Performing Real-Time Data Analysis
Problem
You want to view alerts and data analysis in real time.
Solution
Use the Snort Alert Monitor (SAM) to view alerts and data analysis in real time. At the time of this writing, the latest version is sam_20040323_bin.zip. Use the following steps to install SAM on Windows:
- Install the Java Virtual Machine. At the time of this writing, the latest version is 1.4.2_05. Download and unzip the sam_20040323_bin.zip file to C:\SAM.
- Open a command prompt, change to the C:\SAM directory, and execute the following command:
C:\SAM>java -jar sam.jar
You could also add the java command line for SAM to a Windows batch file or Unix script to easily start up SAM.
- SAM will start, and you will see the main window and the database login window. You must authenticate to the Snort database for the main SAM window to become active (Figure 6-4).
Figure 6-4. SAM authentication
- The main SAM window will now become active, and Connected to Database is displayed at the bottom of the window (Figure 6-5).
Figure 6-5. SAM main window
Use the following steps to install SAM on Linux:
- Install the Java Virtual Machine. Download and install the j2re-1_4_2_05-linux-i586-rpm.bin file.
[root@localhost root]# chmod a+x j2re-1_4_2_05-linux-i586-rpm.bin
[root@localhost root]# ./j2re-1_4_2_05-linux-i586-rpm.bin
[root@localhost root]# rpm -Uvh j2re-1_4_2_05-linux-i586.rpm
- Download and install SAM:
[root@localhost root]# mkdir SAM
[root@localhost root]# cd SAM
[root@localhost SAM]# unzip ../sam_20040323_bin.zip
[root@localhost SAM]# /usr/java/j2re1.4.2_05/bin/java -jar sam.jar
- SAM will start and you will see the main window and the database login window. You must authenticate to the Snort database for the main SAM window to become active (Figure 6-4).
- The main SAM window will now become active, and Connected to Database is displayed at the bottom of the window (Figure 6-5).
Discussion
SAM is a real-time monitor for Snort alerts. It runs on Windows, Unix, and Mac OS. SAM provides a high-level overview of the status of your environment. For example, if you are attacked 150 times in a five-minute period, you might choose to receive an alert either on screen with a large stoplight graphic, through an alert sound, or via email. SAM is a nice addition to your Snort/ACID environment. To troubleshoot SAM, click on the SAM log tab for status and information.
There are a few prerequisites to running SAM:
- Ensure that a MySQL database is installed and configured to work with Snort.
- Ensure that Snort is installed and configured and logging to the MySQL database.
- Install the Java Virtual Machine.
You may want to edit the settings in the /conf/sam.properties file, particularly the email settings. Email is disabled by default. If you want this feature, you must enable it by setting the email.active variable to true and configuring the email server, sender, and receiver. The email.to variable can contain multiple, comma-separated email addresses. Emails are sent only when the alertlevel.high threshold is triggered. This parameter is the number of alerts received during a five-minute period that classifies the period as high. You will also want to change the DatabaseUID variable to something more relevant to your environment than the default Mike's House. The mainpanel.refresh variable determines the number of minutes between refreshes of the main display and graphs.
#Tue Mar 23 14:45:59 CST 2004
email.from=snort@your-domain.com
LogFileLogger.LogFile=log/sam.log
email.host=your.smtp.server.com
email.to=your@email.com
AttackColumns=9,3,0,10,8,2
alertlevel.medium=100
DatabaseUID=Mike's House
Lookup-Threshhold=0.25
DisableLookup=false
alertlevel.high=150
mainpanel.refresh=5
DatabaseType=MySQL
DataSource=Local-Host
email.active=false
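The settings above are easy to leave at their defaults, and the recipe's two most important ones (the email switch and the alert thresholds) only show their effect once traffic arrives. The following is an added example, not code from the SAM project or the original recipe: it parses a Java-style properties file like sam.properties, reports the settings a practitioner would want to fix before relying on SAM (default DatabaseUID, thresholds out of order, email enabled without a server or recipient), and classifies a trailing five-minute alert count against alertlevel.medium and alertlevel.high the way the discussion describes. The sample properties and the burst of alert timestamps are constructed for the example; the function names are assumptions of this example, not SAM's own.

```python
"""Added example (not part of SAM or the original recipe): parse a Java-style
sam.properties file, sanity-check the settings the recipe discusses, and map a
five-minute alert count to SAM's normal/medium/high levels."""
from datetime import datetime, timedelta

# Constructed sample configuration mirroring the defaults shown in the recipe.
SAMPLE_PROPERTIES = """\
#Tue Mar 23 14:45:59 CST 2004
email.from=snort@your-domain.com
email.host=your.smtp.server.com
email.to=your@email.com
alertlevel.medium=100
DatabaseUID=Mike's House
alertlevel.high=150
mainpanel.refresh=5
DatabaseType=MySQL
email.active=false
"""


def parse_properties(text):
    """Parse key=value (or key:value) lines; '#' and '!' lines are comments in Java .properties."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def check_properties(props):
    """Return findings a reviewer would act on before trusting SAM's notifications."""
    findings = []
    if props.get("DatabaseUID") == "Mike's House":
        findings.append("DatabaseUID still has the default 'Mike's House'")
    try:
        if int(props.get("alertlevel.medium", "")) >= int(props.get("alertlevel.high", "")):
            findings.append("alertlevel.medium must be below alertlevel.high")
    except ValueError:
        findings.append("alertlevel.medium/high must be integers")
    try:
        if int(props.get("mainpanel.refresh", "")) < 1:
            findings.append("mainpanel.refresh must be a positive number of minutes")
    except ValueError:
        findings.append("mainpanel.refresh must be an integer")
    if props.get("email.active", "false").lower() == "true":
        # Email only works if server, sender and recipients are all filled in.
        for key in ("email.host", "email.from", "email.to"):
            if not props.get(key):
                findings.append(f"email.active=true but {key} is empty")
        recipients = [a.strip() for a in props.get("email.to", "").split(",")]
        bad = [a for a in recipients if "@" not in a]
        if bad:
            findings.append(f"email.to has malformed addresses: {bad}")
    else:
        findings.append("email.active=false: no email notification at the high alert level")
    return findings


def alert_level(timestamps, now, props, window=timedelta(minutes=5)):
    """Count alerts in the trailing window and map the count to SAM's levels."""
    count = sum(1 for t in timestamps if now - window < t <= now)
    if count >= int(props["alertlevel.high"]):
        return "high", count
    if count >= int(props["alertlevel.medium"]):
        return "medium", count
    return "normal", count


def run_demo():
    """Check the sample config and classify a constructed alert burst."""
    cfg = parse_properties(SAMPLE_PROPERTIES)
    now = datetime(2004, 3, 23, 14, 45)
    # Constructed burst: 160 alerts in the last three minutes plus 50 older ones
    # that fall outside the five-minute window and must not be counted.
    burst = [now - timedelta(seconds=i) for i in range(160)]
    old = [now - timedelta(minutes=10)] * 50
    return check_properties(cfg), alert_level(burst + old, now, cfg)


if __name__ == "__main__":
    findings, level = run_demo()
    for f in findings:
        print("finding:", f)
    print("alert level:", level)
```

Run it against a real sam.properties by replacing SAMPLE_PROPERTIES with the file's contents; the findings list is empty only when the thresholds are ordered, the refresh interval is positive, the DatabaseUID has been changed, and email is enabled with a host, sender and well-formed recipients.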
To log in, you must have the following information:
Database
The database ID that is configured in the sam.properties file.
Database type
The type of database to which you are connecting. MySQL and PostgreSQL are currently supported.
Hostname
The hostname of the system with the Snort database and the port on which the database is listening.
Database name
The name of the Snort database.
Username
The username to access the Snort database.
Password
The password for the username.
See Also
http://freesoftware.lookandfeel.com/sam/
http://java.com/en/download/manual.jsp
Recipe 2.11
Recipe 2.12