Rule MANagement for Snort 

Documentation

HEALTH WARNING: This code is alpha

Having said that, it is working and used in anger. YMMV, but if you have real problems and have checked the prerequisites / known issues, please let me know and I'll try to help.

Prerequisites

Currently the DB code has only been tested on a Red Hat Linux 7.2 box. The rule extractor, which runs on the sensors, is Perl, has been tested on a variety of Linux boxen and should be portable to FreeBSD - if anyone tries this please update me.

Installation

The complete installation comprises the following steps:

Database Server
Populating the Database
Sensor Configuration
Web Front End
Automatic Update

Database Server

Before installing on the database server you will need to have created your Snort database - see the Snort docs on how to do this. Once that is done, use the mysql.dbschema file to create the additional tables required. The user you log in as must have the appropriate create rights on the database - i.e. probably a db admin. *NOTE* that this account is only needed for table creation and not for normal use.

The following will connect to the local MySQL server and insert the tables into a database called "snort":

[mvevers@rman]$ mysql -p snort < mysql.dbschema
Enter password: xxxxxxxx

That should have created seven tables in your database prefixed with rman_. Now you need to create a user called rman_www which should have Select, Insert, Update and Delete rights over the rman_ tables just created. The most secure way is to add a user with no privileges at all and then add Select, Insert, Update and Delete rights over the five tables we just created.
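As an added example (not part of rman), the shell helper below prints the MySQL statements that do exactly that: it creates rman_www with no privileges at all (GRANT USAGE) and then grants only Select, Insert, Update and Delete on each rman_ table you name. It assumes the database is called snort, the web user connects from localhost, and MySQL 3.23/4.x-era syntax where GRANT ... IDENTIFIED BY creates the account. The table names are passed in rather than hard-coded, because the README does not list them; in practice they come from SHOW TABLES as shown in the usage comment.

```sh
#!/bin/sh
# Added example, not part of rman: emit least-privilege GRANT statements for
# the rman_www web user.  Assumes database "snort", the web user connecting
# from localhost, and MySQL 3.23/4.x syntax where GRANT ... IDENTIFIED BY
# creates the account.  Nothing here touches the server; pipe the output
# into mysql yourself (see the usage comment at the bottom).

RMAN_DB="${RMAN_DB:-snort}"
RMAN_USER="${RMAN_USER:-rman_www}"
RMAN_HOST="${RMAN_HOST:-localhost}"

# rman_grant_sql PASSWORD TABLE...
# Prints: one GRANT USAGE (an account with no privileges at all), then one
# GRANT SELECT, INSERT, UPDATE, DELETE per table, then FLUSH PRIVILEGES.
# Refuses any table whose name does not start with rman_, so a slip of the
# hand cannot hand the web user the Snort event tables as well.
rman_grant_sql() {
    pw="$1"; shift
    [ $# -gt 0 ] || { echo "rman_grant_sql: no tables given" >&2; return 1; }
    for t in "$@"; do
        case "$t" in
            rman_*) ;;
            *) echo "rman_grant_sql: refusing non-rman table '$t'" >&2; return 1 ;;
        esac
    done
    printf "GRANT USAGE ON *.* TO '%s'@'%s' IDENTIFIED BY '%s';\n" \
        "$RMAN_USER" "$RMAN_HOST" "$pw"
    for t in "$@"; do
        printf "GRANT SELECT, INSERT, UPDATE, DELETE ON \`%s\`.\`%s\` TO '%s'@'%s';\n" \
            "$RMAN_DB" "$t" "$RMAN_USER" "$RMAN_HOST"
    done
    echo "FLUSH PRIVILEGES;"
}

# Usage (as a MySQL admin, on the database server), feeding it the real
# rman_ table list straight from the schema you just loaded:
#   tables=$(mysql -N -e "SHOW TABLES LIKE 'rman\\_%'" "$RMAN_DB")
#   rman_grant_sql 'choose-a-password' $tables | mysql -p "$RMAN_DB"
```

Review the printed statements before piping them in; the whole point of the two-step GRANT is that rman_www ends up with no rights on the Snort event tables, only on the rman_ ones.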

Populating the database

Download the latest set of rules from the Snort website (or use CVS) to a folder on the database server. Then edit the loadrules.pl script and fill in the database configuration (just after the copyright notice) - the database name, user and password - and save the file. Then execute the script, giving the directory where you downloaded the rules as the command line argument:

[mvevers@rman]$ ./loadrules.pl /usr/local/cvs/snort/rules
Ruleset: attack-responses
Rule 1292: new, ATTACK RESPONSES http dir listing
Rule 498: new, ATTACK RESPONSES id check returned root
Rule 494: new, ATTACK RESPONSES command completed
Rule 495: new, ATTACK RESPONSES command error
Rule 497: new, ATTACK RESPONSES file copied ok
Ruleset: backdoor
Rule 103: new, BACKDOOR subseven 22
Rule 104: new, BACKDOOR - Dagger_1.4.0_client_connect
Rule 105: new, BACKDOOR - Dagger_1.4.0
........ etc

The script scans through all files in the rules directory and loads the rules contained in them into a group named after the filename - i.e. the rules in backdoor.rules get added into the group called 'backdoor'. If you want to update the ruleset in the database at any time just download a new ruleset and re-run the command. The script will detect new or modified rules and merge them into the database. If you have your own sets of rules just call the script for the directory where you store them.

*NOTE* All user rules must have a sid option > 1000000, a version and a msg: option for the merge to work correctly. Rules the script cannot parse will be discarded.

Sensor configuration

There is a bit of a 'catch 22' situation in installing sensors: until the sensor has spoken to the database, the database doesn't know about it, and until the database knows about the sensor you can't extract a ruleset for it. So, first off, the sensor will need to be started with a temporary ruleset; before you do that, however, you need to configure the sensor to talk to the database:

  1. Perform a standard snort install on your snort sensor - but do not connect the sensor to the database
  2. Copy rman/configs/db.config and db.timestamp to the snort rules directory
  3. Edit the sensor and database information in the db.config file
  4. Make sure you edit both the double commented lines and the snort config line
  5. Edit snort.conf to suit your needs
  6. Comment out all the variable definitions within snort.conf (i.e. var HOME_NET etc)
  7. Add the include db.vars line shown below to snort.conf, just below where you commented out HOME_NET:

    # or you can specify the variable to be any IP address
    # like this:
    include db.vars

  8. Add the following line to the database logging section:

    # database: log to a variety of databases
    # ---------------------------------------
    include db.config

  9. *COMMENT OUT* all the rule includes in the snort.conf file
  10. Add an include for the db.rules file to snort.conf:

    #=========================================
    # Include all relevant rulesets here
    #
    include db.rules
    # all the other include.rules commented out

  11. Create an empty file called db.rules:

    [mvevers@rman]$ touch db.rules

  12. Now create an empty file called db.vars the same way.
  13. Start your snort sensor and check it starts with no rules and connects to the database OK
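Steps 2 and 11-12 are plain file handling, and steps 6-10 are easy to get half right (one var line or one include *.rules left uncommented). As an added example (not part of rman), the script below does the file handling and then checks snort.conf for those edits before you start Snort. The paths $RMAN_SRC and $RULES_DIR are hypothetical defaults, it assumes db.timestamp sits next to db.config in rman/configs, and the snort.conf it writes with rman_sample_conf is constructed sample data for trying the checker, not a real Snort configuration.

```sh
#!/bin/sh
# Added example, not part of rman: script the file-handling steps of the
# sensor setup (steps 2, 11 and 12) and verify the snort.conf edits
# (steps 6 to 10) before Snort is started.  $RMAN_SRC and $RULES_DIR are
# hypothetical defaults; db.timestamp is assumed to live in rman/configs
# next to db.config.

RMAN_SRC="${RMAN_SRC:-/usr/local/src/rman}"
RULES_DIR="${RULES_DIR:-/etc/snort/rules}"

# rman_sensor_prepare RMAN_SRC RULES_DIR
# Copies db.config and db.timestamp into the rules directory and creates the
# empty db.rules and db.vars that snort.conf will include.  Existing files
# are left alone, so a re-run never clobbers a db.config you already edited.
rman_sensor_prepare() {
    src="$1"; dst="$2"
    for f in db.config db.timestamp; do
        [ -e "$dst/$f" ] || cp "$src/configs/$f" "$dst/$f" || return 1
    done
    for f in db.rules db.vars; do
        [ -e "$dst/$f" ] || : > "$dst/$f"
    done
}

# rman_check_snortconf SNORT_CONF
# Returns 0 when the config matches steps 6 to 10, 1 otherwise, printing one
# FAIL line per problem.  Commented lines (leading #) are ignored throughout.
rman_check_snortconf() {
    conf="$1"; rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }
    # Step 6: every 'var' definition must be commented out (db.vars supplies them)
    if grep -Eq '^[[:space:]]*var[[:space:]]' "$conf"; then
        echo "FAIL: uncommented var line(s) - comment them out (step 6)"; rc=1
    fi
    # Step 9: no rule file other than db.rules may still be included
    if grep -E '^[[:space:]]*include[[:space:]]+' "$conf" | grep -E '\.rules' | grep -vq 'db\.rules'; then
        echo "FAIL: rule include(s) other than db.rules still active (step 9)"; rc=1
    fi
    # Steps 7, 8, 10: the three db.* includes must be present and uncommented
    for f in db.vars db.config db.rules; do
        if ! grep -Eq "^[[:space:]]*include[[:space:]]+$f([[:space:]]|\$)" "$conf"; then
            echo "FAIL: missing 'include $f' (steps 7/8/10)"; rc=1
        fi
    done
    return $rc
}

# rman_sample_conf PATH
# Writes a constructed snort.conf fragment that follows the steps above.
# Sample data for exercising the checker, not a real Snort configuration.
rman_sample_conf() {
    cat > "$1" <<'EOF'
# var HOME_NET any
# var EXTERNAL_NET any
# or you can specify the variable to be any IP address
# like this:
include db.vars
# database: log to a variety of databases
# ---------------------------------------
include db.config
#=========================================
# Include all relevant rulesets here
#
include db.rules
# include attack-responses.rules
# include backdoor.rules
EOF
}

# Usage on the sensor, after editing db.config and snort.conf by hand:
#   rman_sensor_prepare "$RMAN_SRC" "$RULES_DIR" && rman_check_snortconf /etc/snort/snort.conf
```

The checker deliberately matches the plain include db.vars / db.config / db.rules lines the steps above ask for; if you include them via $RULE_PATH instead, adjust the pattern.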

The sensor is now known to Snort, but still not to Rule MANager. In order to do this you'll need to set up the web front end...

Web Front End

IMPORTANT NOTICE - This web site is NOT SECURE YET!
I know this is a bit of a cop out, but I haven't had time to sort out site security. I am working through my code to try and make sure all user input is either escaped or passed through an appropriate function to clean it up, but that is not the case yet. Once this is done I will think about a user authentication and privileges scheme, but for now put it behind a decent firewall, set the allowed IP addresses in Apache, and put a .htaccess file in and only access it from a trusted network - this ought to keep most people out. For the really paranoid set up a Snort rule that pages you if unauthorized access is attempted ;-). This is not a public facing website anyway!

The installation instructions assume you are setting up the web site on the same server as the database. If this is not the case, all you should have to do is change the localhost entry in the mysql_connect line in rman_common.inc.

  1. Place all the .php, .inc, .html and .css files in a suitable directory
  2. Configure apache for the website - make sure apache has PHP with MySQL support enabled
  3. Edit the rman_common.inc file and fill in the $dbuser, $dbpass fields just after the copyright notice
  4. Fire up the website...

Assuming all is well you should see the front page which looks something like this:

  Rule MANagement for Snort 

Active Rules: 1254
Inactive Rules: 0


Sensor Maintenance
Rule Group Maintenance

If you select sensor maintenance, and then click the 'Add Sensor' button, you should see your new sensors listed. Select the sensors you want to activate and click the activate button. The page should now redisplay minus the sensor you just activated. Select the 'Return to Sensor Maintenance' link at the top and you should now see your sensor listed there. Select your sensor and start assigning groups etc.

Automatic Update

Once you have assigned some rule groups to your sensors you are in a position to set up automatic update on the sensor to retrieve the rules on demand. This works by recording a timestamp against each sensor. Every time you make a change which affects a sensor's rule base, the timestamp in the database gets updated. When the sensor next connects it checks its timestamp against the database and, if it is different, pulls a new rule set and restarts Snort.

Copy the extractrules.pl file to the Snort rules directory on the sensor, and edit the variables in the section starting:

# database: log to a variety of databases
#---------------------------------------------------------------------------
# Additional script configs you might want to edit

You'll need to set the snort args to what you want to use, the directory where the pid file may be found, etc. The script assumes you will be running Snort in daemon mode and will automatically add the interface option from the db.config file. Run this script as root from the command line and it should pull the rules into db.rules and start Snort. If this works, schedule the script to run in cron - we use every minute, since the database timestamp check is very low load and it has the added advantage that if Snort segv's and cores it will restart automatically. (We see this sometimes - one day I'll get time to gdb the core and send a bug update to the Snort team.) A log file of extractrules.pl activity is kept in /var/log/snortrules.
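To make the timestamp handshake concrete, here is the same decision logic written as plain shell. This is an added example, not extractrules.pl or any other rman code: it assumes the sensor's last-seen timestamp is kept in db.timestamp in the rules directory, that fetching the database-side timestamp and the rule set are done by commands you supply (the names RMAN_FETCH_TS and RMAN_FETCH_RULES in the usage comment are hypothetical), and the snort binary, arguments and log path below are assumptions with the README's /var/log/snortrules as the default log. It adds the two checks a cron job that rewrites the live rule file should have: the timestamp is recorded only after the new db.rules is in place, so a failed pull is retried next minute rather than marked done, and an empty fetch (typically a failed database query) is refused rather than silently leaving the sensor with no rules.

```sh
#!/bin/sh
# Added example, not extractrules.pl: the timestamp handshake behind the
# automatic update, as plain shell so the decision logic can be read and
# tested on its own.  Fetching the timestamp and rule set from the database
# is left to commands you supply (hypothetical RMAN_FETCH_TS / RMAN_FETCH_RULES
# in the usage comment); the binary, args and log path are assumptions.

SNORT_BIN="${SNORT_BIN:-/usr/sbin/snort}"          # assumption
SNORT_ARGS="${SNORT_ARGS:-"-c /etc/snort/snort.conf"}"  # assumption; rman adds -i from db.config
RMAN_LOG="${RMAN_LOG:-/var/log/snortrules}"        # the log file the README names

rman_log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$RMAN_LOG"; }

# rman_needs_update RULES_DIR DB_TS
# True (0) when DB_TS differs from the timestamp last recorded in db.timestamp,
# or when nothing has been recorded yet (first run on a fresh sensor).
rman_needs_update() {
    stored=""
    [ -r "$1/db.timestamp" ] && stored=$(cat "$1/db.timestamp")
    [ "$2" != "$stored" ]
}

# rman_install_rules RULES_DIR DB_TS NEW_RULES_FILE
# Replace db.rules atomically and only then record the timestamp, so a failed
# install is retried on the next run instead of being marked as done.  An
# empty fetch is refused: installing zero rules leaves the sensor blind while
# looking healthy.  (Relax this if you deliberately assign a sensor no groups.)
rman_install_rules() {
    dir="$1"; ts="$2"; new="$3"
    if [ ! -s "$new" ]; then
        echo "refusing empty rule set, keeping current db.rules" >&2
        return 1
    fi
    mv -f "$new" "$dir/db.rules" || return 1
    printf '%s\n' "$ts" > "$dir/db.timestamp"
}

# rman_snort_running PIDFILE : 0 if the process named in the pid file is alive
rman_snort_running() {
    [ -r "$1" ] || return 1
    pid=$(cat "$1")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# rman_restart_snort PIDFILE : stop the running daemon (if any), start a fresh one
rman_restart_snort() {
    if rman_snort_running "$1"; then
        kill "$(cat "$1")" 2>/dev/null
        sleep 2
    fi
    $SNORT_BIN $SNORT_ARGS -D    # -D: daemon mode, as the README assumes
}

# rman_update_cycle RULES_DIR PIDFILE DB_TS NEW_RULES_FILE
# One cron run.  Prints the action taken: "updated" (new rules installed and
# Snort restarted), "restarted" (rules unchanged but Snort was not running, the
# crash-recovery case the README mentions) or "none".  Returns 1 on failure.
rman_update_cycle() {
    dir="$1"; pidfile="$2"; db_ts="$3"; new="$4"
    if rman_needs_update "$dir" "$db_ts"; then
        rman_install_rules "$dir" "$db_ts" "$new" || { rman_log "rule install failed, timestamp not advanced"; return 1; }
        rman_restart_snort "$pidfile"
        rman_log "rules updated to timestamp $db_ts, snort restarted"
        echo updated
    elif ! rman_snort_running "$pidfile"; then
        rman_restart_snort "$pidfile"
        rman_log "snort not running, restarted"
        echo restarted
    else
        echo none
    fi
}

# Usage from cron (every minute, as root), with your own fetch commands:
#   ts=$(RMAN_FETCH_TS)                     # hypothetical: timestamp for this sensor from the DB
#   RMAN_FETCH_RULES > /etc/snort/rules/db.rules.new   # hypothetical: this sensor's rule set
#   rman_update_cycle /etc/snort/rules /var/run/snort.pid "$ts" /etc/snort/rules/db.rules.new
```

Because the timestamp file is written after the rename, a crash between the two is harmless: the next run sees a stale timestamp and simply installs again.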

That should be it - happy Snorting!