MYSQLIDS - A quicklook approach to Intrusion Detection Systems

• Mysqlids source & demo - 40.6 Kb

<a name="_toc73761826">Introduction

Intrusion Detection Systems using SNORT (Sourcefire and Snort are Trademarks or Registered Trademarks of Sourcefire, INC) have an ongoing good track record of reporting any event on networks where you can formulate a detection rule. An unfortunate aspect to the use of SNORT or any other IDS system is that you have to know a fair amount about network topology in order to begin to approach the reports. This application takes an approach that considers the users need to be able to perform triage on an infested network at 3:00am and sleep deprived. MYSQLIDS produces a report based upon 5 time criteria as shown above with the ability to correct for 3 time zones. It also allows for optional printing of the payload data. The output is created in a common text file for a reason. File types with complex automation support provided by the OS or support applications have the capacity to launch html and viral payloads.

<a name="_toc73761827">Background

The Analysis Console for Intrusion Databases (ACID) provides a good interface to the data extracted with MYSQLIDS. It wraps it better in many ways except for the perspective manner. You have more data presented than needed and the retrieval of that data takes several queries to select and order the data in a useful manner. Many of the alternative methods for analysis are scripted or LINUX-only in their implementations. MYSQLIDS is a first generation query tool for triage and trending over short periods in a large network. This is a realistic limitation based by MYSQL 4GB database limits and retrieval efficacy. You can quickly search for events in related sites with common time frame. The second generation of this tool needs to address time zone correction so that the queries can be made functional across time zones.

<a name="_toc73761828">Using the code

There are two executables included in the mysqlids.zip. They are named mysqlidsxp.exe and mysqlids2k.exe. The code should compile easily on Windows 2000 or XP using Visual Studio 6. The database used in this example is MYSQL-3.23.58 and the ODBC driver is MYODBC-3.51.06. To create a SNORT database, load MYSQL(3.23.58) on a Windows NT/2000 server. Bounce the box. Login in and “Start->Run->cmd” and then cd \mysql\bin. Key “mysqladmin –u root password newpassword” (replacing newpassword with your new desired root password. This enables the use of MYSQL database. Get a copy of MYSQL Administrator from www.mysql.com and a copy of MYSQL-Front from www.mysqlfront.de. Install both of them and place icons on your desktop on the server. Open the MYSQL Administrator program and logon with the credentials root, newpassword,locahost. In the MYSQL Administrator gui, click on User Administration. Right-click in the User Accounts area and select Add new User. Populate the User Information for the new user (I suggest the setting the userid for MYSQL User to snort and select an appropriate password). Don’t forget to click the Apply changes button. Return to User Accounts. Right click on the user snort and select “Add host from which the user can connect”. Enter the name or ip address for each client or sensor which will connect to the MYSQL database. Close MYSQL Administrator and open MYSQL-Front. The Add Session gui should come up. Enter local for the General Name. Click the connection tab and provide the server name as localhost. Click the Login tab and provide the root credentials. Hit OK and you should see the gui display a pane labeled local. Right click on the localhost, select NEW, then select Database. Name the database snort_db. Then hit File -> Exit. Obtain a copy of the create_mysql from \snort\contrib. Place it in a convenient location. Click Start->Run and key cmd and OK. Execute the following steps:

cd \mysql\bin
mysql -u root -p
newpassword
connect snort_db
source create_mysql ;
commit ;
exit

Reopen MYSQL Administrator – providing the root credentials to log in. Click on User Administration. Select the user snort. Then click the Schema Privileges tab. Click the snort_db Schemata. Highlight all of the available privileges and click the < button. Then hit the Apply changes button. Now close the MYSQL Administrator. On one of the sensors which you have designated to be able to connect to the snort_db database, install snort, edit \snort\etc\snort.conf with the edit verb to change its structure to dos. Then exit and use notepad to edit \snort\etc\snort.conf. Correct the include locations as well as the rules path then uncomment the line that reads as follows:

output database: log, mysql, user=snort,
  user=root password=test dbname=db host=localhost

And change it to

output database: log, mysql,
  user=snort password=newpassword dbname=snort_db host=server_ip

Replace server_ip with the actual ip address for the server. Correct newpassword to the actual snort password. Now you can start snort either as a service with “c:\snort\bin\snort /service /install –c c:\snort\etc\snort.conf –l c:\snort\log” or in command mode with “c:\snort\bin\snort –c c:\snort\etc\snort.conf –l c:\snort\log”. You should test first with the command mode execution to check for connectivity and function when you can see the errors returned to the console. After testing, use “net start snort” to start the service if you opted to install the service. In the previous case visit the Control Panel services to set the startup mode for SNORT to automatic. The sensor should now be logging to the database.

Configuration of the MYSQLIDS requirements is as follows…set the following environment variables at the system level:

IDS_DB_SERVER=server_ip
IDS_DB_USER=snort
IDS_DB_PASS=newpassword

On the client install MYODBC-3.51.06. Now you may start mysqlids (2k or XP as appripriate to the client). You’ll see an informational dialog box showing the server, user and password information being used to contact the snort_db database. Start by selecting one or more sensors … a sample interval … correct the time zone correction … decide on payload or not …then hit the Generate Report button. Use the Open Output button after the cursor returns to view the report.