SnIPS: Snort Intrusion analysis using Proof Strengthening
Table of Contents
- Quick Overview
- Software Requirements
- Quick Start
- Interface
- Contacts
1. Quick Overview
SnIPS is a tool for intrusion analysis. It takes Snort alerts as input and reasons about which of them indicate high-confidence attacks.
2. Software Requirements
Operating Systems
The current version of SnIPS is tested on the Linux 2.6 operating system.
Python and MySQLdb
The alert translator script is written in Python and requires Python 3.2.2 or later and MySQLdb, the Python DB API 2.0 MySQL database interface.
Snort and Snort Rules
Snort is an open-source, rule-based network intrusion detection system. It monitors network traffic and alerts on suspicious activity. While these alerts can be stored in many formats, SnIPS requires Snort to be configured to output its alerts into a MySQL database. Please refer to the Snort manual to compile and install Snort with MySQL support. Snort depends on several libraries such as libpcap and pcre; Ubuntu users can install them through the package manager.
SnIPS currently supports Snort rule version 2.9x, which can be downloaded here. Free registration is required to download the rules.
SnIPS also needs the Snort rule documentation, available here.
MySQL
MySQL is required for storing the alerts from Snort. SnIPS also uses it to store its processing information and final results.
Apache
The user will need to install the latest Apache server to run the PHP web interface for the tool.
PHP5
The user will need to install PHP5 and the modules it requires for the MySQL and Apache servers.
XSB
XSB is a Logic Programming and Deductive Database system. It is used by the reasoning engine of SnIPS. Please download and install the UNIX/Linux version of XSB 3.3.5 from here. XSB must be configured with the database drivers option "--with-dbdrivers", and the MySQL client development library "libmysqlclient-dev" must be installed before building XSB.
Others
- Check that your system has the latest Java SE Runtime Environment.
- Check whether GraphViz is already installed on your system by typing "dot". If GraphViz is not installed, you need to install it from here.
For Linux Ubuntu users
Steps to install SnIPS on Ubuntu:
- Install Linux 2.6.32-36-generic-pae (Ubuntu 10.04) from here.
- Install Snort by getting the 2.9X source code from here. The user can follow the installation instructions for Ubuntu 10.04 here.
- Install the Python MySQL module: "sudo apt-get install python-mysqldb"
- Install GraphViz: "sudo apt-get install graphviz"
- Install java and javac:
- sudo apt-get install openjdk-6-jre-headless
- sudo apt-get install openjdk-6-jdk
- Download XSB v.3.3.5 from here; the user should pass "--with-dbdrivers" when configuring XSB.
3. Quick Start
Unpack the tar file using the following command.
$ tar xzf snips.tar.gz
Then change directory to snips:
$ cd snips
Set the environment variable SNIPS_ROOT to the snips folder:
$ cd snips
$ SNIPS_ROOT=$PWD
$ export SNIPS_ROOT
It is useful to add the SNIPS_ROOT environment variable to the user's shell initialization script, such as ~/.bashrc.
To set up SnIPS, run:
$ cd setup
$ sh setup.sh
setup.sh will take you through multiple steps.
To prepare the user interface, SnIPS needs the Apache server. setup.sh will ask for the path to the Snort rules, and for the path to the "snort rule documentation", which can be downloaded from the Snort website.
SnIPS needs Snort to be running and writing its output to a MySQL database. While running setup.sh, the user will therefore be asked to enter the configuration of the Snort MySQL database.
setup.sh will then ask for the network IPs. SnIPS needs the IP ranges of the local network so that it can reason about which hosts are local. Each entry is at most a class B network, or a single IP. For example, the user can write: 192.168.1.*,129.130.*.*,192.168.4.5 or simply 192.168.1.*
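The local-network entries that setup.sh asks for follow a small format: four dot-separated octets, with trailing octets replaced by "*" to denote a range, and at most two wildcards (a class B). The following parser and membership check is an added example written for this page; it is not part of SnIPS and does not reproduce how setup.sh itself stores or validates the entries. It assumes "*" is only meaningful in trailing positions, as in the examples above, and that each wildcard octet widens the range by 8 bits.

```python
import ipaddress
from typing import List

def parse_local_network_spec(spec: str) -> List[ipaddress.IPv4Network]:
    """Parse a comma-separated list such as '192.168.1.*,129.130.*.*,192.168.4.5'.

    Each entry becomes one IPv4Network. A trailing '*' octet widens the
    network by 8 bits; at most two wildcards (a class B, /16) are accepted,
    matching the constraint stated for setup.sh. Anything else is rejected,
    so a typo in the configuration fails loudly instead of silently
    marking the wrong hosts as local.
    """
    networks = []
    for raw in spec.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a stray trailing comma
        octets = entry.split(".")
        if len(octets) != 4:
            raise ValueError(f"{entry!r}: expected four dot-separated octets")

        # Count wildcards from the right; '*' may not precede a concrete octet.
        n_wild = 0
        for octet in reversed(octets):
            if octet != "*":
                break
            n_wild += 1
        if any(o == "*" for o in octets[: 4 - n_wild]):
            raise ValueError(f"{entry!r}: '*' is only allowed in trailing octets")
        if n_wild > 2:
            raise ValueError(f"{entry!r}: at most a class B range (two '*') is allowed")

        fixed = []
        for octet in octets[: 4 - n_wild]:
            if not octet.isdigit() or not 0 <= int(octet) <= 255:
                raise ValueError(f"{entry!r}: bad octet {octet!r}")
            fixed.append(int(octet))
        fixed += [0] * n_wild  # host bits are zero for the network address
        prefix_len = 32 - 8 * n_wild
        networks.append(ipaddress.IPv4Network((".".join(map(str, fixed)), prefix_len)))
    return networks

def is_local(ip: str, networks: List[ipaddress.IPv4Network]) -> bool:
    """True if the address falls inside any configured local-network entry."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in networks)

if __name__ == "__main__":
    # Constructed sample input, the same spec quoted in the text above.
    nets = parse_local_network_spec("192.168.1.*,129.130.*.*,192.168.4.5")
    for net in nets:
        print(net)
    print(is_local("129.130.10.20", nets), is_local("10.0.0.1", nets))
```

Parsing into IPv4Network objects rather than doing string-prefix matching avoids the classic mistake where "192.168.1.*" would also match "192.168.10.5" under a naive startswith check.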
If all the requirements are met, setup.sh creates the scripts required for running the tool. The main script is placed in the bin folder; change to "bin/" to use the "snips.sh" script.
The main script snips.sh works on a time range. For example, to see whether any machines were compromised from DEC-11 until DEC-13, the user can write:
$ sh snips.sh 2011-12-11 00:00:00 2011-12-13 23:59:59
As another example, to check the working day of DEC-10-2011:
$ sh snips.sh 2011-12-10 08:00:00 2011-12-10 17:00:00
snips.sh runs in two stages:
- Pre-processing: the goal of this stage is to translate the alerts and reduce the amount of information entering the reasoning engine. The pre-processing stage takes several minutes for a large alert input (e.g. 200k alerts). The user can avoid this delay by accumulating the pre-processing results on an hourly basis using a cron job. The user can contact us for further help in this regard.
- Reasoning: the goal of this stage is to build attack scenarios and calculate the belief of each one.
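Both the snips.sh invocations above and the hourly cron-job suggestion hinge on the same "YYYY-MM-DD HH:MM:SS" start/end pair. The helper below is an added example, not part of SnIPS: it validates such a pair before it reaches the script, splits a long range into one-hour windows (the granularity the pre-processing note suggests), and computes the window an hourly cron job would pass for the hour that just ended. It only produces the argument pairs; how SnIPS stores accumulated pre-processing results is not described on this page and is not assumed here.

```python
from datetime import datetime, timedelta
from typing import List, Tuple

# Timestamp format snips.sh takes on its command line (as shown in the text above).
FMT = "%Y-%m-%d %H:%M:%S"

def parse_window(start: str, end: str) -> Tuple[datetime, datetime]:
    """Validate a start/end pair and return it as datetimes.

    Rejects malformed timestamps and inverted or empty ranges so that a bad
    argument is caught before the (slow) pre-processing stage runs.
    """
    try:
        t0 = datetime.strptime(start, FMT)
        t1 = datetime.strptime(end, FMT)
    except ValueError as exc:
        raise ValueError(f"timestamps must be 'YYYY-MM-DD HH:MM:SS': {exc}") from None
    if t1 <= t0:
        raise ValueError("end must be later than start")
    return t0, t1

def hourly_windows(start: str, end: str) -> List[Tuple[str, str]]:
    """Split [start, end] into consecutive one-hour windows.

    Each element is the (start, end) argument pair for one snips.sh run;
    the final window is clipped to the requested end.
    """
    t0, t1 = parse_window(start, end)
    windows = []
    cur = t0
    while cur < t1:
        nxt = min(cur + timedelta(hours=1), t1)
        windows.append((cur.strftime(FMT), nxt.strftime(FMT)))
        cur = nxt
    return windows

def previous_hour_window(now: datetime) -> Tuple[str, str]:
    """Window for the hour that just ended, i.e. what an hourly cron job
    started shortly after the top of the hour would pass to snips.sh."""
    top = now.replace(minute=0, second=0, microsecond=0)
    return ((top - timedelta(hours=1)).strftime(FMT), top.strftime(FMT))

def snips_command(start: str, end: str) -> List[str]:
    """argv for one snips.sh run over a validated window.

    Building an argument list instead of a shell string keeps a hostile
    timestamp (e.g. one containing ';') from ever being interpreted by a shell.
    """
    parse_window(start, end)
    return ["sh", "snips.sh", start, end]

if __name__ == "__main__":
    # The working-day example from the text, split into hourly runs.
    for s, e in hourly_windows("2011-12-10 08:00:00", "2011-12-10 17:00:00"):
        print(" ".join(snips_command(s, e)))
    # Constructed "current time" for a cron run at 09:05.
    print(previous_hour_window(datetime(2011, 12, 10, 9, 5, 0)))
```

Run it from the bin/ directory (or prefix the command with "$SNIPS_ROOT/bin/") to hand each window to snips.sh with subprocess.run(snips_command(s, e)).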
4. Interface
The user can view the output in a web browser at:
http://localhost/snipsInterface/snipsMain.html
Snips Ranked Graphs List: a ranking of the compromised machines in the local network. The most critical compromised machine is at the top of the list. Each compromised fact can be clicked to inspect its supporting evidence. See doc/snipsManual.pdf for further help with the PHP interface.
Snips Visual Ranked Graphs: this link shows the SnIPS output as visual graphs, one graph per machine in the network, ranked by belief from high to low. In each graph the groups of Snort alerts (skolems) are the source nodes. Each skolem node points to the node it supports, and so on, until the sink node "compromised(IP)".
Snort Ranked Alerts: the user can also check the ranking of the raw Snort alerts.
5. Contacts
For questions and bug reports please send an email to snips-feedback [AT] projects.cis.ksu.edu
Contributors
ACKNOWLEDGMENTS
The SnIPS project has been partially supported by the
National Science Foundation under Grant No. 0716665, 0954138, and 1018703, by
AFOSR under award No. FA9550-09-1-0138, and by HP Labs Innovation
Research Program. Any opinions, findings and conclusions or recommendations expressed in this material are those
of the authors and do not necessarily reflect the views of the sponsors.
Last updated on Nov 22, 2013
Argus - Cyber security research group at Kansas State University