------------------------------------

IDS Sensors (Snort, MySQL & stunnel)

------------------------------------

Email: obscure@securityminded.net

------------------------------------

Requirements

------------

 

This article covers the setup and configuration of the complete system,
including the centralized database and a remote network sensor. For the
sake of brevity, the following are assumed to be in place already:

 

On the Database Server:

-----------------------

 

+ A properly installed and secured MySQL database server

+ A properly installed OpenSSL dist

+ A properly installed stunnel

+ A user to access the Snort database (ex: user=snortdb)

+ A user and group to run stunnel (ex: user=stunnel, group=stunnel)

+ A copy of the create_mysql file from the contrib directory of the Snort source dist

+ A copy of the snortdb-extra.gz file from: http://www.incident.org/snortdb

 

On the IDS Sensor:

------------------

 

+ A running Snort compiled with MySQL support

+ A properly installed OpenSSL dist

+ A properly installed stunnel

+ A user and group to run Snort (ex: user=runsnort, group=runsnort)

+ A user and group to run stunnel (ex: user=stunnel, group=stunnel)

 

Setting up the Database

-----------------------

 

Once the MySQL daemon is running on the database server, a database must be
created and configured for the snort data. To do so, log into MySQL as root
(-p prompts for the MySQL root password that was set when the server was
secured):

 

root@bigbox:~> mysql -u root -p

 

and enter the command:

 

mysql>CREATE DATABASE snortdata;

 

where snortdata is the name of the database that will house the snort data.

Next, grant the account that the sensors will use the minimum rights it needs
on the database (INSERT and SELECT), bind it to localhost, and give it a
password:

 

mysql> GRANT INSERT, SELECT ON snortdata.* TO 'snortdb'@'localhost' IDENTIFIED BY 'foo';

 

where snortdb is the MySQL account that the sensors will be configured to use
and foo is its password (the same one that will later appear in snort.conf).
The account is bound to localhost rather than '%' because, with the stunnel
setup below, every sensor connection reaches MySQL from 127.0.0.1 on the
database server itself. DELETE and DROP are deliberately left out: a
compromised sensor should be able to add evidence, not destroy it.

Next, the snort database structure needs to be created. This is done with the
create_mysql file included in the contrib directory of the snort dist. Exit the
MySQL client and issue the command:

 

root@bigbox:~> mysql -u root -p snortdata < create_mysql

 

The snortdb-extra.gz file from http://www.incident.org/snortdb adds additional
useful tables to the snort database. The tables are created in the database
with the following command:

 

root@bigbox:~> zcat snortdb-extra.gz | mysql -u root -p snortdata

 

At this point the database is correctly configured and is ready to accept data.
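
As an added check that is not part of the original article: the script below
audits the sensor account's privileges from SHOW GRANTS output and rejects
anything beyond the INSERT and SELECT granted on snortdata.*, any GRANT OPTION,
or an account bound to '%' instead of localhost (the sensors reach MySQL from
127.0.0.1 through stunnel). The two SHOW GRANTS samples inside it are
constructed, not captured from a server, and the function and variable names
are mine, not snort's or MySQL's.

```shell
#!/bin/sh
# Least-privilege audit for the Snort database account (added example).
# Live use on the database server:
#   mysql -u root -p -e "SHOW GRANTS FOR 'snortdb'@'localhost'" | audit_grants snortdata

# audit_grants DBNAME   (reads SHOW GRANTS output on stdin)
# Exit 0 if every GRANT line stays within the intended scope: only SELECT and
# INSERT on DBNAME.*, the implicit "USAGE ON *.*" every account has, no GRANT
# OPTION, and no '%' (any-host) account.  Exit 1 otherwise, printing one
# "BAD:" line per finding.
audit_grants() {
    db=$1; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in GRANT*) ;; *) continue ;; esac
        privs=$(printf '%s\n' "$line" | sed -e 's/^GRANT //' -e 's/ ON .*//')
        obj=$(printf '%s\n' "$line"   | sed -e 's/^.* ON //' -e 's/ TO .*//' -e 's/`//g')
        acct=$(printf '%s\n' "$line"  | sed -e 's/^.* TO //' -e 's/ IDENTIFIED.*//' -e 's/ WITH .*//')
        case "$acct" in *"'%'"*) echo "BAD: $acct is reachable from any host"; bad=1 ;; esac
        case "$line" in *"WITH GRANT OPTION"*) echo "BAD: $acct may re-grant its rights"; bad=1 ;; esac
        # "GRANT USAGE ON *.*" carries no privileges; it is how MySQL says the account exists.
        [ "$privs" = USAGE ] && continue
        case "$privs" in "ALL PRIVILEGES"|ALL) echo "BAD: ALL PRIVILEGES on $obj"; bad=1; continue ;; esac
        [ "$obj" = "$db.*" ] || { echo "BAD: privileges on $obj, expected only $db.*"; bad=1; }
        for p in $(printf '%s\n' "$privs" | tr ',' ' '); do
            case "$p" in
                SELECT|INSERT) ;;
                *) echo "BAD: unexpected privilege $p on $obj"; bad=1 ;;
            esac
        done
    done
    return $bad
}

# Constructed SHOW GRANTS output, not captured from a real server.
# What the GRANT in the article should produce ('<hash>' stands in for the real hash):
GOOD_GRANTS="GRANT USAGE ON *.* TO 'snortdb'@'localhost' IDENTIFIED BY PASSWORD '<hash>'
GRANT SELECT, INSERT ON \`snortdata\`.* TO 'snortdb'@'localhost'"
# A common shortcut that would let a compromised sensor wipe the evidence:
BAD_GRANTS="GRANT ALL PRIVILEGES ON *.* TO 'snortdb'@'%' WITH GRANT OPTION"

echo "== intended grants"
printf '%s\n' "$GOOD_GRANTS" | audit_grants snortdata && echo "OK"
echo "== over-privileged account"
printf '%s\n' "$BAD_GRANTS" | audit_grants snortdata || echo "REJECTED"
```

The parser only understands the one-line "GRANT ... ON ... TO ..." form that
SHOW GRANTS prints, which is all it needs for this check.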

 

Server Stunnel Configuration

----------------------------

 

Rather than allowing IDS sensors to talk to the database over the network in
the clear, we will wrap the MySQL connection in an SSL tunnel built from
stunnel and OpenSSL. Future versions of MySQL will handle native SSL
communications directly, but support is limited as of this writing. By
default, stunnel accepts connections to its configured TCP ports from all
hosts. However, stunnel can be used in conjunction with TCP Wrappers to limit
connections by IP address, provided it was built with libwrap support. To
enable this functionality, we'll create a service name for the encrypted MySQL
communications:

 

root@bigbox:~> echo "mysqls 3307/tcp" >> /etc/services

 

where mysqls is the chosen name and 3307 is the chosen TCP port over which the

encrypted communications will occur. The chosen service name and TCP port should

not conflict with existing service entries. Add sensor IP addresses to the

hosts.allow file in /etc:

 

root@bigbox:~> echo "mysqls: 192.168.0.100" >> /etc/hosts.allow

 

where 192.168.0.100 is the IP address of our IDS sensor. With multiple
sensors, add one entry per sensor to /etc/hosts.allow, or list their
addresses separated by commas on the one mysqls line.
Next, block all other access to the encrypted MySQL port in the /etc/hosts.deny file:

 

root@bigbox:~> echo "mysqls: ALL" >> /etc/hosts.deny
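
To see what the two entries above actually decide, here is an added example
(mine, not from the article or the tcp_wrappers project): a small POSIX sh
model of tcpd's lookup order for the simple "daemon: client" form used here.
hosts.allow is consulted first, then hosts.deny, and a client matching neither
file is allowed, which is why the hosts.deny entry is not optional. The script
writes constructed copies of the two entries to a temporary directory rather
than touching /etc; the function names are mine. On a real host, tcpdmatch(8)
from the tcp_wrappers package answers the same question against the live
files, for example: tcpdmatch mysqls 192.168.0.101

```shell
#!/bin/sh
# Model of tcpd's access decision for "daemon_list : client_list" entries
# (added example).  Lookup order, exactly as tcpd does it: hosts.allow first,
# then hosts.deny; no match in either file means ALLOW.

# match_token TOKEN CLIENT_IP -> exit 0 if TOKEN covers CLIENT_IP.
# Supports ALL, an exact address, and the "192.168.0." trailing-dot prefix form.
match_token() {
    tok=$1; ip=$2
    case "$tok" in
        ALL) return 0 ;;
        *.)  case "$ip" in "$tok"*) return 0 ;; esac ;;
        *)   [ "$tok" = "$ip" ] && return 0 ;;
    esac
    return 1
}

# file_matches FILE SERVICE CLIENT_IP -> exit 0 if some line in FILE names
# SERVICE (or ALL) and one of its client tokens covers CLIENT_IP.
file_matches() {
    file=$1; svc=$2; ip=$3
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                      # strip comments
        case "$line" in *:*) ;; *) continue ;; esac
        daemons=${line%%:*}
        clients=${line#*:}
        svc_hit=1
        for d in $(printf '%s\n' "$daemons" | tr ',' ' '); do
            if [ "$d" = ALL ] || [ "$d" = "$svc" ]; then svc_hit=0; fi
        done
        [ $svc_hit -eq 0 ] || continue
        for c in $(printf '%s\n' "$clients" | tr ',' ' '); do
            match_token "$c" "$ip" && return 0
        done
    done < "$file"
    return 1
}

# wrap_decision SERVICE CLIENT_IP ALLOW_FILE DENY_FILE -> prints allow|deny
wrap_decision() {
    if file_matches "$3" "$1" "$2"; then echo allow
    elif file_matches "$4" "$1" "$2"; then echo deny
    else echo allow                           # tcpd's default when nothing matches
    fi
}

# Constructed copies of the article's two entries (not the live /etc files).
WRAP_DIR=$(mktemp -d)
printf 'mysqls: 192.168.0.100\n' > "$WRAP_DIR/hosts.allow"
printf 'mysqls: ALL\n'           > "$WRAP_DIR/hosts.deny"
: > "$WRAP_DIR/hosts.deny.missing"            # what you get if the deny step is skipped
printf 'mysqls: 192.168.0.\n'    > "$WRAP_DIR/hosts.allow.net"   # whole-subnet variant

# article_decision CLIENT_IP -> allow|deny under the article's two entries
article_decision() { wrap_decision mysqls "$1" "$WRAP_DIR/hosts.allow" "$WRAP_DIR/hosts.deny"; }
# no_deny_decision CLIENT_IP -> the same, but with an empty hosts.deny
no_deny_decision()  { wrap_decision mysqls "$1" "$WRAP_DIR/hosts.allow" "$WRAP_DIR/hosts.deny.missing"; }

for ip in 192.168.0.100 192.168.0.101; do
    echo "$ip: with deny entry -> $(article_decision "$ip"); without it -> $(no_deny_decision "$ip")"
done
```

The second line of output is the point: without the "mysqls: ALL" entry in
hosts.deny, the unlisted sensor is let straight through.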

 

Start stunnel so that connections from authorized hosts to port 3307 are
forwarded to the MySQL listener on port 3306 on the loopback address. Make
sure MySQL itself is bound to 127.0.0.1 (bind-address in my.cnf) so that the
unencrypted port is not reachable from the network; do not use
skip-networking, because stunnel hands the connections to MySQL over TCP.
The following command will do:

 

stunnel -f -d mysqls -r 127.0.0.1:3306 -p /home/stunnel/stunnel.pem \

 -N mysqls -s stunnel -g stunnel

 

Note:

----

 

If you haven't created stunnel.pem yet, here's how to do so:

 

openssl req -new -out stunnel.pem -keyout stunnel.pem -nodes -x509 -days 365

chown stunnel:stunnel stunnel.pem

chmod 600 stunnel.pem

 

This was taken right out of the stunnel(8) man page. The file holds both
the private key and the self-signed certificate; -nodes leaves the key
unencrypted so stunnel can start unattended, which is why the file must be
readable only by the stunnel user. With -days 365 the certificate has to be
regenerated yearly.

Here is a summary of the command-line options used (these are stunnel 3.x
options; stunnel 4 and later take the same settings from a configuration
file instead):

 

-f                           + Keeps the process in the foreground, with
                               connection and debugging info sent to the
                               console (stderr)

-d mysqls                    + Starts stunnel in daemon mode, listening on
                               the mysqls service (TCP port 3307)

-r 127.0.0.1:3306            + Specifies the remote service to which
                               connections to the daemon port (mysqls)
                               will be forwarded (TCP port 3306 on the
                               loopback address)

-p /home/stunnel/stunnel.pem + Specifies the file holding stunnel's
                               private key and certificate

-N mysqls                    + Specifies the service name used for TCP
                               Wrapper checks

-s stunnel                   + setuid() to user stunnel

-g stunnel                   + setgid() to group stunnel

 

 

 

At this point, only the IDS sensor at 192.168.0.100 is allowed

access to the mysqls service (TCP port 3307) on our database server.

 

On the Sensor(s)

----------------

Configuring the Encrypted Client Connection

-------------------------------------------

 

Now that I've shown how stunnel works on the server, the client
configuration for the sensor should be intuitive. The sensor must be
configured with a local listener on TCP port 3306. Snort will direct
its logging to that local listener, and stunnel will forward the data
to the database server over the encrypted channel. The stunnel command
we'll use on the sensor (the MySQL client) is:

 

stunnel -f -c -d 127.0.0.1:3306  -r 192.168.0.200:3307 -s stunnel -g stunnel

 

In this example, 192.168.0.200 is the address of the remote MySQL server.
One flag we have not yet seen is -c, which configures stunnel to act as a
client. Note that I have not configured TCP wrappers on the client, because
the client-side listener is bound to the loopback address only; configure
such controls as described above if desired. With this configuration, any
connection the sensor makes to the local listener on TCP 3306 is forwarded
by stunnel to the SSL-encrypted MySQL listener at 192.168.0.200. One caveat:
as written, the client does not verify the server's certificate, so the
tunnel protects the data from passive sniffing but not from an attacker who
can intercept the connection and present a certificate of his own. stunnel
3.x's -v (verification level) and -A (trusted certificate file) options let
the client insist on the database server's known certificate; see the
stunnel man page for the exact levels. We can now configure snort to log
data to the MySQL database. First, ensure that snort is able to capture
traffic normally. Run:

 

snort -vi xl0

 

where xl0 is the network interface on which snort listens.

Note that the sensor must be in a position to sniff network
traffic (ex: on a hub, or on a switch with port mirroring enabled).

 

Ruleset Configuration Notes

---------------------------

 

Once the sensor is detecting traffic, the snort config file
should be customized for the sensor. There is an online rules
database at www.snort.org that can fill in most of the sensor's
signature set. You may want to create some rules of your own,
which is quite simple with the snort rules language. The process of
creating an effective IDS rule base is subject to debate.
Factors affecting the size and breadth of a ruleset include
performance requirements, network activity, and other available
security countermeasures.

 

Configuring Snort to Log to MySQL

---------------------------------

 

Logging snort data to our MySQL database is configured with the output
directive. To turn on logging to the configured MySQL database, add the
following line to snort.conf:

 

output log_database: log, mysql, host=127.0.0.1 dbname=snortdata \

user=snortdb password=foo

 

Here is a summary of the directives used:

 

log                  + Specifies that logging information should be
                       sent to the database (the plugin attaches to
                       snort's log facility rather than its alert
                       facility)

mysql                + Specifies that the remote database is a MySQL
                       database

host=127.0.0.1       + Sends snort log information to the MySQL
                       listener on the sensor's loopback address. The
                       sensor's stunnel client forwards the data to the
                       remote server over the encrypted channel. Use the
                       literal 127.0.0.1: with host=localhost the MySQL
                       client library connects through the local Unix
                       socket instead of TCP and never reaches stunnel.

dbname=snortdata     + The remote database name

user=snortdb         + The MySQL account with which to access the
                       remote database

password=foo         + That account's password

 

Because this configuration file contains a password in plaintext, restrict
its permissions. Snort reads the file as root before dropping privileges
with -u, so read-only for the runsnort user is sufficient:

 

root@bigbox:~> chown runsnort:runsnort snort.conf; chmod 400 snort.conf

 

All that remains is to start snort. A command similar to the following can be used:

 

 

snort -c snort.conf -d -i xl0 -u runsnort -g runsnort

 

-c snort.conf        + Specifies the configuration file snort should use

-d                   + Dump application layer data

-i xl0               + Use interface xl0

-u runsnort          + Run snort as user runsnort after initialization

-g runsnort          + Run snort under group runsnort after initialization

 

There are many other snort options; check the README file
included with the dist for details.
At this point, the sensor will be logging to the remote MySQL
database over an encrypted channel. Once the sensor has collected
and logged some data, you can verify proper operation by logging
into the database from the snort sensor through the same local
stunnel listener. Use the literal address 127.0.0.1: with -h localhost
the mysql client would use the local Unix socket and never reach the
tunnel. -p prompts for the snortdb password.

 

root@bigbox:~> mysql -h 127.0.0.1 -u snortdb -p

 

mysql>use snortdata

 

mysql>SELECT * FROM event;

 

This query should display logged snort events.