Securing the ACID Web Console 217
7.3 Securing the ACID Web Console
As you have seen in Chapter 6, ACID is a very useful tool for viewing and managing data generated by the Snort sensors. However, there is one issue that is not yet resolved: the security of ACID itself. If the web server running ACID is not secured, anybody can go to the ACID web pages and modify, archive, and delete data in the database using ACID. As you have seen, the database user name and password are hard coded in the ACID configuration file acid_conf.php, so the person viewing the ACID web pages does not need to know them to delete information from the database. There are multiple methods that you can adopt to achieve security.
7.3.1 Using a Private Network
There are different ways to make ACID secure. One way is to use a private network for all Snort sensors and the centralized database server where ACID and Apache are installed so that their IP addresses are not visible from the Internet. This scheme is still vulnerable to the internal users who have access to this private network.
Figure 7-7 The Policy Editor window with snort.conf settings.
218 Chapter 7 • Miscellaneous Tools
7.3.2 Blocking Access to the Web Server on the Firewall
Another method is to block access to your web server on the firewall so that nobody from the Internet can access the web server. Again, this scheme is still vulnerable to internal users.
7.3.3 Using iptables
Another way is to use iptables to allow only your own computer to access port 80 on the web server. This is the most secure method because it protects your web server and ACID from both internal and external users. You can use a simple command to block all incoming connections except those from your own workstation, which has the IP address 192.168.1.100.
iptables -A INPUT ! -s 192.168.1.100 -j DROP
The command is case sensitive. The “!” negates the source match, so this command drops all connections except ones from host 192.168.1.100, which is your own workstation where you use the web browser. This is not a comprehensive tutorial on how to use the iptables command. You can either use the “man iptables” command to get more information about iptables-based firewalls or read Rusty’s guide for iptables at http://www.netfilter.org/unreliable-guides/packet-filtering-HOWTO/index.html.
Once you use the above command, nobody from any other host will be able to access ANY service on the machine where you used this command. All existing connections will be dropped. You are warned!
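The single rule above protects ACID but also cuts every other service off from every other host, including sessions that are already open. The following script is an added example (not from the book) that narrows the same idea to just the web port: only the administrative workstation may reach TCP/80, loopback stays usable, and nothing else on the machine is affected. It prints the rules by default and only installs them when run as root with APPLY=1; the address 192.168.1.100 is taken from the chapter, the chain name ACID-WEB is an assumption.

```shell
#!/bin/sh
# Added example (not from the book): restrict the ACID web console (TCP/80)
# to a single administrative workstation without touching other services.
# ADMIN_IP defaults to the workstation address used in the chapter.
ADMIN_IP="${ADMIN_IP:-192.168.1.100}"
WEB_PORT="${WEB_PORT:-80}"

# Emit the iptables commands instead of running them, so they can be
# reviewed (or piped into a shell) before they go live.
acid_rules() {
    admin="$1"; port="$2"
    # A dedicated chain (assumed name) can be flushed without touching INPUT.
    echo "iptables -N ACID-WEB"
    echo "iptables -F ACID-WEB"
    # Local processes on the server itself may still reach the console.
    echo "iptables -A ACID-WEB -i lo -j ACCEPT"
    # The administrative workstation is the only remote host allowed in.
    echo "iptables -A ACID-WEB -s $admin -p tcp --dport $port -j ACCEPT"
    # Everyone else is dropped, but only for the web port; other services
    # on the machine are never evaluated by this chain. Because no
    # ESTABLISHED rule is present, already-open sessions from other hosts
    # to the console are cut off as well, which is the intent here.
    echo "iptables -A ACID-WEB -p tcp --dport $port -j DROP"
    # Hook the chain into INPUT last, so it is complete before it is live.
    echo "iptables -I INPUT 1 -p tcp --dport $port -j ACID-WEB"
}

# Refuse obviously malformed addresses before generating any rule.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

main() {
    if ! valid_ipv4 "$ADMIN_IP"; then
        echo "invalid ADMIN_IP: $ADMIN_IP" >&2
        return 1
    fi
    if [ "${APPLY:-0}" = "1" ]; then
        # Run each generated command; stop on the first failure.
        acid_rules "$ADMIN_IP" "$WEB_PORT" | sh -e
    else
        acid_rules "$ADMIN_IP" "$WEB_PORT"
    fi
}

# Dry run by default: ADMIN_IP=10.0.0.5 ./acid-fw.sh prints the rules,
# APPLY=1 ./acid-fw.sh (as root) installs them.
main
```

Keep the rule that drops the web port last in the chain; inserting it before the ACCEPT for the workstation would lock the administrator out just like the one-line command in the text does for every service.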
7.4 Easy IDS
Easy IDS is an integrated system available from http://www.argusnetsec.com for the Linux operating system. It has all of the necessary components to build a complete IDS quickly. These components are precompiled and configured for easy installation. The package includes:
• Snort
• Apache Web server
• MySQL server
• ACID
• PHPLOT
• ADODB
The installation script installs all of these components and creates startup and shutdown script links. This is a good choice for people who want to get something running quickly. At the time of writing this book, you have to ask for an evaluation CD from the company to test it. It may be available for free download from the company web site in the future.
7.5 References
1. SnortSam at http://www.snortsam.net
2. Activeworx web site at http://activeworx.com/idspm
3. Rusty’s Unreliable Guides at http://www.netfilter.org/unreliable-guides
4. Easy IDS at http://www.argusnetsec.com
APPENDIX A
Introduction to tcpdump
tcpdump is a packet capture tool. It can grab packets flowing on the network, match them to some criteria and then dump them on the screen or into a file. It is available on most of the UNIX platforms. On Linux machines, you need to be the root user to run tcpdump. If you save the captured data in a file, you can view the file later using tcpdump. Since Snort can also store data in the tcpdump format in files, it becomes an interesting tool for many people to view Snort files that have been created in the tcpdump format.
The typical output of the command when used on the command prompt without any argument is as follows:
[root@conformix]# tcpdump
Kernel filter, protocol ALL, TURBO mode (575 frames), datagram packet socket
tcpdump: listening on all devices
13:05:52.216049 eth0 > rr-laptop.6001 > dti414.1245: P 1578894642:1578894674(32) ack 3347166818 win 63520 <nop,nop,timestamp 453029 53292014> (DF)
13:05:52.216049 eth0 < dti414.1245 > rr-laptop.6001: . 1:1449(1448) ack 32 win 63712 <nop,nop,timestamp 53292021 453029> (DF)
13:05:52.216049 eth0 < dti414.1245 > rr-laptop.6001: P 1449:2045(596) ack 32 win 63712 <nop,nop,timestamp 53292021 453029> (DF)
13:05:52.216049 eth0 > rr-laptop.6001 > dti414.1245: . 32:32(0) ack 2045 win 64240 <nop,nop,timestamp 453029 53292021> (DF)
13:05:52.226049 eth0 < dti414.1245 > rr-laptop.6001: . 2045:3493(1448) ack 32 win 63712 <nop,nop,timestamp 53292022 453029> (DF)
13:05:52.226049 eth0 < dti414.1245 > rr-laptop.6001: P 3493:4089(596) ack 32 win 63712 <nop,nop,timestamp 53292022 453029> (DF)
13:05:52.226049 eth0 > rr-laptop.6001 > dti414.1245: . 32:32(0) ack 4089 win 64240 <nop,nop,timestamp 453029 53292022> (DF)
You can use a number of command line switches with the command. A list of switches is available on the manual pages. The important switch to use with Snort is -r filename, where filename is the file containing Snort data. Simple Snort log files can’t be used with this option. Only the files that are created in the tcpdump format can be read by the command.
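A plain-text Snort log handed to “tcpdump -r” fails with an unhelpful error, so it is worth checking the file format first. The script below is an added example (not from the book) that reads the four-byte libpcap magic number at the start of a file and only calls tcpdump when the file really is in tcpdump format. The sample files it builds (an empty pcap header and a one-line text alert) are constructed here for the demonstration; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the book): decide whether a file can be read with
# "tcpdump -r" by checking the libpcap magic number, so a text Snort log is
# rejected up front instead of producing a confusing tcpdump error.

# Print the first four bytes of a file as lowercase hex, e.g. "d4c3b2a1".
file_magic() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# Returns 0 when the file starts with a pcap magic number in either byte
# order (including the nanosecond-resolution variant), 1 otherwise.
is_pcap() {
    case "$(file_magic "$1")" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1) return 0 ;;
        *) return 1 ;;
    esac
}

# Read the file with tcpdump only after the format check passes.
# -n keeps tcpdump from doing DNS lookups on addresses found in the capture.
read_snort_capture() {
    if ! is_pcap "$1"; then
        echo "$1: not a tcpdump-format file (Snort's text logs cannot be read with -r)" >&2
        return 1
    fi
    tcpdump -n -r "$1"
}

# Constructed sample inputs for the demonstration: a minimal little-endian
# pcap global header (magic d4c3b2a1, version 2.4, zone 0, sigfigs 0,
# snaplen 65535, link type 1 = Ethernet) with no packets, and a text file
# shaped like a line from Snort's default alert log.
make_samples() {
    dir="$1"
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$dir/empty.pcap"
    printf '[**] [1:1000001:0] constructed sample alert [**]\n' > "$dir/alert.txt"
}

# Usage: ./check-capture.sh /var/log/snort/snort.log.1234567890
if [ $# -eq 1 ]; then
    read_snort_capture "$1"
fi
```

Checking the magic number rather than the file name matters because Snort's tcpdump-format logs carry no .pcap extension; a quick "od -An -tx1 -N4 file" by hand gives the same answer when you are working on a box without this script.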
APPENDIX B
Getting Started with MySQL
MySQL is probably the most popular open source database. It is available for Linux and you can download and install it on your Linux machine. The package is available in source code format as well as binary files. The easiest way to install it is to download the RPM file and install it on your Linux machine. I have used RedHat Linux 7.1 on my machine and installed the MySQL package that came with it.
MySQL has two basic parts, the server and the utilities used to administer the server and connect to it. If you install the RPM package, the startup script will be copied into the /etc/init.d directory, which you use to start the database at boot time. Client utilities are available to manage the database.
MySQL is an easy database to use. This appendix contains some very basic commands that you can use to get started with the database. This is not a MySQL manual or tutorial by any means. Comprehensive information about MySQL can be obtained from the http://www.mysql.com/doc web site.