Snort's Effectiveness
Well, it's alerting on every RSS feed I browse using Newsgator as "ADWARE Gator". Hmmm.
At work we have this very cool vulnerability analyser called "appscan", which is designed to test websites in development for cross-site scripting and SQL injection. So if I ran it against my website, which Snort is monitoring, it would alert, right?
Wrong. Not a blip. I wonder if the commercial Sourcefire network IDS systems are like this too?
I think this is just symptomatic of the entire technology: it's just not up to detecting sophisticated web attacks. So if we close all ports except 80 and 443 and put an IDS outside the firewall, what's the IDS for?
The answer is "compliance". Hmmm. Security for security's sake; I thought we were long past this.
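As an added illustration (written for this page; it is not part of the original post and not Snort's own matching engine), the Python below shows one reason a content-match signature can sail past a scanner's payloads: matched against the raw request line, a pattern such as ' or 1=1 never appears once the scanner URL-encodes it or breaks it up with inline comments, while the same patterns fire once the URI is decoded and normalised. The request lines and the three signatures are constructed for the example, not taken from any ruleset. Real Snort does normalise URIs in its http_inspect preprocessor for uricontent rules, so in practice the question is whether the loaded ruleset carries web-attack signatures for these patterns at all; traffic on 443 is opaque to a network IDS either way unless TLS is terminated in front of it.

```python
"""
Toy illustration of why a plain content-match signature can miss a web
scanner's payloads: matched against the raw request bytes the pattern is
absent, while it is obvious once the URI is decoded and normalised.
All request lines and signatures below are constructed for this example.
"""
import re
from urllib.parse import unquote_plus

# Snort-style "content ... nocase" matches, applied to the raw request line.
# Assumed signatures for illustration, not rules from any real ruleset.
RAW_SIGNATURES = [
    "' or 1=1",
    "union select",
    "<script>",
]

# Constructed request lines, like those a scanner might send at a form handler.
SAMPLE_REQUESTS = [
    "GET /search.php?q=' or 1=1-- HTTP/1.1",                                  # plain
    "GET /search.php?q=%27%20oR%201%3D1--%20 HTTP/1.1",                       # URL-encoded, mixed case
    "GET /search.php?q=1'/**/UNION/**/SELECT/**/user,pass/**/FROM/**/t-- HTTP/1.1",  # comment-split
    "GET /guestbook.php?msg=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1",      # encoded XSS
    "GET /search.php?q=snort+ids+effectiveness HTTP/1.1",                     # benign
]


def raw_match(request: str) -> bool:
    """Emulate a case-insensitive content match on the undecoded request."""
    low = request.lower()
    return any(sig in low for sig in RAW_SIGNATURES)


def normalize(request: str) -> str:
    """Decode %XX and '+', drop /* */ comments used as spacers, collapse
    whitespace and lowercase, so the signatures see what the database sees."""
    decoded = unquote_plus(request)
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)
    decoded = re.sub(r"\s+", " ", decoded)
    return decoded.lower()


def normalized_match(request: str) -> bool:
    """Same signatures, applied after normalisation."""
    return any(sig in normalize(request) for sig in RAW_SIGNATURES)


def classify(requests):
    """Return (raw_hits, normalized_hits) so the two strategies can be compared."""
    raw_hits = [r for r in requests if raw_match(r)]
    norm_hits = [r for r in requests if normalized_match(r)]
    return raw_hits, norm_hits


if __name__ == "__main__":
    raw_hits, norm_hits = classify(SAMPLE_REQUESTS)
    for r in SAMPLE_REQUESTS:
        print("raw=%-5s normalized=%-5s  %s" % (r in raw_hits, r in norm_hits, r))
```

Only the first, unencoded request trips the raw match; the encoded and comment-split variants are caught only after normalisation, and the benign search is ignored by both.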
Scuba
Last year I began using a cool tool from "Imperva" entitled "scuba"; it lets the auditor / security analyst do a hit-and-run security analysis of the base database product against security best practice. Like most of these tools it does nothing to analyse the information flow or inter-relationships inside the application schema, but it does look at the vendor system tables and stored procedures for obvious security misconfigurations. It works with DB2, Sybase, Oracle and Microsoft SQL Server.
The tool requires the auditor to have temporary "sa"-level read privilege on the entire database system and access to the network port the database runs on.
The tool runs on Windows platforms and requires a Java runtime to be installed.
The reports are pretty HTML tables (good for cutting and pasting).
Snort 2.8.1 on Mac OS X Leopard with MAMP and Macports
I made a few notes here about what I needed to do to get the latest Snort going on OS X 10.5.2.
I followed the excellent directions on Mark Duling's site, here (hope it doesn't disappear like many .Mac sites do), but these were OS X 10.4/Tiger specific.
I used a combination of Macports / MAMP and self-compiled the latest Snort.
This is the split, roughly:
Macports for BASE, ADOdb and the MySQL libraries (Snort is way out of date on Macports, so I skipped it)
MAMP to host it (which includes PHP 5 and MySQL, managed via a nice GUI)
So here follow my really rough notes on the differences between what I did and what is noted on the halfdozen site:
iMac-G5:~ cooper$ cat .profile
PATH=/Applications/MAMP/Library/bin:$PATH:/opt/local/bin:/opt/local/sbin; export PATH
cat create_mysql | mysql -u root -p snort
mysql -u root -p
cd /opt/local/share/base/sql
cat create_base_tbls_mysql.sql | mysql -u root -p snort
mysql -u root -p
Compiling / configuring notes
Compile snort using Macports mysql libraries:
export LD_TWOLEVEL_NAMESPACE=1
export MACOSX_DEPLOYMENT_TARGET=10.5
./configure --with-mysql --with-mysql-includes=/opt/local/include/mysql5/mysql/ --with-mysql-libraries=/opt/local/lib/mysql5/mysql
Copy the latest rules downloaded from snort.org into Snort's rules directory (after registering on http://www.snort.org/):
(I am now using oinkmaster.pl for this)
sudo cp * /usr/local/etc/snort/rules
Modify the loader script installed by Macports so it points to the self-compiled Snort binary in /usr/local/bin rather than the Macports one:
sudo vi /opt/local/share/snort/snort.sh
Kludge to get Snort to read the MAMP MySQL socket (you need the Macports MySQL installed as well, but not running, and that confuses things: the Macports client library looks for its socket under /opt/local/var/run/mysql5, so link that path to the MAMP socket):
sudo ln -s /Applications/MAMP/tmp/mysql/mysql.sock /opt/local/var/run/mysql5/mysqld.sock
Start snort:
sudo /usr/local/bin/snort -i en1 -c /usr/local/etc/snort/snort.conf
Make it load at boot time (uses the Macports startup scripts):
sudo launchctl load -w /Library/LaunchDaemons/org.macports.snort.plist
BASE
More kludges to get BASE working with MAMP:
sudo pico /opt/local/share/base/base_conf.php
cd /Applications/MAMP/htdocs/
sudo ln -s /opt/local/share/adodb5 adodb5
Install the PEAR extensions for graphing in BASE:
/Applications/MAMP/bin/php5/bin/pear install Image_Canvas-0.3.1
/Applications/MAMP/bin/php5/bin/pear install Image_Graph-0.7.2
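An added post-install check, written for this page and not part of Mark Duling's instructions or of the Macports, MAMP or Snort packages: it verifies the three fragile points in the notes above (the socket symlink, the binary the loader script calls, and a populated rules directory). The default paths are the ones from the notes; the /opt/local/bin/snort path used as the Macports binary and the throwaway layout built by demo() are assumptions for the example.

```python
"""
Post-install sanity checks for the Snort + MAMP + Macports layout described
above.  Each check returns "ok" or a short reason, so the script can be run
after the kludges to confirm they actually hold.  Paths default to the ones
used on this page but are parameters, so the checks can target any prefix.
"""
import os
import tempfile

# Default paths: the ones used in the notes above.
DEFAULT_SOCK_LINK = "/opt/local/var/run/mysql5/mysqld.sock"
DEFAULT_SOCK_TARGET = "/Applications/MAMP/tmp/mysql/mysql.sock"
DEFAULT_LOADER = "/opt/local/share/snort/snort.sh"
DEFAULT_SNORT_BIN = "/usr/local/bin/snort"
DEFAULT_RULES_DIR = "/usr/local/etc/snort/rules"


def check_socket_link(link=DEFAULT_SOCK_LINK, target=DEFAULT_SOCK_TARGET):
    """The socket kludge needs the link, the right target, and a running MAMP
    MySQL: the socket file only exists while the server is up."""
    if not os.path.islink(link):
        return "missing symlink"
    actual = os.readlink(link)
    if actual != target:
        return "symlink points elsewhere: " + actual
    if not os.path.exists(target):
        return "MAMP socket absent (is MAMP's MySQL running?)"
    return "ok"


def check_loader(loader=DEFAULT_LOADER, snort_bin=DEFAULT_SNORT_BIN):
    """The Macports loader script must call the self-compiled binary; if it
    still names the Macports one, launchd will start the stale Snort."""
    try:
        with open(loader) as fh:
            text = fh.read()
    except OSError:
        return "loader script missing"
    if snort_bin not in text:
        return "loader does not reference " + snort_bin
    if not os.access(snort_bin, os.X_OK):
        return snort_bin + " is not executable"
    return "ok"


def check_rules(rules_dir=DEFAULT_RULES_DIR):
    """An empty rules directory gives either a failing include in snort.conf
    or an IDS that never alerts, which is easy to mistake for a quiet network."""
    try:
        names = os.listdir(rules_dir)
    except OSError:
        return "rules directory missing"
    if not any(n.endswith(".rules") for n in names):
        return "no .rules files (run oinkmaster)"
    return "ok"


def run_checks(link=DEFAULT_SOCK_LINK, target=DEFAULT_SOCK_TARGET,
               loader=DEFAULT_LOADER, snort_bin=DEFAULT_SNORT_BIN,
               rules_dir=DEFAULT_RULES_DIR):
    """Run all three checks and return their results keyed by name."""
    return {
        "socket": check_socket_link(link, target),
        "loader": check_loader(loader, snort_bin),
        "rules": check_rules(rules_dir),
    }


def demo():
    """Run the checks against a constructed throwaway layout (not the real
    system): socket link and rules are correct, while the loader is left
    pointing at the assumed Macports binary to show what the check reports."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "mysql.sock")
        link = os.path.join(root, "mysqld.sock")
        open(target, "w").close()            # stand-in for the live MAMP socket
        os.symlink(target, link)
        snort_bin = os.path.join(root, "snort")
        with open(snort_bin, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(snort_bin, 0o755)
        loader = os.path.join(root, "snort.sh")
        with open(loader, "w") as fh:      # /opt/local/bin/snort: assumed Macports path
            fh.write("/opt/local/bin/snort -c /opt/local/etc/snort/snort.conf\n")
        rules_dir = os.path.join(root, "rules")
        os.mkdir(rules_dir)
        open(os.path.join(rules_dir, "local.rules"), "w").close()
        return run_checks(link, target, loader, snort_bin, rules_dir)


if __name__ == "__main__":
    for name, status in run_checks().items():
        print("%-7s %s" % (name, status))
```

Run it without arguments on the Mac after the steps above; anything other than three "ok" lines names the kludge that did not take. The socket check is the one to re-run after a reboot, since MAMP creates that socket only while its MySQL is running.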
find / -name "*security*" -print