weasel first steps
First, thanks for testing weasel. We tried hard to make it easy and intuitive to use. But still, weasel should be considered as beta software. So if you tried weasel, please let us know what you liked and what we can improve.
To discuss about weasel, there is a mailing list and a community forum.
Open your browser and point it at your weasel installation. you should see a login form. If all you get is just a green page without login form then you probably didn't comment out the catch-line in config_inc.php. Refer to the install instructions. If everything worked, you should see something like this:
The default username is 'admin' and the password is 's3cr3t'. We have choosen such a lame password on purpose, in the hope to have the users change it imediately. We are going to show you how to do that in the chapters to come.
After login the overview page is displayed:
The overview consists of 8 tables that contain useful statistics. you will see the eventwise top 10 sensors, protocols, signature, classifications, source and destination IP's and ports. All numbers are clickable and link to a view that shows the coresponding events, very much like BASE.
Just above that, a line indicates the overall status of the weasel db. It will probably be rather empty at the moment, due to the fact that there might be no alerts generated by snort yet. If that is the case, you should try to get some alerts into the database before continuing with this guide.
The header contains the navigation and is present on each page. The light green box provides links to the different views of the current alert set. The upper part has the links for the non-view pages, like the Search Form or Administration. Click on the "Administration" Link in order to change your password.
The Administration Page links to different modules. In order to change the admin password, click on "Manage Users", then in the row of the admin user, click on "Edit". To set a new passsword, enter it twice in the form. If you submit the form without a new password, then the old one is preserved. It is therefore not possible to create a user with an empty password.
As you can see, there are plans to support multiple users with per users restrictions, however this is not yet implemented properly.
Another administrative module, "Manage Sensors", allows you to check the status of the sensors. The page should list all your active sensors along with the status (clock-skew, dead, running), current logging rate, queue utilization and number of dropped packets since last sensor restart.
While here, please note that there are other administrative modules that we are going to skip for now: "Configure User Interface" allows you to fine-tune the look-and-feel of the user interface, "Manage Filters" allows you to create, edit and delete persistent filters, and in "Manage Extensions" you can enable and configure extensions.
Weasel allows you to analyze the snort alerts by means of different views, showing different aggregations of the alerts contained in the database. The views are accessed by the links in the light green section of the navigation header. The currently active view is highlighted in bold. you can simply switch between the different views by clicking on the links.
To further refine the analysis, it is possible to define filters. Each view will only aggregate those alerts which pass the currently active filter. If there is a filter in effect, it is displayed in the box "Filter Criteria". Filter and Views are independent concepts, which means that the currently active filter stays in effect when you switch the view.
You can mix and match filters and views to nagivate in the dataset. Please note that the filter state is not global, but rather per window (passed along via the URL), so you can work with different filters in different windows or tabs at the same time.
In each view, there is a table containing the results of the query. The table headers have brackets, which allow you to sort the table. You can also see which sorting is currently in effect as the corresponding bracket is highlighted in grey.
In case your query has more than fifty rows, weasel will only show the first fifty. You can go on to the next page by the links under the table. (Note that this number can be adjusted in the User Interface section of the Admin Pages.)
Some fields are hyperlinks that will switch views and add expressions to the current filter automagically. For example, suppose that you see in the Unique Alert View, that the alert "P2P Napster login" (sid 549) came from 19 different Sources in your network. Clicking on the number 19 in the "Sources" column and "P2P Naptser Login" row will:
- change the view to the IP list, to display Source IP's, and
- add a filter for the "P2P Napster login" (sid 549) alert.
The query that you get should return exactly those 19 Source IPs, which had Napster Logins detected. This allows you to quickly and intuitively navigate in the alert dataset.
Note that the Top Ten statistics on the "Overview Page" are also linked as described above, so they provide a convenient starting point for your analysis.
Searching and Filters
Click on "New Search" in the Navigation Header. A form to start a custom search will apear.
The form is divided into sections, containing different kind of fields. A field is ignored if it is left empty. For example, to search for alerts about traffic from your network to the outside world within the last hour, click on "Add Relative Time" in the section "snort" and select "hour(s)" in the dropdown. Then in the Section "IP", "Address", select:Source == 192.168.0.0/16Then click on "Add Address" and select:Destination != 192.168.0.0/16.
Finally click on submit to start the search. Behind the scene, new filters will be defined and added to the current filter criterion.
As you can see, the filter is composed out of filter atoms or tokens. You can delete individual tokens by enabling the corresponding checkboxes in the "Filter Criteria" box and then clicking on "Remove", or clear the entire filter by clicking on "Remove all Tokens". Another way to start a new search is to click again on "New Search" in the page header. If you want to refine the current filter by adding a new token, click on the "Add Filter" link instead.
Weasel allows you to store frequently used filters in a persistent form. For example, if you want to check frequently if machines of your home network are attacking someone else's network, you can define this query as a persistent filter, so you don't need to enter it again and again. The administrative page "Manage Filters" allows you to create, delete and edit persistent Filters.
In order to load a persistent filter, you first need to flip-out the filter box by clicking on the "hide/show" link. If you click on the name of the persistent filter, it will replace the currently active one. If you click on the "(add)" link besides the persistent filter, it will be merged to the active one.
Now we will have a closer look at an alert. All alerts are assinged with an unique ID when they are logged into the database, independent of the alerts origin. To get the details of an alert, you must click on its ID on the "Alert Listing" view. The ID is actually composed of two numbers. The first is the number of the alert within the currently active query, and the second number is the alert's unique ID coming from the database.
The details about this alerts are structured in several sections. You can see which sensor has reported the alert, which signature has fired. You also can see the usual network header fields. The IP.proto field and the TCP.flag fields have a mouse over tool tip, that gives you a human readable name of the protocol and states if the tcp flag combination is valid after RFC.
Note that the context of the alert listing is still around, which means that you can browse to the next alert by clicking the "Next" link.
The packet payload field contains a hex dump of the entire packet. Each byte contains again a mouse over tool tip, stating the name of the field. you can color the individual header fields by clicking on the "Show Fields" Button. You can also get tsharks/tethereals opinion about that packet by clicking on the "Show Tshark" Button.
You reached the end of this first steps guide. And now ? If you have installed weasel you might be interested that some people have already written some extensions for it, like a rule manager or a sensor manager. We will release these as soon as the extension insterface has become more stable. If you want to give them a try, you can check them out from the CVS. If you need any help or want to give us some feedback, there is a web forum.
Thomas and Patrick, 2007