Configuration

Monitor Intrusion Detection and Administration System

MIDASa (Alerting Service) - Configuration Options for the MIDASa Service
MIDASb (Big Brother Service) - Configuration Options for the MIDASb Service
MIDASc (Client Daemon) - Configuration Options for the MIDASc Client Daemon
MIDASd (Server Daemon) - Configuration Options for the MIDASd Server Daemon
MIDASn (Network Monitor Service) - Configuration Options for the MIDASn Service
MIDASs (IDS Service) - Configuration Options for the MIDASs Service
WebView (Web Interface) - Configuring the WebView Interface

WebView Login Screen - How to log into the WebView Interface
Registering Modules - Steps to Register WebView Modules
User Administration - Setting up User Accounts
Host Groups - Configuring MIDAS Host Grops
Hosts & Host Checks - Configuring Hosts and their Checks
MIDAS Checks - Configuring default MIDAS Checks

Check Options - Lists default MIDAS Check options

Alert Group/Contact - Creating the Alert Groups and Contacts
Network Monitoring - Configuring a Network Monitoring Host
Intrusion Detection - Configuring IDS Configuration and Rules

Pseudo XML - Understanding Pseudo XML

Part of the 'make install' process will place the distribution config files in to the MIDAS etc directory. These should be renamed/copied to end in .cf (Ie MIDASc.cf.dist -> MIDASc.cf).Each application has its own configuration file. These files use a pseudo-XML formating (See Pseudo XML for details on this format). The Config options will be specified in 'Dotted notation', ie using the following :

<CMD>/sbin/snort</CMD>

</SNORT>

The 'CMD' tag would be written as CONFIG.SNORT.CMD. Tag names are NOT case sensitive. Toggle values are specified as 1 or 0.

MIDASa (Alerting Service)

Option	Description
CONFIG.DAEMON	Toggles MIDASa to fork off into background when started.
CONFIG.LOOPTIME	Delay between MIDASa checking for new Alerts.
CONFIG.DEBUGLEVEL	This is the debug level. If specified it will debug into syslog. This is a bit level flag. Specified: 1 - Information
CONFIG.SQL.IP	The IP address to the MySQL server.
CONFIG.SQL.USER	This is the MySQL User name.
CONFIG.SQL.PASSWD	This is the MySQL Password.
CONFIG.SQL.DB	This is the MySQL DB name (Normally MIDAS2)
CONFIG.SQL.PORT	This is the MySQL port number (Normally 3306)
CONFIG.EMAIL.SERVER	The IP Address of the SMTP server to relay alert messages through.
CONFIG.EMAIL.SERVER.PORT	The port to use when connecting to the SMTP server.
CONFIG.EMAIL.DOMAIN	The Domain to be identified as during the SMTP session (HELO/EHLO)
CONFIG.EMAIL.FROM_ADDRESS	The From: address to use when sending the alert email.
CONFIG.EMAIL.HTML	Toggle send HTML email. If off Text email will be sent.
CONFIG.PAGER.SERVER	The IP address of the SNPP server to send alert pages through.
CONFIG.PAGER.SERVER.PORT	The port of the SNPP server.
CONFIG.TMPEXTERN	Specifies the file/path for the temp file used in the external alert.

MIDASb (Big Brother Service)

Option	Description
CONFIG.PORT	This is the port to listen on for Big Brother clients.
CONFIG.HID	This is the Host ID of this server.
CONFIG.DEBUGLEVEL	The Debug Level. Debug messages are sent to syslog.
CONFIG.DAEMON	Toggle if MIDASb should fork off into the background when started.
CONFIG.MAXFORKS	The Maximum number of Big Brother clients that are allowed to connect at once.
CONFIG.SERVERIP.IP	The IP address of the MIDASd server to connect to.
CONFIG.SERVERIP.IP.PORT	The Port number of the MIDASd server to connect to.
CONFIG.SERVERIP.IP.FAILOVER	Toggle fail over. If fails to connect then attempt to connect to the next server specified.
CONFIG.ACCESSIP.IP	Thi is the network IP address used to specify the IP range(s) that are allowed to connect.
CONFIG.ACCESSIP.IP.MASK	This is the Mask used on the specified network IP address.
CONFIG.BBCHECK.NAME	BigBrother service name to match.
CONFIG.BBCHECK.NAME.CID	MIDAS Check ID to match NAME to.
NOTE: You may specify the IP and MASK multiple times to allow different IP blocks.

MIDASc (Client Daemon)

Option	Description
CONFIG.HID	The Host HID for this client.
CONFIG.CMD.DISK	The command to use for checking Drive usage (df).
CONFIG.CMD.PROC	The command used to check process usage (ps).
CONFIG.CMD.LOG	The command used to check logs (tail).
CONFIG.CMD.PING	The command used for ping checks (ping).
CONFIG.CMD.RAM	The command used to check RAM usage (free).
CONFIG.DBFILE.LOG	The path and filename of the log check db file.
CONFIG.DBFILE.LOG.CACHESIZE	The maximum number of log entries to store in the log db.
CONFIG.DBFILE.MD5	The path and filename of the MD5 check db file.
CONFIG.SERVERIP.IP	The IP address of the MIDASd server to connect to.
CONFIG.SERVERIP.IP.PORT	The Port number of the MIDASd server to connect to.
CONFIG.SERVERIP.IP.FAILOVER	Toggle fail over. If fails to connect then attempt to connect to the next server specified
CONFIG.DEBUGLEVEL	This is the debug level. If specified it will debug into syslog. This is a bit level flag. Specified: 1 - General Information 2 - Errors 4 - Check processing 16 - Socket 32 - MD5 check 64 - Disk check 128 - CPU load check 256 - Log check 512 - Process check 1024 - External checks 2048 - Network checks 4096 - XML 8192 - Forking
CONFIG.MAXFORKS	The maximum number of processes to fork when performing checks
CONFIG.CHECKINTERVAL	The delay in seconds between check cycles
CONFIG.DAEMON	Toggle MIDASc to fork to the background when started.

MIDASd (Server Daemon)

Option	Description
CONFIG.PORT	This is the port that MIDASd will listen on.
CONFIG.HID	This is the Host ID of this host.
CONFIG.SQL.IP	The IP address to the MySQL server.
CONFIG.SQL.USER	This is the MySQL User name.
CONFIG.SQL.PASSWD	This is the MySQL Password.
CONFIG.SQL.DB	This is the MySQL DB name (Normally MIDAS2).
CONFIG.SQL.PORT	This is the MySQL port number (Normally 3306).
CONFIG.DEBUGLEVEL	This is the debug level. If specified it will debug into syslog. This is a bit level flag. Sepcified: 1 - General Information 2 - Errors 4 - SQL 8 - Socket 16 - Check Processing 32 - Process Forking 64 - XML Processing
CONFIG.MAXFORKS	This is the maximum number of processes to fork off for incoming processes.
CONFIG.DAEMON	Toggle on/off MIDASd from forking off into the background when started.
CONFIG.ACCESSIP.IP	This is the network IP address used to specify the IP range(s) that are allowed to connect.
CONFIG.ACCESSIP.IP.MASK	This is the Mask used on the specified network IP address.
CONFIG.MAINT.INTERVAL	Maint Cycle interval time (in seconds).
CONFIG.MAINT.MAKEBLUE	Minutes from last status update before a check is moved to BLUE status.
CONFIG.MAINT.CHECKEVENTS	Expire check event records older then X days (0 to disable).
CONFIG.MAINT.IDSEVENTS	Expire IDS event records older then X days (0 to disable).
CONFIG.MAINT.MACIP	Expire MAC/IP records that are older then X hours (0 to disable).
NOTE: You may specify the IP and MASK multiple times to allow different IP blocks.

MIDASn (Network Monitoring Service)

Option	Description
CONFIG.HID	The Host HID for this client.
CONFIG.DEBUGLEVEL	This is the debug level. If specified it will debug into syslog. This is a bit level flag. Sepcified: 1 - General Information 2 - Socket 4 - XML Processing 8 - Check Processing 16 - Process Forking
CONFIG.SERVERIP.IP	The IP address of the MIDASd server to connect to.
CONFIG.SERVERIP.IP.PORT	The Port number of the MIDASd server to connect to.
CONFIG.SERVERIP.IP.FAILOVER	Toggle fail over. If fails to connect then attempt to connect to the next server specified
CONFIG.DAEMON	Toggle MIDASn to fork to the background when started.
CONFIG.ETHDEV	Configures which device MIDASn will watch.
CONFIG.USER	Run MIDASn with this user (User is switched after NIC is configured).
CONFIG.PROMISC	Toggles if MIDASn should attempt to set NIC to promiscuous mode on startup.
CONFIG.SENDINTERVAL	# of seconds between sending stat updates.
CONFIG.MAIN.SESSIONS	Specifies the expire time (in days) for Network sessions.

MIDASs (IDS Service)

Option	Description
CONFIG.HID	The Host ID of this server.
CONFIG.SNORT.CMD	The command line to use to start snort. Other then changing the path the command args should be left as default.
CONFIG.SNORT.DB	The file and path to the Snort Packet DB file.
CONFIG.SNORT.DB.CACHESIZE	The number of packets to cache in DB file.
CONFIG.SERVERIP.IP	The IP address of the MIDASd server to connect to.
CONFIG.SERVERIP.IP.PORT	The Port number of the MIDASd server to connect to.
CONFIG.SERVERIP.IP.FAILOVER	Toggle fail over. If fails to connect then attempt to connect to the next server specified.
CONFIG.DEBUGLEVEL	This is the debug level. If specified it will debug into syslog. This is a big level flag. Specified: 1 - Information 2 - Snort 4 - Socket 32 - XML
CONFIG.DAEMON	Toggle MIDASs to fork to the background when started.

WebView (Web Interface)

We will assume that the apache IP address is 192.168.1.80 on default port 80, and that you installed the WebView interface in the directory MIDAS off of your htdocs directory. You will need to change this to reflect your own setup.

Login Screen

To access the WebView Login Screen goto: http://192.168.1.80/MIDAS/index.php.

Use the following username and password for accessing the WebView interface for the first time (See Figure 3.1):

USERNAME: admin
PASSWORD: password

NOTE: Please make sure to change the admin's default password.

Figure 3.1 - WebView Login Screen

Back to Top

Registering Modules

To register modules to use with the WebView Interface goto Modules->Add/Remove Modules (See Figure 3.2).

Figure 3.2 - Register/Unregister Modules

To register the modules, you first select the un-registered module (The select box is a multi-select box, so you can use the CTRL key to select more than one module at a time), and move it over to the registered box by using the Add/Remove Arrows between the two lists.

Once you have select the modules you wish to register, click on the "Update" button to commit the changes (This will require the interface to be refreshed before the new modules show up correctly. This can be done by going to Go->Refresh).

Also, you will see a button called "Get Info". This allows you to select module(s) and get information about them. Like the include file used by the module, a description of the module, etc.

Web Configuration (Base)
Web Configuration (Users)

To configure users goto either; Quickview->Configuration->Users, or Config->Users.

NOTE: MIDAS creates a default user:

USERNAME: admin
PASSWORD: password

Please make sure you change this user's password.

User Options

Username - User's login
Access Level - Name of the Host you are configuring.

No Access - What it says
User R/O - User has the ability to view (No Access to: Register Modules, Configuration (All), Stat Reset).
User R/W - User has the ability to view, and write ability for Host Configuration (No Access to: Register Modules, Configuration (Purge DB, NetMon, IDS, Checks, User, Alert Groups/Contacts), Stat Reset).
Admin - User has the ability to view, and write ability for Configuration, Stat Reset (No Access to: Register Modules).
Super User - User has the ability to view, and write all.

Change Password - Changes user's current password
Allow Session Overwrite - Allows you to toggle on the ability to overwrite current/active sessions for this user.

Figure 3.3 - User Administration - Adding a new user

Web Configuration (Base)
Web Configuration (Hosts)

To get to the Host Groups configuration screen, goto either; Quickview->Configuration->Host Groups, or Config->Host Groups. Click on the "Add a Group" link and let's get started.

First we need to give our group a name and a description (See Figure 3.4). Once you have entered in your name and description click on the "Save" button. (See Figure 3.5)

Figure 3.4 - Adding a Host Group

Figure 3.5 - Viewing Host Group List

Web Configuration (Base)
Web Configuration (Hosts)

To get to the Host configuration screen, goto either; Quickview->Configuration->Hosts, or Config->Hosts.

Host Options

Host Group - Group to associate this host with. This is for helping organize your hosts within the WebView
Host Name - Name of the Host you are configuring.
IP Address - IP Address of the Host you are configuring.
Is Sniffer - This is a toggle used to inform MIDAS if this Host is/will be running MIDASs.
Alert Group - Alerting Group to associate this Host with. If any errors are detected, this is the group that will be contacted.
Host Description - Description of this Host.

Figure 3.6 - Add Host Page

Now that we have our host created, let's add a Host Check to it (See Figure 3.7).

Host Check Options

Check Name - Drop down list of pre-configured checks to select from (See Adding/Editing MIDAS Checks for more details).
Tester Name - Host to perform the check (NOTE: The Tester Host must have MIDASc running on it, and have the ability to access the Host over the network).
Min # of Failures - Number of failures before MIDASd creates an alert for this check.
Alerting Enabled - Tells MIDASa if it needs to process this alert, or ignore and delete the alert.
Check Options - Check Specific Options (See WebView - Checks Options for more details).
Use Default Options - Toggles if WebView should load the default values from the parent check.

NOTE: By default, all of the Parent Check's Options are commented out, so if you use the default options, please remember to uncomment out the options and re-save the host check.

For more information on the XML format goto: Pseudo XML - Understanding Pseudo XML.
For more information on the options to use for the Check Options goto: WebView - Checks Options.

Figure 3.7 - Add Host Check

In our example, we have added a PING check to our host, and will be using the default options of the parent check.

And Viola.... We have just created our first Host Check for MIDAS to monitor (NOTE: This check will not return anything until the MIDASd daemon, and the tester host's MIDASc daemon have been started).

Adding/Editing MIDAS Checks

Required Modules:

Web Configuration (Base)
Web Configuration (Hosts)

To access the MIDAS Checks screen goto QuickView->Configuration->Checks, or Config->Checks. By default, MIDAS has a number of checks already created, but you might want to modify some of them to better suite your configuration (See Figure 3.8).

Figure 3.8 - MIDAS Check List

Check Options (See Figure 3.9)

Check Name - Name of the Check.

Description - Description of the Check.

Check Type - Type of Check this is associated with (I.e. CPU, Process, Network, External, etc).

Port - If the Check Type is Network, this is the port this check attempts to connect to.

Connect Only - Toggles if the check is to only verify the port is up and accepting connections.

Check Options - Check Specific Options (See WebView - Checks Options for more details).
Red Status Events - Toggles if the check treats EVERY Status RED as a new event, also causes MIDASa to send an Alert on EVERY Status RED.

Figure 3.9 - Add/Modify Check

Back to Top

MIDAS Check Options

Check options allow you to specific check specific options. It uses the Pseudo-XML format used through out MIDAS to specify these. We will use the 'Dotted notation' format when specifying Check option tag/values.

Check	Option	Description
CPU load	CPU.MAX_LOAD	The maximum load before an alert is generated.
Disk Usage	DISK.PARTITION	The Partition/Mount point/device to check
	DISK.PERFREE	Minimum % free.
	DISK.PERUSED	Maximum % used.
	DISK.SPACEFREE	Minimum Space free.
	DISK.SPACEUSED	Maximum Space used.
Log	LOG.LOGFILE	Filename and path of log file to check.
	LOG.LOGIC	Logic (EQUAL, NOTEQUAL, LESS, GREATER) to use when comparing results of REGEX to EXPECT.
	LOG.REGEX	The extended regular expression to use when checking log lines.
	LOG.EXPECT	What to Expect/Compare against.
	LOG.NUMLINES	Number of lines off the end of log file to check.
Processes	PROC.TYPE	Type of Check: COUNT, ZOMBIE, PRESENT, ABSENT.
	PROC.NAME	Name of process (Only used with PRESENT/ABSENT).
	PROC.LIMIT	Max # of processes (Only used with COUNT/ZOMBIE).
RAM Usage	RAM.RAMFREE	Minimum amount of RAM free.
RAM Usage	RAM.SWAPFREE	Minimum amount of Swap free.
MD5	MD5.PATH	File/Directory to check.
MD5	MD5.RECURSIVE	Toggle if this check should recurse through sub directories.
PING	PING.COUNT	Number of packets to send.
SNMP	SNMP.COMMUNITY	The SNMP Community to use.
	SNMP.OID	The numeric SNMP OID to check.
	SNMP.LOGIC	Logic (EQUAL, NOTEQUAL, LESS, GREATER) to use when comparing the results.
	SNMP.EXPECT	What to Expect/Compare against.
	SNMP.TYPE	This value determines the type of RRD database that is created to store the retured values generated by this check. Valid options are: GUAGE, COUNTER, COUNTER32 and ABSOLUTE
	SNMP.FORMAT	used to specify how the result should be formated. Currently supports TIMETICKS and BYTES. TIMETICKS is used for Uptime style counters and BYTES is used for formating results into Byte strings (ie 12345 -> 12.30KB).
External Check	EXTERNAL.COMMAND	The filename and path to the application to run.
	EXTERNAL.LOGIC	Logic (EQUAL, NOTEQUAL, LESS, GREATER) to use when comparing the results of REGEX to EXPECT.
	EXTERNAL.REGEX	The extended regular expression to use when checking the output of the CMD.
	EXTERNAL.EXPECT	What to Expect/Compare against.
External Netsaint plug-in Check	EXTERNAL.COMMAND	The command line and arguments to the netsaint plug.in.
TCP/UDP Port Checks	SEND	What to send to the port after connecting (Used only with required connection port checks).

Web Configuration (Base)
Web Configuration (Alerting)

MIDAS by default creates an Alert Group called "Default". Now there are no Contacts in this group, but it is there as a starting point.

To add a new Alert Group, goto QuickView->Configuration->Alert Groups, or Config->Alert Groups.

Fill in the Alert Group's name, and description, and then click the "Save" button.

Once your group as been added, you can now go to the Alert Contacts Configuration and add the contacts that will be associated with your new Alert Group (QuickView->Configuration->Alert Contacts, or Config->Alert Contacts).

Alert Contact Options

Name - Name of your Alert Contact.
Description - Description of your Alert Contact.
Type - Alert Contact Type (EMAIL, PAGER, EXTERNAL).
Start Time - When this Alert Contact is active to MIDASa.
Time On - Length the Alert Contact is active after Start Time (Example: If you wanted to set up a contact for 24/7 alerting, you would set the Start Time to 00:00, or 12:00AM, and set the Time On to 24:00, or 24 hours afer 12:00AM).
Alert Groups - What group(s) to associate this contact to.
Alert Options - Alert Contact Specific Options.

Email options are formatted as:

Pager options are formatted as:

External options are formatted as: (>=v2.2e)

<CMD>[Command to run]</CMD>

<CMD>/sbin/sendmail some@emailaddr.com < /tmp/MIDASa.ext</CMD>

<CMD>/bin/echo "$[TIMESTAMP]$ - $[HOSTNAME]$-$[CHECKNAME]$-$[STATUS]$" > /var/adm/somelog</CMD>

For more information on the XML format goto: Pseudo XML - Understanding Pseudo XML

Figure 3.10 - Adding an Alert Contact

Web Configuration (Base)
Web Configuration (NetMon)

To configure a new Network Monitoring Host, goto QuickView->Configuration->Network Monitoring, or Config->Network Monitoring.

Network Monitoring Options

Host Name - Select box with a list of all the hosts you have configured.
Description - Description of the Host (This is pulled from the Host's Description.
NetMon Options - Network Monitoring Specific Options.

Network Monitoring Options are formated like:

Figure 3.11 - Network Monitoring Options

Web Configuration (Base)
Web Configuration (IDS)

To configure a the Intrusion Detection configuration and rule sets, goto QuickView->Configuration->IDS, or Config->IDS.

If you toggled on the "IsSniffer" field on any of your hosts, hosts that are running MIDASs, in the Hosts configuration screen, you will see them listed here. None of the default configuration and rule sets are copied over to any of the "IsSniffer" hosts, so first you must go into each host and "Restore Defaults".

Once the defaults have been loaded to the host(s), you can go and modify the config/rules as you see fit (See figures 3.12 and 3.13).

NOTE: Before modifing any of the IDS configuration and/or rule sets, check out the SNORT documentation.

NOTE: One of the main differences MIDAS does concerning the configuration and rule set files is that the MIDASs client will pull the information down from your MIDAS database and create one big file for the configuration and all of the rule sets. With this, MIDAS has commented out all of the "include" statements in the default SNORT configuration file.

Figure 3.12 - Intrusion Detection Configuration Screen

Figure 3.13 - Intrusion Detection Rule Set Screen

Pseudo XML

Notes on the formating of its 'Pseudo-XML':

The reason we call this 'Pseudo-XML' and not 'XML' is that we do not support the full range of features that XML offers. We do this because we do not need these features for what MIDAS is using them for. Therefore we do not feel adding this additional complexity is warranted. Here are the notes :

Does not support tag options. They are truncated off and ignored. <TAG OPTION> is the equiv of <TAG>.
There is NO syntax or format checking. Mess goes in Mess comes out...
End tags are not verified against start tags (ie <TAG1>VALUE</TAG2> is VALID). Also this means that end tags are pretty much useless and can be swapped with just </> if you want.
Values have there leading and trailing white characters removed

VALUE

<TAG>VALUE</TAG>

Tag values must come before child tags.

Comments start with a .

Tag names are case insensitive. <TAG> is equiv. to <tag> or <Tag>.

last modified: Fri Mar 09 11:57 PM CST 2004