SnortSnarf (Prentice Hall, Intrusion Detection Systems with Snort)

Chapter 6 • Using ACID and SnortSnarf with Snort

Figure 6-17 Getting more information about an IP address.

6.5 Barnyard

Barnyard is a new tool which is intended to parse binary log files generated by Snort when you use the unified logging module. Barnyard is still in experimental form at the time of writing this book. You can download the latest version from the Snort web site and read the included file about installation and use of the tool. Basically you have to carry out the following three steps to compile and install it.

1. Run the configure script with a prefix command line parameter to define the directory where you intend to install it. A typical command line may be “configure --prefix=/opt/barnyard”.

2. Run the make command.

3. Run the make install command to install it.

You also need to edit the barnyard.conf file before using the tool. I am omitting a detailed discussion because the process may change significantly by the time you read this book.

WARNING: At the time of writing this book, Barnyard is still in the development process and the installation may differ significantly in the final release of the package.

6.6 References

1. ACID is available from http://www.cert.org/kb/acid

2. Apache web site at http://www.apache.org

3. PHP web site at http://www.php.net

4. GD library at http://www.boutell.com/gd

5. PHPLOT package at http://www.phplot.com

6. ADODB package at http://php.weblogs.com/adodb

7. SnortSnarf at http://www.silicondefense.com/software/snortsnarf/index.htm

8. ADODB FAQ at http://php.weblogs.com/adodb_faq

Chapter 7 Miscellaneous Tools

At this point you have built your completely working Snort system with database backend and web-based user interface. This chapter introduces a few useful tools that you can use with this system to make management simple and to enhance the capabilities of your system. You will also learn how to make your system secure. These components are briefly introduced below.

IDS Manager is a Microsoft Windows-based GUI tool to manage Snort rules and the Snort configuration file snort.conf. Using this tool, you can carry out different tasks like:

• Downloading the current configuration file snort.conf and rules from an operational Snort sensor.

• Modifying the configuration file and rules.

• Uploading the modified configuration to the sensor.

Using IDS Manager, you can manage multiple Snort sensors. The only catch is that it uses an SSH server, which must be running on the Snort sensor.

SnortSam is another tool that can integrate Snort with firewalls. Using this package with Snort, you can modify firewall configuration. The usefulness of this technique is still debatable as it may open up the firewall for denial of service (DoS) attacks.

Another topic discussed in this chapter is the security of the web server where ACID is installed. Up to now you have not done anything to secure the web server. Anybody can access the ACID console and delete the data collected by Snort. Here you will learn a few methods of securing the web server itself.

7.1 SnortSam

SnortSam is a tool used to make Snort work with most commonly used firewalls. It is used to create a combined Firewall/IDS solution. You can configure your firewall automatically to block offending data and addresses from entering your system when intruder activity is detected. It is available from http://www.snortsam.net where you can find the latest information. The tool consists of two parts:

1. A Snort output plug-in that is installed on the Snort sensor.

2. An agent that is installed on a machine close to the firewall, or on the firewall itself. Snort communicates with the agent using the output plug-in in a secure way.

At the time of writing this book, the tool supports the following firewalls:

• IP filter-based firewalls

• Checkpoint Firewall-1

• Cisco PIX

• Netscreen

The output plug-in, which is compiled with Snort, provides new keywords that can be used to control firewall behavior. For compiling Snort, refer to Chapter 2. In a typical scheme where you are using Checkpoint Firewall, you can run the SnortSam agent on the firewall itself. Figure 7-1 shows a typical scheme where a Snort sensor is controlling two Checkpoint firewalls. These firewalls may be running on Linux, Windows or other UNIX platforms supported by Checkpoint.

In a typical situation where you don’t have a Checkpoint firewall, you will run the agent on another system, located close to the firewall. Depending on the type of your firewall, you will add plug-ins to the SnortSam agent to control a particular type of firewall. For example, to control a Cisco router access list, you will use the relevant plug-in available from the SnortSam web site. The scheme is shown in Figure 7-2 where the sensor sends messages to the agent system where the SnortSam agent is running. The agent system will then update the configuration of the firewall or routers depending on the policy.

Figure 7-1 Running SnortSam on Checkpoint Firewall.

Figure 7-2 Running SnortSam with a separate agent to control multiple firewalls.

Documentation, examples, and information about how to install SnortSam are available on its web site. You can find information about the changes you need to make for a particular type of firewall in the snort.conf file. You should think twice about modifying firewall policy; it may lead to Denial of Service (DoS) attacks. For example, if someone sends you a message resulting in the blocking of root name server addresses, your DNS server will fail.
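The DoS risk just described is the reason a blocking agent needs sanity checks before it touches the firewall. The following Python script is an added example, not SnortSam's own code, showing the decision logic such an agent should apply: a never-block list of protected networks (SnortSam's configuration file has its own mechanism for exempting addresses; the `BlockGuard` class, the `NEVER_BLOCK` list, the sample alert stream and the rate cap here are all constructed for illustration), rejection of special-purpose addresses, and a limit on how many blocks may be issued inside a time window so that a burst of spoofed alerts cannot flood the firewall with rules.

```python
"""Pre-block sanity checks for an IDS-driven firewall agent.

Added example (not SnortSam code). Before an alert's address is turned into
a firewall rule, refuse anything whose loss would itself be an outage, and
cap the rate at which blocks are issued.
"""
import ipaddress
from collections import deque

# Constructed never-block list. 198.41.0.0/24 holds a.root-servers.net
# (198.41.0.4); the other entries are sample internal/resolver ranges.
NEVER_BLOCK = [
    "198.41.0.0/24",  # root name server network
    "10.0.0.0/8",     # internal address space (constructed)
    "192.0.2.53/32",  # site DNS resolver (constructed, TEST-NET-1)
]


class BlockGuard:
    """Decide whether an alert's address may be handed to the firewall."""

    def __init__(self, never_block, max_blocks, window_seconds):
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.max_blocks = max_blocks      # blocks allowed per window
        self.window = window_seconds
        self._issued = deque()            # timestamps of blocks issued

    def decide(self, addr, now):
        """Return (allowed, reason) for blocking `addr` at time `now`."""
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False, "invalid address"
        # Loopback, multicast, link-local and unspecified addresses are never
        # meaningful as firewall block targets.
        if ip.is_loopback or ip.is_multicast or ip.is_link_local or ip.is_unspecified:
            return False, "special-purpose address"
        for net in self.never_block:
            if ip in net:
                return False, f"protected by {net}"
        # Drop timestamps that have fallen out of the window, then apply the cap.
        while self._issued and now - self._issued[0] > self.window:
            self._issued.popleft()
        if len(self._issued) >= self.max_blocks:
            return False, "rate limit"
        self._issued.append(now)
        return True, "block"


def run_alerts(guard, alerts):
    """Apply the guard to (timestamp, address) pairs in order."""
    return [guard.decide(addr, ts) for ts, addr in alerts]


# Constructed alert stream: (seconds since start, source address).
SAMPLE_ALERTS = [
    (0.0, "203.0.113.7"),    # ordinary offending address (TEST-NET-3)
    (1.0, "198.41.0.4"),     # a.root-servers.net: blocking it breaks DNS
    (2.0, "10.1.2.3"),       # internal host
    (3.0, "203.0.113.8"),
    (4.0, "203.0.113.9"),
    (5.0, "203.0.113.10"),   # fourth block inside 60 s: exceeds the cap of 3
    (70.0, "203.0.113.11"),  # window has expired, blocking resumes
    (71.0, "not-an-ip"),
]

if __name__ == "__main__":
    guard = BlockGuard(NEVER_BLOCK, max_blocks=3, window_seconds=60)
    for (ts, addr), (ok, why) in zip(SAMPLE_ALERTS, run_alerts(guard, SAMPLE_ALERTS)):
        print(f"t={ts:5.1f} {addr:15} -> {'BLOCK' if ok else 'SKIP'} ({why})")
```

Run as a script, the guard blocks the first offending address, skips the root server and the internal host, refuses the fourth block inside the 60-second window, and resumes once the window has expired. The never-block list should contain every address your own infrastructure depends on (resolvers, gateways, the sensor's own management path), and the cap should be sized so that one noisy rule cannot exhaust it in normal operation.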

7.2 IDS Policy Manager

IDS Policy Manager is a Microsoft Windows-based GUI. It is used to manage the Snort configuration file and Snort rules on a sensor. It is available from its web site http://activeworx.com/idspm. At the time of writing this book, beta version 1.3 is available from this web site and it supports Snort versions up to 1.9.0. You can download the software and install it using normal Windows installation procedures. When you start the software, a window like the one shown in Figure 7-3 is displayed. As you can see, this window is initially empty. It has three tabs at the bottom, as explained below:

• The “Sensor Manager” tab shows the sensors that you are managing with this tool. Initially there is no sensor listed in the window because you have to add sensors after installing IDS Manager. This is the default tab when you start the Policy Manager.

• The “Policy Manager” tab shows configured policies. A policy includes snort.conf file parameters (variables, input and output plug-ins, include files) as well as a list of rules that belong to that policy.

• The “Logging” tab shows log messages.

You can click on any of these tabs to switch to a particular window. To add a new sensor, you can click on the “Sensor” menu and choose the “Add Sensor” option. A pop-up window like the one shown in Figure 7-4 appears where you fill out information about the sensor.