Saturday, April 15, 2006

Snort PortscanAI - testing

I mentioned Snort PortscanAI in a previous post and started configuring it; here's how I got it to work.

PortscanAI basically supports two types of neural networks - MLP and Elman. The multi-layer perceptron is a feedforward type and Elman is a recurrent type. I have to admit I'm a total noob in neural network stuff since I haven't had any experience in that field. For people who, like me, don't know what a neural network is, you can take a quick glance at

Since I already have it installed, I prefer to have the report shown in a web interface. To run it properly, a few things need to be installed: php-gd, php-jpgraph and a working Apache.

shell>yum install php-gd.i386

Then I downloaded php-jpgraph from here and installed it with the rpm -Uvh command. After that I created a directory to store the Snort configuration file.

shell>mkdir /etc/snort/portscanAI

I didn't use /etc/snort because I may need to try out snort-spade later; a separate directory per configuration is the best way to run different instances of Snort.

I extracted snort-2.4.3_ai.tar.gz, copied snort.conf from the extracted snort-ai/etc directory to /etc/snort/portscanAI, and tweaked the following values to enable the portscan-AI preprocessor:

preprocessor portscanai: ignorebc 1 \
analyze_thr_lower 100 \
analyze_thr_upper 1600 \
sense_level 0.05 \
net_topology 0 \
log_method 1

preprocessor portscanai_train
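As an added illustration (my own code, not part of the post or of the PortscanAI project), the script below parses backslash-continued preprocessor stanzas like the one above out of a snort.conf, sanity-checks the portscanai parameters, and renders a stanza back out in the same layout. The parameter names and values are the ones from the post; the range checks (lower threshold below upper, sense_level between 0 and 1, the flags as integers) are my assumptions about sensible values, not documented PortscanAI limits.

```python
"""Added example (not from the post or the PortscanAI project): parse the
backslash-continued 'preprocessor' stanzas of a snort.conf, sanity-check the
portscanai parameters, and emit a stanza back out.  The parameter names and
values are the ones from the post; the range checks are my own assumptions,
not documented PortscanAI limits."""
import re

# Constructed sample: the stanza from the post as it sits in snort.conf.
SAMPLE_CONF = """\
# portscan-AI preprocessor (constructed sample)
preprocessor portscanai: ignorebc 1 \\
analyze_thr_lower 100 \\
analyze_thr_upper 1600 \\
sense_level 0.05 \\
net_topology 0 \\
log_method 1

preprocessor portscanai_train
"""

STANZA_RE = re.compile(r"preprocessor\s+(\w+)\s*(?::\s*(.*))?$")


def logical_lines(text):
    """Join physical lines: a trailing backslash continues onto the next line."""
    buf = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield " ".join(buf).strip()
        buf = []
    if buf:  # file ended on a continuation line
        yield " ".join(buf).strip()


def coerce(token):
    """Turn '1' into 1 and '0.05' into 0.05; anything else stays a string."""
    for cast in (int, float):
        try:
            return cast(token)
        except ValueError:
            pass
    return token


def parse_preprocessors(text):
    """Return {name: {param: value}} for every preprocessor stanza in text."""
    stanzas = {}
    for line in logical_lines(text):
        if line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if not m:
            continue
        name, rest = m.group(1), m.group(2) or ""
        tokens = rest.split()
        if len(tokens) % 2:
            raise ValueError(f"odd number of tokens in stanza {name!r}: {rest}")
        stanzas[name] = dict(zip(tokens[::2], (coerce(t) for t in tokens[1::2])))
    return stanzas


def check_portscanai(stanzas):
    """Return a list of problems (empty means the stanza looks consistent).
    The bounds below are assumptions about sensible values, not project limits."""
    problems = []
    cfg = stanzas.get("portscanai")
    if cfg is None:
        return ["portscanai preprocessor is not enabled"]
    lower, upper = cfg.get("analyze_thr_lower"), cfg.get("analyze_thr_upper")
    if not (isinstance(lower, int) and isinstance(upper, int) and 0 < lower < upper):
        problems.append("analyze_thr_lower must be a positive integer below analyze_thr_upper")
    sense = cfg.get("sense_level")
    if not (isinstance(sense, float) and 0.0 < sense < 1.0):
        problems.append("sense_level should be a fraction strictly between 0 and 1")
    for flag in ("ignorebc", "net_topology", "log_method"):
        if not isinstance(cfg.get(flag), int):
            problems.append(f"{flag} must be given as an integer")
    if "portscanai_train" not in stanzas:
        problems.append("portscanai_train is not enabled (the post enables both stanzas)")
    return problems


def render_stanza(name, params):
    """Emit a stanza in the backslash-continued layout the post uses."""
    if not params:
        return f"preprocessor {name}"
    items = [f"{key} {value}" for key, value in params.items()]
    head = f"preprocessor {name}: {items[0]}"
    return " \\\n".join([head] + items[1:])


if __name__ == "__main__":
    found = parse_preprocessors(SAMPLE_CONF)
    print(found)
    print(check_portscanai(found) or "portscanai stanza looks consistent")
    print(render_stanza("portscanai", found["portscanai"]))
```

Run it against a real snort.conf by reading the file into parse_preprocessors; an empty list from check_portscanai means the stanza is at least internally consistent before Snort is started with it, and render_stanza lets a script emit a tweaked stanza in the same continued-line form rather than editing it by hand.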

You may need to read the config file to understand what those values mean if you want to tweak them. To enable its web-based analysis console, there's a console_web directory under snort-ai; just copy the tesis directory, which is under console_web, to /var/www/html (the Apache root directory).

Then change the following variables in /var/www/html/tesis/file/config.php:

$log_path = '/var/log/snort/portscanai';

$jpgraph_path = '/var/www/jpgraph-1.17';

Since I installed php-jpgraph version 1.19, I just changed jpgraph-1.17 to jpgraph-1.19.

After everything is configured, just run:

shell>/usr/local/bin/snort-AI/bin/snort -i eth0 \
-c /etc/snort/portscanAI/snort.conf -l /var/log/snort &

Everything is running now; you may need to navigate to /var/log/snort to check for alerts and the data it logs in the portscanAI directory. The disappointing part of the web GUI is that the Data Filter doesn't seem to work at all, and it is not fully in English. I suppose if the project wants more beta testers, using an international language is a must. I was totally lost reading the messages (I guess they're in Spanish; my language knowledge is bad though).

Below are the screenshots .....

The main interface; the filter doesn't seem to work for me.

Even the indicator names I have to guess: destino == destination???

I don't understand what this message means; maybe Google Translate may help, but it's still a big faint to me, ouch!!!!!

Overall it is still fun to play with since I have never touched neural network stuff before; people who have experience with neural networks may find it useful.

Enjoy :]
