Next: 6 Problems Up: The Snort FAQ Previous: 4 Rules and Alerts


5 Getting Fancy


5.1 I hear people talking about "Barnyard". What's that?

Barnyard is an output system for Snort. Snort can write a special binary output format called "unified"; Barnyard reads this file and then resends the data to a database backend. Unlike the database output plugin, Barnyard notices when an alert cannot be sent to the database and stops sending alerts. It also notices when the database accepts connections again and resumes sending the alerts.

5.2 How do I process those Snort logs into reports?

  1. Barnyard (see FAQ 5.1) can be used to process unified output files into a number of formats, including output to a database for further analysis.
  2. SnortSnarf, a tool that produces HTML pages from Snort alerts so you can navigate through them:

    http://www.silicondefense.com/snortsnarf/

  3. If you want to set up logging to a database you could try ACID. Some documentation describing the current ACID functionality includes:

    http://www.cert.org/kb/acid/

  4. You can manipulate the unified output files directly without a separate database and browse/correlate them with Cerebus:

    http://dragos.com/cerebus/

  5. For GUI front ends with simple log browsing, look at:

5.3 How do I log to multiple databases or output plugins?

Feed the unified output files through Barnyard twice to separate databases, or...

You can build redundancy by using multiple output plugins. Here are some examples.

Multiple instantiations of the database plugin:

    output log_database: mysql, dbname=snort host=localhost user=xyz
    output log_database: mysql, dbname=snort host=remote.loghost.com user=xyz

Remote database and local tcpdump:

    output log_database: mysql, dbname=snort host=remote.loghost.com user=xyz
    output log_tcpdump: /var/log/snort.tcpdump

Then you can replay the tcpdump file through Snort to recreate the database.

CAVEAT: Just playing back the logged packets might not trigger some of the state-dependent preprocessors.

5.4 How can I test Snort without having an Ethernet card or a connection to other computers?

You have to route between two addresses on a dummy device:

modprobe -a dummy # (the dummy device has to be provided by your kernel)
ifconfig dummy0 192.168.0.1
ifconfig dummy0:0 192.168.0.2
telnet 192.168.0.3 12345

It's important that the second IP is on the same interface and not, e.g., on dummy1 or dummy2, and that the IP you try to reach is not one of those you put on the interface. Use Snort's ability to listen in promiscuous mode on an IP address range (HOME_NET=192.168.0.0/16).

5.5 How do I start Snort as a Win32 service?

  1. You must use complete paths for everything. This means EVERYTHING: Command line, configuration files, everything.

    Examples: All include statements must be full paths:

    WRONG: include scan-lib

    CORRECT: include C:\snort\scan-lib

    All command line options must be full paths:

    WRONG: snort.exe -l ./log

    CORRECT: snort.exe -l C:\snort\log

  2. YOU MUST ALWAYS HAVE A LOGGING DIRECTORY SET VIA THE COMMAND LINE (-l switch). If you do not set a logging directory the service will not start and, on NT/Win2k, your bootup will hang for about 4 minutes.
  3. Make sure that snort runs correctly from the command line, without yet worrying about any service related issues. Test that all of your desired command line parameters are causing snort to function as you expect, such as correctly generating logging and alert output. If you can't get this part to work, then you don't have much hope of snort miraculously starting to work as a service.
  4. Once you have step (3) running correctly, modify the command line parameters you used in step (3) to include the additional parameters "/SERVICE /INSTALL". For example, if your command line in step (3) was:
            snort -i1 -lC:\snort\log -cC:\snort\snort.conf
    
    then you should change it to be:
            snort /SERVICE /INSTALL -i1 -lC:\snort\log -cC:\snort\snort.conf
    
    Verify that the command line parameters were received correctly by running the command "snort /SERVICE /SHOW".
  5. Start the service by running the command:
            net start snortsvc
    
    Note that versions 1.9 (build 228), 2.0 (build 50), or any versions newer than these, will add entries to the Win32 Event Log if there is ever a problem starting the service. Stop the service by running the command:
            net stop snortsvc
    
  6. The service can be uninstalled by running the command:
            snort /SERVICE /UNINSTALL
    

5.6 Is it possible with Snort to add an ipfilter/ipfw rule to a firewall?

Yes, with additional software in the contrib directory. But this can be dangerous and is not recommended unless you know what you're doing.

One more caveat: running external binaries can also limit performance, and you should read the caution below...

CHRISTOPHER CRAMER wrote:

I'm sure this has been mentioned before in similar discussions, but this feels like a _really_ bad idea. What if the bad guys realize what is going on and make use of your blocking method as a DoS attack? All one would have to do is start sending a series of triggering packets with spoofed IP addresses.

Since I am no longer interested in breaking into your site, but rather making your life hell, I don't worry about the resulting data getting back to me. All I have to do is start proceeding up a list of IP addresses that I think you should no longer be able to talk to. When you come in the next morning, you find that you can no longer access the world.

Just my $0.02.

Danger Will Robinson: Conventional wisdom says that auto-blocking is inherently dangerous.

However, for those who like to live at the bleeding edge of tech (and a separate process scanning logs and issuing firewall commands sounds like a good way to do this...):

Please remember to include an exclusion list and put on it important sites such as the root servers, other important DNS servers (yours, and those important to your users), and in general any host you don't want to receive phone calls about being DoSed when its address is spoofed, usually at an inconvenient moment, like the first time you actually manage to get on vacation.... (i.e. imagine "Crisis: the CEO can't reach his favorite redlite.org game.... you have to fly back from the Caribbean ASAP....")

5.7 What is the best way to use Snort to block attack traffic?

snort-inline > hogwash >> SnortSAM|Guardian >> flexresp

5.8 Snort complains about the "react" keyword...

Rerun configure with the --enable-flexresp option and rebuild/reinstall.

5.9 How do I get Snort to e-mail me alerts?

You can't. Such a process would slow Snort down too much for it to be of any use. Instead, log to syslog and use swatch or logcheck to parse the plaintext logfiles.

With the Logsurfer docs, this might get you on the road to doing something with Snort and Logsurfer:

JASON HAAR provided an example Swatch (3.1beta) config that emails alerts:

Here are some docs on swatch:

IDS Center (see FAQ [*]) on Win32 will also mail alerts.
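As an added example (not code from the FAQ or the Snort project), here is the kind of separate, always-running log processor that the answers to 5.6 and 5.9 call for: it parses Snort alert_syslog lines, counts hits per source while skipping an exclusion list, and builds per-signature counts for an e-mail digest. The syslog line layout, the sample lines and the exclusion network are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the layout Snort's alert_syslog plugin writes
# (an assumption about the exact format, not output taken from the FAQ).
SAMPLE_LOG = """\
Mar 15 10:01:02 sensor snort[4242]: [1:1000001:1] REDRUM REDRUM [Priority: 1]: {TCP} 10.0.0.5:40123 -> 192.168.0.1:23
Mar 15 10:01:03 sensor snort[4242]: [1:1000001:1] REDRUM REDRUM [Priority: 1]: {TCP} 10.0.0.5:40124 -> 192.168.0.1:23
Mar 15 10:01:04 sensor snort[4242]: [1:1000001:1] REDRUM REDRUM [Priority: 1]: {TCP} 10.0.0.5:40125 -> 192.168.0.1:23
Mar 15 10:01:05 sensor snort[4242]: [1:2000:3] DNS PROBE [Classification: Attempted Recon] [Priority: 2]: {UDP} 203.0.113.53:53 -> 192.168.0.1:1025
Mar 15 10:01:06 sensor snort[4242]: [1:2000:3] DNS PROBE [Classification: Attempted Recon] [Priority: 2]: {UDP} 203.0.113.53:53 -> 192.168.0.1:1026
Mar 15 10:01:07 sensor snort[4242]: [1:2000:3] DNS PROBE [Classification: Attempted Recon] [Priority: 2]: {UDP} 203.0.113.53:53 -> 192.168.0.1:1027
Mar 15 10:01:08 sensor snort[4242]: [1:3000:1] PING [Priority: 3]: {ICMP} 172.16.9.9 -> 192.168.0.1
"""

# Placeholder exclusion list: hosts that must never be auto-blocked (your DNS
# servers, the root servers, partner sites), as the FAQ advises.
EXCLUDE = ["203.0.113.0/24"]

ALERT_RE = re.compile(
    r"\[\d+:(?P<sid>\d+):\d+\] (?P<msg>.+?) "
    r"(?:\[Classification: [^\]]+\] )?\[Priority: (?P<pri>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?")

def parse_alert(line):
    """Return (sid, msg, priority, src, dst) for one syslog line, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return int(m["sid"]), m["msg"], int(m["pri"]), m["src"], m["dst"]

def block_candidates(lines, exclude=EXCLUDE, threshold=3, max_priority=2):
    """Sources that are repeated, high priority and not excluded. Spoofed
    sources still pass, so treat the result as a proposal for an operator."""
    nets = [ipaddress.ip_network(n) for n in exclude]
    hits = Counter()
    for line in lines:
        if not (parsed := parse_alert(line)):
            continue
        sid, msg, pri, src, dst = parsed
        if pri > max_priority or any(ipaddress.ip_address(src) in n for n in nets):
            continue
        hits[src] += 1
    return sorted(s for s, n in hits.items() if n >= threshold)

def alert_digest(lines):
    """Per-signature counts for a periodic e-mail digest built outside Snort."""
    return Counter((p[0], p[1]) for p in map(parse_alert, lines) if p)
```

On the sample lines only 10.0.0.5 is proposed for blocking: the probing DNS server is on the exclusion list and the single low-priority ping never reaches the threshold.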

5.10 How do I log a specific type of traffic and send alerts to syslog?

An example addition to snort.conf:

ruletype redalert {
    type alert
    output alert_syslog: LOG_LOCAL2
    output database: alert, postgresql, user=user dbname=snort password=pwd
}

Go into your local.rules and make sure you have something like:

redalert tcp any any -> any any (msg:"REDRUM REDRUM"; content:"redalerttest";)

Then just open a telnet session and type "redalerttest". Presto, alerts to both.

5.11 Is it possible to have Snort call an external program when an alert is raised?

Calling another program from within your main IDS loop is generally a bad idea. Having your IDS block while waiting for <something> of dubious reliability and origin, never mind timing, while the packets are piling up is inviting packet loss. Especially with the already oh-so-consistent "Gee, I think I'll go away for a minute" rock-steady, even CPU slicing Windows gives you (that's sarcasm, sorry). Go with the second approach.... process invocation is expensive on Windows.

You want to keep that IDS task humming and munching packets as efficiently as possible with as few interruptions as possible, imho, and not be paying the penalty of process invocation.... particularly on Windows, where process invocation is a much, much heavier task than on *nix.

Even in a secondary process... you'll probably find that something that stays "awake" all the time works out much more nicely than something that gets "woken up" on a per-alert basis, for the aforementioned reasons.

As a better alternative, check out swatch or logwatch. Also, for those new to UNIX, logging alerts to syslog and then using "tail -f /var/log/messages" might be what you are looking for.

5.12 How can I use Snort to log HTTP URLs or SMTP traffic?

It can be done with Snort, but you might find it faster to use mailsnarf and urlsnarf from Dug Song's dsniff package. Dsniff is available from:

http://www.monkey.org/~dsong/dsniff/

You can get a win32 port of dsniff at:

http://www.datanerds.net/~mike/dsniff.html

5.13 How can I move data from the snort db to snort_archive db like ACID does?

Use the perl script snort_archdb.pl found in the contrib dir of the Snort distribution (snort_archdb-90a.tar.gz).

5.14 What are some resources that I can use to understand more about source addresses logged and where they are coming from?

Also, try "dig".

5.15 How do I understand this traffic and do IDS alert analysis?

  1. You'll need to understand some basics of IP, TCP, and UDP: things like destination addresses, source addresses, common ports, what TCP SYN, FIN and RST mean, etc. The same kind of basic knowledge of the internet you need to successfully configure a multi-interface router applies here, although you don't need to know router syntax. Some useful online references:
  2. You'll need to understand some basics of how network attacks work. I'd recommend skimming over "Smashing the Stack for Fun and Profit" by Aleph One. A deep understanding isn't necessary, but a casual read of this will give you some helpful basics in understanding the kinds of things that happen in an attack, and give you a better understanding of what to look for.

    http://www.insecure.org/stf/smashstack.txt

  3. A good guide on securing systems is helpful, something like this one:

    http://www.openna.com/products/books/sol/solus.php

    http://www.seifried.org/lasg/

  4. You'll need to understand the basics of internet servers, i.e. what DNS, HTTP, FTP, SMTP, etc. are for. Most of that should be covered in the various other references made here.
  5. An excellent reference on "oddball" traffic patterns commonly seen at network borders, also very helpful:

    http://www.robertgraham.com/pubs/firewall-seen.html

  6. Also take a look at the "Recommended Reading" section (see FAQ [*])

5.16 How can I examine logged packets in more detail?

If you are using unified logging, you can use Barnyard (see FAQ [*]) or the unified log to pcap converter written by Dragos:

http://dragos.com/logtopcap.c

You can then get additional decoding of the packet contents by analyzing these pcap files with either:


Oden Eriksson 2005-03-15