SnortSam Prentice.Hall – Intrusion.Detection.Systems.with.Snort

IDS Policy Manager 215

• The SCP method uses an SSH server running on the sensor. The user name and password are used to log in to the Snort sensor to upload and download files. The “Upload Directory” shows the location of the snort.conf file on the Snort sensor. Since the locations of the other rule files are given in the snort.conf file, you don’t need to specify the names and locations of the other rule files.

After entering this information, you can click “OK” to add the sensor. After adding the sensor, the first task is to download the policy from the sensor you added in the previous step. For this purpose, you can use the “Download Policy from Sensor” option in the “Sensor” menu. After downloading the policy, you can click the “Policy Manager” tab at the bottom of the screen to edit the policy. When you click here, you will see a screen with a list of the currently available policies. Since you used “Official” as the name of the policy while adding the sensor, this policy must be present in the list. To edit the policy, double click the policy name and a Policy Editor window will appear, as shown in Figure 7-5.

Figure 7-5 The Policy Editor window with list of rules.

On the left hand side of the window shown in Figure 7-5 is a list of the different classes of rules used on the sensor. The right hand side of the window shows a description of the class and the individual rules included in that class. To modify a rule, double click that rule and a window like the one shown in Figure 7-6 will appear where you can modify the different parts of the rule. The pull-down menus on the right side of the window shown in Figure 7-6 make it very easy to modify rules. For example, to modify the protocol used in the rule, click the pull-down menu button and a list of supported protocols will appear. To modify other parts of the snort.conf file, click the “Settings” tab on the top left side of the window. A window like the one shown in Figure 7-7 appears where you can modify input and output plug-ins and the values of different variables. As you can see in the screen shot in Figure 7-7, the database user name and password are displayed. These are the same ones we used in Chapter 5 while configuring the MySQL database. After making changes to the policy, you can close this window. Now you can upload it to the sensor using the options in the “Sensor” menu of the main menu. IDS Policy Manager makes it very easy to modify sensor policies. It does almost all of the tasks that are discussed in Chapter 3 and Chapter 4.

Figure 7-6 Modifying a rule in IDS Policy Manager.

7.3 Securing the ACID Web Console

As you have seen in Chapter 6, ACID is a very useful tool for viewing and managing data generated by the Snort sensors. However, there is one issue that is not yet resolved—security of ACID. If the web server running ACID is not secure, anybody can go to the ACID web pages and modify, archive, and delete data in the database using ACID. As you have seen, the user name and password are hard coded in the ACID configuration file acid_conf.php and the person viewing ACID web pages does not need to know the database user name and password to delete information from the database. There are multiple methods that you can adopt to achieve security.

7.3.1 Using a Private Network

There are different ways to make ACID secure. One way is to use a private network for all Snort sensors and the centralized database server where ACID and Apache are installed so that their IP addresses are not visible from the Internet. This scheme is still vulnerable to the internal users who have access to this private network.

Figure 7-7 The Policy Editor window with snort.conf settings.
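The private-network scheme can be enforced on the console itself with Apache's host-based access control, so that the ACID pages answer only to addresses on that network. The following is an added example and not configuration from the book; the ACID directory path (/var/www/html/acid) and the private range (192.168.1.0/24) are assumptions, and the two blocks are the open setting and its replacement, not meant to be used together.

```apache
# Added example (not from the book). Restricts the ACID web console to the
# private sensor/console network. Path and address range are assumptions.
# Directives use the mod_access / mod_authz_host syntax of Apache 1.3, 2.0
# and 2.2, the versions in use when ACID was current.

# Open setting: ACID is reachable from anywhere the web server is reachable,
# so anyone who can load the pages can archive or delete alerts, because the
# database credentials are already hard coded in acid_conf.php.
<Directory "/var/www/html/acid">
    Order allow,deny
    Allow from all
</Directory>

# Replacement: deny by default, then allow only the console itself and the
# assumed private network 192.168.1.0/24 where the sensors and the database
# server live. Hosts on that network are still trusted, which is the
# limitation of the private-network approach noted above.
<Directory "/var/www/html/acid">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from 192.168.1.0/24
</Directory>
```

To check the setting, request an ACID page from an address outside the allowed range: Apache should answer 403 Forbidden and record the refusal in its error log as "client denied by server configuration".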