Table 8.2 lists and describes some additional options that you can use to control how Swatch reads the log files. You can only use one of these switches at a time. For example, running Swatch with this command:

./swatch --examine messages --daemon

has Swatch search the entire messages file every time it runs, rather than just checking for newly added lines. Swatch normally scans the UNIX messages file or, if there is no messages file, it defaults to the syslog file. Using these switches in Table 8.2, you could have Swatch look at any log file you want, such as the security logs or even an application-specific log file like nessus.messages.

Table 8.2 Swatch Log File Options

Option                 Description
--examine file         Makes Swatch do a complete pass through the indicated file. Use this when the file being examined is created anew each time.
--read-pipe program    Instead of reading a file, you can have Swatch read input directly piped from the indicated program.
--tail file            Reads only the newly added lines in file. This is the default operation for Swatch on log files, since new entries are usually appended to the end of an existing file. This is much faster than rereading a whole file every time, especially with log files that can get quite big, such as Web server logs.

The Swatch Configuration File

The Swatch configuration file is where all the important settings are. In this file, called swatchrc by default, you tell the program what to look for in the log files and what to do if that shows up. Two sample swatchrc files are included with the program in the examples directory. The swatchrc.personal file is for use on a personal workstation, and swatchrc.monitor is for server monitoring. Listing 8.2 shows what the monitor version looks like.

Listing 8.2 The swatchrc Monitor Configuration File

#
# Swatch configuration file for constant monitoring
#
# Bad login attempts
watchfor /INVALID|REPEATED|INCOMPLETE/
    echo
    bell 3
    exec "/usr/local/sbin/badloginfinger $0"

# Machine room temperature
watchfor /WizMON/
    echo inverse
    bell

# System crashes and halts
watchfor /(panic|halt)/
    echo
    bell
    exec "call_pager 3667615 0911"

# System reboots
watchfor /SunOS Release/
    echo
    bell
    exec "call_pager 3667615 0411"
As you can see in Listing 8.2, the basic format is a watchfor statement followed by a text statement between two slashes, and then one or more action commands. The text between the slashes is what Swatch looks for when it examines (tails) the log file. If the search text is found, then Swatch takes the actions below the statement. Table 8.3 lists and describes the action statements Swatch supports.
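The following is an added example, not code from the book or from Swatch itself: a small Python emulation of how a watchfor rule, its action list and the throttle action from Table 8.3 behave when a log is examined line by line. The log lines, the rule names and the 60-second throttle window are constructed for the illustration; the two regular expressions are the ones from the first and third watchfor blocks of Listing 8.2.

```python
import re
from collections import defaultdict

# Constructed syslog-style sample lines (not from any real system).
SAMPLE_LOG = """\
Mar  3 10:01:12 host login[123]: REPEATED login failures on tty1
Mar  3 10:01:13 host sshd[456]: Accepted password for bob from 10.0.0.5
Mar  3 10:01:14 host kernel: panic: out of memory
Mar  3 10:01:15 host login[124]: INVALID user fred
Mar  3 10:01:20 host login[125]: INVALID user fred
Mar  3 10:02:30 host login[126]: INVALID user fred
""".splitlines()

# Rules mirror two watchfor blocks of Listing 8.2. The rule names and the
# throttle (given here in seconds; swatch writes hours:minutes:seconds) are
# assumptions made for this example.
RULES = [
    # (name, pattern that sits between the slashes, actions, throttle seconds)
    ("badlogin", re.compile(r"INVALID|REPEATED|INCOMPLETE"), ["echo", "bell 3"], 60),
    ("crash", re.compile(r"(panic|halt)"), ["echo", "bell"], 0),
]


def log_seconds(line):
    """Seconds since midnight taken from the syslog timestamp ('Mon dd HH:MM:SS')."""
    hours, minutes, seconds = line[7:15].split(":")
    return int(hours) * 3600 + int(minutes) * 60 + int(seconds)


def parse_throttle(spec):
    """Convert swatch's hours:minutes:seconds throttle value to seconds."""
    h, m, s = (int(part) for part in spec.split(":"))
    return h * 3600 + m * 60 + s


def monitor(lines, rules=RULES):
    """Scan lines in order, the way swatch examines a file.

    Returns the alerts that would fire as (rule name, actions, line) and, per
    rule, how many further matches the throttle suppressed inside its window.
    """
    last_fired = {}
    suppressed = defaultdict(int)
    alerts = []
    for line in lines:
        now = log_seconds(line)
        for name, pattern, actions, throttle in rules:
            if not pattern.search(line):
                continue
            previous = last_fired.get(name)
            if throttle and previous is not None and now - previous < throttle:
                suppressed[name] += 1  # same rule inside the window: alert not repeated
                continue
            last_fired[name] = now
            alerts.append((name, actions, line))
    return alerts, dict(suppressed)


if __name__ == "__main__":
    fired, dropped = monitor(SAMPLE_LOG)
    for name, actions, line in fired:
        print(f"[{name}] {' / '.join(actions)} -> {line}")
    print("suppressed by throttle:", dropped)
```

Run on the sample, the bad-login rule fires on the first REPEATED line, stays quiet for the two INVALID lines that arrive within the next minute, and fires again for the one that arrives 78 seconds later; the crash rule has no throttle and fires every time. That is the behaviour the throttle action exists for: one alert per window instead of one per matching line.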
Table 8.3 Swatch Action Statements

Action Statements                   Descriptions
echo mode                           Makes the search text be echoed to the screen. The word mode is optional and indicates the color in which it is to be displayed. The default is your normal screen text color, but you can also use the following modes: blink, bold, underline, inverse, green, blue, red, yellow, black, magenta, cyan, white, or any of these choices followed by _h to use the highlighted colored version, for example black_h.
bell number                         Rings the PC internal speaker the number of times indicated by number. The default if no number is given is 1.
exec command                        Executes a command line parameter. You can use this to call any other program or script to do various things, for example, to send an SMB pop message to a particular workstation. This functionality greatly expands the things that Swatch can do. You can even configure this to call a script that would take further action conditionally, based on what was found in the log file.
pipe command                        Passes along a command to another process.
mail addresses=address1:address2:address3,subject=text
                                    Sends an e-mail using the Sendmail program to a single e-mail address or to multiple addresses separated by colons. Text appears as the subject line for your e-mail message. The alert text appears in the body of the e-mail.
write user1:user2                   Causes the alert to be sent via the UNIX write command to a single user or a group of users.
throttle hours:minutes:seconds      Controls the number of times the alert is sent during a period of time for one watchfor statement. This keeps you from getting dozens of messages if a text string appears multiple times in the log file within the set time window.

As you can see, Swatch can notify you of flagged log events in several different ways. The easiest is to just have it beep or echo on the screen. If you are not around the server all the time, then you can have it e-mail you. If your pager or cell phone supports text messaging via e-mail, you could have it send the message directly to you. You can also write a script to have the server dial a pager number using the UNIX tip command.

Using Databases and Web Servers to Manage Your Security Data

Going beyond just checking server logs, you also want to be able to analyze the output of the security programs discussed earlier in this book. The best way to do this is to import the results into a database. The rest of the tools in this chapter are designed to let you import and view security data in a database. To use these tools you’ll need a database program and a Web server running to review the results. Though there are other options supported, the database recommended for these programs is MySQL and the Web server is Apache with PHP. You should set up these programs before attempting to install any of these tools. The basic installation and configuration of each of these prerequisite servers are described briefly here.
Setting Up a MySQL Server
MySQL is an open source SQL-compliant database that is gaining acceptance in the corporate world for its power and flexibility. While this book does not intend to teach you all the ins and outs of running a MySQL database, the following information will help you set up and execute some basic administrative tasks on a MySQL database so you can use the analysis tools.
1. Download the latest version of MySQL from www.mysql.com or use an RPM from your OS and distribution disks. Make sure it is at least version 4.0 or later.
Note: If you already have MySQL database version 4.0 or later installed, skip to Step 4.
2. Unpack the file and issue the usual compilation commands in the directory it creates:
   ./configure
   make
   make install
3. Run the install script located in the /scripts directory by typing:
   mysql_install_db
This initializes your database program and gets it ready for use.
4. Create a MySQL user and group for the database to use to perform tasks. Do this by issuing the following commands:
   groupadd mysql
   useradd -g mysql mysql
5. Set the ownership and file permissions so that MySQL can operate using the following commands:
   chown -R root /usr/local/mysql
   chown -R mysql /usr/local/mysql/var
   chgrp -R mysql /usr/local/mysql
   cp /usr/local/mysql/support-files/my-medium.cnf /etc/my.cnf
6. Edit the file /etc/ld.so.conf and add the following lines:
   /usr/local/mysql/lib/mysql
   /usr/local/lib
7. Save the file.
8. As root, type:
9. As root, set an admin user for the MySQL database by typing:
   /usr/local/mysql/bin/mysqladmin -u root password 123456
where you replace 123456 with your password. Be sure to write down your password and keep it in a safe place.
When you are finished with this, change back to the user you logged in as by typing “exit” at the command line.
10. You will want to set up MySQL to start as a daemon and run all the time rather than having to start it manually. You can do this by placing the following line at the end of the rc.local file found in /etc/rc.d/:
   mysqld --user=mysql &
This will start MySQL as a system process every time you reboot.
11. Finally, you will want to lock down MySQL so that it doesn’t become a security hole on your system. By default, MySQL has pretty weak security. While MySQL security isn’t the subject of this book, here are a few things you can do.
• Delete the standard users, unless you have a program that uses them.
• Make sure that the root user can only connect from a small number of hosts.
• Set up some rules on your firewall to only allow connections on a limited number of ports and from a limited number of machines to your MySQL server.
• Create system accounts for running programs. Don’t use either the system root account or the MySQL root account (two different things) unless you absolutely have to (the NPI tool does require this, unfortunately). This chapter includes examples of application-specific accounts to create in each package description wherever possible.
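As an added example (not from the book or from MySQL), the audit below turns the first, second and last of these bullets into a check you can run against the rows that SELECT User, Host FROM mysql.user returns. The sample rows, the root host allowlist and the account names are constructed; the DELETE and GRANT statements use the MySQL 4.0 syntax this chapter targets, and the password value in the GRANT is a placeholder you replace.

```python
# Constructed sample of what 'SELECT User, Host FROM mysql.user' shows on a
# fresh install plus two application accounts; an empty User is an anonymous
# account that MySQL creates by default.
SAMPLE_USERS = [
    ("root", "localhost"),
    ("root", "%"),
    ("", "localhost"),
    ("", "db.example.internal"),
    ("snort", "localhost"),
    ("acid", "%"),
]


def audit_users(rows, allowed_root_hosts=("localhost",)):
    """Return (kind, user, host, fix_sql) for each row violating the step 11 advice.

    kinds: anonymous      - standard anonymous account, delete it
           root-remote    - MySQL root reachable from a host not on the allowlist
           wildcard-host  - any other account that may connect from anywhere
    """
    findings = []
    for user, host in rows:
        delete = f"DELETE FROM mysql.user WHERE User='{user}' AND Host='{host}';"
        if user == "":
            findings.append(("anonymous", user, host, delete))
        elif user == "root" and host not in allowed_root_hosts:
            findings.append(("root-remote", user, host, delete))
        elif host == "%":
            findings.append(("wildcard-host", user, host, delete))
    return findings


def app_account_sql(user, db, host="localhost"):
    """GRANT-based creation of an application-specific account (MySQL 4.0 syntax),
    limited to the one database the program writes to. The password is a
    placeholder to be replaced before running."""
    return [
        f"GRANT SELECT, INSERT, UPDATE ON {db}.* TO '{user}'@'{host}' "
        "IDENTIFIED BY '<replace-with-a-strong-password>';",
        "FLUSH PRIVILEGES;",
    ]


def lockdown_script(rows):
    """Every statement to paste into the mysql client: the fixes, then FLUSH PRIVILEGES."""
    statements = [finding[3] for finding in audit_users(rows)]
    statements.append("FLUSH PRIVILEGES;")
    return statements


if __name__ == "__main__":
    for kind, user, host, fix in audit_users(SAMPLE_USERS):
        print(f"{kind:14} '{user}'@'{host}'  ->  {fix}")
    print("\n".join(app_account_sql("snort", "snort")))
```

The GRANT form is used rather than CREATE USER because the chapter assumes MySQL 4.0, where GRANT is the way to create an account; the privileges are kept to what a logging sensor needs on its own database, in line with the last bullet's advice to avoid the MySQL root account.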
MySQL is now ready to use. Type mysql at a command prompt and you will be prompted for a user name and password to enter the standard MySQL command line, where you can use standard SQL commands on your MySQL databases. See the sidebar for some basic MySQL commands.

Basic MySQL Commands

To log in to MySQL, type mysql -u username -ppassword, replacing username and password with the ones from the account on the MySQL database (the password follows -p with no space). Note: This is different than your system login. This logs you into MySQL and puts you at the MySQL prompt mysql> where you can type commands. Be sure to put a semi-colon at the end of commands before pressing Enter to execute them.
The following are some basic commands to navigate and search a MySQL database.
show databases;                 Displays all the databases available on that MySQL server.
use database-name;              Makes the database-name specified the active database so you can perform actions on it.
show tables;                    Lists all the tables that exist in a database.
select query from Tablename;    Shows records that match the query in Tablename. There are a number of operands you can use in your query statement. Using an * (asterisk) as your query statement will list all records in that table.

Setting Up the Apache Web Server

The advanced analysis tools in this chapter require a Web server to act as both the configuration interface and the output mechanism. Again, this short section is not intended to be a comprehensive guide on how to run and operate a Web server; it is merely intended to get you up and running with what you need to use the security tools. If you intend to use this server for more than ACID and NCC or to use it in high-volume environments, you should definitely do further reading on Web server administration. Running a Web server does involve some security issues, and you should make sure these servers are locked down, running minimal services, and kept frequently patched. If you want to run IIS or an alternate Web server, it should work as long as it is compliant with PHP 4.0 or later.
1. Download the latest version of Apache from www.apache.org. If you can get it from your OS distribution disks or already have it installed, make sure you have at least version 1.3 or later.
Note: If you already have Apache version 1.3 or later installed, skip to Step 3.
2. Unpack the program and issue the following commands:
   ./configure --prefix=/www --enable-so --activate-module=src/modules/php4/libphp4.a
   make
   make install
These commands set the default directory to /www and enable the proper modules you will need.
3. Run the Web server by typing apachectl start at the command line. This starts the http daemon and sets it up to run as a system process.
You can stop Apache at any time by issuing the same command with a stop parameter.
Other Linux and UNIX variants may have different ways of handling starting and stopping. Consult your documentation or online resources on how to accomplish this.
4. Check your Web server installation by opening a Web browser and putting in the IP address of your server, or specify localhost if you are working directly on that machine. If it brings up a sample Apache Web page, then you have successfully installed your Web server. The root directory of your Web server, where you can put documents you want to be publicly viewable, is /usr/local/apache2/htdocs/ on a Mandrake Linux system; different distributions may vary slightly.
5. Next, set Apache to run automatically when the system is rebooted (you don’t want to have to manually restart the Web server every time you reboot). To do this, go to the directory where all the startup scripts reside; on Mandrake Linux, this is the /etc/rc.d directory. Each rc file represents a different run level. Add the following lines to the rc4.d and rc5.d files:
   /init.d/httpd S85httpd
   /init.d/httpd K85httpd
You can test this by rebooting your system and verifying that the httpd process displays when you list the running processes with the ps -ax command.
6. You should lock down Apache to prevent its abuse. Web servers are some of the most common targets for attackers, so if you are going to allow access to this machine from outside your network you need to make sure it is secure. The following are some basic tips for good Web server security.
• Run a vulnerability scanner against your Web server to make sure that it is all patched up and doesn’t have any obvious security holes right after you have finished this installation and configuration process.
• Protect any non-public Web directories with some access control. The quickest and easiest way to do this is using htaccess files.
• Encrypt communications from clients to the Web server with SSL any time you are dealing with sensitive information (security data definitely counts in this category). If you are accessing your server from outside your local network, that is, across the Internet, consult your Web server documentation or the Internet on how to set this up.
Again, this isn’t a comprehensive coverage of Web server security, but make sure you do these things before making your server public.
Setting Up PHP
PHP is a scripting language designed for use in Web pages. It is an interpreted language, which means it doesn’t have to be compiled to work, so you can just insert your PHP script into a directory that recognizes PHP and it will run when accessed. This makes it easy to write code embedded into Web pages. Most current Web servers recognize PHP, though it may have to be configured on installation to do this.
Because of these features, PHP has become the language of choice for many Web-based applications. You will need it for the three remaining tools in this chapter (ACID, NPI, and NCC). PHP should have been installed as part of the configure directives in the Apache instructions described earlier. To check if PHP is installed on your system and what version it is, type php -v at the command line. If it is there, you should get some output with the version number. However, if you were unable to install it as part of your Apache installation or you want to reload the latest version, use the following procedure.
1. Download the latest version of PHP from www.php.net or use the RPMs on your OS installation disks. If you use the ones provided with your OS, make sure that you have version 4.0 or later.
2. Unpack the distribution.
3. From the installed directory, run the following compile commands:
   ./configure --prefix=/www/php --with-mysql=/usr/local/mysql --with-apxs2=/www/bin/apxs --with-zlib-dir=/usr/local --with-gd
   (all on one line)
   make
   make install
These configure statements enable several modules that are needed for the tools in this chapter.
4. Edit the Web server configuration file, httpd.conf, usually found in /www. Add the following lines, and then save the file.
   LoadModule php4_module modules/libphp4.so
   AddType application/x-httpd-php .php
5. To make sure PHP is running properly, use a text editor to create a small script file called test.php. Enter the following in the file and then save it.
   <?php phpinfo(); ?>
This file is a short PHP script that will display some basic system information when run.
6. Copy the test file into the /www/htdocs directory. Type in the URL or IP address of your machine and then enter /test.php. You should see the PHP version displayed on a Web page. If you do, then your PHP-enabled Web server is ready to go.
ACID (Analysis Console for Intrusion Databases)

ACID
Author/primary contact: Roman Danyliw
Web site: www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html
Platforms: Most UNIX
Version reviewed: 9.6.b23
Mailing list: Acidlab users list. Subscribe by sending an e-mail with the word “subscribe” in the body to acidlab-users@lists.sourceforge.net
The Analysis Console for Intrusion Databases (ACID) is a program designed to make better use of data from intrusion detection devices. It was written by Roman Danyliw and others for the AirCERT program run by Carnegie Mellon University. They are part of the larger CERT (Computer Emergency Response Team) organization. CERT has been instrumental in protecting the Internet and the organizations using it for many years. CERT tracks incidents of computer crime and sends out notices to a mailing list whenever a large incident happens. The CERT mailing list is kind of an early warning system for any large outbreaks or attacks happening on the Internet. As such, it can be very useful to a system administrator. You can visit the CERT site and sign up for their mailing list at www.cert.org.
The AirCERT project is placing IDS sensors at various organizations and studying overall trends in intrusion activity and behavior. They wrote ACID to facilitate this process. Because they open sourced the code for the project, you can use it for your benefit without doing anything as part of AirCERT.
The idea behind ACID is to port all your intrusion detection data into a database where it can be sorted and organized by priority. ACID gives you a Web-based control panel of sorts to view and manipulate these results.
ACID uses just about any SQL database and any Web server, and supports multiple sensors for the input data. It also accepts both raw Snort alerts and syslog-compliant log files. ACID currently only works directly with one IDS, Snort, but you can import logs into the ACID database from any device that will output in a syslog-type format using a utility called Logsnorter, which is available on the ACID Web site.
ACID has quite a few prerequisite programs. Besides a database, a Web server, and PHP, which have been covered earlier in this chapter, you need the following libraries and subprograms.

ADOdb
This package provides the database abstraction layer so PHP can use a standard interface to a multitude of databases, including MySQL. Download it from http://php.weblogs.com/adodb, unpack it into your /www/htdocs or applicable Web root directory, and it should be ready to go. No further installation is needed.

PHPLOT
This package lets you create charts using ACID. If you want to use this capability, download the module from www.phplot.com. Unpack it in the /www/htdocs directory, and just like ADOdb, it should be ready to use.

JpGraph
This program upgrades PHP to do color graphs. You’ll need it, along with PHPLOT above, if you want to be able to graph your Snort data. Download it from www.aditus.nu/jpgraph/ and unzip it into your Web root directory (for example, /www/htdocs). It will create its own subdirectory and be available when needed by ACID.

GD
This package has the image manipulation libraries for PHP, which are also needed for graphing. If you installed PHP according to the instructions given earlier in this chapter, then you should already have this utility. Otherwise, download it from www.boutell.com/gd/ and install it in your /www/php directory. If you didn’t compile PHP with the commands given earlier, you also need to make sure you have the following libraries for GD.
• libpng This provides PNG-format support for GD. You can get it at www.libpng.org/pub/png/ or from your OS distribution disks.
• libjpeg-6b This is a JPEG library for PHP. You can get it at www.ijg.org/ or from your OS distribution disks.
• zlib This provides compression support for GD. You can get it at www.ijg.org/ or from your OS distribution disks.
Configuring Snort for MySQL
1. ACID assumes you have one or more Snort sensors up and running to feed it data. If you haven’t already built your Snort sensors, refer back to Chapter 7. You must have your Snort sensors configured to log to a MySQL database. To do this, follow these steps when installing Snort.
• When first compiling Snort, use the following configure statement:
   ./configure --with-mysql=/usr/local/mysql
Make sure you specify the directory where MySQL is located on your machine.
• Edit the configuration file, snort.conf. Find the commented out line that starts with #output database. Edit it as follows:
   output database: log,mysql,user=snort password=123456 dbname=snort host=localhost
Change the user snort and password to the correct database name and password you are going to use for ACID. ACID will create a database named “snort,” although you can change this name by editing the ACID configuration file. If you are connecting to a local database, leave the host variable as localhost. If you are connecting to a database on a different machine, insert the IP address or hostname here.
2. Be sure to uncomment the line (delete the #), and then save the file.
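Added example (not Snort’s or ACID’s own code): a Python check that parses the output database: directive from the step above and reports the things that commonly go wrong here, namely the line still being commented out, a missing parameter, the book’s placeholder password left in place, or a dbname that does not match the database ACID expects. The directive string is the one from the step; the expected database name “snort” is an assumption taken from the default ACID creates.

```python
# The line exactly as the step gives it (password 123456 is the book's placeholder).
BOOK_LINE = "output database: log,mysql,user=snort password=123456 dbname=snort host=localhost"

# Parameters the directive needs for a MySQL backend.
REQUIRED = ("user", "password", "dbname", "host")
PLACEHOLDER_PASSWORD = "123456"


def parse_output_database(line):
    """Return (commented, facility, backend, params) for an 'output database:' line.

    The directive has the shape 'output database: <facility>,<backend>,<k=v> <k=v> ...';
    a leading '#' means Snort will ignore it, which step 2 tells you to remove.
    """
    text = line.strip()
    commented = text.startswith("#")
    if commented:
        text = text.lstrip("#").strip()
    prefix = "output database:"
    if not text.startswith(prefix):
        raise ValueError("not an 'output database:' directive")
    parts = [part.strip() for part in text[len(prefix):].split(",", 2)]
    if len(parts) != 3:
        raise ValueError("expected '<facility>,<backend>,<parameters>'")
    facility, backend, rest = parts
    params = {}
    for token in rest.split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"parameter without '=': {token}")
        params[key] = value
    return commented, facility, backend, params


def check_output_database(line, expected_db="snort"):
    """List the problems a reviewer would flag; an empty list means the line is ready."""
    commented, facility, backend, params = parse_output_database(line)
    problems = []
    if commented:
        problems.append("still commented out (step 2)")
    if backend != "mysql":
        problems.append(f"backend is {backend}, the ACID setup in this chapter expects mysql")
    for key in REQUIRED:
        if key not in params:
            problems.append(f"missing {key}=")
    if params.get("password") == PLACEHOLDER_PASSWORD:
        problems.append("password is the book's placeholder 123456")
    if "dbname" in params and params["dbname"] != expected_db:
        problems.append(f"dbname {params['dbname']} does not match ACID database {expected_db}")
    return problems


if __name__ == "__main__":
    for candidate in ("#" + BOOK_LINE, BOOK_LINE):
        print(candidate)
        for problem in check_output_database(candidate) or ["ok"]:
            print("  -", problem)
```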