JPGuillemin/Snorter

Snorter

HTML reporting tool for the network intrusion detection system SNORT

DESCRIPTION

SNORTER connects to the MySQL database and queries it for events generated by SNORT, or by any other sensor that writes alerts in the SNORT-DB format.

Features :

  • Hostility-based report (built from attack classes and Bayesian statistics)
  • Investigating events with whois queries, SNORT-DB queries, world map tracing...
  • Managing the database : deletion of events, with a choice of delete criteria (IPSRC, IPDST, SIGNATURE, DATE)
  • Event packet decode
  • Bayesian learning about false positives, activity graph, time-dispersion graph
  • Embedded web server
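The report and the database-management feature above both boil down to queries against the SNORT-DB tables. The script below is an added example, not Snorter's own code: it builds a reduced, constructed subset of the SNORT-DB schema (event, signature, sig_class, iphdr; column names follow the snortdb layout, which is an assumption) in an in-memory SQLite database, loads a few constructed alerts, produces a per-source hostility ranking and a per-class count, and implements the criterion-based deletion. The hostility score (sum of 4 minus the Snort priority of each alert) is an illustrative weighting, not Snorter's Bayesian method. The security point is in delete_events: the criterion and value come from a web form, so the criterion goes through an allow-list and the value is bound as a parameter rather than spliced into the SQL.

```python
import sqlite3
import ipaddress

# Reduced, constructed subset of the SNORT-DB schema (assumption: column
# names follow the snortdb layout; only the tables needed here are created).
SCHEMA = """
CREATE TABLE sig_class (sig_class_id INTEGER PRIMARY KEY, sig_class_name TEXT NOT NULL);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL,
                        sig_class_id INTEGER, sig_priority INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    ip_proto INTEGER, PRIMARY KEY (sid, cid));
"""

def ip2int(addr):
    """SNORT-DB stores IPv4 addresses as unsigned 32-bit integers."""
    return int(ipaddress.IPv4Address(addr))

def int2ip(n):
    return str(ipaddress.IPv4Address(n))

# Constructed sample alerts (documentation address ranges, not real traffic).
SAMPLE_EVENTS = [
    # (sid, cid, sig_id, timestamp, ip_src, ip_dst, ip_proto)
    (1, 1, 100, "2024-05-01 10:00:00", "203.0.113.7", "192.0.2.10", 6),
    (1, 2, 100, "2024-05-01 10:00:05", "203.0.113.7", "192.0.2.11", 6),
    (1, 3, 101, "2024-05-01 10:01:00", "203.0.113.7", "192.0.2.10", 6),
    (1, 4, 102, "2024-05-02 08:00:00", "198.51.100.4", "192.0.2.10", 17),
    (1, 5, 102, "2024-05-02 08:00:01", "192.0.2.5", "192.0.2.10", 17),
]

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sig_class VALUES (?, ?)",
                     [(1, "attempted-recon"), (2, "attempted-admin"), (3, "misc-activity")])
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?, ?)",
                     [(100, "SCAN nmap TCP", 1, 3),
                      (101, "WEB-ATTACKS /bin/sh access", 2, 1),
                      (102, "SNMP request udp", 3, 2)])
    for sid, cid, sig, ts, src, dst, proto in SAMPLE_EVENTS:
        conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (sid, cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?, ?)",
                     (sid, cid, ip2int(src), ip2int(dst), proto))
    conn.commit()
    return conn

def hostility_by_source(conn):
    """Rank source hosts.  Illustrative score: sum of (4 - sig_priority), so a
    priority-1 alert weighs 3 and a priority-3 alert weighs 1."""
    rows = conn.execute("""
        SELECT i.ip_src, COUNT(*) AS n, SUM(4 - s.sig_priority) AS score
        FROM event e
        JOIN signature s ON s.sig_id = e.signature
        JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        GROUP BY i.ip_src
        ORDER BY score DESC, n DESC, i.ip_src""").fetchall()
    return [(int2ip(src), n, score) for src, n, score in rows]

def events_by_class(conn):
    """Event count per Snort classification (the attack classes of the report)."""
    return conn.execute("""
        SELECT c.sig_class_name, COUNT(*) AS n
        FROM event e
        JOIN signature s ON s.sig_id = e.signature
        JOIN sig_class c ON c.sig_class_id = s.sig_class_id
        GROUP BY c.sig_class_name
        ORDER BY n DESC, c.sig_class_name""").fetchall()

# The criterion and value arrive from a web form: the criterion is mapped
# through this allow-list and the value is bound as a parameter, so neither
# can change the SQL text.
DELETE_CRITERIA = {
    "IPSRC":     "i.ip_src = ?",
    "IPDST":     "i.ip_dst = ?",
    "SIGNATURE": "e.signature = ?",
    "DATE":      "substr(e.timestamp, 1, 10) = ?",   # YYYY-MM-DD
}

def delete_events(conn, criterion, value):
    """Delete matching events (event + iphdr rows); returns the number removed."""
    if criterion not in DELETE_CRITERIA:
        raise ValueError("unknown delete criterion: %r" % criterion)
    if criterion in ("IPSRC", "IPDST"):
        value = ip2int(value)          # ValueError on a malformed address
    elif criterion == "SIGNATURE":
        value = int(value)             # ValueError on a non-numeric signature id
    ids = conn.execute(
        "SELECT e.sid, e.cid FROM event e "
        "JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid WHERE "
        + DELETE_CRITERIA[criterion], (value,)).fetchall()
    conn.executemany("DELETE FROM iphdr WHERE sid = ? AND cid = ?", ids)
    conn.executemany("DELETE FROM event WHERE sid = ? AND cid = ?", ids)
    conn.commit()
    return len(ids)

if __name__ == "__main__":
    db = build_db()
    print(hostility_by_source(db))
    print(events_by_class(db))
    print("deleted", delete_events(db, "IPSRC", "203.0.113.7"))
```

Against a real SNORT-DB the same queries run unchanged on MySQL apart from the date truncation, which would use DATE(e.timestamp); the allow-list pattern is what matters, since the column to filter on cannot be a bound parameter and must therefore never be taken verbatim from the request.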

Screenshots : (images not reproduced in this text version)

Requirements :

The following required Perl modules are included in the Snorter package

For information on how to install Snort with MySQL support, see :
http://www.snort.org/docs/snortdb/snortdb.html
http://www.snort.org/docs/snortdb/snortdb_config.html
http://www.snort.org/docs/snortdb.png

INSTALL&RUN____________________________________________________________________________________________________

  1. First untar the package and cd into the SNORTER directory.

  2. Edit the Makefile to check the default install and network connection options :

       ROOT = /opt/snorter
       SOURCEPATH = .
       CONFIGPATH = /etc/snorter
       BIN=snorter.sh
       BINPATH=/usr/sbin

       certname = snorter
       life = 730
       keylength = 1024
       listenport = 666
       listen_ip = 127.0.0.1

       KEY_REPOSITORY = $(CONFIGPATH)/ssl_key
       SSL_PROGRAM = /usr/bin/openssl

     Note that a 1024-bit RSA key is considered weak today (2048 bits is the usual minimum), so raise keylength before running the install, and keep listen_ip on 127.0.0.1 unless the host is otherwise protected, since the web interface prompts for MySQL credentials.

  3. Do a "make install" ; the setup will ask you for :

     • the information needed to build the SSL certificate
     • the information needed to install the Perl GD graphics library

  4. Start Snorter in the background with "snorter.sh &".

  5. Connect with your favorite browser to the address and port specified in the Makefile (default is 127.0.0.1:666). You will be prompted for the MySQL connection parameters.

That's all, have fun :))

TROUBLESHOOTING&CUSTOMIZATION__________________________________________________________________________________________

  1. Configuration files ?

     -> The configuration file "snorter.conf" is found by default in /etc/snorter :

        port=666
        addtype_pl=internal/cgi
        realm=Miniserv Perl Web Server
        logfile=/var/log/miniserv.log
        errorlog=/var/log/miniserv.error
        pidfile=/var/log/miniserv.pid
        keyfile=/etc/snorter/ssl_key/snorter.pem
        logtime=600
        ssl=1
        listen=127.0.0.1:666
        log=1
        syslog=1
        session=1
        root=/opt/snorter/webroot
        mimetypes=/etc/snorter/mime.types

  2. No connection ?

     -> port 666 must be open ("nmap -p 666 127.0.0.1" will tell you :)
     -> the "miniserv.pl" process must be running ("ps -A" will tell you :)

  3. Can't locate SOME_MODULE.pm in @INC (@INC contains: ...) ?

     After a successful connection (the SSL certificate was approved), the web server says "Can't locate SOME_MODULE.pm in @INC (@INC contains: ...)".

     -> Your Perl environment is incomplete. Search http://search.cpan.org/ for the missing module and install it.
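The Makefile options in the install section and the snorter.conf above are the two places where the listener's exposure and its TLS settings are fixed. The script below is an added example, not part of Snorter: it parses the key=value syntax both files share and flags the settings a reviewer would want changed. It assumes keylength is the RSA modulus size handed to openssl (2048 bits is treated as the floor), that the web interface should stay bound to a loopback address, and that ssl=0 would expose the browser session, including the MySQL login prompt, in clear text. The inputs are constructed copies of the README defaults next to altered variants.

```python
import ipaddress

def parse_kv(text):
    """Parse 'key = value' lines (Makefile variables and snorter.conf alike);
    blank lines and '#' comments are skipped, values may contain spaces."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"

def check_makefile(text, min_bits=2048):
    """Assumption: keylength is the RSA modulus size passed to openssl."""
    cfg = parse_kv(text)
    findings = []
    bits = int(cfg.get("keylength", "0"))
    if bits < min_bits:
        findings.append("keylength=%d: RSA key below %d bits, raise it before make install"
                        % (bits, min_bits))
    if not is_loopback(cfg.get("listen_ip", "")):
        findings.append("listen_ip=%s: web interface reachable beyond loopback"
                        % cfg.get("listen_ip"))
    return findings

def check_snorter_conf(text):
    cfg = parse_kv(text)
    findings = []
    if cfg.get("ssl") != "1":
        findings.append("ssl=%s: browser session, including the MySQL login prompt, is unencrypted"
                        % cfg.get("ssl"))
    host, _, _port = cfg.get("listen", "").rpartition(":")
    if not is_loopback(host):
        findings.append("listen=%s: not bound to loopback" % cfg.get("listen"))
    return findings

# Constructed inputs: the *_DEFAULT strings reproduce the README values, the
# others show the same keys with the weak/exposed and the hardened settings.
MAKEFILE_DEFAULT = """
ROOT = /opt/snorter
certname = snorter
life = 730
keylength = 1024
listenport = 666
listen_ip = 127.0.0.1
"""

MAKEFILE_HARDENED = MAKEFILE_DEFAULT.replace("keylength = 1024", "keylength = 4096")

SNORTER_CONF_DEFAULT = """
port=666
realm=Miniserv Perl Web Server
keyfile=/etc/snorter/ssl_key/snorter.pem
ssl=1
listen=127.0.0.1:666
"""

SNORTER_CONF_EXPOSED = SNORTER_CONF_DEFAULT.replace("ssl=1", "ssl=0").replace(
    "listen=127.0.0.1:666", "listen=0.0.0.0:666")

if __name__ == "__main__":
    for name, result in (("Makefile", check_makefile(MAKEFILE_DEFAULT)),
                         ("Makefile (hardened)", check_makefile(MAKEFILE_HARDENED)),
                         ("snorter.conf", check_snorter_conf(SNORTER_CONF_DEFAULT)),
                         ("snorter.conf (exposed)", check_snorter_conf(SNORTER_CONF_EXPOSED))):
        print(name, result or "ok")
```

Run against the shipped defaults it reports only the key length; the snorter.conf defaults pass because ssl=1 and the listener is on 127.0.0.1. The "nmap -p 666 127.0.0.1" check in item 2 only proves the loopback bind, so a listen value of 0.0.0.0 would still look healthy there while exposing the interface on every address.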
