[Snort-users] Distributed Snort management

Richard DeYoung webmaster at ...9253...
Wed May 21 21:13:07 EDT 2003


Ben,
Just a few suggestions....read below.


On Wed, 2003-05-21 at 21:15, Nelson, Ben wrote:
    I have many snort sensors that are distributed across  large
    geographic boundaries.  Maintaining and monitoring these
    installations is starting to become trouble-some. I have started
    using SnortCenter to manage and push out rules (which is working
    great BTW), but I need to figure out a good way to centralize the
    data and alerts that Snort comes up with.
    
    At first I thought that I could just make all of the sensors log to
    a centralized MySQL server (all logging to the same database) over
    stunnel or something like that, 
        I'm currently running with multiple sensors, geographically 
        distributed across various sections of the country and all
        sending alerts via an SSL tunnel back to the MySQL database. I
        don't yet have any need to provide an additional layer of
        redundancy by incorporating a MySQL instance in proximity to
        each sensor, but I am considering "tacking up" and instance to
        provide convergence for a few (two or three) sensors in each
        part of the country. 

    but what if a sensor loses connectivity to the MySQL server?  
       Then either your sensor traffic routing pathways need to be
       reconfigured in your network topology *or* you can look
       at implementing a MySQL instance as I mentioned above. If
       reconfiguring isn't feasible (due to political issues, or 
       other factors beyond your control), then the second option may
       provide more of what you're looking to achieve.
          In other words, you'll need to run a quick risk assessment,
       taking into account such things as 
             1) How often do you lose network connectivity to various
                part of your network topology?, 
             2) What are your organizations requirements with 
                regard to real-time and historical data analysis? and 
             3) How much latitude are you being given in how and where
                you're going to be able to place your sensors and
                databases?

    I'd lose all of the alerts generated during that time frame(I guess
    I could log them to flat files on disk as well, but that would
    defeat the purpose of using a database...no?)  
    You may lose alerts for that time frame but depending on how you
    how you've configured your portscan preprocessors, you should
    still be able to monitor some of what's happening on your network.

     If you go with logging to two separate outputs, you'll want to
     look at implementing barnyard to help with the back-end MySQL   
     processing.
    Then I though maybe I could set up TWO output directives to log all
    alerts to two separate databases (one local to
     the sensor and the remote one), but then re-synchronizing the
    sensor's database to the main MySQL server 
    becomes a problem when connectivity is re-established.  
    
    I could also just use MySQL's built in replication (over stunnel
    again).  
          Sounds like a great idea. I understand that MySQL v4.x
          natively supports SSL connections but I haven't had the time
          to run any tests in my current environment.
    That would solve my problem of re-synchronizing databases when
    connectivity came back (MySQL handles all of that), but then I'd
    have to have a separate database for each sensor since MySQL doesn't
    support replication of multiple masters to a single slave (does any
    database supported by snort do this?).  Ideally, I'd like to have
    all alerts from all sensors go into the SAME database.
    
    Is anyone else in a similar situation?  What did you do to
    centralize your alerts?  I'm really open to suggestions.....

           I'm attaching two scripts I use to help setup my stunnel
           tunnels, along with a "readme". HTH.
    .having ACID loaded onto EVERY sensor seems like a waste (not to
    mention a pain to check regularly).
           Not to mention the application and network security
           configurations that go along with that kind of setup ;-)

           Thanks,
           R. DeYoung
           webmaster at verticept dot com

-------------- next part --------------
#*******************************************
#$Revision: 1.3 $
#*******************************************
# Descr:
# This file declares values for all variables
# detailed in the stunnel startup script located
# in /etc/rc.d/init.d/stunnel
#*******************************************
# Dynamic stunnel values
# The role of Stunnel as it runs on this system will
# be defined here. Valid values are [client,server]
# An easier way to determine what the role of the system
# will be, is this: 
# If the system will initiate the connection and will
# write to it's loopback address before the encrypted
# stream is sent out over the network, then it's a client.
# Otherwise it's a server
#
# The Client/Server Port values must have matching
# entries in the /etc/services file. The values below will
# define the tunnel number, the client/server IP addresses
# to be used in the connection, the ports stunnel is able 
# to utilize, and any local service (imapd, mysqld, pop, etc)
# that must be checked/restarted during tunnel initialization.

# The field variables below are:
# A -> Tunnel "role"
# B -> Client IP
# C -> Client Port
# D -> Server IP
# E -> Server Port
# F-Z -> Local Service dependancies
#        NOTE: The local service dependancies will be restarted in the 
#              order they're listed in so BE CAREFUL !!
#                    A        B       C           D      E      F     G
S_PROTOCOL_TUNNEL1="client 127.0.0.1 mysql  172.16.25.26 mysqls mysqld"
S_PROTOCOL_TUNNEL2="client 127.0.0.1 mysql2 172.16.25.27 mysqls2 mysqld"

# Static stunnel values
S_USER=stunnel
S_GROUP=stunnel
S_PEM_FILE=/etc/.stunnel/sensor.pem
S_PID_FILE=/var/run/stunnel.pid
S_DEBUG_LEVEL=daemon.debug
S_LOG=/var/log/stunnel.log
S_LOCK_FILE=/var/lock/subsys/stunnel
-------------- next part --------------
ScriptNames:
          stunnel 	(should be placed in /etc/sysconfig/stunnel)
          init_d_stunnel(should be copied to /etc/init.d/stunnel)

Purpose:
          The purpose of these scripts is to provide not only a more automated
          means of starting the SSL-enabling application "stunnel", but also
          a way to impose dependancy checking on the applications you'll be 
          running in your SSL tunnels.

Platforms tested on:
          RedHat 7.2 and RedHat Linux 7.3  

Dependancies:
          stunnel-3.22
          initscripts-6.67-1 (needed for updates to the "/etc/init.d/functions" file)
          <insert name of application you'd like to tunnel, **here**>

Installation:
          1. copy the "stunnel" script to "/etc/sysconfig/stunnel"

               ex. cp stunnel /etc/sysconfig/stunnel

	  2. copy the "init_d_stunnel" script to "/etc/init.d/stunnel"
            
               ex. cp init_d_stunnel /etc/init.d/stunnel

          3. run 'chkconfig' to ensure that the service is successfully added to the
             startup routines

               ex. cd /etc/init.d/stunnel
                   chkconfig --add stunnel

          4. edit the /etc/sysconfig/stunnel file, making the necessary configuration
             changes to enable tunneling of your application.

          5. edit your applications configuration file/tables to ensure that when the
             application starts writing data to a local port, the local port will be
             the decrypted end of the stunnel connection on the local system.

          6. email the author (webmaster at ...9253...) with suggestions for improvements
           
-------------- next part --------------
#!/bin/bash
#*******************************************
#Revision 1.3  2003/04/07 14:57:42  rdeyoung
#
#Functions added:
#  "Start()"
#   This function accomplishes the following:
#    1. Determines how many tunnels need to be started, based on the configs
#       obtained from the Stunnel configuration file (usually located in
#       /etc/sysconfig/stunnel; This value can be changed in the SysV startup
#       script).
#    2. Loops through each of the tunnel definitions, parsing for pertinant
#       info to build the tunnels with. The command-line options are built,
#       based on the role (client or server) of the system as defined by
#       each tunnel definition stanza.
#    3. Starts the SSL tunnel with the correct options
#    4. Starts the dependant services, as defined in each tunnel's configuration
#       stanza
#
#  "StartDependants()"
#   This function accomplished the following:
#   1. Checks to see if any of the dependant services listed in each tunnel's
#      configuration stanza are active.
#      a) If they're not, the applicable service is started
#      b) If they are, the applicable service is restarted
#
#
#TODO:
#   1) Change the SysV init script so that the value of the "S_CONF" variable
#      is determined by the script itself, instead of referencing the config
#      file to determine where the config file lives.....duh !!!
#*******************************************
# chkconfig: 2345 30 76
# description: Program to start and stop the SSL Tunneling 
# application, "Stunnel"

# processname: stunnel
# config: /etc/sysconfig/stunnel
# pidfile: /var/run/stunnel.pid

#PROG=`basename $0`
#export PS4='[$PROG] Line: $LINENO '
#set -x
# Uncomment the three lines above to enable debugging

# Location of the main config file
S_CONF=/etc/sysconfig/stunnel

# Source function library.
. /etc/rc.d/init.d/functions

. /etc/sysconfig/network

# Source stunnel configuration
if [ -f ${S_CONF} ];
then
	. ${S_CONF}
fi

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

# Check to see if stunnel binary is executable; if it's not BAIL
if [ ! -x /usr/sbin/stunnel ];
then
    echo "Execution failed" 
    echo "Please check the permissions of the stunnel executable"
    logger -p daemon.info -t "stunnel" "Unable to start the stunnel executable"
    exit 1
fi

function Start()
{ 
    # Let's determine how many tunnels we need to start
    TOTAL_NUM_TUNNELS=`grep -c ^S_PROTOCOL_TUNNEL ${S_CONF}`

    # Loop through each of the tunnel definitions (obtained from the config
    # file, and parse for pertinant information)
    for (( TUNNEL_NUM=1 ; $TUNNEL_NUM <= $TOTAL_NUM_TUNNELS ; TUNNEL_NUM++ ))
    do
       grep ^S_PROTOCOL_TUNNEL$TUNNEL_NUM ${S_CONF} |
        awk -F"=" '{
                        gsub("\"","");
                        print $2
                   }'|
       while read TUNNEL_ROLE CLIENT_IP CLIENT_PORT SERVER_IP SERVER_PORT DEPENDANT_SVC1 DEPENDANT_SVC2 DEPENDANT_SVC3 
       do

         # Build command-line options based on role of system
         if [ ${TUNNEL_ROLE} = "client" ];
         then
            OPTIONS="-d ${CLIENT_IP}:${CLIENT_PORT} -r ${SERVER_IP}:${SERVER_PORT} -c -p ${S_PEM_FILE} -s ${S_USER} -g ${S_GROUP} -P ${S_PID_FILE} -D ${S_DEBUG_LEVEL} -o ${S_LOG}"
         elif [ ${TUNNEL_ROLE} = "server" ];
         then
            OPTIONS="-d ${CLIENT_IP}:${CLIENT_PORT} -r ${SERVER_IP}:${SERVER_PORT} -p ${S_PEM_FILE} -s ${S_USER} -g ${S_GROUP} -P ${S_PID_FILE} -D ${S_DEBUG_LEVEL} -o ${S_LOG}"
         fi
   
         cd /var/log/stunnel
         
         # Start SSL Tunnels with correct options
         echo -n "Starting stunnel: "
         daemon stunnel ${OPTIONS}
 
         # Start the dependant services AFTER the tunnel is up
         StartDependants

       done
       touch ${S_LOCK_FILE}
done

}

function StartDependants()
{ 
   for SERVICE in $DEPENDANT_SVC1 $DEPENDANT_SVC2 $DEPENDANT_SVC3
   do
      if [ -z "`pidofproc ${SERVICE}`" ];
      then
          echo "Starting ${SERVICE}"
          service ${SERVICE} start
      elif [ -n "`pidofproc ${SERVICE}`" ];
      then
          echo "Restarting ${SERVICE}"
          service ${SERVICE} restart
      fi
   done
}

	
# See how we were called.
case "$1" in
  start)
    Start
    ;;
  stop)
    echo -n "Stopping stunnel: "
    killproc stunnel
    rm -f ${S_LOCK_FILE}
    echo
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  status)
    status $0 
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|status}"
    exit 1
esac

exit 0


More information about the Snort-users mailing list