Snort mailing list archives
Archiving Giving you Trouble?
From: "Timothy Wright" <twright () nd edu>
Date: Thu, 6 Feb 2003 12:53:08 -0500
Like many ACID/Snort users, I found archiving IDS data to be a tad cumbersome. How realistic is it to use the ACID interface to manually archive event data? Not wishing to give up using this otherwise excellent interface, I went ahead and crafted a PHP script that can be called via cron to automatically handle archiving. The script is somewhat crude, and is little more than modifications made to the 'acid_qry_main.php' script included with ACID. The ACID/Snort database server I use is running on Red Hat 8 - hence, the script I'm providing below should be viewed from within this context. In its present form, the script will archive only the last 24 hours' event data - clearly, this can be tweaked. Enjoy!

--
Timothy Wright, CISSP
Information Security
Office of Information Technology
University of Notre Dame

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

#!/usr/bin/php -q
<?php
/* Program: ACID_Archive.php
 *
 * Purpose: To archive all of the IDS data accumulated during the past
 *          24 hours of operation. These data are to be moved from the
 *          current ACID/Snort database, and inserted into the archive
 *          denoted in the 'acid_conf.php' file.
 *
 *          This code is a _very_ brutish implementation of an archival
 *          solution. It was hacked out by taking the ACID script
 *          'acid_qry_main.php' and modifying it to execute a query for
 *          the past 24 hours' event data, and then do an 'archive_alert2'
 *          (i.e., move event data into the archive).
 *
 * Usage :  While this script could certainly be run by hand, a daily cron
 *          job is the best approach. One might take advantage of the HTML
 *          that results from executing this script, in order to obtain a
 *          status of the archive operation. E.g.:
 *
 *          /var/www/html/acid/ACID_Archive.php | grep "ARCHIVE-move"
 *
 *          Something like
 *
 *          <FONT COLOR="#FF0000">Successful ARCHIVE-move - 264 alert(s)</FONT><P><TABLE WIDTH="100%">
 *
 *          should be the result. One could then get a little fancy with
 *          the cron job, as in:
 */
/*
#!/bin/sh
# This script should execute once every 24 hours. Please
# see comments in '/var/www/html/acid/ACID_Archive.php'
# for details.
#
# T.W. - 2/3/03

# What to look for in the output of the archive process in
# order to tell how well we did, and how many events were
# moved.
ARCHIVE_FLAG="ARCHIVE-move"

# What to look for in the output of the archive process. If
# we don't find this, something went wrong.
SUCCESS_FLAG="Successful"

# The location of our update and archive scripts.
WEB_DIR="/var/www/html/acid"

# The location of our archive update script (updates the
# ACID cache for the archive database).
WEB_DIR_ARCH="/var/www/html/acidArchive"

# Start out by updating the cache for the primary database
# (note: not sure if this is necessary for the archival
# process...)
$WEB_DIR/ACID_Update.php

# Next log a message in /var/log/messages (or wherever
# we are logging user.notice messages)
logger "Daily ACID/Snort archive kicked off at "`date`

# Execute the archive script. At the same time, grep the output
# for the line that will tell us how we did, and how many events
# were archived.
output=`$WEB_DIR/ACID_Archive.php | grep "$ARCHIVE_FLAG"`

# We should only see a value of 0 or 1 for 'count' (i.e., the
# success flag should only be present 0 or 1 time in the output
# we capture).
count=`echo "$output" | grep -c "$SUCCESS_FLAG"`

# Do we have success or failure? Log an appropriate message.
if [ "$count" -eq 1 ]; then
    logger "Daily ACID/Snort archive successfully ended at "`date`
    logger "Daily ACID/Snort archive informational message: $output"

    # Be sure to update the cache for the archive database, or else
    # we'll have to do so by hand when we view the database via the
    # ACID interface.
    $WEB_DIR_ARCH/ACID_Update.php
else
    logger "Daily ACID/Snort archive FAILED at "`date`
    logger "Daily ACID/Snort archive ERROR message: $output"
fi
*/
/* Of course, the above script does assume that there is
 * another script called 'ACID_Update.php' - used
 * to update the ACID cache for a given ACID/Snort database
 * (if you're in need of such a script, you can always
 * use this program as your starting point...notice the line:
 *
 *   if ( $event_cache_auto_update == 1 ) UpdateAlertCache($db);
 *
 * in the code below).
 *
 * Notes :  Many thanks to Roman Danyliw for his solid work! Also, many
 *          thanks to good folks at Sourcefire and Snort.org for bringing
 *          us such a wonderful IDS!
 *
 *          - Timothy Wright <twright () nd edu>
 */
/*
 * Analysis Console for Incident Databases (ACID)
 *
 * Author: Roman Danyliw <rdd () cert org>, <roman () danyliw com>
 *
 * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
 *   (see the file 'acid_main.php' for license details)
 *
 */
?>
<?php
include("acid_constants.inc");
include("acid_conf.php");
include("acid_include.inc");
include_once("acid_action.inc");
include_once("acid_db_common.php");
include_once("acid_common.php");
include_once("acid_ag_common.php");
include_once("acid_qry_common.php");

// Time boundary for the query: the same hour, one day ago
$yesterday_year  = date("Y", time()-86400);
$yesterday_month = date("m", time()-86400);
$yesterday_day   = date("d", time()-86400);
$yesterday_hour  = date("H", time()-86400);

// Time criteria as ACID's query page would have posted them
// (operator ">=" against the start of the window above)
$time[0][0] = "";
$time[0][1] = ">=";
$time[0][2] = $yesterday_month;
$time[0][3] = $yesterday_day;
$time[0][4] = $yesterday_year;
$time[0][5] = $yesterday_hour;
$time[0][6] = "";
$time[0][7] = "";
$time[0][8] = "";
$time[0][9] = "";

// Setup some variables for the query (that will pull back
// IDS data for the last 24 hours)
$num_result_rows = -1;
$time_cnt = -1;
$new = 1;
$submit = "Query DB";

$et = new EventTiming($debug_time_mode);

$cs = new CriteriaState("acid_qry_main.php", "&new=1&submit=Query+DB");
$cs->ReadState();

$qs = new QueryState();
$qs->AddCannedQuery("last_tcp",  $last_num_alerts, "Last TCP", "time_d");
$qs->AddCannedQuery("last_udp",  $last_num_alerts, "Last UDP Alerts", "time_d");
$qs->AddCannedQuery("last_icmp", $last_num_alerts, "Last ICMP Alerts", "time_d");
$qs->AddCannedQuery("last_any",  $last_num_alerts, "Last Alerts", "time_d");

/* Connect to the Alert database */
$db = NewACIDDBConnection($DBlib_path, $DBtype);
$db->acidDBConnect($db_connect_method,
                   $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);

if ( $event_cache_auto_update == 1 )
   UpdateAlertCache($db);

$printing_ag = false;

/* Init and run the query action */
$criteria_clauses = ProcessCriteria();
$from  = " FROM acid_event ".$criteria_clauses[0];
$where = " WHERE ".$criteria_clauses[1];

$qs->AddValidAction("ag_by_id");
$qs->AddValidAction("ag_by_name");
$qs->AddValidAction("add_new_ag");
$qs->AddValidAction("del_alert");
$qs->AddValidAction("email_alert");
$qs->AddValidAction("email_alert2");
$qs->AddValidAction("csv_alert");
$qs->AddValidAction("archive_alert");
$qs->AddValidAction("archive_alert2");

$qs->AddValidActionOp("Selected");
$qs->AddValidActionOp("ALL on Screen");
$qs->AddValidActionOp("Entire Query");

$qs->SetActionSQL("SELECT acid_event.sid, acid_event.cid $from $where");
// $et->Mark("Initialization");

$qs->RunAction($submit, PAGE_QRY_ALERTS, $db);
// $et->Mark("Alert Action");

include("acid_qry_sqlcalls.php");
// $et->Mark("Get Query Elements");
// $et->PrintTiming();

/* Now run the archival action */
// Setup some variables for the archival process (that will move
// all of the IDS data returned by the query, into the archive).
$submit = "Entire Query";
$qs->current_view = 0;
$qs->action = "archive_alert2";

if ( $event_cache_auto_update == 1 )
   UpdateAlertCache($db);

// Execute the archival process
$qs->RunAction($submit, PAGE_QRY_ALERTS, $db);
// $et->Mark("Alert Action");

include("acid_qry_sqlcalls.php");
// $et->Mark("Get Query Elements");
// $et->PrintTiming();
?>
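The cron wrapper in the post decides success by grepping the script's HTML for "Successful" and logging whatever line it found. The following is an added example (editorial, not code from Timothy Wright's post or from the ACID project) of a stricter version of that check: it treats anything other than exactly one success line as a failure, extracts the number of moved alerts from the HTML so it can be logged as a plain number, and returns a non-zero status so cron's mail or a monitoring job sees a failed run. The only assumption about ACID's output is the one the post itself makes, that a successful move prints a line containing "Successful ARCHIVE-move - N alert(s)"; the paths are the ones from the post, and the function names parse_archive_output and archive_and_log are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original post: a stricter success check for
# the ACID_Archive.php cron wrapper. Assumes (as the post shows) that a
# successful run prints a line containing "Successful ARCHIVE-move - N alert(s)".

ARCHIVE_FLAG="ARCHIVE-move"
SUCCESS_FLAG="Successful"
WEB_DIR="/var/www/html/acid"              # location of ACID_Archive.php (from the post)
WEB_DIR_ARCH="/var/www/html/acidArchive"  # location of the archive DB's ACID_Update.php

# parse_archive_output: reads the HTML produced by ACID_Archive.php on stdin.
# Prints the number of alerts moved and returns 0 only when exactly one
# success line is present. Zero success lines (a PHP error, an empty run,
# a "Failed" line) or more than one (unexpected output) return 1.
parse_archive_output() {
    out=$(grep "$ARCHIVE_FLAG" || true)
    count=$(printf '%s\n' "$out" | grep -c "$SUCCESS_FLAG" || true)
    if [ "$count" -ne 1 ]; then
        return 1
    fi
    # Strip the HTML around the number: keep the digits before " alert(s)".
    printf '%s\n' "$out" | sed -n 's/.*ARCHIVE-move - \([0-9][0-9]*\) alert(s).*/\1/p'
}

# archive_and_log: run the archive, log the outcome via syslog, and return
# non-zero on failure so a cron job invoking this script exits non-zero too.
archive_and_log() {
    logger "Daily ACID/Snort archive kicked off at $(date)"
    if moved=$("$WEB_DIR/ACID_Archive.php" | parse_archive_output); then
        logger "Daily ACID/Snort archive successfully ended at $(date): $moved alert(s) moved"
        # Refresh the archive database's ACID cache, as the post's wrapper does.
        "$WEB_DIR_ARCH/ACID_Update.php" >/dev/null
        return 0
    fi
    logger "Daily ACID/Snort archive FAILED at $(date)"
    return 1
}

# Only run the archive when explicitly asked (e.g. from cron: "script.sh run"),
# so the functions above can be sourced and exercised without touching the DB.
if [ "${1:-}" = "run" ]; then
    archive_and_log
fi
```

Piping the sample line from the post through parse_archive_output prints 264; the same pipeline fed a PHP fatal error or a "Failed ARCHIVE-move" line prints nothing and returns 1, which is what makes the cron exit status meaningful.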