Snort Monitor 1.1.2
sntm is a Qt-based GUI snort monitor. Currently it can monitor multiple snort sensors from one centralized monitor screen. Each snort sensor opens an SSL-encrypted communication thread to the monitor server, and each communication channel has its own certificate and private key.
NOTE
To compile sntm, you need openssl-0.9.7+, qt-x11-3.2.1+ and libiodbc-3.51.1 installed on your Linux machine, then do the following:
If OpenSSL and Qt are installed under your own directories:
# ./configure --with-ssl-dir=your-openssl-DIR --with-qt-dir=your-qt-DIR \
    --with-iodbc-dir=your-iodbc-DIR
- otherwise
# ./configure
After configuration,
# make
# make install
Check the "cafile" and "caprvkey" tags in your mconfig.xml file and make sure they match the locations where your certificate and private key are installed.
To use the database, set the "dbname", "dbuser" and "psword" tags in your mconfig.xml file to match your database configuration. To create the MySql database tables, use the mysql.sql file that comes with the package. Currently tested with mysql-4.0.16 and libiodbc-3.51.1; you can download mysql-4.0.16, the ODBC driver for MySql and an installation guide from http://www.mysql.org. This package comes with a compiled MySql ODBC driver and a sample odbc.ini file; for other database ODBC drivers and configuration information for libiodbc, go to http://www.iodbc.org.
To generate reports, set the "browser" tag in your mconfig.xml file to your default browser, e.g. mozilla, netscape ...
To build Snort with the sntm plugin, copy the following files into your snort-2.0.4 directories:
spo_monitor.c, spo_monitor.h -> snort-2.0.4/src/output-plugins
sntm.rules -> snort-2.0.4/rules
and run the snort configure script as:
# ./configure --prefix=/your-install-DIR
then do the following to build and install snort:
# cd ../
# patch -p0 < snort-2.0.4.patch
# make
# make install
To create the Reference data, run the 'rfnimport' tool that comes with the package as:
# rfnimport -r reference.config -d dbname -u dbuser -p dbpasswd rule_files ...
This package includes a sample certificate/private key pair for testing. To create your own self-signed CA certificate/private key pair, use openssl:
# openssl req -newkey rsa:1024 -days 365 -nodes -new -x509 \
-out cacert.pem -keyout caprivkey.pem
You have to copy your cacert.pem to the location referenced by your sntm.rules file. The format of the sntm.rules file is:
# Alert output sntm IP address sntm Port Sensor ID Full path of CA
output alert_monitor: ipaddr=192.168.1.3 port=2001 snsrid=10 cert=./cert.pem
Also, append sntm.rules to your snort.conf as:
include sntm.rules
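The checks a practitioner would run before restarting snort with a new sntm.rules, written here as an added Python example (not part of sntm or Snort): parse and validate the `output alert_monitor:` line shown above, and confirm that a certificate/private key pair, such as the cafile/caprvkey entries in mconfig.xml, actually belong together. The field names ipaddr, port, snsrid and cert come from this README; the accepted value ranges and the helper names are assumptions made for the example.

```python
"""Pre-flight checks for an sntm sensor setup.

Added example, not part of sntm or Snort. It validates the single
`output alert_monitor:` line that the README documents for sntm.rules
(field names ipaddr, port, snsrid and cert come from the README) and
checks that a certificate and private key, such as the cafile/caprvkey
pair referenced from mconfig.xml, belong together. The value ranges and
helper names below are assumptions made for illustration.
"""
import ipaddress
import ssl

PLUGIN_PREFIX = "output alert_monitor:"
REQUIRED_KEYS = ("ipaddr", "port", "snsrid", "cert")

# The example line from the README, used here as constructed sample input.
SAMPLE_RULES = """\
# Alert output sntm IP address sntm Port Sensor ID Full path of CA
output alert_monitor: ipaddr=192.168.1.3 port=2001 snsrid=10 cert=./cert.pem
"""


def parse_alert_monitor(line):
    """Parse one `output alert_monitor:` line into validated fields.

    Raises ValueError naming the offending field, so a typo in sntm.rules
    is caught before snort is restarted with it.
    """
    body = line.strip()
    if not body.startswith(PLUGIN_PREFIX):
        raise ValueError("not an alert_monitor output line: %r" % line)
    fields = {}
    for token in body[len(PLUGIN_PREFIX):].split():
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError("expected key=value, got %r" % token)
        if key in fields:
            raise ValueError("duplicate key %r" % key)
        fields[key] = value
    missing = [k for k in REQUIRED_KEYS if k not in fields]
    if missing:
        raise ValueError("missing required key(s): %s" % ", ".join(missing))
    # A literal IPv4/IPv6 address, as in the README's example; a hostname
    # or an out-of-range octet is rejected by ipaddress with ValueError.
    ipaddr = str(ipaddress.ip_address(fields["ipaddr"]))
    port = int(fields["port"])
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    snsrid = int(fields["snsrid"])
    if snsrid < 0:
        raise ValueError("snsrid must be non-negative: %d" % snsrid)
    if not fields["cert"]:
        raise ValueError("cert path is empty")
    return {"ipaddr": ipaddr, "port": port, "snsrid": snsrid,
            "cert": fields["cert"]}


def rules_error(line):
    """Return the validation error for one line, or None if it is valid."""
    try:
        parse_alert_monitor(line)
    except ValueError as exc:
        return str(exc)
    return None


def parse_sntm_rules(text):
    """Validate the contents of an sntm.rules file, skipping blank lines
    and '#' comments; errors are reported with their line number."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        try:
            entries.append(parse_alert_monitor(stripped))
        except ValueError as exc:
            raise ValueError("line %d: %s" % (lineno, exc))
    return entries


def cert_key_match(certfile, keyfile):
    """Return True only if keyfile is the private key for certfile.

    OpenSSL, reached through the ssl module, refuses to load a chain whose
    key does not correspond to the certificate, so this is the same check
    as comparing the README's cafile and caprvkey entries by hand.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile, keyfile)
    except OSError:  # ssl.SSLError is an OSError; also covers missing files
        return False
    return True


if __name__ == "__main__":
    import sys
    for entry in parse_sntm_rules(SAMPLE_RULES):
        print("sensor %(snsrid)d -> %(ipaddr)s:%(port)d, CA %(cert)s" % entry)
    # Real files go on the command line, e.g. cacert.pem caprivkey.pem.
    if len(sys.argv) == 3:
        print("cert/key match:", cert_key_match(sys.argv[1], sys.argv[2]))
```

Run it with the two paths from your mconfig.xml to confirm the pair loads; a False result on an existing pair means the key in caprvkey does not belong to the certificate in cafile, which is the misconfiguration the note above warns about.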
TESTED PLATFORMS
- Linux (2.4.22) with glibc 2.3.2
GETTING SNTM
The primary distribution site for sntm is http://sntm.sourceforge.net
OTHER
Please note that sntm is currently ONLY tested under Linux; it MAY not compile or operate correctly on other platforms.
OpenSSL can be retrieved from http://www.openssl.org
Free Qt version can be retrieved from http://www.trolltech.com
IODBC can be retrieved from http://www.iodbc.org
GNU make, automake and autoconf can be found at ftp://ftp.gnu.org
Any contributions (testing, comments, bug reports, enhancements etc) are greatly appreciated.
COPYRIGHT
Copyright (C) 2001, 2002 Min Hsu <minh1970@yahoo.com> All Rights Reserved
This file is part of the sntm program.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; see the file COPYING. If not, write to the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
