farm9.org
Open Source Security Tools for the Security Professional
Home
Projects
Harvester Project
Cryptcat Project
Audit Tools Project
Mudpit Project
Mailing Lists
Mailing List Info
Harvester Archives
Cryptcat Archives
Audit Tools Archives
General
Call for Participation
Press/News
Sponsors
Licensing
Contact Us

Mudpit

Background

The unified plugin allows Snort to write its alerts and logs into continuous binary files spending no time on binary->text conversions usually performed during alert/log generation process.

This feature has a potential to greatly improve Snort's performance/stability, especially if events are collected in a remote relational database.

The Problem

Snort has two separate output streams: alert and log. Alerts contain brief description of what's happened. Logs, on the other hand, provide full information about event, but usually are generated less often than alerts. There is no magic Snort parameter allowing one to get all the required information in one stream. With unified plugin you also get two streams; by ignoring one of them you will lose quality or quantity.

In general, Snort unified plugin can be configured to produce alert and log files simultaneously, but some events would be duplicated in both files having different level of details.

Existing Solutions

There are programs out there that can read and process files written in Snort's unified format. Most notable project with similar goals is Barnyard. To the best of our knowlegdge, none of the existing programs satisfies requirements for single complete source of output information suitable for event monitoring.

MudPit

Mudpit has been written to satisfy people's needs for the intelligent, modular and reliable processor for Snort's unified format.

The following Mudpit features make it exceptionally useful in Snort-based IDS devices hosted on Linux/UNIX:

  • Ability to process both alert and log files in parallel, choosing one that contains more information on a particular event.
  • Ability to independently handle outputs of more than one Snort processes on the same computer under separate permission sets.
  • Stability, including support for automatic recovery from network failures and outages with no information loss (checkpoints).
  • Modularity and ability to assign more than one output plugin to each spool processor.
  • A generic locking facility that allows separate spool processors to write to the same back-end database simultaneously.
  • "Start and forget" reliability.

Download

Mudpit can be downloaded from sourceforge.net.

Details

Mudpit utilizes well-known UNIX parent/child technique to achieve required reliability. Each child process works as a separate Snort spool processor. It reads an alert/log file pair in the specific spool directory and sends an event data to output plugins. Output plugins are implemented as UNIX shared modules and are dynamically loaded by each spool processor at initialization time. Each plugin should export the following set of functions:

int mp_out_init() [mandatory]
Called once during initialization. Configuration string(if any) given to this particular output plugin in the config file is provided as a parameter.
int mp_out_log() and/or int mp_out_alert() [at least one of them should be provided]
These functions are called when a new event becomes available. If both are exported and both alert and log data is available for a particular event, the log function is called.
mp_out_fini() [optional]
Called once during spool processor termination.

See mp_simple_out.c/Makefile for more details on output plugin implementation.

Important Note

In order for Mudpit to work correctly, Snort should have BOTH unified alert and unified log plugins active.

Supported Platforms

Currently, Linux RH7.3 is the only platform we used for testing. There should be no significant problems to compile/run Mudpit in any modern UNIX environment. Real problems await those who will try to port it to MSWin or MAC OSes v.X.

Configuration

Command line parameters

-c <config file>  Specifies the name of the configuration file.
                  Default is /etc/mudpit.cf
                  Only absolute filename is accepted here.
-v [-v [-v]]      Increases verbosity level.
-D|--daemon       Daemon mode.
-n|--nice level   Set priority level.
--once            Process each spool once, then exit.
-h|--help         Prints this help message.

Configuration file format

# Global parameters:

global {
# Turn on daemon mode (same as -D )
# mudpit would not become a daemon if verbosity level > 0.
# Default - not a daemon.
# Conflicts with: verbose.
daemon

# Verbosity level (the same as the appropriate number of "-v" args)
# Default: 0
# Conflicts with: daemon
verbose = 4

# The following are text files that contain important
# event-related information. All of them come with Snort
# distribution; see www.snort.org for details.
# If not absolute, filenames are relative to the directory
# containing the main configuration file (see -c parameter).
# They are all assigned to their respective default values.
class_file = "classification.config"
sid_file = "sid-msg.map"
gen_file = "gen-msg.map"
ref_file = "reference.config"

# Pid file is used in daemon mode only.
# Default: "/var/run/mudpit.pid"
pid_file = "/var/run/mudpit.pid"

# nice: changes priority for each spool processor.
# see man renice(8) for more details.
# The main process is unaffected.
# Default is 0
nice = 5

# run_once: mudpit processes new data,
# then exits without waiting for incoming data.
# default: false
run_once
}

# Spool configurarion. One or more spools should be configured.
# Spool definition contains the absolute path to a spool directory
# (that is, the directory containing Snort's log/alert file pair)
# and parameters for the spool processor.
spool "/snort/spool" {

# the name of a lock resource for this spool. Spool processor will try
# to obtain exclusive lock on this resource each time before it attempts
# to send data to output plugins. Alphanumeric symbols and '_' are allowed
# in the resource's name.
# Default: none (no locking)
lock = "mysql"

# Spool processor will delete Snort output file each time the newer
# file becomes available
# Default: don't delete
delete_processed

# Copy Snort output file to the specified directory when it's processed.
# If 'delete_processed' was specified, processed file will be moved from
# the spool directory to the arch directory. Absolute path is required.
arch_dir= "/snort/arch"

# Set euid/uid and egid/gid of the current spool processor to those of
# the given user and his primary group. Works only if Mudpit is started
# as a root process.
# Default: euid/uid and egid/gid are not changed.
user = "snort"

# Specifies the name of the checkpoint file.
# Default: "checkpoint"
checkpoint = "checkpoint"

# The name of the output plugin. At least one plugin must be specified.
# The string after comma is a parameter sent to the plugin; its format
# depends on a plugin type (mp_out_init entry should understand it).
# Default: none.
output = "/snort/mp_acid_out.so",
"server alisa, user snort, database snort, 
        hostname TEST, interface little_piggy, detail full"
}

Contributors

  1. Mudpit was originally written by Fidelis Security Systems

Copyright © 2005 farm9.com, Inc. - All Rights Reserved.
Last modified: January 01, 1970 00:00:00 UTC