How to detect intruders with ACID
Installing the favorite intrusion detector takes free software & a little patience

(LinuxWorld) -- I wanted to try ACID ever since someone rooted my server last year. Mind you, not the hallucinogen LSD, though at the time I might have been tempted. The ACID I'm talking about is the Analysis Console for Intrusion Databases. It allows you to display and examine alerts from Snort in near real time. Snort, of course, is the wonderful open source Intrusion Detection System (IDS) by Marty Roesch. You can read all about my introduction to Snort by following the link given in Resources below. Another link in Resources points to a primer on installing Snort. It's a favorite of security people around the globe. I understand that some IT staff prefer it to commercial offerings, and not just because of its price.

It all begins with Snort...

My ACID trip began with the Snort install. Please note that nearly every package required to get ACID up and running depends on how you installed the packages before it. Do your Apache install incorrectly, and PHP won't work. If you want to use Snort with MySQL and various bits associated with MySQL aren't found, Snort's configure script will throw up its hands in defeat.

My first download was Snort itself. I found version 1.8.4 on a mirror listed on the Snort.org Web site. The download includes Martin Roesch's fine Snort manual in PDF, dated March 13, 2002. There are also a number of handy README.* files. If you plan to install ACID, the database README is vital. Snort supports MySQL, PostgreSQL, Oracle, and unixODBC.

...then MySQL...

I chose MySQL because to my mind this is exactly the kind of application it does best. Others will go with PostgreSQL, Oracle, or whatever and have their own reasons for doing so. I began by installing MySQL 3.23.49a-1 from the Red Hat 7.2 RPM.

Turning back to Snort, I ran the configure script with the indicated database enabled (--with-mysql). It complained about not finding mysql.h and failed. Well, no wonder it couldn't find it. It wasn't on my system. I installed the MySQL development RPM from the Red Hat CD and tried again, adding a complete path to the header file. Configure didn't like that either. I peeked at the source for the configure script and found that it was appending include/mysql/mysql.h to the directory I was specifying. I chopped the path down to simply --with-mysql=/usr and it worked just fine.

After running the supplied scripts to create the Snort database and then assigning a user and password with rights to the database, I started to hack the snort.conf file. I uncommented the output database: log (etc) line and filled in the appropriate database name, user, and password. Then I entered an identical line for output database: alert (etc). To start Snort running (and logging and alerting to the MySQL database) I simply entered snort -D -c /etc/snort/snort.conf.

...then Apache, PHP, ADOdb...

Of course, I was after more than just running Snort. The goal of my exercise was to provide alert data in a flash, and in an attractive GUI format at that. I needed ACID, and ACID needs Apache and ADOdb. Apache needs to speak both PHP and MySQL, and PHP needs to speak MySQL as well. PHP also needs the GD graphics library. It can all get confusing.

Next came Apache. I grabbed the 1.3.24 tarball from a mirror of the Apache.org site because my pre-installed Apache binary wasn't adequate for the task. My successful Apache build came after a number of flawed attempts. It was based on the following configure statement:

./configure --enable-module=most --enable-shared=max

Then came PHP. It took me considerably longer to get PHP built correctly. Some of the wasted time came about because of mistakes I made with initial builds of Apache. Until I got Apache right, it didn't really matter whether I got the PHP configure correct. Here is the configure statement that finally moved me along:

./configure --with-mysql=/usr --with-apxs=/usr/local/apache/bin/apxs --with-gd

Now I was nearly there. First, I needed to add ADOdb in order to standardize PHP's database interfaces. That was as easy as downloading and uncompressing the ADOdb PHP pages, then moving them into /usr/local/apache/htdocs. Next came the GD graphics library and phplot. After downloading GD from its Web site, I followed the instructions in readme.txt and ran make install. This put libgd.so in /usr/local/lib. I made sure that directory was included in /etc/ld.so.conf, then ran /sbin/ldconfig.

phplot was pre-tweaked to use PNG images, so I had nothing to change in it. I simply moved the PHP files into the same spot I was putting everything else: /usr/local/apache/htdocs.

...then finally, ACID

Finally, it was time for ACID. I downloaded it and copied the contents of the directory created when I uncompressed the tarball into the same Apache htdocs directory. I edited the acid_conf.php file to give it the particulars on the Snort database, including the user name and password to use, and to tell it where ADOdb and phplot were located.

The first time I used ACID (pointing my Galeon browser at http://localhost:8080), it needed to add a couple of columns to the Snort database. I simply followed the cues on the Update page and it did all the work. All I needed to do was let Snort gather data.

To help that process along, I asked LUG members to scan my IP address. That request yielded more than 10,000 alerts in 2 hours. It also revealed a huge security hole on my system. ACID itself was available to anyone sending HTTP requests to port 8080 at my IP address, and one of the volunteer scanners told me he had used ACID to search for his own IP in the alert database.

The point is to remember to secure access to Apache if you are following along on your own system. I have since changed my httpd.conf from "Allow from any" to "Allow from 127.0.0.1". Be sure to read the PHP documentation carefully for security tips as well, because it has its own security issues.
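As an added example (not the article's own configuration), here is what the httpd.conf restriction described above can look like in Apache 1.3, the version the author built. It assumes ACID was unpacked into /usr/local/apache/htdocs/acid (the author placed the files directly in htdocs, in which case the same block applies to the DocumentRoot) and that a password file has been created with htpasswd; the paths and AuthName are assumptions.

```apache
# Added example, not from the article: lock the ACID console down to the
# local host and to authenticated users. All paths below are assumptions.

# Bind only to the loopback interface so the console is not reachable from
# other hosts at all, regardless of the access rules further down.
Listen 127.0.0.1:8080

<Directory "/usr/local/apache/htdocs/acid">
    Options None
    AllowOverride None

    # Apache 1.3 host-based access control: deny everyone, then
    # re-allow the local host only (the browser runs on the same box).
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1

    # Additionally require a login. Create the file once with:
    #   htpasswd -c /usr/local/apache/conf/acid.htpasswd analyst
    AuthType Basic
    AuthName "ACID console"
    AuthUserFile /usr/local/apache/conf/acid.htpasswd
    Require valid-user

    # Satisfy All: both the address check and the login must pass.
    Satisfy All
</Directory>

# ADOdb and phplot are include()d by ACID's PHP code on the server side;
# nothing needs to fetch them over the web, so deny direct access.
<Directory "/usr/local/apache/htdocs/adodb">
    Order deny,allow
    Deny from all
</Directory>
<Directory "/usr/local/apache/htdocs/phplot">
    Order deny,allow
    Deny from all
</Directory>
```

After editing, run apachectl configtest and restart Apache, then confirm from a second machine that port 8080 no longer answers.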

The ACID home page (shown below) provides running totals of the various types of alerts (TCP, UDP, and ICMP) and port scanning activity. By default, these totals are refreshed every 3 minutes. You can hack acid_conf.php to turn the refreshing on or off, or to change the interval between refreshes. ACID also allows you to choose from several tools with which to analyze the database.

Options include about half a dozen "canned" reports showing the most recent alerts, the most common alerts, alerts for the past day, and so on. For working security analysts, ACID's real value probably comes not from any one of the packaged "snapshots" but from its search capabilities.

The Search page allows you to specify almost any type of search criteria for a database query: from IP address to packet payload to category of alert to time of day. If you can name it, most likely you can find a place to specify it.

The image below shows a graph of alerts by hour in a day. The graphing functionality is still noted as being experimental, but it allows you to define all the parameters for about a dozen graph types.

ACID Custom Graph

ACID, written by Roman Danyliw, is part of a larger project called AirCERT. AirCERT seeks to create a global Internet repository of security alerts or anomalies from selected local sites. Among other things, this will allow for quicker identification of the signatures of new attacks and threats.

About Joe Barr
Joe Barr is a freelance journalist covering Linux, open source and network security. His 'Version Control' column has been a regular feature of Linux.SYS-CON.com since its inception. As far as we know, he is the only living journalist whose works have appeared both in phrack, the legendary underground zine, and IBM Personal Systems Magazine.
