Snort-Base Enhancements

From ChekMate Security Group

Introduction

Snort and BASE are both excellent tools and very useful for monitoring intrusion attempts within your network, but it is difficult to get a clear picture of which events are happening, and when, within a specific period. The following scripts present a summary of the events and tie back to BASE to pull details.

  • base_summary.php reports on the total number of alerts within the specified time period, breaking it down into the IP Protocol groups (TCP, UDP, ICMP and Portscans) and which events triggered.
  • base_details.php reports on a specific Snort signature and is called from base_summary.php. It reports what IP address links are involved with the event.
  • base_fulldetails.php reports on all Snort signatures. It reports what IP address links are involved with each event.

Maintainer

Shannon McNaught (smcnaught)

License

base_summary.php/base_details.php 
  - Reports events from BASE in more meaningful presentation

Copyright (C) 2005  Shannon McNaught

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

Sourcefire, the Sourcefire logo, Snort, the Snort logo, Intrusion Sensor, Intrusion Agent, Real-time Network Awareness, RNA Sensor, Defense Center, Success Pack, and 3D System, are trademarks or registered trademarks of Sourcefire, Inc.

Download

Installation

1. Copy base_summary.php, base_fulldetails.php and base_details.php to your base/scripts directory.

> emacs /var/www/html/base/scripts/base_summary.php
> emacs /var/www/html/base/scripts/base_details.php
> emacs /var/www/html/base/scripts/base_fulldetails.php

2. Edit base_summary.php, base_fulldetails.php and base_details.php to communicate with your snort database:

#################################################################################
#
# Change the following parameters:
#
#################################################################################

$db_server = 'localhost';
$db_user = 'username';
$db_pwd = 'password';
$db_name = 'database';

3. Modify base_main.php

In base_main.php, at approximately line 317, replace:

<tr><td align="center" valign="top">
<B><A HREF="base_qry_main.php?new=1"><?php echo _SEARCH; ?></A></B><br>
<B><A HREF="base_graph_main.php"><?php echo _GALERTD; ?></A></B><br>
<A HREF="base_stat_time.php"><?php echo _GALERTDT; ?></A><br><br>
<?php DBLink(); ?>
</td></tr></table>

with:

<tr><td align=right><table>
<tr><td colspan=3 align='center'><a href="/base/scripts/base_summary.php" target="_new">Summary Report</a></td></tr>
<tr>
<td align="left" valign="top"><B><A HREF="base_qry_main.php?new=1"><?php echo _SEARCH; ?></A></B></td>
<td align="center" valign="top"><B><A HREF="base_graph_main.php"><?php echo _GALERTD; ?></A></B></td>
<td align="right" valign="top"><A HREF="base_stat_time.php"><?php echo _GALERTDT; ?></A></td>
</tr>
<tr><td colspan=3><?php DBLink(); ?></td></tr>
</table></td></tr></table>

Change Log

  • Nothing to document.

Screenshots

References

Snort and the Snort logo are trademarks or registered trademarks of Sourcefire, Inc.

SNORT Tables

Description of the relevant table within the snort database:

acid_event;
+--------------+------------------+------+-----+---------------------+-------+
| Field        | Type             | Null | Key | Default             | Extra |
+--------------+------------------+------+-----+---------------------+-------+
| sid          | int(10) unsigned |      | PRI | 0                   |       |
| cid          | int(10) unsigned |      | PRI | 0                   |       |
| signature    | int(10) unsigned |      | MUL | 0                   |       |
| sig_name     | varchar(255)     | YES  | MUL | NULL                |       |
| sig_class_id | int(10) unsigned | YES  | MUL | NULL                |       |
| sig_priority | int(10) unsigned | YES  | MUL | NULL                |       |
| timestamp    | datetime         |      | MUL | 0000-00-00 00:00:00 |       |
| ip_src       | int(10) unsigned | YES  | MUL | NULL                |       |
| ip_dst       | int(10) unsigned | YES  | MUL | NULL                |       |
| ip_proto     | int(11)          | YES  | MUL | NULL                |       |
| layer4_sport | int(10) unsigned | YES  | MUL | NULL                |       |
| layer4_dport | int(10) unsigned | YES  | MUL | NULL                |       |
+--------------+------------------+------+-----+---------------------+-------+
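The following is an added example (not code from the ChekMate scripts) showing the two queries these scripts perform against the acid_event table above: a per-period count by protocol group and by signature, as base_summary.php does, and the source/destination address pairs behind one signature, as base_details.php does. It uses an in-memory SQLite table with constructed rows; the rule that classifies portscan rows by "portscan" in sig_name is an assumption of this example.

```python
import sqlite3
import ipaddress

# Constructed sample rows in the shape of the acid_event table on this page
# (signature names, addresses and times are made up for the example).
SAMPLE_EVENTS = [
    # sid, cid, signature, sig_name, timestamp, ip_src, ip_dst, ip_proto, sport, dport
    (1, 1, 10, "ICMP PING", "2005-06-01 10:00:00", 3232235777, 3232235876, 1, None, None),
    (1, 2, 20, "WEB-MISC test attempt", "2005-06-01 10:05:00", 167772161, 3232235876, 6, 4444, 80),
    (1, 3, 20, "WEB-MISC test attempt", "2005-06-01 10:06:00", 167772161, 3232235876, 6, 4445, 80),
    (1, 4, 30, "SNMP request udp", "2005-06-01 11:30:00", 167772162, 3232235876, 17, 1024, 161),
    (1, 5, 40, "(portscan) TCP Portscan", "2005-06-01 11:45:00", 167772161, 3232235876, None, None, None),
    (1, 6, 20, "WEB-MISC test attempt", "2005-06-02 09:00:00", 167772161, 3232235876, 6, 4446, 80),
]

def load_sample_db():
    """Build an in-memory acid_event table (the columns used here) from the sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE acid_event (
        sid INTEGER, cid INTEGER, signature INTEGER, sig_name TEXT, timestamp TEXT,
        ip_src INTEGER, ip_dst INTEGER, ip_proto INTEGER,
        layer4_sport INTEGER, layer4_dport INTEGER, PRIMARY KEY (sid, cid))""")
    db.executemany("INSERT INTO acid_event VALUES (?,?,?,?,?,?,?,?,?,?)", SAMPLE_EVENTS)
    return db

def proto_group(ip_proto, sig_name):
    """Map a row to TCP/UDP/ICMP/Portscan. Assumption: portscan rows carry no IP
    protocol and are recognised by their signature name; others by IP protocol number."""
    if sig_name and "portscan" in sig_name.lower():
        return "Portscan"
    return {6: "TCP", 17: "UDP", 1: "ICMP"}.get(ip_proto, "Other")

def summarize(db, start, end):
    """Count alerts with start <= timestamp < end, by protocol group and by signature."""
    rows = db.execute("SELECT ip_proto, sig_name, signature FROM acid_event "
                      "WHERE timestamp >= ? AND timestamp < ?", (start, end)).fetchall()
    by_proto, by_sig = {}, {}
    for ip_proto, sig_name, signature in rows:
        group = proto_group(ip_proto, sig_name)
        by_proto[group] = by_proto.get(group, 0) + 1
        by_sig[(signature, sig_name)] = by_sig.get((signature, sig_name), 0) + 1
    return {"total": len(rows), "by_proto": by_proto, "by_sig": by_sig}

def addresses_for_signature(db, signature, start, end):
    """Distinct (src, dst) pairs for one signature in the period; ip_src/ip_dst are
    stored as unsigned 32-bit integers, so convert them to dotted quads for display."""
    rows = db.execute("SELECT DISTINCT ip_src, ip_dst FROM acid_event WHERE signature = ? "
                      "AND timestamp >= ? AND timestamp < ?", (signature, start, end)).fetchall()
    return [(str(ipaddress.IPv4Address(s)), str(ipaddress.IPv4Address(d))) for s, d in rows]
```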