Intrusion detection systems with snort: Advanced IDS techniques with snort , apache, MySQL, PHP and ACID

nyard is still in experimental form at the time of writing this book. You can download the latest version from the Snort web site and read the included file about installation and use of the tool. Basically you have to carry out the following three steps to compile and install it. 1. Run the configure script with a prefix command line parameter to define the directory where you intend to install it. A typical command line may be "configure –- prefix=/opt/barnyard". 2. Run the make command. 3. Run the make install command to install it. 182 You also need to edit the barnyard.conf file before using the tool. I am omitting a detailed discussion because the process may change significantly by the time you read this book. WARNING At the time of writing this book, Barnyard is still in the development process and the installation may differ significantly in the final release of the package. 6.6 References 1. ACID is available from 2. Apache web site at 3. PHP web site at 4. GD library at 5. PHPLOT package at 6. ADODB package at 7. SnortSnarf at 8. ADODB FAQ at 183 Chapter 7. Miscellaneous Tools At this point you have built your completely working Snort system with database backend and web-based user interface. This chapter introduces a few useful tools that you can use with this system to make management simple and to enhance the capabilities of your system. You will also learn how to make your system secure. These components are briefly introduced below. IDS Manager is a Microsoft Windows-based GUI tool to manage Snort rules and the Snort configuration file snort.conf. Using this tool, you can carry out different tasks like: • Downloading the current configuration file snort.conf and rules from an operational Snort sensor. • Modifying the configuration file and rules. • Uploading the modified configuration to the sensor. Using IDS Manager, you can manage multiple Snort sensors. The only catch is that it uses SSH server, which must be running on the Snort sensor. SnortSam is another tool that can integrate Snort with firewalls. Using this package with Snort, you can modify firewall configuration. The usefulness of this technique is still debatable as it may open up the firewall for denial of service (DoS) attacks. Another topic discussed in this chapter is the security of the web server where ACID is installed. Up to now you have not done anything to secure the web server. Anybody can access the ACID console and delete the data collected by Snort. Here you will learn a few methods of securing the web server itself. 7.1 SnortSam SnortSam is a tool used to make Snort work with most commonly used firewalls. It is used to create a Firewall/IDS combined solution. You can configure your firewall automatically to block offending data and addresses from entering your system when intruder activity is detected. It is available from where you can find the latest information. The tool consists of two parts: 1. A Snort output plug-in that is installed on the Snort sensor. 2. An agent that is installed on a machine close to Firewall or Firewall itself. Snort communicates to the agent using the output plug-in in a secure way. At the time of writing this book, the tools support the following firewalls: • IP filter-based firewalls • Checkpoint Firewall-1 • Cisco PIX • Netscreen 184 The output plug-in, which is compiled with Snort, provides new keywords that can be used to control firewall behavior. For compiling Snort, refer to Chapter 2. In a typical scheme where you are using Checkpoint Firewall, you can run the SnortSam agent on the firewall itself. Figure 7-1 shows a typical scheme where a Snort sensor is controlling two Checkpoint firewalls. These firewalls may be running on Linux, Windows or other UNIX platforms supported by Checkpoint. Figure 7-1. Running SnortSam on Checkpoint Firewall. In a typical situation where you don't have a Checkpoint firewall, you will run the agent on another system, located close to the firewall. Depending on the type of your firewall, you will add plug-ins to the SnortSam agent to control a particular type of firewall. For example, to control a Cisco router access list, you will use the relevant plug-in available from the SnortSam web site. The scheme is shown in Figure 7-2 where the sensor sends messages to the agent system where the SnortSam agent is running. The agent system will then update configuration of the firewall or routers depending on the policy. Figure 7-2. Running SnortSam with a separate agent to control multiple firewalls. 185 Documentation, examples, and information about how to install SnortSam are available on its web site. You can find information about the changes you need to make for a particular type of firewall in the snort.conf file. You should think twice about modifying firewall policy; it may lead to Denial of Service (DoS) attacks. For example, if someone sends you a message resulting in the blocking of root name server addresses, your DNS server will fail. 7.2 IDS Policy Manager IDS policy manager is a Microsoft Windows based GUI. It is used to manage the Snort configuration file and Snort rules on a sensor. It is available from its web site At the time of writing this book, beta version 1.3 is available from this web site and it supports Snort versions up to 1.9.0. You can download the software and install it using normal Windows installation procedures. When you start the software, a window like the one shown in Figure 7-3 is displayed. Figure 7-3. IDS Policy Manager Window. 186 As you can see, this window is initially empty. It has three tabs at the bottom, as explained below: • The "Sensor Manager" tab shows the sensors that you are managing with this tool. Initially there is no sensor listed in the window because you have to add sensors after installing IDS Manager. This is the default tab when you start the Policy Manager. • The "Policy Manager" tab shows configured policies. A policy includes snort.conf file parameters (variables, input and output plug-ins, include files) as well as a list of rules that belong to that policy. • The "Logging" tab shows log messages. You can click on any of these tabs to switch to a particular window. To add a new sensor, you can click on the "Sensor" menu and chose the "Add Sensor" option. A pop-up window like the one shown in Figure 7-4 appears where you fill out information about the sensor. Figure 7-4. Adding a new sensor to IDS Policy Manager. 187 The screen shot shown in Figure 7-4 is taken after filling out information in blank fields. You have to enter the following information about a sensor: • Sensor name, which is "MyHome Sensor" in this example. • IP address of sensor which is 192.168.1.2. You have to fill out the IP address of your sensor in this box. • The "IDS System" box is used to specify which version of Snort is being used on the sensor. Different Snort versions have slightly different parameters for input and output plug-ins as well as keywords used in rules. It's important to use correct information in this option. • The policy name is "Official". You can use a different name for the policy. The sensor policy is downloaded and stored on the machine where IDS Policy Manager is being installed. • The "Upload Information" section includes parameters that are needed to transfer files from and to the sensor. • The SCP method uses SSH server running on the sensor. User name and password are used to log in to the Snort sensor to upload and download files. The "Upload Directory" shows the location of the snort.conf file on the Snort sensor. Since the location of other rule files is mentioned in the snort.conf file, you don't need to specify names and locations of other rule files. 188 After entering this information, you can click "OK" to add the sensor. After adding the sensor, the first task is to download policy from the sensor you added in the previous step. For this purpose, you can use the "Download Policy from Sensor" option in the "Sensor" menu. After downloading the policy, you can click on the "Policy Manager" tab at the bottom of the screen to edit the policy. When you click here, you will see the screen with a list of currently available policies. Since you used "Official" as the name of the policy while adding the sensor, this policy must be present in the list. To edit the policy, double click the policy name and a Policy Editor window will appear, as shown in Figure 7-5. Figure 7-5. The Policy Editor window with list of rules. On the left hand side of the window shown in Figure 7-5 is a list of different classes of rules used on the sensor. The right hand side of the window shows a description of the class and individual rules included in that class. To modify a rule, you can double click that rule and a window like the one shown in Figure 7-6 will appear where you can modify different parts of a rule. Figure 7-6. Modifying a rule in IDS Policy Manager. 189 The pull-down menus in the right side of the window shown in Figure 7-6 make it very easy to modify rules. For example, to modify protocol used in the rule, you can click the pull-down menu button and a list of supported protocols will appear. To modify other parts of the snort.conf file, you can click the "Settings" tab on the top left side of the window. A window like the one shown in Figure 7-7 appears where you can modify input and output plug-ins and values of different variables. Figure 7-7. The Policy Editor window with snort.conf settings. As you can see in the screen shot in Figure 7-7, the database user name and passwords are displayed. These are the same ones we used in Chapter 5 while configuring the MySQL database. 190 After making changes to the policy, you can close this window. Now you can upload it to the sensor using options in the "Sensor" menu of the main menu. IDS Policy Manager makes it very easy to modify sensor policies. It does almost all of the tasks that are discussed in Chapter 3 and Chapter 4. 7.3 Securing the ACID Web Console As you have seen in Chapter 6, ACID is a very useful tool for viewing and managing data generated by the Snort sensors. However, there is one issue that is not yet resolved—security of ACID. If the web server running ACID is not secure, anybody can go to the ACID web pages and modify, archive, and delete data in the database using ACID. As you have seen, the user name and password are hard coded in the ACID configuration file acid_conf.php and the person viewing ACID web pages does not need to know the database user name and password to delete information from the database. There are multiple methods that you can adopt to achieve security. 7.3.1 Using a Private Network There are different ways to make ACID secure. One way is to use a private network for all Snort sensors and the centralized database server where ACID and Apache are installed so that their IP addresses are not visible from the Internet. This scheme is still vulnerable to the internal users who have access to this private network. 7.3.2 Blocking Access to the Web Server on the Firewall Another method is to block access to your web server from the firewall so that nobody from the Internet can access the web server. Again this scheme is still vulnerable to internal users. 7.3.3 Using iptables Another way is to use iptables to allow only your own computer to access port 80 on the web server. This is the most secure method because it protects your web server and ACID from both internal and external users. You can use a simple command to block all incoming connections except your own workstation, which has an IP address 192.168.1.100. iptables -A INPUT -s ! 192.168.1.100 -j DROP The command is case sensitive. This command blocks all connections except ones from host 192.168.1.100, which is your own workstation where you use the web browser. This is not a comprehensive tutorial on how to use the iptables command. You can either use the "man iptables" command to get more information about iptables-based firewalls or read Rusty's guide for iptables at HOWTO/index.html. 191 Once you use the above command, nobody from any other host will be able to access ANY service on the machine where you used this command. All existing connections will be dropped. You are warned! 7.4 Easy IDS Easy IDS is an integrated system available from for the Linux operating system. It has all of the necessary components to build a complete IDS quickly. These components are precompiled and configured for easy installation. The package includes: • Snort • Apache Web server • MySQL server • ACID • PHPLOT • ADODB The installation script installs all of these components and creates startup and shutdown script links. This is a good choice for people who want to get something running quickly. At the time of writing this book, you have to ask for an evaluation CD from the company to test it. It may be available for free download from the company web site in the future. 7.5 References 1. SnortSam at 2. Activeworx web site at 3. Rusty's Unreliable Guides at 4. Easy IDS at 192 Appendix A. Introduction to tcpdump Tcpdump is a packet capture tool. It can grab packets flowing on the network, match them to some criteria and then dump them on the screen or into a file. It is available on most of the UNIX platforms. On Linux machines, you need to be the root user to run tcpdump. If you save the captured data in a file, you can view the file later using tcpdump. Since Snort can also store data in the tcpdump format in files, it becomes an interesting tool for many people to view Snort files that have been created in the tcpdump format. The typical output of the command when used on the command prompt without any argument is as follows: [View full width] [root@conformix]# tcpdump Kernel filter, protocol ALL, TURBO mode (575 frames), datagram packet socket tcpdump: listening on all devices 13:05:52.216049 eth0 dti414.1245: P 1578894642:1578894674(32) ack 3347166818 win 63520 (DF) 13:05:52.216049 eth0 > dti414.1245 > rr-laptop.6001: . 1:1449(1448) ack 32 win 63712 <nop ,nop,timestamp 53292021 453029> (DF) 13:05:52.216049 eth0 > dti414.1245 > rr-laptop.6001: P 1449:2045(596) ack 32 win 63712 (DF) 13:05:52.216049 eth0 dti414.1245: . 32:32(0) ack 2045 win 64240 <nop ,nop,timestamp 453029 53292021> (DF) 13:05:52.226049 eth0 > dti414.1245 > rr-laptop.6001: . 2045:3493(1448) ack 32 win 63712 (DF) 13:05:52.226049 eth0 > dti414.1245 > rr-laptop.6001: P 3493:4089(596) ack 32 win 63712 (DF) 13:05:52.226049 eth0 dti414.1245: . 32:32(0) ack 4089 win 64240 <nop ,nop,timestamp 453029 53292022> (DF) You can use a number of command line switches with the command. A list of switches is available on the manual pages. The important switch to use with Snort is -r , where filename is the file containing Snort data. Simple Snort log files can't be used with this option. Only the files that are created in the tcpdump format can be read by the command. Appendix B. Getting Started with MySQL MySQL is probably the most popular open source database. It is available for Linux and you can download and install it on your Linux machine. The package is available in source code format as well as binary files. The easiest way to install it is to download the RPM file and install it on 193 your Linux machine. I have used RedHat Linux 7.1 on my machine and installed the MySQL package that came with it. MySQL has two basic parts, the server and the utilities used to administer the server and connect to it. If you install the RPM package, the startup script will be copied into the /etc/init.d directory which you use to start the database at boot time. Client utilities are available to manage the database. MySQL is an easy database to use. This appendix contains some very basic commands that you can use to get started with the database. This is not a MySQL manual or tutorial by any means. Comprehensive information about MySQL can be obtained from web site. For New Users of MySQL The MySQL server daemon, mysqld, can be started using the startup script. It listens to incoming connection requests from clients. The package comes with mysql client program that you can use to connect to the database and carry out some system administration tasks as well as add/update/delete records in the database. You can have multiple databases and at the time of connection you can define to which database you want to connect. Starting and Stopping MySQL Server You can start and stop MySQL Server using startup script /etc/init.d/mysqld on Linux machines. This script is shown below: #!/bin/bash # # mysqld This shell script takes care of starting # and stopping # the MySQL subsystem (mysqld). # # chkconfig: - 78 12 # description:MySQL database server. # processname: mysqld # config: /etc/my.cnf # pidfile: /var/run/mysqld/mysqld.pid # Source function library. . /etc/rc.d/init.d/functions # Source networking configuration. . /etc/sysconfig/network # Source subsystem configuration. [ -f /etc/sysconfig/subsys/mysqld ] && . /etc/sysconfig/subsys/mysqld prog="MySQL" 194 start(){ touch /var/log/mysqld.log chown mysql.mysql /var/log/mysqld.log chmod 0640 /var/log/mysqld.log if [ ! -d /var/lib/mysql/mysql ] ; then action $"Initializing MySQL database: " /usr/bin/mysql_install_db ret=$? chown -R mysql.mysql /var/lib/mysql if [ $ret -ne 0 ] ; then return $ret fi fi chown mysql.mysql /var/lib/mysql chmod 0755 /var/lib/mysql /usr/bin/safe_mysqld --defaults-file=/etc/my.cnf >/dev/null 2>&1 & ret=$? if [ $ret -eq 0 ]; then action $"Starting $prog: " /bin/true else action $"Starting $prog: " /bin/false fi [ $ret -eq 0 ] && touch /var/lock/subsys/mysqld return $ret } stop(){ /bin/kill `cat /var/run/mysqld/mysqld.pid 2> /dev/null ` > /dev/null 2>&1 ret=$? if [ $ret -eq 0 ]; then action $"Stopping $prog: " /bin/true else action $"Stopping $prog: " /bin/false fi [ $ret -eq 0 ] && rm -f /var/lock/subsys/mysqld [ $ret -eq 0 ] && rm -f /var/lib/mysql/mysql.sock return $ret } restart(){ stop start } condrestart(){ [ -e /var/lock/subsys/mysqld ] && restart || : } reload(){ [ -e /var/lock/subsys/mysqld ] && mysqladmin reload } # See how we were called. case "$1" in start) start ;; stop) 195 stop ;; status) status mysqld ;; reload) reload ;; restart) restart ;; condrestart) condrestart ;; *) echo $"Usage: $0 {start|stop|status|reload|condrestart|restart}" exit 1 esac exit $? To start the server, use the following commands: /etc/init.d/mysqld start When you start MySQL for the first time, you will see the following messages on your screen: [root@conformix /root]# /etc/init.d/mysqld start Initializing MySQL database: [ OK ] Starting MySQL: [ OK ] [root@conformix /root]# The next time you start MySQL, it will not show the first line of output because it only needs to initialize its own database the first time you start it. To stop the database, use the following command: [root@conformix /root]# /etc/init.d/mysqld stop Stopping MySQL: [ OK ] [root@conformix /root]# If the script is not available on your platform, you can create a similar script yourself for your particular UNIX platform. MySQL Server Configuration File At startup time, the server uses its configuration file /etc/my.cnf as mentioned in this startup script. The default configuration file that came with my distribution of Linux 7.1 is shown below: [mysqld] datadir=/var/lib/mysql socket=/var/lib/mysql/mysql.sock 196 [mysql.server] user=mysql basedir=/var/lib [safe_mysqld] err-log=/var/log/mysqld.log pid-file=/var/run/mysqld/mysqld.pid Database Storage Files Each database is stored in a directory under /var/lib/mysql top level directory (configurable through my.cnf file). For example, if you use "snort" as the database name, all files in this database will be located in the directory /var/lib/mysql/snort. You have used a script to create tables in this database in Chapter 5. The typical contents of this directory after creating all tables is as follows: [root@laptop]# ls -l /var/lib/mysql/snort total 4080 -rw-rw---- 1 mysql mysql 8614 Apr 30 14:30 data.frm -rw-rw---- 1 mysql mysql 0 Apr 30 14:30 data.MYD -rw-rw---- 1 mysql MYSQL 1024 Apr 30 14:30 data.MYI -rw-rw---- 1 mysql mysql 8606 Apr 30 14:30 detail.frm -rw-rw---- 1 mysql mysql 40 Apr 30 14:30 detail.MYD -rw-rw---- 1 mysql mysql 2048 Apr 30 14:30 detail.MYI -rw-rw---- 1 mysql mysql 8614 Apr 30 14:30 encoding.frm -rw-rw---- 1 mysql mysql 60 Apr 30 14:30 encoding.MYD -rw-rw---- 1 mysql mysql 2048 Apr 30 14:30 encoding.MYI -rw-rw---- 1 mysql mysql 8642 Apr 30 14:30 event.frm -rw-rw---- 1 mysql mysql 0 Apr 30 14:30 event.MYD -rw-rw---- 1 mysql mysql 1024 Apr 30 14:30 event.MYI -rw-rw---- 1 mysql mysql 8802 Apr 30 14:39 flags.frm -rw-rw---- 1 mysql mysql 17476 Apr 30 14:39 flags.MYD -rw-rw---- 1 mysql mysql 1024 Apr 30 14:39 flags.MYI -rw-rw---- 1 mysql mysql 8738 Apr 30 14:30 icmphdr.frm -rw-rw---- 1 mysql mysql 0 Apr 30 14:30 icmphdr.MYD -rw-rw---- 1 mysql mysql 1024 Apr 30 14:30 icmphdr.MYI -rw-rw---- 1 mysql mysql 8920 Apr 30 14:30 iphdr.frm -rw-rw---- 1 mysql mysql 0 Apr 30 14:30 iphdr.MYD -rw-rw---- 1 mysql mysql 1024 Apr 30 14:30 iphdr.MYI -rw-rw---- 1 mysql mysql 8728 Apr 30 14:30 opt.frm -rw-rw---- 1 mysql mysql 0 Apr 30 14:30 opt.MYD -rw-rw---- 1 mysql mysql 1024 Apr 30 14:30 opt.MYI -rw-rw---- 1 mysql mysql 8624 Apr 30 14:39 protocols.frm -rw-rw---- 1 mysql mysql 6248 Apr 30 14:39 protocols.MYD -rw-rw---- 1 mysql mysql 1024 Apr 30 14:39 protocols.MYI -rw-rw---- 1 mysql mysql 8630 Apr 30 14:30 reference.frm -rw-rw---- 1 mysql mysql 0 Apr 30 14:30 reference.MYD -rw-rw---- 1 mysql mysql 1024 Apr 30 14:30 reference.MYI -rw-rw---- 1 mysql mysql 8618 Apr 30 14:30 reference_system.frm -rw-rw---- 1 mysql mysql 0 Apr 30 14:30 reference_system.MYD -rw-rw---- 1 mysql mysql 1024 Apr 30 14:30 reference_system.MYI -rw-rw---- 1 mysql mysql 8580 Apr 30 14:30 schema.frm -rw-rw---- 1 mysql mysql 13 Apr 30 14:30 schema.MYD -rw-rw---- 1 mysql mysql 2048 Apr 30 14:30 schema.MYI 197 -rw-rw---- 1 mysql mysql 8706 Apr 30 14:30 sensor.frm -rw-rw---- 1 mysql mysql 0 Apr 30 14:30 sensor.MYD -rw-rw---- 1 mysql mysql 1024 Apr 30 14:30 sensor.MYI -rw-rw---- 1 mysql mysql 8648 Apr 30 14:39 services.frm -rw-rw---- 1 mysql mysql 3686536 Apr 30 14:39 services.MYD -rw-rw---- 1 mysql mysql 1024 Apr 30 14:39 services.MYI -rw-rw---- 1 mysql mysql 8614 Apr 30 14:30 sig_class.frm -rw-rw---- 1 mysql mysql 0 Apr 30 14:30 sig_class.MYD -rw-rw---- 1 mysql mysql 1024 Apr 30 14:30 sig_class.MYI -rw-rw---- 1 mysql mysql 8730 Apr 30 14:30 signature.frm -rw-rw---- 1 mysql mysql 0 Apr 30 14:30 signature.MYD -rw-rw---- 1 mysql mysql 1024 Apr 30 14:30 signature.MYI -rw-rw---- 1 mysql mysql 8616 Apr 30 14:30 sig_reference.frm -rw-rw---- 1 mysql mysql 0 Apr 30 14:30 sig_reference.MYD -rw-rw---- 1 mysql mysql 1024 Apr 30 14:30 sig_reference.MYI -rw-rw---- 1 mysql mysql 8888 Apr 30 14:30 tcphdr.frm -rw-rw---- 1 mysql mysql 0 Apr 30 14:30 tcphdr.MYD -rw-rw---- 1 mysql mysql 1024 Apr 30 14:30 tcphdr.MYI -rw-rw---- 1 mysql mysql 8704 Apr 30 14:30 udphdr.frm -rw-rw---- 1 mysql mysql 0 Apr 30 14:30 udphdr.MYD -rw-rw---- 1 mysql mysql 1024 Apr 30 14:30 udphdr.MYI [root@laptop]# As you may have figured out, there are three files related to each table in the database. To find out how many databases are present on your system, just list the directories under /usr/lib/mysql. Basic MySQL Commands This section presents some very basic MySQL commands. These commands are required to do basic operations with the database. Creating a Database First of all you have to login to create a database. You can login as user "root" to MySQL server as shown below. This root user is not the Linux root user. It is related to MySQL database only. [root@conformix /root]# mysql -u root Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 1 to server version: 3.23.36 Type 'help;' or '\h' for help. Type '\c' to clear the buffer mysql> At the mysql> prompt, you can use MySQL commands. The following command creates testdb. mysql> create database testdb; Query OK, 1 row affected (0.01 sec) mysql> 198 When you create a database, a directory is created under /var/lib/mysql to store database files. In this case the name of the directory is /var/lib/mysql/testdb. Displaying a List of Databases At the command prompt, you can use the show databases command to list available databases. mysql> show databases; +----------+ | Database | +----------+ | mysql | | test | | testdb | +----------+ 3 rows in set (0.00 sec) mysql> This command shows that three databases exist. The names of these databases are mysql, test and testdb. Connecting to a Database To connect to a database, you can use the use command by providing the name of the database as the argument to this command. The following command starts using testdb as the database. mysql> use testdb; Database changed mysql> In some cases you can also use the following command: mysql> connect testdb Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Connection id: 3 Current database: testdb mysql> Creating Tables The following command creates a table with the name customer. The table contains four columns. [View full width] mysql> create table customers (name varchar(20), address varchar(40), phone varchar(10), 199 dob date); Query OK, 0 rows affected (0.00 sec) mysql> Column names and their data types are defined in the command. When you create a table, three files are created in the directory that corresponds to the database. In this case, files are created in /var/lib/mysql/testdb directory as shown in the following command. [root@conformix]# ls /var/lib/mysql/testdb customers.frm customers.MYD customers.MYI [root@conformix]# The names of these files start with the name used for the table. Listing Tables The show tables command lists currently defined tables in the database. mysql> show tables; +------------------+ | Tables_in_testdb | +------------------+ | customers | +------------------+ 1 row in set (0.01 sec) mysql> Displaying Table Information You can display information about each table column by using the describe command. The following command displays information about recently created table customers. mysql> describe customers; +---------+-------------+------+-----+---------+-------+ | Field | Type | Null | Key | Default | Extra | +---------+-------------+------+-----+---------+-------+ | name | varchar(20) | YES | | NULL | | | address | varchar(40) | YES | | NULL | | | phone | varchar(10) | YES | | NULL | | | dob | date | YES | | NULL | | +---------+-------------+------+-----+---------+-------+ 4 rows in set (0.01 sec) mysql> Adding Data to Tables Data can be added to a table using the insert command. The following command adds one row to the customers table. 200 mysql> insert into customers values ('Boota', '135 SB, Sargodha', '001-946-15', '1970-01-01'); Query OK, 1 row affected (0.06 sec) mysql> Displaying Data in Tables The select command retrieves data from one or more tables. In its simplest form, the following command displays all records in the customers table. mysql> select * from customers; +-------+------------------+------------+------------+ | name | address | phone | dob | +-------+------------------+------------+------------+ | Boota | 135 SB, Sargodha | 001-946-15 | 1970-01-01 | +-------+------------------+------------+------------+ 1 row in set (0.00 sec) mysql> For more information on the select command, use any SQL language reference. Deleting Data from Tables The delete command removes data from the table. The following command deletes records from the customer table where the name of the customer is Boota. mysql> delete from customers where customers.name='Boota'; Query OK, 1 row affected (0.00 sec) mysql> Switching from One Database to Another You can use the use commands to switch to another database. The following command starts using mysql-test database. mysql> use mysql-test Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed mysql> Creating a User The simplest way to create a user is to grant the user some access rights to a database. If the user does not already exist, it will be created. The following command creates a user rrehman and grants all access rights on the testdb database. 201 mysql> grant all on testdb.* to rrehman; Query OK, 0 rows affected (0.00 sec) mysql> This command creates a row in the user table in mysql database for user rrehman and grants permission for everything to user rrehman on database testdb. Setting Password for a User You can assign a password to the user upon creation. The following command creates a user rrehman and assigns a password boota. grant all on testdb.* to rrehman identified by 'boota'; To assign a password later on, use the following command: mysql> set password for rrehman = password('kaka'); Query OK, 0 rows affected (0.00 sec) mysql> Granting Permissions The grant command is used to grant different levels of permissions to users. Refer to the following command where different permissions are assigned to a user rr on localhost. mysql> grant CREATE,INSERT,DELETE,UPDATE,SELECT on snort.* to rr@localhost; Query OK, 0 rows affected (0.00 sec) mysql> Using mysqladmin Utility The mysqladmin utility is used for database administration. A complete discussion is beyond the scope of this book. The following output of the command shows some of the tasks that it is capable of doing. [root@conformix /root]# mysqladmin mysqladmin Ver 8.18 Distrib 3.23.36, for redhat-linux-gnu on i386 Copyright (C) 2000 MySQL AB & MySQL Finland AB & TCX DataKonsult AB This software comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to modify and redistribute it under the GPL license Administration program for the mysqld daemon. Usage: mysqladmin [OPTIONS] command command.... -#, --debug=... Output debug log. Often this is 'd:t:o,filename` -f, --force Don't ask for confirmation on drop database; with multiple commands, continue even if an error occurs -?, --help Display this help and exit 202 --character-sets-dir=... Set the character set directory -C, --compress Use compression in server/client protocol -h, --host=# Connect to host -p, --password[=...] Password to use when connecting to server If password is not given it's asked from the tty -P --port=... Port number to use for connection -i, --sleep=sec Execute commands again and again with a sleep between -r, --relative Show difference between current and previous values when used with -i. Currently works only with extended-status -E, --vertical Print output vertically. Is similar to --relative, but prints output vertically. -s, --silent Silently exit if one can't connect to server -S, --socket=...Socket file to use for connection -t, --timeout=...Timeout for connection to the mysqld server -u, --user=# User for login if not current user -v, --verbose Write more information -V, --version Output version information and exit -w, --wait[=retries] Wait and retry if connection is down Default options are read from the following files in the given order: /etc/my.cnf /var/lib/mysql/my.cnf ~/.my.cnf The following groups are read: mysqladmin client The following options may be given as the first argument: --print-defaults Print the program argument list and exit --no-defaults Don't read default options from any options file --defaults-file=# Only read default options from the given file # --defaults-extra-file=# Read this file after the global files are read Possible variables for option --set-variable (-O) are: connect_timeout current value: 0 shutdown_timeout current value: 3600 Where command is a one or more of: (Commands may be shortened) create databasenameCreate a new database drop databasenameDelete a database and all its tables extended-status Gives an extended status message from the server flush-hosts Flush all cached hosts flush-logs Flush all logs flush-status Clear status variables flush-tables Flush all tables flush-threads Flush the thread cache flush-privileges Reload grant tables (same as reload) kill id,id,... Kill mysql threads password new-password Change old password to new-password ping Check if mysqld is alive processlist Show list of active threads in server reload Reload grant tables refresh Flush all tables and close and open logfiles shutdown Take server down status Gives a short status message from the server start-slave Start slave stop-slave Stop slave variables Prints variables available version Get version info from server [root@conformix]# 203 You can use different options on the command line. For example "mysqladmin version" will show the version number for the utility. Appendix C. Packet Header Formats Snort rules use the protocol type field to distinguish among different protocols. Different header parts in packets are used to determine the type of protocol used in a packet. In addition, rule options can test many of the header fields. This appendix explains headers of different protocols. These packet headers are explained in detail in RFCs. Understanding different parts of these packet headers is very important for writing effective Snort rules. IP Packet Header The basic IPv4 header consists of 20 bytes. An options part may be present after these 20 bytes. This optional part may be up to forty bytes long. Structure of IP header is present in Figure C-1. Figure C-1. IP header Detailed information about the IP packet header can be found in RFC 791 which is available from ftp://ftp.isi.edu/in-notes/rfc791.txt and many other places including the RFC editor web site. A brief explanation of different fields in the IP packet header is found in Table C-1. Table C-1. IP Packet Header Fields Field Explanation V Version number. The value is 4 for IPv4. Four bits are used for this part. IHL This field shows length of IP packet header. This is used to find out if the options part is present after the basic header. Four bits are used for IHL and it shows length in 32-bit word length. The value of this field for a basic 20-bytes header is 5. TOS This field shows type of service used for this packet. It is 8 bits in length. Total Length This field shows the length of the IP packet, including the data part. It is 16 bits long. ID This field packet identification number. This part is 16 bits long. 204 Table C-1. IP Packet Header Fields Field Explanation F This part is three bits long and it shows different flags used in the IP header. Frag Offset This part is thirteen bits long and it shows fragment offset in case an IP packet is fragmented. TTL This is time to live value. It is eight bits long. Protocol This part shows transport layer protocol number. It is eight bits long. Header Checksum This part shows header checksum, which is used to detect any error in the IP header. This part is sixteen bits long. Source Address This is the 32 bit long source IP address. Destination Address This is the 32 bit long destination IP address. ICMP Packet Header ICMP header is completely explained in RFC 792, which is available from ftp://ftp.isi.edu/in- notes/rfc792.txt for download. Figure C-2 shows basic structure of ICMP header. Note that depending upon type of ICMP packet, this basic header is followed by different parts. Figure C-2. Basic ICMP header An explanation of the fields in a basic ICMP header is provided in Table C-2. Table C-2. ICMP Packet Header Fields Field Explanation Type This part is 8 bits long and shows the type of ICMP packet. Code This part is also 8 bits long and shows the sub-type or code number used for the packet. Checksum This part is 16 bits long and is used to detect any errors in the ICMP packet. The ICMP information part is variable depending upon the value of the type field. For example, the ping command uses ICMP ECHO REQUEST type packet. This packet header is shown in Figure C-3. 205 Figure C-3. ICMP packet used in ping command. For a complete list of ICMP packet types, refer to RFC 792. TCP Packet Header TCP packet header is discussed in detail in RFC 793 which is available at ftp://ftp.isi.edu/in- notes/rfc793.txt for download. Figure C-4 shows structure of TCP header. Figure C-4. TCP header Different parts of TCP header are explained in Table C-3. Again for a detailed explanation of TCP, refer to the RFC 793. Table C-3. TCP Packet Header Fields Field Explanation Source Port This part is 16 bits long and shows source port number. Destination Port This is a 16-bit long field and shows the destination port number. Sequence Number This is the sequence number for the TCP packet. It is 32 bits long. It shows the sequence number of the first data octet in the packet. However if SYN bit is set, this number shows the initial sequence number. Acknowledgement Number This number is used for acknowledging packets. It is 32 bits long. This number shows the sequence number of the octet that the sender is expecting. Offset This is a 4- bit field and shows the length of the TCP header. Length is measured in 32-bit numbers. Reserved Six bits are reserved. Flags or Control bits The flags are six bits in length and are used for control purposes. These bits are URG, ACK, PSH, RST, SYN and FIN. A value of 1 in any bit place indicates the flag is set. 206 Table C-3. TCP Packet Header Fields Field Explanation Window This is 16 bits long and is used to tell the other side about the length of TCP window size. Checksum This is a checksum for TCP header and data. It is 16 bits long. Urgent Pointer This field is used only when the URG flag is set. It is 16 bits long. Options This part is of variable length. UDP Packet Header The UDP packet header is simple and is described in RFC 768. It has four fields as shown in Figure C-5. Each field is 16 bits long. Names of all fields are self-explanatory. Figure C-5. UDP packet header ARP Packet Header ARP packets are used to discover the hardware or MAC addresses when the IP address is known. In any LAN, you will see a lot of ARP packets being transmitted. This is because each host has to find out the MAC address of the destination host before sending data. The ARP is a broadcast protocol and its packet header is shown in Figure C-6. Figure C-6. ARP header Different fields in the ARP packet header are described in Table C-4. Table C-4. ARP Packet Header Fields 207 Field Explanation HW Address Type The HW Address type is a 16 bit long field and it shows the type of hardware. Since most of LANs are Ethernet-based, its value is 1. For IEEE 802 networks, its value is 6. For IPSec tunnel, the value is 31. Protocol Address Type The protocol address type shows the protocol used in the network layer. The value of this field is 0x800 for IP. HW Addr Len This field shows the length of the hardware address in number of bytes. This field is 8 bits long. Proto Addr Length This field shows the length of the protocol address. This field is also 8 bits long. Operation or Opcode This field is 16 bits long and is used for the type of ARP packet. A value of 1 indicates a request packet and a value of 2 indicates a reply packet. Source hardware address This is a 48 bit long field in the case of Ethernet. However its length is variable. Source protocol address This is a 32 bit field in the case of IPv4 packets. However its length is variable. Target hardware address This is 48 bits long in Ethernet and its length is variable. Target protocol address This is 32 bits in the case of IPv4 and its length is variable. Appendix D. Glossary This appendix defines some of the most commonly used terms in this book. Glossary Alert A message generated when any intruder activity is detected. Alerts may be sent in many different forms, e.g., pop-up window, logging to screen, e-mail and so on. DMZ 208 Demilitarized zone. HIDS Host Intrusion Detection System. A system that detects intruder activity for a host. IDS Intrusion Detection System. A system that detects any intruder activity. Snort is an example of an IDS. IDS Signature A pattern that we want to look for in a data packet. Based upon a particular signature we can define appropriate action to take. NIDS Network Intrusion Detection System. This is an intrusion detection system that works for a network. Usually a device (computer or a dedicated device) is placed at an appropriate location in the network to detect any intruder activity. Rule Header The first part of each Snort rule. It contains information about action, protocol, source and destination addresses, port numbers and direction. Snort Configuration File The snort.conf file, which is the main configuration file for Snort. It is read at the time when Snort starts. Snort Rule 209 A way of conveying intruder signatures to Snort. TOS Type of Service field used in IPv4 packet header. Trust Levels Different levels of trust may be imposed in different trust zones. For example, a financial database may be at a different trust level than a company public web server. See also [Trust Zone] Trust Zone An area of your network where you apply the same security policy. For example, all publicly accessible hosts (WWW and e-mail servers) may be placed in a demilitarized zone (DMZ). TTL Time to Live field used in IP packet header. Appendix E. SNML DTD This is the DTD file used for Snort XML based messages. <!-- * Simple Network Markup Language (SNML) * Version 0.2 * * snml.dtd * Copyright (C) 2001, 2002 Carnegie Mellon University * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License as * published by the Free Software Foundation; either version 2 of * the License, or (at your option) any later version. * 210 * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public * License along with this program; if not, write to the Free * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, * MA 02111-1307, USA. --> <!-- This DTD defines a simple XML exchange format for Network Intrusion Detection Systems. The snml can stand for "Snort Markup Language" when used with the snort IDS or as the "Simple Network Markup Language" when used in multi-vendor IDS environments. Comments or questions can be directed to: Roman Danyliw --> <!-- | The sensor element contains information that can be used to | uniquely identify the source which detected the event. | It always contains a hostname. Optionally, a | sensor filter, a data source filename, or an ip address | and network interface may be given. --> <!-- | sensor attributes | format = encoding format of the packet payload (data) | detail = defines which protocol fields will be present | fast - limited information | full - the full packet will be present --> <!ATTLIST sensor format (base64|ascii|hex) #REQUIRED detail (fast|full) #REQUIRED > <!-- | Contains a string representing a network interface | e.g., eth0, ppp0, hme0, etc. 211 --> <!-- | A string representing a tcpdump filter that is normally passed | in on the command line. e.g. "not net 10.1.1.0/24" --> <!-- | The signature is free-form text describing the event. In snort, | it is the string contained in the "msg" rule option --> <!-- | signature attributes | id = unique identifier of this signature (0..2^32-1) | revision = revision number of this signature | class = classification identifier of this signature (numeric) | priority = numeric priority of this event - (0..255) --> <!ATTLIST signature id CDATA #IMPLIED revision CDATA #IMPLIED class CDATA #IMPLIED priority CDATA #IMPLIED > <!-- | A reference provides a mechanism to refer to an external | database for information related to this signature or event. --> <!-- | reference attribute | system = the external database referenced | - cve : Common Vulnerabilities and Exposures | ( | - bugtraq : Bugtraq | ( | - arachnids : arachNIDS | ( | - mcafee : McAfee | ( | - url : custom URL --> <!ATTLIST reference system CDATA #REQUIRED > <!-- | The timestamp must conform to ISO-8601 standard. | e.g., ISO-8601: 1999-08-04 00:01:23-05 --> 212 <!-- | A packet can be logged without being decoded using "raw" | mode. This encoding should only be used when a packet is | received containing protocols which cannot be decoded. --> <!-- | IP address (in dot-quad notation). | e.g., 10.1.2.3 | Note: Domain names are not valid. | | The version attribute is the version of IP address | (should be 4 or 6). --> <!ATTLIST ipaddr version CDATA #REQUIRED > <!-- | IPv4 header | saddr = source IP address - IP address IP (192.168.1.2) | daddr = destination IP address - IP address IP (192.168.1.2) | ver = version of ip - 1 byte INT (0 - 15) | hlen = header length in 32 bit words | - 1 byte INT (0 - 15) | tos = type of service - 1 byte INT (0 - 255) | len = total length of the packet | - 2 byte INT (0 - 65535) | id = identification - 2 byte INT (0 - 65535) | flags = fragment flags - 1 byte INT (0 - 7) | off = fragment offset - 2 byte INT (0 - 65535) | ttl = time to live - 1 byte INT (0 - 255) | proto = protocol - 1 byte INT (0 - 255) | csum = checksum - 2 byte INT (0 - 65535) --> <!ATTLIST iphdr saddr CDATA #REQUIRED daddr CDATA #REQUIRED ver CDATA #REQUIRED hlen CDATA #IMPLIED tos CDATA #IMPLIED len CDATA #IMPLIED id CDATA #IMPLIED flags CDATA #IMPLIED ttl CDATA #IMPLIED off CDATA #IMPLIED ttl CDATA #IMPLIED proto CDATA #REQUIRED csum CDATA #IMPLIED > 213 <!-- | IP or TCP option | option = option code - 1 byte INT (0 - 255) | len = length of option data - 1 byte INT (0 - 255) --> <!ATTLIST option code CDATA #REQUIRED len CDATA #IMPLIED > <!-- | TCP header information | sport = source port - 2 byte INT (0 - 65535) | dport = destination port - 2 byte INT (0 - 65535) | seq = sequence number - 4 byte INT (0 - 4294967295) | ack = acknowledgment number - 4 byte INT (0 - 4294967295) | off = data offset - 1 byte INT (0 - 15) | res = reserved field - 1 byte INT (0 - 63) | flags = represents TCP flags - 1 byte INT (0 - 255) | win = window - 2 byte INT (0 - 65535) | csum = checksum - 2 byte INT (0 - 65535) | urp = urgent pointer - 2 byte INT (0 - 65535) --> <!ATTLIST tcphdr sport CDATA #REQUIRED dport CDATA #REQUIRED seq CDATA #IMPLIED ack CDATA #IMPLIED off CDATA #IMPLIED res CDATA #IMPLIED flags CDATA #REQUIRED win CDATA #IMPLIED csum CDATA #IMPLIED urp CDATA #IMPLIED > <!-- | UDP header information | sport = source port - 2 byte INT (0 - 65535) | dport = destination port - 2 byte INT (0 - 65535) | len = length field of UDP header | - 2 byte INT (0 - 65535) | csum = checksum - 2 byte INT (0 - 65535) --> <!ATTLIST udphdr sport CDATA #REQUIRED dport CDATA #REQUIRED len CDATA #IMPLIED csum CDATA #IMPLIED > <!-- | ICMP header | type = icmp type - 1 byte INT (0 - 255) 214 | code = icmp code - 1 byte INT (0 - 255) | csum = checksum - 2 byte INT (0 - 65535) | id = identifier - 2 byte INT (0 - 65535) | seq = sequence number - 2 byte INT (0 - 65535) --> <!ATTLIST icmphdr type CDATA #REQUIRED code CDATA #REQUIRED csum CDATA #IMPLIED id CDATA #IMPLIED seq CDATA #IMPLIED > ]>