Friday, November 30, 2012

How to fix problems with Snort Report on CentOS and Debian (update and addendum)

I spent the last 5 hours or so troubleshooting snort report on CentOS due to problems with how SELinux does not like apache requesting read operations to files owned by root in /var/www/html  in spite of having read and execute access to everything in the snort report directory, and other oddities.

Bare in mind I am not a PHP dev by nature and frankly, had no idea what the hell was wrong here, hence why it took me so long to troubleshoot the issues I ran across here. my troubleshooting boils down to two things you MUST do on CentOS for snort report to run properly:

1) /etc/php.ini must have the short_open_tag = On in order to parse the php scripts for snort report properly. per the php.ini comments:

    ; This directive determines whether or not PHP will recognize code between
    ; <? and ?> tags as PHP source which should be processed as such. It's been
    ; recommended for several years that you not use the short tag "short cut" and
    ; instead to use the full <?php and ?> tag combination. With the wide spread use
    ; of XML and use of these tags by other languages, the server can become easily
    ; confused and end up parsing the wrong code in the wrong context. But because
    ; this short cut has been a feature for such a long time, it's currently still
    ; supported for backwards compatibility, but we recommend you don't use them.

What this boils down to is that php best practices weren't followed when snort report was written and this could cause interference with other web apps being hosted on the same box. Generally speaking for our case, you'll only be using a single web front end for a snort sensor, and I would hope you are not hosting other web applications on the same system.

on centos, the short_open_tag directive was found on line 229, and is set to  "Off" by default, and resulted in some fugly half-rendered pages being generated. to fix this:

1. open up php.ini in an editor of your choice

2. navigate to line 229 and change the short_open_tag option to On

3. save the file and either reload or restart httpd for this to take effect.

2) SELinux does not like it when apache plays with files in /var/www/html that are owned by root and will not allow this to happen.

This took a little while to troubleshoot. I started by looking in /var/log/httpd/error_log finding several permission denied requests for a php require_once statement for srconf.php, snort report's config file. This turns out to be somewhat of a red herring.

I changed permissions on srconf multiple times and got the same results even with 777 permissions. It wasn't until I saw a post regarding how to troubleshooting require_once errors referring to file permissions saying that SELinux may be the culprit that I thought to suspect SELinux.

A quick look at /var/log/audit/audit.log and searching for srconf.php reveals that SELinux is smacking your hand anytime you try to use the srconf.php file, thus causing snortreport to sit there with a mostly blank page.

There are two fixes to this problem -- the wrong way and the right way

First, the wrong way:

Disable SELinux and change ownership of the snortreport directory and all files therein to the Apache user and group. Don't do this. Turning off SELinux was never the correct answer before, therefore I'm not making it the correct answer now. and because its the wrong answer, I leave it as an exercise for you to figure out how to do this and why this is a bad idea.

Now, the right way:

Inform SELinux that yes, httpd should be able to access these files and stop freaking out about it

1. cd to /var/www/html

2. run the command: chcon -R -t httpd_sys_rw_content_t snortreport-1.3.3/

what this does: we're telling SELinux that httpd is perfectly fine in requesting read and write operations to files located in this directory and to just let it happen.

After performing these two fixes, you should have a pefectly functioning snort report interface on CentOS.

Edit: Strange. I thought I had posted my update. Sorry about that!

Anyhow, you may be experiencing the same problems described on Debian 6 systems running snort report as well. Unfortunately, Debian has the same php.ini configuration as redhat short_open_tag is set to Off. If you set this to on, this will allow the snort report web UI to render properly.

On Debian, the php.ini file is located in /etc/php5/apache2/php.ini. the short_open_tag directive is in roughly the same spot as it is in CentOS either line 226 or 229. Chance the option from Off to On to resolve this issue.

I'm currently in the process of doing some testing here. It's been suggested on the snort mailing lists that simply used sed on all of snort report's php files to replace all entries of <? to <?php should resolve this issue. If this is the case, I may submit a bug report to symmetrix to resolve this issue permanently.

Until the bug is reported and resolved to snort report maintainers at symmetrix, utilize the fixes above to resolve the issue of the snort report UI failing to render on Debian and CentOS.

No comments:

Post a Comment