Step 6. Set Up the Alerts and Logs
As I mentioned earlier, Snort supports logging to MySQL, ODBC-compliant, SQL Server, and Oracle databases. You simply select the appropriate database type during the installation of Snort. For the purposes of keeping this article brief, let's move on to Snort's default text-file logging options and its ability to log to the Windows event log.
When you previously used the Snort command to start the NIDS, the -A console switch told Snort to display its alerts on screen. If you prefer to send the alerts to a text file, you can change this switch to either -A fast or -A full, depending on the type of logging you want. The full option provides a verbose amount of detail on multiple lines in a text file named alerts.ids in the log file directory path (which the -l switch defines). This logging type provides a rich level of detail, but in noisy networks, the detail is a bit much to work through visually. In noisy networks, you should use the fast option, which prompts Snort to post to alerts.ids a single line that provides the key details of the questionable traffic. Personally, I find the fast option easier to work with than the full option when I'm logging to a text file.
The current version of Snort lets you log to the Windows event log. Given that many organizations have already invested in centralized event monitoring, logging, and collection tools, this logging capability is a great add-on for Windows environments.
To send alerts to the Application event log of the system on which Snort is running, you use the -E switch (no options are necessary) instead of the -A switch. Figure 5 shows what a Snort event—in this case, the attempted cmd.exe exploit—looks like when it's been posted to the Application log. The Windows event provides the same level of detail as the console screen.
An NIDS doesn't do much good if you're looking at the event logs (or text logs) only once or twice a week. When something is happening on your network, you need to know as soon as possible. If you have a centralized event monitoring and management system, you can have new events generate notifications through email, a pager, or another medium. However, if you don't have a system like this in place, don't worry. NETIKUS.NET offers a wonderful freeware package called EventSentry Light that you can use to send notifications.
EventSentry Light, which you can download from http://www.netikus.net/products_downloads.html, is the trial version of EventSentry. Many thanks are due to the folks at EventSentry for making a freeware version of such a powerful application. Through EventSentry Light, you can have the system monitor your event logs and automatically email you the details about any Snort event posted to the log. Figure 6 shows the email message about the alerts for the attempted cmd.exe exploit. EventSentry Light emailed this message to me moments after I made the attack.
As I mentioned previously, Snort typically generates a lot of noise, which can cause your event logs to quickly fill up with notifications. Keep this fact in mind when you're making such decisions as how large to make the event log files and how you want to rotate them. To prevent EventSentry Light from cluttering up your mailbox with all of those alerts, you can implement a pattern-matching filter that specifically looks for key strings. For example, I set up a filter to search for the string [Priority: 1] in the text of events.
Step 7. Run as a Service
After Snort is up and running, you'll probably want to run it as a service instead of logging on to the desktop each time you need to start the program. If you launch Snort with the /SERVICE and /INSTALL parameters (along with the other command-line parameters you would typically use), Snort configures itself as a Windows service. As such, it'll start automatically when Windows starts, without any user intervention.
The Next Level: Add-Ons
Snort is a full-featured application. However, you might encounter situations in which you need to take your Snort installation to the next level. For example, if you have multiple NIDSs spread throughout your network, you might prefer to use a GUI to manage Snort. Add-ons that provide this capability include Engage Security's IDScenter and Activeworx's IDS Policy Manager. Or, suppose that you need to do some data mining on your alert data. One add-on that lets you review and analyze logged data is Carnegie Mellon University's Analysis Console for Intrusion Databases (ACID).
Knock Out Attacks
Snort is a highly capable application that's kind to your IT budget. If you pair Snort with a powerful event monitoring application such as EventSentry Light, you've got the one-two punch to knock out attacks on your network before they can do significant harm.
)
Register
I've found the most integrated (i.e. easy) way of getting started is to use EagleX from EngageSecurity. They package all the goodies together. ACID, MySQL, IDSCenter, Snort, etc. It installs simply and is highly configurable.
Once running, the Snort detected something very interesting. While surfing YOUR site, I was subjected to a portscan and attempted buffer overflow attack against real networks products by your banner provider, DoubleClick. I could probably prove that it was an intentional act to install spyware on my system.
Thanks for the education (on several fronts). Please do something about your vendor's behavior.
Jim Jernigan
Redmond, WA
Jim Jernigan June 21, 2004