SnIPS: Snort Intrusion analysis using Proof Strengthening

Table of Contents

  1. Quick Overview
  2. Software Requirements
  3. Quick Start
  4. Interface
  5. Contacts

1. Quick Overview

SnIPS is a tool for intrusion analysis. It takes Snort alerts as input and reasons about which of them indicate high-confidence attacks.

2. Software Requirements

Operating Systems

The current version of SnIPS has been tested on Linux with a 2.6 kernel.

Python and MySQLDB

The alert translator script is written in Python and requires Python 3.2.2 or later and MySQLdb, the Python DB-API 2.0 interface to MySQL.

Snort and Snort Rules

Snort is an open-source, rule-based network intrusion detection system that monitors network traffic and raises alerts on suspicious activity. Snort can store alerts in many formats, but for use with SnIPS it must be configured to write alerts to a MySQL database. Refer to the Snort manual for compiling and installing Snort with MySQL support. Snort depends on several libraries such as libpcap and PCRE; Ubuntu users can install them with the package manager.

SnIPS currently supports Snort rules version 2.9.x, which can be downloaded here. Free registration is required to download the rules.

SnIPS also needs the Snort rule documentation, available here.

MySQL

MySQL is required for storing the alerts from Snort. SnIPS also uses it to store its intermediate processing data and final results.

Apache

The latest Apache HTTP server is required to serve the tool's PHP web interface.

PHP5

PHP5 is required, together with its MySQL and Apache modules.

XSB

XSB is a Logic Programming and Deductive Database system; it is used by the reasoning engine of SnIPS. Download and install the UNIX/Linux version of XSB 3.3.5 from here. XSB must be configured with the database drivers option "--with-dbdrivers", and the MySQL client development library (libmysqlclient-dev) must be installed before XSB is built.

Others

For Linux Ubuntu users

Steps for installing SnIPS on Ubuntu:

3. Quick Start

Unzip and untar the archive:
$ tar xzf snips.tar.gz
Then change into the snips directory:
$ cd snips
Set the environment variable SNIPS_ROOT to the snips directory (the current directory after the cd above):
$ SNIPS_ROOT=$PWD
$ export SNIPS_ROOT
It is useful to add SNIPS_ROOT to the user's shell initialization script, such as ~/.bashrc, so that it is set in every session.

To set up SnIPS, run:

$ cd setup
$ sh setup.sh

setup.sh will take you through several steps.

setup.sh prepares the web interface served by Apache, so it will ask for the path to the Snort rules and for the path to the Snort rule documentation; both can be downloaded from the Snort website.

SnIPS needs Snort to be running and writing its alerts to a MySQL database, so setup.sh will ask for the connection details of the Snort MySQL database.

setup.sh then asks for the IP ranges of the local network, which SnIPS uses to reason about which hosts are local. Each entry is either a single IP or a range with trailing wildcard octets; the largest accepted range is a class B (two wildcard octets). For example, the user can write 192.168.1.*,129.130.*.*,192.168.4.5, or simply 192.168.1.*

If all requirements are met, setup.sh generates the scripts needed to run the tool; the main script, snips.sh, is placed in the bin folder. Change to bin/ and run snips.sh with a start and an end timestamp (YYYY-MM-DD HH:MM:SS); it analyzes the alerts logged in that time range. For example, to check whether any machines were compromised from Dec 11 to Dec 13, 2011:
$ sh snips.sh  2011-12-11 00:00:00 2011-12-13 23:59:59
Or, to check the working day of Dec 10, 2011:
$ sh snips.sh  2011-12-10 08:00:00 2011-12-10 17:00:00
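The following is an added example, not code from the SnIPS project, illustrating the two inputs described above: the local-network specification entered during setup (single IPs or ranges with trailing wildcards, at most a class B) and the time range passed to snips.sh. It parses the network specification into prefixes, validates the timestamp pair, and selects the Snort alerts in that window from a database, tagging each alert by direction relative to the local network. The table layout (event, signature, iphdr with addresses stored as 32-bit integers) is an assumed subset of Snort's database output schema, an in-memory SQLite database stands in for MySQL, and the alerts and rule names are constructed for this example; how SnIPS itself validates the specification is not documented on this page, so the validation rules below are this example's own reading of the text.

```python
import ipaddress
import sqlite3
from datetime import datetime

TIME_FMT = "%Y-%m-%d %H:%M:%S"   # the timestamp format snips.sh takes


def parse_local_network(spec):
    """Parse the setup.sh answer, e.g. '192.168.1.*,129.130.*.*,192.168.4.5'.

    Each item is a single IP or a range whose trailing octets are '*';
    at most two wildcard octets (a class B /16) are accepted. These rules are
    inferred from the README text (assumption), not SnIPS's own parser."""
    nets = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        octets = item.split(".")
        if len(octets) != 4:
            raise ValueError(f"{item!r}: expected four dotted octets")
        stars = sum(1 for o in octets if o == "*")
        if stars > 2:
            raise ValueError(f"{item!r}: at most a class B (two '*' octets) is accepted")
        fixed = octets[: 4 - stars]
        if "*" in fixed:
            raise ValueError(f"{item!r}: '*' may only replace the trailing octets")
        if not all(o.isdigit() and int(o) <= 255 for o in fixed):
            raise ValueError(f"{item!r}: octets must be 0-255")
        base = ".".join(fixed + ["0"] * stars)
        nets.append(ipaddress.ip_network(f"{base}/{32 - 8 * stars}"))
    return nets


def is_local(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def parse_window(start, end):
    """Validate the two snips.sh arguments and make sure they are ordered."""
    s, e = datetime.strptime(start, TIME_FMT), datetime.strptime(end, TIME_FMT)
    if s > e:
        raise ValueError("start of the time range is after its end")
    return s, e


# Assumed subset of the Snort database output schema (assumption): one row per
# alert in event, the rule text in signature, and the IP header in iphdr with
# addresses stored as unsigned 32-bit integers.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_priority INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    PRIMARY KEY (sid, cid));
"""


def ip2int(s):
    return int(ipaddress.ip_address(s))


def build_sample_db():
    """In-memory stand-in for the Snort MySQL database with constructed alerts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?,?,?)", [
        (1, "EXAMPLE port scan", 3),            # constructed rule names
        (2, "EXAMPLE exploit attempt", 1),
        (3, "EXAMPLE outbound IRC connection", 2),
    ])
    conn.executemany("INSERT INTO event VALUES (?,?,?,?)", [
        (1, 1, 1, "2011-12-10 09:15:00"),       # inside the Dec 10 working day
        (1, 2, 2, "2011-12-11 03:20:00"),       # inside Dec 11-13
        (1, 3, 3, "2011-12-12 22:05:00"),       # inside Dec 11-13
        (1, 4, 1, "2011-12-14 00:00:01"),       # outside both windows
    ])
    conn.executemany("INSERT INTO iphdr VALUES (?,?,?,?)", [
        (1, 1, ip2int("203.0.113.9"), ip2int("192.168.1.20")),   # inbound
        (1, 2, ip2int("203.0.113.9"), ip2int("129.130.5.6")),    # inbound
        (1, 3, ip2int("129.130.5.6"), ip2int("198.51.100.7")),   # outbound
        (1, 4, ip2int("192.168.4.5"), ip2int("192.168.1.2")),    # internal
    ])
    return conn


def alerts_in_window(conn, start, end, nets):
    """Alerts with start <= timestamp <= end, tagged by direction w.r.t. the local net."""
    s, e = parse_window(start, end)
    rows = conn.execute(
        "SELECT e.timestamp, g.sig_name, g.sig_priority, i.ip_src, i.ip_dst "
        "FROM event e JOIN signature g ON g.sig_id = e.signature "
        "JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid "
        "WHERE e.timestamp BETWEEN ? AND ? ORDER BY e.timestamp",
        (s.strftime(TIME_FMT), e.strftime(TIME_FMT)),
    ).fetchall()
    direction = {(True, True): "internal", (True, False): "outbound",
                 (False, True): "inbound", (False, False): "external"}
    out = []
    for ts, name, prio, src, dst in rows:
        src_s, dst_s = str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst))
        out.append({"time": ts, "sig": name, "priority": prio, "src": src_s,
                    "dst": dst_s, "direction": direction[(is_local(src_s, nets),
                                                          is_local(dst_s, nets))]})
    return out


if __name__ == "__main__":
    local = parse_local_network("192.168.1.*,129.130.*.*,192.168.4.5")
    for alert in alerts_in_window(build_sample_db(), "2011-12-11 00:00:00",
                                  "2011-12-13 23:59:59", local):
        print(alert)
```

The direction tag is the kind of fact the local-network ranges make available to the reasoning stage: an alert whose destination is local supports a claim about that host, while an alert between two external addresses says nothing about the monitored network. The BETWEEN comparison works on the text timestamps only because they are zero-padded YYYY-MM-DD HH:MM:SS strings, which sort chronologically; against a real MySQL DATETIME column the same parameterized query applies without the string caveat.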

snips.sh runs in two stages:

4. Interface

The output can be viewed in a web browser at:

http://localhost/snipsInterface/snipsMain.html

Snips Ranked Graphs List: a ranking of the compromised machines in the local network, with the most critical compromised machine at the top. Each compromised fact can be clicked to inspect the evidence supporting it. See doc/snipsManual.pdf for more help with the PHP interface.

Snips Visual Ranked Graphs: this link shows the SnIPS output as visual graphs, one per machine in the network, ranked by belief from high to low. In each graph the source nodes are groups of Snort alerts (skolems); each skolem node points to the node it supports, and so on down to the sink node "compromised(IP)".

Snort Ranked Alerts: a ranking of the raw Snort alerts.

5. Contacts

For questions and bug reports please send an email to snips-feedback [AT] projects.cis.ksu.edu

Contributors

ACKNOWLEDGMENTS

The SnIPS project has been partially supported by the National Science Foundation under Grant No. 0716665, 0954138, and 1018703, by AFOSR under award No. FA9550-09-1-0138, and by HP Labs Innovation Research Program. Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsors.
Last updated on Nov 22, 2013

Argus - Cyber security research group at Kansas State University