Snort mailing list archives
Archiving Giving you Trouble?
From: "Timothy Wright" <twright () nd edu>
Date: Thu, 6 Feb 2003 12:53:08 -0500
Like many ACID/Snort users, I found archiving IDS data to be a tad
cumbersome. How realistic is it to use the ACID interface to manually
archive event data? Not wishing to give up using this otherwise excellent
interface, I went ahead and crafted a PHP script that can be called via cron
to automatically handle archiving. The script is somewhat crude, and is
little more than modifications made to the 'acid_qry_main.php' script
included with ACID.
The ACID/Snort database server I use is running on Red Hat 8 - hence, the
script I'm providing below should be viewed from within this context. In
its present form, the script will archive only the last 24 hours' event
data - clearly, this can be tweaked.
Enjoy!
--
Timothy Wright, CISSP
Information Security
Office of Information Technology
University of Notre Dame
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
#!/usr/bin/php -q
<?php
/* Program: ACID_Archive.php
*
* Purpose: To archive all of the IDS data accumulated during the past
* 24 hours of operation. These data are to be moved from the
* current ACID/Snort database, and inserted into the archive
* denoted in the 'acid_conf.php' file.
*
* This code is a _very_ brutish implementation of an archival
* solution. It was hacked out by taking the ACID script
* 'acid_qry_main.php' and modifying it to execute a query for
* the past 24 hours' event data, and then do an 'archive_alert2'
* (i.e., move event data into the archive).
*
* Usage : While this script could certainly be run by hand, a daily cron
* job is the best approach. One might take advantage of the HTML
* that results from executing this script, in order to obtain a
* status of the archive operation. E.g.:
*
* /var/www/html/acid/ACID_Archive.php | grep "ARCHIVE-move"
*
* Something like
*
* <FONT COLOR="#FF0000">Successful ARCHIVE-move - 264 alert(s)</FONT><P><TABLE WIDTH="100%">
*
* should be the result. One could then get a little fancy with
* the cron job, as in:
*/
/*
#!/bin/sh
# This script should execute once every 24 hours. Please
# see comments in '/var/www/html/acid/ACID_Archive.php'
# for details.
#
# T.W. - 2/3/03
# What to look for in the output of the archive process in
# order to tell how well we did, and how many events were
# moved.
ARCHIVE_FLAG="ARCHIVE-move"
# What to look for in the output of the archive process. If
# we don't find this, something went wrong.
SUCCESS_FLAG="Successful"
# The location of our update and archive scripts.
WEB_DIR="/var/www/html/acid"
# The location of our archive update script (updates the
# ACID cache for the archive database).
WEB_DIR_ARCH="/var/www/html/acidArchive"
# Start out by updating the cache for the primary database
# (note: not sure if this is necessary for the archival
# process...)
$WEB_DIR/ACID_Update.php
# Next log a message in /var/log/messages (or wherever
# we are logging user.notice messages)
logger "Daily ACID/Snort archive kicked off at "`date`
# Execute the archive script. At the same time, grep the output
# for the line that will tell us how we did, and how many events
# were archived.
output=`$WEB_DIR/ACID_Archive.php | grep "$ARCHIVE_FLAG"`
# We should only see a value of 0 or 1 for 'count' (i.e., the
# success flag should only be present 0 or 1 time in the output
# we capture).
count=`echo $output | grep -c "$SUCCESS_FLAG"`
# Do we have success or failure? Log an appropriate message.
if [ "$count" = 1 ]; then
logger "Daily ACID/Snort archive successfully ended at "`date`
logger "Daily ACID/Snort archive informational message: "$output
# Be sure to update the cache for the archive database, or else
# we'll have to do so by hand when we view the database via the
# ACID interface.
$WEB_DIR_ARCH/ACID_Update.php
else
logger "Daily ACID/Snort archive FAILED at "`date`
logger "Daily ACID/Snort archive ERROR message: "$output
fi
*/
/* Of course, the above script does assume that there is
* another script called 'ACID_Update.php' - used
* to update the ACID cache for a given ACID/Snort database
* (if you're in need of such a script, you can always
* use this program as your starting point...notice the line:
*
* if ( $event_cache_auto_update == 1 ) UpdateAlertCache($db);
*
* in the code below).
*
* Notes : Many thanks to Roman Danyliw for his solid work! Also, many
* thanks to good folks at Sourcefire and Snort.org for bringing
* us such a wonderful IDS!
*
* - Timothy Wright <twright () nd edu>
*/
/*
* Analysis Console for Incident Databases (ACID)
*
* Author: Roman Danyliw <rdd () cert org>, <roman () danyliw com>
*
* Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
* (see the file 'acid_main.php' for license details)
*
*/
?>
<?php
include("acid_constants.inc");
include("acid_conf.php");
include("acid_include.inc");
include_once("acid_action.inc");
include_once("acid_db_common.php");
include_once("acid_common.php");
include_once("acid_ag_common.php");
include_once("acid_qry_common.php");
$yesterday_year = date("Y", time()-86400);
$yesterday_month = date("m", time()-86400);
$yesterday_day = date("d", time()-86400);
$yesterday_hour = date("H", time()-86400);
// Time criteria for the query: events stamped at or after this hour
// yesterday. Index 1 is the comparison operator, indices 2-5 are
// month/day/year/hour; the remaining criteria fields are left empty.
$time[0][0]= "";
$time[0][1]= ">=";
$time[0][2]= $yesterday_month;
$time[0][3]= $yesterday_day;
$time[0][4]= $yesterday_year;
$time[0][5]= $yesterday_hour;
$time[0][6]= "";
$time[0][7]= "";
$time[0][8]= "";
$time[0][9]= "";
// Setup some variables for the query (that will pull back
// IDS data for the last 24 hours)
$num_result_rows = -1;
$time_cnt = -1;
$new=1;
$submit="Query DB";
$et = new EventTiming($debug_time_mode);
$cs = new CriteriaState("acid_qry_main.php", "&new=1&submit=Query+DB");
$cs->ReadState();
$qs = new QueryState();
$qs->AddCannedQuery("last_tcp", $last_num_alerts, "Last TCP", "time_d");
$qs->AddCannedQuery("last_udp", $last_num_alerts, "Last UDP Alerts", "time_d");
$qs->AddCannedQuery("last_icmp", $last_num_alerts, "Last ICMP Alerts", "time_d");
$qs->AddCannedQuery("last_any", $last_num_alerts, "Last Alerts", "time_d");
/* Connect to the Alert database */
$db = NewACIDDBConnection($DBlib_path, $DBtype);
$db->acidDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);
if ( $event_cache_auto_update == 1 ) UpdateAlertCache($db);
$printing_ag = false;
/* Init and run the query action */
$criteria_clauses = ProcessCriteria();
$from = " FROM acid_event ".$criteria_clauses[0];
$where = " WHERE ".$criteria_clauses[1];
$qs->AddValidAction("ag_by_id");
$qs->AddValidAction("ag_by_name");
$qs->AddValidAction("add_new_ag");
$qs->AddValidAction("del_alert");
$qs->AddValidAction("email_alert");
$qs->AddValidAction("email_alert2");
$qs->AddValidAction("csv_alert");
$qs->AddValidAction("archive_alert");
$qs->AddValidAction("archive_alert2");
$qs->AddValidActionOp("Selected");
$qs->AddValidActionOp("ALL on Screen");
$qs->AddValidActionOp("Entire Query");
$qs->SetActionSQL("SELECT acid_event.sid, acid_event.cid $from $where");
// $et->Mark("Initialization");
$qs->RunAction($submit, PAGE_QRY_ALERTS, $db);
// $et->Mark("Alert Action");
include("acid_qry_sqlcalls.php");
// $et->Mark("Get Query Elements");
// $et->PrintTiming();
/* Now run the archival action */
// Setup some variables for the archival process (that will move
// all of the IDS data returned by the query, into the archive).
$submit = "Entire Query";
$qs->current_view = 0;
$qs->action = "archive_alert2";
if ( $event_cache_auto_update == 1 ) UpdateAlertCache($db);
// Execute the archival process
$qs->RunAction($submit, PAGE_QRY_ALERTS, $db);
// $et->Mark("Alert Action");
include("acid_qry_sqlcalls.php");
// $et->Mark("Get Query Elements");
// $et->PrintTiming();
?>
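An added example (not from Timothy's post or from ACID itself): a POSIX sh function that reduces the HTML status line the cron wrapper greps for to "ok <n>" or "fail", extracting the alert count and rejecting output where the status line is missing or appears more than once. The sample output it runs against is constructed here.

```shell
#!/bin/sh
# Added example, not part of the original post: parse the status line
# printed by ACID_Archive.php, e.g.
#   <FONT COLOR="#FF0000">Successful ARCHIVE-move - 264 alert(s)</FONT><P>...
# into something a cron wrapper can test and log as a number.
# Assumes the same ARCHIVE_FLAG/SUCCESS_FLAG strings as the post's wrapper.

ARCHIVE_FLAG="ARCHIVE-move"
SUCCESS_FLAG="Successful"

# archive_result: read the archive script's stdout on stdin and print
# "ok <count>" when exactly one successful ARCHIVE-move line is present,
# "fail" otherwise. Returns 0 on success, 1 on failure.
archive_result() {
    lines=$(grep "$ARCHIVE_FLAG" | grep "$SUCCESS_FLAG" || true)
    # Zero status lines means the script died (e.g. DB connect failure);
    # more than one means the action ran twice or the HTML changed.
    n=$(printf '%s\n' "$lines" | grep -c "$SUCCESS_FLAG" || true)
    if [ "$n" -ne 1 ]; then
        echo fail
        return 1
    fi
    # Strip the HTML tags, then keep the integer before "alert(s)".
    count=$(printf '%s\n' "$lines" | sed -e 's/<[^>]*>//g' \
        -e 's/.*ARCHIVE-move - \([0-9][0-9]*\) alert(s).*/\1/')
    case "$count" in
        ''|*[!0-9]*) echo fail; return 1 ;;
    esac
    echo "ok $count"
    return 0
}

# Constructed samples of the archive script's stdout (HTML fragments).
SAMPLE_OK='<HTML><BODY>
<FONT COLOR="#FF0000">Successful ARCHIVE-move - 264 alert(s)</FONT><P><TABLE WIDTH="100%">
</BODY></HTML>'
SAMPLE_FAIL='<HTML><BODY><FONT COLOR="#FF0000">Database connection failed</FONT></BODY></HTML>'

# Stand-alone run: classify both samples.
printf '%s\n' "$SAMPLE_OK" | archive_result
printf '%s\n' "$SAMPLE_FAIL" | archive_result || true
```

In the wrapper, `output=$($WEB_DIR/ACID_Archive.php | archive_result)` gives a single token to log and an exit status to branch on, which is sturdier than counting grep hits on the raw HTML.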