Chapter 8 • Analysis and Management Tools
Howlett_CH08.fm Page 239 Thursday, June 24, 2004 9:54 PM

Table 8.2 lists and describes some additional options that you can use to control how Swatch reads the log files. You can only use one of these switches at a time. For example, running Swatch with this command:

./swatch --examine messages --daemon

has Swatch search the entire messages file every time it runs, rather than just checking for newly added lines. Swatch normally scans the UNIX messages file or, if there is no messages file, it defaults to the syslog file. Using the switches in Table 8.2, you could have Swatch look at any log file you want, such as the security logs or even an application-specific log file like nessus.messages.

Table 8.2 Swatch Log File Options

--examine file
    Makes Swatch do a complete pass through the indicated file. Use this when the file being examined is created anew each time.

--read-pipe program
    Instead of reading a file, you can have Swatch read input directly piped from the indicated program.

--tail file
    Reads only the newly added lines in file. This is the default operation for Swatch on log files, since new entries are usually appended to the end of an existing file. This is much faster than rereading a whole file every time, especially with log files that can get quite big, such as Web server logs.

The Swatch Configuration File

The Swatch configuration file is where all the important settings are. In this file, called swatchrc by default, you tell the program what to look for in the log files and what to do if that shows up. Two sample swatchrc files are included with the program in the examples directory. The swatchrc.personal file is for use on a personal workstation, and swatchrc.monitor is for server monitoring. Listing 8.2 shows what the monitor version looks like.

Listing 8.2 The swatchrc Monitor Configuration File

#
# Swatch configuration file for constant monitoring
#

# Bad login attempts
watchfor /INVALID|REPEATED|INCOMPLETE/
    echo
    bell 3
    exec "/usr/local/sbin/badloginfinger $0"

# Machine room temperature
watchfor /WizMON/
    echo inverse
    bell

# System crashes and halts
watchfor /(panic|halt)/
    echo
    bell
    mail
    exec "call_pager 3667615 0911"

# System reboots
watchfor /SunOS Release/
    echo
    bell
    mail
    exec "call_pager 3667615 0411"

As you can see in Listing 8.2, the basic format is a watchfor statement followed by a text statement between two slashes, and then one or more action commands. The text between the slashes is what Swatch looks for when it examines (tails) the log file. If the search text is found, then Swatch takes the actions below the statement. Table 8.3 lists and describes the action statements Swatch supports.

Table 8.3 Swatch Action Statements

echo mode
    Makes the search text be echoed to the screen. The word mode is optional and indicates the color in which it is to be displayed. The default is your normal screen text color, but you can also use the following modes: blink, bold, underline, inverse, green, blue, red, yellow, black, magenta, cyan, white, or any of these choices followed by _h to use the highlighted colored version, for example black_h.

bell number
    Rings the PC internal speaker the number of times indicated by number. The default if no number is given is 1.

As you can see, Swatch can notify you of flagged log events in several different ways. The easiest is to just have it beep or echo on the screen. If you are not around the server all the time, then you can have it e-mail you. If your pager or cell phone supports text messaging via e-mail, you could have it send the message directly to you.
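The following Python script is an added example, not part of the book or of Swatch itself, that mimics what Swatch does with a configuration like Listing 8.2: it parses watchfor/action rules, matches them against constructed syslog-style lines, and applies the throttle action from Table 8.3. The rules, the log lines, the year 2004 assumed for the syslog timestamps, and the simplified throttle semantics (at most one alert per rule per window, rather than Swatch's exact behavior) are all assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed swatchrc-style rules in the layout of Listing 8.2 (sample data,
# not the book's file). throttle is the action described in Table 8.3.
SAMPLE_RULES = """\
# Bad login attempts
watchfor /INVALID|REPEATED|INCOMPLETE/
    echo
    bell 3
    throttle 0:01:00

# System crashes and halts
watchfor /(panic|halt)/
    echo
    bell
    mail
"""

# Constructed syslog-style lines; syslog stamps carry no year, so one is assumed.
SAMPLE_LOG = """\
Jun 24 21:54:01 srv login[812]: REPEATED login failures on ttyS0
Jun 24 21:54:20 srv login[812]: REPEATED login failures on ttyS0
Jun 24 21:54:40 srv login[813]: INVALID password for admin
Jun 24 21:56:05 srv login[814]: INCOMPLETE login for guest
Jun 24 21:57:00 srv kernel: panic: unable to mount root fs
Jun 24 21:57:30 srv sshd[900]: Accepted publickey for ops
"""

WATCHFOR = re.compile(r"watchfor\s+/(.*)/\s*$")


def parse_rules(text):
    """Turn swatchrc-style text into rule dicts: a compiled pattern, the
    action lines that follow it, and an optional throttle window."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = WATCHFOR.match(line)
        if m:
            rules.append({"pattern": re.compile(m.group(1)),
                          "actions": [], "throttle": None})
            continue
        if not rules:
            raise ValueError("action line before any watchfor: %r" % line)
        words = line.split()
        if words[0] == "throttle":
            hours, minutes, seconds = (int(x) for x in words[1].split(":"))
            rules[-1]["throttle"] = timedelta(hours=hours, minutes=minutes,
                                              seconds=seconds)
        else:
            rules[-1]["actions"].append(line)
    return rules


def syslog_time(line, year):
    """Parse the leading 'Mon dd hh:mm:ss' stamp of a syslog line."""
    return datetime.strptime("%d %s" % (year, line[:15]), "%Y %b %d %H:%M:%S")


def watch(rules, log_lines, year=2004):
    """Run every rule over every line in order. Returns (fired, suppressed):
    fired holds (pattern, actions, line) for each alert that would be sent;
    suppressed counts matches silenced because the rule's throttle window
    since its last alert had not yet elapsed."""
    fired, suppressed = [], 0
    last_alert = {}  # rule index -> time of the last alert it produced
    for line in log_lines:
        if not line.strip():
            continue
        stamp = syslog_time(line, year)
        for idx, rule in enumerate(rules):
            if not rule["pattern"].search(line):
                continue
            window, prev = rule["throttle"], last_alert.get(idx)
            if window is not None and prev is not None and stamp - prev < window:
                suppressed += 1
                continue
            last_alert[idx] = stamp
            fired.append((rule["pattern"].pattern, rule["actions"], line.rstrip()))
    return fired, suppressed


def run_sample():
    """Apply the constructed rules to the constructed log."""
    return watch(parse_rules(SAMPLE_RULES), SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    alerts, dropped = run_sample()
    for pattern, actions, line in alerts:
        names = ",".join(a.split()[0] for a in actions)
        print("%-30s %-14s %s" % (pattern, names, line))
    print("%d alert(s) sent, %d match(es) throttled" % (len(alerts), dropped))
```

Run as shown, the three REPEATED/INVALID matches inside the first minute produce one alert and two throttled matches, the later INCOMPLETE line alerts again once the window has passed, and the kernel panic line fires the second rule, which has no throttle.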
You can also write a script to have the server dial a pager number using the UNIX tip command.

Table 8.3 Swatch Action Statements (continued)

exec command
    Executes a command line parameter. You can use this to call any other program or script to do various things, for example, to send an SMB pop message to a particular workstation. This functionality greatly expands the things that Swatch can do. You can even configure this to call a script that would take further action conditionally, based on what was found in the log file.

pipe command
    Passes along a command to another process.

mail addresses=address1:address2:address3,subject=text
    Sends an e-mail using the Sendmail program to a single e-mail address or to multiple addresses separated by colons. Text appears as the subject line for your e-mail message. The alert text appears in the body of the e-mail.

write user1:user2
    Causes the alert to be sent via the UNIX write command to a single user or a group of users.

throttle hours:minutes:seconds
    Controls the number of times the alert is sent during a period of time for one watchfor statement. This keeps you from getting dozens of messages if a text string appears multiple times in the log file within the set time window.

Using Databases and Web Servers to Manage Your Security Data

Going beyond just checking server logs, you also want to be able to analyze the output of the security programs discussed earlier in this book. The best way to do this is to import the results into a database. The rest of the tools in this chapter are designed to let you import and view security data in a database. To use these tools you'll need a database program and a Web server running to review the results. Though there are other options supported, the database recommended for these programs is MySQL and the Web server is Apache with PHP. You should set up these programs before attempting to install any of these tools. The basic installation and configuration of each of these prerequisite servers are described briefly here.

Setting Up a MySQL Server

MySQL is an open source SQL-compliant database that is gaining acceptance in the corporate world for its power and flexibility. While this book does not intend to teach you all the ins and outs of running a MySQL database, the following information will help you set up and execute some basic administrative tasks on a MySQL database so you can use the analysis tools.

1. Download the latest version of MySQL from www.mysql.com or use an RPM from your OS and distribution disks. Make sure it is at least version 4.0 or later.

Note: If you already have MySQL database version 4.0 or later installed, skip to Step 4.

2. Unpack the file and issue the usual compilation commands in the directory it creates:

./configure
make
make install

3. Run the install script located in the /scripts directory by typing:

mysql_install_db

This initializes your database program and gets it ready for use.

4. Create a MySQL user and group for the database to use to perform tasks. Do this by issuing the following commands:

groupadd mysql
useradd -g mysql mysql

5. Set the ownership and file permissions so that MySQL can operate using the following commands:

chown -R root /usr/local/mysql
chown -R mysql /usr/local/mysql/var
chgrp -R mysql /usr/local/mysql
cp /usr/local/mysql/support-files/my-medium.cnf /etc/my.cnf

6. Edit the file /etc/ld.so.conf and add the following lines:

/usr/local/mysql/lib/mysql
/usr/local/lib

7. Save the file.

8. As root, type:

ldconfig -v
9. As root, set an admin user for the MySQL database by typing:

/usr/local/mysql/bin/mysqladmin -u root password 123456

where you replace 123456 with your password. Be sure to write down your password and keep it in a safe place. When you are finished with this, change back to the user you logged in as by typing "exit" at the command line.

10. You will want to set up MySQL to start as a daemon and run all the time rather than having to start it manually. You can do this by placing the following line at the end of the rc.local file found in /etc/rc.d/.

mysqld --user=mysql &

This will start MySQL as a system process every time you reboot.

11. Finally, you will want to lock down MySQL so that it doesn't become a security hole on your system. By default, MySQL has pretty weak security. While MySQL security isn't the subject of this book, here are a few things you can do.

• Delete the standard users, unless you have a program that uses them.
• Make sure that the root user can only connect from a small number of hosts.
• Set up some rules on your firewall to only allow connections on a limited number of ports and from a limited number of machines to your MySQL server.
• Create system accounts for running programs. Don't use either the system root account or the MySQL root account (two different things) unless you absolutely have to (the NPI tool does require this, unfortunately). This chapter includes examples of application-specific accounts to create in each package description wherever possible.

MySQL is now ready to use. Type mysql at a command prompt and you will be prompted for a user name and password to enter the standard MySQL command line, where you can use standard SQL commands on your MySQL databases. See the sidebar for some basic MySQL commands.

Basic MySQL Commands

To log in to MySQL, type mysql -u username -ppassword (no space between -p and the password), replacing username and password with the ones from the account on the MySQL database. Note: This is different than your system login. This logs you into MySQL and puts you at the MySQL prompt mysql> where you can type commands. Be sure to put a semi-colon at the end of commands before pressing Enter to execute them. The following are some basic commands to navigate and search a MySQL database.

show databases;
    Displays all the databases available on that MySQL server.

use database-name;
    Makes the database-name specified the active database so you can perform actions on it.

show tables;
    Lists all the tables that exist in a database.

select query from Tablename;
    Shows records that match the query in Tablename. There are a number of operands you can use in your query statement. Using an * (asterisk) as your query statement will list all records in that table.

Setting Up the Apache Web Server

The advanced analysis tools in this chapter require a Web server to act as both the configuration interface and the output mechanism. Again, this short section is not intended to be a comprehensive guide on how to run and operate a Web server; it is merely intended to get you up and running with what you need to use the security tools. If you intend to use this server for more than ACID and NCC or to use it in high-volume environments, you should definitely do further reading on Web server administration. Running a Web server does involve some security issues, and you should make sure these servers are locked down, running minimal services, and kept frequently patched. If you want to run IIS or an alternate Web server, it should work as long as it is compliant with PHP 4.0 or later.

1. Download the latest version of Apache from www.apache.org. If you can get it from your OS distribution disks or already have it installed, make sure you have at least version 1.3 or later.

Note: If you already have Apache version 1.3 or later installed, skip to Step 3.

2. Unpack the program and issue the following commands:

./configure --prefix=/www --enable-so --activate-module=src/modules/php4/libphp4.a
make
make install

These commands set the default directory to /www and enable the proper modules you will need.

3. Run the Web server by typing apachectl start at the command line. This starts the http daemon and sets it up to run as a system process. You can stop Apache at any time by issuing the same command with a stop parameter. Other Linux and UNIX variants may have different ways of handling starting and stopping. Consult your documentation or online resources on how to accomplish this.

4. Check your Web server installation by opening a Web browser and putting in the IP address of your server, or specify localhost if you are working directly on that machine. If it brings up a sample Apache Web page, then you have successfully installed your Web server. The root directory of your Web server, where you can put documents you want to be publicly viewable, is /usr/local/apache2/htdocs/ on a Mandrake Linux system; different distributions may vary slightly.

5. Next, set Apache to run automatically when the system is rebooted (you don't want to have to manually restart the Web server every time you reboot). To do this, go to the directory where all the startup scripts reside; on Mandrake Linux, this is the /etc/rc.d directory. Each rc. file represents a different run level. Add the following lines to the rc4.d and rc5.d files:

/init.d/httpd S85httpd
/init.d/httpd K85httpd

You can test this by rebooting your system and verifying that the httpd process displays when you list the processes running with the ps -ax command.

6. You should lock down Apache to prevent its abuse.
Web servers are some of the most common targets for attackers, so if you are going to allow access to this machine from outside your network you need to make sure it is secure. The following are some basic tips for good Web server security.

• Run a vulnerability scanner against your Web server to make sure that it is all patched up and doesn't have any obvious security holes right after you have finished this installation and configuration process.
• Protect any non-public Web directories with some access control. The quickest and easiest way to do this is using .htaccess files.
• Encrypt communications between clients and the server with SSL any time you are dealing with sensitive information (security data definitely counts in this category). If you are accessing your server from outside your local network, that is, across the Internet, consult your Web server documentation or the Internet on how to set this up.

Again, this isn't a comprehensive coverage of Web server security, but make sure you do these things before making your server public.

Setting Up PHP

PHP is a scripting language designed for use in Web pages. It is an interpreted language, which means it doesn't have to be compiled to work, so you can just insert your PHP script into a directory that recognizes PHP and it will run when accessed. This makes it easy to write code embedded into Web pages. Most current Web servers recognize PHP, though it may have to be configured on installation to do this. Because of these features, PHP has become the language of choice for many Web-based applications. You will need it for the three remaining tools in this chapter (ACID, NPI, and NCC). PHP should have been installed as part of the configure directives in the Apache instructions described earlier. To check if PHP is installed on your system and what version it is, type php -v at the command line. If it is there, you should get some output with the version number. However, if you were unable to install it as part of your Apache installation or you want to reload the latest version, use the following procedure.

1. Download the latest version of PHP from www.php.net or use the RPMs on your OS installation disks. If you use the ones provided with your OS, make sure that you have version 4.0 or later.

2. Unpack the distribution.

3. From the installed directory, run the following compile commands (the configure command goes all on one line):

./configure --prefix=/www/php --with-mysql=/usr/local/mysql --with-apxs2=/www/bin/apxs --with-zlib-dir=/usr/local --with-gd
make
make install

These configure statements enable several modules that are needed for the tools in this chapter.

4. Edit the Web server configuration file, httpd.conf, usually found in /www. Add the following lines, and then save the file.

LoadModule php4_module modules/libphp4.so
AddType application/x-httpd-php .php

5. To make sure PHP is running properly, use a text editor to create a small script file called test.php. Enter the following in the file and then save it.

<?php phpinfo(); ?>

This file is a short PHP script that will display some basic system information when run.

6. Copy the test file into the /www/htdocs directory. Type in the URL or IP address of your machine and then enter /test.php. You should see the PHP version displayed on a Web page. If you do, then your PHP-enabled Web server is ready to go.

ACID (Analysis Console for Intrusion Databases)

ACID
Author/primary contact: Roman Danyliw
Web site: www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html
Platforms: Most UNIX
License: GPL
Version reviewed: .9.6.b23
Mailing list: Acidlab users list. Subscribe by sending an e-mail with the word "subscribe" in the body to acidlab-users@lists.sourceforge.net.
The Analysis Console for Intrusion Databases (ACID) is a program designed to make better use of data from intrusion detection devices. It was written by Roman Danyliw and others for the AirCERT program run by Carnegie Mellon University. They are part of the larger CERT (Computer Emergency Response Team) organization. CERT has been instrumental in protecting the Internet and the organizations using it for many years. CERT tracks incidents of computer crime and sends out notices to a mailing list whenever a large incident happens. The CERT mailing list is kind of an early warning system for any large outbreaks or attacks happening on the Internet. As such, it can be very useful to a system administrator. You can visit the CERT site and sign up for their mailing list at www.cert.org.

The AirCERT project is placing IDS sensors at various organizations and studying overall trends in intrusion activity and behavior. They wrote ACID to facilitate this process. Because they open sourced the code for the project, you can use it for your benefit without doing anything as part of AirCERT.

The idea behind ACID is to port all your intrusion detection data into a database where it can be sorted and organized by priority. ACID gives you a Web-based control panel of sorts to view and manipulate these results. ACID uses just about any SQL database and any Web server, and supports multiple sensors for the input data. It also accepts both raw Snort alerts and syslog-compliant log files. ACID currently only works directly with one IDS, Snort, but you can import logs into the ACID database from any device that will output in a syslog-type format using a utility called Logsnorter, which is available on the ACID Web site.

ACID has quite a few prerequisite programs.
Besides a database, a Web server, and PHP, which have been covered earlier in this chapter, you need the following libraries and subprograms.

ADOdb

This package provides the database abstraction layer so PHP can use a standard interface to a multitude of databases, including MySQL. Download it from http://php.weblogs.com/adodb, unpack it into your /www/htdocs or applicable Web root directory, and it should be ready to go. No further installation is needed.

PHPLOT

This package lets you create charts using ACID. If you want to use this capability, download the module from www.phplot.com. Unpack it in the /www/htdocs directory, and just like ADOdb, it should be ready to use.

JpGraph

This program upgrades PHP to do color graphs. You'll need it, along with PHPLOT above, if you want to be able to graph your Snort data. Download it from www.aditus.nu/jpgraph/ and unzip it into your Web root directory (for example, /www/htdocs). It will create its own subdirectory and be available when needed by ACID.

GD

This package has the image manipulation libraries for PHP, which are also needed for graphing. If you installed PHP according to the instructions given earlier in this chapter, then you should already have this utility. Otherwise, download it from www.boutell.com/gd/ and install it in your /www/php directory. If you didn't compile PHP with the commands given earlier, you also need to make sure you have the following libraries for GD.

• libpng. This provides PNG-format support for GD. You can get it at www.libpng.org/pub/png/ or from your OS distribution disks.
• libjpeg-6b. This is a JPEG library for PHP. You can get it at www.ijg.org/ or from your OS distribution disks.
• zlib. This provides compression support for GD. You can get it at www.ijg.org/ or from your OS distribution disks.

Configuring Snort for MySQL

1. ACID assumes you have one or more Snort sensors up and running to feed it data. If you haven't already built your Snort sensors, refer back to Chapter 7. You must have your Snort sensors configured to log to a MySQL database. To do this, follow these steps when installing Snort.

• When first compiling Snort, use the following configure statement:

./configure --with-mysql=/usr/local/mysql

Make sure you specify the directory where MySQL is located on your machine.

• Edit the configuration file, snort.conf. Find the commented out line that starts with #output database. Edit it as follows:

output database: log,mysql,user=snort password=123456 dbname=snort host=localhost

Change the user snort and password to the correct database name and password you are going to use for ACID. ACID will create a database named "snort," although you can change this name by editing the ACID configuration file. If you are connecting to a local database, leave the host variable as localhost. If you are connecting to a database on a different machine, insert the IP address or hostname here.

2. Be sure to uncomment the line (delete the #), and then save the file.
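The Python script below is an added example, not code from the book, Snort, ACID, or MySQL, that ties the two database-account passages together: the MySQL lockdown list in Step 11 of "Setting Up a MySQL Server" (delete the standard users, limit where root may connect from, use application-specific accounts) and the output database line configured for Snort above. It parses a constructed snort.conf fragment to find the active output database directive, audits constructed rows in the shape of SELECT User, Host, Password FROM mysql.user against the lockdown rules, and then checks that the account Snort will log with is a dedicated, non-root account that actually exists for the host it connects from. The sample configuration, the sample user rows (with <hash> standing in for a stored password hash), the set of hosts root is allowed from, and the check that the book's placeholder password 123456 was changed are all assumptions made for this example.

```python
# Constructed snort.conf fragment: the first output line is the commented-out
# original, the second is the edited, active line.
SAMPLE_SNORT_CONF = """\
# output database: log, mysql, user=snort password=test dbname=snort host=localhost
output database: log,mysql,user=snort password=123456 dbname=snort host=localhost
output alert_syslog: LOG_AUTH LOG_ALERT
"""

# Constructed rows in the shape of (User, Host, Password) from mysql.user on a
# freshly installed server plus the accounts added for the tools; "<hash>" is a
# placeholder for a stored password hash, "" means no password is set.
SAMPLE_USERS = [
    ("root", "localhost", "<hash>"),
    ("root", "%", "<hash>"),
    ("", "localhost", ""),              # anonymous accounts the installer creates
    ("", "sensor1.example.test", ""),
    ("snort", "localhost", "<hash>"),   # dedicated account for the Snort sensor
    ("acid", "%", ""),                  # Web console account, left wide open
]

# Assumption for this example: the MySQL root account may only connect locally.
ALLOWED_ROOT_HOSTS = {"localhost", "127.0.0.1"}
PLACEHOLDER_PASSWORDS = {"", "123456"}   # the book's sample value must be replaced

DIRECTIVE = "output database:"


def parse_output_database(conf_text):
    """Return (active, commented): the parsed, uncommented 'output database:'
    directives as dicts, and how many such lines are still commented out."""
    active, commented = [], 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        body = line.lstrip("#").strip()
        if not body.startswith(DIRECTIVE):
            continue
        if line.startswith("#"):
            commented += 1
            continue
        rest = body[len(DIRECTIVE):].strip()
        # Snort syntax: <log|alert>, <database type>, then key=value pairs
        mode, _, rest = rest.partition(",")
        dbtype, _, params = rest.partition(",")
        entry = {"mode": mode.strip(), "type": dbtype.strip()}
        for pair in params.split():
            key, _, value = pair.partition("=")
            entry[key] = value
        active.append(entry)
    return active, commented


def audit_users(rows, allowed_root_hosts=ALLOWED_ROOT_HOSTS):
    """Apply the Step 11 lockdown rules to mysql.user rows.
    Returns (kind, user, host) findings, one per rule a row violates."""
    findings = []
    for user, host, password in rows:
        if user == "":
            findings.append(("anonymous-account", user, host))
        if user == "root" and host not in allowed_root_hosts:
            findings.append(("root-remote-host", user, host))
        if user not in ("", "root") and host == "%":
            findings.append(("wildcard-host", user, host))
        if password == "":
            findings.append(("empty-password", user, host))
    return findings


def check_snort_account(entry, rows):
    """Cross-check the account in the output database line against the
    user table: dedicated (not root, not anonymous), present for the host
    Snort connects from, and not using a placeholder password."""
    problems = []
    user, host = entry.get("user", ""), entry.get("host", "localhost")
    if user in ("", "root"):
        problems.append("snort logs as %r; use a dedicated account" % user)
    # MySQL matches the client host against the Host column; "%" matches any host.
    if not any(u == user and h in (host, "%") for u, h, _ in rows):
        problems.append("no mysql.user row for %s@%s" % (user, host))
    if entry.get("password", "") in PLACEHOLDER_PASSWORDS:
        problems.append("snort.conf password is empty or still the placeholder")
    return problems


if __name__ == "__main__":
    active, commented = parse_output_database(SAMPLE_SNORT_CONF)
    print("%d active output database line(s), %d still commented" % (len(active), commented))
    for kind, user, host in audit_users(SAMPLE_USERS):
        print("user table: %-18s %s@%s" % (kind, user or "''", host))
    for entry in active:
        for problem in check_snort_account(entry, SAMPLE_USERS):
            print("snort.conf: %s" % problem)
```

On the constructed data the audit reports the two anonymous accounts, root reachable from any host, the acid account open to any host, and three accounts with no password; the snort account itself passes except that the placeholder password from the book's sample line is still in snort.conf.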