source which should be processed as such. It's been
; recommended for several years that you not use the short tag "short cut" and
; instead to use the full <?php and ?> tag combination. With the wide spread use
; of XML and use of these tags by other languages, the server can become easily
; confused and end up parsing the wrong code in the wrong context. But because
; this short cut has been a feature for such a long time, it's currently still
; supported for backwards compatibility, but we recommend you don't use them.
; Default Value: On
; Development Value: Off
; Production Value: Off
; http://www.php.net/manual/en/ini.core.php#ini.short-open-tag
short_open_tag = On

With the changes made to /etc/php.ini, the web server needs to be restarted to take the changes into account:

[root@sayshell html]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
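As an added check, not part of the original notes or of Snort Report itself, the following POSIX shell functions read a php.ini and confirm that date.timezone is set and short_open_tag is On, skipping the commented-out lines (those beginning with ";") that php.ini is full of. The path argument and the /etc/php.ini default are assumptions.

```shell
#!/bin/sh
# Added example (not from the notes or from Snort Report): verify the two
# php.ini directives Snort Report needs. Pass the ini path as the first
# argument; it defaults to /etc/php.ini (an assumption).

# Print the effective value of a directive, ignoring ';' comment lines and
# stripping quotes and trailing whitespace. Later definitions win, as in PHP.
php_ini_value() {
    ini="$1"; key="$2"
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$ini" \
        | tail -n 1 | tr -d '"' | sed 's/[[:space:]]*$//'
}

# Return 0 when date.timezone is set and short_open_tag is enabled.
check_php_ini() {
    ini="${1:-/etc/php.ini}"
    ok=0
    tz=$(php_ini_value "$ini" 'date\.timezone')
    if [ -z "$tz" ]; then
        echo "date.timezone is not set in $ini" >&2; ok=1
    fi
    sot=$(php_ini_value "$ini" 'short_open_tag')
    case "$sot" in
        On|on|1|true|True) ;;
        *) echo "short_open_tag is '$sot' in $ini (Snort Report needs On)" >&2; ok=1 ;;
    esac
    return $ok
}

# Usage (run by hand after sourcing this file): check_php_ini /etc/php.ini
```

Run it after editing php.ini and before restarting httpd; a non-zero exit status tells you which directive is still wrong, which is easier than hunting for a blank Snort Report page afterwards.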

Next, create an account on the database server for the connection by SnortReport. Recall, in Notes #8 we deployed a Snort sensor on the host tazenda.cosc.tu. In Notes #9, we set up a database on the separate host comporellon.cosc.tu to store the data generated by that sensor. In this example, we will assume that the web application host is separate from either the sensor or the database with the name sayshell.cosc.tu. Of course, this is not necessary; any two, or even all three of these hosts can be the same.

Connect to MySQL as the root user on the database server, comporellon.cosc.tu, and add the user:

[root@comporellon ~]# mysql -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.1.67 Source distribution

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> grant all on snort.* to snort@sayshell.cosc.tu identified by 'password1!';
Query OK, 0 rows affected (0.00 sec)

Remember that last week we created the user snort@tazenda.cosc.tu with access to this database, but since we are connecting to the database from a different host, we need to create an additional user.

Verify that it worked by logging into the database system directly from the web application server:

[root@sayshell ~]# mysql -u snort -h comporellon.cosc.tu -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.1.67 Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use snort;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
16 rows in set (0.00 sec)

Next, SnortReport itself must be configured; this is done by editing the file /var/www/html/snortreport/srconf.php. Update the snort database variables in lines 27-32 with the values just chosen:

// Put your snort database login credentials in this section
$server = "comporellon.cosc.tu";
$user = "snort";
$pass = "password1!";
$dbname = "snort";

Finally, the location of JpGraph needs to be selected; modify line 44 to read

define("JPGRAPH_PATH", "/usr/share/php/jpgraph/");
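An added example, again not from the notes or from Snort Report: shell functions that read the values out of srconf.php, check that the JPGRAPH_PATH defined there actually contains jpgraph.php, and check that the file, which carries the database password in clear text, is not readable by other users on the host. The default path is an assumption, as is the recommended mode 640 with the web server's user as group owner.

```shell
#!/bin/sh
# Added example (not from the notes or from Snort Report): sanity-check a
# Snort Report srconf.php. The default path below is an assumption.

# Extract the string assigned to $name in a line such as: $user = "snort";
srconf_var() {
    conf="$1"; name="$2"
    sed -n 's/^[[:space:]]*\$'"$name"'[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" | head -n 1
}

# Extract the path from: define("JPGRAPH_PATH", "/usr/share/php/jpgraph/");
srconf_jpgraph_path() {
    sed -n 's/.*define("JPGRAPH_PATH",[[:space:]]*"\([^"]*\)").*/\1/p' "$1" | head -n 1
}

# Return 0 when all four credentials are filled in, JPGRAPH_PATH holds
# jpgraph.php, and the file is not readable by "other".
check_srconf() {
    conf="${1:-/var/www/html/snortreport/srconf.php}"
    [ -f "$conf" ] || { echo "$conf not found" >&2; return 1; }
    ok=0
    for v in server user pass dbname; do
        val=$(srconf_var "$conf" "$v")
        [ -n "$val" ] || { echo "\$$v is not set in $conf" >&2; ok=1; }
    done
    jp=$(srconf_jpgraph_path "$conf")
    if [ ! -f "${jp}jpgraph.php" ] && [ ! -f "${jp}/jpgraph.php" ]; then
        echo "JPGRAPH_PATH '$jp' does not contain jpgraph.php" >&2; ok=1
    fi
    # Characters 8-10 of the ls -l mode field are the "other" permission bits;
    # the file holds the database password, so they should all be '-'.
    other=$(ls -l "$conf" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "$conf is readable by other users ($other); use mode 640 with the web server user as group" >&2
        ok=1
    fi
    return $ok
}

# Usage (run by hand after sourcing this file): check_srconf /var/www/html/snortreport/srconf.php
```

The JpGraph check catches the case where the symlink /usr/share/php/jpgraph was never created or points at the package root rather than its src subdirectory, so that jpgraph.php is not where srconf.php says it is.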

If you visit the web page snortreport/alerts.php you will then be able to select a date and time range, and view the alerts recorded by your sensor.
[Image: Screenshot-SNORT Report, the alerts.php page]

Do you think that this might be easier than looking through Splunk logs of snort alerts?
