IDS Policy Manager (Prentice Hall – Intrusion Detection Systems with Snort)


7.3 Securing the ACID Web Console

As you have seen in Chapter 6, ACID is a very useful tool for viewing and managing data generated by the Snort sensors. However, there is one issue that is not yet resolved: the security of ACID itself. If the web server running ACID is not secured, anybody who can reach the ACID web pages can modify, archive, and delete data in the database through ACID. As you have seen, the database user name and password are hard coded in the ACID configuration file acid_conf.php, so a person viewing the ACID pages never needs to know those credentials to delete information from the database; ACID does it on their behalf. There are multiple methods that you can adopt to achieve security, described in the following sections.

7.3.1 Using a Private Network

There are different ways to make ACID secure. One way is to use a private network for all Snort sensors and the centralized database server where ACID and Apache are installed, so that their IP addresses are not reachable from the Internet. This scheme is still vulnerable to internal users who have access to the private network.

[Figure 7-7: The Policy Editor window with snort.conf settings.]

7.3.2 Blocking Access to the Web Server on the Firewall

Another method is to block access to your web server at the firewall so that nobody on the Internet can reach it. Again, this scheme is still vulnerable to internal users, since the firewall only filters traffic crossing the perimeter.

7.3.3 Using iptables

Another way is to use iptables on the web server itself to allow only your own workstation to access it. Of the three methods this is the most restrictive, because the filter is enforced on the host and protects the web server and ACID from both internal and external users. You can use a simple command to block all incoming connections except those from your own workstation, which in this example has the IP address 192.168.1.100:

    iptables -A INPUT ! -s 192.168.1.100 -j DROP

The command is case sensitive. Note the ! before -s: it negates the source match, so the rule drops packets from every host except 192.168.1.100, which is your own workstation where you use the web browser. Without the ! the rule does the opposite, dropping only your own workstation's traffic while leaving everybody else's alone. This is not a comprehensive tutorial on how to use the iptables command. You can either use the "man iptables" command to get more information about iptables-based firewalls or read Rusty's packet filtering guide at http://www.netfilter.org/unreliable-guides/packet-filtering-HOWTO/index.html.

Once you use the above command, nobody from any other host will be able to access ANY service on the machine where you used it, not just the web server, and existing connections from other hosts (including an SSH session you may be typing the command in) will be dropped. You are warned! Keep in mind as well that a source-address filter is not authentication: anyone who controls, or can spoof, 192.168.1.100 still gets full access to ACID, and the console pages themselves still travel over plain HTTP.
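The single DROP rule above is a blunt instrument: it cuts off every service and every existing connection. The following script, added here as a worked example (it is not the book's own code), builds the ruleset a practitioner would actually want: only the administrator's workstation reaches the web port, other services and established sessions keep working, and rule order is checked before anything is applied. It assumes the web server listens on TCP port 80, the workstation is 192.168.1.100 (both taken from the text), and that you run it as root on the Apache/ACID host; the DRY_RUN switch and the two function names are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the book: restrict the ACID web console to one
# workstation with iptables without locking yourself out of other services.
# Assumptions (this example's own): the web server listens on TCP 80, the
# administrator's workstation is 192.168.1.100, and the script runs as root
# on the host running Apache/ACID. Set DRY_RUN=1 to print the commands
# instead of executing them.

# run: execute iptables, or echo the command line when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# acid_firewall ADMIN_IP [PORT]
# Appends rules in the order iptables evaluates them:
#  1. keep loopback and already-established connections working, so an SSH
#     session from which you run this is not cut off the way the bare
#     "! -s ... -j DROP" rule in the text would cut it off;
#  2. accept the admin workstation on the web port;
#  3. drop everyone else on the web port only, leaving other services alone.
# (-m state is the classic match; on current kernels -m conntrack --ctstate
# is the equivalent.)
acid_firewall() {
    admin="$1"
    port="${2:-80}"
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -p tcp --dport "$port" -s "$admin" -j ACCEPT
    run -A INPUT -p tcp --dport "$port" -j DROP
}

# acid_firewall_check ADMIN_IP [PORT]
# Dry-run sanity check: returns 0 only if the generated ruleset accepts the
# admin host *before* the catch-all DROP. Rule order is what makes the
# scheme work; an ACCEPT appended after the DROP is never reached.
acid_firewall_check() {
    admin="$1"
    port="${2:-80}"
    rules=$(DRY_RUN=1 acid_firewall "$admin" "$port")
    accept_line=$(printf '%s\n' "$rules" | grep -n -- "-s $admin -j ACCEPT" | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- "--dport $port -j DROP" | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$drop_line" ] && [ "$accept_line" -lt "$drop_line" ]
}

# Usage: DRY_RUN=1 sh acid_firewall.sh 192.168.1.100 80   (preview)
#        sh acid_firewall.sh 192.168.1.100 80             (apply, as root)
if [ $# -gt 0 ]; then
    acid_firewall_check "$@" && acid_firewall "$@"
fi
```

Preview with DRY_RUN=1 first; the lines it prints are exactly what the apply run executes. Because the DROP is scoped to --dport 80, SSH and other services are untouched, and the ESTABLISHED,RELATED rule keeps your current session alive.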

7.4 Easy IDS

Easy IDS is an integrated system available from http://www.argusnetsec.com for the Linux operating system. It has all of the necessary components to build a complete IDS quickly. These components are precompiled and configured for easy installation. The package includes:

• Snort
• Apache web server
• MySQL server
• ACID
• PHPLOT
• ADODB

The installation script installs all of these components and creates startup and shutdown script links. This is a good choice for people who want to get something running quickly. At the time of writing this book, you have to ask the company for an evaluation CD to test it. It may be available for free download from the company web site in the future.

7.5 References

1. SnortSam at http://www.snortsam.net

2. Activeworx web site at http://activeworx.com/idspm

3. Rusty's Unreliable Guides at http://www.netfilter.org/unreliable-guides

4. Easy IDS at http://www.argusnetsec.com

Appendix A: Introduction to tcpdump

tcpdump is a packet capture tool. It can grab packets flowing on the network, match them against some criteria and then dump them on the screen or into a file. It is available on most UNIX platforms. On Linux machines, you need to be the root user to run tcpdump. If you save the captured data in a file, you can view the file later using tcpdump. Since Snort can also store data in tcpdump format, tcpdump is a convenient tool for viewing Snort files that have been created in that format.

The typical output of the command when run at the command prompt without any arguments is as follows (the interface direction markers and angle brackets of the original listing were lost in extraction; the sequence numbers, payload lengths and options are as printed by tcpdump):

    [root@conformix]# tcpdump
    Kernel filter, protocol ALL, TURBO mode (575 frames), datagram packet socket
    tcpdump: listening on all devices
    13:05:52.216049 eth0 rr-laptop.6001 > dti414.1245: P 1578894642:1578894674(32) ack 3347166818 win 63520 <nop,nop,timestamp 453029 53292014> (DF)
    13:05:52.216049 eth0 dti414.1245 > rr-laptop.6001: . 1:1449(1448) ack 32 win 63712 <nop,nop,timestamp 53292021 453029> (DF)
    13:05:52.216049 eth0 dti414.1245 > rr-laptop.6001: P 1449:2045(596) ack 32 win 63712 <nop,nop,timestamp 53292021 453029> (DF)
    13:05:52.216049 eth0 rr-laptop.6001 > dti414.1245: . 32:32(0) ack 2045 win 64240 <nop,nop,timestamp 453029 53292021> (DF)
    13:05:52.226049 eth0 dti414.1245 > rr-laptop.6001: . 2045:3493(1448) ack 32 win 63712 <nop,nop,timestamp 53292022 453029> (DF)
    13:05:52.226049 eth0 dti414.1245 > rr-laptop.6001: P 3493:4089(596) ack 32 win 63712 <nop,nop,timestamp 53292022 453029> (DF)
    13:05:52.226049 eth0 rr-laptop.6001 > dti414.1245: . 32:32(0) ack 4089 win 64240 <nop,nop,timestamp 453029 53292022> (DF)

Each line shows the timestamp, the interface, source host.port, destination host.port, the TCP flags (P for PSH, . for none), the sequence range and payload length in bytes, the acknowledgment number, the advertised window and the TCP options. You can use a number of command line switches with the command; a list of switches is available in the manual page. The important switch to use with Snort is -r filename, where filename is the file containing Snort data. Simple Snort log files (the decoded ASCII logs) can't be used with this option. Only files that are created in tcpdump format, such as Snort's binary packet logs, can be read by the command.

Appendix B: Getting Started with MySQL

MySQL is probably the most popular open source database. It is available for Linux, and you can download and install it on your Linux machine. The package is available in source code form as well as binary files. The easiest way to install it is to download the RPM file and install it on your Linux machine. I have used RedHat Linux 7.1 on my machine and installed the MySQL package that came with it.

MySQL has two basic parts: the server, and the utilities used to administer the server and connect to it. If you install the RPM package, the startup script is copied into the /etc/init.d directory, which you use to start the database at boot time. Client utilities are available to manage the database.

MySQL is an easy database to use. This appendix contains some very basic commands that you can use to get started with the database. This is not a MySQL manual or tutorial by any means. Comprehensive information about MySQL can be obtained from the http://www.mysql.com/doc web site.
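Returning to the tcpdump listing in Appendix A: reading such output by eye is fine for seven lines, but a capture read back with tcpdump -r from a Snort log runs to thousands. The script below is an added worked example (not the book's own code) showing how to post-process that one-line-per-packet format with awk: it totals payload bytes and segment counts per direction and flags any line whose START:END range disagrees with the (LEN) field. The input format assumed is the classic Linux libpcap line from the appendix, "TIME IFACE SRC > DST: FLAGS START:END(LEN) ack ACK win WIN ..."; the sample capture embedded in the script is constructed from the appendix's own lines, and the function name is this example's own.

```shell
#!/bin/sh
# Added example, not from the book: summarise tcpdump's one-line TCP output
# with awk, the kind of post-processing you do on `tcpdump -r snort.log`.
# Assumed input format (classic Linux libpcap line, as in Appendix A):
#   TIME IFACE SRC > DST: FLAGS START:END(LEN) ack ACK win WIN <opts> (DF)
# Lines without a START:END(LEN) field (pure ACKs, ARP, UDP) are skipped.

# Constructed sample, copied from the appendix's listing (7 TCP segments).
SAMPLE_CAPTURE='13:05:52.216049 eth0 rr-laptop.6001 > dti414.1245: P 1578894642:1578894674(32) ack 3347166818 win 63520 <nop,nop,timestamp 453029 53292014> (DF)
13:05:52.216049 eth0 dti414.1245 > rr-laptop.6001: . 1:1449(1448) ack 32 win 63712 <nop,nop,timestamp 53292021 453029> (DF)
13:05:52.216049 eth0 dti414.1245 > rr-laptop.6001: P 1449:2045(596) ack 32 win 63712 <nop,nop,timestamp 53292021 453029> (DF)
13:05:52.216049 eth0 rr-laptop.6001 > dti414.1245: . 32:32(0) ack 2045 win 64240 <nop,nop,timestamp 453029 53292021> (DF)
13:05:52.226049 eth0 dti414.1245 > rr-laptop.6001: . 2045:3493(1448) ack 32 win 63712 <nop,nop,timestamp 53292022 453029> (DF)
13:05:52.226049 eth0 dti414.1245 > rr-laptop.6001: P 3493:4089(596) ack 32 win 63712 <nop,nop,timestamp 53292022 453029> (DF)
13:05:52.226049 eth0 rr-laptop.6001 > dti414.1245: . 32:32(0) ack 4089 win 64240 <nop,nop,timestamp 453029 53292022> (DF)'

# tcp_flow_bytes: read tcpdump lines on stdin and print one line per
# direction, "SRC>DST BYTES SEGMENTS", in first-seen order. A line whose
# END-START does not equal LEN is reported on stderr as INCONSISTENT and
# left out of the totals, so a damaged listing cannot silently skew them.
tcp_flow_bytes() {
    awk '
    # Field 4 is the "src > dst" arrow; field 7 must look like START:END(LEN).
    $4 == ">" && $7 ~ /^[0-9]+:[0-9]+\([0-9]+\)$/ {
        split($7, p, "[:()]")             # p[1]=START p[2]=END p[3]=LEN
        len = p[3] + 0
        if (p[2] - p[1] != len) {
            printf("INCONSISTENT %s\n", $0) > "/dev/stderr"
            next
        }
        dst = $5; sub(/:$/, "", dst)      # strip the trailing colon
        key = $3 ">" dst
        bytes[key] += len
        segs[key]  += 1
        if (!(key in order)) order[key] = ++n
    }
    END {
        for (k in bytes)
            printf("%d %s %d %d\n", order[k], k, bytes[k], segs[k])
    }' | sort -n | cut -d" " -f2-
}

# Stand-alone run over the constructed sample; for real data pipe in
# `tcpdump -r snort.log` output instead.
printf '%s\n' "$SAMPLE_CAPTURE" | tcp_flow_bytes
```

On the sample this prints 32 bytes in 3 segments from rr-laptop.6001 to dti414.1245 and 4088 bytes in 4 segments the other way, which is exactly what the last line's "ack 4089" (one past 4088 bytes starting at sequence 1) tells you. Because the sequence arithmetic is checked on every line, the same function doubles as a quick integrity test for a listing you suspect has been truncated or hand-edited.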