Rule MANagement for Snort
This code is alpha
Having said that it is working and used in anger - YMMV but if you have real problems and have checked the pre-requisites / known issues please let me know and I'll try to help.
Currently the DB code has only been tested on a Redhat Linux 7.2 box; however, the rule extractor which runs on the sensors is Perl and has been tested on a variety of Linux boxen and should be portable to FreeBSD - if anyone tries this please update me.
The complete installation comprises the following steps:
1. Database Server
2. Populating the Database
3. Sensor Configuration
4. Web Front End
5. Automatic Update
Before installing on the database server you will need to have created your Snort database - see the Snort docs on how to do this. Once that is done, use the mysql.dbschema file to create the additional tables required. The user you log in as must have the appropriate create rights on the database - i.e. probably a db admin. *NOTE* that this account is only needed for table creation and not for normal use.
The following will connect to the local MySQL server and insert the tables into a database called "snort":
[mvevers@rman]$ mysql -p snort < mysql.dbschema
Enter password: xxxxxxxx
That should have created seven tables in your database prefixed with rman_. Now you need to create a user called rman_www which should have Select, Insert, Update and Delete rights over the rman_ tables created. The most secure way is to add a user with no privileges at all and then grant Select, Insert, Update and Delete rights over the five tables we just created.
Download the latest set of rules from the Snort website (or use CVS) to a folder on the database server. You then need to edit the loadrules.pl script and fill in the database configuration (just after the copyright notice): the database name, user and password. Save the file, then execute the script, giving the directory where you downloaded the rules as the command line argument:
[mvevers@rman]$ ./loadrules.pl /usr/local/cvs/snort/rules
Ruleset: attack-responses
Rule 1292: new, ATTACK RESPONSES http dir listing
Rule 498: new, ATTACK RESPONSES id check returned root
Rule 494: new, ATTACK RESPONSES command completed
Rule 495: new, ATTACK RESPONSES command error
Rule 497: new, ATTACK RESPONSES file copied ok
Ruleset: backdoor
Rule 103: new, BACKDOOR subseven 22
Rule 104: new, BACKDOOR - Dagger_1.4.0_client_connect
Rule 105: new, BACKDOOR - Dagger_1.4.0
........ etc
The script scans through all files in the rules directory and loads the rules contained in them into a group named after the filename - i.e. the rules in backdoor.rules get added into the group called 'backdoor'. If you want to update the ruleset in the database at any time just download a new ruleset and re-run the command. The script will detect new or modified rules and merge them into the database. If you have your own sets of rules just call the script for the directory where you store them.
*NOTE* All user rules must have a sid: option > 1000000, a version (rev:) option and a msg: option for the merge to work correctly. Rules the script cannot understand will be discarded.
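The grouping and merge behaviour described above, as an added example that is not rman's own loadrules.pl: rules are parsed per file, grouped by the file stem, checked for sid:/rev:/msg:, and reported as new, modified, unchanged or discarded against a dict that stands in for the rman_ tables. The sample rules, the USER_SID_MIN constant and the assumption that the "> 1000000" check applies per user rule directory are mine, not the project's.

```python
"""Added example (not rman's own loadrules.pl): parse Snort rule files into groups named
after the file stem and merge them into a dict standing in for the rman_ tables."""
import re
from pathlib import PurePath
# header up to '(' (action proto src sport dir dst dport) and the option body
HEADER_RE = re.compile(r'^(?:alert|log|pass|activate|dynamic)\s+\S+\s+\S+\s+\S+\s+'
                       r'(?:->|<>)\s+\S+\s+\S+\s*\((.*)\)\s*$')
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;"]*)\s*;')  # key:value; quoted may hold ';'
USER_SID_MIN = 1000001  # assumption: the "sid > 1000000" rule is enforced only for user rule dirs

def parse_rule(line):
    """Return (sid, rev, msg, rule_text), or None for a rule the merge cannot understand."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    opts = {k: v.strip().strip('"') for k, v in OPTION_RE.findall(m.group(1))}
    try:
        return int(opts['sid']), int(opts['rev']), opts['msg'], m.group(0)
    except (KeyError, ValueError):
        return None  # missing sid:/rev:/msg: or a non-numeric sid/rev

def load_rules(files, db, user_rules=False):
    """files: {filename: text}; db: {sid: (rev, rule_text)}, mutated like the real merge.
    Returns [(group, sid, status, msg)] in file order; discarded rules carry a text snippet."""
    report = []
    for name, text in files.items():
        group = PurePath(name).stem  # backdoor.rules -> 'backdoor'
        for raw in text.splitlines():
            if not raw.strip() or raw.lstrip().startswith('#'):
                continue
            parsed = parse_rule(raw)
            if parsed is None or (user_rules and parsed[0] < USER_SID_MIN):
                report.append((group, parsed[0] if parsed else None, 'discarded', raw.strip()[:40]))
                continue
            sid, rev, msg, rule = parsed
            status = ('new' if sid not in db else
                      'unchanged' if db[sid] == (rev, rule) else 'modified')
            db[sid] = (rev, rule)
            report.append((group, sid, status, msg))
    return report

SAMPLE = {  # constructed input; sid 1292 matches the "http dir listing" line in the page's output
    "attack-responses.rules":
        'alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES http dir '
        'listing"; content:"Volume Serial Number"; flags:A+; sid:1292; rev:1;)\n# comments are skipped\n',
    "local.rules":
        'alert tcp any any -> any 8080 (msg:"LOCAL proxy probe"; sid:1000001; rev:2;)\n'
        'alert tcp any any -> any 8081 (msg:"LOCAL no rev"; sid:1000002;)\n',
}
```

Running load_rules(SAMPLE, db) twice shows the first pass reporting 'new' and the second 'unchanged'; bumping rev: in a file turns the rule 'modified', and the rule without rev: is discarded on every pass.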
There is a bit of a 'catch 22' situation in installing sensors - until the sensor has spoken to the database, the database doesn't know about it, and until the database knows about the sensor you can't extract a ruleset for the sensor. So first of all the sensor will need to be started with a temporary ruleset; however, before you do that you need to configure the sensor to talk to the database. In snort.conf:
# or you can specify the variable to be any IP address
# like this:
include db.vars

# database: log to a variety of databases
# ---------------------------------------
include db.config

#=========================================
# Include all relevant rulesets here
#
include db.rules
# all the other include .rules commented out

Then create an empty db.rules so that Snort can start with this temporary (empty) ruleset:
[mvevers@rman]$ touch db.rules
The sensor is now known to Snort, but still not to Rule MANager. In order to do this you'll need to set up the web front end ....
IMPORTANT NOTICE - This web site is NOT SECURE YET!
I know this is a bit of a cop-out, but I haven't had time to sort out site security. I am working through my code to try and make sure all user input is either escaped or passed through an appropriate function to clean it up, but that is not the case yet. Once this is done I will think about a user authentication and privileges scheme, but for now put it behind a decent firewall, set the allowed IP addresses in Apache, put a .htaccess file in, and only access it from a trusted network - this ought to keep most people out. For the really paranoid, set up a Snort rule that pages you if unauthorized access is attempted ;-). This is not a public facing website anyway!
The installation instructions assume you are setting up the web site on the same server as the database. If this is not the case, all you should have to do is change the localhost entry in the mysql_connect line in rman_common.inc.
Assuming all is well you should see the front page which looks something like this:
[screenshot of the front page]
If you select sensor maintenance, and then click the 'Add Sensor' button, you should see your new sensors listed. Select the sensors you want to activate and click the activate button. The page should now redisplay minus the sensor you just activated. Select the 'Return to Sensor Maintenance' link at the top and you should now see your sensor listed there. Select your sensor and start assigning groups etc.
Once you have assigned some rulegroups to your sensors you are in a position to set up automatic update on the sensor to retrieve the rules on demand. This works by recording a timestamp against each sensor. Every time you make a change which affects a sensor's rule base, the timestamp in the database gets updated. When the sensor next connects it checks its timestamp against the database and, if it is different, pulls a new rule set and restarts Snort.
Copy the extractrules.pl file to the Snort rules directory on the sensor, and edit the variables in the section starting:
# database: log to a variety of databases
#---------------------------------------------------------------------------
# Additional script configs you might want to edit
You'll need to set the snort args to what you want to use, the directory where the pid file may be found, etc. The script assumes you will be running Snort in daemon mode and will automatically add the interface option from the db.config file. Run this script as root from the command line and it should pull the rules into db.rules and start Snort. If this works, schedule the script to run in cron - we use every minute since the database timestamp check is very low load, and it has the added advantage that if Snort segv's and cores it will restart automatically. (We see this sometimes - one day I'll get time to gdb the core and send a bug update to the Snort team.) A log file of extractrules.pl activity is kept in /var/log/snortrules.
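The timestamp check and restart behaviour described in the last two sections, as an added example that is not rman's extractrules.pl: each run compares the locally remembered timestamp with the database's, rewrites db.rules and restarts Snort on a mismatch, and also restarts Snort if the pid in the pid file is dead. The dict database, the .rman_stamp file, the timestamps and the injected restart callable are my assumptions, not the project's.

```python
"""Added example (not rman's own extractrules.pl): the decision a sensor makes on each cron
run. The 'database' is a dict; the timestamps and rule text are constructed."""
import os
import tempfile
from pathlib import Path

def snort_alive(pid_file):
    """True if the pid recorded in pid_file belongs to a running process."""
    try:
        os.kill(int(Path(pid_file).read_text().strip()), 0)  # signal 0 only probes
        return True
    except (FileNotFoundError, ValueError, ProcessLookupError):
        return False
    except PermissionError:  # process exists but belongs to another user
        return True

def check_sensor(sensor, db, rules_dir, pid_file, restart):
    """db: {sensor: (timestamp, [rule lines])} standing in for the rman_ tables; restart is
    a callable that (re)starts Snort, injected so the example executes nothing itself."""
    rules_dir = Path(rules_dir)
    stamp_file = rules_dir / ".rman_stamp"
    db_stamp, rules = db[sensor]
    local_stamp = stamp_file.read_text() if stamp_file.exists() else None
    if local_stamp != db_stamp:  # something changed this sensor's rule base
        tmp = rules_dir / "db.rules.tmp"
        tmp.write_text("".join(line + "\n" for line in rules))
        tmp.replace(rules_dir / "db.rules")  # atomic rename: Snort never reads a half file
        stamp_file.write_text(db_stamp)
        restart()
        return 'pulled'
    if not snort_alive(pid_file):  # Snort cored since the last run: bring it back
        restart()
        return 'restarted'
    return 'idle'

def demo():
    """One sensor through first pull, dead Snort, healthy Snort and a database change."""
    d = tempfile.mkdtemp()
    pid_file = os.path.join(d, "snort.pid")
    db = {"sensor1": ("2002-03-01 12:00:00",
                      ['alert tcp any any -> any 80 (msg:"LOCAL test"; sid:1000001; rev:1;)'])}
    noop = lambda: None
    actions = [check_sensor("sensor1", db, d, pid_file, noop)]  # no stamp yet: first pull
    actions.append(check_sensor("sensor1", db, d, pid_file, noop))  # no pid file: dead
    Path(pid_file).write_text(str(os.getpid()))  # pretend this process is Snort
    actions.append(check_sensor("sensor1", db, d, pid_file, noop))  # nothing to do
    db["sensor1"] = ("2002-03-02 09:00:00", db["sensor1"][1])  # rule base changed
    actions.append(check_sensor("sensor1", db, d, pid_file, noop))
    return actions  # ['pulled', 'restarted', 'idle', 'pulled']
```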
That should be it - happy Snorting!