update SNEZ v-1.11 : web interface to the popular open source Intrusion Detection System

SNEZ 1.11 was just released, providing install scripts and features tested on Ubuntu 14.04 LTS. So now you have the option to install on Centos or Ubuntu.
SNĒZ is a web interface to the popular open source IDS program SNORT®. It is written entirely in PHP, minimizing client and server software prerequisites. There is one very simple configuration file with only a handful of parameters to set. This allows for SNĒZ to be dropped onto an IDS server with a minimum number of installation steps and program requirements.
The main design feature of SNĒZ is the ability to filter (or dismiss) alerts rather than require alerts to be deleted after review by the security analyst. At any time, filters can be ‘overridden’ so that all collected alerts can be analyzed for patterns, forensics, etc. Of course, the ability to delete filtered alerts is available.
A main design criteria for SNĒZ is speed, obtained by eliminating nice-to-have but unnecessary features. For example, simple page forward and page backward is provided so that queries do not need to read the entire database to create page numbers. SNĒZ does not reformat or rewrite the IDS database, saving time.
Basic security features include definition of regular analysts and administrators, an adjustable screen timeout, adjustable maximum sign-on attempts and lockout, and the ability to change passwords.

Features
• Speed
• Not forced to delete alerts; uses filtering which can be overridden
• Easy installation; one small config file
• Simple task-oriented views
• Supports regular users and administrator(s); users can manage their own passwords
• Adjustable security parameters
• Provides packet information and data view
• DNS resolution option

SECURITY
While SNEZ is tested with web vulnerability scanners, do not allow SNEZ to be accessed from the Internet or an untrusted or insecure network.

REQUIREMENTS and PRE-REQS
Ubuntu (tested on 14.04) or RedHat-based (tested on Centos 6) Linux. Versions prior to 1.11 provide installation scripts and program code for Centos and RedHat only.
Snort, Apache, MySQL, PHP.
For https connection (default), mod_ssl and openssl. README.SSL contains information to aid in the generation of a digital certificate.
When configuring Snort, output type must be MySQL or barnyard2 to MySQL.

NEW INSTALL (See below for upgrades)

Create SNEZ database and install package-
1. mkdir /opt/SNEZ
2. cd /opt/SNEZ
3. cp [download location]/SNEZ-[ver].[rel].tar.gz ./
4. tar -xzvf SNEZ-[ver].[rel].tar.gz
5. cd SNEZ-[ver].[rel]
6. ./SNEZcreate or bash SNEZcreate (This will create and populate your SNEZ db.
Supply password for root@localhost when prompted;
then supply a password for access to your SNEZ DB when prompted.
You will enter this password in the config file in the next step).
7. vi ./SNEZconfig.php. Add the SNEZ database password selected in the previous step to the line
SNEZ.password=
Modify other parameters as needed, especially your sniffer interface (See CONFIG FILE later in the README)
8. ./SNEZinstall or bash SNEZinstall (Answer prompt with C for Centos, else Ubuntu is assumed)
9. Create logins and populate malware active ip list-
a. In a browser- http://[ip address of server]/SNEZ/SNEZlogin.php
b. Login as ‘admin’ using password of ‘admin’
c. Click on the Admin Functions tab and add an administrator
that can add users (be sure to check the box)
d. From the browser, log off and log on with the new administrator id from step c.
e. Go to Admin Functions and delete user admin.
10. Click on the box to load malware active ip list from malwaredomainlist.com
11. Use visudo to make the additions and changes so certain root commands can be executed. (Caution! Read the sudo and visudo documentation.
Mistakes here can render your system inoperable. Never edit the sudoers file with vi or another editor. You can skip this if you don't want to use the tcpdump or logrotate-on-demand capabilities of SNEZ, or are uncomfortable making the changes, or are concerned about the security implications of allowing a non-root user to run tcpdump or logrotate).

hostname (get hostname of your system)
visudo (add the following lines, adjusting for your system appropriately; some systems may use
apache as http server user, Centos for example)
www-data hostname=NOPASSWD:/usr/sbin/tcpdump (substitute your host name for hostname)
www-data hostname=NOPASSWD:/bin/ps
www-data hostname=NOPASSWD:/bin/kill
www-data hostname=NOPASSWD:/usr/sbin/logrotate
(comment out the following lines if present)
Defaults requiretty
Defaults !visiblepw
:wq (or :q! if you make mistakes and want to start over)

CONFIG FILE (after install, the config file can be changed at any time, and then run SNEZconfiginstall from /opt/SNEZ/SNEZ-v.r.m)

Settings in the SNEZconfig.php file-
[settings]
encrypt = none
none or an existing, installed php hash function for password
NOTE: if you change this on a running system, login first,
run SNEZconfiginstall, and immediately add new users

https = enforced
all connections https; change to unenforced for http (NOT RECOMMENDED)

inactive = 900
page timeout

SNEZ.password
password to the SNEZ database chosen at install time; must be set

gmt= -5
GMT offset; default to USA Eastern

max.rowlimit=10000
default maximum db rows read before page displayed

dns.rowlimit=1000
default max db rows read before page displayed when DNS resolution is used; can be lowered for speed

summary.rowlimit = 10000
number of db rows to read before fully collapsed summary view

php.max.execution.time = 120
overrides php.ini max execution time

sniffer.interface = eth1
sniffer interface for optional use of tcpdump (*Note)

min.user.pwd.len = 8
minimum password length for users

pwd.complexity = strong
default is strong (letters, numbers, caps, special chars); can be changed to simple

whois = SNEZdoc.php?page"="whois
whois or reputation lookup site; select your personal favorite *
(whois2 through whois9 can be added for up to 10 reputation or lookup sites)

* You can cut from the SNEZ page and paste into the lookup site, however, keyword substitution is also provided for ip address and domain lookup information.
Use keyword SNEZip to substitute ip address, and SNEZdns for domain lookup.
You will need to manually visit the site to determine the path and the proper location in the URI for the parameters.
Escape equal signs and ampersand characters by enclosing them in double-quotes.
This feature is offered as a convenience, and you are solely responsible for accessing the chosen site properly and
according to the chosen site’s terms of use.
Format
whois = http://favoritelookupdomain.com/….path…/SNEZdns
whois = http://favoriteantimalwaresite.com/…path…/SNEZip
Examples:
whois = http://www.ipvoid.com/scan/SNEZip/
whois = http://www.google.com/safebrowsing/diagnostic?site"="SNEZdns
whois = http://www.siteadvisor.com/sites/SNEZdns
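Added example, not code from SNEZ or its README: a small Python reimplementation of the settings parsing and whois keyword substitution described above, including the double-quoted "=" / "&" escapes. The sample settings block, the IP 203.0.113.5 and example.com are constructed, and percent-encoding of the substituted values is an added hardening assumption so that alert data cannot append extra URL parameters.

```python
"""Parse an SNEZconfig.php-style [settings] block and expand whois lookup
templates that use the SNEZip / SNEZdns keywords (added example, not SNEZ code)."""
from urllib.parse import quote

# Constructed sample mirroring the README's settings format (not a real config)
SAMPLE_CONFIG = """[settings]
https = enforced
whois = http://www.ipvoid.com/scan/SNEZip/
whois2 = http://www.google.com/safebrowsing/diagnostic?site"="SNEZdns
"""

def parse_settings(text):
    """Return key -> raw value for the lines under [settings]."""
    settings, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line == "[settings]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)  # first '=' separates key from value
            settings[key.strip()] = value.strip()
    return settings

def expand_lookup(template, ip=None, domain=None):
    """Unquote the "=" / "&" escapes, then substitute SNEZip and SNEZdns with
    percent-encoded values. Returns None if a needed value was not supplied."""
    url = template.replace('"="', "=").replace('"&"', "&")
    for keyword, value in (("SNEZip", ip), ("SNEZdns", domain)):
        if keyword in url:
            if value is None:
                return None  # template needs data this alert does not carry
            url = url.replace(keyword, quote(value, safe=""))
    return url

def lookup_links(settings, ip=None, domain=None):
    """Build the whois, whois2 .. whois9 links for one alert, skipping
    templates whose keyword cannot be filled."""
    keys = ["whois"] + ["whois%d" % n for n in range(2, 10)]
    links = []
    for key in keys:
        if key in settings:
            url = expand_lookup(settings[key], ip, domain)
            if url is not None:
                links.append(url)
    return links
```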
UPGRADES
1. cd /opt/SNEZ
2. cp [download location]/SNEZ-[ver].[rel].tar.gz ./
3. tar -xzvf SNEZ-[ver].[rel].tar.gz
4. cd SNEZ-[ver].[rel]
5. ./SNEZinstall
6. only if upgrading from < or = SNEZ 1.6.x, ./SNEZ17update
7. only if upgrading from < or = SNEZ 1.7x, ./SNEZ18update
8. only if upgrading from < or = SNEZ 1.8.1, ./SNEZ19update
9. ./SNEZ110update
UNINSTALL
Can be used to uninstall product permanently or clean for fresh install
/opt/SNEZ/SNEZ-[ver].[rel]/SNEZuninstall
PERFORMANCE
Occasionally run mysqlcheck --databases SNEZ -vaop and mysqlcheck --databases snort -vaop. Best to stop Snort and Barnyard2 first.

Download latest Version : SNEZ-1.11.tar.gz (12.2 MB) 
sources : http://geneguinter.com/
our post before : http://seclist.us/update-snez-v-1-7-0-1-web-interface-to-the-popular-open-source-intrusion-detection-system.html