Agenda: exercises-snort-BASE.htm

File exercises-snort-BASE.htm, 11.4 KB (added by admin, 5 years ago)
<h1 id="introduction">Introduction</h1>
<p>We will set up Snort together with BASE (Basic Analysis and Security Engine). This application provides a web front-end to query and analyze the alerts coming from a Snort IDS system. BASE is the evolution of a previous project called ACID.</p>
<h2 id="notes">Notes</h2>
<ul>
<li>Commands preceded with &quot;$&quot; imply that you should execute the command as a general user - not as root.</li>
<li>Commands preceded with &quot;#&quot; imply that you should be working as root.</li>
<li>Commands with more specific prompts (e.g. &quot;RTR-GW&gt;&quot; or &quot;mysql&gt;&quot;) imply that you are executing commands on remote equipment, or within another program.</li>
</ul>
<h2 id="goals">Goals</h2>
<ul>
<li>Learn how to install the Snort package with MySQL support</li>
<li>Learn how to install and configure the acidbase package on Ubuntu</li>
<li>Set up authentication</li>
<li>Set up e-mail exports</li>
</ul>
<h1 id="snort-mysql-installation">Snort-MySQL Installation</h1>
<p>Log in to the PC assigned to you, and install the lamp-server group of packages:</p>
<pre><code>$ sudo apt-get install tasksel
$ sudo tasksel install lamp-server</code></pre>
<p>The above command is a shortcut to install a set of predefined packages that offer the &quot;Linux Apache MySQL PHP&quot; services, i.e. LAMP. Some or most of these packages may have already been installed during previous labs, but it doesn't hurt to run it.</p>
<p>If you are curious which packages this &quot;set&quot; includes, you can run:</p>
<pre><code>$ tasksel --task-packages lamp-server</code></pre>
<p>If you haven't already done so before, you will be prompted to create a MySQL root password during the installation process. Please use the same password you used to log in to your virtual PC, which was given in class.</p>
<p>Now, create the database to be used by Snort:</p>
<pre><code>$ mysql -u root -p</code></pre>
<p>Type the password you provided earlier while installing. Then, at the mysql prompt, type the following:</p>
<pre><code>mysql&gt; create database snort;
mysql&gt; GRANT ALL PRIVILEGES ON snort.* TO &#39;snort&#39;@&#39;localhost&#39; IDENTIFIED BY &#39;snortpwd&#39;;
mysql&gt; FLUSH PRIVILEGES;
mysql&gt; quit</code></pre>
<p>NOTE: Notice that we used 'snortpwd' here. This is the password that Snort will use to connect to the MySQL database. We will also use it later for the web front-end. Instead of 'snortpwd', you may want to use the default password used to log in to your machine.</p>
<p>Install Snort with MySQL support:</p>
<pre><code>$ sudo apt-get -y install snort-mysql</code></pre>
<p>If you see a window prompting you to provide the &quot;Address range for the local network&quot;, type the network address of your particular group.</p>
<p>For example, for group 1, the network block is: 10.10.1.0/24</p>
<p>Following this, you will be asked if you wish to set up a database for use with Snort. Choose No. We will manually configure Snort to connect to our previously created database.</p>
<p>You will receive a warning like the following: &quot;Snort will not start as its database is not yet configured&quot;. That's OK. Go on.</p>
<p>Create the database table structure:</p>
<pre><code>$ zcat /usr/share/doc/snort-mysql/create_mysql.gz | mysql -u snort -p snort</code></pre>
<p>Type the snort database password: &quot;snortpwd&quot;</p>
<p>Edit the Snort configuration to include the database parameters:</p>
<pre><code>$ sudo editor /etc/snort/snort.conf</code></pre>
<p>Find this line:</p>
<pre><code>output log_tcpdump: tcpdump.log</code></pre>
<p>and comment it out like this:</p>
<pre><code>#output log_tcpdump: tcpdump.log</code></pre>
<p>Save and exit the editor.</p>
<p>Now, edit the Snort database configuration file:</p>
<pre><code>$ sudo editor /etc/snort/database.conf</code></pre>
<p>Then, add this line at the end of the file:</p>
<pre><code>output database: log, mysql, user=snort password=snortpwd dbname=snort host=localhost</code></pre>
<p>Remember to use the SAME password here that you picked during database creation earlier!</p>
<p>Save and exit the editor.</p>
<p>Remove the pending Snort database configuration file:</p>
<pre><code>$ sudo rm -rf /etc/snort/db-pending-config</code></pre>
<p>Start the Snort service:</p>
<pre><code>$ sudo service snort start</code></pre>
<p>Verify that the Snort daemon successfully started:</p>
<pre><code>$ sudo /etc/init.d/snort status
$ tail /var/log/daemon.log</code></pre>
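<p>As an added example (not part of the original exercise), the script below checks the two configuration edits made above before the daemon is started: that <code>output log_tcpdump</code> is no longer active in <code>snort.conf</code>, and that <code>database.conf</code> carries exactly one <code>output database:</code> line using the mysql plugin with the expected <code>user</code> and <code>dbname</code> and a non-empty password. The file paths are arguments, so the same functions can be run against <code>/etc/snort/snort.conf</code> and <code>/etc/snort/database.conf</code>; the sample files it creates in a temporary directory are constructed for the demonstration and are not the real package files.</p>

```shell
#!/bin/sh
# Added example, not part of the original exercise: sanity-check the two Snort
# configuration edits made above (log_tcpdump commented out in snort.conf, and
# the "output database:" line in database.conf) before starting the daemon.
# File paths are arguments, so the same functions work against the real
# /etc/snort files or the constructed samples at the bottom.

DB_LINE_RE='^[[:space:]]*output[[:space:]]+database:'

# 0 if no active (uncommented) "output log_tcpdump:" line remains in snort.conf.
tcpdump_output_disabled() {
    ! grep -Eq '^[[:space:]]*output[[:space:]]+log_tcpdump:' "$1"
}

# Print the value of key=value from the single "output database:" line of
# database.conf; return 1 if the file does not contain exactly one such line.
db_output_param() {
    conf="$1"; key="$2"
    [ "$(grep -Ec "$DB_LINE_RE" "$conf")" -eq 1 ] || return 1
    grep -E "$DB_LINE_RE" "$conf" | tr ' ,' '\n\n' | sed -n "s/^${key}=//p"
}

# Overall check: tcpdump output disabled, exactly one mysql database output,
# the expected user and dbname, and a non-empty password. Problems go to stderr.
check_snort_db_config() {
    snort_conf="$1"; db_conf="$2"; rc=0
    tcpdump_output_disabled "$snort_conf" \
        || { echo "$snort_conf: output log_tcpdump is still active" >&2; rc=1; }
    [ "$(grep -Ec "$DB_LINE_RE" "$db_conf")" -eq 1 ] \
        || { echo "$db_conf: expected exactly one 'output database:' line" >&2; return 1; }
    grep -E "$DB_LINE_RE" "$db_conf" | grep -q 'mysql' \
        || { echo "$db_conf: database output plugin is not mysql" >&2; rc=1; }
    [ "$(db_output_param "$db_conf" user)" = "snort" ] \
        || { echo "$db_conf: user is not 'snort'" >&2; rc=1; }
    [ "$(db_output_param "$db_conf" dbname)" = "snort" ] \
        || { echo "$db_conf: dbname is not 'snort'" >&2; rc=1; }
    [ -n "$(db_output_param "$db_conf" password)" ] \
        || { echo "$db_conf: password is empty" >&2; rc=1; }
    return $rc
}

# Constructed sample files mirroring the edits described in this exercise.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/snort.conf" <<'EOF'
# tcpdump output commented out as in the exercise
#output log_tcpdump: tcpdump.log
output alert_syslog: LOG_AUTH LOG_ALERT
EOF
cat > "$tmpdir/database.conf" <<'EOF'
output database: log, mysql, user=snort password=snortpwd dbname=snort host=localhost
EOF
# A deliberately wrong variant: the tcpdump line was never commented out.
cat > "$tmpdir/snort-bad.conf" <<'EOF'
output log_tcpdump: tcpdump.log
EOF

if check_snort_db_config "$tmpdir/snort.conf" "$tmpdir/database.conf"; then
    echo "Snort database output configuration looks consistent"
fi
```

<p>Running the checks on the constructed good pair prints the confirmation line; pointing <code>check_snort_db_config</code> at <code>snort-bad.conf</code> reports the still-active tcpdump output on stderr and returns 1, which is the state Snort would otherwise be started in if the edit above were skipped.</p>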
<h1 id="base-installation">BASE Installation</h1>
<p>Next we will install a web front-end (BASE) to monitor Snort's output.</p>
<pre><code>$ sudo apt-get -y install acidbase</code></pre>
<p>During the installation process you will be prompted a couple of times where you just have to accept (Ok) and continue. You will then be asked to configure a database for acidbase. Choose &quot;MySQL&quot; for the database type when asked.</p>
<p>You may be prompted for the password of the database administrator. This is the same password we used when MySQL was initially installed.</p>
<p>Upon entering the database administrator password, you will be prompted to create a MySQL password for acidbase to connect to the database. In this exercise we will use the same password as the snort user: &quot;snortpwd&quot; (please double check that you are using the correct password; write it down if necessary for now!)</p>
<h2 id="base-acidbase-configuration">BASE (acidbase) Configuration</h2>
<p>When installed, the acidbase web front-end is configured to only allow access from the localhost. Modify acidbase's configuration to allow other workstations to connect:</p>
<pre><code>$ sudo editor /etc/acidbase/apache.conf</code></pre>
<p>Find this line:</p>
<pre><code>allow from 127.0.0.0/255.0.0.0</code></pre>
<p>and change it to match your group's network. For example, for pc1:</p>
<pre><code>allow from 10.10.1.0/255.255.255.0</code></pre>
<p>Save the file and exit the editor. Then restart Apache:</p>
<pre><code>$ sudo service apache2 restart</code></pre>
<p>You may need to verify the acidbase database configuration file. To do this:</p>
<pre><code>$ sudo editor /etc/acidbase/database.php</code></pre>
<p>Make sure that the following variables are set in the same way in the file:</p>
<pre><code>$alert_user=&#39;snort&#39;;
$alert_password=&#39;snortpwd&#39;;
$alert_dbname=&#39;snort&#39;;
$DBtype=&#39;mysql&#39;;</code></pre>
<p>If you make any changes, save and exit.</p>
<p>Navigate to your new BASE webpage (substitute X with the number of your group):</p>
<pre><code>http://10.10.X.10/acidbase</code></pre>
<p>You will now see a message like the following:</p>
<pre><code>The underlying database snort@ appears to be incomplete/invalid.

The database version is valid, but the BASE DB structure (table: acid_ag)
is not present. Use the Setup page to configure and optimize the DB.</code></pre>
<p>Follow the directions on that page to update the database (Create BASE AG). Then, use the link in the top left to navigate to the &quot;Home&quot; page.</p>
<p>You will see a dashboard containing the following:</p>
<ul>
<li>On the top left corner, a list of links to alert reports, classified by various criteria</li>
<li>Below that, alert statistics, including percent bars of traffic by type</li>
<li>At the bottom, a menu with several administrative options.</li>
</ul>
<h2 id="set-up-authentication">Set up authentication</h2>
<p>In a production install, Snort alerts are very sensitive information, so we need to add authentication to this web front-end. Let's create a user for us to log in with.</p>
<ul>
<li>Go to the bottom menu and click on &quot;Administration&quot;</li>
<li>Click on &quot;Create a User&quot;</li>
<li>Login: &quot;sysadm&quot;</li>
<li>Full Name: &quot;System Administrator&quot;</li>
<li>Password: Type the sysadm password you used to log in to the PC</li>
<li>Role: &quot;Admin&quot;</li>
<li>Click on &quot;Submit Query&quot;</li>
</ul>
<p>Now, we need to configure BASE so that it requires authentication.</p>
<pre><code>$ sudo editor /etc/acidbase/base_conf.php</code></pre>
<p>Find this line:</p>
<pre><code>$Use_Auth_System = 0;</code></pre>
<p>and change it to:</p>
<pre><code>$Use_Auth_System = 1;</code></pre>
<p>Save and exit.</p>
<p>From now on, if you try to access your acidbase installation, it will require a login and password.</p>
<h2 id="setup-apache2-ssl">Setup Apache2 SSL</h2>
<p>We have set up acidbase to require authentication. However, we are now vulnerable to password sniffing because the web server is not encrypting the communications channel. To fix that, let's enable SSL for Apache2:</p>
<pre><code>$ sudo a2enmod ssl
$ sudo a2ensite default-ssl</code></pre>
<p>Then, tell Apache that SSL is required for the acidbase pages:</p>
<pre><code>$ sudo editor /etc/acidbase/apache.conf</code></pre>
<p>Add the following line inside the <code>&lt;DirectoryMatch&gt;</code> section:</p>
<pre><code>SSLRequireSSL</code></pre>
<p>Save and restart Apache:</p>
<pre><code>$ sudo service apache2 restart</code></pre>
<p>You should be able to view your BASE using the https:// method in the URL:</p>
<pre><code>https://10.10.X.10/acidbase</code></pre>
<p>(Since we are using the default self-signed certificate, you will probably have to create an exception in your browser).</p>
<p>You will be asked to authenticate. Log in with the &quot;sysadm&quot; account you created.</p>
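<p>The three access controls applied to the front-end in the sections above (the <code>allow from</code> network restriction in <code>/etc/acidbase/apache.conf</code>, <code>SSLRequireSSL</code> placed inside the <code>&lt;DirectoryMatch&gt;</code> block of that same file, and <code>$Use_Auth_System = 1</code> in <code>/etc/acidbase/base_conf.php</code>) are easy to get subtly wrong, in particular by putting <code>SSLRequireSSL</code> outside the block, where it does not protect the acidbase pages. The script below is an added example, not part of the original exercise or the acidbase package, that verifies all three. It takes the file paths as arguments, and the sample files it writes to a temporary directory are simplified constructions for group 1, not the real package files.</p>

```shell
#!/bin/sh
# Added example, not part of the original exercise: verify the three access
# controls applied to the BASE front-end in the sections above: the "allow from"
# network restriction in /etc/acidbase/apache.conf, SSLRequireSSL placed inside
# the <DirectoryMatch> block of that same file, and $Use_Auth_System = 1 in
# /etc/acidbase/base_conf.php. Paths are arguments, so the functions can be
# pointed at the real files or at the constructed samples at the bottom.

# 0 if SSLRequireSSL appears between <DirectoryMatch ...> and </DirectoryMatch>.
# A directive placed outside that block would not protect the acidbase pages.
ssl_required_in_directorymatch() {
    awk '
        /^[ \t]*<DirectoryMatch/   { inside = 1 }
        /^[ \t]*<\/DirectoryMatch>/ { inside = 0 }
        inside && /^[ \t]*SSLRequireSSL[ \t]*$/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# 0 if no "allow from" line opens the pages to everyone ("all", 0.0.0.0/0 or
# 0.0.0.0/0.0.0.0); a specific network such as 10.10.1.0/255.255.255.0 passes.
allow_from_is_restricted() {
    ! grep -Eiq '^[[:space:]]*allow[[:space:]]+from[[:space:]]+(all|0\.0\.0\.0(/0(\.0\.0\.0)?)?)[[:space:]]*$' "$1"
}

# 0 if base_conf.php enables the BASE authentication system.
auth_system_enabled() {
    grep -Eq '^[[:space:]]*\$Use_Auth_System[[:space:]]*=[[:space:]]*1[[:space:]]*;' "$1"
}

# Run all three checks, report every failure on stderr, return 1 if any failed.
check_base_hardening() {
    apache_conf="$1"; base_conf="$2"; rc=0
    allow_from_is_restricted "$apache_conf" \
        || { echo "$apache_conf: 'allow from' grants access to everyone" >&2; rc=1; }
    ssl_required_in_directorymatch "$apache_conf" \
        || { echo "$apache_conf: SSLRequireSSL is missing from <DirectoryMatch>" >&2; rc=1; }
    auth_system_enabled "$base_conf" \
        || { echo "$base_conf: \$Use_Auth_System is not set to 1" >&2; rc=1; }
    return $rc
}

# Constructed samples (simplified, not the real package files) for group 1.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/apache-hardened.conf" <<'EOF'
Alias /acidbase "/usr/share/acidbase"
<DirectoryMatch /usr/share/acidbase/>
  Options +FollowSymLinks
  AllowOverride None
  order deny,allow
  deny from all
  allow from 10.10.1.0/255.255.255.0
  SSLRequireSSL
</DirectoryMatch>
EOF
# Weak variant: open to everyone, and SSLRequireSSL landed outside the block.
cat > "$tmpdir/apache-weak.conf" <<'EOF'
Alias /acidbase "/usr/share/acidbase"
<DirectoryMatch /usr/share/acidbase/>
  order deny,allow
  deny from all
  allow from all
</DirectoryMatch>
SSLRequireSSL
EOF
printf '<?php\n$Use_Auth_System = 1;\n' > "$tmpdir/base_conf-hardened.php"
printf '<?php\n$Use_Auth_System = 0;\n' > "$tmpdir/base_conf-weak.php"

if check_base_hardening "$tmpdir/apache-hardened.conf" "$tmpdir/base_conf-hardened.php"; then
    echo "BASE front-end access controls look correct"
fi
```

<p>On the hardened pair the script prints the confirmation line; on the weak pair it reports all three problems and returns 1. Since the checks are per file, you can run <code>check_base_hardening /etc/acidbase/apache.conf /etc/acidbase/base_conf.php</code> after each edit above and again after the Apache restart.</p>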
<h1 id="operation">Operation</h1>
<h2 id="exporting-to-e-mail-for-collaboration">Exporting to e-mail for collaboration</h2>
<p>BASE does not send automatic e-mail alerts, but you can set it up so that you can select one or more alerts and send their details to your colleagues in an e-mail message.</p>
<p>For this to work, you will need to install a mail transfer agent. For example:</p>
<pre><code>$ sudo apt-get -y install postfix</code></pre>
<ul>
<li>When asked about the type of mail configuration, select &quot;Internet Site&quot;.</li>
<li>System mail name: It should be the full name of your server, for example &quot;pc1.ws.nsrc.org&quot;</li>
</ul>
<p>Also, make sure that you have the PHP mail module installed:</p>
<pre><code>$ sudo apt-get -y install php-mail</code></pre>
<p>Then, proceed to set some necessary variables in the BASE configuration file. The following values should work (substitute pc# with your actual PC name):</p>
<pre><code>$ sudo editor /etc/acidbase/base_conf.php</code></pre>
<pre><code>$action_email_smtp_host = &#39;localhost&#39;;
$action_email_smtp_localhost = &#39;localhost&#39;;
$action_email_smtp_auth = 0;
$action_email_smtp_user = &#39;username&#39;;
$action_email_smtp_pw = &#39;password&#39;;
$action_email_from = &#39;snort@pc#.ws.nsrc.org&#39;;
$action_email_subject = &#39;BASE Incident Report&#39;;
$action_email_msg = &#39;&#39;;
$action_email_mode = 0;</code></pre>
<p>Now, let's test sending e-mails.</p>
<ul>
<li>In the dashboard, click on &quot;Today's Alerts: unique&quot;</li>
<li>Select one or more alerts. (If you don't have any alerts today, ask the members of a different group to scan your computer's ports with nmap, for example.)</li>
<li>In the drop-down menu at the bottom, select &quot;Email alerts (full)&quot;</li>
<li>In the ACTION box, type &quot;sysadm@pc#.ws.nsrc.org&quot;</li>
<li>Click on the &quot;Selected&quot; button</li>
</ul>
<p>Check your mail. Either use a mail client like mutt, or simply type:</p>
<pre><code>$ sudo cat /var/mail/sysadm</code></pre>
<h1 id="more-information">More information</h1>
<p>The BASE project homepage includes links to mailing lists, online forums, etc.:</p>
<p>http://base.secureideas.net/</p>